💾 Archived View for clemat.is › saccophore › library › ezines › textfiles › ezines › DEFAULT › defau… captured on 2022-01-08 at 15:26:38.
--------------------------------------------------------------------------------
Default newsletter Issue #3                      http://default.net-security.org
27.08.1999
Help Net Security                                http://www.net-security.org
--------------------------------------------------------------------------------

TABLE OF CONTENTS
-----------------

I.    Editorial
II.   Last week's news on Help Net Security
      a) Help Net Security news headlines
      b) Defaced pages
III.  Y2K: As the millennium approaches
IV.   A look into basic cryptography
V.    Internet privacy: Freedom Network
VI.   Macintosh security: F33r my hybride M4c, I'm coding!
VII.  Computing: A closer look at hard- and software
VIII. Linux: IP Masquerading
IX.   Infection and vaccination
X.    Freedom of speech - related incidents
XI.   Scams - Getting something by all means
XII.  Intrusion and detection part two


I. Editorial
------------

Hey people. We received good comments on Default newsletter from both
individuals and security professionals. We have only two issues behind us, but
we will get even better (with your feedback and help, of course). If you would
like to write an article for Default newsletter, please e-mail us. Any help is
appreciated.

As you can see, this issue is a little bit shorter. That is because Doug Muth
has not come back from his holidays yet, and Thejian and I were very busy this
week. So expect the next Default newsletter to be bigger and better than the
previous ones. In case you want to mirror Default newsletter on your site,
e-mail us as well ;)

Subscribing to Default newsletter: send an e-mail to
majordomo@net-security.org with the message body

    subscribe news your@email

Berislav Kucan aka BHZ, webmaster Help Net Security
bhz@net-security.org

Xander Teunissen aka Thejian, co-webmaster Help Net Security
thejian@net-security.org


II. Last week's news on Help Net Security
-----------------------------------------

a) Help Net Security news headlines

- Friday 20th August 1999:
  Default #2 released
  ABC compromised
  Belgian bank compromised
  Intel extends on-line privacy ban
  Homophobic web site "stolen" by hackers?
  Indonesia responds to cyber war threats
  Watching workers
  Carding in Newcastle

- Saturday 21st August 1999:
  Linux trojan in portmap.c
  FTP.exe overflow
  Biometrics in prisons
  Office 2000 also vulnerable to Jet flaw
  Former CIA director kept state secrets on home PC
  Furor rising over PV wiretap plan
  Student draws first net piracy conviction

- Sunday 22nd August 1999:
  MS security bulletin #30
  Sun says US army is testing Jini
  Hardencrypt
  E-commerce group formed to combat fraud
  ReDaTtAcK busted

- Monday 23rd August 1999:
  Firm nabs cracker with intrusion detection tool
  First Net convict will do no time
  GAO risk-assessment report
  Sprint plans service to detect viruses
  US Government and invasion of privacy
  East Timorese domain host denounces cyberwar
  Secure your web site
  DOD speaks on Y2K
  Bomb for Microsoft manager

- Tuesday 24th August 1999:
  ISS X-Force advisory on Lotus Domino server 4.6
  Technology keys to tracking down Internet crime
  Govt. home-invasion bill
  Hackers scanning for trouble
  Norton AntiVirus 2000 is out
  Secret searches from DOJ
  SSL CPU consumption causes concerns
  Unix: It doesn't need to be so insecure

- Wednesday 25th August 1999:
  Shoutcast compromised
  HK police to establish computer crime team
  Smith admitted to creating Melissa
  New IE5 bug worse than ever?
  Audit office blasts agencies' serious security flaws
  Malicious attack on linux-kernel mailing list
  More cyber-war threats

- Thursday 26th August 1999:
  Taiwan circles wagons in cyber-warfare
  UK webhosting company hit by virus
  Netscape issues web-server fix
  Windows and bugs? Nooooo?
  CWI cracks 512 bit key
  Mounting an anti-virus defense
  Tracing stolen computers through RC5
  Self destructing e-mails?
  Nice Y2K problems in Pakistan
  Retrospective on cracking contest
  Y2K test

http://net-security.org                 - Daily security related news
http://net-security.org/news            - News archives
http://net-security.org/headlines.shtml - Add HNS headlines to your web site

b) Defaced pages (mirrors provided by Attrition, http://www.attrition.org):

Site:   Red Hat Indonesia (www.redhat.or.id)
Mirror: http://default.net-security.org/3/www.redhat.or.id.htm

Site:   Official web site of Limp Bizkit (www.limpbizkit.com)
Mirror: http://default.net-security.org/3/www.limpbizkit.com.htm

Site:   Monica Lewinsky's site (www.monicalewinsky.com)
Mirror: http://default.net-security.org/3/www.monicalewinsky.com.htm

Site:   Madison Square Garden (www.thegarden.com)
Mirror: http://default.net-security.org/3/www.thegarden.com.htm

Site:   The State University of West Georgia (www.westga.edu)
Mirror: http://default.net-security.org/3/www.westga.edu.htm

Site:   Rock.com's Rolling Stones web site (www.stones.com)
Mirror: http://default.net-security.org/3/www.stones.com.htm


III. Y2K: As the millennium approaches
--------------------------------------

This week's Y2K headlines:

The computer network used by many Vermont police agencies and other emergency
services went down for two days this week while technicians were preparing the
system for the year 2000. While it was down, prosecutors had problems getting
police paperwork, reporters couldn't get routine releases, and motorists
needing copies of accident reports were out of luck. Officials do not yet know
why the computer crashed. They do know it happened as technicians were
upgrading the system to prepare for Y2K. It took more than two days to get the
system running again. In the meantime, much of the record-keeping had to be
done the old-fashioned way: with pen and paper.
PC Week reported on MS Excel Y2K problems: "Unless users of Microsoft Corp.'s
Excel download scanning tools from the company's Web site, their spreadsheets
could go haywire when they open their files on Jan. 1. A Boston-based
technology management consulting company has found that an Excel year 2000
error causing drastic math errors went undetected by a handful of Y2K analysis
tools. The core of the problem is that Excel versions through Excel 2000 have a
DATE() function that treats all two-digit years as 20th-century dates,
regardless of how Excel is configured to handle two-digit dates. As a result,
spreadsheets that use the DATE function are particularly vulnerable to Y2K
problems. (By default, Excel 97's and Excel 2000's other date functions, as
well as the software's data entry routines, treat two-digit dates less than 30
as part of the 21st century.)"

The Millennium Bug that promised to swell U.S. courts with lawsuits, arising
from damage that may occur if a computer system fails to recognize the year
2000, has so far resulted in only 74 cases filed, according to a report
released Monday by PricewaterhouseCoopers. The trickle has the potential to
turn into a full-fledged flood after the clock strikes midnight on 31 December
1999, some experts said. As of June 30 there were only 74 cases filed in state
and federal courts against 45 defendants relating to the Year 2000 computer
glitch (Y2K), according to the report.

Karen Shaw completed her 39-day trek across the state, in which she set out to
promote Y2K awareness among rural residents of Oregon. The 49-year-old teacher
started her journey to show others that Y2K is coming very soon and that they
must be prepared. Shaw left Medford with only $20, but said she lived on the
generous donations of food and cash from people she encountered along the way.
She said: "I did not come across any panicked people, but very practical,
grounded, spiritual, caring people who are just doing what their hearts tell
them to do".
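The Excel report above comes down to a single question: how is a two-digit year expanded to four digits? The following Python is an added illustration, not code from PC Week, Microsoft or this newsletter. It implements the three expansion policies this section mentions (the fixed 19xx century that Excel's DATE() function uses, the pivot-at-30 window that Excel 97/2000 data entry uses, and the current-century rule that the Outlook Express 4.01 update note later in this section describes) and measures, in days, how far each one misplaces a date. The pivot value of 30 and the Outlook Express special case for '99 are taken from the text; the sample invoice date is constructed for the example.

```python
import datetime

# Added example: three ways of expanding a two-digit year, as described in this
# section of the newsletter. Not code from Excel or Outlook Express.

def expand_fixed_century(yy):
    """Excel DATE() through Excel 2000: every two-digit year is 19yy."""
    return 1900 + yy

def expand_pivot(yy, pivot=30):
    """Sliding window: years below the pivot are 20yy, the rest 19yy.
    Excel 97/2000 data entry uses pivot=30 (the text: 'less than 30')."""
    return 2000 + yy if yy < pivot else 1900 + yy

def expand_current_century(yy, current_year):
    """Outlook Express 4.01 rule from the update note: use the century of the
    current year, except that '99 in a year that is a multiple of 100 becomes
    current_year + 98 (so '99 seen in 2000 is read as 2098)."""
    if yy == 99 and current_year % 100 == 0:
        return current_year + 98
    return current_year - current_year % 100 + yy

def misplacement_days(yy, mm, dd, expand, actual_year):
    """Days by which `expand` misplaces a date that really falls in
    actual_year (negative means it was pushed into the past)."""
    assert 0 <= yy <= 99, "two-digit year expected"
    got = datetime.date(expand(yy), mm, dd)
    want = datetime.date(actual_year, mm, dd)
    return (got - want).days

def compare_policies(yy, mm, dd, actual_year, current_year):
    """Misplacement in days for each policy on one date."""
    return {
        "fixed_century": misplacement_days(yy, mm, dd, expand_fixed_century, actual_year),
        "pivot_30": misplacement_days(yy, mm, dd, expand_pivot, actual_year),
        "current_century": misplacement_days(
            yy, mm, dd, lambda y: expand_current_century(y, current_year), actual_year),
    }

if __name__ == "__main__":
    # Constructed case: an invoice dated 15/01/00, opened on 1 January 2000.
    # DATE() puts it a century in the past; the other two policies get it right.
    print(compare_policies(0, 1, 15, actual_year=2000, current_year=2000))
```

The fixed-century result (a hundred years, 36524 days, off) is the "drastic math error" the consultants found: any age, interest or due-date calculation built on DATE() inherits that error silently, which is why the scanning tools that only look at cell formats missed it.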
Hundreds of people in Japan complained on Sunday after their automobile
navigation systems went haywire, the result of a Y2K-like glitch (the
week-number rollover) in the GPS satellite system used in navigation devices
worldwide. Screens went blank and bizarre symbols turned up on the electronic
navigators, essential for millions of drivers in a country where urban streets
are a chaotic jumble. Pioneer Corp., a major manufacturer of car navigation
systems, received about 600 calls on its help hotline, said company spokesman
Hidehiko Shimizu. Shimizu said callers were directed to the nearest repair
shop, where their systems were fixed for free.

Y2K TOOLS
---------

TITLE:        Outlook Express Year 2000 Update
SIZE:         140 KB
TYPE:         Freeware
REQUIREMENTS: Windows 95/98/NT, Outlook Express 4.01
DOWNLOAD:     http://default.net-security.org/3/en-x86-Q234681.exe
INFO:         Part of Windows 98 Service Pack 1, this program resolves a year
2000 issue with Outlook Express 4.01. The issue occurs when receiving an IMAP
mail message or a news message with a two-digit year as the sent date; under
certain conditions the date is misinterpreted. If the two-digit year is
anything other than '99, Outlook Express assumes the century is the same as
the current century: if the current year is 2000 and a two-digit year of '97
is received, it is interpreted as 2097. There is one special case where
different logic applies: if a two-digit year of '99 is received and the
current year is a multiple of 100 (e.g. 2000), the year is interpreted as the
current year plus 98 (e.g. 2098).

Berislav Kucan aka BHZ
bhz@net-security.org
http://net-security.org


IV. A look into basic cryptography
----------------------------------

This is where I left off when I was working on the HOWTO last... so from here
on is new and (slightly) improved. I probably have my terminology wrong, but
what follows is what I think is called an output feedback cipher.
It takes the output from one step of applying the cipher and uses it when
applying the cipher to the next part. This is the simplest form of output
feedback I could think of.

First index the alphabet in some manner. It could be ASCII values, or a simple
1-26 method (I suggest ASCII, because then you allow for punctuation; I use
1-26 here because it is easier to explain the cryptosystem).

    A=1  B=2  C=3  D=4  E=5  F=6  G=7  H=8  I=9  J=10 K=11 L=12 M=13
    N=14 O=15 P=16 Q=17 R=18 S=19 T=20 U=21 V=22 W=23 X=24 Y=25 Z=26

As it stands this is a very basic substitution cipher (each letter is replaced
by a fixed number and nothing is rearranged, so it is not a transposition), but
that will soon change. The algorithm in mathematical terms is:

    (N+P(1))%26=C(1)
    (N+C(1)+P(2))%26=C(2)
    (N+C(2)+P(3))%26=C(3)
    (N+C(3)+P(4))%26=C(4)
    ...
    (N+C(r-1)+P(r))%26=C(r)

This may seem complicated, but it is not. N is a random number that will be
passed on as the key. I suggest a larger number to protect yourself from a
brute force attack. Do not use a number divisible by 26. In fact, for safety's
sake, try using a larger prime, or a product of two smaller primes. C(1) is the
first ciphertext letter, P(1) is the first plaintext letter, r is the total
number of characters in the message, and % is the mathematical symbol for the
modulus function.

A caution on the key advice: every step is reduced mod 26, so only N mod 26
ever reaches the ciphertext. N = 73 and N = 21 (or 99, or 125) produce exactly
the same output, which means there are only 26 distinct keys however large N
is, and a brute force attack needs at most 26 trials. A number divisible by 26
is equivalent to N = 0, which leaves the first letter unchanged; the size of N
otherwise adds nothing.

Modulus is like the remainder after dividing an integer by another integer, so
28%26=2 and 942%26=6. If your calculator doesn't handle modulus, a simple way
to do it is:

    942/26 = 36.2307692307692307692307692307692
    36.2307692307692307692307692307692 - 36 = .2307692307692307692307692307692
    .2307692307692307692307692307692 * 26 = 6

(round, since your calculator can't handle all of these decimals; Windows calc
in scientific mode can handle modulus, the key you are looking for is Mod).

You take your message. Let's take the word HELLO for simplicity's sake. First
change it to the corresponding numbers:

    H E L  L  O
    8 5 12 12 15

Our key number will be 73. (Once again, I suggest a more secure key number than
this, but it will serve our purposes well.)
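Here is the scheme above carried out in code, as an added example rather than the author's own: it encrypts with the feedback rule, runs the inverse rule to decrypt (the receiver already holds every C(i-1), so no guessing is needed), wraps the key in front of the message the way the section goes on to describe (one letter giving the number of key digits, then one letter per digit), and shows that a key only matters modulo 26. It assumes the article's A=1 ... Z=26 table and writes a result of 0, which that table has no letter for, as Z, since 0 and 26 are the same residue.

```python
# Added example of the feedback cipher from this section (not the author's
# code). Letters are numbered A=1 .. Z=26 as in the article's table; a value
# of 0 has no letter there, so it is written as Z (0 == 26 mod 26).

ALPHABET_SIZE = 26

def to_numbers(text):
    """'HELLO' -> [8, 5, 12, 12, 15]; anything that is not a letter is dropped."""
    return [ord(ch) - ord("A") + 1 for ch in text.upper() if "A" <= ch <= "Z"]

def to_letters(numbers):
    """[3, 3, 10, 17, 1] -> 'CCJQA'; 0 and 26 both become 'Z'."""
    return "".join(chr((n - 1) % ALPHABET_SIZE + ord("A")) for n in numbers)

def encrypt(plaintext, key):
    """C(i) = (N + C(i-1) + P(i)) % 26, with C(0) = 0 for the first letter."""
    previous = 0
    out = []
    for p in to_numbers(plaintext):
        c = (key + previous + p) % ALPHABET_SIZE
        out.append(c)
        previous = c            # the ciphertext value is fed back into the next step
    return to_letters(out)

def decrypt(ciphertext, key):
    """Inverse rule: P(i) = (C(i) - C(i-1) - N) % 26."""
    previous = 0
    out = []
    for c in to_numbers(ciphertext):
        out.append((c - previous - key) % ALPHABET_SIZE)
        previous = c
    return to_letters(out)

def frame(key, ciphertext):
    """Prepend the key as the section suggests: one letter for the number of
    key digits, then one letter per digit (for 73: 2 7 3 -> B G C).
    A digit 0 has no letter in the 1..26 table, so such keys are refused."""
    digits = [int(d) for d in str(key)]
    if 0 in digits or len(digits) > ALPHABET_SIZE:
        raise ValueError("key digits must be 1-9 for this framing")
    return to_letters([len(digits)] + digits) + ciphertext

def unframe(message):
    """Split a framed message back into (key, ciphertext)."""
    numbers = to_numbers(message)
    n_digits = numbers[0]
    key = int("".join(str(d) for d in numbers[1:1 + n_digits]))
    return key, message[1 + n_digits:]

def effective_key(key):
    """Everything is reduced mod 26, so this is all of the key that matters."""
    return key % ALPHABET_SIZE

def brute_force(ciphertext):
    """All 26 candidate plaintexts; the real one is always among them."""
    return {k: decrypt(ciphertext, k) for k in range(ALPHABET_SIZE)}

if __name__ == "__main__":
    framed = frame(73, encrypt("HELLO", 73))
    print(framed)                                    # BGCCCJQA
    key, ct = unframe(framed)
    print(key, ct, decrypt(ct, key))                 # 73 CCJQA HELLO
    print(effective_key(73), brute_force(ct)[21])    # 21 HELLO
```

brute_force shows why the advice about large primes does not help: whichever N the sender picks, one of the 26 rows is the message, and the key travelling in the first letters of the message removes even that small effort.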
    1 2 3  4  5
    8 5 12 12 15

Restate the algorithm:

    (N+P(1))%26=C(1)
    (N+C(1)+P(2))%26=C(2)
    (N+C(2)+P(3))%26=C(3)
    (N+C(3)+P(4))%26=C(4)
    ...
    (N+C(r-1)+P(r))%26=C(r)

And begin applying the algorithm:

    H   (73+8)%26     = 3
    E   (73+3+5)%26   = 3

NOW you see the power of a more complicated cipher: here 3 stands for both H
and E.

    L   (73+3+12)%26  = 10
    L   (73+10+12)%26 = 17

Once again, the power of a more complicated cipher: while 3 stands for both H
and E, L is represented by both 10 and 17.

    O   (73+17+15)%26 = 1

    3 3 10 17 1

Then take these numbers and turn them back into letters:

    A=1  B=2  C=3  D=4  E=5  F=6  G=7  H=8  I=9  J=10 K=11 L=12 M=13
    N=14 O=15 P=16 Q=17 R=18 S=19 T=20 U=21 V=22 W=23 X=24 Y=25 Z=26

    CCJQA

Now you ask: how do you get back to the original "HELLO"? Well, first you need
a way to tell someone the key number. I suggest appending it to the beginning
of the message. Go back to the message in numbers:

    3 3 10 17 1

Here the key number was 73; that is two letters. Add 2 7 3 to the beginning of
your message:

    2 7 3 3 3 10 17 1

then make it text:

    B G C C C J Q A

and send that to someone. They extract the numbers, and then the key number of
73. (Note: if someone knows the method you used to hide the key number in the
message, the security of the message is lost. That is the case with any
single-key cryptosystem that sends its key along with the message; normally the
key is agreed over a separate channel and never travels with the ciphertext.)

Here's an idea: I will make this section somewhat interactive. If you can
decrypt this message back to the original text of HELLO, please send your
analysis of how to decrypt it, in mathematical terms, to
crypto@net-security.org. I'll go over all the e-mails and post who was first,
and then go over it in the next issue. Have fun.

-Iconoclast


V. Internet privacy: Freedom Network
------------------------------------

The Freedom Network plays an integral role in Zero-Knowledge's absolute
privacy solution, Freedom. Here's a quick look at what exactly the Freedom
Network is and what it does. You'll often hear Freedom referred to as
client/server software, but what does this really mean?
Well, the "client" part is the software you install on your personal computer
and the "server" part is the software that runs the Freedom Network. The
Freedom Network is a series of servers distributed among ISPs and
organizations around the world.

Internet traffic normally travels from source to destination unsecured (i.e.
not encrypted), passing through servers that can be easily identified. This is
like sending confidential information on a postcard: anyone who handles the
postcard knows the sender, the recipient and the contents. This unsecured
delivery system makes message interception, falsification and tracking
possible.

To solve this problem, Freedom encrypts all Internet traffic and routes it
through a series of anonymous Freedom servers, known as the Freedom Network.
Each server in the chain knows only the previous and following servers in the
path, and nothing about the traffic (data) that it is handling. This makes the
system extremely secure, since no single server knows both the origin and the
destination of the traffic. In fact, no one, not even your ISP, can monitor
your web activities.

- Does my ISP need a Freedom Server for me to use Freedom?

It's important to note that your ISP doesn't need to run a Freedom Server for
you to enjoy the benefits of Freedom. If they do opt to host one, however, you
may notice an increase in browsing speed while running Freedom. This is
explained in greater detail in the next section.

- Network speed

We often talk about what effect running Freedom will have on your Internet
connection speed; these are also known as "latency" issues. Freedom employs a
number of systems to foil any attempt at analyzing a Freedom user's Internet
activities. The net effect of these systems can be slightly slower connection
speeds for some users.

The exact latency, if any, that a user will experience while running Freedom
depends on many factors, including:

- proximity to a Freedom Server
- geographic location relative to the Internet backbone
- the speed of your connection
- random Internet bottlenecks or "traffic jams"

When a user running Freedom connects to the Internet through their ISP, that
connection uses more bandwidth than a non-Freedom connection. As mentioned
above, this is due to the extra systems Freedom employs to ensure user
privacy. This extra bandwidth consumption is more taxing on an ISP's servers,
as the Freedom user's traffic passes through their system on its way to the
first Freedom Server on the Freedom Network. If, however, the user's ISP is
hosting a Freedom Server, that server will be able to intercept this traffic
much earlier, thereby streamlining the entire process. This, in turn, results
in quicker connection speeds for the Freedom user.

To sum up, the closer a Freedom user's computer is to the first Freedom
Server, the less latency the user will experience. Since the closest a user
can possibly get to a Freedom Server is if their ISP is running one, alerting
your ISP to the benefits of running a Freedom Server is a good idea! :-)

For an up-to-date listing of worldwide Freedom Server operators, please visit:
http://www.zeroknowledge.com/partners/founders.asp

Please keep in mind that this list gets bigger every day as more server
operators sign up, so be sure to check back often.

- Security issues

"How is it possible that my ISP can't monitor my activities, since all my
communications pass through their servers?"

Simple: all the data leaving your machine is encrypted using strong crypto,
which means that no one, not even your ISP, can watch what you're doing. In
fact, whether you're sending e-mail, surfing the Net, chatting or posting to
newsgroups, Freedom ensures that your activities remain private!

"Why should I trust your security when other supposedly invulnerable codes and
systems have been cracked?"

- Software

Zero-Knowledge uses established public algorithms that have proven to be
impervious to attack. Well-known public algorithms like Diffie-Hellman, Triple
DES, Blowfish and others ensure that the system will remain secure. ZK is
uncompromising in its testing and implementation of encryption technology,
using only established algorithms with unbreakable bit lengths; we do NOT cut
corners.

- The more bits, the stronger the encryption

As a Canadian company, ZK can export encryption technology far stronger than
the US Government's 56-bit encryption export standard. A document encrypted
with a 56-bit key has 72,057,594,037,927,936 possible keys. Freedom's
encryption begins at a 128-bit key length, meaning it has
340,282,366,920,938,463,463,374,607,431,768,211,456 possible keys. A
supercomputer capable of trying one million keys per second in a brute-force
attack would require about 10,000,000,000,000,000,000,000,000 years to find
the right key. That's a long time.

- Personnel

A number of experts in the field of privacy and cryptography have estimated
that there are perhaps five people in the world capable of designing and
lending credibility to a system of this complexity. ZK Chief Scientist Ian
Goldberg appears on that short list. ZK sought out Mr. Goldberg because of his
reputation for cracking other supposedly secure systems. As a grad student in
UC Berkeley's Internet Security, Applications, Authentication and Cryptography
group, Ian cracked the 40-bit RC5 key in the RSA Data Security challenge in
just three and a half hours. He also earned international recognition for his
part in breaking the Netscape SSL encryption system, as well as the
cryptography used in the GSM cellular phone standard.

- Peer review

Freedom has always been, and will continue to be, opened up for independent
review by acknowledged industry experts. Bruce Schneier of Counterpane Systems
will audit the source code line by line to ensure that no cracks, holes or
errors exist in the encryption implementation. Mr. Schneier, another
short-list member, is well known as a veteran cryptographer and the author of
Applied Cryptography: Protocols, Algorithms, and Source Code in C, widely
recognized as the bible of cryptography.

- Complete privacy

ZK puts its customers' privacy first, with no exceptions. Unlike key-escrow or
third-party systems, Zero-Knowledge (as implied by its name) is unable to
determine who is behind a given pseudonym, even under threat of force.

Jordan Socran
Zero Knowledge Systems (http://www.zeroknowledge.com)


VI. Macintosh security: F33r my hybride M4c, I'm coding!
--------------------------------------------------------

Most underground Mac users face the same problem: very few people are
actually coding network security tools on the Mac. The main reason is that
coding a TCP/IP stack would take hundreds of lines just to initialise. Today
many products offer an easy approach to programming; developing a project in
RealBasic (http://www.realsoftware.com) is much easier than in CodeWarrior
(http://www.metrowerks.com), even if each has its specifics and uses a
different language. Security software is usually not very big, since it is
focused on one type of vulnerability. It takes a long time to code and debug
a program. Another way to create your own tools is to use other languages,
faster to code and to use. Many cross-platform languages exist; the most
useful are C/C++, Visual Basic, Perl, PHP3, Java, REBOL and many more. REBOL
is a great new language that is 100% network oriented (http://www.rebol.com)
and easy to code. You can do many things, from a basic mail client to
databases, table builders and port scanners. In a few minutes you can build,
for example, a scanner for a remote vulnerability across IP ranges.
I made a cgi-check-like tool in REBOL a few months ago; it scans for around 70
well-known vulnerabilities, and it took only a few minutes to adapt from a C
source. Plus, the code runs on a virtual machine (available for 17 OSes) and
it is quite fast. Don't expect well-designed software full of colour, because
it is command line only.

Another language is Perl. Many sources are available in the security domain,
and you can easily use those with MacPerl and/or with a local web server.
Make sure those sources are likely to work on your OS before you even think
about using a firewall admin tool written in Perl... Anyway, if you plan to
use other languages that can't run on Mac OS, you can use an emulator, or
install LinuxPPC.

The Macintosh, with tools like RealBasic, lets you build software in an
almost code-free way: everything is done graphically, except the commands
themselves. The compiler can build software for Mac OS and for Wintel. For
Java it is more difficult to code, even if the JDK tools are available for
the Mac; it will ask a lot of patience of you. If you are just starting to
program and want to learn fast, you'd better start with RealBasic. Many
people from the Mac underground scene code with RealBasic; for example,
Portsniffer (http://software.theresistance.net) is a great product, and one
of the fastest port scanners I've ever seen on the Mac.

Another alternative is Mac OS X, a Unix-like made by Apple. Many Unix tools
are available or usable on this OS. It is a Unix that is easier to configure,
since Macintosh computers have fewer types of hardware.

Before you choose any language you'd better learn how to code; sometimes it
takes years before you can claim to know a language. Don't forget that the
only limit you have is your imagination!

deepquest
deepquest@default.net-security.org
All rights not reserved - Serving since 1994
http://www.deepquest.pf


VII. Computing: A closer look at hard- and software
---------------------------------------------------

The Intel Celeron CPU was introduced at the end of June 1998 with a 266 MHz
version, aiming to counter the success of the AMD K6-2 processor released a
month before. It used the 0.25 micron Deschutes core of the Pentium II, but it
had no L2 cache. This gave it high floating-point performance, since its
floating point unit (FPU) was identical to that of the Pentium II, but left a
big gap in integer performance compared to both the K6-2 and the Pentium II,
due to the missing L2 cache.

In July 1998 the 300 MHz version was released, still without L2 cache, while
at the beginning of September the 300A and 333 MHz versions were launched with
128 KB of L2 cache running at full clock frequency (against the Pentium II's
512 KB at half clock frequency) and placed within the core of the processor
(on die). The introduction of the L2 cache closed the integer-performance gap
of the earlier Celerons, making this processor a good solution in every field.

The technical features of the Celeron CPU up to September 1998 can be
summarised as follows:

- Deschutes core at 0.25 microns (as for Pentium II CPUs), called Mendocino
  for CPUs with L2 cache and Covington for those without;
- L1 cache of 32 KB, divided into two 16 KB halves for instructions and data
  (as for the Pentium II);
- L2 cache of 128 KB running at clock frequency and placed on die (in the
  Pentium II it amounts to 512 KB running at half clock frequency, placed on
  the processor cartridge outside the CPU core);
- frequency multiplier locked both upwards and downwards;
- bus frequency of 66 MHz, against 100 MHz for the Pentium II;
- SEPP package, i.e. cartridge based, using Slot 1 motherboards (the same used
  by Pentium II CPUs).

Intel's marketing has always kept the price of Celeron processors low: on one
side to compete with the AMD K6-2 in the low-end market, on the other to avoid
adding another expensive product alongside the Pentium II. Two aspects are
worth noting:

- The Celeron uses a 66 MHz bus while the Pentium II's is 100 MHz. In practice
  the difference in performance between the two, at the same clock frequency,
  is small, but to the user the first seems cheaper while the second seems
  more "professional", so many buy Pentium II based systems, with more profit
  for Intel.
- The performance of the Celeron Mendocino and the Pentium II at the same
  clock frequency is almost identical; the Pentium II has a big advantage only
  in server use, where its four times larger L2 cache shows even at half clock
  frequency. For this reason Intel has always kept a large clock gap between
  the two CPUs, so that power users would not buy a high-clocked Celeron,
  which is less profitable than a Pentium II.

At the beginning of 1999 a new version of the Celeron Mendocino was released;
the technical features were the same, but the SEPP package was replaced by a
PPGA one:

SEPP package: installed in Slot 1, it is similar to a Pentium II without the
external plastic cover; in the middle sits the CPU core, and on its sides is
the space where, on a Pentium II, the L2 cache chips are.

PPGA package: very similar to a Pentium MMX, it is more compact than the SEPP
version and is installed in Socket 370.

Officially the PPGA package was introduced to reduce the production cost of
the processor: the SEPP package, inherited from the Pentium II, no longer had
a reason to exist once the L2 cache was no longer on the cartridge but within
the CPU core. Another reason, linked to marketing, was to segment the
processor market: Slot 1 for more "professional" systems based on Pentium II
and Pentium III, Socket 370 for cheaper Celeron-based systems. Up to the 433
MHz version both Celeron variants, SEPP and PPGA, were available; from 466 MHz
on, SEPP was almost completely abandoned.

The Celeron was very successful thanks to its good general performance and to
the high overclockability of almost every version; with these processors it
was possible to reach clock frequencies higher than those of the Pentium II
with a very small investment. This article aims to check the overclockability
of the Celeron and to find, where possible, which Celeron version is best in
terms of price and performance.

Damir Kvajo aka Atlienz
atlienz@default.net-security.org


VIII. Linux: IP Masquerading: multi-computer access to a network via a single
interface on the server
-----------------------------------------------------------------------------

IPmasq basics:

When you set up IP masquerading on your Linux server, other machines on the
*local* network will be able to use the single network interface on the
server. The most common use is to provide Internet access to other machines
which do not have their own connection.

The difference between Linux IPmasq and Windows tools (e.g. Wingate):

There is a big difference between the two. IPmasq is an "IP forwarding
system", while Wingate acts as a proxy. So, to make a machine use Wingate,
each application has to be configured separately, while to use IPmasq one
just has to set a "default gateway" on the machine. Further adjustments of
client permissions are made on the server side (by modifying the firewall
rules). Also, IPmasq is capable of forwarding any kind of protocol, even
those which do not have a special IPmasq helper module.

Kernel options:

To enable IP masquerading in the kernel, select:

- IP firewalling - packet filter firewall on a Linux box
- IP always defragment - necessary for IPmasq to work. Fragments are
  reassembled into a whole packet on the server before the packet is passed
  to the firewall rules.
- IP masquerading - the actual IP masq support
- Transparent proxy support - with this option, client machines think they
  are communicating with the end server, while in fact it is a local proxy.
- ICMP masquerading - adds IPmasq ICMP support (without this, the system
  only masquerades UDP and TCP, plus ICMP errors).
- IP masquerading special modules support
- ipautofw masq support
- ipportfw masq support (optional)
- Optimize as router

Tools to get:

- ipmasq (the automatic ipmasq script, very useful; just be sure to get the
  new one with ipchains support)
- ipchains
- ipautofw
- ipportfw
- ipmasqadm (special modules support)

Once you are finished with the kernel configuration, compile and install the
new kernel. Add

    echo "1" > /proc/sys/net/ipv4/ip_forward

to one of your system initialisation scripts (or do it manually). After you
bring up the interface you want others to use (usually ppp0), just run
"ipmasq" to recompute the firewall rules. By default, ipmasq allows only the
local network to use the interface.

Client side adjustments:

Linux: as root, execute

    route del default; route add default gw your.servers.ip.address

You can see the current routing table with "route", active connections with
"netstat" and interfaces with "ifconfig".

Windows (9x): as any user, click Start -> Settings -> Control Panel ->
Network -> TCP/IP (network device) and in the Gateway tab add your server's
IP to the list.

dev
dev@net-security.org


IX. Infection and vaccination
-----------------------------

Since school is back in session for a lot of people, the number of trojans
being made or updated has decreased (and so has the length of this article).
So this is the first of a few articles that simply explain general information
about trojans, to help remove them. We also have information on the new
LockDown 2000.

As most people know, a trojan is a program that says it will do one thing and
then does something else. Currently the only security hole trojans take
advantage of is someone willing to run a program. Here is the general way most
trojans infect people:

1. Someone is tricked into running the trojan.
2. Then it copies itself to another location.
3. After that it starts listening for connections.
4. It writes to the registry so it will load with Windows.

Windows lets programs autoload at boot in many different ways.
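As an added illustration (not zemac's code, and not LockDown's), here is a small Python audit of the autostart locations this article covers: the Run-style keys in the registry, the run= and load= lines of win.ini, and the shell= line of system.ini. It reads a regedit export and the two .ini files as text, so it can be run offline against copies pulled from a suspect machine. The export and .ini contents below are constructed for the example; the flagged names sysupd.exe and msrv32.exe are made up, not real trojans, and the known-good list is an assumed baseline for a stock Windows 98 install. The Startup folder is not covered, and a trojan bound into a program that legitimately autostarts will not be flagged here: the entry looks normal, and only the binary itself can tell.

```python
import configparser
import re

# Added example: audit the Windows 9x autostart locations the article lists
# (registry Run keys, win.ini run=/load=, system.ini shell=). Not the
# newsletter's or LockDown's code. The Startup folder is not covered.

AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservicesonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    """Undo the \\" and \\\\ escapes regedit writes into exports."""
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg_export(text):
    """Yield (key, name, data) for every string value in a REGEDIT4 export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None:
            m = _VALUE_LINE.match(line)
            if m:
                yield key, _unescape(m.group(1)), _unescape(m.group(2))

def registry_autostarts(reg_text):
    """Only the entries under the Run-style keys."""
    return [(key, name, cmd) for key, name, cmd in parse_reg_export(reg_text)
            if key.lower() in AUTOSTART_KEYS]

def ini_autostarts(win_ini, system_ini):
    """run= and load= from [windows] in win.ini, shell= from [boot] in system.ini."""
    found = []
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(win_ini)
    for option in ("load", "run"):
        value = cp.get("windows", option, fallback="").strip()
        if value:
            found.append(("win.ini [windows]", option, value))
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(system_ini)
    shell = cp.get("boot", "shell", fallback="").strip()
    if shell:
        found.append(("system.ini [boot]", "shell", shell))
    return found

def program_name(command):
    """Executable named by an autostart command, lower-cased, without its path."""
    command = command.strip()
    if command.startswith('"'):                 # quoted path, may contain spaces
        exe = command[1:].split('"', 1)[0]
    else:
        exe = command.split()[0] if command else ""
    return exe.rsplit("\\", 1)[-1].lower()

def audit(reg_text, win_ini, system_ini, known_good):
    """Every autostart entry whose program is not on the known-good list."""
    entries = registry_autostarts(reg_text) + ini_autostarts(win_ini, system_ini)
    known = {p.lower() for p in known_good}
    return [e for e in entries if program_name(e[2]) not in known]

# --- constructed sample input, not taken from a real machine ----------------
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SysUpd"="C:\\WINDOWS\\SYSTEM\\sysupd.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Example]
"DisplayName"="Example application"
"""

SAMPLE_WIN_INI = r"""[windows]
load=C:\WINDOWS\SYSTEM\msrv32.exe
run=
NullPort=None

[Desktop]
Wallpaper=(None)
"""

SAMPLE_SYSTEM_INI = r"""[boot]
shell=Explorer.exe
drivers=mmsystem.dll

[386Enh]
device=*vshare
"""

# Assumed baseline: programs a stock Windows 98 install starts by itself.
KNOWN_GOOD = ["systray.exe", "scanregw.exe", "rundll32.exe", "explorer.exe"]

if __name__ == "__main__":
    for source, name, command in audit(SAMPLE_REG, SAMPLE_WIN_INI,
                                       SAMPLE_SYSTEM_INI, KNOWN_GOOD):
        print(f"{source}: {name} -> {command}")
```

On a real box, export the keys with regedit (File -> Export, REGEDIT4 format) and copy win.ini and system.ini from the Windows directory; keep the known-good list per machine, since anything installed later (anti-virus, drivers) adds its own entries.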
Just about everyone knows about the Startup folder on the Start menu. Most
trojans don't use this method, though we have seen at least one that did.
Another autoloading method is via the registry; this is the most common way a
trojan uses to start with Windows. Less known are win.ini and even system.ini.

A common thing among trojan users is to "bind" the trojan they want to infect
someone with to another program. Binding lets them turn a harmless program
into a dangerous one. Popular trojans such as DeepThroat and SubSeven come
with such tools, and many separate tools that do the same (such as SilkRope)
exist and are easily found. Binding also makes the trojan harder for
virus/trojan scanners to pick up, but it is still possible.

We were lucky to view and get information on LockDown 2000 version 4.0
pre-release. This version fixes some minor bugs and gives the user some more
control. Another handy fe-ature is that it saves your configuration changes on
exit. Plus the trojan count has been increased to 378. Unfortunately the price
is still probably high at 99 US dollars. We have not had the chance to test it
personally; maybe by next week we will.

zemac
zemac@dark-e.com
http://www.dark-e.com


X. Freedom of speech - related incidents
----------------------------------------