---[ Phrack Magazine Volume 8, Issue 54 Dec 25th, 1998, article 11 of 12

-------------------------[ P H R A C K W O R L D N E W S

--------[ Issue 54

Hi. A few changes have been made to Phrack World News (PWN) and will probably change again in the future. Because of the increase of news on the net, security, hackers and other PWN topics, it is getting more difficult to keep Phrack readers informed of everything. To combat this problem, PWN will include more articles, but only relevant portions (or the parts I want to make smart ass remarks about). If you would like to read the full article, look through the ISN (InfoSec News) archives located at:

ftp.repsec.com /pub/text/digests/isn

If you would like timely news delivered with less smart ass remarks, you can always subscribe to ISN by mailing majordomo@repsec.com with 'subscribe isn' in the body of your mail.

The following articles have been accumulated from a wide variety of places. When known, original source/author/date has been included. If the information is absent, then it wasn't sent to us.

As usual, I am putting some of my own comments in brackets to help readers realize a few things left out of the articles. Comments are my own, and do not necessarily represent the views of Phrack, journalists, government spooks, my cat, or anyone else. If you want to see more serious comments about the piss poor journalism plaguing us today, visit the Security Scene Errata web page:

http://www.attrition.org/errata/

If you feel the need to send me love letters, please cc: route@infonexus.com so he can see I really do have fans. If you would like to mail my cat, don't, he hates you because you are a plebeian in his eyes. Meow.

This installment of PWN is dedicated to Feds, Hackers, and blatant stupidity. It was brought to you by the letters that collectively spell 'dumb shit'.

- disorder

--------[ Issue 54

0x1: Teen Crackers Admit Guilt
0x2: FBI grads get gun, badge, and now, a laptop
0x3: Meet the Hacker Trackers
0x4: Justice Department to Hire Computer Hackers
0x5: A Cracker-Proofing Guarantee
0x6: First-Ever Insurance Against Hackers
0x7: New Unit to Combat High-Tech Crime (National Police Agency)
0x8: First 'Cyber Warrior' Unit is Poised for Operational Status (DOD)
0x9: Tracking Global Cybercrime (Chamber of Commerce)
0xa: FBI Opens High-Tech Crisis Center
0xb: Navy fights new hack method
0xc: Pentagon Blocks DoS Attack
0xd: Hackers Elude Accelerator Center Staff
0xe: Cyberattacks leave feds chasing 'vapor'
0xf: Congress Attacks Cyber Defense Funds
0x10: Mudge on Security Vendors
0x11: More delays for Mitnick trial
0x12: 'Back door' doesn't get very far
0x13: ICSA Goon Pretends to be a Hacker
0x14: Is Your kid a Hacker
0x15: Paging Network Hijacked
0x16: FBI busts hacker who sold clandestine accounts on PageNet system
0x17: EFF DES Cracker Machine Brings Honesty to Crypto Debate
0x18: Hacking site gets hacked
0x19: From Criminals to Web Crawlers
0x1a: Running a Microsoft OS on a Network? Our Condolences
0x1b: Security expert explains New York Times site break in
0x1c: Merriam-Webster Taken Offline Old Fashioned Way
0x1d: Long Haired Hacker Works Magic
0x1e: Body of Evidence
0x1f: The Golden Age of Hacktivism
0x20: Phrack straddles the world of hackers
0x21: Cops see little hope in controlling computer crime

0x1>-------------------------------------------------------------------------

Title: Teen Crackers Admit Guilt
Source: Wired
Date: 1:10pm 11.Jun.98.PDT

Two California teenagers have pleaded guilty to federal charges of cracking Pentagon computers, the San Francisco Chronicle reports.

Terms of the plea are still being negotiated after a meeting last week between attorneys for the youths and federal officials, the newspaper said. Neither youth is expected to serve time in custody, sources close to the case said.

In February, the FBI raided the Cloverdale homes of the two suspected crackers -- nicknamed Makaveli, 16, and TooShort, 15 -- and seized computers believed to have been used to break into unclassified computer systems in government agencies, military bases, and universities.

[Sucks to be busted. Sucks worse to plead guilty to being a script kiddie.]

The youths were never formally arrested in the FBI probe. US Deputy Defense Secretary John Hamre called the breach "the most organized and systematic attack" to date on Pentagon systems.

[Feds only enjoy sticking guns in the faces of these kids. Not actually arresting them.]

0x2>-------------------------------------------------------------------------

Title: FBI grads get gun, badge, and now, a laptop
Source: TechWeb
Date: 7.22.98

When FBI special-agent trainees graduate from the bureau academy at Quantico, Va., they are each issued a gun, a badge -- and now, a laptop computer.

[Unfortunately, they don't always get a clue.]

Crime today often involves the use of sophisticated technology, and new agents have to be able to shoot straight, learn the law, and be able to use technology.

Part of the FBI's duty is to investigate computer-related crimes and issues of national security. Because it needs these specialized skills, the bureau is in competition with other agencies such as the Secret Service and the Central Intelligence Agency (CIA) -- as well as the private sector -- for recruits.

[Great low pay! Lots of travel! No respect! Come join the FBI!]

Attorney General Janet Reno, addressing a conference on children's safety on the Internet in December, called on the technology community to help law enforcement.

But Reno's call does not mean making a computer geek into a G-man. The FBI recruits in the high-tech industry and in colleges and universities for special agents with other attributes besides computer-science degrees.

"There is not a specific category [in the FBI] for someone with more computer skills," said Special Agent Ron Van Vraken, an FBI spokesman. "But someone with skills and experience is highly marketable. We've recognized we need to attract those people into the FBI."

The FBI is not alone. The CIA has a long listing of Web postings for technology-related jobs. There are ongoing requirements for knowledge-based systems engineers, software developers, and electronics engineers listed alongside jobs such as theatrical-effects specialists and clandestine service trainees.

[Yet the CIA is scrambling to find jobs for all the cold-war spook rejects...]

Although the CIA is not a law-enforcement agency like the FBI and the Secret Service, it, too, chases "bad guys" and needs people trained in technology, said Anya Guilsher, an agency spokeswoman. "We have a great interest in people with advanced technology skills," she said.

The Secret Service, which investigates financially related crimes as well as protects the president, is also looking. Its jobs listings include openings for computer specialists and telecommunications specialists.

The ideal candidate for these agencies is not necessarily a computer wiz, said Ron Williams, a former Secret Service agent and current CEO of high-tech security company Talon Technology.

"The ideal candidate is well-rounded," he said, adding they should also understand computers, have good communications skills, and know human behavior.

"To catch a criminal, you have to think like one," Williams said. "You can take agents, and if they have good street smarts and good computer skills, you can make them into hacker sleuths."

[Hypothetically.. since they haven't done it yet.]

0x3>-------------------------------------------------------------------------

Title: Meet the Hacker Trackers

A gang of convicts dressed in cartoon-striped uniforms shuffle slowly along a sidewalk, searing in the noon-day sun.
This is downtown Phoenix, a low-rise high-tech city with a decidedly old-fashioned approach to crime. From her office on the sixth floor of the county attorney's office, the prosecutor remains unmoved by the sight of the prisoners.

"People 'round here don't have much in the way of sympathy for criminals of any kind. And most of those guys are real criminals, not jumped up nobodies screaming for attention - the kind of people I deal with!"

Meet Gail Thackeray, the world's foremost legal expert on computer crime. A former assistant attorney general of the state of Arizona, Thackeray has been fighting hackers and fraudsters for nearly 25 years. Now she works as a prosecutor for the Maricopa County attorney's office, a jurisdiction the size of New England that takes in all of Phoenix.

It's most famous as the home of Sheriff Joe Arpaio, "the meanest sheriff in America". This is the man responsible for the convicts in stripes. He has made his reputation by toughening up prison conditions, to loud hollers of approval from freedom-loving Arizonans.

Good citizens of Maricopa County can now walk the streets in safety, but for the big technology companies that have moved to the "valley of the sun", the unseen hand of hackers and computer phreaks is proving a major distraction. Whether it's a left-over hippy feeling, the University campus or just a reaction to the extreme heat, Phoenix is a top spot for computer criminals. Thackeray is there to stop them.

Arizona has perhaps the United States' strongest legal code against the activities of hackers, but sometimes Gail aches to fight fire with fire.

"We have to document every step of the way we investigate. They don't need to have our education. They just need one other crook showing them, like monkeys at a keyboard, how to imitate the crime. The bulletin boards were the precursors to this, but the Net has exploded it down to the individual level anywhere in the world.
You don't need sophistication, you don't even need very good equipment - one of the best hackers we've ever dealt with had a Compaq luggable 286 and he was wreaking havoc around the world. Just a list of his route on different systems attached to the Internet would keep me in the hacker business for the rest of my life - it goes on for pages."

Getting away with it

We move from her office to the conference room next door. Thackeray proudly displays her new Compaq notebook. Her famous slide show is now held on the notebook's hard disk. For more years than she'd care to remember, Thackeray has been showing her slides to police forces and prosecutors across the United States, advising them how to build a case against hackers. She also trains police forces all over the country, including secret service agents at the Georgia Federal training centre. Even the bad guys have been known to call her to find out what the cops have been up to.

Although she has been a hacker tracker for 25 years, Thackeray is more depressed than ever by the escalating scale of computer crime. The Web, she says, has made it impossible to catch the crooks.

"Even if it's the boy next door, we haven't a chance. He may be doing something rotten to your high-tech consulting firm, he may be next door trying to steal your stuff - but he's looping through a long-distance carrier, a corporate phone system, three Internet providers and circling the world twice before he hits you. That's the problem from our standpoint. Even assuming all those parties can trace the links they're involved in, we have to go through a different process, and probably a different law enforcement agency, for every single one.

"In the old days out here, the Texas rangers were very famous for catching bank robbers. They didn't stop at the Texas border when chasing a killer. They'd jump on their horse and, even if they crossed the state line, they would follow wherever the chase led them.
In the computer age we can't do that at all. What we have now in the US is a mish-mash of laws and agencies. Multiply that on the international level and it's completely out of hand."

High-tech law enforcement

Thackeray moved to Arizona in 1986 after beginning her career as a prosecutor in Philadelphia. She worked in the attorney general's office running an organised crime and racketeering unit that won a national reputation for its technical ability in the fight against hackers. She was also the mastermind behind Operation Sundevil (see panel, overleaf), the first nationally coordinated raid on hackers.

But then democracy took a turn and she became a victim of the strange process by which Americans elect their most senior law officers. Her boss lost the race to be elected attorney general. The victor wasn't interested in technology so 12 people got sacked, including Thackeray.

Taking a break from the slide show for a moment, she shows me a little number-generating program stored on her laptop. It generates random numbers for Visa cards. Give it the four-digit code that identifies a card issuer and within minutes you'll have hundreds of false credit card numbers to play with.

"Now supposing you had another little program that made the bank think these numbers were legitimate - How much do you think you could make?"

We go on-line to see some of the hacker sites. Thackeray believes that the Web is making a bigger range of crimes much easier to commit.

"In the future the good parts of the Internet will be bigger and more complex and available to more people and that's great. But this means all of those people will have victim potential. Thanks to the growth of the Web, one criminal can now do an unprecedented amount of damage, whether it's to corporations or to individuals' feelings by threatening and stalking, spam attacks or just shutting down ISPs.

"We have had four incidents in the first six months of this year.
These people are attacking not just the little local service provider, but also some of the 19 Internet backbone carriers. They're absolutely ruthless and don't care who they hurt. In a case in Tucson, tens of thousands of users were shut down just because some person with an adolescent level of maturity decided he was mad at another ISP, so he took all of its customers off-line. It's frighteningly easy to do and only took one broadcast message. All the routers that run the Internet shake hands periodically, so if you can infect one router, given time it will infect the entire world. And that's what happened. It took just a few days for the entire world to believe that this service provider, and all its customers, didn't exist."

Not only is the Web host to a whole new range of crimes, it's also home to a brand new band of weirdos.

"Unfortunately the Web is the best playground ever invented for sociopaths. They can hide, are anonymous and can't be traced. Nobody is in charge and it gives them that power rush that psychologists say is what they live off. It's their whole life's breath. It's the chest-beating power surge of being able to do it and get away with it. We are just seeing more acts of wanton destruction simply for the sake of showing that you can do it."

Does she think this new generation of Web hackers is a real threat to people?

"Every baby in America knows the 911 emergency system. If mommy's drowning in the pool, we've had three-year-olds save her life by dialling 911. The hackers have attacked the 911 system and they're still doing it. That's not for knowledge or for glory, that's just an act of vicious ego."

Rat's nests and technocrap

Personal liberty is taken very seriously in the western United States. No-one likes the idea of "big government" interfering with people's lives. Even hackers gain sympathy when they complain of harassment by police and prosecutors. Some say they've been victimised by the authorities. Thackeray denies this.

"It's a hacker myth that we take away their computers and sit on them forever. In one case we came across, the guy had over 12Gb of data stored on his system - that's equivalent to 15,000 paperback books. It's better that we seize all that material - you might have love letters, cook book recipes and your extortion kidnapping letter on the same disk. We can't take one without taking the other. We cannot physically copy that volume. It is far easier for us to take computers away than for us to camp out in your house for six months."

A hovel of a bedroom fills the projector screen. Coke cans everywhere, rubbish dotted across an unmade bed. In the corner sits a naked computer, stripped of casing, wires exposed. Thackeray calls it a rat's nest. She has hundreds of similar photos.

"Back in Philadelphia I began collecting pictures of computers with their wires hanging out. When the geeks speak to a jury we call the language they use technocrap. What you have here is the physical version of technocrap." She gestures at the screen.

Typically hackers will set up a stereo system within easy reach of the computer, and often a drinks cabinet as well. A recent innovation is the home network.

"We've come up against four or five houses recently where people have had multiple systems networked in the house. And that's even without running a bulletin board. When we get lucky and we're fast enough we can find the guilty computer - but the hardest part of the job is finding the brain behind the computer. To find that person is good old-fashioned low-tech police work."

Thackeray's team face another new problem caused by the huge increase in storage capacity.

"In the computer situation no one throws anything out. That makes our life more difficult. We don't want to read the last five years' worth of your e-mail, life's too short and frankly it's not that interesting.
But sometimes we're searching for one piece of evidence and it's buried in a huge volume of stuff so what else can we do?"

Tracking or trailing?

The slide show draws to an end. We amble downstairs to the office of another investigator. He shows us an array of hacker memorabilia on his computer. I ask Gail about the future. She believes that unless there's a fundamental change in the way police forces treat computer crime, there is no hope at all.

"The police departments and prosecutors around the country are, frankly, paramilitary organisations with very bureaucratic, layered decision-making processes. They see the need for more training in gangs; they don't see the need for more training in computers because the management came out of the knife and gun club.

"Police management is dominated by the physical crimes people. We've got to dissolve some of these barriers. When we move we need to move fast like the Texas rangers - both legally and bureaucratically we're just not there yet. When I started 20 years ago law enforcement was behind the computer crime wave. We're farther behind today than we were then."

Matt McGrath is an investigative journalist who works for Radio 5.

0x4>-------------------------------------------------------------------------

Title: Justice Department to Hire Computer Hackers
Source: Business Week
Date: Aug. 6, 1998

Wanted: Hackers to break into the Justice Dept. computer network. Under a program known as Operation Get Cracking, the Justice Dept. sought members of the computer underground at late July's Def Con hackers' conference in Las Vegas, BUSINESS WEEK reports in its August 17 issue. Attorney General Janet Reno has quietly committed $1 million to hire up to 16 hackers to test the Department's networks, says a source at Justice, which would neither confirm nor deny the operation.

[Uh... huh... I won't go there.]

0x5>-------------------------------------------------------------------------

Title: A Cracker-Proofing Guarantee
Source: Wired News Report
Date: 9:05 a.m. 5.Oct.98.PDT

CIGNA Secure Systems Insurance is offering a US$25 million liability policy designed to cover losses resulting from attacks by computer crackers, the company said Monday.

To qualify for coverage, a client must secure its systems or pass inspection from a CIGNA-approved security-management company. Otherwise, potential clients are encouraged to contract with security-management company NetSolve, in conjunction with Cisco's NetRanger intrusion-detection software, which is pre-approved by CIGNA.

CIGNA Secure Systems Insurance provides coverage for theft of money, securities, and property; for damage done by crackers to a firm's data or software; and for business losses caused by attacks on a company's computer systems.

[And how do they put value on your information? Who audits the system to make sure you are telling the truth about your policy?]

A recent survey by the Computer Security Institute and the FBI found a 36 percent increase from the previous year in losses stemming from computer-security breaches. However, traditional property and liability insurance policies do not address these risks, according to CIGNA.

"It's a nice marketing ploy," said computer security consultant Pete Shiply. "But if someone is concentrating on breaking into a site, eventually they will get in. There is no such thing as a secure site; security is economics, it's a question of money and how much you want to invest."

Asked what kind of intrusion might lead to a $25 million claim, Shiply was skeptical.

"While I haven't read the agreements, I am pretty sure you would not get that much," he said. "You would have to prove losses approaching that figure, and that will likely be a difficult thing to do."

0x6>-------------------------------------------------------------------------

Title: First-Ever Insurance Against Hackers
Source: Reuters
Date: 14-JUN-98
By: Therese Poletti

A computer security firm is so certain of its security prowess that it is offering to protect its customers with the first-ever hacker insurance, in the event a customer is successfully invaded by hackers.

[So secure, hackers dumped logs of one of the ICSA's machines being hacked to several IRC channels. Do as we say, not as we do.]

ICSA Inc., the International Computer Security Association, is now offering as part of its TruSecure service, insurance against hacker attacks. ICSA will pay up to $250,000 if a customer's network is hacked into, after it has followed the TruSecure criteria.

``This is the first hacker-related insurance,'' said Peter Tibbett, president of the ICSA, based in Carlisle, Penn. ``It puts our money where our mouth is.''

ICSA sells its TruSecure service for $40,000 a year. The service, which it has been offering for several years, is a series of steps, methods and procedures that an ICSA client must adhere to. Some steps are simple, common sense procedures, such as having the server which hosts your company's Web site inside a locked room.

[You pay 40,000 a year, for up to 250,000 insurance. Pretty high premium. 40,000 will buy you a lot of security consulting and additional security precautions.]

Other steps are more complicated, such as the requirement to have a secure firewall around an internal network. But the ICSA does not sell products. Instead, it recommends a whole range of software that it has approved as secure and meets its standards, through open meetings and debates, with all its members, many of whom develop security products.

Then, ICSA tests a client's security by using typical hacker methods, through its 100 or so employees, none of whom are reformed hackers. ICSA believes, along with executives at International Business Machines Corp.
who perform ``ethical'' hacking on its customers, that there is no such thing as a reformed hacker.

``We spray them with hacker tools and see where their vulnerabilities are,'' Tibbett said, referring to many of the widely-used hacker programs that are available over the Internet or shared among hackers. ``The average site took about two weeks to get to the place where they meet all our requirements.''

After ICSA completes a six-step process to test and improve a company's security, the customer is deemed secure and will then receive insurance. The ICSA said it will pay its customers if they fall prey to a hacker, even if they are not financially harmed from the attack.

``Whether you lose money or not, we will pay,'' Tibbett said. ``We believe that we reduce the risk dramatically ... Yes, we expect to write some checks, but we don't expect to write very many.''

Tibbett likens the ICSA to the Center for Disease Control, because it tracks all hacker attacks and tests every hacker tool and virus its programmers can find. The ICSA also is known for its emergency response center, which tracks the fallout from known computer viruses and helps companies in a crisis.

``Good enough is never going to be perfect,'' Tibbett said. ``But we have a motivation to improve our service. If we have to write a check when someone gets hacked, it gives us another emphasis.''

The company said it is partnering with major nationwide insurance carriers who recognize the ICSA TruSecure certification as a requirement for hacker policies.

0x7>-------------------------------------------------------------------------

Title: New Unit to Combat High-Tech Crime
By: Yomiuri Shimbun
Date: June 05, 1998

The National Police Agency plans to create a special "cyberpolice" unit to combat the rise in high-tech crimes involving the Internet and other new technologies, the agency said Wednesday in announcing its new high-tech crime program.
Information will be exchanged with its investigative counterparts overseas on a 24-hour-a-day basis, it said.

The program will include special high-tech crime squads at the prefectural level, and information security advisers at prefectural police stations who will liaise directly with the private sector, with which the NPA wants to coordinate its efforts.

The agency will also request a budget for a "hacker-proof" supercomputer next fiscal year.

The NPA recorded 263 high-tech crimes last year -- eight times more than in 1992.

High-tech crime was on the agenda of the Group of Eight summit meeting in Britain last month, where the eight leaders agreed to report on their efforts to combat high-tech crime at the G-8 summit in Cologne, Germany, next year.

The NPA said Japan's current laws are inadequate and it would push to have new laws enacted to limit access to computers by those with criminal intent.

0x8>-------------------------------------------------------------------------

Title: First 'Cyber Warrior' Unit is Poised for Operational Status
By: Bryan Bender
Date: June 17 1998

The US Department of Defense (DoD) plans to stand up its first operational unit of `cyber warriors' by September to safeguard against and respond to computer attacks aimed at the US military, according to defence officials.

The Joint Chiefs of Staff (JCS) is assessing several proposals for a Computer Defense Joint Task Force and JCS chairman Gen Henry Shelton is expected to make a recommendation to Defense Secretary William Cohen, who will have direct authority over the organisation, in the near future.

The JCS has a computer attack response cell within its directorate of operations, but it "has not been codified as a warfighting entity," said JCS spokesman Lt Cdr Jim Brooks. The task force, which will conduct defensive rather than offensive information operations, will have the necessary authority to take action in the event of information attacks.
Officials are determining how the unit should be structured, where it should be and how much it will cost. They say that the new unit will have to have a high level of co-ordination with other federal agencies, particularly the Federal Bureau of Investigation, given the constitutional limitations placed on the US armed forces in the area of law enforcement.

JCS sources add that the task force is only expected to be an interim solution to the rising need for a specialised unit to counter incidents of cyber warfare. A permanent unit, possibly under the authority of one of the US warfighting commanders-in-chief, is planned for the future.

The Pentagon has seen a steep rise in computer attacks and other attempts either to access or contaminate DoD information networks. Art Money, the DoD's senior civilian overseeing computer operations, said on 10 June that the Pentagon experiences an average of 60 cyber attacks per week.

0x9>-------------------------------------------------------------------------

Title: Tracking Global Cybercrime
By: Claudia Graziano
Date: 4:00 a.m. 25.Sep.98.PDT

The International Chamber of Commerce said Thursday that it will open a new division to help companies around the world protect themselves against cybercrime.

"Basically, any scams you can do terrestrially you can do even easier in cyberspace," said Eric Ellen, the chamber's executive director, who will take the reins of the new division.

[Oooh.. 'terrestrially'.. three point word.]

The London-based unit will work with Interpol to fight heavy-duty technological thievery -- such as money laundering, industrial espionage, and investment fraud -- as opposed to small-time consumer scams like selling nonexistent goods online.

Interpol chief Ray Kendall said the international police agency had been pushing for years for such an alliance with the private sector since it could move more quickly than governments in purchasing the equipment needed to investigate high-tech crime.
The cybercrime unit will provide the 7,000 International Chamber of Commerce members with information about how and where the myriad types of crimes are committed on the Net and what businesses can do to protect themselves against crackers and fraud artists. A Federal Trade Commission official praised the commission's efforts to raise domestic awareness of Internet fraud. "We welcome any international effort to crack down on cyberfraud, because crime and fraud perpetrated against consumers or businesses only undermines the electronic marketplace and stifles the great opportunities available through Internet commerce," said Paul Luehr, an assistant director at the commission. The chamber said it hopes to persuade governments, including the United States, to wipe out restrictions that limit the spread and availability of strong encryption algorithms. That position flies in the face of US law enforcement, which currently limits the export of powerful crypto on the grounds that it might be used by terrorists. Meanwhile, US crypto advocates have long said that ciphers are better suited to fighting crime than hiding it. "There will be some lobbying on our part, but many businesses can't wait for laws," Ellen said. "Crimes cross international borders, yet existing laws [against cybercrime] are national." The chamber's cybercrime unit will meet regularly with Interpol in Lyon, France, to exchange information and intelligence on cybercrime and its perpetrators. Additionally, the chamber division plans to exchange information with the FBI's National Infrastructure Protection Center and the FBI's National Security Awareness unit, which looks after the interests of US businesses. Headquartered in Paris, the International Chamber of Commerce establishes rules that govern the conduct of businesses worldwide. The nonprofit group holds top-level consultative status with the United Nations, where it puts forward the views of business in countries around the world. 
0xa>-------------------------------------------------------------------------

Title: FBI Opens High-Tech Crisis Center
By: Michael J. Sniffen
Date: Friday, November 20, 1998; 9:29 a.m. EST

Entering its 91st year with new duties that extend around the world, the FBI today opened a high-tech, $20 million operations center nearly the size of a football field to allow headquarters to manage up to five crises at once. The new Strategic Information and Operations Center -- called ``sigh-ock'' after its initials -- has 35 separate rooms that can seat up to 450 people total and covers 40,000 square feet on the fifth floor of FBI headquarters on Pennsylvania Avenue. It is 10 times bigger than its two-decade-old predecessor that could, with difficulty, handle two crises simultaneously. Bureau officials became convinced the old SIOC was outmoded in the summer of 1996 when they tried to manage investigations of the Olympic bombing in Atlanta, the explosion of TWA 800 and the Khobar Towers truck-bombing in Saudi Arabia at the same time. ``There weren't enough rooms or enough telephones,'' FBI Director Louis J. Freeh said. ``We had people working at desks in the hallway outside and reading top secret material in the vending area across the hall.'' The supersecret facility with no windows to the street, or even any outside walls, has a private ribbon-cutting today with former President George Bush as the FBI celebrates its 90th birthday. Introducing the new SIOC to reporters for a one-time-only tour, Freeh said it was emblematic of the bureau's expanded responsibilities and technology. He noted that the bureau's fastest growing component, its Counterterrorism Center, is arrayed in the offices around the SIOC -- as is its violent crime unit, which handles domestic attacks such as the Oklahoma City bombing or hijackings. Much of the counterterrorism work now extends overseas, to Saudi Arabia where U.S. soldiers have been killed in two bombings and East Africa where two U.S.
embassies were bombed, for example. In the last five years, Freeh said, the FBI has nearly doubled its legal attaches working abroad -- to 32 cities now. Eight more are to open soon -- in Almaty, Kazakhstan; Ankara, Turkey; Brasilia, Brazil; Copenhagen, Denmark; Prague, Czech Republic; Santo Domingo, Dominican Republic; Singapore and Seoul, Korea. The computers at desks throughout the center and the 5-by-15-foot video screens on the walls of almost every room can display not only U.S. television broadcasts but also local TV channels from foreign countries. The bank of red-lettered digital clocks in each room can display the local time in five or six locations. The FBI's new National Infrastructure Protection Center, tasked to prevent and respond to attacks on government or private computer systems that keep America running, will have three representatives on each of the 10-member watch teams that staff the center at all times. Also present around the clock: a representative of the National Security Agency's Cryptologic Security Group to provide information from the government's worldwide electronic eavesdropping. Behind a series of blond wood doors, the complex warren of workrooms, many of which can be combined or divided as need requires, have light gray carpets, paler gray walls and dark gray metal desks with white plastic tops. The desks are fixed in place only in two control rooms that manage the flow of information to each room; elsewhere they are modular and can be rearranged at will over floor-mounted electric and telephone plugs. Interior windows allow views into conference rooms or the SIOC's hallways. 
Ron Wilcox, deputy chief of the SIOC, said the compartmented areas would allow bureau agents ``to work in one room with District of Columbia police on a local kidnapping while another room works on a terrorist bombing with top secret data.'' Each work station can receive data from three sets of phone and computer links: unclassified, secret and top secret-sensitive compartmented information. While the center will draw information from around the world, information will not leave without permission. The center is shielded to prevent outside detection of electronic emissions, so cell phones do not work inside it. In Operations Group D and G, the largest room with capacity for 118 people, there are printers with yard-wide rolls of paper to print out city maps. So the room will not be overcome with noise, the sound from video screens is broadcast silently from black boxes around the room to headphone sets available to each worker. The chairs, most on wheels, have arm rests. They are blue-green cloth in the workrooms; gray leather in the Executive Briefing Room, the center's second largest room, with three blond wood semicircles seating 36 and fixed theater seats at the back for 50 more. Rather than increasing the burden on field agents to report to Washington, Wilcox said the new center should reduce such demands, because ``we will offer one-stop shopping for headquarters. Field agents can report to us, and we will be responsible for making sure everybody is alerted who should be.''

0xb>-------------------------------------------------------------------------

Title: Navy fights new hack method
By: Tim Clark
Source: CNET NEWS.COM

Hackers are banding together across the globe to mount low-visibility attacks in an effort to sneak under the radar of security specialists and intrusion detection software, a U.S. Navy network security team said today.
Coordinated attacks from up to 15 different locations on several continents have been detected, and Navy experts believe that the attackers garner information by probing Navy Web sites and then share it among themselves. "These new patterns are really hard to decipher--you need expert forensics to get the smoking gun," said Stephen Northcutt, head of the Shadow intrusion detection team at the Naval Surface Warfare Center. "To know what's really happening will require law enforcement to get hold of the hackers' code so we can disassemble it." The new method involves sending as few as two suspicious probes per hour to a host computer, a level of interest that usually won't be detected by standard countermeasures. But by pooling information learned from those probes, hackers can garner considerable knowledge about a site.

0xc>-------------------------------------------------------------------------

Title: Pentagon Blocks DoS Attack
Source: Newsbytes via NewsEdge

The Pentagon launched an attack applet of its own this month to thwart a denial-of-service attack against its DefenseLink Web site at http://www.defenselink.mil . DefenseLink was one of three sites targeted on Sept. 7 by a group that calls itself the Electronic Disturbance Theater. The group claimed to be acting in solidarity with Zapatista rebels in the Mexican state of Chiapas to protest Defense Department funding of the School of the Americas. Other target Web sites belonged to Germany's Frankfurt Stock Exchange and Mexican President Ernesto Zedillo. The theater group's Web site referred to the attacks as a virtual sit-in. Visitors to the group's site received a hostile Java applet designed to keep reloading the DefenseLink and other Web sites automatically as long as the visitors' browsers were open. Multiple simultaneous reload requests can overwhelm a server, but the attacks apparently had little impact, DOD officials said.
"Our support staff certainly was aware of the planned attack," Pentagon spokeswoman Susan Hansen said. "They took preventive measures to thwart the attack so that DefenseLink was available." Hansen would not specify the preventive measures, but the theater group reported, and a DOD official confirmed, that the Pentagon aimed its own hostile applet back at the attackers. Browsers "got back a message saying the (theater group's) server wasn't available," Hansen said. The Frankfurt exchange reported the reload requests had little or no impact on its server, either. The theater group has promised a second round of attacks, known as FloodNet, between Sept. 16, Mexican Independence Day, and Oct. 12, Columbus Day. Representatives of security software vendor Finjan Inc. of Santa Clara, Calif., said the attacks marked the first time Java applets have been used in a political protest, although the theater group has claimed participation in other virtual sit-ins against Zedillo and President Clinton since April. The group is a throwback to the 1960s guerrilla theater of the Yippies, who once hosted an attempt to mentally levitate the Pentagon. The theater group's Web site at http://www.nyu.edu/projects/wray/ecd.html advocates electronic civil disobedience. Its attempted Pentagon attack was part of Swarm, a project launched at the Ars Electronic Festival on InfoWar in Linz, Austria. The group's announced activities, in addition to the unspecified attacks planned through mid-October, include radio protests against the Federal Communications Commission on Oct. 4 and 5. The Swarm attacks reportedly did not meet with much approval among hackers, who view FloodNet as an abuse of network resources. 
0xd>-------------------------------------------------------------------------

Title: Hackers Elude Accelerator Center Staff
Source: San Francisco Chronicle
Date: 06/11/98

Officials at Stanford Linear Accelerator Center are rethinking the openness of their computer system a week after hackers forced them to shut down outside access to the federal research facility's computer network. External access to the center's computer system was suspended after staff members failed to catch hackers who had intercepted a password and were moving in and out of more than 30 of the facility's Unix servers. "We traced the hackers around to the point that we weren't gaining on them," said center spokeswoman P.A. Moore. "The person or persons were successful in covering their tracks and in getting into and out of accounts." It is still unclear how the hackers got access to a password and the system, Moore said. But as a result of the breach, she said, officials are rethinking the center's policy of being an open scientific research facility. She said proposals are being considered to restrict the center's computer system. "A number of options are being considered and they range from very mild to more severe," she said. Moore said that most of the center's Internet services were restored Tuesday after security measures were put in place and that staff members were instructed to change their passwords. The shutdown did not create any serious problems, although it caused delays in many projects and denied researchers from all over the world access to the center's Web site, Moore said. Established in 1962, the Linear Accelerator Center is funded by the Department of Energy and operated by Stanford University. With a staff of about 1,300 and 2,000 researchers worldwide, the center conducts basic research on atomic and subatomic physics. The center's researchers use colliders to study matter at the atomic level. "Mostly, we've lost time on experiments," Moore said.
"We do not see that any data has been compromised. It's more of a setback than a major disaster." But she said future break-ins will remain a problem for open scientific facility. The center does not conduct any classified research, she said. "Computer hackers are very sophisticated in terms of their knowledge and ease in traveling through cyberspace," she said. "We're vulnerable. By being an open facility, we are a target for vandals." Stephen Hansen, a Stanford University computer security officer, said campus system break-ins average at least two a month. A common tool used by hackers is a computer program dubbed "the sniffer," which allows intruders to decode data in a system, specifically passwords and log-on names. "Sniffers are quite dangerous," Hansen said. "If they are not caught right away, they can lead to break-ins to thousands of accounts, not just locally, but across the Internet." To minimize such break-ins, he said, more system operators are using encryption programs that prevent hackers from determining sign-on names and passwords. However, this is not an easy option for the Stanford center because encryption programs are prohibited in some countries, including France, where a number of center-affiliated researchers live. 0xe>------------------------------------------------------------------------- Title: Cyberattacks leave feds chasing 'vapor' By: Bob Brewin (antenna@fcw.com) Top administration officials last week warned that the United States lacks the capability to quickly identify the nature and scope of a continuing series of cyberattacks against both federal and private systems that support the country's telecommunications, financial and energy critical infrastructures. 
During a series of congressional hearings and in speeches last week, federal security and information technology officials made it clear that they anticipate a powerful ''Achilles' heel'' cyberattack that could cripple the nation's vital systems because the government lacks the ability to defend against such an attack. John Hamre, deputy secretary of Defense, told the House National Security Committee that such a paralyzing cyberattack against critical infrastructures is inevitable. "There will be an electronic attack sometime in our future," he said. "Should an attack come, it will likely not be aimed at just military targets but at civilian [targets] as well." Administration officials also reported that the attacks continue unabated. Art Money, who is slated to take over as assistant secretary of Defense for command, control, communications and intelligence later this year, said in a speech at a conference in Washington, D.C., last week that DOD "averages 60 intrusions a week" into its computer systems. An official of the FBI's new National Infrastructure Protection Center (NIPC) said the office is investigating a "half dozen" incidents, describing them as ''substantial.'' But security agencies said the process of chasing down and identifying attackers is frustrating, as in the case of the highly publicized series of hacks against DOD computers last February. The FBI and numerous DOD agencies worked together to track down the hackers, but the agencies could not "identify [until] the following week" the source and type of attack, Ellie Padgett, deputy chief of the National Security Agency, told the Senate Judiciary Committee's Subcommittee on Technology, Terrorism and Government Information. Padgett said it would still take the agency a "matter of days" to determine if an attack was strategic or just a teenage prank. 
Michael Vatis, director of NIPC, told the committee, "In most cyberattacks, it's impossible to know the identity of the penetrator," be it teenage hackers, criminals or a strategic attack by a hostile nation. Vatis, in an interview, likened chasing down hackers to "tracking vapor." Barry Collin, a senior researcher with the Institute for Security and Intelligence, said it will become increasingly difficult to identify strategic attacks because a nation that is sophisticated enough to mount a cyberwar against the United States also will have the sophistication to disguise that effort as a hacker attack mounted by teenagers. "They can make it appear as if it is a game instead of a real attack," he said.

A "Predatory Phase"

Also frustrating security experts is the possibility that attacks will be carried out in quick hits over a long period of time, Hamre said. "The predatory phase could take place over several years, making it hard to collate curious, seemingly unrelated events into a coherent picture," he said. These long-term attacks "could take place over multiple jurisdictions - [for example] power grids or air traffic control nodes in various states. Our knowledge of the origin of such attacks and their sponsorship is likely to be imprecise." Hamre also presented classified testimony to a joint closed hearing of the House National Security Committee's Military Procurement and the Military Research and Development subcommittees. Hamre may have presented more detailed evidence of computer vulnerabilities, based on remarks by Rep. Curt Weldon (R.-Pa.), chairman of the Military Research and Development Subcommittee, who called Hamre's classified testimony "the most provocative briefing" he had ever received during his 12 years in Congress.
The Clinton administration hopes to protect the critical infrastructures with recently formed security organizations, including the National Infrastructure Assurance Plan, the NSA Network Incident Analysis Cell and the Critical Infrastructure Assurance Office in the Commerce Department. CIAO will spearhead multiple-agency efforts to develop better policies, processes, procedures and systems to detect and deter attacks. The administration also plans to heavily involve the private sector - banks, power companies and railroad companies - in "public/private partnerships'' to protect the infrastructure. Members of Congress on both sides of the Hill praised the administration's initial efforts, but they also expressed some skepticism about the approach. Sen. Diane Feinstein (D-Calif.) said she "wondered if the nexus between the public and private sectors will work." Rep. Herbert Bateman (R-Va.) said he is "deeply skeptical" about placing the CIAO in Commerce rather than in DOD. Bateman said Commerce's willingness to allow the exportation of critical satellite and rocketry information to the Chinese left him "unconvinced" that Commerce had the same "sensitivity" as the Pentagon has to the requirements of national security.

0xf>-------------------------------------------------------------------------

Title: Congress Attacks Cyber Defense Funds
Source: Defense News
Date: 6/16/98

U.S. Congress Attacks Cyber Defense Funds
By George I. Seffers
Defense News Staff Writer

WASHINGTON-- Congress is taking millions of dollars from the war chest intended to protect critical U.S. infrastructure from potentially crippling cyber attacks, according to Defense Department and White House sources. The House Appropriations Committee deleted the entire $69.9 million the Defense Department had requested for infrastructure protection in its 1999 budget.
That funding should be restored, Linton Wells, principal deputy for the assistant secretary of defense for command, control, communications and intelligence, told lawmakers at a June 11 hearing here on protecting national infrastructures-- telecommunications, banking and finance, energy, transportation, and essential government services-- from cyber attack.

[So they make all these new groups to fight cybercrime.. then this?]

0x10>------------------------------------------------------------------------

Title: Mudge on Security Vendors
From: Bugtraq

In the SAFER bulletin they mention compromising software that was explicitly installed as an additional security measure. While joking around I was mentioning to some colleagues about the atrocity of some (most) of the security related products out there right now. Not in what they are claiming to accomplish but in the lack of sound coding in their own products. I thought it was pretty much understood but the amazed looks on their faces told me otherwise. So I figured I might point this out in case that was not an isolated assumption that these people had. Hopefully I'm already preaching to the choir on Bugtraq.

[Note - though I explicitly mention ISS and Axent they are by no means any worse or better than others not mentioned here... in addition I am referring to older versions of their products. I have not spent time looking at their most current releases to verify whether things have improved or gotten worse. Please take this for what it is meant to be - a general rant about the security vendor world as it stands... not an attack against particular vendors]

A few real world cases:

A few revs back in ISS' commercial security scanner there were several vulnerabilities. One particular company contracted me to come in and give them a report on the level of competence that an auditing company they had hired were at. Sure enough, when the auditor scanned the box that we had setup they were using ISS (version 3?
my memory isn't serving me very well right now). Upon an attempt to connect to tcp/79 (fingerd) we fed them back a bunch of 'garbage' (well, you know... that garbage that is comprised of a long run of NOPs followed by machine dependent opcodes and operands :). After a few tries, root on the scanning machine was handed out as there were no checks done on the data that was being retrieved (or more accurately assumptions were being made about the length).

...

Axent swore up and down that their ESM systems were communicating via DES encrypted channels. In reality the communications were simply XOR'd and they would send the progressive XOR key every X packets. The DES components were slated for the 'next rev'. Doesn't matter - the point is that they shouldn't have done the XOR scheme to begin with when the purpose of the communications between the client and server are "lists" of vulnerabilities on said machines. Not something you want advertised to anyone passively monitoring.

...

I don't know how many "security" packages I've looked at that do outrageously stupid things like chmod(777), popen(), or system() even! Even if the program is running non-privileged and is designed to be on a system that does not have multiple users it is a demonstration that the people writing the code to protect your systems (often at outrageous price tags!) seem incapable of demonstrating sane coding techniques themselves. How is one supposed to get 'warm fuzzies' that one is having their systems "protected" when the products doing the protecting show no security competence. Vendors listen up!

.mudge

0x11>------------------------------------------------------------------------

Title: More delays for Mitnick trial
By: Kevin Poulsen
Date: November 25, 1998 3:33 PM PT
Source: ZDNet

Accusing government attorneys of stalling efforts to collect key documents for his case, the defense attorney representing Kevin Mitnick, famed criminal hacker, requested a continuance on Tuesday.
According to Donald Randolph's motion, the government missed a court-ordered deadline to provide the defense with copies of prosecution witnesses statements. The statements were finally handed over on Tuesday, almost a month late. In addition, the prosecution is almost a week behind in handing over a list of evidence to the defense. Some electronic evidence is being withheld completely, claimed Randolph.

Prosecution delays

"Due to the government's significant delay in producing discovery as ordered by this court, and due to its continuing failure to produce certain discoverable evidence altogether, the defense cannot competently complete its investigations and prepare for trial in this matter absent a reasonable continuance in the trial date," stated the motion. The original trial was scheduled for Jan. 19, 1999. The prosecutors attacked any delay. "The contention that we have been late with materials is disingenuous," says prosecutor David Schindler. "We've provided thousands of pages of discovery."

Government mole?

The text of the motion also implied that the government had paid a one-time Mitnick cohort and employee of Mitnick's previous attorney, Ron Austin, to spy on his client. "Austin was privy to confidential communications between Mr. Mitnick and Mr. Sherman which he later disclosed to the government," said the statement.

0x12>------------------------------------------------------------------------

Title: 'Back door' doesn't get very far
Source: San Jose Mercury News

A U.S. government panel has failed in a two-year effort to design a federal computer security system that includes ''back doors,'' a feature that would enable snooping by law enforcement agencies, people familiar with the effort said this week.
The failure casts further doubt on the Clinton administration policy -- required for government agencies and strongly encouraged for the private sector -- of including such back doors in computer encryption technology used to protect computer data and communications, according to outside experts. But administration officials said the panel, which is set to expire in July, simply needed more time. The 22-member panel appointed by the secretary of commerce in 1996 concluded at a meeting last week that it could not overcome the technical hurdles involved in creating a large-scale infrastructure that would meet the needs of law enforcers, panel members said. The group was tapped to write a formal government plan known as a ''Federal Information Processing Standard,'' or FIPS, detailing how government agencies should build systems including back doors.

0x13>------------------------------------------------------------------------

Title: ICSA Goon Pretends to be a Hacker [my title]
Source: Forbes Digital Tool
By: Adam Penenberg

J3 spends his days trolling around the hacker underground, monitoring hacker channels on Internet Relay Chat, checking out the latest on "phreaking,"--cracking the phone system-- dialing up bulletin boards and checking out web sites that offer password-cracking software and how-to guides. For J3 this isn't just a hobby, it's a job. ICSA, a computer security firm, hired J3 (not his real name nor his online "nick", since his success depends on total anonymity) two years ago as the company's lead underground analyst. His mission: to keep tabs on the latest trends and tools in the hacker world. When he gets wind of a new security hole, he passes the information on to ICSA's tech staff so that the company can either develop a defense or tip off software makers before the flaw can be exploited. J3 is very busy.
Recently, a group of European hackers released a Trojan horse-like program that would enable them to set up backdoors in geeky programs known only to network administrators, such as "named" programs related to domain name servers, a basic component of any network connected to the larger Internet. J3 found out about it in the course of his monitoring, passed it on to ICSA, and the company informed CERT (Computer Emergency Response Team) which posted an advisory. He was also instrumental in helping ICSA detect two types of denial of service attack modes--Teardrop and Land--that were being used to exploit vulnerabilities in the TCP/IP protocol. These new attacks took advantage of tweaks that would beat existing patches, which made it difficult for system administrators to stay ahead of hackers. But J3, because of his links to the underground, was able to learn of these exploits shortly after they were posted on hacker channels. "I'm proud of a lot of the work we do," J3 says. "I've found a company's entire password file posted to a web site, or that hackers have root in a network or that a merchant site with a database of credit cards has been compromised. I then contact the companies and warn them." He says that the Internet is a lot like Lord of the Flies, a nasty, violent--yet virtual--world where the strong intimidate the weak. Not all hackers are destructive, of course. There are many good ones on a quest for pure information, the lifeblood of their avocation, who post security flaws because they believe it's the best way to fix them. It's the ones who exploit these flaws to cause damage that irritate J3. But they have a vulnerability: their need for self-aggrandizement, which is key to J3's success. "If hackers didn't brag," he says, "I wouldn't have a job."
J3, who works mostly nights since the Internet never sleeps, isn't just a full-time worker. He's also a graduate student working on his Ph.D. in psychology. And his area of study? Hackers, of course.

0x14>------------------------------------------------------------------------

Title: Is Your kid a Hacker
Source: Family PC Magazine
Date: November 1998
By: Kevin Poulsen

If you suspect your kid is a computer hacker, here's some advice from a convicted hacker on how to handle it

It starts with a knock on the door. A dozen men in suits and shoulder holsters are outside, their Buicks and Broncos crammed into your driveway and parked along the street. Over their shoulders you can see your bathrobe-clad neighbors watching the spectacle from their lawns. It might be the FBI, it may be the Secret Service, but whoever it is, the humorless agents hand you a piece of paper and head toward your son or daughter's room. You wonder, perhaps for the first time, what your kid has been doing in there with the computer. If you're a parent, you probably regard the Internet as a font of both promise and peril for your children. It can be an invaluable learning tool and a way to encourage your kids to develop the basic computer skills they'll eventually need. But what if they take to it a little too eagerly and enthusiastically and begin using it to get into places where they don't belong? In that case, normal youthful rebellion, or simple inquisitiveness, if it's expressed over the Internet, could turn your family upside down. It happened last February in Cloverdale, California, when surprised parents found out their teenage son was suspected in a series of Pentagon intrusions. It happened again in Massachusetts a week later, when the Justice Department won its first juvenile conviction under the Federal Computer Fraud and Abuse Act. It happened to my family 15 years ago, in one of the first hacker raids in the country.
At that time, I was the teenage miscreant who was illegally accessing federal computers. Now, in my early thirties, I've begun to wonder how I would protect a kid of my own from becoming a poster child for computer crime. I believe the best approach is to stay informed and to communicate with your potential cyberpunks.

Open Communication Channels

Some of the things you might view as ominous warning signs are actually quite harmless. For example, if your teenager calls himself a "hacker," he may not be headed for trouble. Despite the media's breathless exhortation, hackers are not lawbreakers by definition. The word actually describes someone with a talent for technology, a deep interest in how things work, and a tendency to reject any limitations. If your son disassembled the Giga Pet you gave him for Christmas, he's probably a hacker. If he made it run better, he definitely is. Of course, some hackers go further and test their skills against the adult world of corporate and governmental computer systems. If I thought my kids were cracking computers, I would want to put a stop to it -- though not because it's the crime of the century. True hackers live by an ethical code that precludes damaging systems or profiting from their intrusions. There are worse values for a teenager to have. But regardless of motives, a hacker who's caught in the act today is likely to be treated as an industrial spy or a national security threat. A single moment of rebellious exploration could land a teenager an early felony conviction. If you suspect that your kid may be crossing the line, there are various software packages on the market that will allow you to monitor or control his or her access to the Internet. Don't even think about using one. If your teen really is a hacker, your technological solution will be a source of amusement and derision, as well as an insult to his talents. Instead of putting up barriers, I suggest you talk to your kids.
If your kid is reading underground Web sites for hackers, read them yourself. If he has a subscription to a hacker magazine, go through it and ask questions. Feel free to marvel at the cleverness of the latest hacker technique. Then talk about consequences: the rising costs of legal representation, the problems that a convicted felon encounters in academia and the job market. Start looking at alternatives to a life of cybercrime.

Constructive Alternatives

If your kid has a rebellious streak, I suggest giving up on trying to suppress it; try to channel it instead. When hackers grow up, they often find a reasonable substitute for the thrill of intrusion by working the other side. Ask your teen how he would plug the latest security holes. Get him thinking about it. Ask him for advice on protecting your own e-mail or your ISP account. The hacker tradition has always contained an element of disrespect for authority. Up until 15 years ago, cracking systems was an acceptable rite of passage in the industry, and some of the same people who pioneered artificial intelligence and the personal computer also ushered in phone phreaking, lock hacking, and computer intrusion. Early hackers believed that computers were a public resource and that access to them and knowledge about them should be free. In a sense, the first-generation hackers won their battle when they created the personal computer: It gave them free access to computing power anytime they wanted. Today, kids can claim that victory on the Internet by authoring a Web page. There is plenty of room for innovation and creativity. Today's PCs are as powerful as yesterday's mainframes. With today's PCs, no one needs to break the law to explore technology. With the right tools, and parental support, kids can earn the respect of their peers and get an early start on their future by mastering the latest programming languages.
If my kid were a hacker, I'd encourage him to shun the instant gratification of cracking a Fortune 500 company in favor of the greater satisfaction of creating something unique from scratch. Ultimately, that's what hacking really is all about.

0x15>------------------------------------------------------------------------

Title: Paging Network Hijacked
By: Chris Oakes
Date: 4:00am 24.Jul.98.PDT

[A non internet hacking article! Woohoo!]

Someone in Texas exploited a vulnerability in the PageMart paging network this week, sending a flurry of mysterious pages to tiny screens nationwide, confusing subscribers, and swamping the company's customer service center with phone calls.

PageMart said a random discovery enabled the intruder to use a set of pager addressing numbers to send messages to entire groups of customers, rather than individual subscribers. But a security expert said the system may have been hacked.

PageMart spokeswoman Bridget Cavanaugh detailed Wednesday's incident in an email late Thursday. "A person, unknown to PageMart," she said, "discovered that three PINs [personal identification numbers] on our paging terminal in Dallas were actually mail drops."

[snip...]

On Wednesday, PageMart customer and San Francisco resident Jeremiah Kelly reported that he received odd messages for a period of about an hour and a half on Wednesday afternoon. Upon receiving one incomprehensible page -- unrecognizable in source or content -- he suspected a simple "wrong-number" message.

"But then, all of a sudden, I got a blitz," Kelly said. Most notable was a recurring message: "There is only one blu bula."

"I received one of those several times," he said. Another pair of messages said "Mike, you're Mom drives a Passat," and another was sexually suggestive. Both of the latter pages were signed "Christian." Kelly said he received about 30 of the senseless messages.

[snip...]

"The incident impacted about 1.5 percent of our customers nationwide," Cavanaugh said. "Statistically, it's a small number." PageMart provides numeric and text paging service in all 50 states, Canada, Mexico, Central America, and the Caribbean, serving approximately 2.7 million customers.

"It's a perfect example of how overconfidence can eventually cause a problem," said Peter Shipley, who analyzes and bolsters system security for accounting firm KPMG Peat Marwick.

Though it wasn't clear that PageMart's system was actually broken into, Shipley said poor protection against break-ins is all too common.

"I'm in the business of doing these type of security audits, and a large number of systems I've seen have easy password access -- under the assumption of 'why would somebody want to hack it?'"

In fact, paging services are responsible for enormously valuable data, from billing addresses to credit card information and more, Shipley said. Then there are the messages themselves, which can be easily netted as they make their way through the airwaves.

"Smaller companies believe they are not targets [for hackers]," concluded KPMG's Shipley. "But small companies are as equally targeted as large companies. They're stepping stones -- the small fish that hackers start on."

0x16>------------------------------------------------------------------------

Title: FBI busts hacker who sold clandestine accounts on PageNet system
Date: July 30, 1998 7:28 p.m. EDT
Source: Nando Times

PageNet Inc., one of the largest wireless message providers, said U.S. federal agents arrested a San Diego man Thursday who allegedly set up unauthorized voice mailboxes and paging accounts on its system, costing the company about $1 million.

[snip...]
0x17>------------------------------------------------------------------------

Title: EFF DES Cracker Machine Brings Honesty to Crypto Debate
Date: July 17, 1998

"EFF DES CRACKER" MACHINE BRINGS HONESTY TO CRYPTO DEBATE

ELECTRONIC FRONTIER FOUNDATION PROVES THAT DES IS NOT SECURE

SAN FRANCISCO, CA -- The Electronic Frontier Foundation (EFF) today raised the level of honesty in crypto politics by revealing that the Data Encryption Standard (DES) is insecure. The U.S. government has long pressed industry to limit encryption to DES (and even weaker forms), without revealing how easy it is to crack. Continued adherence to this policy would put critical infrastructures at risk; society should choose a different course.

To prove the insecurity of DES, EFF built the first unclassified hardware for cracking messages encoded with it. On Wednesday of this week the EFF DES Cracker, which was built for less than $250,000, easily won RSA Laboratory's "DES Challenge II" contest and a $10,000 cash prize. It took the machine less than 3 days to complete the challenge, shattering the previous record of 39 days set by a massive network of tens of thousands of computers. The research results are fully documented in a book published this week by EFF and O'Reilly and Associates, entitled "Cracking DES: Secrets of Encryption Research, Wiretap Politics, and Chip Design."

[snip...]

0x18>------------------------------------------------------------------------

Title: Hacking site gets hacked
By: Paul Festa
Source: CNET News.com
Date: October 28, 1998, 11:30 a.m. PT

Hacking and security news and information site Rootshell.com was the subject of its own coverage today after suffering an early morning hack.

The hack, preserved here, occurred this morning at 5:12 a.m. PT, according to Rootshell. Administrators took the site down after discovering the attack at 6 a.m. PT. The site was restored two hours later.

"Steps have been taken to prevent re-entry, and full details are now being turned over to law enforcement for what we hope will turn into arrests," Rootshell administrator Kit Knox said this morning in a statement.

[Hrm. Let's give out scripts that help every clueless script kiddie break into thousands of sites worldwide.. then narc off the one that breaks into us. Time to face the music. That's like the pot calling the kettle black. Name your cliche', they deserved it.]

Knox later said that the matter had been turned over to the FBI.

The attacker replaced the Rootshell.com front page with a rambling screed peppered with profanity as well as references to groups and luminaries in the hacking world, including imprisoned hacker and perennial cause Kevin Mitnick. The attacker also threatened to hit another hacking news site, AntiOnline.

0x19>------------------------------------------------------------------------

Title: From Criminals to Web Crawlers
By: Kristen Philipkoski
Date: 4:00am 15.Jul.98.PDT

A crime-fighting search engine used to fight terrorism and insurance scams may soon find a home at one of the Web's top search engines. The system, called VCLAS, has helped detectives crack cases all over the world.

"In 11 days, the PhoneFraud software helped law-enforcement agencies in New York uncover US$1.2 billion in stolen services," said Jay Valentine, president and CEO of InfoGlide, the company that owns the VCLAS software package.

The software is built around a "Similarity Search Engine," which thrives on imperfect and complex information, data that engineer David Wheeler said often stumps search algorithms based on neural networks.

Similarity searching is well-suited to crime work, Wheeler said, because investigations are often inherently random and disconnected. For instance, if police are looking for a red vehicle, but a witness says it was maroon, a traditional keyword search wouldn't register a match since it couldn't recognize that the colors are similar.
0x1a>------------------------------------------------------------------------

Title: Running a Microsoft OS on a Network? Our Condolences
Date: July 21, 1998

[The title alone made this worth including.]

The CULT OF THE DEAD COW (cDc) will release Back Orifice, a remote MS Windows Administration tool at Defcon VI in Las Vegas (www.defcon.org) on August 1. Programmed by Sir Dystic [cDc], Back Orifice is a self-contained, self-installing utility which allows the user to control and monitor computers running the Windows operating system over a network.

Sir Dystic sounded like an overworked sysadmin when he said, "The two main legitimate purposes for BO are, remote tech support aid and employee monitoring and administering [of a Windows network]."

Back Orifice is going to be made available to anyone who takes the time to download it. So what does that mean for anyone who's bought into Microsoft's Swiss cheese approach to security? Plenty according to Mike Bloom, Chief Technical Officer for Gomi Media in Toronto.

[snip...]

None of this is lost on Microsoft. But then again, they don't care. Security is way down on their list of priorities according to security expert Russ Cooper of NT BUGTRAQ (www.ntbugtraq.com). "Microsoft doesn't care about security because I don't believe they think it affects their profit. And honestly, it probably doesn't." Nice.

But regardless of which side of the firewall you sit on, you can't afford not to have a copy of Back Orifice. Here are the specs:

[snip...]

After August 3, Back Orifice will be available from www.cultdeadcow.com free of charge.

0x1b>------------------------------------------------------------------------

Title: Security expert explains New York Times site break in
Date: September 18, 1998
By: Ellen Messmer

Although the New York Times is not revealing the details of what happened last weekend when it was hijacked by a hacker group, one security expert has it figured out.
A group of hackers calling themselves Hackers for Girlies broke into the Times news site on Sunday. The hackers took control of the site to display their own diatribe complete with nude images and to protest the arrest of hacker Kevin Mitnick. The Times worked for half a day to regain command of its server.

Hackers often break in by exploiting security vulnerabilities associated with default Common Gateway Interface scripts that ship with Web servers, according to Patrick Taylor, director of strategic marketing at Internet Security Systems in Atlanta. They exploit these scripts to send a string of long commands to cause a buffer overflow that lets them into the operating system. They first give themselves an account in the system and then stick in a backdoor Trojan horse program such as "rootkit" to gain and maintain root control, he said.

"CGI scripts are intended to pass commands from the Web server to something in the operating system, perhaps to pull database information," Taylor said. "But you should get rid of these superfluous CGI scripts and depend on your own custom scripts."

The Times may have had a long struggle regaining control of its Web site because the latest Trojan horses are designed so well that they hide within the operating system, encrypted or even providing the same checksum as the legitimate operating system.

"It's nefarious--the hacker essentially has remote administration of the Web server," Taylor said. "You can't rely on a backup of the machine. You may have to reinstall the entire operating system."

By coincidence, the Times had once looked at using the ISS security gear, but decided not to, he said. The Times declined to discuss any aspect of its Web operations, saying it was "a matter of security."

[The real reason for this article and quoting a PR person from ISS maybe? Fact is, ISS didn't audit the network before OR after the breakin. How would this guy know the method they used to compromise the machine?]

The "Hackers for Girlies" ranted in its own posting to have "busted root" on the Times, and directed some invective toward Times reporter John Markoff and security expert Tsutomu Shimomura for their respective roles in the investigation of hacker Kevin Mitnick, now held in jail. Markoff and Shimomura two years ago collaborated on a book entitled "Takedown" about the law enforcement pursuit of Mitnick. In its own account, the Times said the hacker incident at nytimes.com may be related to an upcoming trial in January of Mitnick.

While hacker rantings and pornography can be bad enough to discover on a Web site, a far more serious scenario involves a hijacker more surreptitiously posting information that has been slightly changed, leading the reader to view it as authentic.

"This could end up like 'War of the Worlds,' where people went into a panic because they didn't know what they were hearing on the radio was made up," commented Doug Barney, Network World news editor.

0x1c>------------------------------------------------------------------------

Title: Merriam-Webster Taken Offline Old Fashioned Way
Date: Wed Aug 5 00:41:57 MDT 1998
Source: www.m-w.com

What happened?

On Thursday night, July 30th, the facility that hosts Merriam-Webster's Web site was burglarized and its servers were stolen. We've managed to restore limited capacity, but we need to obtain new hardware from our suppliers before we can return to full service. We hope to have the entire site active again in a few days. We apologize for the inconvenience and hope you will bear with us as we deal with the situation.

Thank you for your patience.

--The Merriam-Webster Web Team

[Guess we shouldn't put the computer by the window...]
0x1d>------------------------------------------------------------------------

Title: Long Haired Hacker Works Magic [my title]
Source: Nando Times
Date: September 20, 1998

The hacker calling himself Mudge pushed his long hair back, scratched his beard and stared at the computer screen. He knew there was something wrong with the data traffic he was watching, but what was it?

A week earlier, Mudge and his fellow hackers in their hangout known as the L0pht -- pronounced "loft" -- had acquired some software that was supposed to let computers talk to each other in code. But as Mudge watched the data he realized someone else was doing the same and maybe even decoding it, which shouldn't happen.

"So you are saying that you're using DES to communicate between the computers?" Mudge recalled asking representatives of the software maker.

Yes, they said, they were using DES, a standard encryption method that for years was considered virtually uncrackable.

But this wasn't DES, thought Mudge. It's almost as if...

Whoa. He blinked and felt the adrenaline kick in.

This wasn't secure at all. In fact, the encoding was only slightly more complex than the simple ciphers kids did in grade school -- where "A" is set to 1, "B" is set to 2, and so on.

The company was selling this software as a secure product, charging customers up to $10,000. And yet, it had a security hole big enough to waltz through.

Instead of exploiting this knowledge, Mudge confronted the company.

"You realize there isn't any secure or 'strong' encoding being used in your communications between the computers, don't you?" he asked.

"Well..."

"And that you claimed you were using DES to encrypt the data," he pressed.

"That will go in the next revision."

Mudge is a "real" hacker -- one who used to snoop around the nation's electronic infrastructure for the sheer love of knowing how it worked. His kind today are sighted about as often as the timberwolf, and society has attached to them the same level of legend.
Like the wolf, they were once considered a scourge. Law enforcement and telecommunication companies investigated and arrested many of them during the late 1980s and early '90s.

Today, many elite hackers of the past are making a go at legitimate work, getting paid big bucks by Fortune 500 companies to explore computer networks and find the weak spots.

And none too soon. The void left by the old hackers has been filled by a new, more destructive generation.

So today, Mudge -- who uses a pseudonym like others in the hacker community, a world where anonymity keeps you out of trouble -- wears a white hat. As part of L0pht, the hacker think tank, he and six comrades hole up in a South End loft space in Boston and spend their evenings peeling open software and computer networks to see how they work.

When they find vulnerabilities in supposedly secure systems, they publish their findings on the Web in hopes of embarrassing the companies into fixing the problems. A recent example: They posted notice via the Internet of a problem that makes Lotus Notes vulnerable to malicious hackers...

A Lotus spokesman said the company was aware of the flaw but it was extremely technical and unlikely to affect anyone.

The hackers at L0pht have made enemies among industry people, but they command respect. They were even called to testify before the U.S. Senate Committee on Governmental Affairs in May.

Why do they publish what they find?

"If that information doesn't get out," Mudge replies, "then only the bad guys will have it."

The "bad guys" are the hacker cliche: secretive teens lurking online, stealing credit card numbers, breaking into Pentagon systems, and generally causing trouble. One of L0pht's members, Kingpin, was just such a cad when he was younger, extending his online shenanigans to real-world breaking and entering. Today, L0pht keeps him out of mischief, he said.

"We're like midnight basketball for hackers," said Weld Pond, another member.